ArcGIS Server security on Amazon EC2

Devising a comprehensive ArcGIS Server security strategy on Amazon EC2 requires you to plan for security at different levels. Consider the following questions:

You'll need to understand and use a variety of security techniques to make a secure solution that answers all the above questions in a satisfactory way. This topic describes how you could approach each.

Securing your cloud administration environment

Administration of ArcGIS Server on Amazon EC2 is performed using the AWS Management Console. You must log into the console before you can launch or terminate EC2 instances, configure Amazon Elastic Load Balancers (ELBs) and Elastic IPs, and perform other administrative functions of the virtual environment. Logging in also lets you view your account activity and billing information.

Share your AWS Management Console account name and password only with a small number of people in your organization who understand how to properly launch, edit, and terminate resources using the console. Giving untrained personnel widespread access makes your deployment vulnerable to severe system disruption and excessive charges on your account. These types of problems may ultimately be more damaging than an attack by an external hacker.

Amazon offers an optional layer of protection for the AWS Management Console beyond your account name and password. This option, AWS Multi-Factor Authentication, requires you to enter a six-digit code generated by a small hardware device in your possession. Because the code changes frequently, a malicious user who obtained your account name and password would still be unable to log in to the AWS Management Console.

Securing your EC2 instance administration

Logging in to the AWS Management Console is just one aspect of ArcGIS Server administration on Amazon EC2. Another part of setting up your cloud deployment is logging in to your EC2 instances to transfer data and configure GIS services and applications.

You initially log in to your EC2 instance as the machine administrator, using a randomly generated password. The first time you log in, you should change the password to something easier to remember. It is not secure to write down the password or store it in clear text somewhere on your local machine.

Tip:

Consider choosing a password that corresponds to the Windows Server 2008 complexity requirements, which are as follows:

  • Passwords should not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
  • Passwords should be at least six characters in length.
  • Passwords should contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Nonalphabetic characters (for example, !, $, #, %)

Once you've entered the machine, you can optionally use the Windows tools to define nonadministrative users who can log in. You can add these users to the agsadmin and agsusers groups as you would in any other ArcGIS Server deployment.

The SOM account, SOC account, and ArcGIS Web Services account are all preconfigured on your EC2 instance with random passwords and should not be modified.

Securing your EC2 instances against outside attacks

All EC2 instances use a firewall to protect against inappropriate or unknown outside access. You configure the firewall by creating security groups and opening access to a range of IP addresses, ports, and protocols on each group. Every time you launch a new EC2 instance, you need to specify which security group the instance will belong to.

By default, new security groups have no access allowed. At a minimum, you need to allow remote desktop access and HTTP access to log in to your EC2 instance and test your server. See Opening an Amazon EC2 security group for ArcGIS Server for instructions. Also, see Common security group configurations for ideas of security group settings that are appropriate for ArcGIS Server on Amazon EC2.

Windows Firewall can help you further control access to your EC2 instances if you need to go beyond the functionality the EC2 security groups expose. Windows Firewall is included on the instances you launch with the ESRI-provided AMIs.

Sometimes you need to adjust Windows Firewall to accommodate settings you make in the EC2 security groups. For example, on instances that you launch with the enterprise geodatabase AMI, port 5432 has been opened on Windows Firewall. This is preconfigured because it's anticipated you will open port 5432 on the EC2 firewall for your machines that receive spatial database connections to PostgreSQL.
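The check below is an added example, not part of the original Esri help topic. It audits security group rules for the ports this section names: HTTP is expected to be public, while Remote Desktop (3389) and PostgreSQL (5432) are flagged when opened to a broad public IPv4 range. The group IDs, group names, and the /24 threshold are constructed assumptions; the JSON follows the shape returned by `aws ec2 describe-security-groups`.

```python
import ipaddress
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE1", "GroupName": "arcgis-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-EXAMPLE2", "GroupName": "arcgis-geodata", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
  {"GroupId": "sg-EXAMPLE3", "GroupName": "arcgis-test", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

# Ports discussed on this page that should not be reachable from the whole Internet.
RESTRICTED = {3389: "Remote Desktop", 5432: "PostgreSQL"}
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SOURCE_ADDRESSES = 256  # assumption: a public source wider than a /24 is "broad"

def audit(groups):
    """Return (group_id, port, service, cidr) for each over-broad inbound rule."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # IpProtocol "-1" means every protocol and port; the port keys are absent.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if any(net.subnet_of(p) for p in RFC1918) or net.num_addresses <= MAX_SOURCE_ADDRESSES:
                    continue  # private source or a narrow allow-list entry
                for port, service in sorted(RESTRICTED.items()):
                    if lo <= port <= hi:
                        findings.append((sg["GroupId"], port, service, str(net)))
    return findings

if __name__ == "__main__":
    for group_id, port, service, cidr in audit(SAMPLE):
        print(f"{group_id}: {service} (tcp/{port}) reachable from {cidr}")
```

Only IPv4 ranges (`IpRanges`) are examined; rules that reference other security groups or IPv6 ranges would need the same treatment.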

The Amazon Security Center contains white papers and best practice documents for designing a secure architecture for EC2. These guidelines are applicable to ArcGIS Server on Amazon EC2.

Securing your GIS Web applications and services

Access to ArcGIS Server services and Web applications is managed through the same security mechanisms that you use with ArcGIS Server outside of Amazon. These are described in the ArcGIS Server Help book Securing Internet connections and Web applications. You configure users and roles and choose which users and roles have access to your services.

The recommended user and role store for ArcGIS Server on Amazon EC2 is Microsoft SQL Server. An instance of SQL Server Express is installed on the EC2 instances you launch from the ArcGIS Server AMI. When you scale out your deployment, you can choose whether to duplicate your SQL Server user and role store or just point at one central SQL Server user and role store on one of your EC2 instances. The latter option may require adjustments to your Amazon security groups and Windows Firewall.

You can re-use your SQL Server Express user and role store to authenticate Web application logins. You can configure forms-based authentication to require a login for users that try to access your Web application. The login credentials can be checked against the user and role store.


1/30/2013