Security

Operating System Users

The Helix Core deployment relies heavily on cloud-init for last-minute deployment configuration. cloud-init runs as root, but Helix Core runs as the perforce user with very limited sudo privileges. These privileges are enforced via /etc/sudoers.d/perforce:

Cmnd_Alias P4_SVC = /usr/bin/systemctl start p4d_*, \
   /usr/bin/systemctl start p4d_*, \
   /usr/bin/systemctl stop p4d_*, \
   /usr/bin/systemctl restart p4d_*, \
   /usr/bin/systemctl status p4d_*, \
   /usr/bin/systemctl cat p4d_*, \
   /usr/bin/systemctl start p4dtg_*, \
   /usr/bin/systemctl stop p4dtg_*, \
   /usr/bin/systemctl restart p4dtg_*, \
   /usr/bin/systemctl status p4dtg_*, \
   /usr/bin/systemctl cat p4dtg_*, \
   /usr/bin/systemctl start p4broker_*, \
   /usr/bin/systemctl stop p4broker_*, \
   /usr/bin/systemctl restart p4broker_*, \
   /usr/bin/systemctl status p4broker_*, \
   /usr/bin/systemctl cat p4broker_*, \
   /usr/bin/systemctl start p4p_*, \
   /usr/bin/systemctl stop p4p_*, \
   /usr/bin/systemctl restart p4p_*, \
   /usr/bin/systemctl status p4p_*, \
   /usr/bin/systemctl cat p4p_*, \
   /usr/bin/systemctl start p4prometheus*, \
   /usr/bin/systemctl stop p4prometheus*, \
   /usr/bin/systemctl restart p4prometheus*, \
   /usr/bin/systemctl status p4prometheus*, \
   /usr/bin/systemctl cat p4prometheus*

perforce ALL = (root) NOPASSWD: P4_SVC
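A practical way to keep this least-privilege property from eroding over time is to audit the fragment after every change: every command the perforce user can run as root should be a systemctl lifecycle verb on a Helix Core unit, and nothing else. The script below is an added example, not part of the Enhanced Studio Pack; it parses a sudoers fragment of the shape shown above (a constructed, abridged sample is embedded so it runs offline), joins the backslash-continued lines, expands the Cmnd_Alias, and reports any command or grant that falls outside that allow-list. The regular expression is anchored at both ends so that an appended argument or shell metacharacter cannot hide behind a pattern such as p4d_*.

```python
import re

# Constructed sample that mirrors the shape of the /etc/sudoers.d/perforce fragment
# quoted on the page (abridged to a few commands; not copied from a deployed host).
SAMPLE_SUDOERS = r"""
Cmnd_Alias P4_SVC = /usr/bin/systemctl start p4d_*, \
   /usr/bin/systemctl stop p4d_*, \
   /usr/bin/systemctl restart p4broker_*, \
   /usr/bin/systemctl cat p4prometheus*

perforce ALL = (root) NOPASSWD: P4_SVC
"""

# Allow-list: one systemctl lifecycle verb applied to one of the Helix Core unit
# patterns. Anchored at both ends so a trailing "; /bin/sh" or an extra argument
# can never match.
ALLOWED_COMMAND = re.compile(
    r"^/usr/bin/systemctl (start|stop|restart|status|cat) "
    r"(p4d_\*|p4dtg_\*|p4broker_\*|p4p_\*|p4prometheus\*)$"
)


def logical_lines(text):
    """Join backslash-continued lines and drop blank lines and comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return [l.strip() for l in lines if l.strip() and not l.lstrip().startswith("#")]


def parse_sudoers(text):
    """Return (cmnd_aliases, grants).

    cmnd_aliases maps alias name -> list of command strings;
    grants is a list of (user, runas, tag, command_spec) tuples.
    """
    aliases, grants = {}, []
    for line in logical_lines(text):
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
            continue
        m = re.match(
            r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(?:(NOPASSWD|PASSWD):\s*)?(.*)$", line
        )
        if m:
            grants.append((m.group(1), m.group(2), m.group(3) or "", m.group(4).strip()))
    return aliases, grants


def audit(text, user="perforce"):
    """Return a list of findings; an empty list means every grant is on the allow-list."""
    aliases, grants = parse_sudoers(text)
    findings = []
    for name, cmds in aliases.items():
        for cmd in cmds:
            if not ALLOWED_COMMAND.match(cmd):
                findings.append(f"alias {name}: command outside allow-list: {cmd}")
    for who, _runas, _tag, spec in grants:
        if who != user:
            continue
        for item in (s.strip() for s in spec.split(",")):
            if item == "ALL":
                findings.append(f"{who}: unrestricted ALL command grant")
            elif item not in aliases and not ALLOWED_COMMAND.match(item):
                findings.append(f"{who}: direct grant outside allow-list: {item}")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_sudoers.py /etc/sudoers.d/perforce   (defaults to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for finding in audit(source) or ["OK: no findings"]:
        print(finding)
```

Run it against the real file after any edit, alongside `visudo -c -f /etc/sudoers.d/perforce` for a syntax check and `sudo -l -U perforce` to confirm what sudo itself has resolved; the script only reads the fragment, so it is safe to run from a configuration-management check or a CI job that lints the cloud-init templates.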

Least Privilege

Network Security Group

When configuring your AWS Security Group rules at deployment time via the CloudFormation parameter AccessCIDR, we recommend starting with your single public IPv4 address. Post-deployment you can open up additional access for users, but we still recommend adding individual public IPv4 addresses instead of a blanket 0.0.0.0/0 rule.

IAM Role / IAM Policy

An IAM role is created for the Helix Core EC2 instance which allows access to a few AWS services:

  • write access to send system notifications to an SNS topic
  • the AmazonSSMManagedInstanceCore AWS managed policy, which allows users to use SSM for remote shell administrative access to the host

Helix Core Protect Table

Post-deployment you will want to create Helix Core users and groups and grant them access.

You can create users either using the p4 user CLI command or using the P4Admin GUI application.

Similarly, you can create groups using the p4 group CLI command or using the P4Admin GUI application.

Once you have users and groups created you will need to grant access to them. This is done with the Helix Core Protect Table.

Always follow security best practices and grant the minimum required permissions to users and groups.

AWS Public Resources

To lower the barrier to entry for getting a Helix Core server set up in AWS, the Helix Core server has been placed in the public subnet. This allows all of your users to connect over the internet using the Helix Core public IPv4 address.

When updating the Security Group attached to the Helix Core EC2 instance, if you do not follow the best practice of whitelisting the required IP addresses and instead use a blanket rule like 0.0.0.0/0, any user on the internet will be able to connect to the Helix Core port, 1666, from anywhere in the world. Note that being able to connect does not guarantee that they can authenticate; all users in Helix Core are required to have a secure password.

IAM Users

The Enhanced Studio Pack deployment does not create any IAM users and does not require any IAM user key/secret credentials as a part of the deployment.

Secrets Management

Helix Core Perforce User Password

The Helix Core deployment creates an initial Helix Core user (username: perforce). This user gets dynamically assigned a password which is the EC2 instance ID.

It is acceptable to rotate this password at any time, but a password file on the system must be kept in sync with the actual password.

The password file can be found here:

/p4/common/config/.p4passwd.p4_1.admin

Hansoft Administrator Password

The Hansoft deployment creates an initial Hansoft user (username: Administrator). This user gets dynamically assigned a password which is the EC2 instance ID.

It is acceptable to rotate this password at any time.

Sensitive Data Storage

Helix Core Depot Volume

Any files submitted to Helix Core are stored in this volume. These files will include your business's intellectual property.

Helix Core Metadata Volume

The metadata is the database backend for Helix Core. This database will include things like the list of files in depots, usernames, user email addresses, etc.

Hansoft Data Volume

The Hansoft database and all file attachments are stored in this data volume. The Hansoft database will include all details of your tasks, usernames, email addresses, etc.

Data Encryption

Helix Core itself does not encrypt any data, and no operating-system-level encryption is implemented. The Helix Core Depot and Metadata volumes use EBS encryption.

Network Configuration

Review the architecture diagram for a high-level view of the networking configuration.

Subnets

Two public subnets and two private subnets are created. One of each is placed in each Availability Zone, for a total of two Availability Zones being used.

Public

One of the two Public Subnets will be selected to hold all of the EC2 instances.

The second Public Subnet is not currently used but was included for future expansion. For example, a high availability capability could be layered on top of what was created with the Enhanced Studio Pack.

Private

The Private Subnets are not used today but were included for future expansion. For example, Helix Swarm is a web application and could be moved to the Private Subnet and then fronted with an AWS Application Load Balancer and SSL certificate.

Subnet ACLs

The ACL associated with each subnet allows all ingress and all egress.

Route Tables

The Route Table associated with the Public Subnets provides a route to the internet via the Internet Gateway.

The Route Table associated with the Private Subnets provides just the out of the box local route.

AWS Instance Metadata Service Version 1 (IMDSv1)

The AWS Enhanced Studio Pack only uses recent versions of the AWS SDKs that support IMDSv2. It is safe to disable IMDSv1 in your AWS account without impacting the ongoing operation of the Enhanced Studio Pack.