
Introduction

The Automated Safeguards for Amazon EC2 is part of the larger Automated Safeguards platform, previously known as DynamicPHI or DPHI. It ensures that EC2 instances are deployed in adherence to all ClearDATA policies and procedures. This includes automated security controls, such as anti-virus/malware and intrusion detection monitoring, as well as compliance monitoring via the ClearDATA Compliance Dashboard.

User Guide

This guide is organized into task-based groupings; it is not a comprehensive listing and discussion of all available options. If you need more detail, please contact your TAM or our support team for more information and assistance.

Permission Controls Overview

The IAM policies that apply to the Automated Safeguards for Amazon EC2 allow direct access to a defined set of AWS services. In addition to the services allowed for provisioning, there are policies allowing you to list and view items configured in your account. The following list is a sample of the access granted for EC2-related services.

Amazon Virtual Private Cloud (VPC)

Read only access to all networking components, including:

  • VPC
  • Elastic IP
  • Route Tables
  • Subnets

Amazon Elastic Compute Cloud (EC2)

  • Create new EC2 instances from ClearDATA approved AMIs
  • Attach ClearDATA approved Security Groups
  • Modify the Security Groups attached to an instance (only ClearDATA approved groups can be attached)
  • Terminate EC2 instances
  • Start and stop EC2 instances

Amazon Elastic Block Store (EBS)

EBS is the block storage type attached directly to EC2 instances when data must persist beyond the life of the instance (instance store volumes are ephemeral and are lost when the instance stops). Users can manipulate EBS volumes:

  • Attach and detach EBS volumes
  • Create volume snapshots
  • Create new encrypted volumes
  • Create new volumes from snapshots

Setup

AWS Web Console

As a ClearDATA customer using the DPHI system, you have access to the AWS web console as one option for self-management of your environment.

Creation and administration of EC2 instances and other tasks can all be managed from this interface. No setup is required, unless you choose to enable AWS 2-Factor Authentication (MFA), which is strongly recommended for every console user.

Log In

Logging into the AWS console is straightforward and well documented by AWS teams. 

Screenshot

Reminder: Instructions for establishing AWS 2-Factor Authentication for users are available here.

Screenshot

Configuring AWS-cli

The most direct way to interact with AWS is through the aws-cli application. You can find a guide for setting it up here.

You will receive your AWS keys from ClearDATA during onboarding. The IAM policies associated with these keys are tailored to your account and the privileges granted to it. Treat the keys as secrets: keep them in the aws-cli credentials file or a named profile rather than in scripts or source control.

Note:

Many tools, such as Terraform, can use the same credentials (shared credentials file and profiles) as the aws-cli.


Running EC2 Instances With Web Console

Deployment Requirements

There are a few requirements that must be followed when deploying instances

  • You can only launch from AMIs which have the cleardata:hardened tag on them
  • You can only use Security Groups which have cleardata:customer-allow tag on them

This is one way ClearDATA protects customer infrastructure. By ensuring you only use approved AMIs and launch them into approved Security Groups, we limit your ability to accidentally spin up a non-compliant machine.

EC2 Deployment

The console home screen changes based on AWS suggestions and recently used services. Selecting EC2 takes you to the EC2 Dashboard. Alternatively, click the Services pulldown (marked with the blue pointer in the screenshot) to list all available services. Some services may not be permitted within the DPHI framework.

Screenshot

EC2 Launch Screens

Once in the EC2 Dashboard, there are clickable links along the left side for typical tasks. Select the Instances link to see your running instances, or the Security Groups link to see which groups are already available. Selecting the large LAUNCH INSTANCE button starts the process.

Screenshot

When selecting an image (AMI) to start from, ALWAYS choose from the "My AMIs" tab on the left. This is where the pre-hardened images provided by ClearDATA reside. Then press the blue SELECT button next to the operating system you want your new instance to be.

Screenshot

Next, select the instance size based on the resources you expect the workload to require. ClearDATA recommends proceeding to "Configure Instance Details" as the next step, instead of jumping directly to "Review and Launch".

Screenshot

Properly configuring instance details, such as which VPC and subnet the instance is launched into, saves steps later. Most of the time the "BaseStack" VPC is the correct choice unless your TAM or Support representative has told you otherwise. The subnet selection determines which Availability Zone your instance runs in (AZ2 in this example). It also determines whether the server is reachable from the public internet or is private, reachable only from other instances or from users connected via VPN.

Remember to spread duplicate servers (for example, a web server farm) across several Availability Zones to maximize availability.

Screenshot

Continue with the remaining details, such as whether to assign a Public IP and which tenancy to use. Only assign a Public IP to instances that must be reachable from the internet. Typically, Dedicated tenancy is the correct choice.

Screenshot

Adding storage is an optional step. This screen lets you create and attach additional volumes at launch instead of adding them later. In the example, the ROOT volume exists from the initial instance request, and a second volume will be created. There are several variations on this, depending on the storage type, size, and performance needs. ClearDATA recommends encrypting every volume; select the Encrypted option for each new volume here, because an existing unencrypted volume cannot be encrypted in place afterwards (it must be snapshotted and copied).

Screenshot

Tagging Instances

Standard ClearDATA tags

The following tags are put in place by ClearDATA during the creation of an instance for our customers. Alteration or removal of these tags may negatively affect the management of your environment. If there is an issue with a tag, or you have questions on this, please contact support.

cleardata:asset-id, cleardata:customer-id, cleardata:disable-monitoring, cleardata:phi, and cleardata:service-class

Asset Name

When cataloging machines, it is often valuable to have a name associated with the "idea" of a machine. Instance-ids come and go, but a name gives a stable logical label to a VM.

At ClearDATA, we have the concept of an asset-id to identify machines. You will see the tag cleardata:asset-id applied to your instances. The format of an asset-id is

{CUSTOMER_ID}-{STAGE}{OPERATING_SYSTEM}-{REGION}-{ASSET_NAME}

If you want to give us an easy name to track your instance by, apply a cleardata:asset-name tag to it.
If you do not supply this value, we use the instance-id as the ASSET_NAME (and that is not very human-friendly!).

In the example, you can see tags being chosen, and the values are highlighted in green. As you add tags, just begin typing "cleardata" in the KEY space, and a list will pop-up with options for ClearDATA use tags.

Screenshot

To set the STAGE portion of an asset-id, set the cleardata:service-class tag on the instance. By default it is p, for "production".

Additional Tags

Tag                           Value   Description
cleardata:disable-monitoring  1       If this tag is present, ClearDATA will not run ping monitors against this instance
cleardata:phi                 1       Indicates that a machine should be capable of handling PHI; used by compliance checks
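The tag rules above (the standard tags must stay in place, an instance without cleardata:asset-name falls back to its instance-id, and the two flag tags carry the value 1) can be audited across a fleet. The following is an added example, not ClearDATA's own code; it works over a describe-instances response, so it runs on the constructed SAMPLE below (hypothetical instance ids, customer id and asset-id components) or on a live boto3 client via audit_account.

```python
"""Added example, not ClearDATA's code: audit a describe-instances response for
the standard ClearDATA tags, flag instances whose asset-id falls back to the
instance-id (no cleardata:asset-name), and check the two flag tags hold "1".
SAMPLE is a constructed response with hypothetical IDs so the script runs offline."""

REQUIRED = ("cleardata:asset-id", "cleardata:customer-id", "cleardata:service-class")
FLAGS = ("cleardata:disable-monitoring", "cleardata:phi")  # optional; value "1" when present


def tags_of(instance):
    """Tags as a dict. Untagged instances have no Tags key at all."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def audit(describe_response):
    """One finding per instance, in reservation order; 'problems' is what to act on."""
    findings = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = tags_of(inst)
            problems = [f"missing {k}" for k in REQUIRED if k not in tags]
            problems += [f"{k} should be 1, not {tags[k]!r}" for k in FLAGS
                         if k in tags and tags[k] != "1"]
            if "cleardata:asset-name" not in tags:
                problems.append("no cleardata:asset-name; asset-id falls back to the instance-id")
            findings.append({
                "instance_id": inst["InstanceId"],
                "asset_id": tags.get("cleardata:asset-id"),
                "phi": tags.get("cleardata:phi") == "1",
                "problems": problems,
            })
    return findings


def audit_account(ec2):
    """Same audit over a live account; ec2 = boto3.client('ec2'). Pages through all reservations."""
    merged = {"Reservations": []}
    for page in ec2.get_paginator("describe_instances").paginate():
        merged["Reservations"].extend(page["Reservations"])
    return audit(merged)


def _inst(iid, **tags):
    """Build one describe-instances item from a tag mapping (constructed sample helper)."""
    return {"InstanceId": iid, "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}


# Constructed sample. Customer id, OS/region abbreviations and instance ids are made up;
# only the asset-id layout follows the documented {CUSTOMER_ID}-{STAGE}{OS}-{REGION}-{NAME} form.
SAMPLE = {"Reservations": [{"Instances": [
    _inst("i-0aaa000000000001", **{"cleardata:asset-id": "cust1-pl-use1-web-01",
                                    "cleardata:customer-id": "cust1",
                                    "cleardata:service-class": "p",
                                    "cleardata:asset-name": "web-01",
                                    "cleardata:phi": "1"}),
    _inst("i-0aaa000000000002", **{"cleardata:asset-id": "cust1-pl-use1-i-0aaa000000000002",
                                    "cleardata:customer-id": "cust1",
                                    "cleardata:service-class": "p"}),
    _inst("i-0aaa000000000003", **{"cleardata:asset-id": "cust1-dl-use1-batch-01",
                                    "cleardata:customer-id": "cust1",
                                    "cleardata:asset-name": "batch-01",
                                    "cleardata:disable-monitoring": "true"}),
]}]}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["instance_id"], f["asset_id"], "PHI" if f["phi"] else "-",
              "; ".join(f["problems"]) or "ok")
```

Run against a live account, a non-empty "problems" list for any instance is the signal to open a ticket with support rather than to re-add the tag yourself, since the standard tags are managed by ClearDATA.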

Security Group

Selecting the security group(s) for your instance to operate in will define all connectivity rules. Security groups act as instance specific firewalls. An instance can have multiple security groups attached to it.

Note that groups with "APPROVED" in the name are approved for customer use.

Screenshot

Also, if you click on a security group name and check its properties, an "Approved" security group carries a tag stating that it is for customer use.

Screenshot

You can view the workings of a security group by selecting it in the upper pane, then selecting the tabs in the lower pane to view inbound and outbound rules.

Screenshot

Review

Lastly, you are shown a review screen to ensure the proposed instance has all the desired settings. Clicking the blue Launch button begins the build process that will result in additional environment capacity for new or expanding workloads.

Screenshot


Running EC2 Instances With CLI

Deployment Requirements

The same requirements apply as when deploying from the web console:

  • You can only launch from AMIs which have the cleardata:hardened tag on them
  • You can only use Security Groups which have the cleardata:customer-allow tag on them

These requirements are enforced by the IAM policy attached to your credentials, so a launch that violates them fails with a permissions error rather than producing a non-compliant instance (see Decoding Errors below). By ensuring you only use approved AMIs and launch them into approved Security Groups, we limit your ability to accidentally spin up a non-compliant machine.
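Both Deployment Requirements sections (web console and CLI) state the same two tag rules, and automation that launches instances should check them before calling run-instances rather than discovering the IAM denial afterwards. The following is an added example, not ClearDATA's own code. It assumes a boto3 EC2 client for the real calls (describe_images, describe_security_groups, run_instances are the real boto3 method names); the FakeEC2 class, the AMI/security-group/subnet ids and the asset name are constructed so the script runs offline. Dedicated tenancy and an encrypted root volume follow the page's recommendations; the extra_tags mapping is where you would pass cleardata:service-class if you need a non-production STAGE.

```python
"""Added example, not ClearDATA's code: check the two Deployment Requirements
before calling run-instances, then launch with dedicated tenancy, an encrypted
root volume and the cleardata:asset-name tag. Pass boto3.client("ec2") for a
real launch; FakeEC2 is a constructed stand-in (hypothetical IDs) so this runs
offline."""

REQUIRED_AMI_TAG = "cleardata:hardened"        # launch only from AMIs tagged with this
REQUIRED_SG_TAG = "cleardata:customer-allow"   # attach only groups tagged with this


def tag_keys(resource):
    """Tag keys of an EC2 describe-* item; untagged items have no Tags list."""
    return {t["Key"] for t in resource.get("Tags", [])}


def preflight(images, groups, ami_id, sg_ids):
    """Evaluate describe-images / describe-security-groups responses.

    Returns human-readable problems; an empty list means both requirements hold."""
    problems = []
    image = next((i for i in images.get("Images", []) if i["ImageId"] == ami_id), None)
    if image is None:
        problems.append(f"AMI {ami_id} is not visible in this account/region")
    elif REQUIRED_AMI_TAG not in tag_keys(image):
        problems.append(f"AMI {ami_id} lacks the {REQUIRED_AMI_TAG} tag")
    by_id = {g["GroupId"]: g for g in groups.get("SecurityGroups", [])}
    for sg_id in sg_ids:
        group = by_id.get(sg_id)
        if group is None:
            problems.append(f"security group {sg_id} was not found")
        elif REQUIRED_SG_TAG not in tag_keys(group):
            problems.append(f"security group {sg_id} lacks the {REQUIRED_SG_TAG} tag")
    return problems


def launch_instance(ec2, ami_id, instance_type, key_name, sg_ids, subnet_id,
                    asset_name, extra_tags=None):
    """Pre-flight, then run-instances. Raises PermissionError instead of letting
    the IAM policy reject the call (or a non-compliant launch succeed)."""
    images = ec2.describe_images(ImageIds=[ami_id])
    groups = ec2.describe_security_groups(GroupIds=list(sg_ids))
    problems = preflight(images, groups, ami_id, sg_ids)
    if problems:
        raise PermissionError("launch blocked: " + "; ".join(problems))
    image = next(i for i in images["Images"] if i["ImageId"] == ami_id)
    tags = [{"Key": "cleardata:asset-name", "Value": asset_name}]
    tags += [{"Key": k, "Value": v} for k, v in (extra_tags or {}).items()]
    return ec2.run_instances(
        ImageId=ami_id, InstanceType=instance_type, KeyName=key_name,
        SecurityGroupIds=list(sg_ids), SubnetId=subnet_id, MinCount=1, MaxCount=1,
        Placement={"Tenancy": "dedicated"},                 # page: usually the right choice
        BlockDeviceMappings=[{                               # encrypt the root volume at launch
            "DeviceName": image["RootDeviceName"],           # differs per AMI, so read it
            "Ebs": {"Encrypted": True, "DeleteOnTermination": True}}],
        TagSpecifications=[{"ResourceType": "instance", "Tags": tags}],
    )


class FakeEC2:
    """Offline stand-in for the boto3 client. All IDs below are made up."""
    IMAGES = {
        "ami-0hardened000": {"ImageId": "ami-0hardened000", "RootDeviceName": "/dev/sda1",
                             "Tags": [{"Key": REQUIRED_AMI_TAG, "Value": "true"}]},
        "ami-0untagged000": {"ImageId": "ami-0untagged000", "RootDeviceName": "/dev/xvda"},
    }
    GROUPS = {
        "sg-0approved0000": {"GroupId": "sg-0approved0000",
                             "Tags": [{"Key": REQUIRED_SG_TAG, "Value": "true"}]},
        "sg-0internal0000": {"GroupId": "sg-0internal0000", "Tags": []},
    }

    def describe_images(self, ImageIds):
        return {"Images": [self.IMAGES[i] for i in ImageIds if i in self.IMAGES]}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.GROUPS[g] for g in GroupIds if g in self.GROUPS]}

    def run_instances(self, **kwargs):
        self.last_request = kwargs   # kept so a caller can inspect what would be sent
        return {"Instances": [{"InstanceId": "i-0fake00000000001",
                               "Tags": kwargs["TagSpecifications"][0]["Tags"]}]}


if __name__ == "__main__":
    ec2 = FakeEC2()
    resp = launch_instance(ec2, "ami-0hardened000", "t3.micro", "MyKeyPair",
                           ["sg-0approved0000"], "subnet-0example0000", "web-01")
    print("launched", resp["Instances"][0]["InstanceId"], ec2.last_request["Placement"])
    try:
        launch_instance(ec2, "ami-0untagged000", "t3.micro", "MyKeyPair",
                        ["sg-0approved0000", "sg-0internal0000"], "subnet-0example0000", "web-02")
    except PermissionError as err:
        print(err)
```

With a real client, describe_images raises a ClientError (InvalidAMIID.NotFound) for an AMI you cannot see rather than returning an empty list, so wrap the call accordingly; the Encrypted flag on the root mapping uses the account's default EBS key unless you also pass KmsKeyId.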

CLI Example

To run an instance via the CLI, your command would look something like the following. Fill in your own values for the AMI id, instance type, SSH key pair name, security group(s) and subnet.

aws ec2 run-instances \
    --image-id ami-xxxxxxxx \
    --instance-type t1.micro \
    --key-name MyKeyPair \
    --security-group-ids sg-xxxxxxxx \
    --subnet-id subnet-xxxxxxxx

Tagging Instances

The standard ClearDATA tags described under "Running EC2 Instances With Web Console" apply equally to instances launched from the CLI: cleardata:asset-id, cleardata:customer-id, cleardata:disable-monitoring, cleardata:phi, and cleardata:service-class. The cleardata:asset-id tag follows the format

{CUSTOMER_ID}-{STAGE}{OPERATING_SYSTEM}-{REGION}-{ASSET_NAME}

The cleardata:asset-id, and all other cleardata tags applied through our Automated Safeguards, are not permitted to be changed by customers. The tags are required for compliance monitoring. As with the console, supply a cleardata:asset-name tag at launch (run-instances --tag-specifications) or afterwards (create-tags) so the ASSET_NAME does not fall back to the instance-id.

Decoding Errors

If you get a permissions error when launching an instance and the response contains a large base64-encoded string, use the decode-authorization-message command to see the exact cause of the error. The call requires the sts:DecodeAuthorizationMessage permission. Find more here.

aws sts decode-authorization-message --encoded-message avcdef123...

This information is critical for ClearDATA Support when troubleshooting IAM permissions. Please include the decoded message in the ClearDATA ticket.
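The decoded message is a JSON document, and what Support needs from it is the verdict (explicit versus implicit deny), the principal, the action, the resource, and the condition context IAM evaluated. The following is an added example, not ClearDATA's own code: it pulls the encoded blob out of an UnauthorizedOperation error string, shows the boto3 call equivalent to the CLI command above (decode_authorization_message is the real STS method), and reduces the decoded document to a ticket-ready summary. SAMPLE_ERROR and SAMPLE_DECODED are constructed; the base64 blob, principal and ARNs are hypothetical, and the decoded layout (allowed, explicitDeny, matchedStatements, context.conditions.items) is the standard STS format.

```python
"""Added example, not ClearDATA's code: extract the encoded blob from an
UnauthorizedOperation error, decode it the way `aws sts
decode-authorization-message` does, and reduce the decoded JSON to a
ticket-ready summary. SAMPLE_ERROR and SAMPLE_DECODED are constructed; the
principal, ARNs and base64 blob are hypothetical."""
import json
import re

ENCODED_RE = re.compile(r"Encoded authorization failure message: (\S+)")


def extract_encoded(error_text):
    """The base64 blob from an EC2 UnauthorizedOperation error string, or None."""
    match = ENCODED_RE.search(error_text)
    return match.group(1) if match else None


def decode_with_sts(sts, encoded):
    """Same call the CLI makes; sts = boto3.client("sts"). Needs sts:DecodeAuthorizationMessage."""
    return sts.decode_authorization_message(EncodedMessage=encoded)["DecodedMessage"]


def summarize(decoded_json):
    """Reduce a DecodedMessage document to the fields Support needs first."""
    msg = json.loads(decoded_json)
    ctx = msg.get("context", {})
    conditions = {
        c["key"]: [v["value"] for v in c.get("values", {}).get("items", [])]
        for c in ctx.get("conditions", {}).get("items", [])
    }
    if msg.get("allowed"):
        verdict = "allowed"
    elif msg.get("explicitDeny"):
        verdict = "explicit deny (a Deny statement matched)"
    else:
        verdict = "implicit deny (no Allow statement matched)"
    return {
        "verdict": verdict,
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "conditions": conditions,
        "matched_statements": len(msg.get("matchedStatements", {}).get("items", [])),
    }


def ticket_text(summary):
    """Plain-text block to paste into the ClearDATA ticket."""
    lines = [f"{k}: {summary[k]}" for k in ("verdict", "principal", "action", "resource")]
    lines += [f"  {key} = {', '.join(values)}"
              for key, values in sorted(summary["conditions"].items())]
    return "\n".join(lines)


# Constructed sample of the CLI/boto3 error text (the blob is not a real message).
SAMPLE_ERROR = (
    "An error occurred (UnauthorizedOperation) when calling the RunInstances operation: "
    "You are not authorized to perform this operation. "
    "Encoded authorization failure message: Zm9vYmFyLW5vdC1hLXJlYWwtbWVzc2FnZQ=="
)

# Constructed DecodedMessage for a launch from an AMI the policy does not allow.
SAMPLE_DECODED = json.dumps({
    "allowed": False, "explicitDeny": False,
    "matchedStatements": {"items": []}, "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLE000000", "arn": "arn:aws:iam::111122223333:user/deployer"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1::image/ami-0untagged000",
        "conditions": {"items": [
            {"key": "ec2:ImageType", "values": {"items": [{"value": "machine"}]}},
            {"key": "ec2:Owner", "values": {"items": [{"value": "111122223333"}]}},
        ]},
    },
})

if __name__ == "__main__":
    print("encoded:", extract_encoded(SAMPLE_ERROR))
    print(ticket_text(summarize(SAMPLE_DECODED)))
```

An implicit deny with the resource set to an image ARN is the shape you see when the launch used an AMI outside the approved set; the conditions list shows which context keys IAM evaluated for that resource, which is the detail Support uses to confirm the cause.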

Revision History

Date            Change
November 2018   Initial Version
March 2019      Updated Tagging to clarify the use of all "cleardata" tags.
