Bamboo 2.2 : Elastic Bamboo Security
This page last changed on Mar 09, 2009 by nmuldoon.
Elastic Bamboo is a feature in Bamboo that allows Bamboo to dynamically source computing resources from the Amazon Elastic Compute Cloud (EC2).

If you choose to enable Elastic Bamboo, the broker port (port 54663 by default) of your Bamboo server must be made available to remote agent instances created in the EC2. Please be warned that this can expose your Bamboo installation to a number of security vulnerabilities if any of your remote agent instances are compromised. These include confidential data (e.g. source code, VCS credentials) being stolen, malicious code being injected into elastic agents, unauthorised access to build queues and false information being submitted to Bamboo servers.

To mitigate some of these security risks, Elastic Bamboo incorporates an SSH tunnelling implementation to provide a secure communication channel between your Bamboo server and the EC2. This tunnelling implementation encrypts traffic between the Bamboo server and elastic agents using SSL, which means that you do not need to compromise your firewall by opening it up to outside connections.

SSH tunnelling is not implemented for VCS (Version Control System) to EC2 traffic, though. You will need to make your VCS available to the EC2 to use Elastic Bamboo. Please see the section on setting up your VCS for Elastic Bamboo, which contains guidelines on securing your VCS.

Screenshot: Elastic Bamboo Security Architecture

The sections below explain the default access rules for remote agent instances and how to change these rules, if desired.

Default EC2 Access Rules

When you first use Elastic Bamboo, i.e. start an elastic instance, an 'elasticbamboo' security group will be set up for you on your AWS account. This security group is essentially a set of IP addresses that are permitted access to the EC2. By default, the security group will contain two rules: one to allow connections for Elastic Bamboo itself, and another to allow connections via SSH.

The EC2 security groups can be accessed via the AWS management console (see 'Security Groups' in the left-hand menu under 'Configuration').

Screenshot: AWS Console - Security Groups

Changing the Default EC2 Access Rules

If you wish to change the default access rules for Elastic Bamboo (e.g. remove SSH access, permit additional connections), you can do this by adding or removing entries from the 'Allowed Connections' for the 'elasticbamboo' security group. See the previous section on 'Default EC2 Access Rules' for instructions on how to access your EC2 security groups.

Setting up your VCS for Elastic Bamboo

We recommend that you take the following steps to ensure that your VCS is set up securely for Elastic Bamboo:
1. Make your VCS accessible to the public internet
2. Configure your AWS security group
3. Use VCS authentication and access control
4. Use encrypted connections to VCS
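
A review check for step 2 and for 'Changing the Default EC2 Access Rules' above, as an added example that is not part of the Bamboo documentation: it flags rules in a security group that are wider than the policy you intend. Assumptions: the group is supplied as a dictionary shaped like an EC2 DescribeSecurityGroups entry, the intended policy admits only the Bamboo server's address with the SSH rule removed, and the sample rules, addresses and EXAMPLE_AGENT_PORT are constructed (this page does not state the port of the Elastic Bamboo rule).

```python
import ipaddress

# Assumption: this page does not state the port of the Elastic Bamboo rule;
# read it from your own 'elasticbamboo' group. 4000 is a constructed placeholder.
EXAMPLE_AGENT_PORT = 4000

# Constructed sample, shaped like one entry of an EC2 DescribeSecurityGroups response.
SAMPLE_GROUP = {
    "GroupName": "elasticbamboo",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 4000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    ],
}

def audit_group(group, trusted_cidrs, expected_ports):
    """Return findings for rules that are wider than the intended policy."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1" or lo is None:
            label = "all traffic"
            findings.append(f"{label}: rule is not limited to a port")
        else:
            label = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
            if lo != hi or lo not in expected_ports:
                findings.append(f"{label}: port not in expected set")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{label}: open to any address ({cidr})")
            elif not any(net.version == t.version and net.subnet_of(t)
                         for t in trusted):
                findings.append(f"{label}: source {cidr} is not a trusted range")
    return findings

if __name__ == "__main__":
    # Policy under review: only the Bamboo server's address, SSH rule removed.
    for finding in audit_group(SAMPLE_GROUP, ["203.0.113.10/32"],
                               {EXAMPLE_AGENT_PORT}):
        print(finding)
```

Rules whose source is another security group rather than a CIDR range are not examined by this check.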
Document generated by Confluence on Mar 09, 2009 17:06