Bamboo 3.4 : Elastic Bamboo Security

Elastic Bamboo is a feature in Bamboo that allows Bamboo to dynamically source computing resources from the Amazon Elastic Compute Cloud (EC2).

Please be warned that if one of your remote agent instances is compromised, your Bamboo installation may be exposed to a number of security vulnerabilities. These include confidential data (e.g. source code, VCS credentials) being stolen, malicious code being injected into elastic agents, unauthorised access to build queues and false information being submitted to Bamboo servers.

To mitigate some of these security risks, Elastic Bamboo incorporates an SSL tunnelling implementation to provide a secure communication channel between your Bamboo server and your EC2 instances. This tunnelling implementation encrypts traffic between the Bamboo server and elastic agents using SSL, which means that you do not need to compromise your firewall by allowing inbound connections: all connections will be initiated from the Bamboo server to the EC2 instance.

However, SSL tunnelling is not implemented for VCS (Version Control System) to EC2 traffic. You will need to make your VCS available for access from EC2 to use Elastic Bamboo. Please see the section on setting up your VCS for Elastic Bamboo, which contains guidelines on securing your VCS.

The sections below explain the default access rules for remote agent instances and how to change these rules, if desired.

Diagram above: Elastic Bamboo security architecture

Default EC2 Access Rules

When you first use Elastic Bamboo, i.e. start an elastic instance, an 'elasticbamboo' security group will be set up for you on your AWS account. This security group is essentially a set of IP addresses that are permitted access to the EC2. By default, the security group will contain two rules — one to allow connections for Elastic Bamboo itself, and another to allow connections via SSH.

The EC2 security groups can be accessed via the AWS management console (see 'Security Groups' in the left-hand menu under 'Configuration').

Screenshot above: AWS Console - Security Groups

Changing the Default EC2 Access Rules

If you wish to permit additional connections to your EC2 instance, you can do this by adding entries to the 'Allowed Connections' section for the 'elasticbamboo' security group. See the previous section on 'Default EC2 Access Rules' for instructions on how to access your EC2 security groups.
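The following is an added example, not part of the Bamboo documentation: a Python check that audits the 'elasticbamboo' group as exported by `aws ec2 describe-security-groups`, flagging rules beyond the two defaults and source ranges wider than a threshold. The sample data, the stand-in port 54321 for the Elastic Bamboo rule (this page does not state the port) and the `max_hosts` threshold are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Port 54321 is a placeholder for the Elastic Bamboo rule; the page gives no port.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupName": "elasticbamboo", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 54321, "ToPort": 54321,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
   "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}
]}]}
""")

def audit_group(doc, expected_ports, group_name="elasticbamboo", max_hosts=256):
    """Return (port_range, cidr, reason) findings for one security group."""
    findings = []
    groups = [g for g in doc.get("SecurityGroups", [])
              if g.get("GroupName") == group_name]
    if not groups:
        return [(None, None, "group not found")]
    for perm in groups[0].get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if perm.get("IpProtocol") == "-1":  # "-1" means all traffic, all ports
            lo, hi = 0, 65535
        # A rule is "extra" unless it covers exactly one expected port.
        extra = not (lo == hi and lo in expected_ports)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if extra:
                findings.append(((lo, hi), cidr, "rule beyond the two defaults"))
            if net.num_addresses > max_hosts:
                findings.append(((lo, hi), cidr, "source range wider than allowed"))
        if extra and not cidrs:  # rule whose source is another group, not a CIDR
            findings.append(((lo, hi), None, "rule beyond the two defaults (group source)"))
    return findings

if __name__ == "__main__":
    for finding in audit_group(SAMPLE, expected_ports={22, 54321}):
        print(finding)
```

To run it against a real account, replace `SAMPLE` with the parsed JSON output of `aws ec2 describe-security-groups --group-names elasticbamboo` and pass the ports your own default rules use.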

Setting up your VCS for Elastic Bamboo

We recommend that you take the following steps to ensure that your VCS is set up securely for Elastic Bamboo:

  1. Make your VCS accessible to the public internet
  2. Use VCS authentication and access control
  3. Use encrypted connections to VCS

1. Make your VCS accessible to the public internet

As SSL tunnelling is not implemented for VCS to EC2 connections, you will need to make your VCS accessible to the public internet to use Elastic Bamboo. If your VCS is behind a firewall this will involve configuring an access point in your firewall. Please consult the documentation for your firewall software for details on how to do this.

2. Use VCS authentication and access control

As you have made your VCS available to the public internet, we highly recommend that you secure access to your VCS by enabling the authentication and access control features on your VCS. The instructions for doing this vary from VCS to VCS. Please consult the documentation for your VCS for details.

3. Use encrypted connections to VCS

We also highly recommend that you use encrypted connections for your VCS (e.g. SSL). Again, the instructions for doing this vary from VCS to VCS. Please consult the documentation for your VCS for details.

Related Topics

Configuring Elastic Bamboo