Securing Bitbucket in AWS
A security group acts as a virtual firewall that controls the traffic for one or more instances. The security group(s) that apply to newly launched instances depend on your launch method:
- If you launched instance(s) via the AWS console or API, the EC2 launch process gives you the opportunity to either create a new security group or associate one or more existing security group(s) with the instance. We recommend allowing inbound access to Bitbucket only on ports 22, 80, 443, and 7999, and only allowing access from the tightest possible IP address range.
- If launched via BitbucketServer.template or BitbucketDataCenter.template, AWS CloudFormation creates and manages a security group as part of the stack, allowing inbound access on ports 22, 80, 443, and 7999 from the Permitted IP range of addresses you specify. We recommend specifying the tightest possible Permitted IP range and not adding unnecessary inbound access to the security group after launch.
We recommend using security groups to restrict incoming traffic to your Bitbucket instance to the absolute minimum required.
See Amazon EC2 Security Groups for Linux Instances for more information.
In order to enable HTTPS, you need a valid SSL certificate. SSL certificates are issued by a trusted third party Certificate Authority (CA), such as VeriSign, DigiCert or Thawte, which provide such services on a commercial basis. Atlassian does not provide such services or support their use.
Until you install a valid SSL certificate, new Bitbucket Server and Data Center instances are configured to serve requests over plain HTTP, not HTTPS. Unless you are connected to AWS via a Virtual Private Gateway, all passwords and data will be sent unencrypted over the public Internet.
If you launch Bitbucket Server via BitbucketServer.template or manually as described in Launching Bitbucket Server in AWS manually, there is currently no way to install your own SSL certificate at initial launch time. If you intend for your Bitbucket Server instance to be internet facing, we recommend setting
ATL_SSL_SELF_CERT_ENABLED=true to enable HTTPS to your instance at launch time, then installing a true SSL certificate as described in Administering Bitbucket Server in AWS as soon as possible after launch.
Note on self-signed SSL certificates
If HTTPS is enabled via
ATL_SSL_SELF_CERT_ENABLED=true a self-signed certificate will be generated for your Bitbucket Server instance.
If you continue to use the self-signed certificate:
- most browsers will display security warnings that must be ignored before proceeding to the Bitbucket Server Web interface
- git clients will refuse to connect to Bitbucket Server over HTTPS unless configured to ignore the self-signed certificate with
git config --global http.sslVerify false
- application links and/or integrations with other applications that use Bitbucket Server's REST API and don't accept self-signed certificates may fail
The self-signed certificate should be replaced with a certificate obtained from a trusted certificate authority (CA) at the earliest opportunity.
If you launch BItbucket Data Center via BitbucketDataCenter.template, then you can upload your SSL certificate into Amazon prior to launching, and specify it as the SSL Certificate Name parameter at launch time. This will pre-configure HTTPS from the outset. See Bitbucket Data Center in AWS for more information.
Keeping your system up-to-date
It is essential to keep your Bitbucket Server instance up-to-date with patches and updates to maximize security and minimize opportunity for exploits and misadventure. On first boot a Bitbucket Server AMI instance will download the latest official release of Bitbucket Server at that time so you are assured of having the very latest version of Bitbucket Server when you first start using Bitbucket Server in AWS.
Amazon Linux Security Updates
The Bitbucket Server AMI is based on Amazon Linux and the latest version of this is used whenever we cut a new release of the Bitbucket Server AMI. Occasionally vulnerabilities in libraries and utilities used in Amazon Linux will be detected and updates posted in the Amazon Linux AMI yum repository. Atlassian will issue new versions of the Bitbucket Server AMI where necessary to ensure new Bitbucket Server AWS instances start with these updates but if you are managing an existing instance you may need to apply these updates yourself. By default, Amazon Linux applies all security updates on reboot. Alternatively you can run "yum update --security".
You may wish to apply other updates from the Amazon Linux AMI yum repository to your Bitbucket Server instance. You must ensure that any updated packages are supported by the version of Bitbucket Server you are running. Bitbucket Server version requirements can always be found on the Supported platforms page.
Bitbucket Server Updates
The Atlassian Bitbucket Server team have a strong release cadence and routinely issue releases including new features, performance and security fixes. It is strongly recommended you keep Bitbucket Server as up to date as possible. To update Bitbucket Server in an existing instance please follow the Bitbucket Server Upgrade Guide.