Securing Bitbucket Server in AWS
Security Groups
A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. See Amazon EC2 Security Groups for Linux Instances for more information.
We recommend you restrict the security groups that apply to the Bitbucket Server instance to the absolute minimum required. Security groups are additive: an instance can have several groups attached, and every rule in every attached group is in effect at once, so with many groups it can be difficult to understand which restrictions actually apply. For this reason we recommend you condense the applied security groups to as few as possible, and keep only the ports Bitbucket Server needs (HTTPS for web and Git over HTTP, the SSH port for Git over SSH, and administrative SSH from your own address range only).
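The following is an added example, not code from the original page or from Atlassian. It flattens the rules of every security group attached to an instance (in the JSON shape returned by `aws ec2 describe-security-groups`, with constructed sample values) into the single set of rules that is actually in effect, flags anything wider than an Internet-facing Bitbucket Server instance needs, and lists groups whose rules are already granted by other groups and can therefore be dropped when condensing. It assumes the instance serves HTTPS on 443 and Git over SSH on 7999 to the world, and that SSH (22) and the unencrypted Bitbucket port (7990) are only reachable from an operator address range you pass in.

```python
"""Audit the ingress rules in effect across the security groups attached to
one EC2 instance. Added example, not Atlassian's code; all sample data is
constructed and only the field names follow describe-security-groups output."""
import ipaddress

# Constructed sample: four groups attached to one Bitbucket Server instance.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "bitbucket-web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 7990, "ToPort": 7990,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "ops-ssh",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "legacy-all",
     "IpPermissions": [
         {"IpProtocol": "-1",  # "-1" means every protocol and every port
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0d4", "GroupName": "web-duplicate",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

# Constructed sample of the condensed, minimal set this page recommends.
MINIMAL_GROUPS = [
    {"GroupId": "sg-min", "GroupName": "bitbucket-minimal",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 7999, "ToPort": 7999,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

# Assumption: HTTPS (443) and Git over SSH (7999) are public; SSH (22) and the
# plain-HTTP Bitbucket port (7990) may only be reached from the admin range.
PUBLIC_PORTS = {443, 7999}
ADMIN_PORTS = {22, 7990}


def effective_ingress(groups):
    """Union of every attached group's rules as (proto, from, to, cidr) tuples.
    Security groups are additive, so this union is what is really reachable."""
    rules = set()
    for group in groups:
        for perm in group["IpPermissions"]:
            lo = perm.get("FromPort", 0)          # absent for IpProtocol "-1"
            hi = perm.get("ToPort", 65535)
            for rng in perm.get("IpRanges", []):
                rules.add((perm["IpProtocol"], lo, hi, rng["CidrIp"]))
    return rules


def audit(groups, admin_cidr):
    """Findings for rules wider than the minimum; admin_cidr is the range
    operators connect from, the only source allowed to reach ADMIN_PORTS."""
    admin_net = ipaddress.ip_network(admin_cidr)
    findings = []
    for proto, lo, hi, cidr in sorted(effective_ingress(groups)):
        net = ipaddress.ip_network(cidr)
        if proto == "-1" or (lo == 0 and hi == 65535):
            findings.append(f"all ports open to {cidr}")
            continue
        from_admin = net.version == admin_net.version and net.subnet_of(admin_net)
        for port in range(lo, hi + 1):
            if port in PUBLIC_PORTS or (port in ADMIN_PORTS and from_admin):
                continue
            findings.append(f"{proto}/{port} open to {cidr}")
    return findings


def redundant_groups(groups):
    """IDs of groups whose every rule is already granted by the other groups:
    safe candidates to detach when condensing the attached set."""
    per_group = {g["GroupId"]: effective_ingress([g]) for g in groups}
    redundant = []
    for gid, rules in per_group.items():
        others = set().union(*(r for o, r in per_group.items() if o != gid))
        if rules and rules <= others:
            redundant.append(gid)
    return redundant


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, "203.0.113.0/24"):
        print("FINDING:", finding)
    print("redundant groups:", redundant_groups(SAMPLE_GROUPS))
    print("minimal set findings:", audit(MINIMAL_GROUPS, "203.0.113.0/24"))
```

Run against real data by feeding the `SecurityGroups` array from `aws ec2 describe-security-groups --group-ids <ids attached to the instance>` into `audit` in place of the constructed sample; the `-1` protocol and missing port fields are handled as the API returns them. The port sets are the assumption to adjust if your instance terminates TLS elsewhere or uses a non-default SSH port.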
HTTPS
By default, the Bitbucket Server AMI configures Bitbucket Server to serve requests over HTTP, not HTTPS. Unless you reach the AWS VPC your Bitbucket Server resides in over a private path such as a Virtual Private Gateway, every password, session cookie and repository byte will be sent unencrypted over the public Internet. If you intend for your Bitbucket Server instance to be Internet facing, setting ATL_SSL_SELF_CERT_ENABLED=true at launch time is recommended so that HTTPS is enabled from the first boot rather than retrofitted later.
Self-signed SSL certificates
If HTTPS is enabled via ATL_SSL_SELF_CERT_ENABLED=true, a self-signed certificate will be generated for your Bitbucket Server instance. A self-signed certificate encrypts traffic but gives clients no way to tell your instance from an impostor, so if you continue to use it:
- most browsers will display security warnings that must be ignored before proceeding to the Bitbucket Server Web interface,
- Git clients will refuse to connect to Bitbucket Server over HTTPS unless configured to ignore the self-signed certificate with "git config --global http.sslVerify false" (note that this disables certificate checking for every HTTPS remote that client uses, not just Bitbucket Server; scoping the setting to the Bitbucket Server URL, or pointing http.sslCAInfo at the instance's certificate, is less dangerous), and
- Application links and/or integrations with other applications that use Bitbucket Server's REST API and do not accept self-signed certificates may fail.
The self-signed certificate should be replaced with a certificate obtained from a trusted certificate authority (CA) at the earliest opportunity to improve your security and improve the experience of your users.
Domain name
In order to use a trusted CA-issued certificate with your Bitbucket Server instance and to avoid the problems outlined above with self-signed certificates you will first need a static public domain name associated with your instance. Amazon Route 53 and other DNS providers can provide you with this. You will need to ensure you update your DNS record every time your EC2 instance's IP address changes. Using Amazon's Elastic IP Address helps minimise the IP address changes of your instance and thus minimise its day-to-day administration.
Trusted CA-issued certificates
Once you have a static domain name for your EC2 instance you can request that a trusted certificate authority issue a certificate for that domain. Installing the certificate is a straightforward process as long as you first set up your instance to use a self-signed certificate, because the HTTPS listener and keystore are then already in place and only the certificate needs replacing. After installing it, confirm from a client outside the VPC that the certificate presented on port 443 chains to the CA and matches the domain name without any warning or sslVerify override.
Keeping your system up-to-date
It is essential to keep your Bitbucket Server instance up-to-date with patches and updates to maximise security and minimise the opportunity for exploits and misadventure. On first boot a Bitbucket Server AMI instance downloads the latest official release of Bitbucket Server available at that time, so a newly launched instance starts on the current version; it does not update itself after that, so the steps below are yours to carry out for the life of the instance.
Amazon Linux Security Updates
The Bitbucket Server AMI is based on Amazon Linux, and the latest version of it is used whenever we cut a new release of the Bitbucket Server AMI. Occasionally vulnerabilities in libraries and utilities used in Amazon Linux will be detected and updates posted in the Amazon Linux AMI yum repository. Atlassian will issue new versions of the Bitbucket Server AMI where necessary to ensure new Bitbucket Server AWS instances start with these updates, but if you are managing an existing instance you must apply these updates yourself. By default, Amazon Linux installs available security updates on the initial boot of an instance only, not on every reboot, so on a long-running instance run "yum update --security" on a regular schedule, and reboot after a kernel update, which does not take effect until you do.
From time-to-time you may also wish to apply other updates from the Amazon Linux AMI yum repository to your Bitbucket Server instance. You must ensure that any updated packages are supported by the version of Bitbucket Server you are running. Bitbucket Server version requirements can always be found on the Supported platforms page.
Bitbucket Server Updates
The Atlassian Bitbucket Server team has a strong release cadence and routinely issues releases including new features, performance improvements and security fixes. It is strongly recommended you keep Bitbucket Server as up to date as possible. To update Bitbucket Server in an existing instance please follow the Bitbucket Server Upgrade Guide.