A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. See Amazon EC2 Security Groups for Linux Instances for more information.
We recommend you restrict the security groups that apply to the Stash instance to the absolute minimum required. As an instance can have up to a hundred security groups applied to it, it can be difficult to understand which restrictions are in effect. It is for this reason we recommend you condense the applied security groups to as few as possible.
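As an added example (not from this page or from Atlassian), the following audit script applies the "absolute minimum" rule above to the JSON produced by `aws ec2 describe-security-groups`, flagging any ingress rule that is open to the world on a port other than HTTPS or that allows SSH from outside an assumed admin range. The sample document and the 203.0.113.0/24 admin range are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output (not real data).
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "stash-web", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
  {"IpProtocol": "tcp", "FromPort": 7990, "ToPort": 7990,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "stash-admin", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
]}
""")

# Assumed policy: only HTTPS may be reachable from anywhere; SSH only from the admin range.
WORLD_OK_PORTS = {443}
ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder admin range (TEST-NET-3)

def _ports(perm):
    """Port range covered by a rule; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]

def _cidrs(perm):  # IPv4 and IPv6 source ranges of one rule
    yield from (r["CidrIp"] for r in perm.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))

def audit(doc):
    """Return (group_id, (from, to), cidr, reason) for each ingress rule violating the policy."""
    findings = []
    for group in doc["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            lo, hi = _ports(perm)
            for cidr in _cidrs(perm):
                net = ipaddress.ip_network(cidr)
                if net.prefixlen == 0 and not (lo == hi and lo in WORLD_OK_PORTS):
                    findings.append((group["GroupId"], (lo, hi), cidr, "open to the world"))
                elif lo <= 22 <= hi and not any(
                        net.version == a.version and net.subnet_of(a) for a in ADMIN_NETS):
                    findings.append((group["GroupId"], (lo, hi), cidr, "SSH from non-admin range"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```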
By default, the Stash AMI configures Stash to serve requests over HTTP, not HTTPS. If you are not connected to the AWS VPC your Stash resides in via a Virtual Private Gateway, then all passwords and data will be sent unencrypted over the public Internet. If you intend for your Stash instance to be Internet facing, setting ATL_SSL_SELF_CERT_ENABLED=true is recommended to enable HTTPS to your instance at launch time.
If HTTPS is enabled via ATL_SSL_SELF_CERT_ENABLED=true, a self-signed certificate will be generated for your Stash instance. If you continue to use the self-signed certificate, Git clients will refuse to connect over HTTPS until they are configured to trust it; the common workaround, git config --global http.sslVerify false, disables certificate verification entirely and with it any protection against a man-in-the-middle. The self-signed certificate should be replaced with a certificate obtained from a trusted certificate authority (CA) at the earliest opportunity to improve your security and improve the experience of your users.
In order to use a trusted CA-issued certificate with your Stash instance and to avoid the problems outlined above with self-signed certificates you will first need a static public domain name associated with your instance. Amazon Route 53 and other DNS providers can provide you with this. You will need to ensure you update your DNS record every time your EC2 instance's IP address changes. Using Amazon's Elastic IP Address helps minimise the IP address changes of your instance and thus minimise its day-to-day administration.
Once you have a static domain name for your EC2 instance, you can request that a trusted certificate authority issue a certificate for use with this domain and instance. Installing the certificate is a straightforward process as long as you first set up your instance to use a self-signed certificate.
It is essential to keep your Stash instance up-to-date with patches and updates to maximise security and minimise opportunity for exploits and misadventure. On first boot a Stash AMI instance will download the latest official release of Stash at that time so you are assured of having the very latest version of Stash when you first start using Stash in AWS.
The Stash AMI is based on Amazon Linux, and the latest version of it is used whenever we cut a new release of the Stash AMI. Occasionally vulnerabilities in libraries and utilities used in Amazon Linux will be detected and updates posted in the Amazon Linux AMI yum repository. Atlassian will issue new versions of the Stash AMI where necessary to ensure new Stash AWS instances start with these updates, but if you are managing an existing instance you may need to apply these updates yourself. By default, Amazon Linux applies all security updates on reboot. Alternatively you can run "yum update --security".
From time to time you may also wish to apply other updates from the Amazon Linux AMI yum repository to your Stash instance. You must ensure that any updated packages are supported by the version of Stash you are running. Stash version requirements can always be found on the Supported platforms page.
The Atlassian Stash team have a strong release cadence and routinely issue releases including new features, performance and security fixes. It is strongly recommended you keep Stash as up to date as possible. To update Stash in an existing instance please follow the Stash Upgrade Guide.