Securing Stash in AWS

This page describes security best practices for running and maintaining Stash in AWS.

Amazon Virtual Private Cloud (VPC) and Subnets

Amazon VPC enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS. See Amazon EC2 and Amazon Virtual Private Cloud for more information.

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. Use a public subnet for resources that must be connected to the Internet, and a private subnet for resources that won't be connected to the Internet.

See Amazon's article called Your VPC and Subnets for a general overview of VPCs and subnets.

To bolster the security of your VPC you may wish to enable one or more of the following:

Secure your VPC with a firewall virtual appliance / AMI to defend against unauthorised network activity
Configure a site-to-site VPN to ensure information is transferred securely between Stash and its users
Configure an intrusion prevention or intrusion detection virtual appliance to detect when unauthorised network activity has occurred
Enable Amazon CloudTrail to log VPC API operations and keep an audit trail of network changes

Security Groups

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. See Amazon EC2 Security Groups for Linux Instances for more information.

We recommend you restrict the security groups that apply to the Stash instance to the absolute minimum required. As an instance can have up to a hundred security groups applied to it, it can be difficult to understand which restrictions are in effect. It is for this reason we recommend you condense the applied security groups to as few as possible.

HTTPS

By default, the Stash AMI configures Stash to serve requests over HTTP not HTTPS. If you are not connected to the AWS VPC your Stash resides in via a Virtual Private Gateway, then all passwords and data will be sent unencrypted over the public Internet. If you intend for your Stash instance to be Internet facing, setting ATL_SSL_SELF_CERT_ENABLED=true is recommended to enable HTTPS to your instance at launch time.

Self-signed SSL certificates

If HTTPS is enabled via ATL_SSL_SELF_CERT_ENABLED=true a self-signed certificate will be generated for your Statsh instance.

If you continue to use the self-signed certificate:

most browsers will display security warnings that must be ignored before proceeding to the Stash Web interface,
Git clients will refuse to connect to Stash over HTTPS unless configured to ignore the self-signed certificate with git config --global http.sslVerify false, and
Application links and/or integrations with other applications that use Stash's REST API and do not accept self-signed certificates may fail.

The self-signed certificate should be replaced with a certificate obtained from a trusted certificate authority (CA) at the earliest opportunity to improve your security and improve the experience of your users.

Domain name

In order to use a trusted CA-issued certificate with your Stash instance and to avoid the problems outlined above with self-signed certificates you will first need a static public domain name associated with your instance. Amazon Route 53 and other DNS providers can provide you with this. You will need to ensure you update your DNS record every time your EC2 instance's IP address changes. Using Amazon's Elastic IP Address helps minimise the IP address changes of your instance and thus minimise its day-to-day administration.

Trusted CA-issued certificates

Once you have a static domain name for your EC2 instance you can request a trusted certificate authority issue a certificate for use with this domain / instance. Installing the certificate is a straight-forward process as long as you first set up your instance to use a self-signed certificate.

Keeping your system up-to-date

It is essential to keep your Stash instance up-to-date with patches and updates to maximise security and minimise opportunity for exploits and misadventure. On first boot a Stash AMI instance will download the latest official release of Stash at that time so you are assured of having the very latest version of Stash when you first start using Stash in AWS.

Please be sure to always perform a backup of your instance before attempting any update.

Amazon Linux Security Updates

The Stash AMI is based on Amazon Linux and the latest version of this is used whenever we cut a new release of the Stash AMI. Occasionally vulnerabilities in libraries and utilities used in Amazon Linux will be detected and updates posted in the Amazon Linux AMI yum repository. Atlassian will issue new versions of the Stash AMI where necessary to ensure new Stash AWS instances start with these updates but if you are managing an existing instance you may need to apply these updates yourself. By default, Amazon Linux applies all security updates on reboot. Alternatively you can run "yum update --security".

From time-to-time you may also wish to apply other updates from the Amazon Linux AMI yum repository to your Stash instance. You must ensure that any updated packages are supported by the version of Stash you are running. Stash version requirements can always be found on the Supported platforms page.

Stash Updates

The Atlassian Stash team have a strong release cadence and routinely issue releases including new features, performance and security fixes. It is strongly recommended you keep Stash as up to date as possible. To update Stash in an existing instance please follow the Stash Upgrade Guide.

Page tree