14. Security Concerns and Best Practices

Best practices for configuring your CPM server. Using and configuring AWS Identity and Access Management (IAM). Setting the CPM security policies.

14 – Security Concerns and Best Practices

Security is one of the main issues and barriers in decisions regarding moving business applications and data to the cloud. The basic question is whether the cloud is as secure as keeping your critical applications and data in your own data center. There is probably no one simple answer to this question, as it depends on many factors.

 

Prominent cloud service providers like Amazon Web Services are investing a huge amount of resources so people and organizations can answer ‘yes’ to the question in the previous paragraph. AWS has introduced many features to enhance the security of its cloud. Examples are elaborate authentication and authorization schemes, secure APIs, security groups, IAM, Virtual Private Cloud (VPC), and more.

 

CPM strives to be as secure as the cloud it is in. It has many features that provide you with a secure solution.

 

 

14.1 – CPM Server

CPM Server’s security features are:

  • Since you are the one who launches the CPM server instance, it belongs to your AWS account. It is protected by security groups you control and define. It can also run in a VPC.
  • All the metadata CPM stores is kept in an EBS volume belonging to your AWS account. It can only be created, deleted, attached, or detached from within your account.
  • You can only communicate with the CPM server using HTTPS or SSH, both secure protocols, which means that all communication to and from CPM is encrypted. Also, when connecting to AWS endpoints, CPM will verify that the SSL server-side certificates are valid.
  • Every CPM has a unique self-signed SSL certificate. It is also possible to use your own SSL certificate.
  • AWS account secret keys are saved in an encrypted format in CPM’s database.
  • CPM supports using different AWS credentials for backup and recovery.
  • CPM Server supports IAM Roles. If the CPM Server instance is assigned an adequate IAM role at launch time, you can use cross-account IAM roles to “assume” roles from the main IAM role of the CPM instance account to all of the other AWS accounts you manage and not type AWS credentials at all.
  • To manage CPM, you need to authenticate using a username and password.
  • CPM allows creating multiple users to separately manage the backup of different AWS accounts, except in the Basic Edition.

 

 

14.2 – Best Security Practices for CPM

Implementing all or some of the following best practices depends on your company’s needs and regulations. Some of the practices may make the day-to-day work with CPM a bit cumbersome, so it is your decision whether to implement them or not.

 

14.2.1 – Avoid using AWS Credentials

By using the CPM Server instance IAM role and cross-account IAM role, you can manage multiple AWS accounts without using AWS credentials (access and secret keys) at all. This is the most secure way to manage multiple AWS accounts and the one recommended by AWS.

 

14.2.2 – Credentials Rotation

Assuming you have to use AWS credentials, you should follow AWS practices. It is recommended to rotate account credentials from time to time. See http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#CredentialRotation

 

After changing credentials in AWS, you need to update them in CPM. Click on the account name in the Accounts management screen and modify the access and secret keys.

 

14.2.3 – Passwords

Create a strong password for the CPM server and make sure no one can access it. Change passwords from time to time. CPM does not enforce any password rules. It is the user’s responsibility to create strong passwords.

 

14.2.4 – Security Groups

Since CPM server is an instance in your account, you can define and configure its security groups. Even though CPM is a secure product, you can block access from unauthorized addresses:

  • You need HTTPS access (original 443 port or your customized port) from:
    • Any machine which will need to open the management application
    • Machines that have CPM Thin Backup Agent installed on them
  • You will also need to allow SSH access to create and maintain backup scripts.
  • Blocking anyone else will make CPM server invisible to the world and therefore completely bullet-proof.

Note: The only problem with this approach is that whenever you add new backup agents, or connect to the management console or SSH from a different IP address, you will need to change the security group settings.
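One way to check that a CPM server's security group follows the rules above, as an added example that is not part of the original guide. The input uses the IpPermissions shape returned by EC2 DescribeSecurityGroups; the sample rules, the approved networks and the function name are constructed for illustration.

```python
import ipaddress

MGMT_PORTS = {443, 22}  # HTTPS (default port) and SSH, per the list above

def exposed_rules(ip_permissions, approved_cidrs, ports=MGMT_PORTS):
    """Return (port, cidr) pairs that open a management port to a source
    outside the approved networks."""
    approved = [ipaddress.ip_network(c, strict=False) for c in approved_cidrs]
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # "all traffic": every port is open
            hit = set(ports)
        elif proto == "tcp":
            lo, hi = perm["FromPort"], perm["ToPort"]
            hit = {p for p in ports if lo <= p <= hi}
        else:
            continue
        if not hit:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            ok = any(net.version == a.version and net.subnet_of(a) for a in approved)
            if not ok:
                findings.extend((p, cidr) for p in sorted(hit))
    return findings

# Constructed sample: admin office, agent subnet, and two rules that are too wide.
APPROVED = ["203.0.113.0/24", "10.0.5.0/24"]
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "10.0.5.17/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},
]

if __name__ == "__main__":
    for port, cidr in exposed_rules(SAMPLE, APPROVED):
        print(f"port {port} reachable from unapproved source {cidr}")
```

If CPM listens on a customized HTTPS port, pass it in the `ports` argument instead of 443.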

 

 

14.3 – Using IAM

CPM keeps your AWS credentials safe. However, it is preferable to use IAM roles and not use credentials at all. Additionally, CPM will not accept root user credentials. To minimize risk, try:

  • To provide credentials that are potentially less dangerous if they are compromised, or
  • To set IAM roles, which will save you the need of typing in credentials at all.

 

You can create IAM users/roles and use them in CPM as follows:

  1. Create a user/role using IAM.
  2. Attach a user policy to it.
  3. Use the policy generator to give the user custom permissions.

 

An IAM role can also be used in the CPM Server (for the account the CPM Server was launched in) and for instances running CPM Agent to perform the configuration stage as well as normal operations by combining some of the policies. You can attach more than one IAM policy to any IAM user or role.

 

The permissions the IAM policy must have depend on what you want the policy to do. For more information about IAM, see IAM documentation: http://aws.amazon.com/documentation/iam/

 

14.3.1 – CPM Server Configuration Process

AWS credentials in the CPM configuration process are only used for configuring the new server. However, if you want to use IAM credentials for the CPM configuration process, or to use the IAM role associated with the CPM Server instance, its IAM policy should enable CPM to:

  • View volumes, instances, tags and security groups
  • Create EBS volumes
  • Attach EBS volumes to instances
  • Create tags

 

Generally, if you want to use an IAM role with the CPM Server instance, you will need the following policy and the policies for CPM Server’s normal operations, as described in the next section.

 

Minimal IAM Policy for CPM Configuration

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes"
      ],
      "Sid": "Stmt1374233119000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}

 

14.3.2 – CPM Server IAM Settings

You can use the CPM Server’s IAM role to manage backups of the same AWS account. If you manage multiple AWS accounts, you will still either need to create cross-account roles or enter the credentials for other accounts. If you want to use an IAM user for an account managed by CPM Server (or the IAM role), you need to decide whether you want to support backup only or recovery as well. There is a substantial difference:

  • For backup you only need to manipulate snapshots.
  • For recovery you will need to create volumes, create instances and create RDS databases. Plus, you will need to attach and detach volumes and even delete volumes. If your credentials fall into the wrong hands, recovery credentials can be more harmful.
  • If you use a backup-only IAM user or role, then you will need to enter ad-hoc credentials when you perform a recovery operation.
  • Generally, if you want to use the IAM role with the CPM Server instance, you will need a certain policy, or policies, for CPM Server’s normal operations. For details, see the N2WS Knowledge Base article on minimal IAM policies at https://support.n2ws.com/portal/kb/articles/what-are-the-required-minimal-aws-permissions-roles-for-cpm-operation

 

You can check on the permissions required for AWS services and resources, such as backup, RDS, and DynamoDB, and compare them to the policies which cover the requirements. In the Accounts management screen, click the Check AWS Permissions button in the Actions column. Figure 14‑1 shows an example of the account permission check output.


Figure 14‑1

 

To download a summary report of an account’s current permissions, click Permission Summary in the Reports column.

 

14.3.3 – Configure CPM’s IAM Role with CloudFormation

CloudFormation is an AWS service that allows you to treat a collection of AWS resources as one logical unit. CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment, across all regions and accounts in an automated and secure manner.

 

The IAM role will automatically contain the required permissions for CPM operations.

 

14.3.4 – CPM Agent IAM Role

If you are using CPM agents in your environment and do not wish the CPM Server to actually send credentials to them, you can associate the Windows instance the CPM agent is on with an IAM role at launch time. The IAM role needs fewer permissions than CPM Server:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:ModifySnapshotAttribute"
      ],
      "Sid": "Stmt1374250341000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:CreateDBSnapshot",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots"
      ],
      "Sid": "Stmt1374250440000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}

Note: If you do not use CPM with RDS at all, you can omit all RDS permissions from your IAM policies.
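The backup-only versus recovery distinction drawn in 14.3.2 can be checked mechanically before a policy is attached. The following is an added example, not code from the guide or from CPM: the mapping of recovery operations to AWS API action names and the function names are assumptions, and the over-broad policy is constructed.

```python
from fnmatch import fnmatchcase

# Assumption: the recovery operations named in 14.3.2, mapped to AWS API actions.
RECOVERY_ACTIONS = [
    "ec2:CreateVolume", "ec2:RunInstances", "ec2:AttachVolume",
    "ec2:DetachVolume", "ec2:DeleteVolume",
    "rds:RestoreDBInstanceFromDBSnapshot",
]

def granted_patterns(policy):
    """Yield each Action pattern from Allow statements (string or list form).
    Deny statements and NotAction are not evaluated here."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)

def recovery_grants(policy):
    """Return the recovery-level actions the policy allows, wildcards included."""
    pats = [p.lower() for p in granted_patterns(policy)]  # action names are case-insensitive
    return [a for a in RECOVERY_ACTIONS
            if any(fnmatchcase(a.lower(), p) for p in pats)]

def allow(*actions):
    """Build a one-statement policy document for the samples below."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": ["*"]}]}

# Actions copied from the CPM Agent policy on this page.
AGENT = allow(
    "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances",
    "ec2:DescribeRegions", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots",
    "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes",
    "ec2:ModifySnapshotAttribute", "rds:CreateDBSnapshot", "rds:DescribeDBInstances",
    "rds:DescribeDBSnapshots")
# Non-Describe actions copied from the configuration policy in 14.3.1.
CONFIG = allow("ec2:AttachVolume", "ec2:AuthorizeSecurityGroupEgress",
               "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateTags", "ec2:CreateVolume")
# Constructed over-broad policy using a wildcard and the single-statement form.
BROAD = {"Version": "2012-10-17",
         "Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, pol in (("agent", AGENT), ("config", CONFIG), ("broad", BROAD)):
        print(name, recovery_grants(pol) or "backup-only")
```

An empty result means the policy stays within snapshot-level operations; any listed action marks credentials that 14.3.2 describes as more harmful if they fall into the wrong hands.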

 

14.4 – Thin Backup Agent

The CPM Thin Backup Agent is used for Windows instances that need to perform application quiescence using VSS or backup scripts. The agent communicates with the CPM Server using the HTTPS protocol.

 

No sensitive information passes between the backup agent and the CPM Server.
