Hi people,

I'm just testing an EC2 juju deployment, and had a few questions about setup and default secgroups, which aren't addressed in the docs afaics [1].

First, the docs assume that you'll put your primary (administrator) creds in your environment, which is easiest and works, but it would be safer to create a separate identity within your account which you can manage in isolation [2]. So I'm doing that, creating a separate user for the environment and assigning it as a power user [3], but wanted to check whether there is a better setting (or specific policy) to use that will allow juju to do everything it needs and no more?

Second, the default secgroup for an AWS account allows (by default) all tcp/udp between all instances using that same default secgroup. This secgroup is *not* associated with the juju units of the environment (afaict, which is great, because otherwise other instances in other envs but the same account could talk to them, as aws-classic only has one default per account, afaics). Juju seems to create its own "default-for-environment" secgroup which is applied to all the units within the environment (in addition to one per unit), which has similar rules to the above (i.e. all instances can talk to each other over all ports). It also allows inbound access to ssh, 17070 and 37017 for 0.0.0.0/0, which may be a sane default given that you might be deploying from your laptop on different networks, but if you're deploying from a specific machine, it makes sense to restrict those three (no question, just comment).

Finally, unlike openstack secgroups, aws (classic) doesn't allow any outbound filtering rules on the secgroup (?!). Is anyone working around this, or does it require touching iptables on each of the units?

Thanks for any info,
Michael

[1] https://jujucharms.com/docs/config-aws
[2] https://aws.amazon.com/iam/
[3] "Provides full access to AWS services and resources, but does not allow management of Users and groups." I'll create a group and use that instead once I'm sure of the best permissions.
-- Juju mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
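The "restrict those three ports" comment above is the kind of check worth automating before an environment goes live. The following is an added example, not code from Michael's post or from the juju project: it walks a security group description in the JSON shape returned by `aws ec2 describe-security-groups`, flags every inbound rule that admits 0.0.0.0/0, and produces a tightened copy plus the aws-cli revoke/authorize command pairs that would apply it. The sample group, its `sg-` id and the admin CIDR `203.0.113.0/24` are constructed for illustration (the three ports are the ones the post names); the commands are only built as strings, never executed.

```python
"""Audit an EC2 security group for world-open inbound rules and propose a tightened version."""
import ipaddress
import json

ANYWHERE = "0.0.0.0/0"

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Not captured from a real account: group id and name are placeholders; the
# three tcp ports are the ones the juju "default-for-environment" group opens.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "juju-example-env",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 17070, "ToPort": 17070,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 37017, "ToPort": 37017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # Intra-environment rule: all traffic from members of the same group.
        # It has no CIDR range, so it is not a world-open finding.
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
    ],
}


def world_open_rules(group):
    """Return (protocol, from_port, to_port) for each inbound rule that admits 0.0.0.0/0."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if any(r.get("CidrIp") == ANYWHERE for r in perm.get("IpRanges", [])):
            findings.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return findings


def restrict_to(group, admin_cidr):
    """Return a deep copy of the group with every 0.0.0.0/0 source replaced by admin_cidr.

    The original dict is left untouched so the caller can diff before and after.
    """
    # Validate the CIDR up front; strict=False accepts a host address written as a.b.c.d/32.
    ipaddress.ip_network(admin_cidr, strict=False)
    if admin_cidr == ANYWHERE:
        raise ValueError("admin_cidr must narrow the source; 0.0.0.0/0 is the problem, not the fix")
    tightened = json.loads(json.dumps(group))  # cheap deep copy of plain JSON data
    for perm in tightened.get("IpPermissions", []):
        for ip_range in perm.get("IpRanges", []):
            if ip_range.get("CidrIp") == ANYWHERE:
                ip_range["CidrIp"] = admin_cidr
    return tightened


def revoke_authorize_commands(group, admin_cidr):
    """Build the aws-cli command pairs that would swap each world-open source for admin_cidr.

    Returned as strings for review; nothing here talks to AWS.
    """
    ipaddress.ip_network(admin_cidr, strict=False)
    cmds = []
    for proto, lo, hi in world_open_rules(group):
        port_spec = str(lo) if lo == hi else f"{lo}-{hi}"
        common = f"--group-id {group['GroupId']} --protocol {proto} --port {port_spec}"
        cmds.append(f"aws ec2 revoke-security-group-ingress {common} --cidr {ANYWHERE}")
        cmds.append(f"aws ec2 authorize-security-group-ingress {common} --cidr {admin_cidr}")
    return cmds


if __name__ == "__main__":
    for proto, lo, hi in world_open_rules(SAMPLE_GROUP):
        print(f"world-open: {proto} {lo}-{hi}")
    for cmd in revoke_authorize_commands(SAMPLE_GROUP, "203.0.113.0/24"):
        print(cmd)
```

Feeding it real data is a matter of piping `aws ec2 describe-security-groups --group-ids <id>` through `json.load` and taking `SecurityGroups[0]`; the intra-environment `UserIdGroupPairs` rule is deliberately left alone, since that is what lets the units talk to each other. The outbound question in the post is not addressed here: EC2-Classic groups have no egress rules to audit, so any outbound restriction would have to live on the units themselves.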
