Any security issues with creating EC2 ami with Chef Server installed?


#1

Hey all,

I’m relatively new to chef so I’m wondering if there’s any security issues if I make an ec2 ami of an instance that’s running chef server?

Currently to create an open source chef server, I’d have to

  1. Create EC2 instance
  2. SSH into the instance
  3. Wget & dpfg using the omnibus installer
  4. sudo chef-server-ctl reconfigure

At this point, I’d like to make an EC2 ami & reuse it in future.

Thank you for your help in advance! :slight_smile:

Ritesh


#2

On Fri, Dec 20, 2013 at 1:18 AM, Ritesh Angural
ritesh.angural@gmail.com wrote:

I’m relatively new to chef so I’m wondering if there’s any security issues if I make an ec2 ami of an instance that’s running chef server?

Currently to create an open source chef server, I’d have to

  1. Create EC2 instance
  2. SSH into the instance
  3. Wget & dpfg using the omnibus installer
  4. sudo chef-server-ctl reconfigure

At this point, I’d like to make an EC2 ami & reuse it in future.

If you do point #4 and then snapshot the machine, the generated keys
for the Chef server will be identical for every instance you launch
from the AMI. That could be a security problem.

You should also be aware of
https://tickets.opscode.com/browse/CHEF-4883. Until we have a fix,
ensure that you launch the instance into a security group that doesn’t
have wide-open ports.

  • Julian


[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]


#3

Thanks Julian! Exactly the clarification I was looking for :slight_smile:

Ritesh
On Dec 20, 2013, at 10:56 PM, Julian C. Dunn jdunn@aquezada.com wrote:

On Fri, Dec 20, 2013 at 1:18 AM, Ritesh Angural
ritesh.angural@gmail.com wrote:

I’m relatively new to chef so I’m wondering if there’s any security issues if I make an ec2 ami of an instance that’s running chef server?

Currently to create an open source chef server, I’d have to

  1. Create EC2 instance
  2. SSH into the instance
  3. Wget & dpfg using the omnibus installer
  4. sudo chef-server-ctl reconfigure

At this point, I’d like to make an EC2 ami & reuse it in future.

If you do point #4 and then snapshot the machine, the generated keys
for the Chef server will be identical for every instance you launch
from the AMI. That could be a security problem.

You should also be aware of
https://tickets.opscode.com/browse/CHEF-4883. Until we have a fix,
ensure that you launch the instance into a security group that doesn’t
have wide-open ports.

  • Julian


[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]