
fix(02-use-cases): SRE-Agent Deployment (#179)

* Add missing credential_provider_name parameter to config.yaml.example
* Fix get_config function to properly parse YAML values with inline comments
* Enhanced get_config to prevent copy-paste whitespace errors in AWS identifiers
* Improve LLM provider configuration and error handling with bedrock as default
* Add OpenAPI templating system and fix hardcoded regions
* Add backend template build to Readme
* delete old yaml files
* Fix Cognito setup with automation script and missing domain creation steps
* docs: Add EC2 instance port configuration documentation
  - Document required inbound ports (443, 8011-8014)
  - Include SSL/TLS security requirements
  - Add AWS security group best practices
  - Provide port usage summary table
* docs: Add hyperlinks to prerequisites in README
  - Link EC2 port configuration documentation
  - Link IAM role authentication setup
  - Improve navigation to detailed setup instructions
* docs: Add BACKEND_API_KEY to configuration documentation
  - Document gateway environment variables section
  - Add BACKEND_API_KEY requirement for credential provider
  - Include example .env file format for gateway directory
  - Explain usage in create_gateway.sh script
* docs: Add BACKEND_API_KEY to deployment guide environment variables
  - Include BACKEND_API_KEY in environment variables reference table
  - Mark as required for gateway setup
  - Provide quick reference alongside other required variables
* docs: Add BedrockAgentCoreFullAccess policy and trust policy documentation
  - Document AWS managed policy BedrockAgentCoreFullAccess
  - Add trust policy requirements for bedrock-agentcore.amazonaws.com
  - Reorganize IAM permissions for better clarity
  - Remove duplicate trust policy section
  - Add IAM role requirement to deployment prerequisites
* docs: Document role_name field in gateway config example
  - Explain that role_name is used to create and manage the gateway
  - Specify BedrockAgentCoreFullAccess policy requirement
  - Note trust policy requirement for bedrock-agentcore.amazonaws.com
  - Improve clarity for gateway configuration setup
* docs: Add AWS IP address ranges for production security enhancement
  - Document AWS IP ranges JSON download for restricting access
  - Reference official AWS documentation for IP address ranges
  - Provide security alternatives to 0.0.0.0/0 for production
  - Include examples of restricted security group configurations
  - Enable egress filtering and region-specific access control
* style: Format Python code with black
  - Reformat 14 Python files for consistent code style
  - Apply PEP 8 formatting standards
  - Improve code readability and maintainability
* docs: Update SRE agent prerequisites and setup documentation
  - Convert prerequisites section to markdown table format
  - Add SSL certificate provider examples (no-ip.com, letsencrypt.org)
  - Add Identity Provider (IDP) requirement with setup_cognito.sh reference
  - Clarify that all prerequisites must be completed before setup
  - Add reference to domain name and cert paths needed for BACKEND_DOMAIN
  - Remove Managing OpenAPI Specifications section (covered in use-case setup)
  - Add Deployment Guide link to Development to Production section

  Addresses issues #171 and #174
* fix: Replace 'AWS Bedrock' with 'Amazon Bedrock' in SRE agent files
  - Updated error messages in llm_utils.py
  - Updated comments in both .env.example files
  - Ensures consistent naming convention across SRE agent codebase

--------

Co-authored-by: dheerajoruganty <dheo@amazon.com>
Co-authored-by: Amit Arora <aroraai@amazon.com>
2025-08-01 13:24:58 -04:00
# EC2 Instance Port Configuration
## Overview
This document outlines the required port configurations for EC2 instances in the SRE Agent infrastructure. Every service listening on these ports terminates SSL/TLS, so traffic in transit is encrypted and the server is authenticated to the client.
## Required Inbound Ports
### HTTPS Traffic
- **Port 443 (HTTPS)**: Primary secure web traffic
  - Protocol: TCP
  - Source: 0.0.0.0/0 (open to the Internet)
  - Purpose: Secure web interface and API endpoints
### Application Ports
- **Ports 8011-8014 (Custom Applications)**: Application-specific services
  - Protocol: TCP
  - Source: 0.0.0.0/0 (open to the Internet)
  - Purpose: Internal service communication and application endpoints
  - Note: with this source the services are reachable from anywhere, not only from inside the VPC. Keep their TLS and application-level authentication in place, and narrow the source for production (see Production Security Enhancement below)
## AWS Security Group Best Practices
### Inbound Rules Configuration
- Only allow necessary ports to minimize attack surface; the SRE Agent instance needs only TCP 443 and 8011-8014 inbound
- In the default setup all configured ports are open to Internet traffic (0.0.0.0/0); treat this as a starting point for development, not as the production configuration
- Implement separate security groups for different service tiers
- Application-level security and SSL/TLS protect the data exchanged on these ports, but they do not replace restricting the source; apply both
### SSL/TLS Protection
- All services on configured ports use SSL/TLS encryption
- Certificates can be managed through AWS Certificate Manager (ACM) when TLS is terminated on an AWS-managed endpoint such as a load balancer; a certificate installed directly on the instance is issued by a public CA (for example Let's Encrypt) and must be renewed before it expires
- Enforce HTTPS redirects for web traffic on port 443
### Security Recommendations
- Regular security group audits and reviews
- Use descriptive names and tags for security groups
- Implement least privilege access principles
- Monitor traffic patterns and unusual access attempts
- Consider using AWS WAF for additional web application protection
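The security group audit recommended above can be scripted so it runs on a schedule rather than by hand. The block below is an added example written for this document; it is not code from the SRE Agent project. It checks a security group's inbound rules, in the `IpPermissions` shape the EC2 `DescribeSecurityGroups` API returns (an assumption of this example), against the port table in this document: ports outside 443 and 8011-8014 are findings, required ports with no rule are findings, and in production mode any rule whose source is the whole Internet is a finding too. The sample group is constructed inline so the script runs offline; to audit a real group, pass `ec2.describe_security_groups(GroupIds=["sg-..."])["SecurityGroups"][0]["IpPermissions"]` from boto3.

```python
"""Audit EC2 security-group inbound rules against the SRE Agent port table.

Added example for this document, not SRE Agent project code.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# TCP ports the document requires inbound; anything else is a finding.
EXPECTED_TCP_PORTS = frozenset({443, 8011, 8012, 8013, 8014})


def _sources(perm: dict) -> list[str]:
    """Collect every source (CIDR, prefix list, security group) of one rule."""
    srcs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    srcs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    srcs += [r["PrefixListId"] for r in perm.get("PrefixListIds", [])]
    srcs += [r["GroupId"] for r in perm.get("UserIdGroupPairs", [])]
    return srcs


def _is_whole_internet(source: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; prefix lists and group IDs are never 'open'."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_ingress(ip_permissions: Iterable[dict], production: bool = False) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the group matches the table.

    Codes: all-traffic, unexpected-protocol, unexpected-port, open-to-internet
    (production only), missing-port.
    """
    findings: list[tuple[str, str]] = []
    covered: set[int] = set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        srcs = _sources(perm)
        if proto == "-1":  # "all traffic" rule: no FromPort/ToPort present
            findings.append(("all-traffic", f"all protocols and ports allowed from {srcs}"))
            continue
        if proto not in ("tcp", "6"):
            findings.append(("unexpected-protocol", f"{proto} allowed from {srcs}"))
            continue
        from_port, to_port = perm["FromPort"], perm["ToPort"]
        ports = set(range(from_port, to_port + 1))
        covered |= ports & EXPECTED_TCP_PORTS
        extra = sorted(ports - EXPECTED_TCP_PORTS)
        if extra:
            findings.append(("unexpected-port",
                             f"{len(extra)} tcp port(s) outside the table (e.g. {extra[:5]}) from {srcs}"))
        if production:
            for src in srcs:
                if _is_whole_internet(src):
                    findings.append(("open-to-internet", f"tcp {from_port}-{to_port} reachable from {src}"))
    missing = sorted(EXPECTED_TCP_PORTS - covered)
    if missing:
        findings.append(("missing-port", f"required tcp port(s) {missing} have no inbound rule"))
    return findings


# Constructed sample: the document's default (everything open to the Internet)
# plus a stray SSH rule added by hand. Not real describe-security-groups output.
SAMPLE_SG = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "HTTPS"}]},
    {"IpProtocol": "tcp", "FromPort": 8011, "ToPort": 8014,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "SRE Agent services"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"production={mode}")
        for code, msg in audit_ingress(SAMPLE_SG, production=mode):
            print(f"  [{code}] {msg}")
```

In development mode the sample yields one finding (port 22); in production mode it also reports each of the three rules as open to the Internet. Running the audit against a group that lacks a rule for 8011-8014 produces a `missing-port` finding, so the script catches both over-exposure and a broken deployment.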
### Production Security Enhancement
For production environments, you can enhance security by restricting access to AWS IP address ranges instead of allowing all internet traffic (0.0.0.0/0). These ranges are shared by every AWS customer, so this narrows exposure to callers hosted on AWS; it does not identify your callers, and authentication on the services still applies:
**Download AWS IP Ranges:**
```bash
curl -O https://ip-ranges.amazonaws.com/ip-ranges.json
```
You can use the [AWS IP address ranges](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) to:
- Identify traffic from AWS services
- Allow traffic only from specific AWS regions (filter the `prefixes` entries by `region` and `service`)
- Implement egress filtering for better security
- Use managed prefix lists for automated updates: an AWS-managed list where one exists for the service, otherwise a customer-managed prefix list that you refresh from the JSON; the file changes over time, so compare its `syncToken` on each run or subscribe to the AmazonIpSpaceChanged SNS notification
**Example Security Group Configuration:**
Instead of `0.0.0.0/0`, you can specify:
- AWS service IP ranges from the JSON file
- Specific company/customer IP ranges
- VPC CIDR blocks for internal communication
- Load balancer subnet ranges
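The steps above (download the JSON, pick the regions and services you trust, replace `0.0.0.0/0` with those CIDRs on the required ports) can be done in a few lines. The following is an added example written for this document, not code from the SRE Agent project. It assumes the published `ip-ranges.json` layout (`prefixes` entries with `ip_prefix`, `region`, `service`; `ipv6_prefixes` entries with `ipv6_prefix`), collapses overlapping prefixes (the `AMAZON` service is a superset of `EC2`, so duplicates are common), and emits the `IpPermissions` JSON that `aws ec2 authorize-security-group-ingress --ip-permissions file://perms.json` accepts. The tiny ranges document in the block is constructed from RFC 5737/3849 documentation prefixes; pass the path of the real downloaded file to `load_ip_ranges` for actual use.

```python
"""Turn ip-ranges.json into restricted security-group ingress rules.

Added example for this document, not SRE Agent project code.
"""
from __future__ import annotations

import ipaddress
import json
from pathlib import Path

# TCP port ranges the document requires, as (from, to) pairs.
SRE_AGENT_PORTS = [(443, 443), (8011, 8014)]

# Constructed sample in the same shape as the real ip-ranges.json, using
# documentation prefixes rather than real AWS ranges.
SAMPLE_IP_RANGES = {
    "syncToken": "0",
    "createDate": "2025-08-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    ],
}


def load_ip_ranges(path: str | None = None) -> dict:
    """Load a downloaded ip-ranges.json; with no path, use the constructed sample."""
    if path is None:
        return SAMPLE_IP_RANGES
    return json.loads(Path(path).read_text())


def select_cidrs(ip_ranges: dict, regions: set[str], services: set[str], ipv6: bool = True) -> list[str]:
    """Return the CIDRs for the chosen regions/services, merged so no prefix overlaps another."""
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in ip_ranges["prefixes"]
          if p["region"] in regions and p["service"] in services]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"]) for p in ip_ranges.get("ipv6_prefixes", [])
          if p["region"] in regions and p["service"] in services] if ipv6 else []
    # collapse_addresses works per address family; it drops prefixes contained in others.
    nets = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in nets]


def build_ip_permissions(cidrs: list[str], ports=SRE_AGENT_PORTS, description: str = "AWS ip-ranges") -> list[dict]:
    """Shape the CIDRs into EC2 IpPermissions, one entry per required port range."""
    v4 = [{"CidrIp": c, "Description": description} for c in cidrs if ":" not in c]
    v6 = [{"CidrIpv6": c, "Description": description} for c in cidrs if ":" in c]
    perms = []
    for from_port, to_port in ports:
        entry = {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port}
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        perms.append(entry)
    return perms


def rule_count(perms: list[dict]) -> int:
    """Every CIDR in every entry counts toward the per-group inbound rule quota."""
    return sum(len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", [])) for p in perms)


if __name__ == "__main__":
    cidrs = select_cidrs(load_ip_ranges(), regions={"us-east-1"}, services={"AMAZON", "EC2"})
    perms = build_ip_permissions(cidrs)
    print(json.dumps(perms, indent=2))
    print(f"{rule_count(perms)} inbound rules; past the group quota, move the CIDRs into a managed prefix list")
```

Run it as `python build_rules.py > perms.json` and apply with `aws ec2 authorize-security-group-ingress --group-id <sg-id> --ip-permissions file://perms.json` (the file name is hypothetical). With the real JSON a single region's `EC2` ranges run to hundreds of prefixes, far past what one security group holds, which is why the `rule_count` check is there: at that size, create a customer-managed prefix list with the CIDRs and reference the list from the rule instead.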
## Port Usage Summary
| Port | Protocol | Purpose | SSL Required |
|------|----------|---------|--------------|
| 443 | TCP | HTTPS Web Traffic | Yes |
| 8011 | TCP | Application Service | Yes |
| 8012 | TCP | Application Service | Yes |
| 8013 | TCP | Application Service | Yes |
| 8014 | TCP | Application Service | Yes |
## Compliance Notes
- Every service listening on a configured port must terminate SSL/TLS; the security group controls reachability only and does not enforce encryption
- Regular security assessments should include port configuration reviews
- Monitor and log all traffic on configured ports for security analysis (VPC Flow Logs record accepted and rejected connections at the network interface)