mirror of
https://github.com/awslabs/amazon-bedrock-agentcore-samples.git
synced 2025-09-08 20:50:46 +00:00
* Add missing credential_provider_name parameter to config.yaml.example
* Fix get_config function to properly parse YAML values with inline comments
* Enhanced get_config to prevent copy-paste whitespace errors in AWS identifiers
* Improve LLM provider configuration and error handling with bedrock as default
* Add OpenAPI templating system and fix hardcoded regions
* Add backend template build to Readme
* delete old yaml files
* Fix Cognito setup with automation script and missing domain creation steps
* docs: Add EC2 instance port configuration documentation
  - Document required inbound ports (443, 8011-8014)
  - Include SSL/TLS security requirements
  - Add AWS security group best practices
  - Provide port usage summary table
* docs: Add hyperlinks to prerequisites in README
  - Link EC2 port configuration documentation
  - Link IAM role authentication setup
  - Improve navigation to detailed setup instructions
* docs: Add BACKEND_API_KEY to configuration documentation
  - Document gateway environment variables section
  - Add BACKEND_API_KEY requirement for credential provider
  - Include example .env file format for gateway directory
  - Explain usage in create_gateway.sh script
* docs: Add BACKEND_API_KEY to deployment guide environment variables
  - Include BACKEND_API_KEY in environment variables reference table
  - Mark as required for gateway setup
  - Provide quick reference alongside other required variables
* docs: Add BedrockAgentCoreFullAccess policy and trust policy documentation
  - Document AWS managed policy BedrockAgentCoreFullAccess
  - Add trust policy requirements for bedrock-agentcore.amazonaws.com
  - Reorganize IAM permissions for better clarity
  - Remove duplicate trust policy section
  - Add IAM role requirement to deployment prerequisites
* docs: Document role_name field in gateway config example
  - Explain that role_name is used to create and manage the gateway
  - Specify BedrockAgentCoreFullAccess policy requirement
  - Note trust policy requirement for bedrock-agentcore.amazonaws.com
  - Improve clarity for gateway configuration setup
* docs: Add AWS IP address ranges for production security enhancement
  - Document AWS IP ranges JSON download for restricting access
  - Reference official AWS documentation for IP address ranges
  - Provide security alternatives to 0.0.0.0/0 for production
  - Include examples of restricted security group configurations
  - Enable egress filtering and region-specific access control
* style: Format Python code with black
  - Reformat 14 Python files for consistent code style
  - Apply PEP 8 formatting standards
  - Improve code readability and maintainability
* docs: Update SRE agent prerequisites and setup documentation
  - Convert prerequisites section to markdown table format
  - Add SSL certificate provider examples (no-ip.com, letsencrypt.org)
  - Add Identity Provider (IDP) requirement with setup_cognito.sh reference
  - Clarify that all prerequisites must be completed before setup
  - Add reference to domain name and cert paths needed for BACKEND_DOMAIN
  - Remove Managing OpenAPI Specifications section (covered in use-case setup)
  - Add Deployment Guide link to Development to Production section
  Addresses issues #171 and #174
* fix: Replace 'AWS Bedrock' with 'Amazon Bedrock' in SRE agent files
  - Updated error messages in llm_utils.py
  - Updated comments in both .env.example files
  - Ensures consistent naming convention across SRE agent codebase
---------
Co-authored-by: dheerajoruganty <dheo@amazon.com>
Co-authored-by: Amit Arora <aroraai@amazon.com>
2.8 KiB
# EC2 Instance Port Configuration

## Overview

This document lists the inbound port configuration required for the EC2 instances that host the SRE Agent backend. Every service on these ports is served over SSL/TLS, so traffic is encrypted in transit.
## Required Inbound Ports

### HTTPS Traffic

- Port 443 (HTTPS): primary secure web traffic
  - Protocol: TCP
  - Source: 0.0.0.0/0 (open to the internet)
  - Purpose: secure web interface and API endpoints

### Application Ports

- Ports 8011-8014 (custom applications): application-specific services
  - Protocol: TCP
  - Source: 0.0.0.0/0 (open to the internet)
  - Purpose: internal service communication and application endpoints
## AWS Security Group Best Practices

### Inbound Rules Configuration

- Only allow the ports listed above, to minimize the attack surface
- In the default configuration all listed ports are open to internet traffic (0.0.0.0/0); see Production Security Enhancement below for narrowing the source ranges
- Use separate security groups for different service tiers
- Rely on application-level authentication and SSL/TLS for protection of the exposed endpoints
### SSL/TLS Protection

- All services on the configured ports use SSL/TLS encryption
- Certificates should be managed through AWS Certificate Manager (ACM)
- Enforce HTTPS redirects for web traffic on port 443
### Security Recommendations

- Audit and review security groups regularly
- Use descriptive names and tags for security groups
- Apply least-privilege access principles
- Monitor traffic patterns and unusual access attempts
- Consider AWS WAF for additional web application protection
## Production Security Enhancement

For production environments, you can tighten the inbound rules by restricting the source to AWS IP address ranges instead of allowing all internet traffic (0.0.0.0/0).

Download the AWS IP ranges:

```bash
curl -O https://ip-ranges.amazonaws.com/ip-ranges.json
```

You can use the AWS IP address ranges to:

- Identify traffic originating from AWS services
- Allow traffic only from specific AWS regions
- Implement egress filtering for better security
- Use AWS-managed prefix lists so the ranges update automatically

Example security group configuration: instead of 0.0.0.0/0, you can specify:

- AWS service IP ranges taken from the JSON file
- Specific company/customer IP ranges
- VPC CIDR blocks for internal communication
- Load balancer subnet ranges
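The restriction described above, as an added example that is not part of the SRE Agent project: it selects prefixes for one region and service set from a file in the ip-ranges.json format (the embedded JSON is a constructed three-entry sample; the real file has thousands of prefixes), builds the `IpPermissions` list that boto3's EC2 `authorize_security_group_ingress` call accepts for the documented ports, and audits an existing rule set for sources of 0.0.0.0/0 or ::/0 and for ports outside the documented set. The function names, the sample prefixes and the `DOCUMENTED_PORTS` constant are this example's own assumptions.

```python
"""Restrict and audit security-group ingress for the SRE Agent backend ports.
Added example; not code from the SRE Agent project. No AWS calls are made."""
import json
from typing import Iterable

# Ports this document specifies: HTTPS plus the four application services.
DOCUMENTED_PORTS = {443, 8011, 8012, 8013, 8014}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are documentation ranges (RFC 5737 / RFC 3849), not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2025-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    ],
})


def select_prefixes(ip_ranges_json: str, region: str, services: Iterable[str]) -> tuple[list[str], list[str]]:
    """Return (ipv4_cidrs, ipv6_cidrs) for the given region and service names."""
    data = json.loads(ip_ranges_json)
    wanted = set(services)
    v4 = sorted({p["ip_prefix"] for p in data["prefixes"]
                 if p["region"] == region and p["service"] in wanted})
    v6 = sorted({p["ipv6_prefix"] for p in data["ipv6_prefixes"]
                 if p["region"] == region and p["service"] in wanted})
    return v4, v6


def build_ingress_rules(v4: list[str], v6: list[str], ports: Iterable[int] = DOCUMENTED_PORTS,
                        description: str = "AWS ranges") -> list[dict]:
    """Build one IpPermissions entry per port, in the structure boto3's
    ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=...) takes."""
    rules = []
    for port in sorted(ports):
        rules.append({
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": description} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c, "Description": description} for c in v6],
        })
    return rules


def audit_ingress(permissions: list[dict], allowed_ports: set[int] = DOCUMENTED_PORTS) -> list[str]:
    """Flag rules open to the whole internet or exposing undocumented ports.
    Input is the IpPermissions list as returned by ec2.describe_security_groups."""
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if proto == "-1" or lo is None or hi is None:
            findings.append(f"{proto} all ports: rule covers every port; restrict to the documented set")
            continue
        label = f"{proto} {lo}-{hi}"
        for port in range(lo, hi + 1):
            if port not in allowed_ports:
                findings.append(f"{label}: port {port} is not a documented SRE Agent port")
                break
        for src in sources:
            if src in (ANY_IPV4, ANY_IPV6):
                findings.append(f"{label}: open to {src}; replace with AWS, VPC or partner ranges")
    return findings


if __name__ == "__main__":
    v4, v6 = select_prefixes(SAMPLE_IP_RANGES, "us-east-1", ["EC2"])
    rules = build_ingress_rules(v4, v6)
    print(json.dumps(rules, indent=2))
    # A rule that still allows the whole internet on port 443 is reported.
    wide_open = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                  "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]
    for finding in audit_ingress(wide_open):
        print("FINDING:", finding)
```

To apply the generated rules, pass `rules` as `IpPermissions` to `authorize_security_group_ingress` on a boto3 EC2 client; to audit a live group, feed the `IpPermissions` from `describe_security_groups` into `audit_ingress`. The ranges file changes over time, so re-run the selection on a schedule or switch to an AWS-managed prefix list, as the section above suggests.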
## Port Usage Summary

| Port | Protocol | Purpose | SSL Required |
|---|---|---|---|
| 443 | TCP | HTTPS web traffic | Yes |
| 8011 | TCP | Application service | Yes |
| 8012 | TCP | Application service | Yes |
| 8013 | TCP | Application service | Yes |
| 8014 | TCP | Application service | Yes |
## Compliance Notes

- All configured ports enforce SSL/TLS encryption
- Regular security assessments should include a review of the port configuration
- Monitor and log all traffic on the configured ports for security analysis