
Static Files storage AWS S3

Cintia Del Rio edited this page Jul 15, 2022 · 1 revision

Usage

Used for backups and static websites storage (S3/Glacier only, with CDN). We do not use AWS for anything else.

Costs

We pay full price for the services used.

Access

Go to https://openmrs.signin.aws.amazon.com/console to access AWS Console.

Several different users have full admin access:

  • Burke
  • Cintia
  • Pascal
  • Paul (also has access to the root account)
  • Ian

Other users can be included to execute S3 operations (like Rafal's user).

AWS users and security policies

On AWS IAM, you can see all AWS users. There are two types of users:

  • Humans: They can log in to the AWS console and must have a strong password and MFA enabled. As these users are extremely powerful, only generate disposable access key pairs (generate one key pair when needed, and deactivate it right after using it). Do not keep access keys for a long period, and do not leave them on servers. And, of course, never commit them to git.
  • Bots: No password, no MFA, and no access to the console. Every machine that uploads backups automatically to S3 should have its own user here. Their keys are tightly restricted (each key can only perform a couple of operations on a very specific subfolder of a bucket), so their access keys can be long-lived and deployed to the server via ansible or puppet.

Make sure to either rotate the keys frequently OR keep the user restricted at all times. There should never be a long-lived, all-powerful key pair around.
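As an added example (not the OpenMRS Terraform code), this is how one such restricted bot user can be declared in Terraform, matching the rule that infra is managed by Terraform rather than the console; the bucket name and hostname are placeholders:

```hcl
# Added example, not the project's own Terraform: a "bot" IAM user that can
# only write backups into one subfolder of one bucket. Names are placeholders.
variable "backup_bucket" {
  default = "example-backup-bucket" # placeholder, not the real bucket
}

variable "host" {
  default = "example-host" # placeholder hostname; one bot user per machine
}

# No aws_iam_user_login_profile is created, so there is no console password
# (and nothing for MFA to protect): API access only.
resource "aws_iam_user" "backup_bot" {
  name = "backup-bot-${var.host}"
}

data "aws_iam_policy_document" "backup_bot" {
  # Upload only, and only into this host's own subfolder.
  statement {
    sid       = "PutBackupsToOwnPrefix"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.backup_bucket}/${var.host}/*"]
  }

  # Most upload tools need to list the bucket; limit listing to the same prefix.
  statement {
    sid       = "ListOwnPrefixOnly"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.backup_bucket}"]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["${var.host}/*"]
    }
  }
}

resource "aws_iam_user_policy" "backup_bot" {
  name   = "backup-bot-${var.host}"
  user   = aws_iam_user.backup_bot.name
  policy = data.aws_iam_policy_document.backup_bot.json
}

# A long-lived key is acceptable only because the policy above is this narrow.
# The secret lands in Terraform state; deliver it to the host via ansible or
# puppet, never via git.
resource "aws_iam_access_key" "backup_bot" {
  user = aws_iam_user.backup_bot.name
}
```

A human admin user would get the opposite treatment: a login profile with MFA and no permanent access key.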

Creating resources

AWS infra should be maintained entirely by terraform (no changes should be made manually in the AWS console).

Details about backups can be found in the Backups strategy document.

Support

AWS support is available inside AWS console.
