Q: Which operating systems does AWS Elastic Beanstalk use? AWS Elastic Beanstalk runs on the Amazon Linux AMI and the Windows Server AMI. Both AMIs are supported and maintained by Amazon Web Services and are designed to provide a stable, secure, and high-performance execution environment for Amazon EC2 Cloud computing. Amazon EC2 enables you to run any compatible Windows-based solution on AWS' high-performance, reliable, cost-effective, cloud computing platform.
We would like to show you a description here but the site won’t allow us. By default, AWS services don’t have permissions to access other services. The instance profile and service role give Elastic Beanstalk the permissions it needs to create, modify, and delete resources in other AWS services, such as EC2. The final step in the wizard allows you to review all of the settings. Q: Which operating systems does AWS Elastic Beanstalk use? AWS Elastic Beanstalk runs on the Amazon Linux AMI and the Windows Server AMI. Both AMIs are supported and maintained by Amazon Web Services and are designed to provide a stable, secure, and high-performance execution environment for Amazon EC2 Cloud computing.
It’s pretty common to see DevOps folks roll their eyes when they are asked to install Java and Tomcat on Windows Server in AWS. For some reason, folks have decided this is hard. I don’t think it’s all that hard. And I have the CloudFormation template pattern (below) to prove it. 🙂
Here’s a description of what’s going on in this CloudFormation template snippet along with some pointers:
- The CloudFormation pattern assumes you stage the Tomcat and Java installation executables on S3 and that the template has access to the S3 bucket. You might consider updating Java and Tomcat once the initial versions get old via a CloudFormation change set
- The Java and Tomcat installations are placed in the default subdirectories with default installation options on Windows Server
- The all-important
JAVA_HOMEenvironment variables are set to the default installation directories
- I assume you have at least PowerShell 5 installed. See this CloudFormation skeleton if you need a pattern to install PowerShell 5. I actually use the code from that template pattern in every Windows Server 2012 R2 EC2 instance — and recommend you do, too
- The PowerShell scripts that are built in a CloudFormation template can be, ahem, a bit fussy to create and execute. Be certain to include a terminating semi-colon at the end of each statement. I don’t believe the ending newline (
n) is absolutely required in each script. But I like it, so it stayed in during my testing. In
Set-Java-Tomcat8-Paths-Homes.ps1the semicolon is required in the PowerShell script to join the old and new paths. In this case, the semicolon is not a PowerShell statement delimiter. Do not replace the single quotes around the semicolon in this script with double quotes
- During testing, sometimes Tomcat would install as a Windows service; sometimes it wouldn’t even though the documentation says it installs by default as a service on Windows. Just be sure, I added a
service.bat installstatement. You’ll see an error in the cfn-init.log if Tomcat was installed as a service, but you can ignore it.
This article is part 3 of a series that started here. In this post we get down to the business of actually installing Tomcat into the Ubuntu 18.04 LTS AWS EC2 instance created in earlier posts. I go in to some detail on how to secure your Tomcat installation.
We start by installing Java and Tomcat. You now arrive at a fork in the road. Your choices:
- Install packages from Ubuntu’s package manager.
- Install specific versions, perhaps even installing Oracle JRE instead of the OpenJDK JRE.
The second option will appeal to you if you require precise control over tool versions for compatibility reasons. Or if you enjoy self-flagellation. In my case, I’m going with option 1. This gets me Tomcat 8.5 and Java 10.
This installs Tomcat to /var/lib/tomcat8
You can check the installed versions as follows:
Apache AJP Connector
In the previous post on Apache Web Server, we setup Proxy AJP for forwarding of requests from Apache Web Server to Tomcat. We now need to enable Tomcat’s AJP Connector so it can receive the forwarded requests.
Uncomment the following line.
And restart Tomcat.
If you now pop your Public IP address or domain name into your browser, Tomcat goes like a bought one.
OK so let’s make the Tomcat installation a little more secure.
Default Web Applications
Administration and example web applications are often installed as part of a Tomcat installation, although they aren’t installed by default using Ubuntu Tomcat8 package installation.
Per Apache’s advice, you should remove all of these default web applications. In case you are in any doubt, you should NOT use the Manager and Host Manager applications to deploy and manage your web applications. Instead, you should use the ubuntu user over SSH, and restrict the SSH port (22) to only be accessible from your IP address, as per the AWS Security Group configuration in part 1 of this series.
Remove HTTP Connector
The HTTP Connector is the only connector enabled by default in a Tomcat installation. In my previous post, I installed Apache Web Server as a front-end to Tomcat, and used Proxy AJP to forward all requests to Tomcat. In that architecture, only the AJP Connector is required, and the HTTP Connector is redundant. Thus it should be disabled.
Comment out the following definition.
Note that port 8080 was not open in our AWS Security Group anyway, so this port is only a threat if an attacker can exploit some other vulnerability first.
Disable Shutdown Port
By default, Tomcat supports shutdown commands being received on port 8005. We don’t have this port open in the AWS Security Group, so there’s not much risk associated with it. Ubuntu doesn’t even use it for systemctl. Instead it kills Tomcat using the PID. Nonetheless we disable the port, to be sure to be sure, by changing 8005 to -1.
File & Directory Ownership
Per Apache’s advice, we tighten the file and directory ownership and permissions.
In the Ubuntu package Tomcat8 installation, Tomcat will already be running under the tomcat8 user instead of root. However, the tomcat8 user is left with write permissions to the lib and webapps directories:
This is less than desirable because, if an attacker could compromise a web application, they could modify the contents of these directories.
Therefore we aim to disallow the tomcat8 user from changing anything in the lib and webapps directories, but allow the ubuntu user to write to the lib and webapps directories when deploying over SSH.
We set lib and webapps directories to both be owned by root but with ubuntu group. We set permissions to 775 on both directories. That way, the ubuntu user can write, but the tomcat8 user can only read.
Disable Automatic Deployment
I take heed of Apache’s own practices:
Taking the Tomcat instances at the ASF as an example (where auto-deployment is disabled and web applications are deployed as exploded directories)http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#Non-Tomcat_settings
Thus I disable automatic deployment and unpacking of WARs.
Set unpackWARs and autoDeploy both to false.
With unpackWARs disabled, it will likely be desirable to unpack from the command line over SSH. Since we only have JRE, not JDK, installed, you may wish to install a jar tool. You can use the following command to avoid installing the entire JDK.
Aws Ec2 Tomcat Tutorial
In Apache’s own words:
Enabling the security manager is usually done to limit the potential impact, should an attacker find a way to compromise a trusted web application . A security manager may also be used to reduce the risks of running untrusted web applications (e.g. in hosting environments) but it should be noted that the security manager only reduces the risks of running untrusted web applications, it does not eliminate them.http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#Security_manager
The aim of this series is to create an environment for running trusted applications. Hence we can dismiss the untrusted motivations for using the Security Manager.
Aws Ec2 Tomcat Download
If Security Manager is enabled, it’s not possible to include a context.xml within your web applications. Instead the context needs to be specified within the Tomcat installation. As I’m advocating to use the ubuntu user and SSH port to both manage your server and deploy web applications, there is no material advantage to this restriction. Thus I have elected to not enable the Security Manager. YMMV.