How to Secure Access to Confluence on AWS

Many organizations use Confluence to create, share, and collaborate on projects and consider it to be a security-sensitive application which should not be exposed to the public Internet.

This post walks through configuring New Edge to provide secure access to a private, self-hosted instance of Confluence deployed on AWS, and then locking down AWS so that the instance cannot be reached directly over the Internet. We assume your users should reach Confluence at a URL on your company's domain, e.g. http://confluence.example.com:8090 (8090 is Confluence's default HTTP port; the New Edge app carries that TCP connection over its own tunnel, so the same URL works from an enrolled device once the instance is locked down).

Prerequisites

  1. A New Edge organization account (Learn how to create one).
  2. Basic New Edge account configuration, including an Access Policy and one or more end users (Learn how to configure New Edge).
  3. A self-hosted instance of Confluence installed in your AWS environment, with a New Edge Publisher deployed in the same VPC (Learn how to install Confluence on Linux). For the purposes of this post we assume Confluence is installed on a single EC2 instance rather than a high availability deployment.

Create a service under New Edge

  1. Sign in to your New Edge Admin console
  2. Click Services in the left sidebar menu
  3. Click New Service
  4. Enter a name, e.g. “Confluence”
  5. Enter a hostname, e.g. “confluence.example.com”
  6. Select TCP from Protocols
  7. Enter the port number you set when you configured Confluence, e.g. “8090”
  8. Select the Publisher you deployed alongside Confluence in your VPC (the Publisher is the component that relays user connections into the VPC, so it must sit where it can reach the Confluence instance)
  9. Select the Access Policy you created during basic account configuration
  10. Click “Save Service”
  11. Assign Confluence to one or more end users

End user device registration

  1. Install the New Edge app on your end user device
  2. Register the app using your end user email address
  3. Connect the New Edge app
  4. Open your browser and navigate to http://confluence.example.com:8090 to confirm that you can access Confluence through the New Edge Service

Configure AWS security groups

  1. Edit the security group(s) attached to the EC2 instance which hosts Confluence so that the only inbound rule for port 8090 has the New Edge Publisher as its source. Reference the Publisher's security group rather than its IP address where you can: a security-group source keeps working if the Publisher's address changes, while a bare IP rule silently stops working when it does. Remove any rule that allows 8090 from 0.0.0.0/0 or ::/0, and keep only the separate rules you genuinely need for administration (e.g. SSH from your management network). To verify, from a machine outside the VPC without the New Edge app, confirm that http://confluence.example.com:8090 now times out instead of loading. Learn about AWS Security groups.
  2. Optionally, deploy Confluence on an EC2 instance in a private subnet with no public IP address. This adds a second layer of protection: even a misconfigured security group cannot expose Confluence to the Internet if there is no public address to reach it on.
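The following script is an added example for this post, not New Edge's or Atlassian's code. It audits the result of the two steps above: it reads the JSON that `aws ec2 describe-security-groups` and `aws ec2 describe-instances` return, flags every rule that lets anything other than the Publisher reach port 8090 (including "All traffic" rules, which have no port fields and are easy to miss), and reports whether the instance still has a public IP. The security-group IDs, instance ID and addresses are constructed for the example, so it runs offline; pass the two JSON files as arguments to audit a real VPC.

```python
"""Audit the Confluence host's security group and network placement.

Added example, not New Edge's or Atlassian's code.  Works on the JSON shapes of
`aws ec2 describe-security-groups` and `aws ec2 describe-instances`; the IDs
and addresses below are constructed so the script runs offline.
"""
import ipaddress
import json
import sys

CONFLUENCE_PORT = 8090           # the port chosen when Confluence was configured
PUBLISHER_SG = "sg-0publisher"   # assumed: security group of the New Edge Publisher
PUBLISHER_IP = "10.0.1.25"       # assumed: private IP of the New Edge Publisher

# Constructed sample of `aws ec2 describe-security-groups --group-ids sg-0confluence`.
SAMPLE_SG = {"SecurityGroups": [{
    "GroupId": "sg-0confluence",
    "IpPermissions": [
        {   # intended rule: tcp/8090 only from the Publisher's security group
            "IpProtocol": "tcp", "FromPort": 8090, "ToPort": 8090,
            "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0publisher"}],
        },
        {   # leftover rule: tcp/8090 open to the whole Internet
            "IpProtocol": "tcp", "FromPort": 8090, "ToPort": 8090,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
            "UserIdGroupPairs": [],
        },
    ],
}]}

# Constructed sample of `aws ec2 describe-instances` for the Confluence host.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [{
    "InstanceId": "i-0confluence",
    "PrivateIpAddress": "10.0.1.40",
    "PublicIpAddress": "203.0.113.10",   # a public IP makes any open rule Internet-reachable
    "SecurityGroups": [{"GroupId": "sg-0confluence"}],
}]}]}


def rule_covers_port(rule, port):
    """True if an IpPermissions entry reaches `port` over TCP.

    An "All traffic" rule has IpProtocol "-1" and no port fields, so it covers
    every port; a check that only looks at FromPort/ToPort would miss it.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_security_groups(sg_json, port=CONFLUENCE_PORT,
                          allowed_sgs=(PUBLISHER_SG,), allowed_ips=(PUBLISHER_IP,)):
    """Return one finding per rule that lets anything but the Publisher reach `port`.

    A source is accepted as the Publisher's security group (preferred) or as its
    exact /32 address.  An empty list means the group is locked down.
    """
    findings = []
    allowed_nets = {ipaddress.ip_network(ip) for ip in allowed_ips}  # bare IP -> /32
    for sg in sg_json["SecurityGroups"]:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            for key, cidr_key in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
                for entry in rule.get(key, []):
                    net = ipaddress.ip_network(entry[cidr_key], strict=False)
                    if net in allowed_nets:
                        continue
                    how = "INTERNET-WIDE" if net.prefixlen == 0 else "unexpected source"
                    findings.append(f"{gid}: tcp/{port} open to {net} ({how})")
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_sgs:
                    findings.append(f"{gid}: tcp/{port} open to security group {pair['GroupId']}")
    return findings


def public_ips(instances_json):
    """Map instance ID -> public IP for every instance that has one (step 2 above)."""
    found = {}
    for reservation in instances_json["Reservations"]:
        for inst in reservation["Instances"]:
            if inst.get("PublicIpAddress"):
                found[inst["InstanceId"]] = inst["PublicIpAddress"]
    return found


def report(sg_json, instances_json):
    """Combine both checks into one list of findings."""
    lines = audit_security_groups(sg_json)
    lines += [f"{iid} has public IP {ip}; prefer a private subnet"
              for iid, ip in public_ips(instances_json).items()]
    return lines


if __name__ == "__main__":
    # No arguments: audit the constructed sample.  Two arguments: the JSON files
    # saved from the two aws cli commands named above.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            findings = report(json.load(f1), json.load(f2))
    else:
        findings = report(SAMPLE_SG, SAMPLE_INSTANCES)
    for line in findings:
        print("FINDING:", line)
    sys.exit(1 if findings else 0)
```

Run against the sample it reports the leftover 0.0.0.0/0 rule and the public IP and exits non-zero; run it after the security-group change and it should print nothing. The exit status lets you keep the check in a pipeline so the lock-down cannot quietly regress.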

Configure DNS records for Confluence

Domain names for private applications should resolve only inside your AWS VPC, so that the name (and the address behind it) is not discoverable from the public Internet. This is about reducing exposure, not a substitute for the security-group lock-down above: the two belong together. To accomplish it, we recommend creating a private DNS record in Amazon Route 53 and removing any public DNS records.

  1. Open your AWS console
  2. Open Route 53 (Amazon’s DNS service)
  3. Click “Create Hosted Zone”
  4. Enter “example.com” (where example.com is your company’s domain) in Domain name
  5. Choose Type: “Private Hosted Zone for Amazon VPC”
  6. Choose the VPC where both Confluence and your New Edge Publisher are deployed (a private hosted zone only resolves in a VPC that has both DNS resolution and DNS hostnames enabled; check the VPC's settings if lookups fail)
  7. Click “Create Record Set”
  8. Type “confluence” in Name field
  9. Choose “A – IPv4 address” and type Confluence's private IP address in the Value field
  10. (Recommended) If you have a public DNS record for Confluence, delete it from your public DNS provider; as long as it exists, the name and the instance's address stay discoverable from the Internet

If you’re planning to secure Confluence running in your AWS environment, New Edge is the best way to provide secure access to cloud services. Contact us, and we’d be happy to talk you through this process step by step.

One comment on “How to Secure Access to Confluence on AWS”

  • Hi Kevin,
    I went through the write-up on securing Confluence access hosted on AWS, and it instantly appears to be a foolproof security solution. I could instantly think of the target customers of this solution in the banking/financial institutes and the government department. The only feedback I have till now is to find out a way to deploy the configuration automatically onto the end user devices. Also to provide the ability for the IT administrator to do all configurations from New Edge Labs customer-built forms as a single window.

    Thanks
    Laxmikant
