-
Notifications
You must be signed in to change notification settings - Fork 9
Static Files storage AWS S3
Used for backups and static websites storage (S3/Glacier only, with CDN). We do not use AWS for anything else.
We pay full price for the services used.
Go to https://openmrs.signin.aws.amazon.com/console to access AWS Console.
Several different users have full admin access:
- Burke
- Cintia
- Pascal
- Paul (also has access to the root account)
- Ian
Other users can be included to execute S3 operations (like Rafal's user).
On AWS IAM, you can see all AWS users. There are two types of users:
- Humans: It can login to the AWS console, should have a strong key and MFA enabled. As these users are super powerful, so make sure to only generate disposable access key pairs (generate one key pair when needed, and deactivate it just after using it). Do not keep access keys for a long period, and do not leave it on servers. And, of course, never commit them to git.
- Bots: No password, no MFA, and no access to the console. Every machine which will upload backups automatically to S3 should have a user here. They are pretty restricted keys (each key can only do a couple of operations to a very specific subfolder of a bucket), so their access keys can be long lived and deployed to the server via ansible or puppet.
Make sure to either rotate the keys frequently OR keep the user restricted at all types. There should be never a long-lived super powerful key pair around.
AWS infra should be totally maintaned by terraform (no changes should be done manually on AWS console).
Details about backups can be found in Backups strategy document.
AWS support is available inside AWS console.
Read this before updating this wiki.