How secure is Amazon EC2

Back up Tableau Server on AWS

When deploying Tableau Server on-premises as well as in the cloud, it is important to take the necessary steps to ensure that it is deployed securely. For more information on how to make Tableau Server more secure, see Security.

In addition to the security features built into Tableau Server, AWS has other features that you can use to make your Tableau Server environment more secure. These include the following functions, among others:

  • The Amazon VPC adds another layer of network security to your environment by creating private subnets.

  • Security groups determine which inbound and outbound traffic can connect to your network. Limit incoming traffic to the IP addresses in the block assigned by Classless Inter-Domain Routing (CIDR). Do not use 0000 \ 0. That would be unsafe as it would allow any traffic to access your server.

  • AWS Identity and Access Management (IAM) enables precise control of user access to functions of AWS.

  • AWS Direct Connect enables a dedicated network connection from a corporate network to AWS through an AWS Direct Connect partner using VLANs that conform to the industry standard 802.1Q. For more information, see Requesting Cross Connects at AWS Direct Connect Locations in the AWS Direct Connect User Guide on the AWS website.

  • Amazon EBS Encryption offers simple and powerful encryption for data at rest on your hard drive volumes as well as for data on the transmission path between EC2 instances and the EBS storage.

You can add enterprise-level application security to AWS and Tableau Server so that individual reports or dashboards meet the needs of a diverse and diverse user base, including both internal and external users. Enterprise-level application security has three main areas:

network

Network security for Tableau Server on AWS relies on the use of Amazon VPC security groups with SSL to secure internal and external communication. For more information, see Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide on the AWS website.

Amazon VPC

An Amazon VPC is a unique, isolated network within the cloud. The network traffic within each Amazon VPC is isolated from all other Amazon VPCs. With an Amazon VPC, you can create your own subnets for your network and split application tiers between these subnets for more control. We recommend installing and running Tableau Server on a separate subnet within your Amazon VPC so that you can configure the network to access Tableau Server and other datasets. The following illustration shows a typical single node installation of Tableau Server in an Amazon VPC.

Security groups

You can use security groups to define what type of network traffic can access Tableau Server. Amazon EC2 security groups act as a firewall that regulates inbound and outbound network traffic for Amazon EC2 instances. You can define and assign security groups that are appropriate for your Amazon EC2 instances. By default, Amazon EC2 instances start with security groups that do not allow inbound traffic. Before you can access your EC2 instance, you need to make changes to allow the appropriate inbound traffic.

The following are the minimum requirements for connecting to Tableau Server on an EC2 instance:

  • Connection via RDP (port 3389) with a remote desktop client for access to instance and services and their management.

  • Standard web traffic over HTTP (port 80) and HTTPS (port 443) for viewing hosted content and publishing to Tableau Server.

  • Communication between Tableau Server components on different instances (if any) should be allowed. Note the ports that are under the categories All and Distributed availability / high availability are listed.

Based on these requirements, you should only enable three standard ports for incoming data traffic for your EC2 instance: HTTP 80, HTTPS 443 and RDP 3389. Furthermore, you should limit remote access (port 3389) to a few hosts, as well as HTTP and HTTPS traffic should be restricted to hosts within your corporate network or to a group of trusted clients.

Client access

By default, Tableau Server uses standard HTTP requests and responses. Tableau Server can be configured for HTTPS (SSL) with customer-supplied security certificates. When Tableau Server is configured for SSL, all traffic between clients is encrypted and the HTTPS protocol is used. When you configure Tableau Server for SSL, the browser and SSL library on the server agree on a common level of encryption. On the server side, Tableau Server uses OpenSSL as its SSL library and is configured to use currently accepted standards. Any web browser that accesses Tableau Server over SSL uses that browser's standard implementation of SSL. For more information on how Tableau Server uses SSL, see SSL. Tableau Server only listens on port 443 for SSL traffic. You cannot configure standard ports for SSL / TLS.

If you are using Elastic Load Balancing (ELB), ELB can also do SSL termination on your behalf. The encryption / decryption of data traffic by ELB is an easy way to secure the client connection with Tableau Server without having to manually configure SSL on Tableau Server itself. For more information, see AWS Elastic Load Balancing: Support for SSL Termination on the AWS website.

AWS Directory Service

Optional. The AWS Directory Service is a managed service that enables you to connect your AWS resources to an existing local directory such as Microsoft Active Directory (with AD connector) or to create a new single directory in the AWS cloud ( with Simple AD). Connecting to a local directory is easy. Once this connection is made, all users can access AWS resources and applications using their existing corporate credentials.

With AWS Directory Service, instead of local authentication, you can use Active Directory-based authentication, which uses Tableau Server's built-in user management system to create users and assign passwords. In the configuration step after installing Tableau Server, select Active Directory to set up Active Directory-based authentication. You cannot switch back and forth between Active Directory-based and local authentication later.

The Active Directory authentication model uses the Microsoft Security Support Provider Interface (SSPI) to automatically sign in your users based on their Windows username and password. This process is similar to the single sign-on single sign-on process.

Data

Tableau Server uses native drivers (or a generic ODBC adapter if native drivers are not available) to connect to databases, process result sets, update extracts, and all other communications with the database. You can configure the driver to communicate using ports other than the standard ports or transport encryption. However, this type of configuration is transparent to Tableau Server. However, since communication between Tableau Server and the database usually takes place behind a firewall, you can also choose not to encrypt this communication.

Connect to data stores on AWS

You can launch AWS resources such as Amazon Relational Database Service (Amazon RDS), Amazon Elastic MapReduce (Amazon EMR) Hadoop Hive, or Amazon Redshift in an Amazon VPC. By placing Tableau Server in the same Amazon VPC as your data stores, you ensure that your traffic never leaves the Amazon VPC.

You can use subnets with security groups to start your resources in different tiers, but to let them communicate securely with each other within an Amazon VPC (see the following diagram).

Connect to data stores outside of AWS

Optionally, you can connect your Amazon VPC to your company's data center by using a hardware-based IPsec VPN connection, making the AWS cloud an extension of your data center. A VPN connection includes a virtual private gateway associated with your Amazon VPC and a customer gateway in your data center. You can also choose to use AWS Direct Connect. This network service provides an alternative to using the Internet to use AWS cloud services. AWS Direct Connect enables a dedicated network connection to be established through an AWS Direct Connect partner using VLANs that conform to the industry standard 802.1Q. For more information, see Requesting Cross Connects at AWS Direct Connect Locations in the AWS Direct Connect User Guide on the AWS website.

You can use the same connection to access public resources (e.g. objects stored in Amazon Simple Storage Service (Amazon S3) using public IP address spaces) and private resources (e.g. Amazon EC2 instances running within an Amazon VPC under Using a private IP address space) without affecting the separation of the networks between the public and private environments.

Encrypt data at rest

Amazon EBS Encryption offers a transparent and easy way to encrypt volumes on which personal data can be stored. EBS Encryption encrypts data stored on the volume as well as data on the transmission path between the volume and the instance with AES-256. This feature has little to no impact on Tableau Server's performance. For this reason, we advise you to use this service regardless of whether personal data is stored in your system.