Server Setup » Platforms » Amazon EC2
Conjur Enterprise on AWS
Conjur provides Amazon Machine Images (AMIs) that make it easy to run a Conjur Enterprise environment on AWS. CloudFormation templates are also available to simplify and accelerate the process of setting up a Conjur HA cluster in AWS.
Getting the Conjur AMI
Contact firstname.lastname@example.org to obtain an AMI of the Conjur platform. Conjur staff will share AMIs to your AWS account, so please be sure and include your organization's AWS Account ID in the AMI request.
Once the AMI has been shared, it will show up in the "AMIs" section of the EC2 Dashboard. Search for "conjur" if many AMIs are listed. Select the AMI and click "Launch" to enter the configuration screen.
Conjur should be run in a VPC, for the following reasons:
- Conjur instances require a stable IP address, which is avaliable to every VPC instance.
- AWS load balancers require a VPC to load-balance port 636.
- Using a VPC offers you the option to make your Conjur servers unreachable from the public internet.
Conjur EC2 instances should use a dedicated security group.
The following ports (and only these ports!) should be opened:
|5433||PostgreSQL audit replication|
Load Balancing and DNS
You should run your Conjur servers behind an Elastic Load Balancer (ELB) mapped to a DNS name. Conjur provides a built-in health check that is perfect for ELBs.
The most common way to manage DNS inside of AWS is Amazon Route 53; however, you can use any DNS provider. If you give Conjur a DNS name, you can use the DNS name in subsequent steps that ask for your Conjur hostname.
If you run only a master and standbys, you can use a single ELB and DNS name. If you run followers, you should have one ELB and DNS name for the master + standbys, and another ELB and DNS name for the followers. If you run followers in multiple regions, you can either use a single ELB and DNS name for all of them, or use a distinct ELB and DNS name per-region.
Once the Conjur EC2 instance is avaliable, establish an SSH connection using your AWS SSH key.
Here's the command. Replace
$hostname with the DNS name of your Conjur server.
$ ssh -i your-ec2-key.pem core@$hostname
If you can't establish a connection, check that port 22 is open in the security group.
coreuser is used for SSH access.
Once you've SSHed into the EC2 instance, you can configure the Conjur master. Initial configuration is only done once per instance. Instances with incorrect configuration must be terminated and re-launched.
You'll need to provide the following information:
|hostname||Hostname of the server. This should be the DNS name by which you connect to the server. For a production environment, it's the top-level DNS name. For a testing sandbox instance, it can be the DNS name which is auto-assigned by EC2.|
|orgaccount||The name of your organization. "mycorp", "sprocketsltd", or "spacex", for example.|
|password||Choose a strong admin password. This is your master admin credential. You won't use it for daily tasks.|
# On the Conjur EC2 instance $ hostname=conjur-dev.myorg.com $ password=$(openssl rand -base64 15) # Or choose a strong one yourself $ orgaccount=myorg $ docker exec conjur-appliance evoke configure master \ -h $hostname \ -p $password \ $orgaccount
The evoke utility is used to configure a Conjur server. Read more about evoke here.
You're done with the server installation and configuration. You should close your SSH connection. Optionally, you can also close security group port 22.
Next, you should install the Conjur command-line interface (CLI) on your own machine (laptop or workstation) and configure it to talk to your new Conjur instance.
After you have installed and configured the Conjur CLI, learn how to use it in our Tutorials section.
Inside the AMI
The base operating system of the Conjur AMI is CoreOS. CoreOS is a lightweight Linux distribution built for running containers. The threat surface of CoreOS is smaller than that of a larger distribution (Ubuntu or CentOS, for example).
As detailed in the Conjur Configuration section, the
default system user is
core. SSH to Conjur instances using the
CoreOS uses systemd as its init system.
The name of the service that runs the Conjur container is
When upgrading or debugging Conjur it is helpful to be able to manage the
service. This can be done like so:
# View service status $ systemctl status conjur # Start/stop/restart service $ sudo systemctl start conjur $ sudo systemctl stop conjur $ sudo systemctl restart conjur
Note that this service is already running when the EC2 instance starts.
To view the container's logs use
$ journalctl CONTAINER_NAME=conjur-appliance
Note that since the AMI uses the
journald logging driver,
will not return the container's logs.