Creating a Cerberus environment is an automated process and can be completed in as little as 30 minutes.
Because Cerberus uses KMS as part of its authentication, we strongly recommend running Cerberus in its own AWS account for security reasons. Running Cerberus in its own account prevents services from being able to impersonate each other. In the future, we hope to remove this limitation.
Clone or download the Cerberus Utility Script project and follow the README to create the AMI for the Cerberus Management Service.
Ensure you have a Java 8 JRE with Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy installed and available on your path (Note: a second download is required).
Download the Cerberus Lifecycle CLI (both the cerberus shell script and the jar) to a location such as ~/Applications/cerberus and set up the environment variables:

```bash
export CERBERUS_HOME=~/Applications/cerberus
export PATH=$PATH:$CERBERUS_HOME
```
Recommended: Install the AWS CLI. It is not required to stand up a Cerberus environment, but it is required to delete one. Then configure your AWS credentials with the CLI command `aws configure`.
If you do not wish to install the AWS CLI, see Working with AWS Credentials for alternative ways to supply credentials for the Cerberus Lifecycle CLI. We use the default credential provider chain with an added STSAssumeRoleSessionCredentialsProvider (so that build systems can assume a role). You can allow cerberus to assume a role by setting the environment variables CERBERUS_ASSUME_ROLE_ARN and CERBERUS_ASSUME_ROLE_EXTERNAL_ID.
Go to the EC2 panel, navigate to Key Pairs, and generate a new key pair (or pairs) to use for the Cerberus environment.
Copy and modify the example-standup.yaml file and pass it as a parameter to the create-environment command:

```bash
cerberus -f /path/to/yaml create-environment
```

Recommended: Name the YAML properties file after the environment name (e.g. dev.yaml, test.yaml, prod.yaml, etc.).
TLS Certificates can be automatically created for you by the CLI, using Let’s Encrypt, or can be manually created using another vendor such as Venafi.
The rate-limiting lambda monitors the ALB access logs and uses AWS WAF to enforce a configurable rate limit.
The following properties are required:
| Property | Notes |
|---|---|
| rate-limit-per-minute | The number of requests per minute an IP can make before it is added to the auto blacklist IP Set |
| rate-limit-violation-block-period-in-minutes | The number of minutes an IP will be blocked for violating the rate limit |
(Optionally) configure the Lambda to message Slack when CIDRs are added to or removed from the Auto Block IP set. To do so, add the following properties to your YAML:

| Property | Notes |
|---|---|
| slack-web-hook-url | Your Slack webhook URL. |
| slack-icon | A URL to a custom icon. Leave this off to use the default icon. |
See the github project for more information.
There are also a Manual Whitelist and a Manual Blacklist IP Set, to which you can add CIDRs (or from which you can remove them) in the WAF section of the AWS console.
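To make the two required properties concrete, here is an added example (not code from the Cerberus project or its rate-limiting lambda) that applies `rate-limit-per-minute` and `rate-limit-violation-block-period-in-minutes` to a handful of constructed ALB access-log lines: it counts requests per client IP per minute, flags the IPs that exceed the limit, and maintains an auto-block list whose entries expire after the block period. The log lines, the limit values, the load balancer name and the timestamps are all constructed for the example; the `(added, removed)` result of `update_block_list` is the kind of change the optional Slack notification would report.

```python
"""Rate-limit evaluation over ALB access-log lines (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed values standing in for the two required YAML properties.
RATE_LIMIT_PER_MINUTE = 3
BLOCK_PERIOD_MINUTES = 10

# Constructed log lines in the ALB access-log layout. Only the leading fields
# matter here: type, timestamp, load balancer, client:port, target:port, ...
# 198.51.100.7 makes four requests within minute 22:23 (over the limit of 3)
# and one more in 22:24; 203.0.113.5 makes two requests in 22:23.
SAMPLE_ALB_LOG = """\
https 2018-07-02T22:23:00.186641Z app/cerberus-alb/50dc6c495c0c9188 198.51.100.7:2817 10.0.0.1:8443 0.000 0.002 0.000 200 200 34 366 "GET https://cerberus.example.com:443/v1/secret HTTP/1.1" "curl/7.64.0"
https 2018-07-02T22:23:05.104211Z app/cerberus-alb/50dc6c495c0c9188 203.0.113.5:41022 10.0.0.1:8443 0.000 0.002 0.000 200 200 34 366 "GET https://cerberus.example.com:443/v1/secret HTTP/1.1" "curl/7.64.0"
https 2018-07-02T22:23:12.771930Z app/cerberus-alb/50dc6c495c0c9188 198.51.100.7:2818 10.0.0.1:8443 0.000 0.002 0.000 200 200 34 366 "GET https://cerberus.example.com:443/v1/secret HTTP/1.1" "curl/7.64.0"
https 2018-07-02T22:23:20.004501Z app/cerberus-alb/50dc6c495c0c9188 198.51.100.7:2819 10.0.0.1:8443 0.000 0.002 0.000 200 200 34 366 "GET https://cerberus.example.com:443/v1/secret HTTP/1.1" "curl/7.64.0"
https 2018-07-02T22:23:41.339002Z app/cerberus-alb/50dc6c495c0c9188 203.0.113.5:41023 10.0.0.1:8443 0.000 0.002 0.000 200 200 34 366 "GET https://cerberus.example.com:443/v1/secret HTTP/1.1" "curl/7.64.0"
https 2018-07-02T22:23:55.910118Z app/cerberus-alb/50dc6c495c0c9188 198.51.100.7:2820 10.0.0.1:8443 0.000 0.002 0.000 200 200 34 366 "GET https://cerberus.example.com:443/v1/secret HTTP/1.1" "curl/7.64.0"
https 2018-07-02T22:24:03.220017Z app/cerberus-alb/50dc6c495c0c9188 198.51.100.7:2821 10.0.0.1:8443 0.000 0.002 0.000 200 200 34 366 "GET https://cerberus.example.com:443/v1/secret HTTP/1.1" "curl/7.64.0"
"""

# Constructed reference times: "now" when the lambda evaluates the log, and
# the moment the block period has fully elapsed.
EXAMPLE_NOW = datetime(2018, 7, 2, 22, 25)
EXAMPLE_AFTER_BLOCK = EXAMPLE_NOW + timedelta(minutes=BLOCK_PERIOD_MINUTES)


def parse_alb_line(line):
    """Return (minute_bucket, client_ip) for one ALB access-log line."""
    fields = line.split()
    timestamp = datetime.strptime(fields[1], "%Y-%m-%dT%H:%M:%S.%fZ")
    client_ip = fields[3].rsplit(":", 1)[0]  # drop the client source port
    return timestamp.replace(second=0, microsecond=0), client_ip


def requests_per_minute(lines):
    """Count requests per (minute bucket, client IP), skipping blank lines."""
    counts = Counter()
    for line in lines:
        if line.strip():
            counts[parse_alb_line(line)] += 1
    return counts


def find_violators(lines, limit_per_minute=RATE_LIMIT_PER_MINUTE):
    """Client IPs that exceeded limit_per_minute in at least one minute."""
    return {ip for (_, ip), n in requests_per_minute(lines).items()
            if n > limit_per_minute}


def update_block_list(block_list, violators, now,
                      block_minutes=BLOCK_PERIOD_MINUTES):
    """Apply the block period to an {ip: blocked_until} dict in place.

    New violators are added (a repeat violator's expiry is pushed out) and
    entries whose block period has elapsed are dropped. Returns (added,
    removed): the CIDR changes a notification hook would report.
    """
    blocked_until = now + timedelta(minutes=block_minutes)
    added = sorted(ip for ip in violators if ip not in block_list)
    for ip in violators:
        block_list[ip] = blocked_until
    removed = sorted(ip for ip, until in block_list.items() if until <= now)
    for ip in removed:
        del block_list[ip]
    return added, removed


if __name__ == "__main__":
    lines = SAMPLE_ALB_LOG.splitlines()
    for (minute, ip), n in sorted(requests_per_minute(lines).items()):
        print(f"{minute:%H:%M} {ip:<14} {n} request(s)")
    block_list = {}
    print("added/removed:",
          update_block_list(block_list, find_violators(lines), EXAMPLE_NOW))
    print("added/removed:",
          update_block_list(block_list, set(), EXAMPLE_AFTER_BLOCK))
```

Minute buckets are fixed calendar minutes rather than a sliding window, which is the simplest reading of "requests per minute"; a client that splits its burst across a minute boundary can therefore stay just under the limit, so a lower `rate-limit-per-minute` than the expected legitimate peak is the safer setting.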
The healthcheck lambda can be used to monitor a Cerberus system.
See the github project for more information.