empire
HTTPS for the CloudFormation demo instance
I find it odd that the demo created via CloudFormation does not do HTTPS for the API.
I know you recommend a VPN for production, but it seems like having HTTPS in both places wouldn't hurt.
How hard would this be to enable, or are there any alternate plans for making the demo environment more secure by default?
Hi @tobiasmcnulty. The demo environment is simply meant to serve as a quick way to try out an Empire environment. We try to make it explicitly clear that it's not suitable for production with the Launch Empire check box, which has this message attached:
Note that this is NOT a production grade stack, this is only meant to serve as an easy way to try out Empire. If you want to take Empire into production, read the docs on Production Best Practices http://empire.readthedocs.io/en/latest/production_best_practices/.
The Production Best Practices guide does include information about setting up SSL.
We don't have any plans to make the demo stack production grade, but you can check the stacker blueprints for an example of a more production grade stack.
I don't think the demo instance needs to be a perfect model of production, but an unencrypted service that has the ability to create resources in my AWS account still makes me nervous, even if I'm using a dedicated account for it (which I am). Just a thought.
@tobiasmcnulty good point. It would be pretty easy to add an option for optionally selecting an ACM/Server cert. I'll re-open this.
If it's any help, I found this code which automates the installation of a (free) cert on the ELB: https://github.com/jeanphix/ecs/commit/52351573d268dec0eae8f2ae71387fe76bf2cb63