Amazon Web Services (AWS)¶
Our default region is us-east-1 (N. Virginia). For large data transfer operations (like backups), use the closest region: for example, us-west-2 (London) for Linode servers in the London datacenter.
Simple Email Service (SES)¶
Reference: Setting up Amazon Simple Email Service
Note
Dedicated IP addresses for Amazon SES are available. However, a dedicated IP address would take a long time to build a sending reputation with our low volume. The shared IP addresses have a good reputation. As described below, SPF, DKIM and Return-Path are configured to improve deliverability.
Verify a domain¶
Go to SES’ Identities:
Click Create identity
Check Domain
Enter the domain in Domain
Expand Advanced DKIM settings
Check Easy DKIM
Check RSA_2048_BIT
Click Create identity
Go to GoDaddy’s DNS Management:
Add the three CNAME records. Add the MX record if none exists.
Note
Omit .open-contracting.org from hostnames. GoDaddy appends it automatically.
Wait for the domain’s Identity status to become “Verified” on SES’ Identities
Note
AWS will notify you by email. Last time, it took a few minutes.
Reference: Creating (and verifying) a domain identity
Verify an email address¶
Go to SES’ Identities:
Click Create identity
Check Email address
Enter the email address in Email address
Click Create identity
If the domain’s MX record points to AWS, go to SES’ Email receiving:
Click Create rule set
Enter a name in Rule set name (email-address-verification, for example)
Click Create rule set
Click the rule set’s name
Click Create rule
Enter a rule name in Rule name (deliver-to-s3-bucket, for example)
Click Next
Click Next
Select “Deliver to S3 bucket” from the Add new action dropdown
Click Create S3 bucket
Enter a bucket name in Bucket name (ocp-aws-verification, for example)
Click Create bucket
Click Next
Click Create rule
Click Set as active
If the domain’s MX record points to AWS, go to S3 (otherwise, check your email):
Click the bucket name
Click the long alphanumeric string (if there is none, double-check the earlier steps)
Click Download
Copy the URL in the downloaded file
Open the URL in a web browser
Check that the email address’ Identity status is “Verified” on SES’ Identities
If the domain’s MX record points to AWS, clean up:
Set the rule set as inactive
Reference: Creating (and verifying) an email address identity
Use a MAIL FROM domain¶
Note
This optional step improves email deliverability. Also known as the Return-Path address.
Refer to Using a custom MAIL FROM domain
Check that the identity’s MAIL FROM configuration is “Successful”
Create SMTP credentials¶
Note
You only need to do this once per AWS region.
Go to SES’ SMTP Settings:
Click Create SMTP credentials
Enter a user name in IAM User Name:
Click Create
Click Download Credentials
Click Close
Reference: Obtaining Amazon SES SMTP credentials
Set up basic notifications¶
Go to SNS’ Topics:
Click Create topic
Set Type to Standard
Enter a hyphenated address in Name (data-open-contracting-org, for example)
Click Create topic
Click Create subscription:
Select “Email” from the Protocol dropdown
Enter an email address in Endpoint
Click Create subscription
Click the email address on SES’ Identities:
Click the Notifications tab
Click Edit in the Feedback notifications section
Select the created topic from the Bounce feedback dropdown
Check the Include original email headers box
Select the created topic from the Complaint feedback dropdown
Check the Include original email headers box
Click Save changes
Reference: Configuring Amazon SNS notifications for Amazon SES
Set up advanced notifications¶
Go to SES’ Configuration sets:
Click Create set
Enter a name in Configuration set name (credere, for example)
Click Create set
Click the configuration set’s name
Click the Event destinations tab
Click Add destination:
Check:
Rendering failures, if using email templates
Rejects
Delivery delays
Do not check, to avoid unnecessary notifications:
Sends
Deliveries (same as Delivery feedback above)
Hard bounces (same as Bounce feedback above)
Complaints (same as Complaint feedback above)
Subscriptions
Click Next
Check Amazon SNS
Enter a name in Name (credere-noreply-open-contracting-org, for example)
Select the SNS topic for basic notifications from the SNS topic dropdown
Click Next
Click Add destination
Go to SNS’ Subscriptions:
Click Create subscription
Select the SNS topic from the Topic ARN dropdown
Select “Email” from the Protocol dropdown
Enter the subscriber’s email address in Endpoint
Click Create subscription
Wait for the email to confirm the subscription
Check DMARC compliance¶
Check DMARC compliance by sending a test email through SES.
Note
SES adds an extra DKIM signature (“The extra DKIM signature, which contains d=amazonses.com, is automatically added by Amazon SES. You can ignore it”). It is not aligned, but according to RFC 7489, “a single email can contain multiple DKIM signatures, and it is considered to be a DMARC ‘pass’ if any DKIM signature is aligned and verifies.”
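The alignment rule quoted above, as an added example that is not part of the original page: given a message carrying both the Easy DKIM signature and the extra d=amazonses.com signature, the check reports a DKIM pass as soon as one verified signature aligns with the From domain. It assumes a DKIM library has already verified the signatures cryptographically (the set of verified d= domains is passed in), and the sample message, its domains and signature values are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message signed twice, once with the sender's own domain
# (Easy DKIM) and once with d=amazonses.com, as SES does. Signature values are placeholders.
SAMPLE = """\
From: Sender <noreply@mail.example.org>
To: recipient@example.net
Subject: Test
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=selector1; h=from:to:subject; bh=BODYHASH; b=SIGNATURE
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=selector2; h=from:to:subject; bh=BODYHASH; b=SIGNATURE

Body
"""


def signature_domains(raw: str) -> list:
    """Return the d= tag of every DKIM-Signature header, lower-cased."""
    msg = message_from_string(raw)
    domains = []
    for header in msg.get_all("DKIM-Signature", []):
        for tag in header.replace("\n", "").split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip().lower() == "d":
                domains.append(value.strip().lower())
    return domains


def organizational_domain(domain: str) -> str:
    # Approximation: the last two labels. Real DMARC uses the public suffix list.
    return ".".join(domain.split(".")[-2:])


def dmarc_dkim_result(raw: str, verified: set, strict: bool = False) -> dict:
    """DMARC DKIM alignment. `verified` is the set of d= domains whose signature a
    DKIM verifier has already accepted; a d= domain that did not verify never counts."""
    from_domain = parseaddr(message_from_string(raw).get("From", ""))[1].rpartition("@")[2].lower()
    aligned = []
    for d in signature_domains(raw):
        if d not in verified:
            continue
        if d == from_domain or (not strict and organizational_domain(d) == organizational_domain(from_domain)):
            aligned.append(d)
    # RFC 7489: a single aligned, verified signature is enough for a DKIM pass.
    return {"from_domain": from_domain, "aligned": aligned, "pass": bool(aligned)}
```

With relaxed alignment (the DMARC default) the example.org signature aligns with the mail.example.org From domain and the amazonses.com one is simply ignored; with strict alignment (adkim=s) the same message fails.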
Debug delivery issues¶
Bounces and complaints are sent to the subscribed address. The relevant properties of the notification message are:
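As an added example that is not part of the original page, a small parser that pulls the fields used when debugging a delivery failure out of the notification JSON that SNS delivers to the subscribed address. The layout follows the Amazon SES notification format; the sample notification is constructed, and its addresses, IDs and timestamps are placeholders.

```python
import json

# Constructed sample of an SES bounce notification (the JSON that SNS delivers
# to the subscribed address), with original headers included as they are when
# "Include original email headers" is checked. All IDs and addresses are placeholders.
SAMPLE_BOUNCE = json.dumps({
    "notificationType": "Bounce",
    "bounce": {
        "bounceType": "Permanent",
        "bounceSubType": "General",
        "bouncedRecipients": [{"emailAddress": "nobody@example.net", "action": "failed",
                               "status": "5.1.1", "diagnosticCode": "smtp; 550 5.1.1 user unknown"}],
        "timestamp": "2024-01-01T00:00:00.000Z",
        "feedbackId": "FEEDBACK-ID-PLACEHOLDER",
    },
    "mail": {
        "messageId": "MESSAGE-ID-PLACEHOLDER",
        "source": "noreply@example.org",
        "destination": ["nobody@example.net"],
        "headers": [{"name": "From", "value": "noreply@example.org"},
                    {"name": "Subject", "value": "Your report"}],
    },
})


def summarize_notification(raw: str) -> dict:
    """Pull out the fields needed to debug a bounce or complaint."""
    data = json.loads(raw)
    kind = data.get("notificationType")
    mail = data.get("mail", {})
    headers = {h["name"].lower(): h["value"] for h in mail.get("headers", [])}
    summary = {"type": kind, "message_id": mail.get("messageId"), "source": mail.get("source"),
               "subject": headers.get("subject"), "recipients": [], "permanent": False}
    if kind == "Bounce":
        b = data["bounce"]
        summary["subtype"] = f'{b["bounceType"]}/{b["bounceSubType"]}'
        # Only a Permanent bounce means the address is dead; Transient bounces
        # (mailbox full, greylisting) should not lead to removing the address.
        summary["permanent"] = b["bounceType"] == "Permanent"
        summary["recipients"] = [(r["emailAddress"], r.get("status"), r.get("diagnosticCode"))
                                 for r in b["bouncedRecipients"]]
    elif kind == "Complaint":
        c = data["complaint"]
        summary["subtype"] = c.get("complaintFeedbackType")
        # A complaint means the recipient marked the message as spam: stop sending to them.
        summary["recipients"] = [(r["emailAddress"], None, None) for r in c["complainedRecipients"]]
    return summary
```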
Disable account-level suppression list¶
Note
This optional step can negatively affect sender reputation.
Reference: Disabling the account-level suppression list
Move out of sandbox¶
Note
You only need to do this once per AWS account.
Reference: Moving out of the Amazon SES sandbox
Relational Database Service (RDS)¶
Note
This configuration is for data analysis, where it is acceptable for the data to be lost.
Go to RDS’ Databases
Click Create database
Set Engine type to “PostgreSQL”
Set Version to the latest version
Set Templates to “Free tier”
Check Auto generate a password
Set DB instance class to “db.t3.micro”
Uncheck Enable storage autoscaling
Set Public access to “Yes”
Add “postgresql-anywhere” to Existing VPC security groups
Remove “default” from Existing VPC security groups
Expand Additional configuration
Uncheck Enable automated backups
Uncheck Enable encryption
Uncheck Turn on Performance Insights
Click Create database
Wait for the database to be created
Click View connection details
Simple Storage Service (S3)¶
Create bucket¶
Go to Amazon S3 Buckets
Select the nearest region to the server from the top-right dropdown
Click the Create bucket button
Enter a Bucket name (ocp-registry-backup, for example)
Click the Create bucket button
If the bucket is for file or MySQL backups:
Warning
Do not create lifecycle rules when using pgBackRest, which manages lifecycle itself.
Click the created bucket
Click the Management tab
Click the Create lifecycle rule button
Lifecycle rule name:
delete-after-30-days
Choose a rule scope: Apply to all objects in the bucket
Check I acknowledge that this rule will apply to all objects in the bucket.
Check Expire current versions of objects
Check Delete expired object delete markers or incomplete multipart uploads
Days after object creation: 30
Check Delete incomplete multipart uploads
Number of days: 7
Click Create rule
Reference: Creating a bucket
Identity and Access Management (IAM)¶
Create a backup policy¶
Go to IAM Policies
Click Create policy
Click the JSON tab
Paste the appropriate content below, replacing BUCKET_NAME and/or PREFIX:
If the user needs access to a prefix within the bucket only, replacing BUCKET_NAME and PREFIX:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::BUCKET_NAME"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "PREFIX"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::BUCKET_NAME"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["PREFIX/*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::BUCKET_NAME/PREFIX/*"]
    }
  ]
}
If the user needs access to the whole bucket, replacing BUCKET_NAME:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::BUCKET_NAME"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::BUCKET_NAME/*"]
    }
  ]
}
Click the Next button
Enter a Policy name (registry-backup, for example)
Click the Create policy button
Create a backup user¶
Note
If a policy is relevant to many users, instead of attaching policies directly, create a group, attach the policy to the group, and add the user to the group.
Go to IAM Users
Click the Create user button
Enter a User name (registry-backup, for example)
Click the Next button
Click the Attach existing policies directly radio button
Search for and check the policy above
Click the Next button
Click the Create user button
Click the created user
Click the Security credentials tab
Click the Create access key button
Check the Command Line Interface (CLI) radio button
Check the I understand the above recommendation and want to proceed to create an access key. box
Click the Next button
Click the Create access key button
Copy the Access key and Secret access key
Click the Done button
Reference: Creating an IAM user in your AWS account