AWS - Grafana - Security

Hi,

I have a Grafana instance running on an AWS EC2 instance.

What are the security risks of exposing the Grafana port (3000) to the internet?
(Sorry, but I don’t know much about security)


It’s probably not a great idea - especially since I assume you don’t have HTTPS (TLS) enabled on the server on port 3000. In principle you should run a public Grafana instance behind a reverse proxy that does TLS termination; AWS CloudFront can serve that function IIRC.

Once you have that set up, “is it secure” remains a very context-dependent question. Have you disabled the default admin account (or set a strong password)? Do all users have strong passwords? More generally, what’s an acceptable level of (in)security for your use case? No publicly available service is ever absolutely secure, so the degree to which you want to harden your specific setup would depend on your specific situation.


Hi @svetb

Thanks for the reply. I have done some searching and I can only see AWS CloudFront used for an S3 bucket.

Do you perhaps have a link or some guidance as to how to use AWS CloudFront on an EC2 instance to expose XX.XX.XX.XX:3000 via AWS CloudFront?

Hi @johans - maybe check out “Content Delivery Network Tutorials | CDN, Dynamic Content, Setting up Amazon EC2 Distribution | Amazon CloudFront” or some of the advice in “amazon web services - Cloudfront and EC2 - Stack Overflow”. (They were the top hits when I googled “cloudfront for ec2”)

For what it’s worth, you can also run a reverse proxy (e.g. nginx) directly on your EC2 instance. There are a few guides out there for that, especially in the context of Grafana. Whether you use the AWS solution or set up your own is largely a matter of personal preference.

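The nginx option mentioned in the last reply, sketched as an added example that is not part of the original thread: nginx terminates TLS on the EC2 instance and forwards to Grafana bound to loopback. The hostname `grafana.example.com` and the certificate paths are placeholders, and the `grafana.ini` values in the comments are assumptions about the setup.

```nginx
# Constructed example: grafana.example.com and the certificate paths are placeholders.
# Grafana itself should listen only on loopback, e.g. in grafana.ini:
#   [server]
#   http_addr = 127.0.0.1
#   http_port = 3000
#   domain    = grafana.example.com
#   root_url  = https://grafana.example.com/

# Needed for the WebSocket upgrade used by Grafana Live.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name grafana.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name grafana.example.com;

    ssl_certificate     /etc/nginx/tls/grafana.example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/grafana.example.com.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:3000;
    }

    location /api/live/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_pass http://127.0.0.1:3000;
    }
}
```

With Grafana bound to 127.0.0.1, the EC2 security group only needs inbound 443 (and 80 for the redirect), and the rule for port 3000 can be removed.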