This topic provides security guidelines for the Infrastructure as a Service (IaaS) providers supported by VMware Tanzu Operations Manager.

Tanzu Operations Manager supports a variety of IaaS providers. Different IaaS providers require different configuration steps to secure user data, identity information, and credentials.

Security requirements can vary broadly based on the unique configuration and infrastructure of each organization. Rather than provide specific guidance that might not apply to all use cases, VMware has collected links to IaaS providers’ security and identity management documentation. The following documents can help you understand how your IaaS’ security requirements impact your Tanzu Operations Manager deployment.

VMware does not endorse these documents for accuracy or guarantee that their contents apply to all Tanzu Operations Manager installations.

Find your IaaS provider in the following list. The documentation items linked for each IaaS can help you configure and secure your installation infrastructure.

Amazon Web Services (AWS)

These topics in the AWS documentation provide a general reference for AWS’ Identity and Access Management (IAM) features:

• AWS Identity and Access Management Guide: If you are new to AWS, start here.

• Identities (Users, Groups, and Roles) in the AWS Identity and Access Management Guide

• Temporary Security Credentials in the AWS Identity and Access Management Guide: This documentation provides a general definition of IAM terms and provide best practices to help you manage IaaS users and permissions.

• Use IMDSv2: This documentation provides a description of IMDSv2 and the security benefits it provides for the AWS metadata endpoints. IMDSv2 support must be enabled within Tanzu Operations Manager.

Enable IMDSv2 in Tanzu Operations Manager

Tanzu Operations Manager includes a feature that allows you to require the usage of IMDSv2. This security feature requires users to send a signed token header with any request to the instance metadata endpoint provided on AWS VMs. By default, IMDSv2 is not required when using the AWS metadata endpoint on a BOSH-deployed VM. You can configure Tanzu Operations Manager to require IMDSv2 using the Tanzu Operations Manager API. After enabling IMDSv2, you must re-create all VMs for the new configuration to take effect.

VMware Tanzu Application Service for VMs (TAS for VMs) v2.13.0 and later are compatible with IMDSv2. For all versions of VMware Tanzu Kubernetes Grid Integrated Edition (TKGI), it might be necessary to set the hop limit using the metadata_options key. For more information, see VM Types / VM Extensions in the BOSH documentation.

All tiles and service instances must be using stemcell Xenial v621.183 or later in order to require IMDSv2. Requiring IMDSv2 while using an older stemcell causes Apply Changes to fail due to an unresponsive BOSH agent.

To require IMDSv2 on all BOSH-deployed VMs:

1. Ensure all tiles are using stemcell Xenial v621.183 or later.

2. Use the Tanzu Operations Manager API to set the require_imds_v2 property to true. For more information, see Using the Tanzu Operations Manager API.

3. Go to Tanzu Operations Manager Installation Dashboard.

4. Configure the BOSH Director to recreate VMs:

   1. Go to the Tanzu Operations Manager Installation Dashboard.

   2. Click the BOSH Director tile.

   3. Click Director Config.

   4. Enable the Recreate VMs deployed by the BOSH Director check box.

   5. Return to the Tanzu Operations Manager Installation Dashboard.

5. If you have service tiles installed, for each service tile:

   The names of the Upgrade all service instances and Recreate all service instances errands might be slightly different between services.

   1. Click the tile.
   2. Click the Errands tab.
   3. Enable the Upgrade all service instances errand. Running this errand is necessary to push CredHub certificate updates to each service instance.
   4. If the service tile has the Recreate all service instances errand:
      1. Enable the Recreate all service instances errand. Running this errand pushes BOSH Agent certificate updates to service instances.

6. Click Review Pending Changes.

7. Click Apply Changes.

Google Cloud Platform (GCP)

This topic in the GCP documentation describes general authentication guidelines for GCP:

• Authentication overview.

Microsoft Azure

This topic in the Microsoft Azure documentation describes managing IaaS users and credentials:

• Azure documentation.

OpenStack

These topics in the OpenStack documentation provide a general reference for OpenStack service credential management:

• Creating the service credentials.

• Configuring service credentials in Configure the deployment

• Configure the deployment.

VMware vSphere

This topic in the VMware vSphere documentation describes best practices for securing and managing a vSphere installation:

• vSphere Security guide (PDF).