Bamboo Cloud Agent User Account Security

When using a cloud Bamboo agent on Windows, you are instructed to set up Bamboo, a Windows user with a known default password: Atlassian1.

It clearly states that this user should be configured to refuse remote login.

But it is still a valid Windows user with an honest set of permissions. The Bamboo server (cloud) communicates with the machine on the well-known port 26224. Through this channel it sends all build commands, receives build status from the remote agent, and so on.

What's stopping a hacker from scanning the Internet, finding a host with port 26224 open, and starting a conversation with a Bamboo agent? How does the agent know for certain that it is talking to a legitimate Bamboo CI server?

I ask this to be completely sure there is no possible attack vector.

+3




1 answer


The security documentation for Bamboo states:

Please note the following security implications when enabling remote agents for Bamboo:

  • No encryption of data transmitted between the server and the agent - this includes data such as:

    • credentials for version control repositories

    • build logs

    • collecting artifacts

  • No agent or server authentication - this can lead to unauthorized actions being taken on your system, for example:

    • Unauthorized parties installing new remote agents - The credentials to log into the source control repository can be stolen.

    • Unauthorized parties masquerading as a Bamboo server - An unauthorized server can transmit malicious code to an agent to run.

    • For more information, see Agent authentication.

We strongly recommend that you do not enable remote agent installation on any Bamboo that is accessible from a public or untrusted network. Remote agent creation is to disable and enable remote agent support by default.

For public agents, Atlassian strongly recommends securing them with SSL. See Securing Your Remote Agents, which carries this note:



This page applies to remote agents, not elastic agents. Elastic agents are automatically secured by the Bamboo server and no additional steps are required.

As for the elastic part, their Elastic Bamboo Security documentation says:

All traffic sent between agents located in EC2 and the Bamboo server is tunneled through an SSL encrypted tunnel. The tunnel will be initiated from the Bamboo server to the EC2 instance, which means you don't need to allow incoming connections to your server. However, you need to allow outbound traffic from the server on the tunnel port - the default port number is 26224. On the EC2 instance, only the tunnel port should be open for inbound traffic.

+3
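One way to check the inbound rule quoted in the answer ("only the tunnel port should be open for inbound traffic") against an elastic agent's security groups. This is an added example, not part of the original question or answer and not Atlassian code. It assumes the rules are available as JSON in the shape of `aws ec2 describe-security-groups` output, and it additionally assumes you want port 26224 reachable only from the Bamboo server's address, which the quoted documentation does not require; the group IDs and addresses are constructed.

```python
import ipaddress
import json

TUNNEL_PORT = 26224  # default tunnel port named in the quoted documentation

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 26224, "ToPort": 26224,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-EXAMPLE-tight", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 26224, "ToPort": 26224,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]}
]}
""")

def audit(groups, server_cidrs, port=TUNNEL_PORT):
    """Return sorted (group_id, finding) pairs for inbound rules that break the policy."""
    # server_cidrs: assumed address ranges of the Bamboo server (not from the page).
    allowed = [ipaddress.ip_network(c) for c in server_cidrs]
    findings = set()
    for sg in groups["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if proto == "-1":  # "-1" means all protocols and all ports
                lo, hi = 0, 65535
            # Anything other than exactly the tunnel port over TCP is extra exposure.
            if proto != "tcp" or (lo, hi) != (port, port):
                findings.add((sg["GroupId"], f"extra inbound {proto} {lo}-{hi}"))
            if proto not in ("tcp", "-1") or not lo <= port <= hi:
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                ok = any(net.version == a.version and net.subnet_of(a) for a in allowed)
                if not ok:
                    findings.add((sg["GroupId"], f"port {port} reachable from {cidr}"))
    return sorted(findings)

if __name__ == "__main__":
    for group_id, finding in audit(SAMPLE, ["203.0.113.10/32"]):
        print(group_id, finding)
```

Rules whose source is another security group (`UserIdGroupPairs`) are not evaluated by this sketch and need a separate review.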

