Advice and answers from the LightTag Team

General Security

Written by Tal Perry. Updated over a week ago

What Needs To Be Secured


LightTag is a web application that sends data to be annotated and receives annotations from your annotators. This communication typically happens over the internet, so it needs to be secured with SSL encryption.

To configure SSL, you'll need a domain you'll be serving LightTag from (e.g. and an SSL certificate associated with that domain.
A generic method of adding SSL to your LightTag instance is covered here.


LightTag-on-AWS has an SSH listener, which accepts connections on port 22. This port is protected by a secure key and thus only accessible to LightTag support personnel. Many organizations have a requirement to disable such access, or to allow it only on an as-needed basis. We'll cover how to ensure that the port is inaccessible and how to re-enable it on an as-needed basis.

Restricting SSH Access

When you set up your LightTag-on-AWS instance, you assigned a security group to your instance. By default, that security group has port 22 (SSH) open to the world, and in the getting started guide we suggested you restrict access to a particular (LightTag) IP address. 

To completely block SSH access to your instance, remove the inbound rule on the security group that allows access to port 22. This has no effect on your usage of LightTag; however, in some support cases you may need to reopen it to allow LightTag support staff to assist.
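After removing the rule, it is worth confirming that no other inbound rule (a wider port range or an "all traffic" rule) still reaches port 22. The following is an added example, not LightTag's own code; it assumes you have the JSON output of `aws ec2 describe-security-groups`, and the sample document, group id and addresses in it are constructed placeholders.

```python
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups`; group id and addresses are placeholders.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-EXAMPLE",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]}]}
""")

WORLD = {"0.0.0.0/0", "::/0"}

def covers_port(perm, port=22):
    """True if an inbound rule admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: FromPort/ToPort are absent
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def ssh_exposure(doc, port=22):
    """List (group, source, port span, scope) for every rule reaching `port`."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
            span = f'{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}'
            for src in sources:
                scope = "world" if src in WORLD else "restricted"
                findings.append((sg["GroupId"], src, span, scope))
    return findings

if __name__ == "__main__":
    for finding in ssh_exposure(SAMPLE):
        print(*finding)
```

An empty result means no inbound rule on the inspected groups reaches port 22; any row marked `world` is a rule that still exposes SSH to every address.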