
A Checklist to Ensure EC2 Security
AWS offers more than 200 cloud services to businesses and enterprises. At a time when data is these businesses' most important asset, security takes top priority, and the AWS security strategy states the idea in one simple sentence:
Security is job Zero!
Elastic Compute Cloud (EC2) is the most commonly used AWS service. An instance is a virtualized slice of a shared physical server: many instances share the same hardware, but the hypervisor isolates them from one another. Above the hypervisor, the security of an EC2 instance depends largely on the user, which is captured by one rule of thumb for security in AWS:
If you can configure it you are responsible for its security.
You can use the following checklist to secure your EC2 instances.
Network Isolation
The first step to securing an EC2 instance or any other resource is to secure the access point.
- By design, your infrastructure lives in an isolated network space called a Virtual Private Cloud (VPC), but how you design the network inside it is up to you.
- Decide deliberately where instances are placed (public vs. private subnet), how they reach the internet through internet gateways, and how traffic is routed within the VPC using route tables.
- Security Groups: a security group is the instance-level firewall. Everything is implicitly denied until you explicitly allow it; each rule names a protocol and port range plus a source (inbound) or destination (outbound), and the group is stateful, so the return traffic of an allowed connection is permitted automatically. Make sure your rules do not open wide port ranges or allow traffic to or from broad address ranges (such as the whole internet) where a single port and a specific address would do.
- NACLs: a Network Access Control List (NACL) is a subnet-level firewall. Unlike security groups, a NACL is stateless, and the default NACL allows all traffic, so everything is permitted until you add an explicit deny; rules are evaluated in rule-number order and the first match wins. Use a deny rule to block traffic from a specific source.
- Web Application Firewall (WAF): AWS WAF sits in front of the load balancer, between end users and your application. You can restrict the traffic that reaches it by geolocation and register other rules as well.
- VPC Flow Logs: enable VPC Flow Logs so that you can see the traffic accepted and rejected at your instances' network interfaces.
- Security Hub: AWS Security Hub runs automated checks against your EC2 instances to verify that their configuration follows security best practices, and it can trigger automated remediation for the gaps it finds.
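Rule order and statelessness are where NACLs usually go wrong in practice, so here is an added example (my own code, not from the article or from AWS) that models how a NACL decides a packet: rules are taken in rule-number order, the first match wins, an unmatched packet hits the implicit deny, and the reply to an allowed request still has to be permitted by the outbound rules. The rule numbers, CIDRs and ports are constructed for the illustration.

```python
"""Added example (not from the article): how a network ACL decides a packet.

A NACL is stateless and evaluates its rules in ascending rule-number order;
the first rule whose protocol, CIDR and port range match decides the packet,
and the implicit '*' rule at the end denies anything that matched nothing.
All rule sets below are constructed for illustration.
"""
import ipaddress

# Constructed inbound rules: (rule_number, protocol, cidr, from_port, to_port, action).
# The CIDR is the source for inbound rules and the destination for outbound rules.
INBOUND_RULES = [
    (90, "tcp", "203.0.113.0/24", 0, 65535, "deny"),    # block one abusive source
    (100, "tcp", "0.0.0.0/0", 443, 443, "allow"),       # HTTPS from anywhere
    (105, "tcp", "0.0.0.0/0", 22, 22, "allow"),         # SSH from anywhere (a mistake)
    (200, "tcp", "198.51.100.0/24", 22, 22, "deny"),    # intended SSH block; never fires
]
# Outbound rules must allow the ephemeral ports that return traffic uses,
# because a NACL does not remember inbound connections.
OUTBOUND_RULES = [
    (100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]


def evaluate(rules, protocol, peer_ip, port):
    """Return (action, rule_number) for one packet; rule_number None is the implicit deny."""
    addr = ipaddress.ip_address(peer_ip)
    for rule_number, proto, cidr, lo, hi, action in sorted(rules):
        if proto not in ("-1", protocol):          # -1 means every protocol
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        if not lo <= port <= hi:
            continue
        return action, rule_number
    return "deny", None


def connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A TCP connection needs the request (inbound) and the reply (outbound) both allowed."""
    request, _ = evaluate(inbound, "tcp", client_ip, server_port)
    reply, _ = evaluate(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"


def shadowed_denies(rules):
    """Deny rules that can never fire because a lower-numbered allow already covers them."""
    ordered = sorted(rules)
    shadowed = []
    for i, (num, proto, cidr, lo, hi, action) in enumerate(ordered):
        if action != "deny":
            continue
        net = ipaddress.ip_network(cidr)
        for pnum, pproto, pcidr, plo, phi, paction in ordered[:i]:
            pnet = ipaddress.ip_network(pcidr)
            if (paction == "allow" and pproto in ("-1", proto)
                    and pnet.version == net.version and net.subnet_of(pnet)
                    and plo <= lo and hi <= phi):
                shadowed.append((num, pnum))
                break
    return shadowed


if __name__ == "__main__":
    print(evaluate(INBOUND_RULES, "tcp", "203.0.113.7", 443))    # ('deny', 90)
    print(evaluate(INBOUND_RULES, "tcp", "198.51.100.9", 22))    # ('allow', 105): rule 200 is shadowed
    print(connection_allowed(INBOUND_RULES, OUTBOUND_RULES, "192.0.2.10", 50000, 443))  # True
    print(connection_allowed(INBOUND_RULES, [], "192.0.2.10", 50000, 443))              # False
    print(shadowed_denies(INBOUND_RULES))                         # [(200, 105)]
```

The two things worth taking from the run: a deny placed after a broader allow (rule 200 behind rule 105) is dead, so a source-specific deny must get a lower number than any allow that covers it; and with an empty outbound rule set the HTTPS connection fails even though the request was allowed, which is the stateless behaviour that security groups hide from you.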
Access Precautions
EC2 instances are accessed in one of two ways: a direct RDP (Windows) or SSH (Linux) connection, or Session Manager.
- SSM Session Manager: the safest way to access an EC2 instance, Windows or Linux, is Session Manager. You connect from within the browser and the session is opened through AWS APIs, so no inbound port has to be open in the security group. The session runs over TLS 1.2 and can be encrypted with KMS keys.
- RDP/SSH Sessions: Remote Desktop Protocol (RDP) sessions are established with Windows-based EC2 instances and Secure Shell (SSH) sessions with Linux-based EC2 instances. Both rely on the instance's EC2 key pair, so it is important to keep the private key secured.
- Key Pairs: if you would rather not manage key pairs, Active Directory can serve as an alternative authentication method. Joining your EC2 instances to a domain streamlines authentication and places them inside another isolated network layer.
- When allowing RDP/SSH ports in security groups, make sure the source is a single fixed, trusted IP address. In production, access through an isolated bastion host or a VPN is a must.
- Multi-factor authentication (MFA) is important for securing access to your EC2 instances.
Data Protection
An EC2 instance has two types of data storage: the instance (ephemeral) store and EBS volumes.
- The ephemeral store is part of the instance itself, so it is protected by whatever security mechanisms guard the instance: your ephemeral storage is exactly as safe as your instance.
- Make sure the data kept on EBS volumes is encrypted with KMS keys.
- For backups, set up an Amazon Data Lifecycle Manager (DLM) policy.
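Both EBS points, encryption and backups, can be verified from the same two API responses. The code below is an added example (mine, not the article's and not an AWS tool) that takes records in the shape of describe-volumes and describe-snapshots output and reports plaintext volumes and snapshots, plus volumes whose newest snapshot is older than the daily cadence a DLM policy would maintain. The volume, snapshot and key identifiers and the timestamps are constructed.

```python
"""Added example (not from the article): audit EBS volumes and snapshots for
encryption and for stale backups. Input mirrors the shape of describe-volumes
and describe-snapshots output; the records below are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed "current time"

SAMPLE_VOLUMES = [  # constructed
    {"VolumeId": "vol-0aaa0000000000001", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
     "Attachments": [{"InstanceId": "i-0aaa0000000000001"}]},
    {"VolumeId": "vol-0bbb0000000000002", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0aaa0000000000001"}]},
    {"VolumeId": "vol-0ccc0000000000003", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
     "Attachments": []},
]
SAMPLE_SNAPSHOTS = [  # constructed
    {"SnapshotId": "snap-0aaa0000000000001", "VolumeId": "vol-0aaa0000000000001",
     "Encrypted": True, "StartTime": NOW - timedelta(hours=12)},
    {"SnapshotId": "snap-0bbb0000000000002", "VolumeId": "vol-0bbb0000000000002",
     "Encrypted": False, "StartTime": NOW - timedelta(days=9)},
]


def unencrypted(volumes, snapshots):
    """IDs of volumes and snapshots stored in plaintext."""
    vols = [v["VolumeId"] for v in volumes if not v.get("Encrypted")]
    snaps = [s["SnapshotId"] for s in snapshots if not s.get("Encrypted")]
    return vols, snaps


def stale_backups(volumes, snapshots, now, max_age=timedelta(days=1)):
    """Volumes whose newest snapshot is older than max_age, or that have none at all:
    the gap a daily DLM policy is meant to close. Maps volume id -> newest snapshot time."""
    newest = {}
    for s in snapshots:
        vid = s["VolumeId"]
        if vid not in newest or s["StartTime"] > newest[vid]:
            newest[vid] = s["StartTime"]
    stale = {}
    for v in volumes:
        last = newest.get(v["VolumeId"])
        if last is None or now - last > max_age:
            stale[v["VolumeId"]] = last
    return stale


def ebs_findings(volumes, snapshots, now, encryption_by_default):
    """One human-readable finding per problem."""
    findings = []
    if not encryption_by_default:
        findings.append("account: EBS encryption by default is off; new volumes are plaintext unless requested")
    vols, snaps = unencrypted(volumes, snapshots)
    by_id = {v["VolumeId"]: v for v in volumes}
    for vid in vols:
        attached = [a["InstanceId"] for a in by_id[vid].get("Attachments", [])] or ["unattached"]
        findings.append(f"{vid}: unencrypted volume ({', '.join(attached)})")
    for sid in snaps:
        findings.append(f"{sid}: unencrypted snapshot")
    for vid, last in stale_backups(volumes, snapshots, now).items():
        findings.append(f"{vid}: no snapshot since {last.date() if last else 'never'}")
    return findings


if __name__ == "__main__":
    for line in ebs_findings(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, NOW, encryption_by_default=False):
        print(line)
```

The `encryption_by_default` flag stands in for the account-level EBS setting, which is the cheapest fix for the volume findings going forward; existing plaintext volumes still have to be re-created from an encrypted copy of their snapshot. Note that a snapshot of an unencrypted volume is itself unencrypted, which is why the snapshot check is listed separately.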
Monitoring
Monitor the instance health using the following mechanisms:
- Status checks (system status checks and instance status checks) report the instance's health and reachability.
- CloudWatch alarms to monitor instance metrics such as CPU consumption and disk space.
- CloudTrail logs to monitor API calls and overall account activity related to your instances.
- EventBridge to track further events.
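Enabling VPC Flow Logs (see the Network Isolation section) only pays off if someone reads them, so here is an added example (my own code, not from the article) of the monitoring the logs make possible: it parses records in the default flow-log format and pulls out two things a defender looks for first, sources accumulating REJECTs (a scan or brute-force attempt stopped by a security group or NACL) and ACCEPTed SSH/RDP traffic from addresses outside the trusted admin range. The log lines, account id, interface id and the trusted address are constructed.

```python
"""Added example (not from the article): parse VPC Flow Log records in the
default format and report REJECT-heavy sources and admin-port traffic that
was accepted from untrusted addresses. The log lines are constructed.
"""
import ipaddress
from collections import Counter

# Field order of the default (version 2) flow-log format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

SAMPLE_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 41234 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 41235 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 41236 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 50123 22 6 20 4300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.44 10.0.1.25 50999 22 6 12 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.9 10.0.1.25 44000 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()


def parse_flow_record(line):
    """One default-format record as a dict, or None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None   # nothing captured in this window; the '-' fields are not numbers
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def analyze(lines, trusted_admin_cidrs, admin_ports=(22, 3389), reject_threshold=3):
    """Summarise rejected sources and untrusted admin-port access over a batch of records."""
    trusted = [ipaddress.ip_network(c) for c in trusted_admin_cidrs]
    rejects = Counter()
    admin_access = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None:
            continue
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        elif rec["protocol"] == 6 and rec["dstport"] in admin_ports:   # 6 = TCP
            src = ipaddress.ip_address(rec["srcaddr"])
            if not any(src in net for net in trusted):
                admin_access.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return {
        "possible_scanners": {s: n for s, n in rejects.items() if n >= reject_threshold},
        "untrusted_admin_access": admin_access,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LINES, ["198.51.100.7/32"]))
```

The REJECT count is where a NACL deny or a tight security group shows its value; the accepted SSH session from 192.0.2.44 is the finding that matters, because it means a rule allowed an admin port from an address that is not on the trusted list. In a real deployment the same logic runs over the records delivered to CloudWatch Logs or S3, and a CloudWatch alarm or EventBridge rule can turn the second result into a page.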