Chapter 3. Securing Servers in AWS

The Amazon Elastic Compute Cloud (EC2) web service provides secure, elastic, scalable computing capacity in the form of virtual computing environments, known as instances, in the AWS cloud. EC2 is, in a way, the backbone of AWS: it drives the majority of AWS revenue. This service enables users to run their web applications in the cloud by renting servers. EC2 is part of the Infrastructure as a Service (IaaS) offering from AWS, and it gives the user complete control over the instance provided.

These servers or instances are used for a variety of use cases, such as running web applications, installing various software, running databases, and file storage. EC2 offers the following benefits, which make it quite popular:

  • Secured service offering multiple options for securing servers
  • Elastic web scale computing; no need to guess the computing capacity
  • Complete control over your EC2 instance
  • Multiple instance types for various scenarios
  • Integration with other AWS services
  • Reliable service, offering 99.95% availability for each region
  • Inexpensive, offering pay-what-you-use and pay-as-you-use models

Since most of the workloads in AWS run on or use EC2 one way or another, it is critical to secure your servers. AWS provides multiple options to secure your servers from numerous threats and gives you the ability to test these security measures as well. Securing servers is essentially securing your infrastructure in AWS. It involves controlling access to your EC2 instances, monitoring activities on your EC2 instances, and protecting them from external threats such as hacking, Distributed Denial of Service (DDoS) attacks, and so on.

With the Amazon EC2 service, users can launch virtual machines with various configurations in the AWS cloud. AWS users have full control over these elastic and scalable virtual machines, also known as EC2 instances.

In this lesson, you are going to learn about best practices and ways to secure EC2 instances in the cloud. AWS provides security for EC2 instances at multiple levels: in the operating system of the physical host, in the operating system of the virtual machine, through multiple firewalls, and by requiring all API calls to be signed. Each of these security measures builds on the capabilities of the others.

Our goal is to secure data stored and transferred from an AWS EC2 instance so that it reaches its destination without being intercepted by malicious systems while also maintaining the flexibility of the AWS EC2 instance, along with other AWS services. Our servers in AWS should always be protected from ever-evolving threats and vulnerabilities.

We will dive deep into the following areas of EC2 security:

  • IAM roles for EC2
  • Managing OS-level access to Amazon EC2 instances
  • Protecting the system from malware
  • Securing your infrastructure
  • Intrusion detection and prevention systems
  • Elastic load balancing security
  • Building threat protection layers
  • Test security

In Lesson 1, AWS Virtual Private Cloud, we looked at ways to secure your network in the AWS cloud. We looked at network access control list (NACL) and security groups as two firewalls provided by AWS for subnets and EC2 instances, respectively. In this lesson, we are going to dig deeper into security groups. We will also look at other ways to protect your infrastructure in the cloud.

We will look into AWS Inspector, an agent-based and API-driven service that automatically assesses security and vulnerabilities for applications deployed on EC2 instances. We will cover the following topics for AWS Inspector service:

  • Features and benefits
  • Components

Next, you will learn about AWS Shield, a managed DDoS protection service that will help you minimize downtime and latency for your applications running on EC2 instances and for your AWS resources, such as EC2 instances, Elastic Load Balancer (ELB), Route 53, and so on. We will cover the following topics for the AWS Shield service:

  • Benefits
  • Key features

EC2 Security Best Practices

There are general best practices for securing EC2 instances that apply irrespective of the operating system and of whether the instances are running as virtual machines or in on-premises data centers. Let's look at these general best practices:

  • Least access: Unless required, restrict access to the EC2 instance itself as well as to its network. Provide access only to trusted entities, including the software and operating system components that are required to be installed on these instances.
  • Least privilege: Always follow the principle of least privilege required by your instances, as well as users, to perform their functions. Use role-based access for your instances and create roles with limited permissions. Control and monitor user access for your instances.
  • Configuration management: Use AWS configuration management services to have a baseline for your instance configuration and treat each EC2 instance as a configuration item. This base configuration should include the updated version of your anti-virus software, security patches, and so on. Keep assessing the configuration of your instance against baseline configuration periodically. Make sure you are generating, storing, and processing logs and audit data.
  • Change management: Ensure that automated change management processes are in place in order to detect changes in the server configuration. Create rules using AWS services to roll back any changes that are not in line with accepted server configuration or changes that are not authorized.
  • Audit logs: Ensure that all changes to the server are logged and audited. Use AWS logging and auditing features, such as AWS CloudTrail and VPC flow logs, for logging all API requests and AWS VPC network traffic, respectively.
  • Network access: AWS provides three options to secure network access for your EC2 instances: security groups, network access control lists, and route tables. An Elastic Network Interface (ENI) connected to your instance provides network connectivity to an AWS VPC.
    • Configure security group rules to allow minimum traffic for your instance. For example, if your EC2 instance is a web server, allow only HTTP and HTTPS traffic.
    • Use network access control lists as a second layer of defense, since they are stateless and need more maintenance. Use them to deny traffic from unwanted sources.
    • Configure route tables for the subnet in your VPC to ensure that instance-specific conditions are met by distinct route tables. For example, create a route table for internet access and associate it with all subnets that require access to the internet.
  • AWS API access from EC2 instances: Quite often, applications running on EC2 instances would need to access multiple AWS services programmatically by making API calls. AWS recommends that you create roles for these applications, as roles are managed by AWS and credentials are rotated multiple times in a day. Moreover, with roles, there is no need to store credentials locally on an EC2 instance.
  • Data encryption: Any data that is either stored on or transmitted through an EC2 instance should be encrypted. Use Elastic Block Storage (EBS) volumes to encrypt your data at rest through the AWS Key Management Service (KMS). To secure data in transit through encryption, use Transport Layer Security (TLS) or IPsec encryption protocols. Ensure that all connections to your EC2 instances are encrypted by configuring outbound rules for security groups.
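The least-access and network-access practices above can be checked mechanically. The following added example (not from the book) audits security groups in the JSON shape returned by `aws ec2 describe-security-groups` against the chapter's web server baseline of only HTTP and HTTPS from anywhere; the group IDs and rules in SAMPLE_GROUPS are constructed sample data.

```python
"""Audit EC2 security group ingress rules against a least-access baseline."""
from typing import Dict, List, Tuple

# Source ranges that mean "the whole internet" (IPv4 and IPv6).
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the describe-security-groups output shape (assumption:
# a web server group that should only expose TCP 80/443 publicly).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1", "IpRanges": [],           # -1 = all protocols
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
]


def audit_web_ingress(groups: List[Dict],
                      allowed_ports: Tuple[int, ...] = (80, 443)) -> List[str]:
    """Return one finding per ingress rule that exposes more than
    allowed_ports over TCP to the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            public = sorted(sources & ANYWHERE)
            if not public:
                continue  # source-restricted rule; not a world-exposure finding
            proto = perm.get("IpProtocol")
            if proto == "-1":
                findings.append(f"{sg['GroupId']}: all protocols/ports open to {public}")
                continue
            # FromPort/ToPort are absent when the rule covers every port.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = any(p not in allowed_ports for p in range(lo, hi + 1))
            if proto != "tcp" or exposed:
                findings.append(f"{sg['GroupId']}: {proto} {lo}-{hi} open to {public}")
    return findings


if __name__ == "__main__":
    for line in audit_web_ingress(SAMPLE_GROUPS):
        print("FINDING", line)
```

Feeding real `describe-security-groups` output to `audit_web_ingress` gives a periodic baseline check of the kind the configuration management practice above calls for.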