This tip is a part of the SearchCloudSecurity.com AWS security and Amazon EC2 security tutorial
As more organizations implement virtual machine instances within Amazon’s
First, customers should harden and properly configure the operating system. Amazon allows customers to use simple pre-built OS templates to get started, or customers can deploy OS and application builds known as Amazon Machine Images (AMIs). Either of these can be locked down and secured using well-known guidance from OS vendors like Microsoft, as well as the Defense Information Systems Agency (DISA) or Center for Internet Security (CIS).
When creating a new instance, users walk through a basic setup wizard that includes several key security controls right off the bat. The first is the creation of a public/private key pair. This key pair allows for simple authentication to an instance by presenting the private key, which is stored securely on a local system or separate storage device. Creating the key pair is not mandatory, but is highly recommended as a foundational security measure to prevent anonymous connection attempts or brute force authentication attacks against the instance.
The next security control to set up is the EC2 firewall. The first step in using the firewall is setting up one or more Security Groups. Each Security Group comprises a number of firewall rules that can be configured for more secure access to the instance. By default, no rules are set up, providing a “default deny” network stance to instances. Firewall rules are simple in nature, and the firewall is not advanced by modern standards; for example, it does not provide stateful protection. However, it does allow administrators to create rules for TCP, UDP and ICMP traffic from various IP address ranges, and common ports and services like SSH, RDP, HTTP, HTTPS and databases like MS SQL and MySQL are simple to configure quickly.
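The default-deny stance described above only holds as long as the rules added afterwards stay narrow. The following Python script is an added example (not code from the article or from Amazon) that audits a Security Group's inbound rules for the two mistakes reviewers most often find: an administrative or database port (SSH, RDP, MS SQL, MySQL) open to the whole Internet, and a rule that opens the entire port range. The group name, rule records and CIDR blocks are constructed samples shaped like EC2 ingress rules (protocol, port range, source CIDR); nothing here talks to AWS.

```python
"""Audit an EC2 Security Group's inbound rules for overly permissive entries.

Added example, not part of the original article. The rule records below are
constructed to mirror the shape of EC2 security group ingress rules
(protocol, port range, source CIDR); the group name and CIDRs are made up.
"""
import ipaddress

# Administrative and database services that should never be reachable from 0.0.0.0/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MS SQL", 3306: "MySQL"}

# Constructed sample: one security group with a mix of acceptable and risky rules.
SAMPLE_GROUP = {
    "name": "web-tier-sg",  # hypothetical group name
    "ingress": [
        {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.0.0/16"},
        {"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "203.0.113.0/24"},
        # For ICMP the port fields carry type/code; -1 means "all" and is skipped below.
        {"protocol": "icmp", "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"},
    ],
}


def is_world_open(cidr):
    """True when the source CIDR covers every address (a /0 prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_group(group):
    """Return a list of human-readable findings for one security group."""
    findings = []
    for rule in group["ingress"]:
        lo, hi, src = rule["from_port"], rule["to_port"], rule["cidr"]
        if rule["protocol"] == "icmp":
            continue  # port checks do not apply to ICMP type/code ranges
        # Opening every port is too broad no matter how narrow the source range is.
        if (lo, hi) == (0, 65535):
            findings.append(f"{group['name']}: all {rule['protocol']} ports open to {src}")
        # Admin and database ports must be restricted to known address ranges.
        if is_world_open(src):
            for port, service in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append(f"{group['name']}: {service} (port {port}) open to the world")
    return findings


if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP):
        print(finding)
```

Running the script flags the world-open SSH rule and the all-ports rule while leaving the HTTP/HTTPS rules and the MySQL rule scoped to 10.0.0.0/16 alone. An empty rule list, the default-deny starting point, produces no findings.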
Amazon also offers Identity and Access Management as a tab within the AWS console. In this console, administrators can create groups, and then apply policies to the groups. Policies include Administrator (full) access, Power User (admin access but cannot manage users and groups), and individual AWS services control. Custom policy templates can also be created and managed with a simple syntax. For example, the following is the template for Power Users:
Users can then be added to the groups, with unique access keys for each user that are required for numerous AWS application programming interfaces (APIs).
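To make the Administrator / Power User / service-scoped distinction concrete, here is an added example (not the article's or Amazon's code) of a minimal evaluator for the IAM policy document syntax: a list of statements, each with an Effect, an Action or NotAction pattern, and a Resource. The three policy documents are constructed; the Power User one is modelled on the AWS-provided template of the time, which granted every action except those in the iam: namespace. The evaluator applies the documented ordering of explicit Deny over Allow over default deny, and ignores Resource because every sample uses "*".

```python
"""Minimal evaluator for the IAM policy document syntax (Effect, Action/NotAction, Resource).

Added example, not the article's own code. The policy documents are constructed
samples; the Power User document mirrors the AWS template that allowed all actions
except those in the iam namespace. Resource constraints are ignored here because
every sample statement uses Resource "*".
"""
import fnmatch
import json

# Full access: every action on every resource.
ADMINISTRATOR_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
})

# Power User: everything except managing users, groups and policies (iam:*).
POWER_USER_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]
})

# Constructed service-scoped policy: EC2 operator who may not terminate instances.
EC2_OPERATOR_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ]
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """Action names are matched case-insensitively with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def statement_applies(stmt, action):
    """A statement applies when its Action matches, or its NotAction does not."""
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _matches(stmt["NotAction"], action)
    return False


def is_allowed(policy_json, action):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise deny by default."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    allowed = False
    for stmt in statements:
        if not statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def classify(policy_json):
    """Label a policy by whether it can manage IAM itself and how broad it is otherwise."""
    if is_allowed(policy_json, "iam:CreateUser"):
        return "administrator-level (can manage users and groups)"
    if is_allowed(policy_json, "ec2:RunInstances") and is_allowed(policy_json, "s3:PutObject"):
        return "power user (broad service access, no IAM management)"
    return "service-scoped"


if __name__ == "__main__":
    for name, doc in [("Administrator", ADMINISTRATOR_POLICY),
                      ("Power User", POWER_USER_POLICY),
                      ("EC2 operator", EC2_OPERATOR_POLICY)]:
        print(f"{name}: {classify(doc)}")
```

The point the evaluator makes is the one the Power User description relies on: a NotAction statement is still an Allow, so it grants every action it does not name, and the only thing standing between a Power User and full account control is the iam:* exclusion. That is why the users holding the access keys mentioned above should sit in the narrowest group that covers their job.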
Other networking and security availability features that customers should set up include Elastic IPs, Placement Groups and Load Balancers, and all are available in the lower left side of the EC2 console window. Elastic IPs are simply public addresses that Amazon will allocate to a customer account that can be associated with instances. These differ from traditional static IP addresses by allowing customers to dynamically map them to additional instances in the case of an instance or Amazon Availability Zone (regional EC2 cloud fabric) failure. Placement Groups are essentially clusters for instances, allowing higher availability overall, and Load Balancers distribute traffic between two or more instances.
Availability is a critical component of a comprehensive risk management strategy, and given the recent outage that Amazon experienced, more security professionals are thinking about these features. However, it’s important to keep in mind that the April outage was caused by a network configuration error on Amazon’s part; these features would not have mitigated that problem.
The steps outlined for Amazon EC2 security are only a few of the most important features built into AWS that can help secure instances and access to the administrative console. Although implementing these controls will not prevent all attacks, hardening operating systems, restricting network and administrative access, and creating a more intelligent role-based access permissions model are all critical steps that will go a long way towards preventing attackers from exploiting your EC2 systems.
About the author:
Dave Shackleford is a founder and principal consultant with Voodoo Security and also a certified SANS instructor.
This was first published in May 2011