Imoh Etuk for AWS Community Builders


How to Secure Amazon EC2 Instances

In this write-up I give an overview of cloud security, explain what an Amazon EC2 instance is, and walk through four practical ways to secure your EC2 instances.

Overview of Cloud Security

The security of cloud resources is of utmost importance as more and more organizations migrate their on-premises resources to the cloud, whether through a lift-and-shift strategy or a planned re-architecture. Many of the same security controls, technologies, policies, and processes used to protect physical data centers, networks, and compute environments are delivered as a service to protect your cloud workloads and data.
Confidentiality, integrity, and availability are the three essential properties of a secure cloud service. Confidentiality is the ability to keep information hidden from those who should not have it. Integrity is the ability of systems and data to remain as intended, so that results are neither unexpected nor tampered with. Availability is the uptime of the cloud infrastructure and the services built on it, including resilience against Denial-of-Service (DoS) attacks.

What is an Amazon EC2 Instance?

An Amazon EC2 instance is a virtual server in Amazon's Elastic Compute Cloud (EC2) for running applications on the Amazon Web Services (AWS) infrastructure. AWS is a robust and ever-evolving cloud computing platform, and EC2 is the service that lets you run application workloads in that environment. It can be used to create an almost unlimited number of virtual machines (VMs), subject to your account's quotas. To meet the needs of different workloads, Amazon offers a variety of instance types with varying configurations of CPU, memory, storage, and networking resources, and each type comes in several sizes.

AWS customers can launch and fully control virtual machines in the cloud using Amazon EC2. Instances can run a variety of operating systems (Amazon Linux, other Linux distributions, Windows Server, and more), each with its own security capabilities and hardening requirements. Every EC2 instance is launched from an Amazon Machine Image.

An Amazon Machine Image (AMI) contains all of the information needed to launch an instance. When you launch an instance, you must specify an AMI. When you need multiple instances with the same configuration, you can launch them all from a single AMI. When you need instances with different configurations, you can launch them using different AMIs.

After setting the stage with this discussion, here are four critical tips to help you ensure that your EC2 instances are properly secured.

1. Secure your VPC

Amazon Virtual Private Cloud (Amazon VPC) is an Amazon Web Services feature that allows you to define a logically isolated virtual network in which to provision your AWS resources. IP address ranges, subnets, route tables, gateways, network interfaces, endpoints, and other components make up a VPC.

The VPC is the network boundary around your EC2 instances: every packet to or from an instance passes through the VPC's subnets, route tables and gateways. If that network is misconfigured, say with a subnet that routes straight to the internet or a route table that exposes more than intended, every instance in it is exposed as well.


  • One way to ensure that your VPC is secure is to start from scratch by creating a new Virtual Private Cloud. Although AWS provides a default VPC in each region of your account, it is preferable not to use it and instead create your own VPCs. The reason is that the default VPC is built for convenience rather than isolation: its subnets are associated with the main route table, which carries a default route (0.0.0.0/0) to an internet gateway, and they assign a public IP address to every instance at launch. An instance launched there with a permissive security group is reachable from the internet the moment it boots. So, from the standpoint of securing your AWS resources (EC2 in particular), it is always best to create new VPCs, define custom route tables for each subnet, and keep instances that do not need to be reached from the internet in private subnets with no internet-gateway route, since all other resources in your account depend on this network layout to communicate and exchange information.
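The check a practitioner would actually run on this point is "which of my subnets are public?" The following is an added example (not code from the original post): it applies the route-table rule described above to data in the shape the EC2 DescribeRouteTables and DescribeSubnets calls return. The VPC, subnet, route-table and gateway IDs are constructed for the example; with real data you would feed it the output of those two API calls.

```python
"""Classify the subnets of a VPC by internet exposure, using the shapes
returned by the EC2 DescribeRouteTables and DescribeSubnets API calls.
Sample data below is constructed for this example (no real account)."""
from typing import Dict, List


def route_table_for(subnet: Dict, route_tables: List[Dict]) -> Dict:
    """Return the route table that governs a subnet: an explicit subnet
    association wins; otherwise the VPC's main route table applies, which
    is exactly how every subnet in a default VPC ends up on the main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no route table found for {subnet['SubnetId']}")
    return main


def has_igw_default_route(rt: Dict) -> bool:
    """True if the table sends the default route (IPv4 or IPv6) to an internet gateway."""
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def classify_subnets(subnets: List[Dict], route_tables: List[Dict]) -> Dict[str, str]:
    """Map each subnet id to one of:
    'public'            - IGW default route and public IPs assigned at launch
    'internet-routable' - IGW default route, but instances get no public IP
                          unless you attach an Elastic IP
    'private'           - no path to an internet gateway at all"""
    result = {}
    for subnet in subnets:
        igw = has_igw_default_route(route_table_for(subnet, route_tables))
        if igw and subnet.get("MapPublicIpOnLaunch"):
            result[subnet["SubnetId"]] = "public"
        elif igw:
            result[subnet["SubnetId"]] = "internet-routable"
        else:
            result[subnet["SubnetId"]] = "private"
    return result


# Constructed sample: a default VPC (everything on the main table, which routes
# to an IGW) next to a custom VPC whose main table only has the local route.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-default-main", "VpcId": "vpc-default",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-default"}]},
    {"RouteTableId": "rtb-custom-main", "VpcId": "vpc-custom",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-custom-public", "VpcId": "vpc-custom",
     "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-custom"}]},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-default-a", "VpcId": "vpc-default", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-app", "VpcId": "vpc-custom", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-web", "VpcId": "vpc-custom", "MapPublicIpOnLaunch": False},
]

if __name__ == "__main__":
    for subnet_id, exposure in classify_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet_id}: {exposure}")
```

The default-VPC subnet comes out "public" without anyone having written a rule for it, which is the whole point of the bullet above: in the custom VPC only the subnet you explicitly associated with an IGW-routed table can reach the internet, and even that one needs an Elastic IP before an instance is addressable from outside.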

2. Know your security groups

AWS offers two types of virtual firewalls that you can use to control the inbound and outbound flow of network traffic in your environment: network access control lists (NACLs) and security groups. NACLs are stateless and operate at the subnet boundary, so they are useful for coarse controls on traffic entering or leaving a subnet; security groups are stateful and attach to an instance's network interface, which makes them the primary control for securing communication with individual EC2 instances.

To secure your EC2 instances, you must first ensure that you have a thorough understanding of how security groups work. Amazon has a good description of how to use security groups to secure inbound traffic for Linux instances, and by working through the scenario they present, you can gain a good understanding of how to use security groups to protect other types of instances. The fundamental principles are straightforward: a security group denies all inbound traffic unless a rule allows it, so you assign one or more security groups to your instance and add rules that allow only the specific protocols, ports and sources the instance needs. Prefer a source that is another security group or a narrow CIDR over 0.0.0.0/0, and keep in mind the cardinal rules of access control: least privilege and least access.
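To make "least access" concrete, here is an added example (not from the original post) that audits security-group ingress rules in the shape returned by EC2 DescribeSecurityGroups and reports any sensitive port open to the whole internet. The group IDs, the set of ports treated as sensitive and the admin CIDR are assumptions of the example; the hardened group at the end shows the rule shape you want instead of 0.0.0.0/0.

```python
"""Audit security-group ingress rules for sensitive ports exposed to the
whole internet. Input mirrors the EC2 DescribeSecurityGroups response.
Sample groups below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Set

WORLD = {"0.0.0.0/0", "::/0"}

# Ports this example treats as never-world-open (tune to your environment).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    service: str
    source: str


def sensitive_ports_covered(perm: Dict) -> Set[int]:
    """Sensitive ports a single IpPermission entry covers. IpProtocol '-1'
    is 'all traffic' and has no port fields; UDP-only rules are ignored here."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def world_sources(perm: Dict) -> List[str]:
    """CIDR sources on this entry that mean 'anyone'. Sources that are other
    security groups (UserIdGroupPairs) are by construction not the world."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def audit_security_groups(groups: List[Dict]) -> List[Finding]:
    """One Finding per (group, sensitive service, world source) combination."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for source in world_sources(perm):
                for port in sorted(sensitive_ports_covered(perm)):
                    findings.append(Finding(group["GroupId"], SENSITIVE_PORTS[port], source))
    return findings


SAMPLE_GROUPS = [
    # Web tier: HTTPS to the world is fine, SSH to the world is not.
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    # Database tier: MySQL only from the web tier's security group (least access).
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    # Classic mistake: "all traffic" from anywhere over IPv6.
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    # Hardened form of the SSH rule: only the admin network (TEST-NET-3 here).
    {"GroupId": "sg-hardened", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f.group_id}: {f.service} open to {f.source}")
```

Note that the database group referencing sg-web as its source produces no finding: allowing a port from another security group rather than from an address range is the idiom that keeps tiers reachable only by the tier in front of them, and it keeps working when instances are replaced and their IPs change.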

3. Make Use of IAM roles


When you create an AWS account you receive root user credentials that give access to every resource in the account, including EC2. Using these root credentials to grant users, applications, or services access to your instances is done at your own risk! Instead, use AWS Identity and Access Management (IAM) to limit how much access users, applications, and services have to your instances and other resources such as storage. IAM is the AWS service that lets you create users and groups and assign them their own security credentials. IAM is also where you write JSON-format policies that define which EC2 API actions may be performed, and on which instances.

Even more importantly for managing instance security, IAM allows you to create roles. IAM roles manage the AWS credentials used by applications running on EC2 instances. This matters because every API call an application makes must be signed with valid AWS credentials. Typically, you create an IAM role, attach a policy you wrote that grants exactly the permissions the application needs (for example, read access to one S3 bucket), and assign the role to the instance through an instance profile, either at launch or afterwards. The instance then obtains temporary credentials for that role from the instance metadata service and uses them to access the bucket; AWS rotates these credentials automatically. The benefit is that no long-term access keys, and certainly no root credentials, are stored on the instance: only short-lived credentials ever exist there, so a compromised instance exposes far less. Require IMDSv2, the session-oriented version of the metadata service, on your instances so that those credentials cannot be read with a simple server-side request forgery against the metadata endpoint.
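The two documents a role needs are the trust policy (who may assume it) and the permissions policy (what it may do). Below is an added example, not from the original post, that generates both for the "read one S3 bucket" case described above, in the real IAM JSON policy format, and lints a policy for the wildcards that turn a role into a skeleton key. The bucket name, prefix and Sid values are made up for the example.

```python
"""Build a least-privilege IAM policy for an EC2 workload that reads one S3
prefix, plus the trust policy that lets EC2 assume the role, and a small
linter that catches the wildcards people reach for instead. The policy
format is the real IAM JSON format; bucket and prefix names are made up."""
import json
from typing import Dict, List


def ec2_trust_policy() -> Dict:
    """Trust policy: only the EC2 service may assume this role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def read_only_bucket_policy(bucket: str, prefix: str = "") -> Dict:
    """Permissions policy: list one bucket (restricted to one prefix when given)
    and read the objects under that prefix. Nothing else."""
    list_stmt = {"Sid": "ListBucket", "Effect": "Allow",
                 "Action": "s3:ListBucket",
                 "Resource": f"arn:aws:s3:::{bucket}"}
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    get_stmt = {"Sid": "ReadObjects", "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"}
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}


def _as_list(value) -> List[str]:
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: Dict) -> List[str]:
    """Report Allow statements that use '*' or 'service:*' actions, or '*' resources."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                problems.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                problems.append(f"{sid}: wildcard resource")
    return problems


# What the "just make it work" version usually looks like.
OVERBROAD_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Sid": "FullAccess", "Effect": "Allow",
                                   "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    policy = read_only_bucket_policy("app-config-bucket", "prod/")
    print(json.dumps(policy, indent=2))
    print("scoped policy problems:", lint_policy(policy))
    print("overbroad policy problems:", lint_policy(OVERBROAD_POLICY))
```

Write the two documents to files and wire them up with the AWS CLI: `aws iam create-role --assume-role-policy-document file://trust.json`, `aws iam put-role-policy --policy-document file://policy.json`, then `aws iam create-instance-profile`, `aws iam add-role-to-instance-profile`, and `aws ec2 associate-iam-instance-profile` on the instance. Finish with `aws ec2 modify-instance-metadata-options --http-tokens required` so the role's temporary credentials are only served to IMDSv2 clients.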

4. Protect your EC2 Instances Against Malware


Apart from the points above, protecting your EC2 instances from malware infection is an important part of securing them. Many of the same practices you use to harden the physical servers in your server room or datacenter apply here. This means that you should:

  • Make sure that any applications or other executable code you install on your instance come from a reputable source, and verify the download against the checksum or signature the vendor publishes.
  • Make sure the Amazon Machine Image (AMI) from which you launch your instance also comes from a trusted source, such as Amazon, a vetted Marketplace vendor, or an image your own account built.
  • Ensure that your instance's guest OS and installed applications are fully patched and that newly released patches are applied in a timely manner.
  • Ensure that trusted anti-malware software is installed and running on the guest OS and that its signatures are updated regularly.
  • Ensure that the guest operating system on your instance is hardened in line with the operating system's standard hardening procedures.
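The first two items in the list are checks rather than settings, so here is an added example (not from the original post) of both: verifying a downloaded artifact against a vendor-published SHA-256, and flagging AMIs whose owner is not on your allowlist using records in the shape EC2 DescribeImages returns. The artifact bytes, the account IDs and the AMI records are constructed for the example; the digest is the standard SHA-256 test vector for the bytes used.

```python
"""Two 'trusted source' checks from the list above: verify a downloaded
artifact against a vendor-published SHA-256, and flag AMIs whose owner is
not on an allowlist (input mirrors the EC2 DescribeImages response).
The sample artifact, digest and AMI records are constructed for this example."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Set


def verify_sha256(artifact: bytes, published_hex: str) -> bool:
    """Compare the artifact's SHA-256 with the digest the vendor publishes.
    compare_digest avoids a timing side channel when the comparison runs on
    attacker-influenced input."""
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, published_hex.strip().lower())


# Owners you accept AMIs from: Amazon's alias, the Marketplace alias, and your
# own account id (assumed here to be 123456789012).
TRUSTED_AMI_OWNERS: Set[str] = {"amazon", "aws-marketplace", "123456789012"}


def untrusted_amis(images: Iterable[Dict], trusted: Set[str] = TRUSTED_AMI_OWNERS) -> List[str]:
    """ImageIds whose owner is neither a trusted OwnerId nor a trusted
    ImageOwnerAlias (Amazon-owned images carry the alias 'amazon')."""
    flagged = []
    for image in images:
        owners = {image.get("OwnerId"), image.get("ImageOwnerAlias")} - {None}
        if not owners & trusted:
            flagged.append(image["ImageId"])
    return flagged


# Constructed artifact: the bytes b"abc" and the standard SHA-256 test vector
# for them, standing in for an installer and its published checksum.
SAMPLE_ARTIFACT = b"abc"
SAMPLE_PUBLISHED_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Constructed DescribeImages records: a vendor image, your own golden image,
# and a public community image from an account you have never heard of.
SAMPLE_IMAGES = [
    {"ImageId": "ami-vendor", "OwnerId": "137112412989", "ImageOwnerAlias": "amazon", "Public": True},
    {"ImageId": "ami-golden", "OwnerId": "123456789012", "Public": False},
    {"ImageId": "ami-community", "OwnerId": "999988887777", "Public": True},
]

if __name__ == "__main__":
    print("artifact ok:", verify_sha256(SAMPLE_ARTIFACT, SAMPLE_PUBLISHED_DIGEST))
    print("untrusted AMIs:", untrusted_amis(SAMPLE_IMAGES))
```

Pin the AMI IDs you launch from in your launch templates or infrastructure code and run the owner check over them in CI, so that a copy-pasted community AMI cannot slip into production unnoticed.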


In all you do, remember the shared responsibility model: AWS is responsible for the security of the cloud, and you are responsible for security in the cloud. Do your part: control network access to your instances, manage the login credentials used to connect to them, manage the guest operating system and the software installed on it along with updates and security patches, and configure the IAM roles attached to each instance and the permissions linked to those roles. AWS takes care of the security of the underlying cloud for you. Cheers!🙌🙌
