Introduction
Securing AWS resource infrastructure involves robust IAM (Identity and Access Management), encryption, and continuous monitoring, along with configuring secure VPCs, subnets, and managing ports. I will now discuss and demonstrate a few methods by which we can protect the AWS infrastructure from malicious activities.
Requirements
An active AWS account with the necessary privileges to manage the needed services and resources.
Security Measure 1 - Delete unused VPCs, subnets, security groups
The above security measure is essential to
- Minimizing the attack surface
- Reducing necessary costs
- Simplifying management of the network
Step 1:
Get the list of resources from EC2 Global View and review all the used / unused resources. Use both the “Region Explorer” and “Global Search” to identify the inactive resources.
Step 2:
Detach any running EC2 instances through termination, before deleting the unused default VPCs.
Step 3:
You will now be asked for confirmation to delete the default VPCs along with other network resources like subnets, internet gateway etc. Once you confirm, the unused VPCs will be deleted.
Note: It is quite easy to recreate a default VPC for any region if deleted accidentally.
Security Measure 2 - Deploy Private Resources into Private Subnets
Placing resources like EC2, databases, caches in private subnets enhances security by isolating them from direct internet access. All inbound and outbound traffic is routed through NAT gateways and bastion hosts, that ensures compliance with regulatory standards, and facilitates better management and implementation of security policies.
- Create a private subnet with “auto-assign public IPv4 address” is disabled.
- While creating EC2 resources in a private subnet, select Disable for "Auto-assign Public IP".
Security Measure 3 - Use AWS Systems Manager (SSM) instead of SSH/RDP
Session Manager is able to access instances in private subnets (subnets with no route to the internet) or instances that have Security Groups or Network Access Control Lists with ports 22 (for SSH) or 3389 (for RDS) closed.
Session Manager runs a small open-source agent on the instance that connects into Systems Manager within the AWS network. You can then use the AWS CLI or web management console to start a session that connects into the instance via the agent-based secure tunnel.
Step 1: Create VPC endpoints for the SSM by connecting them to the following SSM services. Substitute the region where you have all the resources.
com.amazonaws.[region].ssm
com.amazonaws.[region].ssmmessages
com.amazonaws.[region].ec2messages
Step 2: Allow port 443 (HTTPS) inbound access on the security group
Create a security group, or modify an existing security group. The security group must allow inbound HTTPS (port 443) traffic to the resources (ex. private EC2 instance) in your VPC that communicate with the service.
Step 3: Create or modify an existing IAM role to have the following policy AmazonSSMManagedInstanceCore attached to it and assign this role to all resources to be monitored by SSM.
Step 4: Connect to a EC2 instance from Session Manager control screen and click Start session to interact with your instances using the browser-based shell.
Security Measure 4 - Restrict Network Access with Security Groups
- For EC2 instances managed by SSM, delete the inbound and outbound rules for port 22 on the security groups attached to these instances.
- Check for security groups that have overly permissive rules using Trusted Advisor.
Security Measure 5 - Enable AWS Trusted Advisor
Run the security checks on the Trusted Advisor dashboard and investigate the findings. Pay special attention to those that are marked as Action recommended or Investigation recommended.
Note : The use of Edge Protection for Public Endpoints will be covered in a subsequent post.
Cleanup
If setting up the measures for practice purposes on the free tier account, make sure to delete the VPC endpoints after trial. For real-time setup, use the pricing calculator to understand the charges for using services like VPC Endpoints and Trusted Advisor.
Conclusion
The above write-up gives an overview on the various security measures that can be implemented over the network layer to prevent malicious attacks. Implementing best practices such as deleting unused resources, placing critical assets in private subnets, and leveraging AWS Systems Manager (SSM) for centralized management and automation leads to a resilient and secure cloud environment.
References
https://catalog.workshops.aws/startup-security-baseline/en-US
Top comments (0)