Security Best Practices for AWS (IaaS) EC2 (Part 1)

If you would like to read the next part in this article series please go to Security Best Practices for AWS (IaaS) EC2 (Part 2).

In this article we consider the security practices Amazon uses to keep customer data secure and to mitigate security risk, with a focus on Amazon's IaaS offering, EC2, and on what enterprises themselves can do to better secure their data.

Introduction

Vast numbers of organisations use AWS, and it is in Amazon's best interest to ensure that their data remains secure and protected; however, the ultimate responsibility for the data remains with the organisation using the services. Because these are cloud-based services, security best practice should be applied to ensure that data processed and stored in the Amazon cloud remains private and secure.

Amazon is without doubt the current leader in the orchestration and provisioning of cloud computing services. AWS services are used across industries globally, enabling many organisations to accelerate business growth by drawing on the broad range of compute services AWS offers.

A recent study of the security features Amazon provides has highlighted the need for third-party security support for Amazon EC2 (Elastic Compute Cloud), one of the most widely used Infrastructure-as-a-Service offerings.

The following areas may cause concern for some organisations. These concerns apply equally when using other cloud platforms, not only EC2:

  • Data residency/location
  • Security of data
  • Encryption policies and key management
  • Access control
  • Long term encryption resiliency

Best practice should involve defence in depth and continual evaluation, to stay abreast both of the enhancements that can be made and of the ever-changing threat landscape.

We will look at the security features specific to EC2.

Security best practices afforded to AWS EC2

When using AWS, the organisation shares responsibility for security with Amazon. Amazon secures the host OS, the virtualisation layer and the physical security of its facilities; the security of the organisation's guest OS, including updates and patches, the security of any software or applications, and the configuration of the firewall, remains the responsibility of the organisation.

The organisation remains responsible for everything deployed on top of AWS and for the correct configuration of the security features AWS provides. By leveraging third-party technology (firewalls, encryption, intrusion detection software) the organisation can enhance its security and ensure that its specific compliance requirements are met.

Amazon ensures a secure infrastructure: the facilities, hardware, network and relevant operational software. Amazon aligns its security with recognised practices and standards so that the infrastructure forms a secure foundation for enterprises, and AWS has obtained many security and compliance-related certifications and audit reports.

Over and above the security procedures in place for AWS as a whole (physical and environmental security, business continuity management, network security, identity and access management, multifactor authentication, key management and Trusted Advisor security checks), each service on the Amazon infrastructure has its own built-in security as well.

The foundation provided by Amazon is one of the best: the data centres have extensive security in depth, and AWS offers additional user-accessible security features. Success relies on using Amazon's infrastructure and services correctly, knowing where the gaps may be, and filling those gaps effectively with additional tools and technologies.

Amazon AWS EC2 security features

Multiple levels of security are applied to EC2, to guard against unauthorised interception of data and to secure the EC2 instances themselves.

The hypervisor

The Xen hypervisor used for EC2 is customised to take advantage of paravirtualisation (for Linux guests). Because a paravirtualised guest relies on the hypervisor for operations that would normally require privileged access, the guest OS has no elevated access to the CPU. The x86 CPU provides four privilege modes (rings), 0 to 3, with ring 0 the most privileged and ring 3 the least. The host OS and hypervisor execute in ring 0; rather than running in ring 0 as most operating systems do, the guest OS runs in the less privileged ring 1 and applications in the least privileged ring 3. Operating in this way keeps hypervisor and guest separate and increases security. (Newer EC2 instance families have since moved from Xen to the KVM-based Nitro hypervisor, but the isolation goal is the same.)

The instance

A firewall in the hypervisor layer, together with the Xen hypervisor itself, isolates instances running on the same physical machine. All packets pass through the hypervisor layer where the firewall resides, so each instance is isolated and behaves as if it were on a separate physical host.

Instances are not given access to raw disk devices; customer instances are presented with virtualised disks instead. Customer data is kept private by automatically resetting every block of storage used by a customer before it is reused, and by scrubbing (zeroing) memory when it is deallocated from a guest; the memory is returned to the free pool only after the scrub is complete.

Amazon recommends further data protection measures on top of this, such as encrypting files above the virtualised disk device.

Host OS

Access to the administration hosts requires successful multifactor authentication. Access is tracked through logs and audits, and access privileges are revoked when no longer required for a business purpose.

Guest OS

The organisation has complete control of its virtual instances. Amazon puts forward recommendations for security best practice; however, the ultimate responsibility for security lies with the organisation.

Recommendations include:

  • Multifactor authentication, or at a minimum key-based SSH version 2 access, instead of password-only access to instances
  • A privilege escalation mechanism (such as sudo) rather than shared root access
  • Logging of logins and privilege escalation on a per-user basis
  • Generate your own key pairs rather than relying on a shared one

Patching and updating your guest OS is your sole responsibility.
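The first of the recommendations above is a configuration check you can automate. The following is an added example for this article, not AWS or OpenSSH code: it parses an sshd_config and flags password-only access, root login and keyboard-interactive (PAM) fallbacks. It assumes OpenSSH 7.0 or later defaults (PasswordAuthentication yes, PermitRootLogin prohibit-password, PubkeyAuthentication yes, KbdInteractiveAuthentication yes) and models two sshd behaviours that trip people up: the first occurrence of a keyword wins, and directives after a Match line apply only to matched connections. The two config samples are constructed for the demo.

```python
"""Audit an OpenSSH sshd_config for password-only logins and direct root login.

Added example for this article, not AWS or OpenSSH code. Assumes OpenSSH 7.0+
defaults (see DEFAULTS). Sample configs below are constructed for the demo.
"""
import re

DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # spelt ChallengeResponseAuthentication before 8.7
}

def parse_global_section(config_text):
    """Return the effective global keyword->value map (first occurrence wins)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break                                     # rest is connection-scoped, not global
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"      # old spelling of the same knob
        settings.setdefault(key, value)               # sshd honours the FIRST occurrence
    return settings

def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means the global config passes."""
    eff = {**DEFAULTS, **parse_global_section(config_text)}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password-only logins are possible")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive auth enabled: PAM can still prompt for a password")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication disabled: key pairs cannot be used")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: log in as a named user and escalate with sudo instead")
    return findings

# Constructed sample: an AMI left with permissive distribution defaults.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: key-only access, no direct root login, no PAM password fallback.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

Run it against `/etc/ssh/sshd_config` on each instance (for example from a configuration-management job) and treat any finding as a build failure. The per-user logging recommendation is covered by leaving `LogLevel VERBOSE` in sshd and by sudo's own logging, which this check does not inspect.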

Firewall

Amazon provides a complete firewall solution for EC2 (security groups): the inbound firewall is configured in deny-all mode by default. Traffic can be restricted by protocol, service port and source IP address or range.

The firewall is not controlled through the guest OS; changes require the customer's AWS API credentials, which adds a layer of security: an attacker who compromises an instance cannot simply open ports from inside it (unless the instance has been given an IAM role that permits it).

The level of security achieved depends on how you configure the firewall: because the default is deny-all, any access that is allowed has been explicitly configured by the organisation.

It is the organisation's responsibility to ensure each instance's traffic is properly managed and secured, and Amazon recommends further measures, such as per-instance filters with host-based firewalls and VPNs, to restrict traffic flow further.
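Because every permitted flow was added by someone, the practical check is to look for rules that undo the deny-all default, typically an administrative port opened to the whole Internet. The following is an added example for this article, not AWS code: it walks a document in the shape returned by `aws ec2 describe-security-groups` and reports rules that expose sensitive ports to 0.0.0.0/0 or ::/0. The group IDs, names and rules are constructed for the demo, and the port list is an assumption you should extend for your estate.

```python
"""Flag security group rules that expose sensitive ports to the whole Internet.

Added example for this article, not AWS code. Input mirrors the JSON shape of
`aws ec2 describe-security-groups`; the groups below are constructed samples.
"""
import json

# Assumed list of ports that should never be world-reachable; extend to taste.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   1433: "mssql", 6379: "redis"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: one sane group, one private group, one legacy allow-all group.
SAMPLE_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web-public", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "db-private", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
  {"GroupId": "sg-0ccc", "GroupName": "legacy-any", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")

def rule_is_world_open(perm):
    """True if the permission's source includes an IPv4 or IPv6 'anywhere' CIDR."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)

def sensitive_ports_covered(perm):
    """Sensitive ports a permission reaches. Protocol '-1' means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):   # ICMP etc. carry no ports
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def find_world_open_sensitive(groups):
    """Return (group id, group name, sorted ports) for every offending rule."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            hit = sensitive_ports_covered(perm)
            if hit:
                findings.append((sg["GroupId"], sg["GroupName"], sorted(hit)))
    return findings

if __name__ == "__main__":
    for gid, name, ports in find_world_open_sensitive(SAMPLE_GROUPS):
        print(f"{gid} ({name}): world-open {[SENSITIVE_PORTS[p] for p in ports]}")
```

Note that 443 open to the world on `web-public` is not reported: the check is about administrative and data-tier ports, not about public services. The `db-private` rule references another security group as its source, which is the pattern to prefer over CIDRs inside a VPC.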

API Access

Launching and terminating instances, configuring the firewall and other management functions are performed through API calls that must be signed with the account's Amazon Secret Access Key; the key itself is never transmitted, and unsigned calls are rejected.

API calls can be encrypted with SSL/TLS, and using the SSL-encrypted API endpoints is advised so that requests and responses cannot be read or tampered with in transit.
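To make the point about the secret key concrete: the current signing scheme is AWS Signature Version 4, in which the secret is only ever used as the root of an HMAC chain whose final output is sent in the Authorization header. The following is an added example for this article, not AWS SDK code; it implements SigV4 from the standard library for a constructed EC2 DescribeInstances query call. The access key, secret key, host and timestamp are placeholders (the AKIDEXAMPLE-style values AWS uses in its documentation), and you can compare the output format with the worked example in the AWS Signature Version 4 documentation.

```python
"""Sign an EC2 API request with AWS Signature Version 4 using only hashlib/hmac.

Added example for this article, not AWS SDK code. Credentials, host and
timestamp are constructed placeholders; never put real secrets in source.
"""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret_key, date_stamp, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request').
    The secret itself is consumed here and appears nowhere on the wire."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")

def _uri_encode(s, keep_slash=False):
    # SigV4 wants RFC 3986 unreserved characters only; '/' is kept in paths, not query values.
    return quote(s, safe="/-_.~" if keep_slash else "-_.~")

def sign_request(method, host, path, query, headers, payload,
                 access_key, secret_key, region, service, amz_date):
    """Return the headers to send, including the SigV4 Authorization header."""
    date_stamp = amz_date[:8]
    # Canonical headers: lowercase names, trimmed and space-collapsed values, sorted by name.
    hdrs = {k.strip().lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}"
                               for k, v in sorted(query.items()))
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_request = "\n".join([method, _uri_encode(path, keep_slash=True),
                                   canonical_query, canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs

# Constructed placeholder credentials in the style of the AWS documentation examples.
EXAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

def demo_ec2_describe_instances(secret_key=EXAMPLE_SECRET_KEY):
    """Sign a constructed EC2 DescribeInstances query call for eu-west-1 (assumed region)."""
    return sign_request(
        method="GET", host="ec2.eu-west-1.amazonaws.com", path="/",
        query={"Action": "DescribeInstances", "Version": "2016-11-15"},
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        payload=b"", access_key=EXAMPLE_ACCESS_KEY, secret_key=secret_key,
        region="eu-west-1", service="ec2", amz_date="20240301T120000Z")

if __name__ == "__main__":
    for name, value in demo_ec2_describe_instances().items():
        print(f"{name}: {value}")
```

Two properties matter for the security argument: the same request always yields the same signature (so a verifier holding the secret can recompute it), and changing either the secret or any signed byte of the request changes it. Send the result over the HTTPS endpoint; the signature proves possession of the key and protects the signed headers and body from tampering, but it does not hide them, which is what TLS is for.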

Elastic Block Store (EBS)

Elastic Block Store (EBS) volumes can be mounted as storage devices on EC2 instances. Access is managed by restricting the volume to the AWS account that created it.

The data is replicated across multiple servers within an Availability Zone.

For long-term durability, regular snapshots to Amazon S3 are advised; Amazon does not back up the data held on the virtual disks attached to running EC2 instances.

Encryption of data is advised, and Amazon provides the capability to encrypt EBS volumes and their snapshots. Encryption takes place on the servers that host the EC2 instances, but at the time of writing only the more powerful instance types supported it.
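The two EBS recommendations above (snapshot regularly, encrypt volumes) are both visible in the API, so they can be audited together. The following is an added example for this article, not AWS code: it takes documents in the shape of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots --owner-ids self` and reports attached volumes that are unencrypted or have no recent completed snapshot. The volume and snapshot records, the reference time and the seven-day snapshot age threshold are all constructed assumptions for the demo.

```python
"""Audit EBS volumes for missing encryption and stale snapshots.

Added example for this article, not AWS code. Inputs mirror the JSON shape of
`aws ec2 describe-volumes` / `describe-snapshots`; samples are constructed.
"""
import datetime as dt
import json

# Constructed reference time so the result is reproducible.
NOW = dt.datetime(2024, 3, 10, tzinfo=dt.timezone.utc)

# Constructed sample volumes: a1 good, b2 unencrypted+stale, c3 detached, d4 snapshot never completed.
SAMPLE_VOLUMES = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0a1", "Encrypted": true,  "State": "in-use",
   "Attachments": [{"InstanceId": "i-0111", "State": "attached"}]},
  {"VolumeId": "vol-0b2", "Encrypted": false, "State": "in-use",
   "Attachments": [{"InstanceId": "i-0222", "State": "attached"}]},
  {"VolumeId": "vol-0c3", "Encrypted": true,  "State": "available", "Attachments": []},
  {"VolumeId": "vol-0d4", "Encrypted": true,  "State": "in-use",
   "Attachments": [{"InstanceId": "i-0444", "State": "attached"}]}
]}
""")

SAMPLE_SNAPSHOTS = json.loads("""
{"Snapshots": [
  {"SnapshotId": "snap-01", "VolumeId": "vol-0a1", "State": "completed", "StartTime": "2024-03-08T02:00:00.000Z"},
  {"SnapshotId": "snap-02", "VolumeId": "vol-0a1", "State": "completed", "StartTime": "2024-02-01T02:00:00.000Z"},
  {"SnapshotId": "snap-03", "VolumeId": "vol-0b2", "State": "completed", "StartTime": "2024-02-09T02:00:00.000Z"},
  {"SnapshotId": "snap-04", "VolumeId": "vol-0d4", "State": "pending",   "StartTime": "2024-03-09T02:00:00.000Z"}
]}
""")

def parse_time(s):
    """Parse the ISO 8601 UTC timestamps the EC2 API returns."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)

def latest_completed_snapshots(snapshots):
    """Map volume id -> StartTime of its newest completed snapshot."""
    latest = {}
    for snap in snapshots["Snapshots"]:
        if snap.get("State") != "completed":     # pending/error snapshots are not a backup
            continue
        t = parse_time(snap["StartTime"])
        if snap["VolumeId"] not in latest or t > latest[snap["VolumeId"]]:
            latest[snap["VolumeId"]] = t
    return latest

def audit_volumes(volumes, snapshots, now, max_snapshot_age_days=7):
    """Return (volume id, finding) pairs. Snapshot age is checked only for attached volumes."""
    latest = latest_completed_snapshots(snapshots)
    findings = []
    for vol in volumes["Volumes"]:
        vid = vol["VolumeId"]
        if not vol.get("Encrypted", False):
            findings.append((vid, "unencrypted"))
        attached = any(a.get("State") == "attached" for a in vol.get("Attachments", []))
        if not attached:
            continue
        last = latest.get(vid)
        if last is None:
            findings.append((vid, "no completed snapshot"))
        elif now - last > dt.timedelta(days=max_snapshot_age_days):
            findings.append((vid, f"latest snapshot older than {max_snapshot_age_days} days"))
    return findings

if __name__ == "__main__":
    for vid, finding in audit_volumes(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, NOW):
        print(f"{vid}: {finding}")
```

Remediation for the unencrypted finding is not in place: an existing unencrypted volume cannot be switched to encrypted, so snapshot it, copy the snapshot with `aws ec2 copy-snapshot --encrypted`, and create a new volume from the copy. Turning on `aws ec2 enable-ebs-encryption-by-default` for the region stops new unencrypted volumes appearing in the first place.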

If you or your organisation are not comfortable with the default security options provided by Amazon, or by another cloud vendor you are using or evaluating, it is recommended that you select an additional third-party platform or solution to complement the security options offered.

Conclusion

Amazon makes recommendations to users on further securing their data. The division of responsibility between Amazon (host) and the user organisation (guest) is clear. It is important that the organisation is aware of its responsibilities and of the areas where further procedures should be put in place so that security enhancements can be made.

Recent research has highlighted third-party support as a requirement, and many third parties are already stepping up.

Although AWS EC2 is designed for the enterprise, third-party software such as host-based firewalls offers good support and enhances security. Many third parties are developing technologies specifically for EC2, so they are well suited to it.

Other third-party products include encryption products (although Amazon has its own), SIEM solutions and server-based security options.

Look out for the second instalment of this article, where we will look at additional steps an enterprise can take to improve security further through best practice while using AWS EC2.