If you would like to be notified when Ricky & Monique Magalhaes release the next part in this article series please sign up to our InsideAWS.com Real-Time Article Update newsletter.
If you would like to read the first part in this article series please go to Security Best Practices for AWS (IaaS) EC2 (Part 1).
Introduction
As noted in the first instalment of this series, AWS is one of the most secure public cloud platforms available and offer a foundation to enterprise second to none with datacentre security that would be challenging to achieve in-house.
The success level is determined through having in-depth knowledge of the AWS and having clarity of the responsibility roles when using the service. Amazon offers a secure foundation however (they secure the backend), it is the organisations ultimate responsibility to ensure anything deployed above the AWS is secured and that configurations are set up effectively and any gaps filled through the use of additional tools. You are also responsible for securing your own instances. This may require the support of third party tools or technologies.
Amazon offers its own security barriers however these security measures are not all as comprehensive as they could be and further improvement could be made; some third party alternatives built specifically to support AWS prove to be more fit for purpose especially for enterprise use.
Third party security support for Amazon EC2 is growing in certain security areas (firewalls and encryption) but certain areas (security of snapshot data), where the potential for increased data risk, remains an area of concern.
Amazon recommends additional best practices to follow when utilising their services, looking at EC2 specifically we will consider additional steps that can be taken to achieve the best levels of success.
Recommendations to improve AWS EC2 Security
In the first part to this series we mentioned a few areas of concern that enterprises may face when utilising EC2, those concerns included,
- Data residency/location and jurisdiction
- Security of data
- Encryption policies and key management
- Access control
- Long term encryption resiliency
We will consider ways in which these concerns may be addressed through features made available through Amazon and further steps that the enterprise could utilise.
Access control
One of the major concerns is unauthorised access. Enterprises are concerned that their data is at risk of being compromised through unauthorised access.
With regards to EC2 this access would be through the AWS interface and the APIs, through this access, the cloud can be configured and controlled and the data can be accessed.
Amazon offers capabilities to guard against this, however any gaps (that are not always clear) in the preventative and monitoring procedures need to be addressed.
Enterprises can incorporate the following steps to further manage access and mitigate this risk.
- Multifactor authentication to secure the root account. By managing access to the root account you can maintain control of the AWS management.
- Create separate admin accounts using Amazon IAM and use multifactor authentication for these accounts as well. Reduced chance of accounts being compromised compared to if you are securing with only a password.
- Have separate AWS accounts for each obligation (testing, production, development) by compartmentalising accounts the risk is also segregated.
- Combine monitoring with multifactor authentication
- For super admin accounts use least privilege, role based access control and policies.
- Manage access to AWS and APIs using identity federation, IAM users and roles
- Create credential management policies and procedures for all circumstances (creating, rotating, distributing, and revoking credentials)
- Use roles for cross account access
- Use IAM Roles to connect instances and other AWS constituents
- Never share your security keys, create a temporary key if necessary to avoid sharing the master key
- Recycle the keys every couple of months and create new keys including the master key
- Avoid embedding security keys and secret keys in application code, use tools to eliminate static credentials
- Enable all the monitoring tools provided by Amazon (CloudWatch, CloudTrail, Config)
- Deploy third party monitoring tools to bridge the gaps. This could be tools for SIEM and log management
- Consider utilising a management portal instead of direct access to the AWS to help better control and manage access
Securing data and encryption concerns
In order to better secure your data it’s essential that the virtual infrastructure is secured. You cannot have one without the other.
Amazon provides tools to do this however the responsibility for configuring them is up to the enterprise.
Be sure to backup your data regularly too, just because it’s in the cloud doesn’t mean it can’t be compromised, corrupted or lost.
The following is recommended to support security
- Keep your OS and applications on your instances patched, updated and secure
- Use security groups and Virtual Private Clouds (VPCs) to defend the network
- Implement the least permissive rules for your security group
- VPCs makes it possible to run multiple separate private networks
- Launch your instances into a VPC if not already done automatically
- Place critical components that don’t need to be publicly available in private subnets
- Avoid utilising default security groups for your instances
- Carefully create a security groups for each instance, this is done at launch and can’t be altered at a later stage
- Separate application components across security groups, preventing horizontal attack
- External admin access should be restricted to IP addresses used by the administrator
- Keep public subnets to a minimum where possible
- Isolate subnets through the use of Access Control Lists
- Consider connecting through a VPN before connecting to instances
- Monitor events and have a response procedure ready
To support data and host security IAM is probably the best form of defence. Again Amazon does provide an array of functionalities to help secure your data and instances but additional third party tools may be required to fill any gaps.
- It is essential to have an incident response place in place for compromised instances.
- Encryption is essential. Encrypt your data. Amazon provides encryption for its storage services (EBS, S3) but you may prefer to utilise a third party solution to secure in a different manner.
- Amazon has access to the encryption keys in their Key Management Service and this might not suffice for all enterprises. The alternative is to use AWS Cloud HSM, where the keys are only accessible by you. Remembering that if you loose your keys Amazon will not be able to access them.
EC2 instances
For improved management of your instances the following steps can be taken.
- Launch the EC2 instances in a standard AMI that is clean
- Keep the naming of instances consistent and simple by utilising the standard naming conventions
- To ensure end users are not impacted, assign elastic IP for your instances when necessary
- Instances should be stopped when not being used
- Avoid holding important data in temporary storage, to prevent data loss when the instance starts and stops
- Enable termination protection, to prevent accidental termination of EC2 instances
- Monitor your instances to manage any issues and any underutilised instances effectively
Securing stored data
- Utilise independent Amazon EBS volumes for the OS and data ensuring that the volume holding the data persists after instance termination
- Use the instance store, to store temporary data only, the data in the instance store is deleted when you end or terminate the instance
- Deploy critical components of your application across multiple Availability Zones, and replicate your data appropriately, in some occurrences it is advisable to even replicate across vendor/providers
- Back up your instance, you can utilise EBS snapshots or an alternate backup tool
- Take regular EBS snapshots
- Make a backup of our EBS snapshots
- Frequently test the procedure of recovering your instances and Amazon EBS volumes if they were to fail. If you don’t test restores, then you don’t have a valid backup.
- Check your snapshots regularly by creating volumes, mounting to instances to verify the integrity of the data
- Encrypt disk volumes and data so both data at rest is confidential as well as data in transit.
Third party support
Third party tools have been advised to support AWS EC2 to improve the service through filling gaps at the front end and on top of the AWS service. There are a few areas in particular where third party support may be beneficial.
1. Monitoring
Amazons monitoring tools lack in the areas of data correlation and analysis. Third party tools are necessary to achieve comprehensive monitoring capabilities. You can utilise SIEM, log management and alerting tools built to support AWS to bridge any gaps.
2. Security assessment and scanning tools
These tools should work with Amazons APIs and can scan instances as well as access the AWS environment.
3. Host configuration management tools
This is useful to automatically configure and update instances and also ensures instances meet security configurations at all times.
4. Host security tools and detection tools specific to cloud deployments (Helps give visibility into the network)
Improve host security for AWS EC2 using third party tools. By utilising intended compatible tool to:
- Detect unauthorised changes to instances (Host Integrity Monitoring tool)
- Logging and alerting on policy violation, alerting on application error (Logging and Alerting tool)
- Central log server
- Bridge gaps caused by limitations on security groups (Host firewall tools)
5. Tools for further DDoS protection
These tools are great for further DDoS protection and protection of your instances.
Conclusion
These steps can be taken to assist in strengthening security when using AWS, this is not at all an all-inclusive set of guidelines, there are many more procedures that can be undertaken to help further secure AWS EC2.
It should be emphasised that Amazon provides various tools and options to help secure their already very secure foundation but organisations must ensure that they are aware of any security gaps and bridge them appropriately.
With a good knowledge of the workings of AWS and EC2, the correct security measures can be followed and the correct setup procedures implemented and any third party security tools acquired for greater success and security when utilising the service.
It is important to note that complimentary third part solutions maybe required to further secure your cloud installation or platform and that you should have a full restorable backup preferably on a different platform so that you maintain full control of your data and its independence.
If you would like to be notified when Ricky & Monique Magalhaes release the next part in this article series please sign up to our InsideAWS.com Real-Time Article Update newsletter.
If you would like to read the first part in this article series please go to Security Best Practices for AWS (IaaS) EC2 (Part 1).
