Understanding and Securing EC2 instances

Before moving forward towards EC2, lets get familiar with AWS Access keys and their security if you interested then go ahead and check my previous blog for that.

https://gupta-bless.medium.com/securing-and-managing-aws-access-key-88aa8ae938a

What is Amazon Elastic Compute Cloud/EC2?

EC2 is web based service provided by amazon that is used to provide resizable compute capacity in the cloud in short they are virtual machine in cloud.

Instance: Computing in EC2 is handled by launching it. Therefore, whenever we launch ec2 instance it depends on two factors:

· The operation system we are going to use in that, it will make the configuration which support that OS.

· Amount of virtual hardware user provides to that instance such as the RAM, Hard Disk or SSD.

If there are a lot of instance in your account then it is not easy to manage these instances so we can make that work easier by tagging them. Tag are basically key/value pairs which user can associate with instance.

Types:

There are variety of instance and it depends on memory, storage, network performance and virtual CPUs. So while selecting any instance we have to consider the organization requirement first and on that basis we have to select instances i.e.

· Compute optimized, for significant processing of loads.

· Memory optimized, for memory intensive workloads.

· Storage optimized, for high amount of SSD storage.

· GPU-based instance, for graphics and general-purpose GPU compute workloads.

Advantages:

· EC2 have capability to boot new instances within mins.

· EC2 has scale capability for both up and down very quickly, as per the user requirements.

· Users have to pay as much as they have used.

· Isolation facility: It means if one ec2 instance failed, it does not effect to other ec2 instances.

Working

Amazon EC2 uses public key cryptography to encrypt and decrypt the information.

Public key and private key together known as “key pair”.

EC2 generates a random password for user and encrypts the password using public key. But initial access to the instance can be obtained by decrypting the password with private key.

Note: In case of Linux, public key stored in the /.ssh/authorized_keys file at time of user creation.

How to securely use an instance?

AWS provides so many feature and facilities for the managing EC2 instances simply and securely but Aws also has “Shared Responsibility Model” that clearly states which responsibilities are managed by the user and which are managed by AWS. Once instance has been launched they can also be managed over internet.

· Virtual Firewall Protection:

Every EC2 instance has a security group feature and must have at least one security group. In security group we can control the in and out traffic for instance. User can control it on basis of port, protocol and source/ destination IP address basis.

After EC2 instance has been launched we can associate it with more than one security group.

By default all rules in security group are set to deny. It can be possible that an instance can be part of multiple security group, so all the rules associated with that instance are aggregated and traffic allowed by each of the individual groups is allowed.

Note: Security group feature capability depends on how they are associated means:

· Software upgrades:

AWS continuously updates AMI because AMI defines initial software on instance when it is launched. So AMI have every aspect of the software state when the instance has been launched such as

i. Operating system and its configuration

ii. Initial state of any patch

iii. Application or system software.

So it provides base to further snapshots, permissions whenever these instances comes up in use.

Note: If user are using custom built AMI they have to make it restricted.

· Content on EC2

User is completely responsible for managing or installing the contents on EC2. Therefore, before installing anything make sure it is required and do not try to make everything public.

· Internal Link Usage

For most of services, AWS provide internal connectivity. So always prefer those because

i. By using them your traffic, does not reach on internet and so it is hidden from the public internet no one will be able to steal your data.

ii. It also increases the performance.

· Monitoring the instances

AWS provides “Cloud Watch” tool which can be used to monitor the instance you can set different type of rules and alerts in that.

It provide the monitoring and alerting for Amazon EC2 instances. On that basis you can update modify the policy to secure the instances.

· Use of IAM roles/ IAM user irrespective of access keys.

Whenever we create an EC2 instance AWS provides an option so we can attach IAM role with that EC2 instance. It will give use more security as compare to key pairing.

As in key pairing “access key” or “Secret key” can be stolen but in case of IAM role, EC2 instance will be able perform only those operations that are mentioned in IAM roles and polices.

Remediation

· Implement security group as much as possible because security groups are applied at instance level. Therefore, hacker has to breach security group repeatedly for each individual instance.

· Only preserve that volume after instance termination that are strongly needed because volume contain precious data.

Termination protection: can be enabled at instance because call to terminate the instance will fail until termination protection is enabled.

· Do not open unnecessary ports on the instances

· Always provide time based authorization to end user. So no one can misuse the resources.

· Do not blindly support AWS managed policy, just use them as per your business needs.

· Be particular while declaring subnets on security group.

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store