AWS Security – Tightening up your Amazon Deployments

We’ve talked about AWS security before – what tools AWS has created for us and some common mistakes people make – but you never can really cover the whole thing. So I’ve put together a checklist of some key best practices that’s guaranteed to mess with your next night’s sleep.

Thinking of launching an EC2 instance as a testbed? Not sure whether it’ll still be up a month from now? Don’t stop reading…now’s the time to think about AWS security!

Avoid using the default AWS security group

Everyone loves a default setting because it can help you avoid thinking for yourself…and who has time for that? Sure, you can always keep adding new policies to a single AWS security group so it will work with all your nodes, but try not to.

Instead, create separate security groups for each network traffic profile you plan to use and use them only when the fit is perfect. Besides the risk of introducing vulnerabilities, overusing default configurations can lead to bad architecture design and practices. Also, if you force yourself to create new security groups for each project, you’ll actually end up thinking a whole lot more about your larger design, which will probably improve it.

Open only those ports that are absolutely necessary

If the only access you will need is SSH, then make sure that’s all you leave open. Afraid you may need POP3 or MySQL access some time over the next six months? Wait until you actually need it.

Restrict access to sessions originating on your IP

When you set up a security group in AWS and open a certain port, you can also choose the Source. This controls which traffic will be allowed to reach your instance. Rather than leaving it wide open (0.0.0.0/0), specify a single IP address or an IP address range in CIDR notation (for example, 203.0.113.0/24).

Even better: if you select “My IP” for “source”, AWS should automatically populate your public IP.

Use meaningful names

You may not think it is possible, but twelve months from now, you may be looking after a huge AWS infrastructure with 50 or more security groups. Which of these AWS security group names do you think would work best?

  1. security_group1
  2. my-sg
  3. ssh_access_port22_only_WordPress_server
  4. jimmies_best_security_group_ever

Hopefully, you guessed (2) ssh_access_port22_only because it tells us exactly what it does and what it’s meant for. You get the idea.
If you look at the screenshot below, I’m in the middle of configuring the launch of an EC2 instance. In Step 6: Configure Security Group, I chose:

  • A meaningful security group name.
  • A description that explains it even better.
  • SSH access only
  • Only my IP
AWS Security - Create a new security group

Remove (or don’t even generate) a Root Account Access Key

One of the best ways to protect your account is to not have an access key for your root account. Unless there’s some reason that you absolutely must have a root access key (which is very rare), it is best not to generate one. Instead, the recommended best practice is to create one or more AWS Identity and Access Management (IAM) users, give them the necessary permissions, and use IAM users for everyday interaction with AWS.

If you already have an access key for your account, AWS recommends that you find all the applications currently relying on it key, replace the root access key with an IAM user access key, and then disable and remove the root access key.

AWS security: summary

Security is important – and nowhere more so than in the cloud. From my experience, you need to get the basics in place first and the rest of your security should build out naturally. So, to review, I would suggest focusing on these points for your AWS security plan:

  • Avoid using the default security group.
  • Only open ports that need to be open.
  • Use names that are meaningful for your Security Group
  • Choose to access from your IP only unless wider access is needed (eg:HTTP)
  • Remove (or don’t generate) a Root Account Access Key

If you want to get a jump start on cloud security, check out Cloud Academy’s Security training library.

Avatar

Written by

Michael Sheehy

I have been UNIX/Linux System Administrator for the past 15 years and am slowly moving those skills into the AWS Cloud arena. I am passionate about AWS and Cloud Technologies and the exciting future that it promises to bring.

Related Posts

Avatar
Michael Sheehy
— August 19, 2019

What Exactly Is a Cloud Architect and How Do You Become One?

One of the buzzwords surrounding the cloud that I'm sure you've heard is "Cloud Architect." In this article, I will outline my understanding of what a cloud architect does and I'll analyze the skills and certifications necessary to become one. I will also list some of the types of jobs ...

Read more
  • AWS
  • Cloud Computing
Avatar
Andrew Larkin
— August 13, 2019

Content Roadmap: AZ-500, ITIL 4, MS-100, Google Cloud Associate Engineer, and More

Last month, Cloud Academy joined forces with QA, the UK’s largest B2B skills provider, and it put us in an excellent position to solve a massive skills gap problem. As a result of this collaboration, you will see our training library grow with additions from QA’s massive catalog of 500+...

Read more
  • AWS
  • Azure
  • content roadmap
  • Google Cloud Platform
Avatar
Adam Hawkins
— August 9, 2019

DevSecOps: How to Secure DevOps Environments

Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...

Read more
  • AWS
  • cloud security
  • DevOps
  • DevSecOps
  • Security
Avatar
Stefano Giacone
— August 8, 2019

Test Your Cloud Knowledge on AWS, Azure, or Google Cloud Platform

Cloud skills are in demand | In today's digital era, employers are constantly seeking skilled professionals with working knowledge of AWS, Azure, and Google Cloud Platform. According to the 2019 Trends in Cloud Transformation report by 451 Research: Business and IT transformations re...

Read more
  • AWS
  • Cloud skills
  • Google Cloud
  • Microsoft Azure
Avatar
Andrew Larkin
— August 7, 2019

Disadvantages of Cloud Computing

If you want to deliver digital services of any kind, you’ll need to estimate all types of resources, not the least of which are CPU, memory, storage, and network connectivity. Which resources you choose for your delivery —  cloud-based or local — is up to you. But you’ll definitely want...

Read more
  • AWS
  • Azure
  • Cloud Computing
  • Google Cloud Platform
Joe Nemer
Joe Nemer
— August 6, 2019

Google Cloud vs AWS: A Comparison (or can they be compared?)

The "Google Cloud vs AWS" argument used to be a common discussion among our members, but is this still really a thing? You may already know that there are three major players in the public cloud platforms arena: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)...

Read more
  • AWS
  • Google Cloud Platform
  • Kubernetes
Avatar
Stuart Scott
— July 29, 2019

Deployment Orchestration with AWS Elastic Beanstalk

If you're responsible for the development and deployment of web applications within your AWS environment for your organization, then it's likely you've heard of AWS Elastic Beanstalk. If you are new to this service, or simply need to know a bit more about the service and the benefits th...

Read more
  • AWS
  • elastic beanstalk
Avatar
Stuart Scott
— July 26, 2019

How to Use & Install the AWS CLI

What is the AWS CLI? | The AWS Command Line Interface (CLI) is for managing your AWS services from a terminal session on your own client, allowing you to control and configure multiple AWS services and implement a level of automation. If you’ve been using AWS for some time and feel...

Read more
  • AWS
  • AWS CLI
  • Command line interface
Alisha Reyes
Alisha Reyes
— July 22, 2019

Cloud Academy’s Blog Digest: July 2019

July has been a very exciting month for us at Cloud Academy. On July 10, we officially joined forces with QA, the UK’s largest B2B skills provider (read the announcement). Over the coming weeks, you will see additions from QA’s massive catalog of 500+ certification courses and 1500+ ins...

Read more
  • AWS
  • Azure
  • Cloud Academy
  • Cybersecurity
  • DevOps
  • Kubernetes
Avatar
Stuart Scott
— July 18, 2019

AWS Fundamentals: Understanding Compute, Storage, Database, Networking & Security

If you are just starting out on your journey toward mastering AWS cloud computing, then your first stop should be to understand the AWS fundamentals. This will enable you to get a solid foundation to then expand your knowledge across the entire AWS service catalog.   It can be both d...

Read more
  • AWS
  • Compute
  • Database
  • fundamentals
  • networking
  • Security
  • Storage
Avatar
Adam Hawkins
— July 17, 2019

How to Become a DevOps Engineer

The DevOps Handbook introduces DevOps as a framework for improving the process for converting a business hypothesis into a technology-enabled service that delivers value to the customer. This process is called the value stream. Accelerate finds that applying DevOps principles of flow, f...

Read more
  • AWS
  • AWS Certifications
  • DevOps
  • DevOps Foundation Certification
  • Engineer
  • Kubernetes
Avatar
Vineet Badola
— July 15, 2019

AWS AMI Virtualization Types: HVM vs PV (Paravirtual VS Hardware VM)

Amazon Machine Images (AWS AMI) offers two types of virtualization: Paravirtual (PV) and Hardware Virtual Machine (HVM). Each solution offers its own advantages. When we’re using AWS, it’s easy for someone — almost without thinking —  to choose which AMI flavor seems best when spinning...

Read more
  • AWS
  • Hardware Virtual Machine
  • Paravirtual
  • Virtualization