You must be logged in to view saved presets
EC2 Security Strategy
Resources for implementing a comprehensive EC2 security strategy. Included are customizable configuration items and packages, as well as guides for encryption, authentication, access control, monitoring and compliance, vulnerability and patch management, backup options and more.
Encryption
Enable at-rest encryption for all EC2 instances by configuring default EBS encryption on the region level for the AWS account. For additional security, create a new KMS encryption key for the default encryption (otherwise use the default AWS managed key).
Enable EC2 Default Encryption
Configuration Item
Add to Stack
This configuration template enables EBS default encryption for all EC2 instances in that region.
For instances not supported by default encryption, or if to selectively encrypt EC2 instanecs, follow the instructions in the following solution:
How to Launch Encrypted EBS-backed EC2 Instances from Unencrypted AMIs
External: Solution/Guide
This post demonstrates how to start from an unencrypted AMI and launch an encrypted EBS-backed Amazon EC2 instance (both from the AWS Management Console, and using the RunInstances API with the AWS CLI).
Network Access and Security
Control network access to and from EC2 instances using Security Groups. Security groups whitelist traffic by protocols, ports, and source IP addresses (or security groups). For an additional layer of security, use Network Access Lists (NACLs) to allow or deny traffic on the subnet level.
Choose from one of the following predefined templates to deploy security groups and NACLs (or build custom ones) into an existing VPC :
Common Security Groups and NACL Configuration Templates
Collection
A repository of common AWS Security Group and network ACL configurations
For IPS, URL Filtering, Rate Limit rule capabilities, use AWS Network Firewall to protect EC2 instances in a VPC:
AWS Network Firewall Custom Configuration Template
Collection
Configuration templates to create AWS Network Firewall related settings including Firewall endpoints, Firewall Rule Policies, and Firewall Rule Groups (Stateful and Stateless) used to deploy network protections for VPC resources by enforcing traffic flows, filtering URLs, and inspecting traffic for vulnerabilities using IPS signatures.
For new environments, build a secure VPC with separate subnet tiers for public and private resources, and utilize multiple availability zones (AZs) for high availability. Build a custom VPC that fits your environment using the following templates:
Custom Amazon VPC Configuration Template
Configuration Package
A configuration package to deploy an Amazon VPC with predefined presets to select: Subnet Tiers (Public and Private), Availability Zones, and Internet Connectivity. Configuration includes Subnets, Routing Tables, Internet Gateway, Nat Gateways, VPC Endpoints, Flow Logs, and Security Groups
Private-Only Amazon VPC Template
Configuration Package
A configuration package to deploy an Amazon VPC with no Internet Connectivty. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items includes number of Subnets, Routing Tables, Security Groups, and VPC Flow Logs.
Internet Connectivity
Internet access from EC2 instances is required to access AWS API endpoints, download software updates and patches, or for other application requirements.
Use VPC Endpoints to provide private access from VPCs to AWS API endpoints, without allowing internet access.
Deploy Amazon VPC Endpoints in an existing VPC
Configuration Item
Add to Stack
Configuration to create a VPC endpoint in an existing VPC. VPC endpoints allow private connectivity from an VPC to supported AWS services. Both Interface and Gateway endpoints are supported.
Private-Only Amazon VPC Template
Configuration Package
A configuration package to deploy an Amazon VPC with no Internet Connectivty. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items includes number of Subnets, Routing Tables, Security Groups, and VPC Flow Logs.
Where internet access is required, AWS Network Firewall or 3rd party proxy solutions can be used to whitelist allowed URLs and domains on the internet.
AWS Network Firewall Custom Configuration Template
Collection
Configuration templates to create AWS Network Firewall related settings including Firewall endpoints, Firewall Rule Policies, and Firewall Rule Groups (Stateful and Stateless) used to deploy network protections for VPC resources by enforcing traffic flows, filtering URLs, and inspecting traffic for vulnerabilities using IPS signatures.
How to set up an outbound VPC proxy with domain whitelisting and content filtering
External: Solution/Guide
This post shows how to limit outbound web connections from a VPC to the internet, using a web proxy with custom domain whitelists or DNS content filtering services. The solution is scalable, highly available, and deploys in a fully automated way. This solution is based on the open source HTTP proxy Squid. The proxy can be used for all workloads running in the VPC, like Amazon Elastic Compute Cloud (EC2) and AWS Fargate.
How to Add URL Filtering to Your NAT Instance with Squid
External: Solution/Guide
This post describes how to use Squid, a leading open-source proxy, to restrict both HTTP and HTTPS outbound traffic to a given set of Internet domains, while being fully transparent for instances in the private subnet.
Authentication
Use AWS SSM Session Manager or EC2 Connect to access EC2 instances without relying on long-term keys, and to provide an audit trail for users access instances. Session Manager also allows logging users' sessions to CloudWatch Logs or S3:
- AWS Session Manager: Uses the AWS Systems Manager (SSM) agent to provide a bash or powershell session for the IAM user, without having to open any inbound ports on the instance.
- EC2 Connect: Supported on CentOs and Amazon Linux, and allows pushing a temporary SSH key for one-time sessions over SSH.
Both services use IAM for authentication (which can be federated to Active Directory or other providers), and CloudTrail for audit logging.
Start an Interactive Browser-Based Bash or PowerShell Session to Instances using Systems Manager
External: Solution/Guide
With the Session Manager feature of AWS Systems Manager, you can start a new browser-based interactive shell and a command-line interface (CLI) to manage Windows and Linux instances.
Use EC2 Instance Connect to Manage SSH to Instances with Short Lived Keys
External: Solution/Guide
This blog post presents EC2 Instance Connect as an alternative to complicated SSH key management strategies and includes the benefits of using built-in auditability with CloudTrail. By integrating with IAM and the EC2 instance metadata available on all EC2 instances, EC2 Connect provides a secure way to distribute short-lived keys and control access by IAM policy.
Configure the required EC2 IAM Role for AWS Systems Manager
Configuration Item
Add to Stack
Configuration to create an IAM role for EC2 instances to access to AWS Systems Manager (SSM) services, with the least permissions required.
IAM Access and Permissions
Define appropriate permissions to EC2 instances by using custom IAM policies with least-privilege principles.
IAM Policy: Allow Launching EC2 Instances in Specific Subnets Only
Configuration Item
Add to Stack
An IAM policy that allows listing information for all EC2 objects and launching EC2 instances in a specific subnet
IAM Policy: Allow Users to Launch Approved Images and Use Existing Security Groups Only
Configuration Item
Add to Stack
An IAM policy that prevents users from creating their own security groups, and allows users to only launch approved AMIs (Amazon Machine Images). Approved images are identified with Tags (Example, Tag Key: Approved, Tag Value: True).
IAM Policy: Allow Starting or Stopping EC2 Instances Based on a User's Username
Configuration Item
Add to Stack
An IAM policy that allows an IAM user to start or stop EC2 instances, but only if the instance tag Owner has the value of that user's user name
Additional Custom IAM Policy Templates
Collection
A repository of customizable IAM policies for various AWS services including EC2
Image Security
Set up a Golden Image Pipeline to regularly create new Amazon Machine Images (AMIs) with the latest updates and patches, hardening requirements, and any required application packages. The pipeline can also be integrated with Amazon Inspector or 3rd party products for vulnerability scanning. EC2 Image Builder simplifies the process of building the pipeline:
Automate OS Image Build Pipelines with EC2 Image Builder
External: Solution/Guide
EC2 Image Builder makes it easier to build and maintain secure OS images for Windows Server and Amazon Linux 2, using automated build pipelines. The pipelines that you can configure for EC2 Image Builder include the image recipe, infrastructure configuration, distribution, and test settings, to produce the resulting images. This includes the ability to automatically provision images as new software updates, including security patches, become available
Alternatively, the following solutions provide details on how to build a more customizable version of the AMI pipeline without EC2 Image Builder:
Set Up a Golden AMI Pipeline
External: Solution/Guide
The solution includes step-by-step instructions and CloudFormation templates required to set up a golden AMI pipeline that allows one to create, distribute across accounts, regularly assess, and decommission golden AMIs.
Set Up Continuous Golden AMI Vulnerability Assessments with Amazon Inspector
External: Solution/Guide
The solution in this post creates EC2 instances from golden AMIs and then runs an Amazon Inspector security assessment on the created instances. When the assessment results are available, the solution consolidates the findings and advises you about next steps. Furthermore, the solution schedules an Amazon CloudWatch Events rule to run the golden AMI vulnerability assessments on a regular basis.
Extend golden AMIs with AWS Marketplace Private Image Build
External: Solution/Guide
This solution shows how to automate the installation of software from AWS Marketplace onto your golden AMI using Private Image Build.
Vulnerability Management and Patching
Set up automated vulnerability and patching for EC2 instances to ensure they are not affected by the latest vulnerabilities and have the latest patches applied regularly:
- Amazon Inspector is an agent-based solution that can be used to run recurring vulnerability assessments (as well as other packaged assessments such as CIS standards and security best practices).
- AWS Systems Manager (SSM) Patch Manager scans and installs missing patches on EC2 instances. Create SSM Maintenance Windows to regularly run these operations and control how patching is applied.
Recurring Inspector Assessments with Custom Template
Configuration Item
Add to Stack
Set up scheduled assessments using Amazon Inspector to assess the security state of EC2 instances, including testing applications for exposure, vulnerabilities, and deviations from best practices. Templates can be restricted to select EC2 instances by Tag or apply to all EC2 instances. Configuration includes options to enable automatically recurring assessments based on a schedule.
Amazon Inspector Configuration Templates
Collection
AWS security controls to set up Amazon Inspector as well as solutions that use Amazon Inspector.
Set Up Scheduled EC2 Instance Patching
Configuration Guide
This guide provides a walkthrough for setting up the necessary configuration for AWS Systems Manager Patch Manager to automatically scan and/or apply patches to EC2 instances in an AWS environment. The following is included:
EC2 IAM Role for AWS Systems Manager
Configuration Item
Add to Stack
Configuration to create an IAM role for EC2 instances to access to AWS Systems Manager (SSM) services, with the least permissions required.
Monitoring and Compliance
Set up a comprehensive monitoring and compliance strategy by configuring the relevant AWS services and setting up alarms and notifications for critical events:
- VPC Flow Logs can be enabled to log network traffic to and from EC2 instances.
- VPC Traffic Mirroring creates a copy of the network traffic to/from a specific interface in a VPC and streams it to a specified destination for analysis
- VPC DNS Logging monitor DNS queries in a VPC by configuring Route53 Resolver Query Logging
- AWS CloudTrail logs all API activity in the account including the creation/modification/deletion of EC2 resources.
- AWS Config tracks configuration changes in an environment and provides a historical view of EC2 resources throughout their lifetime.
- AWS Config Rules allows the configuration of compliance rules to ensure resources in the environment are configured properly and securely.
- CloudWatch Alarms can be used to alert based on CloudTrail and VPC Flow Logs events.
Use the following packages to enable the required logging services, as well as compliance and monitoring rules for EC2 resources:
EC2 Monitoring and Compliance Rules Package
Configuration Package
A configuration package to monitor EC2 related API activity as well as configuration compliance rules to ensure the security of AWS EC2 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups
VPC Flow Logs
Configuration Item
Add to Stack
Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow Logs can be enabled on a VPC, subnet, or network interface level.
VPC Traffic Mirroring
Configuration Item
Add to Stack
Configuration to enable Traffic Mirroring from a network interface (ENI) of an Amazon EC2 instance, which can then be used for monitoring and security analysis. Traffic Mirroring supports filters and packet truncation so that only traffic of interest is monitored.
VPC DNS Query Logging (Route53 Resolver Query Logging)
Configuration Item
Add to Stack
Configuration to enable logging the DNS queries that originate in an Amazon VPC using the Route53 Resolver Query Logging feature. Query logs can be sent to CloudWatch logs, S3 Buckets, or Kinesis Data Firehose
A Collection of AWS Config Compliance Rules
Collection
Repository of AWS Config rules examples - both AWS managed and custom Config rules.
Preventing Blacklisted Applications with AWS Systems Manager and AWS Config
External: Solution/Guide
This blog post walks through an example that shows how to use AWS Systems Manager Inventory with AWS Config to detect and track changes in applications installed on an instance, and with AWS Config and Config rules to detect prohibited (aka blacklisted) applications installed on managed instances and report non-compliance.
Using AWS Systems Manager to run compliance scans using InSpec by Chef
External: Solution/Guide
InSpec by Chef, an open-source testing framework, provides teams the ability to define and assess system state and status across the entire application lifecycle. AWS Systems Manager supports running Inspec compliance scans on managed instances. You can then use the Compliance pane as a unified dashboard to identify issues, remediate them, and track progress for various nodes and profiles.
Backup
Create an automated backup policy for EBS volumes using Data Lifecycle Manager or AWS Backup which automated snapshot creation and retention for EC2 instances. It is important to not that EC2 snapshots are crash-consistent.
Application-consistent snapshots are supported with AWS Backup or can be taken for Windows instances using AWS Systems Manager Run Command to create VSS Snapshots.
Configure Data Lifecycle Manager (Automated EBS Snapshots)
Configuration Item
Add to Stack
Configure a Data Lifecycle Manager (DLM) policy to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.
Configure AWS Backup
Configuration Item
Add to Stack
Configuration to create AWS Backup plans and vaults. AWS Backup automates the process of backing up of data across AWS services including EFS, DynamoDB, EC2, EBS, Aurora, RDS, and Storage Gateway, as well as setting custom retention policies, access policies, and encryption
Take Microsoft VSS-Enabled Snapshots Using Amazon EC2 Systems Manager
External: Solution/Guide
This blog post shows how to use AWSEC2-CreateVssSnapshot Systems Manager Run Command Document to create application-consistent snapshots of EBS volumes for Windows Instances.
Other
How to Automate Incident Response in the AWS Cloud for EC2 Instances
External: Solution/Guide
This solution provides a pre-provisioned architecture for an incident response system that can be used to respond to a suspect EC2 instance
EC2 Instance Metadata Service v2: Enhanced Protection against SSRF and other attacks
External: Solution/Guide
This blog post covers the EC2 Instance Metadata Service v2 which adds defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities. The blog post also provides details on how to use the new v2 service, and how to monitor instances to ensure they are using the latest version.
AWS Instance Scheduler
External: Solution/Guide
The AWS Instance Scheduler is a solution that enables customers to easily configure custom start and stop schedules for their Amazon EC2 and Amazon RDS instances. The solution is easy to deploy and can help reduce operational costs for both development and production environments.
Open Source Tool: ec2-metadata-filter
External: Solution/Guide
Enhance the security of the EC2 metadata service
How to Create an Opportunistic IPSec Mesh between EC2 Instances
External: Solution/Guide
This blog post shows how to build an opportunistic IPSec mesh that sets up dynamic IPSec tunnels between EC2 instances. IPSec is based on Libreswan, an open-source project implementing opportunistic IPSec encryption (IKEv2 and IPSec) on a large scale.