EC2 Security Strategy

Overview

Resources for implementing a comprehensive EC2 security strategy. Included are customizable configuration items and packages, as well as guides for encryption, authentication, access control, monitoring and compliance, vulnerability and patch management, backup options and more.

Encryption

Enable at-rest encryption for all EC2 instances by turning on default EBS encryption at the region level for the AWS account. Default encryption applies to volumes and snapshot copies created after it is enabled; existing unencrypted volumes are not converted and must be migrated (snapshot, encrypted copy, new volume). For additional control, create a customer managed KMS key for the default encryption instead of the AWS managed key (aws/ebs): only a customer managed key lets you define the key policy and share encrypted snapshots and AMIs with other accounts, since snapshots encrypted with the AWS managed key cannot be shared.
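As an added example (not one of the configuration items on this page), the following Python audit classifies existing volumes by encryption state, working on data shaped like the EC2 DescribeVolumes and KMS DescribeKey responses. The volume, instance and key identifiers are constructed so that it runs offline without AWS credentials.

```python
"""Audit existing EBS volumes for at-rest encryption, as an added example.

Enabling default EBS encryption only affects volumes and snapshot copies
created afterwards, so existing volumes still need to be checked. The data
below is constructed to mirror the shape of ec2.describe_volumes()["Volumes"]
and kms.describe_key()["KeyMetadata"]; no AWS API call is made. The key ARNs,
volume IDs and instance IDs are made-up sample values.
"""

# Constructed sample key ARNs (not real keys).
AWS_MANAGED_EBS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-1111-2222-3333-444444444444"
CUSTOMER_MANAGED_KEY = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-1111-2222-3333-444444444444"
DISABLED_KEY = "arn:aws:kms:us-east-1:111122223333:key/cccccccc-1111-2222-3333-444444444444"

# Constructed sample in the shape of ec2.describe_volumes()["Volumes"].
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0aaa"}]},
    {"VolumeId": "vol-0b2", "Encrypted": True, "KmsKeyId": AWS_MANAGED_EBS_KEY,
     "Attachments": []},
    {"VolumeId": "vol-0c3", "Encrypted": True, "KmsKeyId": CUSTOMER_MANAGED_KEY,
     "Attachments": [{"InstanceId": "i-0bbb"}]},
    {"VolumeId": "vol-0e5", "Encrypted": True, "KmsKeyId": DISABLED_KEY,
     "Attachments": [{"InstanceId": "i-0ccc"}]},
]

# Constructed sample in the shape of kms.describe_key()["KeyMetadata"], keyed by ARN.
# KeyManager is "AWS" for the account's AWS managed key (aws/ebs) and "CUSTOMER"
# for a customer managed key.
SAMPLE_KEYS = {
    AWS_MANAGED_EBS_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
    CUSTOMER_MANAGED_KEY: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    DISABLED_KEY: {"KeyManager": "CUSTOMER", "KeyState": "Disabled"},
}

# Why each state is a finding and what the documented fix is.
REMEDIATION = {
    "unencrypted": ("EBS cannot encrypt a volume in place: snapshot it, copy the "
                    "snapshot with encryption enabled, create a new volume from "
                    "the encrypted copy and swap the attachment."),
    "aws-managed-key": ("Snapshots encrypted with the AWS managed key cannot be "
                        "shared with other accounts; copy the snapshot under a "
                        "customer managed key if cross-account sharing is needed."),
    "key-unavailable": ("The KMS key is not enabled; the volume cannot be attached "
                        "and an instance booting from it will not start. Re-enable "
                        "the key or migrate the data before it becomes unreachable."),
}


def classify_volume(volume, keys):
    """Return one of: unencrypted, key-unavailable, aws-managed-key, customer-managed-key."""
    if not volume.get("Encrypted"):
        return "unencrypted"
    metadata = keys.get(volume.get("KmsKeyId"), {})
    if metadata.get("KeyState") != "Enabled":
        return "key-unavailable"
    return "aws-managed-key" if metadata.get("KeyManager") == "AWS" else "customer-managed-key"


def audit_volumes(volumes, keys):
    """Return findings keyed by volume ID; volumes on an enabled customer managed key pass."""
    findings = {}
    for volume in volumes:
        state = classify_volume(volume, keys)
        if state == "customer-managed-key":
            continue
        findings[volume["VolumeId"]] = {
            "state": state,
            "attached_to": [a["InstanceId"] for a in volume.get("Attachments", [])],
            "remediation": REMEDIATION[state],
        }
    return findings


if __name__ == "__main__":
    for volume_id, finding in audit_volumes(SAMPLE_VOLUMES, SAMPLE_KEYS).items():
        print(volume_id, finding["state"], finding["attached_to"])
```

With real data, feed it the paginated output of ec2.describe_volumes() and a dict built from kms.describe_key() for each distinct KmsKeyId. Volumes on the AWS managed key are reported deliberately: their snapshots cannot be shared across accounts, which matters once golden AMIs are distributed from a central account.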

Enable EC2 Default Encryption
Configuration Item
Add to Stack
This configuration template enables EBS default encryption in that region, so every new EBS volume and snapshot copy created there is encrypted.

For instance types that do not support EBS encryption, or to encrypt EC2 instances selectively instead of region-wide, follow the instructions in the following solution:

How to Launch Encrypted EBS-backed EC2 Instances from Unencrypted AMIs
External: Solution/Guide
This post demonstrates how to start from an unencrypted AMI and launch an encrypted EBS-backed Amazon EC2 instance (both from the AWS Management Console, and using the RunInstances API with the AWS CLI).

Network Access and Security

Control network access to and from EC2 instances using security groups. Security groups are stateful allow lists that permit traffic by protocol, port range, and source (a CIDR block or another security group); return traffic for an allowed connection is permitted automatically. For an additional layer of security, use network access control lists (NACLs) to allow or deny traffic at the subnet level. NACLs are stateless, so both directions of a connection, including return traffic to the client's ephemeral ports, must be allowed explicitly.
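The difference between a stateful security group and a stateless NACL is easiest to see by evaluating one connection in both directions. The following Python model is an added example, not one of the page's templates; the rule sets and addresses are constructed sample values.

```python
"""Stateless NACL vs stateful security group evaluation, as an added example.

Models how a network ACL decides on each packet independently (lowest-numbered
matching rule wins, implicit deny at the end) and why the reply half of a
connection must be allowed on the ephemeral port range. The rule sets and IP
addresses below are constructed sample data, not a deployed configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int    # the port the packet is addressed to


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lower numbers are evaluated first
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"


def _matches(rule, packet, peer_ip):
    return (rule.proto in ("all", packet.proto)
            and rule.port_from <= packet.dst_port <= rule.port_to
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr))


def nacl_decision(rules, packet, direction):
    """Evaluate one packet against a NACL: first match by rule number wins, else deny (the '*' rule)."""
    peer_ip = packet.src_ip if direction == "inbound" else packet.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, packet, peer_ip):
            return rule.action
    return "deny"


def nacl_connection_allowed(inbound, outbound, client_ip, client_port, instance_ip, service_port, proto="tcp"):
    """A NACL is stateless: the request (inbound) and the reply (outbound, addressed to
    the client's ephemeral port) are each judged on their own."""
    request = Packet(client_ip, instance_ip, proto, service_port)
    reply = Packet(instance_ip, client_ip, proto, client_port)
    return (nacl_decision(inbound, request, "inbound") == "allow"
            and nacl_decision(outbound, reply, "outbound") == "allow")


def sg_connection_allowed(inbound, client_ip, instance_ip, service_port, proto="tcp"):
    """A security group is a stateful allow list: if the request matches an inbound rule,
    the reply is permitted automatically regardless of outbound rules. Security groups
    have no rule numbers and no deny rules, so only allow rules are consulted."""
    request = Packet(client_ip, instance_ip, proto, service_port)
    return any(_matches(rule, request, client_ip) for rule in inbound if rule.action == "allow")


# Constructed sample rule sets for a subnet hosting a web tier at 10.0.1.10.
INBOUND = [
    Rule(90, "tcp", 22, 22, "10.0.5.0/24", "deny"),       # quarantined subnet; evaluated before rule 110
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 22, 22, "10.0.0.0/8", "allow"),      # SSH only from inside the VPC range
]
# Common mistake: only the service port is allowed outbound, so replies to clients are dropped.
OUTBOUND_MISSING_EPHEMERAL = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Corrected: also allow replies to the ephemeral port range that clients use.
OUTBOUND_FIXED = OUTBOUND_MISSING_EPHEMERAL + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# Equivalent security group: one inbound allow rule is enough because it is stateful.
WEB_SG_INBOUND = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    print(nacl_connection_allowed(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "203.0.113.5", 51234, "10.0.1.10", 443))
    print(nacl_connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 51234, "10.0.1.10", 443))
    print(sg_connection_allowed(WEB_SG_INBOUND, "203.0.113.5", "10.0.1.10", 443))
```

The first call returns False even though HTTPS is allowed inbound, because the reply to the client's ephemeral port 51234 has no matching outbound rule; the second returns True once the 1024-65535 rule is present. The explicit deny at rule 90 shows why rule numbering matters: a later, broader allow does not override it.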

Choose from one of the following predefined templates to deploy security groups and NACLs (or build custom ones) into an existing VPC:

Common Security Groups and NACL Configuration Templates
Collection
A repository of common AWS Security Group and network ACL configurations

For new environments, build a secure VPC with separate subnet tiers for public and private resources, and utilize multiple availability zones (AZs) for high availability. Build a custom VPC that fits your environment using the following templates:

Custom Amazon VPC Configuration Template
Configuration Package
A configuration package to deploy an Amazon VPC with predefined presets to select: subnet tiers (public and private), Availability Zones, and internet connectivity. Configuration includes subnets, route tables, an Internet Gateway, NAT Gateways, VPC Endpoints, Flow Logs, and Security Groups.
Private-Only Amazon VPC Template
Configuration Package
A configuration package to deploy an Amazon VPC with no internet connectivity. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items include the number of subnets, route tables, Security Groups, and VPC Flow Logs.

Internet Connectivity

EC2 instances often need outbound connectivity to reach AWS API endpoints, download software updates and patches, or satisfy other application requirements.

Use VPC Endpoints to provide private access from a VPC to AWS API endpoints without granting internet access, and keep the endpoint policies and security groups on interface endpoints as tight as the service allows.

Deploy Amazon VPC Endpoints in an existing VPC
Configuration Item
Add to Stack
Configuration to create a VPC endpoint in an existing VPC. VPC endpoints allow private connectivity from a VPC to supported AWS services. Both Interface and Gateway endpoints are supported.
Private-Only Amazon VPC Template
Configuration Package
A configuration package to deploy an Amazon VPC with no internet connectivity. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items include the number of subnets, route tables, Security Groups, and VPC Flow Logs.

Where internet access is required, use a proxy to restrict outbound traffic to a whitelist of allowed URLs and domains rather than opening the NAT path to the whole internet.

How to set up an outbound VPC proxy with domain whitelisting and content filtering
External: Solution/Guide
This post shows how to limit outbound web connections from a VPC to the internet, using a web proxy with custom domain whitelists or DNS content filtering services. The solution is scalable, highly available, and deploys in a fully automated way. This solution is based on the open source HTTP proxy Squid. The proxy can be used for all workloads running in the VPC, like Amazon Elastic Compute Cloud (EC2) and AWS Fargate.
How to Add URL Filtering to Your NAT Instance with Squid
External: Solution/Guide
This post describes how to use Squid, a leading open-source proxy, to restrict both HTTP and HTTPS outbound traffic to a given set of Internet domains, while being fully transparent for instances in the private subnet.

Authentication

Use AWS Systems Manager (SSM) Session Manager or EC2 Instance Connect to access EC2 instances without relying on long-lived SSH keys, and to provide an audit trail of who accessed which instance. Session Manager can also log the content of users' sessions to CloudWatch Logs or S3:

  • AWS Session Manager: uses the SSM Agent to provide a bash or PowerShell session to an IAM principal without opening any inbound ports on the instance. The agent connects outbound to the Systems Manager endpoints, so instances in private subnets need a NAT path or the SSM VPC endpoints (ssm, ssmmessages, ec2messages).
  • EC2 Instance Connect: supported out of the box on Amazon Linux 2 and Ubuntu (other distributions need the ec2-instance-connect package); pushes a one-time SSH public key that is valid for 60 seconds, after which the client connects with the matching private key. The SSH connection itself still requires TCP port 22 to be reachable, so the security group must allow it from the client network or, for browser-based access, from the EC2 Instance Connect service IP range for the region.

Both services authenticate through IAM (which can be federated to Active Directory or another identity provider) and record each session start or key push in CloudTrail.

Start an Interactive Browser-Based Bash or PowerShell Session to Instances using Systems Manager
External: Solution/Guide
With the Session Manager feature of AWS Systems Manager, you can start a new browser-based interactive shell and a command-line interface (CLI) to manage Windows and Linux instances.
Use EC2 Instance Connect to Manage SSH to Instances with Short Lived Keys
External: Solution/Guide
This blog post presents EC2 Instance Connect as an alternative to complicated SSH key management strategies and includes the benefits of using built-in auditability with CloudTrail. By integrating with IAM and the EC2 instance metadata available on all EC2 instances, EC2 Instance Connect provides a secure way to distribute short-lived keys and control access by IAM policy.
Configure the required EC2 IAM Role for AWS Systems Manager
Configuration Item
Add to Stack
Configuration to create an IAM role for EC2 instances to access AWS Systems Manager (SSM) services, with the least permissions required.

IAM Access and Permissions

Define the permissions that users and instance roles get for EC2 with custom IAM policies that follow the least-privilege principle; tag-based conditions (ec2:ResourceTag/<key>) let a single policy scope actions to the resources a principal owns or that have been approved.

IAM Policy: Allow Launching EC2 Instances in Specific Subnets Only
Configuration Item
Add to Stack
An IAM policy that allows listing information for all EC2 objects and launching EC2 instances in a specific subnet
IAM Policy: Allow Users to Launch Approved Images and Use Existing Security Groups Only
Configuration Item
Add to Stack
An IAM policy that prevents users from creating their own security groups and allows users to launch only approved AMIs (Amazon Machine Images). Approved images are identified with tags (for example, tag key Approved with tag value True).
IAM Policy: Allow Starting or Stopping EC2 Instances Based on a User's Username
Configuration Item
Add to Stack
An IAM policy that allows an IAM user to start or stop EC2 instances, but only if the instance's Owner tag matches that user's user name.
Additional Custom IAM Policy Templates
Collection
A repository of customizable IAM policies for various AWS services including EC2
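The two tag-based policies above are easiest to reason about with a small evaluator. The following Python is an added example written for this page, not one of the policy templates: the policy document is reconstructed from the item descriptions, and only the subset of IAM semantics it needs is modelled (Allow/Deny, wildcard Action and Resource, StringEquals/StringNotEquals, and the ec2:ResourceTag/<key> and aws:username condition keys).

```python
"""Tag-based (ABAC) EC2 policy evaluation, as an added example.

A minimal evaluator for two policy patterns: start/stop only on instances whose
Owner tag equals ${aws:username}, and RunInstances only from AMIs tagged
Approved=True, with security group creation denied. The policy document below
is written for this example; it is not the page's own template. Only the subset
of IAM it needs is modelled.
"""
import fnmatch
import re

# Constructed policy document illustrating the patterns described above.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Start/stop instances only when the Owner tag equals the caller's user name.
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}},
        },
        {   # Launch only from AMIs tagged Approved=True (StringEquals is case-sensitive).
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*::image/ami-*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Approved": "True"}},
        },
        {   # Users may not create their own security groups; an explicit deny always wins.
            "Effect": "Deny",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, context):
    """Expand policy variables such as ${aws:username} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), value)


def _condition_value(key, resource_tags, context):
    if key.startswith("ec2:ResourceTag/"):
        return resource_tags.get(key[len("ec2:ResourceTag/"):])
    return context.get(key)


def _conditions_met(conditions, resource_tags, context):
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = _condition_value(key, resource_tags, context)
            wanted = [_substitute(v, context) for v in _as_list(expected)]
            if operator == "StringEquals":
                # A missing key (an untagged resource) never satisfies StringEquals.
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # A missing key satisfies StringNotEquals, as in IAM.
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource_arn, resource_tags, context):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one action on one resource.

    Real EC2 calls such as RunInstances are authorised against several resources
    (image, instance, subnet, security group, volume, ...) and each needs a matching
    Allow; this evaluator judges a single resource at a time.
    """
    decision = "implicit-deny"
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(statement["Resource"])):
            continue
        if not _conditions_met(statement.get("Condition", {}), resource_tags, context):
            continue
        if statement["Effect"] == "Deny":
            return "explicit-deny"   # deny wins over any allow, no matter the order
        decision = "allow"
    return decision


if __name__ == "__main__":
    ctx = {"aws:username": "alice"}
    instance = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"
    print(evaluate(SAMPLE_POLICY, "ec2:StopInstances", instance, {"Owner": "alice"}, ctx))
    print(evaluate(SAMPLE_POLICY, "ec2:StopInstances", instance, {}, ctx))
```

The untagged-instance case is the one worth remembering: with no Owner tag, StringEquals is false and the request falls through to implicit deny, so an attacker who can remove tags cannot gain access, but an operator who forgets to tag loses it. Pair the policy with a Deny on ec2:DeleteTags for the Owner key if users should not be able to re-tag instances to themselves.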

Image Security

Set up a golden image pipeline to regularly build new Amazon Machine Images (AMIs) with the latest updates and patches, hardening requirements, and any required application packages. The pipeline can also be integrated with Amazon Inspector or third-party products for vulnerability scanning:

Set Up a Golden AMI Pipeline
External: Solution/Guide
The solution includes step-by-step instructions and CloudFormation templates required to set up a golden AMI pipeline that allows one to create, distribute across accounts, regularly assess, and decommission golden AMIs.
Set Up Continuous Golden AMI Vulnerability Assessments with Amazon Inspector
External: Solution/Guide
The solution in this post creates EC2 instances from golden AMIs and then runs an Amazon Inspector security assessment on the created instances. When the assessment results are available, the solution consolidates the findings and advises you about next steps. Furthermore, the solution schedules an Amazon CloudWatch Events rule to run the golden AMI vulnerability assessments on a regular basis.
Extend golden AMIs with AWS Marketplace Private Image Build
External: Solution/Guide
This solution shows how to automate the installation of software from AWS Marketplace onto your golden AMI using Private Image Build.

Vulnerability Management and Patching

Set up automated vulnerability assessment and patching for EC2 instances so that known vulnerabilities are detected and the latest patches are applied on a regular schedule:

  • Amazon Inspector is an agent-based service that runs recurring vulnerability assessments (as well as other packaged assessments such as CIS benchmarks and security best practices).
  • AWS Systems Manager (SSM) Patch Manager scans for and installs missing patches on EC2 instances. Create SSM Maintenance Windows to run these operations regularly and control when and how patching is applied; run a scan-only operation first to measure patch compliance before enabling installation.
Recurring Inspector Assessments with Custom Template
Configuration Item
Add to Stack
Set up scheduled assessments using Amazon Inspector to assess the security state of EC2 instances, including testing applications for exposure, vulnerabilities, and deviations from best practices. Templates can be restricted to select EC2 instances by Tag or apply to all EC2 instances. Configuration includes options to enable automatically recurring assessments based on a schedule.
Amazon Inspector Configuration Templates
Collection
AWS security controls to set up Amazon Inspector as well as solutions that use Amazon Inspector.
Set Up Scheduled EC2 Instance Patching
Configuration Guide
This guide provides a walkthrough for setting up the necessary configuration for AWS Systems Manager Patch Manager to automatically scan and/or apply patches to EC2 instances in an AWS environment. The following is included:
EC2 IAM Role for AWS Systems Manager
Configuration Item
Add to Stack
Configuration to create an IAM role for EC2 instances to access AWS Systems Manager (SSM) services, with the least permissions required.

Monitoring and Compliance

Set up a comprehensive monitoring and compliance strategy by configuring the relevant AWS services and setting up alarms and notifications for critical events:

  • VPC Flow Logs record accepted and rejected IP traffic to and from the network interfaces of EC2 instances.
  • AWS CloudTrail logs all API activity in the account, including the creation, modification, and deletion of EC2 resources.
  • AWS Config tracks configuration changes in an environment and provides a historical view of EC2 resources throughout their lifetime.
  • AWS Config Rules allow compliance rules to be defined so that resources in the environment are configured properly and securely.
  • CloudWatch Alarms can alert on metric filters over CloudTrail and VPC Flow Logs events delivered to CloudWatch Logs (for example, security group changes or a spike in rejected traffic).
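Once VPC Flow Logs are delivered to CloudWatch Logs or S3, the events the alarms above watch for can be expressed as simple detection logic. The following Python is an added example, not part of the monitoring package on this page; the flow log lines are constructed to match the default version 2 format, and the account, interface and address values are made up.

```python
"""Detection over VPC Flow Log records, as an added example.

Parses the default (version 2) flow log format and runs two checks a monitoring
pipeline would alarm on: accepted administrative access (SSH/RDP) from outside
RFC 1918 address space, and one source probing many ports that the security
group or NACL rejected. The log lines are constructed samples, not captured
data; the account, ENI and IP values are made up.
"""
import ipaddress
from collections import defaultdict

# Field order of the default VPC Flow Log format.
FLOW_LOG_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# VPC address space. The stdlib is_private flag also counts documentation ranges
# (such as 203.0.113.0/24) as private, so the RFC 1918 ranges are checked explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records for an instance at 10.0.1.10 behind eni-0a1b2c3d.
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 203.0.113.42 10.0.1.10 51522 22 6 12 2048 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.2.5 10.0.1.10 40122 22 6 30 5120 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.10 60001 23 6 1 60 1418530010 1418530070 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.10 60002 3389 6 1 60 1418530010 1418530070 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.10 60003 445 6 1 60 1418530010 1418530070 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.10 60004 8080 6 1 60 1418530010 1418530070 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 203.0.113.80 44310 443 6 40 9000 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_flow_logs(text):
    """Parse space-separated records; '-' fields (NODATA/SKIPDATA records) become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_LOG_FIELDS):
            continue  # malformed line; a real pipeline would count and surface these
        record = {}
        for name, raw in zip(FLOW_LOG_FIELDS, parts):
            if raw == "-":
                record[name] = None
            elif name in INT_FIELDS:
                record[name] = int(raw)
            else:
                record[name] = raw
        records.append(record)
    return records


def _is_rfc1918(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def public_admin_access(records, admin_ports=(22, 3389)):
    """Accepted TCP flows to an admin port from a non-RFC1918 source: a security group
    let the connection through. ACCEPT means packets reached the interface, not that a
    login succeeded, so correlate with host auth logs before concluding compromise."""
    hits = []
    for r in records:
        if (r["action"] == "ACCEPT" and r["protocol"] == 6
                and r["dstport"] in admin_ports and not _is_rfc1918(r["srcaddr"])):
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


def port_scan_sources(records, min_ports=3):
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports."""
    ports_by_source = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports_by_source[r["srcaddr"]].add(r["dstport"])
    return {src: ports for src, ports in ports_by_source.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    records = parse_flow_logs(SAMPLE_FLOW_LOGS)
    print(public_admin_access(records))
    print(port_scan_sources(records))
```

Flow log records are aggregated over a capture window (the start/end fields), so a single record can represent many packets; the port-scan check therefore counts distinct ports per source rather than packets. Both checks map directly onto CloudWatch Logs metric filters on the action and dstport fields once the flow log group is in place.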

Use the following packages to enable the required logging services, as well as compliance and monitoring rules for EC2 resources:

EC2 Monitoring and Compliance Rules Package
Configuration Package
A configuration package to monitor EC2 related API activity as well as configuration compliance rules to ensure the security of AWS EC2 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups
VPC Flow Logs
Configuration Item
Add to Stack
Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow Logs can be enabled on a VPC, subnet, or network interface level.
A Collection of AWS Config Compliance Rules
Collection
Repository of AWS Config rules examples - both AWS managed and custom Config rules.
Preventing Blacklisted Applications with AWS Systems Manager and AWS Config
External: Solution/Guide
This blog post walks through an example that shows how to use AWS Systems Manager Inventory with AWS Config to detect and track changes in applications installed on an instance, and with AWS Config and Config rules to detect prohibited (aka blacklisted) applications installed on managed instances and report non-compliance.
Using AWS Systems Manager to run compliance scans using InSpec by Chef
External: Solution/Guide
InSpec by Chef, an open-source testing framework, provides teams the ability to define and assess system state and status across the entire application lifecycle. AWS Systems Manager supports running InSpec compliance scans on managed instances. You can then use the Compliance pane as a unified dashboard to identify issues, remediate them, and track progress for various nodes and profiles.

Backup

Create an automated backup policy for EBS volumes using Data Lifecycle Manager (DLM), which automates snapshot creation, retention, and deletion for EC2 instances. Note that EBS snapshots are crash-consistent, not application-consistent: data held in memory or in flight at the moment of the snapshot is not captured, so databases and other write-heavy applications should be quiesced first or backed up with an application-aware method.

Application-consistent snapshots can be taken for Windows instances by using AWS Systems Manager Run Command to create VSS (Volume Shadow Copy Service) snapshots.

Configure Data Lifecycle Manager (Automated EBS Snapshots)
Configuration Item
Add to Stack
Configure a Data Lifecycle Manager (DLM) policy to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.
Take Microsoft VSS-Enabled Snapshots Using Amazon EC2 Systems Manager
External: Solution/Guide
This blog post shows how to use the AWSEC2-CreateVssSnapshot Systems Manager Run Command document to create application-consistent snapshots of EBS volumes for Windows instances.

Other

AWS Instance Scheduler
External: Solution/Guide
The AWS Instance Scheduler is a solution that enables customers to easily configure custom start and stop schedules for their Amazon EC2 and Amazon RDS instances. The solution is easy to deploy and can help reduce operational costs for both development and production environments.
Open Source Tool: ec2-metadata-filter
External: Solution/Guide
Enhance the security of the EC2 metadata service
How to Create an Opportunistic IPSec Mesh between EC2 Instances
External: Solution/Guide
This blog post shows how to build an opportunistic IPsec mesh that sets up dynamic IPsec tunnels between EC2 instances. The solution is based on Libreswan, an open-source project implementing opportunistic IPsec encryption (IKEv2 and IPsec) at large scale.