Resources for implementing a comprehensive EC2 security strategy. Included are customizable configuration items and packages, as well as guides for encryption, authentication, access control, monitoring and compliance, vulnerability and patch management, backup options and more.
Enable at-rest encryption for all EC2 instances by configuring default EBS encryption on the region level for the AWS account. For additional security, create a new KMS encryption key for the default encryption (otherwise use the default AWS managed key).
For instances not covered by default encryption, or to selectively encrypt EC2 instances, follow the instructions in the following solution:
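As an added example (not code from the original page), the following script audits EBS volumes against the policy above: every volume must be encrypted, and encrypted volumes should use the customer-managed key chosen as the region's default. It runs offline on a constructed sample shaped like the "Volumes" list from `aws ec2 describe-volumes`; the volume IDs and key ARNs are placeholders, and the region-level CLI commands it prints are the ones that turn on default encryption and set the default key.

```python
"""Audit EBS volumes for at-rest encryption and the expected default KMS key.

Added example, not code from the original page. It runs offline on a
constructed sample shaped like the "Volumes" list returned by
`aws ec2 describe-volumes`; the volume IDs and key ARNs are placeholders.
"""

# Placeholder ARN standing in for the customer-managed key chosen as the
# region's default EBS encryption key (assumption, not a real key).
CUSTOMER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-ID"
AWS_MANAGED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-AWS-MANAGED-ID"

# Constructed sample: one unencrypted volume, one encrypted with the AWS
# managed key instead of the customer key, one compliant volume.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": False, "State": "in-use"},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": AWS_MANAGED_KEY_ARN, "State": "in-use"},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "KmsKeyId": CUSTOMER_KEY_ARN, "State": "available"},
]


def find_noncompliant_volumes(volumes, required_key_arn=None):
    """Return (volume_id, reason) pairs for volumes that are unencrypted or,
    when required_key_arn is given, encrypted with a different key."""
    findings = []
    for vol in volumes:
        if not vol.get("Encrypted", False):
            findings.append((vol["VolumeId"], "unencrypted"))
        elif required_key_arn and vol.get("KmsKeyId") != required_key_arn:
            findings.append((vol["VolumeId"], "encrypted-with-other-key"))
    return findings


def default_encryption_commands(region, key_arn):
    """AWS CLI commands that enable region-level default EBS encryption and
    point it at the customer-managed key. These settings only affect volumes
    created afterwards; existing unencrypted volumes must be re-created from
    an encrypted snapshot copy."""
    return [
        f"aws ec2 enable-ebs-encryption-by-default --region {region}",
        f"aws ec2 modify-ebs-default-kms-key-id --region {region} --kms-key-id {key_arn}",
    ]


if __name__ == "__main__":
    for volume_id, reason in find_noncompliant_volumes(SAMPLE_VOLUMES, CUSTOMER_KEY_ARN):
        print(f"{volume_id}: {reason}")
    print("\n".join(default_encryption_commands("us-east-1", CUSTOMER_KEY_ARN)))
```

Against live data, pass `boto3.client("ec2").describe_volumes()["Volumes"]` to `find_noncompliant_volumes` and compare the key with `get_ebs_default_kms_key_id()`; volumes flagged as unencrypted cannot be encrypted in place, which is why enabling the default early matters.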
Control network access to and from EC2 instances using Security Groups. Security groups whitelist traffic by protocols, ports, and source IP addresses (or security groups). For an additional layer of security, use Network Access Lists (NACLs) to allow or deny traffic on the subnet level.
Choose one of the following predefined templates to deploy security groups and NACLs (or build custom ones) into an existing VPC:
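Whichever template is used, the deployed security groups should be checked for rules that undo the whitelisting. The following added example (not from the original page) audits inbound rules for two common problems: a rule open to the whole internet on anything other than an accepted public port, and an all-protocols rule. The sample groups are constructed in the shape of `aws ec2 describe-security-groups` output, the group IDs are placeholders, and the set of accepted public ports is an assumption to adjust per environment.

```python
"""Flag over-permissive inbound security group rules.

Added example, not from the original page. The sample is a constructed subset
of the "SecurityGroups" list returned by `aws ec2 describe-security-groups`;
group IDs are placeholders.
"""

# Assumption: only HTTP/HTTPS may be reachable from the internet.
ALLOWED_PUBLIC_TCP_PORTS = {80, 443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed three-tier example: web, app and database groups.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0app", "GroupName": "app", "IpPermissions": [
        # "-1" means all protocols; describe-security-groups omits FromPort/ToPort here.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
    ]},
    {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
]


def _sources(rule):
    """Yield every source of an inbound rule: IPv4 CIDRs, IPv6 CIDRs and
    referenced security group IDs."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for r in rule.get("UserIdGroupPairs", []):
        yield r["GroupId"]


def audit_security_groups(groups):
    """Return (group_id, reason) pairs for inbound rules that allow all
    protocols, or that are open to the world on a non-accepted port."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
            for src in _sources(rule):
                if proto == "-1":
                    findings.append((sg["GroupId"], f"all protocols and ports from {src}"))
                    continue
                if src not in WORLD_CIDRS:
                    continue  # internal source; whitelisting intact
                accepted = (proto == "tcp" and from_port == to_port
                            and from_port in ALLOWED_PUBLIC_TCP_PORTS)
                if not accepted:
                    findings.append((sg["GroupId"], f"{proto} {from_port}-{to_port} open to {src}"))
    return findings


if __name__ == "__main__":
    for group_id, reason in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {reason}")
```

The IPv6 rule on the database group is the kind of finding that is easy to miss when only `IpRanges` is reviewed; security groups carry three independent source lists and all of them need checking.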
For IPS, URL filtering and rate-limiting rule capabilities, use AWS Network Firewall to protect EC2 instances in a VPC:
For new environments, build a secure VPC with separate subnet tiers for public and private resources, and utilize multiple availability zones (AZs) for high availability. Build a custom VPC that fits your environment using the following templates:
Internet access from EC2 instances is required to access AWS API endpoints, download software updates and patches, or for other application requirements.
Use VPC Endpoints to provide private access from VPCs to AWS API endpoints, without allowing internet access.
Where internet access is required, AWS Network Firewall or 3rd party proxy solutions can be used to whitelist allowed URLs and domains on the internet.
Use AWS SSM Session Manager or EC2 Connect to access EC2 instances without relying on long-term keys, and to provide an audit trail of users accessing instances. Session Manager also allows logging users' sessions to CloudWatch Logs or S3:
Both services use IAM for authentication (which can be federated to Active Directory or other providers), and CloudTrail for audit logging.
Define appropriate permissions for EC2 instances by using custom IAM policies that follow least-privilege principles.
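A least-privilege policy is easier to keep that way if it is linted before it is attached to an instance profile. The following added example (not from the original page) checks an IAM policy document for the usual violations: wildcard actions, `NotAction`, and mutating actions granted on `Resource: "*"`. The two policy documents are constructed, the account ID and ARNs are placeholders, and the read-only classification by action-name prefix (Describe/Get/List) is a simplifying assumption.

```python
"""Lint IAM policy documents for least-privilege violations.

Added example, not from the original page. Both policies are constructed and
the account ID / ARNs are placeholders.
"""

# Assumption: actions with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# Constructed "before": everything in EC2 on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Constructed "after": read-only calls on "*", mutating calls scoped to
# instances carrying a specific tag.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Team": "payments"}}},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    name = action.split(":", 1)[-1]  # "ec2:DescribeInstances" -> "DescribeInstances"
    return name.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return (statement_index, reason) pairs for Allow statements that use
    wildcard actions, NotAction, or mutating actions on Resource "*"."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows every action not listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, f"wildcard action {action}"))
        if "*" in resources:
            mutating = [a for a in actions if not _is_read_only(a)]
            if mutating:
                findings.append((idx, "mutating actions on Resource '*': " + ", ".join(mutating)))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

Describe-style calls on `Resource: "*"` are allowed through because most EC2 read APIs do not support resource-level permissions; the mutating calls are where scoping by ARN and condition keys pays off.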
Set up a Golden Image Pipeline to regularly create new Amazon Machine Images (AMIs) with the latest updates and patches, hardening requirements, and any required application packages. The pipeline can also be integrated with Amazon Inspector or 3rd party products for vulnerability scanning. EC2 Image Builder simplifies the process of building the pipeline:
Alternatively, the following solutions provide details on how to build a more customizable version of the AMI pipeline without EC2 Image Builder:
Set up automated vulnerability scanning and patching for EC2 instances so that they are not exposed to the latest vulnerabilities and have patches applied regularly:
Set up a comprehensive monitoring and compliance strategy by configuring the relevant AWS services and setting up alarms and notifications for critical events:
Use the following packages to enable the required logging services, as well as compliance and monitoring rules for EC2 resources:
Create an automated backup policy for EBS volumes using Data Lifecycle Manager or AWS Backup, which automate snapshot creation and retention for EC2 instances. It is important to note that EC2 snapshots are crash-consistent.
Application-consistent snapshots are supported with AWS Backup or can be taken for Windows instances using AWS Systems Manager Run Command to create VSS Snapshots.
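A backup policy only helps if it is actually producing snapshots, so it is worth verifying the result independently of Data Lifecycle Manager or AWS Backup. The following added example (not from the original page) lists in-use volumes whose most recent completed snapshot is older than the expected interval, or that have none at all. The volumes and snapshots are constructed in the shape of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots --owner-ids self` output, with timezone-aware `StartTime` values as boto3 returns them; IDs are placeholders and the one-day interval is an assumption.

```python
"""Find in-use EBS volumes without a recent completed snapshot.

Added example, not from the original page. Sample data is constructed in the
shape of describe-volumes / describe-snapshots output; IDs are placeholders.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample run is reproducible; use datetime.now(timezone.utc) live.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "State": "in-use"},
    {"VolumeId": "vol-0bbb", "State": "in-use"},
    {"VolumeId": "vol-0ccc", "State": "in-use"},
    {"VolumeId": "vol-0ddd", "State": "available"},  # detached volume, not audited
]

SAMPLE_SNAPSHOTS = [
    # fresh snapshot
    {"SnapshotId": "snap-1", "VolumeId": "vol-0aaa", "State": "completed",
     "StartTime": NOW - timedelta(hours=6)},
    # last good snapshot is nine days old
    {"SnapshotId": "snap-2", "VolumeId": "vol-0bbb", "State": "completed",
     "StartTime": NOW - timedelta(days=9)},
    # only a pending snapshot exists; it does not count until completed
    {"SnapshotId": "snap-3", "VolumeId": "vol-0ccc", "State": "pending",
     "StartTime": NOW - timedelta(hours=1)},
]


def latest_completed_snapshot(snapshots):
    """Map VolumeId -> StartTime of its newest completed snapshot."""
    latest = {}
    for snap in snapshots:
        if snap.get("State") != "completed":
            continue
        vid = snap["VolumeId"]
        if vid not in latest or snap["StartTime"] > latest[vid]:
            latest[vid] = snap["StartTime"]
    return latest


def volumes_missing_recent_snapshot(volumes, snapshots, now, max_age_days=1):
    """Return (volume_id, age_in_days_or_None) for in-use volumes whose newest
    completed snapshot is older than max_age_days, or that have none."""
    latest = latest_completed_snapshot(snapshots)
    stale = []
    for vol in volumes:
        if vol.get("State") != "in-use":
            continue
        last = latest.get(vol["VolumeId"])
        if last is None:
            stale.append((vol["VolumeId"], None))
        elif now - last > timedelta(days=max_age_days):
            stale.append((vol["VolumeId"], (now - last).days))
    return stale


if __name__ == "__main__":
    for volume_id, age in volumes_missing_recent_snapshot(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, NOW):
        print(f"{volume_id}: {'no completed snapshot' if age is None else f'last snapshot {age} days ago'}")
```

The check deliberately ignores pending snapshots: a snapshot that never completes (for example because the volume was deleted mid-copy) is not a restore point, and an alarm on this list catches a broken lifecycle policy that the policy's own console status would not show.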