Hardening an EC2 Instance: 5 Critical Best Practices

Hardening an EC2 Instance: 5 Critical Best Practices

By Contributing Writer
Gilad David Maayan
  |  December 16, 2021



What is an Amazon EC2 Instance?

Amazon Web Services (News - Alert) (AWS) is a top cloud computing vendor offering various services, including a web-based service, called Amazon Elastic Compute Cloud (Amazon EC2), which offers secure and resizable cloud compute capacity.

Amazon EC2 offers cloud computing resources in the form of virtual servers, called EC2 instances. You can use EC2 instances to run applications on top of the AWS infrastructure. AWS does not limit the number of virtual machines (VMs)—you can scale as needed.

AWS offers a variety of EC2 instance types, each providing different configurations of memory, networking, storage, and CPU resources. AWS provides each instance type in various sizes to help address certain workload requirements.

Each EC2 instance is created from an Amazon Machine Image (AMI), which serves as a template. AMIs are configured with their own software and operating system that define the operating environment. You can use any of the AMIs provided by AWS or those offered in the AWS Marketplace. You can also create and share your own AMIs.

Security in Amazon EC2

AWS, like most cloud providers, regards security as a shared responsibility. Cloud security is based on a shared responsibility model, which splits responsibility between cloud vendors and customers.

Security of the cloud—the responsibility of the cloud provider

As the cloud vendor, AWS is responsible for protecting the AWS infrastructure that runs its services. Additionally, AWS provides customers with services that they can use securely. AWS regularly undergoes tests run by third-party auditors that verify the effectiveness of their security as part of the AWS Compliance Programs.

Security in the cloud—the responsibility of the cloud customer

Here are the security aspects that fall under the responsibilities of cloud customers:

  • Control network access to your EC2 instances. You can do that by configuring your security groups and VPC.
  • Manage the credentials that can connect to your instances.
  • Harden the guest operating system as well as the software deployed to the guest operating system. This responsibility includes managing security patches and updates.
  • Configure all Identity and Access Management (IAM) roles attached to your instance as well as the permissions associated with these roles.

Hardening an EC2 Instances

Here are five ways you can perform hardening for your EC2 instances to improve the security of your workloads in the cloud.

1. Use IAM Roles

AWS provides default security credentials for new users. These credentials have unlimited access to all AWS resources under the account, including EC2. Do not use these credentials to grant users, services, or applications access to EC2 instances. Instead, you should use AWS.

Do not use default AWS credentials to grant services, applications, or users access to EC2 instances. Instead, use IAM to specify and control access and privileges to your AWS resources.

IAM enables you to create specific users and groups, defining each with its unique security credentials. IAM also lets you create and use JSON-based policies. These policies define various tasks, and the system uses the EC2 APIs to perform and enforce the policies.

Additionally, IAM enables you to create roles, which you can use to manage AWS credentials for applications that run on your EC2 instances. Applications that make API calls must sign their requests signed with valid AWS credentials.

When you create an IAM role and assign it to an EC2 instance, it is configured to provide secure access to another AWS resource like an S3 bucket. The necessary permissions required by that role are defined by an IAM policy you have created. Next, the instance is launched in EC2, and the IAM role generates temporary credentials the instance uses to access the bucket.

This method of using IAM roles ensures that the long-term credentials stored in your instance are not used to access the bucket. Instead, it uses temporary credentials. The latter offers a more secure alternative because long-term credentials remain unexposed.

2. Identify Anomalies in Usage or Cost

Amazon has a usage reporting feature called Cost Explorer, which lets you see your usage and cost trends, and identify areas for improvement. CloudWatch applies statistical and machine learning algorithms that determine normal baselines and can surface anomalies without user intervention.

You can combine Cost Explorer metrics with Amazon CloudWatch to detect anomalies such as:

  • Unusually high usage of specific Amazon EC2 instances
  • Unexpected costs incurred on Amazon resources

These anomalies could indicate accidental misconfiguration or malicious attack, such as a denial of service (DoS) or economic denial of sustainability attack (EDoS), where attackers hit your resources with fake traffic to cause them to scale up.

3. Avoiding Malware

Here are several practices you can use to avoid malware:

Use only resources from a trusted source

Your instance should run only applications and executable code from trusted sources. This principle also applies to any AMIs you use to launch your instances.

Harden the operating system

You should properly secure the guest operating system running on your instance according to the standard hardening procedures relevant for each particular operating system. You should ensure that your applications and guest operating systems are fully patched and that any newly released patches are applied on time. Additionally, you should install trusted and regularly updated antivirus software on the guest operating system.

4. Tighten Up Security Groups

A security group is defined as part of a virtual private cloud (VPC), which is a virtual, stateful firewall around a network interface. This is the last layer of protection stopping attackers from accessing an EC2 instance, and is usually the easiest way to restrict network access in the AWS Cloud.

Always follow the principle of least privilege when using security groups. In other words, you should ensure only those clients that actually need to perform a task on the instance can access it.

What is often overlooked in the definition of security groups is outbound communication rules. Protect your instances by limiting the destination of traffic sent by them, for example by preventing botnets from sending requests to their command and control (C&C) server. If you’re not sure how to limit traffic, a good place to start is to create an allowlist of safe protocols.

5. Set up Automatic Updates

You should regularly update, secure, and patch the applications and operating system running on your instances. You can set up automated processes that install security-related updates using AWS Systems Manager Patch Manager or any other automatic update services. If the vendor specifies a recommended process for installing their updates, you should follow these instructions.

Conclusion

In this article, I explained the basics of Amazon EC2 security and provided several ways you can secure EC2 instances by hardening their configuration:

  • Define custom IAM roles—do not use default roles. Apply custom roles that match your organizational structure, and use the least privilege principle.
  • Identify anomalies—use tools like Cost Explorer and CloudWatch to identify anomalous behavior of an EC2 instance and respond to it.
  • Avoid malware—ensure applications and AMIs come from trusted sources, and scan EC2 instances for malware just like any endpoint.
  • Tighten up security groups—ensure that security groups in your VPC are tightly defined to isolate sensitive EC2 instances.
  • Set up automatic updates—use the AWS Systems Manager Patch Manager to automate security updates on all EC2 instances.

I hope this will be useful as you improve your organization’s security posture in Amazon EC2.