Many individuals and organizations run virtual machines and dedicated servers on Amazon Elastic Compute Cloud (EC2). Like any other host on the Internet, your Amazon EC2 instance can be vulnerable to attack if you don't take special precautions. In this article, I explain some of the most important things you should do to secure your Amazon EC2 instance.
Close Unnecessary Ports
Firewalls are implemented on EC2 instances using Security Groups. Security Groups contain rules that limit inbound traffic to specific ports and protocols and specify which IP addresses are allowed access.
To prevent attackers from gaining access to your server and stealing data, you should ensure that important ports are only reachable from trusted IP addresses and networks.
With security groups, administrators can create firewall rules for TCP, UDP and/or ICMP traffic from various IP addresses and IP address ranges. They can also secure common services and ports like HTTP, HTTPS, SSH, RDP and databases like Microsoft SQL and MySQL.
For example, ports like 22 (SSH) and 3389 (RDP) should only allow access from your private network, not from the entire Internet, whereas HTTP/HTTPS access can be allowed from anywhere. Here is how the new Security Group screen looks in the AWS Console:
In security groups, the entire Internet is written as the CIDR range 0.0.0.0/0. Some of the common ports you should consider restricting access to include:
- 20/21 (FTP)
- 22 (SSH)
- 3389 (RDP)
- 3306 (MySQL)
- 1433 (MSSQL Server)
- 1434 (MSSQL Monitor)
- 4333 (MSQL)
- 5432 (PostgreSQL)
- 5500 (VNC RDP)
You should only open ports that MUST be open for your service to operate.
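The rule of thumb above can be turned into an audit. The following script is an added example, not code from the original article or from AWS: it takes security-group rules in the shape that `aws ec2 describe-security-groups` returns (the `IpPermissions` list), and reports every sensitive port from the list above that is open to the whole Internet (0.0.0.0/0, or ::/0 for IPv6). The sample group `SAMPLE_GROUP` is constructed for the example; no AWS API call is made.

```python
"""Find sensitive ports that a security group exposes to the whole Internet.

Added example for this article; SAMPLE_GROUP is a constructed stand-in for one
entry of `aws ec2 describe-security-groups` output, so the script runs offline.
"""

# Ports the article recommends restricting, with the service each one carries.
SENSITIVE_PORTS = {
    20: "FTP", 21: "FTP", 22: "SSH", 3389: "RDP", 3306: "MySQL",
    1433: "MSSQL Server", 1434: "MSSQL Monitor", 4333: "mSQL",
    5432: "PostgreSQL", 5500: "VNC",
}

# CIDR ranges that mean "anywhere" (IPv4 and IPv6).
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_is_public(permission):
    """True if any source range on the rule is the entire Internet."""
    ranges = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return any(cidr in ANYWHERE for cidr in ranges)


def exposed_ports(permission):
    """Sensitive ports covered by the rule's port range.

    IpProtocol "-1" means all traffic (FromPort/ToPort are absent), so every
    sensitive port counts; non-TCP/UDP protocols carry no ports at all.
    """
    proto = permission.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return []
    lo, hi = permission["FromPort"], permission["ToPort"]
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def audit_security_group(group):
    """Return (group id, port, service) for each sensitive port open to anywhere."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not rule_is_public(perm):
            continue  # restricted to specific ranges: what the article asks for
        for port in exposed_ports(perm):
            findings.append((group["GroupId"], port, SENSITIVE_PORTS[port]))
    return findings


# Constructed sample: SSH limited to a private network (fine), HTTPS open to
# the world (fine), RDP open to the world (bad), and an IPv6 rule whose port
# range happens to include MySQL (bad).
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3310,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for group_id, port, service in audit_security_group(SAMPLE_GROUP):
        print(f"{group_id}: port {port} ({service}) is open to the entire Internet")
```

To run it against a real account, replace `SAMPLE_GROUP` with the parsed JSON from `aws ec2 describe-security-groups` and loop over `SecurityGroups`; the audit itself needs no changes. Note that an "all traffic" rule (`IpProtocol` of `-1`) is reported as exposing every sensitive port, because that is what it does.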
Use SSH Keys Instead Of Passwords
Make sure that all traffic between your PC (or web browser) and the Amazon EC2 instance is encrypted, so that when you use PuTTY or a file-transfer client like WinSCP you are not exposed to man-in-the-middle attacks.
Once you have launched your Amazon EC2 instance, you can connect to it like any other remote server, using either Telnet or SSH. Since Telnet transmits everything, including credentials, in cleartext over the network, avoid Telnet and use an encrypted protocol such as Secure Shell (SSH) instead.
For additional security, use public-key authentication instead of passwords: passwords are vulnerable to many simple attacks, such as brute-force guessing.
If you launched your instance from the Amazon Linux AMI, password authentication is already disabled by default, and you must use a public/private key pair to SSH into the instance.
If you created your own AMI or used one from a third party, password authentication might not be disabled by default. Verify the setting and disable it.
Keep Software Up To Date
Windows and Linux operating systems are supported by very active communities, so new updates, versions and patches for the different components of each platform are released frequently. Since many of these updates respond to newly discovered security vulnerabilities, it is important to keep the software on your server up to date at all times.
AWS refreshes the Amazon-provided AMIs on a regular basis. The easiest way to get these updates without launching a new instance is to use the built-in package manager of your operating system. On Windows, Windows Update does this for you. On Linux, run one of the following as root (or with sudo):
yum update
for Amazon Linux, Red Hat and related distributions, or:
apt-get update && apt-get upgrade
for Debian, Ubuntu and related distributions (apt-get update only refreshes the package index; apt-get upgrade is what installs the new versions).
These commands determine the latest versions of your installed packages and prompt you to update them.
Other Things You Can Do
The above three EC2 security tips are probably the most important. However, you might also want to do/note the following:
- Utilize multi-factor authentication.
- Disable remote root login. Surprisingly, many people still leave it enabled.
- Follow AWS standard practices.
- Audit any proprietary applications you may be running on your EC2 instance.
- Install only necessary software.
- Provide access only to those users who have a business need to be on your systems and have a procedure to revoke access when it is no longer needed.
- Provide temporary escalated privileges such as sudo for users who need to perform occasional privileged tasks.
- Review configuration settings on your packages and harden their configuration from attackers.
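The two SSH recommendations above, using keys instead of passwords (the "Use SSH Keys Instead Of Passwords" section) and disabling remote root login, both come down to a few lines of sshd_config, and an AMI from a third party may not ship them. The following checker is an added example, not code from the original article or from OpenSSH: it parses an sshd_config fragment the way sshd does (the first value of a keyword wins, later duplicates are ignored, and conditional Match blocks are left out) and reports the settings that still allow password or root logins. `SAMPLE_WEAK` and `SAMPLE_HARDENED` are constructed fragments; on a real host you would pass the contents of /etc/ssh/sshd_config.

```python
"""Check an sshd_config for password logins and remote root login.

Added example for this article. The two sample configurations are constructed;
the defaults table reflects OpenSSH's behaviour when a keyword is absent.
"""
import re

# What sshd assumes when the keyword is not set at all (OpenSSH 7.0 and later).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Older name for the same option; treated as an alias so either spelling counts.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} (both lower-cased) for the first occurrence of each keyword.

    sshd uses the first value it encounters, so later duplicates are ignored.
    Everything after a 'Match' line is conditional and is skipped.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_sshd(text):
    """Return a list of findings; an empty list means the config follows the article."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password logins are possible")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': keyboard-interactive "
                        "logins can still prompt for a password")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key-based login is disabled")
    if cfg["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no': remote root login is permitted "
                        "(prohibit-password still allows root with a key)")
    return findings


# Constructed sample: a third-party image that left password and root logins on.
# The second PasswordAuthentication line and the Match block are ignored by sshd.
SAMPLE_WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: the same host after applying the article's advice.
SAMPLE_HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {check_sshd(text) or ['no findings']}")
```

After editing sshd_config on a running instance, restart the SSH service and, before closing your existing session, confirm in a second session that key-based login still works; otherwise a typo can lock you out of the instance.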