Technical Notes Of
Ehi Kioya
Securing Your Amazon EC2 Instance

By Ehi Kioya 1 Comment

Many individuals and organizations run virtual machines and dedicated servers on Amazon Elastic Compute Cloud (EC2). Like any other host on the Internet, an EC2 instance is exposed to attack unless you take some precautions. In this article, I explain some of the most important things you should do to secure your Amazon EC2 instance.

Close Unnecessary Ports

Firewalls are implemented on EC2 instances using Security Groups. A security group is a stateful firewall attached to the instance's network interface: it denies all inbound traffic except what its rules explicitly allow, and each rule names a protocol, a port or port range, and the source IP address or CIDR range that may connect.

To keep attackers from reaching administrative services and stealing data, you should ensure that sensitive ports are reachable only from trusted IP addresses and networks.

With security groups, administrators can write rules for TCP, UDP and ICMP traffic from specific IP addresses and address ranges, and so restrict common services and ports such as HTTP, HTTPS, SSH, RDP and databases like Microsoft SQL Server and MySQL.

For example, ports 22 (SSH) and 3389 (RDP) should only accept connections from your own network (an office or VPN egress address, or a bastion host inside the VPC), never from the entire Internet. HTTP/HTTPS on a public web server, on the other hand, can be allowed from anywhere. Here is how the new Security Group screen looks in the AWS Console:

Amazon EC2 Instance Security Group

The entire Internet is written as 0.0.0.0/0 (and ::/0 for IPv6) in security group rules. Some of the common ports you should restrict include:

  • 20/21 (FTP)
  • 22 (SSH)
  • 3389 (RDP)
  • 3306 (MySQL)
  • 1433 (MSSQL Server)
  • 1434 (MSSQL Browser service, UDP)
  • 4333 (mSQL)
  • 5432 (PostgreSQL)
  • 5500 (VNC listening viewer) and 5900 (VNC server)

Open only the ports that MUST be open for your service to operate, and remember that a rule allowing "all traffic" from 0.0.0.0/0 exposes every one of these at once.
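The following is an added example, not code from the original article, that checks the rules of a security group for exactly this problem. It works on the data structure that boto3's describe_security_groups() returns; the group embedded in it is constructed sample data so the script runs offline, and the port 5900 entry is my addition (the VNC server port) rather than something the article lists. An "all traffic" rule open to 0.0.0.0/0 is treated as exposing every sensitive port.

```python
"""Audit EC2 security groups for sensitive ports open to the whole Internet.

Added example, not code from the original article. It works on the structure
returned by boto3's ec2.describe_security_groups()["SecurityGroups"]; the
SAMPLE_GROUPS below are constructed so the script runs offline.
"""
from ipaddress import ip_network

# Ports the article lists, plus 5900 (the VNC server port) as an assumption.
SENSITIVE_PORTS = {
    20: "FTP data", 21: "FTP control", 22: "SSH", 1433: "MSSQL",
    1434: "MSSQL Browser", 3306: "MySQL", 3389: "RDP", 4333: "mSQL",
    5432: "PostgreSQL", 5500: "VNC listening viewer", 5900: "VNC server",
}

# "Anywhere" as a security group rule writes it, for IPv4 and IPv6.
WORLD = (ip_network("0.0.0.0/0"), ip_network("::/0"))


def port_range(perm):
    """Port span covered by one IpPermissions entry; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def sensitive_ports_in(perm):
    """Sensitive ports that fall inside the entry's port span, ascending."""
    lo, hi = port_range(perm)
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def world_open_cidrs(perm):
    """CIDRs in the entry that mean 'the entire Internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c) in WORLD]


def audit_security_groups(groups):
    """Return (group id, protocol, port, service, cidr) for every sensitive port
    reachable from anywhere. Rules that only reference other security groups
    (UserIdGroupPairs) carry no CIDR and are never flagged."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            for cidr in world_open_cidrs(perm):
                for port in sensitive_ports_in(perm):
                    findings.append((sg["GroupId"], perm["IpProtocol"], port,
                                     SENSITIVE_PORTS[port], cidr))
    return findings


SAMPLE_GROUPS = [  # constructed sample in describe_security_groups() shape
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-server",
        "IpPermissions": [
            # HTTPS from anywhere: expected for a public web server, not flagged
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # SSH only from one office address: not flagged
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
            # RDP from anywhere: one finding
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # "All traffic" from anywhere: every sensitive port is exposed
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for group_id, proto, port, service, cidr in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {service} ({proto}/{port}) open to {cidr}")
```

To audit a live account, replace SAMPLE_GROUPS with boto3.client("ec2").describe_security_groups()["SecurityGroups"]. Any rule the script prints should be narrowed to a specific source CIDR, or to another security group (for example the bastion host's), rather than 0.0.0.0/0.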

Use SSH Keys Instead Of Passwords

Make sure the traffic between your PC and the Amazon EC2 instance is encrypted, and verify the server's host key fingerprint the first time you connect (Amazon Linux prints the instance's host key fingerprints to the console output at first boot, which you can read in the EC2 console). Encryption alone does not stop a man-in-the-middle; it is the host key check in PuTTY, OpenSSH or WinSCP that lets you detect an impostor. For file transfer, use SFTP or SCP over SSH (as WinSCP does) rather than plain FTP.

Once your Amazon EC2 instance is running, you connect to it like any other remote server. Telnet transmits everything, including your password, in cleartext over the network, so do not install or enable a Telnet server on the instance; use Secure Shell (SSH), which encrypts and authenticates the whole session.
External link: Difference between Telnet and SSH.

For additional security, you should use a secure authentication method like public-key authentication instead of passwords (passwords are vulnerable to many simple attacks like brute force attacks).

RELATED READING: Password Hashing, Salting And Peppering

If you launched your instance from the Amazon Linux AMI, password authentication is already disabled by default and you must use the key pair you chose at launch to SSH into the instance.

If you created your own AMI or used one from a third party, password authentication may still be enabled. Check /etc/ssh/sshd_config on the instance: PasswordAuthentication should be set to no (and PubkeyAuthentication to yes), and sshd must be restarted after the change. Keep your existing session open until you have confirmed that a fresh key-based login works, so that a mistake does not lock you out.
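As an added example (not code from the original article), the script below parses an sshd_config and reports the directives that still allow password or root logins; it also checks PermitRootLogin, which the "Other Things You Can Do" list later in this article recommends disabling. The sample configuration inside it is constructed to look like a third-party AMI that still accepts passwords. Two details that a plain grep for PasswordAuthentication misses are handled: sshd honours the first occurrence of a directive and ignores later duplicates, and settings inside a Match block apply only to the matched users, so a "PasswordAuthentication no" that appears after Match does not secure the global setting.

```python
"""Check an OpenSSH server configuration for password and root login settings.

Added example, not from the original article. It parses sshd_config text and
reports directives an EC2 instance should not leave at their permissive values:
PasswordAuthentication and KbdInteractiveAuthentication (password prompts via
PAM) should be 'no', PermitRootLogin should be 'no', and PubkeyAuthentication
must stay 'yes'. The sample config below is constructed; pass the path of a
real file as the first argument to check it instead.
"""
import re
import sys

# OpenSSH's built-in value when the directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# What the article recommends: keys only, root login fully disabled.
EXPECTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}
# Older name for the same directive, still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Global directives as {name: value}. sshd uses the first occurrence of a
    directive, so later duplicates are ignored; parsing stops at the first
    Match block because everything after it applies conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    return settings


def audit_sshd_config(text):
    """(directive, effective value, expected value, 'set' or 'default') for each
    directive whose effective value differs from the expected one."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key, DEFAULTS[key])
        if got != want:
            findings.append((key, got, want, "set" if key in settings else "default"))
    return findings


SAMPLE_SSHD_CONFIG = """\
# constructed sample: a third-party AMI that still allows password logins
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for key, got, want, source in audit_sshd_config(text):
        print(f"{key}: {got} ({source}), should be {want}")
```

A directive reported as "default" is simply missing from the file, which is how a minimal config ends up with PermitRootLogin at its prohibit-password default (key-based root login still allowed). After editing sshd_config, validate it with sudo sshd -t and restart sshd, keeping your current session open until a fresh key-based login succeeds.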

Keep Software Up To Date

Windows and Linux operating systems are maintained by very active communities, so new updates, versions and patches for different components of the platforms are released frequently. Since many of these updates fix security vulnerabilities that are continuously being discovered, it is important to keep the software on your server up to date.

AWS refreshes the Amazon-provided AMIs on a regular basis, but an instance you launched earlier does not pick those changes up by itself. The easiest way to get the updates without launching a new instance is to use the built-in package manager of your operating system. On Windows, use Windows Update. On Linux, use the commands for your distribution:

sudo yum update

for Amazon Linux, Red Hat and other RPM-based distributions, or:

sudo apt-get update
sudo apt-get upgrade

for Debian, Ubuntu and other Debian-based distributions.

yum update resolves the latest versions of your installed packages and prompts you before installing them. On Debian-based systems, apt-get update only refreshes the package index; it is apt-get upgrade that actually installs the newer versions (and prompts first). Reboot afterwards if a kernel update was installed, since the running kernel is not replaced until then.

Other Things You Can Do

The above three EC2 security tips are probably the most important. However, you might also want to do the following:

  • Use multi-factor authentication on the AWS account and on the IAM users that can manage the instance.
  • Disable remote root login (PermitRootLogin no in sshd_config). Surprisingly, many people still leave it enabled.
  • Follow the AWS security best practices.
  • Audit any proprietary applications you run on your EC2 instance.
  • Install only the software you need.
  • Give access only to users who have a business need to be on your systems, and have a procedure to revoke it when it is no longer needed.
  • Grant temporary escalated privileges, such as sudo for specific commands, to users who need to perform occasional privileged tasks, rather than sharing a privileged account.
  • Review the configuration of the packages you run and harden them against attackers.


Filed Under: AWS, Azure, Cloud, Cloud Computing, Linux & Servers Tagged With: Amazon EC2, Cloud Computing, Security

About Ehi Kioya

I am a Toronto-based Software Engineer. I run this website as part hobby and part business.


Comments

  1. Pedro gort Aramillo says

    July 27, 2019 at 5:29 am

    Please can you help me to do all this, someone asked me why I don’t release the AR


© 2021   ·   Ehi Kioya   ·   All Rights Reserved