Amazon EC2 Security Solutions
Amazon Web Service Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. AWS provides scalable and highly reliable platform that provides customer to deploy applications and data quickly and securely.
AWS claims world-class protection on their cloud services. Here we will see one of the best and most useful Amazon EC2 service security solutions provided by Amazon.
Let’s have a look on What is Amazon EC2? for those who are new to Amazon EC2 service.
What is Amazon EC2 service?
Amazon Elastic Compute Cloud (Amazon EC2) is an Infrastructure as a Service (IaaS) provided by Amazon. Amazon EC2 provides resizable compute capacity in the cloud.
In simple words Amazon EC2 provides extremely scalable and highly secure computing (Servers) service on demand.
Now come to the point. As we know Amazon Web Services provides different types of Cloud Services and Amazon EC2 is one of them. Amazon EC2 is a true virtual computing environment, allow you to use web service interface to launch instances with variety of operating system.
You can also load your custom application environment; manage your network’s access permissions (here is security solution).
Amazon EC2 provides multiple levels of security within it, like the Operating System of the host machine, virtual instance operating system or guest OS, a firewall, and signed API calls. The goal is to protect against data contained within Amazon EC2 from being intercepted by unauthorized system or user.
Multiple levels of Security on Amazon EC2
Host Operating System
Administrators with a business need to access the management plane are required to use multi-factor authentication to gain access to purpose built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane of the cloud.
All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems are revoked.
Guest Operating System
Virtual instances are completely controlled by the customer. Customers have full root access or administrative control over accounts, services, and applications.
AWS does not have any access rights to customer instances and cannot log into the guest OS. AWS recommends a base set of security best practices to include disabling password only access to their hosts and utilizing some form of multi-factor authentication to gain access to their instances (or at a minimum certificate based SSH Version 2 access).
Additionally, customers should employ a privilege escalation mechanism with logging on a per-user basis. For example, if the guest OS is Linux, after hardening their instance, they should utilize certificate based SSHv2 to access the virtual instance, disable remote root login, use command line logging, and use ‘sudo’ for privilege escalation.
Customers should generate their own key pairs in order to guarantee that they are unique, and not shared with other customers or with AWS.
Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny all mode and Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic.
The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter Domain Routing (CIDR) block). The firewall can be configured in groups permitting different classes of instances to have different rules.
Consider, for example, the case of a traditional three – tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group.
The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22(SSH), but only from the customer’s corporate network. Highly secure applications can be deployed using this expressive mechanism. See diagram below:
The firewall isn’t controlled through the Guest OS; rather it requires the customer’s X.509 certificate and key to authorize changes, thus adding an extra layer of security.
AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling the customer to implement additional security through separation of duties.
The level of security afforded by the firewall is a function of which ports are opened by the customer, and for what duration and purpose. The default state is to deny all incoming traffic, and customers should plan carefully what they will open when building and securing their applications.
Well informed traffic management and security design are still required on a per instance basis. AWS further encourages customers to apply additional per instance filters with host based firewalls such as IPtables or the Windows Firewall and VPNs. This can restrict both inbound and outbound traffic on each instance.
6,086 total views, 3 views today