How to secure AWS EC2
If you host workloads on Amazon Web Services (AWS), there’s a good chance that you use EC2 to help power those workloads. EC2 is a scalable cloud service that lets customers deploy virtual machines (VMs) that host applications. Although EC2 is only one of hundreds of services available on AWS, it’s among the most widely used.
That’s why understanding how to secure EC2 is important for most teams that administer AWS environments. If your cloud strategy includes EC2, you need to know what security risks impact it, what tools and techniques are available for helping to protect it, and what best practices to follow to make it as secure as possible. This article dives into those topics in order to offer a comprehensive overview of AWS EC2 security.
What Is AWS EC2?
AWS EC2 is an Infrastructure-as-a-Service (IaaS) solution that lets users launch virtual machine instances in the AWS cloud. (EC2 also offers a limited selection of physical servers, which AWS calls Dedicated Hosts, for customers who want a physical machine instead of a virtual machine).
EC2 is a popular cloud service for several reasons:
- AWS offers hundreds of EC2 instance types, each with different CPU, memory, and (in some cases) specialized hardware configurations. These options make it easy to find instance types ideally suited for varying workloads.
- As a fully managed service, EC2 is easy to set up and use. Customers simply need to decide which instance type they want and configure basic settings like networking and storage. From there, AWS handles the work of running and managing the VM, as well as supporting the underlying physical infrastructure on which the VM depends.
- EC2 is available under several different pricing models. On-demand pricing, which allows customers to launch VMs whenever they want, is the most expensive approach, but users who want to save money can take advantage of pricing options like reserved instances, which offer discounted EC2 instances if customers reserve them in advance.
- EC2 is designed to be highly scalable, meaning that customers can easily modify the resources allocated to hosting their workloads.
For AWS users who want a flexible, cost-effective solution for hosting workloads, EC2 is a great option.
The importance of EC2 Security
Although EC2 makes it easy to launch VM instances with minimal configuration and management burden on the part of users, it does not automatically secure users’ workloads.
AWS does not take charge of protecting the contents of EC2 instances against security risks and threats, so users must bring their own security controls. Under the AWS shared responsibility model, AWS is responsible for keeping the underlying infrastructure that hosts EC2 instances secure, but it does not secure any software that runs within EC2 instances; customers are expected to do that.
This means that the only way to protect EC2 against security risks is to develop an active EC2 security strategy. Expecting AWS to handle EC2 security for you would be a huge mistake that would leave your workloads vulnerable to a variety of security issues.
Main EC2 Security risks
EC2 instances can be affected by a variety of security threats and risks that AWS itself does not attempt to protect against, including:
- Vulnerabilities in the operating systems that customers install inside EC2 instances. Whether you use an officially supported EC2 operating system image or deploy a custom image, your OS could contain vulnerabilities that attackers could exploit to exfiltrate data, deploy malware, or even take control of your entire VM instance.
- Vulnerabilities in individual applications that you deploy on EC2. These vulnerabilities, which could also enable a variety of attacks, including but not limited to taking full control of the VM, can exist even if the OS that you run on your EC2 instances is secure.
- Network configuration mistakes. Poor network settings could expose your EC2 instances to Internet-borne attacks or provide opportunities for malicious actors to intercept sensitive data traveling over the network.
- Weak access controls in your AWS account. Overly permissive Identity and Access Management (IAM) settings may make it easier for attackers or malicious insiders to modify EC2 instance configurations or change the workloads running on EC2.
- Poor security settings to govern the storage resources used by EC2 instances. In most cases, VMs hosted on EC2 store persistent data using Amazon EBS, a block storage service. Oversights in the way EBS is configured – such as forgetting to encrypt EBS volumes, which are not generally encrypted by default – could expose sensitive data to attack. (To be clear, EBS is a separate service from EC2, so insecure storage settings aren’t a risk to EC2 per se; nonetheless, since EBS and EC2 go hand-in-hand, weak security for EBS often translates to security issues for any workloads hosted on EC2.)
Thus, EC2 instances can be vulnerable to attacks through a variety of vectors. It’s only by actively working to secure EC2 that you can stay ahead of the various security risks and threats that may impact EC2 instances and the workloads hosted on them.
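A concrete check for the EBS point in the list above, added here as example code that is not part of the original article: it walks `describe-volumes` output and reports every volume whose `Encrypted` flag is false, together with the instance it is attached to. The sample output is constructed (the volume and instance IDs are made up); the `fetch_and_audit` helper assumes boto3 is installed and credentials are configured, and imports it lazily so the offline part runs without it.

```python
"""Flag unencrypted EBS volumes from describe-volumes output (added example)."""
import json

# Constructed sample in the shape returned by `aws ec2 describe-volumes`
# (not real account data; IDs are made up).
SAMPLE_DESCRIBE_VOLUMES = json.loads("""
{
  "Volumes": [
    {"VolumeId": "vol-0aaa111122223333a", "Encrypted": true,
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "State": "attached"}]},
    {"VolumeId": "vol-0bbb111122223333b", "Encrypted": false,
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "State": "attached"}]},
    {"VolumeId": "vol-0ccc111122223333c", "Encrypted": false,
     "Attachments": []}
  ]
}
""")


def unencrypted_volumes(describe_volumes_output):
    """Return (volume_id, instance_id or None) for every volume whose
    Encrypted flag is false. Works on the parsed JSON of describe-volumes."""
    findings = []
    for vol in describe_volumes_output.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        attached = [a["InstanceId"] for a in vol.get("Attachments", [])
                    if a.get("State") == "attached"]
        findings.append((vol["VolumeId"], attached[0] if attached else None))
    return findings


def fetch_and_audit(region_name):
    """Live variant: pull all volumes in one region with boto3 (paginated).
    Assumption: boto3 is installed and AWS credentials are configured."""
    import boto3  # imported here so the offline part of the file needs no boto3
    ec2 = boto2 = boto3.client("ec2", region_name=region_name)
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return unencrypted_volumes({"Volumes": volumes})


if __name__ == "__main__":
    for volume_id, instance_id in unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES):
        where = f"attached to {instance_id}" if instance_id else "unattached"
        print(f"{volume_id}: not encrypted ({where})")
```

An existing unencrypted volume cannot be switched to encrypted in place; the usual remediation is to snapshot it, copy the snapshot with encryption enabled, and create a replacement volume from the copy. To stop new unencrypted volumes from appearing, the account-level setting `aws ec2 enable-ebs-encryption-by-default` (checked with `get-ebs-encryption-by-default`) can be turned on per region.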
Security risks affect all EC2 instance types and configurations
It’s worth noting that the security risks described above apply across all EC2 instance types and configurations. Whether you use a general-purpose EC2 instance type or a specialized one, such as an instance optimized for GPU-accelerated workloads, you face the same core security risks surrounding vulnerabilities, weak access controls, and insecure storage.
Likewise, the pricing model you select has no meaningful impact on the security of your EC2 instances. Your EC2 workloads may be at risk regardless of how you pay for them.
The bottom line here is that there is no such thing as an inherently secure EC2 instance. All EC2 instance types and deployments may be insecure, regardless of their configuration details.
Best practices for securing AWS EC2
Fortunately, several viable best practices are available to help avoid the types of security risks described above.
Isolate Workloads
You can host multiple applications on a single EC2 instance. As a rule, however, it’s more secure to create separate instances for separate workloads. Doing so ensures that vulnerabilities within one application (or the OS that hosts it) won’t impact other workloads.
And, because EC2 offers so many instance types, it’s easy in most cases to find instance types that are cost-effective regardless of how large or small the workload running on them may be. In other words, you are not likely to save money by trying to consolidate multiple workloads on a single EC2 instance, but you might increase your security risks – so it’s smarter to keep each workload on its own instance.
Enforce least privilege in AWS IAM
When configuring which users inside your AWS environment can access your EC2 instances, follow the principle of least privilege. Least privilege means that each user should have the minimum access rights necessary – and no more. Access controls should also be granular so that each user has permissions tailored to his or her particular needs.
For example, one user may need permission only to read certain types of information about EC2. You could enforce this policy through an IAM configuration like the following:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeInstances",
      "ec2:DescribeImages",
      "ec2:DescribeTags",
      "ec2:DescribeSnapshots"
    ],
    "Resource": "*"
  }]
}
Meanwhile, a user who needs permission both to view and create storage volumes for EC2 instances could be assigned a policy like the following:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeVolumes",
      "ec2:DescribeAvailabilityZones",
      "ec2:CreateVolume",
      "ec2:DescribeInstances"
    ],
    "Resource": "*"
  }, {
    "Effect": "Allow",
    "Action": [
      "ec2:AttachVolume",
      "ec2:DetachVolume"
    ],
    "Resource": "arn:aws:ec2:region:111122223333:instance/*",
    "Condition": {
      "StringEquals": {
        "aws:ResourceTag/purpose": "test"
      }
    }
  }, {
    "Effect": "Allow",
    "Action": [
      "ec2:AttachVolume",
      "ec2:DetachVolume"
    ],
    "Resource": "arn:aws:ec2:region:111122223333:volume/*"
  }]
}
Enforcing minimum privileges on a user-by-user basis is much more secure than granting all users full control over EC2 and related resources.
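To make the least-privilege review repeatable, here is an added example (not code from the original article) that applies two simple heuristics to an IAM policy document: it flags any wildcard action (`*`, `ec2:*`, `ec2:Describe*`) and any mutating action that is allowed on `Resource: "*"` without a `Condition`. The two policies above are embedded verbatim (including the `region` and `111122223333` placeholders from the article), and a constructed "full control" policy is included for contrast. The Describe/Get/List prefix test for read-only actions is an approximation, not an AWS-provided classification.

```python
"""Least-privilege heuristics for an IAM policy document (added example)."""
import json

# The two policies shown in the article, embedded verbatim so the audit can run on them.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeImages",
               "ec2:DescribeTags", "ec2:DescribeSnapshots"],
    "Resource": "*"
  }]
}
""")

VOLUME_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeVolumes", "ec2:DescribeAvailabilityZones",
                "ec2:CreateVolume", "ec2:DescribeInstances"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
     "Resource": "arn:aws:ec2:region:111122223333:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/purpose": "test"}}},
    {"Effect": "Allow",
     "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
     "Resource": "arn:aws:ec2:region:111122223333:volume/*"}
  ]
}
""")

# Constructed counter-example: the "full control over EC2" grant the text warns against.
BROAD_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}'
)

# Heuristic (assumption): read-only EC2 actions start with one of these prefixes.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for actions like ec2:DescribeInstances, False for ec2:CreateVolume."""
    _, _, name = action.rpartition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def audit_policy(policy):
    """Return (statement_index, action, reason) tuples for every finding."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "*", "NotAction/NotResource grants everything not listed"))
            continue
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((idx, action, "wildcard action"))
            elif not is_read_only(action) and "*" in resources and not has_condition:
                findings.append((idx, action, "mutating action on all resources with no condition"))
    return findings


if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY),
                         ("volumes", VOLUME_POLICY), ("broad", BROAD_POLICY)]:
        print(name, audit_policy(policy) or "no findings")
```

The read-only policy produces no findings and the broad policy is rejected outright. The volume policy yields one item to review: `ec2:CreateVolume` on all resources with no condition. That is not necessarily wrong for a user whose job is creating volumes, but it is the kind of grant worth a second look, for instance by adding a tag or availability-zone condition if the user only needs a subset.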
Secure the network
Likewise, at the network level, it’s a best practice for EC2 security to configure network resources in a way that exposes EC2 instances to the Internet only when and where it is necessary.
AWS provides a variety of network configuration options for EC2, and the best way to secure EC2 networking will vary depending on which approach you take to configuring the network. However, your goal should be to ensure that EC2 instances that don’t need to be connected directly to the Internet are protected behind firewalls. In addition, you should be sure to avoid opening ports or enabling networking protocols that aren’t necessary. In general, only EC2 instances that host public-facing applications require exposure to the Internet, and even then, you should strictly limit the ways in which users on the Internet can interact with the instances.
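The "only open what is necessary" rule above can be checked against the firewall rules EC2 actually enforces, the security groups attached to each instance. The following is an added example, not code from the original article: it reads the shape of `aws ec2 describe-security-groups` output and reports every ingress rule that is reachable from the whole Internet (`0.0.0.0/0` or `::/0`) unless it is a TCP rule confined to an allowlist of public ports. The sample groups, IDs and CIDRs are constructed, and the allowlist of 80 and 443 is an assumption to adjust per workload.

```python
"""Audit security-group ingress rules for exposure to the whole Internet (added example)."""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports a public-facing instance is expected to expose (assumption; set per workload).
PUBLIC_PORTS = {80, 443}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# group IDs and CIDRs are made up.
SAMPLE_SECURITY_GROUPS = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60718", "GroupName": "web",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
     ]},
    {"GroupId": "sg-0f1e2d3c4b5a69788", "GroupName": "internal-db",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
       {"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
     ]}
  ]
}
""")


def rule_is_public(rule):
    """True if any IPv4 or IPv6 source range of the rule is the whole Internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def open_to_internet(describe_sg_output, allowed_ports=PUBLIC_PORTS):
    """Return (group_id, description) for each ingress rule reachable from
    anywhere that is not a TCP rule confined to the allowed ports."""
    findings = []
    for sg in describe_sg_output.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not rule_is_public(rule):
                continue
            proto = rule.get("IpProtocol")
            if proto == "-1":  # all protocols: FromPort/ToPort are absent
                findings.append((sg["GroupId"], "all protocols and ports"))
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if (proto == "tcp" and lo is not None and hi is not None
                    and all(p in allowed_ports for p in range(lo, hi + 1))):
                continue  # e.g. 443 on a web tier: expected exposure
            findings.append((sg["GroupId"], f"{proto} {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for group_id, what in open_to_internet(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {what} open to the Internet")
```

On the sample data the 443 rule on the web tier passes, the SSH rule on the same group and the all-traffic rule on the database group are reported. Each offending rule can be removed with `aws ec2 revoke-security-group-ingress` (for the SSH case: `--group-id <id> --protocol tcp --port 22 --cidr 0.0.0.0/0`), and instances that need no inbound access at all can sit in a private subnet with no public IP, with network ACLs as a second, subnet-level layer.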
Monitor EC2 workloads for vulnerabilities
To protect against vulnerabilities on EC2, teams should systematically track the operating systems and applications they run inside EC2 instances and check them for known vulnerabilities. Again, even if you use an officially supported EC2 OS image, there is no guarantee that it’s free from vulnerabilities, nor is there any way to be sure that applications you run on EC2 are vulnerability-free unless you scan them.
AWS won’t perform these scans for you. It’s up to you to monitor for EC2 vulnerabilities under the terms of the shared responsibility model.
Keep EC2 software up to date
Along similar lines, it’s up to you as an EC2 customer to ensure that the operating systems and applications you host on EC2 remain patched and up to date. Keeping software up to date is important for protecting against security vulnerabilities.
AWS provides updates for the underlying software that powers EC2, but it doesn’t update any software that customers deploy on EC2. Installing the latter types of updates is a task that falls to EC2 users.
Conclusion
EC2 is a powerful cloud computing service, but it presents many security challenges from the perspective of users. Understanding the various risks that affect EC2 – such as software vulnerabilities, insecure access control configurations, and beyond – is critical for any team that uses EC2. So is adhering to best practices that minimize EC2 security risks, such as scanning workloads for vulnerabilities and enforcing least-privilege access control settings.