AWS is a very secure ecosystem, but they cannot guarantee what you do in the cloud will be safe. That responsibility is up to you, although AWS will try to push you in the right direction.
This guide covers what to do from the AWS console to make your network and account more secure. In addition to everything here, you need to make sure that the applications you run on your EC2 instances (or elsewhere) are themselves secure, for example by enabling HTTPS on a web server and keeping your dependencies and programs up to date.
Use two-factor authentication for your AWS account
Your main AWS account controls all of your AWS resources; if someone had access to it, they would have complete control over your resources and could remove everything. You want to make sure that your login method is not just a simple password that can be stolen.
AWS offers several authentication methods with several factors. The easiest to use is the Virtual MFA device, which uses apps like Google Authenticator and Authy to turn your phone into a virtual key fob. AWS also supports hardware keys from YubiKey and Gemalto, but they cost money. Alternatively, you can use SMS, but only for administrative users you add, not for your root account.
Click on your account name in the top menu bar and select “My Security Credentials”.
Click “Enable MFA” under “Multifactor Authentication”.
Select “Virtual MFA Device” and open your authentication app on your phone.
AWS shows you a QR code to scan with your authentication app to link the two together. Then you can start entering codes; AWS will ask for two consecutive codes, so you will have to wait 30 seconds between them. Click “Assign MFA” when done.
From now on, whenever you log in you will be asked for a code from your phone.
If you set up a physical key fob, you just need to plug it in once to link it and then plug it in every time you want to log in.
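The two consecutive codes AWS asks for during setup come from the time-based one-time password (TOTP) algorithm that virtual MFA apps implement: the QR code carries a shared secret, and each 30-second window yields a different code. The following is an added example, not code from the page or from AWS; it implements RFC 6238 TOTP with the RFC's own test secret (base32-encoded, as a QR code would carry it) and shows why the second code only appears once the window advances. The secret here is a constructed sample, not a real AWS seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890", base32-encoded
# the way a virtual MFA device's QR code carries its seed. Not a real AWS secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code window, as used by AWS virtual MFA devices
DIGITS = 6


def totp(secret_b32, unix_time, step=TIME_STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app shows at unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def consecutive_codes(secret_b32, unix_time):
    """The pair AWS asks for when linking a device: the current window's code and the
    next window's. They differ because the counter advances, which is why you wait
    up to 30 seconds before the second one can be entered."""
    window_start = (unix_time // TIME_STEP) * TIME_STEP
    return totp(secret_b32, window_start), totp(secret_b32, window_start + TIME_STEP)


def verify(secret_b32, submitted, unix_time, drift_windows=1):
    """Server-side check tolerating small clock drift; constant-time comparison so
    timing does not leak how many digits matched."""
    for w in range(-drift_windows, drift_windows + 1):
        expected = totp(secret_b32, unix_time + w * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    first, second = consecutive_codes(SAMPLE_SECRET_B32, now)
    print(f"code now: {first}  next window: {second}")
```

The lesson for the console procedure: the base32 seed behind the QR code is the only secret involved, so anyone who captures the QR code or the seed can generate your codes; treat the enrolment screen like a password.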
Close your firewalls
When you create a new EC2 instance, you will be prompted to select a security group or create a new one. This security group is a firewall and defines which ports should be open. By default, AWS opens port 22 (for SSH) to all incoming IP addresses and allows all outbound traffic.
This means that anyone can attempt to authenticate over SSH, which is not a big problem (since AWS uses SSH keys by default), but it is good practice to restrict most traffic to your own IP unless it has a reason to be open to the world.
Click “Security Groups” in the sidebar of the EC2 Management Console, select the group that your instance uses, select “Inbound” and click “Edit”. Alternatively, you can reach this security group from the Instances panel by clicking on it under the “Security Groups” property.
From here, you can edit the rules for this security group. Outbound is usually fine to leave open, but inbound should be kept as closed as possible. Click on the SSH rule and switch the source from “Anywhere” to “My IP”, which restricts it to your current address.
You do not have to worry about your IP changing and locking you out, as you can always reset the rule from the AWS console.
If you have several instances that talk to each other, such as a database server that connects to an API server, you should secure the connection between them by allowing only traffic between those two instances. No one else should be able to talk to the database except the API server, plus your own IP address for management purposes.
You do not need to enter individual IP addresses manually, as AWS lets you allow traffic from all instances assigned to a specific security group. If you have multiple database servers, you can give them all a “database” security group and let your API server talk to anything carrying that group. You can also allow everything in a specific subnet, which requires you to use AWS VPC.
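The same review can be scripted so it is not forgotten as instances multiply. The following is an added example, not code from the page or from AWS: it audits inbound rules in the shape that boto3's `ec2.describe_security_groups()` returns (`SecurityGroups[].IpPermissions[]`), flagging anything open to the whole internet on a port that is not a normal public service port, and shows the rule documents for "SSH from my IP" and for the group-to-group pattern described above. The group ids, names and addresses are constructed samples.

```python
from ipaddress import ip_network

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"]
# (assumption: that API shape). Ids, names and CIDRs are made up.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa",
        "GroupName": "api-server",
        "IpPermissions": [
            # the default-style rule: SSH from anywhere (the one to tighten)
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # a public web port, which is expected to be world-reachable
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0bbb",
        "GroupName": "database",
        "IpPermissions": [
            # group-to-group rule: only instances carrying sg-0aaa reach the database port
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
            # management access from one admin address only
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

# Ports that a public server is normally meant to expose to everyone (assumption: adjust per host).
PUBLIC_OK = {80, 443}


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. 'Anywhere' in the console."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_inbound(groups):
    """Return (group name, (from, to), source) for each inbound rule that is open to the
    whole internet on something other than an expected public port. Protocol -1 rules
    carry no port fields and are reported as 'all'."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            ports = (rule.get("FromPort", "all"), rule.get("ToPort", "all"))
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            single_public_port = ports[0] == ports[1] and ports[0] in PUBLIC_OK
            for src in sources:
                if is_world(src) and not single_public_port:
                    findings.append((g["GroupName"], ports, src))
    return findings


def ssh_from_my_ip_rule(my_ip):
    """IpPermissions entry equivalent to choosing Source = 'My IP' for the SSH rule."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": f"{my_ip}/32"}]}


def group_reference_rule(port, source_group_id):
    """IpPermissions entry allowing one port only from instances in another security group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_group_id}]}


if __name__ == "__main__":
    for name, ports, src in audit_inbound(SAMPLE_GROUPS):
        print(f"{name}: ports {ports} open to {src}")
```

Against a live account, feed `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `audit_inbound`; the two rule builders produce the documents you would pass to `authorize_security_group_ingress` after revoking the open rule.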
Set up IAM users
AWS Identity and Access Management (IAM) users are a way to allow access to your account without providing full permissions. If you have multiple people who have access to your AWS resources, you should give them access through an IAM user. You should never grant access to your root account.
However, IAM users are not just for other people; if you have code that needs access to your AWS account, you should allow access through an IAM user. Some AWS services use IAM users to act on resources in your account.
AWS also recommends that you use an IAM user with administrator privileges for all your day-to-day tasks. This way, you can lock away your root account credentials and only use them when absolutely necessary, mainly for account maintenance.
IAM users can be assigned very specific permissions, so you can be sure that if one of them is compromised, it will not affect your entire infrastructure. You can also assign these permissions to groups or roles and then assign those to users.
You can create new IAM users through the IAM Management Console. They receive a randomly generated password which they are forced to change at the first login. You should apply an IAM password policy to ensure that these passwords are secure.
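Two of the points above can be expressed as code: a least-privilege policy for an IAM user that a program uses, and a check of the account password policy against a baseline. The following is an added example, not code from the page or from AWS. It works on the dict shape that boto3's `iam.get_account_password_policy()["PasswordPolicy"]` returns and names the parameters of `update_account_password_policy`; the baseline values and the sample policy are my own constructed choices, and the bucket name is a placeholder.

```python
import json

# Baseline for the account password policy (assumption: my own baseline, not an AWS-published one).
# Keys are the parameters of iam.update_account_password_policy().
RECOMMENDED = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,            # days
    "PasswordReusePrevention": 24,   # previous passwords remembered
}

# Constructed sample in the shape of iam.get_account_password_policy()["PasswordPolicy"]:
# a policy that was never tightened. MaxPasswordAge is absent when ExpirePasswords is false.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "HardExpiry": False,
}


def password_policy_gaps(current):
    """Map each baseline parameter the current policy fails to its recommended value.
    Missing booleans count as False and missing numbers as 0, which is how IAM treats them."""
    gaps = {}
    for key, wanted in RECOMMENDED.items():
        have = current.get(key, False if isinstance(wanted, bool) else 0)
        if isinstance(wanted, bool):
            if wanted and not have:
                gaps[key] = wanted
        elif have < wanted:
            gaps[key] = wanted
    return gaps


def merged_policy_update(current):
    """Full parameter set for update_account_password_policy. The call does not do partial
    updates (unspecified parameters revert to defaults), so merge rather than send only gaps."""
    keep = {k: v for k, v in current.items() if k in RECOMMENDED or k == "HardExpiry"}
    keep.update(password_policy_gaps(current))
    return keep


def read_only_bucket_policy(bucket):
    """Least-privilege policy document for a program's IAM user: read one bucket, nothing else.
    Scoped resources mean a leaked key cannot touch the rest of the account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


if __name__ == "__main__":
    print("gaps:", password_policy_gaps(SAMPLE_POLICY))
    print(json.dumps(read_only_bucket_policy("EXAMPLE-BUCKET-PLACEHOLDER"), indent=2))
```

On a live account, `boto3.client("iam").update_account_password_policy(**merged_policy_update(current))` applies the result; the policy document goes into `iam.put_user_policy` or a managed policy attached to the program's user.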
Perform regular security checks
You should regularly review your security to make sure there is nothing you missed. AWS provides a detailed checklist for just this purpose.
This checklist covers removing old resources that are no longer used and reviewing your security policies for the various services. The main sources of drift are changes in how you use AWS, such as starting to use a new service, stopping use of an old one, or having people leave. In each case, you should review your access policies.
If you do not use AWS for an organization's account, it is probably not necessary to go through this entire checklist, but you should still make a habit of reviewing your security policies from time to time.
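The "people leave" and "stopped using a service" cases from the checklist are exactly what IAM's credential report exposes. The following is an added example, not code from the page or from AWS: it parses a report in the CSV layout that `iam get-credential-report` produces (trimmed here to the columns the check uses) and flags a root account without MFA or with access keys, console users without MFA, users with no activity for 90 days, and access keys older than 90 days. The user names, ARNs and dates are constructed samples and the 90-day threshold is my own choice.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90   # assumption: review threshold, adjust to your policy

# Constructed sample in the layout of the IAM credential report, trimmed to the columns used
# below. Names, account id and dates are made up; the value tokens (N/A, no_information,
# not_supported) are the ones the real report uses.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::000000000000:root,2022-01-10T09:00:00+00:00,not_supported,2024-05-28T12:00:00+00:00,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::000000000000:user/alice,2022-02-01T09:00:00+00:00,true,2024-05-20T08:15:00+00:00,2024-03-01T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
bob,arn:aws:iam::000000000000:user/bob,2022-02-01T09:00:00+00:00,true,2023-12-01T08:15:00+00:00,2023-06-01T09:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::000000000000:user/deploy-bot,2023-01-05T09:00:00+00:00,false,no_information,N/A,false,true,2023-09-01T09:00:00+00:00,2024-05-30T23:00:00+00:00,false,N/A,N/A
"""

# Fixed "now" so the sample audit is reproducible (constructed).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Credential-report timestamp, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for the conditions a periodic review should catch."""
    cutoff = now - timedelta(days=STALE_DAYS)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has active access keys"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # last activity across console and both keys; fall back to creation time if never used
        activity = [parse_ts(row[c]) for c in
                    ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")]
        last = max((t for t in activity if t), default=parse_ts(row["user_creation_time"]))
        if last < cutoff:
            findings.append((user, f"no activity in {STALE_DAYS} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or rotated < cutoff:
                    findings.append((user, f"access_key_{n} older than {STALE_DAYS} days"))
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On a live account, call `iam.generate_credential_report()`, then `iam.get_credential_report()["Content"].decode()` and pass the CSV text with `datetime.now(timezone.utc)`; the full report has more columns than the sample, which `DictReader` simply ignores.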