Amazon Web Services (AWS) is a popular platform for web developers and sysadmins who need to build and scale web applications. One of its most used services is EC2, where you create and manage virtual servers.
Previously we wrote a tutorial, How to Launch a Linux Virtual Machine in AWS, that covered the basics of deploying a first virtual machine instance on AWS. Today we follow it up by looking at ways to secure that EC2 instance.
An EC2 instance is as exposed to attack as any other server connected to the internet: once launched it is simply a Linux box with a public IP address. So today we go through the basic steps that make an EC2 instance noticeably harder to break into.
Note: this guide covers only a few of the most important hardening steps. No system is ever 100% hardened, so keep exploring additional measures for your own systems.
Close unnecessary system ports
EC2 instances are protected by Security Groups, a basic stateful firewall attached to each instance that decides which network traffic may reach it (and which it may send out).
A Security Group is a list of allow rules: each rule names a protocol (TCP, UDP or ICMP), a port or port range, typically one of the common services (HTTP, DNS, IMAP, POP, MySQL, etc.), and a source, which can be a CIDR range, your own IP address, or anywhere (0.0.0.0/0). Anything not explicitly allowed is dropped, and because the group is stateful, replies to an allowed connection are let back through automatically. A new group allows no inbound traffic at all and all outbound traffic.
On Linux servers the services you will most often need to expose are SSH, HTTP, HTTPS and MySQL. Let's see how to restrict access to them with EC2 Security Groups.
Security Group rules are added and edited from the AWS Management Console:
- Log in to the AWS Management Console and open the EC2 service.
- In the left menu, under Network & Security, click Security Groups.
- Select the security group attached to your instance.
- Click Edit to add new rules or change existing ones.
A popup will appear in which you can edit the inbound rules: for each rule you set the type (service), protocol, port number or range, and the source of the incoming connections. The same applies to outbound filtering. After adding your rules, click Save; security group changes take effect immediately, with no restart of the instance. Two rules of thumb: set the source for SSH to My IP (or your office range) rather than Anywhere, and never expose MySQL (3306) to 0.0.0.0/0, since only your application should reach it.
That is how Security Groups work in AWS. It is a basic firewall, but it works well for everyday network filtering. Its one limitation to keep in mind is that it only holds allow rules; if you need to block a particular source address, that is done with a Network ACL on the subnet, which does support deny rules.
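To do the same from code rather than the console, here is an added example written for this page (it is not part of the original tutorial and not AWS tooling). It builds the rules for the four services above in the IpPermissions format that boto3's authorize_security_group_ingress() accepts, with SSH pinned to a single operator address and MySQL limited to the VPC, and it audits an existing group, in the shape describe_security_groups() returns, for admin ports reachable from the whole internet. The admin IP, VPC range, group ID and the sample group JSON are constructed placeholders.

```python
"""Build and audit EC2 security-group ingress rules.

Added example for this tutorial; it is not AWS code. Rules are produced in the
IpPermissions shape that boto3's authorize_security_group_ingress() accepts, and
the audit walks the shape describe_security_groups() returns. The admin address,
VPC range, group ID and SAMPLE_GROUP below are constructed placeholders.
"""
import ipaddress
import json

ANYWHERE_V4 = "0.0.0.0/0"
ANYWHERE_V6 = "::/0"
ADMIN_PORTS = (22, 3306)   # services that must never be reachable from "Anywhere"


def build_ingress_rules(admin_ip, vpc_cidr):
    """Inbound rules for a web server: SSH pinned to one operator address,
    HTTP/HTTPS public, MySQL limited to the VPC."""
    admin_cidr = f"{ipaddress.IPv4Address(admin_ip)}/32"   # ValueError on a bad address
    vpc_cidr = str(ipaddress.IPv4Network(vpc_cidr))        # ValueError on a bad network

    def rule(port, cidr, description):
        return {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": description}],
        }

    return [
        rule(22, admin_cidr, "SSH from the admin workstation only"),
        rule(80, ANYWHERE_V4, "HTTP"),
        rule(443, ANYWHERE_V4, "HTTPS"),
        rule(3306, vpc_cidr, "MySQL from inside the VPC only"),
    ]


def tcp_ports_of(permission):
    """Ports a permission entry exposes over TCP. An 'All traffic' rule
    (IpProtocol -1) covers every port; UDP/ICMP rules cannot expose TCP services."""
    proto = permission.get("IpProtocol")
    if proto == "-1":
        return range(0, 65536)
    if proto != "tcp":
        return range(0)
    return range(permission["FromPort"], permission["ToPort"] + 1)


def open_to_world(permission):
    """True if any source of the rule is the whole IPv4 or IPv6 internet."""
    return (any(r.get("CidrIp") == ANYWHERE_V4 for r in permission.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANYWHERE_V6 for r in permission.get("Ipv6Ranges", [])))


def find_exposed_admin_ports(group):
    """Sorted (GroupId, port) pairs for admin ports reachable from the entire
    internet. `group` is one element of describe_security_groups()['SecurityGroups']."""
    findings = set()
    for perm in group.get("IpPermissions", []):
        if not open_to_world(perm):
            continue
        ports = tcp_ports_of(perm)
        findings.update((group["GroupId"], p) for p in ADMIN_PORTS if p in ports)
    return sorted(findings)


# Constructed describe-security-groups output: SSH was opened to 0.0.0.0/0 by mistake.
SAMPLE_GROUP = json.loads("""
{
  "GroupId": "sg-0123456789abcdef0",
  "GroupName": "web-server",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}
  ]
}
""")


def apply_rules(group_id, rules):
    """Push rules to AWS. boto3 is imported here so the offline parts above do not need it."""
    import boto3
    boto3.client("ec2").authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


if __name__ == "__main__":
    print("exposed admin ports:", find_exposed_admin_ports(SAMPLE_GROUP))
    print(json.dumps(build_ingress_rules("203.0.113.10", "10.0.0.0/16"), indent=2))
    # apply_rules("sg-0123456789abcdef0", build_ingress_rules("203.0.113.10", "10.0.0.0/16"))
```

The audit deliberately treats an "All traffic" rule as exposing every port, which is the usual way SSH and MySQL end up world-reachable without anyone having typed 22 or 3306 into the console; run it over every group returned by describe_security_groups() rather than just the one you remember editing.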
Secure your SSH access with keys
When you launch your EC2 instance you are prompted to choose an SSH key pair; that key, not a password, is what lets you log in to the Linux instance. Let's see how to create the key pair.
During the EC2 launch process, AWS lets you select an existing key pair or create a new one. AWS installs the public key on the instance and hands you the private key as a .pem file; it does not keep a copy of the private key, so if you lose the file you lose access to the instance. Logging in with the key means no password ever travels over the network.
Click on ‘Create a new pair’.
Set your Key pair name and then click on ‘Download Key Pair’.
After done, click on “Launch Instances” button at the bottom to finally build your VM.
Connect to your EC2 virtual machine
Once ready, click on ‘View instances’
Then click on ‘Connect’
This will give you information about how to connect to your EC2 instance using SSH, as you see below.
Set secure permissions on your .pem key file; ssh refuses to use a private key that other users on your machine can read:
[webtech@scalescale ~]$ chmod 400 scalescale-keys.pem -v
permissions for «scalescale-keys.pem» changed from 0640 (rw-r-----) to 0400 (r--------)
Connect to your AWS VM with ssh, using the login name of your AMI (ec2-user on Amazon Linux, ubuntu on Ubuntu images) and the public DNS name shown in the Connect dialog:
[webtech@scalescale ~]$ ssh -i "scalescale-keys.pem" ec2-user@your.ec2.public.dns
Additional SSH security tips
After logging in to your EC2 box, become root with sudo and edit the SSH daemon configuration file:
nano -w /etc/ssh/sshd_config
Uncomment and set these directives as shown below:
ListenAddress your.ec2.private.ip
Protocol 2
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 10
Replace "your.ec2.private.ip" with the instance's private IP address, shown under View Instances in the AWS Management Console. Do not use the public IP: on EC2 the public address is translated by AWS and never appears on the instance's own interface, so sshd cannot bind to it and will refuse to start. If you have no specific reason to pin the address, leave ListenAddress at its default (all interfaces) instead. Two further notes: Protocol 2 only matters on OpenSSH releases before 7.4, later versions support nothing else and merely log a deprecation warning for the line; and while you are in the file, confirm that PasswordAuthentication is set to no (Amazon Linux ships it that way), so the key pair from the previous section is the only way in. MaxAuthTries 6 is the default; 3 leaves less room for guessing.
Check the syntax of the edited file with sshd -t, then restart the SSH service to apply the changes. Keep your current session open and test a fresh login from a second terminal before closing it, so that a mistake cannot lock you out:
service sshd restart
On Ubuntu the service is called ssh rather than sshd, and on systemd-based systems the equivalent is systemctl restart sshd.
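As an added check (example code written for this page, not part of OpenSSH or the original tutorial), the script below audits an sshd_config, or the output of sshd -T, which prints the configuration the running daemon actually uses, against the settings above plus PasswordAuthentication no. It follows sshd's own parsing rules, which is where hand edits go wrong: the first occurrence of a keyword wins, so a setting added at the bottom of the file is silently ignored if a conflicting uncommented line exists above it, and anything after a Match line applies only to that match. The sample configuration is constructed.

```python
"""Audit sshd_config (or `sshd -T` output) against the hardening settings above.

Added example for this tutorial, not part of OpenSSH. Parsing follows sshd's rules:
keywords are case-insensitive, a line starting with '#' is a comment, the FIRST
occurrence of a keyword wins, and everything after the first `Match` line is
conditional and so does not count as the global setting. SAMPLE_CONFIG is constructed.
"""
import re
import subprocess

_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """sshd time format: bare seconds or terms like 2m, 1h30m. None if malformed."""
    value = value.lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        return None
    return sum(int(n) * _TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))


# keyword -> (check on the lower-cased value, human-readable requirement)
POLICY = {
    "permitrootlogin":        (lambda v: v == "no", "no"),
    "passwordauthentication": (lambda v: v == "no", "no (keys only)"),
    "strictmodes":            (lambda v: v == "yes", "yes"),
    "maxauthtries":           (lambda v: v.isdigit() and int(v) <= 6, "6 or fewer"),
    # LoginGraceTime 0 disables the limit entirely, so 0 must fail as well
    "logingracetime":         (lambda v: parse_time(v) is not None and 0 < parse_time(v) <= 120,
                               "between 1s and 2m"),
}


def effective_settings(config_text):
    """Global settings as sshd would resolve them: {lowercase keyword: lowercase value}."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":                               # the global section ends here
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings


def audit(config_text):
    """Return (keyword, actual value or None if unset, requirement) for every violation."""
    settings = effective_settings(config_text)
    findings = []
    for key, (ok, wanted) in POLICY.items():
        actual = settings.get(key)
        if actual is None or not ok(actual):
            findings.append((key, actual, wanted))
    return findings


def audit_running_sshd():
    """Audit the live daemon: `sshd -T` prints the effective config (needs root)."""
    out = subprocess.run(["sshd", "-T"], check=True, capture_output=True, text=True).stdout
    return audit(out)


# Constructed: an AMI default edited by hand. The second PermitRootLogin is dead,
# StrictModes was never set, MaxAuthTries is too generous, the Match block is ignored.
SAMPLE_CONFIG = """
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 10
LoginGraceTime 2m
Match User deploy
    PermitRootLogin no
    MaxAuthTries 3
"""

if __name__ == "__main__":
    for key, actual, wanted in audit(SAMPLE_CONFIG):
        print(f"{key}: {actual or 'not set'} (want {wanted})")
```

Run audit_running_sshd() as root after the restart: sshd -T already has the defaults filled in, so an unset directive shows up with its real default value rather than as missing, and the result reflects the daemon that is actually listening rather than the file you think it read.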
Need more tips about SSH security? Check out this post: Top 10 Steps to Secure Your SSH Server
Keep your system updated
This is the most useful security tip for any operating system: keep the system up to date. Updating pulls in new software versions, security patches and package upgrades, closing vulnerabilities that are already public and therefore already being scanned for. Let's see how to update our Linux systems:
For CentOS, Fedora, RHEL, CloudLinux and Amazon Linux AMI
yum update # or dnf update
This will search for new packages and update all of them.
On Ubuntu and Debian the equivalent is apt-get update, to refresh the package index, followed by apt-get upgrade (use dist-upgrade when a new kernel is available, since a new kernel arrives as a new package and plain upgrade will not install new packages).
If the kernel was updated, reboot the server so the new kernel is actually loaded; until you do, the old kernel, with whatever holes the update fixed, is still the one running. Compare the output of uname -r with the newest installed kernel package to confirm.
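As an added example for this section (written for this page; it is not a distribution or AWS tool), the script below picks the right update command from /etc/os-release and then answers the reboot question by comparing the running kernel, as reported by uname -r, with the newest kernel package installed. The os-release texts and kernel version strings in it are constructed samples; the package-manager calls need root.

```python
"""Update packages for the distribution family and report whether a reboot is needed.

Added example for this tutorial, not a distribution tool. The package-manager
commands need root. parse_os_release(), distro_family(), update_command() and the
kernel comparison are pure functions; the os-release texts and kernel versions
below are constructed samples.
"""
import re
import shutil
import subprocess

_KERNEL_RE = re.compile(r"(\d+(?:\.\d+)+)-(\d+(?:\.\d+)*)")


def parse_os_release(text):
    """/etc/os-release as a dict; values may be double-quoted."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value.strip().strip('"')
    return fields


def distro_family(os_release_text):
    """'debian' or 'rhel' from ID/ID_LIKE (Ubuntu, Amazon Linux etc. derive from one of them)."""
    fields = parse_os_release(os_release_text)
    ids = {fields.get("ID", "")} | set(fields.get("ID_LIKE", "").split())
    if ids & {"debian", "ubuntu"}:
        return "debian"
    if ids & {"rhel", "fedora", "centos", "amzn"}:
        return "rhel"
    raise ValueError(f"unsupported distribution: {sorted(ids)}")


def update_command(os_release_text):
    """Full upgrade command. Debian needs dist-upgrade: a new kernel is a NEW package
    (linux-image-<version>), which plain `apt-get upgrade` refuses to install."""
    if distro_family(os_release_text) == "debian":
        return ["sh", "-c", "apt-get update && apt-get -y dist-upgrade"]
    return ["dnf" if shutil.which("dnf") else "yum", "-y", "update"]


def kernel_key(name):
    """Sortable (upstream, release) tuple from strings such as
    4.14.77-81.59.amzn2.x86_64 or linux-image-4.15.0-38-generic."""
    m = _KERNEL_RE.search(name)
    if not m:
        raise ValueError(f"no kernel version in {name!r}")
    return (tuple(int(x) for x in m.group(1).split(".")),
            tuple(int(x) for x in m.group(2).split(".")))


def reboot_needed(running, installed):
    """True when an installed kernel is newer than the running one (uname -r):
    the update is on disk, but the old kernel, bugs included, is still executing."""
    return max(kernel_key(k) for k in installed) > kernel_key(running)


def installed_kernels(family):
    """Installed kernel packages from dpkg or rpm."""
    if family == "debian":
        out = subprocess.run(["dpkg-query", "-W", "-f=${Package} ${Status}\n", "linux-image-[0-9]*"],
                             check=True, capture_output=True, text=True).stdout
        return [l.split()[0] for l in out.splitlines() if l.endswith("install ok installed")]
    out = subprocess.run(["rpm", "-q", "kernel", "--qf", "%{VERSION}-%{RELEASE}.%{ARCH}\n"],
                         check=True, capture_output=True, text=True).stdout
    return out.split()


# Constructed samples
AMAZON_LINUX_OS_RELEASE = 'NAME="Amazon Linux"\nID="amzn"\nID_LIKE="centos rhel fedora"\nVERSION_ID="2"\n'
UBUNTU_OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\nVERSION_ID="18.04"\n'

if __name__ == "__main__":
    with open("/etc/os-release") as f:
        os_release = f.read()
    subprocess.run(update_command(os_release), check=True)
    running = subprocess.run(["uname", "-r"], check=True, capture_output=True, text=True).stdout.strip()
    if reboot_needed(running, installed_kernels(distro_family(os_release))):
        print("a newer kernel is installed: reboot to load it")
    else:
        print("running kernel is the newest installed")
```

The comparison works on the version embedded in the package name, so it is the same check whether the kernel comes from rpm (4.14.77-81.59.amzn2.x86_64) or dpkg (linux-image-4.15.0-38-generic); a system whose running kernel is older than the newest installed one has applied the update on disk only.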
EC2 Security Groups offer a practical and easy way to filter inbound and outbound access to system ports. Using SSH keys to connect and hardening the SSH server itself are the next important steps, and keeping system packages and the kernel up to date remains one of the best things you can do to keep attackers out of your box.
Remember that these are only basic steps to secure your EC2 instances; it is up to you to keep finding further ways to keep attackers away from your servers.