How to secure your EC2 virtual servers

Amazon Web Services is a popular platform for web developers and sysadmins who need tools to build and scale web applications. One of its most used services is EC2, where you create and manage your virtual servers.

Previously we wrote a tutorial about How to Launch a Linux Virtual Machine in AWS; it covered the basics of deploying a first virtual machine instance on AWS. Today we follow it up by exploring ways to secure that EC2 instance.

An EC2 instance is as exposed to attack as any other server connected to the internet. That is why today we are going to look at the basic security measures that make an EC2 instance harder to compromise.

Note: this guide includes only a few of the most important hardening steps. No system is ever 100% hardened; treat these as a baseline and keep investigating additional controls for your own workload.

Close unnecessary system ports

EC2 instances are protected by ‘Security Groups’, a basic firewall that controls network access to your EC2 server at the instance level.
Security Groups let you limit inbound and outbound connections by protocol (TCP, UDP or ICMP) and port, with predefined entries for common services (SSH, HTTP, HTTPS, DNS, IMAP, POP3, MySQL, etc.), and restrict the source to an IP range, your own IP, or anywhere. Two properties matter for hardening: a Security Group contains allow rules only, so anything not explicitly allowed is dropped, and it is stateful, so replies to an allowed connection are permitted automatically without a separate rule.

On Linux servers the most common services are SSH, HTTP, HTTPS and MySQL. Let’s see how to secure access to those services using EC2 Security Groups.

From the AWS Management Console we can add and edit Security Group filtering rules. Let’s see how to do it.

  1. Log in to the AWS Management Console.
  2. In the EC2 left menu, click Security Groups.
  3. Select the security group attached to your instance.
  4. Finally, click Edit to add new rules or change existing ones.

EC2 Management Console - Security Control

A popup will appear where you can edit your inbound rules: service, protocol, port number or range, and the source of the incoming connections. The same applies to outbound filtering. A sensible baseline for a web server is HTTP and HTTPS from anywhere, SSH only from your own IP (one /32 per administrator), and MySQL only from the security group of the application servers, never from 0.0.0.0/0. After adding your rules, click Save to apply the changes; Security Group changes take effect immediately, no instance restart is needed.

EC2 Management Console

That’s how Security Groups work inside AWS: a basic firewall, but one that works well for basic network filtering. Every port you leave closed there is a port attackers never reach, whatever is listening on the instance.
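The rule set described above can be checked mechanically rather than by eye. The script below is an added example, not code from the original post or from AWS: it reads a security group in the JSON format that `aws ec2 describe-security-groups` prints, lists the inbound rules that expose SSH, MySQL and similar ports (or all traffic) to 0.0.0.0/0 or ::/0, and builds a tightened copy in which those sources are replaced by an administrator’s address. The sample group, its ids and all addresses are constructed, and the list of sensitive ports is an assumption to tune for your own services.

```python
"""Audit an EC2 security group for inbound rules open to the world and build a
tightened copy.  Added example; not code from the original post or from AWS.
Input follows the JSON that `aws ec2 describe-security-groups` prints.
SAMPLE_SG, its group ids and addresses are constructed for illustration."""
import copy
import ipaddress

# Assumption: ports that should never be reachable from "Anywhere".
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgresql", 6379: "redis"}
WORLD = ("0.0.0.0/0", "::/0")  # what the console's "Anywhere" source expands to

SAMPLE_SG = {  # constructed; shaped like one SecurityGroups[] element
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-server",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,        # HTTP: fine
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,      # HTTPS: fine
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,        # SSH from Anywhere: bad
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,    # MySQL from app SG: fine
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
        {"IpProtocol": "-1",                                       # All traffic, no ports
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def _covered_ports(perm):
    """(low, high) port range of a rule, or None for port-less protocols such
    as ICMP.  IpProtocol "-1" means all traffic and carries no FromPort/ToPort."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return 0, 65535
    if proto not in ("tcp", "udp", "6", "17"):
        return None
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _sources(perm):
    """CIDR sources of a rule.  Security-group sources (UserIdGroupPairs)
    carry no CIDR and can never be 'Anywhere', so they are not listed."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _is_sensitive(perm):
    """True if the rule covers a sensitive port or is an all-traffic rule."""
    ports = _covered_ports(perm)
    if ports is None:
        return False
    if perm.get("IpProtocol") == "-1":
        return True
    low, high = ports
    return any(low <= p <= high for p in SENSITIVE_PORTS)


def audit_security_group(sg):
    """Findings for inbound rules exposing sensitive ports (or everything) to
    0.0.0.0/0 or ::/0.  An empty list means nothing world-open was found."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not _is_sensitive(perm):
            continue
        low, high = _covered_ports(perm)
        for cidr in _sources(perm):
            if cidr not in WORLD:
                continue
            if perm.get("IpProtocol") == "-1":
                findings.append("%s: all traffic open to %s" % (sg["GroupId"], cidr))
                continue
            for port, name in sorted(SENSITIVE_PORTS.items()):
                if low <= port <= high:
                    findings.append("%s: %s/%d open to %s" % (sg["GroupId"], name, port, cidr))
    return findings


def restrict_world_rules(sg, admin_cidr):
    """Copy of sg where every world-open sensitive rule gets admin_cidr (the
    console's 'My IP' choice) instead of 0.0.0.0/0 or ::/0.  Rules that were
    not world-open, such as MySQL-from-security-group, are left untouched.
    admin_cidr is validated strictly so a typo cannot silently widen the rule."""
    net = ipaddress.ip_network(admin_cidr, strict=True)
    new_sg = copy.deepcopy(sg)
    for perm in new_sg.get("IpPermissions", []):
        if not _is_sensitive(perm):
            continue
        had_world = any(c in WORLD for c in _sources(perm))
        perm["IpRanges"] = [r for r in perm.get("IpRanges", []) if r["CidrIp"] not in WORLD]
        perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] not in WORLD]
        if had_world and net.version == 4:
            perm["IpRanges"].append({"CidrIp": str(net)})
        elif had_world:
            perm["Ipv6Ranges"].append({"CidrIpv6": str(net)})
    return new_sg
```

To run it against a real group, save the output of `aws ec2 describe-security-groups --group-ids sg-xxxxxxxx --output json` and pass each element of its SecurityGroups list to audit_security_group; the tightened copy returned by restrict_world_rules shows the rules you would then recreate in the console. Rules whose source is another security group carry no CIDR and are left alone, which is exactly the right way to expose MySQL to your application servers.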

Secure your SSH access with keys

When you build your EC2 instance you’ll be prompted to create a key pair, which is what lets you connect to your Linux instance. Let’s see how to create the public and private keys used to connect to your server.

During the EC2 launch process, AWS lets you pick an existing key pair or create a new one. This gives you password-less SSH access: AWS places the public key in the instance’s authorized_keys file, and only the holder of the matching private key can log in. The private key is downloaded once and AWS keeps no copy of it, so store it safely and never commit it to a repository.

Click on ‘Create a new pair’.
Set your Key pair name and then click on ‘Download Key Pair’.

EC2 Management Console


After done, click on “Launch Instances” button at the bottom to finally build your VM.

Connect to your EC2 virtual machine

Once the instance is ready, click on ‘View Instances’.

EC2 Management Console
Then click on ‘Connect’.
This shows how to connect to your EC2 instance using SSH, as you see below.

EC2 Management Console

Set restrictive permissions on your .pem key file (ssh refuses to use a private key that other users can read):

[webtech@scalescale ~]$ chmod 400 scalescale-keys.pem -v
permissions for «scalescale-keys.pem» changed from 0640 (rw-r-----) to 0400 (r--------)

Connect to your AWS VM using ssh:

[webtech@scalescale ~]$ ssh -i "scalescale-keys.pem" ec2-user@ec2-54-191-169-76.us-west-2.compute.amazonaws.com

Additional SSH security tips

After logging into your EC2 box, become root by typing:

sudo -s

Edit your SSH configuration file:

nano -w /etc/ssh/sshd_config

Uncomment and set these directives as shown below:

ListenAddress your.ec2.server.ip
Protocol 2

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 10

Replace “your.ec2.server.ip” with the private IP address of the instance (shown as Private IPs under View Instances), not the public or Elastic IP: the public address is translated by AWS and is not configured on the instance’s network interface, so sshd cannot bind to it, fails to start, and locks you out. If in doubt, leave ListenAddress commented out and let the Security Group decide who can reach port 22. Protocol 2 only matters on OpenSSH older than 7.4; newer releases speak only version 2 and ignore the directive. LoginGraceTime, MaxAuthTries and MaxSessions are set here to their default values, so the directive doing the real work is PermitRootLogin no. Consider also setting PasswordAuthentication no so that only your key pair can log in; the Amazon Linux and Ubuntu AMIs already ship with that setting, and it is what makes the key-based access from the previous section mandatory rather than optional.

Check the file for syntax errors first (sshd -t prints nothing when the configuration is valid) and keep your current session open until a fresh login has succeeded, then restart the SSH service to apply the changes:

service sshd restart

On Debian and Ubuntu the service is called ssh rather than sshd, and on systemd-based releases the equivalent is systemctl restart sshd (or ssh).
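Editing sshd_config by hand has two traps the steps above do not mention: sshd honours the first occurrence of a keyword, so a stale uncommented line earlier in the file silently wins over your edit, and anything placed after a Match block applies only to that block. The script below is an added example, not code from the original post or from OpenSSH. It sets the directives listed above (plus PasswordAuthentication no) idempotently in the global section of a configuration, then checks the effective values the way sshd reads them, flagging any Match block that re-enables a setting. ListenAddress is deliberately left out because it must be the instance’s private address. The sample configuration is constructed and does not reproduce any distribution’s real file.

```python
"""Set and verify sshd_config hardening directives the way sshd reads them.
Added example; not code from the original post or from OpenSSH.  HARDENING
(the post's directives plus PasswordAuthentication no) and SAMPLE_CONFIG (a
constructed stand-in for a stock file) are assumptions for illustration."""
import re

HARDENING = {
    "Protocol": "2",                 # ignored by OpenSSH >= 7.4, harmless on older
    "LoginGraceTime": "2m",
    "PermitRootLogin": "no",
    "StrictModes": "yes",
    "MaxAuthTries": "6",
    "MaxSessions": "10",
    "PasswordAuthentication": "no",  # added: only the key pair may log in
}
# ListenAddress is intentionally absent: it must be the instance's PRIVATE IP,
# which differs per instance, and a wrong value locks you out.

SAMPLE_CONFIG = """\
# constructed sample of a stock sshd_config (not a real AMI's file)
#ListenAddress 0.0.0.0
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
"""

# "Keyword value", optionally commented out with a leading '#'
_DIRECTIVE = re.compile(r"^\s*#?\s*([A-Za-z][A-Za-z0-9]*)\s+(.*?)\s*$")


def set_directives(text, directives):
    """Return text with each directive set exactly once in the global section.
    Every existing line for the keyword (active or commented) is replaced or
    dropped, because sshd uses the FIRST occurrence and a stale line above the
    edit would silently win.  Keywords missing from the file are inserted
    before the first Match block so they stay global."""
    wanted = {k.lower(): (k, v) for k, v in directives.items()}
    out, done, in_match, insert_at = [], set(), False, None
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        key = m.group(1).lower() if m else None
        if key == "match":
            in_match = True
            if insert_at is None:
                insert_at = len(out)
        if key in wanted and not in_match:
            if key not in done:
                out.append("%s %s" % wanted[key])
                done.add(key)
            continue  # drop duplicate and commented copies
        out.append(line)
    if insert_at is None:
        insert_at = len(out)
    out[insert_at:insert_at] = ["%s %s" % wanted[k] for k in wanted if k not in done]
    return "\n".join(out) + "\n"


def effective_directives(text):
    """Parse like sshd: first occurrence wins in the global section; settings
    inside Match blocks are returned separately as (keyword, value) pairs."""
    global_vals, overrides, in_match = {}, [], False
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            in_match = True
        elif in_match:
            overrides.append((key, value))
        else:
            global_vals.setdefault(key, value)
    return global_vals, overrides


def check_directives(text, directives):
    """List of problems; an empty list means the config matches `directives`
    globally and no Match block re-sets one of them."""
    global_vals, overrides = effective_directives(text)
    problems = []
    for name, want in directives.items():
        got = global_vals.get(name.lower())
        if got is None:
            problems.append("%s not set (sshd default applies)" % name)
        elif got != want:
            problems.append("%s is %r, expected %r" % (name, got, want))
    watched = {k.lower() for k in directives}
    for key, value in overrides:
        if key in watched:
            problems.append("%s re-set to %r inside a Match block" % (key, value))
    return problems


if __name__ == "__main__":
    hardened = set_directives(SAMPLE_CONFIG, HARDENING)
    print(hardened)
    print("before:", check_directives(SAMPLE_CONFIG, HARDENING))
    print("after: ", check_directives(hardened, HARDENING))
```

Running the script prints the rewritten configuration followed by the audit results: the original fails on every directive, while the hardened copy reports only that the Match User backup block still allows password logins, which is the kind of exception you want to see and decide on rather than discover later. On a real server, write the output to a temporary file, validate it with sshd -t -f that file, and only then copy it over /etc/ssh/sshd_config and restart sshd.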

Need more tips about SSH security? Check out this post: Top 10 Steps to Secure Your SSH Server

Keep your system updated

This is the most useful security tip for any operating system. Keeping your system up to date applies new software versions, security patches and package upgrades that close known vulnerabilities. Let’s see how to update our Linux systems:

For CentOS, Fedora, RHEL, CloudLinux and Amazon Linux AMI

yum update # or dnf update

This searches for updated packages and installs all of them.

On Ubuntu and Debian, apt-get update only refreshes the package lists; you also need to install the upgrades:

apt-get update && apt-get upgrade

If the kernel was updated, reboot the server and confirm with uname -r that the new kernel is the one running; until then the old, vulnerable kernel is still loaded.


Conclusion

EC2 Security Groups offer a practical and easy way to filter inbound and outbound access to system ports. Using SSH keys to connect and hardening your SSH server are further important steps, and keeping your packages and kernel up to date is one of the best ways to keep attackers out of your box.

Remember these are just some basic security tips for your EC2 instances; it’s up to you to find more ways to secure your servers and keep attackers away from them.


Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking