Cloud Machine Manager Blog

Four Considerations to Improve Amazon EC2 Security


If you’re considering a cloud computing infrastructure for your business, or perhaps if AWS is something you’re implementing already, then you’ll understand why Amazon EC2 security is a top concern for many organisations utilising the platform.

AWS EC2 Security Concerns

For most AWS organisations (especially those dealing with sensitive information) the scenario of losing private customer data to a DDoS attack or through an oversight in access management is not only a disaster in terms of the down-time needed to resolve the problem, but also hugely damaging to customer trust and brand credibility.

It’s also no exaggeration that if an attack is significant enough to corrupt a business’s central data, then it’s possible that the company may close down as a result – as was unfortunately the case with Code Spaces.

In fact when the Cloud Machine Manager team recently attended Amazon’s ‘AWSome Roadshow Day’ in London and keynote speaker Tom Woodyer (Technical Instructor) asked the audience what their main concern with AWS was, the answer was (you guessed it) security!

4 Amazon EC2 Security Considerations

It’s very easy when a data breach occurs for users to hastily point the finger at AWS EC2 security and declare it at fault, but in reality this isn’t always the case. Amazon has gone to great lengths to counter this opinion by providing users with a significant amount of relevant resources to help keep themselves protected.

However, because AWS is so multi-layered and quite complex, finding this information can become a challenge – that’s where our 4 considerations for Amazon EC2 security can help:

1) The AWS Shared Responsibility Model

When it comes to AWS security, all roads start from the Shared Responsibility Model, which is effectively Amazon drawing a line in the sand: AWS oversees the “security OF the cloud”, while it is the customer’s responsibility to handle their data and its “security IN the cloud”.

What does this mean? It means that Amazon operates, manages and controls the host operating system and everything beneath it, from the virtualization layer through to the physical security of the premises that contain the servers. The customer remains responsible for the guest operating system, its security updates, the configuration of the EC2 security group firewall (more on that later), and any controls for the software running on the instance (there’s a nice video summary of all this here). Essentially, the model does a good job of clarifying the AWS security landscape and highlighting where your attention is most needed.

2) EC2 Identity and Access Management

The Identity and Access Management (IAM) service from AWS is a permissions-based tool that lets administrators manage AWS users and the resources they can access, without having to share a password or key with them.

For EC2 security specifically, IAM permissions can likewise be attached to an ‘IAM role’, and EC2 instances launched with that role so that applications on the instance can call AWS service APIs securely, again without a shared password or key. This is ideal for controlling which users and workloads within your business can perform specific API actions, thereby limiting the potential damage if someone does something they’re not supposed to.
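An added example (not from the original post) of what “permissions attached to a role” looks like in practice: the trust policy that lets the EC2 service assume a role, a broad and a scoped permissions policy, and a small lint that flags wildcard grants. The bucket name is a placeholder.

```python
# Added example, not from the original post: the two policy documents an EC2
# instance role needs, plus a lint that flags wildcard permissions. The bucket
# name is a placeholder; the trust-policy shape is the standard one AWS uses.

def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

# Trust policy: only the EC2 service may assume this role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Overly broad permissions: any action on any resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Scoped permissions: read objects from one bucket (placeholder name).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-app-bucket/*"}],
}

def find_wildcards(policy):
    """Findings for Allow statements using '*' or 'service:*' as an action,
    or '*' as a resource. Deny statements are not a least-privilege concern."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings

def trusts_only_ec2(trust_policy):
    """True when every Allow statement lets only the EC2 service assume the role."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or list(principal) != ["Service"]:
            return False
        if _as_list(principal["Service"]) != ["ec2.amazonaws.com"]:
            return False
    return True
```

Run `find_wildcards` over the policies you attach to instance roles before deploying them; the scoped policy comes back clean while the broad one produces two findings.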

3) EC2 Security Groups

EC2 security groups are essentially traditional firewalls implemented within the AWS virtual environment: they allow or block traffic to an instance according to the rules assigned to its ports, protocols and source addresses, thereby reducing the risk of a breach.

However, by taking the time to set up your security groups properly and configure them around your business’s security policy (rather than just for a single instance), one policy can then be applied across multiple EC2 instances. This improves your AWS defences at a larger scale while keeping security administration consistent.
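An added example (not from the original post) of checking security-group rules against a policy: it walks a security group in the shape returned by `aws ec2 describe-security-groups` and flags ingress rules open to the whole internet on anything other than an allow-listed public port. The sample group and the allow-list of ports 80 and 443 are constructed assumptions.

```python
# Added example, not from the original post: flag security-group ingress rules
# that expose ports to the whole internet. The rule structure follows the
# IpPermissions entries that `aws ec2 describe-security-groups` returns.

# Ports acceptable to expose publicly for a web tier (assumption for the example).
PUBLIC_OK_PORTS = {80, 443}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample group: a public HTTPS rule, SSH open to the world,
# an all-traffic IPv6 rule, and a database rule scoped to another group.
SAMPLE_SG = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app-tier"}]},
    ],
}

def _open_to_world(rule):
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def audit_ingress(group, public_ok=PUBLIC_OK_PORTS):
    """Return (group_id, description) findings for world-open ingress rules
    that cover any port outside the public allow-list."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not _open_to_world(rule):
            continue
        if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
            findings.append((group["GroupId"], "all protocols/ports open to the world"))
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if set(range(lo, hi + 1)) - public_ok:
            findings.append((group["GroupId"],
                             f"{rule['IpProtocol']} {lo}-{hi} open to the world"))
    return findings
```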

4) EC2 Encryption

Encryption has become a cornerstone of large-scale data security, as it makes stored data difficult for uninvited viewers (hackers) to read. But unlike an in-house infrastructure, where data is encrypted on servers under your own roof, with cloud servers the process is a little different.

Encryption for EC2 volumes is available as a feature of Elastic Block Store (EBS), a popular storage system for flexible virtual data that many companies use to hold sensitive data such as databases and images. Here, encryption is performed on the servers that host the EC2 instances, and is applied to data as it moves between your instances and the attached EBS storage.
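An added example (not from the original post) of requesting encrypted EBS volumes at launch time: a builder for the `BlockDeviceMappings` entries that `run_instances` accepts, and a pre-launch check that catches a mapping which forgot the flag. The KMS key ARN is a placeholder and the device names are constructed.

```python
# Added example, not from the original post: build EBS block-device mappings
# with encryption requested, and verify a launch spec before it is submitted.
# The KMS key ARN below is a placeholder, not a real key.

PLACEHOLDER_KMS_KEY = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"  # placeholder

def encrypted_mapping(device_name, size_gib, kms_key_id=PLACEHOLDER_KMS_KEY):
    """One BlockDeviceMappings entry in the shape run_instances expects,
    with the volume created encrypted under the given KMS key."""
    return {
        "DeviceName": device_name,
        "Ebs": {
            "VolumeSize": size_gib,
            "VolumeType": "gp3",
            "Encrypted": True,
            "KmsKeyId": kms_key_id,
            "DeleteOnTermination": True,
        },
    }

def unencrypted_devices(mappings):
    """Device names of EBS mappings that do not request encryption; an empty
    list means the launch spec is safe to submit."""
    return [m["DeviceName"] for m in mappings
            if "Ebs" in m and not m["Ebs"].get("Encrypted", False)]

# Constructed launch spec: encrypted root volume plus an encrypted data volume.
LAUNCH_MAPPINGS = [
    encrypted_mapping("/dev/xvda", 20),
    encrypted_mapping("/dev/xvdb", 100),
]

# Constructed legacy spec: a root mapping copied from an old template,
# missing the Encrypted flag entirely.
LEGACY_MAPPINGS = [
    {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8}},
    encrypted_mapping("/dev/xvdb", 50),
]
```

Gate your deployment on `unencrypted_devices(...)` returning an empty list; the legacy spec above fails that gate on `/dev/xvda`.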

It’s also worth mentioning that if you’re an S3 user, Amazon also provides additional services for server-side and client-side encryption which you may find useful.

5) AWS Regions – One More for Good Measure!

It’s also worth acknowledging that while AWS datacentres are technologically advanced, they’re still subject to the same vulnerabilities that affect other businesses, such as power outages and software problems. By spreading your EC2 instances across different AWS regions, you can therefore avoid a complete system outage if something goes wrong in one of them.

So there you have it; five considerations to help improve your Amazon EC2 security. But ultimately, to maintain a secure AWS cloud as your EC2 usage starts to grow, you should restrict AWS resources and closely govern EC2 permissions to form solid security practices.