Protecting Compute Resources on AWS

Vineet Shukla
3 min read, Mar 25, 2021


This blog post is a continuation of my previous write-up, Infrastructure Protection On AWS, where I discussed protecting the network in AWS.

In this post I will discuss strategies and the relevant AWS services for protecting compute resources in a VPC.

The compute services in AWS are EC2 instances (virtual machines), containers, Lambda functions and edge/hybrid services. I will focus specifically on containers and EC2 instances in this post.

EC2 Instances:

1. Security Groups: Security groups are the first level of defence for compute resources. A security group is stateful and has only allow rules; any traffic that does not match an allow rule is denied. Allow only the legitimate IP addresses, ports or source security groups.

2. AMIs: AMIs are the machine images in AWS. Use the latest AMIs where possible, or keep EC2 instances updated with the latest security patches. AWS customers can use EC2 Image Builder to create custom, security-hardened AMIs for use within the organisation.

3. Vulnerability Scans: Perform regular vulnerability scans on EC2 instances. This can be done with various antivirus tools available from AWS partners. Amazon Inspector can also be used to detect common vulnerabilities and exposures (CVEs), and notification of its findings can be automated.

Containers:

Amazon ECR image scanning helps identify software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. Scans can be run manually, or automated by configuring your repositories to scan images when they are pushed.

Other Strategies:

Make use of AWS managed services: Use AWS managed services such as ECS, Lambda and RDS to reduce security maintenance tasks. Placing EC2 instances behind an AWS-managed ELB helps reduce the direct exposure of the instances.

Reduce the attack surface:

Remove unused components, e.g. operating system packages and applications (for EC2-based workloads) or external software modules in your code (for all workloads) that are no longer used. Use hardening and security configuration guides for common operating systems and server software, e.g. the CIS benchmarks from the Center for Internet Security (cisecurity.org).

Use Systems Manager:

Systems Manager is a good option for connecting to EC2 instances instead of using bastion hosts or accessing the instances directly.

Manage operations as code to reduce defects:

AWS CloudFormation stacks built from pipelines can automate your infrastructure deployment and management tasks without using the AWS Management Console or APIs directly. Performing operations as code helps reduce manual errors.
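As an added example (not from the original post), the following CloudFormation template expresses several of the recommendations above as code: a security group that allows only HTTPS from an assumed load balancer security group (no SSH ingress at all), an instance role carrying AmazonSSMManagedInstanceCore so the instance is reached through Systems Manager rather than a bastion, the AMI resolved from the public SSM parameter for the latest Amazon Linux 2 image, and an ECR repository with scan-on-push enabled. The VpcId, SubnetId and AlbSecurityGroupId parameters are assumed inputs supplied at deploy time.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  AlbSecurityGroupId:   # assumed: the security group of an existing ALB in the same VPC
    Type: AWS::EC2::SecurityGroup::Id
  LatestAmiId:   # resolved at deploy time to the current Amazon Linux 2 AMI
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Resources:
  AppSecurityGroup:   # allow-only: HTTPS from the load balancer SG, nothing else inbound
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier, HTTPS from the ALB security group only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref AlbSecurityGroupId
  InstanceRole:   # lets the SSM agent register the instance for Session Manager access
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement: [ { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: sts:AssumeRole } ]
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [ !Ref InstanceRole ]
  AppInstance:   # no KeyName and no port 22: shell access goes through Systems Manager
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref InstanceProfile
      SecurityGroupIds: [ !Ref AppSecurityGroup ]
  AppRepository:   # every image pushed here is scanned for CVEs automatically
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: app-images
      ImageScanningConfiguration:
        ScanOnPush: true
```

For Session Manager to work the instance still needs outbound reachability to the SSM endpoints (via NAT or VPC endpoints), which this template assumes the VPC already provides.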

GuardDuty: GuardDuty is good at detecting malicious traffic to EC2 instances, and its findings can be routed through EventBridge to automate the blocking of malicious IP addresses.

Thank you for reading.


Connect with me on Twitter: @vineet85s
