AWS is a very secure ecosystem, but they can’t guarantee what you’re doing in the The cloud will be safe. That responsibility is yours, although AWS will try to point you in the right direction.
This guide describes what you should do through the AWS console to make your network and account more secure. In addition to all of this, you need to make sure that your own applications running on your EC2 servers (or otherwise) are themselves secure. For example, enable HTTPS on a web server or keep your dependencies and programs up to date.
Use two-factor authentication for your AWS account
Your master AWS account controls all of your AWS resources. If someone were to gain access to it, they would have complete control of your resources and could delete everything. You should make sure that your sign-in method isn̵
AWS offers several multi-factor authentication methods. The easiest to use is the virtual MFA device, which uses apps like Google Authenticator and Authy to turn your phone into a virtual keychain. AWS also supports hardware keys from YubiKEy and Gemalto, but they cost money. Alternatively, you can use SMS, but only for administration users you add, not your root account.
Click on your account name in the top menu bar and select “My Security Credentials”.
Under Multi-Factor Authentication, click Enable MFA.
Select “Virtual MFA Device” and open your authentication app on your phone.
AWS will show you a QR code that you should scan with your authentication app to connect the two. Then you can start entering codes. AWS requests two consecutive codes so you have to wait 30 seconds between them. Click “Assign MFA” when you’re done.
If you log out now, you will be asked for a code from your phone when you log in again.
When you set up a physical key fob, all you have to do is plug it in to link it and then plug it in every time you want to log in.
Close your firewalls
When you create a new EC2 instance, you will be prompted to choose a security group or create a new one. This security group is a firewall and defines which ports are opened. By default, AWS opens port 22 (for SSH) for all incoming IPs and lets all traffic go out.
This means anyone can try to authenticate using SSH, which isn’t a huge problem (since AWS uses SSH keys by default). However, it is recommended that you limit most of the traffic to your IP address unless there is a reason to be open to the world.
In the EC2 Administration Console, click Security Groups in the sidebar, select the group your instance is using, select Inbound, and click Edit. Alternatively, you can access this security group from the Instances panel by clicking on it under the Security Groups property.
From here you can edit the rules for this security group. Outbound is usually fine to stay open, but inbound should stay closed as much as possible. Click on the SSH rule and switch the source from Anywhere to My IP, which should close it.
You don’t have to worry about your IP address changing and banning you as you can always reset it through the AWS console.
If several entities communicate with each other, e.g. For example, if you have a database server connecting to an API server, you should secure the connection between them by allowing only secured traffic between the two instances. Except for your administrative IP address, no one other than the API server should be able to communicate with the database.
You don’t have to manually specify individual IP addresses because AWS allows you to allow traffic for all devices that are assigned a specific security group. If you have multiple database servers, you can assign them the entire Database security group and allow your API server to communicate with that security group. You can also allow everything on a specific subnet, so you need to use AWS’s VPC.
Set up IAM users
AWS Identity and Access Management (IAM) users allow you to provide access to your account without granting full permissions. If multiple people have access to your AWS resources, you should give them access through an IAM user. You should never give access to your root account.
However, IAM users are not just intended for other people. If you have code that needs to access your AWS account, you should allow access through an IAM user. Some AWS services use IAM users to respond to resources in your account.
AWS also recommends that you use an IAM user with administrative privileges for all of your normal tasks. This allows you to lock out your root account credentials and only use them when absolutely necessary, primarily for accounting purposes.
IAM users can be assigned very specific permissions, so you can be sure that if any of them were compromised, your entire infrastructure will not be compromised. You can also assign these permissions to role groups and assign roles to users.
You can create new IAM users through the IAM administration console. You will receive a randomly generated password that you have to change when you log in for the first time. You should apply an IAM password policy to ensure that these passwords are secure.
Perform regular security reviews
You should check your safety regularly to make sure you haven’t missed anything. AWS provides a very thorough checklist for exactly this purpose.
You can use this checklist to delete old resources that are no longer in use and review your security policies for various services. The main sources of uncertainty are changes in how you use AWS, such as: For example, if you use a new service, no longer use an old one, or have left someone else. In any case, you should review your access policies.
Unless you’re using AWS for an organizational account, you probably don’t need to go through the entire checklist. However, you should make a habit of checking your security guidelines from time to time.