Safeguarding your AWS infrastructure is of utmost importance to steer clear of potential security challenges. This blog is part 3 of our series on vital AWS services and the ongoing inclusive checklist of 26 security best practices to adopt. If you haven't gone through part 1, and part 2 please check them out first, and then proceed with the remaining set of suggestions.

Amazon EC2

Amazon EC2 functions as a web service offering scalable computing capacity. This capacity is utilized for the construction and hosting of software systems. EC2 stands as a fundamental service within Amazon Web Services (AWS). Understanding optimal security practices and how to ensure the security of EC2 is crucial.

16. Ensuring Encryption for Attached EBS Volumes

It is important to verify if the EBS volumes currently attached are encrypted. To meet this requirement, EBS volumes should be actively in use and configured for encryption. If an EBS volume is not attached, it is exempt from this examination.

‍

To bolster the protection of sensitive data within EBS volumes, enabling encryption at rest is recommended. Amazon EBS encryption provides a straightforward solution without the need for establishing and maintaining a separate key management infrastructure. Encryption utilizes KMS keys during the creation of encrypted volumes and snapshots.

‍

Execute the "describe-volumes" command to assess whether your EC2 Elastic Block Store volume is encrypted:

<pre class="codeWrap">aws ec2 describe-volumes
--filters Name=attachment.instance-id, Values=INSTANCE_ID<code></code></pre>

‍

The command output will indicate the encryption status of the instance EBS volume (true for enabled, false for disabled). It's important to note that there is no direct method to encrypt an existing unencrypted volume or snapshot. Encryption can only be applied when creating a new volume or snapshot.

‍

Enabling encryption by default ensures that new volumes or snapshots created are automatically encrypted using your default Amazon EBS encryption key. Even if default encryption is not enabled, encryption can be selectively applied when creating an individual volume or snapshot. In both scenarios, there is flexibility to override the default key and opt for a symmetric customer-managed key for Amazon EBS encryption.

17. Activating VPC Flow Logging Across All VPCs

Enabling VPC Flow Logs is a crucial step in capturing details about the traffic to and from network interfaces within your Virtual Private Cloud (VPC). Once established, these logs can be accessed and retrieved from CloudWatch Logs. For cost efficiency, there is also an option to direct flow logs to Amazon S3.

‍

It is highly recommended to enable flow logging specifically for packet rejects within VPCs. Flow logs play a vital role in offering insights into the network traffic traversing the VPC. They prove valuable in identifying abnormal traffic patterns and providing additional context during security-related processes. The default log record includes essential information such as source and destination IP addresses, as well as the protocol used.

<pre class="codeWrap"><code>- name: flow-logs-enabled
  description: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs.
  resource: vpc
  filters:
    - not:
          - type: flow-logs
            enabled: true
</code></pre>

18. Verifying Default Security Group Restrictions

It is essential to confirm that the default security group within your Virtual Private Cloud (VPC) is configured not to allow all inbound and outbound traffic. The default rules for this security group permit unrestricted inbound and outbound traffic from network interfaces and their associated instances that share the same security group.

‍

The use of the default security group is discouraged due to its permissive nature. While it cannot be deleted, it is advisable to modify the rules of the default security group to restrict both inbound and outbound traffic. This precautionary measure prevents unintended traffic if the default security group is unintentionally applied to resources, such as EC2 instances.

‍

Execute the command to obtain the description of the default security group within the chosen region:

<pre class="codeWrap"><code>aws ec2 describe-security-groups
   --region REGION
   --filters Name=group-name,Values='default'
   --output table
   --query 'SecurityGroups[].IpPermissions[].IpRanges'</code></pre>

If the command yields no output, it signifies that the default security group prohibits public inbound traffic. However, if there is output, it will display the defined source IPs for inbound traffic.

<pre class="codeWrap"><code>------------------------

|DescribeSecurityGroups|

+----------------------+

|        CidrIp        |

+----------------------+

|  0.0.0.0/0           |

|  ::/0                |

|  1.2.3.4/32          |

|  1.2.3.5/32          |

+----------------------+ </code></pre>

In cases where the returned IPs are 0.0.0.0/0 or ::/0, it indicates that the selected default security group permits public inbound traffic. We have previously outlined the potential threats associated with securing SSH on EC2 instances.

‍

To address this issue, it is recommended to create new security groups and assign them to your resources. Additionally, to prevent inadvertent usage of default security groups, eliminate both inbound and outbound rules associated with them.

19. Activating Default Encryption for EBS Volumes

Enabling encryption for your EBS volumes and their snapshot copies ensures that data at rest is securely encrypted. This additional security layer enhances the protection of your data. Refer to the "Encryption by default" section in the Amazon EC2 User Guide for Linux Instances for further details. It's important to note that encryption is not supported for the following instance types: R1, C1, and M1.

‍

Execute the "get-ebs-encryption-by-default" command to determine whether default encryption for EBS is enabled in your AWS cloud account within the chosen region:

<pre class="codeWrap"><code>aws ec2 get-ebs-encryption-by-default
--region REGION
--query 'EbsEncryptionByDefault'</code></pre>

If the command returns "false," it indicates that data at rest is not automatically encrypted by default for new EBS volumes in the specified AWS region. Correct this by using the following command:

<pre class="codeWrap"><code>aws ec2 enable-ebs-encryption-by-default
--region REGION</code></pre>

AWS Database Migration Service (DMS)

DMS is used for moving databases (relational and NoSQL), data warehouses, and various data stores with ease. AWS DMS allows you to easily transfer your data into the AWS Cloud or between different combinations of cloud and on-premises configurations.

20. Ensure AWS Database Migration Service (DMS) Replication Instances are Secure

It is important to make sure that DMS is not accessible to the public over the internet to enhance its security. This step is vital for preventing the exposure of private data and minimizing potential security risks.

Follow the guidelines below:

• Confirm that your DMS replication instance possesses a private IP address.
• Disable the Publicly Accessible feature, especially when both the source and target databases reside in the same network connected to the instance's Virtual Private Cloud (VPC) through a VPN, VPC peering connection, or an AWS Direct Connect dedicated connection.

1. Access AWS Management Console by visiting https://console.aws.amazon.com/dms/.

2. Navigate to Replication instances in the left sidebar.

3. Choose the desired DMS replication instance to view its resource configuration details.

4. Navigate to the Overview tab in the bottom dashboard panel and inspect the value of the Publicly accessible configuration attribute. If set to Yes, the chosen Amazon DMS replication instance is accessible outside the Virtual Private Cloud (VPC), posing potential security risks. To address this:

    a. Click the Create replication instance button in the top menu of the dashboard to initiate the launch process.

    b. On the Create replication instance page, follow these steps:

         * Deselect the Publicly accessible checkbox to disable public access to the new replication instance. When disabled, Amazon DMS will not assign a public IP address to the instance during creation, preventing connections outside the VPC.

         * Assign a unique name to the new replication instance in the Name box. Then, configure the remaining instance settings using the information copied in step No. 5

• Click Create replication instance to launch your new Amazon DMS instance.
• Revise your database migration plan by creating a new migration task that includes the recently created AWS DMS replication instance.

* To cease incurring charges for the old replication instance:

• Choose the old DMS instance, and then click the Delete button in the top menu of the dashboard.
• In the Delete replication instance dialog box, review the instance details, and click Delete to terminate the selected DMS resource.

5. Repeat steps Nos. 3 and 4 for each AWS DMS replication instance provisioned in the chosen region.

6. Switch to a different region from the console navigation bar and repeat the process for all other regions.

Explore further on AWS security best practices for AWS Database Migration Service.

Amazon Elastic Block Store (EBS)

Amazon EBS offers block-level storage volumes designed for utilization with EC2 instances. These EBS volumes function similarly to raw, unformatted block devices and can be mounted as devices on your instances. When attached to an instance, EBS volumes are presented as storage volumes that persist independently of the instance's lifecycle. Users have the flexibility to create file systems on these volumes or leverage them as they would any block device, such as a hard drive.

‍

One notable feature of Amazon EBS is the ability to dynamically modify the configuration of a volume that is currently attached to an EC2 instance. This provides users with the convenience of adjusting volume settings as needed without the requirement to detach the volume or interrupt the instance's operation.

21. Securing Amazon EBS Snapshots Access

Amazon EBS snapshots serve the purpose of backing up data from EBS volumes to Amazon S3 at a specific moment. These snapshots are valuable for restoring previous states of EBS volumes. Sharing a snapshot with the public is generally not recommended, as it often results from unintentional actions or insufficient awareness of the consequences. This verification process ensures that any such sharing is deliberate and well-planned.

‍

Retrieve a list of all EBS volume snapshots:

<pre class="codeWrap"><code>aws ec2 describe-snapshots
   --region REGION    --owner-ids ACCOUNT_ID
   --filters Name=status,Values=completed
   --output table
   --query 'Snapshots[*].SnapshotId'
</code></pre>

For each snapshot, examine its createVolumePermission attribute:

<pre class="codeWrap"><code>aws ec2 describe-snapshot-attribute
--region REGION
--snapshot-id SNAPSHOT_ID
--attribute createVolumePermission
--query 'CreateVolumePermissions[]'</code></pre>

The command output provides details about permissions for creating EBS volumes from the specified snapshot:

<pre class="codeWrap"><code>{
   "Group": "all"
}</code></pre>

If the output indicates "Group": "all," it implies the snapshot is accessible to all AWS accounts and users. In such cases, it is advisable to execute the following command to rectify the situation:

<pre class="codeWrap"><code>aws ec2 modify-snapshot-attribute
--region REGION --snapshot-id SNAPSHOT_ID
--attribute createVolumePermission
--operation-type remove
--group-names all</code></pre>