Forcimi i Instancave EC2

Mesatar 14 min Siguria në Cloud

Hyrje

EC2 instances remain the most common cloud workload, and most cloud incidents involve at least one compromised EC2.

Teoria

Start with a minimal AMI: Amazon Linux 2023, Ubuntu LTS, or a container-optimized base like Bottlerocket. Keep the instance patched via Systems Manager Patch Manager or an OS-native tool. Disable password SSH and rely on SSH keys or, better, Session Manager, which removes the need for an inbound SSH port at all. Use security groups as a stateful firewall and restrict inbound traffic to the minimum needed — nothing public unless the workload truly requires it. Attach the smallest IAM instance profile that works. A common mistake is attaching a role with broad permissions to an EC2 that hosts a web app; a single RCE in the app then grants the attacker whatever that role can do. Use IMDSv2 (token-based metadata service) so attackers cannot fetch role credentials via a simple SSRF. Configure VPC flow logs to record traffic for incident response, and enable CloudWatch agent to ship logs to a central account. Finally, encrypt EBS volumes with KMS keys and use separate key per environment. Back up critical data, but test restores — an untested backup is not a backup. The combination of patching, minimal IAM, IMDSv2, network segmentation and logging is the baseline for every EC2 in production.

Mjetet

Mjete:

  • AWS Systems Manager (Session Manager, Patch Manager).
  • CIS Benchmarks AMI.
  • Inspector, SSM Compliance.

Praktika

Launch template i sigurt (Terraform):

resource "aws_launch_template" "web" {
  image_id      = data.aws_ami.cis_hardened.id
  instance_type = "t3.micro"
  metadata_options {
    http_tokens   = "required"   # IMDSv2 only
    http_endpoint = "enabled"
  }
  iam_instance_profile { name = aws_iam_instance_profile.app.name }
  vpc_security_group_ids = [aws_security_group.app.id]
  user_data = base64encode(file("bootstrap.sh"))
}

Ushtrime

  1. Forço IMDSv2 në të gjitha instancat e një VPC.
  2. Konfiguro SSM Session Manager për të hequr nevojën për SSH.

Burime

  • AWS — EC2 Security Best Practices.
  • CIS AMI Hardened Images.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re