Chapter 9.  Secure Your AWS Environment

Security is, unsurprisingly, a very hot topic in the "Cloud Computing - should you be doing it?" debate.

On one side we have the my-hardware-is-my-castle group of people, who find it deeply unnatural to even think of delegating their compute environment to some abstract entity that assures them they own the capacity of X number of machines at any given time, but which they cannot see or touch. Not to mention the question of their data.

On the other, we find the people who do not really mind the mystical concept of the cloud at all. Their main interest is in having instant access to a practically unlimited amount of compute resources at a reasonable cost. Unfortunately, they might occasionally concentrate too much on getting the job done quickly, ignoring some valid, healthy concerns that the former group puts forward.

Then there is the middle ground - those of us who recognize the sacrifices one has to accept when moving to the cloud, as well as the various solutions that make up for them. That is to say, with well-designed applications and carefully planned-out architecture, your environment can remain adequately secure regardless of the underlying type of hosting platform.

We are going to examine a few of these solutions and practices in an attempt to make our AWS environment more secure.

We shall cover:

  • Managing access using IAM
  • VPC security
  • EC2 security
  • Security auditing

Let us begin.

Managing access using IAM

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).

ref: http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

We will be using IAM for managing access (be it user or application) to services under our AWS account.

Securing the root account

When a new AWS account is opened, it comes with a single user (the account owner) also referred to as the root login. This almighty user has all the powers, including the option of terminating the AWS account. For this reason, it is often advised that the root login is only used for high-level account management purposes while any day-to-day operations are done via IAM user accounts.

We shall follow this recommendation, so the very first thing we do after registering an AWS account is to log in as root, disable any unnecessary authentication mechanisms and create ourselves a lower-privileged IAM user account.

Let us browse to the AWS Console (ref: https://console.aws.amazon.com/console/home):

[Screenshot: Securing the root account]

Notice the small print underneath the Sign In button. This is the link we need to follow in order to access the root account, which takes us to a slightly different login page as shown in the following screenshot:

[Screenshot: Securing the root account]

Here, use your main Amazon credentials; you should then see the familiar Console page. Click on your name in the top-right corner:

[Screenshot: Securing the root account]

Choosing Security Credentials takes us to our root account security options:

[Screenshot: Securing the root account]

Enable Multi-Factor Authentication (MFA); there really isn't a good reason not to. You could purchase a hardware token device or simply use an app on your phone such as Google Authenticator.

Delete the keys under Access Keys. These are used for API access, which you are very likely not going to need for account management tasks.

Next, click on the Account Settings link on the left to update the current password policy. With the various password management tools available today, choosing a complex password and changing it often is no longer an inconvenience, so go crazy:

[Screenshot: Securing the root account]

On the same page, we can disable any regions we are not going to be using:

[Screenshot: Securing the root account]

Now we proceed to create the IAM accounts for daily AWS usage. We will organize our users into groups, starting with a user in a group that has administrator privileges, which can then be used to manage almost all aspects of the AWS account.

On the left, select Groups and create a new group, granting it administrator access. Then under Users, create an account for yourself and make it a member of that group.

During the user creation process you will have had the option to create API access keys (you can also do this at a later stage), which are useful if you are planning to use the AWS CLI or programmatic access in general. Once the user is created, select it and switch to the Security Credentials tab:

[Screenshot: Securing the root account]

Here you have the option to create an Access Keys pair, if you did not do so earlier, as well as to set a password for using the AWS Console. As mentioned earlier, you should take the opportunity to enable MFA (to take this a step further, have a look at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html). Also, if you are planning to use the CodeCommit service over SSH, this is where you upload your public key.

That is it: from now on you can log in to the AWS Console using the username and password of the IAM account you just created, keeping the root login for special occasions.
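The steps above (root MFA on, root API keys deleted, a strong password policy, IAM users for daily work) are easy to verify mechanically, which is useful once more than one person touches the account. The following script is an added example, not code from the book; it audits the account offline against constructed sample data in the shapes that `aws iam get-account-summary`, `aws iam get-account-password-policy` and the CSV from `aws iam get-credential-report` return (in practice you would feed it the real output of those commands), and the thresholds it checks against are assumptions chosen for the example. It also flags two things the chapter implies but cannot show in screenshots: a console user without an MFA device, and a root login that has been used recently even though it should be kept for special occasions.

```python
"""Offline audit of the root-account hardening steps from this chapter (example code).

Assumptions, not from the book: the inputs have the shapes returned by
`aws iam get-account-summary`, `aws iam get-account-password-policy` and the
decoded CSV of `aws iam get-credential-report`. All sample data is constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Thresholds chosen for this example; adjust them to your own policy.
MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 90
MIN_REUSE_HISTORY = 5
ROOT_MAX_RECENT_USE_DAYS = 30

# Constructed get-account-summary output: root MFA still off, root API key still present.
SAMPLE_ACCOUNT_SUMMARY = {"SummaryMap": {
    "AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1, "Users": 2, "Groups": 1}}

# Constructed get-account-password-policy output: a weak policy...
WEAK_PASSWORD_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False}}

# ...and the same policy after tightening it as the chapter suggests.
HARDENED_PASSWORD_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 16, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24}}

# Constructed credential report (column subset); the account id is a placeholder.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,2016-01-10T09:12:00+00:00,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,2016-01-12T08:00:00+00:00,true,false,false
bob,arn:aws:iam::123456789012:user/bob,true,2016-01-15T16:40:00+00:00,false,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,no_information,false,true,false
"""
NOW = datetime(2016, 1, 20, tzinfo=timezone.utc)  # fixed "current time" for the sample


def audit_root_account(summary):
    """Root hardening steps: MFA enabled, API keys deleted, IAM users exist for daily work."""
    m = summary["SummaryMap"]
    findings = []
    if not m.get("AccountMFAEnabled"):
        findings.append(("ROOT_MFA_DISABLED", "enable MFA on the root login"))
    if m.get("AccountAccessKeysPresent"):
        findings.append(("ROOT_ACCESS_KEYS_PRESENT", "delete the root account's API access keys"))
    if m.get("Users", 0) == 0:
        findings.append(("NO_IAM_USERS", "create IAM users for day-to-day work"))
    return findings


def audit_password_policy(policy):
    """Account password policy checks against the thresholds above."""
    if policy is None:  # the API reports NoSuchEntity when no policy has ever been set
        return [("NO_PASSWORD_POLICY", "no account password policy is configured")]
    p = policy["PasswordPolicy"]
    findings = []
    if p.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
        findings.append(("PASSWORD_TOO_SHORT", f"minimum length below {MIN_PASSWORD_LENGTH}"))
    missing = [k for k in ("RequireSymbols", "RequireNumbers", "RequireUppercaseCharacters",
                           "RequireLowercaseCharacters") if not p.get(k)]
    if missing:
        findings.append(("PASSWORD_MISSING_CLASSES", "not required: " + ", ".join(missing)))
    if not p.get("ExpirePasswords") or p.get("MaxPasswordAge", 0) > MAX_PASSWORD_AGE_DAYS:
        findings.append(("PASSWORD_NO_EXPIRY", f"expire passwords within {MAX_PASSWORD_AGE_DAYS} days"))
    if p.get("PasswordReusePrevention", 0) < MIN_REUSE_HISTORY:
        findings.append(("PASSWORD_REUSE_ALLOWED", f"remember at least {MIN_REUSE_HISTORY} old passwords"))
    return findings


def audit_credential_report(report_csv, now):
    """Per-user checks: root should sit idle, and every console user needs an MFA device."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            last_used = row.get("password_last_used", "")
            if last_used not in ("", "no_information", "N/A"):
                idle = now - datetime.fromisoformat(last_used)
                if idle < timedelta(days=ROOT_MAX_RECENT_USE_DAYS):
                    findings.append(("ROOT_USED_RECENTLY", f"root password used {idle.days} days ago"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("USER_MFA_DISABLED", f"console user {user} has no MFA device"))
    return findings


def audit_account(summary, policy, report_csv, now):
    """Run every check; an empty list means the chapter's hardening steps are in place."""
    return (audit_root_account(summary) + audit_password_policy(policy)
            + audit_credential_report(report_csv, now))


if __name__ == "__main__":
    for code, msg in audit_account(SAMPLE_ACCOUNT_SUMMARY, WEAK_PASSWORD_POLICY,
                                   SAMPLE_CREDENTIAL_REPORT, NOW):
        print(f"{code}: {msg}")
```

Run as-is it prints eight findings for the constructed account; replacing the three sample inputs with the real command output (the credential report arrives base64-encoded and must be decoded first) turns it into a quick check to repeat after every change to the account.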

As a side note for those who already maintain a user database external to AWS, there are ways to integrate it using Federation.
