AWS Newbie Tips Community

Jason Wright

Does anyone have any best practice recommendations on security for my ec2 instances

I could do with a bit of list of best practice recommendations for my ec2 instances, security focused but also anything else would be really cool.

Found this thread which is also quite useful:

I set up an EC2 instance and noticed that my crontab had been hacked to curl some weird URL. I had to delete that instance and set up a new one and went through security to see where the mistake was, which I found some. So now my security group contains limited access to SSH into the server by specific…

Latest comments (5)

Komal Saini

This will be helpful. Also, I would like to understand and learn more about related guidelines.

lee

From a security perspective, start from inside the EC2 instance and work back from there (don't just assume AWS platform configurations such as security groups and NACLs are the answer, although they definitely are part of it).

So, making sure your OS is patched and under some sort of configuration management and reporting, then:

  • Ensure that any unused services are off; strip it right down.
  • Design your hosting VPC accordingly with public/private subnets, internet gateways and NAT instances where required; don't just drop an EC2 instance into a public subnet.
  • Use AWS Session Manager for any remote connectivity.
  • Use AWS Backup.
  • Ensure you are checking the access logs and have them set up through CloudTrail and CloudWatch.
  • Encrypt the EBS volume.
  • Ensure that you have IAM set up properly; only use IAM roles for EC2 privileges to other AWS services, with the principle of least privilege (again with logging). You can use IAM Access Analyzer here to understand more about what is required.
  • Use a load balancer if needed.
  • Configure your EC2 security groups to only allow certain ports from specific IP ranges; take it a step further with NACLs if needed.
  • Consider using AWS firewall and other services such as WAF and Shield if public facing.
  • Consider offloading content to CloudFront if public facing.

That should keep you busy for a while 😂
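To make the security-group item in the list above concrete, here is an added example that is not from lee or this thread: a Python check run over the structure boto3's `ec2.describe_security_groups()` returns, flagging SSH/RDP ingress that is open to the whole internet. The group IDs and rules are constructed sample data so the check runs offline.

```python
"""Audit EC2 security group rules for admin ports open to the whole internet.

Added example (not from the original thread). It operates on the dict
structure returned by boto3's ec2.describe_security_groups(); the sample
groups below are constructed so the check runs offline.
"""

# Ports that should practically never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22, 3389}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def permission_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermission entry matches the port (or all traffic)."""
    if perm.get("IpProtocol") == "-1":          # -1 means all protocols/ports
        return True
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def find_open_ingress(groups, ports=ADMIN_PORTS) -> list:
    """Return (GroupId, port, cidr) triples where an admin port is world-open."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in (ANY_IPV4, ANY_IPV6):
                    continue               # scoped range, as recommended above
                for port in sorted(ports):
                    if permission_covers_port(perm, port):
                        findings.append((sg["GroupId"], port, cidr))
    return findings


# Constructed sample: one group with SSH locked to an office range, one world-open.
SAMPLE_GROUPS = [
    {"GroupId": "sg-good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, cidr in find_open_ingress(SAMPLE_GROUPS):
        print(f"{gid}: port {port} open to {cidr}")
```

Against a live account, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` in place of the sample list.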

jenna

Nice list, really good to know

Jason Wright

Thanks, that's one long list. This is in Lightsail, btw.

lee

No probs. Careful with Lightsail: it's brilliant for quick start etc., but ignorance is bliss, if you know what I mean..