AWS Security Guidelines

The following are basic AWS security guidelines that every developer must follow when working with AWS.

IAM

  1. Always use role-based access between AWS resources.
  2. Always create separate IAM users when giving access to multiple people.
  3. Follow the least-privilege principle when granting permissions to a user.
  4. Always have MFA enabled.

EC2

  1. Do not open security groups to the public. For example, the SSH port should be open to a specific IP, not to everyone.
  2. Do not store AWS credentials on an EC2 instance; instead, give the instance access via an IAM role.
  3. Enable EC2 volume encryption.
  4. Enable EC2 instance termination protection.

RDS

  1. Enable deletion protection on the RDS instance.
  2. Disable public access on the RDS instance.
  3. Enable encryption at rest on the RDS instance.
  4. Keep proper backups of your production RDS instance.
  5. Enable Multi-AZ for production RDS instances.
  6. Allow DB port (3306 or 5432) access only from trusted IPs or security groups.
  7. Use IAM policies to assign the permissions that determine who is allowed to manage RDS resources.
  8. Use IAM database authentication to connect to your database.
  9. Enable event notifications for important events on the RDS instance, such as the instance being shut down, a backup starting, a failover occurring, the security group changing, or storage space running low.

BastionHost/JumpBox

If you are creating EC2 or RDS instances in AWS, you should restrict public access to them.

You should always create a bastion host to provide access to the application instances.

The bastion hosts provide secure access to Linux instances located in the private and public subnets of your virtual private cloud (VPC).

To learn more, or to create a bastion host, follow the link below.

https://aws-quickstart.github.io/quickstart-linux-bastion/

Steps to create your own jumpbox:

AWS bastion hosts may come with extra cost and complexity, so you can create your own jumpbox instead.

  1. Create a t2.small instance (the jumpbox).
  2. Open port 22 in the jumpbox security group.
  3. That port should be open only to your organization's VPN or to your private static IPs.
  4. Now create your application and DB instances and open only the relevant ports on them.
  5. For example, web app instances should open ports 80 and 443 only.
  6. If you are using an ALB, the app instances should be reachable only from the ALB, over ports 80 and 443.
  7. The DB instance should open only its database port: MySQL 3306, PostgreSQL 5432, Mongo 2207, etc.
  8. The DB instance ports should be open only to the application instances.
  9. If you need SSH access to your app and DB instances, open port 22 on them to the jumpbox instance's IP only.
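The rules above can be checked mechanically. The audit below is an added example, not part of the original guidelines: it takes security groups in the shape returned by `aws ec2 describe-security-groups` and flags SSH open to the world, SSH on non-jumpbox groups that is not sourced solely from the jumpbox security group, and DB ports opened to CIDR ranges instead of the app security group. The group IDs and CIDRs in the sample are constructed.

```python
# Audit security-group ingress rules against the jumpbox guidelines (added example).
import ipaddress

SSH = 22
DB_PORTS = (3306, 5432)  # MySQL and PostgreSQL, as listed in the guidelines

def _covers(perm, port):
    """True if one ingress rule includes TCP `port` (or allows all traffic)."""
    if perm.get("IpProtocol") == "-1":          # "-1" means all protocols/ports
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_security_groups(groups, jumpbox_sg):
    """Return a list of findings; an empty list means every rule complies."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            world = any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)  # 0.0.0.0/0 or ::/0
            if _covers(perm, SSH):
                if world:
                    findings.append(f"{gid}: SSH (22) open to the world")
                elif gid != jumpbox_sg and (cidrs or any(s != jumpbox_sg for s in sources)):
                    findings.append(f"{gid}: SSH (22) allowed from something other than {jumpbox_sg}")
            for port in DB_PORTS:
                if _covers(perm, port) and cidrs:  # DB ports must be sourced from a security group
                    findings.append(f"{gid}: DB port {port} open to {cidrs}; allow the app security group only")
    return findings

# Constructed sample: one compliant jumpbox group and two violating groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-jumpbox", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},  # org VPN range (constructed)
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # violation: SSH open to the world
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},  # violation: CIDR instead of app SG
]
```

Run `audit_security_groups(SAMPLE_GROUPS, "sg-jumpbox")` to list the two violations; feed it the `SecurityGroups` array from the real CLI output to audit an account.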

Access app instances via jumpbox:

  1. Generate SSH keys on your system using the ssh-keygen command.
  2. (Optional) Connect to your organization's VPN server.
  3. SSH to the jumpbox using the jumpbox instance's pem file.
  4. Add your system's SSH public key (cat ~/.ssh/id_rsa.pub) to the jumpbox instance (sudo vi ~/.ssh/authorized_keys).
  5. Generate SSH keys on the jumpbox using the ssh-keygen command.
  6. Add the jumpbox's SSH public key (cat ~/.ssh/id_rsa.pub) to the app instance (sudo vi ~/.ssh/authorized_keys).
  7. Now you can SSH to your app instance without any pem file.

Note:

  1. Do not copy pem files onto the jumpbox.
  2. Always use separate pem files for the jumpbox and the app instances.
  3. Always create separate security groups for the jumpbox and the app instances.
  4. Always set a passphrase when creating an SSH key on your system.