
2.6 Amazon EC2 Security

Overview

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

  • Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. 
  • Security in the cloud – Your responsibility includes the following areas:
    • Controlling network access to your instances, for example, through configuring your VPC and security groups. 
    • Managing the credentials used to connect to your instances.
    • Managing the guest operating system and software deployed to the guest operating system, including updates and security patches.
    • Configuring the IAM roles that are attached to the instance and the permissions associated with those roles.

Infrastructure security

  • As a managed service, Amazon EC2 is protected by the AWS global network security procedures.
  • Use AWS published API calls to access Amazon EC2 through the network. Clients must support Transport Layer Security (TLS) 1.2 or later (TLS 1.3 is recommended) and must support cipher suites with perfect forward secrecy (PFS), such as DHE or ECDHE.
  • Additionally, requests must be signed (AWS Signature Version 4) using an access key ID and secret access key that belong to an IAM principal, or using temporary security credentials such as those obtained by assuming a role.

Network isolation

  • Use separate VPCs to isolate infrastructure by workload or organizational entity.
  • Use subnets to isolate the tiers of your application; place instances in private subnets if they should not be reachable directly from the internet.
  • To call the Amazon EC2 API from your VPC without sending traffic over the public internet, use AWS PrivateLink.

Isolation on physical hosts

  • Different EC2 instances on the same physical host are isolated from each other as though they are on separate physical hosts.

Interface VPC endpoints

  • Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access Amazon EC2 APIs by restricting all network traffic between your VPC and Amazon EC2 to the Amazon network. With interface endpoints, you also don't need an internet gateway, a NAT device, or a virtual private gateway.

Resilience

  • The AWS global infrastructure 
    • With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption.
    • If you need to replicate your data or applications over greater geographic distances, use multiple AWS Regions. (AWS Local Zones extend a Region closer to end users for low-latency workloads; they are not a substitute for multi-Region replication.)
  • In addition to the AWS global infrastructure, Amazon EC2 offers the following features to support your data resiliency:
    • Copying AMIs across Regions
    • Copying EBS snapshots across Regions
    • Automating EBS-backed AMIs using Amazon Data Lifecycle Manager
    • Automating EBS snapshots using Amazon Data Lifecycle Manager
    • Maintaining the health and availability of your fleet using Amazon EC2 Auto Scaling
    • Distributing incoming traffic across multiple instances in a single Availability Zone or multiple Availability Zones using Elastic Load Balancing

Data protection

Encryption at rest

  • Amazon EBS encryption encrypts EBS volumes and their snapshots using AWS KMS keys (the AWS managed key for EBS or a customer managed key). You can turn on encryption by default for all new volumes in a Region so that an unencrypted volume cannot be created by accident.
  • The data on NVMe instance store volumes is encrypted using an XTS-AES-256 cipher implemented on a hardware module on the instance. 
  • You cannot disable this encryption and you cannot provide your own encryption key.

Encryption in transit

  • Use an encryption protocol such as Transport Layer Security (TLS) to encrypt sensitive data in transit between clients and your instances.

IAM

  • Your security credentials identify you to services in AWS and grant you unlimited use of your AWS resources, such as your Amazon EC2 resources.
  • You can use features of Amazon EC2 and AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your Amazon EC2 resources without sharing your security credentials. 
  • Amazon EC2 enables you to specify additional AWS accounts that can use your Amazon Machine Images (AMIs) and Amazon EBS snapshots.
  • IAM enables you to do the following:
    • Create users and groups under your AWS account
    • Assign unique security credentials to each user under your AWS account
    • Control each user's permissions to perform tasks using AWS resources
    • Allow the users in another AWS account to share your AWS resources
    • Create roles for your AWS account and define the users or services that can assume them
    • Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources

IAM policies for Amazon EC2

  • By default, IAM users don't have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API.
  • To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permission to use the specific resources and API actions they'll need, and then attach those policies to the IAM users or groups that require those permissions.
  • Resource-level permissions refers to the ability to specify which resources users are allowed to perform actions on. Amazon EC2 has partial support for resource-level permissions: mutating actions such as ec2:StopInstances can be scoped to specific instance ARNs, but most Describe* actions do not support resource-level permissions and require Resource "*".
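
The following is an added Python example, not AWS code and not part of the original notes, illustrating how the bullets above play out: a simplified IAM policy evaluator (explicit Deny wins, otherwise at least one matching Allow is needed, otherwise implicit deny) run against a constructed policy that scopes Stop/Start to one instance ARN, grants Describe* on "*", and explicitly denies TerminateInstances. The account ID, instance IDs and the policy itself are made up; Condition elements, permission boundaries, SCPs and resource policies are deliberately ignored.

```python
import re

# Constructed identity-based policy (example data). Statement 1 uses a resource-level
# permission (one instance ARN); statement 2 uses Resource "*" because Describe*
# actions do not support resource-level permissions; statement 3 is an explicit Deny.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0",
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}


def _glob_to_regex(pattern):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one character."""
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"


def _matches(patterns, value, ignore_case):
    if isinstance(patterns, str):
        patterns = [patterns]
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.match(_glob_to_regex(p), value, flags) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for a single request.

    Simplified IAM evaluation: any matching statement with Effect Deny wins;
    otherwise one matching Allow is required; otherwise the default is deny.
    Conditions, boundaries, SCPs and resource-based policies are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        if not _matches(stmt["Action"], action, ignore_case=True):
            continue
        if not _matches(stmt["Resource"], resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


INSTANCE_A = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
INSTANCE_B = "arn:aws:ec2:us-east-1:111122223333:instance/i-0fedcba9876543210"
```

Stopping INSTANCE_A is allowed, stopping INSTANCE_B is implicitly denied because no statement names it, DescribeInstances is allowed on "*", and TerminateInstances is denied even for INSTANCE_A because the explicit Deny overrides everything.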

IAM roles for Amazon EC2

  • Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles as follows:
    • Create an IAM role.
    • Define which accounts or AWS services can assume the role.
    • Define which API actions and resources the application can use after assuming the role.
    • Specify the role when you launch your instance, or attach the role to an existing instance.
    • Have the application retrieve a set of temporary credentials and use them.
  • You can only attach one IAM role to an instance, but you can attach the same role to many instances.

Instance profiles

  • Amazon EC2 uses an instance profile as a container for an IAM role.
  • An instance profile can contain only one IAM role. This limit cannot be increased.
  • When you create an IAM role using the IAM console, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds.
  • If you use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions, with potentially different names.

Retrieve security credentials from instance metadata

  • An application on the instance retrieves the security credentials provided by the role from the instance metadata item iam/security-credentials/role-name, that is, http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name.
  • These security credentials are temporary and AWS rotates them automatically; the response carries an Expiration timestamp and the application must refresh the credentials before it passes.
  • The AWS SDKs, AWS CLI, and Tools for Windows PowerShell automatically get the credentials from the EC2 instance metadata service and use them.
  • Require IMDSv2 on your instances (instance metadata option HttpTokens=required). IMDSv2 is session-oriented: a PUT request obtains a token, which must then be sent in a header on every GET. The unauthenticated GET of IMDSv1 is a classic SSRF target for stealing role credentials.
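
The IMDSv2 exchange described above, as an added Python example (not AWS SDK code and not part of the original notes). It performs the PUT for a session token and the GET for the role credentials with only the standard library, and includes a constructed offline stand-in for the metadata service so the exchange can be exercised without an instance; the role name, token and key values are placeholders. Against a real instance, call fetch_role_credentials("your-role-name") with the default opener.

```python
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254/latest"
TOKEN_TTL = "21600"   # seconds; six hours is the maximum IMDSv2 accepts


def _imds(method, path, headers, opener):
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with opener(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_role_credentials(role_name, opener=urllib.request.urlopen):
    """IMDSv2: PUT for a session token, then GET the role credentials with that token.

    A plain SSRF or a misconfigured forward proxy can usually issue a GET but not a
    PUT with a custom header, which is why IMDSv2 should be required and IMDSv1
    disabled on the instance.
    """
    token = _imds("PUT", "/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL}, opener)
    body = _imds("GET", f"/meta-data/iam/security-credentials/{role_name}",
                 {"X-aws-ec2-metadata-token": token}, opener)
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned {creds.get('Code')} for role {role_name}")
    return creds   # AccessKeyId, SecretAccessKey, Token, Expiration, ...


def legacy_get_is_rejected(opener):
    """IMDSv1-style request (GET without a token) against an IMDSv2-only endpoint."""
    try:
        _imds("GET", "/meta-data/iam/security-credentials/app-role", {}, opener)
    except urllib.error.HTTPError as e:
        return e.code == 401
    return False


class _Response:
    """Minimal file-like object mimicking what urlopen returns."""
    def __init__(self, text):
        self._data = text.encode()
    def read(self):
        return self._data
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeIMDS:
    """Constructed offline stand-in for the metadata service (placeholder values only).
    It enforces the IMDSv2 contract like an instance with HttpTokens=required:
    no valid token means HTTP 401 and no credentials."""
    TOKEN = "AQAAAExampleSessionToken"
    CREDS = {"Code": "Success", "LastUpdated": "2030-01-01T00:00:00Z", "Type": "AWS-HMAC",
             "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "exampleSecret",
             "Token": "exampleSessionToken", "Expiration": "2030-01-01T06:00:00Z"}

    def __init__(self):
        self.requests = []   # (method, path, headers) as the "service" saw them

    def __call__(self, req, timeout=None):
        self.requests.append((req.get_method(), req.selector, dict(req.header_items())))
        if req.get_method() == "PUT" and req.selector == "/latest/api/token":
            if not req.get_header("X-aws-ec2-metadata-token-ttl-seconds"):
                raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", None, None)
            return _Response(self.TOKEN)
        if req.get_header("X-aws-ec2-metadata-token") != self.TOKEN:
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", None, None)
        return _Response(json.dumps(self.CREDS))
```

With FakeIMDS the recorded requests show the two-step shape: the first is a PUT to /latest/api/token carrying the TTL header, the second a GET to /latest/meta-data/iam/security-credentials/<role> carrying the token; a GET without the token is answered with 401.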

Network Access

  • To enable network access to your instance, you must allow inbound traffic to your instance.
  • To open a port for inbound traffic, add a rule to a security group that you associated with your instance when you launched it.

Key Pair

  • A key pair, consisting of a private key and a public key, is a set of security credentials that you use to prove your identity when connecting to an instance.
  • Amazon EC2 uses public-key cryptography to encrypt and decrypt login information:
    • the public key encrypts a piece of data,
    • the associated private key decrypts it,
    • together the two keys are called a key pair.
  • On Amazon Linux the initial user is ec2-user; initial access to the instance is obtained by logging in over SSH as ec2-user with the private key (other AMIs use different default users).
  • When launching a Windows instance, Amazon EC2 generates a random password for the local administrator account and encrypts the password using the public key. Initial access to the instance is obtained by decrypting the password with the private key.
  • You can have up to 5,000 key pairs per Region.
  • Because Amazon EC2 doesn't keep a copy of your private key, there is no way to recover a private key if you lose it. 
  • If you lose the private key for an EBS-backed instance, you can regain access to the instance (not supported for instances with instance-store backed root volumes):
    • stop the instance,
    • detach its root volume and attach it to another instance as a data volume,
    • mount it and add a new public key to the user's authorized_keys file (keep .ssh at mode 0700 and authorized_keys at 0600, owned by that user, or sshd will refuse the key),
    • move the volume back to the original instance and start the instance again.
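
The authorized_keys step of the recovery procedure above, as an added Python example (not from the page or from AWS). It assumes the lost-key instance's root volume is already attached to a rescue instance and mounted at some directory; the AWS CLI commands in the comment are the surrounding volume shuffle and are assumptions about your instance and volume IDs. The point the notes gloss over is permissions and ownership: sshd with StrictModes rejects an authorized_keys file that is group/world-readable or owned by the wrong uid, and the uid must be the one on the recovered volume, not on the rescue host.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed key for the demonstration; not a real key.
RECOVERY_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey00000 recovery"

# Surrounding steps (console or AWS CLI; IDs and device names are assumptions):
#   aws ec2 stop-instances --instance-ids <locked-out-instance>
#   aws ec2 detach-volume  --volume-id <root-volume>
#   aws ec2 attach-volume  --volume-id <root-volume> --instance-id <rescue-instance> --device /dev/sdf
#   (on the rescue instance) mount the volume's root partition at /mnt/recovery
#   run add_public_key("/mnt/recovery", "ec2-user", "<new public key>")
#   unmount, detach, re-attach as the root device of the original instance, start it.


def add_public_key(volume_root, username, public_key_line):
    """Append an OpenSSH public key to <user>/.ssh/authorized_keys on a root volume
    mounted at `volume_root`, with the permissions sshd's StrictModes requires."""
    line = public_key_line.strip()
    if not line.startswith(("ssh-ed25519 ", "ssh-rsa ", "ecdsa-sha2-")) or len(line.split()) < 2:
        raise ValueError("not an OpenSSH public key line")
    home = Path(volume_root) / ("root" if username == "root" else f"home/{username}")
    if not home.is_dir():
        raise FileNotFoundError(f"no home directory for {username} under {volume_root}")

    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    ssh_dir.chmod(0o700)                       # mkdir's mode is subject to umask; force it
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    if line not in existing:                   # idempotent: a second run changes nothing
        existing.append(line)
        auth.write_text("\n".join(existing) + "\n")
    auth.chmod(0o600)

    # Ownership must match the user as defined on the *recovered* volume, whose uid may
    # differ from the rescue instance's. Copy uid/gid from the home directory itself
    # rather than resolving the name against the rescue host's /etc/passwd.
    st = home.stat()
    if hasattr(os, "chown"):
        os.chown(ssh_dir, st.st_uid, st.st_gid)
        os.chown(auth, st.st_uid, st.st_gid)
    return auth


def demo():
    """Run the edit twice against a constructed fake volume and report the outcome."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "home" / "ec2-user").mkdir(parents=True)
        auth = add_public_key(root, "ec2-user", RECOVERY_KEY)
        add_public_key(root, "ec2-user", RECOVERY_KEY)
        return {
            "keys": auth.read_text().splitlines(),
            "ssh_dir_mode": stat.S_IMODE(auth.parent.stat().st_mode),
            "file_mode": stat.S_IMODE(auth.stat().st_mode),
        }
```

demo() builds a throwaway directory tree standing in for the mounted volume, adds the key twice, and returns one key line with .ssh at 0700 and authorized_keys at 0600.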

Security Groups

  • A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic.
  • Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance.
  • Security groups allow you to control traffic based on port, protocol, and source/destination.
    • port:The port number affected by this rule
    • protocol:The communications standard for the traffic affected by this rule
    • source/destination: the source for incoming traffic rules, or the destination for outgoing traffic rules. The source/destination can be defined in two ways:
    • CIDR block—An x.x.x.x/x style definition that defines a specific range of IP addresses.
    • Security group—Includes any instance that is associated with the given security group. This helps prevent coupling security group rules with specific IP addresses.
  • Historically, security groups had different capabilities depending on whether they belonged to a VPC or to EC2-Classic. EC2-Classic was retired in August 2022, so all current security groups are VPC security groups.
    • EC2-Classic security groups: controlled incoming instance traffic only
    • VPC security groups: control both incoming and outgoing instance traffic
  • For instances outside a VPC (EC2-Classic), the security group association could not be changed after launch.
  • For an instance running in a VPC, you can change which security groups are associated with it while the instance is running.
  • Security groups are associated with network interfaces. Changing an instance's security groups changes the security groups associated with the primary network interface (eth0). 

Characteristics

  • By default, security groups allow all outbound traffic. Independently of security groups, Amazon EC2 restricts outbound traffic on port 25 (SMTP) by default.
  • A security group is default deny; that is, it does not allow any traffic that is not explicitly allowed by a security group rule.
  • Security group rules are always permissive; you can't create rules that deny access.
  • If there is more than one rule for a specific port, Amazon EC2 applies the most permissive rule. 
  • Security group rules enable you to filter traffic based on protocols and port numbers.
  • Security groups are stateful—if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. 
  • Security groups are applied at the instance level
  • You can add and remove rules at any time. Your changes are automatically applied to the instances that are associated with the security group.
  • Every instance must have at least one security group but can have more.
  • When you associate multiple security groups with an instance, the rules from each security group are effectively aggregated to create one set of rules.

Connection tracking

  • Your security groups use connection tracking to track information about traffic to and from the instance. 
  • Not all flows of traffic are tracked. If a security group rule permits TCP or UDP flows for all traffic (0.0.0.0/0 or ::/0) and there is a corresponding rule in the other direction that permits all response traffic (0.0.0.0/0 or ::/0) for all ports (0-65535), then that flow of traffic is not tracked.
  • ICMP traffic is always tracked, regardless of rules.
  • An untracked flow of traffic is immediately interrupted if the rule that enables the flow is removed or modified. 
  • There is a maximum number of connections that can be tracked per instance. After the maximum is reached, any packets that are sent or received are lost because a new connection cannot be established.
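
An added Python model of the Characteristics and Connection tracking sections above (not AWS code and not from the original notes). It aggregates the permissive-only rules of every group attached to an instance, applies default deny, treats a security group as a source, reproduces the stateful "reply is allowed if the request was" behaviour, and decides whether a flow would be tracked under the rule stated above. The three sample groups and their IDs (sg-web, sg-app, sg-wide) are constructed; the port 25 restriction and the per-instance tracking limit are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security group rule. Rules are always permissive; there is no deny rule."""
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # port range for tcp/udp; ignored for "-1" and (simplified) for icmp
    to_port: int
    source: str      # CIDR ("10.0.0.0/8", "::/0") or a security group ID ("sg-...")


@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    inbound: tuple
    outbound: tuple


# Constructed sample groups; IDs are made up.
WEB_SG = SecurityGroup("sg-web",
    inbound=(Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 22, 22, "10.0.0.0/8")),
    outbound=(Rule("-1", 0, 0, "0.0.0.0/0"),))           # the default "all outbound" rule
APP_SG = SecurityGroup("sg-app",
    inbound=(Rule("tcp", 8080, 8080, "sg-web"),),         # source is a group, not a CIDR
    outbound=(Rule("-1", 0, 0, "0.0.0.0/0"),))
WIDE_OPEN_SG = SecurityGroup("sg-wide",                    # produces untracked TCP flows
    inbound=(Rule("tcp", 0, 65535, "0.0.0.0/0"),),
    outbound=(Rule("tcp", 0, 65535, "0.0.0.0/0"),))


def _rule_matches(rule, protocol, port, peer_ip, peer_groups):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # Matches any interface carrying that group, whatever its IP address.
        return rule.source in peer_groups
    # ip_network containment is False across address families, so a v4 peer never
    # matches a ::/0 rule and vice versa.
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.source)


def inbound_allowed(groups, protocol, port, src_ip, src_groups=()):
    """Rules of all attached groups are aggregated; one permissive match suffices.
    No match means the default deny applies (nothing can override a match)."""
    return any(_rule_matches(r, protocol, port, src_ip, src_groups)
               for g in groups for r in g.inbound)


def outbound_allowed(groups, protocol, port, dst_ip, dst_groups=()):
    return any(_rule_matches(r, protocol, port, dst_ip, dst_groups)
               for g in groups for r in g.outbound)


def reply_allowed(groups, protocol, port, peer_ip, request_inbound, peer_groups=()):
    """Stateful behaviour: the reply to an allowed request is allowed in the opposite
    direction regardless of the rules there, so only the request direction is checked."""
    if request_inbound:
        return inbound_allowed(groups, protocol, port, peer_ip, peer_groups)
    return outbound_allowed(groups, protocol, port, peer_ip, peer_groups)


def _permits_everything(rules, protocol, anywhere):
    for r in rules:
        if r.protocol not in ("-1", protocol) or r.source != anywhere:
            continue
        if r.protocol == "-1" or (r.from_port == 0 and r.to_port == 65535):
            return True
    return False


def flow_is_tracked(groups, protocol, peer_ip):
    """TCP/UDP flows are untracked only when both directions permit all traffic to/from
    anywhere (same address family) on all ports; ICMP flows are always tracked."""
    if protocol == "icmp":
        return True
    anywhere = "::/0" if ipaddress.ip_address(peer_ip).version == 6 else "0.0.0.0/0"
    inbound = [r for g in groups for r in g.inbound]
    outbound = [r for g in groups for r in g.outbound]
    return not (_permits_everything(inbound, protocol, anywhere)
                and _permits_everything(outbound, protocol, anywhere))
```

Two consequences worth seeing in the output: an instance with APP_SG alone rejects port 8080 from any IP unless the sender carries sg-web, and WIDE_OPEN_SG's TCP flows are untracked while its UDP, ICMP and IPv6 flows stay tracked because only the IPv4 TCP rule pair is all-ports in both directions. Untracked flows are the ones cut off immediately when the enabling rule is edited.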

Default and custom security groups

  • Your AWS account automatically has a default security group for the default VPC in each Region.
  • Default rules for a default security group:
    • Allows inbound traffic from network interfaces and instances that are assigned to the same security group.
    • Allows all outbound IPv4 traffic (0.0.0.0/0)
    • Allows all outbound IPv6 traffic. (::/0)
  • You can add or remove inbound and outbound rules for any default security group.
  • You can't delete a default security group.
  • The following are the default rules for a custom security group:
    • Allows no inbound traffic
    • Allows all outbound traffic

Reference

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security.html
