Adam

Reputation: 20952

Amazon Community AMIs + Security

I'm looking to launch a Linux EC2 instance.

Although I understand Linux quite well, my ability to secure/harden a Linux OS would undoubtedly leave me vulnerable to attack, e.g. there are others who know more about Linux security than me.

I'm looking to just run Linux, Apache & PHP5.

Are there any recommended Amazon AMIs that would come pre-hardened running Linux/Apache/PHP or something similar to this?

Any advice would be greatly appreciated.

Thank you

Upvotes: 2

Views: 1180

Answers (4)

jorfus

Reputation: 3088

One of the things I like most about using Amazon is how quickly and easily I can restrict my attack surface. I've made a prioritized list here. Near the end it gets a bit advanced.

  • Launch in a VPC
  • Put your web server behind a load balancer, ELB or ALB (terminate SSL there too)
  • Only allow web traffic from your load balancer
  • Create a restrictive security group. The only things allowed into your host should be incoming traffic from the load balancer and ssh from your IP (or your DHCP subnet if your ISP does not offer a static address)
  • Enable automatic security updates
    • yum-cron (Amazon Linux)
    • or unattended-upgrades (Ubuntu)
  • Harden ssh
    • disallow root login and default Amazon accounts
    • disallow password login in favor of ssh keys
  • Lock down your AWS root account with 2FA and a long password.
  • Create and use IAM credentials for day-to-day operations
  • If you have a data layer, deploy encrypted RDS and put it in a private subnet
  • Explore connecting to RDS with IAM credentials (no more DB password saved in a conf file)
  • Check out YubiKey for 2FA ssh.

Advanced: For larger or more important deployments you might consider using something like ThreatStack. They can warn you of AWS misconfig (S3 bucket containing customer data open to the world?) and security vulnerabilities in packages on your hosts. They also alert on signals of compromise and keep a command log, which is useful for investigating security incidents.

Upvotes: 0
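As an added example (not part of the answer above), this Python sketch audits one security group against the rules in that list: web ports reachable only from the load balancer's group, ssh only from the admin address, nothing else. The input uses the field names of an `aws ec2 describe-security-groups` response; the group IDs and addresses are constructed placeholders.

```python
import ipaddress

WEB_PORTS = {80, 443}
SSH_PORT = 22

def audit_group(group, lb_group_id, admin_cidr):
    """Return findings for one group from a describe-security-groups response."""
    admin_net = ipaddress.ip_network(admin_cidr, strict=False)
    findings = []
    for perm in group.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        peers = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        # Anything other than a single web or ssh TCP port is outside the allowed set.
        if proto != "tcp" or lo != hi or lo not in WEB_PORTS | {SSH_PORT}:
            findings.append(f"unexpected rule: proto={proto} ports={lo}-{hi}")
            continue
        if lo == SSH_PORT:
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
                if net.version != admin_net.version or not net.subnet_of(admin_net):
                    findings.append(f"ssh open to {cidr}, expected {admin_cidr}")
            findings += [f"ssh open to group {g}" for g in peers]
        else:  # web port: only the load balancer's group may be a source
            findings += [f"port {lo} open to {c}, bypassing the load balancer" for c in cidrs]
            findings += [f"port {lo} open to group {g}" for g in peers if g != lb_group_id]
    return findings

# Constructed sample: group IDs and CIDRs are placeholders, not real resources.
SAMPLE_GROUP = {
    "GroupId": "sg-web-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": "sg-lb-example"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP, "sg-lb-example", "203.0.113.7/32"):
        print(finding)
```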

Kevin Willock

Reputation: 1958

Here is an older article regarding this (I haven't read it, but it's probably a good place to start): http://media.amazonwebservices.com/Whitepaper_Security_Best_Practices_2010.pdf

I would recommend a few best practices off the top of my head:

1) Move to VPC, and control inbound and outbound access.

2a) Disable password authentication in SSH & only allow SSH from known IPs

2b) If you cannot limit SSH access via IP (due to roaming etc.), allow password authentication and use Google Authenticator to provide multi-factor authentication.

3) Put an elastic load balancer in front of all public facing websites, and disable access to those servers except from the ELB

4) Create a central logging server, that holds your logs in a different location in case of attack.

5) Change all system passwords every 3 months

6) Employ an IDS; as a simple place to start I would recommend Tripwire.

7) Check for updates regularly (you can employ a monitoring system like Nagios w/NRPE to do this on all your servers). If you're not a security professional you probably don't have time to be reading bugtraq all day, so use the services provided by your OS (CentOS/RHEL it's yum)

8) Periodically (every quarter) do an external vulnerability assessment. You can learn and use Nessus yourself (for non-corporate use) or use a third party such as Qualys.

If you're concerned and in doubt, contract a security professional for an audit. This shouldn't be too cost prohibitive and can give you some great insight.

Upvotes: 3
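As an added example (not part of either answer), this Python sketch checks an `sshd_config` for the key-only setup from item 2a above and from the "Harden ssh" list in the earlier answer. It assumes a single file with no `Include` directives, uses the OpenSSH 7.0+ defaults for absent keywords, and only reads the global section before the first `Match` block. The sample config is constructed to show that sshd uses the first value it sees for a keyword.

```python
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no"}
# Values sshd falls back to when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective_settings(text):
    """Resolve the global values sshd would use for the audited keywords."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # Match blocks are conditional overrides
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)     # first occurrence wins, later ones are ignored
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit_sshd(text):
    """Return one finding per keyword whose effective value is not the required one."""
    eff = effective_settings(text)
    return [f"{k} is '{eff[k]}', expected '{want}'"
            for k, want in REQUIRED.items() if eff[k].lower() != want]

# Constructed sample: a "no" appended below an earlier "yes" has no effect.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_CONFIG):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser is for reviewing a file before it is deployed.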

Izack

Reputation: 843

You have to understand 2 things:

  • Tight security makes life hard for attackers as well as for you...
  • Security is an ongoing task.
    Having your server secure at a specific point in time doesn't say anything about the future.
    New exploits and patches are published every day, and a lot of "development" acts render security unstable.

Solution?
You might consider services like https://pagodabox.com/
where you get specific PHP resources without having to manage Linux/security and so on...


Edit:
Just to emphasize...
Running a production system, where you are responsible for the ongoing security of the site, forces you to do much more than starting up with a secure instance!
Otherwise, your site will become much less secure as time passes (and as more people learn about it).
As I see it (for a real production site), you have 2 options:

  • Get a security expert (in-house or freelance) who will check your site regularly and apply needed patches and so on.
  • Get a hosting service that will manage the security aspect for you.
    I pointed to one service like that, where you can put your PHP code in and they will take care of everything else for you.
    I would check this type of service for every production site that doesn't have the ability to get real periodic security checkups/fixes.

Security is a very complex field... do not underestimate the risks...

Upvotes: 1

Roman Newaza

Reputation: 11700

Actually, you can always relaunch your server from a pre-configured AMI if something happens. It can be done very easily with Auto Scaling, for example. Use SSH Without a Password. Adjust your Security Groups accordingly. Here's a good article on Securing Your EC2 Instance.

Upvotes: 1
