Cloud - Managing Host Security
Host-Level Security in AWS
Host-level security focuses on protecting individual EC2 instances through vulnerability management, patching, and granular traffic control.
1. Key Techniques & Tools
- Vulnerability Scanning: Use Amazon Inspector to continuously scan instances for known software vulnerabilities (CVEs) and for unintended network exposure, and to report them with a severity score.
- Patch Management: Use AWS Systems Manager Patch Manager to schedule and automate OS and package patching across thousands of hosts, with the SSM Agent applying the baseline instead of an administrator logging in.
2. Security Groups (The Host Firewall)
Security Groups are the primary host-level firewall for EC2 instances; they attach to the instance's network interface. They are stateful: if an inbound request is allowed, the reply traffic is allowed out automatically (and vice versa), regardless of the rules in the other direction.
- Create a role-specific Security Group (one per tier: web, app, database) rather than one shared group.
- Allow only the ports the role needs (e.g., 443 for a web tier).
- Restrict administrative access (SSH/RDP) to specific IP ranges, never to the whole internet.
- Chain Security Groups: allow database access only from the web tier's Security Group by using that group as the rule's source instead of a CIDR.
3. Difference between NACL and Security Groups
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance network interface (Host) | Subnet (Network) |
| State | Stateful: return traffic is allowed automatically | Stateless: return traffic (including replies to clients' ephemeral ports) needs its own rule |
| Rules | Allow only (implicit deny) | Allow and Deny |
| Evaluation | All rules evaluated; any matching allow permits the traffic | Rules processed in ascending number order; first match wins, then the default `*` rule denies |
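The stateful/stateless and rule-ordering differences in the table are easy to get wrong in practice, so here is a small model of both evaluation algorithms. This is an added example, not AWS code or code from the original page; the rule sets, addresses and the ephemeral port are constructed, and `nacl_allows` models the catch-all `*` rule as "nothing matched, deny".

```python
"""Stateful (Security Group) vs stateless (Network ACL) rule evaluation, modelled
on how EC2 behaves. Added illustration; all rule sets below are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    number: int      # NACL rule number; ignored for Security Groups
    action: str      # "allow" or "deny" (Security Groups only ever use "allow")
    proto: str       # "tcp" in these examples
    port_from: int
    port_to: int
    cidr: str

    def matches(self, proto: str, port: int, ip: str) -> bool:
        return (self.proto == proto
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def security_group_allows(rules, proto, port, ip) -> bool:
    """Security Group: every rule is evaluated; any matching allow permits;
    there are no deny rules, so anything unmatched is implicitly denied."""
    return any(r.action == "allow" and r.matches(proto, port, ip) for r in rules)


def nacl_allows(rules, proto, port, ip) -> bool:
    """Network ACL: rules are tried in ascending number order and the first
    match decides; if nothing matches, the default '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(proto, port, ip):
            return r.action == "allow"
    return False


@dataclass
class Connection:
    client_ip: str
    client_port: int    # ephemeral source port chosen by the client
    server_ip: str
    server_port: int


def sg_permits(inbound, outbound, conn: Connection) -> bool:
    """Stateful: once the inbound request is allowed, the reply is permitted by
    connection tracking; the outbound rules are not consulted for it."""
    return security_group_allows(inbound, "tcp", conn.server_port, conn.client_ip)


def nacl_permits(inbound, outbound, conn: Connection) -> bool:
    """Stateless: the inbound request AND the outbound reply (to the client's
    ephemeral port) must each match an explicit allow rule."""
    request_ok = nacl_allows(inbound, "tcp", conn.server_port, conn.client_ip)
    reply_ok = nacl_allows(outbound, "tcp", conn.client_port, conn.client_ip)
    return request_ok and reply_ok


# Constructed rule sets (not from the page).
WEB_SG_INBOUND = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
WEB_SG_OUTBOUND = []    # nothing needed for replies: the SG is stateful

NACL_INBOUND = [
    Rule(90, "deny", "tcp", 22, 22, "203.0.113.0/24"),   # evaluated before rule 100
    Rule(100, "allow", "tcp", 22, 22, "0.0.0.0/0"),
    Rule(110, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
NACL_OUTBOUND_BROKEN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]   # forgot ephemeral ports
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]

HTTPS = Connection("198.51.100.7", 51515, "10.0.1.10", 443)


def demo() -> dict:
    return {
        "sg_https": sg_permits(WEB_SG_INBOUND, WEB_SG_OUTBOUND, HTTPS),                 # True
        "nacl_https_broken": nacl_permits(NACL_INBOUND, NACL_OUTBOUND_BROKEN, HTTPS),   # False: reply dropped
        "nacl_https_fixed": nacl_permits(NACL_INBOUND, NACL_OUTBOUND_FIXED, HTTPS),     # True
        # Ordering: the lower-numbered deny wins for this source even though
        # rule 100 allows SSH from anywhere.
        "nacl_ssh_blocked_range": nacl_allows(NACL_INBOUND, "tcp", 22, "203.0.113.5"),  # False
        "nacl_ssh_other": nacl_allows(NACL_INBOUND, "tcp", 22, "198.51.100.7"),         # True
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "broken" NACL is the classic mistake: inbound 443 is open, the server answers, and the reply to the client's ephemeral port is dropped by the outbound `*` deny. A Security Group with the same single inbound rule works because it tracks the connection.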
How to Create an AWS Security Group for HTTP Traffic
Follow these steps to create a virtual firewall that permits web traffic to reach your resources.
1. Access the Dashboard
Log in to the AWS Management Console. Search for VPC or EC2 and navigate to the Security Groups link in the left-hand sidebar.
2. Initiate Creation
Click the orange Create security group button located at the top right of the screen.
3. Configure Basic Details
- Name: web-server-public-http
- Description: Allow public HTTP traffic on Port 80
- VPC: Select the VPC where your resource is located.
4. Configure Inbound Rules
Click Add rule and set the following:
- Type: Select HTTP (automatically sets Port 80).
- Source: Select Anywhere-IPv4 (fills in 0.0.0.0/0).
5. Review and Save
Leave Outbound rules as default (Allow All) and click Create security group at the bottom of the page.
⚠️ Security Best Practice
Ensure you do not open Port 22 (SSH) to the entire internet (0.0.0.0/0). Only open administrative ports to your specific IP address to prevent brute-force attacks.
Amazon S3 Data Encryption & AWS KMS
Ensuring Data Security and Compliance in the Cloud
AWS provides several layers of encryption to protect data in Amazon S3, ensuring that even if physical disks were compromised, the data remains unreadable and secure.
1. How S3 Buckets are Encrypted
Since January 2023, S3 applies server-side encryption to every new object by default (SSE-S3 unless the bucket specifies otherwise). Data is encrypted at the object level as it is written to disk and decrypted transparently when an authorized principal reads it. The three primary key management options are:
- SSE-S3 (AES-256): AWS manages both the data and the encryption keys. Nothing to configure and no KMS quota to think about, but also no per-key access control and no key-use audit trail.
- SSE-KMS: Encryption uses a key in AWS Key Management Service (the AWS managed aws/s3 key or a customer managed key), giving you key policies and CloudTrail logging of every key use.
- SSE-C: You supply your own key in the request headers over HTTPS; S3 encrypts or decrypts with it and does not store the key, so you must present the same key on every GET. Lose the key and the object is unrecoverable.
2. The Role of AWS KMS in S3 Encryption
Using a KMS key rather than SSE-S3 adds control and auditability: the key policy and IAM decide who may use the key separately from who may reach the bucket, every GenerateDataKey and Decrypt call is recorded in AWS CloudTrail, and the key can be rotated, or disabled to revoke access to every object it protects at once.
3. CMK vs. Data Keys (Envelope Encryption)
Understanding the relationship between keys is essential for mastering Envelope Encryption:
- The KMS key (historically called the CMK, "customer master key"; the Master Lock): Lives inside AWS KMS and never leaves it in plaintext. It is used only to encrypt and decrypt other keys, never the object data itself.
- The Data Key (the Individual Lock): A unique key generated for every object uploaded. (With S3 Bucket Keys enabled, S3 instead obtains one bucket-level key from KMS and derives the per-object keys from it, which is why Bucket Keys cut KMS request costs.)
The Process Flow:
- On upload, S3 requests a data key from KMS (GenerateDataKey).
- KMS returns a plaintext version and an encrypted version of the data key.
- S3 uses the plaintext key to encrypt the object, then purges the plaintext key from memory.
- S3 stores the encrypted data key as metadata alongside the encrypted object.
- On download, S3 sends the encrypted data key back to KMS (Decrypt). Only a caller the key policy permits gets the plaintext key back, and S3 then decrypts the object with it.
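The flow above, reconstructed end to end so the roles of the two keys are visible. This is an added example, not code from the page or from AWS: `KmsStub` stands in for KMS (its master key never leaves the object, and its `calls` list plays the part of CloudTrail), and because the Python standard library has no AES, the AES-GCM that S3 uses is replaced by an HMAC-SHA256 counter-mode stream cipher with an HMAC tag (encrypt-then-MAC), a sound but deliberately simple stand-in. The metadata name `wrapped-data-key` and the sample object are constructed.

```python
"""Envelope encryption as S3 + KMS use it, modelled locally. Added example.
Standard library only: AES-GCM is replaced by HMAC-SHA256 in counter mode plus
an HMAC tag (encrypt-then-MAC). KmsStub stands in for AWS KMS."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one 256-bit key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (authenticated encryption stand-in)."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class KmsStub:
    """Stands in for AWS KMS: the master (KMS) key never leaves this object."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.calls = []                      # stands in for CloudTrail's record of key use

    def generate_data_key(self):
        """Like kms:GenerateDataKey: returns (Plaintext, CiphertextBlob)."""
        data_key = secrets.token_bytes(32)
        self.calls.append("GenerateDataKey")
        return data_key, seal(self._master, data_key)

    def decrypt(self, wrapped: bytes) -> bytes:
        """Like kms:Decrypt: unwrap a data key under the master key."""
        self.calls.append("Decrypt")
        return unseal(self._master, wrapped)


def s3_put_object(kms: KmsStub, body: bytes) -> dict:
    """Write path: get a data key, encrypt the object with its plaintext half,
    store only the wrapped half as metadata, drop the plaintext key."""
    plaintext_key, wrapped_key = kms.generate_data_key()
    ciphertext = seal(plaintext_key, body)
    del plaintext_key                        # purged; only the wrapped copy persists
    return {"Body": ciphertext, "Metadata": {"wrapped-data-key": wrapped_key}}


def s3_get_object(kms: KmsStub, stored: dict) -> bytes:
    """Read path: KMS unwraps the stored data key, then the object is decrypted."""
    data_key = kms.decrypt(stored["Metadata"]["wrapped-data-key"])
    return unseal(data_key, stored["Body"])


def roundtrip(body: bytes = b"constructed object contents") -> dict:
    kms = KmsStub()
    stored = s3_put_object(kms, body)
    recovered = s3_get_object(kms, stored)
    # Flip one bit of the stored ciphertext: the tag check must reject it.
    blob = stored["Body"]
    tampered = dict(stored, Body=blob[:20] + bytes([blob[20] ^ 1]) + blob[21:])
    try:
        s3_get_object(kms, tampered)
        detected = False
    except ValueError:
        detected = True
    return {"recovered": recovered, "tamper_detected": detected, "kms_calls": kms.calls}


if __name__ == "__main__":
    print(roundtrip())
```

Note what the structure buys you: the object store never holds a usable key, every read still has to go through KMS (and is therefore logged and subject to the key policy), and disabling the master key makes every wrapped data key, and so every object, unreadable at once.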
4. Steps to Create an S3 Bucket with AWS KMS Encryption
Navigate to the KMS Console > Customer managed keys > Create key. Select Symmetric, define the key administrators and the key users, and copy the Key ARN. The principals that will upload or download objects need kms:GenerateDataKey and kms:Decrypt on this key (via the key policy or IAM); without them, requests fail with access denied even when the caller has full S3 permissions.
Go to the S3 Console, click Create bucket, and enter a unique name and region.
In the Default encryption section, select Enable and choose SSE-KMS. Select your custom KMS key alias. Enable Bucket Key to reduce KMS costs.
Review settings like "Block Public Access" and click Create bucket.
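The console steps above, expressed as the API configuration and a drift check. This is an added example, not code from the page or from AWS: `encryption_configuration` produces the `ServerSideEncryptionConfiguration` argument that `boto3` `put_bucket_encryption` takes, `deny_other_encryption_policy` produces a bucket policy that refuses uploads explicitly asking for a different algorithm, and `check_bucket_encryption` audits a `get_bucket_encryption`-shaped response. The key ARN, bucket name and the two sample responses are constructed.

```python
"""SSE-KMS default encryption for an S3 bucket as code, plus a drift check.
Added example; KEY_ARN, the bucket name and the sample responses are constructed."""
import json


def encryption_configuration(kms_key_arn: str) -> dict:
    """ServerSideEncryptionConfiguration for put_bucket_encryption:
    SSE-KMS with the given customer managed key and S3 Bucket Key enabled."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": kms_key_arn,
        },
        "BucketKeyEnabled": True,
    }]}


def deny_other_encryption_policy(bucket: str) -> dict:
    """Bucket policy complementing default encryption. Default encryption only
    covers uploads that send no SSE header; this statement additionally denies
    uploads that explicitly request an algorithm other than aws:kms."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyExplicitNonKmsUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {
            "Null": {"s3:x-amz-server-side-encryption": "false"},           # header present...
            "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"},   # ...and not KMS
        },
    }]}


def check_bucket_encryption(response: dict, expected_key_arn: str) -> list:
    """Findings for a get_bucket_encryption response; an empty list is compliant."""
    findings = []
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption rule (objects fall back to SSE-S3)"]
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm != "aws:kms":
            findings.append(f"algorithm is {algorithm}, expected aws:kms")
        elif default.get("KMSMasterKeyID") != expected_key_arn:
            findings.append(f"key is {default.get('KMSMasterKeyID')}, expected {expected_key_arn}")
        if not rule.get("BucketKeyEnabled", False):
            findings.append("BucketKeyEnabled is off: every object costs a KMS request")
    return findings


# Constructed identifiers and responses (not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
COMPLIANT = {"ServerSideEncryptionConfiguration": encryption_configuration(KEY_ARN)}
DRIFTED = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},   # someone reset it to SSE-S3
    "BucketKeyEnabled": False,
}]}}


if __name__ == "__main__":
    print(json.dumps(encryption_configuration(KEY_ARN), indent=2))
    print(json.dumps(deny_other_encryption_policy("example-bucket"), indent=2))
    print("compliant:", check_bucket_encryption(COMPLIANT, KEY_ARN))
    print("drifted:  ", check_bucket_encryption(DRIFTED, KEY_ARN))
```

To apply it for real, pass the first dict to `put_bucket_encryption(Bucket=..., ServerSideEncryptionConfiguration=...)`, the policy to `put_bucket_policy` as a JSON string, and feed `get_bucket_encryption` output into `check_bucket_encryption` from a scheduled job so a reset to SSE-S3 shows up instead of going unnoticed.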