In this blog post, we will take a look at the top 13 AWS EC2 misconfigurations that you should avoid. Let us brush up our knowledge on what AWS EC2 is first.
We will be covering the following topics:
- What is AWS EC2?
- The 13 Common AWS EC2 Misconfigurations
- How Can Cloudanix Help?
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides a secure and resizable compute capacity in the cloud. In other words, Amazon allows users to rent virtual computers (called EC2 instances) on which they can run their applications. This eliminates your need to invest in hardware resources as you can rely on these virtual servers for your storage and configure your security. The aim of AWS EC2 is to make web-scale distributed computing simpler for developers. The "pay-as-you-go" model of AWS EC2 makes it even more popular.
Even with a well-run service, keeping it truly secure requires specific measures on your side too. Below are the top 13 common AWS EC2 misconfigurations; avoiding them will help you achieve security, efficiency, cost optimization, and adherence to various compliance standards.
- Public Snapshots
- Non-public EC2 AMI
- Encrypted AMI
- Not using default VPC
- AMI Age
- Scheduled Events
- EC2 Instance Not In Public Subnet
- Unrestricted Netbios Access
- Unrestricted Outbound Access
- EC2 Reserved Instance Payment Pending
- EC2 IAM Roles
- Unrestricted CIFS Access
- EC2 Reserved Instance Payment Failed
Let us take a look at them one by one in detail.
The very first EC2 misconfiguration you should avoid is making your snapshots public. Ensure that your EC2 instance snapshots are not publicly accessible. Public snapshots can expose personal and sensitive information, violating compliance standards like GDPR, NIST, and PCI DSS, and such violations can result in hefty fines and litigation.
The next most common EC2 misconfiguration is publicly sharing your Amazon Machine Images (AMIs). AMIs should not be shared publicly with other AWS accounts, to prevent exposing sensitive data. Keeping them private is a requirement of the NIST, APRA, and MAS compliance standards.
Staying with AMIs, leaving them unencrypted is another misconfiguration. When dealing with sensitive data that is crucial to your business, encrypting AMIs is necessary to protect that data from attackers. Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption; the standards that require this are NIST, PCI, APRA, MAS, HIPAA, and GDPR.
Using the default VPC is a misconfiguration you should avoid; it is recommended not to use the default VPC. Compliance with this policy is also required by APRA, MAS, and NIST.
Your AMI should not be older than a given number of days. You can set this value as you see fit; however, we recommend not having an AMI older than 180 days. Using up-to-date AMIs ensures that the EC2 instances you deploy are secure and reliable. Overcoming this misconfiguration is one step towards achieving NIST, APRA, and MAS compliance.
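As an added example that is not code from this post or from Cloudanix, the following Python runs the four AMI and snapshot checks above (public AMI, public snapshot, unencrypted volumes, AMI age) against data in the shape of the EC2 describe_images response and the CreateVolumePermissions list returned by describe_snapshot_attribute. The image and snapshot ids, account id and dates are constructed; the 180-day threshold is the one the post recommends.

```python
from datetime import datetime, timezone

MAX_AMI_AGE_DAYS = 180  # threshold recommended in the post

# Constructed sample data shaped like describe_images output and the
# CreateVolumePermissions list from describe_snapshot_attribute; ids are made up.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0old", "Public": True, "CreationDate": "2020-03-01T12:00:00.000Z",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda",
          "Ebs": {"SnapshotId": "snap-0old", "Encrypted": False}}]},
    {"ImageId": "ami-0new", "Public": False, "CreationDate": "2023-12-01T12:00:00.000Z",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda",
          "Ebs": {"SnapshotId": "snap-0new", "Encrypted": True}},
         {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"}]},  # instance store
]
SAMPLE_SNAPSHOT_PERMS = {
    "snap-0old": [{"Group": "all"}],            # shared with everyone
    "snap-0new": [{"UserId": "123456789012"}],  # shared with one account only
}

def parse_creation_date(value):
    """EC2 returns ISO 8601 timestamps with milliseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit_images(images, snapshot_perms, now=None, max_age_days=MAX_AMI_AGE_DAYS):
    """Return {image_id: [finding, ...]} for the public, age, encryption and
    snapshot-sharing checks described above."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for img in images:
        issues = []
        if img.get("Public"):
            issues.append("ami-public")
        if (now - parse_creation_date(img["CreationDate"])).days > max_age_days:
            issues.append(f"ami-older-than-{max_age_days}d")
        for bdm in img.get("BlockDeviceMappings", []):
            ebs = bdm.get("Ebs")
            if not ebs:
                continue  # instance-store mapping: nothing to encrypt or share
            if not ebs.get("Encrypted", False):
                issues.append(f"unencrypted-volume:{bdm['DeviceName']}")
            perms = snapshot_perms.get(ebs.get("SnapshotId"), [])
            if any(p.get("Group") == "all" for p in perms):
                issues.append(f"public-snapshot:{ebs['SnapshotId']}")
        findings[img["ImageId"]] = issues
    return findings
```

Against a live account the same functions take the lists returned by boto3's describe_images (Owners=["self"]) and describe_snapshot_attribute calls.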
Not taking any action on AWS EC2 scheduled events results in unexpected downtime, which in turn lowers availability and reliability. You should take the necessary steps on EC2 instances that are scheduled for retirement and/or maintenance.
Backend instances should not be running in public subnets; keeping them out of public subnets will help you maintain security. Backend instances are EC2 instances that should run in a private subnet (i.e., behind a NAT gateway). Backend instances, such as database, API, or caching servers, do not require direct access to the public internet.
No AWS EC2 security group should allow unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS). Failure to resolve this misconfiguration can have devastating consequences, such as Denial of Service (DoS) attacks, man-in-the-middle (MITM) attacks, and data breaches. Furthermore, this misconfiguration violates a host of compliance standards, including PCI, APRA, MAS, NIST, and SOC2.
EC2 security groups should not allow unrestricted outbound/egress access. This check maps to the logical-access control objective that reads: the entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
Ensuring that none of your AWS EC2 Reserved Instance purchases have a pending status helps you implement cost optimization. Furthermore, it also helps you comply with APRA, MAS, and AWAF.
IAM roles (instance profiles) should be used instead of IAM access keys to grant the appropriate permissions to any application running on your EC2 instances that performs AWS API requests.
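As an added example that is not part of the original post or Cloudanix's product, this Python checks the three placement and identity points above (default VPC, backend instance in a public subnet, missing instance profile) against constructed describe_vpcs, describe_route_tables and describe_instances data. The ids are made up, and the Tier=backend tag is an assumed naming convention for telling backend instances apart; the public-subnet test follows the VPC routing rule that an explicit subnet association overrides the VPC's main route table.

```python
# Constructed sample data shaped like describe_vpcs, describe_route_tables and
# describe_instances output; ids are made up and Tier=backend is an assumed tag.
SAMPLE_VPCS = [{"VpcId": "vpc-0dflt", "IsDefault": True}, {"VpcId": "vpc-0app", "IsDefault": False}]
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-0dflt", "Associations": [{"Main": True}],   # default VPC main table
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}]},
    {"VpcId": "vpc-0app", "Associations": [{"Main": False, "SubnetId": "subnet-0priv"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0web", "VpcId": "vpc-0dflt", "SubnetId": "subnet-0pub",
     "Tags": [{"Key": "Tier", "Value": "backend"}]},
    {"InstanceId": "i-0db", "VpcId": "vpc-0app", "SubnetId": "subnet-0priv",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/db"},
     "Tags": [{"Key": "Tier", "Value": "backend"}]},
]

def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def is_public_subnet(route_tables, vpc_id, subnet_id):
    """Public means the effective route table has an internet-gateway route (NAT alone is private)."""
    rt = route_table_for_subnet(route_tables, vpc_id, subnet_id)
    return rt is not None and any(
        r.get("GatewayId", "").startswith("igw-") for r in rt.get("Routes", []))

def audit_instances(instances, vpcs, route_tables):
    default_vpcs = {v["VpcId"] for v in vpcs if v.get("IsDefault")}
    findings = {}
    for inst in instances:
        issues = []
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if inst["VpcId"] in default_vpcs:
            issues.append("in-default-vpc")
        if tags.get("Tier") == "backend" and is_public_subnet(route_tables, inst["VpcId"], inst["SubnetId"]):
            issues.append("backend-in-public-subnet")
        if not inst.get("IamInstanceProfile"):  # no role attached: app must be using access keys
            issues.append("no-instance-profile")
        findings[inst["InstanceId"]] = issues
    return findings
```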
No AWS EC2 security group should allow unrestricted inbound access to TCP port 445 (CIFS). Failure to resolve this misconfiguration can have devastating consequences, such as Denial of Service (DoS) attacks, man-in-the-middle (MITM) attacks, and data breaches. Furthermore, this misconfiguration violates a host of compliance standards, including PCI, APRA, MAS, and NIST.
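The NetBIOS, egress and CIFS rules above, as an added example that is not the post's or Cloudanix's code: this Python evaluates constructed describe_security_groups data for inbound rules exposing UDP 137/138 or TCP 139/445 to 0.0.0.0/0 or ::/0, handling port ranges and the all-protocols "-1" rule, and flags egress rules that allow every port to anywhere. Group ids and rules are made up for the example.

```python
# Constructed sample data shaped like describe_security_groups output (ids and rules made up).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0file", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 137, "ToPort": 139,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0app", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
# (protocol, port) pairs the post says must never be open to the world
SENSITIVE_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

def is_unrestricted(rule):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANY_CIDRS for c in cidrs)

def rule_covers(rule, proto, port):
    # IpProtocol "-1" is all protocols and all ports and carries no From/ToPort keys
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == proto and rule["FromPort"] <= port <= rule["ToPort"]

def is_all_ports(rule):
    return rule["IpProtocol"] == "-1" or (
        rule.get("FromPort") == 0 and rule.get("ToPort") == 65535)

def audit_security_groups(groups):
    """Return {group_id: sorted findings} for the NetBIOS, CIFS and egress checks."""
    findings = {}
    for sg in groups:
        issues = set()
        for rule in filter(is_unrestricted, sg.get("IpPermissions", [])):
            for proto, port in SENSITIVE_PORTS:
                if rule_covers(rule, proto, port):
                    issues.add(f"inbound-{proto}-{port}-open-to-world")
        if any(is_unrestricted(r) and is_all_ports(r)
               for r in sg.get("IpPermissionsEgress", [])):
            issues.add("unrestricted-egress")
        findings[sg["GroupId"]] = sorted(issues)
    return findings
```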
Ensuring that none of your AWS EC2 Reserved Instance purchases have failed helps you implement cost optimization. Furthermore, it also helps you comply with APRA, MAS, and AWAF.
EC2 misconfiguration issues are not new; they have been the largest issue organizations have faced for years. It is essential to understand what they are and why acting on them immediately is necessary. Cloudanix provides you with an EC2 recipe that helps audit your AWS account for these misconfigurations and more! We also help you remediate these misconfigurations in an automated way! You can sign up for a free trial today!