AWS EC2 Audit

Amazon EC2 Audit (Security Checklist)

With over 500 instance types and a choice of the latest processors, storage, networking, operating systems, and purchase models to match the needs of your workload, Amazon Elastic Compute Cloud (Amazon EC2) is the most comprehensive and deepest compute platform available.

Amazon Elastic Compute Cloud (EC2) is a well-known web service that offers computational capabilities via virtual machines or instances in the Amazon Web Services cloud. The simplicity with which EC2 computing resources can be scaled is one of the reasons for their widespread adoption in diverse businesses.

What is the purpose of Amazon EC2?

Amazon EC2 is a computing powerhouse. Some of its most important benefits are:

  • High scalability: AWS Auto Scaling allows cloud resources in EC2 instances to scale up or down automatically based on the different loads on an application at any given time.
  • Simple management: Deploying virtual servers and managing cloud storage is easier than dealing with resource configuration on-premises.
  • Pay-as-you-go: You simply pay for the hours you use.
  • Flexibility: Depending on the OS, you can choose any instance size, memory, CPU, or boot partition size.


How can you make sure that your AWS EC2 environment is secure?
  1. Snapshots of EC2 instances should not be made public.
    The EBS snapshots of your EC2 instances should not be shared publicly. A public snapshot can be read by any AWS account, so keeping snapshots private protects the data they contain.
  2. Instances that have been running for a long time should be restarted.
    An EC2 instance that has been running continuously for a long time raises the risk of accumulated problems; schedule a restart.
  3. AMIs for EC2 should not be made public.
    To avoid exposing sensitive data, AWS AMIs should not be shared publicly with other AWS accounts.
  4. AMIs on EC2 Should Be Encrypted
    To meet compliance standards for data-at-rest encryption, Amazon Machine Images (AMIs) should be encrypted.
  5. The vCPU limit for EC2 instances should not be exceeded.
    Resource starvation can be avoided by monitoring the vCPU-based limits for On-Demand EC2 instances. Service Quotas is an AWS service that lets you view and manage your quotas in one place. Quotas, also known as limits, are the maximum values for your AWS account's resources, actions, and items.
  6. Blacklisted AMIs should not be used.
    Maintain a blacklist of AMIs known to carry security vulnerabilities, and make sure none of your EC2 instances is launched from a blacklisted AMI.
  7. The default VPC should not be used.
    It is not recommended to launch EC2 instances into the default VPC.
  8. Descriptions for security groups are required.
    Every security group should carry a description so that its purpose is documented and its rules can be reviewed later.
  9. The AMI should not be older than the configured age.
    The AMI an instance is launched from should not be older than the configured number of days. This ensures the security and reliability of your EC2 instances.
  10. The EC2 instance must be of the desired type.
    An approved list of instance types should be used to launch an EC2 instance.
  11. Detailed EC2 Instance Monitoring Should Be Enabled.
  12. It is not recommended to use EC2 Classic.
    Instead of utilizing EC2 Classic, VPC should be used for EC2 instances. VPCs are the most recent and secure way to launch AWS resources.
  13. EC2 instance scheduled events.
    Some EC2 instances may have scheduled events for retirement or maintenance. Take the necessary action (reboot, restart or re-launch) in time.
  14. Multiple security groups on EC2 instances.
    Checks whether several security groups are attached to an EC2 instance. Ideally an instance should have only one security group attached.
  15. It’s a good idea to enable termination protection.
    Ensure that the Termination Protection feature is enabled for non-ASG EC2 instances.
  16. NetBIOS access should not be unrestricted.
    No AWS EC2 security group should allow unrestricted inbound access to TCP port 139 or UDP ports 137 and 138 (NetBIOS).
  17. Unrestricted outbound access should not be allowed.
    EC2 security groups should not allow unrestricted outbound (egress) access; limit egress to the destinations the instance actually needs.
  18. IAM Roles on EC2 Should Be Used
    To effectively assign access permissions to any application that performs AWS API calls running on your EC2 instances, IAM Roles/Instance profiles should be used instead of IAM Access Keys.
  19. Data-tier subnets should not route to a NAT Gateway.
    To restrict Internet connectivity for the EC2 instances in the data tier, ensure that the Amazon VPC route table associated with the data-tier subnets has no default route pointing to an AWS NAT Gateway.
  20. CIFS access should not be unrestricted.
    No AWS EC2 security group should allow unrestricted inbound access to TCP port 445 (CIFS).
  21. ICMP access should not be unrestricted.
    No security group should allow unrestricted inbound Internet Control Message Protocol (ICMP) traffic.
  22. Unrestricted inbound access to non-standard ports should be prohibited.
    No EC2 security group should allow unrestricted inbound access on non-standard ports.
  23. MongoDB access should not be unrestricted.
    No security group should enable ingress access to MongoDB port 27017 without restrictions.
  24. MSSQL access should not be unrestricted.
    No security group should allow unrestricted inbound access to TCP port 1433 (MSSQL).
  25. MySQL access should not be unrestricted.
    No security group should allow unrestricted inbound access to TCP port 3306 (MySQL).
  26. Oracle access should not be unrestricted.
    TCP port 1521 should not be open to unlimited inbound traffic by any security group (Oracle Database).
  27. Security group port ranges.
    To protect your EC2 instances from denial-of-service (DoS) and brute-force attacks, security groups should not open a range of ports to inbound traffic; open only the individual ports that are required.
  28. PostgreSQL access should not be unrestricted.
    No security group should allow unrestricted inbound access to TCP port 5432 (PostgreSQL Database).
  29. Unrestricted RDP access should not be permitted.
    No AWS EC2 security group should allow unrestricted inbound access to TCP port 3389 (RDP).
  30. RPC Access That Isn’t Restricted Shouldn’t Be Allowed
    TCP port 135 should not be open to unlimited inbound traffic by any security group (RPC).
  31. Access to SMTP should not be unrestricted.
    TCP port 25 should not be open to unlimited inbound traffic by any security group (SMTP).
  32. Unrestricted public traffic should not be allowed by the default security group.
    To implement AWS security best practices, default security groups should prohibit all public traffic.
  33. Telnet access should not be unrestricted.
    TCP port 23 should not be open to unlimited inbound traffic by any security group (Telnet).
  34. Access to SSH should not be unrestricted.
    TCP port 22 should not be open to unlimited inbound traffic by any security group (SSH).
  35. Elasticsearch Access Should Not Be Unrestricted
    TCP port 9200 should not be open to unlimited inbound traffic by any security group (Elasticsearch).
  36. Unrestricted FTP access should not be permitted.
    No security group should allow unrestricted inbound access to TCP ports 20 and 21 (FTP).
  37. Payment for EC2 Reserved Instances should not fail.
    Make sure that none of your AWS EC2 Reserved Instance purchases has failed payment.
  38. Payment for EC2 Reserved Instances should not be pending.
    Make sure that none of your AWS EC2 Reserved Instance orders is still pending payment.
  39. Recent Purchases of EC2 Reserved Instances Should Be Examined
    For cost-cutting purposes, you should check your EC2 Reserved Instance purchases on a regular basis (informational).
  40. The Elastic IP Address Limit for EC2-Classic Should Not Be Exceeded
    Your account should not exceed the number of assigned Elastic IPs established by AWS.
  41. The Elastic IP Address Limit in EC2-VPC Should Not Be Exceeded
    The number of Elastic IPs in your account should not exceed the AWS limit.
  42. Hibernation on AWS EC2 Should Be Enabled
    For EBS-backed EC2 instances, the Hibernation functionality should be enabled to maintain memory state throughout instance stop/start cycles.
  43. Launch the instance in the Auto Scaling Group.
    To follow the best AWS dependability and security policies, every EC2 instance should be deployed inside an Auto Scaling Group (ASG).
  44. Reserved Instance leases expiring in the next 30 days.
    Lists all EC2 Reserved Instances whose lease will expire within the next 30 days.
  45. Reserved Instance leases expiring in the next 7 days.
    Lists all EC2 Reserved Instances whose lease will expire within the next seven days.
  46. Excessive number of security groups.
    There should not be an excessive number of security groups per region in your AWS account.
  47. Launch-wizard Should Not Be Used As A Security Group Name
    In order to meet AWS security best practices, EC2 security groups prefixed with launch-wizard should not be used.
  48. The Number of EC2 Instances Should Not Exceed the Maximum
    The number of EC2 instances in your AWS account should not exceed the limit.
  49. EC2 Instances Should Be of the Most Recent Generation
    For the best price-performance ratio, your AWS servers should run the most recent generation of EC2 instances.
  50. Number of security group rules.
    The number of rules defined in each EC2 security group should not be excessive.
  51. RFC 1918 inbound traffic should not be allowed by security groups.
    In order to meet AWS security best practices, no EC2 security group should allow traffic from RFC-1918 CIDRs inbound.
  52. Unassociated Elastic IP addresses should be released.
    To save money, identify and release any Elastic IP addresses (EIPs) that are not associated with a resource.
  53. Public Subnet Should Not Be Used For EC2 Instances
    In public subnets, no backend EC2 instances should be running.
  54. Unrestricted DNS access should not be allowed.
    No security group should allow unrestricted inbound access to TCP and UDP port 53 (DNS).
  55. HTTP Access Without Limits Should Not Be Permitted
    No security group should allow uncontrolled TCP port 80 incoming access (HTTP).
  56. Access to HTTPS without restrictions should be prohibited.
    No security group should enable uncontrolled TCP port 443 incoming access (HTTPS).
  57. Blacklisted Instance Types Should Not Be Used On EC2 Instances
    There should be no EC2 instances with the instance type blacklisted in your AWS account.
  58. Elastic Network Interfaces That Aren’t In Use Should Be Removed
    In order to follow best practices, unused AWS Elastic Network Interfaces (ENIs) should be removed.
  59. AMIs that are no longer in use should be removed.
    To follow best practices, unused AMIs should be erased.
  60. AWS EC2 Key Pairs That Aren’t In Use Should Be Removed
    To follow best practices, decommission unused AWS EC2 key pairs.
  61. Instances that have been reserved should not be left unused.
    Reserved Instances on AWS EC2 should be completely utilized.
  62. Overusing EC2 instances is not recommended.
    To improve application response time, overused EC2 instances should be upgraded.
  63. Instances on EC2 should never be left idle.
    In order to reduce AWS charges, idle AWS EC2 instances should be halted or terminated.
  64. EC2 instances should not be used inefficiently.
    In order to reduce your AWS expenditures, you should shrink underutilized EC2 instances.
  65. Tenancy on EC2 Instances
    For security and regulatory compliance, EC2 instances should have the proper tenancy.
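The image, snapshot and instance checks in items 1 to 4, 9 to 11, 18, 53, 57 and 65 can be evaluated directly from the fields that `aws ec2 describe-images`, `aws ec2 describe-snapshot-attribute` and `aws ec2 describe-instances` return. The Python below is an added example, not code from the original post or from AWS: it runs those checks against constructed sample records embedded inline, and the age thresholds, the approved and blacklisted instance-type lists, the required tenancy and the fixed clock are assumed policy values that an auditor would set for their own account.

```python
"""Audit AMIs, EBS snapshots and EC2 instances for checklist items
1-4, 9-11, 18, 53, 57 and 65. Added example: the functions take the
dicts returned by describe-images / describe-snapshot-attribute /
describe-instances; thresholds and lists below are assumed policy."""
from datetime import datetime, timedelta, timezone

MAX_AMI_AGE_DAYS = 90                                              # item 9: assumed "configured age"
MAX_UPTIME_DAYS = 30                                               # item 2: assumed "long time"
APPROVED_INSTANCE_TYPES = {"t3.micro", "t3.small", "m6i.large"}    # item 10: assumed allow-list
BLACKLISTED_INSTANCE_TYPES = {"p3.16xlarge"}                       # item 57: assumed deny-list
REQUIRED_TENANCY = "dedicated"                                     # item 65: assumed requirement
# Fixed clock so the age arithmetic is reproducible; use datetime.now(timezone.utc) on live data.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def parse_time(stamp):
    """Parse the ISO-8601 'Z' timestamps the EC2 API returns."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit_image(image, now=NOW):
    """Items 3, 4 and 9 for one describe-images record."""
    findings, iid = [], image["ImageId"]
    if image.get("Public"):                                        # item 3: shared with everyone
        findings.append(("3", f"{iid} is shared publicly"))
    for bdm in image.get("BlockDeviceMappings", []):               # item 4: every EBS volume encrypted
        ebs = bdm.get("Ebs")                                       # instance-store mappings have no Ebs key
        if ebs is not None and not ebs.get("Encrypted", False):
            findings.append(("4", f"{iid} has unencrypted volume {bdm['DeviceName']}"))
    age = now - parse_time(image["CreationDate"])                  # item 9: image age
    if age > timedelta(days=MAX_AMI_AGE_DAYS):
        findings.append(("9", f"{iid} is {age.days} days old (limit {MAX_AMI_AGE_DAYS})"))
    return findings


def audit_snapshot(snapshot, create_volume_permissions):
    """Item 1. create_volume_permissions is the CreateVolumePermissions list
    returned by describe-snapshot-attribute --attribute createVolumePermission."""
    if any(p.get("Group") == "all" for p in create_volume_permissions):
        return [("1", f"{snapshot['SnapshotId']} can be copied by any AWS account")]
    return []


def audit_instance(inst, now=NOW):
    """Items 2, 10, 11, 18, 53, 57 and 65 for one describe-instances record."""
    findings, iid = [], inst["InstanceId"]
    if inst.get("State", {}).get("Name") == "running":             # item 2: uptime
        uptime = now - parse_time(inst["LaunchTime"])
        if uptime > timedelta(days=MAX_UPTIME_DAYS):
            findings.append(("2", f"{iid} has been running for {uptime.days} days"))
    itype = inst["InstanceType"]
    if itype in BLACKLISTED_INSTANCE_TYPES:                        # item 57
        findings.append(("57", f"{iid} uses blacklisted type {itype}"))
    elif itype not in APPROVED_INSTANCE_TYPES:                     # item 10
        findings.append(("10", f"{iid} uses unapproved type {itype}"))
    if inst.get("Monitoring", {}).get("State") != "enabled":       # item 11: "enabled" = detailed monitoring
        findings.append(("11", f"{iid} lacks detailed monitoring"))
    if "IamInstanceProfile" not in inst:                           # item 18: role instead of access keys
        findings.append(("18", f"{iid} has no instance profile (IAM role)"))
    if inst.get("PublicIpAddress"):                                # item 53: a public IP is used as a proxy
        findings.append(("53", f"{iid} has public IP {inst['PublicIpAddress']}"))  # for "in a public subnet"
    tenancy = inst.get("Placement", {}).get("Tenancy")
    if tenancy != REQUIRED_TENANCY:                                # item 65
        findings.append(("65", f"{iid} tenancy is {tenancy}, policy requires {REQUIRED_TENANCY}"))
    return findings


# Constructed sample records in the shape of the API responses (not real resources).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaa01", "Public": True, "CreationDate": "2023-01-10T08:00:00.000Z",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}}]},
    {"ImageId": "ami-0aaaaaaaaaaaaaa02", "Public": False, "CreationDate": "2023-12-20T08:00:00.000Z",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}},
                             {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
]
SAMPLE_SNAPSHOT = {"SnapshotId": "snap-0bbbbbbbbbbbbbb01"}
PUBLIC_PERMISSIONS = [{"Group": "all"}]
PRIVATE_PERMISSIONS = [{"UserId": "111122223333"}]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0ccccccccccccccc01", "InstanceType": "m6i.large", "State": {"Name": "running"},
     "LaunchTime": "2023-11-01T09:30:00.000Z", "Monitoring": {"State": "disabled"},
     "Placement": {"Tenancy": "default"}, "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-0ccccccccccccccc02", "InstanceType": "t3.small", "State": {"Name": "running"},
     "LaunchTime": "2024-01-10T09:30:00.000Z", "Monitoring": {"State": "enabled"},
     "Placement": {"Tenancy": "dedicated"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app-role"}},
]

if __name__ == "__main__":
    results = [f for img in SAMPLE_IMAGES for f in audit_image(img)]
    results += audit_snapshot(SAMPLE_SNAPSHOT, PUBLIC_PERMISSIONS)
    results += [f for inst in SAMPLE_INSTANCES for f in audit_instance(inst)]
    for item, detail in results:
        print(f"[item {item}] {detail}")
```

Termination protection (item 15) is deliberately absent: it is not part of the describe-instances record and has to be read per instance with `describe-instance-attribute --attribute disableApiTermination`, so it would be a separate call with the same pattern.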
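Items 16 to 36 and 54 to 56 all reduce to one question about a security group's inbound rules: is a sensitive port reachable from 0.0.0.0/0 or ::/0? The Python below is an added example, not the post's or AWS's code, that answers it for the `IpPermissions` / `IpPermissionsEgress` structure returned by `aws ec2 describe-security-groups`, and also covers the port-range check (item 27), unrestricted egress (item 17), the default group (item 32), the `launch-wizard` name (item 47) and ICMP (item 21). The four security groups it audits are constructed sample data; the item numbers in the findings refer to the checklist above.

```python
"""Audit EC2 security group rules for unrestricted access. Added example:
works on the dict shape returned by `aws ec2 describe-security-groups`
(or boto3 describe_security_groups); the groups below are constructed."""

# Checklist items 16-36 and 54: ports that must never be open to the world.
SENSITIVE_PORTS = {
    ("tcp", 20): "FTP", ("tcp", 21): "FTP", ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet", ("tcp", 25): "SMTP", ("tcp", 53): "DNS",
    ("udp", 53): "DNS", ("tcp", 135): "RPC", ("udp", 137): "NetBIOS",
    ("udp", 138): "NetBIOS", ("tcp", 139): "NetBIOS", ("tcp", 445): "CIFS",
    ("tcp", 1433): "MSSQL", ("tcp", 1521): "Oracle", ("tcp", 3306): "MySQL",
    ("tcp", 3389): "RDP", ("tcp", 5432): "PostgreSQL",
    ("tcp", 9200): "Elasticsearch", ("tcp", 27017): "MongoDB",
}
# Items 55-56: the checklist flags these too, but a web tier normally needs
# them, so they are reported as informational rather than as violations.
WEB_PORTS = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_sources(perm):
    """Yield every IPv4/IPv6 CIDR listed on one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_security_group(sg):
    """Return a list of (checklist_item, detail) findings for one group."""
    findings = []
    gid, name = sg["GroupId"], sg.get("GroupName", "")
    if name.startswith("launch-wizard"):                       # item 47: console default name
        findings.append(("47", f"{gid} keeps the console default name {name!r}"))

    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        for cidr in rule_sources(perm):
            if cidr not in PUBLIC_CIDRS:
                continue                                       # restricted source: nothing to flag
            if name == "default":                              # item 32
                findings.append(("32", f"default group {gid} admits public traffic from {cidr}"))
            if proto == "-1":                                  # all protocols and all ports
                findings.append(("22", f"{gid} admits all traffic from {cidr}"))
                continue
            if proto in ("icmp", "icmpv6"):                    # item 21 (FromPort/ToPort are type/code here)
                findings.append(("21", f"{gid} admits {proto} from {cidr}"))
                continue
            if lo is None or hi is None:
                continue
            if hi > lo:                                        # item 27: a whole range, not one port
                findings.append(("27", f"{gid} opens {proto} {lo}-{hi} to {cidr}"))
            for (p, port), svc in SENSITIVE_PORTS.items():     # items 16-36, 54
                if p == proto and lo <= port <= hi:
                    findings.append(("16-36,54", f"{gid} exposes {svc} ({proto}/{port}) to {cidr}"))
            for (p, port), svc in WEB_PORTS.items():           # items 55-56, informational
                if p == proto and lo <= port <= hi:
                    findings.append(("55-56", f"{gid} serves {svc} ({proto}/{port}) to {cidr}"))

    for perm in sg.get("IpPermissionsEgress", []):             # item 17: unrestricted egress
        if perm.get("IpProtocol") == "-1" and any(c in PUBLIC_CIDRS for c in rule_sources(perm)):
            findings.append(("17", f"{gid} allows all outbound traffic to the Internet"))
            break
    return findings


# Constructed sample groups in the describe-security-groups shape (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "launch-wizard-1",   # SSH and RDP to the world
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-tier",           # high port range to the world
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.20.1.0/24"}]},
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web-tier",          # only HTTPS, egress pinned
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "default",           # default group left wide open
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for sg in SAMPLE_GROUPS:
        for item, detail in audit_security_group(sg):
            print(f"[item {item}] {detail}")
```

The `db-tier` group shows why item 27 matters on its own: a single 1024-65535 rule to 0.0.0.0/0 exposes seven of the database and management ports in the list at once, even though each of them appears to be "closed" when you look for a dedicated rule.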


What is the need for Amazon EC2 monitoring?

Amazon EC2 is used by the vast majority of businesses because it allows quick provisioning to meet any demand. To optimize your cloud environment, you need information about EC2 resource limits and consumption. Furthermore, both hypervisor-level and system-level metrics are required to give OS context to your CloudWatch data.

A proactive EC2 monitoring solution can help fill these gaps and provide visibility into performance, availability, memory, and disk metrics from a single dashboard, so that you can catch emerging problems early. Look for a tool that has a native CloudWatch integration and system-level performance counters to supply basic infrastructure metrics; ideally, use an advanced AI-powered AWS monitoring product that has built-in best-practice checks.


These best practices are reflected in security standards.

To comply with regulatory bodies worldwide on cloud security, every firm must adhere to particular security standards and compliance certifications. The following standards are covered by the Amazon EC2 best practices:
  • Payment Card Industry Data Security Standard (PCI DSS)
  • General Data Protection Regulation (GDPR)
  • National Institute of Standards and Technology (NIST)
  • Australian Prudential Regulation Authority (APRA)
  • Monetary Authority of Singapore (MAS)
  • Health Insurance Portability and Accountability Act (HIPAA)


Thank you very much for reading…
