In our previous top tips for AWS security we looked at hardening access to your AWS resources through proper use of IAM, policies and authentication. In this tip we turn our focus to hardening your Amazon Machine Images (AMI).
No matter whether you pronounce it A.M.I or Ahhh-ME (as the AWS folks do), your machine images are an important part of building applications on AWS. AMIs form the foundation of ‘Instances’, the running machines in EC2 or VPC. AMIs can be private, shared by the community, or from the AWS Marketplace.
AMIs may include only the operating system, a foundation for your application (such as this LAMP Web Starter), or a fully complete application. In this tip we look at creating your own secure AMI.
Steps 1, 2, 3 for an Ahhh-ME
First, and most important when building your own AMI, is to start from a base you trust. This usually means choosing a base AMI from Amazon. However, there are times when you want to base your AMI on something more elaborate or specialized from the community or Marketplace.
Step two is to customize and harden your AMI. If you are adding components like a web server, ensure that default passwords are changed and unnecessary options are disabled. Look at the OS too: disable services that are not required, disable remote “root” account logins, and for Linux consider disabling password-only access entirely.
Step three is to prepare the AMI so it can be launched over and over. For Windows this is as easy as running Sysprep, which ensures that every instance you launch from the new AMI gets a unique password encrypted with the user’s launch key. For Linux there are additional steps to perform before the system is ready to accept the user’s launch key for SSH authentication.
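The Linux side of steps two and three, as an added example that is not from the original post: a small POSIX shell script that rewrites sshd_config to refuse remote root logins and password-only access, then strips the per-instance material (host keys, authorized_keys, shell history) that would otherwise be baked into the image. Everything is assumed: the function names, the root-prefix argument (so the script can be rehearsed on a scratch directory before being run against / on the build instance), that sshd honours the first occurrence of a directive, and that the boot agent which injects the launch key (cloud-init style) only does so when no authorized_keys file is already present.

```shell
#!/bin/sh
# Added example, not code from the original post. All functions take a root
# prefix: a scratch directory for rehearsal, or "/" on the real build instance.
# Assumed (not stated in the post): sshd uses the FIRST occurrence of a
# directive, and the boot agent only injects the launch key when no
# authorized_keys file already exists.

# Step two for Linux: no remote root logins, no password-only access.
HARDENED_SSHD='PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# harden_sshd_config ROOT: put the hardened directives at the top of
# ROOT/etc/ssh/sshd_config (so they win under first-match) and drop every
# earlier copy, including commented-out defaults someone might un-comment.
harden_sshd_config() {
    cfg="$1/etc/ssh/sshd_config"
    {
        printf '%s\n' "$HARDENED_SSHD"
        grep -Ev '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication|PubkeyAuthentication)([[:space:]]|$)' "$cfg" || true
    } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# effective_sshd_value ROOT DIRECTIVE: the global value sshd would apply,
# i.e. the first uncommented occurrence before any Match block.
effective_sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1/etc/ssh/sshd_config"
}

# check_sshd_hardened ROOT: succeeds only if all four directives are as wanted.
check_sshd_hardened() {
    [ "$(effective_sshd_value "$1" PermitRootLogin)" = no ] &&
    [ "$(effective_sshd_value "$1" PasswordAuthentication)" = no ] &&
    [ "$(effective_sshd_value "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(effective_sshd_value "$1" PubkeyAuthentication)" = yes ]
}

# Step three for Linux: remove per-instance material so each instance launched
# from the image regenerates its own host keys and receives only the key pair
# chosen at launch, not whatever key the image builder was using.
prepare_for_imaging() {
    rm -f "$1"/etc/ssh/ssh_host_*_key "$1"/etc/ssh/ssh_host_*_key.pub
    rm -f "$1"/root/.ssh/authorized_keys "$1"/home/*/.ssh/authorized_keys
    rm -f "$1"/root/.bash_history "$1"/home/*/.bash_history
}

# check_imaging_clean ROOT: fails if any host key or authorized_keys survived.
check_imaging_clean() {
    for f in "$1"/etc/ssh/ssh_host_*_key "$1"/root/.ssh/authorized_keys \
             "$1"/home/*/.ssh/authorized_keys; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# make_scratch_root DIR: a constructed stand-in for a freshly customised build
# instance, including the leftovers an image builder typically forgets.
make_scratch_root() {
    mkdir -p "$1/etc/ssh" "$1/root/.ssh" "$1/home/ec2-user/.ssh"
    cat > "$1/etc/ssh/sshd_config" <<'EOF'
# constructed sample, shaped like a distro default
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF
    echo "ssh-ed25519 AAAAexample build-host-key" > "$1/root/.ssh/authorized_keys"
    echo "ssh-ed25519 AAAAexample build-user-key" > "$1/home/ec2-user/.ssh/authorized_keys"
    echo "placeholder, not a real key" > "$1/etc/ssh/ssh_host_ed25519_key"
    echo "placeholder, not a real key" > "$1/etc/ssh/ssh_host_ed25519_key.pub"
    echo "sudo passwd root" > "$1/home/ec2-user/.bash_history"
}

demo() {
    d="${TMPDIR:-/tmp}/ami-demo.$$"
    make_scratch_root "$d"
    printf 'before: PasswordAuthentication=%s PermitRootLogin=<%s>\n' \
        "$(effective_sshd_value "$d" PasswordAuthentication)" \
        "$(effective_sshd_value "$d" PermitRootLogin)"
    harden_sshd_config "$d"
    prepare_for_imaging "$d"
    if check_sshd_hardened "$d" && check_imaging_clean "$d"; then
        echo "after: sshd hardened and per-instance material removed"
    else
        echo "after: NOT ready for imaging" >&2
    fi
    rm -rf "$d"
}
demo
```

On a real build instance you would run `harden_sshd_config /` and `prepare_for_imaging /` as root, then `sshd -t` to confirm the rewritten config still parses, before creating the image. Prepending the directives rather than editing them in place is deliberate: sshd keeps the first value it sees, so a forgotten duplicate further down (or inside a Match block) cannot quietly re-enable password logins.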
Or don’t build AMIs at all…
Another option to consider is not building AMIs at all! Your instances could assemble the components they need as they start up, using scripts in the AWS User Data field, AWS OpsWorks, or tools like RightScale, Chef or Puppet. Dynamic servers take longer to come online than pre-built AMI templates, but they benefit from always being able to pull the latest software. You still have to ensure your instances are hardened; however, you avoid building template AMIs for your application.
Have any tips for managing access in AWS? Please share them in the comments! And if you’re interested in securing your EC2 or VPC instances check out our new Deep Security as a Service for cloud servers, currently in free Beta.