In this series, Mark and I have covered tips for securing your Amazon Web Services (AWS) account, building hardened Amazon Machine Images and locking down the operating system. Now we turn our attention to one of the simplest, yet most powerful, ways to secure your instances: the firewall.
Implementing a firewall policy is just basic survival when it comes to internet-facing servers. AWS provides Security Groups as a mandatory whitelisting firewall to limit inbound open ports on EC2. You can allow specific ports/protocols for an IP or CIDR. Within a Virtual Private Cloud (VPC) the firewall adds additional capabilities for outbound filtering.
The firewall provided by AWS is implemented outside of the instance and controlled using your AWS credentials. This ensures your basic firewall policy is in place even if the operating system in the instance is compromised.
Expect it to heat up? Dress in layers
In addition to filtering by source IP or CIDR, you can open a port to another Security Group in the same AWS region. This allows you to create tiers of protection mapping to your application tiers. The web servers need incoming 80/443 traffic, but the rest of your tiers only need to be reached externally for operational or troubleshooting purposes. This allows you to limit other access (for example, opening SSH on the application tier) to specific IPs such as your office or home.
Creating these layered firewall policies makes your applications significantly more secure.
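As an added example (not code from the original post), here is the tiered design above expressed as the EC2 IpPermissions structures that boto3's authorize_security_group_ingress accepts, together with a small audit that flags any rule exposing a non-web port to 0.0.0.0/0. The group IDs, the application port 8080 and the office CIDR are placeholder assumptions.

```python
# Added example, not from the original post. Builds Security Group ingress
# rules for a web tier and an app tier (app reachable only from the web SG),
# then audits them for anything besides 80/443 open to the whole internet.

WEB_SG = "sg-web-placeholder"      # assumption: placeholder group ID
APP_SG = "sg-app-placeholder"      # assumption: placeholder group ID
OFFICE_CIDR = "203.0.113.0/24"     # assumption: office egress range (TEST-NET-3)
ANYWHERE = "0.0.0.0/0"
PUBLIC_OK = {80, 443}              # the only ports the web tier should expose publicly

def cidr_rule(port, cidr, proto="tcp"):
    """One EC2 IpPermission allowing a single port from an IP range."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

def sg_rule(port, source_sg, proto="tcp"):
    """One EC2 IpPermission allowing a single port from another Security Group."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}

# Web tier: public 80/443, SSH only from the office.
WEB_INGRESS = [cidr_rule(80, ANYWHERE), cidr_rule(443, ANYWHERE),
               cidr_rule(22, OFFICE_CIDR)]
# App tier: application port only from the web tier's group, SSH only from the office.
APP_INGRESS = [sg_rule(8080, WEB_SG), cidr_rule(22, OFFICE_CIDR)]

def audit_ingress(rules, public_ok=PUBLIC_OK):
    """Return (port, cidr) pairs that expose a non-web port to the whole internet.
    A rule with IpProtocol "-1" (all traffic) has no port fields and is reported
    as ("all", cidr)."""
    findings = []
    for r in rules:
        for rng in r.get("IpRanges", []):
            if rng["CidrIp"] != ANYWHERE:
                continue
            if r["IpProtocol"] == "-1":
                findings.append(("all", rng["CidrIp"]))
                continue
            for p in range(r["FromPort"], r["ToPort"] + 1):
                if p not in public_ok:
                    findings.append((p, rng["CidrIp"]))
    return findings

if __name__ == "__main__":
    print(audit_ingress(WEB_INGRESS))                 # []
    print(audit_ingress(APP_INGRESS))                 # []
    print(audit_ingress([cidr_rule(22, ANYWHERE)]))   # [(22, '0.0.0.0/0')]
```

Pass WEB_INGRESS or APP_INGRESS as IpPermissions to boto3's authorize_security_group_ingress for the matching group; run audit_ingress over describe_security_groups output to catch drift later.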
One good firewall deserves another…
In the AWS Security whitepaper (updated this month) AWS further encourages you to apply per-instance filters with host-based firewalls. Why is this the case?
- Outbound – Control what resources your servers are accessing externally and block unwanted traffic (e.g. malicious command and control)
- More Granular Policy – Host-based firewalls can perform more complex tasks such as blocking countries under export control, handling dynamic protocols that require a stateful firewall or maintaining an annotated list of known IPs for RDP/SSH
- Logs – The AWS firewall does not tell you what traffic is being blocked. A host-based firewall gives you additional visibility and allows you to troubleshoot access issues
Deploying a host-based firewall also adds to your security protection in the event that your AWS credentials are compromised.
What are your favorite tips on designing a firewall policy in AWS? Please share them in the comments! And if you’re interested in securing your EC2 or VPC instances, check out our new Deep Security as a Service for cloud servers, currently in free Beta.