How to secure an EC2 instance?

Cloud Security

Anytime you use external services, AWS for example, you take on significant security risks. The company provides several ways to secure an EC2 instance and the other services you run on the Amazon cloud.

In fact, cloud security is the highest priority for Amazon Web Services, and has been ever since the platform was launched. The company has built a secure network architecture which, combined with its robust datacenters, is more than good enough to meet the needs of even the most security-sensitive organizations.

But before we get down to the ways to secure an EC2 instance, a word about security overall.

Security is a concept

While AWS provides a number of distinct security features, no amount of security will thwart a determined intruder. No matter how high the walls you build, if someone wants to gain access to your server, they will probably find a way. There is no shortage of talented individuals who know how to find their way around a cloud configuration.

The best you can do is construct solid security around your cloud infrastructure, using both the tools Amazon provides and third-party ones, and then monitor the system. Having a solid plan to deal with an intruder as quickly as possible when someone does break in is also a necessity.

Understand also that you, as the user, share responsibility for security and must do your part in securing your environment.

Let’s quickly take a look at the range of different security options that are available for you to use on EC2 on Amazon Web Services.

Identity and Access Management (IAM)

A way to give users permissions. This feature controls the level of access granted to individual users and user groups, and lets you both allow and deny access to specific resources managed by EC2.

Virtual Private Cloud (VPC)

This is a way to isolate every instance running on the physical server from every other instance. This means that, at least in theory, no one can access someone else's instance. Secure as it is, however, hackers have broken into EC2 instances in the past.

Network Access Control Lists (ACLs)

An optional feature; think of this as a firewall that controls both incoming and outgoing requests at the subnet level. It is not as granular an option as Security Groups, but it is a recommended addition to keep your instances safe from unauthorized access.

Security Groups

A virtual firewall that controls both incoming and outgoing requests at the instance level, providing finer-grained control than Network ACLs. You can have up to five security groups on an instance, each with different permissions. Security Groups must be maintained per instance, rather than for the virtual machine as a whole.
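As an added example (not code from the original article), a defender-side check of the Security Group rules just described: it scans groups for ingress open to the whole internet on administrative ports. The input is a constructed sample shaped like the `SecurityGroups` list of an EC2 DescribeSecurityGroups response; the port list and group ids are assumptions chosen for illustration.

```python
# Audit EC2 security group rules for world-open ingress on sensitive ports.
# Input mirrors the 'SecurityGroups' list of a DescribeSecurityGroups response,
# so boto3's ec2.describe_security_groups()["SecurityGroups"] can be fed in;
# the data below is constructed inline so the script runs offline.

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def rule_is_world_open(rule):
    """True if the rule permits traffic from any IPv4 or IPv6 source."""
    return any(r.get("CidrIp") in ANYWHERE for r in rule.get("IpRanges", [])) or \
        any(r.get("CidrIpv6") in ANYWHERE for r in rule.get("Ipv6Ranges", []))

def exposed_ports(rule):
    """Sensitive (port, label) pairs the rule covers; (-1, 'ALL') for all traffic."""
    if rule.get("IpProtocol") == "-1":        # all protocols and all ports
        return [(-1, "ALL")]
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    return [(p, name) for p, name in SENSITIVE_PORTS.items() if lo <= p <= hi]

def find_risky_ingress(security_groups):
    """Return (group id, port, label) for every world-open sensitive ingress rule."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if rule_is_world_open(rule):
                findings += [(sg["GroupId"], p, name) for p, name in exposed_ports(rule)]
    return findings

# Constructed sample: sg-0aaa allows SSH only from an office range, while
# sg-0bbb exposes SSH (IPv4) and RDP (IPv6) to the whole internet.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, label in find_risky_ingress(SAMPLE_GROUPS):
        print(f"{gid}: {label} (port {port}) open to the world")
```

Note that an `IpProtocol` of `-1` means every protocol and port, so such a rule is flagged even though it carries no port range.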

Hardware Security Device

This refers to a hardware-based security device that you install to control security in a hybrid environment, for example between your on-premises network and the AWS cloud.

Securing an EC2 instance

A combination of the tools mentioned above is an excellent way to ensure that your cloud-based infrastructure is as secure as, if not more secure than, your own resources. The IAM service is practically the backbone of security in AWS, and Amazon provides an incredibly granular level of control to set and unset permissions that allow and deny specific users access to your EC2 resources.

As a newcomer to the cloud, your EC2 security will initially revolve around Security Groups, before you decide to look at more elaborate ways and services to secure your cloud environments.

Ultimately, security is one of the most critical areas of the cloud, and it is very important to get right, no matter whether your setup is large or small. Good security practices reinforce themselves, leading to a virtuous cycle of capabilities and control.

Amazon's recommended security best practices are available here.