Cloudten Techblog: Level up bastion EC2 instance security (Amazon Linux)

AWS is a secure cloud environment if we build out the stack properly.

Amazon Linux is also a pretty secure distro already. However, cyberspace can be a cruel, cruel world. It’s always a good idea to level up your defences ahead of time. At the architecture level, with thoughtful design of Security Groups, Network ACLs, the various gateways and routing tables, the stack is fairly safe from the outside world, the internet at large.

But for large corporations where no public access has been provisioned to their VPC, the greatest threat may originate internally. A bastion instance sits between the on-premises environment and the cloud: it regulates user activity, filters traffic and acts as a gatekeeper. Yet once this bastion box is compromised, the whole stack is in danger. In this scenario the bastion EC2 instance becomes the critical component in the security of the whole stack.

To harden this critical bastion Linux box, we take three aspects into account: services, intrusion detection and traffic monitoring.

Services are a double-edged sword: every running service adds functionality, and to some extent it adds vulnerability too. Thus, preventing unnecessary services from starting up is the first step in eliminating weak points in the system. This approach is simple but effective.

For instance, the following is the list of services that start with the system by default.

Default services list

In this list we can find some services, like NFS and sendmail, that are not needed if this instance only runs as an SSH bastion server. So we can simply stop them from starting up, or even uninstall them. After sorting out the start-up services, tightening the configuration of the remaining services reduces vulnerability as well. Disabling tunnelling and forwarding in the SSH service, for example, regulates user behaviour a step further.
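The following shell script is an added illustration of the two steps above (trimming boot-time services and tightening sshd); it is example code written for this article, not Cloudten's own tooling. It assumes root on the instance, the stock Amazon Linux service names ("nfs", "sendmail") and the set of sshd directives chosen here, which go beyond the tunnelling and forwarding settings mentioned in the text.

```shell
#!/bin/sh
# Added example (not Cloudten's code): trim boot-time services and pin down
# sshd directives on an SSH-only bastion. The directive list and the service
# names used in the usage lines are assumptions made for this example.

# sshd directives a bastion that must not become a pivot point should set.
# AllowTcpForwarding/PermitTunnel/GatewayPorts cover the tunnelling and
# forwarding mentioned in the post; the rest close common credential paths.
SSHD_HARDENING='AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no
PermitRootLogin no
PasswordAuthentication no'

# list_boot_services: show what starts at boot. Amazon Linux (sysvinit) uses
# chkconfig; Amazon Linux 2 uses systemd.
list_boot_services() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl list-unit-files --type=service --state=enabled
    else
        chkconfig --list | grep '3:on'
    fi
}

# disable_service NAME: stop the service now and keep it off at boot
# (e.g. "nfs" and "sendmail" on a pure SSH bastion).
disable_service() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl stop "$1" && systemctl disable "$1"
    else
        service "$1" stop && chkconfig "$1" off
    fi
}

# set_directive FILE KEY VALUE: rewrite every existing line for KEY (commented
# or not) as "KEY VALUE", or append it when absent. sshd honours the first
# occurrence of a directive, so a stray "KEY yes" left above ours would
# silently win; rewriting all occurrences avoids that.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        # sed -i is not portable between GNU and BSD; go through a temp file
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: apply every directive above to FILE.
# Run "sshd -t" afterwards and restart sshd from a second session so that a
# typo cannot lock you out of the bastion.
harden_sshd_config() {
    while read -r key value; do
        if [ -n "$key" ]; then set_directive "$1" "$key" "$value"; fi
    done <<EOF
$SSHD_HARDENING
EOF
}

# check_sshd_config FILE: print each directive that is not in effect and
# return 1; return 0 when FILE matches all of them. Directives inside a
# "Match" block are not inspected.
check_sshd_config() {
    bad=0
    while read -r key value; do
        [ -z "$key" ] && continue
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]+$value[[:space:]]*$" "$1"; then
            echo "NOT SET: $key $value"
            bad=1
        fi
    done <<EOF
$SSHD_HARDENING
EOF
    return $bad
}

# Usage on the bastion (as root):
#   list_boot_services
#   disable_service nfs; disable_service sendmail
#   harden_sshd_config /etc/ssh/sshd_config && check_sshd_config /etc/ssh/sshd_config
```

`check_sshd_config` is the piece worth keeping around: run it from cron or a configuration-management check so that a later edit that re-enables forwarding is noticed rather than silently accepted.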

Even with services running at a “just enough” level, the bastion server still requires extra monitoring of its interior in order to detect any unexpected change or intrusion. There are some good open source integrity/intrusion detection tools that can be deployed. With such tools, the system can log and detect any suspicious change inside the box at the file level. With proper configuration, such tools can detect, report, and even respond to an attack immediately. In our hardened bastion server this is an essential component. Additionally, when AWS Inspector comes to our region, it can be a good alternative to those handy tools.
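To make the file-level detection described above concrete, here is a minimal baseline-and-compare script, added as an example for this article rather than taken from Cloudten or from any of the integrity tools the post has in mind. It records a hash, mode and owner for every regular file under a directory and reports anything added, removed or changed (a permission or owner change counts, not just content). It assumes GNU coreutils (`sha256sum`, `stat -c`) as found on Amazon Linux.

```shell
#!/bin/sh
# Added example (not Cloudten's code, and not a substitute for a full
# integrity tool): a minimal file integrity baseline for a bastion.
# Assumes GNU coreutils (sha256sum, stat -c).

# fim_baseline DIR BASELINE_FILE: record "path<TAB>sha256<TAB>mode:owner"
# for every regular file under DIR. Keep BASELINE_FILE outside DIR, ideally
# off the instance, so it is not itself part of the tree being monitored.
fim_baseline() {
    dir=$1; out=$2
    find "$dir" -type f -print | LC_ALL=C sort | while read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a:%U' "$f")
        printf '%s\t%s\t%s\n' "$f" "$hash" "$meta"
    done > "$out"
}

# fim_check DIR BASELINE_FILE: compare the current tree with the baseline.
# Prints one "ADDED|REMOVED|CHANGED <path>" line per difference and returns
# 1; prints nothing and returns 0 when the tree matches the baseline.
fim_check() {
    dir=$1; base=$2
    cur=$(mktemp)
    fim_baseline "$dir" "$cur"
    report=$(awk -F'\t' '
        # first file on the command line is the baseline: path -> "hash<TAB>meta"
        FILENAME == ARGV[1] { base[$1] = $2 "\t" $3; next }
        {
            seen[$1] = 1
            if (!($1 in base))               print "ADDED " $1
            else if (base[$1] != $2 "\t" $3) print "CHANGED " $1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage on the bastion:
#   fim_baseline /etc /root/etc.baseline     # once, right after the build
#   fim_check /etc /root/etc.baseline        # from cron; non-zero exit = alert
```

The report from `fim_check` is what a cron job should mail or ship to the log collector; the non-zero exit status makes it easy to hook into whatever alerting already exists.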

To maximise security, we recommend using network intrusion detection tools in some circumstances as well. As with integrity checking tools, there are some highly rated open source options.
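A network intrusion detection tool watches the wire; the bastion's own sshd log is a cheap complementary signal that is easy to overlook. The script below is an added example for this article (not Cloudten's code) that runs two checks over `/var/log/secure`-style lines: sources with repeated failed logins, and the more important case of a successful login from a source that had failed earlier. The log lines are constructed for the example and the threshold is an assumption.

```shell
#!/bin/sh
# Added example (not Cloudten's code): two host-side checks over the bastion's
# own sshd log (/var/log/secure on Amazon Linux). They complement, not
# replace, a network intrusion detection tool. The sample log lines are
# constructed for this example; the threshold is an assumption.

# write_sample_secure_log FILE: constructed /var/log/secure excerpt.
# 10.20.30.40 fails four times and then gets in with a key, 192.168.1.9 fails
# once, and 10.1.2.3 is a clean key login.
write_sample_secure_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 ip-10-0-1-5 sshd[2211]: Failed password for invalid user admin from 10.20.30.40 port 51234 ssh2
Mar  3 10:01:15 ip-10-0-1-5 sshd[2213]: Failed password for root from 10.20.30.40 port 51235 ssh2
Mar  3 10:01:18 ip-10-0-1-5 sshd[2215]: Failed password for ec2-user from 10.20.30.40 port 51236 ssh2
Mar  3 10:01:21 ip-10-0-1-5 sshd[2217]: Failed password for ec2-user from 10.20.30.40 port 51237 ssh2
Mar  3 10:01:40 ip-10-0-1-5 sshd[2219]: Failed password for ec2-user from 192.168.1.9 port 60001 ssh2
Mar  3 10:02:01 ip-10-0-1-5 sshd[2221]: Accepted publickey for ec2-user from 10.1.2.3 port 40000 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Mar  3 10:02:30 ip-10-0-1-5 sshd[2223]: Accepted publickey for ec2-user from 10.20.30.40 port 51240 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Mar  3 10:02:31 ip-10-0-1-5 sshd[2223]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
EOF
}

# ssh_failed_sources LOG THRESHOLD: print "count ip" for every source with at
# least THRESHOLD failed password attempts, busiest first.
ssh_failed_sources() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field just before "port"
            for (i = 1; i <= NF; i++) if ($i == "port") { fails[$(i-1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' "$1" | sort -rn
}

# ssh_success_after_failures LOG: print "ip user failures" for every
# successful login from a source that failed earlier in the same log. On a
# bastion this is the line worth paging on, not the failures by themselves.
ssh_success_after_failures() {
    awk '
        / sshd\[[0-9]+\]: / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "port") { ip = $(i-1); break }
            if (ip == "") next
            if ($0 ~ /Failed password for/) fails[ip]++
            else if ($0 ~ /Accepted (publickey|password) for/ && fails[ip] > 0) {
                for (i = 1; i <= NF; i++) if ($i == "for") { user = $(i+1); break }
                print ip, user, fails[ip]
            }
        }
    ' "$1"
}

# Usage on the bastion:
#   ssh_failed_sources /var/log/secure 5
#   ssh_success_after_failures /var/log/secure
```

Both functions read a whole file, so run them against the current log on a schedule or feed them a rotated file; the same awk logic fits a log-shipping pipeline without changes.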

Security should always be the first priority in AWS. With tailored services, file integrity and network intrusion monitoring tools, the bastion box can effectively reduce its vulnerability to both the internet and the internal environment.