Application
Security
Module 04
Module objectives
• Secure Amazon EC2 instances and the applications that run on them.
• Assess vulnerabilities with Amazon Inspector.
• Apply instance security checks in an automated way via AWS Systems Manager.
Amazon EC2
Security Considerations
PwC | CLOUD ACADEMY - INSERT TRACK NAME
Amazon EC2 Key Pairs
[Figure: an administrator user connects over SSH to an Amazon EC2 instance in a private subnet, passing through a security group. The key pair is split: the private key stays with the user (the credential), the public key is placed on the instance. An alternative SSO path authenticates the user against an Active Directory/LDAP server.]
Instance metadata service (IMDS)
Provides applications running on the instance with temporary, frequently rotated credentials for the instance's IAM role, served from the link-local address 169.254.169.254.
IMDS version 2 (session-oriented, token-based requests) adds protection against credential theft through:
• Open web application firewalls
• Open reverse proxies
• SSRF vulnerabilities
• Open layer 3 firewalls and NATs
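The IMDSv2 request sequence and the rejection rules behind the list above, as an added example that is not part of the original module. The client functions (get_token, get_credentials) are the real IMDSv2 flow: a PUT with a TTL header returns a session token, and only a GET carrying that token is served. The ImdsV2Handler is a constructed stand-in for 169.254.169.254 that reproduces the documented behaviour (no token means no answer, an X-Forwarded-For header means the request crossed a proxy and is refused, TTL limited to 21600 seconds) so the exchange can be run offline; it is not the real service, and the fake credential values are invented.

```python
"""IMDSv2 session-token flow against a constructed mock of the metadata service.

Added example; the mock reproduces the documented IMDSv2 rules in simplified
form and is not the real 169.254.169.254 endpoint.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def get_token(base_url, ttl=21600):
    """Step 1 of IMDSv2: a PUT with a TTL header returns a session token."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TOKEN_TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_credentials(base_url, token, role):
    """Step 2: GET with the token header; the body is the role's temporary credentials."""
    req = urllib.request.Request(base_url + CREDS_PATH + role, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.loads(resp.read().decode())


def status_of(base_url, method, path, headers=None):
    """Perform a raw request and return its HTTP status code (4xx included)."""
    req = urllib.request.Request(base_url + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


class ImdsV2Handler(BaseHTTPRequestHandler):
    """Constructed mock of the IMDSv2 rules (assumption: simplified, tokens required)."""
    VALID_TOKEN = "constructed-session-token"
    FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example",
                  "Token": "example-session-token"}

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # A request relayed by a proxy carries X-Forwarded-For; IMDSv2 refuses it,
        # which is what stops open reverse proxies and WAFs from minting tokens.
        if "X-Forwarded-For" in self.headers:
            return self._reply(403)
        if self.path != TOKEN_PATH or TOKEN_TTL_HEADER not in self.headers:
            return self._reply(400)
        ttl = int(self.headers[TOKEN_TTL_HEADER])
        if not 1 <= ttl <= 21600:
            return self._reply(400)
        return self._reply(200, self.VALID_TOKEN.encode())

    def do_GET(self):
        # The classic SSRF primitive is a GET without a token: v1 would answer it,
        # v2 with tokens required does not.
        if self.headers.get(TOKEN_HEADER) != self.VALID_TOKEN:
            return self._reply(401)
        if self.path.startswith(CREDS_PATH):
            return self._reply(200, json.dumps(self.FAKE_CREDS).encode())
        return self._reply(404)


def start_mock_imds():
    """Start the mock on an ephemeral loopback port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), ImdsV2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def demo():
    """Run the attacker-style requests and the legitimate flow; return what each got."""
    base, server = start_mock_imds()
    try:
        results = {
            "v1_style_get": status_of(base, "GET", CREDS_PATH + "app-role"),
            "proxied_put": status_of(base, "PUT", TOKEN_PATH,
                                     {TOKEN_TTL_HEADER: "60", "X-Forwarded-For": "10.0.0.5"}),
            "oversized_ttl": status_of(base, "PUT", TOKEN_PATH, {TOKEN_TTL_HEADER: "99999"}),
        }
        token = get_token(base)
        results["creds_key"] = get_credentials(base, token, "app-role")["AccessKeyId"]
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

On a real instance the equivalent hardening is to require tokens with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; the hop limit of 1 keeps the token response from travelling beyond the instance's own network stack (raise it to 2 only where containers on the instance need IMDS through a bridge network).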
Section topics
Amazon Machine Images
Amazon Inspector
AMIs for security and compliance
• AMIs may be created to meet security and regulatory requirements
• AMIs can be shared within an AWS Region or copied to another Region
• Incident response can use AMIs to spin up machines for forensics
AWS-provided AMIs
[Console AMI chooser with the tabs Quick Start, My AMIs, AWS Marketplace and Community AMIs. Quick Start examples shown: Amazon Linux 2 AMI, SUSE Linux Enterprise Server 15 SP1, Red Hat Enterprise Linux 8, Ubuntu Server 18.04 LTS, Microsoft Windows Server 2019 Base.]
Customizing AMIs via baking
• Great for organizations that require compliant instances
• Reduces the time for autoscaled instances to come into production
• Tools used in customization include Chef, Puppet, and cloud-init
[Figure: Amazon Linux AMI + security-hardened configurations and patches → launched EC2 instance → custom AMI (golden copy)]
Customizing AMIs via bootstrapping
• Install the latest patches, service packs, and updates
• Apply configurations that are specific to an environment
• Register instances with security monitoring as they launch
[Figure: custom AMI + bootstrapping script run at launch → Amazon EC2 instance → Amazon EC2 fleet]
Sharing AMIs
AWS Marketplace
• AMIs sold by software vendors through AWS
• Ideal for the "regular user"
• All AMIs are verified by AWS
Community AMIs
• Custom AMIs made public
• Convenient for developers
• AMIs are created by AWS users, but are not verified by AWS
Securing AMIs
What can you do to protect your custom AMIs?
• Disable insecure applications and services
• Minimize exposure: only the ports and services the workload needs
• Protect credentials when baking AMIs: remove SSH authorized_keys files, shell history and any access keys before the image is captured
• Protect systems and log data: clear logs accumulated during the build
• Use EC2 Image Builder to keep images up to date and secure.
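A pre-capture check for the two credential and log items above, as an added example that is not code from the module or from AWS. It walks a mounted image root (for instance the build chroot an image pipeline produces before the golden copy is taken) and reports what must not ship in a custom AMI: SSH authorized_keys, private key material, shell histories, AWS credential files and logs left over from the build. The rule list, the sample tree and every file content in it are constructed for illustration; AKIAIOSFODNN7EXAMPLE is the documented AWS example key ID, not a real credential.

```python
"""Pre-bake hygiene scan of an image root (added example, not from the page)."""
import fnmatch
import os
import re
import tempfile

# (rule, glob relative to the image root). fnmatch's "*" also matches "/",
# so "home/*/..." covers every user's home directory. Constructed list.
PATH_RULES = [
    ("ssh-authorized-keys", "root/.ssh/authorized_keys"),
    ("ssh-authorized-keys", "home/*/.ssh/authorized_keys"),
    ("shell-history", "root/.*_history"),
    ("shell-history", "home/*/.*_history"),
    ("aws-credentials", "root/.aws/credentials"),
    ("aws-credentials", "home/*/.aws/credentials"),
    ("leftover-logs", "var/log/*"),
]
# Content rules applied to the first 64 KiB of every regular file.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
ACCESS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def scan_image_root(root):
    """Return sorted (rule, relative_path) pairs for everything that must be removed."""
    findings = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for rule, pattern in PATH_RULES:
                if fnmatch.fnmatch(rel, pattern):
                    findings.add((rule, rel))
            try:
                with open(full, "rb") as fh:
                    head = fh.read(64 * 1024)
            except OSError:
                continue  # unreadable file: only the path rules apply
            if PRIVATE_KEY_RE.search(head):
                findings.add(("private-key-material", rel))
            if ACCESS_KEY_ID_RE.search(head):
                findings.add(("aws-access-key-id", rel))
    return sorted(findings)


def build_sample_root(root):
    """Write a constructed image tree with the leftovers a bake often leaves behind."""
    files = {
        "etc/os-release": 'NAME="Amazon Linux"\nVERSION="2"\n',  # clean file
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA build@ci\n",
        "home/builder/.bash_history": "sudo yum update -y\ncurl -H 'Authorization: Bearer redacted'\n",
        "home/builder/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        "etc/app/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
        "var/log/cloud-init.log": "2022-01-01 cloud-init: running modules\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Scan the constructed tree; a clean bake returns an empty list."""
    root = tempfile.mkdtemp(prefix="ami-root-")
    build_sample_root(root)
    return scan_image_root(root)


if __name__ == "__main__":
    for rule, path in demo():
        print(f"{rule:22} {path}")
```

Run it as the last step of the bake, before the image is captured, and fail the pipeline on any finding; the content rules catch keys that were copied to an unexpected path, which the path rules alone would miss.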
Amazon Machine Images
Amazon Inspector
Agent-based solutions
[Figure: agents on instances in several private subnets report to central monitoring and policy control.]
Use cases
• Highly distributed and scalable application architectures
Benefits
• Scales with the application
• Endpoints enforce policy
• Aids in regular auditing and monitoring
• Allows AWS to gather information on behalf of the customer
Amazon Inspector
Automated assessments that help improve the security and compliance of applications
• Detects vulnerabilities
• Verifies security best practices
• Generates a findings report
• Offers both agent-based and agentless solutions
Security benefits
• Automation of security assessments
• Built-in library of AWS security knowledge and best practices
• Guidance on resolving security findings
Getting started
1. Install the Inspector agent on each EC2 instance (this applies to Amazon Inspector Classic, which this section describes; the current Amazon Inspector relies on the SSM Agent instead).
2. An AWS service role is used by Inspector.
3. Tag all of your EC2 instances for scanning.
4. Define and schedule an assessment run.
Assessment templates and rules
[Figure: an assessment template combines a rules package, an assessment run duration and Amazon SNS topics for notifications; running the template produces an assessment run.]
Rules packages:
• Security best practices
• Host hardening benchmarks
• Common vulnerabilities and exposures
• EC2 instance network vulnerabilities
Amazon Inspector findings
Severity      | Date       | Application         | Rules package                 | Finding
High          | 06/01/2018 | Customer Processing | Authentication Best Prac…     | Instance A1 is configured to allow users…
High          | 06/01/2018 | Customer Processing | Common Vulnerabilities…       | Instance B1 is vulnerable to CVE-2016-05…
High          | 06/01/2018 | Customer Processing | Common Vulnerabilities…       | Instance B2 is vulnerable to CVE-2016-05…
Medium        | 06/01/2018 | Customer Processing | Common Vulnerabilities…       | Instance C2 is vulnerable to CVE-2016-34…
Medium        | 06/01/2018 | Customer Processing | Common Vulnerabilities…       | Instance D2 is vulnerable to CVE-2016-34…
Informational | 06/01/2018 | Customer Processing | Operating System Best…        | No potential security issues found.
Informational | 06/01/2018 | Customer Processing | Runtime Behavior Anal…        | Instance C1 was found to have unused…
Informational | 06/01/2018 | Customer Processing | Networking Security Best…     | No potential security issues found.
Instance Automation with AWS Systems Manager
AWS Systems Manager
Centrally manage the security and hardening of your applications and OS
• System inventory
• OS patch updates
• Automated AMI creation
• OS and application configuration
• Session Manager
Security benefits
• Automate complex and repetitive tasks
• Maintain software compliance by defining and enforcing policies
• Collect software configuration and inventory
Getting started
1. Create an instance profile with an IAM role that lets the instance talk to Systems Manager (the AWS managed policy AmazonSSMManagedInstanceCore grants the minimum set of permissions).
2. Attach the instance profile to your EC2 instances.
3. Install the AWS Systems Manager (SSM) Agent (preinstalled on Amazon Linux 2 and several other AWS-provided AMIs).
Features and use cases
Automation
  Description: Automate common and repetitive IT operations and management tasks across AWS resources.
  Use cases: • Automate AMI creation from AWS Marketplace or custom AMIs.
Inventory Manager
  Description: Collect data about applications, files, network configurations, updates, and other system properties.
  Use cases: • Audit application configurations. • Track licenses and application assets.
Maintenance Window
  Description: Schedule windows of time to run administrative and maintenance tasks across your instances.
  Use cases: • Control system stability when performing high-risk or disruptive tasks like OS patching.
Parameter Store
  Description: Manage configuration data, whether plain-text data such as database connection strings or secrets such as passwords.
  Use cases: • Keep secrets out of code. • Centrally manage global configurations.
Patch Manager
  Description: Deploy software patches automatically across large groups of EC2 or on-premises instances.
  Use cases: • Roll out patches at scale and increase fleet compliance visibility.
State Manager
  Description: Maintain consistent configuration of your EC2 or on-premises instances.
  Use cases: • Run tests to ensure instances are compliant. • Patch instances with software updates.
Compliance Dashboard
  Description: Monitor patching and configuration compliance by logical grouping.
  Use cases: • Filter data based on compliance type. • Group and filter on user-defined resource groups.
Distributor
  Description: Publish resources to Systems Manager-managed instances.
  Use cases: • Publish AWS-provided agent software. • Publish custom software packages.
Run Command / Session Manager
  Description: Manage instances remotely at scale without logging into your servers.
  Use cases: • Perform staged command runs. • Manage instances without SSH access.
Use case: patching instances
[Figure, AWS Cloud:
1. Amazon Inspector assesses the Amazon EC2 instances in the VPC and sends findings to an Amazon SNS topic.
2. Amazon SNS publishes the findings to notify the administrator and invokes an AWS Lambda function.
3. The Lambda function calls Systems Manager State Manager.
4. State Manager patches the instances.]
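The Lambda step of this flow, applied to the findings table in the Amazon Inspector section, as an added example that is not the module's or AWS's code. It shows the triage a practitioner wants in that function: only Common Vulnerabilities and Exposures findings at or above a severity threshold trigger a patch, because a patch run does not fix an authentication or runtime-behaviour finding. Assumptions: the SNS message body is a constructed JSON list of findings with "severity", "rulesPackage" and "instanceId" fields (a real Inspector notification carries finding ARNs that you would resolve with describe_findings; that lookup is not reproduced), the instance IDs are invented, and remediation is a State Manager association running the AWS-RunPatchBaseline document via boto3's create_association. The SSM client is injected so the selection logic runs offline against the FakeSsm test double.

```python
"""Lambda step of the "patching instances" use case (added example, not from the page)."""
import json
import uuid

PATCHABLE_PACKAGE = "Common Vulnerabilities and Exposures"
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def parse_sns_event(event):
    """Flatten the findings carried in every SNS record of a Lambda event."""
    findings = []
    for record in event.get("Records", []):
        body = json.loads(record["Sns"]["Message"])
        findings.extend(body if isinstance(body, list) else [body])
    return findings


def select_instances(findings, min_severity="High"):
    """Instance IDs with a CVE finding at or above min_severity, in first-seen order."""
    threshold = SEVERITY_RANK[min_severity]
    chosen = []
    for finding in findings:
        if finding.get("rulesPackage") != PATCHABLE_PACKAGE:
            continue  # best-practice and runtime findings are not fixed by patching
        if SEVERITY_RANK.get(finding.get("severity"), -1) < threshold:
            continue
        if finding["instanceId"] not in chosen:
            chosen.append(finding["instanceId"])
    return chosen


def handler(event, context=None, ssm=None, min_severity="High"):
    """Lambda entry point: SNS event in, State Manager association out."""
    if ssm is None:
        import boto3  # only inside Lambda; assumption: the role allows ssm:CreateAssociation
        ssm = boto3.client("ssm")
    instances = select_instances(parse_sns_event(event), min_severity)
    if not instances:
        return {"instances": [], "associationId": None}
    resp = ssm.create_association(
        Name="AWS-RunPatchBaseline",
        AssociationName=f"inspector-autopatch-{uuid.uuid4().hex[:8]}",
        Targets=[{"Key": "InstanceIds", "Values": instances}],
        Parameters={"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]},
        MaxConcurrency="25%",  # limit how much of the fleet reboots at once
        MaxErrors="10%",
    )
    return {"instances": instances,
            "associationId": resp["AssociationDescription"]["AssociationId"]}


class FakeSsm:
    """Records create_association calls instead of reaching AWS (test double)."""

    def __init__(self):
        self.calls = []

    def create_association(self, **kwargs):
        self.calls.append(kwargs)
        return {"AssociationDescription": {"AssociationId": "assoc-constructed"}}


# Constructed SNS payload mirroring the findings table in the Inspector section.
SAMPLE_FINDINGS = [
    {"severity": "High", "rulesPackage": "Authentication Best Practices", "instanceId": "i-000000000000000a1"},
    {"severity": "High", "rulesPackage": PATCHABLE_PACKAGE, "instanceId": "i-000000000000000b1"},
    {"severity": "High", "rulesPackage": PATCHABLE_PACKAGE, "instanceId": "i-000000000000000b2"},
    {"severity": "Medium", "rulesPackage": PATCHABLE_PACKAGE, "instanceId": "i-000000000000000c2"},
    {"severity": "Medium", "rulesPackage": PATCHABLE_PACKAGE, "instanceId": "i-000000000000000d2"},
    {"severity": "Informational", "rulesPackage": "Runtime Behavior Analysis", "instanceId": "i-000000000000000c1"},
]
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps(SAMPLE_FINDINGS)}}]}


def demo():
    """Run the handler against the sample event with the fake client."""
    ssm = FakeSsm()
    result = handler(SAMPLE_EVENT, ssm=ssm)
    return result, ssm.calls


if __name__ == "__main__":
    print(demo())
```

Lowering min_severity to "Medium" also pulls in C2 and D2. For disruptive patching of production fleets, the association is better replaced by a Patch Manager task inside a Maintenance Window, which the feature table above lists for exactly this reason.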
KNOWLEDGE CHECK
Knowledge Check
Amazon Inspector can automatically remediate issues found during a security assessment.
True False
Answer: False. Inspector assesses and reports findings; remediation is done separately (for example with Systems Manager).
Knowledge Check
How does Systems Manager communicate with instances in order to patch operating systems?
A. Via a preconfigured route table.
B. Via an update request to AWS Support.
C. Via an installed agent.
Answer: C. The SSM Agent on the instance opens outbound connections to the Systems Manager service and executes the commands it receives.
Thank you
pwc.com
© 2022 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of
PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm
is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not
responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in
any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another
member firm’s professional judgment or bind another member firm or PwCIL in any way.