In this blog post, we will take a look at the top 13 AWS EC2 misconfigurations that you should avoid. Let us first brush up on what AWS EC2 is.
What is AWS EC2?
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. In other words, Amazon lets users rent virtual computers (called EC2 instances) on which to run their applications. This eliminates the need to invest in your own hardware, as you can rely on these virtual servers for compute and storage and configure their security yourself. The aim of AWS EC2 is to make web-scale distributed computing simpler for developers. Its "pay-as-you-go" model makes it even more popular.
The 13 Common AWS EC2 Misconfigurations
Even a good service is only as secure as the measures you take on your side. Below are the 13 most common AWS EC2 misconfigurations; avoiding them will help you achieve security, efficiency, cost optimization, and adherence to various compliance standards.
- Public Snapshots
- Non-public EC2 AMI
- Encrypted AMI
- Not using default VPC
- AMI Age
- Scheduled Events
- EC2 Instance Not In Public Subnet
- Unrestricted Netbios Access
- Unrestricted Outbound Access
- EC2 Reserved Instance Payment Pending
- EC2 IAM Roles
- Unrestricted CIFS Access
- EC2 Reserved Instance Payment Failed
Let us take a look at them one by one in detail.
Public Snapshots
The very first EC2 misconfiguration you should avoid is making your snapshots public. Ensure that your EC2 instance snapshots are not publicly accessible. A public snapshot can expose personal and sensitive information, thereby violating compliance standards like GDPR, NIST, and PCI DSS. Violating these standards can result in hefty fines and litigation.
Non-Public EC2 AMI
The next most common EC2 misconfiguration is sharing your Amazon Machine Images (AMIs) publicly. AMIs should not be shared publicly with other AWS accounts, so that sensitive data is not exposed. This is a requirement of the NIST, APRA, and MAS compliance standards.
Encrypted AMI
Talking about AMIs, having unencrypted AMIs is another misconfiguration. When dealing with sensitive data that is crucial to your business, encrypting AMIs is necessary to protect that data from attackers. Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption. The standards that require this are NIST, PCI, APRA, MAS, HIPAA, and GDPR.
Not Using Default VPC
Using the default VPC is a misconfiguration you should avoid; launch your instances into a VPC you have designed yourself. The default VPC comes with an internet gateway and subnets that auto-assign public IP addresses, so instances launched into it are reachable from the internet unless you explicitly lock them down. Compliance with this policy is also required for APRA, MAS, and NIST.
AMI Age
Your AMIs should not be older than a given number of days. You can set this value to suit your needs; however, we recommend not using an AMI older than 180 days. Using up-to-date AMIs helps ensure that the EC2 instances you deploy are secure and reliable. Overcoming this misconfiguration is one step toward achieving NIST, APRA, and MAS compliance.
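The AMI and snapshot checks above (public sharing, unencrypted volumes, age over 180 days, public snapshot permissions) can be evaluated offline from the data the EC2 API returns. The following is an added example written for this post, not Cloudanix's recipe or AWS code; it assumes the response shapes of `describe_images` and `describe_snapshot_attribute` and runs on constructed sample records with placeholder IDs.

```python
from datetime import datetime, timedelta, timezone

# Constructed records in the shape of ec2.describe_images()["Images"]; the IDs are placeholders.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000aaaa", "Name": "web-base-2021", "Public": True,
     "CreationDate": "2021-03-01T00:00:00.000Z",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}}]},
    {"ImageId": "ami-0000000000000bbbb", "Name": "api-base-current", "Public": False,
     "CreationDate": "2021-12-15T00:00:00.000Z",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}},
                             {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"}]},
]
# Constructed response of ec2.describe_snapshot_attribute(Attribute="createVolumePermission").
SAMPLE_SNAPSHOT_ATTR = {"SnapshotId": "snap-0000000000000aaaa",
                        "CreateVolumePermissions": [{"Group": "all"}]}


def parse_creation_date(value):
    # AMI CreationDate is ISO 8601 with milliseconds and a trailing Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def snapshot_is_public(attr):
    # A createVolumePermission entry with Group "all" means any AWS account can copy the snapshot.
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


def audit_image(image, now, max_age_days=180):
    """Return the findings for one AMI: public sharing, unencrypted EBS volumes, age."""
    findings = []
    if image.get("Public"):
        findings.append("AMI is publicly shared")
    for mapping in image.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")  # instance-store mappings have no Ebs key and cannot be encrypted
        if ebs is not None and not ebs.get("Encrypted", False):
            findings.append(f"unencrypted EBS volume at {mapping['DeviceName']}")
    age = now - parse_creation_date(image["CreationDate"])
    if age > timedelta(days=max_age_days):
        findings.append(f"AMI is {age.days} days old (limit {max_age_days})")
    return findings


def audit_images(images, now, max_age_days=180):
    return {img["ImageId"]: audit_image(img, now, max_age_days) for img in images}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for image_id, findings in audit_images(SAMPLE_IMAGES, now).items():
        print(image_id, findings or ["ok"])
    print(SAMPLE_SNAPSHOT_ATTR["SnapshotId"], "public" if snapshot_is_public(SAMPLE_SNAPSHOT_ATTR) else "private")
```

Against a live account you would feed the same functions the output of `describe_images(Owners=["self"])` and, per snapshot, `describe_snapshot_attribute`.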
Scheduled Events
Not acting on AWS EC2 scheduled events results in unexpected downtime, which in turn lowers availability and reliability. Take the necessary steps on EC2 instances that are scheduled for retirement and/or maintenance.
EC2 Instance Not In Public Subnet
Backend instances should not run in public subnets. Backend instances are EC2 instances that do not require direct access to the public internet, such as database, API, or caching servers; they should run in a private subnet (i.e., behind a NAT gateway). Keeping them there helps you maintain security.
Unrestricted Netbios Access
No AWS EC2 security group should allow unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS). Failure to resolve this misconfiguration can result in devastating consequences like Denial of Service (DoS) attacks, man-in-the-middle (MITM) attacks, and data breaches. Furthermore, this misconfiguration violates a host of compliance standards, including PCI, APRA, MAS, NIST, and SOC2.
Unrestricted Outbound Access
EC2 security groups should not allow unrestricted outbound/egress access. Restricting egress supports the control requirement that the entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events and meet the entity's objectives.
EC2 Reserved Instance Payment Pending
Ensure that none of your AWS EC2 Reserved Instance purchases have a pending status; this helps you with cost optimization. It also helps you comply with APRA, MAS, and AWAF.
EC2 IAM Roles
Use IAM roles (instance profiles) instead of IAM access keys to grant permissions to any application running on your EC2 instances that makes AWS API requests.
Unrestricted CIFS Access
No AWS EC2 security group should allow unrestricted inbound access to TCP port 445 (CIFS). Failure to resolve this misconfiguration can result in devastating consequences like Denial of Service (DoS) attacks, man-in-the-middle (MITM) attacks, and data breaches. Furthermore, this misconfiguration violates a host of compliance standards, including PCI, APRA, MAS, and NIST.
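The three security-group checks above (world-open NetBIOS ports, world-open CIFS, and unrestricted egress) share one evaluation: does any rule combine an any-address CIDR with the watched protocol and port? This added example, written for this post and not taken from Cloudanix or AWS, audits constructed records shaped like the `describe_security_groups` response (placeholder group IDs); it treats `IpProtocol` `-1` as covering every port, which is how AWS represents the default allow-all egress rule.

```python
# Constructed records shaped like ec2.describe_security_groups()["SecurityGroups"]; IDs are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000aaaa", "GroupName": "legacy-fileshare",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "udp", "FromPort": 137, "ToPort": 138, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000bbbb", "GroupName": "api-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# (protocol, port) pairs the post calls out: NetBIOS name, datagram and session services, and CIFS/SMB.
WATCHED_PORTS = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]


def rule_is_world_open(rule):
    # True if the rule's source (ingress) or destination (egress) includes the whole IPv4 or IPv6 internet.
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def rule_covers(rule, proto, port):
    # IpProtocol "-1" means every protocol and port; such rules carry no FromPort/ToPort.
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == proto and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_security_group(group):
    # Findings for one group: world-reachable NetBIOS/CIFS inbound and all-open egress.
    findings = []
    for rule in group.get("IpPermissions", []):
        if rule_is_world_open(rule):
            for proto, port in WATCHED_PORTS:
                if rule_covers(rule, proto, port):
                    findings.append(f"inbound {proto}/{port} open to the world")
    for rule in group.get("IpPermissionsEgress", []):
        # This is the shape of the egress rule every new security group gets by default.
        if rule["IpProtocol"] == "-1" and rule_is_world_open(rule):
            findings.append("unrestricted outbound access (all traffic to anywhere)")
    return findings


def audit_security_groups(groups):
    return {g["GroupId"]: audit_security_group(g) for g in groups}
```

The `api-tier` group is deliberately clean: HTTPS open to the world is not one of the ports the post flags, and its egress is narrowed to one port, so it produces no findings.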
EC2 Reserved Instance Payment Failed
Ensure that none of your AWS EC2 Reserved Instance purchases have failed; this helps you with cost optimization. It also helps you comply with APRA, MAS, and AWAF.
How Can Cloudanix Help?
EC2 misconfiguration issues are not new; they have been the largest issue organizations have faced for years. It is essential to understand what they are and why acting on them immediately is necessary. Cloudanix provides you with an EC2 recipe that audits your AWS account for these misconfigurations and more! We also help you remediate these EC2 misconfigurations in an automated way! You can sign up for a free trial today!