AWS Security Controls for EC2 IGW ALB SG NACL
- An Internet Gateway (IGW) is allowed to be attached only to VPCs hosting an application which must interact directly with the public internet due to an approved set of business requirements.
- Every subnet in an application-specific VPC will have a Security Group which restricts all ingress and egress to a known set of whitelisted protocols and ports.
- NACLs will not be used to restrict access from specific IP addresses. As such, the Source and Destination fields inside a NACL are allowed to use an any-source CIDR, e.g., `0.0.0.0/0`.
- Every EC2 instance which requires internet access will be deployed into a public (internet-facing) subnet. Unless otherwise specified, the instance will not be assigned a public IP address or an Elastic IP. This means that by default, an instance in a public subnet has no access to the internet.
- In order to receive inbound HTTPS connections from the internet, the instance must be front-ended by a public Application Load Balancer (ALB). The ALB must be protected by a WAF and have a Security Group with whitelisted IP ranges. Insecure (HTTP-based) connections to the ALB are not permitted.
  - The set of whitelisted IP addresses can, and should, change depending on application-level requirements. IP address whitelisting will be enforced through the use of either a WAF IPSet or a Security Group.
- Every EC2 instance which does not require internet access will be deployed into a private subnet.
- During a maintenance window, an instance in a private subnet is allowed to initiate internet connections via a NAT Gateway. However, both the NAT Gateway and the subnet's route to the NAT are ephemeral: they exist only for the duration of the maintenance window and are programmatically removed once the maintenance window closes.
- Any private instance using a NAT must have a Security Group with outbound rules which specify the allowable protocols, ports and destinations. The Security Group cannot contain outbound rules which allow any destination (`0.0.0.0/0`).
- If SSH access to an EC2 instance is needed, then SSM Session Manager should be used. Use of SSM Session Manager is authorized on an ongoing basis since it requires no direct internet access.
- If required, an EC2 instance is also permitted to accept inbound SSH connections directly from the internet. In order to allow inbound SSH, the EC2 instance will be assigned a public IP address and must be protected by a Security Group which only allows connections from an approved set of IP addresses.
  - Password-based authentication is disabled.
- Direct internet-based SSH connectivity to EC2 instances must be either eliminated or replaced. Elimination means the exclusive use of SSM Session Manager. Replacement means that inbound SSH connections from the internet must be front-ended by a hardened bastion host (see above).
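As an added example (not part of the original controls list), the following Python script checks Security Group definitions in the shape returned by boto3's `ec2.describe_security_groups()` against three of the controls above: no any-destination egress on a private instance's Security Group, no HTTP ingress on the ALB's Security Group, and no SSH ingress from an any-source CIDR. The group names, the `role` labels and the sample groups are constructed for illustration.

```python
from typing import Dict, List

ANY = "0.0.0.0/0"  # the any-source / any-destination CIDR the controls forbid


def _cidrs(rule: dict) -> List[str]:
    """IPv4 CIDRs of one IpPermissions entry (boto3 shape)."""
    return [r["CidrIp"] for r in rule.get("IpRanges", [])]


def _covers_port(rule: dict, port: int) -> bool:
    """True if the rule allows the given TCP port. IpProtocol '-1' means all
    traffic, in which case boto3 omits FromPort/ToPort."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def check_security_group(sg: dict, role: str) -> List[str]:
    """Return control violations for one Security Group.
    role is a constructed label: 'alb', 'private' or 'public'."""
    findings, name = [], sg.get("GroupName", sg.get("GroupId", "?"))
    for rule in sg.get("IpPermissions", []):
        if _covers_port(rule, 22) and ANY in _cidrs(rule):
            findings.append(f"{name}: SSH (22) ingress from {ANY}; restrict to approved IPs")
        if role == "alb" and _covers_port(rule, 80):
            findings.append(f"{name}: HTTP (80) ingress on ALB; only HTTPS is permitted")
    if role == "private":  # private instances behind a NAT must name destinations
        for rule in sg.get("IpPermissionsEgress", []):
            if ANY in _cidrs(rule):
                findings.append(f"{name}: egress to {ANY}; private instances must name destinations")
    return findings


def audit(groups: List[dict], roles: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each group name to its list of findings (empty list = compliant)."""
    return {g["GroupName"]: check_security_group(g, roles[g["GroupName"]]) for g in groups}


# Constructed sample: one group per role, each with exactly one violation.
SAMPLE_GROUPS = [
    {"GroupName": "alb-sg", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupName": "private-app-sg", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}]},
    {"GroupName": "ssh-host-sg", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY}]}]},
]
ROLES = {"alb-sg": "alb", "private-app-sg": "private", "ssh-host-sg": "public"}

if __name__ == "__main__":
    for group, issues in audit(SAMPLE_GROUPS, ROLES).items():
        print(group, "OK" if not issues else issues)
```

Against live data, pass the `SecurityGroups` list from `describe_security_groups()` in place of the constructed sample and supply the role of each group from your own tagging.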