AWS Web Server Security
This article describes 3 basic and important steps to secure internet-facing web servers on AWS.
Security is probably the most important aspect of application deployments on the cloud. Many factors have to be considered, such as encryption, firewall configuration, and DDoS protection, to name a few. Designing an architecture that addresses all of these concerns demands a considerable amount of time and effort. AWS provides a bouquet of services, each addressing a specific area of security. In this article, I’ll take a common use case, an internet-facing application running on an auto-scaling group of EC2 instances, and explore a few ways in which the servers can be secured.
1. Network Setup
First things first, the network setup has to be spot on. To start with, there has to be a VPC with private and public subnets. The auto-scaling group of EC2 instances should be deployed in the private subnet(s), and an ALB (application load balancer) in the public subnet. To ensure Transport Layer Security (TLS), the ALB should accept HTTPS requests only. To achieve this, a certificate needs to be created in Amazon Certificate Manager (ACM) and attached to the load balancer. The security group of the ALB should allow inbound HTTPS only. The security group of the EC2 instances, on the other hand, should only allow inbound traffic from the security group of the load balancer, not from any IP range.
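The layout above is easy to describe and easy to let drift (someone opens SSH to the world on the web tier, or adds a plain HTTP listener). The following audit script is an added example, not code from the article: it checks the three invariants of step 1 against dicts shaped like the output of boto3's `ec2.describe_security_groups()` and `elbv2.describe_listeners()`, so it can be pointed at live output. The sample data, group ids and certificate ARN are constructed placeholders.

```python
"""Offline audit of the network layout described in step 1.

Added example, not code from the article.  The dict shapes mirror what boto3's
ec2.describe_security_groups() and elbv2.describe_listeners() return, so the
functions can be pointed at live output; the sample data below is constructed
and the group ids and certificate ARN are placeholders.
"""
from typing import Iterable, List


def _cidrs(perm: dict) -> set:
    """All CIDR sources (IPv4 and IPv6) of one IpPermissions entry."""
    return {r["CidrIp"] for r in perm.get("IpRanges", [])} | {
        r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}


def _ports(perm: dict) -> tuple:
    return perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")


def audit_alb_sg(sg: dict) -> List[str]:
    """The ALB's security group may only allow inbound TCP/443 (HTTPS)."""
    findings = []
    if not sg["IpPermissions"]:
        findings.append(f"{sg['GroupId']}: no inbound HTTPS rule at all")
    for perm in sg["IpPermissions"]:
        if _ports(perm) != ("tcp", 443, 443):
            findings.append(f"{sg['GroupId']}: inbound rule other than HTTPS/443: {_ports(perm)}")
    return findings


def audit_web_sg(sg: dict, alb_sg_id: str) -> List[str]:
    """The EC2 group's inbound rules must all reference the ALB's group,
    never a CIDR range (and in particular never 0.0.0.0/0)."""
    findings = []
    for perm in sg["IpPermissions"]:
        if _cidrs(perm):
            findings.append(f"{sg['GroupId']}: CIDR-based inbound rule {_ports(perm)} "
                            f"from {sorted(_cidrs(perm))}")
        others = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])} - {alb_sg_id}
        if others:
            findings.append(f"{sg['GroupId']}: inbound from groups other than the ALB: {sorted(others)}")
    return findings


def audit_listeners(listeners: Iterable[dict]) -> List[str]:
    """Listeners must be HTTPS with a certificate; a plain HTTP listener is
    tolerated only if its default action redirects to HTTPS."""
    findings = []
    for lst in listeners:
        if lst["Protocol"] == "HTTPS":
            if not lst.get("Certificates"):
                findings.append(f"listener :{lst['Port']} is HTTPS but has no certificate")
            continue
        actions = lst.get("DefaultActions", [])
        redirects = bool(actions) and actions[0].get("Type") == "redirect" \
            and actions[0].get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        if not redirects:
            findings.append(f"listener :{lst['Port']} {lst['Protocol']} does not redirect to HTTPS")
    return findings


def audit_all(alb_sg: dict, web_sg: dict, listeners: Iterable[dict]) -> List[str]:
    return (audit_alb_sg(alb_sg)
            + audit_web_sg(web_sg, alb_sg["GroupId"])
            + audit_listeners(listeners))


# ---- constructed sample data (placeholders, not real resources) ----
ALB_SG_ID, WEB_SG_ID = "sg-PLACEHOLDER-alb", "sg-PLACEHOLDER-web"

GOOD_ALB_SG = {"GroupId": ALB_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}

GOOD_WEB_SG = {"GroupId": WEB_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]}]}

# Drifted variant: SSH opened to the world on the web tier.
BAD_WEB_SG = {"GroupId": WEB_SG_ID, "IpPermissions": GOOD_WEB_SG["IpPermissions"] + [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}]},
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect",
     "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]

if __name__ == "__main__":
    for finding in audit_all(GOOD_ALB_SG, BAD_WEB_SG, LISTENERS):
        print("FINDING:", finding)
```

Run against the drifted web-tier group, the script reports exactly one finding (the SSH rule open to 0.0.0.0/0); the compliant pair produces none. Scheduling this kind of check is cheaper than discovering the drift after the fact.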
2. Firewall Setup
With the network setup in place, it’s time to tighten the screws further. A Web Application Firewall (WAF) needs to be attached to the ALB. WAF protects the application from common web exploits such as cross-site scripting and SQL injection. Additionally, WAF can filter out requests by applying customized rules, configured in a web access control list (web ACL), based on the IP address of the request, country of origin, string match, regular expression match, etc.
3. Intelligent Monitoring
Once the initial setup is complete and the application is up and running, there should be a monitoring mechanism in place. To that end, it’s advisable to enable GuardDuty. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. It analyses multiple sources such as CloudTrail event logs, VPC Flow Logs, and DNS logs. GuardDuty can be integrated with CloudWatch Events: whenever a finding is raised, it can be sent to administrators as an SNS notification. A Lambda function can also be triggered by the CloudWatch event to update the web ACL based on the GuardDuty finding, thereby automating the response to detected threats.
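The Lambda function at the end of that chain is where the details matter: which part of a GuardDuty finding holds the remote address, which findings are worth acting on, and how a WAFv2 IP set is updated safely. The handler below is an added example, not code from the article or from AWS. It reads the remote IP from the finding's `service.action` block (network connection, port probe or API call), ignores low-severity and outbound findings, refuses to block internal ranges, and performs the read-modify-write that WAFv2's `LockToken` requires. The IP set name and id, the severity threshold and the environment variable names are assumptions; the sample event is constructed, and the in-memory `FakeWafv2` stands in for the two boto3 calls so the logic can be run offline.

```python
"""Lambda handler closing the loop in step 3: a GuardDuty finding arrives via
a CloudWatch Events (EventBridge) rule and its remote IP is added to the WAFv2
IP set that the web ACL's block rule references.

Added example, not code from the article.  IP set name/id, severity threshold
and env-var names are assumptions; the sample event is constructed.  The
finding paths read here are the ones GuardDuty findings carry (service.action.*);
only add_to_ipset() talks to AWS.
"""
import ipaddress
import os
from typing import Optional

IPSET_NAME = os.environ.get("IPSET_NAME", "guardduty-blocklist")   # assumption
IPSET_ID = os.environ.get("IPSET_ID", "PLACEHOLDER-IPSET-ID")       # placeholder
MIN_SEVERITY = float(os.environ.get("MIN_SEVERITY", "7"))           # GuardDuty "High" starts at 7.0

# Ranges a public web ACL must never be told to block: a WAF no-op at best,
# a self-inflicted outage at worst if a finding ever carried an internal address.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def remote_ip_from_finding(detail: dict) -> Optional[str]:
    """Pull the remote peer out of the finding's action block.

    Only inbound-facing actions are useful to a WAF on the ALB: an OUTBOUND
    NETWORK_CONNECTION (an instance calling out) cannot be stopped there and is skipped.
    """
    action = detail.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        nca = action.get("networkConnectionAction", {})
        if nca.get("connectionDirection") == "OUTBOUND":
            return None
        details = nca.get("remoteIpDetails", {})
    elif kind == "PORT_PROBE":
        probes = action.get("portProbeAction", {}).get("portProbeDetails", [])
        details = probes[0].get("remoteIpDetails", {}) if probes else {}
    elif kind == "AWS_API_CALL":
        details = action.get("awsApiCallAction", {}).get("remoteIpDetails", {})
    else:                                   # e.g. DNS_REQUEST: no remote IP
        return None
    return details.get("ipAddressV4") or details.get("ipAddressV6")


def cidr_to_block(event: dict) -> Optional[str]:
    """Return the host CIDR (/32 or /128) to add, or None if not actionable."""
    if event.get("source") != "aws.guardduty":
        return None
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < MIN_SEVERITY:
        return None
    ip = remote_ip_from_finding(detail)
    if not ip:
        return None
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NEVER_BLOCK):
        return None
    return f"{addr}/{addr.max_prefixlen}"


def add_to_ipset(wafv2, cidr: str) -> bool:
    """WAFv2 updates are read-modify-write guarded by a LockToken; returns
    False when the address is already listed."""
    current = wafv2.get_ip_set(Name=IPSET_NAME, Scope="REGIONAL", Id=IPSET_ID)
    addresses = current["IPSet"]["Addresses"]
    if cidr in addresses:
        return False
    wafv2.update_ip_set(Name=IPSET_NAME, Scope="REGIONAL", Id=IPSET_ID,
                        Addresses=addresses + [cidr], LockToken=current["LockToken"])
    return True


def handler(event: dict, context=None, wafv2=None) -> dict:
    """Lambda entry point; `wafv2` is injectable so the logic can be tested offline."""
    cidr = cidr_to_block(event)
    if cidr is None:
        return {"blocked": None}
    if wafv2 is None:
        import boto3                        # only needed inside Lambda
        wafv2 = boto3.client("wafv2")
    return {"blocked": cidr, "added": add_to_ipset(wafv2, cidr)}


# Constructed sample: shape of a GuardDuty finding as delivered by EventBridge.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8,
               "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
                   "portProbeDetails": [{"remoteIpDetails": {"ipAddressV4": "203.0.113.7"}}]}}}},
}


class FakeWafv2:
    """In-memory stand-in for the two WAFv2 calls used, for offline runs."""
    def __init__(self):
        self.addresses, self.token = [], "t0"

    def get_ip_set(self, **kw):
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": self.token}

    def update_ip_set(self, **kw):
        assert kw["LockToken"] == self.token, "stale LockToken"
        self.addresses, self.token = list(kw["Addresses"]), self.token + "x"


if __name__ == "__main__":
    fake = FakeWafv2()
    print(handler(SAMPLE_EVENT, wafv2=fake), fake.addresses)
```

Two points are worth keeping when adapting this: the Lambda's execution role needs only `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on that one IP set, and an IP set has a hard entry limit, so a companion job that expires old entries is needed before the automation has run for long.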
By using the AWS services described in the steps above, internet-facing applications can be protected against malicious and unauthorized access. The next thing to look at is probably encrypting data at rest. Another major area of concern is DDoS protection; I haven’t discussed it in this article as it merits a separate one.
Opinions expressed by DZone contributors are their own.