
Insecure service configuration - EC2

Need

Secure configuration of EC2 instances

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of terraform-provider-aws for managing AWS resources using Terraform

Description

Non-compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"

  tags = {
    Name = "example-instance"
  }
}

This Terraform script creates an EC2 instance from a public AMI. The instance type is t2.micro, it is launched in the us-west-2 region, and it is tagged with the name "example-instance".

The vulnerability is that the instance is publicly accessible and the configuration specifies neither security groups nor a key pair. Anyone who obtains the instance's public IP address, which is easy to discover, can attempt to reach it.

Furthermore, because no key pair is specified, anyone who gains access to the instance has full permissions, including the ability to install, modify or delete any data or application on it.

Finally, because no security groups are specified, all inbound and outbound traffic is allowed by default. This leaves the instance exposed to attacks such as DDoS, brute forcing or data exfiltration.

This configuration is a significant security risk and should not be used in a production environment.

Steps

  • Update the EC2 instance configuration to use a secure AMI (Amazon Machine Image) that is regularly updated and patched.
  • Review and update the instance type to ensure it meets the security requirements of your application.
  • Implement security groups to restrict inbound and outbound traffic to only necessary ports and protocols.
  • Enable VPC (Virtual Private Cloud) flow logs to monitor network traffic and detect any suspicious activity.
  • Configure IAM (Identity and Access Management) roles and policies to limit access permissions for the EC2 instances.
  • Enable encryption at rest for the EC2 instance storage volumes.
  • Implement regular security updates and patches for the EC2 instances.
  • Implement monitoring and logging solutions to detect and respond to any security incidents.
  • Regularly review and audit the EC2 instance configurations to ensure compliance with security best practices.
  • Implement automated backups and disaster recovery plans for the EC2 instances and their data.

Compliant code

provider "aws" {
  region = "us-west-2"
}

# Resolve the newest AMI built and owned by this account instead of a hard-coded public image.
data "aws_ami" "example" {
  most_recent = true
  owners      = ["self"]

  filter {
    name   = "name"
    values = ["my-ami-name"]
  }
}

resource "aws_instance" "example" {
  ami           = data.aws_ami.example.id
  instance_type = "t2.micro"

  # Attach an explicit security group instead of inheriting the VPC default.
  vpc_security_group_ids = [aws_security_group.example.id]

  # Grant the instance only the permissions defined in the IAM role below.
  iam_instance_profile = aws_iam_instance_profile.example.name

  # The root volume is configured through root_block_device; an ebs_block_device
  # entry for the root device name (/dev/sda1) conflicts with it.
  root_block_device {
    encrypted = true
  }

  tags = {
    Name = "example-instance"
  }
}

resource "aws_security_group" "example" {
  name        = "example"
  description = "Example security group"

  # Inbound: SSH only. Narrow cidr_blocks to the address ranges that actually need access.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound: all traffic.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_iam_instance_profile" "example" {
  name = "example"
  role = aws_iam_role.example.name
}

resource "aws_iam_role" "example" {
  name = "example"

  # Trust policy: only the EC2 service may assume this role.
  assume_role_policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
  EOF
}

The updated code includes several security enhancements:

  1. AMI: The code now uses a data source to fetch the most recent AMI owned by the account. This ensures that the EC2 instance is launched with an updated and patched AMI.

  2. Security Group: A security group is created and associated with the EC2 instance. This security group only allows inbound SSH traffic and allows all outbound traffic. Adjust these rules according to your application's requirements.

  3. IAM Role: An IAM role and instance profile are created and associated with the EC2 instance. This limits the permissions of the EC2 instance to only what is defined in the IAM role.

  4. EBS Encryption: The root EBS volume of the EC2 instance is encrypted, ensuring that data at rest is secure.

Remember to replace "my-ami-name" with the name of your secure AMI, and adjust the security group rules and IAM role according to your application's requirements.
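As an added check, not part of this page or of terraform-provider-aws, the following Python script scans Terraform source for the gaps the description and the compliant code above discuss: no security group attached, no instance profile, an unencrypted root volume, and an ingress rule open to 0.0.0.0/0. The samples are constructed from the page's snippets, and the brace-matching parser is a deliberate simplification that assumes no braces inside string literals.

```python
import re

# Constructed samples condensed from this page's snippets (not real deployments).
NONCOMPLIANT = '''
resource "aws_instance" "example" {
  ami = "ami-0c94855ba95c574c8"
}
'''
COMPLIANT = '''
resource "aws_instance" "example" {
  vpc_security_group_ids = [aws_security_group.example.id]
  iam_instance_profile   = aws_iam_instance_profile.example.name
  root_block_device {
    encrypted = true
  }
}
resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
  }
}
'''

BLOCK_RE = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{')

def _resource_blocks(hcl):
    """Yield (type, name, body) for each top-level resource via brace matching."""
    for m in BLOCK_RE.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]

def check_instances(hcl):
    """Return findings, in file order, for the gaps the page's description names."""
    findings = []
    for rtype, name, body in _resource_blocks(hcl):
        ref = f"{rtype}.{name}"
        if rtype == "aws_instance":
            if "vpc_security_group_ids" not in body:
                findings.append(f"{ref}: no security group attached")
            if "iam_instance_profile" not in body:
                findings.append(f"{ref}: no IAM instance profile")
            if not re.search(r"root_block_device\s*\{[^}]*encrypted\s*=\s*true", body):
                findings.append(f"{ref}: root volume not encrypted")
        elif rtype == "aws_security_group":
            for ing in re.finditer(r"ingress\s*\{([^}]*)\}", body):
                if '"0.0.0.0/0"' in ing.group(1):
                    findings.append(f"{ref}: ingress open to 0.0.0.0/0")
    return findings
```

Run against the compliant code it still reports the world-open SSH ingress, which is exactly the rule the page tells you to adjust for your environment.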
