Showing posts from September, 2018

AWS - Basic Security Considerations

Often the default security rules in AWS allow the highest level of access, which is undesirable in a production system. The principle of least access is the recommended security approach for any secure system. This article explains how we can apply some specific security rules to various resources in AWS.

Access to EC2 instances

Do not provide SSH access to EC2 instances in a public subnet, which are exposed to the outside world. Rather, create a separate EC2 instance which will act as a Bastion server. Let us call the security group associated with this Bastion server ‘BastionSG’. The ‘BastionSG’ security group should allow inbound SSH only from a specific IP or a range of IPs in the corporate network. Expose SSH on all other EC2 instances only from the Bastion server, by providing ‘BastionSG’ as the source security group in their inbound rules.

Access to VPC

By default, a VPC will have a NACL (Network Access Control List) which allows all traffic. We can create a c
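An added audit check for the bastion pattern above (example code, not from the original post): it takes security groups in the shape that boto3's `ec2.describe_security_groups()` returns (the sample groups are constructed inline), and flags every inbound SSH source that is not the corporate range on ‘BastionSG’ or ‘BastionSG’ itself on any other group. The group name comes from the post; the corporate range 203.0.113.0/24 is an assumption.

```python
"""Audit EC2 security groups for the bastion-only SSH pattern (offline example)."""
from ipaddress import ip_network

SSH_PORT = 22
CORPORATE_CIDR = "203.0.113.0/24"  # assumption: corporate egress range (TEST-NET-3)

# Constructed sample mirroring the `SecurityGroups` list of describe_security_groups().
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "BastionSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app-ok", "GroupName": "AppSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-app-bad", "GroupName": "LegacySG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def _covers_ssh(perm):
    """True if an inbound permission admits TCP/22 (IpProtocol "-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def ssh_findings(groups, bastion_name="BastionSG", corporate_cidr=CORPORATE_CIDR):
    """Return (GroupName, source) pairs whose inbound SSH source violates the policy."""
    bastion_ids = {g["GroupId"] for g in groups if g["GroupName"] == bastion_name}
    corp = ip_network(corporate_cidr)
    findings = []
    for g in groups:
        is_bastion = g["GroupId"] in bastion_ids
        for perm in g["IpPermissions"]:
            if not _covers_ssh(perm):
                continue
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                src = ip_network(cidr)
                # Only the bastion may take SSH from a CIDR, and only the corporate range.
                ok = is_bastion and src.version == corp.version and src.subnet_of(corp)
                if not ok:
                    findings.append((g["GroupName"], cidr))
            for pair in perm.get("UserIdGroupPairs", []):
                # Non-bastion groups may take SSH from BastionSG only; the bastion takes none from SGs.
                if is_bastion or pair["GroupId"] not in bastion_ids:
                    findings.append((g["GroupName"], pair["GroupId"]))
    return findings
```

Feed it the real output of `describe_security_groups()` to list every group whose SSH exposure deviates from the bastion-only design.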