Securing EC2 Instances – SCS-C02 Study Guide

AWS Elastic Compute Cloud (EC2) is one of the most commonly used compute services in AWS. With a wide variety of operating systems and the flexibility of processing and memory options available, along with an array of performance variations to meet various workloads, the EC2 service makes it extremely easy to get up and running in the cloud. Furthermore, if you have long-running or predictable workloads, with the EC2 service, you can take advantage of cost savings in Reserved Instances or Savings Plans. Even for short-term instances, EC2 offers its extra capacity as Spot Instances at significant discounts.

Unfortunately, there will always be malicious actors whose sole aim is to harm and hinder your infrastructure. As a result, you need to learn the techniques that not only keep your perimeter secure, as discussed in Chapter 10, but also maintain the security of the EC2 instances running your application code inside your AWS environment. You will also see how to access your EC2 instances securely so as to minimize the surface through which unauthorized users could gain entry.

In this chapter, you will look at several ways in which security relates to the actual EC2 service and how you can configure and implement the security measures.

The following main topics will be covered in this chapter:

  • Securing key pairs
  • How to isolate instances for forensic inspection
  • Using Systems Manager to configure instances
  • Patch and configuration management guidelines
  • Performing an internal vulnerability scan using Amazon Inspector

Technical Requirements

To complete some of the exercises in this chapter, you will need an AWS account with an EC2 Linux instance running and permission to access the instance. You will also need permission to run and configure Amazon Inspector and AWS Systems Manager.

Securing Key Pairs for EC2 Instances

The more customizable your service or platform, the more responsibilities you hold as the customer. With the EC2 service, you can create a set of encryption keys that will allow secure access to your EC2 instances.

Creating and Securing EC2 Key Pairs

As part of the process for creating an EC2 instance, you are asked to create a new key pair or select an existing one. This section will discuss the importance of these key pairs and how you can manage them.

Key pairs allow you to connect to your instance, whether it’s Linux-based or Windows-based. The methods for connecting to each of these operating systems with key pairs differ, and you will review the different techniques shortly.

Each key pair uses public key cryptography with 2,048-bit SSH-2 RSA keys and is used to encrypt and decrypt the login credentials for that instance. It is worth noting, however, that once created, a key pair is not tied to a specific instance and can be used for multiple instances. Public key cryptography uses two separate keys to encrypt and decrypt data: the public key and the private key. The EC2 instance holds the public key, and the private key is kept secure by you, the customer. You must download and store this private key securely, as it cannot be recovered if you lose it. The public key encrypts the credentials, and your private key decrypts them, allowing you to access the instance.

Key pairs created in AWS are scoped to a single region by default. If you want to use the same key in multiple regions, you can import the key pair into the EC2 service in each additional region, either via the console or with the CLI after switching regions. Once imported into your chosen regions, the key you initially generated will work on EC2 instances in all of them.
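As an added example (not from the study guide), the following shell script walks through the key-pair lifecycle just described using the AWS CLI: EC2 generates the pair, the downloaded private key is locked down locally and verified, and only the public half is registered in a second region. The key name and region names are constructed values, a configured AWS CLI is assumed, and ssh-keygen is used to derive the public key from the private one.

```shell
#!/bin/sh
# Added example (not from the study guide): create an EC2 key pair, lock down the
# private key, and register the PUBLIC half in a second region.
# Assumes the AWS CLI is configured; key name and regions are constructed values.
set -eu

KEY_NAME="${KEY_NAME:-scs-c02-demo-key}"
HOME_REGION="${HOME_REGION:-us-east-1}"
OTHER_REGION="${OTHER_REGION:-eu-west-1}"

# Returns 0 only when group and others have no permission bits at all
# (e.g. mode 0400 or 0600), which is what ssh requires before it will use the key.
key_perm_ok() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Restrict the private key to read-only for the owner and verify the result.
secure_private_key() {
  chmod 400 "$1"
  key_perm_ok "$1"
}

# Ask EC2 to generate the pair; only this call ever returns the private key material.
create_key_pair() {
  aws ec2 create-key-pair --region "$HOME_REGION" --key-name "$KEY_NAME" \
    --key-type rsa --query KeyMaterial --output text > "$KEY_NAME.pem"
  secure_private_key "$KEY_NAME.pem"
}

# Derive the public key from the local private key and import only that half
# into another region; the private key never leaves this machine.
import_public_key() {
  ssh-keygen -y -f "$KEY_NAME.pem" > "$KEY_NAME.pub"
  aws ec2 import-key-pair --region "$OTHER_REGION" --key-name "$KEY_NAME" \
    --public-key-material "fileb://$KEY_NAME.pub"
}

# Show the fingerprint EC2 registered in each region for your records.
show_fingerprints() {
  for r in "$HOME_REGION" "$OTHER_REGION"; do
    aws ec2 describe-key-pairs --region "$r" --key-names "$KEY_NAME" \
      --query 'KeyPairs[0].[KeyName,KeyFingerprint]' --output text
  done
}

if [ "${1:-}" = "run" ]; then
  create_key_pair
  import_public_key
  show_fingerprints
fi
```

Run it with `sh script.sh run`. EC2 reports a different fingerprint format for keys it created (SHA-1 of the private key) than for imported keys (MD5 of the public key), so the two regions will not show the same fingerprint for the same key.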