SEC 6: How do you protect your compute resources?
Compute resources in your workload require multiple layers of defense to help protect from external and internal threats. Compute resources include EC2 instances, containers, AWS Lambda functions, database services, IoT devices, and more.
Perform vulnerability management: Frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats.
Reduce attack surface: Reduce your attack surface by hardening operating systems, minimizing components, libraries, and externally consumable services in use.
Implement managed services: Implement services that manage resources, such as Amazon RDS, AWS Lambda, and Amazon ECS, to reduce your security maintenance tasks as part of the shared responsibility model.
Automate compute protection: Automate your protective compute mechanisms including vulnerability management, reduction in attack surface, and management of resources.
Enable people to perform actions at a distance: Removing the ability for interactive access reduces the risk of human error, and the potential for manual configuration or management. For example, use a change management workflow to deploy EC2 instances using infrastructure as code, then manage EC2 instances using tools instead of allowing direct access or a bastion host.
Validate software integrity: Implement mechanisms (for example, code signing) to validate that the software, code, and libraries used in the workload are from trusted sources and have not been tampered with.
Perform vulnerability management
What is Amazon Inspector?
OWASP: Source Code Analysis Tools
Reduce attack surface
Securing Amazon Linux
Securing Microsoft Windows Server
AWS Lambda best practices
Implement managed services
Automate compute protection
AWS Systems Manager
Lab: Automated deployment of VPC
Lab: Lab: Automated deployment of EC2 web application
AWS Systems Manager Patch Manager
Centralized multi-account and multi-region patching with AWS Systems Manager Automation
Enable people to perform actions at a distance
AWS Systems Manager Run Command
Validate software integrity
NIST: Security Considerations for Code Signing