SEC 6: How do you protect your compute resources?

Compute resources in your workload require multiple layers of defense to help protect from external and internal threats. Compute resources include EC2 instances, containers, AWS Lambda functions, database services, IoT devices, and more.


Securing Serverless and Container Services
Running high-security workloads on Amazon EKS
Security best practices for the Amazon EC2 instance metadata service
AWS Systems Manager
Replacing a Bastion Host with Amazon EC2 Systems Manager
Security Overview of AWS Lambda
Lab: Automated Deployment of Web Application Firewall

Best Practices:

Improvement Plan

Perform vulnerability management

  • Configure Amazon Inspector: Amazon Inspector tests the network accessibility of your Amazon EC2 instances and the security state of the applications that run on those instances. Amazon Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices.
    What is Amazon Inspector?
  • Scan source code: Scan libraries and dependencies for vulnerabilities.
    Amazon CodeGuru
    OWASP: Source Code Analysis Tools
  • Reduce attack surface

  • Harden operating system: Configure operating systems to meet best practices.
    Securing Amazon Linux
    Securing Microsoft Windows Server
  • Harden containerized resources: Configure containerized resources to meet security best practices.
  • AWS Lambda best practices: Implement AWS Lambda best practices
    AWS Lambda best practices
  • Implement managed services

  • Explore available services: Explore, test, and implement services that manage resources, such as Amazon RDS, AWS Lambda, and Amazon ECS.
    AWS Home
  • Automate compute protection

  • Automate configuration management: Enforce and validate secure configurations automatically by using a configuration management service or tool.
    AWS Systems Manager
    AWS CloudFormation
    Lab: Automated deployment of VPC
    Lab: Automated deployment of EC2 web application
  • Automate patching of EC2 instances: AWS Systems Manager Patch Manager automates the process of patching managed instances with both security-related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications.
    AWS Systems Manager Patch Manager
    Centralized multi-account and multi-region patching with AWS Systems Manager Automation
  • Implement intrusion detection and prevention: Implement an intrusion detection and prevention tool to monitor and stop malicious activity on instances.
  • Consider APN Partner solutions: APN Partners offer hundreds of industry-leading products that are equivalent, identical to, or integrate with existing controls in your on-premises environments. These products complement the existing AWS services to enable you to deploy a comprehensive security architecture and a more seamless experience across your cloud and on-premises environments.
    Infrastructure security
  • Enable people to perform actions at a distance

  • Replace console access: Replace console access (SSH or RDP) to instances with AWS Systems Manager Run Command to automate management tasks.
    AWS Systems Manager Run Command
  • Validate software integrity

  • Investigate mechanisms: Code signing is one mechanism that can be used to validate software integrity.
    NIST: Security Considerations for Code Signing