Cloud administrators are responsible for securing AWS resources. Using hardened Amazon Machine Images is one way...
to launch secure Elastic Compute Cloud instances, while avoiding the time-consuming configuration tasks associated with securing an operating system. The Center for Internet Security offers a number of hardened Linux OSes in the AWS Marketplace.
The Center for Internet Security (CIS) is a cybersecurity organization that holds security training seminars and releases an annual report on the state of Internet security. Additionally, the organization releases security benchmarking guides with a wide range of configuration settings for a secure OS.
The CIS guides delve into some low-level details, such as protecting the boot process. For example, setting permissions on the bootloader config protects boot parameters and settings. Configuring the bootloader to only allow reads and writes for root users is one simple method that can be easily overlooked.
Similarly, the CIS recommends that admins require user authentication -- even in single-user mode. To configure this, set a password for the root user. Without user authentication, hackers can reboot the machine and gain root-user access.
For high-level security issues, the CIS recommends disabling legacy services to protect other software from possible breaches. To do this, disable software or remove it all together.
Hardening an OS can take significant time and attention. Even though many of the changes are easy to implement, they can also introduce the opportunity for errors. Several hardened OSes, including GoldDisk Plus, CIS Amazon Linux and CIS Ubuntu, are available in the AWS Marketplace. Here's a look at each option.
GoldDisk Plus is a secure version of Windows 2008 R2 64-bit for Amazon Elastic Compute Cloud (EC2) and Elastic Block Store (EBS) instances. The OS image is compliant with the Defense Information Systems Agency (DISA) Security Technology Implementation Guide (STIG) and has the option to include an automated remediation tool, called ConfigOS. GoldDisk Plus includes a set of STIG-compliant software and other components, such as Internet Explorer 10, a .NET Framework 4v1 and IIS 7.0.
Pricing for GoldDisk Plus varies depending on AWS instance size and region. The range includes t1.micro instances at $0.02 per hour to i2.8xlarge instances at $7.842 per hour.
CIS Amazon Linux
This option is a hardened 64-bit Linux Amazon Machine Image (AMI). CIS developed the OS and secures it using its security benchmarking guidelines. Similar to GoldDisk Plus, the hardened OS supports use on EC2 and EBS instances.
CIS Amazon Linux instance pricing ranges from $0.033 per hour for t2.micro images to $6.84 per hour for i2.8xlarge instances -- in the US-East region.
The CIS' Ubuntu hardened OS uses Ubuntu version 14.04 LTS x64; it conforms to CIS security benchmarks and supports use on EC2 and EBS instances.
The pricing for CIS Ubuntu is the same as CIS Amazon Linux. The range covers r2.micro images at $0.033 per hour to i2.8xlarge instances at $6.84 per hour. Prices vary by region.
While using a preconfigured, hardened OS can reduce the risk of data breaches or attacks, there are tradeoffs. Some hardened OSes don't include packages or libraries necessary for applications that will run on the hardened server.
But spotting most missing packages should be easy. For example, if a server will transfer data and FTP, but it doesn't have Secure File Transfer Protocol (SFTP) installed, then developers likely will detect that quickly. Similarly, developers who compile applications on instances will quickly detect when compilers aren't installed. However, a missing dependency or improper configuration could appear when part of the application code is executed.
Keep in mind that vendors offering hardened OSes will update AMIs as new vulnerabilities are detected or new code is released. If you created your own AMIs based on hardened images, you will need to recreate those AMIs with the latest hardened images.
Hardened OSes can help cloud admins improve the security of their instances, but thorough testing and reviewing are required to ensure applications will function as expected.
Think like a hacker with security threat modeling
AWS security looks to avoid cloud reboots with s2n
CloudHSM offers premium level of cloud security