Amazon Elastic Compute Cloud (EC2) instances that need single-tenant hardware are available in two configurations: Amazon EC2 Dedicated Hosts and Dedicated Instances. Both run an enterprise's instances on physical servers that no other AWS account shares, which is an additional isolation measure compared to default-tenancy EC2 instances running on shared servers. Dedicated Hosts additionally give visibility into the sockets and physical cores of the underlying server and let an admin control which instances land on a given host; this matters for license management, and some enterprises need it to stay compliant with per-socket or per-core software licenses. Dedicated Hosts do not provide additional security compared to Dedicated Instances; the tenant isolation is the same.
Security for Elastic Compute Cloud (EC2) instances is strong when they are configured properly. A weak point of the original EC2-Classic networking model was that instances sat on a flat network shared with other customers, so an attacker could scan it and identify the IP addresses of a target service. AWS introduced Amazon Virtual Private Cloud (VPC) so that enterprises can run instances in software-defined networks that are logically isolated from other customers' traffic in the AWS data center, with access controlled by security groups and network ACLs. This provides a measure of protection against network-based attacks, but it does nothing against attacks that exploit the physical hardware an instance shares with its neighbors.
How attackers compromise a multi-tenancy model
Security researchers have studied how a VM running on a public cloud could be compromised by a malicious VM placed on the same physical server to snoop on its neighbors. This is a relatively novel technique, and a co-resident VM is limited to observing side effects of the shared hardware: contention on the memory bus and network interface card, cache timing, and subtle variations in CPU performance. In theory, a malicious VM could use these observations to recover encryption keys, which could then be used in subsequent attacks on the enterprise's IT infrastructure.
Security researchers found it possible to time the launch of malicious VMs so that they are provisioned onto the same physical hardware as a target application. In a study funded by the National Science Foundation, researchers co-located snooping instances on the same physical server as a target application on AWS with a 90% success rate, for as little as 14 cents in instance charges.
The test required the researchers to trigger the target enterprise application to scale out and launch more instances, then time the launch of as many as 3,000 instances of the snooping application to coincide with it. When the instances launched late at night in AWS regions with fewer customer workloads, such as US-West-1, the process was even more effective. The snooping instances also ran code that measured variations in CPU and memory performance to confirm that they had been co-located with the target application.
However, a successful breach of this kind requires a high level of sophistication: the attacker has to translate subtle changes in memory and CPU state into useful information, and needs detailed knowledge of the target application and its configuration. This style of attack has not been demonstrated in the wild. It can also be blunted. Adding a small amount of noise to the processing that enterprise applications perform raises the attacker's cost, and cryptographic code that avoids secret-dependent memory accesses and branches (constant-time implementations) removes the signal a co-resident VM is listening for altogether. Dedicated tenancy removes the co-resident attacker itself.
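The following Python script is an added example, not code from the article or from the study it describes. It models how the kind of attack discussed above turns "subtle changes in memory state" into key material, and why constant-time table access defeats it. The victim step is a table lookup indexed by plaintext XOR key (the pattern of a table-driven cipher round); the observer records only which 64-byte cache lines the victim touched, which is what a co-resident prime+probe attacker can reconstruct from timing. The S-box, the 16-entries-per-line layout and all key and plaintext values are constructed for illustration, and because this is Python the demonstration is of the memory access pattern, not of real timing.

```python
"""
Model of a cross-VM cache side channel on a table-driven cipher step and
the constant-time fix. Added example; not from the original article.

Constructed assumptions:
  - one cipher step is the lookup SBOX[plaintext_byte ^ key_byte]
  - SBOX holds 256 four-byte entries, so 16 entries share one 64-byte
    cache line and an observer learns only the line (index >> 4)
"""
import random

LINE_SHIFT = 4              # 64-byte line / 4-byte entry = 16 entries per line
SBOX = list(range(256))
random.Random(1).shuffle(SBOX)   # constructed permutation standing in for a real S-box


class CacheObserver:
    """Records the cache lines the victim touches, i.e. what a co-resident
    prime+probe attacker can recover from cache timing."""

    def __init__(self):
        self.lines = set()

    def touch(self, index):
        self.lines.add(index >> LINE_SHIFT)


def leaky_lookup(obs, key_byte, pt_byte):
    """Secret-dependent access: exactly one cache line is touched, and
    which one depends on key_byte ^ pt_byte."""
    idx = key_byte ^ pt_byte
    obs.touch(idx)
    return SBOX[idx]


def constant_time_lookup(obs, key_byte, pt_byte):
    """Touches every entry and selects the wanted one with a mask, so the
    set of lines the observer sees is the same for every key.
    (The `i == idx` comparison is itself a branch in Python; a real
    implementation uses arithmetic masking. The memory access pattern is
    the point being modelled here.)"""
    idx = key_byte ^ pt_byte
    out = 0
    for i in range(256):
        obs.touch(i)
        mask = -(int(i == idx))      # 0 for non-matching i, -1 (all bits) for the match
        out |= SBOX[i] & mask
    return out


def recover_key_candidates(observations):
    """observations: list of (pt_byte, lines_touched). Keep every key byte
    consistent with all observed line sets."""
    candidates = set(range(256))
    for pt, lines in observations:
        candidates &= {k for k in range(256) if ((k ^ pt) >> LINE_SHIFT) in lines}
    return candidates


def attack(lookup, key_byte, plaintexts):
    """Run the victim step on each plaintext, observe the cache lines, and
    return the key bytes still consistent with what was seen."""
    observations = []
    for pt in plaintexts:
        obs = CacheObserver()
        lookup(obs, key_byte, pt)
        observations.append((pt, obs.lines))
    return recover_key_candidates(observations)


if __name__ == "__main__":
    key, pts = 0xA7, [0x00, 0x3C, 0xFF]        # constructed values
    print("leaky:         ", len(attack(leaky_lookup, key, pts)), "candidates")
    print("constant-time: ", len(attack(constant_time_lookup, key, pts)), "candidates")
```

With the leaky lookup the observer narrows the key byte to the 16 values that share the observed line, i.e. it learns the high nibble from a single observation; real attacks combine this across rounds and tables until the key is fully determined. With the constant-time lookup every observation is identical and all 256 candidates remain.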
Important factors to consider
Provisioning Amazon EC2 Dedicated Instances gives an enterprise a modest security benefit, because no other AWS account's instances share the underlying hardware. Amazon EC2 Dedicated Hosts give the same isolation and no more, so choosing Hosts over Instances buys no additional security. Both options may also improve performance by isolating enterprise workloads from noisy neighbors, but neither offers a performance advantage over the other.
Overall, Amazon EC2 Dedicated Hosts allow companies to save costs because they can reuse licenses already negotiated with application vendors, particularly licenses bound to physical sockets or cores. An enterprise weighing this choice should review the tradeoffs with its accounting team and check the specifics of the AWS Bring Your Own License (BYOL) provisions that apply to each product.
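Whichever option an enterprise picks, it should verify that the instances actually run with the tenancy it intended. The following Python script is an added example, not code from the article or from AWS. It audits the Reservations[].Instances[].Placement.Tenancy structure that `aws ec2 describe-instances` (and boto3's describe_instances) return, against a per-VPC policy. The policy, the VPC and instance IDs, and the response itself are constructed sample data; an instance whose Placement.Tenancy is `default` runs on shared hardware, `dedicated` is a Dedicated Instance, and `host` is an instance on a Dedicated Host.

```python
"""
Audit EC2 instance tenancy from a DescribeInstances-shaped response.
Added example; not from the original article or AWS tooling.
The response, policy, VPC IDs and instance IDs below are constructed.
"""
import json

# Constructed policy: which tenancy each VPC is required to have.
REQUIRED_TENANCY = {
    "vpc-0aaa111": "dedicated",   # regulated workloads: Dedicated Instances or Hosts
    "vpc-0bbb222": "default",     # general purpose: shared hardware is acceptable
}

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_RESPONSE = json.loads("""{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0001", "VpcId": "vpc-0aaa111",
       "Placement": {"Tenancy": "default", "AvailabilityZone": "us-east-1a"}},
      {"InstanceId": "i-0002", "VpcId": "vpc-0aaa111",
       "Placement": {"Tenancy": "dedicated", "AvailabilityZone": "us-east-1a"}},
      {"InstanceId": "i-0003", "VpcId": "vpc-0aaa111",
       "Placement": {"Tenancy": "host", "HostId": "h-0abc", "AvailabilityZone": "us-east-1b"}},
      {"InstanceId": "i-0004", "VpcId": "vpc-0bbb222",
       "Placement": {"Tenancy": "default", "AvailabilityZone": "us-east-1a"}}
    ]}
  ]
}""")

SINGLE_TENANT = {"dedicated", "host"}   # both keep other accounts off the server


def iter_instances(response):
    """Flatten Reservations[].Instances[]."""
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            yield inst


def tenancy_summary(response):
    """Count instances per tenancy value."""
    counts = {}
    for inst in iter_instances(response):
        tenancy = inst.get("Placement", {}).get("Tenancy", "default")
        counts[tenancy] = counts.get(tenancy, 0) + 1
    return counts


def audit_tenancy(response, policy):
    """Return (instance_id, vpc_id, actual_tenancy, finding) for every
    instance that violates the per-VPC policy or is inconsistently placed."""
    findings = []
    for inst in iter_instances(response):
        placement = inst.get("Placement", {})
        tenancy = placement.get("Tenancy", "default")
        vpc = inst.get("VpcId")
        required = policy.get(vpc)
        if required is None:
            findings.append((inst["InstanceId"], vpc, tenancy, "no tenancy policy for VPC"))
        elif required == "dedicated" and tenancy not in SINGLE_TENANT:
            findings.append((inst["InstanceId"], vpc, tenancy,
                             "shared hardware in single-tenant VPC"))
        elif tenancy == "host" and not placement.get("HostId"):
            findings.append((inst["InstanceId"], vpc, tenancy, "host tenancy without HostId"))
    return findings


if __name__ == "__main__":
    print("tenancy counts:", tenancy_summary(SAMPLE_RESPONSE))
    for finding in audit_tenancy(SAMPLE_RESPONSE, REQUIRED_TENANCY):
        print("FINDING:", *finding)
```

To feed it live data, pipe `aws ec2 describe-instances` output into `json.load`. The usual fix for a flagged instance is to relaunch it with `aws ec2 run-instances --placement Tenancy=dedicated` (or `Tenancy=host` plus a `HostId`), and to make single tenancy the default for a regulated VPC by creating it with `aws ec2 create-vpc --instance-tenancy dedicated`.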