Cloud Security 101 - MFA and Security Groups

There are several things you can do to secure your cloud environment. Cloud security measures can be broadly grouped as AWS-account centered and resource centered. In this tutorial we cover a few aspects based on the AWS best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

1. AWS Account Security

1.1. Access “My Security Credentials”

From the AWS management console (the page you land on as soon as you log in to your AWS account), click your account name menu option towards the top right hand corner (screenshot below). Then click the “My Security Credentials” link.



1.2. Google Authenticator

Download and install the Google Authenticator app on your smartphone.

1.3. AWS Multi-factor authentication (MFA)

1.3.1. In the Security Credentials page of your AWS management console, click the “Multi-factor authentication (MFA)” option. Under the MFA section, click the “Activate MFA” button.



1.3.2. In the “Manage MFA device” window, choose “A virtual MFA device” and click the “Next Step” button.



1.3.3. Click “Next Step” after reading any additional notes. Use the Google Authenticator app on your smartphone to scan the displayed barcode. Then enter two consecutive codes displayed on your smartphone and click the “Activate Virtual MFA” button. Click “Finish” in the next window to complete your MFA setup.



1.4. Test MFA

1.4.1. Sign out of your AWS console account by clicking your account name in the AWS console menu bar and then choosing the “Sign Out” option. Now try signing back into your AWS console. This time you will be prompted to enter your MFA code from Google Authenticator.



1.5. Security Status

Carry out the other tasks to secure your account. The “Dashboard” option in the right hand side menu bar of the Security Credentials page should show all green check marks under the “Security Status” section.


2. Instance (System) security

  • There are several tools and techniques to harden, secure and protect your instance (system) in the cloud.

  • Measures such as access control, continuous monitoring, rapid response, virus protection, system auditing and encryption can be carried out to protect your assets.

  • You can protect your system from the inside and also from the outside. In this tutorial, we will set up a few system-level security measures to protect our instance.

2.1. AWS Security groups

Security groups in AWS specify the inbound and outbound traffic allowed to and from your instance: which clients (by IP address) are allowed to communicate with your instance, and which protocols (such as SSH or HTTP) they may use. You can create a security group that only allows SSH (secure shell) connections between the instance and the client, and restrict it further so that only your IP address is allowed to communicate with the instance. This security group acts like an external firewall.

2.1.1. Create a security group

In the EC2 console left hand menu, click the “Security Groups” option under the “NETWORK & SECURITY” section.



In the Security Groups window, click the “Create Security Group” button.



  • In the Create Security Group window, give your security group a name (ex: onlymyip) and, optionally, a description. Click “Add Rule”, then choose “SSH” for Type and “My IP” for Source.

  • Once you have a setup like the screenshot below, click “Create” (right hand corner of the Create Security Group window).



2.1.2. Attach the security group to the instance

Click the “Instances” option in the left hand menu of the EC2 console.

Choose the instance that you want to assign the new security group to.

Click “Actions”, then “Networking”, then “Change Security Groups”.



From the “Change Security Groups” window, check the box beside the “onlymyip” security group and click the “Assign Security Groups” button. As soon as this is done, this instance will be blocked from access by anyone else in the world, other than your machine (your IP address).


Try logging in to your instance from another machine (not from your laptop) and see what happens.
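To see why the test above behaves the way it does, here is a small model of how a security group decides whether to accept inbound traffic. It is an added example, not AWS code: a security group is an allow-list, so a packet is accepted only when some rule matches it and everything else is dropped. The addresses are constructed from the documentation ranges, and the audit helper flags the common mistake this tutorial avoids, a rule whose source is the whole internet.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    protocol: str    # "tcp", "udp" or "-1" (all traffic; ports are then ignored)
    from_port: int
    to_port: int
    cidr: str        # source range; "My IP" in the console yields a /32 such as 203.0.113.7/32

    def allows(self, protocol: str, port: int, source_ip: str) -> bool:
        """True when this rule matches the protocol, port and source address."""
        if self.protocol != "-1":
            if self.protocol != protocol or not self.from_port <= port <= self.to_port:
                return False
        network = ipaddress.ip_network(self.cidr, strict=False)
        return ipaddress.ip_address(source_ip) in network


def is_allowed(rules, protocol: str, port: int, source_ip: str) -> bool:
    """Security group decision: any matching rule allows; no match means the packet is dropped."""
    return any(rule.allows(protocol, port, source_ip) for rule in rules)


def only_my_ip(my_ip: str) -> list:
    """The rule set built in 2.1.1: SSH (tcp/22) from your own address only."""
    return [InboundRule("tcp", 22, 22, f"{my_ip}/32")]


def world_open_rules(rules) -> list:
    """Audit helper: rules whose source is 0.0.0.0/0 or ::/0, i.e. reachable from anywhere."""
    return [r for r in rules if ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0]


if __name__ == "__main__":
    # Constructed sample addresses (TEST-NET ranges), not real hosts.
    my_laptop, other_machine = "203.0.113.7", "198.51.100.20"
    group = only_my_ip(my_laptop)
    print("ssh from my laptop:", is_allowed(group, "tcp", 22, my_laptop))       # True
    print("ssh from elsewhere:", is_allowed(group, "tcp", 22, other_machine))   # False
    print("http from my laptop:", is_allowed(group, "tcp", 80, my_laptop))      # False
    # A launch-wizard style rule with SSH open to the world is what the audit flags.
    print("world-open rules:", world_open_rules([InboundRule("tcp", 22, 22, "0.0.0.0/0")]))
```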


2.2. No password

By default, official Ubuntu Linux instances are launched without any password and only with key pairs. Using key pairs is more secure than using passwords. Access your instance only with key pairs, and create new key pairs for additional users. Follow this AWS tutorial for additional help creating and using passwordless Linux user accounts: https://aws.amazon.com/premiumsupport/knowledge-center/new-user-accounts-linux-instance/