20 Amazon cloud security rules

Source: Internet
Author: User
Tags: ossec
  • Encrypt all network communications;
  • Use only encrypted file systems for block devices and non-root local devices;
  • Encrypt everything stored in S3 with strong encryption;
  • Never allow a decryption key to enter the cloud, except for the duration of an actual decryption operation;
  • Apart from the key used to decrypt the file system key, never place authentication credentials in the AMI;
  • Pass in the file system key, itself encrypted, when the instance starts;
  • Never allow username/password authentication for shell access;
  • Do not require a password for sudo access;
  • Design your system so that your application does not depend on a particular AMI structure;
  • Regularly pull full backups out of the Amazon cloud and keep them securely elsewhere;
  • Run only one service per EC2 instance;
  • Open only the minimum ports the service on an instance requires;
  • Specify source IP addresses when setting up your instance; only allow global access for global services such as HTTP/HTTPS;
  • Keep sensitive and non-sensitive data in separate databases in separate security groups;
  • Automate your security embarrassments;
  • Install a host-based intrusion detection system, such as OSSEC;
  • Make full use of system hardening tools, such as Bastille Linux;
  • If you suspect a compromise, back up the root file system, snapshot the block volumes and shut down the instance. You can perform forensics later on a system that has not been compromised;
  • Design things so that you can roll a security patch into the AMI and simply relaunch your instances;
  • Above all, write secure web applications.
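The rules on shell access and sudo (no password-based authentication, ever) come down to a handful of sshd_config settings, and the check is easy to get wrong because sshd takes the first value it reads for each keyword, not the last. The following audit script is an added example, not part of the original rules or of any project; the two sshd_config texts are constructed samples, and the keyword defaults it assumes (PasswordAuthentication yes, KbdInteractiveAuthentication yes, PermitRootLogin prohibit-password, PermitEmptyPasswords no) are those of current OpenSSH.

```python
"""Audit an sshd_config for password-based shell access (added example, constructed samples)."""

# Constructed sample (not from any real host). The second "PasswordAuthentication no"
# is ineffective: sshd keeps the FIRST value it reads for a keyword.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Constructed hardened counterpart: key-only logins, no interactive password prompts.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return the effective global settings as {keyword_lowercase: value}.

    First occurrence wins (sshd semantics); parsing stops at the first Match line,
    because keywords inside a Match block apply only to matching connections.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        if len(tokens) == 1 and "=" in tokens[0]:      # sshd also accepts Keyword=value
            tokens = tokens[0].split("=", 1)
        if len(tokens) != 2:
            continue
        key, value = tokens[0].lower(), tokens[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)               # keep the first value only
    return effective


def check_password_auth(text):
    """Return a list of findings; an empty list means no password path to a shell."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (OpenSSH default is yes)")
    # KbdInteractiveAuthentication superseded ChallengeResponseAuthentication; either
    # name being 'yes' lets PAM prompt for a password even with PasswordAuthentication no.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive/challenge-response authentication is enabled")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes allows root to log in with a password")
    if cfg.get("permitemptypasswords", "no") != "no":
        findings.append("PermitEmptyPasswords is enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, check_password_auth(text) or "OK")
```

Run against a live host with `check_password_auth(open("/etc/ssh/sshd_config").read())`; on the constructed weak sample it reports the ineffective `PasswordAuthentication no` and the root password login, and nothing on the hardened one. A production audit would also read `sshd -T`, which prints the fully resolved configuration including Include files.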

(Translated from "Twenty Rules for Amazon Cloud Security"; the original English rules follow.)

  1. Encrypt all network traffic.

  2. Use only encrypted file systems for block devices and non-root local devices.

  3. Encrypt everything you put in S3 using strong encryption.

  4. Never allow decryption keys to enter the cloud, unless and only for the duration of an actual decryption activity.

  5. Include no authentication credentials in your AMIs except a key for decrypting the file system key.

  6. Pass in your file system key encrypted at instance start-up.

  7. Do not allow password-based authentication for shell access. Ever.

  8. Do not require passwords for sudo access.

  9. Design your systems so that you do not rely on a special AMI structure for your application to function.

  10. Regularly pull full backups out of Amazon and store them securely elsewhere.

  11. Run only one service per EC2 instance.

  12. Open only the minimum ports necessary to support the services on an instance.

  13. Specify source addresses when setting up your instance; only allow global access for global services like HTTP/HTTPS.

  14. Segment out sensitive data from non-sensitive data into separate databases in separate security groups when hosting an application with highly sensitive data.

  15. Automate your security embarrassments.

  16. Install a host-based intrusion detection system like OSSEC.

  17. Leverage system hardening tools like Bastille Linux.

  18. If you suspect a compromise, backup the root file system, snapshot your block volumes, and shut down the instance. You can perform forensics on an uncompromised system later.

  19. Design things so you can roll out a security patch to an AMI and simply relaunch your instances.

  20. Above all else, write secure web applications.
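Rules 12 and 13 (minimum ports, explicit source addresses, global access only for global services such as HTTP/HTTPS) are the ones most often violated by a quick "open everything" security group. The audit below is an added example, not part of the original rules or of any AWS tooling; it walks a list of security groups in the shape EC2's describe-security-groups output uses (IpPermissions with IpRanges/Ipv6Ranges) and reports every rule that exposes something other than a single global-service TCP port to the whole Internet. The group data is a constructed sample, and the set of ports treated as global (80 and 443) is an assumption you would adjust per application.

```python
"""Flag security-group rules that grant world access beyond HTTP/HTTPS (added example)."""
import ipaddress
import json

# Constructed sample modelled on the describe-security-groups JSON shape; not real output.
SAMPLE_SECURITY_GROUPS = json.loads("""
[
  {"GroupId": "sg-web-example", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80,  "ToPort": 80,  "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22,  "ToPort": 22,  "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}
   ]},
  {"GroupId": "sg-db-example", "GroupName": "db",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
   ]}
]
""")

# Assumption: only these TCP ports serve a genuinely global service (rule 13).
GLOBAL_SERVICE_PORTS = {80, 443}


def is_global(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule):
    """Port range covered by a rule; protocol -1 means every port of every protocol."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def rule_sources(rule):
    """Yield every CIDR (IPv4 and IPv6) a rule accepts traffic from."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_security_groups(groups, global_ports=GLOBAL_SERVICE_PORTS):
    """Return one finding per (group, rule, source) that is world-reachable and not HTTP/HTTPS."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            lo, hi = rule_ports(rule)
            for cidr in rule_sources(rule):
                if not is_global(cidr):
                    continue                       # scoped source address: rule 13 satisfied
                if proto == "tcp" and lo == hi and lo in global_ports:
                    continue                       # a single global-service port is acceptable
                findings.append({
                    "group": group["GroupId"],
                    "protocol": proto,
                    "ports": f"{lo}-{hi}" if lo != hi else str(lo),
                    "source": cidr,
                    "reason": ("all protocols and ports open to the world" if proto == "-1"
                               else "non-global service reachable from any address"),
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']}: {f['protocol']}/{f['ports']} from {f['source']}: {f['reason']}")
```

On the sample this reports the database group twice (MySQL on 3306 open to 0.0.0.0/0, and an all-protocols rule open to ::/0) and nothing for the web group, whose SSH rule is restricted to one /32. To run it against an account, feed it the `SecurityGroups` array from `aws ec2 describe-security-groups`; note that a port range such as 80-443 is deliberately flagged, because it exposes far more than the two global services.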
