Amazon Web Services EC2 – Part 3: Security and Security Groups
Elastic Compute Cloud (EC2)
Security and Security Groups
Security is one of the most important aspects of any serious application, arguably the most important. If you are thinking about running any kind of mission-critical application in the cloud, security should be a large part of your research.
AWS has been independently certified as Sarbanes-Oxley compliant and has passed a SAS70 audit. Amazon’s physical data center security follows established norms and is routinely audited.
On the software side, Amazon maintains a separation between the host operating system (which Amazon is responsible for) and the guest operating systems (the AMIs you run). Amazon uses a customized version of the Xen hypervisor, so you automatically get the isolation between guests that Xen provides.
When you are choosing which AMI to run, include your security needs in the decision. The hypervisor keeps one instance from reading another instance's raw disks, but it does not encrypt the data on them, so if you need protection at rest you may want an encrypted file system on top. Access to the guest OS is over an encrypted channel (SSH on Linux AMIs) regardless of the OS chosen.
EC2 offers a feature called security groups. Security groups are user defined, and one group can be applied across multiple instances. You assign a security group when you start your instance. The best way to think of a security group is as an inbound firewall enforced outside the instance, at the virtualization layer, rather than inside the guest OS.
By default, a security group blocks all incoming traffic. You open access by port, by protocol and by source IP address or range (CIDR). Changes to a security group are made through the EC2 API, which requires your X.509 certificate and private key, so control of this outer firewall can be kept separate from any OS-based firewall (such as iptables) running inside the guest.
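As an added illustration (not code from this post or from AWS), the following Python models the inbound decision a security group makes: default deny, then allow only when a rule matches on protocol, port and source CIDR. The Rule layout, the "web-tier" group and the sample addresses are constructed for the example. It goes a little beyond the text by adding the audit check a practitioner would run over a real group's rules: flagging any rule that exposes a management port (or every port) to 0.0.0.0/0.

```python
"""Model of EC2 security group inbound evaluation.

Added example, not AWS code: the Rule layout, the web-tier group and the
sample addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp" or "udp" (icmp is omitted from this model)
    from_port: int  # start of the port range (inclusive); -1 means all ports
    to_port: int    # end of the port range (inclusive)
    source: str     # permitted source in CIDR form, e.g. "203.0.113.0/24"


def packet_allowed(rules: List[Rule], protocol: str, dst_port: int, src_ip: str) -> bool:
    """Default deny: allow only if some rule matches protocol, port and source address."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.protocol != protocol:
            continue
        # Containment of an IPv6 address in an IPv4 network (or vice versa) is simply False.
        if ip not in ipaddress.ip_network(r.source, strict=False):
            continue
        if r.from_port == -1 or r.from_port <= dst_port <= r.to_port:
            return True
    return False


ADMIN_PORTS = {22, 3389}  # SSH and RDP: the assumed set of management ports for the audit


def overly_broad(rules: List[Rule]) -> List[Rule]:
    """Audit check: rules that open a management port (or every port) to 0.0.0.0/0 or ::/0."""
    flagged = []
    for r in rules:
        if ipaddress.ip_network(r.source, strict=False).prefixlen != 0:
            continue  # source is restricted to some range; not world-open
        if r.from_port == -1 or any(r.from_port <= p <= r.to_port for p in ADMIN_PORTS):
            flagged.append(r)
    return flagged


# Constructed sample: a web tier that takes HTTP/HTTPS from anywhere and SSH only
# from an office range. Any other inbound packet is dropped.
WEB_TIER = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "203.0.113.0/24"),
]
# The same group with a mistake a reviewer should catch: SSH open to the world.
WEB_TIER_BAD = WEB_TIER + [Rule("tcp", 22, 22, "0.0.0.0/0")]

if __name__ == "__main__":
    for proto, port, src in [("tcp", 80, "198.51.100.7"), ("tcp", 22, "198.51.100.7"),
                             ("tcp", 22, "203.0.113.5"), ("udp", 80, "198.51.100.7")]:
        verdict = "allow" if packet_allowed(WEB_TIER, proto, port, src) else "drop"
        print(f"{proto}/{port} from {src}: {verdict}")
    print("world-open admin rules:", overly_broad(WEB_TIER_BAD))
```

The point of the second function is the review habit: a security group is only as good as its narrowest rule, and a single 0.0.0.0/0 entry on port 22 undoes the office-range restriction above it.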
Amazon recommends disabling password-based access to guest instances and using key-based access instead. It is very easy to configure SSH to accept keys instead of passwords (PasswordAuthentication no in sshd_config). It is also easy to distribute SSH public keys between instances so that applications can authenticate to each other without passwords, even within the data center; only the public half of a key pair should ever be copied, and the private key stays on the host that generated it.
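The sshd side of that recommendation, as an added example rather than anything from the post: a small Python audit and hardening routine for sshd_config. The KEY_ONLY_POLICY table and the sample config text are constructed for the example; the directive names are real OpenSSH keywords. It handles two details that catch people out in practice: sshd honours the first occurrence of a keyword, and a Match block can quietly re-enable password logins for some users even when the global setting says no.

```python
"""Audit and harden sshd_config for key-only logins.

Added example, not from the post. KEY_ONLY_POLICY and SAMPLE_CONFIG are
constructed for illustration; the keywords themselves are OpenSSH's.
"""
import re
from typing import Dict, List, Tuple

# Assumed policy: what "keys instead of passwords" means for this example.
KEY_ONLY_POLICY = {
    "PubkeyAuthentication": "yes",
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",  # keyboard-interactive is a password path too
    "PermitRootLogin": "no",
}


def split_directive(line: str) -> Tuple[str, str]:
    """sshd accepts 'Keyword value' and 'Keyword=value'; keywords are case-insensitive."""
    parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (effective global directives, directives found inside Match blocks).

    sshd uses the FIRST occurrence of a keyword in the global section, so later
    duplicates are ignored; everything after a 'Match' line is conditional and
    is collected separately so an override there is not missed.
    """
    global_eff: Dict[str, str] = {}
    match_lines: List[Tuple[str, str]] = []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = split_directive(line)
        if key == "match":
            in_match = True
        elif in_match:
            match_lines.append((key, value))
        else:
            global_eff.setdefault(key, value)
    return global_eff, match_lines


def password_login_disabled(text: str) -> bool:
    """True only if passwords are off globally AND no Match block turns them back on."""
    global_eff, match_lines = parse_sshd_config(text)
    # OpenSSH's compiled-in default is 'PasswordAuthentication yes', so absence means enabled.
    if global_eff.get("passwordauthentication", "yes").lower() != "no":
        return False
    return not any(k == "passwordauthentication" and v.lower() == "yes" for k, v in match_lines)


def harden_sshd_config(text: str) -> str:
    """Rewrite so the global section enforces KEY_ONLY_POLICY.

    Policy lines go first (first occurrence wins), existing global settings for
    those keywords are commented out, and Match blocks are left untouched
    because an override there needs a human decision, not a script.
    """
    policy = {k.lower(): f"{k} {v}" for k, v in KEY_ONLY_POLICY.items()}
    out: List[str] = list(policy.values())
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _ = split_directive(line)
            if key == "match":
                in_match = True
            elif not in_match and key in policy:
                out.append(f"#{raw}  # superseded by key-only policy")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample resembling a stock distribution config: passwords still allowed.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Same file fixed globally, but with a Match block that re-enables passwords for one user.
MATCH_CONFIG = SAMPLE_CONFIG.replace("PasswordAuthentication yes", "PasswordAuthentication no") + \
    "Match User deploy\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    print("sample disabled?  ", password_login_disabled(SAMPLE_CONFIG))
    print("hardened disabled?", password_login_disabled(harden_sshd_config(SAMPLE_CONFIG)))
    print("match-block case: ", password_login_disabled(MATCH_CONFIG))
```

Running the audit function over every instance's sshd_config is the cheap way to confirm the recommendation actually holds across a fleet; the Match-block case is deliberately reported as "not disabled" so that an operator looks at it rather than a script silently deciding.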