Stay up to date with the latest from the Knowledge Center. See all new Knowledge Center articles published in the last month, and re:Post's top contributors.
How do I secure my EC2 instance to meet compliance programs?
I want to secure my Amazon Elastic Compute Cloud (Amazon EC2) instance to meet a compliance program.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
It's your responsibility to follow compliance laws, regulations, and privacy programs. For more information about existing compliance programs, see AWS Compliance Programs.
The following table includes common compliance programs, their requirements, and AWS services to help you configure compliance:
| Compliance program | Key requirements | AWS services to use |
|---|---|---|
| SOC 2 | Security, availability, and confidentiality | AWS Identity and Access Management (IAM), AWS CloudTrail, AWS Config, Amazon GuardDuty |
| Health Insurance Portability and Accountability Act (HIPAA) | Electronic protected health information (ePHI) encryption, and access logs | AWS Key Management Service (AWS KMS), CloudTrail, Amazon Macie |
| Payment Card Data Security Standards (PCI DSS) | Cardholder data protection and web application firewall (WAF) | AWS WAF, AWS Shield, Amazon Inspector |
| General Data Protection Regulation (GDPR) | Personally identifiable information (PII) protection, and right to erasure | Macie, AWS Lambda |
| ISO 27001 | Risk management and encryption | AWS Security Hub, AWS Artifact |
| National Institute of Standards and Technology (NIST) 800-53 | Access control and logging | AWS Organizations service control policies (SCPs) |
| Federal Risk and Authorization Management Program (FedRAMP) | US government cloud security | AWS GovCloud (US), AWS Control Tower |
To meet compliance requirements, it's a best practice to implement a layered security approach for your EC2 instances.
Use access control to adhere to the principle of least privilege
To configure compliance for programs such as SOC 2, NIST, and ISO 27001, take the following actions:
- Use the IAM Identity Center console or the AWS CLI to enforce multi-factor authentication (MFA) for all users.
Note: Enforced MFA is required for PCI DSS and SOC 2. - Use IAM roles instead of root users or long-term credentials.
- Apply SCPs to restrict risky actions.
Set up encryption at rest and in transit
To configure compliance for programs such as HIPPA, PCI DSS, and GDPR, take the following actions:
- Activate Amazon Elastic Block Store (Amazon EBS) encryption.
Note: You can set up automatic encryption for new EBS volumes and snapshots. - Enforce TLS 1.2 or later.
Note: This is required for PCI DSS. - Use AWS Certificate Manager (ACM) certificates to manage HTTPS traffic.
- Configure your security groups to block non-SSL/TLS traffic.
Note: To allow only encrypted traffic, allow SSL/TLS ports such as 443, 465, and 587, and block plaintext ports such as 80, 21, and 3306. For more information about security groups, see Security group rules for different use cases. - Combine security group rules with application-level enforcement, such as HTTP Strict Transport Security (HSTS).
Set up network security firewalls
To configure compliance for programs such as PCI DSS, FedRAMP, and NIST, take the following actions:
- Restrict security groups to allow only the required ports.
- Use AWS WAF to protect your instance.
- Activate Amazon Virtual Private Cloud (Amazon VPC) Flow Logs to capture IP address traffic so that you comply with operational best practices for NIST 800-53.
Set up audit trails
To configure compliance for programs such as SOC 2, ISO 27001, and HIPAA, take the following actions:
- To activate CloudTrail for all AWS Regions, create a trail with IsMultiRegionTrail set to true, or update your existing trails.
- Send logs to Amazon Detective or the Security Hub for automated compliance checks.
Configure patch management and vulnerability scans
To configure compliance with programs such as PCI DSS and FedRAMP, take the following actions:
- Set up Patch Manager, a capability of AWS Systems Manager, to automatically patch your Windows and Linux instances.
- Use Amazon Inspector to scan your instances for package vulnerabilities and network reachability issues.
Set up SSH access
To configure compliance with programs such as SOC 2, HIPAA, PCI DSS, and NIST, take the following actions:
- Adhere to SSH access best practices.
- Use Session Manager, a capability of AWS Systems Manager, to connect to your instance instead of SSH.
- Restrict security groups to specific IP addresses.
- Deactivate password login, and use SSH key pairs instead.
- Rotate your SSH keys every 90 days.
Set up threat detection
To configure compliance with programs such as SOC 2 and IS 27001, configure the following GuardDuty settings:
- Integrate GuardDuty with Security Hub to escalate critical findings.
- Set up On-demand malware scans.
- To identify security threats that most affect your environment, set up suppression rules to remove false positives, low-value findings, and non-actionable threats.
Retrieve information about your instances for a report
To get data about your instance such as ID, tags, and compliance status, run the following describe-instances AWS CLI command:
aws ec2 describe-instances --query Reservations[*].Instances[*].{InstanceId, InstanceType, LaunchTime, State.Name, Tags[?Key==`Name`].Value} --output text > instances.csv
Important: It's a best practice to regularly audit and update your configuration to maintain compliance as standards change.
- Topics
- Compute
- Language
- English
Relevant content
- asked 4 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago
