Insecure service configuration - EC2 - CloudFormation
Need
Secure configuration of EC2 instances
Context
- Usage of CloudFormation for Infrastructure as Code (IaC)
- Usage of an AWS-native service to manage infrastructure as code
Description
Insecure Code Example
```yaml
Resources:
  InsecureInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
```
This CloudFormation template launches an EC2 instance without an explicit security group or key pair. The instance falls back to the VPC's default security group, so its network exposure is not controlled by the template, there is no key-based access control for SSH, and the root volume is not declared as encrypted.
Steps
- Use updated and secure AMIs
- Restrict traffic via security groups
- Use SSH key pairs for access control
- Encrypt EBS volumes
Secure Code Example
```yaml
Parameters:
  KeyName:
    Type: String
    Description: Existing EC2 KeyPair
  AllowedSshCidr:
    Type: String
    Description: Source range allowed to reach SSH (for example, a bastion or office range)
Resources:
  InstanceSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          # Never 0.0.0.0/0 here: that would expose SSH to the whole internet
          CidrIp: !Ref AllowedSshCidr
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      SecurityGroupIds:
        - !Ref InstanceSG
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            Encrypted: true
```
This template secures the instance by requiring an existing key pair for SSH access, attaching a security group whose only inbound rule allows SSH from an explicitly allowed source range, and encrypting the root EBS volume.
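As an added example (not from the original page), a small checker for the four settings discussed above, run over templates in CloudFormation's JSON form. It assumes JSON input because the YAML form needs a loader that understands tags such as `!Ref`; the sample templates are constructed for this example.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def sg_findings(name, props):
    """Flag ingress rules that let the whole internet reach SSH (tcp/22)."""
    out = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        # IpProtocol -1 means every port; otherwise check the declared range.
        if cidr in OPEN_CIDRS and (str(rule.get("IpProtocol")) == "-1" or lo <= 22 <= hi):
            out.append(f"{name}: SSH (tcp/22) reachable from {cidr}")
    return out

def instance_findings(name, props):
    """Flag the instance-level gaps from the insecure template above."""
    out = []
    if not (props.get("SecurityGroupIds") or props.get("SecurityGroups")):
        out.append(f"{name}: no security group set (VPC default group applies)")
    if "KeyName" not in props:
        out.append(f"{name}: no key pair set")
    mappings = props.get("BlockDeviceMappings", [])
    if not mappings:
        out.append(f"{name}: no BlockDeviceMappings, encryption left to AMI/account default")
    for m in mappings:
        if "Ebs" in m and not m["Ebs"].get("Encrypted", False):
            out.append(f"{name}: unencrypted EBS volume on {m.get('DeviceName')}")
    return out

def check_template(template):
    """Return one finding per insecure setting in a parsed CloudFormation template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            findings += sg_findings(name, props)
        elif res.get("Type") == "AWS::EC2::Instance":
            findings += instance_findings(name, props)
    return findings
# Constructed sample: the page's insecure template in CloudFormation's JSON form.
INSECURE = json.loads('''{"Resources": {"InsecureInstance": {"Type": "AWS::EC2::Instance",
  "Properties": {"ImageId": "ami-0c94855ba95c574c8", "InstanceType": "t2.micro"}}}}''')
# Constructed sample: hardened template with SSH limited to a private range.
SECURE = json.loads('''{"Resources": {"InstanceSG": {"Type": "AWS::EC2::SecurityGroup",
  "Properties": {"GroupDescription": "SSH", "SecurityGroupIngress": [{"IpProtocol": "tcp",
  "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}}, "EC2Instance": {"Type": "AWS::EC2::Instance",
  "Properties": {"KeyName": {"Ref": "KeyName"}, "SecurityGroupIds": [{"Ref": "InstanceSG"}],
  "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"Encrypted": true}}]}}}}''')
```

`check_template(INSECURE)` reports the missing security group, key pair and encryption declaration; `check_template(SECURE)` returns no findings.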
Last updated
2025/04/04