- Encrypt all network communication;
- Use only encrypted file systems;
- Use strong encryption for every file you put on S3;
- Never let decryption keys enter the cloud, except for the decryption process itself;
- Apart from the key used to decrypt the file system, never put user authentication credentials in the AMI;
- Decrypt the user's file system at instance start-up;
- Never, ever use simple username/password authentication for shell access;
- Do not require a password for sudo access;
- Design your system so that your application does not depend on a particular AMI structure;
- Regularly pull full backups of your data out of the Amazon cloud and keep them securely elsewhere;
- Run only one service per EC2 instance;
- Open only the minimum ports required by the service on the instance;
- Specify source IP addresses when setting up your instance; open global access only for HTTP/HTTPS and the like;
- Keep sensitive and non-sensitive data in separate databases, and in separate security groups;
- The awkwardness of automated security: unreliable, but sometimes you still have to use it;
- Install a host-based intrusion detection system such as OSSEC;
- Make full use of system hardening tools such as Bastille Linux;
- If you suspect an intrusion, immediately back up the root file system, snapshot the block volumes, and shut down the instance. You can do the forensic investigation later on a system that has not been compromised;
- Design a process that can apply security patches to the AMI by simply restarting your instances;
- Above all: write secure web applications.
(Translated from Twenty Rules for Amazon Cloud Security)
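The rules above about opening only the minimum ports, specifying source addresses, and allowing global access only for global services such as HTTP/HTTPS can be checked mechanically. The following is an added example (not code from the original article or its author): it audits security-group ingress rules shaped like the `IpPermissions` part of an AWS `describe-security-groups` response. The group ids, CIDRs and ports are constructed for this illustration, and the set of ports that may be world-reachable (80 and 443) is an assumption of the example.

```python
"""Audit EC2 security-group ingress rules against the least-privilege rules
in the list above: only the minimum ports, source addresses specified,
and world-open access only for global services such as HTTP/HTTPS.

Added example, not from the original article. The input is shaped like the
IpPermissions part of an AWS describe-security-groups response, but the
groups, CIDRs and ports below are constructed for this illustration.
Only tcp/udp port rules and the "-1" (all protocols) case are handled.
"""
import ipaddress

# Assumption for this example: only these ports may be reachable from anywhere.
GLOBAL_OK_PORTS = {80, 443}
ANYWHERE = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

# Constructed sample groups (not real identifiers).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-example-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # SSH restricted to one administrative source address.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        ],
    },
    {
        "GroupId": "sg-example-db",
        "IpPermissions": [
            # Database port reachable from the whole Internet.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # "-1" means every protocol and every port.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            # A whole port range instead of the one port the service needs.
            {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        ],
    },
]


def _sources(perm):
    """Yield every CIDR (v4 and v6) a permission entry allows."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def audit_group(group, global_ok=GLOBAL_OK_PORTS, max_span=1):
    """Return (group_id, finding, source_cidr) triples for one security group.

    Findings: 'all-protocols' (IpProtocol -1), 'wide-range:lo-hi' (more than
    max_span ports in one rule), 'world-open:proto/port' (0.0.0.0/0 or ::/0
    on a port that is not in global_ok).
    """
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        for cidr in _sources(perm):
            if proto == "-1":
                findings.append((gid, "all-protocols", str(cidr)))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if hi - lo + 1 > max_span:
                findings.append((gid, f"wide-range:{lo}-{hi}", str(cidr)))
            if cidr in ANYWHERE and not (lo == hi and lo in global_ok):
                findings.append((gid, f"world-open:{proto}/{lo}", str(cidr)))
    return findings


def audit_all(groups):
    """Map each group id to its findings; groups with none are omitted."""
    result = {}
    for g in groups:
        f = audit_group(g)
        if f:
            result[g["GroupId"]] = f
    return result


if __name__ == "__main__":
    for gid, findings in audit_all(SAMPLE_GROUPS).items():
        for _, what, src in findings:
            print(f"{gid}: {what} from {src}")
```

Run against the constructed input, the web group produces no findings, while the database group is flagged three times: the database port open to the world, an all-protocols rule, and a rule spanning the whole ephemeral port range. With `boto3` the same function can be fed the real `SecurityGroups` list from `describe_security_groups()` without changes.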
- Encrypt all network traffic.
- Use only encrypted file systems for block devices and non-root local devices.
- Encrypt everything you put in S3 using strong encryption.
- Never allow decryption keys to enter the cloud—unless and only for the duration of an actual decryption activity.
- Include NO authentication credentials in your AMIs except a key for decrypting the file system key.
- Pass in your file system key encrypted at instance start-up.
- Do not allow password-based authentication for shell access. Ever.
- Do not require passwords for sudo access.
- Design your systems so that you do not rely on a particular AMI structure for your application to function.
- Regularly pull full backups out of Amazon and store them securely elsewhere.
- Run only one service per EC2 instance.
- Open only the minimum ports necessary to support the services on an instance.
- Specify source addresses when setting up your instance; only allow global access for global services like HTTP/HTTPS.
- Segment out sensitive data from non-sensitive data into separate databases in separate security groups when hosting an application with highly sensitive data.
- Automate your security embarrassments.
- Install a host-based intrusion detection system like OSSEC.
- Leverage system hardening tools like Bastille Linux.
- If you suspect a compromise, backup the root file system, snapshot your block volumes, and shut down the instance. You can perform forensics on an uncompromised system later.
- Design things so you can roll out a security patch to an AMI and simply relaunch your instances.
- Above all else, write secure web applications.
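The two shell-access rules above (no password-based SSH authentication, and no password prompt for sudo) are easy to state and easy to get subtly wrong in the configuration files. The following is an added example, not code from the original article or its author: it checks an `sshd_config` and a `sudoers` text against those two rules. Both config texts are constructed for this illustration. The one fact the check depends on is that sshd keeps the first value it sees for a keyword, so a hardening line appended at the bottom of the file does not override an earlier `PasswordAuthentication yes`; the example also treats `Match` blocks separately, since a block can re-enable password logins for one user.

```python
"""Check sshd_config and sudoers text against the two shell-access rules above:
no password-based SSH authentication, and no password prompt for sudo.

Added example, not from the original article. The two config texts below
are constructed for this illustration.
"""
import re

SSHD_CONFIG = """\
# Constructed sshd_config sample
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin without-password
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication yes
"""

SUDOERS = """\
# Constructed sudoers sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL
%ops ALL=(ALL) ALL
"""


def parse_sshd_config(text):
    """Return (top_level, match_blocks).

    sshd uses the FIRST value it obtains for a keyword, so the parser keeps
    the first value and ignores later repeats. Everything after a 'Match'
    line belongs to that block and is collected separately.
    """
    top, blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            current = {"criteria": value, "directives": {}}
            blocks.append(current)
            continue
        target = top if current is None else current["directives"]
        target.setdefault(key, value)  # first value wins
    return top, blocks


def audit_sshd(text):
    """Return a list of findings that violate 'no password authentication'."""
    top, blocks = parse_sshd_config(text)
    findings = []
    # sshd's compiled-in default is 'yes', so an absent keyword counts as yes.
    pa = top.get("passwordauthentication", "yes")
    if pa != "no":
        findings.append(
            f"PasswordAuthentication is '{pa}' at top level "
            "(sshd keeps the first value it sees, so a later 'no' is ignored)")
    # Keyboard-interactive / challenge-response is a second password path.
    kbd = top.get("kbdinteractiveauthentication",
                  top.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append(f"keyboard-interactive authentication is '{kbd}', "
                        "which still permits password prompts")
    if top.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes; prefer prohibit-password so "
                        "root can only log in with a key")
    for block in blocks:
        if block["directives"].get("passwordauthentication") == "yes":
            findings.append(f"Match {block['criteria']} re-enables "
                            "PasswordAuthentication")
    return findings


# user host=(runas) commands   (runas part optional)
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(\([^)]*\)\s*)?(?P<cmds>.+)$")


def audit_sudoers(text):
    """Return the user specifications that would prompt for a password.

    'root' is skipped: it does not need sudo. Defaults lines are not parsed.
    """
    needs_password = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        if "NOPASSWD:" not in m.group("cmds"):
            needs_password.append(line)
    return needs_password


if __name__ == "__main__":
    for f in audit_sshd(SSHD_CONFIG):
        print("sshd:", f)
    for spec in audit_sudoers(SUDOERS):
        print("sudoers: password required by:", spec)
```

On the constructed input the check reports two sshd findings (the top-level `yes` that wins over the later `no`, and the `Match User deploy` block) and one sudoers specification (`%ops`) that still asks for a password. The same two functions can be run over the real `/etc/ssh/sshd_config` and `/etc/sudoers` contents on an instance, or over the files baked into an AMI before it is published.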