Configuration management in Amazon EC2
Amazon Machine Images (AMIs) provide an initial configuration for an Amazon EC2 instance, which includes the Windows OS and optional customer-specific customizations, such as applications and security controls. Create an AMI catalog containing customized security configuration baselines to ensure all Windows instances are launched with standard security controls. Security baselines can be baked into an AMI, bootstrapped dynamically when an EC2 instance is launched, or packaged as a product for uniform distribution through AWS Service Catalog portfolios. For more information on securing an AMI, see Best Practices for Building an AMI.
Each Amazon EC2 instance should adhere to organizational security standards. Do not install any Windows roles and features that are not required, and do install software that protects against malicious code (antivirus, antimalware, exploit mitigation), monitors host integrity, and performs intrusion detection. Configure security software to monitor and maintain OS security settings, protect the integrity of critical OS files, and alert on deviations from the security baseline. Consider implementing recommended security configuration benchmarks published by Microsoft, the Center for Internet Security (CIS), or the National Institute of Standards and Technology (NIST). Consider using other Microsoft tools for particular application servers, such as the Best Practice Analyzer for SQL Server.
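The following script is an added example of the "bootstrap at launch" option described above; it is not code from the whitepaper or from AWS. It shows what a minimal baseline enforcement pass looks like when run once from EC2 user data (inside `<powershell>...</powershell>` tags) or from a Systems Manager Run Command document: it removes roles and features the baseline forbids, makes sure Windows Defender and system-wide exploit mitigations are on, checks the SHA-256 of a few critical OS files against a manifest baked into the AMI, and raises an Application event-log entry on any deviation. The feature list, the file list, the manifest path and the event source name are assumptions chosen for illustration; it requires Windows Server (for the ServerManager module), Windows Defender and an elevated session.

```powershell
# Added example, not from the original whitepaper: a launch-time bootstrap
# that enforces a hypothetical Windows Server security baseline.
# Runs from EC2 user data (<powershell>...</powershell>) or SSM Run Command.
# Needs the ServerManager module (Windows Server), Windows Defender and an
# elevated session. All lists and paths below are assumptions, not AWS guidance.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Roles/features that must not exist on this instance class (assumed baseline).
$ForbiddenFeatures = @('FS-SMB1', 'Telnet-Client', 'Web-Ftp-Server', 'PowerShell-V2')
# OS files whose SHA-256 is pinned at AMI build time (assumed list and path).
$CriticalFiles = @("$env:SystemRoot\System32\drivers\etc\hosts",
                   "$env:SystemRoot\System32\lsass.exe")
$ManifestPath  = 'C:\ProgramData\Baseline\hashes.json'
$EventSource   = 'SecurityBaseline'

function Remove-ForbiddenFeature {
    # Uninstall any forbidden role/feature that is present and report each one.
    param([string[]]$Names)
    $findings = @()
    $present = Get-WindowsFeature -Name $Names -ErrorAction SilentlyContinue |
               Where-Object { $_.Installed }
    foreach ($f in $present) {
        Uninstall-WindowsFeature -Name $f.Name | Out-Null
        $findings += "Removed forbidden feature: $($f.Name)"
    }
    return $findings
}

function Repair-AntimalwareState {
    # Defender must be running real-time protection with fresh signatures.
    $findings = @()
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        Set-MpPreference -DisableRealtimeMonitoring $false
        $findings += 'Real-time protection was off; re-enabled'
    }
    if ($status.AntivirusSignatureAge -gt 3) {
        Update-MpSignature
        $findings += "Signatures were $($status.AntivirusSignatureAge) days old; updated"
    }
    return $findings
}

function Repair-ExploitMitigation {
    # System-wide DEP and SEHOP are part of the assumed baseline.
    $findings = @()
    $sys = Get-ProcessMitigation -System
    foreach ($m in 'DEP', 'SEHOP') {
        if ($sys.$m.Enable -ne 'ON') {
            Set-ProcessMitigation -System -Enable $m
            $findings += "System mitigation $m was not ON; enabled"
        }
    }
    return $findings
}

function Test-CriticalFileIntegrity {
    # Compare SHA-256 of critical files with the manifest baked into the AMI.
    # On the image-build pass (no manifest yet) the manifest is created instead.
    param([string[]]$Paths, [string]$Manifest)
    $current = @{}
    foreach ($p in $Paths) { $current[$p] = (Get-FileHash -Algorithm SHA256 -Path $p).Hash }
    if (-not (Test-Path $Manifest)) {
        New-Item -ItemType Directory -Force -Path (Split-Path $Manifest) | Out-Null
        $current | ConvertTo-Json | Set-Content -Path $Manifest
        Write-Output "Created hash manifest $Manifest (image build pass)"
        return @()
    }
    $expected = Get-Content -Path $Manifest -Raw | ConvertFrom-Json
    $findings = @()
    foreach ($p in $Paths) {
        if ($expected.$p -ne $current[$p]) { $findings += "Hash mismatch on critical file: $p" }
    }
    return $findings
}

function Write-BaselineAlert {
    # Surface deviations in the Application log so host monitoring can pick them up.
    param([string[]]$Findings)
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $msg  = if ($Findings) { $Findings -join "`n" } else { 'Instance matches security baseline' }
    $type = if ($Findings) { 'Warning' } else { 'Information' }
    Write-EventLog -LogName Application -Source $EventSource -EventId 4000 -EntryType $type -Message $msg
}

$all = @()
$all += Remove-ForbiddenFeature -Names $ForbiddenFeatures
$all += Repair-AntimalwareState
$all += Repair-ExploitMitigation
$all += Test-CriticalFileIntegrity -Paths $CriticalFiles -Manifest $ManifestPath
Write-BaselineAlert -Findings $all
$all
# Non-zero exit lets the launch pipeline or SSM mark the instance as non-compliant.
exit ([int]($all.Count -gt 0))
```

Two caveats when adapting this: pin only files that Windows Update does not replace, or regenerate the manifest as the last step of every AMI build so that a patched `lsass.exe` is not reported as tampering; and run the same script on a schedule (for example, an SSM State Manager association) rather than only at launch, since a one-time bootstrap catches drift from the image but not drift that happens afterwards.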
AWS customers can also run Amazon Inspector assessments to improve the security and compliance of applications deployed on Amazon EC2 instances. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices and includes a knowledge base of hundreds of rules mapped to common security compliance standards (for example, PCI DSS) and vulnerability definitions. Examples of built-in rules include checking if remote root login is enabled, or if vulnerable software versions are installed. These rules are regularly updated by AWS security researchers.