SEC06-BP02 Reduce attack surface
Reduce your exposure to unintended access by hardening operating systems and minimizing the components, libraries, and externally consumable services in use. Start by reducing unused components, whether they are operating system packages or applications, for Amazon Elastic Compute Cloud (Amazon EC2)-based workloads, or external software modules in your code, for all workloads. You can find many hardening and security configuration guides for common operating systems and server software. For example, you can start with the Center for Internet Security
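As an added illustration (not text or code from the AWS page), the following POSIX shell script shows one way to find the unused-component candidates the paragraph describes: it compares the packages installed on an instance against a minimal baseline for the workload and lists the extras, which are the packages to remove or to justify in a review. The baseline, the "installed" list and the function names are constructed for this example; on a real host the installed list would come from the package manager, as noted in the comments.

```shell
#!/bin/sh
# Added example: compare installed packages against a minimal baseline.
# Inputs are constructed so the script runs offline. On a real instance the
# installed list would come from
#   dpkg-query -W -f='${Package}\n'      (Debian/Ubuntu)
#   rpm -qa --qf '%{NAME}\n'             (Amazon Linux / RHEL)

# Constructed baseline: the packages this workload is allowed to carry.
BASELINE='bash
coreutils
openssh-server
nginx
ca-certificates'

# Constructed "installed" list, as a package-manager query might return it.
INSTALLED='bash
coreutils
openssh-server
nginx
ca-certificates
telnet
gcc
tcpdump'

# extra_packages BASELINE INSTALLED
# Prints, sorted and de-duplicated, every installed package that is not in
# the baseline. Each argument is a newline-separated list of package names.
# Lines are tagged B/E before awk so one pass can build the baseline set and
# then filter the installed list without temporary files.
extra_packages() {
    {
        printf '%s\n' "$1" | sed 's/^/B /'
        printf '%s\n' "$2" | sed 's/^/I /'
    } | awk '
        $1 == "B" && $2 != "" { base[$2] = 1; next }
        $1 == "I" && $2 != "" && !($2 in base) && !seen[$2]++ { print $2 }
    ' | sort
}

# extra_count BASELINE INSTALLED
# Number of extra packages; 0 means the host matches its baseline.
extra_count() {
    extra_packages "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: report the drift from the baseline.
echo "Packages installed but not in baseline:"
extra_packages "$BASELINE" "$INSTALLED"
echo "Total: $(extra_count "$BASELINE" "$INSTALLED")"
```

Run the same function in a build pipeline against a freshly built image and fail the build when the count is non-zero, so that drift from the baseline is caught before the image reaches production.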
In Amazon EC2, you can create your own Amazon Machine Images (AMIs), which you have patched and hardened, to help you meet the specific security requirements for your organization. The patches and other security controls you apply to the AMI are effective at the point in time at which the image was created—they are not dynamic unless you modify the instance after launch, for example, with AWS Systems Manager.
You can simplify the process of building secure AMIs with EC2 Image Builder. EC2 Image Builder significantly reduces the effort required to create and maintain golden images without writing and maintaining automation. When software updates become available, Image Builder automatically produces a new image without requiring users to manually initiate image builds. EC2 Image Builder allows you to easily validate the functionality and security of your images before using them in production with AWS-provided tests and your own tests. You can also apply AWS-provided security settings to further secure your images to meet internal security criteria. For example, you can produce images that conform to the Security Technical Implementation Guide (STIG) standard using AWS-provided templates.
Using third-party static code analysis tools, you can identify common security issues such as unchecked function input bounds, as well as applicable common vulnerabilities and exposures (CVEs). You can use Amazon CodeGuru
Using Amazon Inspector, you can perform configuration assessments against your instances for known CVEs, assess against security benchmarks, and automate the notification of defects. Amazon Inspector runs on production instances or in a build pipeline, and it notifies developers and engineers when findings are present. You can access findings programmatically and direct your team to backlogs and bug-tracking systems. EC2 Image Builder
While Amazon Inspector and other tools are effective at identifying configurations and any CVEs that are present, other methods are required to test your workload at the application level. Fuzzing
Level of risk exposed if this best practice is not established: High
Implementation guidance
- Harden operating system: Configure operating systems to meet best practices.
- Harden containerized resources: Configure containerized resources to meet security best practices.
- Implement AWS Lambda best practices.
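As an added example (not AWS's own guidance or code), the POSIX shell script below audits an operating-system configuration file against a hardening baseline and reports each setting as PASS, FAIL or MISSING, using sshd_config as the subject because its "Keyword value" format is typical of the files such guides cover. The sample configuration, the baseline values and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: check a "Keyword value" style configuration against a
# hardening baseline. sshd_config is used as the subject; the sample
# configuration and baseline values are constructed, not taken from any guide.

# Constructed sshd_config fragment: two weak settings and one absent setting.
SSHD_CONFIG='# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
'

# Constructed hardening baseline, one "Keyword expected-value" per line.
SSHD_BASELINE='PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4'

# audit_config CONFIG BASELINE
# Prints one line per baseline keyword:
#   PASS    <Keyword> <value>
#   FAIL    <Keyword> found=<value> expected=<value>
#   MISSING <Keyword> expected=<value>
# Keywords are compared case-insensitively and, as sshd does, the first
# occurrence of a keyword in the configuration wins. Blank lines and
# comment lines are ignored.
audit_config() {
    {
        printf '%s\n' "$1" | sed 's/^/C /'
        printf '%s\n' "$2" | sed 's/^/E /'
    } | awk '
        $1 == "C" {
            if ($2 == "" || substr($2, 1, 1) == "#") next
            key = tolower($2)
            if (!(key in val)) val[key] = $3
            next
        }
        $1 == "E" && $2 != "" {
            key = tolower($2)
            if (!(key in val))       print "MISSING", $2, "expected=" $3
            else if (val[key] == $3) print "PASS", $2, val[key]
            else                     print "FAIL", $2, "found=" val[key], "expected=" $3
        }
    '
}

# audit_failures CONFIG BASELINE
# Number of settings that are not PASS; 0 means the file meets the baseline.
audit_failures() {
    audit_config "$1" "$2" | awk '!/^PASS/ { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
audit_config "$SSHD_CONFIG" "$SSHD_BASELINE"
echo "Deviations: $(audit_failures "$SSHD_CONFIG" "$SSHD_BASELINE")"
```

On a live host, feeding the effective configuration from `sshd -T` to `audit_config` instead of the raw file also catches settings that are only left at their defaults, which is what the MISSING case flags here. The same pattern applies to any whitespace-separated key/value file a hardening guide specifies values for; run it as one of the image validation tests before an AMI is promoted.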