How Halo Augments Amazon VPC Security

marc luo / 04.29.13

Amazon recently introduced a new platform to its users that combines the functionality of the popular Amazon EC2 platform (now renamed Amazon EC2-Classic) with the additional controls of Amazon VPC security – they call it simply Amazon EC2-VPC.  While this is an interesting development for Amazon customers, with implications across the IaaS market, it does warrant a reexamination of Amazon’s shared responsibility model and how it relates to the new EC2-VPC platform.


Amazon EC2-Classic gained popularity because it was so easy to use (all you need to get started is a credit card), and allowed users the flexibility to spin up environments on a whim.  However, some customers felt more comfortable using Amazon’s VPC platform, which has more built-in network security control than EC2’s Security Groups. VPC allows you to create a logically private network – you can create a VM that only has a private IP.  This lets you mimic a typical datacenter network structure in which servers are segregated by function (i.e., web servers, application servers and database servers).  In VPC, Security Groups can also include rules for outbound traffic.  You can also create Network Access Control Lists as a second layer of defense. Network ACLs let you define “allow” and “deny” rules, whereas with Security Groups a user can only define “allow” rules. The differences between Amazon EC2-Classic and Amazon EC2-VPC / Amazon VPC are outlined here.
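The difference between the two rule models, as an added example that is not from the original post or from AWS: a simplified Python model in which a Security Group holds allow rules only, while a Network ACL evaluates numbered allow/deny rules in ascending order and the first match decides. The rule sets, addresses and function names are constructed for illustration; protocol, statefulness and outbound rules are left out.

```python
import ipaddress

def sg_allows(sg_rules, src_ip, port):
    """Security Group: allow rules only. Any match permits; no match is an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr) and lo <= port <= hi
               for cidr, lo, hi in sg_rules)

def nacl_allows(nacl_rules, src_ip, port):
    """Network ACL: rules checked in ascending rule number; the first match decides."""
    ip = ipaddress.ip_address(src_ip)
    for _num, action, cidr, lo, hi in sorted(nacl_rules):
        if ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False  # nothing matched: default deny

def inbound_permitted(nacl_rules, sg_rules, src_ip, port):
    """Traffic must pass the subnet's Network ACL and then the instance's Security Group."""
    return nacl_allows(nacl_rules, src_ip, port) and sg_allows(sg_rules, src_ip, port)

# Constructed rule sets (documentation address ranges, hypothetical web tier).
SG_WEB = [("0.0.0.0/0", 443, 443), ("10.0.0.0/16", 22, 22)]
NACL_PUBLIC = [
    (100, "deny", "203.0.113.0/24", 0, 65535),   # block one range outright
    (200, "allow", "0.0.0.0/0", 443, 443),
    (210, "allow", "10.0.0.0/16", 22, 22),
]

if __name__ == "__main__":
    for src, port in [("203.0.113.7", 443), ("198.51.100.9", 443), ("10.0.1.5", 22)]:
        print(src, port, "SG alone:", sg_allows(SG_WEB, src, port),
              "NACL + SG:", inbound_permitted(NACL_PUBLIC, SG_WEB, src, port))
```

The Security Group on its own cannot carve 203.0.113.0/24 out of its 0.0.0.0/0 allow rule; only the lower-numbered deny rule in the Network ACL does that.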

Though VPC security features do offer more control over network access to cloud servers, network access control is not enough to call your cloud servers “secure”. In fact, Amazon outlines other considerations that customers must be aware of in its white paper describing security processes:

Moving IT infrastructure to AWS creates a shared responsibility model between the customer and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall… It is possible for you to enhance security and/or meet more stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, and encryption.

— (AWS Overview of Security Processes – pdf)

Put simply, AWS will handle security from the hypervisor down; this would include all the hardware and the datacenter.  You, as the Amazon user, are responsible for security from the Guest OS up.

[Figure: VPC Security Shared Responsibility]

Awareness of the shared responsibility for security is the first step. Many people just assume that, since they are buying a product from Amazon, security is built into the product. So where do you go from here? Since you have complete control over the Guest OS, it makes sense to add as many security measures as possible in the VM.

Securing via host-based firewalls is a first step.  One of the biggest advantages of using host-based firewalls in the cloud is that the traffic can be logged (logs are unavailable in Security Groups), so you have the ability to see what IP and what type of traffic is being denied and/or accepted.  The solution you choose should also have the ability to manage IPs dynamically, as VPC’s public IPs may change. Being able to group your servers logically into areas like Web Servers, Application Servers, and Database Servers and having the ability to apply the appropriate host firewall rules automatically as a server starts up into a group ensures communication between servers.

IDS is the next big step in securing your VPC servers. You want to be automatically informed if any vital files or settings have been modified either accidentally or maliciously. This would include any applications you are using like Apache, MySQL, Postgres, etc. Watching ownership of files, directories and what processes are running is an important piece of your security solution. Once you have set a baseline of what your system should look like, any unexpected deviation should be considered a breach of security.
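A minimal sketch of the baseline-and-deviation check described above, added here as an illustration and not taken from the original post or from Halo: it records the content hash, permission bits and ownership of each file, then reports anything that differs on a later scan. The file names and the scenario in demo() are constructed.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Record content hash, permission bits and ownership of each regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = {
                "sha256": digest, "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid, "gid": st.st_gid}
    return state

def compare(baseline, current):
    """Return (path, finding) for every deviation from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            findings += [(path, attr + " changed") for attr in ("sha256", "mode", "uid", "gid")
                         if baseline[path][attr] != current[path][attr]]
    return findings

def demo():
    """Constructed scenario: baseline two config files, then alter the tree and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("httpd.conf", "my.cnf"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("setting = original\n")
            os.chmod(os.path.join(root, name), 0o640)
        baseline = snapshot(root)
        with open(os.path.join(root, "httpd.conf"), "a") as fh:
            fh.write("setting = tampered\n")                  # content change
        os.chmod(os.path.join(root, "my.cnf"), 0o666)          # permission change
        with open(os.path.join(root, "cron.sh"), "w") as fh:   # file not in baseline
            fh.write("#!/bin/sh\n")
        return compare(baseline, snapshot(root))
```

In practice the baseline would be stored off the host it describes, so that whoever modifies the files cannot also rewrite the record they are compared against.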

Moving up in the stack, you need to be able to handle User Access Management. Auditing which user accounts exist, which have root access and which have passwords, and being able to add or remove accounts as required, is a must. Monitoring accounts is a fundamental step in ensuring that VPC servers are secure and unauthorized users don’t have access to your systems.
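The account audit described above, sketched as an added example (not code from the original post or from Halo) for a Linux guest: it reads passwd and shadow records and reports which accounts have UID 0, which can log in with a password, which have an empty password field, and which are missing from an approved list. The records, the APPROVED set and the function names are constructed for illustration.

```python
# Constructed sample data, not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
svc_backup:x:1002:1002::/home/svc_backup:/bin/sh
"""
SHADOW = """\
root:!:15820:0:99999:7:::
daemon:*:15820:0:99999:7:::
deploy:$6$constructedsalt$constructedhash:15820:0:99999:7:::
toor:$6$constructedsalt$constructedhash:15820:0:99999:7:::
svc_backup::15820:0:99999:7:::
"""
APPROVED = {"root", "daemon", "deploy"}  # hypothetical list of expected accounts

def parse(text):
    """Split colon-delimited passwd/shadow records, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def audit_accounts(passwd_text, shadow_text, approved):
    """Classify every passwd entry by privilege, password state and approval."""
    shadow = {fields[0]: fields[1] for fields in parse(shadow_text)}
    report = {"uid0": [], "password_login": [], "empty_password": [], "unapproved": []}
    for fields in parse(passwd_text):
        name, uid = fields[0], int(fields[2])
        pw = shadow.get(name, "!")      # no shadow entry: treated as locked here
        if uid == 0:
            report["uid0"].append(name)         # root-equivalent account
        if pw == "":
            report["empty_password"].append(name)   # no password required
        elif not pw.startswith(("!", "*")):
            report["password_login"].append(name)   # a password hash is set
        if name not in approved:
            report["unapproved"].append(name)
    return report

if __name__ == "__main__":
    for finding, names in audit_accounts(PASSWD, SHADOW, APPROVED).items():
        print(finding, names)
```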

As security holes are found in various applications, software scanning becomes a must-have. Closing these holes as patches become available minimizes the risk that your servers will be compromised. This all starts with being informed that the vulnerability exists.

Another thing to consider is how much CPU the solution is using to perform its scans. In AWS you are paying per hour for your Virtual Machine, so the resources that your security solution consumes become a financial concern. Traditional security solutions that are designed for the datacenter can consume a huge chunk of the machine’s processing power; however, in the datacenter there is minimal cost to eating up the CPU. In AWS the dollar amount can add up quickly.

Last, but perhaps most important, is automation. With the self-service nature of the cloud you need to make sure that security is baked into the Virtual Machine so that as environments are being spun up you do not have to worry if the VM is susceptible to attacks.

Moving to the Cloud provides many advantages, but requires a shift in thinking when it comes to security. The traditional datacenter approach, where you typically push security measures out to the perimeter, is no longer possible in the Cloud. As you can see, AWS EC2-VPC provides customers with some great security features, but by themselves they are not enough to protect your Cloud servers. You need to add security where you have broad control, and that is at the Guest OS level. When you look for the solution to secure your VPC you need to ask these questions to make sure you’re taking advantage of the Cloud:

  • Is the security automated?
  • Will the security scale?
  • Will the security solution be portable?
  • Will the security solution secure the different layers of the Virtual Machine?