Securing EC2 Instances

By admin@oculuscyber.com

October 11, 2025


A single misconfigured instance can expose your environment to attacks, credential leaks, or crypto-mining malware. This guide walks you through how to secure EC2 instances from the ground up, using AWS-native tools and real-world best practices.

1. Lock the Perimeter — Network-Level Security

Security Groups (SGs) are your first line of defense.

  • Treat SGs like host firewalls.
    # Allow SSH only from your corporate IP
    aws ec2 authorize-security-group-ingress \
      --group-id sg-123456 \
      --protocol tcp --port 22 \
      --cidr 203.0.113.4/32
    
    Never allow 0.0.0.0/0 on SSH (22) or RDP (3389). Use AWS Systems Manager Session Manager instead of public SSH whenever possible.

Network ACLs (NACLs) add subnet-level protection. They are stateless, so keep them simple and restrictive, especially for public subnets.

2. Guard the Keys — Identity and Access Control

Misused IAM permissions cause more breaches than malware.

  • Always use IAM roles for applications running on EC2 instead of static credentials.
    aws iam create-role --role-name AppEC2Role \
      --assume-role-policy-document file://trust.json
    
  • Enforce Instance Metadata Service v2 (IMDSv2) to stop SSRF-based credential theft; once tokens are required, callers must obtain a session token before reading metadata:
    # Require IMDSv2 on the instance (placeholder instance ID); plain IMDSv1 GETs are then rejected
    aws ec2 modify-instance-metadata-options --instance-id i-123456 --http-tokens required
    curl -X PUT "http://169.254.169.254/latest/api/token" \
         -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
    
  • Apply least privilege — give instances only the permissions they need.

3. Keep It Patched and Hardened

An unpatched instance is an open door.

  • Enable automatic patching with AWS Systems Manager Patch Manager, starting with a patch baseline that auto-approves security updates (attach it to a patch group and a maintenance window to run the installs):
    aws ssm create-patch-baseline --name "LinuxSecurityBaseline" \
      --operating-system AMAZON_LINUX_2 \
      --approval-rules '{"PatchRules":[{"PatchFilterGroup":{"PatchFilters":[{"Key":"CLASSIFICATION","Values":["Security"]}]},"ApproveAfterDays":0}]}'
    
  • Disable unused services (FTP, Telnet) and close unnecessary ports.
  • Regularly update base images before deployment.

Example: If a new OpenSSL vulnerability is discovered, SSM Patch Manager can automatically patch all EC2 instances tagged Environment=Prod within hours — no manual SSH needed.

4. Protect Data — Encryption and Access Logging

  • Encrypt EBS volumes at launch (and turn on account-wide EBS encryption by default so new volumes are encrypted even when the mapping is omitted):
    aws ec2 run-instances \
      --image-id ami-123456 \
      --instance-type t3.micro \
      --block-device-mappings '[{"DeviceName":"/dev/xvda","Ebs":{"Encrypted":true}}]'
    
  • Enforce KMS CMKs for full control of key rotation and access.
  • Use CloudTrail to log every API action — who started, stopped, or terminated instances.
  • Enable VPC Flow Logs to analyze inbound/outbound traffic for anomalies.

Example: A compromised instance making outbound requests to unfamiliar IPs can be detected in Flow Logs and investigated via GuardDuty.

5. Monitor and Automate Detection

Security without visibility is blind.

  • Amazon GuardDuty: Detects EC2 compromise indicators like crypto-mining or port scanning.
  • AWS Security Hub: Centralizes findings from GuardDuty, Inspector, and Config.
  • EventBridge + Lambda: Automate response. For example, if GuardDuty reports "EC2 instance communicating with known malicious IP," EventBridge can trigger a Lambda function to:
    • Quarantine the instance by replacing its security groups with an isolation group that permits no traffic.
    • Notify the SOC team via SNS.
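The quarantine flow above, as an added Python Lambda handler (example code, not from the original post): it reads the GuardDuty finding forwarded by EventBridge, swaps the instance's security groups for a pre-created isolation group, and alerts the SOC via SNS. The names ISOLATION_SG, SNS_TOPIC_ARN and the severity threshold are assumptions, and the boto3 clients are passed in so the logic can be exercised with test doubles.

```python
import json
import os

# Hypothetical handler for the EventBridge -> Lambda quarantine flow described above.
# ISOLATION_SG must already exist with no inbound or outbound rules (placeholder ID).
ISOLATION_SG = os.environ.get("ISOLATION_SG", "sg-isolation-placeholder")
SNS_TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN", "arn:aws:sns:us-east-1:111122223333:soc-alerts")
MIN_SEVERITY = 7.0  # GuardDuty "High" (7.0+) findings trigger quarantine; lower ones go to analyst triage


def extract_instance(event):
    """Return (instance_id, finding_type, severity) from a GuardDuty finding event,
    or None when the finding does not concern an EC2 instance."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return None
    return instance_id, detail.get("type", "unknown"), float(detail.get("severity", 0))


def quarantine_instance(ec2, sns, event):
    """Swap the instance's security groups for the isolation group and alert the SOC.
    ec2 and sns are boto3 clients (or test doubles); returns a summary dict."""
    parsed = extract_instance(event)
    if parsed is None:
        return {"action": "ignored", "reason": "not an EC2 instance finding"}
    instance_id, finding_type, severity = parsed
    if severity < MIN_SEVERITY:
        return {"action": "ignored", "reason": f"severity {severity} below threshold"}
    # Record the original groups so the instance can be restored after investigation
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    original = [g["GroupId"] for r in reservations for i in r["Instances"]
                for g in i["SecurityGroups"]]
    # Replace, do not remove: an instance's network interface must always carry at least one group
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[ISOLATION_SG])
    message = {"instance": instance_id, "finding": finding_type,
               "severity": severity, "original_groups": original}
    sns.publish(TopicArn=SNS_TOPIC_ARN, Subject=f"Quarantined {instance_id}",
                Message=json.dumps(message))
    return {"action": "quarantined", **message}


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported here so tests can inject doubles
    return quarantine_instance(boto3.client("ec2"), boto3.client("sns"), event)
```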

6. Least Privilege Networking

Use VPC design as a control mechanism:

  • Place sensitive workloads in private subnets with no direct internet access.
  • Route outbound traffic via NAT Gateway or VPC Endpoint.
  • Use Network Firewall for egress filtering.

Example: Does your EC2 instance need the internet only to reach SSM? Configure a VPC Endpoint for SSM — no public IPs needed.

7. Continuous Compliance and Auditing

  • Use AWS Config Rules to enforce policies like:
    • "EC2 instances must use encrypted volumes."
    • "No public IPs in production VPCs."
  • Automate remediation (the parameter takes a list; Automatic plus the retry settings are what make the fix run without a human, and the SSM document's own Parameters, such as its automation role, must also be supplied):
    aws configservice put-remediation-configurations \
      --remediation-configurations '[{
        "ConfigRuleName":"encrypted-volumes",
        "TargetType":"SSM_DOCUMENT",
        "TargetId":"AWSConfigRemediation-EncryptEBSVolume",
        "Automatic":true,
        "MaximumAutomaticAttempts":3,
        "RetryAttemptSeconds":60
      }]'
    

Result: Every new EC2 instance launched without encryption is auto-fixed — no human intervention.

8. Final Checklist

Category     Best Practice
Network      Restrict ports, use SGs + NACLs
Access       IAM roles only, IMDSv2 enabled
System       Patch OS via SSM, disable unused services
Data         Encrypt EBS + snapshots with KMS
Monitoring   Enable GuardDuty, CloudTrail, Flow Logs
Automation   Use Config + EventBridge for remediation

Conclusion

Securing EC2 instances is not a one-time setup — it's a continuous process of hardening, monitoring, and automating. By starting from the network layer and working upward through IAM, patching, encryption, and detection, you can build a resilient EC2 environment that stays secure even as it scales.