April 9, 2018

AWS Security Insights: S3 and EC2

By William Welbes

What do our AWS Solutions Architects have to say about security on AWS?

Security is a top concern for any organization considering stepping into the cloud or for those already floating around in the cloud. Amazon puts a lot of energy and effort into designing and maintaining a cloud environment that is secure for a wide range of implementations.

We asked our AWS Certified Cloud Architects for some insight and considerations on security in AWS. Amazon's Simple Storage Service (S3) and Elastic Compute Cloud (EC2) are two of the most widely used AWS services. Ben Felda and Kyle Maloney gave us some great tips.

Ben Felda - AWS Certified Developer

S3 Buckets

The number one mistake I have seen companies make when it comes to security in AWS is trusting security by obfuscation in S3. This approach leaves all end-user-supplied documents (videos, pictures, etc.) stored in S3 open to the public. The user relies on the unique S3 document URLs to be secured by the hope that it is difficult to guess the URL of a different user's document.

An alternative approach is to use an application on your domain to proxy the documents from a secured S3 account. This will allow your application to fully control authorization for the document and apply the proper security credentials required by your locked-down S3 bucket. A downside to this approach is a cost increase, as your compute stack is now used to fetch each and every document. Your app will also incur additional latency with the request if your compute stack and S3 instances are in different regions.

The approach I recommend is to use signed URLs. Signed URLs enable S3 to validate that the URL was provided by your application within a time-box. It does not provide user authentication. Your app will still need to do this before providing the signed URL. When your application loads links to your S3 documents, signature and expiry-date query parameters are added to the URL. These parameters are then checked in S3 for validity.

Using a signed URL, your S3 account can be in a different region than your application, and the end user's browser will access S3 directly. Keep this in mind when learning how the URL will be used. If the end user plans on sharing the URL with others, the time-box needs to be long enough. If the URL is only going to be used when the end user loads the web page, then it can expire much sooner.
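The signed-URL mechanism Ben describes can be modelled end to end with nothing but the Python standard library. The block below is an added example, not Ben's code or Centare's: `presign_get` plays the application (it adds the `X-Amz-Date`, `X-Amz-Expires` and `X-Amz-Signature` parameters using AWS Signature Version 4 query-string signing, which is the scheme S3 presigned URLs use), and `verify_presigned_get` is a model of the checks S3 performs on the other side (time-box first, then recompute the signature with the secret that belongs to the access key named in the URL). The bucket name, object key, access key id and secret are constructed placeholders; the verifier is an educational model, not the service's implementation.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 presigned URLs cannot be valid for more than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    # SigV4 derives a per-day/region/service key; the secret itself never leaves the app
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return key


def _canonical_query(params: dict) -> str:
    # RFC 3986 encoding, sorted by name; the '/' in the credential scope becomes %2F
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _signature(secret_key: str, host: str, key: str, params: dict) -> str:
    """Signature over the canonical GET request; params must not contain X-Amz-Signature."""
    amz_date = params["X-Amz-Date"]
    region = params["X-Amz-Credential"].split("/")[2]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/"),   # object key, path-encoded
        _canonical_query(params),     # every X-Amz-* parameter, Expires included, is signed
        f"host:{host}\n",             # canonical headers block
        "host",                       # signed headers
        "UNSIGNED-PAYLOAD",           # presigned GETs do not hash a body
    ])
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                               hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    return hmac.new(_signing_key(secret_key, amz_date[:8], region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket, key, region, access_key, secret_key, expires_in, now):
    """Application side: a GET URL for s3://bucket/key valid for expires_in seconds from now."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(secret_key, host, key, params)
    return f"https://{host}/{quote(key, safe='/')}?{_canonical_query(params)}"


def verify_presigned_get(url, secret_key_for, now):
    """Model of the S3 side: reject if malformed, outside the time-box, or the signature differs."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", None)
    if presented is None or params.get("X-Amz-Algorithm") != ALGORITHM \
            or params.get("X-Amz-SignedHeaders") != "host":
        return False
    try:
        access_key, date, _region, service, terminal = params["X-Amz-Credential"].split("/")
        signed_at = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ") \
            .replace(tzinfo=dt.timezone.utc)
        expires_in = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if service != "s3" or terminal != "aws4_request" or date != params["X-Amz-Date"][:8] \
            or not 1 <= expires_in <= MAX_EXPIRES:
        return False
    if now > signed_at + dt.timedelta(seconds=expires_in):
        return False  # the time-box has closed; a valid signature no longer helps
    secret_key = secret_key_for(access_key)  # S3 looks the secret up by access key id
    if secret_key is None:
        return False
    expected = _signature(secret_key, parts.netloc, unquote(parts.path[1:]), params)
    return hmac.compare_digest(expected, presented)


def demo():
    """Sign one URL, then check it at different times and after tampering (constructed values)."""
    keys = {"AKIAEXAMPLEKEY000001": "example-secret-not-a-real-credential"}  # placeholder credential
    t0 = dt.datetime(2018, 4, 9, 12, 0, tzinfo=dt.timezone.utc)
    url = presign_get("user-uploads-example", "uploads/user-42/photo 1.jpg", "us-east-1",
                      "AKIAEXAMPLEKEY000001", keys["AKIAEXAMPLEKEY000001"], 3600, t0)
    check = lambda u, at, lookup=keys.get: verify_presigned_get(u, lookup, at)
    return {
        "url": url,
        "valid_within_window": check(url, t0 + dt.timedelta(minutes=30)),
        "rejected_after_expiry": check(url, t0 + dt.timedelta(minutes=61)),
        "rejected_other_users_key": check(url.replace("user-42", "user-43"), t0),
        "rejected_extended_expiry": check(url.replace("X-Amz-Expires=3600", "X-Amz-Expires=86400"), t0),
        "rejected_wrong_secret": check(url, t0, {"AKIAEXAMPLEKEY000001": "some-other-secret"}.get),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the demo makes concrete: because the object key and the expiry are both inside the signed canonical request, editing either one in the URL (pointing it at another user's key, or stretching the time-box) invalidates the signature; and the URL carries the access key id but never the secret, so the user's browser can fetch from S3 directly while only your application can mint new links. What the URL does not carry is any notion of who the user is, which is why the application must authenticate the user before handing it out. In production you would call `boto3`'s `generate_presigned_url` rather than implement SigV4 yourself; the point here is to see what it signs.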


Kyle Maloney - AWS Certified Solutions Architect

EC2 Instances

Cloud service providers like Amazon Web Services make it simple for users to spin up new virtual machines on demand, deploy an application, and move on to solve other business challenges.

While it's easy to get up and running with EC2, companies can easily become negligent when it comes to managing the operational security of their EC2 instances. After all, when you launch an EC2 instance from an AWS-supported Amazon Machine Image like Amazon Linux or Microsoft Windows Server, you receive a fully updated machine with the latest security patches applied. However, it is important to remember that after you launch an EC2 instance, the responsibility of securing that instance over its lifespan is entirely up to you.

A simple approach to securing the operating system and applications of your EC2 instances can involve configuring each Windows Server to use automatic updates or by writing a scheduled cron task to automatically apply patches. If you have fleets of EC2 instances across multiple AWS availability zones and regions, this approach can be difficult to scale without creating pre-configured Amazon Machine Images, which in turn creates additional management overhead.

A more robust approach would be to use a centralized management server like Microsoft Systems Configuration Manager, Puppet, or Chef. Fortunately, AWS users already have a tool at their disposal that can readily handle the automatic patching of EC2 (and even on-premise) instances: AWS Systems Manager Patch Manager.

Patch Manager is a free product available through the AWS console that can automatically scan managed instances for missing or outdated patches, then download and apply patches to entire fleets of EC2 instances. Aside from being a free product, Patch Manager is fully managed by AWS, freeing your teams from having to administer and maintain a centralized management server.

If you are concerned that your organization isn’t keeping your EC2 instances properly patched and secured, take a look at AWS Systems Manager Patch Manager. It’s a simple tool to ensure that your EC2 instances are up to date and protected from the latest vulnerabilities.
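Patch Manager records the outcome of every scan or install per instance, and that record is what answers Kyle's closing question ("is my organization keeping its EC2 instances patched?"). The block below is an added example, not Kyle's or Centare's code: it takes instance patch states shaped like the `InstancePatchStates` entries that `describe_instance_patch_states` returns in the Systems Manager API (the field names `MissingCount`, `FailedCount`, `InstalledPendingRebootCount`, `Operation`, `OperationEndTime` and `PatchGroup` are the real ones; the instance ids, counts and timestamps are constructed) and flags instances with missing or failed patches, patches awaiting a reboot, a stale last operation, or no report at all. The live call through `boto3` would be `ssm.describe_instance_patch_states(InstanceIds=[...])`, paged with `NextToken`; it is deliberately not made here so the example runs offline.

```python
import datetime as dt

NOW = dt.datetime(2018, 4, 9, 12, 0, tzinfo=dt.timezone.utc)

# Constructed sample shaped like the InstancePatchStates entries returned by
# ssm.describe_instance_patch_states(); only the fields this report uses are shown.
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa11111111111aa", "PatchGroup": "web", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": NOW - dt.timedelta(days=1)},
    {"InstanceId": "i-0bbb22222222222bb", "PatchGroup": "web", "Operation": "Install",
     "MissingCount": 3, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": NOW - dt.timedelta(days=2)},
    {"InstanceId": "i-0ccc33333333333cc", "PatchGroup": "db", "Operation": "Install",
     "MissingCount": 0, "FailedCount": 1, "InstalledPendingRebootCount": 2,
     "OperationEndTime": NOW - dt.timedelta(hours=6)},
    {"InstanceId": "i-0ddd44444444444dd", "PatchGroup": "db", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": NOW - dt.timedelta(days=20)},
]
# Every instance registered with Systems Manager (constructed). The last one has
# never produced a patch state, which a report built only from states would miss.
MANAGED_INSTANCE_IDS = [s["InstanceId"] for s in SAMPLE_PATCH_STATES] + ["i-0eee55555555555ee"]


def assess_patch_states(states, managed_instance_ids, now, max_scan_age_days=7):
    """Return {instance_id: [reasons]} for every managed instance that needs attention.

    An instance is flagged when its last Patch Manager operation left approved patches
    missing or failed, when installed patches still await a reboot, when its last scan
    or install is older than max_scan_age_days, or when it has never reported at all.
    """
    by_id = {s["InstanceId"]: s for s in states}
    findings = {}
    for instance_id in managed_instance_ids:
        state = by_id.get(instance_id)
        reasons = []
        if state is None:
            reasons.append("never reported a patch state")
        else:
            if state.get("MissingCount", 0):
                reasons.append(f"missing approved patches: {state['MissingCount']}")
            if state.get("FailedCount", 0):
                reasons.append(f"failed installs: {state['FailedCount']}")
            if state.get("InstalledPendingRebootCount", 0):
                reasons.append(f"installed but pending reboot: {state['InstalledPendingRebootCount']}")
            age = now - state["OperationEndTime"]
            if age > dt.timedelta(days=max_scan_age_days):
                reasons.append(f"last {state['Operation'].lower()} {age.days} days ago")
        if reasons:
            findings[instance_id] = reasons
    return findings


def summarize_by_patch_group(states, findings):
    """Flagged vs. total instances per patch group (instances with no state are not counted here)."""
    summary = {}
    for s in states:
        group = summary.setdefault(s.get("PatchGroup", "(none)"), {"instances": 0, "flagged": 0})
        group["instances"] += 1
        if s["InstanceId"] in findings:
            group["flagged"] += 1
    return summary


if __name__ == "__main__":
    findings = assess_patch_states(SAMPLE_PATCH_STATES, MANAGED_INSTANCE_IDS, NOW)
    for instance_id, reasons in findings.items():
        print(instance_id, "->", "; ".join(reasons))
    print(summarize_by_patch_group(SAMPLE_PATCH_STATES, findings))
```

The list of managed instance ids is passed in separately from the patch states on purpose: an instance that Patch Manager has never scanned has no state to be non-compliant about, so a report that iterates only over states would quietly report it as fine. A scheduled run of this kind of check, with the stale-scan threshold matched to your maintenance window cadence, is what turns "we use Patch Manager" into evidence that the fleet is actually current.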


Looking for some help integrating with AWS? Centare has a talented team of AWS certified professionals to help.

William Welbes - Developer

About William Welbes

Will is a Solutions Architect and consultant at Centare with a passion for building great software. With over 15 years of experience in software development, he has helped clients develop solutions across many different industries.