Blog | G5 Cyber Security

Secure EC2 Config Files

G5 Cyber Security

TL;DR

Keep your EC2 instance config files secure by using version control (Git), limiting file permissions, avoiding hardcoded secrets, and automating updates. Regularly back up your configurations.

1. Version Control with Git

Using Git is essential for tracking changes, collaborating, and rolling back if something goes wrong.

  1. Create a Repository: Set up a private Git repository (e.g., on GitHub, GitLab, Bitbucket) to store your configuration files.
  2. Commit Regularly: Commit changes frequently with descriptive messages. This helps you understand the history of your configurations.
  3. Branching Strategy: Use branches for new features or changes before merging them into the main branch (e.g., main or master).
git init
git add .
git commit -m "Initial commit of EC2 configs"
git remote add origin <your_repository_url>
git push -u origin main

2. Limit File Permissions

Restrict access to your config files to only the necessary users and processes.

  1. Ownership: Ensure the correct user owns the configuration files (usually root or a dedicated system user).
  2. Permissions: Set permissions so that only authorized users can read, write, or execute the files. A common approach is 600 for sensitive files and 644 for less sensitive ones.
sudo chown root:root /path/to/config_file
sudo chmod 600 /path/to/sensitive_config_file
sudo chmod 644 /path/to/less_sensitive_config_file

3. Avoid Hardcoded Secrets

Never store passwords, API keys, or other sensitive information directly in your config files.

  1. Environment Variables: Use environment variables to pass secrets to your applications at runtime.
  2. Secrets Management Services: Consider using a dedicated secrets management service like AWS Secrets Manager, HashiCorp Vault, or Cyber security key vaults.
  3. IAM Roles: For EC2 instances, use IAM roles to grant permissions to access other AWS services without storing credentials on the instance.

Example using environment variables in a bash script:

#!/bin/bash
DB_PASSWORD=$DB_PASSWORD
echo "Connecting to database with password: $DB_PASSWORD"

4. Automate Configuration Updates

Automating updates reduces the risk of manual errors and ensures consistency.

  1. Configuration Management Tools: Use tools like Ansible, Chef, Puppet, or SaltStack to manage your configurations automatically.
  2. Infrastructure as Code (IaC): Define your infrastructure using code (e.g., Terraform, CloudFormation) and automate the deployment process.
  3. Continuous Integration/Continuous Deployment (CI/CD): Integrate configuration updates into a CI/CD pipeline to ensure they are tested and deployed reliably.

5. Regular Backups

Back up your config files regularly to protect against data loss.

  1. Automated Backups: Schedule regular backups of your configuration files to a secure location (e.g., S3, another EC2 instance).
  2. Backup Retention Policy: Define a retention policy to determine how long backups should be stored.
  3. Test Restores: Regularly test restoring from backups to ensure they are working correctly.
Exit mobile version