Reduce attack surface

PostedNovember 28, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Computing resources such as EC2 instances and serverless functions are vital components of your workloads. Reducing the attack surface through diligent hardening strategies is essential to limit potential vectors for threats, ensuring that only necessary components and permissions are exposed.

Best Practices

Harden Operating Systems

Regularly apply security patches and updates to operating systems to fix vulnerabilities.
Configure firewalls to restrict incoming and outgoing traffic based on the principle of least privilege.
Disable unnecessary services, ports, and protocols on your operating systems.
Implement host-based intrusion detection systems to monitor and respond to malicious activities.

Minimize Unused Components

Identify and remove unused libraries, modules, and dependencies in your applications to reduce potential attack vectors.
Regularly audit your EC2 instances to ensure that only necessary software is installed.
Utilize container images that are specifically designed for security and are minimal in size to limit unnecessary services.
Consider using AWS Lambda layers only for libraries that are essential to your functions.

Follow Hardening Guides

Utilize hardening benchmarks from the Center for Internet Security (CIS) tailored for your operating systems and environments.
Review and implement recommendations from AWS security best practices and the AWS Well-Architected Tool.
Conduct periodic security assessments and compliance checks to ensure adherence to hardening guidelines.
Train your team on the importance of following best practices for security and the use of hardening guides.

Implement Access Controls

Use IAM roles and policies to control access to EC2 instances and other compute resources effectively.
Enable multi-factor authentication (MFA) for users with access to management consoles and critical resources.
Limit access to instance metadata service by configuring instance profile roles in AWS EC2.

Regularly Monitor and Audit Resources

Set up logging and monitoring for your compute resources to detect suspicious activities or configuration changes.
Utilize AWS-native tools like CloudTrail and CloudWatch for visibility into actions taken on your resources.
Perform regular audits on configurations and access permissions to identify areas for improvement and ensure compliance.

Questions to ask your team

Have you implemented a process for regularly patching and updating your operating systems on EC2 instances?
Are there any unused software components or packages on your compute resources that can be removed?
Do you follow any hardening guidelines, such as those from the Center for Internet Security, for your EC2 instances and containers?
How do you manage access controls and permissions for your compute resources to reduce the attack surface?
Are external libraries and dependencies regularly reviewed and assessed for security vulnerabilities?
Do you monitor and log access to your compute resources to detect any unauthorized access attempts?

Who should be doing this?

Cloud Security Architect

Design security architecture for compute resources in accordance with the AWS Well-Architected Framework.
Identify and recommend best practices for hardening operating systems and applications.
Assist in selecting minimal and necessary components and libraries to reduce the attack surface.
Stay updated on security trends and the latest hardening guides from recognized institutions.

DevOps Engineer

Implement security best practices in the development and deployment of compute resources.
Regularly review and update configurations to minimize unused components and dependencies.
Automate security hardening processes in CI/CD pipelines.
Collaborate with security teams to ensure compliance with hardening guidelines.

Security Compliance Officer

Monitor compliance with security policies and hardening standards.
Conduct audits and assessments of compute resources to identify security gaps.
Work with teams to implement corrective actions based on audit findings.
Provide training and resources related to security best practices and guidelines.

System Administrator

Manage and maintain compute resources’ security configurations.
Regularly patch and update operating systems and software to minimize vulnerabilities.
Monitor logs and security alerts for any unauthorized access attempts.
Assist in the implementation of security hardening measures across all systems.

What evidence shows this is happening in your organization?

Compute Resource Hardening Checklist: A comprehensive checklist to guide teams in hardening operating systems and minimizing components, libraries, and services used in EC2 instances and containerized environments.
AWS EC2 Security Best Practices Report: A detailed report documenting best practices for reducing the attack surface of EC2 instances, including specific recommendations for configuring security groups, IAM roles, and performing regular vulnerability assessments.
Application Dependency Management Guide: A guide that outlines strategies for managing and reducing external dependencies in applications, including adopting techniques like dependency scanning and threat modeling.
Security Hardening Playbook: A playbook that provides step-by-step instructions for hardening compute resources, including both manual actions and automated scripts to enhance security configurations.
Layered Security Strategy Diagram: A visual diagram illustrating the multi-layered defense strategy for protecting compute resources, highlighting areas of focus for reducing the attack surface.

Cloud Services

AWS

AWS Config: Monitors and records configuration changes to AWS resources, allowing you to assess compliance with your organization’s security policies.
Amazon Inspector: Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
AWS Systems Manager: Provides operational data from multiple AWS services to automate tasks across AWS resources, including hardening and patch management.
AWS Shield: Managed DDoS protection that safeguards applications running on AWS without requiring additional hardware or configuration.

Azure

Azure Security Center: Unified security management system that enhances visibility and control over the security of Azure workloads.
Azure Policy: Allows you to create, assign, and manage policies to enforce rules and effects over your resources, ensuring compliance and reducing unintended access.
Azure Defender: Provides advanced threat protection across your hybrid cloud workloads, helping to reduce the attack surface.

Google Cloud Platform

Google Cloud Armor: Provides defense against DDoS attacks and helps protect your applications from threats while reducing exposure.
Google Cloud Security Command Center: Provides security and risk management over your Google Cloud assets, helping to identify vulnerabilities and reduce the attack surface.
Google Kubernetes Engine (GKE) Autopilot: Includes best practices for security and operational tasks within Kubernetes, reducing management and potential exposure.

Question: How do you protect your compute resources?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals