Learn About Amazon VGT2 Learning Manager Chanci Turner
Many Amazon Web Services (AWS) customers operating in regulated environments, including the U.S. Department of Defense (DoD), face challenges in obtaining the security approvals necessary to leverage the scaling capabilities of Amazon Elastic Compute Cloud (Amazon EC2) through its Auto Scaling features. These challenges often stem from the need for meticulous configuration management, a comprehensive asset inventory, integration with third-party security tools, and the requisite agency authorization documentation.
AWS Auto Scaling empowers customers to optimize their return on investment (ROI) following migration to AWS. This feature allows users to reduce costs during periods of low system demand while also scaling resources dynamically to accommodate peak usage.
The process of Amazon EC2 Auto Scaling involves adding and removing instances from the customer’s virtual private cloud (VPC) network. This fundamental concept is not unfamiliar to the DoD, as it parallels the management of end-user compute devices, virtual desktop services, and Citrix-based application delivery. The critical aspect for ensuring security and compliance lies in thorough documentation and the safeguarding of the baseline template employed.
This article outlines recommended best practices for implementing EC2 Auto Scaling within DoD environments.
Essential Auto Scaling Terminology
- Amazon Machine Image (AMI): This is a preconfigured image that includes the chosen operating system and the necessary information for launching an instance. Users may rely on AMIs maintained by Amazon or create and manage their own, often incorporating custom software.
- Auto Scaling launch template: This template defines the type of Amazon EC2 instance that the Auto Scaling group will create. It encompasses the AMI, instance type, key pair, and security groups assigned to any launched instance.
- Auto Scaling group: This is a logical collection of Amazon EC2 instances managed for the purpose of automatic scaling. Within this group, users establish parameters such as launch templates, scaling policies, health checks, and the chosen Amazon EC2 purchase type (e.g., On-Demand or Spot).
Documenting Auto Scaling for Authorization
DoD customers must meticulously document their system configurations and demonstrate compliance with security requirements in a system authorization reviewed by an authorizing official (AO). AWS advises that customers compile a document as part of their overall Authority to Operate (ATO) package that addresses the following topics regarding the use of Auto Scaling groups:
- Securing the base template
- Network scans for Auto Scaling
- Host-based security for Auto Scaling
This post presents best practices for documenting the use of Auto Scaling to the AO, ensuring a compliant deployment. Defining the scope and location of Amazon EC2 Auto Scaling usage is best represented within the authorization boundary diagram. A best practice includes ensuring that the diagram illustrates, at a minimum:
- Clear depiction of subnets containing the scaling resources
- Availability Zones where Auto Scaling can deploy
- Security groups assigned to the Auto Scaling group
- Network access control lists (ACLs) linked to the relevant subnets
- Load balancer (typically Application Load Balancer) in front of the Auto Scaling group
- Permitted ports through both security groups and network ACLs
- A note within the diagram detailing the use of Auto Scaling and the variable number of instances
The following is an example diagram representing Auto Scaling usage.
Figure 1. Example architecture diagram for using Auto Scaling.
In the above architecture diagram, Auto Scaling Group 1 is responsible for scaling compute resources within Subnet A and Subnet B. Two instances are illustrated for clarity, but the actual number will vary with resource demand. All instances are launched automatically from a secure template and are identical. Only instances deployed through the Auto Scaling group configuration will enter the Subnet A and Subnet B networks, which are designated for dedicated network scanning.
In addition to authorization boundary diagrams, Mission Owners are often tasked with compiling a static hardware/software list that maps machine hostnames to their corresponding network IP addresses. When employing Auto Scaling, a recommended approach is to list the Auto Scaling group name as the asset and the CIDR ranges of its subnets in place of a single IP address.
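As an added example (not code from the original post or from AWS), the following Python builds the asset-inventory rows described above, naming each Auto Scaling group as the asset and listing the CIDR ranges of the subnets it can launch into, from data in the shape of the boto3 describe_auto_scaling_groups and describe_subnets responses; the group name, subnet IDs, CIDRs and template ID are constructed sample values.

```python
"""Asset-inventory rows for Auto Scaling groups, as an ATO hardware/software
list wants them: the group is the asset, the subnet CIDRs are its "IP", and
the capacity bounds show how many instances may exist. Inputs follow the
shape of boto3's describe_auto_scaling_groups()["AutoScalingGroups"] and
describe_subnets()["Subnets"]; the sample data below is constructed."""

def asset_inventory(asgs, subnets):
    """Map every Auto Scaling group to the IP ranges it can occupy."""
    cidr_by_subnet = {s["SubnetId"]: s["CidrBlock"] for s in subnets}
    rows = []
    for g in asgs:
        subnet_ids = [s for s in g["VPCZoneIdentifier"].split(",") if s]
        missing = [s for s in subnet_ids if s not in cidr_by_subnet]
        if missing:  # a subnet absent from the scan scope means the boundary is stale
            raise ValueError(f"{g['AutoScalingGroupName']}: unknown subnets {missing}")
        lt = g.get("LaunchTemplate", {})  # groups may use a launch configuration instead
        rows.append({
            "asset": g["AutoScalingGroupName"],
            "ip_ranges": [cidr_by_subnet[s] for s in subnet_ids],
            "availability_zones": sorted(g["AvailabilityZones"]),
            "instances": f"{g['MinSize']}-{g['MaxSize']}",
            "template": f"{lt.get('LaunchTemplateId', 'n/a')}:{lt.get('Version', 'n/a')}",
        })
    return rows

def render(rows):
    """Plain-text table for pasting into the hardware/software list."""
    lines = ["asset | ip_ranges | availability_zones | instances | template"]
    for r in rows:
        lines.append(" | ".join([r["asset"], ",".join(r["ip_ranges"]),
                                 ",".join(r["availability_zones"]),
                                 r["instances"], r["template"]]))
    return "\n".join(lines)

# Constructed sample matching Figure 1: one group spanning Subnet A and Subnet B.
SAMPLE_ASGS = [{
    "AutoScalingGroupName": "asg-1-web",
    "VPCZoneIdentifier": "subnet-0a0a0a0a0a0a0a0a0,subnet-0b0b0b0b0b0b0b0b0",
    "AvailabilityZones": ["us-gov-west-1b", "us-gov-west-1a"],
    "MinSize": 2, "MaxSize": 6,
    "LaunchTemplate": {"LaunchTemplateId": "lt-0123456789abcdef0", "Version": "2"},
}]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a0a0a0a0a0a0a0a0", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-0b0b0b0b0b0b0b0b0", "CidrBlock": "10.0.2.0/24"},
]
```

Calling render(asset_inventory(SAMPLE_ASGS, SAMPLE_SUBNETS)) yields one row that documents the group, both subnet ranges, the 2-6 instance bound and the pinned template version.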
Securing the Base Template
To maintain the security of the Auto Scaling group, it is vital to ensure that the launch template used to initiate new instances is hardened and managed under strict configuration guidelines. Auto Scaling launch templates are designed to deploy instances using a selected AMI. Configuring the launch template ensures that each EC2 instance created within the group utilizes the same base image, with consistent software and security profiles.
Access to configure the launch template and select the AMI should be restricted to the individuals or teams responsible for operating system and application configuration and security. AWS Identity and Access Management (IAM) can be employed to control access to the launch template, allowing for granular least-privilege access.
The goal here is to maintain change control over the baseline image used by the Auto Scaling group by regulating who can update the AMI. Additionally, within a single account, permissions for Auto Scaling API calls can be limited to specific Auto Scaling groups by tag. For instance, the following permissions policy allows a user to configure Auto Scaling in the AWS account, but only for groups tagged with a purpose value of “testing.” If tag-based restrictions are not desired, the Condition block can be omitted.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "autoscaling:ResourceTag/purpose": "testing" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    }
  ]
}
AWS best practices advocate managing environments via Infrastructure as Code (IaC). To align with this methodology, keep the base image (AMI) used by the Auto Scaling group up to date. By adhering to standardized templates, all updates and security configurations are applied to the base image rather than to the individual EC2 instances created by the Auto Scaling group. AWS Systems Manager can patch both individual EC2 instances and those within an Auto Scaling group, and it can streamline the process of updating the AMI used by the Auto Scaling group.
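As an added example (not the post's or AWS's own code), the following Python performs the change-control check this section calls for: it resolves the launch template version an Auto Scaling group references ("$Latest", "$Default" or a number) and confirms the AMI it would launch is on an approved baseline list, flagging any template version that drifted off that list. Inputs follow the shape of boto3's describe_launch_template_versions response; the version records, AMI IDs and approved list are constructed.

```python
"""Change-control check for an Auto Scaling launch template's AMI.

Resolves the template version the group references and reports whether the
effective AMI is on the approved baseline. Records follow the shape of
ec2.describe_launch_template_versions()["LaunchTemplateVersions"]; the
versions, AMI IDs and approved list below are constructed sample values."""

def resolve_version(versions, ref):
    """Return the version record that the group's LaunchTemplate.Version names."""
    if ref == "$Latest":
        return max(versions, key=lambda v: v["VersionNumber"])
    if ref == "$Default":
        return next(v for v in versions if v.get("DefaultVersion"))
    return next(v for v in versions if v["VersionNumber"] == int(ref))

def check_template(versions, ref, approved_amis):
    """Report the effective AMI and every version whose AMI is off-baseline."""
    active = resolve_version(versions, ref)
    image = active["LaunchTemplateData"]["ImageId"]
    return {
        "version": active["VersionNumber"],
        "image_id": image,
        "approved": image in approved_amis,
        # "$Latest" adopts any newly created version, so a new version bypasses review
        "floating_reference": ref == "$Latest",
        "unapproved_versions": sorted(
            v["VersionNumber"] for v in versions
            if v["LaunchTemplateData"]["ImageId"] not in approved_amis),
    }

# Constructed sample: version 3 was created from an AMI outside the baseline.
APPROVED_AMIS = {"ami-0aaaa1111baseline", "ami-0bbbb2222baseline"}
SAMPLE_VERSIONS = [
    {"VersionNumber": 1, "DefaultVersion": False,
     "LaunchTemplateData": {"ImageId": "ami-0aaaa1111baseline"}},
    {"VersionNumber": 2, "DefaultVersion": True,
     "LaunchTemplateData": {"ImageId": "ami-0bbbb2222baseline"}},
    {"VersionNumber": 3, "DefaultVersion": False,
     "LaunchTemplateData": {"ImageId": "ami-0cccc3333adhoc"}},
]

if __name__ == "__main__":
    for ref in ("$Default", "$Latest"):
        print(ref, check_template(SAMPLE_VERSIONS, ref, APPROVED_AMIS))
```

With the sample data, a group pinned to "$Default" launches the approved version 2 while "$Latest" would silently pick up the unreviewed version 3.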