Question

You are creating a Security Group for a group of mission-critical EC2 instances, and do not want to allow just anyone to be able to SSH into them. As such, you cannot allow traffic on port 22 from the open Internet. What best practice can you implement to still allow you and your colleagues to be able to establish an SSH connection with these instances, without allowing anyone with Internet access to do the same?

Group of answer choices

Deploy another EC2 instance as a "bastion host." Allow only the bastion host instance SSH access to the sensitive EC2 instances. Then, cleared employees can securely log in to the bastion host before jumping into another SSH connection to the target EC2 instances.

Configure the Security Groups on the sensitive EC2 instances to only allow SSH traffic from the IP addresses that belong to you and your colleagues.

Disable SSH access, and use Telnet instead.

Change the SSH configuration on the sensitive EC2 instances to listen on a harder-to-guess port, such as 22521.

Solutions

Expert Solution

Out of the given options, #1 is the best practice. Deploy another EC2 instance as a "bastion host." Allow only the bastion host instance SSH access to the sensitive EC2 instances. Then, cleared employees can securely log in to the bastion host before jumping into another SSH connection to the target EC2 instances.

This is because deploying the bastion host adds an extra layer of security to our architecture. The attacker won't be able to access the private instances directly. The bastion host will act as a proxy server or a jump box. Even if it gets compromised, it is difficult to reach the private instance.

Second option: Configure the Security Groups on the sensitive EC2 instances to only allow SSH traffic from the IP addresses that belong to you and your colleagues. This is another way to allow limited access, but if the hacker can spoof an IP address, our instance will directly be compromised. We will have limited response time, whereas if the bastion host is compromised, we will still have time to protect the mission-critical instance.

Third option: Disable SSH access and use Telnet instead. This is the least secure way because the Telnet protocol has fewer security features than SSH. Telnet sends the data in plain text without encryption, whereas SSH first encrypts the data.

Fourth option: Change the SSH configuration on the sensitive EC2 instances to listen on a harder-to-guess port, such as 22521. This option is also not secure because we are directly exposing our sensitive instance. The hacker might easily be able to figure out the new port number via brute force or some other technique.
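The bastion arrangement in option 1 comes down to one rule shape: the sensitive instances' Security Group allows port 22 only from the bastion's Security Group, never from a CIDR. The following check is an added example, not part of the original solution; it audits rule data in the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`, and every group ID and CIDR in it is a constructed sample value.

```python
# Added example: audit SSH exposure in Security Group rules.
# Rule dicts follow the EC2 DescribeSecurityGroups "IpPermissions" shape.
# All group IDs and CIDRs below are constructed sample values.

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def covers_port(perm, port=22):
    """True if the rule's protocol and port range include the TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "-1" means all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def ssh_sources(group):
    """Return (cidrs, source_group_ids) that are allowed to reach port 22."""
    cidrs, groups = set(), set()
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm):
            continue
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
        groups.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return cidrs, groups

def audit_target(group, bastion_sg_id):
    """Findings for a group that should accept SSH only from the bastion group."""
    cidrs, groups = ssh_sources(group)
    gid = group["GroupId"]
    findings = []
    for cidr in sorted(cidrs):
        kind = "open to the Internet" if cidr in OPEN_CIDRS else "allowed by CIDR, not via bastion"
        findings.append(f"{gid}: SSH {kind} ({cidr})")
    for other in sorted(groups - {bastion_sg_id}):
        findings.append(f"{gid}: SSH allowed from unexpected group {other}")
    if bastion_sg_id not in groups:
        findings.append(f"{gid}: no SSH rule referencing bastion group {bastion_sg_id}")
    return findings

BASTION_SG = "sg-0bastion000000001"   # constructed
GOOD_TARGET = {"GroupId": "sg-0target0000000001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}]}
BAD_TARGET = {"GroupId": "sg-0target0000000002", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}

if __name__ == "__main__":
    for sg in (GOOD_TARGET, BAD_TARGET):
        print(sg["GroupId"], audit_target(sg, BASTION_SG) or "OK")
```

The second sample group is flagged even though it never names port 22, because a wide port range or an all-protocols rule exposes SSH just as a dedicated rule would.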

