Decrypt the user's file system at instance start-up;
(Translated from Twenty Rules for Amazon Cloud Security)
Encrypt all network traffic.
Use only encrypted file systems for block devices and non-root local devices.
Encrypt everything you put in S3 using strong encryption.
Never allow decryption keys to enter the cloud—unless and only for the duration of an actual decryption activity.
Include NO authentication credentials in your AMIs except a key for decrypting the file system key.
Pass in your file system key encrypted at instance start-up.
Do not allow password-based authentication for shell access. Ever.
Do not require passwords for sudo access.
Design your systems so that you do not rely on a particular AMI structure for your application to function.
Regularly pull full backups out of Amazon and store them securely elsewhere.
Run only one service per EC2 instance.
Open only the minimum ports necessary to support the services on an instance.
Specify source addresses when setting up your instance; only allow global access for global services like HTTP/HTTPS.
Segment out sensitive data from non-sensitive data into separate databases in separate security groups when hosting an application with highly sensitive data.
Automate your security embarrassments.
Install a host-based intrusion detection system like OSSEC.
Leverage system hardening tools like Bastille Linux.
If you suspect a compromise, backup the root file system, snapshot your block volumes, and shut down the instance. You can perform forensics on an uncompromised system later.
Design things so you can roll out a security patch to an AMI and simply relaunch your instances.
Above all else, write secure web applications.
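Rules 4 to 6 describe one key-handling design: the AMI carries nothing but a key whose only job is to unwrap the file system key, the file system key itself is generated outside the cloud and arrives wrapped at start-up (user-data is the usual channel), and it is dropped from memory as soon as the volume is unlocked. The Go program below is an added example that is not code from the article or from Amazon; the RSA key pair, the 32-byte file system key and the `fs-key` label are assumptions standing in for whatever a real launcher and AMI would use.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed scenario (not code from the article): the only credential baked
// into the AMI is an RSA private key whose sole purpose is to unwrap the file
// system key (rule 5). The file system key is generated outside the cloud,
// handed over wrapped at start-up, e.g. via user-data (rule 6), and wiped from
// memory once the volume is unlocked (rule 4).

const oaepLabel = "fs-key" // binds the wrapped blob to this one purpose (assumed label)

// generateAMIKey stands in for the key pair created once at AMI build time.
func generateAMIKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newFileSystemKey makes the 32-byte key that protects the encrypted block
// device (the LUKS passphrase or dm-crypt key, for example).
func newFileSystemKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// wrapForInstance runs on the launcher, outside the cloud: RSA-OAEP encrypts
// the file system key to the AMI's public key, so only an instance booted
// from that AMI can recover it.
func wrapForInstance(pub *rsa.PublicKey, fsKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fsKey, []byte(oaepLabel))
}

// unwrapOnInstance runs at start-up on the instance with the AMI's private
// key. OAEP decryption checks the padding and label, so a modified blob fails
// outright instead of yielding a wrong key that leaves the volume unreadable.
func unwrapOnInstance(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(oaepLabel))
}

// zeroize overwrites key material once the decryption activity is over.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// startupRoundTrip plays both sides and reports whether the instance ended up
// with the same file system key the launcher wrapped.
func startupRoundTrip() (bool, error) {
	amiKey, err := generateAMIKey()
	if err != nil {
		return false, err
	}
	fsKey, err := newFileSystemKey()
	if err != nil {
		return false, err
	}
	wrapped, err := wrapForInstance(&amiKey.PublicKey, fsKey) // what user-data would carry
	if err != nil {
		return false, err
	}
	recovered, err := unwrapOnInstance(amiKey, wrapped)
	if err != nil {
		return false, err
	}
	ok := bytes.Equal(recovered, fsKey)
	// The unlock step (cryptsetup luksOpen or similar) would run here; after
	// it, neither copy of the key has any reason to stay in memory.
	zeroize(recovered)
	zeroize(fsKey)
	return ok, nil
}

func main() {
	ok, err := startupRoundTrip()
	fmt.Println("instance recovered the file system key:", ok, err)
}
```

The split matters more than the algorithm: the private key in the AMI is useless without a wrapped blob, and the blob is useless without that AMI, so neither a leaked image nor captured user-data alone exposes the volume key. Whether the wrapped blob is delivered through user-data or fetched from S3, rule 3 still applies to it.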
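Rules 12 to 14 are about security group policy: open only the ports a service needs, restrict the source address unless the service is a global one like HTTP/HTTPS, and put sensitive databases in their own group. The following Go audit is an added example, not code from the article or from Amazon; it models inbound rules with invented field names and two constructed sample groups (`webTier`, `dbTier`) and flags what those rules forbid. It goes slightly beyond the text by also flagging "all traffic" rules and port ranges, which are the common ways the minimum-ports rule gets broken in practice.

```go
package main

import "fmt"

// Constructed model of EC2 security group inbound rules, not code from the
// article. The fields follow the shape of the EC2 API (protocol, from/to
// port, CIDR or source group), but every value below is invented.
type IngressRule struct {
	Protocol string // "tcp", "udp", or "-1" for all traffic
	FromPort int
	ToPort   int
	Source   string // a CIDR, or another security group's id
}

type SecurityGroup struct {
	Name  string
	Rules []IngressRule
}

// globalServices are the only ports that may be reachable from anywhere
// (rule 13: global access only for global services like HTTP/HTTPS).
var globalServices = map[int]bool{80: true, 443: true}

// isGlobal reports whether a source means "the whole Internet".
func isGlobal(src string) bool {
	return src == "0.0.0.0/0" || src == "::/0"
}

// Audit returns one finding per rule that breaks rules 12 and 13: "all
// traffic" rules, port ranges instead of the single ports a service needs,
// and non-global ports exposed without a source address restriction.
func Audit(sg SecurityGroup) []string {
	var findings []string
	for _, r := range sg.Rules {
		switch {
		case r.Protocol == "-1":
			findings = append(findings, fmt.Sprintf("%s: all protocols and ports allowed from %s", sg.Name, r.Source))
		case r.FromPort != r.ToPort:
			findings = append(findings, fmt.Sprintf("%s: port range %d-%d from %s; open only the ports the service needs", sg.Name, r.FromPort, r.ToPort, r.Source))
		case isGlobal(r.Source) && !globalServices[r.FromPort]:
			findings = append(findings, fmt.Sprintf("%s: port %d reachable from %s; specify a source address", sg.Name, r.FromPort, r.Source))
		}
	}
	return findings
}

// Sample groups (constructed). webTier follows the rules; dbTier, the
// separate group for the sensitive database (rule 14), carries three
// violations and one correct rule that admits only the application tier.
var webTier = SecurityGroup{Name: "sg-web-example", Rules: []IngressRule{
	{"tcp", 80, 80, "0.0.0.0/0"},
	{"tcp", 443, 443, "0.0.0.0/0"},
	{"tcp", 443, 443, "::/0"},
	{"tcp", 22, 22, "203.0.113.0/24"}, // admin network only
}}

var dbTier = SecurityGroup{Name: "sg-db-example", Rules: []IngressRule{
	{"tcp", 3306, 3306, "0.0.0.0/0"},      // database reachable from anywhere
	{"tcp", 0, 65535, "10.0.0.0/8"},       // whole port range
	{"-1", -1, -1, "10.0.0.0/8"},          // all traffic
	{"tcp", 3306, 3306, "sg-web-example"}, // correct: only the web tier's group
}}

func main() {
	for _, sg := range []SecurityGroup{webTier, dbTier} {
		for _, f := range Audit(sg) {
			fmt.Println(f)
		}
	}
}
```

Feeding real groups into this means replacing the constructed slices with what the EC2 API returns for each group; the checks themselves do not change. The last dbTier rule shows the rule-14 pattern the audit accepts: the database group's source is the application tier's group, not an address range.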
Original URL: http://www.cnblogs.com/cu-wosign-com/p/3954316.html