Centrify CloudTools

Active Directory-Based Access Control for Amazon EC2 Cloud Systems

Centrify CloudTools include Amazon Machine Images (AMIs) that dynamically secure EC2 cloud systems by joining them to your Active Directory infrastructure

The Amazon Elastic Compute Cloud (Amazon EC2) is a highly popular web service platform that IT organizations, application developers and web entrepreneurs are using to stand up everything from a single internal test system to massive web server farms. Amazon EC2 gives organizations the ability to launch and terminate server instances on demand and pay only modest hourly rental fees for active servers.

While EC2 servers may be fully configured for a particular task such as hosting a web server or database, they also come online over a public network with underlying operating systems that have a standard root account and other well-known default service accounts. Amazon provides web service interfaces and a virtual private cloud feature to help protect cloud systems, but it is up to the customer to take full control of these systems and to secure and harden them. Taking control of a system before it can be discovered by bots can be especially problematic for, say, server farms that are configured to dynamically launch new server instances in response to user demand.

The Centrify CloudTools include several Amazon Machine Images (AMIs) that have been configured for automatic lock-down at the moment they are launched. To make it easy and cost-effective for you to get started, we have pre-installed our free Centrify Express, which handles the tasks of automatically joining a new server instance to your enterprise Active Directory domain and locking down access to the root account. These Centrify AMIs are provided at no charge to Amazon EC2 users; however, standard Amazon virtual machine charges will apply. Support is available on the Centrify CloudTools Community, where you can exchange best practice advice with Centrify staff and other CloudTools users.

See our white paper, Enforcing Enterprise-Out Security for Cloud Servers, for a full overview of Centrify's solution for dynamically extending an organization's existing enterprise security infrastructure out to cloud-based UNIX and Linux systems.

How the Centrify Express AMIs Work

The Centrify Express AMIs have been built for the following operating systems:

  • Amazon Linux 1.0 64bit (AMI ID: ami-1f15465a)
  • Ubuntu 10.04 64bit (AMI ID: ami-2915466c)
  • Fedora 13 64bit (AMI ID: ami-1b15465e)

Centrify has taken these base distributions as published by the operating system vendor and made a few changes as described below.

  • The root account has been locked down: its password is randomized at first boot, and SSH has been configured to prevent root login to the system. This provides a more secure environment in which the root account is locked and any access requires login with a normal user account, with sudo used to run specific commands with privilege. Every sudo invocation is logged, which gives a much richer audit trail in syslog than shared root logins.
  • Once the instance has joined Active Directory, the local root account is configured to require the Active Directory password of the user "ec2.root" when logging in as "root". This ensures that your Active Directory infrastructure is in control of the root account of the newly created AMI instance.
  • A local account named "centrify" is provided for local login where needed; it has sudo permissions as an administrator. Once the instance has joined Active Directory, its login password is controlled by your Active Directory user account named "ec2.centrify".
  • These AMIs are configured to automatically join your Active Directory domain upon boot in order to enable centralized authentication and access control using your Active Directory domain management tools. The Centrify agent is configured to automatically join using the next available computer account from a pool of accounts pre-configured in your Active Directory. When an instance terminates, it leaves Active Directory to free up the computer account for the next instance to be launched.
  • Existing Active Directory users can be granted login rights simply by adding them as members of the Active Directory group named "ec2.access". This lets you centrally control which of your users are authorized to log in to the new AMI instance: create this group and add users as members, and they will be able to log in with their Active Directory user ID and password.
  • Root privileges can also be centrally granted as needed. Users in your Active Directory who are members of the Active Directory group "ec2.admins" are given the right to execute privileged commands via sudo once logged in to the Centrify Express AMI instance.
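The first-boot lock-down described in the list above, written out as an added example. This is not Centrify's own first-boot script; it is a POSIX shell sketch of the generic pieces (random root password, no root over SSH, sudo for an AD group) with the Active Directory join itself left as a placeholder that assumes the Centrify agent's adjoin command is installed. The functions take file paths as arguments so they can be exercised on scratch copies; nothing touches the live system unless the script is run as root with --apply. The domain name, the join user, and the sshd_config and sudoers paths are assumptions.

```shell
#!/bin/sh
# Added example (not Centrify's code): first-boot hardening of a cloud instance.
set -eu

# 32 random alphanumeric characters from the kernel CSPRNG. LC_ALL=C keeps tr
# from choking on non-UTF-8 bytes in the raw /dev/urandom stream.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Give root a password nobody knows. After the AD join the agent maps root's
# password to the AD user (ec2.root on the page); until then root is unusable.
set_random_root_password() {
    printf 'root:%s\n' "$(random_password)" | chpasswd
}

# Force "PermitRootLogin no" in an sshd_config-style file. sshd honours the
# first occurrence of a directive, so every existing (or commented) copy is
# dropped and the hardened value is written once, before any Match block so it
# applies globally rather than only to the last Match section.
harden_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk '
        /^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]/ { next }
        !done && /^[[:space:]]*Match[[:space:]]/ { print "PermitRootLogin no"; done = 1 }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Exit 0 when the effective PermitRootLogin value in the file is "no".
root_login_denied() {
    val=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{ print $2 }')
    [ "$val" = "no" ]
}

# Write a sudoers drop-in giving an AD group (exposed to the system through the
# agent's NSS integration) full sudo rights; each use is logged via syslog.
write_sudoers_fragment() {
    out="$1"
    group="${2:-ec2.admins}"
    printf '%%%s ALL=(ALL) ALL\n' "$group" > "$out"
    chmod 0440 "$out"
    # visudo -c also checks owner/mode, which only passes as root.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cq -f "$out"
    fi
}

# Placeholder for the join step. "adjoin -u <user> <domain>" is the Centrify
# agent's command; the domain and join account below are assumptions.
join_domain() {
    adjoin -u "${JOIN_USER:-ec2.join}" "${AD_DOMAIN:-example.corp}"
}

if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    set_random_root_password
    harden_sshd_config /etc/ssh/sshd_config
    write_sudoers_fragment /etc/sudoers.d/ec2-admins ec2.admins
    join_domain
fi
```

Restricting interactive login to members of ec2.access is an agent-side setting rather than something this sketch configures; the sudoers fragment only covers the ec2.admins half of the page's group model.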
Getting Started with Centrify CloudTools for Amazon EC2

  • Quick Start Guide: Using Centrify Express on Amazon EC2
  • Download Centrify Express
  • To use the Centrify Amazon Machine Images: in the AWS Management Console, search for "centrify" in the Community AMIs tab.
  • Centrify CloudTools Community