
How to improve security for AWS EC2 with NGINX PHP web services

I'm looking for some general information on how to secure my backend running on AWS. I have mobile apps that send requests to PHP scripts living in an AWS EC2 instance configured with NGINX. The only thing the PHP scripts do is query a MySQL database and echo the JSON response back to the app. I was looking for options to enhance the security of the backend against DDoS attacks and such. I do not have any web content the users can interact with, just these PHP endpoints which the apps communicate with to retrieve data.

  1. In my case, will AWS CloudFront be helpful? As far as I understand, CloudFront is for CDN, which deals with static web content that can be distributed to different servers, but since I don't have any websites, and the PHP files are just serving data back to the mobile apps, I'm not sure how it can help.

  2. Also, they say AWS Shield is enabled by default, but I'm not sure if that's only useful if I use the AWS APIs they provide as a service rather than me just having PHP scripts uploaded to an EC2 instance on my own.

With the way I have the PHP files on the server, I'm wondering if my backend gets all the security goodies AWS boasts about in general.

I know the question is very generic, but as a starter, any advice on which AWS products/options I might be able to opt into to make the backend more secure would be appreciated.

Thank you

I would recommend having a look at the AWS whitepaper titled AWS Best Practices for DDoS Resiliency. It provides a lot of useful information about DDoS and AWS, and about which services you can use, and how, to protect your application.

  1. In my case, will AWS Cloudfront be helpful?

Yes, it would be helpful, and it is useful for dynamic content. It is an integral part of DDoS defence strategies, as all the requests would hit AWS edge locations first, not your server directly. From the whitepaper:

Amazon CloudFront only accepts well-formed connections, which helps prevent many common DDoS attacks, like SYN floods and UDP reflection attacks, from reaching your origin.

  2. Also they say AWS Shield is enabled by default,

AWS Shield Standard (free) is available only for Route 53 and CloudFront. So without CloudFront you will not be protected. Thus, at the very least I would consider using CloudFront, with which you get Shield automatically.

Also, since you are hosting some PHP API, you could consider proxying it through **API Gateway** first, as this is yet another way you can protect against DDoS: you can simply impose some throttling limits on your API.
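To make the two recommendations above concrete, here is an added CloudFormation example (not part of the answer above) that puts a CloudFront distribution in front of the NGINX/PHP instance so that Shield Standard applies, and attaches stage-level throttling limits to an API Gateway REST API. The origin DNS name, the REST API id, the deployment id and the throttling numbers are assumed placeholder values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Constructed example - CloudFront in front of an EC2/NGINX PHP origin plus API Gateway throttling
Parameters:
  OriginDomainName:
    Type: String
    Description: Public DNS name of the EC2 instance running NGINX (placeholder value)
    Default: ec2-203-0-113-10.compute-1.amazonaws.com
  RestApiId:
    Type: String
    Description: Existing REST API that proxies the PHP endpoints (assumed to exist)
  DeploymentId:
    Type: String
    Description: Deployment of that API to attach the throttled stage to (assumed to exist)
Resources:
  PhpDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: Client requests reach CloudFront edge locations first, not the instance
        Origins:
          - Id: php-origin
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              # NGINX needs a publicly trusted certificate for https-only to work
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          TargetOriginId: php-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # The JSON responses are dynamic: forward everything and never cache them
          ForwardedValues:
            QueryString: true
            Headers: ['*']
          MinTTL: 0
          DefaultTTL: 0
          MaxTTL: 0
  ThrottledStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref RestApiId
      DeploymentId: !Ref DeploymentId
      StageName: prod
      MethodSettings:
        - ResourcePath: /*          # every resource in the API
          HttpMethod: '*'           # every HTTP method
          ThrottlingRateLimit: 100  # steady-state requests per second (assumed value)
          ThrottlingBurstLimit: 200 # short burst allowance (assumed value)
```

The template does not lock down the instance itself: its security group should only accept traffic from CloudFront (or API Gateway), otherwise clients can still reach the EC2 public IP directly and bypass the edge protection.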
