AWS EC2 Security: Instance Hardening and Network Controls
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
EC2 instances are the most common workload in AWS, and they are also the most common entry point for attackers. A misconfigured security group, a public-facing instance with an unpatched service, or an exposed IMDS endpoint can turn into a full account compromise quickly. Here is what you need to get right.
IMDSv2 — Enforce It
The Instance Metadata Service (IMDS) is how EC2 instances retrieve their IAM role credentials, network configuration, and user data. IMDSv1 responds to simple HTTP GET requests, which makes it trivially exploitable through SSRF vulnerabilities. An attacker who can make your application issue an HTTP request to 169.254.169.254 gets your instance role credentials.
IMDSv2 requires every metadata request to carry a session token, which the caller first obtains with an HTTP PUT to the metadata endpoint; the token response is sent with an IP TTL equal to the instance's PUT response hop limit, which defaults to 1. This blocks most SSRF attacks: a typical SSRF primitive lets the attacker control the URL but not the HTTP method or headers, and a hop limit of 1 means the token response cannot be forwarded past the instance itself, so it never reaches an attacker routing through a proxy or across a container network boundary.
Enforce IMDSv2 at launch by setting MetadataOptions HttpTokens to required in your launch template. Use an SCP or IAM policy with the ec2:MetadataHttpTokens condition key to deny launches that do not require IMDSv2, so nobody can bring up an instance with IMDSv1 enabled.
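The two controls above, the audit and the launch-time guardrail, as an added example that is not code from the article or from AWS. The audit walks the shape of an `aws ec2 describe-instances` response (the instance IDs and metadata options below are constructed sample data) and flags instances that still accept IMDSv1 or return the token beyond the instance; the SCP uses the ec2:MetadataHttpTokens condition key to deny RunInstances unless IMDSv2 is required. The `max_hop_limit` threshold is this example's own assumption, reflecting the hop limit of 1 the text recommends.

```python
"""Audit EC2 metadata options for IMDSv2 enforcement and emit the SCP that
blocks IMDSv1 launches. Added example; the describe-instances data is constructed."""
import json

# Constructed sample shaped like `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "ImageId": "ami-0111",
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222", "ImageId": "ami-0222",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333", "ImageId": "ami-0333",
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 3}},
        # Metadata endpoint disabled entirely: no credentials reachable, so skipped.
        {"InstanceId": "i-0ddd444", "ImageId": "ami-0444",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
}


def iter_instances(describe_output):
    """Flatten the Reservations/Instances nesting of describe-instances."""
    for reservation in describe_output.get("Reservations", []):
        yield from reservation.get("Instances", [])


def imds_findings(describe_output, max_hop_limit=1):
    """Return {instance_id: [finding, ...]} for instances whose metadata options
    leave IMDSv1 reachable or let the token response travel past the instance."""
    findings = {}
    for inst in iter_instances(describe_output):
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "disabled":
            continue  # IMDS is off; nothing to harden
        problems = []
        if opts.get("HttpTokens") != "required":
            problems.append("IMDSv1 allowed (HttpTokens != required)")
        hop_limit = opts.get("HttpPutResponseHopLimit", 1)
        if hop_limit > max_hop_limit:
            # A larger hop limit lets the token response cross a container or
            # proxy boundary; flag it for review rather than silently accepting it.
            problems.append(f"hop limit {hop_limit} > {max_hop_limit}")
        if problems:
            findings[inst["InstanceId"]] = problems
    return findings


def imdsv2_scp():
    """SCP denying RunInstances unless the launch requires IMDSv2 session tokens."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireImdsV2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
        }],
    }


if __name__ == "__main__":
    for instance_id, problems in imds_findings(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id, "->", "; ".join(problems))
    print(json.dumps(imdsv2_scp(), indent=2))
```

Against real data, feed `imds_findings` the dict returned by `boto3.client("ec2").describe_instances()` (paginate for large accounts). The SCP only governs new launches; existing instances flagged by the audit still need their metadata options changed to require tokens.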
Security Groups
Security groups are stateful firewalls at the instance level. The biggest mistakes: allowing 0.0.0.0/0 ingress on SSH or RDP, using overly broad port ranges, and not restricting egress.
Restrict egress. Most applications only need to talk to specific services. Default-allow egress lets attackers exfiltrate data and establish C2 channels. Start with deny-all egress and open only what your application needs: HTTPS to specific endpoints, database ports to your RDS subnet, and DNS.
When the source or destination is another resource in the same VPC, reference its security group by ID instead of a CIDR block. The rule then follows the resource, so it keeps working when the underlying IP addresses change.
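The three mistakes listed above, and the egress guidance, as a detection check over the shape of an `aws ec2 describe-security-groups` response. This is an added example, not the article's or AWS's code; the groups are constructed sample data, and the `MAX_PORT_SPAN` threshold for "overly broad" is this example's assumption.

```python
"""Flag world-open SSH/RDP ingress, overly broad port ranges, and unrestricted
egress in security-group rules. Added example over constructed sample data."""

ADMIN_PORTS = (22, 3389)           # SSH and RDP, the ports the text calls out
ANY_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"
MAX_PORT_SPAN = 100                # assumption: a wider tcp/udp range is "overly broad"

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "bastion-bad",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [  # the AWS default egress rule: all traffic, anywhere
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "app-ok",
     "IpPermissions": [  # ingress only from the load balancer's group, by ID
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0alb"}]}],
     "IpPermissionsEgress": [  # database subnet, one HTTPS endpoint, DNS resolver
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.20.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.1.5/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
          "IpRanges": [{"CidrIp": "10.0.0.2/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "wide-range",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]}


def _cidrs(perm):
    """All IPv4 and IPv6 CIDRs named by one rule (group references are not CIDRs)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _port_span(perm):
    """Port range covered by a rule; protocol -1 means all traffic and carries no ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    if lo == -1:          # ICMP wildcard type/code, not a port range
        return 0, 0
    return lo, hi


def sg_findings(describe_output):
    """Return {group_id: [finding, ...]} for groups violating the guidance."""
    findings = {}
    for sg in describe_output.get("SecurityGroups", []):
        problems = []
        for perm in sg.get("IpPermissions", []):
            world = [c for c in _cidrs(perm) if c in ANY_CIDRS]
            lo, hi = _port_span(perm)
            for port in ADMIN_PORTS:
                if world and lo <= port <= hi:
                    problems.append(f"ingress port {port} open to {', '.join(world)}")
            if hi - lo >= MAX_PORT_SPAN:
                problems.append(f"ingress port range {lo}-{hi} is overly broad")
        for perm in sg.get("IpPermissionsEgress", []):
            if not any(c in ANY_CIDRS for c in _cidrs(perm)):
                continue
            if perm.get("IpProtocol") == "-1":
                problems.append("egress allows all traffic to anywhere (default-allow)")
            else:
                lo, hi = _port_span(perm)
                problems.append(f"egress {perm['IpProtocol']} {lo}-{hi} to anywhere; pin to specific endpoints")
        if problems:
            findings[sg["GroupId"]] = problems
    return findings


if __name__ == "__main__":
    for group_id, problems in sg_findings(SAMPLE_SECURITY_GROUPS).items():
        print(group_id, "->", "; ".join(problems))
```

Note that `sg-0bbb` produces no findings: its ingress is expressed as a group reference rather than a CIDR, and its egress names only the database subnet, one HTTPS endpoint and the resolver, which is the deny-by-default posture the text describes.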
AMI Scanning and Hardening
Bake hardened AMIs using a pipeline. Start from a minimal base image (Amazon Linux 2023 or Ubuntu minimal), apply CIS benchmarks, remove unnecessary packages and services, and scan the result with Inspector or a third-party tool before promoting it to your approved AMI registry.
Use AMI deprecation to prevent teams from launching outdated images. Combine this with an AWS Config rule that flags instances running on non-approved AMIs.
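The Config rule mentioned above, as an added example of how its evaluation logic works; this is not the article's or AWS's code (AWS also ships a managed rule, approved-amis-by-id, that does the same job without custom code). The Lambda event and configuration item are constructed samples shaped like what Config delivers to a custom rule, and the rule parameter name `approvedAmiIds` is this example's assumption.

```python
"""Evaluation logic for an AWS Config custom rule that marks EC2 instances
NON_COMPLIANT when their AMI is not on an approved list. Added example; the
event below is a constructed sample."""
import json

# Constructed sample of the event Config passes to a custom-rule Lambda.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0bbb222",
            "configurationItemCaptureTime": "2026-02-28T10:15:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {"imageId": "ami-0deadbeef", "state": {"name": "running"}},
        },
    }),
    "ruleParameters": json.dumps({"approvedAmiIds": "ami-0111,ami-0222"}),
    "resultToken": "constructed-result-token",
}


def parse_approved(rule_parameters):
    """Rule parameters arrive as a JSON string; approvedAmiIds is a comma-separated list."""
    raw = json.loads(rule_parameters or "{}").get("approvedAmiIds", "")
    return {a.strip() for a in raw.split(",") if a.strip()}


def evaluate(config_item, approved):
    """Map one configuration item to a Config compliance type."""
    if config_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"   # a terminated instance must not linger as NON_COMPLIANT
    image_id = config_item.get("configuration", {}).get("imageId")
    return "COMPLIANT" if image_id in approved else "NON_COMPLIANT"


def build_evaluation(event):
    """Turn the Lambda event into the Evaluation entry that put_evaluations expects."""
    config_item = json.loads(event["invokingEvent"])["configurationItem"]
    approved = parse_approved(event.get("ruleParameters"))
    image_id = config_item.get("configuration", {}).get("imageId")
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": evaluate(config_item, approved),
        "Annotation": f"imageId={image_id}; approved list has {len(approved)} AMIs",
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report the result back to Config."""
    evaluation = build_evaluation(event)
    # boto3 is imported here rather than at module level so the pure evaluation
    # logic above can be tested without AWS access.
    import boto3
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Pair this with AMI deprecation: deprecation stops new launches of an old image, while the rule catches instances that were launched before the image was retired and are still running on it.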
Patch Management
Use Systems Manager Patch Manager to automate patching. Define patch baselines per OS, set maintenance windows, and use State Manager associations to enforce compliance. Scan instances daily and patch on a schedule that matches your risk tolerance.
For immutable infrastructure, replace instances rather than patching them. Build a new AMI with current patches, update your Auto Scaling Group launch template, and do a rolling replacement.
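Patch Manager reports its results per instance, and the two things to triage against the guidance above are outstanding patches and stale scans. The following is an added example, not the article's or AWS's code, that runs that triage over the shape of an `aws ssm describe-instance-patch-states` response (boto3 returns OperationEndTime as a datetime, which the constructed sample mirrors); the 24-hour staleness threshold reflects the daily scan the text recommends and is this example's assumption.

```python
"""Triage Patch Manager instance patch states: missing or failed patches,
pending reboots, and instances with no recent scan. Added example over
constructed sample data."""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible.
NOW = datetime(2026, 2, 28, 12, 0, tzinfo=timezone.utc)

# Constructed sample shaped like `describe-instance-patch-states` output.
SAMPLE_PATCH_STATES = {"InstancePatchStates": [
    {"InstanceId": "i-0aaa111", "PatchGroup": "web", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": NOW - timedelta(hours=6)},
    {"InstanceId": "i-0bbb222", "PatchGroup": "web", "Operation": "Scan",
     "MissingCount": 4, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": NOW - timedelta(hours=3)},
    {"InstanceId": "i-0ccc333", "PatchGroup": "db", "Operation": "Install",
     "MissingCount": 0, "FailedCount": 2, "InstalledPendingRebootCount": 1,
     "OperationEndTime": NOW - timedelta(hours=1)},
    {"InstanceId": "i-0ddd444", "PatchGroup": "db", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": NOW - timedelta(days=3)},
]}


def patch_findings(states, now=NOW, max_scan_age_hours=24):
    """Return {instance_id: [finding, ...]} for instances needing attention."""
    findings = {}
    for state in states.get("InstancePatchStates", []):
        problems = []
        if state.get("MissingCount", 0):
            problems.append(f"{state['MissingCount']} patches missing")
        if state.get("FailedCount", 0):
            problems.append(f"{state['FailedCount']} patches failed to install")
        if state.get("InstalledPendingRebootCount", 0):
            problems.append("reboot pending")
        end = state.get("OperationEndTime")
        if end is None:
            problems.append("no patch operation recorded")
        else:
            age = now - end
            age_hours = age.days * 24 + age.seconds // 3600
            if age > timedelta(hours=max_scan_age_hours):
                problems.append(f"last patch operation {age_hours}h ago, older than {max_scan_age_hours}h")
        if problems:
            findings[state["InstanceId"]] = problems
    return findings


def by_patch_group(states, findings):
    """Group flagged instance IDs by PatchGroup so each owning team gets its own list."""
    groups = {}
    for state in states.get("InstancePatchStates", []):
        if state["InstanceId"] in findings:
            groups.setdefault(state.get("PatchGroup", "(none)"), []).append(state["InstanceId"])
    return groups


if __name__ == "__main__":
    found = patch_findings(SAMPLE_PATCH_STATES)
    for group, ids in by_patch_group(SAMPLE_PATCH_STATES, found).items():
        print(group)
        for instance_id in ids:
            print("  ", instance_id, "->", "; ".join(found[instance_id]))
```

For immutable fleets the same output answers a different question: instances accumulating missing patches are the trigger to build a new AMI and roll the Auto Scaling Group, not targets for in-place installs.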
Key Pairs and Access
Stop using SSH key pairs for instance access. Use Systems Manager Session Manager instead. It provides authenticated, logged, and auditable shell access through IAM without opening port 22 or managing keys. With session logging configured, every session is recorded to S3 and CloudWatch Logs.
Next Steps
- Test your EC2 security knowledge with a skills assessment
- Review the full set of AWS security skills in the skills library
- Map out your certification path with the certificate roadmap
Related Guides in This Series
- Active Directory Security: Attack Paths and Hardening — HADESS | 2026
- AWS ALB Security: TLS, Authentication, and Access Controls — HADESS | 2026
- AWS CloudTrail: Log Analysis and Security Monitoring — HADESS | 2026
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
