Amazon Linux Network & Security Configuration

Table of Contents

1. Challenge

   Configure firewalld zones and rules to secure network traffic for a three-tier web application

   • Inspect the default firewalld configuration and confirm the active zone bound to the primary network interface.
   • Apply service rules to the public zone for the web tier and a port rule to the internal zone for the application tier.
   • Create a database zone with a default DROP target and add a rich rule that allows traffic on port 3306 from the application subnet CIDR.
   • Verify rule effectiveness using firewall-cmd --list-all for each zone and test allowed traffic with nc and curl.
2. Challenge

   Apply SSH hardening and validate AWS Systems Manager Session Manager as a keyless access method

   • Apply SSH hardening settings using a drop-in file under /etc/ssh/sshd_config.d/, validate syntax with sshd -t, and reload the service.
   • Confirm that amazon-ssm-agent is running and registered, then verify the SSM ping state to prove Session Manager is a viable replacement for inbound SSH.
   • Inspect the firewalld rule that would remove SSH from the public zone in production without applying the change in the lab.
3. Challenge

   Configure SELinux in enforcing mode and use auditd to verify compliance and policy correctness

   • Switch SELinux to enforcing mode and persist the change in /etc/selinux/config.
   • Trigger the pre-staged httpd service configured to listen on port 8888 and locate the resulting name_bind AVC denials with ausearch.
   • Use audit2why to explain the denial cause and audit2allow -M lab_http to generate and compile a targeted custom policy module.
   • Install the module with semodule -i, confirm that httpd starts cleanly, and produce an aureport confirming that no unauthorized privilege escalation occurred.