On the cloud, you are responsible for the security of your VMs.

This document is not intended to be a complete guide but only to give you some basic guidelines on things your need to consider when creating a VM on the cloud.

Keeping the Operating System secured[edit]

• Apply security updates
• Avoid using packages from unknown sources
• use an updated image (ex: don't use Ubuntu 14.04 when ubuntu 16.04 avalaible, or cent
• Do not allow password authentication for SSH (key authentication by default)
• Install fail2ban to block authentication failure

Network security[edit]

• Limit who can access your service, avoid using 0.0.0.0 in the CIDR field of the security group form.
• Be careful when creating your security rules, consider the following
  • Most services aren't meant to be publicly accessible:
    • mysql
    • postgresql
    • nosql
    • RDP
    • ... many, many others
  • Some services are meant to be accessible from the internet to deliver a service
    • Apache
    • Nginx
    • ... others
• Configure your web server to use HTTPS instead of HTTP.
  • In many case HTTP should only be used to redirect traffic to HTTPS.
• others:
  • Do not try to run a mail server.