Compute and storage: EC2, S3, RDS

EC2, S3 and RDS are the AWS "big three" — most workloads rest on these three services. In this lesson you will learn their roles and the most important security controls that ZEUS verifies.

EC2 — virtual machines

Elastic Compute Cloud provides virtual servers. You choose an AMI (image), an instance type (CPU/RAM, e.g. t3.medium, m6i.large) and a subnet. Access is best done through SSM Session Manager, not SSH.

aws ec2 run-instances \
  --image-id ami-0abc123 --instance-type t3.medium \
  --subnet-id subnet-xxxx --security-group-ids sg-xxxx \
  --iam-instance-profile Name=ssm-role \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=env,Value=prod}]'

Key controls: EBS disk encryption, no public IP where it is not needed, and IMDSv2 enforced (protection against credential theft).

S3 — object storage

Simple Storage Service stores objects in buckets. It is the most common source of data leaks in the public cloud, which is why these controls are critical:

  • Block Public Access enabled at the account and bucket level,
  • encryption (SSE-S3 or SSE-KMS) by default,
  • enforced TLS in the bucket policy.

# Block public access to the bucket
aws s3api put-public-access-block --bucket zeus-data \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# Default encryption
aws s3api put-bucket-encryption --bucket zeus-data \
  --server-side-encryption-configuration \
  '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

Tip: a public S3 bucket is the classic data-leak headline. ZEUS flags every bucket with public access as a critical finding.

RDS — managed relational databases

Relational Database Service runs managed databases: PostgreSQL, MySQL, SQL Server, MariaDB, Oracle (and Aurora). Patching, automatic backups and Multi-AZ failover are handled for you. Security controls:

  • PubliclyAccessible = false, with the database placed only in a private subnet,
  • encryption at rest (KMS),
  • enforced SSL/TLS on connections.

aws rds create-db-instance \
  --db-instance-identifier zeus-pg --engine postgres \
  --db-instance-class db.t3.medium --allocated-storage 50 \
  --master-username zeusadmin --manage-master-user-password \
  --no-publicly-accessible --storage-encrypted

Comparison

Service | Type                | Most common misconfig
EC2     | compute             | public IP + open SSH
S3      | object storage      | public bucket, no encryption
RDS     | relational database | public access, no encryption

How ZEUS sees it

Through Boto3, ZEUS inventories EC2 instances (public IP, IMDS state, EBS encryption), S3 buckets (Block Public Access, encryption, policies) and RDS instances (public access, encryption). These controls feed both posture and compliance frameworks — data encryption and the absence of public exposure are direct requirements of ISO 27001 and NIS2.
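To make the inventory concrete, here is an added example (not ZEUS's own code) of the checks described above written as pure functions over boto3-shaped response dicts. The sample responses are constructed inline so the script runs offline; the function and key names are assumptions modelled on what ec2.describe_instances(), s3.get_public_access_block(), s3.get_bucket_encryption() and rds.describe_db_instances() return.

```python
# Added example, not ZEUS's own code: posture checks for EC2, S3 and RDS
# over boto3-shaped response dicts. Inputs are constructed inline so this
# runs offline; in practice the dicts come from ec2.describe_instances(),
# s3.get_public_access_block(), s3.get_bucket_encryption() and
# rds.describe_db_instances().

def check_ec2(instance):
    """Findings for one Instance dict from describe_instances().
    EBS encryption needs describe_volumes() and is not covered here."""
    findings = []
    if "PublicIpAddress" in instance:
        findings.append("public IP assigned")
    # HttpTokens == "required" is what "IMDSv2 enforced" means in the API.
    if instance.get("MetadataOptions", {}).get("HttpTokens") != "required":
        findings.append("IMDSv2 not enforced")
    return findings

def check_s3(pab, encryption_rules):
    """pab: PublicAccessBlockConfiguration dict; encryption_rules: the Rules
    list from get_bucket_encryption(), passed as [] when the call raises
    ServerSideEncryptionConfigurationNotFoundError (no default encryption)."""
    findings = []
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    # All four flags must be true; a single false one is a critical finding.
    if not all(pab.get(k) for k in required):
        findings.append("CRITICAL: public access not fully blocked")
    if not encryption_rules:
        findings.append("no default encryption")
    return findings

def check_rds(db):
    """Findings for one DBInstance dict from describe_db_instances()."""
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("publicly accessible")
    if not db.get("StorageEncrypted"):
        findings.append("storage not encrypted")
    return findings

# Constructed sample responses (hypothetical resources, not real ones).
SAMPLE_INSTANCE = {"InstanceId": "i-0example", "PublicIpAddress": "203.0.113.10",
                   "MetadataOptions": {"HttpTokens": "optional"}}
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": True}
SAMPLE_DB = {"DBInstanceIdentifier": "zeus-pg", "PubliclyAccessible": False,
             "StorageEncrypted": True}

if __name__ == "__main__":
    print("EC2:", check_ec2(SAMPLE_INSTANCE))
    print("S3: ", check_s3(SAMPLE_PAB, []))
    print("RDS:", check_rds(SAMPLE_DB))
```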

In the next lesson we move into automation with Boto3 in Python.