TUTORIAL

How to Protect Virtualized Systems

by Erik Mikac

Securing virtualized systems in the cloud is essential to protecting sensitive data and keeping services reliable. In this tutorial, you’ll learn practical steps to harden your AWS environment, from confirming that your API calls travel over TLS and are authenticated with IAM credentials to using vendor-provided hardened configurations. 

You’ll also set up logging with CloudTrail, segment your networks using VPCs, and secure administrative access through bastion hosts. By the end, you’ll have a clear, hands-on foundation for securing cloud resources against common threats.


Project Overview

EXPERIENCE LEVEL: Advanced - To execute some of these commands, you may need to provision IAM roles, which can be a bit tricky. Having a solid understanding of the AWS console is also important.

TIME TO COMPLETE:  2–4 hours (depending on the number of cloud resources you configure)

ESTIMATED COST: Free with AWS Free Tier; optional costs for additional services (e.g., Lightsail instances, CloudWatch logs beyond the free tier)

Skills Needed:

  • Basic networking knowledge (VLANs, VPNs, SSH)

  • Familiarity with AWS IAM and CLI

Tools and Materials Needed:

  • AWS account

  • AWS CLI installed (aws --version)

  • SSH client (like OpenSSH or MTPuTTY). You can also use Terminal or CMD.

  • Text editor

Before You Begin:

Before starting, make sure you have an AWS account with an IAM user (not the root account) and sufficient permissions. This tutorial also assumes you have an S3 bucket for the CloudTrail logs; the bucket needs a policy that allows the CloudTrail service to write to it (the CloudTrail console attaches one when it creates the bucket for you). Also, install the AWS CLI on your local machine. 

If you want to pursue certifications, having a foundation such as CompTIA Cloud Essentials helps. However, advanced learners might benefit from exploring the CCSP certification as a long-term goal.

How to Secure Virtualized Systems in the Cloud

Cloud platforms make it easy to spin up services, but without proper security, those services are vulnerable. This tutorial will walk you through five practical steps to protect your virtualized systems in AWS. We'll cover securing communications, configuring settings, enabling logging, segmenting networks, and securing remote administration.

Step 1: Secure Communications

Every action you take in AWS, whether through the CLI or the web console, is an API call. If those calls traveled in plaintext, an attacker on the path could read your credentials and data; if they were not authenticated, anyone could issue them. Not good. 

The AWS CLI already sends every request to an https:// endpoint and verifies the server certificate by default, so this first step is a check rather than a change. Run aws s3 ls --debug and look in the output for request URLs that begin with https://, which confirms the transport is encrypted. Never pass --no-verify-ssl, and never point --endpoint-url at an http:// address; either one reintroduces the interception risk you are checking for.

Next, configure IAM credentials. In the AWS console, navigate to IAM, create a new user, attach a least-privilege policy such as AmazonS3ReadOnlyAccess, and create an access key for command-line use. Download the Access Key ID and Secret Access Key; the secret is shown only once. Treat both like a password: keep them out of source control and delete them when you finish the exercise. For day-to-day work, short-lived credentials (IAM Identity Center or an assumed role) are preferable to long-lived access keys.

Once you have those credentials, run aws configure and supply your keys, region, and default output format. To confirm everything is working, run aws s3 ls. If your buckets are listed, the CLI is reaching AWS over TLS and each request is being signed with your IAM credentials (the CLI uses Signature Version 4, so the secret key itself is never transmitted).
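As an added example (not part of the original tutorial), the following Python script performs the Step 1 check mechanically: give it the text that aws s3 ls --debug writes to stderr and it confirms that every request went to an https:// URL and carried a Signature Version 4 Authorization header, and it flags a run where --no-verify-ssl was used. Both debug excerpts are constructed to show a clean run and a weakened one; the line layout follows botocore's debug logging, but the hostnames, key IDs and timestamps are invented.

```python
"""Check AWS CLI --debug output for TLS transport and SigV4-signed requests.

Added example, not code from the original tutorial. Feed it the stderr of
`aws s3 ls --debug 2> debug.log`. Both samples below are constructed: the
line layout follows botocore's debug logging, the values are invented.
"""
import re

# Clean run: HTTPS endpoint, request signed with AWS4-HMAC-SHA256.
CLEAN_DEBUG = """\
2025-01-01 12:00:00,001 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--debug']
2025-01-01 12:00:00,100 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=ListBuckets) with params: {'url': 'https://s3.us-east-1.amazonaws.com/'}
2025-01-01 12:00:00,110 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://s3.us-east-1.amazonaws.com/, headers={'Authorization': b'AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250101/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0000', 'X-Amz-Date': b'20250101T120000Z'}>
"""

# Weakened run: plaintext custom endpoint, certificate checks off, unsigned.
WEAK_DEBUG = """\
2025-01-01 12:05:00,001 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--endpoint-url', 'http://s3.example.internal', '--no-verify-ssl', '--no-sign-request', '--debug']
2025-01-01 12:05:00,110 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=http://s3.example.internal/, headers={'User-Agent': b'aws-cli/2.15.0'}>
"""

# One "Sending http request" line per request botocore actually put on the wire.
REQUEST_RE = re.compile(
    r"Sending http request: <AWSPreparedRequest .*?url=(?P<url>\S+?), headers=\{(?P<headers>.*)\}>"
)


def extract_requests(debug_text):
    """Return [(url, headers_repr), ...] for every request the CLI sent."""
    return [(m.group("url"), m.group("headers")) for m in REQUEST_RE.finditer(debug_text)]


def audit_requests(debug_text):
    """Return a list of findings; an empty list means TLS + SigV4 throughout."""
    findings = []
    requests = extract_requests(debug_text)
    if not requests:
        findings.append("no outbound requests found in debug output")
    for url, headers in requests:
        if not url.lower().startswith("https://"):
            findings.append(f"plaintext transport: {url}")
        if "AWS4-HMAC-SHA256" not in headers:
            findings.append(f"request not signed with SigV4: {url}")
    # The CLI argument line shows whether certificate verification was disabled.
    if "--no-verify-ssl" in debug_text:
        findings.append("--no-verify-ssl passed: server certificate not verified")
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_DEBUG), ("weak", WEAK_DEBUG)):
        result = audit_requests(text)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a real capture with aws s3 ls --debug 2> debug.log and pass the file contents to audit_requests; a clean run produces no findings, while the weakened sample is caught on all three points.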

Step 2: Use Standard Configurations

While it can be tempting to build everything from scratch, cloud vendors provide hardened templates for a reason. These prebuilt configurations reduce the likelihood of overlooking important security settings. For example, in AWS Lightsail you can deploy WordPress from the Bitnami blueprint, which the vendor maintains and ships with a preset instance firewall and a generated application password instead of a well-known default. Instead of spending hours locking down a custom LAMP stack, you can launch the Lightsail WordPress instance and inherit those protections. A template is a starting point rather than a finished hardening job: you still need to apply updates and narrow the firewall, since the default Lightsail rules allow SSH (port 22) from any address.

Once your instance is running, log in and review the applied security measures, such as the preset firewall rules and hardened defaults, and restrict the SSH rule to your own IP address. This saves time and keeps your environment aligned with vendor-tested best practices.

Step 3: Enable Logging

Logs are your record of activity: who accessed which resource, when, and how. Without them, diagnosing issues or spotting malicious behavior is nearly impossible. Start with CloudTrail, which records the API calls made in your AWS account. Create a trail that covers every Region, enable log file validation so that tampering with delivered log files can be detected, and then start logging:

aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-log-bucket --is-multi-region-trail --enable-log-file-validation
aws cloudtrail start-logging --name MyTrail

The bucket must carry a policy that allows the CloudTrail service to write to it; without one, create-trail fails with InsufficientS3BucketPolicyException. Make sure your IAM user has the cloudtrail:CreateTrail and cloudtrail:StartLogging permissions as well. The trickiest part of cloud computing is always the permissions.

To expand visibility, also use CloudWatch Logs for operating-system and application logs; CloudTrail covers AWS API calls only. In the AWS Console, create a log group under CloudWatch, then stream logs into it. Lambda functions write to CloudWatch Logs automatically, while EC2 and Lightsail instances need the CloudWatch agent installed and configured to forward files such as the SSH authentication log.

Screenshot: AWS Console – CloudWatch → Log Groups page with a new log group created.

To validate that logging is working, run aws logs describe-log-groups and confirm the log group is listed. Then run aws s3 ls again and look for the resulting ListBuckets event in CloudTrail Event history (in the console, or with the lookup-events CLI subcommand). The event typically appears within a few minutes; delivery of the log file to your S3 bucket can take up to about 15 minutes.
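As an added example (not part of the original tutorial), this Python script works on a CloudTrail log file of the kind delivered to the trail's S3 bucket: a JSON object with a top-level Records list. It finds the ListBuckets call that aws s3 ls produces, which is the validation step above, and then flags three things a first triage pass should never miss: use of the root account, console logins without MFA, and AccessDenied errors like the one you get when the trail permissions are wrong. The records are constructed; account IDs, key IDs, IP addresses and event IDs are made up.

```python
"""Triage CloudTrail records: confirm an expected call and flag risky activity.

Added example, not code from the original tutorial. Input is the JSON shape of
a CloudTrail log file delivered to S3 (a top-level "Records" list). The records
below are constructed: account IDs, key IDs, IPs and event IDs are made up.
"""
import json

USER = {"type": "IAMUser", "userName": "tutorial-user",
        "accountId": "111122223333", "accessKeyId": "AKIAEXAMPLE0001"}

SAMPLE_LOG = json.dumps({"Records": [
    {   # The ListBuckets call that `aws s3 ls` produces.
        "eventTime": "2025-01-01T12:00:01Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "eventType": "AwsApiCall", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "eventID": "11111111-aaaa-4444-bbbb-000000000001", "userIdentity": USER,
    },
    {   # Root signed in to the console without MFA: two problems at once.
        "eventTime": "2025-01-01T12:10:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0",
        "eventID": "11111111-aaaa-4444-bbbb-000000000002",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # A denied CreateTrail: the permissions problem Step 3 warns about.
        "eventTime": "2025-01-01T12:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "CreateTrail", "eventType": "AwsApiCall", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "eventID": "11111111-aaaa-4444-bbbb-000000000003", "userIdentity": USER,
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: cloudtrail:CreateTrail",
    },
    {   # An IAM user console login with MFA: nothing to flag.
        "eventTime": "2025-01-01T12:30:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "Mozilla/5.0",
        "eventID": "11111111-aaaa-4444-bbbb-000000000004", "userIdentity": USER,
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
]})


def load_records(log_text):
    """Parse one CloudTrail log file (a JSON object with a "Records" list)."""
    return json.loads(log_text)["Records"]


def find_events(records, event_name, user_name=None):
    """Records matching an eventName, optionally narrowed to one IAM user name."""
    hits = []
    for rec in records:
        if rec.get("eventName") != event_name:
            continue
        if user_name and rec.get("userIdentity", {}).get("userName") != user_name:
            continue
        hits.append(rec)
    return hits


def flag_risky(records):
    """Return (eventID, reason) pairs for activity worth a second look."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        if ident.get("type") == "Root":
            findings.append((rec["eventID"], f"root account used for {rec['eventName']}"))
        if rec.get("eventName") == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((rec["eventID"], f"console login by {who} without MFA"))
        if "errorCode" in rec:
            findings.append((rec["eventID"], f"{rec['errorCode']} on {rec['eventName']} by {who}"))
    return findings


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    for rec in find_events(records, "ListBuckets", user_name="tutorial-user"):
        print("aws s3 ls recorded at", rec["eventTime"], "from", rec["sourceIPAddress"])
    for event_id, reason in flag_risky(records):
        print(event_id, reason)
```

Real log files from the trail bucket are gzip-compressed; decompress one and pass its contents to load_records. The same checks apply unchanged to the events returned by the lookup-events subcommand, since each CloudTrailEvent field there carries one record in this format.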

Step 4: Network Segmentation

A flat (non-segmented) network means that whatever reaches one resource can reach all of them: a compromised web server is one hop from your database. Segmenting your infrastructure shrinks what an attacker can reach from any single foothold. In AWS, segmentation begins with creating subnets inside a Virtual Private Cloud (VPC). For example, place public-facing web servers in a public subnet (one whose route table points at an internet gateway) and isolate databases in a private subnet that has no such route.

From there, refine access with security groups, which act as stateful firewalls attached to each instance. A common pattern is a web-server group that allows inbound traffic on ports 80 and 443 from anywhere, and a database group that accepts the database port (3306 for MySQL, 5432 for PostgreSQL) only from the web-server group. Reference the web-server group by its ID rather than by a CIDR range, so the rule follows the web servers wherever they are launched and admits nothing else in the VPC.

For administrative access, add a VPN (AWS Client VPN or a Site-to-Site VPN) so that sensitive systems are never exposed to the public internet; PrivateLink serves the related purpose of keeping your traffic to AWS service endpoints off the internet. To test your configuration, confirm that a web server can connect to the database but a direct attempt from your laptop fails. Expect a timeout rather than a refusal, because security groups silently drop traffic they do not allow.
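As an added example (not part of the original tutorial), this Python script audits the output of aws ec2 describe-security-groups --output json against the pattern just described: internet sources (0.0.0.0/0 or ::/0) may reach only ports 80 and 443, port 22 and all-protocol rules must never face the internet, and the database group may admit its port only by reference to the web-server group, never from a CIDR range. The two groups are constructed; group IDs, names, the VPC ID and CIDRs are made up, and the web group deliberately carries a leftover SSH rule while the database group carries an over-broad CIDR rule so you can see both caught.

```python
"""Audit security-group rules against the web/database segmentation pattern.

Added example, not code from the original tutorial. Input is the JSON printed
by `aws ec2 describe-security-groups --output json`; the two groups below are
constructed (IDs, names, VPC and CIDRs are made up).
"""
import json

WEB_SG, DB_SG = "sg-0aaa111web", "sg-0bbb222db"   # constructed group IDs

SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": WEB_SG, "GroupName": "web-servers", "VpcId": "vpc-0123", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # Leftover from testing: SSH open to the world instead of the bastion group.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": DB_SG, "GroupName": "database", "VpcId": "vpc-0123", "IpPermissions": [
        # Correct: MySQL only from instances that carry the web-server group.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": WEB_SG, "UserId": "111122223333"}]},
        # Too broad: a CIDR admits every host in the VPC, not just the web servers.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ]},
]})

INTERNET = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}


def rule_cidrs(perm):
    """All IPv4 and IPv6 CIDR sources on one ingress rule."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def rule_ports(perm):
    """Port range as (low, high); an all-protocol rule (-1) covers everything."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit_security_groups(describe_json, web_groups, db_groups):
    """Return human-readable findings; an empty list means the pattern is intact."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            low, high = rule_ports(perm)
            ports = set(range(low, high + 1))
            for cidr in rule_cidrs(perm):
                if cidr in INTERNET:
                    if perm.get("IpProtocol") == "-1":
                        findings.append(f"{gid}: all traffic open to {cidr}")
                    elif 22 in ports:
                        findings.append(f"{gid}: SSH (22) open to {cidr}")
                    elif not ports <= PUBLIC_OK_PORTS:
                        findings.append(f"{gid}: ports {low}-{high} open to {cidr}")
                if gid in db_groups:
                    findings.append(f"{gid}: database port {low}-{high} open to CIDR {cidr}; "
                                    "reference the web-server group instead")
            if gid in db_groups:
                for pair in perm.get("UserIdGroupPairs", []):
                    if pair["GroupId"] not in web_groups:
                        findings.append(f"{gid}: admits traffic from unexpected group {pair['GroupId']}")
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE, web_groups={WEB_SG}, db_groups={DB_SG}):
        print(finding)
```

Against a real account, save the describe-security-groups output to a file and pass its contents as describe_json, with your own web and database group IDs in the two sets. The port check treats any rule that includes port 22 as an SSH exposure, so a wide range such as 0-1024 from the internet is reported as SSH rather than as a generic range.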

Step 5: Secure Remote Administration

Finally, you need to protect the tools you use for remote administration, as these are some of the most sensitive entry points into your systems. A bastion host, sometimes called a jump box, provides a single controlled gateway for administrative access. Launch an EC2 instance in the public subnet to serve as your bastion host, allow port 22 to it only from your own IP address, and connect to it via SSH:

ssh -i my-key.pem ec2-user@<bastion-ip>

From there, hop to private servers inside your VPC. Rather than copying your private key onto the bastion, where anyone who compromises it would inherit the key, use ProxyJump from your laptop so that the bastion only relays the connection and the key never leaves your machine:

ssh -i my-key.pem -J ec2-user@<bastion-ip> ec2-user@<private-server-ip>

To strengthen this setup, disable password-based login on the bastion (PasswordAuthentication no in /etc/ssh/sshd_config) in favor of SSH keys, allow port 22 on the private servers only from the bastion's security group, and consider requiring VPN connectivity before the bastion itself is reachable. Test it by attempting to SSH to a private server directly from the internet. If your setup is correct, the connection fails, forcing all access through the bastion.
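Disabling password login is only effective if the setting actually takes effect, and sshd has two behaviors that trip people up: the first occurrence of a directive wins (a later PasswordAuthentication no does not override an earlier yes), and an absent directive falls back to the compiled-in default, which for PasswordAuthentication is yes. As an added example (not part of the original tutorial), this Python script audits an sshd_config the way sshd reads it, reports Include lines it cannot follow, and stops at the first Match block since everything after it is conditional. Both config texts are constructed; the defaults table follows the sshd_config(5) manual page.

```python
"""Audit an sshd_config for the bastion hardening described in Step 5.

Added example, not code from the original tutorial. It follows sshd's own
reading of the file: keywords are case-insensitive, the FIRST occurrence of a
keyword wins, a keyword that never appears takes sshd's compiled-in default,
and everything after the first Match line applies only conditionally.
Both configs below are constructed.
"""
import re

# Value sshd uses when the keyword is absent (sshd_config(5) defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}
# What a key-only bastion should end up with.
REQUIRED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",
    "permitemptypasswords": "no",
}
# Deprecated spelling that sshd still accepts for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value" or "Keyword=value"; keywords are word characters only.
DIRECTIVE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+?)\s*$")

# A fresh image before hardening. The second PasswordAuthentication line is
# ignored by sshd because the first one wins, so password login stays enabled.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AllowUsers ec2-user
Match Address 10.0.0.0/16
    PasswordAuthentication no
"""


def effective_settings(config_text):
    """Global settings as sshd resolves them, plus any Include paths seen."""
    settings, includes = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":          # conditional block: global parsing stops here
            break
        if key == "include":
            includes.append(value)
            continue
        key = ALIASES.get(key, key)
        settings.setdefault(key, value.lower())   # first occurrence wins
    return settings, includes


def audit_sshd_config(config_text):
    """Return findings; an empty list means every REQUIRED setting is in effect."""
    settings, includes = effective_settings(config_text)
    findings = [f"Include {path}: included files are not read here and may set "
                "these keywords first; audit them too" for path in includes]
    for key, wanted in REQUIRED.items():
        actual = settings.get(key, DEFAULTS[key])
        source = "set" if key in settings else "default"
        if actual != wanted:
            findings.append(f"{key} is {actual} ({source}); want {wanted}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "OK")
```

On the bastion itself, the authoritative check is sshd -T, which prints the fully resolved configuration including any included files and compiled-in defaults; this script is for reviewing a config file before it is deployed. Remember to restart sshd after editing the file.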

Conclusion

By following these steps, you’ve built a solid foundation for securing your cloud environment. You learned to confirm that API calls are encrypted with TLS and authenticated with IAM credentials, and to streamline Lightsail deployments using hardened templates. You also improved visibility with CloudTrail and CloudWatch, segmented networks with VPCs and security groups, and protected remote access using bastion hosts and VPNs. Together, these practices give you the tools to defend your virtualized systems with confidence.

If you’re just starting out, consider continuing your learning journey with Cloud Essentials+ training. For those looking to move into advanced cloud security roles, preparing for the CCSP certification is an excellent next step. 

To continue building practical skills, explore more of our security tutorials.


© 2025 CBT Nuggets. All rights reserved.Terms | Privacy Policy | Accessibility | Sitemap | 2850 Crescent Avenue, Eugene, OR 97408 | 541-284-5522