Running your systems in the cloud doesn’t automatically make them secure. Learn the tools and new management approaches you need to create secure apps and infrastructure on AWS.
In AWS Security you’ll learn how to:
• Securely grant access to AWS resources to coworkers and customers
• Develop policies for ensuring proper access controls
• Lock-down network controls using VPCs
• Record audit logs and use them to identify attacks
• Track and assess the security of an AWS account
• Counter common attacks and vulnerabilities
Written by security engineer Dylan Shields, AWS Security provides comprehensive coverage on the key tools and concepts you can use to defend AWS-based systems. You’ll learn how to honestly assess your existing security protocols, protect against the most common attacks on cloud applications, and apply best practices to configuring identity and access management and virtual private clouds.
About the technology
AWS provides a suite of strong security services, but it’s up to you to configure them correctly for your applications and data. Cloud platforms require you to learn new techniques for identity management, authentication, monitoring, and other key security practices. This book gives you everything you’ll need to defend your AWS-based applications from the most common threats facing your business.
About the book
AWS Security is the guide to AWS security services you’ll want on hand when you’re facing any cloud security problem. Because it’s organized around the most important security tasks, you’ll quickly find best practices for data protection, auditing, incident response, and more. As you go, you’ll explore several insecure applications, deconstruct the exploits used to attack them, and learn how to react with confidence.
What's inside
• Develop policies for proper access control
• Securely assign access to AWS resources
• Lock-down network controls using VPCs
• Record audit logs and use them to identify attacks
• Track and assess the security of an AWS account
About the reader
For software and security engineers building and securing AWS applications.
About the author
Dylan Shields is a software engineer working on Quantum Computing at Amazon. Dylan was one of the first engineers on the AWS Security Hub team.
Author(s): Dylan Shields
Edition: 1
Publisher: Manning Publications
Year: 2022
Language: English
Commentary: Vector PDF
Pages: 312
City: Shelter Island, NY
Tags: Amazon Web Services; Cloud Computing; Security; Log Data Analysis; Monitoring; Logging; Best Practices; Network Security; Incident Response; Access Management; Identity Management; Security Policies; Cloud-Native Applications; Data Security; Virtual Private Cloud
AWS Security
brief content
contents
preface
acknowledgments
about this book
Who should read this book
How this book is organized: A roadmap
About the code
liveBook discussion forum
Other online resources
about the author
about the cover illustration
Chapter 1: Introduction to AWS security
1.1 The shared responsibility model
1.1.1 What is AWS responsible for?
1.1.2 What are you responsible for?
1.2 Cloud-native security tools
1.2.1 Identity and access management
1.2.2 Virtual private cloud
1.2.3 And many more
1.3 A new way of operating
1.3.1 Speed of infrastructure development
1.3.2 Shifting responsibilities
1.4 Conclusion
Chapter 2: Identity and access management
2.1 Identity and access management basics
2.1.1 Users
2.1.2 Identity policies
2.1.3 Resource policies
2.1.4 Groups
2.1.5 Roles
2.2 Using common patterns in AWS IAM
2.2.1 AWS managed policies
2.2.2 Advanced patterns
2.3 Attribute-based access control with tags
2.3.1 Tagged resources
2.3.2 Tagged principals
Chapter 3: Managing accounts
3.1 Securing access between multiple accounts
3.1.1 The wall between accounts
3.1.2 Cross-account IAM roles
3.1.3 Managing multiple accounts with AWS organizations
3.2 Integration with existing access management systems
3.2.1 Integrating with Active Directory and other SAML systems
3.2.2 Integrating with OpenID Connect systems
Chapter 4: Policies and procedures for secure access
4.1 Establishing best practices for IAM
4.1.1 Why create best practices?
4.1.2 Best practices example: MFA
4.1.3 Enforceable best practices
4.2 Applying least privilege access control
4.2.1 Why least privilege is hard
4.2.2 Policy wildcards
4.2.3 AWS managed policies
4.2.4 Shared permissions (groups and managed policies)
4.3 Choosing between short- and long-lived credentials
4.3.1 The risk of long-lived credentials
4.3.2 Trade-offs associated with credential rotation
4.3.3 A balance with IAM roles
4.4 Reviewing IAM permissions
4.4.1 Why you should review IAM resources
4.4.2 Types of reviews
4.4.3 Reducing the review burden
Chapter 5: Securing the network: The virtual private cloud
5.1 Working with a virtual private cloud
5.1.1 VPCs
5.1.2 Subnets
5.1.3 Network interfaces and IPs
5.1.4 Internet and NAT gateways
5.2 Traffic routing and virtual firewalls
5.2.1 Route tables
5.2.2 Security groups
5.2.3 Network ACLs
5.3 Separating private networks
5.3.1 Using multiple VPCs for network isolation
5.3.2 Connections between VPCs
5.3.3 Connecting VPCs to private networks
Chapter 6: Network access protection beyond the VPC
6.1 Securing access to services with VPC endpoints and PrivateLink
6.1.1 What’s wrong with public traffic?
6.1.2 Using VPC endpoints
6.1.3 Creating a PrivateLink service
6.2 Blocking malicious traffic with AWS Web Application Firewall
6.2.1 Using WAF managed rules
6.2.2 Blocking real-world attacks with custom AWS WAF rules
6.2.3 When to use AWS WAF
6.3 Protecting against distributed denial of service attacks using AWS Shield
6.3.1 Free protection with Shield Standard
6.3.2 Stepping up protection with Shield Advanced
6.4 Integrating third-party firewalls
6.4.1 Web application and next-gen firewalls
6.4.2 Setting up a firewall from AWS Marketplace
Chapter 7: Protecting data in the cloud
7.1 Data security concerns
7.1.1 Confidentiality
7.1.2 Data integrity
7.1.3 Defense in depth
7.2 Securing data at rest
7.2.1 Encryption at rest
7.2.2 Least privilege access controls
7.2.3 Backups and versioning
7.3 Securing data in transit
7.3.1 Secure protocols for data transport
7.3.2 Enforcing secure transport
7.4 Data access logging
7.4.1 Access logging for Amazon S3
7.4.2 CloudTrail logs for resource access
7.4.3 VPC Flow Logs for network access
7.5 Data classification
7.5.1 Identifying sensitive data with Amazon Macie
Chapter 8: Logging and audit trails
8.1 Recording management events
8.1.1 Setting up CloudTrail
8.1.2 Investigating an issue with CloudTrail logs
8.2 Tracking resource configuration changes
8.2.1 Pinpoint a change with a configuration timeline
8.2.2 Setting up AWS Config
8.2.3 Resource compliance information
8.3 Centralizing application logs
8.3.1 CloudWatch Logs basics
8.3.2 The CloudWatch agent
8.3.3 Advanced CloudWatch Logs features
8.3.4 Recording network traffic
Chapter 9: Continuous monitoring
9.1 Resource configuration scanning
9.1.1 Ad hoc scanning
9.1.2 Continuous monitoring
9.1.3 Compliance standards and benchmarks
9.2 Host vulnerability scanning
9.2.1 Types of host vulnerabilities
9.2.2 Host-scanning tools
9.3 Detecting threats in logs
9.3.1 Threats in VPC Flow Logs
9.3.2 Threats in CloudTrail logs
Chapter 10: Incident response and remediation
10.1 Tracking security events
10.1.1 Centralizing alerts
10.1.2 Status tracking
10.1.3 Data analysis
10.2 Incident response planning
10.2.1 Playbooks
10.3 Automating incident response
10.3.1 Scripting playbooks
10.3.2 Automated response
Chapter 11: Securing a real-world application
11.1 A sample application
11.1.1 Diving into the application
11.1.2 Threat modeling
11.2 Strong authentication and access controls
11.2.1 Credential stuffing
11.2.2 Brute forcing
11.2.3 Overly permissive policies and incorrect authorization settings
11.2.4 Inadvertent admin or root access
11.3 Protecting data
11.3.1 Data classification
11.3.2 Highly sensitive data
11.3.3 Sensitive data
11.3.4 Public data
11.4 Web application firewalls
11.4.1 Cross-site scripting
11.4.2 Injection attacks
11.4.3 Scraping
11.5 Implementing authentication and authorization end to end
11.5.1 Setting up Cognito
11.5.2 Securing the API gateway endpoints
index
A
B
C
D
E
F
G
H
I
K
L
M
N
O
P
R
S
T
U
V
W
