Security and Microservice Architecture on AWS: Architecting and Implementing a Secured, Scalable Solution


Security is usually an afterthought when organizations design microservices for cloud systems. Most companies today are exposed to potential security threats, but their responses are often more reactive than proactive. This leads to unnecessarily complicated systems that are hard to implement and even harder to manage and scale. Author Gaurav Raje shows you how to build highly secure systems on AWS without increasing overhead. Ideal for cloud solution architects and software developers with AWS experience, this practical book starts with a high-level architecture and design discussion, then explains how to implement your solution in the cloud while ensuring that the development and operational experience isn't compromised.

By leveraging the AWS Shared Responsibility Model, you'll be able to:

• Develop a modular architecture using microservices that aims to simplify compliance with various regulations in finance, medicine, and legal services
• Introduce various AWS-based security controls to help protect your microservices from malicious actors
• Leverage the modularity of the architecture to independently scale security mechanisms on individual microservices
• Improve the security posture without compromising the autonomy or efficiency of software development teams

Author(s): Gaurav Raje
Edition: 1
Publisher: O'Reilly Media
Year: 2021

Language: English
Commentary: Vector PDF
Pages: 396
City: Sebastopol, CA
Tags: Amazon Web Services; Cloud Computing; Security; Monitoring; Microservices; Network Security; Encryption; API Design; Incident Response; Containerization; AWS Lambda; AWS Simple Storage Service; Firewalls; TLS; AWS Key Management Service; Virtual Private Cloud

Copyright
Table of Contents
Preface
Goals of This Book
Who Should Use This Book
Conventions Used in This Book
Using Code Examples
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Introduction to Cloud Microservices
Basics of Cloud Information Security
Risk and Security Controls
Organizational Security Policy
Security Incidents and the CIA Triad
AWS Shared Responsibility Model
Cloud Architecture and Security
Security Through Modularity
Security Through Simplicity
Security Through Fully Managed AWS Services
Blast Radius, Isolation, and the Locked Rooms Analogy
Defense-in-Depth and Security
Security Through Perimeter Protection
Security Through Zero Trust Architecture
A Brief Introduction to Software Architecture
Tier-Based Architecture
Domain-Driven Design
Microservices
Implementation of Microservices on AWS
Container-Based Microservice Architecture
A Very Brief Introduction to Kubernetes
Function as a Service: FaaS Using AWS Lambda
Overview of Cloud Microservice Implementation
Amazon EKS
Amazon EKS Fargate Mode
Function as a Service Using AWS Lambda
Microservice Implementation Summary
Examples of Microservice Communication Patterns
Example 1: Simple Message Passing Between Contexts
Example 2: Message Queues
Example 3: Event-Based Microservices
Summary
Chapter 2. Authorization and Authentication Basics
Basics of AWS Identity and Access Management
Principals on AWS
IAM Policies
Principle of Least Privilege
PoLP and Blast Radius
Structure of AWS IAM Policies
Principal-Based Policies
Resource-Based Policies
The Zone of Trust
Evaluation of Policies
Advanced Concepts in AWS IAM Policies
IAM Policy Conditions
AWS Tags and Attribute-Based Access Control
“Not” Policy Elements: NotPrincipal and NotResource
Wrapping Up IAM Policies
Role-Based Access Control
RBAC Modeling
Securing Roles
Assuming Roles
Assume Roles Using the AWS Command-Line Interface (CLI)
Switching Roles Using AWS Management Console
Service-Linked Role
Authentication and Identity Management
Basics of Authentication
Identity Federation on AWS
Identity Federation Using SAML 2.0 and OpenID Connect
RBAC and Microservices
Execution Roles
RBAC with AWS Lambda
RBAC with EC2 and the Instance Metadata Service
RBAC with Amazon EKS Using IAM Roles for Service Accounts
Summary
Chapter 3. Foundations of Encryption
Brief Overview of Encryption
Why Is Encryption Important on AWS?
Why Is Encryption Important for Microservice Architectures?
Encryption on AWS
Security Challenges with Key-Based Encryption
Business Problem
AWS Key Management Service
Basic Encryption Using CMK
Envelope Encryption
Envelope Encryption in Action
Security and AWS KMS
KMS Contexts and Additional Authenticated Data
Key Policies
Grants and ViaService
CMK and Its Components and Supported Actions
Regions and KMS
Cost, Complexity, and Regulatory Considerations
Asymmetric Encryption and KMS
Encryption and Decryption
Digital Signing (Sign and Verify)
Domain-Driven Design and AWS KMS
Contextual Boundaries and Encryption
Accounts and Sharing CMK
KMS and Network Considerations
KMS Grants Revisited
KMS Accounts and Topologies: Tying It All Together
Option 1: Including the CMK Within Bounded Contexts
Option 2: Using a Purpose-Built Account to Hold the CMK
AWS Secrets Manager
How Secrets Manager Works
Secret Protection in AWS Secrets Manager
Summary
Chapter 4. Security at Rest
Data Classification Basics
Recap of Envelope Encryption Using KMS
AWS Simple Storage Service
Encryption on AWS S3
Access Control on Amazon S3 Through S3 Bucket Policies
Amazon GuardDuty
Nonrepudiation Using Glacier Vault Lock
Security at Rest for Compute Services
Static Code Analysis Using AWS CodeGuru
AWS Elastic Container Registry
AWS Lambda
AWS Elastic Block Store
Tying It All Together
Microservice Database Systems
AWS DynamoDB
Amazon Aurora Relational Data Service
Media Sanitization and Data Deletion
Summary
Chapter 5. Networking Security
Networking on AWS
Controls
Understanding the Monolith and Microservice Models
Segmentation and Microservices
Software-Defined Network Partitions
Subnetting
Routing in a Subnet
Gateways and Subnets
Public Subnet
Private Subnet
Subnets and Availability Zones
Internet Access for Subnets
Virtual Private Cloud
Routing in a VPC
Microsegmentation at the Network Layer
Cross-VPC Communication
VPC Peering
AWS Transit Gateway
VPC Endpoints
Wrap-Up of Cross-VPC Communication
Firewall Equivalents on the Cloud
Security Groups
Security Group Referencing (Chaining) and Designs
Properties of Security Groups
Network Access Control Lists
Security Groups Versus NACLs
Containers and Network Security
Block Instance Metadata Service
Try to Run Pods in a Private Subnet
Block Internet Access for Pods Unless Necessary
Use Encrypted Networking Between Pods
Lambdas and Network Security
Summary
Chapter 6. Public-Facing Services
API-First Design and API Gateway
AWS API Gateway
Types of AWS API Gateway Endpoints
Securing the API Gateway
API Gateway Integration
Access Control on API Gateway
Infrastructure Security on API Gateway
Cost Considerations While Using AWS API Gateway
Bastion Host
Solution
Static Asset Distribution (Content Distribution Network)
AWS CloudFront
Signed URLs or Cookies
AWS Lambda@Edge
Protecting Against Common Attacks on Edge Networks
AWS Web Application Firewall
AWS Shield and AWS Shield Advanced
Microservices and AWS Shield Advanced
Cost Considerations for Edge Protection
Summary
Chapter 7. Security in Transit
Basics of Transport Layer Security
Digital Signing
Certificates, Certificate Authority, and Identity Verification
Encryption Using TLS
TLS Termination and Trade-offs with Microservices
TLS Offloading and Termination
Cost and Complexity Considerations with Encryption in Transit
Application of TLS in Microservices
Security in Transit While Using Message Queues (AWS SQS)
gRPC and Application Load Balancer
Mutual TLS
A (Very Brief) Introduction to Service Meshes: A Security Perspective
Proxies and Sidecars
App Mesh Components and Terminology
TLS and App Mesh
mTLS Revisited
AWS App Mesh: Wrap-Up
Serverless Microservices and Encryption in Transit
AWS API Gateway and AWS Lambda
Caching, API Gateway, and Encryption in Transit
Field-Level Encryption
Summary
Chapter 8. Security Design for Organizational Complexity
Organizational Structure and Microservices
Conway’s Law
Single Team Oriented Service Architecture
Role-Based Access Control
Privilege Elevation
Permission Boundaries
Permission Boundaries to Delegate Responsibilities
AWS Accounts Structure for Large Organizations
AWS Accounts and Teams
AWS Organizations
Organizational Units and Service Control Policies
Purpose-Built Accounts
AWS Tools for Organizations
AWS Organizations Best Practices
AWS Resource Access Manager
Shared Services Using AWS RAM
AWS Single Sign-On
Enforcing Multifactor Authentication in Accounts
Simplifying a Complex Domain-Driven Organization Using RBAC, SSO, and AWS Organizations
Summary
Chapter 9. Monitoring and Incident Response
NIST Incident Response Framework
Step 1: Design and Preparation
Step 2: Detection and Analysis
Step 3: Containment and Isolation
Step 4: Forensic Analysis
Step 5: Eradication
Step 6: Postincident Activities
Securing the Security Infrastructure
Securing a CloudTrail
Purpose-Built Accounts
Summary
Appendix A. Terraform Cloud in Five Minutes
Setup
Creating Your Workspace
Adding AWS Access and Secret Key
Terraform Process
Providers
State
Plans
Apply
Writing Your Terraform Infrastructure as Code
Root Module and Folder Structure
Input Variables
Resources
Running and Applying Your Plan
Appendix B. Example of a SAML Identity Provider for AWS
A Hands-On Example of a Federated Identity Setup
Step 1: Configure Your IdP
Step 2: Export Metadata to Be Imported into AWS Account
Step 3: Add Your SAML IdP as a Trusted IdP
Step 4: Create a Role That Your Federated Users Can Assume to Interact with Your AWS Account
Step 5: Control Access to Multiple Roles Using Custom Attributes Within the IdP
Summary
Appendix C. Hands-On Encryption with AWS KMS
Basic Encryption Using the CMK
Basic Decryption Using the CMK
Envelope Encryption Using the CMK
Decrypting an Envelope Encrypted Message
Appendix D. A Hands-On Example of Applying the Principle of Least Privilege
Step 1: Create an AWS IAM Policy for Your Task
Step 2: Define the Service, Actions, and Effect Parameters of an IAM Policy
Step 3: Define the Resource
Step 4: Request Conditions
Step 5: Confirm the Resulting Policy
Step 6: Save the Policy
Step 7: Attach the Policy to a Principal
Summary
Index
About the Author
Colophon