AWS Security

Book description

Running your systems in the cloud doesn’t automatically make them secure. Learn the tools and new management approaches you need to create secure apps and infrastructure on AWS.

In AWS Security you’ll learn how to:

  • Securely grant access to AWS resources to coworkers and customers
  • Develop policies for ensuring proper access controls
  • Lock down network controls using VPCs
  • Record audit logs and use them to identify attacks
  • Track and assess the security of an AWS account
  • Counter common attacks and vulnerabilities

Written by security engineer Dylan Shields, AWS Security provides comprehensive coverage on the key tools and concepts you can use to defend AWS-based systems. You’ll learn how to honestly assess your existing security protocols, protect against the most common attacks on cloud applications, and apply best practices to configuring identity and access management and virtual private clouds.

About the Technology
AWS provides a suite of strong security services, but it’s up to you to configure them correctly for your applications and data. Cloud platforms require you to learn new techniques for identity management, authentication, monitoring, and other key security practices. This book gives you everything you’ll need to defend your AWS-based applications from the most common threats facing your business.

About the Book
AWS Security is the guide to AWS security services you’ll want on hand when you’re facing any cloud security problem. Because it’s organized around the most important security tasks, you’ll quickly find best practices for data protection, auditing, incident response, and more. As you go, you’ll explore several insecure applications, deconstruct the exploits used to attack them, and learn how to react with confidence.

What's Inside
  • Develop policies for proper access control
  • Securely assign access to AWS resources
  • Lock down network controls using VPCs
  • Record audit logs and use them to identify attacks
  • Track and assess the security of an AWS account
About the Reader
For software and security engineers building and securing AWS applications.

About the Author
Dylan Shields is a software engineer working on Quantum Computing at Amazon. Dylan was one of the first engineers on the AWS Security Hub team.

Quotes
A comprehensive book on AWS security by someone who knows what he’s talking about.
- Peter Singhof, NTT DATA Germany

Provides the conceptual framework to understand cloud security. Dylan’s experience is evident in his clear and practical explanations.
- Amado Gramajo, NASDAQ

Learn AWS security through real-world scenarios.
- Sanjeev Jaiswal, Lifesight

There are few authors who know as much about AWS security as Dylan Shields.
- Victor Durán, Kaldi AI

Table of contents

  1. inside front cover
  2. AWS Security
  3. Copyright
  4. dedication
  5. Brief contents
  6. Contents
  7. front matter
    1. preface
    2. acknowledgments
    3. about this book
      1. Who should read this book
      2. How this book is organized: A roadmap
      3. About the code
      4. liveBook discussion forum
      5. Other online resources
    4. about the author
    5. about the cover illustration
  8. 1 Introduction to AWS security
    1. 1.1 The shared responsibility model
      1. 1.1.1 What is AWS responsible for?
      2. 1.1.2 What are you responsible for?
    2. 1.2 Cloud-native security tools
      1. 1.2.1 Identity and access management
      2. 1.2.2 Virtual private cloud
      3. 1.2.3 And many more
    3. 1.3 A new way of operating
      1. 1.3.1 Speed of infrastructure development
      2. 1.3.2 Shifting responsibilities
    4. 1.4 Conclusion
    5. Summary
  9. 2 Identity and access management
    1. 2.1 Identity and access management basics
      1. 2.1.1 Users
      2. 2.1.2 Identity policies
      3. 2.1.3 Resource policies
      4. 2.1.4 Groups
      5. 2.1.5 Roles
    2. 2.2 Using common patterns in AWS IAM
      1. 2.2.1 AWS managed policies
      2. 2.2.2 Advanced patterns
    3. 2.3 Attribute-based access control with tags
      1. 2.3.1 Tagged resources
      2. 2.3.2 Tagged principals
    4. Summary
  10. 3 Managing accounts
    1. 3.1 Securing access between multiple accounts
      1. 3.1.1 The wall between accounts
      2. 3.1.2 Cross-account IAM roles
      3. 3.1.3 Managing multiple accounts with AWS organizations
    2. 3.2 Integration with existing access management systems
      1. 3.2.1 Integrating with Active Directory and other SAML systems
      2. 3.2.2 Integrating with OpenID Connect systems
    3. Summary
  11. 4 Policies and procedures for secure access
    1. 4.1 Establishing best practices for IAM
      1. 4.1.1 Why create best practices?
      2. 4.1.2 Best practices example: MFA
      3. 4.1.3 Enforceable best practices
    2. 4.2 Applying least privilege access control
      1. 4.2.1 Why least privilege is hard
      2. 4.2.2 Policy wildcards
      3. 4.2.3 AWS managed policies
      4. 4.2.4 Shared permissions (groups and managed policies)
    3. 4.3 Choosing between short- and long-lived credentials
      1. 4.3.1 The risk of long-lived credentials
      2. 4.3.2 Trade-offs associated with credential rotation
      3. 4.3.3 A balance with IAM roles
    4. 4.4 Reviewing IAM permissions
      1. 4.4.1 Why you should review IAM resources
      2. 4.4.2 Types of reviews
      3. 4.4.3 Reducing the review burden
    5. Summary
  12. 5 Securing the network: The virtual private cloud
    1. 5.1 Working with a virtual private cloud
      1. 5.1.1 VPCs
      2. 5.1.2 Subnets
      3. 5.1.3 Network interfaces and IPs
      4. 5.1.4 Internet and NAT gateways
    2. 5.2 Traffic routing and virtual firewalls
      1. 5.2.1 Route tables
      2. 5.2.2 Security groups
      3. 5.2.3 Network ACLs
    3. 5.3 Separating private networks
      1. 5.3.1 Using multiple VPCs for network isolation
      2. 5.3.2 Connections between VPCs
      3. 5.3.3 Connecting VPCs to private networks
    4. Summary
  13. 6 Network access protection beyond the VPC
    1. 6.1 Securing access to services with VPC endpoints and PrivateLink
      1. 6.1.1 What’s wrong with public traffic?
      2. 6.1.2 Using VPC endpoints
      3. 6.1.3 Creating a PrivateLink service
    2. 6.2 Blocking malicious traffic with AWS Web Application Firewall
      1. 6.2.1 Using WAF managed rules
      2. 6.2.2 Blocking real-world attacks with custom AWS WAF rules
      3. 6.2.3 When to use AWS WAF
    3. 6.3 Protecting against distributed denial of service attacks using AWS Shield
      1. 6.3.1 Free protection with Shield Standard
      2. 6.3.2 Stepping up protection with Shield Advanced
    4. 6.4 Integrating third-party firewalls
      1. 6.4.1 Web application and next-gen firewalls
      2. 6.4.2 Setting up a firewall from AWS Marketplace
    5. Answers to exercises
    6. Summary
  14. 7 Protecting data in the cloud
    1. 7.1 Data security concerns
      1. 7.1.1 Confidentiality
      2. 7.1.2 Data integrity
      3. 7.1.3 Defense in depth
    2. 7.2 Securing data at rest
      1. 7.2.1 Encryption at rest
      2. 7.2.2 Least privilege access controls
      3. 7.2.3 Backups and versioning
    3. 7.3 Securing data in transit
      1. 7.3.1 Secure protocols for data transport
      2. 7.3.2 Enforcing secure transport
    4. 7.4 Data access logging
      1. 7.4.1 Access logging for Amazon S3
      2. 7.4.2 CloudTrail logs for resource access
      3. 7.4.3 VPC Flow Logs for network access
    5. 7.5 Data classification
      1. 7.5.1 Identifying sensitive data with Amazon Macie
    6. Answers to exercises
    7. Summary
  15. 8 Logging and audit trails
    1. 8.1 Recording management events
      1. 8.1.1 Setting up CloudTrail
      2. 8.1.2 Investigating an issue with CloudTrail logs
    2. 8.2 Tracking resource configuration changes
      1. 8.2.1 Pinpoint a change with a configuration timeline
      2. 8.2.2 Setting up AWS Config
      3. 8.2.3 Resource compliance information
    3. 8.3 Centralizing application logs
      1. 8.3.1 CloudWatch Logs basics
      2. 8.3.2 The CloudWatch agent
      3. 8.3.3 Advanced CloudWatch Logs features
      4. 8.3.4 Recording network traffic
    4. Summary
  16. 9 Continuous monitoring
    1. 9.1 Resource configuration scanning
      1. 9.1.1 Ad hoc scanning
      2. 9.1.2 Continuous monitoring
      3. 9.1.3 Compliance standards and benchmarks
    2. 9.2 Host vulnerability scanning
      1. 9.2.1 Types of host vulnerabilities
      2. 9.2.2 Host-scanning tools
    3. 9.3 Detecting threats in logs
      1. 9.3.1 Threats in VPC Flow Logs
      2. 9.3.2 Threats in CloudTrail logs
    4. Summary
  17. 10 Incident response and remediation
    1. 10.1 Tracking security events
      1. 10.1.1 Centralizing alerts
      2. 10.1.2 Status tracking
      3. 10.1.3 Data analysis
    2. 10.2 Incident response planning
      1. 10.2.1 Playbooks
    3. 10.3 Automating incident response
      1. 10.3.1 Scripting playbooks
      2. 10.3.2 Automated response
    4. Answers to exercises
    5. Summary
  18. 11 Securing a real-world application
    1. 11.1 A sample application
      1. 11.1.1 Diving into the application
      2. 11.1.2 Threat modeling
    2. 11.2 Strong authentication and access controls
      1. 11.2.1 Credential stuffing
      2. 11.2.2 Brute forcing
      3. 11.2.3 Overly permissive policies and incorrect authorization settings
      4. 11.2.4 Inadvertent admin or root access
    3. 11.3 Protecting data
      1. 11.3.1 Data classification
      2. 11.3.2 Highly sensitive data
      3. 11.3.3 Sensitive data
      4. 11.3.4 Public data
    4. 11.4 Web application firewalls
      1. 11.4.1 Cross-site scripting
      2. 11.4.2 Injection attacks
      3. 11.4.3 Scraping
    5. 11.5 Implementing authentication and authorization end to end
      1. 11.5.1 Setting up Cognito
      2. 11.5.2 Securing the API gateway endpoints
    6. Summary
  19. index

Product information

  • Title: AWS Security
  • Author(s): Dylan Shields
  • Release date: September 2022
  • Publisher(s): Manning Publications
  • ISBN: 9781617297335