book

Cloud Security Handbook - Second Edition

Name: Cloud Security Handbook - Second Edition
Author: Eyal Estrin
ISBN: 9781836200017

by Eyal Estrin

April 2025

Intermediate to advanced

482 pages

12h 30m

English

Packt Publishing

Read now

Unlock full access

Cloud Security Handbook Second Edition
Contributors
About the author
About the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesConventions usedGet in touchShare your thoughtsDownload a free PDF copy of this book
Part 1:Securing Infrastructure Cloud Services
Chapter 1: Introduction to Cloud Security
What is a cloud service?What are the cloud deployment models?What are the most common cloud service models?Why we need securityWhat is the shared responsibility model?AWS and the shared responsibility modelAzure and the shared responsibility modelGCP and the shared responsibility modelCommand-line toolsAWS CLIAzure CLIGoogle Cloud SDKSummary
Chapter 2: Securing Compute Services – Virtual Machines
Securing VMsFundamental best practices for securing VMsAmazon EC2Azure VMsGCEBest practices for authenticationAmazon EC2Azure VMsGCEBest practices for securing network access to an instanceAmazon EC2Azure VMsGCEBest practices for conducting patch managementAmazon EC2Azure VMsGCEBest practices for securing backupsAWS BackupAzure BackupGoogle Cloud Backup and DRSummary
Chapter 3: Securing Compute Services – Containers and Kubernetes
Securing containersSecuring KubernetesKubernetes terminologyGeneral best practices for KubernetesBest practices for identity and access management in KubernetesBest practices for data protection in KubernetesBest practices for auditing and security monitoring in KubernetesImplementing secure configuration in KubernetesSecuring non-Kubernetes workloadsSecuring Amazon Elastic Container Service (ECS)Securing Azure Container AppsSecuring Google Cloud RunSummary
Chapter 4: Securing Compute Services – Serverless and FaaS
Securing serverless/FaaSHigh-level recommendations for securing FaaSAWS LambdaAzure FunctionsGoogle Cloud Run functionsBest practices for IAM in FaaSAWS LambdaAzure FunctionsGoogle Cloud Run functionsBest practices for data protection in FaaSAWS LambdaAzure FunctionsGoogle Cloud Run functionsBest practices for auditing and security monitoring in FaaSAWS LambdaAzure FunctionsGoogle Cloud Run functionsBest practices for compliance in FaaSAWS LambdaSummary
Chapter 5: Securing Storage Services
Securing object storageGeneral best practices for securing object storageBest practices for IAM in object storageBest practices for data protection in object storageBest practices for auditing and security monitoring in object storageSecuring block storageGeneral best practices for securing block storageBest practices for securing Amazon Elastic Block StoreBest practices for securing Azure-managed disksBest practices for securing Google’s Persistent DiskSecuring file storageGeneral best practices for securing file storageBest practices for IAM in file storageBest practices for data protection in file storageBest practices for auditing and security monitoring in file storageSecuring the Container Storage InterfaceGeneral best practices for securing a CSI driverSecuring Amazon EKS and the CSI driverSecuring AKS and the CSI driverSecuring GKE and the CSI driverSummary

Chapter 6: Securing Networking Services – Part 1
Securing virtual networkingAmazon Virtual Private CloudAzure VNetGoogle Cloud VPCGeneral best practices for securing virtual networksBest practices for monitoring virtual networksSecuring DNS servicesSecuring Amazon Route 53Securing Azure DNSSecuring Google Cloud DNSSecuring VPN servicesSecuring AWS Site-to-Site VPNSecuring AWS Client VPNSecuring Azure VPN Gateway (Site-to-Site)Securing Azure VPN Point-to-SiteSecuring Google Cloud VPNSecuring Zero Trust servicesSecuring AWS Verified AccessSecuring Global Secure AccessSecuring BeyondCorpSummary
Chapter 7: Securing Networking Services – Part 2
Using DDoS protection servicesSidenote about DDoS and auto-scaling groupsUsing AWS ShieldUsing Azure DDoS ProtectionUsing Google Cloud Armor (for DDoS protection)Using WAF servicesUsing AWS WAFUsing Azure Application Gateway WAF v2Using Azure Front DoorUsing Google Cloud Armor (as a managed WAF)Summary
Chapter 8: Securing Generative AI Services
Introduction to GenAIFoundation modelsLarge language modelsPromptResponseExample of a GenAI workflowIntroduction to managed GenAI servicesConsiderations for using data to train managed GenAI servicesRisks related to the use of GenAIHigh-level best practices for securing GenAI applicationsAmazon BedrockAzure OpenAIGoogle Vertex AIBest practices for IAM in GenAI servicesAmazon BedrockAzure OpenAIGoogle Vertex AIBest practices for data protection in GenAI servicesAmazon BedrockAzure OpenAIGoogle Vertex AIBest practices for auditing and security monitoring in GenAI servicesAmazon BedrockAzure OpenAIGoogle Vertex AISummary
Part 2: Deep Dive into IAM, Auditing, and Encryption
Chapter 9: Effective Strategies for Implementing IAM Solutions
Introduction to IAMFailing to manage identitiesIdentities in cloud environmentsAuthentication processAuthorization processSecuring cloud-based IAM servicesSecuring AWS IAMSecuring Microsoft Entra IDSecuring IAM in GCPSecuring directory servicesSecuring AWS Directory ServiceSecuring Microsoft Entra Domain ServicesSecuring Google Managed Service for Microsoft Active DirectorySummary
Chapter 10: Auditing and Threat Management in Cloud Environments
Maintaining audit trailsGeneral best practices for audit trails in cloud environmentsAWS CloudTrailAzure MonitorGoogle Cloud Audit LogsControlling access to CSP support engineersAWS SupportCustomer Lockbox (in Azure)Google Access Transparency and Access ApprovalConducting threat detection and responseAmazon GuardDutyMicrosoft Defender for CloudGoogle Security Command CenterManaging cloud-native SIEMMicrosoft SentinelGoogle Security OperationsSummary
Chapter 11: Applying Encryption in Cloud Services
Introduction to encryptionSymmetric encryptionAsymmetric encryptionBest practices for using encryption in transitInternet Protocol security (IPSec)Transport Layer Security (TLS)Encryption at restEncryption/decryption processBest practices for deploying KMSsGeneral best practices for securing KMSsAWS KMSAzure Key Vault (as a key management service)Google Cloud KMSBest practices for deploying secrets management servicesAWS Secrets ManagerAzure Key Vault (as a secrets management service)Google Secret ManagerEncryption in useAWS Nitro EnclavesAzure confidential computingGoogle Confidential ComputingSummary
Part 3: Threat and Vendor Management
Chapter 12: Understanding Common Security Threats to Cloud Services
Data breaches in cloud servicesCommon consequences of data breachesExample of a real event – DrizlyBest practices for detecting and mitigating data breaches in cloud environmentsMisconfigurations in cloud servicesCommon consequences of misconfigurationExample of a real event – CommuteAirBest practices for detecting and mitigating misconfigurations in cloud environmentsInsufficient IAM, secrets, and key managementCommon consequences of insufficient IAM and key managementExample of a real event – Football AustraliaBest practices for detecting and mitigating insufficient IAM, secrets, and key management in cloud environmentsAccount hijacking in cloud servicesCommon consequences of account hijackingExample of a real event – Retool MFABest practices for detecting and mitigating account hijacking in cloud environmentsInsider threats in cloud servicesCommon consequences of insider threatsExample of a real event – First Republic BankBest practices for detecting and mitigating insider attacks in cloud environmentsInsecure APIs in cloud servicesCommon consequences of insecure APIsExample of a real event – TrelloBest practices for detecting and mitigating insecure APIs in cloud environmentsThe abuse of cloud servicesCommon consequences of abuse of cloud servicesExample of a real event – UNC2903Best practices for detecting and mitigating abuse of cloud servicesThe MITRE ATT&CK frameworkSummary
Chapter 13: Engaging with Cloud Providers
Choosing a cloud providerWhat is the most suitable cloud service model for our needs?Data privacy and data sovereigntyAuditing and monitoringMigration capabilitiesAuthenticationWhat is a cloud provider questionnaire?What are SOC reports?Tips for contracts with cloud providersConducting penetration testing in cloud environmentsSummary
Part 4: Advanced Use of Cloud Services
Chapter 14: Managing Hybrid Clouds
Hybrid cloud strategyCloud burstingBackup and disaster recoveryArchive and data retentionDistributed data processingApplication modernizationIdentity management over hybrid cloud environmentsBest practices for identity in a hybrid environmentManaging identity over hybrid AWS environmentsManaging identity over hybrid Azure environmentsManaging identity over GCP hybrid environmentsNetwork architecture for hybrid cloud environmentsConnecting the on-premises environment to AWSConnecting the on-premises environment to AzureConnecting the on-premises environment to GCPStorage services for hybrid cloud environmentsConnecting to storage services over AWS hybrid environmentsConnecting to storage services over Azure hybrid environmentsConnecting to storage services over GCP hybrid environmentsComputing services for hybrid cloud environmentsUsing computing services over AWS hybrid environmentsUsing computing services over Azure hybrid environmentsUsing computing services over GCP hybrid environmentsSecuring hybrid cloud environmentsSecuring AWS hybrid environmentsSecuring Azure hybrid environmentsSecuring GCP hybrid environmentsSummary
Chapter 15: Managing Multi-Cloud Environments
Multi-cloud strategyFreedom to select a cloud providerFreedom to select your servicesData sovereigntyBC and DRImproving reliabilityIdentity managementData securityAsset managementSkills gapIAM over multi-cloud environmentsManaging identity in AWS over multi-cloud environmentsManaging identity in Azure over multi-cloud environmentsManaging identity in GCP over multi-cloud environmentsNetwork architecture for multi-cloud environmentsCreating network connectivity between AWS and GCPCreating network connectivity between AWS and AzureHow to create network connectivity between Azure and GCPData security in multi-cloud environmentsData classification and governmentEncryption in transitEncryption at restEncryption in useCost management in multi-cloud environmentsCSPMCIEMPatch and configuration management in multi-cloud environmentsThe monitoring and auditing of multi-cloud environmentsSummary
Chapter 16: Implementing DevSecOps
Introduction to DevSecOpsDevOps and CI/CDThe goals of DevSecOpsDevSecOps best practices – peopleAdopting a security-by-design approachShared responsibilityCultural shiftEmpowering development and operations teamsDevSecOps best practices – processesImplementing security as part of the planning phaseImplementing security as part of the coding phaseImplementing security as part of the build phaseImplementing security as part of the test phaseImplementing security as part of the release phaseImplementing security as part of the deployment phaseImplementing security as part of the maintenance phaseDevSecOps best practices – technologyAmazon Q DeveloperGitHub CopilotAmazon InspectorMicrosoft Defender for CloudGoogle Artifact AnalysisOpen source toolsSummary
Chapter 17: Security in Large-Scale Environments
Managing governance and policies at a large scaleGovernance in AWSGovernance in AzureGovernance in Google CloudAutomation using IaC and PaCIaCPaCCommon best practices for IaC and PaC in AWS, Google, and AzureAWS CloudFormationAzure Resource Manager (ARM) templatesGoogle Cloud Deployment ManagerHashiCorp TerraformHashiCorp Sentinel policiesSummaryWhat is next?Plan aheadAutomateThink bigContinue learning
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare your thoughtsDownload a free PDF copy of this book

Content preview from Cloud Security Handbook - Second Edition

3 Securing Compute Services – Containers and Kubernetes

In the previous chapter, we learned about security in VMs.

This chapter will cover containers and Kubernetes-managed services and provide you with best practices on how to securely deploy and manage each of them.

In this chapter, we will cover the following topics:

Best practices for securing Kubernetes workloads (identity and access management, network access, auditing and security monitoring, and compliance)
Best practices for securing non-Kubernetes workloads (identity and access management, network access, and auditing and monitoring)

Securing containers

Containers share some of the same characteristics as VMs but with a much smaller footprint. Instead of having to deploy an application ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781836200017

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cloud Security Handbook - Second Edition

by Eyal Estrin

3

Securing Compute Services – Containers and Kubernetes

Securing containers

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.