
Mastering AWS Security

Book Description

An in-depth, informative guide to implementing and using AWS security services effectively.

About This Book

  • Learn to secure your network, infrastructure, data and applications in the AWS cloud
  • Log, monitor and audit your AWS resources for continuous security and continuous compliance in the AWS cloud
  • Use AWS managed security services to automate security, so you can focus on growing your business rather than being diverted by security risks and issues
  • Delve deep into various aspects such as the security model, compliance, access management and much more to build and maintain a secure environment

Who This Book Is For

This book is for IT professionals, system administrators, security analysts, solution architects and Chief Information Security Officers who are responsible for securing workloads in AWS for their organizations. It is helpful for solutions architects who want to design and implement secure architectures on AWS by following the security by design principle. It is also helpful for personnel in auditor and project management roles, to understand how they can audit AWS workloads and how they can manage security in AWS respectively.

If you are learning AWS or championing AWS adoption in your organization, you should read this book to build security into all your workloads. You will benefit from knowing the security footprint of all major AWS services across multiple domains, use cases, and scenarios.

What You Will Learn

  • Learn about AWS Identity and Access Management (IAM) and access control
  • Gain the knowledge to create and secure your private network in AWS
  • Understand and secure your infrastructure in AWS
  • Understand monitoring, logging and auditing in AWS
  • Ensure data security in AWS
  • Learn to secure your applications in AWS
  • Explore AWS security best practices

In Detail

Mastering AWS Security starts with a deep dive into the fundamentals of the shared security responsibility model. It shows you how to enable continuous security, continuous auditing, and continuous compliance by automating your security in AWS with the tools, services, and features that AWS provides.

Moving on, you will learn about access control in AWS for all resources. You will also learn about the security of your network, servers, data and applications in the AWS cloud using native AWS security services.

By the end of this book, you will understand the complete AWS security landscape, covering all aspects of end-to-end software and hardware security along with logging, auditing, and compliance of your entire IT environment in the AWS cloud.

Lastly, the book wraps up with AWS best practices for security.

Style and approach

The book takes a practical approach, delving into different aspects of AWS security to help you master it. It focuses on using native AWS security features and managed AWS services to help you achieve continuous security and continuous compliance.

Downloading the example code for this book: you can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code files.

Table of Contents

  1. Preface
    1. What this book covers
    2. What you need for this book
    3. Who this book is for
    4. Conventions
    5. Readers feedback
    6. Customer support
      1. Downloading the color images of this book
      2. Errata
      3. Piracy
      4. Questions
  2. Overview of Security in AWS
    1. Chapter overview
    2. AWS shared security responsibility model
      1. Shared responsibility model for infrastructure services
      2. Shared responsibility model for container services
      3. Shared responsibility model for abstracted services
    3. AWS Security responsibilities
      1. Physical and environmental security
      2. Storage device decommissioning
      3. Business continuity management
      4. Communication
      5. Network security
        1. Secure network architecture
        2. Secure access points
        3. Transmission protection
      6. Network monitoring and protection
      7. AWS access
      8. Credentials policy
    4. Customer security responsibilities
    5. AWS account security features
      1. AWS account
      2. AWS credentials
      3. Individual user accounts
      4. Secure HTTPS access points
      5. Security logs
      6. AWS Trusted Advisor security checks
      7. AWS Config security checks
    6. AWS Security services
      1. AWS Identity and Access Management
      2. AWS Virtual Private Cloud
      3. AWS Key Management System (KMS)
      4. AWS Shield
      5. AWS Web Application Firewall (WAF)
      6. AWS CloudTrail
      7. AWS CloudWatch
      8. AWS Config
      9. AWS Artifact
      10. Penetration testing
    7. AWS Security resources
      1. AWS documentation
      2. AWS whitepapers
      3. AWS case studies
      4. AWS YouTube channel
      5. AWS blogs
      6. AWS Partner Network
      7. AWS Marketplace
    8. Summary
  3. AWS Identity and Access Management
    1. Chapter overview
    2. IAM features and tools
      1. Security
      2. AWS account shared access
      3. Granular permissions
      4. Identity Federation
      5. Temporary credentials
        1. AWS Management Console
        2. AWS command line tools
        3. AWS SDKs
        4. IAM HTTPS API
    3. IAM Authentication
      1. IAM user
      2. IAM groups
      3. IAM roles
        1. AWS service role
        2. AWS SAML role
        3. Role for cross-account access
        4. Role for Web Identity Provider
      4. Identity Provider and Federation
      5. Delegation
      6. Temporary security credentials
      7. AWS Security Token Service
      8. The account root user
    4. IAM Authorization
      1. Permissions
      2. Policy
        1. Statement
        2. Effect
        3. Principal
        4. Action
        5. Resource
        6. Condition
      3. Creating a new policy
      4. IAM Policy Simulator
      5. IAM Policy Validator
      6. Access Advisor
    5. Passwords Policy
    6. AWS credentials
    7. IAM limitations
    8. IAM best practices
    9. Summary
  4. AWS Virtual Private Cloud
    1. Chapter overview
    2. VPC components
      1. Subnets
      2. Elastic Network Interfaces (ENI)
      3. Route tables
      4. Internet Gateway
      5. Elastic IP addresses
      6. VPC endpoints
      7. Network Address Translation (NAT)
      8. VPC peering
    3. VPC features and benefits
      1. Multiple connectivity options
      2. Secure
      3. Simple
    4. VPC use cases
      1. Hosting a public facing website
      2. Hosting multi-tier web application
      3. Creating branch office and business unit networks
      4. Hosting web applications in the AWS Cloud that are connected with your data center
      5. Extending corporate network in AWS Cloud
      6. Disaster recovery
    5. VPC security
      1. Security groups
      2. Network access control list
      3. VPC flow logs
      4. VPC access control
    6. Creating VPC
      1. VPC connectivity options
        1. Connecting user network to AWS VPC
        2. Connecting AWS VPC with other AWS VPC
        3. Connecting internal user with AWS VPC
    7. VPC limits
    8. VPC best practices
      1. Plan your VPC before you create it
      2. Choose the highest CIDR block
      3. Unique IP address range
      4. Leave the default VPC alone
      5. Design for region expansion
      6. Tier your subnets
      7. Follow the least privilege principle
      8. Keep most resources in the private subnet
      9. Creating VPCs for different use cases
      10. Favor security groups over NACLs
      11. IAM your VPC
      12. Using VPC peering
      13. Using Elastic IP instead of public IP
      14. Tagging in VPC
      15. Monitoring a VPC
    9. Summary
  5. Data Security in AWS
    1. Chapter overview
    2. Encryption and decryption fundamentals
      1. Envelope encryption
    3. Securing data at rest
      1. Amazon S3
        1. Permissions
        2. Versioning
        3. Replication
        4. Server-Side encryption
        5. Client-Side encryption
      2. Amazon EBS
        1. Replication
        2. Backup
        3. Encryption
      3. Amazon RDS
      4. Amazon Glacier
      5. Amazon DynamoDB
      6. Amazon EMR
    4. Securing data in transit
      1. Amazon S3
      2. Amazon RDS
      3. Amazon DynamoDB
      4. Amazon EMR
    5. AWS KMS
      1. KMS benefits
        1. Fully managed
        2. Centralized Key Management
        3. Integration with AWS services
        4. Secure and compliant
      2. KMS components
        1. Customer master key (CMK)
        2. Data keys
        3. Key policies
        4. Auditing CMK usage
        5. Key Management Infrastructure (KMI)
    6. AWS CloudHSM
      1. CloudHSM features
        1. Generate and use encryption keys using HSMs
        2. Pay as you go model
        3. Easy To manage
      2. AWS CloudHSM use cases
        1. Offload SSL/TLS processing for web servers
        2. Protect private keys for an issuing certificate authority
        3. Enable transparent data encryption for Oracle databases
    7. Amazon Macie
      1. Data discovery and classification
      2. Data security
    8. Summary
  6. Securing Servers in AWS
    1. EC2 Security best practices
    2. EC2 Security
      1. IAM roles for EC2 instances
      2. Managing OS-level access to Amazon EC2 instances
      3. Protecting your instance from malware
      4. Secure your infrastructure
      5. Intrusion Detection and Prevention Systems
      6. Elastic Load Balancing Security
      7. Building Threat Protection Layers
      8. Testing security
    3. Amazon Inspector
      1. Amazon Inspector features and benefits
      2. Amazon Inspector components
    4. AWS Shield
      1. AWS Shield benefits
      2. AWS Shield features
        1. AWS Shield Standard
        2. AWS Shield Advanced
    5. Summary
  7. Securing Applications in AWS
    1. AWS Web Application Firewall (WAF)
      1. Benefits of AWS WAF
      2. Working with AWS WAF
    2. Signing AWS API requests
    3. Amazon Cognito
    4. Amazon API Gateway
    5. Summary
  8. Monitoring in AWS
    1. AWS CloudWatch
      1. Features and benefits
      2. AWS CloudWatch components
        1. Metrics
        2. Dashboards
        3. Events
        4. Alarms
        5. Log Monitoring
    2. Monitoring Amazon EC2
      1. Automated monitoring tools
      2. Manual monitoring tools
      3. Best practices for monitoring EC2 instances
    3. Summary
  9. Logging and Auditing in AWS
    1. Logging in AWS
      1. AWS native security logging capabilities
        1. Best practices
        2. AWS CloudTrail
        3. AWS Config
        4. AWS detailed billing reports
        5. Amazon S3 Access Logs
        6. ELB Logs
        7. Amazon CloudFront Access Logs
        8. Amazon RDS Logs
        9. Amazon VPC Flow Logs
    2. AWS CloudWatch Logs
      1. CloudWatch Logs concepts
      2. CloudWatch Logs limits
      3. Lifecycle of CloudWatch Logs
    3. AWS CloudTrail
      1. AWS CloudTrail concepts
      2. AWS CloudTrail benefits
      3. AWS CloudTrail use cases
      4. Security at Scale with AWS Logging
      5. AWS CloudTrail best practices
    4. Auditing in AWS
    5. AWS Artifact
    6. AWS Config
      1. AWS Config use cases
    7. AWS Trusted Advisor
    8. AWS Service Catalog
    9. AWS Security Audit Checklist
    10. Summary
  10. AWS Security Best Practices
    1. Shared security responsibility model
    2. IAM security best practices
    3. VPC
    4. Data security
    5. Security of servers
    6. Application security
    7. Monitoring, logging, and auditing
    8. AWS CAF
      1. Security perspective
        1. Directive component
        2. Preventive component
        3. Detective component
        4. Responsive component
    9. Summary