book

Security and Microservice Architecture on AWS

Name: Security and Microservice Architecture on AWS
Author: Gaurav Raje
ISBN: 9781098101466

by Gaurav Raje

September 2021

Intermediate to advanced

394 pages

10h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Goals of This BookWho Should Use This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Introduction to Cloud Microservices
Basics of Cloud Information SecurityRisk and Security ControlsOrganizational Security PolicySecurity Incidents and the CIA TriadAWS Shared Responsibility ModelCloud Architecture and SecuritySecurity Through ModularitySecurity Through SimplicitySecurity Through Fully Managed AWS ServicesBlast Radius, Isolation, and the Locked Rooms AnalogyDefense-in-Depth and SecuritySecurity Through Perimeter ProtectionSecurity Through Zero Trust ArchitectureA Brief Introduction to Software ArchitectureTier-Based ArchitectureDomain-Driven DesignMicroservicesImplementation of Microservices on AWSContainer-Based Microservice ArchitectureA Very Brief Introduction to KubernetesFunction as a Service: FaaS Using AWS LambdaOverview of Cloud Microservice ImplementationAmazon EKSAmazon EKS Fargate ModeFunction as a Service Using AWS LambdaMicroservice Implementation SummaryExamples of Microservice Communication PatternsExample 1: Simple Message Passing Between ContextsExample 2: Message QueuesExample 3: Event-Based MicroservicesSummary
2. Authorization and Authentication Basics
Basics of AWS Identity and Access ManagementPrincipals on AWSIAM PoliciesPrinciple of Least PrivilegePoLP and Blast RadiusStructure of AWS IAM PoliciesPrincipal-Based PoliciesResource-Based PoliciesThe Zone of TrustEvaluation of PoliciesAdvanced Concepts in AWS IAM PoliciesIAM Policy ConditionsAWS Tags and Attribute-Based Access Control“Not” Policy Elements: NotPrincipal and NotResourceWrapping Up IAM PoliciesRole-Based Access ControlRBAC ModelingSecuring RolesAssuming RolesAssume Roles Using the AWS Command-Line Interface (CLI)Switching Roles Using AWS Management ConsoleService-Linked RoleAuthentication and Identity ManagementBasics of AuthenticationIdentity Federation on AWSIdentity Federation Using SAML 2.0 and OpenID ConnectRBAC and MicroservicesExecution RolesRBAC with AWS LambdaRBAC with EC2 and the Instance Metadata ServiceRBAC with Amazon EKS Using IAM Roles for Service AccountsSummary
3. Foundations of Encryption
Brief Overview of EncryptionWhy Is Encryption Important on AWS?Why Is Encryption Important for Microservice Architectures?Encryption on AWSSecurity Challenges with Key-Based EncryptionBusiness ProblemAWS Key Management ServiceBasic Encryption Using CMKEnvelope EncryptionEnvelope Encryption in ActionSecurity and AWS KMSKMS Contexts and Additional Authenticated DataKey PoliciesGrants and ViaServiceCMK and Its Components and Supported ActionsRegions and KMSCost, Complexity, and Regulatory ConsiderationsAsymmetric Encryption and KMSEncryption and DecryptionDigital Signing (Sign and Verify)Domain-Driven Design and AWS KMSContextual Boundaries and EncryptionAccounts and Sharing CMKKMS and Network ConsiderationsKMS Grants RevisitedKMS Accounts and Topologies: Tying It All TogetherOption 1: Including the CMK Within Bounded ContextsOption 2: Using a Purpose-Built Account to Hold the CMKAWS Secrets ManagerHow Secrets Manager WorksSecret Protection in AWS Secrets ManagerSummary
4. Security at Rest
Data Classification BasicsRecap of Envelope Encryption Using KMSAWS Simple Storage ServiceEncryption on AWS S3Access Control on Amazon S3 Through S3 Bucket PoliciesAmazon GuardDutyNonrepudiation Using Glacier Vault LockSecurity at Rest for Compute ServicesStatic Code Analysis Using AWS CodeGuruAWS Elastic Container RegistryAWS LambdaAWS Elastic Block StoreTying It All TogetherMicroservice Database SystemsAWS DynamoDBAmazon Aurora Relational Data ServiceMedia Sanitization and Data DeletionSummary
5. Networking Security
Networking on AWSControlsUnderstanding the Monolith and Microservice ModelsSegmentation and MicroservicesSoftware-Defined Network PartitionsSubnettingRouting in a SubnetGateways and SubnetsPublic SubnetPrivate SubnetSubnets and Availability ZonesInternet Access for SubnetsVirtual Private CloudRouting in a VPCMicrosegmentation at the Network LayerCross-VPC CommunicationVPC PeeringAWS Transit GatewayVPC EndpointsWrap-Up of Cross-VPC CommunicationFirewall Equivalents on the CloudSecurity GroupsSecurity Group Referencing (Chaining) and DesignsProperties of Security GroupsNetwork Access Control ListsSecurity Groups Versus NACLsContainers and Network SecurityBlock Instance Metadata ServiceTry to Run Pods in a Private SubnetBlock Internet Access for Pods Unless NecessaryUse Encrypted Networking Between PodsLambdas and Network SecuritySummary
6. Public-Facing Services
API-First Design and API GatewayAWS API GatewayTypes of AWS API Gateway EndpointsSecuring the API GatewayAPI Gateway IntegrationAccess Control on API GatewayInfrastructure Security on API GatewayCost Considerations While Using AWS API GatewayBastion HostSolutionStatic Asset Distribution (Content Distribution Network)AWS CloudFrontSigned URLs or CookiesAWS Lambda@EdgeProtecting Against Common Attacks on Edge NetworksAWS Web Application FirewallAWS Shield and AWS Shield AdvancedMicroservices and AWS Shield AdvancedCost Considerations for Edge ProtectionSummary
7. Security in Transit
Basics of Transport Layer SecurityDigital SigningCertificates, Certificate Authority, and Identity VerificationEncryption Using TLSTLS Termination and Trade-offs with MicroservicesTLS Offloading and TerminationCost and Complexity Considerations with Encryption in TransitApplication of TLS in MicroservicesSecurity in Transit While Using Message Queues (AWS SQS)gRPC and Application Load BalancerMutual TLSA (Very Brief) Introduction to Service Meshes: A Security PerspectiveProxies and SidecarsApp Mesh Components and TerminologyTLS and App MeshmTLS RevisitedAWS App Mesh: Wrap-UpServerless Microservices and Encryption in TransitAWS API Gateway and AWS LambdaCaching, API Gateway, and Encryption in TransitField-Level EncryptionSummary
8. Security Design for Organizational Complexity
Organizational Structure and MicroservicesConway’s LawSingle Team Oriented Service ArchitectureRole-Based Access ControlPrivilege ElevationPermission BoundariesPermission Boundaries to Delegate ResponsibilitiesAWS Accounts Structure for Large OrganizationsAWS Accounts and TeamsAWS OrganizationsOrganizational Units and Service Control PoliciesPurpose-Built AccountsAWS Tools for OrganizationsAWS Organizations Best PracticesAWS Resource Access ManagerShared Services Using AWS RAMAWS Single Sign-OnEnforcing Multifactor Authentication in AccountsSimplifying a Complex Domain-Driven Organization Using RBAC, SSO, and AWS OrganizationsSummary
9. Monitoring and Incident Response
NIST Incident Response FrameworkStep 1: Design and PreparationStep 2: Detection and AnalysisStep 3: Containment and IsolationStep 4: Forensic AnalysisStep 5: EradicationStep 6: Postincident ActivitiesSecuring the Security InfrastructureSecuring a CloudTrailPurpose-Built AccountsSummary

A. Terraform Cloud in Five Minutes
SetupCreating Your WorkspaceAdding AWS Access and Secret KeyTerraform ProcessProvidersStatePlansApplyWriting Your Terraform Infrastructure as CodeRoot Module and Folder StructureInput VariablesResourcesRunning and Applying Your Plan
B. Example of a SAML Identity Provider for AWS
A Hands-On Example of a Federated Identity SetupStep 1: Configure Your IdPStep 2: Export Metadata to Be Imported into AWS AccountStep 3: Add Your SAML IdP as a Trusted IdPStep 4: Create a Role That Your Federated Users Can Assume to Interact with Your AWS AccountStep 5: Control Access to Multiple Roles Using Custom Attributes Within the IdPSummary
C. Hands-On Encryption with AWS KMS
Basic Encryption Using the CMKBasic Decryption Using the CMKEnvelope Encryption Using the CMKDecrypting an Envelope Encrypted Message
D. A Hands-On Example of Applying the Principle of Least Privilege
Step 1: Create an AWS IAM Policy for Your TaskStep 2: Define the Service, Actions, and Effect Parameters of an IAM PolicyStep 3: Define the ResourceStep 4: Request ConditionsStep 5: Confirm the Resulting PolicyStep 6: Save the PolicyStep 7: Attach the Policy to a PrincipalSummary
Index

Content preview from Security and Microservice Architecture on AWS

Chapter 1. Introduction to Cloud Microservices

Cloud computing and microservices have become a dominant theme in the software architecture world. Microservices have added complexity to an era in which security attacks are far too common, and they have raised the importance of security practitioners in every organization.

This is a story (that I heard for the first time on YouTube) that may sound familiar to many of you. A fast-paced company is building a microservices-based application and you are on the security team. It is possible that you have stakeholders, such as a CEO or a product manager, who want your product to be launched in time to gain market share. The developers in your company are doing their best to meet deadlines and ship code faster. You are brought in at the end of the process, and your mandate is to make sure that the final product is secure. This should immediately raise red flags to you. If the product is developed independently of you (the security team), you will be the only ones standing in the way of a product that adds value to the company. In my experience, in many dysfunctional firms, security professionals have been viewed as naysayers by development teams, product managers, and other stakeholders at organizations.

The problem with superficial security initiatives is that they interfere with value-adding activities. Bad security initiatives are notorious for causing frustration among developers. This is usually due to bad design and poor implementations, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Deploy Containers on AWS: With EC2, ECS, and EKS

Publisher Resources

ISBN: 9781098101459Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Security and Microservice Architecture on AWS

by Gaurav Raje

Chapter 1. Introduction to Cloud Microservices

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.