book

Security and Microservice Architecture on AWS

Name: Security and Microservice Architecture on AWS
Author: Gaurav Raje
ISBN: 9781098101466

by Gaurav Raje

September 2021

Intermediate to advanced

394 pages

10h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Goals of This BookWho Should Use This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Introduction to Cloud Microservices
Basics of Cloud Information SecurityRisk and Security ControlsOrganizational Security PolicySecurity Incidents and the CIA TriadAWS Shared Responsibility ModelCloud Architecture and SecuritySecurity Through ModularitySecurity Through SimplicitySecurity Through Fully Managed AWS ServicesBlast Radius, Isolation, and the Locked Rooms AnalogyDefense-in-Depth and SecuritySecurity Through Perimeter ProtectionSecurity Through Zero Trust ArchitectureA Brief Introduction to Software ArchitectureTier-Based ArchitectureDomain-Driven DesignMicroservicesImplementation of Microservices on AWSContainer-Based Microservice ArchitectureA Very Brief Introduction to KubernetesFunction as a Service: FaaS Using AWS LambdaOverview of Cloud Microservice ImplementationAmazon EKSAmazon EKS Fargate ModeFunction as a Service Using AWS LambdaMicroservice Implementation SummaryExamples of Microservice Communication PatternsExample 1: Simple Message Passing Between ContextsExample 2: Message QueuesExample 3: Event-Based MicroservicesSummary
2. Authorization and Authentication Basics
Basics of AWS Identity and Access ManagementPrincipals on AWSIAM PoliciesPrinciple of Least PrivilegePoLP and Blast RadiusStructure of AWS IAM PoliciesPrincipal-Based PoliciesResource-Based PoliciesThe Zone of TrustEvaluation of PoliciesAdvanced Concepts in AWS IAM PoliciesIAM Policy ConditionsAWS Tags and Attribute-Based Access Control“Not” Policy Elements: NotPrincipal and NotResourceWrapping Up IAM PoliciesRole-Based Access ControlRBAC ModelingSecuring RolesAssuming RolesAssume Roles Using the AWS Command-Line Interface (CLI)Switching Roles Using AWS Management ConsoleService-Linked RoleAuthentication and Identity ManagementBasics of AuthenticationIdentity Federation on AWSIdentity Federation Using SAML 2.0 and OpenID ConnectRBAC and MicroservicesExecution RolesRBAC with AWS LambdaRBAC with EC2 and the Instance Metadata ServiceRBAC with Amazon EKS Using IAM Roles for Service AccountsSummary
3. Foundations of Encryption
Brief Overview of EncryptionWhy Is Encryption Important on AWS?Why Is Encryption Important for Microservice Architectures?Encryption on AWSSecurity Challenges with Key-Based EncryptionBusiness ProblemAWS Key Management ServiceBasic Encryption Using CMKEnvelope EncryptionEnvelope Encryption in ActionSecurity and AWS KMSKMS Contexts and Additional Authenticated DataKey PoliciesGrants and ViaServiceCMK and Its Components and Supported ActionsRegions and KMSCost, Complexity, and Regulatory ConsiderationsAsymmetric Encryption and KMSEncryption and DecryptionDigital Signing (Sign and Verify)Domain-Driven Design and AWS KMSContextual Boundaries and EncryptionAccounts and Sharing CMKKMS and Network ConsiderationsKMS Grants RevisitedKMS Accounts and Topologies: Tying It All TogetherOption 1: Including the CMK Within Bounded ContextsOption 2: Using a Purpose-Built Account to Hold the CMKAWS Secrets ManagerHow Secrets Manager WorksSecret Protection in AWS Secrets ManagerSummary
4. Security at Rest
Data Classification BasicsRecap of Envelope Encryption Using KMSAWS Simple Storage ServiceEncryption on AWS S3Access Control on Amazon S3 Through S3 Bucket PoliciesAmazon GuardDutyNonrepudiation Using Glacier Vault LockSecurity at Rest for Compute ServicesStatic Code Analysis Using AWS CodeGuruAWS Elastic Container RegistryAWS LambdaAWS Elastic Block StoreTying It All TogetherMicroservice Database SystemsAWS DynamoDBAmazon Aurora Relational Data ServiceMedia Sanitization and Data DeletionSummary
5. Networking Security
Networking on AWSControlsUnderstanding the Monolith and Microservice ModelsSegmentation and MicroservicesSoftware-Defined Network PartitionsSubnettingRouting in a SubnetGateways and SubnetsPublic SubnetPrivate SubnetSubnets and Availability ZonesInternet Access for SubnetsVirtual Private CloudRouting in a VPCMicrosegmentation at the Network LayerCross-VPC CommunicationVPC PeeringAWS Transit GatewayVPC EndpointsWrap-Up of Cross-VPC CommunicationFirewall Equivalents on the CloudSecurity GroupsSecurity Group Referencing (Chaining) and DesignsProperties of Security GroupsNetwork Access Control ListsSecurity Groups Versus NACLsContainers and Network SecurityBlock Instance Metadata ServiceTry to Run Pods in a Private SubnetBlock Internet Access for Pods Unless NecessaryUse Encrypted Networking Between PodsLambdas and Network SecuritySummary
6. Public-Facing Services
API-First Design and API GatewayAWS API GatewayTypes of AWS API Gateway EndpointsSecuring the API GatewayAPI Gateway IntegrationAccess Control on API GatewayInfrastructure Security on API GatewayCost Considerations While Using AWS API GatewayBastion HostSolutionStatic Asset Distribution (Content Distribution Network)AWS CloudFrontSigned URLs or CookiesAWS Lambda@EdgeProtecting Against Common Attacks on Edge NetworksAWS Web Application FirewallAWS Shield and AWS Shield AdvancedMicroservices and AWS Shield AdvancedCost Considerations for Edge ProtectionSummary
7. Security in Transit
Basics of Transport Layer SecurityDigital SigningCertificates, Certificate Authority, and Identity VerificationEncryption Using TLSTLS Termination and Trade-offs with MicroservicesTLS Offloading and TerminationCost and Complexity Considerations with Encryption in TransitApplication of TLS in MicroservicesSecurity in Transit While Using Message Queues (AWS SQS)gRPC and Application Load BalancerMutual TLSA (Very Brief) Introduction to Service Meshes: A Security PerspectiveProxies and SidecarsApp Mesh Components and TerminologyTLS and App MeshmTLS RevisitedAWS App Mesh: Wrap-UpServerless Microservices and Encryption in TransitAWS API Gateway and AWS LambdaCaching, API Gateway, and Encryption in TransitField-Level EncryptionSummary
8. Security Design for Organizational Complexity
Organizational Structure and MicroservicesConway’s LawSingle Team Oriented Service ArchitectureRole-Based Access ControlPrivilege ElevationPermission BoundariesPermission Boundaries to Delegate ResponsibilitiesAWS Accounts Structure for Large OrganizationsAWS Accounts and TeamsAWS OrganizationsOrganizational Units and Service Control PoliciesPurpose-Built AccountsAWS Tools for OrganizationsAWS Organizations Best PracticesAWS Resource Access ManagerShared Services Using AWS RAMAWS Single Sign-OnEnforcing Multifactor Authentication in AccountsSimplifying a Complex Domain-Driven Organization Using RBAC, SSO, and AWS OrganizationsSummary
9. Monitoring and Incident Response
NIST Incident Response FrameworkStep 1: Design and PreparationStep 2: Detection and AnalysisStep 3: Containment and IsolationStep 4: Forensic AnalysisStep 5: EradicationStep 6: Postincident ActivitiesSecuring the Security InfrastructureSecuring a CloudTrailPurpose-Built AccountsSummary

A. Terraform Cloud in Five Minutes
SetupCreating Your WorkspaceAdding AWS Access and Secret KeyTerraform ProcessProvidersStatePlansApplyWriting Your Terraform Infrastructure as CodeRoot Module and Folder StructureInput VariablesResourcesRunning and Applying Your Plan
B. Example of a SAML Identity Provider for AWS
A Hands-On Example of a Federated Identity SetupStep 1: Configure Your IdPStep 2: Export Metadata to Be Imported into AWS AccountStep 3: Add Your SAML IdP as a Trusted IdPStep 4: Create a Role That Your Federated Users Can Assume to Interact with Your AWS AccountStep 5: Control Access to Multiple Roles Using Custom Attributes Within the IdPSummary
C. Hands-On Encryption with AWS KMS
Basic Encryption Using the CMKBasic Decryption Using the CMKEnvelope Encryption Using the CMKDecrypting an Envelope Encrypted Message
D. A Hands-On Example of Applying the Principle of Least Privilege
Step 1: Create an AWS IAM Policy for Your TaskStep 2: Define the Service, Actions, and Effect Parameters of an IAM PolicyStep 3: Define the ResourceStep 4: Request ConditionsStep 5: Confirm the Resulting PolicyStep 6: Save the PolicyStep 7: Attach the Policy to a PrincipalSummary
Index

Content preview from Security and Microservice Architecture on AWS

Chapter 7. Security in Transit

If two modules in a monolith are to communicate with each other, it is generally a simple in-memory method call. Microservices, unlike monoliths, rely on an external transport (such as a network) to communicate with each other (since modules are decomposed into independent services possibly running on different machines).

External communication channels are more likely to be vulnerable to potential threats from malicious actors compared to in-memory calls. Thus, by definition, external communication channels run with a higher aggregate risk.

To illustrate this point, I will use an example of an ecommerce application’s checkout process, as outlined in Figure 7-1. Imagine that the checkout process involves the application calculating the item’s price and charging the customer by looking it up in a repository. Upon checking out, the company then decrements this item’s available inventory.

Since an external communication channel inherently increases the aggregate risk of the application, security professionals need to add controls to ensure that potential threats are minimized. Encryption in transit is the most commonly used control that reduces the potential threat of messages being intercepted, tampered with, or spoofed. (Encryption is covered in detail in Chapter 3).

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Serverless Architectures on AWS, Second Edition

Publisher Resources

ISBN: 9781098101459Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Security and Microservice Architecture on AWS

by Gaurav Raje

Chapter 7. Security in Transit

Figure 7-1. In the case of microservices, calls to external services happen over ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.