book

Security and Microservice Architecture on AWS

Name: Security and Microservice Architecture on AWS
Author: Gaurav Raje
ISBN: 9781098101466

by Gaurav Raje

September 2021

Intermediate to advanced

394 pages

10h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Goals of This BookWho Should Use This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Introduction to Cloud Microservices
Basics of Cloud Information SecurityRisk and Security ControlsOrganizational Security PolicySecurity Incidents and the CIA TriadAWS Shared Responsibility ModelCloud Architecture and SecuritySecurity Through ModularitySecurity Through SimplicitySecurity Through Fully Managed AWS ServicesBlast Radius, Isolation, and the Locked Rooms AnalogyDefense-in-Depth and SecuritySecurity Through Perimeter ProtectionSecurity Through Zero Trust ArchitectureA Brief Introduction to Software ArchitectureTier-Based ArchitectureDomain-Driven DesignMicroservicesImplementation of Microservices on AWSContainer-Based Microservice ArchitectureA Very Brief Introduction to KubernetesFunction as a Service: FaaS Using AWS LambdaOverview of Cloud Microservice ImplementationAmazon EKSAmazon EKS Fargate ModeFunction as a Service Using AWS LambdaMicroservice Implementation SummaryExamples of Microservice Communication PatternsExample 1: Simple Message Passing Between ContextsExample 2: Message QueuesExample 3: Event-Based MicroservicesSummary
2. Authorization and Authentication Basics
Basics of AWS Identity and Access ManagementPrincipals on AWSIAM PoliciesPrinciple of Least PrivilegePoLP and Blast RadiusStructure of AWS IAM PoliciesPrincipal-Based PoliciesResource-Based PoliciesThe Zone of TrustEvaluation of PoliciesAdvanced Concepts in AWS IAM PoliciesIAM Policy ConditionsAWS Tags and Attribute-Based Access Control“Not” Policy Elements: NotPrincipal and NotResourceWrapping Up IAM PoliciesRole-Based Access ControlRBAC ModelingSecuring RolesAssuming RolesAssume Roles Using the AWS Command-Line Interface (CLI)Switching Roles Using AWS Management ConsoleService-Linked RoleAuthentication and Identity ManagementBasics of AuthenticationIdentity Federation on AWSIdentity Federation Using SAML 2.0 and OpenID ConnectRBAC and MicroservicesExecution RolesRBAC with AWS LambdaRBAC with EC2 and the Instance Metadata ServiceRBAC with Amazon EKS Using IAM Roles for Service AccountsSummary
3. Foundations of Encryption
Brief Overview of EncryptionWhy Is Encryption Important on AWS?Why Is Encryption Important for Microservice Architectures?Encryption on AWSSecurity Challenges with Key-Based EncryptionBusiness ProblemAWS Key Management ServiceBasic Encryption Using CMKEnvelope EncryptionEnvelope Encryption in ActionSecurity and AWS KMSKMS Contexts and Additional Authenticated DataKey PoliciesGrants and ViaServiceCMK and Its Components and Supported ActionsRegions and KMSCost, Complexity, and Regulatory ConsiderationsAsymmetric Encryption and KMSEncryption and DecryptionDigital Signing (Sign and Verify)Domain-Driven Design and AWS KMSContextual Boundaries and EncryptionAccounts and Sharing CMKKMS and Network ConsiderationsKMS Grants RevisitedKMS Accounts and Topologies: Tying It All TogetherOption 1: Including the CMK Within Bounded ContextsOption 2: Using a Purpose-Built Account to Hold the CMKAWS Secrets ManagerHow Secrets Manager WorksSecret Protection in AWS Secrets ManagerSummary
4. Security at Rest
Data Classification BasicsRecap of Envelope Encryption Using KMSAWS Simple Storage ServiceEncryption on AWS S3Access Control on Amazon S3 Through S3 Bucket PoliciesAmazon GuardDutyNonrepudiation Using Glacier Vault LockSecurity at Rest for Compute ServicesStatic Code Analysis Using AWS CodeGuruAWS Elastic Container RegistryAWS LambdaAWS Elastic Block StoreTying It All TogetherMicroservice Database SystemsAWS DynamoDBAmazon Aurora Relational Data ServiceMedia Sanitization and Data DeletionSummary
5. Networking Security
Networking on AWSControlsUnderstanding the Monolith and Microservice ModelsSegmentation and MicroservicesSoftware-Defined Network PartitionsSubnettingRouting in a SubnetGateways and SubnetsPublic SubnetPrivate SubnetSubnets and Availability ZonesInternet Access for SubnetsVirtual Private CloudRouting in a VPCMicrosegmentation at the Network LayerCross-VPC CommunicationVPC PeeringAWS Transit GatewayVPC EndpointsWrap-Up of Cross-VPC CommunicationFirewall Equivalents on the CloudSecurity GroupsSecurity Group Referencing (Chaining) and DesignsProperties of Security GroupsNetwork Access Control ListsSecurity Groups Versus NACLsContainers and Network SecurityBlock Instance Metadata ServiceTry to Run Pods in a Private SubnetBlock Internet Access for Pods Unless NecessaryUse Encrypted Networking Between PodsLambdas and Network SecuritySummary
6. Public-Facing Services
API-First Design and API GatewayAWS API GatewayTypes of AWS API Gateway EndpointsSecuring the API GatewayAPI Gateway IntegrationAccess Control on API GatewayInfrastructure Security on API GatewayCost Considerations While Using AWS API GatewayBastion HostSolutionStatic Asset Distribution (Content Distribution Network)AWS CloudFrontSigned URLs or CookiesAWS Lambda@EdgeProtecting Against Common Attacks on Edge NetworksAWS Web Application FirewallAWS Shield and AWS Shield AdvancedMicroservices and AWS Shield AdvancedCost Considerations for Edge ProtectionSummary
7. Security in Transit
Basics of Transport Layer SecurityDigital SigningCertificates, Certificate Authority, and Identity VerificationEncryption Using TLSTLS Termination and Trade-offs with MicroservicesTLS Offloading and TerminationCost and Complexity Considerations with Encryption in TransitApplication of TLS in MicroservicesSecurity in Transit While Using Message Queues (AWS SQS)gRPC and Application Load BalancerMutual TLSA (Very Brief) Introduction to Service Meshes: A Security PerspectiveProxies and SidecarsApp Mesh Components and TerminologyTLS and App MeshmTLS RevisitedAWS App Mesh: Wrap-UpServerless Microservices and Encryption in TransitAWS API Gateway and AWS LambdaCaching, API Gateway, and Encryption in TransitField-Level EncryptionSummary
8. Security Design for Organizational Complexity
Organizational Structure and MicroservicesConway’s LawSingle Team Oriented Service ArchitectureRole-Based Access ControlPrivilege ElevationPermission BoundariesPermission Boundaries to Delegate ResponsibilitiesAWS Accounts Structure for Large OrganizationsAWS Accounts and TeamsAWS OrganizationsOrganizational Units and Service Control PoliciesPurpose-Built AccountsAWS Tools for OrganizationsAWS Organizations Best PracticesAWS Resource Access ManagerShared Services Using AWS RAMAWS Single Sign-OnEnforcing Multifactor Authentication in AccountsSimplifying a Complex Domain-Driven Organization Using RBAC, SSO, and AWS OrganizationsSummary
9. Monitoring and Incident Response
NIST Incident Response FrameworkStep 1: Design and PreparationStep 2: Detection and AnalysisStep 3: Containment and IsolationStep 4: Forensic AnalysisStep 5: EradicationStep 6: Postincident ActivitiesSecuring the Security InfrastructureSecuring a CloudTrailPurpose-Built AccountsSummary

A. Terraform Cloud in Five Minutes
SetupCreating Your WorkspaceAdding AWS Access and Secret KeyTerraform ProcessProvidersStatePlansApplyWriting Your Terraform Infrastructure as CodeRoot Module and Folder StructureInput VariablesResourcesRunning and Applying Your Plan
B. Example of a SAML Identity Provider for AWS
A Hands-On Example of a Federated Identity SetupStep 1: Configure Your IdPStep 2: Export Metadata to Be Imported into AWS AccountStep 3: Add Your SAML IdP as a Trusted IdPStep 4: Create a Role That Your Federated Users Can Assume to Interact with Your AWS AccountStep 5: Control Access to Multiple Roles Using Custom Attributes Within the IdPSummary
C. Hands-On Encryption with AWS KMS
Basic Encryption Using the CMKBasic Decryption Using the CMKEnvelope Encryption Using the CMKDecrypting an Envelope Encrypted Message
D. A Hands-On Example of Applying the Principle of Least Privilege
Step 1: Create an AWS IAM Policy for Your TaskStep 2: Define the Service, Actions, and Effect Parameters of an IAM PolicyStep 3: Define the ResourceStep 4: Request ConditionsStep 5: Confirm the Resulting PolicyStep 6: Save the PolicyStep 7: Attach the Policy to a PrincipalSummary
Index

Content preview from Security and Microservice Architecture on AWS

Chapter 9. Monitoring and Incident Response

Until now, I have talked about how to design a microservice system that has controls in place to prevent malicious users from gaining unauthorized access to resources. This chapter takes a slightly different approach. Consider what would happen if, despite your best efforts at segmenting, controlling access, and applying network security measures, an attacker has somehow managed to exploit a vulnerability in your organization and gain unauthorized access.

Every company has to deal with security breaches at some point. Incidents do not necessarily indicate how secure a company’s security posture is or how they conduct their business. A humorous quotation made by John Chambers at the World Economic Forum that I generally like to use whenever I talk about information security is, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” It is their level of preparedness for an incident that distinguishes a good company from a bad one.

In this chapter, I will be going through various types of detective controls that administrators have on AWS resources. It is the goal of detective controls to make security incidents more visible and reduce the time required for their detection or response. AWS provides every user with the ability to monitor all the activities that happen on the cloud. This includes the ability to log every action, specify metrics, and alert for any suspicious behavior. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Serverless Architectures on AWS, Second Edition

Publisher Resources

ISBN: 9781098101459Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Security and Microservice Architecture on AWS

by Gaurav Raje

Chapter 9. Monitoring and Incident Response

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.