Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying AWS Security Cookbook
  • Table Of Contents Toc
AWS Security Cookbook

AWS Security Cookbook - Second Edition

By : Kanikathottu
4.5 (4)
Buy this Book
close
close
AWS Security Cookbook

AWS Security Cookbook

4.5 (4)
By: Kanikathottu
Buy this Book

Overview of this book

As a security consultant, implementing policies and best practices to secure your infrastructure is critical. This cookbook discusses practical solutions for safeguarding infrastructure, covering services and features within AWS that help implement security models, such as the CIA triad (confidentiality, integrity, and availability) and the AAA triad (authentication, authorization, and accounting), as well as non-repudiation. This updated second edition starts with the fundamentals of AWS accounts and organizations. The book then guides you through identity and access management, data protection, network security, and encryption. You’ll explore critical topics such as securing EC2 instances, managing keys with KMS and CloudHSM, and implementing endpoint security. Additionally, you’ll learn to monitor your environment using CloudWatch, CloudTrail, and AWS Config, while maintaining compliance with services such as GuardDuty, Macie, and Inspector. Each chapter presents practical recipes for real-world scenarios, allowing you to apply security concepts. By the end of this book, you’ll be well versed in techniques required for securing AWS deployments and be prepared to gain the AWS Certified Security – Specialty certification.
Table of Contents (13 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Code in Action
Icon
Conventions used
Icon
Sections
Icon
Get in touch
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
Lock Free Chapter
1
Chapter 1: Setting Up AWS Accounts and Organization
chevron up
Icon
Chapter 1: Setting Up AWS Accounts and Organization
Icon
Technical requirements
Icon
Setting up IAM, account aliases, and billing alerts
Icon
Multi-account management with AWS Organizations
Icon
User management and SSO with IAM Identity Center
2
Chapter 2: Access Management with IAM Policies and Roles
Icon
Chapter 2: Access Management with IAM Policies and Roles
Icon
Technical requirements
Icon
Creating a customer-managed IAM policy
Icon
Using policy variables within IAM policies
Icon
Creating customer-managed policies in IAM Identity Center
Icon
Setting IAM permission boundaries for IAM entities
Icon
Centralizing governance in AWS Organizations with SCPs
Icon
IAM cross-account role switching and identity account architecture
Icon
Cross-service access via IAM roles on EC2 instances
3
Chapter 3: Key Management with KMS and CloudHSM
Icon
Chapter 3: Key Management with KMS and CloudHSM
Icon
Technical requirements
Icon
Creating keys in KMS
Icon
Creating keys with external key material (BYOK)
Icon
Rotating keys in KMS
Icon
Granting permissions programmatically with grants
Icon
Using key policies with conditional keys
Icon
Sharing customer-managed keys across accounts
Icon
Creating, initializing, and activating a CloudHSM cluster
4
Chapter 4: Securing Data on S3 with Policies and Techniques
Icon
Chapter 4: Securing Data on S3 with Policies and Techniques
Icon
Technical requirements
Icon
Creating an S3 bucket policy
Icon
Working with S3 ACLs
Icon
Creating S3 presigned URLs
Icon
Protecting files with S3 versioning and object locking
Icon
Encrypting data on S3
5
Chapter 5: Network and EC2 Security with VPCs
Icon
Chapter 5: Network and EC2 Security with VPCs
Icon
Technical requirements
Icon
Setting up VPC plus VPC resources with minimal effort
Icon
Creating a bare VPC and setting up public and private subnets
Icon
Launching an EC2 instance with a web server using user data
Icon
Creating and configuring security groups
Icon
Working with NACLs
Icon
Using a VPC gateway endpoint to connect to S3
Icon
Configuring and using VPC flow logs
Icon
Setting up and configuring NAT gateways
6
Chapter 6: Web Security Using Certificates, CDNs, and Firewalls
Icon
Chapter 6: Web Security Using Certificates, CDNs, and Firewalls
Icon
Technical requirements
Icon
Enabling HTTPS for a web server on an EC2 instance
Icon
Creating an SSL/TLS certificate with ACM
Icon
Creating ELB target groups
Icon
Using an application load balancer with TLS termination at the ELB
Icon
Using a network load balancer with TLS termination at EC2
Icon
Securing S3 using CloudFront and TLS
Icon
Using a WAF
7
Chapter 7: Monitoring with CloudWatch, CloudTrail, and Config
Icon
Chapter 7: Monitoring with CloudWatch, CloudTrail, and Config
Icon
Technical requirements
Icon
Creating an SNS topic to send emails
Icon
Working with CloudWatch alarms and metrics
Icon
Creating a CloudWatch log group
Icon
Working with EventBridge (previously CloudWatch Events)
Icon
Reading and filtering logs in CloudTrail
Icon
Creating a trail in CloudTrail
Icon
Using Athena to query CloudTrail logs in S3
Icon
Integrating CloudWatch with CloudTrail making use of a CloudFormation template
Icon
Setting up and using AWS Config
8
Chapter 8: Compliance with GuardDuty, Macie, Inspector, and Analyzer
Icon
Chapter 8: Compliance with GuardDuty, Macie, Inspector, and Analyzer
Icon
Technical requirements
Icon
Setting up and using Amazon GuardDuty
Icon
Aggregating findings from multiple accounts in GuardDuty
Icon
Setting up and using Amazon Macie
Icon
Setting up and using Amazon Inspector
Icon
Setting up and using AWS Security Hub
Icon
Using IAM Access Analyzer to inspect unused access
9
Chapter 9: Advanced Identity and Directory Management
Icon
Chapter 9: Advanced Identity and Directory Management
Icon
Technical requirements
Icon
Working with Amazon Cognito user pools
Icon
Using identity pools to access AWS resources
Icon
Using AWS Simple AD for creating a lightweight directory solution
Icon
Using Microsoft Entra ID as the identity provider within AWS
10
Chapter 10: Additional Services and Practices for AWS Security
Icon
Chapter 10: Additional Services and Practices for AWS Security
Icon
Technical requirements
Icon
Setting up and using AWS RAM
Icon
Storing sensitive data with the Systems Manager Parameter Store
Icon
Using AWS Secrets Manager to manage RDS credentials
Icon
Creating an AMI instead of using EC2 user data
Icon
Using security products from AWS Marketplace
Icon
Using AWS Trusted Advisor for recommendations
Icon
Using AWS Artifact for compliance reports
11
Index
Icon
Index
Icon
Why subscribe?
12
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book

Setting Up AWS Accounts and Organization

An application or platform’s security is often characterized by features such as confidentiality, integrity, availability, authentication, authorization, accounting, and non-repudiation. These features are grouped into the Confidentiality, Integrity, and Availability (CIA) triad and the Authentication, Authorization, and Accounting (AAA) triad. A solid grasp of these security features will facilitate better understanding and implementation of the AWS security concepts detailed in this book.

In this chapter, we will first learn about setting up the Identity and Access Management (IAM) service for a new AWS account along with account aliases and billing alerts. Then, we will learn to set up the AWS Organizations service that allows us to create and manage multiple AWS accounts from within a single management account. We will also learn about user management and Single Sign-On (SSO) using AWS IAM Identity Center (formerly known as AWS SSO), which centralizes identity creation and access management across AWS accounts and apps and is recommended for organizations of all sizes and types.

This chapter is slightly longer than the rest of the chapters in this book since it sets the stage for other chapters. We could skip the second and third recipes within this chapter regarding setting up AWS Organizations and IAM Identity Center and execute most of the recipes in other chapters on a standalone AWS account. However, if our goal is to work in an enterprise environment, it would be good to complete all the recipes within this chapter before proceeding with the rest of the book.

This chapter includes the following recipes:

  • Setting up IAM, account aliases, and billing alerts
  • Multi-account management with AWS Organizations
  • User management and SSO with IAM Identity Center
Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
AWS Security Cookbook
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon