Book Image

AWS Security Cookbook

By : Heartin Kanikathottu
Book Image

AWS Security Cookbook

By: Heartin Kanikathottu

Overview of this book

As a security consultant, securing your infrastructure by implementing policies and following best practices is critical. This cookbook discusses practical solutions to the most common problems related to safeguarding infrastructure, covering services and features within AWS that can help you implement security models such as the CIA triad (confidentiality, integrity, and availability), and the AAA triad (authentication, authorization, and availability), along with non-repudiation. The book begins with IAM and S3 policies and later gets you up to speed with data security, application security, monitoring, and compliance. This includes everything from using firewalls and load balancers to secure endpoints, to leveraging Cognito for managing users and authentication. Over the course of this book, you'll learn to use AWS security services such as Config for monitoring, as well as maintain compliance with GuardDuty, Macie, and Inspector. Finally, the book covers cloud security best practices and demonstrates how you can integrate additional security services such as Glacier Vault Lock and Security Hub to further strengthen your infrastructure. By the end of this book, you'll be well versed in the techniques required for securing AWS deployments, along with having the knowledge to prepare for the AWS Certified Security – Specialty certification.

Related Content you might be interested in

Current Title:

Small book image
AWS Security Cookbook
Heartin Kanikathottu
Feb, 2020 | 440 pages
Small book image
AWS Certified Security – Specialty Exam Guide
Stuart Scott
Sep, 2020 | 558 pages
Small book image
Serverless Programming Cookbook
Heartin Kanikathottu
Jan, 2019 | 490 pages
Small book image
AWS Networking Cookbook
Jhalak Modi | Satyajit Das
Aug, 2017 | 366 pages
Table of Contents (12 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Sections
Get in touch
1
Managing AWS Accounts with IAM and Organizations
Managing AWS Accounts with IAM and Organizations
Technical requirements
Configuring IAM for a new account
Creating IAM policies
Creating a master account for AWS Organizations
Creating a new account under an AWS Organization
Switching roles with AWS Organizations
Free Chapter
2
Securing Data on S3 with Policies and Techniques
Securing Data on S3 with Policies and Techniques
Technical requirements
Creating S3 access control lists
Creating an S3 bucket policy
S3 cross-account access from the CLI
S3 pre-signed URLs with an expiry time using the CLI and Python
Encrypting data on S3
Protecting data with versioning
Implementing S3 cross-region replication within the same account
Implementing S3 cross-region replication across accounts
3
User Pools and Identity Pools with Cognito
User Pools and Identity Pools with Cognito
Technical requirements
Creating Amazon Cognito user pools
Creating an Amazon Cognito app client
User creation and user signups
Implementing an admin authentication flow
Implementing a client-side authentication flow
Working with Cognito groups
Federated identity with Cognito user pools
4
Key Management with KMS and CloudHSM
Key Management with KMS and CloudHSM
Technical requirements
Creating keys in KMS
Using keys with external key material
Rotating keys in KMS
Granting permissions programmatically with grants
Using key policies with conditional keys
Sharing customer-managed keys across accounts
Creating a CloudHSM cluster
Initializing and activating a CloudHSM cluster
5
Network Security with VPC
Network Security with VPC
Technical requirements
Creating a VPC in AWS
Creating subnets in a VPC
Configuring an internet gateway and a route table for internet access
Setting up and configuring NAT gateways
Working with NACLs
Using a VPC gateway endpoint to connect to S3
Configuring and using VPC flow logs
6
Working with EC2 Instances
Working with EC2 Instances
Technical requirements
Creating and configuring security groups
Launching an EC2 instance into a VPC
Setting up and configuring NAT instances
Creating and attaching an IAM role to an EC2 instance
Using our own private and public keys with EC2
Using EC2 user data to launch an instance with a web server
Storing sensitive data with the Systems Manager Parameter Store
Using KMS to encrypt data in EBS
7
Web Security Using ELBs, CloudFront, and WAF
Web Security Using ELBs, CloudFront, and WAF
Technical requirements
Enabling HTTPS on an EC2 instance
Creating an SSL/TLS certificate with ACM
Creating a classic load balancer
Creating ELB target groups
Using an application load balancer with TLS termination at the ELB
Using a network load balancer with TLS termination at EC2
Securing S3 using CloudFront and TLS
Configuring and using the AWS web application firewall (WAF)
8
Monitoring with CloudWatch, CloudTrail, and Config
Monitoring with CloudWatch, CloudTrail, and Config
Technical requirements
Creating an SNS topic to send emails
Working with CloudWatch alarms and metrics
Creating a dashboard in CloudWatch
Creating a CloudWatch log group
Working with CloudWatch events
Reading and filtering logs in CloudTrail
Creating a trail in CloudTrail
Using Athena to query CloudTrail logs in S3
Cross-account CloudTrail logging
Integrating CloudWatch and CloudTrail
Setting up and using AWS Config
9
Compliance with GuardDuty, Macie, and Inspector
Compliance with GuardDuty, Macie, and Inspector
Technical requirements
Setting up and using Amazon GuardDuty
Aggregating findings from multiple accounts in GuardDuty
Setting up and using Amazon Macie
Setting up and using Amazon Inspector
Creating a custom Inspector template
10
Additional Services and Practices for AWS Security
Additional Services and Practices for AWS Security
Technical requirements
Setting up and using AWS Security Hub
Setting up and using AWS SSO
Setting up and using AWS Resource Access Manager
Protecting S3 Glacier vaults with Vault Lock
Using AWS Secrets Manager to manage RDS credentials
Creating an AMI instead of using EC2 user data
Using security products from AWS Marketplace
Using AWS Trusted Advisor for recommendations
Using AWS Artifact for compliance reports
11
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Monitoring with CloudWatch, CloudTrail, and Config

We've already looked at many aspects of security, such as confidentiality, integrity, authentication, authorization, and availability. Accountability, the A in the CIA model, can be achieved through continuous monitoring, alerting, and regular auditing. Proper monitoring and alerting can also help in better availability through auto-remediation. In this chapter, we will look into Amazon CloudWatch, AWS CloudTrail, and AWS Config. CloudWatch is the primary service within AWS for application logging, monitoring, and alerting. CloudTrail can log the API calls within AWS. AWS Config can record and evaluate configurations. We will also learn about the Simple Notification Service (SNS), which will allow us to send notifications.

In this chapter, we will cover the following recipes:

  • Creating an SNS topic to send emails
  • Working...
Previous Section
End of Section 1
Next Section