Book Image

AWS Security Cookbook

By : Heartin Kanikathottu
Book Image

AWS Security Cookbook

By: Heartin Kanikathottu

Overview of this book

As a security consultant, securing your infrastructure by implementing policies and following best practices is critical. This cookbook discusses practical solutions to the most common problems related to safeguarding infrastructure, covering services and features within AWS that can help you implement security models such as the CIA triad (confidentiality, integrity, and availability), and the AAA triad (authentication, authorization, and availability), along with non-repudiation. The book begins with IAM and S3 policies and later gets you up to speed with data security, application security, monitoring, and compliance. This includes everything from using firewalls and load balancers to secure endpoints, to leveraging Cognito for managing users and authentication. Over the course of this book, you'll learn to use AWS security services such as Config for monitoring, as well as maintain compliance with GuardDuty, Macie, and Inspector. Finally, the book covers cloud security best practices and demonstrates how you can integrate additional security services such as Glacier Vault Lock and Security Hub to further strengthen your infrastructure. By the end of this book, you'll be well versed in the techniques required for securing AWS deployments, along with having the knowledge to prepare for the AWS Certified Security – Specialty certification.

Related Content you might be interested in

Current Title:

Small book image
AWS Security Cookbook
Heartin Kanikathottu
Feb, 2020 | 440 pages
Small book image
AWS Certified Security – Specialty Exam Guide
Stuart Scott
Sep, 2020 | 558 pages
Small book image
Serverless Programming Cookbook
Heartin Kanikathottu
Jan, 2019 | 490 pages
Small book image
AWS Networking Cookbook
Satyajit Das | Jhalak Modi
Aug, 2017 | 366 pages
Table of Contents (12 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Sections
Get in touch
1
Managing AWS Accounts with IAM and Organizations
Managing AWS Accounts with IAM and Organizations
Technical requirements
Configuring IAM for a new account
Creating IAM policies
Creating a master account for AWS Organizations
Creating a new account under an AWS Organization
Switching roles with AWS Organizations
Free Chapter
2
Securing Data on S3 with Policies and Techniques
Securing Data on S3 with Policies and Techniques
Technical requirements
Creating S3 access control lists
Creating an S3 bucket policy
S3 cross-account access from the CLI
S3 pre-signed URLs with an expiry time using the CLI and Python
Encrypting data on S3
Protecting data with versioning
Implementing S3 cross-region replication within the same account
Implementing S3 cross-region replication across accounts
3
User Pools and Identity Pools with Cognito
User Pools and Identity Pools with Cognito
Technical requirements
Creating Amazon Cognito user pools
Creating an Amazon Cognito app client
User creation and user signups
Implementing an admin authentication flow
Implementing a client-side authentication flow
Working with Cognito groups
Federated identity with Cognito user pools
4
Key Management with KMS and CloudHSM
Key Management with KMS and CloudHSM
Technical requirements
Creating keys in KMS
Using keys with external key material
Rotating keys in KMS
Granting permissions programmatically with grants
Using key policies with conditional keys
Sharing customer-managed keys across accounts
Creating a CloudHSM cluster
Initializing and activating a CloudHSM cluster
5
Network Security with VPC
Network Security with VPC
Technical requirements
Creating a VPC in AWS
Creating subnets in a VPC
Configuring an internet gateway and a route table for internet access
Setting up and configuring NAT gateways
Working with NACLs
Using a VPC gateway endpoint to connect to S3
Configuring and using VPC flow logs
6
Working with EC2 Instances
Working with EC2 Instances
Technical requirements
Creating and configuring security groups
Launching an EC2 instance into a VPC
Setting up and configuring NAT instances
Creating and attaching an IAM role to an EC2 instance
Using our own private and public keys with EC2
Using EC2 user data to launch an instance with a web server
Storing sensitive data with the Systems Manager Parameter Store
Using KMS to encrypt data in EBS
7
Web Security Using ELBs, CloudFront, and WAF
Web Security Using ELBs, CloudFront, and WAF
Technical requirements
Enabling HTTPS on an EC2 instance
Creating an SSL/TLS certificate with ACM
Creating a classic load balancer
Creating ELB target groups
Using an application load balancer with TLS termination at the ELB
Using a network load balancer with TLS termination at EC2
Securing S3 using CloudFront and TLS
Configuring and using the AWS web application firewall (WAF)
8
Monitoring with CloudWatch, CloudTrail, and Config
Monitoring with CloudWatch, CloudTrail, and Config
Technical requirements
Creating an SNS topic to send emails
Working with CloudWatch alarms and metrics
Creating a dashboard in CloudWatch
Creating a CloudWatch log group
Working with CloudWatch events
Reading and filtering logs in CloudTrail
Creating a trail in CloudTrail
Using Athena to query CloudTrail logs in S3
Cross-account CloudTrail logging
Integrating CloudWatch and CloudTrail
Setting up and using AWS Config
9
Compliance with GuardDuty, Macie, and Inspector
Compliance with GuardDuty, Macie, and Inspector
Technical requirements
Setting up and using Amazon GuardDuty
Aggregating findings from multiple accounts in GuardDuty
Setting up and using Amazon Macie
Setting up and using Amazon Inspector
Creating a custom Inspector template
10
Additional Services and Practices for AWS Security
Additional Services and Practices for AWS Security
Technical requirements
Setting up and using AWS Security Hub
Setting up and using AWS SSO
Setting up and using AWS Resource Access Manager
Protecting S3 Glacier vaults with Vault Lock
Using AWS Secrets Manager to manage RDS credentials
Creating an AMI instead of using EC2 user data
Using security products from AWS Marketplace
Using AWS Trusted Advisor for recommendations
Using AWS Artifact for compliance reports
11
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

To get the most out of this book

  • You will need a working AWS account for practicing the recipes within this book.
  • You should already have some basic knowledge of AWS services such as IAM, S3, EC2, and VPC.
  • Basic knowledge of cloud computing, computer networking, and IT security concepts can help you to grasp the contents of this book faster.

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packt.com.
  2. Select the Support tab.
  3. Click on Code Downloads.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/AWS-Security-Cookbook. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Verify that our testuser user can now list the files in the S3 bucket."

A block of code is set as follows:

"Condition": { 
    "StringEquals": { 
        "s3:x-amz-acl": [ 
            "public-read" 
        ] 
    }
}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

"Condition": { 
    "StringEquals": { 
        "s3:x-amz-acl": [ 
            "public-read" 
        ] 
    }
}

Any command-line input or output is written as follows:

aws iam attach-group-policy \
--group-name testusergroup \
--policy-arn arn:aws:iam::135301570106:policy/MyS3ListPolicyCLI \
--profile awssecadmin

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Go to the Organize accounts tab."

Warnings or important notes appear like this.
Tips and tricks appear like this.
Previous Section
Next Section