Book Description
Secure your Amazon Web Services (AWS) infrastructure with permission policies, key management, and network security, along with following cloud security best practices
Key Features
- Explore useful recipes for implementing robust cloud security solutions on AWS
- Monitor your AWS infrastructure and workloads using CloudWatch, CloudTrail, config, GuardDuty, and Macie
- Prepare for the AWS Certified Security-Specialty exam by exploring various security models and compliance offerings
Book Description
As a security consultant, securing your infrastructure by implementing policies and following best practices is critical. This cookbook discusses practical solutions to the most common problems related to safeguarding infrastructure, covering services and features within AWS that can help you implement security models such as the CIA triad (confidentiality, integrity, and availability), and the AAA triad (authentication, authorization, and availability), along with non-repudiation.
The book begins with IAM and S3 policies and later gets you up to speed with data security, application security, monitoring, and compliance. This includes everything from using firewalls and load balancers to secure endpoints, to leveraging Cognito for managing users and authentication. Over the course of this book, you'll learn to use AWS security services such as Config for monitoring, as well as maintain compliance with GuardDuty, Macie, and Inspector. Finally, the book covers cloud security best practices and demonstrates how you can integrate additional security services such as Glacier Vault Lock and Security Hub to further strengthen your infrastructure.
By the end of this book, you'll be well versed in the techniques required for securing AWS deployments, along with having the knowledge to prepare for the AWS Certified Security - Specialty certification.
What you will learn
- Create and manage users, groups, roles, and policies across accounts
- Use AWS Managed Services for logging, monitoring, and auditing
- Check compliance with AWS Managed Services that use machine learning
- Provide security and availability for EC2 instances and applications
- Secure data using symmetric and asymmetric encryption
- Manage user pools and identity pools with federated login
Who this book is for
If you are an IT security professional, cloud security architect, or a cloud application developer working on security-related roles and are interested in using AWS infrastructure for secure application deployments, then this Amazon Web Services book is for you. You will also find this book useful if you're looking to achieve AWS certification. Prior knowledge of AWS and cloud computing is required to get the most out of this book.
Table of Contents
- Title Page
- Copyright and Credits
- Dedication
- About Packt
- Contributors
- Preface
- Managing AWS Accounts with IAM and Organizations
- Securing Data on S3 with Policies and Techniques
- Technical requirements
- Creating S3 access control lists
- Creating an S3 bucket policy
- S3 cross-account access from the CLI
- S3 pre-signed URLs with an expiry time using the CLI and Python
- Encrypting data on S3
- Protecting data with versioning
- Implementing S3 cross-region replication within the same account
- Implementing S3 cross-region replication across accounts
- User Pools and Identity Pools with Cognito
- Key Management with KMS and CloudHSM
- Technical requirements
- Creating keys in KMS
- Using keys with external key material
- Rotating keys in KMS
- Granting permissions programmatically with grants
- Using key policies with conditional keys
- Sharing customer-managed keys across accounts
- Creating a CloudHSM cluster
- Initializing and activating a CloudHSM cluster
- Network Security with VPC
- Working with EC2 Instances
- Technical requirements
- Creating and configuring security groups
- Launching an EC2 instance into a VPC
- Setting up and configuring NAT instances
- Creating and attaching an IAM role to an EC2 instance
- Using our own private and public keys with EC2
- Using EC2 user data to launch an instance with a web server
- Storing sensitive data with the Systems Manager Parameter Store
- Using KMS to encrypt data in EBS
- Web Security Using ELBs, CloudFront, and WAF
- Technical requirements
- Enabling HTTPS on an EC2 instance 
- Creating an SSL/TLS certificate with ACM
- Creating a classic load balancer
- Creating ELB target groups
- Using an application load balancer with TLS termination at the ELB
- Using a network load balancer with TLS termination at EC2
- Securing S3 using CloudFront and TLS
- Configuring and using the AWS web application firewall (WAF)
- Monitoring with CloudWatch, CloudTrail, and Config
- Technical requirements
- Creating an SNS topic to send emails
- Working with CloudWatch alarms and metrics
- Creating a dashboard in CloudWatch
- Creating a CloudWatch log group
- Working with CloudWatch events
- Reading and filtering logs in CloudTrail
- Creating a trail in CloudTrail
- Using Athena to query CloudTrail logs in S3
- Cross-account CloudTrail logging
- Integrating CloudWatch and CloudTrail
- Setting up and using AWS Config
- Compliance with GuardDuty, Macie, and Inspector
- Additional Services and Practices for AWS Security
- Technical requirements
- Setting up and using AWS Security Hub
- Setting up and using AWS SSO
- Setting up and using AWS Resource Access Manager
- Protecting S3 Glacier vaults with Vault Lock
- Using AWS Secrets Manager to manage RDS credentials
- Creating an AMI instead of using EC2 user data
- Using security products from AWS Marketplace
- Using AWS Trusted Advisor for recommendations
- Using AWS Artifact for compliance reports
- Other Books You May Enjoy