Title Page
Copyright and Credits
  AWS Security Cookbook
Dedication
About Packt
  Why subscribe?
Contributors
  About the author
  About the reviewers
  Packt is searching for authors like you
Preface
  Who this book is for
  What this book covers
  To get the most out of this book
    Download the example code files
    Download the color images
    Conventions used
  Sections
    Getting ready
    How to do it…
    How it works…
    There's more…
    See also
  Get in touch
    Reviews

Managing AWS Accounts with IAM and Organizations
  Technical requirements
  Configuring IAM for a new account
    Getting ready
    How to do it...
      Creating a billing alarm
    How it works...
    There's more...
    See also
  Creating IAM policies
    Getting ready
    How to do it...
      Creating policies with the IAM visual editor
      Creating policies using the AWS CLI
    How it works...
    There's more...
    See also
  Creating a master account for AWS Organizations
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating a new account under an AWS Organization
    Getting ready
    How to do it...
      Creating an account and OU from the CLI
      Creating and moving an account from the console
    How it works...
    There's more...
    See also
  Switching roles with AWS Organizations
    Getting ready
    How to do it...
      Switching as an administrator
      Granting permission for a non-admin user to switch roles
      Granting permission for a non-admin user to switch roles using the CLI
    How it works...
      Switching roles between any two accounts
    There's more...
    See also

Securing Data on S3 with Policies and Techniques
  Technical requirements
  Creating S3 access control lists
    Getting ready
    How to do it...
      Granting READ ACLs for a bucket to everyone from the console
      Granting READ for AWS users using predefined groups from the CLI
      Granting public READ for an object with canned ACLs from the CLI
    How it works...
    There's more...
      Comparing ACLs, bucket policies, and IAM policies
    See also
  Creating an S3 bucket policy
    Getting ready
    How to do it...
      Bucket public access with a bucket policy from the console
      Bucket list access with a bucket policy from the CLI
    How it works...
    There's more...
    See also
  S3 cross-account access from the CLI
    Getting ready
    How to do it...
      Uploading to a bucket in another account
      Uploading to a bucket in another account with a bucket policy
    How it works...
    There's more...
    See also
  S3 pre-signed URLs with an expiry time using the CLI and Python
    Getting ready
    How to do it...
      Generating a pre-signed URL from the CLI
      Generating a pre-signed URL using the Python SDK
    How it works...
    There's more...
    See also
  Encrypting data on S3
    Getting ready
    How to do it...
      Server-side encryption with S3-managed keys (SSE-S3)
      Server-side encryption with KMS-managed keys (SSE-KMS)
      Server-side encryption with customer-managed keys (SSE-C)
    How it works...
    There's more...
    See also
  Protecting data with versioning
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Implementing S3 cross-region replication within the same account
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Implementing S3 cross-region replication across accounts
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also

User Pools and Identity Pools with Cognito
  Technical requirements
  Creating Amazon Cognito user pools
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating an Amazon Cognito app client
    Getting ready
    How to do it...
    How it works...
    There's more...
      Customizing workflows with triggers
    See also
  User creation and user signups
    Getting ready
    How to do it...
      Creating a user by an administrator
      Creating a user through self-signup with admin confirmation
      Creating a user through self-signup with self-confirmation
    How it works...
    There's more...
    See also
  Implementing an admin authentication flow
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Implementing a client-side authentication flow
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Working with Cognito groups
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Federated identity with Cognito user pools
    Getting ready
    How to do it...
      Configuring within the Amazon developer portal
      Configuring in Cognito
    How it works...
    There's more...
    See also

Key Management with KMS and CloudHSM
  Technical requirements
  Creating keys in KMS
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using keys with external key material
    Getting ready
    How to do it...
      Creating key configuration for an external key
      Generating our key material using OpenSSL
      Continuing with key creation from the console
    How it works...
    There's more...
    See also
  Rotating keys in KMS
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Granting permissions programmatically with grants
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using key policies with conditional keys
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Sharing customer-managed keys across accounts
    Getting ready
    How to do it...
      Creating a key and giving permission to the other account
      Using the key as an administrator user from account 2
      Using the key as a non-admin user from account 2
    How it works...
    There's more...
    See also
  Creating a CloudHSM cluster
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Initializing and activating a CloudHSM cluster
    Getting ready
    How to do it...
      Initializing the cluster and creating our first HSM
      Launching an EC2 client instance and activating the cluster
    How it works...
    There's more...
    See also

Network Security with VPC
  Technical requirements
  Creating a VPC in AWS
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating subnets in a VPC
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Configuring an internet gateway and a route table for internet access
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Setting up and configuring NAT gateways
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Working with NACLs
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using a VPC gateway endpoint to connect to S3
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Configuring and using VPC flow logs
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also

Working with EC2 Instances
  Technical requirements
  Creating and configuring security groups
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Launching an EC2 instance into a VPC
    Getting ready
    How to do it...
      General steps for launching an EC2 instance and doing SSH
      Launching an instance into our public subnet
      Launching an instance into our private subnet
    How it works...
    There's more...
    See also
  Setting up and configuring NAT instances
    Getting ready
    How to do it...
      Adding a route for the NAT instance
    How it works...
    There's more...
    See also
  Creating and attaching an IAM role to an EC2 instance
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using our own private and public keys with EC2
    Getting ready
    How to do it...
      Generating the keys
      Uploading a key to EC2
    How it works...
    There's more...
    See also
  Using EC2 user data to launch an instance with a web server
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Storing sensitive data with the Systems Manager Parameter Store
    Getting ready
    How to do it...
      Creating a parameter in the AWS Systems Manager Parameter Store
      Creating and attaching role for the AWS Systems Manager
      Retrieving parameters from the AWS Systems Manager Parameter Store
    How it works...
    There's more...
    See also
  Using KMS to encrypt data in EBS
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also

Web Security Using ELBs, CloudFront, and WAF
  Technical requirements
  Enabling HTTPS on an EC2 instance
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating an SSL/TLS certificate with ACM
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating a classic load balancer
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating ELB target groups
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using an application load balancer with TLS termination at the ELB
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using a network load balancer with TLS termination at EC2
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Securing S3 using CloudFront and TLS
    Getting ready
    How to do it...
      CloudFront distribution with CloudFront default domain
      CloudFront distribution with a custom domain and ACM certificate
    How it works...
    There's more...
    See also
  Configuring and using the AWS web application firewall (WAF)
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also

Monitoring with CloudWatch, CloudTrail, and Config
  Technical requirements
  Creating an SNS topic to send emails
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Working with CloudWatch alarms and metrics
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating a dashboard in CloudWatch
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating a CloudWatch log group
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Working with CloudWatch events
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Reading and filtering logs in CloudTrail
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating a trail in CloudTrail
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using Athena to query CloudTrail logs in S3
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Cross-account CloudTrail logging
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Integrating CloudWatch and CloudTrail
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Setting up and using AWS Config
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also

Compliance with GuardDuty, Macie, and Inspector
  Technical requirements
  Setting up and using Amazon GuardDuty
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Aggregating findings from multiple accounts in GuardDuty
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Setting up and using Amazon Macie
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Setting up and using Amazon Inspector
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating a custom Inspector template
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also

Additional Services and Practices for AWS Security
  Technical requirements
  Setting up and using AWS Security Hub
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Setting up and using AWS SSO
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Setting up and using AWS Resource Access Manager
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Protecting S3 Glacier vaults with Vault Lock
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using AWS Secrets Manager to manage RDS credentials
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Creating an AMI instead of using EC2 user data
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using security products from AWS Marketplace
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using AWS Trusted Advisor for recommendations
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also
  Using AWS Artifact for compliance reports
    Getting ready
    How to do it...
    How it works...
    There's more...
    See also

Other Books You May Enjoy
  Leave a review - let other readers know what you think