In this recipe, we will allow cross-account access to a bucket in one account (let's call this account A) to users in another account (let's call this account B), both through ACLs and bucket policies. Logging is a common use case for cross-account access. We can store our logs in a different account to provide access to an auditor or to secure them in case the account is compromised.
- Title Page
- Copyright and Credits
- Dedication
- About Packt
- Contributors
- Preface
- Managing AWS Accounts with IAM and Organizations
- Securing Data on S3 with Policies and Techniques
- Technical requirements
- Creating S3 access control lists
- Creating an S3 bucket policy
- S3 cross-account access from the CLI
- S3 pre-signed URLs with an expiry time using the CLI and Python
- Encrypting data on S3
- Protecting data with versioning
- Implementing S3 cross-region replication within the same account
- Implementing S3 cross-region replication across accounts
- User Pools and Identity Pools with Cognito
- Key Management with KMS and CloudHSM
- Technical requirements
- Creating keys in KMS
- Using keys with external key material
- Rotating keys in KMS
- Granting permissions programmatically with grants
- Using key policies with conditional keys
- Sharing customer-managed keys across accounts
- Creating a CloudHSM cluster
- Initializing and activating a CloudHSM cluster
- Network Security with VPC
- Working with EC2 Instances
- Technical requirements
- Creating and configuring security groups
- Launching an EC2 instance into a VPC
- Setting up and configuring NAT instances
- Creating and attaching an IAM role to an EC2 instance
- Using our own private and public keys with EC2
- Using EC2 user data to launch an instance with a web server
- Storing sensitive data with the Systems Manager Parameter Store
- Using KMS to encrypt data in EBS
- Web Security Using ELBs, CloudFront, and WAF
- Technical requirements
- Enabling HTTPS on an EC2 instance 
- Creating an SSL/TLS certificate with ACM
- Creating a classic load balancer
- Creating ELB target groups
- Using an application load balancer with TLS termination at the ELB
- Using a network load balancer with TLS termination at EC2
- Securing S3 using CloudFront and TLS
- Configuring and using the AWS web application firewall (WAF)
- Monitoring with CloudWatch, CloudTrail, and Config
- Technical requirements
- Creating an SNS topic to send emails
- Working with CloudWatch alarms and metrics
- Creating a dashboard in CloudWatch
- Creating a CloudWatch log group
- Working with CloudWatch events
- Reading and filtering logs in CloudTrail
- Creating a trail in CloudTrail
- Using Athena to query CloudTrail logs in S3
- Cross-account CloudTrail logging
- Integrating CloudWatch and CloudTrail
- Setting up and using AWS Config
- Compliance with GuardDuty, Macie, and Inspector
- Additional Services and Practices for AWS Security
- Technical requirements
- Setting up and using AWS Security Hub
- Setting up and using AWS SSO
- Setting up and using AWS Resource Access Manager
- Protecting S3 Glacier vaults with Vault Lock
- Using AWS Secrets Manager to manage RDS credentials
- Creating an AMI instead of using EC2 user data
- Using security products from AWS Marketplace
- Using AWS Trusted Advisor for recommendations
- Using AWS Artifact for compliance reports
- Other Books You May Enjoy
S3 cross-account access from the CLI
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.