Preface

This book will provide you with a deep understanding of the different security mechanisms that can be applied when architecting within the cloud, specifically within AWS. Security should always be the number one factor when deploying solutions, and understanding the impact of security at every layer is a requirement for any security practitioner.

You will be guided through every layer of AWS security from the following perspectives:

  • Access management and the different techniques that can be applied to enforce it
  • Policy management to understand how to define permissions that should be applied
  • Host security, defining best practices on protecting instances
  • Network and application security, ensuring neither are left vulnerable to exposures, vulnerabilities, or attacks
  • Incident response, and how to manage security incidents to minimize the blast radius
  • Log management, allowing full tracking and tracing of your solutions to automatically detect and remediate any issues found
  • How to accurately record and audit your infrastructure to maintain compliance with governance standards
  • Data protection, covering different encryption mechanisms to ensure your data is protected at rest and in transit

Who this book is for

The AWS Certified Security – Specialty certification is recommended for those who have at least 2 years of practical AWS production deployment experience, due to the level of depth and technical ability that is expected from the candidate.

You should also have some basic knowledge of security principles and concepts and, ideally, come from a background in IT security and governance. Also, if you are responsible for maintaining and implementing AWS security across production environments and are in a position similar to the following roles, then you are ideally suited to certify in this area:

  • Cloud security consultant
  • Cloud security architect
  • Cloud security engineer
  • DevSecOps engineer
  • Cloud security specialist

If you are looking to validate your knowledge of being able to architect, implement, maintain, and operate security features, techniques, and services within AWS, then this certification is the one for you!

What this book covers

Chapter 1, AWS Certified Security Specialty Exam Coverage, provides you with an understanding of the different assessment topics that will be covered throughout the exam across the five different domains, including incident response, logging and monitoring, infrastructure security, identity and access management, and data protection.

Chapter 2, AWS Shared Responsibility Model, looks at the three service models (infrastructure, container, and abstracted services) that define where your responsibility as a customer implementing, controlling, and managing security in AWS starts and ends, in addition to the responsibilities of AWS, which controls the security of the cloud.

Chapter 3, Access Management, outlines the core concepts of identity and access management through the use of users, groups, and roles, and the differences between them. It also dives into the different types of roles available and EC2 instance profiles, before finishing with an understanding of how to implement multi-factor authentication.

Chapter 4, Working with Access Policies, takes a deep look at the multitude of different access policies that exist across the AWS environment, and which policy type should be used in different circumstances.

You will also learn how to read JSON policies to evaluate their permissions and the steps involved to implement cross-account access.

Chapter 5, Federated and Mobile Access, provides you with a comprehensive understanding of different federated access methods, including enterprise identity and social identity federation to provide a single sign-on approach to your AWS environment. In addition, you will also be introduced to the Amazon Cognito service to understand access control through mobile applications and devices.

Chapter 6, Securing EC2 Instances, tackles the best approach to securing your instance infrastructure using a variety of techniques. These include performing vulnerability assessments using Amazon Inspector, managing your EC2 key pairs, using AWS Systems Manager to effectively administer your fleet of EC2 instances, and, should a security breach occur, isolating compromised EC2 instances for forensic investigation.

Chapter 7, Configuring Infrastructure Security, enables you to gain a full understanding and awareness of the range of Virtual Private Cloud (VPC) security features that AWS offers to effectively secure your VPC environments. By the end of the chapter, you will be able to confidently build a secure multi-subnet VPC using internet gateways, route tables, network access control lists, security groups, bastion hosts, NAT gateways, subnets, and virtual private gateways.

Chapter 8, Implementing Application Security, looks at how to minimize and mitigate threats against your application architecture using different AWS services to prevent them from being compromised. You will also be introduced to the configuration of securing your elastic load balancers using certificates and how to secure your APIs using AWS API Gateway.

Chapter 9, DDoS Protection, highlights how to utilize different AWS features and services to minimize threats against this very common attack to ensure that your infrastructure is not hindered or halted by the threat. You will gain an understanding of the different DDoS attack patterns and how AWS Shield can be used to provide added protection.

Chapter 10, Incident Response, explains the process and steps to manage a security incident and the best practices to help you reduce the blast radius of the attack. You will understand how to prepare for such incidents and the necessary response actions to isolate the issue using a forensic account.

Chapter 11, Securing Connections to Your AWS Environment, provides you with an understanding of the different methods of securely connecting your on-premises data centers to your AWS cloud environment using both a Virtual Private Network (VPN) and the AWS Direct Connect service.

Chapter 12, Implementing Logging Mechanisms, focuses on Amazon S3 server access logs, VPC flow logs, AWS CloudTrail logs, and the Amazon CloudWatch logging agent to enable you to track and record what is happening across your resources, allowing you to monitor your environment for potential weaknesses or signs of attack indicating a security threat.

Chapter 13, Auditing and Governance, looks at the different methods and AWS services that can play key parts in helping you to maintain a level of governance and how to provide evidence during an audit. You will be introduced to AWS Artifact, the integrity controls of AWS CloudTrail, AWS Config, and how to maintain compliance with Amazon Macie.

Chapter 14, Automating Security Threat Detection and Remediation, provides you with an understanding of how to implement automation to quickly identify, record, and remediate security threats as and when they occur. It looks at Amazon CloudWatch, Amazon GuardDuty, and AWS Security Hub to help you detect and automatically resolve and block potential security incidents.

Chapter 15, Discovering Security Best Practices, covers a wide range of different methods of implementing security best practices when working with AWS in an effort to enhance your security posture. It highlights and reviews a number of common best practices that are easy to implement and could play a huge role in protecting your solutions and data.

Chapter 16, Managing Key Infrastructure, takes a deep dive into two key management services, the AWS Key Management Service (KMS) and AWS CloudHSM. You will learn how to implement and manage encryption keys, how to secure your data with them, and which of the two services best meets your business requirements.

Chapter 17, Managing Data Security, introduces you to a variety of different encryption features related to a range of different services covering both storage and database services, including Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS), Amazon Simple Storage Service (S3), Amazon Relational Database Service (RDS), and Amazon DynamoDB.

Chapter 18, Mock Tests, provides you with two mock exams. Each of them is 65 questions in length to review your understanding of the content covered throughout this book to help you assess your level of exam readiness.

To get the most out of this book

Throughout this book, there are a number of demonstrations that you can follow to help with your learning. As a result, I suggest you create your own AWS account that is not used for any production environment. You can follow along on either a Linux-based or Windows-based operating system; however, I suggest you also have the AWS CLI installed.

Software/Hardware covered in the book   | OS Requirements
Amazon Web Services Management Console  | Any device with a modern browser
AWS Command Line Interface              | Linux/Windows

To create a new AWS account, please follow the guide found at: https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/.

To install the AWS CLI, please follow the guide found at: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html.

On completion of this book, I suggest you get as much hands-on experience with AWS as possible to use the different AWS services that are discussed to help reinforce the material from each of the chapters.

Code in Action

Code in Action videos for this book can be viewed at https://bit.ly/33jnvMT.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789534474_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The Principal parameter is used within resource-based policies to identify the user, role, account, or federated user."

A block of code is set as follows:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::356903128354:user/Stuart"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

[default]
exten => s,1,Dial(Zap/1|30)
exten => s,2,Voicemail(u100)
exten => s,102,Voicemail(b100)
exten => i,1,Voicemail(s0)

Any command-line input or output is written as follows:

$ mkdir css
$ cd css

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select Route Tables from the menu on the left and click the blue Create Route Table button."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.
