When speaking about cloud services, specifically Infrastructure as a Service (IaaS), the most commonly discussed resource is compute – from traditional virtual machines (VMs), through managed databases (which run on VMs on the backend), to modern compute architectures such as containers and, eventually, serverless.
This chapter will cover all types of compute services and provide you with best practices on how to securely deploy and manage each of them.
In this chapter, we will cover the following topics:
For this chapter, you need to have an understanding of VMs, what managed databases are, and what containers (and Kubernetes) are, as well as a fundamental understanding of serverless.
Each cloud provider has its own implementation of VMs (or virtual servers), but at the end of the day, the basic idea is the same:
According to the shared responsibility model, when using IaaS, we (as the customers) are responsible for the deployment and maintenance of virtual servers, as explained in the coming section.
Next, we are going to see what the best practices are for securing common VM services in AWS, Azure, and GCP.
Amazon EC2 is the Amazon VM service.
Following are some of the best practices to keep in mind:
For more information, please refer to the following resources:
Best practices for building AMIs:
https://docs.aws.amazon.com/marketplace/latest/userguide/best-practices-for-building-your-amis.html
https://aws.amazon.com/amazon-linux-2/
https://aws.amazon.com/ec2/nitro/
AWS does not have access to customers' VMs.
Whether you choose to deploy a Windows or a Linux machine, when you run the EC2 launch wizard, you must either choose an existing key pair or create a new one. The private key of this private/public key pair is available only to you – AWS does not retain it, and therefore cannot log in to your EC2 instance.
For Linux instances, the key pair is used for logging in to the machine via the SSH protocol.
Refer to the following link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html.
For Windows instances, the key pair is used to retrieve the built-in administrator's password.
Refer to the following link: https://docs.amazonaws.cn/en_us/AWSEC2/latest/WindowsGuide/ec2-windows-passwords.html.
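As a hedged illustration of this flow (the key name and instance address below are placeholders), a key pair can be created with the AWS CLI and then used to log in to a Linux instance over SSH:

```shell
# Create a key pair; AWS returns the private key material once,
# so save it locally at creation time.
aws ec2 create-key-pair --key-name my-ec2-key \
    --query 'KeyMaterial' --output text > my-ec2-key.pem

# Restrict permissions on the private key, as SSH requires.
chmod 400 my-ec2-key.pem

# Log in to a Linux instance using the private key.
ssh -i my-ec2-key.pem ec2-user@<INSTANCE-PUBLIC-IP>
```

For a Windows instance, the same private key would instead be used to decrypt the built-in administrator's password.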
The best practices are as follows:
For more information, please refer to the following resources:
How to use AWS Secrets Manager to securely store and rotate SSH key pairs:
Allow SSH connections through Session Manager:
Seamlessly join a Windows EC2 instance:
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html
Seamlessly join a Linux EC2 instance to your AWS-managed Microsoft AD directory:
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/seamlessly_join_linux_instance.html
Access to AWS resources and services such as EC2 instances is controlled via security groups (at the EC2 instance level) or a network access control list (NACL) (at the subnet level), which are equivalent to the on-premises layer 4 network firewall or access control mechanism.
As a customer, you configure parameters such as source IP (or CIDR), destination IP (or CIDR), destination port (or predefined protocol), and whether the port is TCP or UDP.
You may also reference another security group as either the source or destination of a security group rule.
For remote access and management of Linux machines, limit inbound network access to TCP port 22.
For remote access and management of Windows machines, limit inbound network access to TCP port 3389.
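A minimal sketch of such a rule with the AWS CLI, assuming a hypothetical security group and a trusted administrative CIDR range:

```shell
# Create a security group in a given VPC (the IDs are placeholders).
aws ec2 create-security-group --group-name admin-remote-access \
    --description "Remote admin access" --vpc-id <VPC-ID>

# Allow SSH (TCP port 22) inbound only from a trusted CIDR range.
aws ec2 authorize-security-group-ingress --group-id <SECURITY-GROUP-ID> \
    --protocol tcp --port 22 --cidr 203.0.113.0/24
```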
The best practices are as follows:
For more information, please refer to the following resources:
Amazon EC2 security groups for Linux instances: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
Security groups for your virtual private cloud (VPC): https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
AWS Systems Manager Session Manager:
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
Compare security groups and network ACLs:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
Instance metadata is a method to retrieve information about a running instance, such as the hostname and internal IP address.
Metadata about a running instance can be retrieved from within the instance, by either opening a browser from within the operating system or using the command line to access a URL such as http://169.254.169.254/latest/meta-data/.
Even though the IP address is an internal IP (meaning it cannot be accessed from outside the instance), the information, by default, can be retrieved locally without authentication.
AWS allows you to enforce authenticated or session-oriented requests to the instance metadata, also known as Instance Metadata Service Version 2 (IMDSv2).
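As a sketch of what such a session-oriented request looks like from within an instance, IMDSv2 first issues a short-lived session token and then requires that token on every metadata call:

```shell
# Request a session token, valid here for six hours.
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Use the token to retrieve metadata; unauthenticated IMDSv1-style
# requests fail once IMDSv2 is enforced.
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
    http://169.254.169.254/latest/meta-data/local-ipv4
```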
The following command uses the AWS CLI tool to enforce IMDSv2 on an existing instance:
aws ec2 modify-instance-metadata-options \
    --instance-id <INSTANCE-ID> \
    --http-endpoint enabled --http-tokens required
For more information, please refer to the following resource:
Configure the instance metadata service:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
For troubleshooting purposes, AWS allows you to connect using a serial console (a similar concept to what we used to have in the physical world with network equipment) to resolve network or operating system problems when SSH or RDP connections are not available.
The following command uses the AWS CLI tool to allow serial access at the AWS account level to a specific AWS Region:
aws ec2 enable-serial-console-access --region <Region_Code>
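Conversely, since serial access is enabled account-wide per Region, you may want to verify its status and revoke it when it is not needed; a hedged sketch:

```shell
# Check whether serial console access is currently allowed in the Region.
aws ec2 get-serial-console-access-status --region <Region_Code>

# Disable serial console access when it is no longer required.
aws ec2 disable-serial-console-access --region <Region_Code>
```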
Since this type of remote connectivity exposes your EC2 instance, it is recommended to follow these best practices:
For more information, please refer to the following resource:
Configure access to the EC2 serial console:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
Patch management is a crucial part of every instance's ongoing maintenance.
To deploy security patches for either Windows or Linux-based instances in a standard manner, it is recommended to use AWS Systems Manager Patch Manager, following this method:
The best practices are as follows:
For more information, please refer to the following resource:
Software patching with AWS Systems Manager:
https://aws.amazon.com/blogs/mt/software-patching-with-aws-systems-manager/
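As a hedged sketch of Patch Manager in action, a one-off compliance scan (without installing anything) can be pushed to a managed instance via the AWS-RunPatchBaseline document; the instance ID is a placeholder:

```shell
# Run a patch compliance scan on a Systems Manager-managed instance.
aws ssm send-command \
    --document-name "AWS-RunPatchBaseline" \
    --targets "Key=instanceids,Values=<INSTANCE-ID>" \
    --parameters 'Operation=Scan'
```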
Backing up is crucial for EC2 instance recovery.
The AWS Backup service encrypts your backups in transit and at rest using AWS encryption keys, stored in AWS Key Management Service (KMS) (as explained in Chapter 7, Applying Encryption in Cloud Services), as an extra layer of security, independent of your Elastic Block Store (EBS) volume or snapshot encryption keys.
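As a hedged sketch (the vault name and ARNs are placeholders), an on-demand backup job for an EC2 instance can be started with the AWS CLI:

```shell
# Start an on-demand backup job into an existing backup vault.
aws backup start-backup-job \
    --backup-vault-name MyBackupVault \
    --resource-arn <EC2-INSTANCE-ARN> \
    --iam-role-arn <BACKUP-IAM-ROLE-ARN>
```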
The best practices are as follows:
For more information, please refer to the following resources:
Protecting your data with AWS Backup:
https://aws.amazon.com/blogs/storage/protecting-your-data-with-aws-backup/
Creating backup copies across AWS Regions:
https://docs.aws.amazon.com/aws-backup/latest/devguide/cross-region-backup.html
In this section, we have learned how to securely maintain a VM, based on AWS infrastructure – from logging in to securing network access, troubleshooting using a serial console, patch management, and backup.
Azure Virtual Machines is the Azure VM service.
Following are some of the best practices to keep in mind:
For more information, please refer to the following resources:
https://docs.microsoft.com/en-us/azure/virtual-machines/image-builder-overview
Using Azure for cloud-based confidential computing:
Microsoft does not have access to customers' VMs.
When you run the create a virtual machine wizard to deploy a new Linux machine, by default, you must either choose an existing key pair or create a new one.
This set of private/public keys is generated on the client side – Azure does not have any access to these keys, and therefore cannot log in to your Linux VM.
For Linux instances, the key pair is used for logging in to the machine via the SSH protocol.
For more information, please refer to the following resource:
Generate and store SSH keys in the Azure portal:
https://docs.microsoft.com/en-us/azure/virtual-machines/ssh-keys-portal
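A minimal sketch of this flow with a locally generated key pair (the resource names are hypothetical):

```shell
# Generate an SSH key pair locally; Azure never sees the private key.
ssh-keygen -m PEM -t rsa -b 4096 -f ~/.ssh/azure_vm_key

# Create a Linux VM that accepts the public key for SSH login.
az vm create --resource-group myResourceGroup --name myLinuxVM \
    --image UbuntuLTS --admin-username azureuser \
    --ssh-key-values ~/.ssh/azure_vm_key.pub
```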
For Windows machines, when running the create a new virtual machine wizard, you are asked to specify your own administrator account and password to log in to the machine via the RDP protocol.
For more information, please refer to the following resource:
The best practices are as follows:
For more information, please refer to the following resources:
Azure Bastion:
https://azure.microsoft.com/en-us/services/azure-bastion
Join a Windows Server VM to an Azure AD Domain Services-managed domain using a Resource Manager template:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template
Join a Red Hat Enterprise Linux VM to an Azure AD Domain Services-managed domain:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-rhel-linux-vm
Access to Azure resources and services such as VMs is controlled via network security groups, which are equivalent to the on-premises layer 4 network firewall or access control mechanism.
As a customer, you configure parameters such as source IP (or CIDR), destination IP (or CIDR), source port (or a predefined protocol), destination port (or a predefined protocol), whether the port is TCP or UDP, and the action to take (either allow or deny).
For remote access and management of Linux machines, limit inbound network access to TCP port 22.
For remote access and management of Windows machines, limit inbound network access to TCP port 3389.
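A hedged sketch of such a rule with the Azure CLI, assuming an existing network security group and a trusted administrative CIDR range:

```shell
# Allow SSH (TCP port 22) inbound only from a trusted CIDR range.
az network nsg rule create --resource-group myResourceGroup \
    --nsg-name myNSG --name AllowAdminSSH --priority 1000 \
    --direction Inbound --access Allow --protocol Tcp \
    --destination-port-ranges 22 \
    --source-address-prefixes 203.0.113.0/24
```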
The best practices are as follows:
For more information, please refer to the following resources:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
How to open ports to a VM with the Azure portal:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal
Azure Bastion:
https://azure.microsoft.com/en-us/services/azure-bastion
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
For troubleshooting purposes, Azure allows you to connect using a serial console (a similar concept to what we used to have in the physical world with network equipment) to resolve network or operating system problems when SSH or RDP connections are not available.
The following commands use the Azure CLI tool to allow serial access for the entire Azure subscription:
subscriptionId=$(az account show --output=json | jq -r .id)
az resource invoke-action --action enableConsole \
    --ids "/subscriptions/$subscriptionId/providers/Microsoft.SerialConsole/consoleServices/default" \
    --api-version="2018-05-01"
Since this type of remote connectivity exposes your VMs, it is recommended to follow these best practices:
For more information, please refer to the following resources:
Azure serial console for Linux:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux
Azure serial console for Windows:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-windows
Patch management is a crucial part of every instance's ongoing maintenance.
To deploy security patches for either Windows or Linux-based instances in a standard manner, it is recommended to use Azure Automation Update Management, using the following method:
The best practices are as follows:
For more information, please refer to the following resources:
Azure Automation Update Management:
https://docs.microsoft.com/en-us/azure/architecture/hybrid/azure-update-mgmt
Manage updates and patches for your VMs:
https://docs.microsoft.com/en-us/azure/automation/update-management/manage-updates-for-vm
Update management permissions:
Backing up is crucial for VM recovery.
The Azure Backup service encrypts your backups in transit and at rest using Azure Key Vault (as explained in Chapter 7, Applying Encryption in Cloud Services).
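As a hedged sketch (the names are placeholders), enabling backup for a VM into a Recovery Services vault can be done with the Azure CLI:

```shell
# Enable backup for a VM using the vault's default policy.
az backup protection enable-for-vm \
    --resource-group myResourceGroup \
    --vault-name myRecoveryVault \
    --vm myVM --policy-name DefaultPolicy
```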
The best practices are as follows:
For more information, please refer to the following resources:
Security features to help protect hybrid backups that use Azure Backup:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-security-feature
Use Azure RBAC to manage Azure backup recovery points:
https://docs.microsoft.com/en-us/azure/backup/backup-rbac-rs-vault
Azure Policy Regulatory Compliance controls for Azure Backup:
https://docs.microsoft.com/en-us/azure/backup/security-controls-policy
https://docs.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud
Cross Region Restore (CRR) for Azure Virtual Machines using Azure Backup:
In this section, we have learned how to securely maintain a VM, based on Azure infrastructure – from logging in to securing network access, troubleshooting using a serial console, patch management, and backup.
Following are some of the best practices to keep in mind:
For more information, please refer to the following resources:
List of public images available on GCE:
https://cloud.google.com/compute/docs/images
Confidential Computing:
https://cloud.google.com/confidential-computing
Google does not have access to customers' VM instances.
When you run the create instance wizard, no credentials are generated.
For Linux instances, you need to manually create a key pair and add the public key to either the instance metadata or the entire GCP project metadata to log in to the machine instance via the SSH protocol.
For more information, please refer to the following resource:
Managing SSH keys in metadata:
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
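A minimal sketch of this flow (the username and instance name are hypothetical); note that writing the ssh-keys metadata value replaces any existing value, so existing keys should be merged into the file first:

```shell
# Generate a key pair locally.
ssh-keygen -t rsa -f ~/.ssh/gcp_key -C jane

# Build the metadata entry in the expected USERNAME:PUBLIC_KEY format.
echo "jane:$(cat ~/.ssh/gcp_key.pub)" > ssh-keys.txt

# Attach the public key to a single instance's metadata
# (this overwrites the instance's existing ssh-keys value).
gcloud compute instances add-metadata my-instance \
    --metadata-from-file ssh-keys=ssh-keys.txt
```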
For Windows machine instances, you need to manually reset the built-in administrator's password to log in to the machine instance via the RDP protocol.
For more information, please refer to the following resource:
Creating passwords for Windows VMs:
https://cloud.google.com/compute/docs/instances/windows/creating-passwords-for-windows-instances
The best practices are as follows:
For more information, please refer to the following resources:
Quickstart: Joining a Windows VM to a domain:
https://cloud.google.com/managed-microsoft-ad/docs/quickstart-domain-join-windows
Quickstart: Joining a Linux VM to a domain:
https://cloud.google.com/managed-microsoft-ad/docs/quickstart-domain-join-linux
Access to GCP resources and services such as VM instances is controlled via VPC firewall rules, which are equivalent to the on-premises layer 4 network firewall or access control mechanism.
As a customer, you configure parameters such as the source IP (or CIDR), source service, source tags, destination port (or a predefined protocol), whether the port is TCP or UDP, whether the traffic direction is ingress or egress, and the action to take (either allow or deny).
For remote access and management of Linux machines, limit inbound network access to TCP port 22.
For remote access and management of Windows machines, limit inbound network access to TCP port 3389.
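A hedged sketch of such a rule with the Google Cloud SDK, assuming a trusted administrative CIDR range and a hypothetical network tag:

```shell
# Allow SSH (TCP port 22) only from a trusted CIDR range,
# scoped to instances carrying a specific network tag.
gcloud compute firewall-rules create allow-admin-ssh \
    --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges=203.0.113.0/24 --target-tags=admin-ssh
```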
The best practices are as follows:
For more information, please refer to the following resource:
Use fewer, broader firewall rule sets when possible:
https://cloud.google.com/architecture/best-practices-vpc-design#fewer-firewall-rules
For troubleshooting purposes, GCP allows you to connect using a serial console (a similar concept to what we used to have in the physical world with network equipment) to resolve network or operating system problems when SSH or RDP connections are not available.
The following command uses the Google Cloud SDK to allow serial access on the entire GCP project:
gcloud compute project-info add-metadata \
    --metadata serial-port-enable=TRUE
Since this type of remote connectivity exposes your VMs, it is recommended to follow these best practices:
For more information, please refer to the following resource:
Troubleshooting using the serial console:
https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-using-serial-console
Patch management is a crucial part of every instance's ongoing maintenance.
To deploy security patches for either Windows- or Linux-based instances, in a standard manner, it is recommended to use Google operating system patch management, using the following method:
The best practices are as follows:
For more information, please refer to the following resources:
Operating system patch management:
https://cloud.google.com/compute/docs/os-patch-management
https://cloud.google.com/compute/docs/os-patch-management/create-patch-job
Best practices for operating system updates at scale:
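As a hedged sketch of the patch management service, a one-off patch job can be run against all instances in the current project:

```shell
# Execute an immediate patch job across all instances in the project.
gcloud compute os-config patch-jobs execute --instance-filter-all
```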
In this section, we have learned how to securely maintain a VM, based on GCP infrastructure – from logging in to securing network access, troubleshooting using the serial console, and patch management.
Each cloud provider has its own implementation of managed databases.
According to the shared responsibility model, if we choose to use a managed database, the cloud provider is responsible for the operating system and database layers of the managed database (including patch management, backups, and auditing).
If we have the requirement to deploy a specific build of a database, we can always deploy it inside a VM, but according to the shared responsibility model, we will oversee the entire operating system and database maintenance (including hardening, backup, patch management, and monitoring).
A managed database is a managed solution for running a database engine – either a common engine such as MySQL, PostgreSQL, Microsoft SQL Server, or Oracle Database, or a proprietary database such as Amazon DynamoDB, Azure Cosmos DB, or Google Cloud Spanner – but at the end of the day, the basic idea is the same:
There are various reasons for choosing a managed database solution:
Since there is a variety of database types and several database engines, in this chapter, we will focus on a single, popular relational database engine – MySQL.
This chapter will not be focusing on non-relational databases.
Next, we are going to see what the best practices are for securing common managed MySQL database services from AWS, Azure, and GCP.
Amazon Relational Database Service (RDS) for MySQL is the Amazon-managed MySQL service.
MySQL supports the following types of authentication methods:
The best practices are as follows:
For more information, please refer to the following resources:
IAM database authentication for MySQL:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
Using Kerberos authentication for MySQL:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mysql-kerberos.html
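As a hedged sketch of IAM database authentication (the RDS endpoint and username are placeholders), a short-lived token replaces the stored password:

```shell
# Generate a short-lived authentication token for the database user.
TOKEN=$(aws rds generate-db-auth-token \
    --hostname <RDS-ENDPOINT> --port 3306 --username db_user)

# Connect over TLS using the token instead of a stored password.
mysql -h <RDS-ENDPOINT> -P 3306 -u db_user \
    --password="$TOKEN" --enable-cleartext-plugin \
    --ssl-ca=global-bundle.pem
```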
Access to a managed MySQL database service is controlled via database security groups, which are equivalent to EC2 security groups and to the on-premises layer 4 network firewall or access control mechanism.
As a customer, you configure parameters such as the source IP (or CIDR) of your web or application servers and the destination IP (or CIDR) of your managed MySQL database service, and AWS configures the port automatically.
The best practices are as follows:
For more information, please refer to the following resources:
Controlling access to RDS with security groups:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html
Amazon RDS API and interface VPC endpoints (AWS PrivateLink):
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/vpc-interface-endpoints.html
A database is meant to store data.
In many cases, a database (and, in this case, a managed MySQL database) may contain sensitive customer data (from a retail store containing customers' data to an organization's sensitive HR data).
To protect customers' data, it is recommended to encrypt data both in transit (as data passes through the network), to prevent an external party from eavesdropping on it, and at rest (data stored inside a database), to avoid data being revealed, even to an internal database administrator.
Encryption allows you to maintain data confidentiality and data integrity (ensuring your data is not changed by an untrusted party).
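As a hedged sketch, encryption in transit can be enforced on the server side via the require_secure_transport parameter (the parameter group name is a placeholder):

```shell
# Force all client connections to the RDS MySQL instance to use SSL/TLS.
aws rds modify-db-parameter-group \
    --db-parameter-group-name my-mysql-params \
    --parameters "ParameterName=require_secure_transport,ParameterValue=1,ApplyMethod=immediate"
```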
The best practices are as follows:
For more information, please refer to the following resources:
Using SSL with a MySQL database instance:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
Updating applications to connect to MySQL database instances using new SSL/TLS certificates:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-mysql.html
Select the right encryption options for Amazon RDS database engines:
CMK management:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.html
Auditing is a crucial part of data protection.
As with any other managed service, AWS allows you to enable logging and auditing using two built-in services:
The best practices are as follows:
For more information, please refer to the following resources:
Using Amazon RDS event notifications:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html
Working with AWS CloudTrail and Amazon RDS:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/logging-using-cloudtrail.html
In this section, we have learned how to securely maintain a managed MySQL database, based on AWS infrastructure – from logging in, to securing network access, to data encryption (in transit and at rest), and logging and auditing.
Azure Database for MySQL is the Azure-managed MySQL service.
MySQL supports the following types of authentication methods:
The best practices are as follows:
For more information, please refer to the following resources:
Use Azure AD for authenticating with MySQL:
https://docs.microsoft.com/en-us/azure/mysql/concepts-azure-ad-authentication
Use Azure AD for authentication with MySQL:
https://docs.microsoft.com/en-us/azure/mysql/howto-configure-sign-in-azure-ad-authentication
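A hedged sketch of Azure AD authentication (the server name and user are placeholders): an access token is obtained for the open source RDBMS resource and used in place of a password:

```shell
# Obtain an Azure AD access token scoped to Azure open source databases.
TOKEN=$(az account get-access-token \
    --resource-type oss-rdbms --query accessToken --output tsv)

# Connect using the token in place of a password.
mysql -h <SERVER-NAME>.mysql.database.azure.com \
    -u <AAD-USER>@<SERVER-NAME> \
    --password="$TOKEN" --enable-cleartext-plugin
```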
Access to a managed MySQL database service is controlled via firewall rules, which allow you to configure which IP addresses (or CIDR) are allowed to access your managed MySQL database.
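For the single server deployment model, such a rule might look like this (the names and addresses are placeholders):

```shell
# Allow only a specific application address range to reach the server.
az mysql server firewall-rule create \
    --resource-group myResourceGroup --server-name my-mysql-server \
    --name AllowAppServers \
    --start-ip-address 203.0.113.10 --end-ip-address 203.0.113.20
```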
The best practices are as follows:
For more information, please refer to the following resources:
Azure Database for MySQL server firewall rules:
https://docs.microsoft.com/en-us/azure/mysql/concepts-firewall-rules
Use VNet service endpoints and rules for Azure Database for MySQL:
https://docs.microsoft.com/en-us/azure/mysql/concepts-data-access-and-security-vnet
A database is meant to store data.
In many cases, a database (and, in this case, a managed MySQL database) may contain sensitive customer data (from a retail store containing customers' data to an organization's sensitive HR data).
To protect customers' data, it is recommended to encrypt data both in transit (as the data passes through the network), to prevent an external party from eavesdropping on it, and at rest (data stored inside a database), to avoid data being revealed, even to an internal database administrator.
Encryption allows you to maintain data confidentiality and data integrity (ensuring your data is not changed by an untrusted party).
The best practices are as follows:
For more information, please refer to the following resources:
Azure Database for MySQL data encryption with a customer-managed key:
https://docs.microsoft.com/en-us/azure/mysql/concepts-data-encryption-mysql
Azure security baseline for Azure Database for MySQL:
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/mysql-security-baseline
Auditing is a crucial part of data protection.
As with any other managed service, Azure allows you to enable logging and auditing using two built-in services:
The best practices are as follows:
For more information, please refer to the following resources:
Audit logs in Azure Database for MySQL:
https://docs.microsoft.com/en-us/azure/mysql/concepts-audit-logs
Configure and access audit logs for Azure Database for MySQL in the Azure portal:
https://docs.microsoft.com/en-us/azure/mysql/howto-configure-audit-logs-portal
Best practices for alerting on metrics with Azure Database for MySQL monitoring:
Security considerations for monitoring data:
In this section, we have learned how to securely maintain a managed MySQL database, based on Azure infrastructure – from logging in, to securing network access, to data encryption (in transit and at rest), and logging and auditing.
Google Cloud SQL for MySQL is the Google-managed MySQL service.
MySQL supports the following types of authentication methods:
The best practices are as follows:
For more information, please refer to the following resources:
Creating and managing MySQL users:
https://cloud.google.com/sql/docs/mysql/create-manage-users
MySQL users:
https://cloud.google.com/sql/docs/mysql/users
Roles and permissions in Cloud SQL:
https://cloud.google.com/sql/docs/mysql/roles-and-permissions
Access to a managed MySQL database service is controlled via one of the following options:
The best practices are as follows:
For more information, please refer to the following resources:
Authorizing with authorized networks:
https://cloud.google.com/sql/docs/mysql/authorize-networks
Connecting using the Cloud SQL Auth proxy:
https://cloud.google.com/sql/docs/mysql/connect-admin-proxy
Cloud VPN overview:
https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview
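As a hedged sketch of the authorized networks option (the instance name and CIDR are placeholders):

```shell
# Restrict direct connections to a trusted CIDR range only.
gcloud sql instances patch my-sql-instance \
    --authorized-networks=203.0.113.0/24
```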
A database is meant to store data.
In many cases, a database (and, in this case, a managed MySQL database) may contain sensitive customer data (from a retail store containing customer data to an organization's sensitive HR data).
To protect customers' data, it is recommended to encrypt data both in transit (as the data passes through the network), to prevent an external party from eavesdropping on it, and at rest (data stored inside a database), to avoid data being revealed, even to an internal database administrator.
Encryption allows you to maintain data confidentiality and data integrity (ensuring your data is not changed by an untrusted party).
The best practices are as follows:
For more information, please refer to the following resources:
Configuring SSL/TLS certificates:
https://cloud.google.com/sql/docs/mysql/configure-ssl-instance#enforce-ssl
https://cloud.google.com/sql/docs/mysql/client-side-encryption
Overview of CMEKs:
https://cloud.google.com/sql/docs/mysql/cmek
Using CMEKs:
https://cloud.google.com/sql/docs/mysql/configure-cmek
Auditing is a crucial part of data protection.
As with any other managed service, GCP allows you to enable logging and auditing using Google Cloud Audit Logs.
The best practices are as follows:
For more information, please refer to the following resources:
Audit logs:
https://cloud.google.com/sql/docs/mysql/audit-logging
https://cloud.google.com/logging/docs/audit
Configuring data access audit logs:
https://cloud.google.com/logging/docs/audit/configure-data-access
Permissions and roles:
https://cloud.google.com/logging/docs/access-control#permissions_and_roles
In this section, we have learned how to securely maintain a managed MySQL database, based on GCP infrastructure – from logging in, to securing network access, to data encryption (in transit and at rest), and logging and auditing.
Following VMs, the next evolution in the compute era is containers.
Containers behave like VMs, but with a much smaller footprint.
Instead of having to deploy an application above an entire operating system, you could use containers to deploy your required application, with only the minimum required operating system libraries and binaries.
Containers have the following benefits over VMs:
The following diagram presents the architectural differences between VMs and containers:
If you are still in the development phase, you can install a container engine on your laptop and create a new container (or download an existing one) locally until development is complete.
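As a hedged local sketch of this development workflow using Docker (the image is just a public example):

```shell
# Pull a small public image and run it locally, publishing port 8080.
docker pull nginx:alpine
docker run -d --name local-web -p 8080:80 nginx:alpine

# Verify the container responds, then clean up.
curl -s http://localhost:8080 >/dev/null && echo "container is serving"
docker rm -f local-web
```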
When you move to production and have a requirement to run hundreds of container instances, you need an orchestrator – a mechanism (or a managed service) for managing container deployment, health check monitoring, container recycling, and more.
Docker was adopted by the industry as a de facto standard for wrapping containers, and in the past couple of years, more and more cloud vendors have begun to support a new initiative for wrapping containers called the Open Container Initiative (OCI).
Kubernetes is an open source project (developed initially by Google) and is now considered the industry de facto standard for orchestrating, deploying, scaling, and managing containers.
In this section, I will present the most common container orchestrators available as managed services.
For more information, please refer to the following resources:
What is a container?
https://www.docker.com/resources/what-container
Open Container Initiative:
OCI artifact support in Amazon ECR:
https://aws.amazon.com/blogs/containers/oci-artifact-support-in-amazon-ecr/
Azure and OCI images:
GCP and OCI image format:
https://cloud.google.com/artifact-registry/docs/supported-formats#oci
The Kubernetes project:
Next, we are going to see what the best practices are for securing common container and Kubernetes services from AWS, Azure, and GCP.
ECS is the Amazon-managed container orchestration service.
It can integrate with other AWS services such as Amazon Elastic Container Registry (ECR) for storing containers, AWS IAM for managing permissions to ECS, and Amazon CloudWatch for monitoring ECS.
AWS IAM is the supported service for managing permissions to access and run containers through Amazon ECS.
The best practices are as follows:
For more information, please refer to the following resources:
Amazon ECS container instance IAM role:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
IAM roles for tasks:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
Authorization based on Amazon ECS tags:
Using IAM to control filesystem data access:
https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
Amazon ECS task and container security:
https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html
Since Amazon ECS is a managed service, it is located outside the customer's VPC. To secure access from your VPC to the managed ECS environment, you can use AWS PrivateLink, which keeps network traffic between your VPC and ECS off the public internet by routing it through an interface VPC endpoint.
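A hedged sketch of creating one such interface endpoint (the IDs and Region are placeholders; ECS also uses the ecs-agent and ecs-telemetry endpoints):

```shell
# Create an interface VPC endpoint for the ECS API.
aws ec2 create-vpc-endpoint --vpc-id <VPC-ID> \
    --vpc-endpoint-type Interface \
    --service-name com.amazonaws.<REGION>.ecs \
    --subnet-ids <SUBNET-ID> --security-group-ids <SECURITY-GROUP-ID>
```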
The best practices are as follows:
For more information, please refer to the following resource:
Amazon ECS interface VPC endpoints (AWS PrivateLink):
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/vpc-endpoints.html
Auditing is a crucial part of data protection.
As with any other managed service, AWS allows you to enable logging and auditing using two built-in services:
The best practices are as follows:
For more information, please refer to the following resources:
Logging and monitoring in Amazon ECS:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-logging-monitoring.html
Logging Amazon ECS API calls with AWS CloudTrail:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html
Security configuration is a crucial part of your infrastructure.
Amazon allows you to conduct ongoing compliance checks against well-known security standards (such as the Center for Internet Security Benchmarks).
The best practices are as follows:
For more information, please refer to the following resources:
Docker Bench for Security:
https://github.com/docker/docker-bench-security
Amazon ECR private repositories:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html
In this section, we have learned how to securely maintain Amazon ECS, based on AWS infrastructure – from logging in, to securing network access, to logging and auditing, and security compliance.
EKS is the Amazon-managed Kubernetes orchestration service.
It can integrate with other AWS services, such as Amazon ECR for storing containers, AWS IAM for managing permissions to EKS, and Amazon CloudWatch for monitoring EKS.
AWS IAM is the supported service for managing permissions to access and run containers through Amazon EKS.
The best practices are as follows:
For more information, please refer to the following resources:
How Amazon EKS works with IAM:
https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html
IAM roles for service accounts:
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
IAM:
https://aws.github.io/aws-eks-best-practices/security/docs/iam/
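The IAM-roles-for-service-accounts (IRSA) mechanism referenced above hinges on a trust policy that scopes the role to one Kubernetes service account. The sketch below builds such a trust policy; the account ID, OIDC provider ID, namespace, and service account name are all placeholders:

```python
import json

# Placeholders: account ID, EKS OIDC provider ID, namespace/service account.
oidc = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
trust_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": f"arn:aws:iam::111122223333:oidc-provider/{oidc}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            # Restrict the role to exactly one service account in one namespace
            "StringEquals": {f"{oidc}:sub": "system:serviceaccount:prod:my-app"}
        },
    }],
}
print(json.dumps(trust_policy, indent=2))
```

Without the `Condition` block, any Pod in the cluster could assume the role, defeating the least-privilege intent.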
Since Amazon EKS is a managed service, it is located outside the customer's VPC. To secure access from your VPC to the managed EKS environment, use AWS PrivateLink, which keeps network traffic off the public internet by routing it through an interface VPC endpoint inside your VPC.
The best practices are as follows:
For more information, please refer to the following resources:
Network security:
https://aws.github.io/aws-eks-best-practices/security/docs/network
Amazon EKS networking:
https://docs.aws.amazon.com/eks/latest/userguide/eks-networking.html
Introducing security groups for Pods:
https://aws.amazon.com/blogs/containers/introducing-security-groups-for-pods/
EKS best practice guides:
https://aws.github.io/aws-eks-best-practices/
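One of the network controls those guides recommend is restricting Pod-to-Pod traffic with a Kubernetes `NetworkPolicy`. The manifest below is a minimal sketch (Kubernetes accepts JSON manifests as well as YAML); the namespace, labels, and port are hypothetical:

```python
import json

# Allow only frontend Pods to reach api Pods on TCP 8080; all other
# ingress to the api Pods is denied (names/labels are placeholders).
network_policy = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-frontend-to-api", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}
print(json.dumps(network_policy, indent=2))
```

Selecting Pods with `podSelector` while listing only one `ingress` rule gives you a default-deny posture for everything else targeting those Pods.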
Auditing is a crucial part of data protection.
As with any other managed service, AWS allows you to enable logging and auditing using two built-in services:
The best practices are as follows:
For more information, please refer to the following resources:
Amazon EKS control plane logging:
https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
Auditing and logging:
https://aws.github.io/aws-eks-best-practices/security/docs/detective/
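EKS control plane logging is enabled per log type. The sketch below shows the shape of the `logging` argument you would pass to `aws eks update-cluster-config`, enabling all five control plane log types:

```python
import json

# The five EKS control plane log types, all enabled
# (the cluster this is applied to is a placeholder).
logging_config = {
    "clusterLogging": [
        {
            "types": ["api", "audit", "authenticator",
                      "controllerManager", "scheduler"],
            "enabled": True,
        }
    ]
}
print(json.dumps(logging_config))
```

The `audit` and `authenticator` types are the most security-relevant, recording API requests and authentication decisions respectively.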
Security configuration is a crucial part of your infrastructure.
Amazon allows you to conduct ongoing compliance checks against well-known security standards (such as CIS Benchmarks).
The best practices are as follows:
For more information, please refer to the following resources:
Configuration and vulnerability analysis in Amazon EKS:
https://docs.aws.amazon.com/eks/latest/userguide/configuration-vulnerability-analysis.html
Introducing the CIS Amazon EKS Benchmark:
https://aws.amazon.com/blogs/containers/introducing-cis-amazon-eks-benchmark/
Compliance:
https://aws.github.io/aws-eks-best-practices/security/docs/compliance/
Image security:
https://aws.github.io/aws-eks-best-practices/security/docs/image/
Pod security:
https://aws.github.io/aws-eks-best-practices/security/docs/pods/
kube-bench:
https://github.com/aquasecurity/kube-bench
Docker Bench for Security:
https://github.com/docker/docker-bench-security
Amazon ECR private repositories:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html
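Image scanning in Amazon ECR, mentioned above, returns findings you can act on in a pipeline. The sketch below summarizes findings by severity so a build could fail on `HIGH` or `CRITICAL` results; the response is trimmed sample data shaped like the `describe-image-scan-findings` output, not a real scan:

```python
from collections import Counter

# Trimmed sample shaped like ECR's describe-image-scan-findings response
# (CVE IDs and severities are illustrative only).
scan_response = {
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-2023-0001", "severity": "HIGH"},
            {"name": "CVE-2023-0002", "severity": "LOW"},
            {"name": "CVE-2023-0003", "severity": "HIGH"},
        ]
    }
}

def severity_summary(response):
    """Count findings per severity so a CI gate can block risky images."""
    return Counter(f["severity"]
                   for f in response["imageScanFindings"]["findings"])

summary = severity_summary(scan_response)
print(dict(summary))
```

A deployment gate might then refuse any image where `summary["HIGH"] + summary["CRITICAL"] > 0`.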
In this section, we have learned how to securely maintain Amazon EKS, based on AWS infrastructure – from logging in, to securing network access, to logging and auditing, and security compliance.
ACI (Azure Container Instances) is the Azure-managed service for running containers on demand, without managing the underlying servers or a full orchestration platform.
It can integrate with other Azure services, such as Azure Container Registry (ACR) for storing containers, Azure AD for managing permissions to ACI, Azure Files for persistent storage, and Azure Monitor.
Although ACI does not have its own authentication mechanism, it is recommended to use ACR to store your container images in a private registry.
ACR supports the following authentication methods:
The best practices are as follows:
For more information, please refer to the following resources:
Authenticate with ACR:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication
ACR roles and permissions:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles
Encrypt a registry using a customer-managed key:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-customer-managed-keys
Auditing is a crucial part of data protection.
As with any other managed service, Azure allows you to enable logging and auditing using Azure Monitor for containers – a service that logs container-related activities and raises alerts according to predefined thresholds (for example, low memory or high CPU usage, which requires scaling up your container environment).
The best practices are as follows:
For more information, please refer to the following resources:
Container insights overview:
https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-overview
Container monitoring solution in Azure Monitor:
https://docs.microsoft.com/en-us/azure/azure-monitor/containers/containers
Security configuration is a crucial part of your infrastructure.
Azure allows you to conduct ongoing compliance checks against well-known security standards (such as CIS Benchmarks).
The best practices are as follows:
For more information, please refer to the following resources:
Azure security baseline for ACI:
Azure security baseline for ACR:
Security considerations for ACI:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-image-security
Introduction to private Docker container registries in Azure:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro
In this section, we have learned how to securely maintain ACI, based on Azure infrastructure – from logging in to auditing and monitoring and security compliance.
AKS is the Azure-managed Kubernetes orchestration service.
It can integrate with other Azure services, such as ACR for storing containers, Azure AD for managing permissions to AKS, Azure Files for persistent storage, and Azure Monitor.
Azure AD is the supported service for managing permissions to access and run containers through Azure AKS.
The best practices are as follows:
For more information, please refer to the following resources:
AKS-managed Azure AD integration:
https://docs.microsoft.com/en-us/azure/aks/managed-aad
Best practices for authentication and authorization in AKS:
https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-identity
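With AKS-managed Azure AD integration, Kubernetes RBAC bindings reference Azure AD groups by their object ID. The sketch below grants an Azure AD group read-only access to one namespace; the GUID is a placeholder for a real group object ID:

```python
import json

# Bind the built-in "view" ClusterRole to an Azure AD group within the
# "dev" namespace (the subject name is the AAD group *object ID* - the
# GUID below is a placeholder).
role_binding = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "dev-team-view", "namespace": "dev"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "view"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                  "kind": "Group",
                  "name": "00000000-0000-0000-0000-000000000000"}],
}
print(json.dumps(role_binding, indent=2))
```

Using a `RoleBinding` (rather than a `ClusterRoleBinding`) scopes the group's access to the single namespace, which matches the least-privilege guidance above.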
Azure AKS exposes services to the internet – for that reason, it is important to plan before deploying each Azure AKS cluster.
The best practices are as follows:
For more information, please refer to the following resources:
Best practices for network connectivity and security in AKS:
https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-network
Best practices for cluster isolation in AKS:
https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-isolation
Create a private AKS cluster:
https://docs.microsoft.com/en-us/azure/aks/private-clusters
Auditing is a crucial part of data protection.
As with any other managed service, Azure allows you to enable logging and auditing using Azure Monitor for containers – a service that logs container-related activities and raises alerts according to predefined thresholds (for example, low memory or high CPU usage, which requires scaling up your container environment).
The best practices are as follows:
For more information, please refer to the following resources:
Container insights overview:
https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-overview
Container monitoring solution in Azure Monitor:
https://docs.microsoft.com/en-us/azure/azure-monitor/containers/containers
Security configuration is a crucial part of your infrastructure.
Azure allows you to conduct ongoing compliance checks against well-known security standards (such as CIS Benchmarks).
The best practices are as follows:
For more information, please refer to the following resources:
Introduction to Azure Defender for Kubernetes:
https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction
Use Azure Defender for container registries to scan your images for vulnerabilities:
https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-usage
Azure security baseline for ACI:
Azure security baseline for ACR:
Security considerations for ACI:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-image-security
Introduction to private Docker container registries in Azure:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro
In this section, we have learned how to securely maintain AKS, based on Azure infrastructure – from logging in, to network access, to auditing and monitoring, and security compliance.
GKE is the Google-managed Kubernetes orchestration service.
It can integrate with other GCP services, such as Google Container Registry for storing containers, Google Cloud IAM for managing permissions to GKE, Google Filestore for persistent storage, and Google Cloud operations for monitoring.
Google Cloud IAM is the supported service for managing permissions to access and run containers through GKE.
The best practices are as follows:
For more information, please refer to the following resources:
Creating IAM policies:
https://cloud.google.com/kubernetes-engine/docs/how-to/iam
Configuring RBAC:
https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
Enforce least privilege with recommendations:
https://cloud.google.com/iam/docs/recommender-overview
Use least privilege Google service accounts:
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#permissions
Secret management:
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#secret_management
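On the GCP side, least privilege starts with the Cloud IAM policy bindings attached to the project or cluster. The sketch below pairs a read-only role for auditors with a broader role for the team that operates workloads; the role names are real predefined GKE roles, while the group addresses are placeholders:

```python
# Grant Kubernetes Engine Viewer to auditors and Kubernetes Engine
# Developer to the platform team (group addresses are placeholders).
iam_bindings = [
    {"role": "roles/container.viewer",
     "members": ["group:auditors@example.com"]},
    {"role": "roles/container.developer",
     "members": ["group:platform-team@example.com"]},
]

def members_for(role, bindings):
    """Look up which principals hold a given role in the policy bindings."""
    return [m for b in bindings if b["role"] == role for m in b["members"]]

print(members_for("roles/container.viewer", iam_bindings))
```

Fine-grained, per-namespace permissions are then layered on top with Kubernetes RBAC, as the RBAC resource above describes.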
GKE exposes services to the internet – for that reason, it is important to plan before deploying each GKE cluster.
The best practices are as follows:
For more information, please refer to the following resources:
Creating a private cluster:
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
Restrict network access to the control plane and nodes:
Restrict traffic among Pods with a network policy:
Network security:
https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview#network_security
Harden workload isolation with a GKE sandbox:
https://cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods
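A private GKE cluster combines private nodes with an allowlist of networks that may reach the control plane. The sketch below shows the relevant fields, shaped after the GKE v1 API; the CIDR ranges and names are placeholders:

```python
import json

# Private cluster with control plane access restricted to one office range
# (field names follow the GKE v1 API; all values are placeholders).
cluster_config = {
    "name": "private-cluster",
    "privateClusterConfig": {
        "enablePrivateNodes": True,       # nodes get internal IPs only
        "enablePrivateEndpoint": False,   # public endpoint stays, but gated
        "masterIpv4CidrBlock": "172.16.0.32/28",
    },
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [
            {"displayName": "office", "cidrBlock": "203.0.113.0/24"}
        ],
    },
}
print(json.dumps(cluster_config, indent=2))
```

Setting `enablePrivateEndpoint` to `True` as well would remove the public control plane endpoint entirely, at the cost of requiring access from inside the VPC (or a connected network).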
Auditing is a crucial part of data protection.
As with any other managed service, Google allows you to enable logging and auditing using the Google Cloud Logging service – a service that allows you to audit container-related activities.
The best practices are as follows:
For more information, please refer to the following resources:
Audit policy:
https://cloud.google.com/kubernetes-engine/docs/concepts/audit-policy
Overview of Google Cloud's operations suite for GKE:
https://cloud.google.com/stackdriver/docs/solutions/gke
Remediating security health analytics findings:
Security configuration is a crucial part of your infrastructure.
Google allows you to conduct ongoing compliance checks against well-known security standards (such as CIS Benchmarks).
The best practices are as follows:
For more information, please refer to the following resources:
Container threat detection conceptual overview:
https://cloud.google.com/security-command-center/docs/concepts-container-threat-detection-overview
GKE CIS 1.1.0 Benchmark Inspec Profile:
https://github.com/GoogleCloudPlatform/inspec-gke-cis-benchmark
GKE auditor:
https://github.com/google/gke-auditor
Node images:
https://cloud.google.com/kubernetes-engine/docs/concepts/node-images#containerd_node_images
Binary authorization:
https://cloud.google.com/binary-authorization
Container Registry:
https://cloud.google.com/container-registry
In this section, we have learned how to securely maintain the Google Kubernetes service, based on GCP infrastructure – from logging in, to network access, to auditing and monitoring, and security compliance.
Although the name implies that there are no servers, the term serverless (or function as a service) means that you, as a customer of the service, are not in charge of the underlying compute infrastructure (operating system maintenance, scaling, runtime management, and so on) – you simply import your code (in a language supported by the cloud provider), select your preferred runtime, choose the amount of memory required per function (which also determines the amount of CPU), and set the trigger that invokes the function.
The following diagram presents the architectural differences between VMs, containers, and serverless:
In this section, we will look at the most common serverless (function as a service) platforms and then review the best practices for securing the serverless services offered by AWS, Azure, and GCP.
AWS Lambda is the Amazon serverless service.
It can integrate with other AWS services, such as AWS IAM for managing permissions to AWS Lambda, Amazon CloudWatch for monitoring AWS Lambda, and Amazon S3 and Amazon EFS for persistent storage.
AWS IAM is the supported service for managing permissions to AWS Lambda.
The best practices are as follows:
For more information, please refer to the following resources:
Identity-based IAM policies for Lambda:
https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html
Security best practices:
Encrypting Lambda environment variables:
serverless-puresec-cli:
https://github.com/puresec/serverless-puresec-cli
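A least-privilege Lambda execution role grants only what the function actually needs – typically, permission to write to its own CloudWatch Logs log group. The policy below is a sketch; the account ID, region, and function name are placeholders:

```python
import json

# Scope logging permissions to this function's own log group only
# (account ID, region, and function name are placeholders).
execution_role_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:PutLogEvents"],
        "Resource": "arn:aws:logs:us-east-1:111122223333:"
                    "log-group:/aws/lambda/my-function:*",
    }],
}
print(json.dumps(execution_role_policy, indent=2))
```

Any further permissions (for example, reading one S3 bucket) should be added as additional narrowly scoped statements rather than wildcards.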
AWS Lambda can be deployed either as an external resource outside your VPC or inside your VPC – for that reason, it is important to plan before deploying each Lambda function.
The best practices are as follows:
For more information, please refer to the following resources:
Data protection in AWS Lambda:
https://docs.aws.amazon.com/lambda/latest/dg/security-dataprotection.html
AWS Lambda now supports AWS PrivateLink:
https://aws.amazon.com/about-aws/whats-new/2020/10/aws-lambda-now-supports-aws-privatelink/
Configuring a Lambda function to access resources in a VPC:
https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
How do I give internet access to a Lambda function that's connected to an Amazon VPC?
https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/
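Attaching a Lambda function to your VPC comes down to one configuration block. The sketch below shows the `VpcConfig` shape passed to `create-function` or `update-function-configuration` (the subnet and security group IDs are placeholders), plus the rule of thumb from the last resource above – a VPC-attached function in private subnets reaches the internet only via a NAT gateway:

```python
# VpcConfig block for create-function / update-function-configuration
# (subnet and security group IDs are placeholders).
vpc_config = {
    "SubnetIds": ["subnet-0a1b2c3d", "subnet-4e5f6a7b"],  # private subnets
    "SecurityGroupIds": ["sg-0123456789abcdef0"],         # least-privilege SG
}

def needs_nat_gateway(requires_internet, in_private_subnets=True):
    """A VPC-attached function in private subnets has no direct internet
    path; outbound internet access requires a NAT gateway."""
    return requires_internet and in_private_subnets

print(needs_nat_gateway(True))
```

Spanning at least two subnets in different Availability Zones keeps the function available if one zone fails.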
Auditing is a crucial part of data protection.
As with any other managed service, AWS allows you to enable auditing using the AWS CloudTrail service – a service that allows you to audit API-related activities.
The best practices are as follows:
For more information, please refer to the following resources:
Using AWS Lambda with AWS CloudTrail:
https://docs.aws.amazon.com/lambda/latest/dg/with-cloudtrail.html
Using AWS Lambda with Amazon CloudWatch Events:
https://docs.aws.amazon.com/lambda/latest/dg/services-cloudwatchevents.html
Serverless, or function as a service, is mainly code running inside a closed managed environment.
As a customer, you cannot control the underlying infrastructure – as a result, you must invest in secure coding to prevent attackers from breaking into your application and causing harm that AWS cannot protect against.
The best practices are as follows:
For more information, please refer to the following resources:
Using AWS Lambda with AWS Config:
https://docs.aws.amazon.com/lambda/latest/dg/services-config.html
Lambda function versions:
https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html
Use API Gateway Lambda authorizers:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
Setting up automatic assessment runs through a Lambda function:
Configuring code signing for AWS Lambda:
https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html
OWASP Serverless Top 10:
https://owasp.org/www-project-serverless-top-10/
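The API Gateway Lambda authorizer mentioned in the resources above is itself a Lambda function that inspects the incoming credential and returns an IAM policy. Below is a minimal TOKEN-authorizer sketch; the token check is a deliberately trivial placeholder for real validation (for example, verifying a JWT signature):

```python
def authorizer_handler(event, context):
    """Minimal API Gateway TOKEN authorizer sketch.

    The comparison below is a placeholder - production code would
    validate a signed token (e.g. a JWT) instead.
    """
    token = event.get("authorizationToken", "")
    effect = "Allow" if token == "expected-token" else "Deny"
    return {
        "principalId": "user",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": event["methodArn"],
            }],
        },
    }

sample_event = {
    "authorizationToken": "expected-token",
    "methodArn": "arn:aws:execute-api:us-east-1:111122223333:api/prod/GET/items",
}
print(authorizer_handler(sample_event, None)["policyDocument"]["Statement"][0]["Effect"])
```

Returning `Deny` (rather than raising an error) for a recognized-but-unauthorized caller lets API Gateway cache the decision per your authorizer's TTL settings.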
In this section, we have learned how to securely maintain the AWS Lambda service, based on AWS infrastructure – from logging in, to network access, to auditing and monitoring, and security compliance.
Azure Functions is the Azure function as a service.
It can integrate with other Azure services, such as Azure AD for managing permissions to Azure Functions, Azure Monitor Application Insights for monitoring Azure Functions, and Azure Blob storage for persistent storage.
Azure AD is the supported service for managing permissions to your Azure Functions.
The best practices are as follows:
For more information, please refer to the following resources:
How to use managed identities for App Service and Azure Functions:
Azure Functions authorizations:
https://docs.microsoft.com/en-us/azure/api-management/import-function-app-as-api#authorization
Use Key Vault references for App Service and Azure Functions:
https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
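A Key Vault reference lets an Azure Function read a secret without embedding it in app settings – the setting's value is a pointer string that App Service resolves via the function's managed identity. The helper below builds that string; the vault and secret names are placeholders:

```python
def key_vault_reference(vault_name, secret_name, version=None):
    """Build an App Service / Functions Key Vault reference app setting.
    Omitting the version makes the reference track the latest secret value.
    (vault_name and secret_name here are placeholders.)"""
    uri = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
    if version:
        uri = f"{uri}/{version}"
    return f"@Microsoft.KeyVault(SecretUri={uri})"

setting = key_vault_reference("myvault", "DbPassword")
print(setting)
```

The function app's managed identity must be granted permission to read secrets from the vault for the reference to resolve.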
Azure Functions can access resources in your Azure subscription – for that reason, it is important to plan before deploying each Azure function.
The best practices are as follows:
For more information, please refer to the following resources:
Azure Functions networking options:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options
Secure an HTTP endpoint in production:
IP address restrictions:
https://docs.microsoft.com/en-us/azure/azure-functions/ip-addresses#ip-address-restrictions
Azure Functions and FTP:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies#ftp
Protect your web apps and APIs:
https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction
Auditing is a crucial part of data protection.
As with any other managed service, Azure allows you to enable logging and auditing using the Azure Monitor service.
The best practices are as follows:
For more information, please refer to the following resources:
Logging and threat detection:
Azure security baseline for Azure Functions:
https://docs.microsoft.com/en-us/azure/azure-functions/security-baseline#logging-and-monitoring
Serverless, or function as a service, is mainly code running inside a closed, managed environment.
As a customer, you cannot control the underlying infrastructure – as a result, you must invest in secure coding to avoid attackers breaking into your application and causing harm that Azure cannot protect against.
The best practices are as follows:
For more information, please refer to the following resources:
Azure security baseline for Azure Functions:
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/functions-security-baseline
Posture and vulnerability management:
OWASP Serverless Top 10:
https://owasp.org/www-project-serverless-top-10/
In this section, we have learned how to securely maintain the Azure Functions service, based on Azure infrastructure – from logging in, to network access, to auditing and monitoring, and security compliance.
Google Cloud Functions is the GCP function as a service.
It can integrate with other GCP services, such as Google Cloud IAM for managing permissions to Google Cloud Functions, Google Cloud Audit Logs for monitoring Google Cloud Functions, and Google Cloud Storage for persistent storage.
Google Cloud IAM is the supported service for managing permissions on your Google Cloud Functions.
The best practices are as follows:
For more information, please refer to the following resources:
Authorizing access via IAM:
https://cloud.google.com/functions/docs/securing/managing-access-iam
Authenticating for invocation:
https://cloud.google.com/functions/docs/securing/authenticating
Securing access with identity:
https://cloud.google.com/functions/docs/securing#identity
Google Cloud Functions can access resources in your GCP project – for that reason, it is important to plan before deploying each Google Cloud function.
The best practices are as follows:
For more information, please refer to the following resources:
Configuring network settings:
https://cloud.google.com/functions/docs/networking/network-settings
Connecting to a VPC network:
https://cloud.google.com/functions/docs/networking/connecting-vpc
Configuring serverless VPC access:
https://cloud.google.com/vpc/docs/configure-serverless-vpc-access
Using VPC service controls:
https://cloud.google.com/functions/docs/securing/using-vpc-service-controls
Managing secrets:
https://cloud.google.com/functions/docs/env-var#managing_secrets
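The network controls above come together in a few function settings: an ingress policy that blocks direct public invocation and a Serverless VPC Access connector for private egress. The sketch below shows those fields, shaped after the Cloud Functions v1 API; the project, region, and connector names are placeholders:

```python
import json

# Lock down ingress and route egress through a VPC connector
# (field names follow the Cloud Functions v1 API; values are placeholders).
function_config = {
    "name": "projects/my-project/locations/us-central1/functions/my-fn",
    "ingressSettings": "ALLOW_INTERNAL_ONLY",  # block direct public calls
    "vpcConnector": "projects/my-project/locations/us-central1/"
                    "connectors/my-connector",
    "vpcConnectorEgressSettings": "PRIVATE_RANGES_ONLY",
}
print(json.dumps(function_config, indent=2))
```

Setting `vpcConnectorEgressSettings` to `ALL_TRAFFIC` instead would force every outbound request through the VPC, which is useful when egress must pass a firewall or NAT with a fixed IP.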
Auditing is a crucial part of data protection.
As with any other managed service, Google allows you to enable logging and auditing using the Google Cloud Audit Logs service.
The best practices are as follows:
For more information, please refer to the following resources:
Using Cloud audit logging with Cloud Functions:
https://cloud.google.com/functions/docs/monitoring/audit-logging
In this section, we have learned how to securely maintain the Google Cloud Functions service, based on GCP infrastructure – from logging in, to network access, to auditing and monitoring.
In this chapter, we have focused on the various compute services in AWS, Azure, and GCP, from VMs, through managed MySQL databases, containers, and finally serverless (or functions as a service).
In each section, we have reviewed how to manage identity (for authentication and authorization), how to control network access (from access controls to network encryption), how to configure auditing and logging, and finally, how to configure compliance or security standards (for services that support those capabilities).
In the next chapter, we will review the various storage services in the cloud (from object storage to block storage and finally, file storage).