Contents

  

Front matter

preface

acknowledgments

about this book

about the author

about the cover illustration

  

  1 Introduction to AWS security

  1.1  The shared responsibility model

What is AWS responsible for?

What are you responsible for?

  1.2  Cloud-native security tools

Identity and access management

Virtual private cloud

And many more

  1.3  A new way of operating

Speed of infrastructure development

Shifting responsibilities

  1.4  Conclusion

  2 Identity and access management

  2.1  Identity and access management basics

Users

Identity policies

Resource policies

Groups

Roles

  2.2  Using common patterns in AWS IAM

AWS managed policies

Advanced patterns

  2.3  Attribute-based access control with tags

Tagged resources

Tagged principals

  3 Managing accounts

  3.1  Securing access between multiple accounts

The wall between accounts

Cross-account IAM roles

Managing multiple accounts with AWS organizations

  3.2  Integration with existing access management systems

Integrating with Active Directory and other SAML systems

Integrating with OpenID Connect systems

  4 Policies and procedures for secure access

  4.1  Establishing best practices for IAM

Why create best practices?

Best practices example: MFA

Enforceable best practices

  4.2  Applying least privilege access control

Why least privilege is hard

Policy wildcards

AWS managed policies

Shared permissions (groups and managed policies)

  4.3  Choosing between short- and long-lived credentials

The risk of long-lived credentials

Trade-offs associated with credential rotation

A balance with IAM roles

  4.4  Reviewing IAM permissions

Why you should review IAM resources

Types of reviews

Reducing the review burden

  5 Securing the network: The virtual private cloud

  5.1  Working with a virtual private cloud

VPCs

Subnets

Network interfaces and IPs

Internet and NAT gateways

  5.2  Traffic routing and virtual firewalls

Route tables

Security groups

Network ACLs

  5.3  Separating private networks

Using multiple VPCs for network isolation

Connections between VPCs

Connecting VPCs to private networks

  6 Network access protection beyond the VPC

  6.1  Securing access to services with VPC endpoints and PrivateLink

What’s wrong with public traffic?

Using VPC endpoints

Creating a PrivateLink service

  6.2  Blocking malicious traffic with AWS Web Application Firewall

Using WAF managed rules

Blocking real-world attacks with custom AWS WAF rules

When to use AWS WAF

  6.3  Protecting against distributed denial of service attacks using AWS Shield

Free protection with Shield Standard

Stepping up protection with Shield Advanced

  6.4  Integrating third-party firewalls

Web application and next-gen firewalls

Setting up a firewall from AWS Marketplace

  7 Protecting data in the cloud

  7.1  Data security concerns

Confidentiality

Data integrity

Defense in depth

  7.2  Securing data at rest

Encryption at rest

Least privilege access controls

Backups and versioning

  7.3  Securing data in transit

Secure protocols for data transport

Enforcing secure transport

  7.4  Data access logging

Access logging for Amazon S3

CloudTrail logs for resource access

VPC Flow Logs for network access

  7.5  Data classification

Identifying sensitive data with Amazon Macie

  8 Logging and audit trails

  8.1  Recording management events

Setting up CloudTrail

Investigating an issue with CloudTrail logs

  8.2  Tracking resource configuration changes

Pinpoint a change with a configuration timeline

Setting up AWS Config

Resource compliance information

  8.3  Centralizing application logs

CloudWatch Logs basics

The CloudWatch agent

Advanced CloudWatch logs features

Recording network traffic

  9 Continuous monitoring

  9.1  Resource configuration scanning

Ad hoc scanning

Continuous monitoring

Compliance standards and benchmarks

  9.2  Host vulnerability scanning

Types of host vulnerabilities

Host-scanning tools

  9.3  Detecting threats in logs

Threats in VPC Flow Logs

Threats in CloudTrail logs

10 Incident response and remediation

10.1  Tracking security events

Centralizing alerts

Status tracking

Data analysis

10.2  Incident response planning

Playbooks

10.3  Automating incident response

Scripting playbooks

Automated response

11 Securing a real-world application

11.1  A sample application

Diving into the application

Threat modeling

11.2  Strong authentication and access controls

Credential stuffing

Brute forcing

Overly permissive policies and incorrect authorization settings

Inadvertent admin or root access

11.3  Protecting data

Data classification

Highly sensitive data

Sensitive data

Public data

11.4  Web application firewalls

Cross-site scripting

Injection attacks

Scraping

11.5  Implementing authentication and authorization end to end

Setting up Cognito

Securing the API gateway endpoints

  

index
