AWS Security Cookbook
eBook - ePub

AWS Security Cookbook

Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS

  1. 440 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Secure your Amazon Web Services (AWS) infrastructure with permission policies, key management, and network security, along with following cloud security best practices

Key Features

  • Explore useful recipes for implementing robust cloud security solutions on AWS
  • Monitor your AWS infrastructure and workloads using CloudWatch, CloudTrail, config, GuardDuty, and Macie
  • Prepare for the AWS Certified Security-Specialty exam by exploring various security models and compliance offerings

Book Description

As a security consultant, securing your infrastructure by implementing policies and following best practices is critical. This cookbook discusses practical solutions to the most common problems related to safeguarding infrastructure, covering services and features within AWS that can help you implement security models such as the CIA triad (confidentiality, integrity, and availability), and the AAA triad (authentication, authorization, and availability), along with non-repudiation.

The book begins with IAM and S3 policies and later gets you up to speed with data security, application security, monitoring, and compliance. This includes everything from using firewalls and load balancers to secure endpoints, to leveraging Cognito for managing users and authentication. Over the course of this book, you'll learn to use AWS security services such as Config for monitoring, as well as maintain compliance with GuardDuty, Macie, and Inspector. Finally, the book covers cloud security best practices and demonstrates how you can integrate additional security services such as Glacier Vault Lock and Security Hub to further strengthen your infrastructure.

By the end of this book, you'll be well versed in the techniques required for securing AWS deployments, along with having the knowledge to prepare for the AWS Certified Security – Specialty certification.

What you will learn

  • Create and manage users, groups, roles, and policies across accounts
  • Use AWS Managed Services for logging, monitoring, and auditing
  • Check compliance with AWS Managed Services that use machine learning
  • Provide security and availability for EC2 instances and applications
  • Secure data using symmetric and asymmetric encryption
  • Manage user pools and identity pools with federated login

Who this book is for

If you are an IT security professional, cloud security architect, or a cloud application developer working on security-related roles and are interested in using AWS infrastructure for secure application deployments, then this Amazon Web Services book is for you. You will also find this book useful if you're looking to achieve AWS certification. Prior knowledge of AWS and cloud computing is required to get the most out of this book.


Information

Year: 2020
Print ISBN: 9781838826253
Edition: 1
eBook ISBN: 9781838827427

Securing Data on S3 with Policies and Techniques

Amazon S3 is an object store on the AWS platform. In simple terms, an object store is a key-value store for objects with a name as the key and an object as the value, unlike a filesystem store, which is hierarchical. In this chapter, we will learn to secure S3 data with access control lists (ACLs), bucket policies, pre-signed URLs, encryption, versioning, and cross-region replication. We have already seen how to secure S3 data using an IAM policy in Chapter 1, Managing AWS Accounts with IAM and Organizations.
This chapter will cover the following recipes:
  • Creating S3 access control lists
  • Creating an S3 bucket policy
  • S3 cross-account access from the CLI
  • S3 pre-signed URLs with an expiry time using the CLI and Python
  • Encrypting data on S3
  • Protecting data with versioning
  • Implementing S3 cross-region replication within the same account
  • Implementing S3 cross-region replication across accounts

Technical requirements

We need a working AWS account. We should install and configure the AWS CLI on our local machine.
Code files for this chapter are available at https://github.com/PacktPublishing/AWS-Security-Cookbook/tree/master/Chapter02.

Creating S3 access control lists

In this recipe, we will learn to grant permissions to the public (everyone) using ACLs from the console, to grant permissions using predefined groups from the CLI, and to grant permissions using canned ACLs from the CLI. ACLs can be used to grant basic read/write permissions to buckets, objects, and their ACLs. ACL grantees can be either an AWS account or a predefined group.

Getting ready

We need a working AWS account with the following resources configured:
  1. A bucket with a file: I will be using a bucket named awsseccookbook with a file named image-heartin-k.png. Replace these with your own bucket name and filename.
  2. A user with no permission and a user with administrator permission: Configure CLI profiles for these users. I will name the users and their profiles testuser and awssecadmin, respectively.
It is good practice to add users to groups and give permissions to these groups instead of directly assigning permissions to users.
  3. Uncheck the two Block all public access settings related to ACLs. Leave the other settings checked and click Save.
We can manage block public access settings for a bucket by going to Block public access under the bucket's Permissions tab. We can also manage these settings at the account level from the S3 dashboard sidebar.

How to do it...

We will discuss various usages of S3 ACLs in this section.

Granting READ ACLs for a bucket to everyone from the console

Perform the following steps to allow everyone to list the bucket's contents:
  1. Go to the S3 service in the console.
  2. Go to the Access Control List tab under the bucket's Permissions tab, click on Everyone, select List objects, and then click Save.
  3. Access the bucket from the browser; we should now be able to list the contents of the bucket.
Next, we will learn to grant READ for AWS users using predefined groups.

Granting READ for AWS users using predefined groups from the CLI

We can grant READ for any AWS user using the AuthenticatedUsers predefined group by performing the following steps:
  1. If you followed along with the previous section, remove the List objects permission for the bucket that was granted to Everyone.
  2. Create a policy that grants access to the AuthenticatedUsers group and save it as acl-grant-authenticated-users.json:

    {
      "Owner": {
        "DisplayName": "awsseccookbook",
        "ID": "5df5b6014ae606808dcb64208aa09e4f19931b3123456e152c4dfa52d38bf8fd"
      },
      "Grants": [
        {
          "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
          },
          "Permission": "READ"
        }
      ]
    }

  Here, the Owner element has the current account's display name and canonical ID. The Grants element grants the READ permission to the AuthenticatedUsers group.
  3. Execute the put-bucket-acl command, providing the preceding policy document:

    aws s3api put-bucket-acl \
      --bucket awsseccookbook \
      --access-control-policy file://resources/acl-grant-authenticated-users.json \
      --profile awssecadmin

  4. The testuser user should now be able to list the contents of the S3 bucket. However, we won't be able to list the bucket contents from the browser, since browser access is unauthenticated.

Granting public READ for an object with canned ACLs from the CLI

We can upload an object and grant public read access using a canned ACL as follows:
  1. Download the image file using the admin user profile. On this occasion, downloading should be successful.
  2. Upload the same file as an administrator, providing the canned ACL for public-read:

    aws s3 cp image-heartin-k.png s3://awsseccookbook/image-heartin-new.png \
      --acl public-read \
      --profile awssecadmin

  3. Download the new file using the testuser profile. We should now be able to download the file successfully.
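The two grant styles above (an explicit Grants document for the AuthenticatedUsers group and a canned ACL such as public-read) produce the same kind of structure that get-bucket-acl and get-object-acl return. As an added example that is not part of the book's code, the following stdlib-only Python audits such an ACL document for grants that reach outside the owning account; the canned-ACL expansion and the sample owner ID are assumptions constructed for the example, and the classification labels are this example's own.

```python
import json

# Predefined-group URIs that S3 understands in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Grants that the common canned ACLs (as used with `aws s3 cp --acl`) add on top of
# the owner's FULL_CONTROL. Assumed here for illustration of what the flag expands to.
CANNED_ACLS = {
    "private": [],
    "public-read": [(ALL_USERS, "READ")],
    "public-read-write": [(ALL_USERS, "READ"), (ALL_USERS, "WRITE")],
    "authenticated-read": [(AUTHENTICATED_USERS, "READ")],
}

# Constructed sample mirroring the recipe's acl-grant-authenticated-users.json;
# the owner ID is a placeholder, not a real canonical ID.
SAMPLE_ACL = json.loads("""{
  "Owner": {"DisplayName": "awsseccookbook", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
  "Grants": [{"Grantee": {"Type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
              "Permission": "READ"}]
}""")


def expand_canned_acl(owner_id, canned):
    """Return the Grants list an object ends up with for a canned ACL."""
    grants = [{"Grantee": {"Type": "CanonicalUser", "ID": owner_id}, "Permission": "FULL_CONTROL"}]
    for uri, permission in CANNED_ACLS[canned]:
        grants.append({"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission})
    return grants


def audit_acl(acl):
    """Return (scope, permission) for each grant that is not to the owning account."""
    owner_id = acl["Owner"]["ID"]
    findings = []
    for grant in acl["Grants"]:
        grantee, permission = grant["Grantee"], grant["Permission"]
        if grantee["Type"] == "Group":
            uri = grantee.get("URI", "")
            scope = {ALL_USERS: "public", AUTHENTICATED_USERS: "any-aws-account"}.get(uri, "other-group")
            findings.append((scope, permission))
        elif grantee["Type"] == "CanonicalUser" and grantee.get("ID") != owner_id:
            findings.append(("external-account", permission))
        # A grant to the owner's own canonical ID is expected and is not reported.
    return findings
```

Running audit_acl over the output of get-bucket-acl for each bucket gives a quick inventory of what the recipe's grants actually expose, with WRITE, WRITE_ACP and FULL_CONTROL findings deserving the first look.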

How it works...

In this recipe, we learned ab...

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. Dedication
  4. About Packt
  5. Contributors
  6. Preface
  7. Managing AWS Accounts with IAM and Organizations
  8. Securing Data on S3 with Policies and Techniques
  9. User Pools and Identity Pools with Cognito
  10. Key Management with KMS and CloudHSM
  11. Network Security with VPC
  12. Working with EC2 Instances
  13. Web Security Using ELBs, CloudFront, and WAF
  14. Monitoring with CloudWatch, CloudTrail, and Config
  15. Compliance with GuardDuty, Macie, and Inspector
  16. Additional Services and Practices for AWS Security
  17. Other Books You May Enjoy

AWS Security Cookbook by Heartin Kanikathottu is available in PDF and/or ePUB format, under Computer Science & Cyber Security.