AWS All-in-one Security Guide
eBook - ePub

AWS All-in-one Security Guide

Design, Build, Monitor, and Manage a Fortified Application Ecosystem on AWS

About this book

Learn to build robust security controls for the infrastructure, data, and applications in the AWS Cloud.

Key Features
  • Takes a comprehensive layered security approach that covers major use-cases.
  • Covers key AWS security features leveraging the CLI and Management Console.
  • Step-by-step instructions for all topics with graphical illustrations.
  • Relevant code samples written in JavaScript (for Node.js runtime).

Description
If you're looking for a comprehensive guide to Amazon Web Services (AWS) security, this book is for you. With the help of this book, cloud professionals and the security team will learn how to protect their cloud infrastructure components and applications from external and internal threats. The book uses a comprehensive layered security approach to look into the relevant AWS services in each layer and discusses how to use them. It begins with an overview of the cloud's shared responsibility model and how to effectively use the AWS Identity and Access Management (IAM) service to configure identities and access controls for various services and components. The subsequent chapters cover AWS infrastructure security, data security, and AWS application layer security. Finally, the concluding chapters introduce the various logging, monitoring, and auditing services available in AWS, and the book ends with a chapter on AWS security best practices. By the end, readers will have the knowledge and skills necessary to make informed decisions and put in place security controls to create AWS application ecosystems that are highly secure.

What you will learn
  • Learn to create a layered security architecture and employ defense in depth.
  • Master AWS IAM and protect APIs.
  • Use AWS WAF, AWS Secrets Manager, and AWS Systems Manager Parameter Store.
  • Learn to secure data in Amazon S3, EBS, DynamoDB, and RDS using AWS Key Management Service.
  • Secure Amazon VPC, filter IPs, use Amazon Inspector, use ECR image scans, etc.
  • Protect cloud infrastructure from DDoS attacks and use AWS Shield.

Who this book is for
The book is intended for cloud architects and security professionals interested in delving deeper into the AWS cloud's security ecosystem and determining the optimal way to leverage AWS security features. Working knowledge of AWS and its core services is necessary.

Table of Contents
1. Introduction to Security in AWS
2. Identity And Access Management
3. Infrastructure Security
4. Data Security
5. Application Security
6. Logging, Monitoring, And Auditing
7. Security Best Practices

Frequently asked questions
Yes, you can access AWS All-in-one Security Guide by Adrin Mukherjee in PDF and/or ePUB format, as well as other popular books in Informatique & Cloud Computing. We have over one million books available in our catalogue for you to explore.

Information

CHAPTER 1

Introduction to Security in AWS

Introduction

As enterprises and businesses move their workloads into the public cloud, security has become the most talked-about subject in cloud migration and cloud adoption journeys. Design for security is pervasive throughout Amazon's infrastructure and is built into every service offered by Amazon Web Services (AWS). However, security on the public cloud differs in many respects from security on-premises, and so it must be seen from different angles. As such, there is a shared responsibility model of security on the AWS cloud: while AWS is responsible for the "Security of the cloud", the customers are responsible for the "Security in the cloud."

Structure

In this chapter, we will cover the following topics:
  • Shared responsibility model
  • Important AWS security service offerings
  • Security guidance offered by AWS
  • Quick note on AWS Management Console

Objectives

In this chapter, we will gain a basic understanding of security in the AWS cloud, which primarily revolves around the concept of the shared responsibility model. We will also identify some of the critical AWS security service offerings. We will cover some security guidance tools, documentation, and other resources that are provided by AWS and AWS Partner Network (APN) partners. These can help us create highly secure and resilient workloads and applications hosted on the AWS cloud.

Shared responsibility model

Security of the workloads and applications on the AWS cloud is a shared responsibility. This responsibility is shared between AWS and the customer. AWS is responsible for securing the global infrastructure and hardware that supports the cloud. The customer, on the other hand, is responsible for anything they put in the cloud. This model can essentially improve the security posture of the customer and increase operational efficiency. The key goal is to create highly secure and resilient applications and workloads on the AWS cloud. Figure 1.1 explains the responsibilities shared by AWS and customers as follows:
Figure 1.1: Shared responsibility in AWS cloud
In the subsequent sections, we will dive deeper into understanding the responsibilities pertaining to each player.

Security of the cloud – AWS responsibility

AWS is responsible for protecting the global infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of hardware, software, networking, and facilities/data centers that run the AWS Cloud services. Securing this infrastructure is AWS's utmost priority, and as such, the infrastructure undergoes regular audits to meet the required security and compliance standards. These audit reports are made available to the AWS customers digitally. AWS is also responsible for the security of the basic essential infrastructure services like compute, storage, networking, and database (managed database services like Amazon RDS or Amazon DynamoDB, etc.).
Figure 1.2 provides an overview of AWS's slice of the shared responsibility model:
Figure 1.2: Security of the cloud
For pure infrastructure services like Amazon EC2, Amazon EBS, Amazon VPC, etc., AWS is responsible for the security of the underlying global infrastructure and the other infrastructure-related services, including the hypervisor layer (wherever applicable).
For managed or abstracted services like Amazon RDS, Amazon DynamoDB, and Amazon S3, in addition to the security of the infrastructure and related infrastructure services, AWS also handles fundamental security tasks like guest OS patching, database patching, firewall configuration, and disaster recovery.

Security in the cloud – customer responsibility

Customer responsibility is determined by the AWS Cloud services that a customer uses. The AWS services that fall clearly into the category of Infrastructure-as-a-Service (IaaS) – such as Amazon EC2, Amazon VPC, etc. – are entirely under the customer's control, and the customers are expected to perform all of the necessary security configuration and management tasks. For example, for Amazon EC2 instances, the customer is responsible for the guest OS updates and patches, any application software or utilities installed on these instances, and the configuration of the AWS-provided firewall (called security groups) on each instance.
In the case of managed or abstracted services like Amazon S3, Amazon DynamoDB, or Amazon RDS, the customer is relieved of the burden of launching and maintaining the underlying instances, patching the guest OS or database, etc. AWS handles the infrastructure layer, operating system, and the platforms on behalf of the customer. However, the customer still needs to access the service endpoints to store and retrieve the data, set up the necessary permissions and access control policies, etc. The customer also needs to decide on the classification of the data and the security of the data at rest and in motion, and apply the appropriate encryption options. Auditing and tracking of API/user activity also need to be performed by the customer.
Figure 1.3 gives the basic set of responsibilities that need to be managed by customers who have deployed their applications and workloads on the AWS cloud:
Figure 1.3: Security in the cloud

Controls in shared responsibility model

In this section, we will look into "who is responsible for what" in the context of Shared Responsibility Model and IT controls in the AWS cloud. The IT controls can be differentiated into the following three categories:

Inherited controls

These controls are inherited by the customers from AWS. Some examples are as follows:
  • Physical and environmental controls: These cover physical access to the AWS facilities and involve strictly controlled access to the facilities, professional security staff at ingress points, video surveillance, intrusion detection systems, multi-factor authentication, decommissioning of physical storage devices, etc. Environmental controls like fire detection and suppression, power, climate, and temperature controls also fall under this category.
  • Controls for business continuity management: AWS data centers are always built in clusters in various geographical regions to offer greater availability. The core applications are load-balanced and deployed in N+1 configurations, so that the architecture can handle data center failures. Availability Zones (AZs) are engineered to be physically separated within a metropolitan region and are located in lower-risk flood plains. To reduce single points of failure, in addition to uninterruptible power supply (UPS) and on-site backup generation facilities, AZs are also fed via different power grids from independent sources.
  • Network security controls: AWS has state-of-the-art, high-bandwidth, fault-tolerant network infrastructure that is strictly monitored and managed. The boundary devices and other network devices manage the rulesets and traffic flow policies that are approved by Amazon Information Security. AWS has a limited number of strategically placed access points to the cloud that offer comprehensive ingress and egress traffic monitoring. These are called API endpoints, and they allow only HTTPS traffic.

Shared controls

These controls apply to both the infrastructure and the customer layers. Here, AWS provides the requirements specific to the infrastructure, and the customers provide their own implementation of the controls within the context of their use of the AWS services. Some common examples are as follows:
  • Patch management: AWS is responsible for patching and fixing issues within the infrastructure, including network, hypervisor, host OS, etc. The customers are responsible for patching their guest OS and the applications hosted on top of the infrastructure. AWS does provide services like AWS Systems Manager Patch Manager that customers can use to facilitate the patching process.
  • Configuration management: AWS maintains and manages the configuration of its infrastructure devices, and the customers are responsible for configuring their own guest OS, databases, and applications.
  • Awareness and training: While AWS trains its own employees on the security controls in place, the customers are responsible for training and educating their internal cloud staff.

Fully controlled by the customer

These controls are solely the responsibility of the customers, based on the nature of the workload or the application deployed within the AWS services. Here’s an example:
  • Service and communications protection/zone security: The customers may require routing or zoning the data within the specific security environments.

Important AWS security service offerings

AWS has a plethora of related security services that can help the customer create a highly secure platform or application on the AWS cloud. The following sections provide introductory notes on some of the essential services that can be leveraged.

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables customers to control and manage access to AWS services and resources securely. AWS IAM can be used to create human identities and/or machine identities and to grant fine-grained permissions and access control to these identities. It supports complex conditions for controlling access, such as the originating IP address, whether SSL/TLS is used, or whether the user has authenticated with a Multi-Factor Authentication (MFA) device. AWS IAM also helps integrate users with existing corporate identity providers, like Microsoft Active Directory, or with web identity providers, like Google, Facebook, etc., through identity federation.
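As an added example (not code from the book), the following Node.js snippet shows a policy that uses the three condition types just named (source IP, TLS in use, MFA present) and a minimal evaluator that models how IAM combines them: default deny, and an explicit Deny overrides any Allow. The bucket name, CIDR range and request contexts are constructed placeholders, and Resource matching is deliberately left out.

```javascript
// Added example (not the book's code): a policy using the three condition types the
// text names (source IP, TLS, MFA) and a minimal evaluator modelling IAM's "explicit
// Deny overrides Allow" rule. Bucket/CIDR are placeholders; Resource matching omitted.
const policy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "AllowReadsFromCorpNetOverTls", Effect: "Allow", Action: "s3:GetObject",
      Resource: "arn:aws:s3:::example-bucket/*",
      Condition: { IpAddress: { "aws:SourceIp": "203.0.113.0/24" },
                   Bool: { "aws:SecureTransport": "true" } } },
    // BoolIfExists: the MFA key is absent for long-term access keys, so the
    // Deny also fires for them, not only for sessions that explicitly lack MFA.
    { Sid: "DenyWithoutMfa", Effect: "Deny", Action: "s3:GetObject",
      Resource: "arn:aws:s3:::example-bucket/*",
      Condition: { BoolIfExists: { "aws:MultiFactorAuthPresent": "false" } } },
  ],
};
const ipToInt = (ip) => ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Each operator receives the request-context value (undefined if the key is absent).
const operators = {
  IpAddress: (ctx, v) => ctx !== undefined && inCidr(ctx, v),
  Bool: (ctx, v) => ctx !== undefined && String(ctx) === v,
  BoolIfExists: (ctx, v) => ctx === undefined || String(ctx) === v,
};

function conditionMatches(condition = {}, context) {
  return Object.entries(condition).every(([op, pairs]) =>
    Object.entries(pairs).every(([key, val]) => operators[op](context[key], val)));
}

// Default deny; a matching Deny wins over any matching Allow.
function evaluate(pol, action, context) {
  const hits = pol.Statement.filter(
    (s) => s.Action === action && conditionMatches(s.Condition, context));
  if (hits.some((s) => s.Effect === "Deny")) return "Deny";
  return hits.some((s) => s.Effect === "Allow") ? "Allow" : "Deny";
}

// Constructed request contexts: office IP over TLS, with an MFA session vs a long-term key.
const mfaSession = { "aws:SourceIp": "203.0.113.42", "aws:SecureTransport": true, "aws:MultiFactorAuthPresent": true };
const longTermKey = { "aws:SourceIp": "203.0.113.42", "aws:SecureTransport": true };
console.log(evaluate(policy, "s3:GetObject", mfaSession), evaluate(policy, "s3:GetObject", longTermKey));
```

The second call is denied even though the Allow statement matches, which is the behaviour a Deny-unless-MFA statement is written to produce.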

Amazon Virtual Private Cloud (VPC)

Amazon Virtual Private Cloud, or VPC for short, is a foundational regional service that allows us to launch the AWS resources in a logically isolated virtual network that we define. A VPC is a software-defined network (SDN) optimized for moving massive amounts of network packets from source to destination. It gives us complete control over the virtual networking environment, which includes selection of the...

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. About the Reviewer
  6. Acknowledgement
  7. Preface
  8. Errata
  9. 1. Introduction to Security in AWS
  10. 2. Identity and Access Management
  11. 3. Infrastructure Security
  12. 4. Data Security
  13. 5. Application Security
  14. 6. Logging, Monitoring, and Auditing
  15. 7. Security Best Practices
  16. Index