Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying AWS Security Cookbook
  • Table Of Contents Toc
  • Feedback & Rating feedback
AWS Security Cookbook

AWS Security Cookbook

By : Heartin Kanikathottu, Kanikathottu
4.8 (8)
Buy this Book
close
close
AWS Security Cookbook

AWS Security Cookbook

4.8 (8)
By: Heartin Kanikathottu, Kanikathottu

Overview of this book

As a security consultant, securing your infrastructure by implementing policies and following best practices is critical. This cookbook discusses practical solutions to the most common problems related to safeguarding infrastructure, covering services and features within AWS that can help you implement security models such as the CIA triad (confidentiality, integrity, and availability), and the AAA triad (authentication, authorization, and availability), along with non-repudiation. The book begins with IAM and S3 policies and later gets you up to speed with data security, application security, monitoring, and compliance. This includes everything from using firewalls and load balancers to secure endpoints, to leveraging Cognito for managing users and authentication. Over the course of this book, you'll learn to use AWS security services such as Config for monitoring, as well as maintain compliance with GuardDuty, Macie, and Inspector. Finally, the book covers cloud security best practices and demonstrates how you can integrate additional security services such as Glacier Vault Lock and Security Hub to further strengthen your infrastructure. By the end of this book, you'll be well versed in the techniques required for securing AWS deployments, along with having the knowledge to prepare for the AWS Certified Security – Specialty certification.
Table of Contents (12 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Sections
Get in touch
1
Managing AWS Accounts with IAM and Organizations
Managing AWS Accounts with IAM and Organizations
Technical requirements
Configuring IAM for a new account
Creating IAM policies
Creating a master account for AWS Organizations
Creating a new account under an AWS Organization
Switching roles with AWS Organizations
Free Chapter
2
Securing Data on S3 with Policies and Techniques
Securing Data on S3 with Policies and Techniques
Technical requirements
Creating S3 access control lists
Creating an S3 bucket policy
S3 cross-account access from the CLI
S3 pre-signed URLs with an expiry time using the CLI and Python
Encrypting data on S3
Protecting data with versioning
Implementing S3 cross-region replication within the same account
Implementing S3 cross-region replication across accounts
3
User Pools and Identity Pools with Cognito
User Pools and Identity Pools with Cognito
Technical requirements
Creating Amazon Cognito user pools
Creating an Amazon Cognito app client
User creation and user signups
Implementing an admin authentication flow
Implementing a client-side authentication flow
Working with Cognito groups
Federated identity with Cognito user pools
4
Key Management with KMS and CloudHSM
Key Management with KMS and CloudHSM
Technical requirements
Creating keys in KMS
Using keys with external key material
Rotating keys in KMS
Granting permissions programmatically with grants
Using key policies with conditional keys
Sharing customer-managed keys across accounts
Creating a CloudHSM cluster
Initializing and activating a CloudHSM cluster
5
Network Security with VPC
Network Security with VPC
Technical requirements
Creating a VPC in AWS
Creating subnets in a VPC
Configuring an internet gateway and a route table for internet access
Setting up and configuring NAT gateways
Working with NACLs
Using a VPC gateway endpoint to connect to S3
Configuring and using VPC flow logs
6
Working with EC2 Instances
Working with EC2 Instances
Technical requirements
Creating and configuring security groups
Launching an EC2 instance into a VPC
Setting up and configuring NAT instances
Creating and attaching an IAM role to an EC2 instance
Using our own private and public keys with EC2
Using EC2 user data to launch an instance with a web server
Storing sensitive data with the Systems Manager Parameter Store
Using KMS to encrypt data in EBS
7
Web Security Using ELBs, CloudFront, and WAF
Web Security Using ELBs, CloudFront, and WAF
Technical requirements
Enabling HTTPS on an EC2 instance
Creating an SSL/TLS certificate with ACM
Creating a classic load balancer
Creating ELB target groups
Using an application load balancer with TLS termination at the ELB
Using a network load balancer with TLS termination at EC2
Securing S3 using CloudFront and TLS
Configuring and using the AWS web application firewall (WAF)
8
Monitoring with CloudWatch, CloudTrail, and Config
chevron up
Monitoring with CloudWatch, CloudTrail, and Config
Technical requirements
Creating an SNS topic to send emails
Working with CloudWatch alarms and metrics
Creating a dashboard in CloudWatch
Creating a CloudWatch log group
Working with CloudWatch events
Reading and filtering logs in CloudTrail
Creating a trail in CloudTrail
Using Athena to query CloudTrail logs in S3
Cross-account CloudTrail logging
Integrating CloudWatch and CloudTrail
Setting up and using AWS Config
9
Compliance with GuardDuty, Macie, and Inspector
Compliance with GuardDuty, Macie, and Inspector
Technical requirements
Setting up and using Amazon GuardDuty
Aggregating findings from multiple accounts in GuardDuty
Setting up and using Amazon Macie
Setting up and using Amazon Inspector
Creating a custom Inspector template
10
Additional Services and Practices for AWS Security
Additional Services and Practices for AWS Security
Technical requirements
Setting up and using AWS Security Hub
Setting up and using AWS SSO
Setting up and using AWS Resource Access Manager
Protecting S3 Glacier vaults with Vault Lock
Using AWS Secrets Manager to manage RDS credentials
Creating an AMI instead of using EC2 user data
Using security products from AWS Marketplace
Using AWS Trusted Advisor for recommendations
Using AWS Artifact for compliance reports
11
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Monitoring with CloudWatch, CloudTrail, and Config

We've already looked at many aspects of security, such as confidentiality, integrity, authentication, authorization, and availability. Accountability, the A in the CIA model, can be achieved through continuous monitoring, alerting, and regular auditing. Proper monitoring and alerting can also help in better availability through auto-remediation. In this chapter, we will look into Amazon CloudWatch, AWS CloudTrail, and AWS Config. CloudWatch is the primary service within AWS for application logging, monitoring, and alerting. CloudTrail can log the API calls within AWS. AWS Config can record and evaluate configurations. We will also learn about the Simple Notification Service (SNS), which will allow us to send notifications.

In this chapter, we will cover the following recipes:

  • Creating an SNS topic to send emails
  • Working...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 1
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY