AWS Security
Introduction to the book "AWS Security" by Dylan Shields, published by Manning Publications / Simon and Schuster in 2022. The book is offered in 5 pages, PDF format, in English. "AWS Security" is listed under the category Uncategorized.
Running your systems in the cloud doesn’t automatically make them secure. Learn the tools and new management approaches you need to create secure apps and infrastructure on AWS.

In AWS Security you’ll learn how to:
- Securely grant access to AWS resources to coworkers and customers
- Develop policies for ensuring proper access controls
- Lock down network controls using VPCs
- Record audit logs and use them to identify attacks
- Track and assess the security of an AWS account
- Counter common attacks and vulnerabilities

Written by security engineer Dylan Shields, AWS Security provides comprehensive coverage on the key tools and concepts you can use to defend AWS-based systems. You’ll learn how to honestly assess your existing security protocols, protect against the most common attacks on cloud applications, and apply best practices to configuring identity and access management and virtual private clouds.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
AWS provides a suite of strong security services, but it’s up to you to configure them correctly for your applications and data. Cloud platforms require you to learn new techniques for identity management, authentication, monitoring, and other key security practices. This book gives you everything you’ll need to defend your AWS-based applications from the most common threats facing your business.

About the book
AWS Security is the guide to AWS security services you’ll want on hand when you’re facing any cloud security problem. Because it’s organized around the most important security tasks, you’ll quickly find best practices for data protection, auditing, incident response, and more. As you go, you’ll explore several insecure applications, deconstruct the exploits used to attack them, and learn how to react with confidence.
What's inside
- Develop policies for proper access control
- Securely assign access to AWS resources
- Lock down network controls using VPCs
- Record audit logs and use them to identify attacks
- Track and assess the security of an AWS account

About the reader
For software and security engineers building and securing AWS applications.

About the author
Dylan Shields is a software engineer working on Quantum Computing at Amazon. Dylan was one of the first engineers on the AWS Security Hub team.

Table of Contents
1 Introduction to AWS security
2 Identity and access management
3 Managing accounts
4 Policies and procedures for secure access
5 Securing the network: The virtual private cloud
6 Network access protection beyond the VPC
7 Protecting data in the cloud
8 Logging and audit trails
9 Continuous monitoring
10 Incident response and remediation
11 Securing a real-world application

Detailed contents
brief content
contents
preface
acknowledgments
about this book
  Who should read this book
  How this book is organized: A roadmap
  About the code
  liveBook discussion forum
  Other online resources
about the author
about the cover illustration

Chapter 1: Introduction to AWS security
  1.1 The shared responsibility model
    1.1.1 What is AWS responsible for?
    1.1.2 What are you responsible for?
  1.2 Cloud-native security tools
    1.2.1 Identity and access management
    1.2.2 Virtual private cloud
    1.2.3 And many more
  1.3 A new way of operating
    1.3.1 Speed of infrastructure development
    1.3.2 Shifting responsibilities
  1.4 Conclusion

Chapter 2: Identity and access management
  2.1 Identity and access management basics
    2.1.1 Users
    2.1.2 Identity policies
    2.1.3 Resource policies
    2.1.4 Groups
    2.1.5 Roles
  2.2 Using common patterns in AWS IAM
    2.2.1 AWS managed policies
    2.2.2 Advanced patterns
  2.3 Attribute-based access control with tags
    2.3.1 Tagged resources
    2.3.2 Tagged principals

Chapter 3: Managing accounts
  3.1 Securing access between multiple accounts
    3.1.1 The wall between accounts
    3.1.2 Cross-account IAM roles
    3.1.3 Managing multiple accounts with AWS organizations
  3.2 Integration with existing access management systems
    3.2.1 Integrating with Active Directory and other SAML systems
    3.2.2 Integrating with OpenID Connect systems

Chapter 4: Policies and procedures for secure access
  4.1 Establishing best practices for IAM
    4.1.1 Why create best practices?
    4.1.2 Best practices example: MFA
    4.1.3 Enforceable best practices
  4.2 Applying least privilege access control
    4.2.1 Why least privilege is hard
    4.2.2 Policy wildcards
    4.2.3 AWS managed policies
    4.2.4 Shared permissions (groups and managed policies)
  4.3 Choosing between short- and long-lived credentials
    4.3.1 The risk of long-lived credentials
    4.3.2 Trade-offs associated with credential rotation
    4.3.3 A balance with IAM roles
  4.4 Reviewing IAM permissions
    4.4.1 Why you should review IAM resources
    4.4.2 Types of reviews
    4.4.3 Reducing the review burden

Chapter 5: Securing the network: The virtual private cloud
  5.1 Working with a virtual private cloud
    5.1.1 VPCs
    5.1.2 Subnets
    5.1.3 Network interfaces and IPs
    5.1.4 Internet and NAT gateways
  5.2 Traffic routing and virtual firewalls
    5.2.1 Route tables
    5.2.2 Security groups
    5.2.3 Network ACLs
  5.3 Separating private networks
    5.3.1 Using multiple VPCs for network isolation
    5.3.2 Connections between VPCs
    5.3.3 Connecting VPCs to private networks

Chapter 6: Network access protection beyond the VPC
  6.1 Securing access to services with VPC endpoints and PrivateLink
    6.1.1 What’s wrong with public traffic?
    6.1.2 Using VPC endpoints
    6.1.3 Creating a PrivateLink service
  6.2 Blocking malicious traffic with AWS Web Application Firewall
    6.2.1 Using WAF managed rules
    6.2.2 Blocking real-world attacks with custom AWS WAF rules
    6.2.3 When to use AWS WAF
  6.3 Protecting against distributed denial of service attacks using AWS Shield
    6.3.1 Free protection with Shield Standard
    6.3.2 Stepping up protection with Shield Advanced
  6.4 Integrating third-party firewalls
    6.4.1 Web application and next-gen firewalls
    6.4.2 Setting up a firewall from AWS Marketplace

Chapter 7: Protecting data in the cloud
  7.1 Data security concerns
    7.1.1 Confidentiality
    7.1.2 Data integrity
    7.1.3 Defense in depth
  7.2 Securing data at rest
    7.2.1 Encryption at rest
    7.2.2 Least privilege access controls
    7.2.3 Backups and versioning
  7.3 Securing data in transit
    7.3.1 Secure protocols for data transport
    7.3.2 Enforcing secure transport
  7.4 Data access logging
    7.4.1 Access logging for Amazon S3
    7.4.2 CloudTrail logs for resource access
    7.4.3 VPC Flow Logs for network access
  7.5 Data classification
    7.5.1 Identifying sensitive data with Amazon Macie

Chapter 8: Logging and audit trails
  8.1 Recording management events
    8.1.1 Setting up CloudTrail
    8.1.2 Investigating an issue with CloudTrail logs
  8.2 Tracking resource configuration changes
    8.2.1 Pinpoint a change with a configuration timeline
    8.2.2 Setting up AWS Config
    8.2.3 Resource compliance information
  8.3 Centralizing application logs
    8.3.1 CloudWatch Logs basics
    8.3.2 The CloudWatch agent
    8.3.3 Advanced CloudWatch Logs features
    8.3.4 Recording network traffic

Chapter 9: Continuous monitoring
  9.1 Resource configuration scanning
    9.1.1 Ad hoc scanning
    9.1.2 Continuous monitoring
    9.1.3 Compliance standards and benchmarks
  9.2 Host vulnerability scanning
    9.2.1 Types of host vulnerabilities
    9.2.2 Host-scanning tools
  9.3 Detecting threats in logs
    9.3.1 Threats in VPC Flow Logs
    9.3.2 Threats in CloudTrail logs

Chapter 10: Incident response and remediation
  10.1 Tracking security events
    10.1.1 Centralizing alerts
    10.1.2 Status tracking
    10.1.3 Data analysis
  10.2 Incident response planning
    10.2.1 Playbooks
  10.3 Automating incident response
    10.3.1 Scripting playbooks
    10.3.2 Automated response

Chapter 11: Securing a real-world application
  11.1 A sample application
    11.1.1 Diving into the application
    11.1.2 Threat modeling
  11.2 Strong authentication and access controls
    11.2.1 Credential stuffing
    11.2.2 Brute forcing
    11.2.3 Overly permissive policies and incorrect authorization settings
    11.2.4 Inadvertent admin or root access
  11.3 Protecting data
    11.3.1 Data classification
    11.3.2 Highly sensitive data
    11.3.3 Sensitive data
    11.3.4 Public data
  11.4 Web application firewalls
    11.4.1 Cross-site scripting
    11.4.2 Injection attacks
    11.4.3 Scraping
  11.5 Implementing authentication and authorization end to end
    11.5.1 Setting up Cognito
    11.5.2 Securing the API gateway endpoints

index
Download the book AWS Security