AWS Security Cookbook: Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS
()
About this ebook
Secure your Amazon Web Services (AWS) infrastructure with permission policies, key management, and network security, along with following cloud security best practices
Key Features- Explore useful recipes for implementing robust cloud security solutions on AWS
- Monitor your AWS infrastructure and workloads using CloudWatch, CloudTrail, config, GuardDuty, and Macie
- Prepare for the AWS Certified Security-Specialty exam by exploring various security models and compliance offerings
As a security consultant, securing your infrastructure by implementing policies and following best practices is critical. This cookbook discusses practical solutions to the most common problems related to safeguarding infrastructure, covering services and features within AWS that can help you implement security models such as the CIA triad (confidentiality, integrity, and availability), and the AAA triad (authentication, authorization, and availability), along with non-repudiation.
The book begins with IAM and S3 policies and later gets you up to speed with data security, application security, monitoring, and compliance. This includes everything from using firewalls and load balancers to secure endpoints, to leveraging Cognito for managing users and authentication. Over the course of this book, you'll learn to use AWS security services such as Config for monitoring, as well as maintain compliance with GuardDuty, Macie, and Inspector. Finally, the book covers cloud security best practices and demonstrates how you can integrate additional security services such as Glacier Vault Lock and Security Hub to further strengthen your infrastructure.
By the end of this book, you'll be well versed in the techniques required for securing AWS deployments, along with having the knowledge to prepare for the AWS Certified Security – Specialty certification.
What you will learn- Create and manage users, groups, roles, and policies across accounts
- Use AWS Managed Services for logging, monitoring, and auditing
- Check compliance with AWS Managed Services that use machine learning
- Provide security and availability for EC2 instances and applications
- Secure data using symmetric and asymmetric encryption
- Manage user pools and identity pools with federated login
If you are an IT security professional, cloud security architect, or a cloud application developer working on security-related roles and are interested in using AWS infrastructure for secure application deployments, then this Amazon Web Services book is for you. You will also find this book useful if you’re looking to achieve AWS certification. Prior knowledge of AWS and cloud computing is required to get the most out of this book.
Related to AWS Security Cookbook
Related ebooks
AWS Certified Advanced Networking Official Study Guide: Specialty Exam Rating: 5 out of 5 stars5/5Implementing Cloud Design Patterns for AWS Rating: 0 out of 5 stars0 ratingsAWS Administration – The Definitive Guide Rating: 5 out of 5 stars5/5Implementing DevOps on AWS Rating: 0 out of 5 stars0 ratingsAWS All-in-one Security Guide: Design, Build, Monitor, and Manage a Fortified Application Ecosystem on AWS Rating: 0 out of 5 stars0 ratingsHands-On Microservices with Kubernetes: Build, deploy, and manage scalable microservices on Kubernetes Rating: 5 out of 5 stars5/5Learning AWS Rating: 4 out of 5 stars4/5AWS Certified Solutions Architect Associate All-in-One Exam Guide, Second Edition (Exam SAA-C02) Rating: 5 out of 5 stars5/5AWS Certified SysOps Administrator Official Study Guide: Associate Exam Rating: 0 out of 5 stars0 ratingsGetting Started with Kubernetes - Second Edition Rating: 0 out of 5 stars0 ratingsMicrosoft Azure Security Rating: 0 out of 5 stars0 ratingsImplementing Azure Solutions Rating: 0 out of 5 stars0 ratingsAmazon EC2 Cookbook Rating: 0 out of 5 stars0 ratingsAWS: The Ultimate Guide From Beginners To Advanced For The Amazon Web Services (2020 Edition) Rating: 2 out of 5 stars2/5Metasploit Bootcamp Rating: 5 out of 5 stars5/5Getting Started with Windows Server Security Rating: 0 out of 5 stars0 ratingsAmazon S3 Cookbook Rating: 0 out of 5 stars0 ratingsLearning Elasticsearch 7.x: Index, Analyze, Search and Aggregate Your Data Using Elasticsearch (English Edition) Rating: 0 out of 5 stars0 ratingsRESTful Java Web Services Security Rating: 0 out of 5 stars0 ratingsMastering Kali Linux for Advanced Penetration Testing - Second Edition Rating: 0 out of 5 stars0 ratingsMastering Kali Linux for Web Penetration Testing Rating: 4 out of 5 stars4/5Amazon Web Services for Mobile Developers: Building Apps with AWS Rating: 0 out of 5 stars0 ratingsSecuring Amazon Web Services Rating: 4 out of 5 stars4/5
Internet & Web For You
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State Rating: 4 out of 5 stars4/5How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life Rating: 4 out of 5 stars4/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5The Gothic Novel Collection Rating: 5 out of 5 stars5/5Get Rich or Lie Trying: Ambition and Deceit in the New Influencer Economy Rating: 0 out of 5 stars0 ratingsSix Figure Blogging Blueprint Rating: 5 out of 5 stars5/5Coding For Dummies Rating: 5 out of 5 stars5/5How to Disappear and Live Off the Grid: A CIA Insider's Guide Rating: 0 out of 5 stars0 ratingsEverybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Podcasting For Dummies Rating: 4 out of 5 stars4/5The Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5Beginner's Guide To Starting An Etsy Print-On-Demand Shop Rating: 0 out of 5 stars0 ratingsGrokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5The Beginner's Affiliate Marketing Blueprint Rating: 4 out of 5 stars4/5200+ Ways to Protect Your Privacy: Simple Ways to Prevent Hacks and Protect Your Privacy--On and Offline Rating: 0 out of 5 stars0 ratingsHacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5The Internet Is Not What You Think It Is: A History, a Philosophy, a Warning Rating: 4 out of 5 stars4/5The Logo Brainstorm Book: A Comprehensive Guide for Exploring Design Directions Rating: 4 out of 5 stars4/5Remote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5How To Start A Podcast Rating: 4 out of 5 stars4/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5More Porn - Faster!: 50 Tips & Tools for Faster and More Efficient Porn Browsing Rating: 3 out of 5 stars3/5The Digital Marketing Handbook: A Step-By-Step Guide to Creating Websites That Sell Rating: 5 out of 5 stars5/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratingsIntroduction to Internet Scams and Fraud: Credit Card Theft, Work-At-Home Scams and Lottery Scams Rating: 4 out of 5 stars4/5
Reviews for AWS Security Cookbook
0 ratings0 reviews
Book preview
AWS Security Cookbook - Heartin Kanikathottu
AWS Security Cookbook
Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS
Heartin Kanikathottu
BIRMINGHAM - MUMBAI
AWS Security Cookbook
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Karan Sadawna
Acquisition Editor: Shrilekha Inani
Content Development Editor: Pratik Andrade
Senior Editor: Arun Nadar
Technical Editor: Mohd Riyan Khan
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Nilesh Mohite
First published: February 2020
Production reference: 1260220
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-83882-625-3
www.packt.com
To God Almighty, for allowing me to take up this opportunity and complete it successfully.
To my wife, Sneha Heartin, for being a loving and supportive wife and a great reviewer; and to my baby girl, June Grace, for sacrificing a lot of dada time. To our parents, and our siblings and their families, for their unconditional love and support.
– Heartin Kanikathottu
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Fully searchable for easy access to vital information
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at customercare@packtpub.com for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors
About the author
Heartin Kanikathottu is an author, architect, and tech evangelist with over 12 years of IT experience. He has worked for companies including VMware, IG Infotech, Software AG, SAP Ariba, American Express, and TCS. His degrees include a B-Tech in computer science, an MS in cloud computing, and an M-Tech in software systems. He has over 10 professional certifications in the areas of the cloud, security, coding, and design from providers such as AWS, Pivotal, Oracle, Microsoft, IBM, and Sun. His blogs on computer science, the cloud, and programming have followers from countries across the globe. He mentors others and leads technical sessions at work, meetups, and conferences. He likes reading and maintains a big library of technical, fictional, and motivational books.
Thank you God Almighty for allowing me to take up this authoring opportunity and to complete it successfully. I want to thank all the people who have been close to me and have supported me, especially my wife Sneha who was also the official reviewer for the book; my baby girl June, who sacrificed a lot of her dada time; our parents, Dr. Gresamma, Jacob, Chinnamma, and Thomas; and our siblings and their families. The additional review efforts of my friends, Jayasree, Anitha, Jyothi, Raj, Rajni, Rijo, Saurabh, and Ashutosh, in making this a valuable book was significant. I would not have completed this book without the support of my current employer, VMware, and many colleagues who provided support in various forms, especially P Ramani, Rajneesh, Kyle, Chandana, Casey, and Cathal. Last, but not least, the support from Packt, with some amazing people and great tools, helped me a lot in completing this book on time.
About the reviewers
Sneha Thomas is a senior software engineer with around 10 years of IT experience. She is currently working at Australia and New Zealand Banking Group Limited (ANZ) as a technical lead. She has a master's degree with a specialization in cloud computing and a bachelor's degree in electronics and communications. She has very good knowledge of the AWS cloud as well as many other public clouds. She currently works as a full-stack developer and has worked on various technologies such as Java, Spring, Hibernate, and Angular, along with various web technologies such as HTML, JavaScript, and CSS. She was the reviewer for the book Serverless Programming Cookbook from Packt Publishing. She also likes writing blogs, and her Java blog has a good number of followers.
Michael J. Lewis currently works in the Cloud Enablement practice at Slalom Consulting in Atlanta, Georgia, specializing in AWS and DevSecOps. A computer science major and a U.S. naval submarine veteran with over 25 years' experience in the computer industry, he has been at the forefront of emerging technologies, from the internet boom to the latest trends in serverless and cloud computing. He and his wife Julie reside in Georgia with their three wonderful children.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents
Title Page
Copyright and Credits
AWS Security Cookbook
Dedication
About Packt
Why subscribe?
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Sections
Getting ready
How to do it…
How it works…
There's more…
See also
Get in touch
Reviews
Managing AWS Accounts with IAM and Organizations
Technical requirements
Configuring IAM for a new account
Getting ready
How to do it...
Creating a billing alarm
How it works...
There's more...
See also
Creating IAM policies
Getting ready
How to do it...
Creating policies with the IAM visual editor
Creating policies using the AWS CLI
How it works...
There's more...
See also
Creating a master account for AWS Organizations
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a new account under an AWS Organization
Getting ready
How to do it...
Creating an account and OU from the CLI
Creating and moving an account from the console
How it works...
There's more...
See also
Switching roles with AWS Organizations
Getting ready
How to do it...
Switching as an administrator
Granting permission for a non-admin user to switch roles
Granting permission for a non-admin user to switch roles using the CLI
How it works...
Switching roles between any two accounts
There's more...
See also
Securing Data on S3 with Policies and Techniques
Technical requirements
Creating S3 access control lists
Getting ready
How to do it...
Granting READ ACLs for a bucket to everyone from the console
Granting READ for AWS users using predefined groups from the CLI
Granting public READ for an object with canned ACLs from the CLI
How it works...
There's more...
Comparing ACLs, bucket policies, and IAM policies
See also
Creating an S3 bucket policy
Getting ready
How to do it...
Bucket public access with a bucket policy from the console
Bucket list access with a bucket policy from the CLI
How it works...
There's more...
See also
S3 cross-account access from the CLI
Getting ready
How to do it...
Uploading to a bucket in another account
Uploading to a bucket in another account with a bucket policy
How it works...
There's more...
See also
S3 pre-signed URLs with an expiry time using the CLI and Python
Getting ready
How to do it...
Generating a pre-signed URL from the CLI
Generating a pre-signed URL using the Python SDK
How it works...
There's more...
See also
Encrypting data on S3
Getting ready
How to do it...
Server-side encryption with S3-managed keys (SSE-S3)
Server-side encryption with KMS-managed keys (SSE-KMS)
Server-side encryption with customer-managed keys (SSE-C)
How it works...
There's more...
See also
Protecting data with versioning
Getting ready
How to do it...
How it works...
There's more...
See also
Implementing S3 cross-region replication within the same account
Getting ready
How to do it...
How it works...
There's more...
See also
Implementing S3 cross-region replication across accounts
Getting ready
How to do it...
How it works...
There's more...
See also
User Pools and Identity Pools with Cognito
Technical requirements
Creating Amazon Cognito user pools
Getting ready
How to do it...
How it works...
There's more...
See also
Creating an Amazon Cognito app client
Getting ready
How to do it...
How it works...
There's more...
Customizing workflows with triggers
See also
User creation and user signups
Getting ready
How to do it...
Creating a user by an administrator
Creating a user through self-signup with admin confirmation
Creating a user through self-signup with self-confirmation
How it works...
There's more...
See also
Implementing an admin authentication flow
Getting ready
How to do it...
How it works...
There's more...
See also
Implementing a client-side authentication flow
Getting ready
How to do it...
How it works...
There's more...
See also
Working with Cognito groups
Getting ready
How to do it...
How it works...
There's more...
See also
Federated identity with Cognito user pools
Getting ready
How to do it...
Configuring within the Amazon developer portal
Configuring in Cognito
How it works...
There's more...
See also
Key Management with KMS and CloudHSM
Technical requirements
Creating keys in KMS
Getting ready
How to do it...
How it works...
There's more...
See also
Using keys with external key material
Getting ready
How to do it...
Creating key configuration for an external key
Generating our key material using OpenSSL
Continuing with key creation from the console
How it works...
There's more...
See also
Rotating keys in KMS
Getting ready
How to do it...
How it works...
There's more...
See also
Granting permissions programmatically with grants
Getting ready
How to do it...
How it works...
There's more...
See also
Using key policies with conditional keys
Getting ready
How to do it...
How it works...
There's more...
See also
Sharing customer-managed keys across accounts
Getting ready
How to do it...
Creating a key and giving permission to the other account
Using the key as an administrator user from account 2
Using the key as a non-admin user from account 2
How it works...
There's more...
See also
Creating a CloudHSM cluster
Getting ready
How to do it...
How it works...
There's more...
See also
Initializing and activating a CloudHSM cluster
Getting ready
How to do it...
Initializing the cluster and creating our first HSM
Launching an EC2 client instance and activating the cluster
How it works...
There's more...
See also
Network Security with VPC
Technical requirements
Creating a VPC in AWS
Getting ready
How to do it...
How it works...
There's more...
See also
Creating subnets in a VPC
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring an internet gateway and a route table for internet access
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and configuring NAT gateways
Getting ready
How to do it...
How it works...
There's more...
See also
Working with NACLs
Getting ready
How to do it...
How it works...
There's more...
See also
Using a VPC gateway endpoint to connect to S3
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring and using VPC flow logs
Getting ready
How to do it...
How it works...
There's more...
See also
Working with EC2 Instances
Technical requirements
Creating and configuring security groups
Getting ready
How to do it...
How it works...
There's more...
See also
Launching an EC2 instance into a VPC
Getting ready
How to do it...
General steps for launching an EC2 instance and doing SSH
Launching an instance into our public subnet
Launching an instance into our private subnet
How it works...
There's more...
See also
Setting up and configuring NAT instances
Getting ready
How to do it...
Adding a route for the NAT instance
How it works...
There's more...
See also
Creating and attaching an IAM role to an EC2 instance
Getting ready
How to do it...
How it works...
There's more...
See also
Using our own private and public keys with EC2
Getting ready
How to do it...
Generating the keys
Uploading a key to EC2
How it works...
There's more...
See also
Using EC2 user data to launch an instance with a web server
Getting ready
How to do it...
How it works...
There's more...
See also
Storing sensitive data with the Systems Manager Parameter Store
Getting ready
How to do it...
Creating a parameter in the AWS Systems Manager Parameter Store
Creating and attaching role for the AWS Systems Manager
Retrieving parameters from the AWS Systems Manager Parameter Store
How it works...
There's more...
See also
Using KMS to encrypt data in EBS
Getting ready
How to do it...
How it works...
There's more...
See also
Web Security Using ELBs, CloudFront, and WAF
Technical requirements
Enabling HTTPS on an EC2 instance
Getting ready
How to do it...
How it works...
There's more...
See also
Creating an SSL/TLS certificate with ACM
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a classic load balancer
Getting ready
How to do it...
How it works...
There's more...
See also
Creating ELB target groups
Getting ready
How to do it...
How it works...
There's more...
See also
Using an application load balancer with TLS termination at the ELB
Getting ready
How to do it...
How it works...
There's more...
See also
Using a network load balancer with TLS termination at EC2
Getting ready
How to do it...
How it works...
There's more...
See also
Securing S3 using CloudFront and TLS
Getting ready
How to do it...
CloudFront distribution with CloudFront default domain
CloudFront distribution with a custom domain and ACM certificate
How it works...
There's more...
See also
Configuring and using the AWS web application firewall (WAF)
Getting ready
How to do it...
How it works...
There's more...
See also
Monitoring with CloudWatch, CloudTrail, and Config
Technical requirements
Creating an SNS topic to send emails
Getting ready
How to do it...
How it works...
There's more...
See also
Working with CloudWatch alarms and metrics
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a dashboard in CloudWatch
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a CloudWatch log group
Getting ready
How to do it...
How it works...
There's more...
See also
Working with CloudWatch events
Getting ready
How to do it...
How it works...
There's more...
See also
Reading and filtering logs in CloudTrail
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a trail in CloudTrail
Getting ready
How to do it...
How it works...
There's more...
See also
Using Athena to query CloudTrail logs in S3
Getting ready
How to do it...
How it works...
There's more...
See also
Cross-account CloudTrail logging
Getting ready
How to do it...
How it works...
There's more...
See also
Integrating CloudWatch and CloudTrail
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using AWS Config
Getting ready
How to do it...
How it works...
There's more...
See also
Compliance with GuardDuty, Macie, and Inspector
Technical requirements
Setting up and using Amazon GuardDuty
Getting ready
How to do it...
How it works...
There's more...
See also
Aggregating findings from multiple accounts in GuardDuty
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using Amazon Macie
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using Amazon Inspector
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a custom Inspector template
Getting ready
How to do it...
How it works...
There's more...
See also
Additional Services and Practices for AWS Security
Technical requirements
Setting up and using AWS Security Hub
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using AWS SSO
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using AWS Resource Access Manager
Getting ready
How to do it...
How it works...
There's more...
See also
Protecting S3 Glacier vaults with Vault Lock
Getting ready
How to do it...
How it works...
There's more...
See also
Using AWS Secrets Manager to manage RDS credentials
Getting ready
How to do it...
How it works...
There's more...
See also
Creating an AMI instead of using EC2 user data
Getting ready
How to do it...
How it works...
There's more...
See also
Using security products from AWS Marketplace
Getting ready
How to do it...
How it works...
There's more...
See also
Using AWS Trusted Advisor for recommendations
Getting ready
How to do it...
How it works...
There's more...
See also
Using AWS Artifact for compliance reports
Getting ready
How to do it...
How it works...
There's more...
See also
Other Books You May Enjoy
Leave a review - let other readers know what you think
Preface
AWS Security Cookbook discusses practical solutions to the most common problems faced by security consultants while securing their infrastructure. This book discusses services and features within AWS that can help us to achieve security models such as the CIA triad (confidentiality, integrity, and availability), the AAA triad (authentication, authorization, and availability), and non-repudiation.
The book begins by getting you familiar with IAM and S3 policies; then, it dives deeper into data security, application security, monitoring, and compliance. Over the course of this book, you will come across AWS Security services such as Config, GuardDuty, Macie, Glacier Vault Lock, Inspector, and Security Hub. Lastly, this book covers essential security areas per chapter and progresses toward cloud security best practices and integrating additional security services.
By the end of this book, you will be adept with all of the techniques pertaining to securing AWS deployments along with having help to prepare for the AWS Certified Security – Specialty certification.
Who this book is for
If you are an IT security professional, cloud security architect, or a cloud application developer working on security-related roles and are interested in using the AWS infrastructure for secure application deployment, then this book is for you. This book will also benefit individuals interested in taking up the AWS Certified Security – Specialty certification. Prior knowledge of AWS and cloud computing is required.
What this book covers
Chapter 1, Managing AWS Accounts with IAM and Organizations, covers recipes for working with Identity and Access Management (IAM) users, groups, roles, and permission policies. This chapter also discusses recipes to create and manage multiple user accounts from a single master account using the AWS Organizations service.
Chapter 2, Securing Data on S3 with Policies and Techniques, discusses recipes related to securing Simple Storage Service (S3) data with Access Control Lists (ACLs), bucket policies, pre-signed URLs, encryption, versioning, and cross-region replication.
Chapter 3, User Pools and Identity Pools with Cognito, focuses mostly on application security with Cognito and discusses recipes related to concepts such as user pools, user signups, authentication and authorization flows, and federated identity logins.
Chapter 4, Key Management with KMS and CloudHSM, discusses recipes for managing encryption keys with AWS Key Management Service (KMS), which uses shared Hardware Security Modules (HSMs), as well as CloudHSM, which uses dedicated HSMs for enhanced security.
Chapter 5, Network Security with VPC, discusses recipes to secure your AWS infrastructure by creating Virtual Private Clouds (VPCs). We discuss topics such as public and private subnets, configuring route tables and network gateways, and using security mechanisms such as security groups and Network Access Control Lists (NACLs) to secure incoming and outgoing traffic.
Chapter 6, Working with EC2 Instances, covers additional recipes for securing Amazon Elastic Compute Cloud (EC2) instances, such as launching them into custom VPCs, using security groups, using the Systems Manager Parameter Store, and bootstrapping an EC2 instance with user data. We will also learn to encrypt data in Elastic Block Store (EBS).
Chapter 7, Web Security Using ELBs, CloudFront, and WAF, discusses recipes for securing web traffic and improving availability with different types of load balancers, the CloudFront service, and features such as instance-level TLS termination. We will also learn how to configure and use Web Application Firewalls (WAFs) within AWS.
Chapter 8, Monitoring with CloudWatch, CloudTrail, and Config, covers recipes to help us in troubleshooting, achieving compliance and accountability, and more through continuous monitoring, alerting, and regular auditing. We will learn about services such as CloudWatch, CloudTrail, Config, and Simple Notification Service (SNS).
Chapter 9, Compliance with GuardDuty, Macie, and Inspector, discusses recipes related to checking for compliance and notifying us about non-compliance. We will learn about services, such as GuardDuty, Macie, and Inspector, that use machine learning and advanced algorithms to help us to check compliance.
Chapter 10, Additional Services and Practices for AWS Security, discusses additional services and features that you can use to secure your AWS infrastructure, such as Security Hub, Single Sign-On (SSO), Resource Access Manager, Secrets Manager, Trusted Advisor, Artifact, and S3 Glacier vaults. We will also learn how to use additional security products from AWS Marketplace.
To get the most out of this book
You will need a working AWS account for practicing the recipes within this book.
You should already have some basic knowledge of AWS services such as IAM, S3, EC2, and VPC.
Basic knowledge of cloud computing, computer networking, and IT security concepts can help you to grasp the contents of this book faster.
Download the example code files
You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit