Mastering AWS Security (e-book)


Author: Albert Anthony

Publisher: Packt Publishing

Publication date: 2017-10-26

Word count: 319,000

An in-depth, informative guide to implementing and using AWS security services effectively.

About This Book

  • Learn to secure your network, infrastructure, data and applications in the AWS cloud
  • Log, monitor and audit your AWS resources for continuous security and continuous compliance in the AWS cloud
  • Use AWS managed security services to automate security. Focus on growing your business rather than being diverted by security risks and issues with AWS security.
  • Delve deep into various aspects such as the security model, compliance, access management and much more to build and maintain a secure environment

Who This Book Is For

This book is for all IT professionals, system administrators, security analysts, solution architects and Chief Information Security Officers who are responsible for securing workloads in AWS for their organizations. It is helpful for all Solutions Architects who want to design and implement secure architecture on AWS by following the security-by-design principle. This book is also helpful for personnel in auditor and project management roles, who will learn how to audit AWS workloads and how to manage security in AWS, respectively. If you are learning AWS or championing AWS adoption in your organization, you should read this book to build security into all your workloads. You will benefit from knowing about the security footprint of all major AWS services for multiple domains, use cases, and scenarios.

What You Will Learn

  • Learn about AWS Identity Management and Access control
  • Gain knowledge to create and secure your private network in AWS
  • Understand and secure your infrastructure in AWS
  • Understand monitoring, logging and auditing in AWS
  • Ensure Data Security in AWS
  • Learn to secure your applications in AWS
  • Explore AWS Security best practices

In Detail

Mastering AWS Security starts with a deep dive into the fundamentals of the shared security responsibility model. This book tells you how you can enable continuous security, continuous auditing, and continuous compliance by automating your security in AWS with the tools, services, and features it provides. Moving on, you will learn about access control in AWS for all resources. You will also learn about the security of your network, servers, data and applications in the AWS cloud using native AWS security services. By the end of this book, you will understand the complete AWS Security landscape, covering all aspects of end-to-end software and hardware security along with logging, auditing, and compliance of your entire IT environment in the AWS cloud. Lastly, the book will wrap up with AWS best practices for security.

Style and approach

The book takes a practical approach, delving into different aspects of AWS security to help you become a master of it. It focuses on using native AWS security features and managed AWS services to help you achieve continuous security and continuous compliance.
Table of Contents

Title Page

Copyright

Mastering AWS Security

Credits

About the Author

About the Reviewers

www.PacktPub.com

why subscribe

Customer Feedback

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Readers feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

Overview of Security in AWS

Chapter overview

AWS shared security responsibility model

Shared responsibility model for infrastructure services

Shared responsibility model for container services

Shared responsibility model for abstracted services

AWS Security responsibilities

Physical and environmental security

Storage device decommissioning

Business continuity management

Communication

Network security

Secure network architecture

Secure access points

Transmission protection

Network monitoring and protection

AWS access

Credentials policy

Customer security responsibilities

AWS account security features

AWS account

AWS credentials

Individual user accounts

Secure HTTPS access points

Security logs

AWS Trusted Advisor security checks

AWS Config security checks

AWS Security services

AWS Identity and Access Management

AWS Virtual Private Cloud

AWS Key Management System (KMS)

AWS Shield

AWS Web Application Firewall (WAF)

AWS CloudTrail

AWS CloudWatch

AWS Config

AWS Artifact

Penetration testing

AWS Security resources

AWS documentation

AWS whitepapers

AWS case studies

AWS YouTube channel

AWS blogs

AWS Partner Network

AWS Marketplace

Summary

AWS Identity and Access Management

Chapter overview

IAM features and tools

Security

AWS account shared access

Granular permissions

Identity Federation

Temporary credentials

AWS Management Console

AWS command line tools

AWS SDKs

IAM HTTPS API

IAM Authentication

IAM user

IAM groups

IAM roles

AWS service role

AWS SAML role

Role for cross-account access

Role for Web Identity Provider

Identity Provider and Federation

Delegation

Temporary security credentials

AWS Security Token Service

The account root user

IAM Authorization

Permissions

Policy

Statement

Effect

Principal

Action

Resource

Condition

Creating a new policy

IAM Policy Simulator

IAM Policy Validator

Access Advisor

Passwords Policy

AWS credentials

IAM limitations

IAM best practices

Summary

AWS Virtual Private Cloud

Chapter overview

VPC components

Subnets

Elastic Network Interfaces (ENI)

Route tables

Internet Gateway

Elastic IP addresses

VPC endpoints

Network Address Translation (NAT)

VPC peering

VPC features and benefits

Multiple connectivity options

Secure

Simple

VPC use cases

Hosting a public facing website

Hosting multi-tier web application

Creating branch office and business unit networks

Hosting web applications in the AWS Cloud that are connected with your data center

Extending corporate network in AWS Cloud

Disaster recovery

VPC security

Security groups

Network access control list

VPC flow logs

VPC access control

Creating VPC

VPC connectivity options

Connecting user network to AWS VPC

Connecting AWS VPC with other AWS VPC

Connecting internal user with AWS VPC

VPC limits

VPC best practices

Plan your VPC before you create it

Choose the highest CIDR block

Unique IP address range

Leave the default VPC alone

Design for region expansion

Tier your subnets

Follow the least privilege principle

Keep most resources in the private subnet

Creating VPCs for different use cases

Favor security groups over NACLs

IAM your VPC

Using VPC peering

Using Elastic IP instead of public IP

Tagging in VPC

Monitoring a VPC

Summary

Data Security in AWS

Chapter overview

Encryption and decryption fundamentals

Envelope encryption

Securing data at rest

Amazon S3

Permissions

Versioning

Replication

Server-Side encryption

Client-Side encryption

Amazon EBS

Replication

Backup

Encryption

Amazon RDS

Amazon Glacier

Amazon DynamoDB

Amazon EMR

Securing data in transit

Amazon S3

Amazon RDS

Amazon DynamoDB

Amazon EMR

AWS KMS

KMS benefits

Fully managed

Centralized Key Management

Integration with AWS services

Secure and compliant

KMS components

Customer master key (CMK)

Data keys

Key policies

Auditing CMK usage

Key Management Infrastructure (KMI)

AWS CloudHSM

CloudHSM features

Generate and use encryption keys using HSMs

Pay as you go model

Easy To manage

AWS CloudHSM use cases

Offload SSL/TLS processing for web servers

Protect private keys for an issuing certificate authority

Enable transparent data encryption for Oracle databases

Amazon Macie

Data discovery and classification

Data security

Summary

Securing Servers in AWS

EC2 Security best practices

EC2 Security

IAM roles for EC2 instances

Managing OS-level access to Amazon EC2 instances

Protecting your instance from malware

Secure your infrastructure

Intrusion Detection and Prevention Systems

Elastic Load Balancing Security

Building Threat Protection Layers

Testing security

Amazon Inspector

Amazon Inspector features and benefits

Amazon Inspector components

AWS Shield

AWS Shield benefits

AWS Shield features

AWS Shield Standard

AWS Shield Advanced

Summary

Securing Applications in AWS

AWS Web Application Firewall (WAF)

Benefits of AWS WAF

Working with AWS WAF

Signing AWS API requests

Amazon Cognito

Amazon API Gateway

Summary

Monitoring in AWS

AWS CloudWatch

Features and benefits

AWS CloudWatch components

Metrics

Dashboards

Events

Alarms

Log Monitoring

Monitoring Amazon EC2

Automated monitoring tools

Manual monitoring tools

Best practices for monitoring EC2 instances

Summary

Logging and Auditing in AWS

Logging in AWS

AWS native security logging capabilities

Best practices

AWS CloudTrail

AWS Config

AWS detailed billing reports

Amazon S3 Access Logs

ELB Logs

Amazon CloudFront Access Logs

Amazon RDS Logs

Amazon VPC Flow Logs

AWS CloudWatch Logs

CloudWatch Logs concepts

CloudWatch Logs limits

Lifecycle of CloudWatch Logs

AWS CloudTrail

AWS CloudTrail concepts

AWS CloudTrail benefits

AWS CloudTrail use cases

Security at Scale with AWS Logging

AWS CloudTrail best practices

Auditing in AWS

AWS Artifact

AWS Config

AWS Config use cases

AWS Trusted Advisor

AWS Service Catalog

AWS Security Audit Checklist

Summary

AWS Security Best Practices

Shared security responsibility model

IAM security best practices

VPC

Data security

Security of servers

Application security

Monitoring, logging, and auditing

AWS CAF

Security perspective

Directive component

Preventive component

Detective component

Responsive component

Summary
