Security and Microservice Architecture on AWS - Helion
ISBN: 9781098101428
Pages: 396, Format: ebook
Release date: 2021-09-08
Bookstore: Helion
Book price: 186,15 zł (previously: 216,45 zł)
You save: 14% (-30,30 zł)
Security is usually an afterthought when organizations design microservices for cloud systems. Most companies today are exposed to potential security threats, but their responses are often more reactive than proactive. This leads to unnecessarily complicated systems that are hard to implement and even harder to manage and scale. Author Gaurav Raje shows you how to build highly secure systems on AWS without increasing overhead.
Ideal for cloud solution architects and software developers with AWS experience, this practical book starts with a high-level architecture and design discussion, then explains how to implement your solution in the cloud while ensuring that the development and operational experience isn't compromised. By leveraging the AWS Shared Responsibility Model, you'll be able to:
- Develop a modular architecture using microservices that aims to simplify compliance with various regulations in finance, medicine, and legal services
- Introduce various AWS-based security controls to help protect your microservices from malicious actors
- Leverage the modularity of the architecture to independently scale security mechanisms on individual microservices
- Improve the security posture without compromising the autonomy or efficiency of software development teams
Table of Contents
- Preface
- Goals of This Book
- Who Should Use This Book
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Online Learning
- How to Contact Us
- Acknowledgments
- 1. Introduction to Cloud Microservices
- Basics of Cloud Information Security
- Risk and Security Controls
- Organizational Security Policy
- Security Incidents and the CIA Triad
- AWS Shared Responsibility Model
- Cloud Architecture and Security
- Security Through Modularity
- Security Through Simplicity
- Security Through Fully Managed AWS Services
- Blast Radius, Isolation, and the Locked Rooms Analogy
- Defense-in-Depth and Security
- Security Through Perimeter Protection
- Security Through Zero Trust Architecture
- A Brief Introduction to Software Architecture
- Tier-Based Architecture
- Domain-Driven Design
- Microservices
- Implementation of Microservices on AWS
- Container-Based Microservice Architecture
- A Very Brief Introduction to Kubernetes
- Function as a Service: FaaS Using AWS Lambda
- Overview of Cloud Microservice Implementation
- Amazon EKS
- Amazon EKS Fargate Mode
- Function as a Service Using AWS Lambda
- Microservice Implementation Summary
- Examples of Microservice Communication Patterns
- Example 1: Simple Message Passing Between Contexts
- Example 2: Message Queues
- Example 3: Event-Based Microservices
- Summary
- 2. Authorization and Authentication Basics
- Basics of AWS Identity and Access Management
- Principals on AWS
- IAM Policies
- Principle of Least Privilege
- PoLP and Blast Radius
- Structure of AWS IAM Policies
- Principal-Based Policies
- Resource-Based Policies
- The Zone of Trust
- Evaluation of Policies
- Advanced Concepts in AWS IAM Policies
- IAM Policy Conditions
- AWS Tags and Attribute-Based Access Control
- Not Policy Elements: NotPrincipal and NotResource
- Wrapping Up IAM Policies
- Role-Based Access Control
- RBAC Modeling
- Securing Roles
- Assuming Roles
- Assume Roles Using the AWS Command-Line Interface (CLI)
- Switching Roles Using AWS Management Console
- Service-Linked Role
- Authentication and Identity Management
- Basics of Authentication
- Identity Federation on AWS
- Identity Federation Using SAML 2.0 and OpenID Connect
- RBAC and Microservices
- Execution Roles
- RBAC with AWS Lambda
- RBAC with EC2 and the Instance Metadata Service
- RBAC with Amazon EKS Using IAM Roles for Service Accounts
- Summary
- 3. Foundations of Encryption
- Brief Overview of Encryption
- Why Is Encryption Important on AWS?
- Why Is Encryption Important for Microservice Architectures?
- Encryption on AWS
- Security Challenges with Key-Based Encryption
- Business Problem
- AWS Key Management Service
- Basic Encryption Using CMK
- Envelope Encryption
- Envelope Encryption in Action
- Security and AWS KMS
- KMS Contexts and Additional Authenticated Data
- Key Policies
- Grants and ViaService
- KMS grants
- KMS ViaService
- CMK and Its Components and Supported Actions
- Importing key material
- Types of CMK
- Automatic key rotation
- Manual rotation
- Deleting a CMK
- Regions and KMS
- Cost, Complexity, and Regulatory Considerations
- Asymmetric Encryption and KMS
- Encryption and Decryption
- Digital Signing (Sign and Verify)
- Domain-Driven Design and AWS KMS
- Contextual Boundaries and Encryption
- Accounts and Sharing CMK
- KMS and Network Considerations
- KMS Grants Revisited
- KMS Accounts and Topologies: Tying It All Together
- Option 1: Including the CMK Within Bounded Contexts
- Option 2: Using a Purpose-Built Account to Hold the CMK
- AWS Secrets Manager
- How Secrets Manager Works
- Secret Protection in AWS Secrets Manager
- Summary
- 4. Security at Rest
- Data Classification Basics
- Recap of Envelope Encryption Using KMS
- AWS Simple Storage Service
- Encryption on AWS S3
- AWS SSE-S3 (AWS-managed keys)
- AWS SSE-KMS
- AWS SSE-C (client-provided key)
- AWS client-side encryption
- Access Control on Amazon S3 Through S3 Bucket Policies
- Example 1: Enforce server-side encryption on all objects
- Example 2: Require users to have MFA while interacting with AWS S3
- Amazon GuardDuty
- Nonrepudiation Using Glacier Vault Lock
- Security at Rest for Compute Services
- Static Code Analysis Using AWS CodeGuru
- AWS Elastic Container Registry
- Access control
- Encryption at rest
- Image Common Vulnerability and Exposure scanning
- AWS Lambda
- Encryption using CMK
- Encryption using helpers
- AWS Elastic Block Store
- Tying It All Together
- Microservice Database Systems
- AWS DynamoDB
- Access control on AWS DynamoDB
- Encryption on DynamoDB
- Amazon Aurora Relational Data Service
- IAM authentication on Amazon Aurora
- Password authentication
- Encryption on Amazon Aurora
- Media Sanitization and Data Deletion
- Summary
- 5. Networking Security
- Networking on AWS
- Controls
- Understanding the Monolith and Microservice Models
- Segmentation and Microservices
- Software-Defined Network Partitions
- Subnetting
- Routing in a Subnet
- Gateways and Subnets
- Public Subnet
- Private Subnet
- Subnets and Availability Zones
- Internet Access for Subnets
- Virtual Private Cloud
- Routing in a VPC
- Microsegmentation at the Network Layer
- Cross-VPC Communication
- VPC Peering
- Tying it all together with VPC peering
- Cost and complexity trade-off with VPC peering
- AWS Transit Gateway
- Tying it all together using AWS Transit Gateway
- Cost and complexity trade-off with AWS Transit Gateway
- VPC Endpoints
- Gateway VPC endpoint
- Interface VPC endpoints/VPC endpoint services (using PrivateLink)
- Tying it all together using VPC endpoints
- Cost and complexity trade-off with VPC interface endpoints
- Wrap-Up of Cross-VPC Communication
- Firewall Equivalents on the Cloud
- Security Groups
- Security Group Referencing (Chaining) and Designs
- Properties of Security Groups
- Network Access Control Lists
- Security Groups Versus NACLs
- Containers and Network Security
- Block Instance Metadata Service
- Try to Run Pods in a Private Subnet
- Block Internet Access for Pods Unless Necessary
- Use Encrypted Networking Between Pods
- Lambdas and Network Security
- Summary
- 6. Public-Facing Services
- API-First Design and API Gateway
- AWS API Gateway
- Types of AWS API Gateway Endpoints
- Regional API Gateway endpoint
- Edge-optimized API Gateway endpoint
- Private API Gateway endpoint
- Securing the API Gateway
- API Gateway Integration
- AWS Lambda integrations
- HTTP integration
- VPC links
- Kubernetes microservices and API Gateway
- Access Control on API Gateway
- IAM authorizer (API-based authorizer)
- AWS Cognito authorizer
- Lambda authorizer
- Infrastructure Security on API Gateway
- Rate limiting
- Mutual TLS
- Cost Considerations While Using AWS API Gateway
- Bastion Host
- Solution
- Static Asset Distribution (Content Distribution Network)
- AWS CloudFront
- CloudFront origins
- Origin Access Identity
- Signed URLs or Cookies
- Business problem
- Solution
- Signed URLs versus signed cookies
- AWS CloudFront and signed URLs
- Signing a URL using AWS CloudFront
- AWS Lambda@Edge
- Protecting Against Common Attacks on Edge Networks
- AWS Web Application Firewall
- Setting up basic rules using regex and IPs
- Other rules for protecting your application
- Managed and Marketplace rule sets
- AWS Shield and AWS Shield Advanced
- Microservices and AWS Shield Advanced
- Cost Considerations for Edge Protection
- Summary
- 7. Security in Transit
- Basics of Transport Layer Security
- Digital Signing
- Certificates, Certificate Authority, and Identity Verification
- Certificate agility and the need for certificate agility
- AWS Certificate Manager
- Publicly trusted certificate authority: Amazon Trust Services
- Inner workings of AWS ACM
- Validating domain ownership
- Email validation for domain ownership
- DNS validation
- ACM Private CA
- Encryption Using TLS
- TLS Handshake
- Perfect forward secrecy
- TLS Termination and Trade-offs with Microservices
- TLS Offloading and Termination
- AWS Application Load Balancer
- Network load balancers
- CloudFront TLS termination and caching
- Server Name Indication
- Cost and Complexity Considerations with Encryption in Transit
- Application of TLS in Microservices
- Security in Transit While Using Message Queues (AWS SQS)
- gRPC and Application Load Balancer
- Mutual TLS
- A (Very Brief) Introduction to Service Meshes: A Security Perspective
- Proxies and Sidecars
- App Mesh Components and Terminology
- TLS and App Mesh
- mTLS Revisited
- Trust inside a mesh
- Trust outside a mesh
- AWS App Mesh: Wrap-Up
- Serverless Microservices and Encryption in Transit
- AWS API Gateway and AWS Lambda
- Caching, API Gateway, and Encryption in Transit
- Field-Level Encryption
- Summary
- 8. Security Design for Organizational Complexity
- Organizational Structure and Microservices
- Conway's Law
- Single Team Oriented Service Architecture
- Role-Based Access Control
- Privilege Elevation
- AWS Systems Manager run command
- Break-the-Glass
- Permission Boundaries
- Permission Boundaries to Delegate Responsibilities
- AWS Accounts Structure for Large Organizations
- AWS Accounts and Teams
- AWS Organizations
- Organizational Units and Service Control Policies
- Organizational units
- Service control policies
- Representation of departmental hierarchy using OUs and SCPs
- Examples of control using SCP
- Example 1: Ensuring proper resource tagging
- Example 2: Ensuring that only a certain type of instance can be run by users of an account
- Purpose-Built Accounts
- AWS Tools for Organizations
- AWS Organizations Best Practices
- AWS Resource Access Manager
- Shared Services Using AWS RAM
- AWS Single Sign-On
- Enforcing Multifactor Authentication in Accounts
- Simplifying a Complex Domain-Driven Organization Using RBAC, SSO, and AWS Organizations
- Summary
- 9. Monitoring and Incident Response
- NIST Incident Response Framework
- Step 1: Design and Preparation
- Architecture for incident control and isolation of blast radius
- Activity logging
- AWS CloudTrail events
- CloudTrail logging
- VPC flow logs
- Application logging using AWS CloudWatch
- Composable monitoring
- CloudWatch namespace
- Monitoring data using CloudWatch
- Synthetic monitoring
- Other AWS monitoring and security services
- AWS Systems Manager
- Amazon Macie
- Step 2: Detection and Analysis
- Precursors to an incident
- AWS EventBridge
- EventBridge event bus
- EventBridge rules
- EventBridge targets
- Step 3: Containment and Isolation
- Possibility 1: Compromised infrastructure
- Possibility 2: Compromised application
- Step 4: Forensic Analysis
- AWS Athena
- Live-box forensics
- Dead-box forensics
- Tools for performing digital forensic analysis
- Run Command
- EventBridge event replay
- Marketplace solutions
- Step 5: Eradication
- Cleanup
- Security posturing
- Step 6: Postincident Activities
- Recovery
- Simulate and iterate
- Securing the Security Infrastructure
- Securing a CloudTrail
- Encrypting a trail
- Log validation
- Purpose-Built Accounts
- Summary
- A. Terraform Cloud in Five Minutes
- Setup
- Creating Your Workspace
- Adding AWS Access and Secret Key
- Terraform Process
- Providers
- State
- Plans
- Apply
- Writing Your Terraform Infrastructure as Code
- Root Module and Folder Structure
- Input Variables
- Resources
- Running and Applying Your Plan
- B. Example of a SAML Identity Provider for AWS
- A Hands-On Example of a Federated Identity Setup
- Step 1: Configure Your IdP
- Step 2: Export Metadata to Be Imported into AWS Account
- Step 3: Add Your SAML IdP as a Trusted IdP
- Step 4: Create a Role That Your Federated Users Can Assume to Interact with Your AWS Account
- Step 5: Control Access to Multiple Roles Using Custom Attributes Within the IdP
- Summary
- C. Hands-On Encryption with AWS KMS
- Basic Encryption Using the CMK
- Basic Decryption Using the CMK
- Envelope Encryption Using the CMK
- Decrypting an Envelope Encrypted Message
- D. A Hands-On Example of Applying the Principle of Least Privilege
- Step 1: Create an AWS IAM Policy for Your Task
- Step 2: Define the Service, Actions, and Effect Parameters of an IAM Policy
- Step 3: Define the Resource
- Step 4: Request Conditions
- Step 5: Confirm the Resulting Policy
- Step 6: Save the Policy
- Step 7: Attach the Policy to a Principal
- Summary
- Index