AWS: Security Best Practices on AWS - Albert Anthony - E-Book

Albert Anthony

Description

With organizations moving their workloads, applications, and infrastructure to the cloud at an unprecedented pace, security of all these resources has been a paradigm shift for all those who are responsible for security; experts, novices, and apprentices alike.
This book focuses on using native AWS security features and managed AWS services to help you achieve continuous security. Starting with an introduction to Virtual Private Cloud (VPC) to secure your AWS VPC, you will quickly explore various components that make up VPC such as subnets, security groups, various gateways, and many more.
You will also learn to protect data in the AWS platform for various AWS services by encrypting and decrypting data in AWS. You will also learn to secure web and mobile applications in AWS cloud.
This book is ideal for all IT professionals, system administrators, security analysts, solution architects, and chief information security officers who are responsible for securing workloads in AWS for their organizations.
This book is embedded with useful assessments that will help you revise the concepts you have learned in this book. This book is repurposed for this specific learning experience from material from Packt's Mastering AWS Security, written by Albert Anthony.

Pages: 145

Year of publication: 2018




Table of Contents

AWS: Security Best Practices on AWS
Credits
Meet Your Expert
Preface
What's in It for Me?
What Will I Get from This Book?
Prerequisites
1. AWS Virtual Private Cloud
Introduction
VPC Components
Subnets
Elastic Network Interfaces (ENI)
Route Tables
Internet Gateway
Elastic IP Addresses
VPC Endpoints
Network Address Translation (NAT)
VPC Peering
VPC Features and Benefits
Multiple Connectivity Options
Secure
Simple
VPC Use Cases
Hosting a Public Facing Website
Hosting Multi-Tier Web Application
Creating Branch Office and Business Unit Networks
Hosting Web Applications in the AWS Cloud That Are Connected with Your Data Center
Extending Corporate Network in AWS Cloud
Disaster Recovery
VPC Security
Security Groups
Network Access Control List
VPC Flow Logs
VPC Access Control
Creating VPC
VPC Connectivity Options
Connecting User Network to AWS VPC
Connecting AWS VPC with Other AWS VPC
Connecting Internal User with AWS VPC
VPC Limits
VPC Best Practices
Plan Your VPC before You Create It
Choose the Highest CIDR Block
Unique IP Address Range
Leave the Default VPC Alone
Design for Region Expansion
Tier Your Subnets
Follow the Least Privilege Principle
Keep Most Resources in the Private Subnet
Creating VPCs for Different Use Cases
Favor Security Groups over NACLs
IAM Your VPC
Using VPC Peering
Using Elastic IP Instead of Public IP
Tagging in VPC
Monitoring a VPC
Summary
Assessments
2. Data Security in AWS
Introduction
Encryption and Decryption Fundamentals
Envelope Encryption
Securing Data at Rest
Amazon S3
Permissions
Versioning
Replication
Server-Side Encryption
Client-Side Encryption
Amazon EBS
Replication
Backup
Encryption
Amazon RDS
Amazon Glacier
Amazon DynamoDB
Amazon EMR
Securing Data in Transit
Amazon S3
Amazon RDS
Amazon DynamoDB
Amazon EMR
AWS KMS
KMS Benefits
Fully Managed
Centralized Key Management
Integration with AWS Services
Secure and Compliant
KMS Components
Customer Master Key (CMK)
Data Keys
Key Policies
Auditing CMK Usage
Key Management Infrastructure (KMI)
AWS CloudHSM
CloudHSM Features
Generate and Use Encryption Keys Using HSMs
Pay as You Go Model
Easy to Manage
AWS CloudHSM Use Cases
Offload SSL/TLS Processing for Web Servers
Protect Private Keys for an Issuing Certificate Authority
Enable Transparent Data Encryption for Oracle Databases
Amazon Macie
Data Discovery and Classification
Data Security
Summary
Assessments
3. Securing Servers in AWS
EC2 Security Best Practices
EC2 Security
IAM Roles for EC2 Instances
Managing OS-Level Access to Amazon EC2 Instances
Protecting Your Instance from Malware
Secure Your Infrastructure
Intrusion Detection and Prevention Systems
Elastic Load Balancing Security
Building Threat Protection Layers
Testing Security
Amazon Inspector
Amazon Inspector Features and Benefits
Amazon Inspector Components
AWS Shield
AWS Shield Benefits
AWS Shield Features
Summary
Assessments
4. Securing Applications in AWS
AWS Web Application Firewall
Benefits of AWS Web Application Firewall
Working with AWS Web Application Firewall
Signing AWS API Requests
Amazon Cognito
Amazon API Gateway
Summary
Assessments
5. AWS Security Best Practices
Shared Security Responsibility Model
IAM Security Best Practices
VPC
Data Security
Security of Servers
Application Security
Monitoring, Logging, and Auditing
AWS CAF
Security Perspective
Directive Component
Preventive Component
Detective Component
Responsive Component
Summary
Assessments
A. Assessment Answers
Lesson 1: AWS Virtual Private Cloud
Lesson 2: Data Security in AWS
Lesson 3: Securing Servers in AWS
Lesson 4: Securing Applications in AWS
Lesson 5: AWS Security Best Practices

AWS: Security Best Practices on AWS

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: March 2018

Production reference: 1070318

Published by Packt Publishing Ltd.

Livery Place, 35 Livery Street

Birmingham B3 2PB, UK.

ISBN: 978-1-78913-451-3

www.packtpub.com

Credits

This book is a blend of text and quizzes, all packaged up keeping your journey in mind. It includes content from the following Packt product:

Mastering AWS Security by Albert Anthony

Meet Your Expert

We have the best work of the following esteemed author to ensure that your learning journey is smooth:

Albert Anthony is a seasoned IT professional with 18 years of experience working with various technologies and in multiple teams spread all across the globe. He believes that the primary purpose of information technology is to solve problems faced by businesses and organizations. He is an AWS certified solutions architect and a corporate trainer. He holds all three AWS associate-level certifications along with PMI-PMP and Certified Scrum Master certifications. He has been training since 2008 on project management, cost management, and people management, and on AWS since 2016. He has managed multiple projects on AWS that run big data applications, hybrid mobile application development, DevOps, and infrastructure monitoring on AWS. He has successfully migrated multiple workloads to AWS from on-premises data centers and other hosting providers. He is responsible for securing workloads for all his customers, with hundreds of servers; processing TBs of data; and running multiple web, mobile, and batch applications.

Preface

With organizations moving their workloads, applications, and infrastructure to the cloud at an unprecedented pace, security of all these resources has been a paradigm shift for all those who are responsible for security; experts, novices, and apprentices alike. AWS provides many controls to secure customer workloads and quite often customers are not aware of their share of security responsibilities, and the security controls that they need to own and put in place for their resources in the AWS cloud.

What's in It for Me?

Maps are vital for your journey, especially when you're holidaying in another continent. When it comes to learning, a roadmap helps you in giving a definitive path for progressing towards the goal. So, here you're presented with a roadmap before you begin your journey.

This book is meticulously designed and developed in order to empower you with all the right and relevant information on AWS. We've created this Learning Path for you that consists of five lessons:

Lesson 1, AWS Virtual Private Cloud, talks about creating and securing our own virtual network in the AWS cloud. This lesson also introduces you to the various connectivity options that AWS provides to create hybrid cloud, public cloud, and private cloud solutions.

Lesson 2, Data Security in AWS, covers encryption in AWS to secure your data at rest and while working with AWS data storage services.

Lesson 3, Securing Servers in AWS, explains ways to secure your infrastructure in AWS by employing continuous threat assessment, agent-based security checks, virtual firewalls for your servers, and so on.

Lesson 4, Securing Applications in AWS, introduces you to ways to secure all your applications developed and deployed in the AWS environment. You will walk through the web application firewall service, as well as securing a couple of AWS services used by developers for web and mobile application development.

Lesson 5, AWS Security Best Practices, walks you through best practices in a consolidated form for securing all your resources in AWS.

What Will I Get from This Book?

Get familiar with VPC components, features, and benefits
Learn to create and secure your private network in AWS
Explore encryption and decryption fundamentals
Understand monitoring, logging, and auditing in AWS
Ensure data security in AWS
Secure your web and mobile applications in AWS
Learn security best practices for IAM, VPC, shared security responsibility model, and so on

Prerequisites

This book is for all IT professionals, system administrators, security analysts, solution architects, and chief information security officers who are responsible for securing workloads in AWS for their organizations. The prerequisites required before you begin this book are:

Working knowledge of AWS is required
Working knowledge of Linux is assumed

Chapter 1. AWS Virtual Private Cloud

Amazon Virtual Private Cloud or VPC, as it is popularly known, is a logically separated, isolated, and secure virtual network on the cloud, where you provision your infrastructure, such as Amazon RDS instances and Amazon EC2 instances. It is a core component of networking services on AWS cloud.

A VPC is dedicated to your AWS account. You can have one or more VPCs in your AWS account to logically isolate your resources from each other. By default, any resource provisioned in a VPC is not accessible by the internet unless you allow it through AWS-provided firewalls. A VPC spans an AWS region.

A VPC is essentially your secure private cloud within the AWS public cloud. It is specifically designed for users who require an extra layer of security to protect their resources on the cloud. It segregates your resources from other resources within your AWS account. You can define your network topology as per your requirements, for example hiding some of your resources from the public while making others accessible from the internet.

Getting the design of your VPC right is absolutely critical for having a secure, fault-tolerant, and scalable architecture.

A VPC resembles a traditional network in a physical data center in many ways, for example, having similar components such as subnets, routes, and firewalls; however, it is a software-defined network that performs the job of data centers, switches, and routers. It is primarily used to transport huge volumes of packets into, out of, and across AWS regions in an optimized and secure way, while segregating your resources as per their access and connectivity requirements. Because of these features, a VPC does not need most of the traditional networking and data center gear.

VPC gives you granular control to define what traffic flows in or out of your VPC.

Introduction

In this lesson, we will deep dive into the security of AWS VPC. VPC is the most important component of networking services in AWS. Networking services are one of the foundation services on the AWS cloud. A secure network is imperative to ensure security in AWS for your resources.

We will look at components that make up VPC, such as subnets, security groups, various gateways, and so on. We will take a deep dive into the AWS VPC features and benefits such as simplicity, security, multiple connectivity options, and so on.

We will look at the following most popular use cases of VPC that use various security and connectivity features of VPC:

Hosting a public-facing website
Hosting multi-tier web applications
Creating branch office and business unit networks
Hosting web applications in AWS cloud that are connected with your data center
Extending corporate network on the cloud
Disaster recovery

AWS provides multiple measures to secure resources in VPC and monitor activities in VPC, such as security groups, network access control list (ACL), and VPC flow logs. We will dive deep into each of these measures.

Next, we'll walk through the process of creating a VPC. You can either choose to create a VPC through the wizard, through the console, or through the CLI.

Furthermore, we'll go through the following VPC connectivity options along with VPC limits in detail:

Network to AWS VPC
AWS VPC to AWS VPC
Internal user to AWS VPC

We'll wrap up this lesson with VPC best practices.

Throughout this lesson, we'll take a look at AWS architecture diagrams for various use cases, connectivity options, and features. The objective of this lesson is to familiarize you with AWS VPC and let you know about ways to secure your VPC.

VPC Components

AWS VPC is a logically separated network isolated from other networks. It lets you set your own IP address range and configure security settings and routing for all your traffic. AWS VPC is made up of several networking components, as shown in the following figure; some of them are as follows:

Subnets
Elastic network interfaces
Route tables
Internet gateways
Elastic IP addresses
VPC endpoints
NAT
VPC peering

Figure 1: AWS VPC components

Let's take a closer look at these components:

Subnets

A VPC spans an AWS region. A region contains two or more availability zones. A VPC contains subnets that are used to logically separate resources inside a region. A subnet cannot span multiple availability zones. A subnet is either a private subnet or a public subnet, depending on whether it is reachable from outside the VPC and whether it can reach resources outside the VPC.

Subnets are used for separating resources, such as web servers and database servers. They are also used for making your application highly available and fault-tolerant. By default, all resources in all subnets of a VPC can route (communicate) to each other using private IP addresses.

Elastic Network Interfaces (ENI)

ENIs are available for EC2 instances running inside a VPC. An ENI can have many attributes, such as a primary private IPv4 address, a MAC address, one or more security groups, one or more IPv6 addresses, and so on. These attributes travel with the ENI: when the ENI is attached to an instance they apply to that instance, and when the ENI is detached they are removed from that instance along with it.

By default, every instance in a VPC has one network interface attached to it. This ENI is known as the primary network interface (eth0). This default ENI cannot be detached from an instance. You can, however, create and attach many additional ENIs to your instances inside a VPC.

One popular use case of ENIs is attaching a secondary ENI to instances running network and security appliances, such as network address translation servers or load balancers. These ENIs can be configured with their own attributes, such as public and private IP addresses, security groups, and so on.

Route Tables

As you've learned, a VPC essentially facilitates traffic in and out of a software-defined network. This traffic needs to know where to go, and this is achieved via route tables. A route table in a VPC has rules, or routes, defined for the flow of traffic. Every VPC has a default route table that is known as the main route table. You can modify this main route table, and you can create additional route tables.

Each subnet in a VPC is associated with exactly one route table; one route table, however, can be associated with multiple subnets. You use route tables to decide what data stays inside the VPC and what data goes outside the VPC, which is why they play such an important part in deciding the data flow for a VPC.

In the following figure, you can see four route tables for two VPCs in my AWS account. You can see the routes in the route table, as well as tabs for subnet associations:

Figure 2: AWS VPC route tables

Internet Gateway

An internet gateway allows communication between resources such as EC2 and RDS instances in your VPC and the Internet. It is highly available, redundant, and horizontally scalable; that is, you do not need to attach more than one internet gateway to your VPC in order to support an increase in traffic.

An internet gateway serves as the target in a VPC route table for all traffic that is supposed to leave the VPC for the internet. Along with that, it also performs network address translation for all instances with public IPv4 addresses.

Elastic IP Addresses

An Elastic IP address is a static, public IPv4 address that can be associated with any one instance or one network interface at a time within any VPC in your AWS account. When your application depends on a fixed IP address, you would use an Elastic IP address instead of a regular public IP address, because a public IP address is lost if the underlying instance shuts down for some reason. You can simply move your Elastic IP address from a failed instance to another instance that is up and running.

You first allocate an Elastic IP address and then associate it with your instance or network interface. Once you do not need it, you should disassociate it and then release it. If an Elastic IP address is allocated but not associated with any instance, then you will be charged by AWS on an hourly basis, so if you don't have a requirement for Elastic IP addresses, it is better to release them.

VPC Endpoints

A VPC endpoint is a secure way to communicate with other AWS services without using the internet, Direct Connect, a VPN connection, or a NAT device. This communication happens internally within the Amazon network, so your traffic never leaves the Amazon network. At present, endpoints are supported only for Simple Storage Service (S3). These endpoints are virtual devices supporting IPv4-only traffic.

An endpoint uses the private IP address of instances in your VPC to communicate with other services. You can have more than one endpoint in your VPC. You create a route in your route table for directing traffic from instance V2 in subnet 2 through your endpoint to your target service (such as S3), as shown in the following figure:

Figure 3: AWS VPC endpoints and route tables
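As an added illustration (not the book's own code), the following Python models how a VPC route table resolves a destination by most-specific match, which is why the endpoint routes installed for the S3 prefix list take precedence over a 0.0.0.0/0 route to the internet gateway, and why a private subnet without a default route still reaches S3 through the endpoint. The VPC CIDR, the prefix-list CIDRs and the gateway ids are constructed placeholders, not real AWS values.

```python
"""Simulate VPC route-table resolution (longest-prefix match).

Added example: the route table, CIDRs and gateway ids below are
constructed for illustration and are not real AWS data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR covered by this route
    target: str       # "local", or a gateway id such as igw-.../vpce-.../nat-...


# A gateway endpoint for S3 appears as one route per CIDR in the S3 prefix list.
# These two CIDRs are made-up sample values standing in for the real prefix list.
S3_PREFIX_LIST = ["198.51.100.0/24", "203.0.113.0/24"]

# Public subnet: intra-VPC traffic stays local, S3 goes via the endpoint,
# everything else leaves through the internet gateway.
PUBLIC_ROUTE_TABLE = [
    Route("10.0.0.0/16", "local"),        # constructed VPC CIDR
    Route("0.0.0.0/0", "igw-EXAMPLE"),    # placeholder internet gateway id
] + [Route(cidr, "vpce-EXAMPLE") for cidr in S3_PREFIX_LIST]

# Private subnet: same local and endpoint routes, but no default route at all.
PRIVATE_ROUTE_TABLE = [Route("10.0.0.0/16", "local")] + [
    Route(cidr, "vpce-EXAMPLE") for cidr in S3_PREFIX_LIST
]


def resolve(route_table, dst_ip):
    """Return the target for dst_ip, choosing the most specific matching route.

    Returns None when no route covers the destination (the packet is dropped).
    """
    ip = ipaddress.ip_address(dst_ip)
    best_route, best_len = None, -1
    for route in route_table:
        net = ipaddress.ip_network(route.destination)
        if ip in net and net.prefixlen > best_len:
            best_route, best_len = route, net.prefixlen
    return best_route.target if best_route else None


def leaves_amazon_network(route_table, dst_ip):
    """True when the packet would exit via an internet gateway or NAT device,
    i.e. the path a VPC endpoint is meant to avoid for AWS service traffic."""
    target = resolve(route_table, dst_ip)
    return target is not None and target.startswith(("igw-", "nat-"))


if __name__ == "__main__":
    for ip in ["10.0.2.15", "198.51.100.7", "93.184.216.34"]:
        print(f"{ip:>15}  public: {resolve(PUBLIC_ROUTE_TABLE, ip)!s:14}"
              f" private: {resolve(PRIVATE_ROUTE_TABLE, ip)}")
```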

Network Address Translation (NAT)