Securing the AWS Cloud - Brandon Carroll - E-Book

Brandon Carroll

Description

Make your next Amazon Web Services deployment secure and private

Dive into the world of cloud security with Securing the AWS Cloud: A Guide for Learning to Secure AWS Infrastructure by Brandon Carroll, a comprehensive guide crafted for those eager to fortify their Amazon Web Services (AWS) deployments. Whether you are starting from scratch or looking to enhance an existing setup, this book serves as your essential roadmap to understanding and implementing robust security measures in the AWS environment.

The author, a seasoned infrastructure security expert, begins with the basics of cybersecurity and gradually introduces more complex AWS-specific security practices. His structured approach helps you use your existing knowledge to effectively secure your AWS cloud. The book navigates through a series of real-world challenges and provides actionable solutions, equipping you with the skills needed to tackle security issues head-on.

You'll:

  • Learn foundational security practices to safeguard your AWS environment right from the start.
  • Master advanced techniques for identity management, threat detection, and data security within AWS.
  • Develop resilience and recovery strategies to maintain robust security and ensure business continuity.

Securing the AWS Cloud is the ideal resource for IT professionals, system administrators, and anyone aspiring to specialize in cloud security. It's tailor-made to enhance your ability to deploy secure, reliable, and private AWS solutions consistently. If you're ready to take your AWS security skills to the next level, don't wait. Buy your copy today and start building a safer cloud environment!

Page count: 463

Year of publication: 2025



Table of Contents

Cover

Table of Contents

Title Page

Copyright

Dedication

Preface

Acknowledgments

Chapter 1: Introduction to Cloud Security

Understanding Cloud Computing

AWS’s Role in Cloud Computing

Chapter 2: AWS Security Fundamentals

AWS Security Service and Features

Security Best Practices

The AWS Well-Architected Framework

Conclusion

Reference

Chapter 3: Identity and Access Management on AWS

Overview

Use Cases for IAM

Understanding the Lingo

Policies and Permissions in IAM

IAM Identities and Managing Access

Creating an IAM

IAM User Groups

IAM Roles

IAM Policies

AWS IAM Identity Center

Conclusion

References

Chapter 4: AWS Identity Center: Centralizing Access Management

Understanding AWS Identity Center

Best Practices and Advanced Features

Conclusion

Reference

Chapter 5: Infrastructure Protection on AWS

Core Infrastructure Protection Concepts

Creating VPCs and Subnets

Security Groups and Network Access Control Lists (NACLs)

Elastic Load Balancing Security

Adding AWS Network Firewall to Your VPC

Cleaning Up Your AWS Resources

Conclusion

References

Chapter 6: Threat Detection and Management on AWS

Introduction to Threat Detection

Diving into Threat-Detection Services with Amazon GuardDuty

AWS Security Hub Implementation

Threat-Detection Methodologies

Conclusion

References

Chapter 7: Data Security and Cryptography on AWS

Introduction to Data Security and Cryptography

Introduction to Encryption

Secrets Management with AWS Secrets Manager

Cryptographic Best Practices

Cleaning Up Your Resources

Conclusion

References

Chapter 8: Monitoring, Logging, and Compliance on AWS

Overview

Core Concepts of Monitoring and Logging

Monitoring Network Traffic with VPC Flow Logs

Monitoring IAM Activity with CloudTrail

Centralized Security Dashboard Setup

Compliance Framework Examples

Best Practices for Monitoring and Logging in AWS Environments

Cleaning Up Your Resources

Conclusion

References

Chapter 9: Resilience and Recovery Strategies

Why Resilience and Recovery Matter to Cloud Security Professionals

Understanding Recovery Objectives

Cleaning Up Your Resources

Conclusion

References

Chapter 10: Security Operations and Automation

The Evolution of Security Operations

Building Automated Security Controls

Security Operations Workflow

Implementing Different Types of Playbooks

Understanding Security Orchestration

Measuring Security Operations Effectiveness

Cleaning Up Your Resources

Operational Metrics that Matter

Continuous Improvement Process

Building Resilient Security Operations

Conclusion

References

Chapter 11: Applying the Developer Mindset to AWS Security

Understanding the Developer Mindset

The Security as Code Philosophy

The Role of Version Control

Infrastructure as Code Security

Embracing Continuous Security

Conclusion

Reference

Chapter 12: Implementing GitOps for AWS Infrastructure

Understanding GitOps Implementation in AWS

Development Environment Options

Cleaning Up Your Resources

Conclusion

Reference

Index

End User License Agreement

List of Illustrations

Chapter 1

Figure 1.1: Some AWS services.

Chapter 2

Figure 2.1: The CIA triad.

Figure 2.2: Defense in depth illustrated.

Figure 2.3: The shared responsibility model.

Figure 2.4: The shared responsibility model for EC2.

Figure 2.5: The shared responsibility model for RDS.

Figure 2.6: The shared responsibility model for DynamoDB, S3, and similar servic...

Chapter 3

Figure 3.1: User and attributes.

Figure 3.2: Simple AWS account IAM example.

Figure 3.3: AWS policy evaluation logic.

Figure 3.4: AWS user types.

Figure 3.5: Security recommendations.

Figure 3.6: Using an authenticator app.

Figure 3.7: Setting up MFA.

Figure 3.8: Create a strong password policy.

Figure 3.9: Access to AWS CloudShell.

Figure 3.10: Output after adding an IAM user with AWS CLI.

Figure 3.11: Assuming an IAM role.

Chapter 4

Figure 4.1: Enabling IAM Identity Center.

Figure 4.2: Selecting the identity source.

Figure 4.3: Creating the user Alice.

Figure 4.4: Login credentials for Alice.

Figure 4.5: Creating a group.

Figure 4.6: Selecting AdministratorAccess.

Figure 4.7: Selecting accounts for the Admins group permissions.

Figure 4.8: Assigning the Admins group to three accounts.

Figure 4.9: Selecting the permission set.

Figure 4.10: Creating the user Dan.

Figure 4.11: Selecting a custom permission set.

Figure 4.12: Selecting a policy.

Figure 4.13: Naming the permission set.

Figure 4.14: Selecting AWS accounts for the Developers group permissions.

Figure 4.15: Selecting the Developers permission set to attach to two AWS account...

Figure 4.16: Logging in as Alice.

Figure 4.17: Logging in as Dan.

Chapter 5

Figure 5.1: The AWS global network—North America.

Figure 5.2: Example architecture of a VPC.

Figure 5.3: AWS Infrastructure with IGW.

Figure 5.4: NAT Gateway placement.

Figure 5.5: Subnet IDs for the CloudFormation template.

Figure 5.6: Public instance connectivity test.

Figure 5.7: Public instance public IP assignment.

Figure 5.8: Private instance connectivity test.

Figure 5.9: Private instance IP assignment.

Figure 5.10: Verifying the configuration.

Figure 5.11: Ephemeral ports.

Figure 5.12: ALB infrastructure.

Figure 5.13: ALB public-facing URL.

Figure 5.14: Creating a CNAME record.

Figure 5.15: Entering the CNAME record information.

Figure 5.16: Load balancer URL.

Figure 5.17: Verifying the ALB.

Figure 5.18: AWS network firewall architecture.

Chapter 6

Figure 6.1: GuardDuty findings output.

Figure 6.2: Automating GuardDuty.

Figure 6.3: Confirming subscription to the SNS topic.

Figure 6.4: SNS notification of a high-severity event.

Figure 6.5: Security Hub Summary page.

Figure 6.6: GuardDuty findings in Security Hub.

Figure 6.7: Finding details in Security Hub.

Figure 6.8: Workflow management.

Chapter 7

Figure 7.1: The three states of data.

Figure 7.2: CNAME record.

Figure 7.3: Macie dashboard.

Chapter 8

Figure 8.1: Subscription email confirmation.

Figure 8.2: Viewing a custom CloudWatch dashboard.

Figure 8.3: Viewing the automatic CloudWatch dashboards.

Figure 8.4: Viewing the EC2 automatic dashboard.

Figure 8.5: Custom trust policy.

Figure 8.6: CloudWatchLogsFullAccess policy.

Figure 8.7: Manually triggered test notification email.

Figure 8.8: Triggered WAF alarm.

Figure 8.9: Updated security dashboard.

Figure 8.10: Adding the cloudtrail-s3-bucket-public-access-prohibited rule to Config.

Figure 8.11: PCI DSS conformance pack.

Chapter 9

Figure 9.1: The main building blocks of resilience and recovery.

Chapter 10

Figure 10.1: Basic automation flow.

Figure 10.2: SNS confirmation email.

Figure 10.3: GuardDuty-generated events.

Figure 10.4: EventBridge rule invoked.

Figure 10.5: Lambda function invoked.

Figure 10.6: GuardDuty IAM credential finding.

Figure 10.7: S3 data protection.

Figure 10.8: Network security response.

Chapter 11

Figure 11.1: Security as Code workflow.

Figure 11.2: Version control security workflow.

Figure 11.3: IaC security scanning workflow.

Figure 11.4: Continuous security through IaC.

Chapter 12

Figure 12.1: Basic GitOps components and relationships.

Figure 12.2: GitHub repository Fork button.

Figure 12.3: GitHub Codespaces access button.

Figure 12.4: Installing the AWS Toolkit.

Figure 12.5: Creating the OIDC provider.

Figure 12.6: Creating the role.

Figure 12.7: Permissions policies for GitHubActionsRole.

Figure 12.8: Adding the role ARN to GitHub.

Figure 12.9: IaC deployed AWS network firewall.

Figure 12.10: Adding firewall rules.

Figure 12.11: Creating a codespace on a feature branch.

Figure 12.12: Compare & Pull Request button.

Figure 12.13: Create the pull request.

Figure 12.14: Workflow running.

Figure 12.15: Checkov checks before deploy.

Figure 12.16: All the checks have passed.

Figure 12.17: Workflow complete.

List of Tables

Chapter 5

Table 5.1: Resource Tracker


Securing the AWS® Cloud

A Guide for Learning to Secure AWS Infrastructure

Brandon Carroll

Copyright © 2025 by John Wiley & Sons, Inc. All rights reserved, including rights for text and data mining and training of artificial intelligence technologies or similar technologies

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

The manufacturer’s authorized representative according to the EU General Product Safety Regulation is Wiley-VCH GmbH, Boschstr. 12, 69469 Weinheim, Germany, e-mail: [email protected].

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number applied for:

Print ISBN: 9781394289554

ePUB ISBN: 9781394289561

ePDF ISBN: 9781394289578

Cover Design: Wiley

Cover Image: © CSA-Printstock/Getty Images

To Celeste, Weston, and Logan: Thank you for your unwavering support, cooperation, and encouragement.

And to every bookworm who carries around massive tomes and never stops learning—this book is for you.

Preface

When I decided to write this book, I noticed a gap in how people learn AWS security. Too often, they rely on screenshots and web-based dashboards without ever touching the command line. As more organizations adopt a developer mindset for managing infrastructure and security, it is important to move beyond the GUI. That is why this book explores AWS security from the command line, gradually transitioning to infrastructure as code—so you can master the hands-on, code-centric practices that real-world developers use.

This book is written with newcomers to AWS and network security in mind. Many of these individuals will soon be expected to adopt developer-like workflows. You will find a comprehensive tour of essential AWS security concepts, from Identity and Access Management (IAM) to DevSecOps and GitOps, all reinforced with live demos, code samples, and diagrams from my own AWS environment. Along the way, I share anecdotes from personal experience to show why these topics matter in day-to-day operations.

Throughout each chapter, you have the chance to follow along with practical examples, using the CLI and code stored in my GitHub repository. By the end, you will not only understand the fundamentals of securing the AWS cloud but also be comfortable applying a developer mindset to building, automating, and maintaining secure cloud deployments. My hope is that these hands-on exercises and real-world insights will help you confidently navigate the ever-evolving landscape of AWS security.

Acknowledgments

I want to thank Romain Jourdan for believing in me when I transitioned from running Global Config Technology Solutions to Riverbed as a tech evangelist, and later for bringing me into AWS as a Senior Developer Advocate. He always championed learning, staying on top of the latest tools, and finding creative, fun ways to reach more people.

I’m also grateful to my tech editor and colleague, Du’An Lightfoot, who started at AWS on the same day as me. He’s been my sounding board, a true friend, and someone I can always rely on for support and honest feedback.

A big thanks to several others in DevRel whose encouragement helped me complete this project, often without even knowing it. Stephen Preston’s support as I tried to fit this book into my 2024 plan was invaluable, even if that plan didn’t quite go as expected. And Cobus Bernard, thank you for being there whenever I had a Terraform question or needed a second pair of eyes on a tricky GitHub Action (even if you didn’t realize it was for my book).

Finally, I want to acknowledge the young learners like Elijah Ramirez and Max Cloninger, whose enthusiasm for these technical topics keeps me energized. Their curiosity reminds me why I love sharing knowledge, and why I believe there’s always something new to discover.

Chapter 1: Introduction to Cloud Security

Welcome to the fascinating world of cloud computing and, more specifically, to securing your journey in the cloud with Amazon Web Services (AWS). Whether you’re just starting out or looking to deepen your existing knowledge, this chapter lays the foundation for a robust understanding of cloud security dynamics.

Understanding Cloud Computing

Cloud computing isn’t just a buzzword, although you may feel that way since it’s been thrown around as such for many years now. No, in reality, cloud computing represents a shift in how organizations manage and deploy IT resources. Traditionally, organizations had to invest heavily in physical infrastructure, including things like servers, data centers, and networking equipment. These resources required significant upfront capital investment, not to mention space to “rack and stack” them. They also needed expertise to be configured and maintained.

Cloud computing has changed that to a large degree. Instead of solely relying on purchasing and managing extensive physical hardware, organizations are increasingly turning to cloud service providers like AWS to access and utilize these resources over the Internet. This doesn’t eliminate the need for all physical infrastructure since organizations are still investing in hardware to provide connectivity and to maintain some critical services locally. However, the bulk of computing workloads have been or are being moved to the cloud.

This hybrid approach not only reduces the upfront capital expenditure but also combines the security and reliability of on-premises assets with the scalability and flexibility of the cloud, and there are many benefits to this approach. With the cloud, you can scale your resources up or down based on demand, and you pay only for what you use. This model democratizes access to the latest technology, enabling both small startups and large corporations to leverage powerful computing resources that they otherwise could not access.

This section covers the basics of what cloud computing is, the different models available, and the advantages it brings to businesses and individuals.

Definition and Evolution of Cloud Computing

What exactly is cloud computing? Simply put, cloud computing refers to the delivery of computing services, servers, storage, databases, networking, software, analytics, and more, over the Internet. In the early 2000s, when I was working as a Cisco trainer, we would often draw diagrams that showed two routers with a connection to one another through a service provider’s network. The service provider’s network was drawn in the diagram as a cloud. There were other components of the connectivity between the two routers in that cloud, but we did not have ownership or access to that networking equipment. So the cloud represented resources that were managed by someone else. I think this has something to do with why “the cloud” is called “the cloud.” Using AWS as an example, organizations can store files in an object storage service called S3, and it sits “in the cloud.” This represents that there are other components of the connectivity that provide access to this service, but the organization does not have access, nor does it control these resources. I’ll get into that a bit more. For now, you should understand that “the cloud” involves more resources that provide access to services and applications than what you have control over or even see on an architecture diagram.

But why is using the cloud beneficial to organizations today? Well, this model allows for flexible resource allocation, reduces costs, increases efficiency, and provides scalability. The shift from dedicated physical servers to virtualized resources is a significant technological evolution.

Types of Cloud Models (IaaS, PaaS, and SaaS)

As you’ve seen, cloud computing changes the way companies manage IT resources, giving them different levels of control and management. You can think of cloud services like different ways of getting a meal. First, you can cook from scratch, using traditional on-premises computing. Or you can order a complete meal from a third party. In cloud model terms, this is called Software as a Service (SaaS). In this model, everything is prepared for you. You show up and get your food. You eat.

But maybe you prefer to get a meal kit delivered and make the meal yourself. This most resembles the cloud model known as Platform as a Service (PaaS). With PaaS, you get all the components you need to build your applications in the cloud; however, you have to put them together yourself.

Taking this idea a step further, you can have the groceries delivered to you. This cloud model is called Infrastructure as a Service (IaaS). In this case, you order and prepare the ingredients, and then you cook the meal. You simply have access to the store—you do the rest on your own.

Each of these cloud models caters to different needs. They each provide varying degrees of control—from full (IaaS) to minimal (SaaS)—and they allow you to choose based on your specific requirements.

Benefits of Cloud Computing

The flexibility mentioned in these cloud models leads directly to some of the major benefits of cloud computing. These benefits extend beyond simple cost savings (which is one of the first benefits most people mention when asked). Taking advantage of the cloud can significantly change how businesses operate. Scalability allows companies to easily adjust their resource use in response to varying demand without the need for physical upgrades. Flexibility and accessibility can also increase operational efficiency, because they provide remote access to resources from pretty much anywhere, which in turn reduces IT management headaches and, of course, overall costs. The benefits are real, and many organizations are already taking advantage of them; likely you already work for one of these organizations or soon will. These organizations still face many misconceptions and challenges, however. Let’s briefly discuss these.

Common Misconceptions and Challenges

As mentioned in the prior section, along with the clear benefits of cloud computing come some common misconceptions. One of these common misconceptions is that with cloud computing comes inherent security. It’s important to understand that, while cloud providers like AWS secure the infrastructure, the security of the resources you deploy and manage is your responsibility. This is called the shared responsibility model, and it’s essential that you understand it. Years ago, I worked for the phone company. When I arrived at someone’s home to fix an issue with their service, I had to explain to them that the connection on the outside of the house was a demarcation point. Anything up to that point was the phone company’s responsibility, and if the problem was there, I could fix it at no charge. Anything from that box into the house, all the way up to the telephone, was the customer’s responsibility, and although I might be able to fix it, there would be a cost involved. This represented a clear change of responsibility. The shared responsibility model is similar. Security “of” the cloud is AWS’s responsibility. Security “in” the cloud is the customer’s responsibility, which means “your” responsibility. If you don’t understand this, you’ll have a hard time avoiding risks that can undermine the convenience that cloud computing offers.

Now that I’ve talked about cloud computing models at a high level, and I’ve specifically mentioned AWS and the shared responsibility model, it’s time to look at the role that AWS plays in cloud computing.

AWS’s Role in Cloud Computing

I started working with AWS services in the late 2000s. I worked at a training company teaching Cisco certification classes. Some of the assets we shared with students, along with my personal blog, were stored in S3. S3 is the Amazon Simple Storage Service, one of AWS’s first offerings in the cloud. I will get into more details on services later, but my point here is that AWS has been around for a long time. Although others also provided services in the cloud before AWS, AWS is considered one of the first and most successful providers of cloud computing services.

Given its comprehensive tools and services, AWS plays a huge role in how many organizations leverage cloud computing. AWS isn’t just a set of tools: it’s way more. AWS supports everything from the ability to host simple websites to building complex Generative AI projects. Having a sense of AWS’s role reveals why it has become a leader in the cloud industry and how it supports such a diverse range of computing needs. The good news is that you’re here to learn more about how to implement the networking and security services AWS offers, so you’re going to become very familiar with them by the time you finish this book. With that said, the next section gives a high-level overview of AWS services and infrastructure.

Overview of AWS Services and Infrastructure

AWS provides an extensive array of services that cater to various IT needs, making it the Swiss Army knife of the tech world—ready for nearly any task. If you don’t believe me, try this. First, make sure you sign up for an AWS account at aws.amazon.com. With this account, once you’re logged in, click on the Services option, and then select All Services. You should see several areas that AWS supports, from Analytics to Robotics. In fact, AWS supports over 230 services, and you can see just a fraction of them in Figure 1.1.

Figure 1.1: Some AWS services.

Yes, from computing power with Amazon EC2, storage options with Amazon S3, and networking (Amazon VPCs), to machine learning and Generative AI (Amazon Bedrock), Amazon SageMaker, and more, AWS’s infrastructure is designed to support scalable, flexible, and secure applications across multiple industries. You’re going to learn more about this as you progress, so I won’t go into details right now. With that said, why choose AWS?

Why AWS and the Advantages of Adoption and Learning

AWS’s popularity stems from its robust, flexible, and secure infrastructure, trusted by startups and large enterprises alike. That might be reason enough to spend the time looking at AWS and moving some of your workloads there. But I would be remiss if I didn’t compare AWS to my early days at the phone company. We used Lucent switches, Fujitsu DSLAMs (DSL access multiplexers), and Redback routers. I could have taken the time to learn any of those technologies and probably would have had a pretty good career with whatever certifications followed. But at the time, Cisco was in its prime, and everyone knew it. Today, the competition in cloud providers is a bit more fierce, but there are a few outliers that just make sense. AWS is one of them. If you take the time to learn AWS now, my belief is that you are in for a long career in cloud technology. That comes with one caveat. This long career will be a career of constant learning, constant testing, and constant growth. If you’re up for that challenge, you’ve already answered the question, “Why AWS?” Still, whatever your decision is, I trust that if you’re here, you really want to learn how to secure your AWS cloud infrastructure. That’s exactly what you learn in this book.

You can expand on the examples in this book. I stretch beyond just the standard security practices to areas that are adjacent, like networking, DevOps, DevSecOps, and GitOps. I certainly can’t cover security in today’s day and age without a consideration of Generative AI, including the many ways it intersects with cloud security.

This chapter has explored the essential concepts and advantages of cloud computing with AWS, so you can now transition to Chapter 2, which dives a bit deeper into AWS security fundamentals. Chapter 2 examines the specific security services and features that AWS offers and explains how these tools can be mapped to core security concepts that you’ll find across providers and on-premises environments.

Chapter 2: AWS Security Fundamentals

“Most of us forget the basics and wonder why the specifics don’t work.”

—Garrison Wynn

Welcome to the second chapter of your journey to securing your infrastructure on AWS. By now, you should have a good grasp of what cloud computing is and why AWS stands out as a top choice for cloud services. This chapter digs deeper into the fundamentals of AWS security and covers some of the basic concepts that apply to security today. You’ll need to map these basics to AWS’s security services, so this chapter looks at these core security concepts at a high level and then identifies how the security services that AWS has to offer solve or address these core concepts. Buckle up, and let’s get started!

AWS Security Service and Features

AWS has many security services. If you’ve spent any time in the AWS console, you know it’s packed with an array of services—over 206, the last time I checked. The services that provide security features are designed to protect your data, applications, and infrastructure. This section covers some of the key security services that AWS offers. The first service to discuss is AWS Identity and Access Management (IAM).

Core Security Concepts

There are four core concepts addressed in this chapter. They are

  • Confidentiality, Integrity, and Availability (the CIA triad)
  • Principle of least privilege
  • Defense in depth
  • Shared responsibility model

The CIA Triad

The CIA triad is a foundational concept in information security. It represents the three core principles that should guide your security efforts: confidentiality, integrity, and availability. Figure 2.1 provides a visual representation of the CIA triad, in which all three areas of the triad surround your data. I break these down and highlight AWS services that provide a way to address these areas:

Confidentiality has to do with ensuring that sensitive information is accessed only by authorized individuals. There are various ways to do this, but this example applies it to AWS. One way to make sure your data remains confidential is to ensure that only those you deem authorized are allowed to access it. In AWS, this involves using Identity and Access Management (IAM). With IAM you can create users, groups, policies, and roles to control access. Another way to maintain confidentiality is to make sure that when your data is at rest, meaning it is stored somewhere, or when your data is in transit, meaning it is being passed along the network, it is encrypted. Encryption ensures that your data is unreadable to prying eyes. In AWS, companies use services like AWS Key Management Service (KMS) and AWS Certificate Manager (ACM) when they encrypt their data.

Integrity is the act of protecting information from being altered by unauthorized parties. You can do this in several ways. When you encrypt traffic, you can also use a one-way hash function to ensure integrity. The hash is like weighing a box before you ship it and then weighing it again at the destination. If the weight is different, you know something has changed without even opening the package. That’s not the only way to ensure data integrity, though. AWS provides several tools to help maintain data integrity, including AWS CloudTrail for logging changes to your environment and Amazon Macie for monitoring and protecting sensitive data. I cover these in more detail later in this book.

Availability is all about ensuring that information and resources are accessible when needed. This can be achieved by providing redundant infrastructure equipment or multiple paths for routing traffic to a destination. AWS offers various services to enhance availability, including Elastic Load Balancing (ELB) to distribute traffic across multiple instances and Amazon Route 53 for reliable DNS routing.

Figure 2.1: The CIA triad.

As you provision your resources in the cloud, you should always consider the CIA triad and apply these functions as you go.
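The weighing-the-box analogy for integrity, carried through in code. This is an added example using only Python's standard library; it is not code from the book. The payload and the key are constructed for the demonstration. It also shows the caveat a practitioner should keep in mind: a bare digest only proves integrity if the digest itself cannot be replaced, which is why a keyed hash (HMAC) is used when the check value travels alongside the data.

```python
import hashlib
import hmac

# Constructed sample payload: stands in for an object written to storage or sent over the network.
ORIGINAL = b"account_id=123456789012;action=s3:PutObject;approved=true"


def sha256_hex(data: bytes) -> str:
    """One-way hash: the 'weight' of the package, recorded before shipping."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Re-weigh the package at the destination and compare with the recorded weight.
    compare_digest is constant-time, so the comparison itself leaks no information."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Someone who alters the data cannot recompute a valid
    tag without the key, so the tag may be shipped together with the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), expected_tag)


def demo() -> dict:
    """Run the checks against an untouched copy and a copy altered in transit."""
    key = b"constructed-demo-key-not-for-production"   # constructed, shared by sender and receiver
    digest = sha256_hex(ORIGINAL)
    tag = hmac_tag(key, ORIGINAL)
    # Simulate an unauthorized change in transit: one field is flipped.
    tampered = ORIGINAL.replace(b"approved=true", b"approved=false")
    return {
        "digest_ok_untouched": verify_digest(ORIGINAL, digest),
        "digest_ok_tampered": verify_digest(tampered, digest),
        "hmac_ok_untouched": verify_hmac(key, ORIGINAL, tag),
        "hmac_ok_tampered": verify_hmac(key, tampered, tag),
        # If the digest travels unprotected with the data, whoever changes the data can
        # also replace the digest, and the receiver sees a consistent package...
        "bare_digest_replaced_with_data": verify_digest(tampered, sha256_hex(tampered)),
        # ...whereas a keyed tag cannot be recomputed without the key.
        "hmac_recomputed_without_key": verify_hmac(key, tampered, hmac_tag(b"wrong-key", tampered)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The first four results show the basic weigh-and-compare check detecting the altered field. The last two show why the key matters: a bare SHA-256 value shipped with the data can be swapped along with it, while the HMAC tag cannot be forged without the shared key.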

The Principle of Least Privilege

The principle of least privilege (PoLP) is a security concept that promotes granting the minimal level of access or permissions that are necessary for users, programs, or systems to perform their tasks. The main idea is simple: the fewer permissions an entity has, the lower the risk of malicious or accidental damage.

In the context of AWS, this principle is particularly relevant. AWS provides a wide range of resources and services, from virtual machines (like EC2 instances) to storage solutions (like S3 buckets). As you build and manage your AWS infrastructure, applying the principle of least privilege ensures that each element (be it a user, service, or application) has only the permissions necessary to function correctly, and nothing more.

But you may wonder, why is applying the principle of least privilege important when working with resources in the cloud?

Implementing least privilege in AWS serves multiple purposes:

Security:

By limiting access, you reduce the potential impact of a security breach. If a user or service has minimal permissions, the scope for damage is significantly reduced.

Compliance:

Many regulatory frameworks require strict access controls. Adhering to the least-privilege principle helps in meeting these compliance requirements.

Operational simplicity:

Managing permissions can become complex. Applying the least-privilege principle keeps configurations as simple and as manageable as possible.

AWS offers various tools and features to help implement the least-privilege principle. Here are just a few of them:

Identity and access management (IAM):

Use IAM to create users, groups, roles, and policies that define permissible actions and resource access levels.

AWS IAM Access Analyzer:

This tool helps you identify and audit resources in your AWS environment that are accessible from outside your account, allowing you to detect unintended access and refine permissions to enforce least privilege.

AWS Policy Generator:

This tool helps you create security policies that grant only necessary permissions.

Access Advisor:

Within IAM, Access Advisor shows the services accessed by a user and provides information on the last access date. This can help in revising permissions to fit actual usage patterns.

Least-privilege Access Reviews:

Regularly review and adjust permissions to ensure they align with current needs and the principle of least privilege.

Automate Permissions Management:

Tools like AWS CloudTrail and AWS Config can help monitor and record compliance with your least-privilege policies.
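A small least-privilege lint for IAM policy documents, as an added example that is not from the book and is not an AWS tool (IAM Access Analyzer's policy checks are the authoritative service-side equivalent). The three policies are constructed: one grants everything, one is scoped to a single bucket, and one mixes a service-wide wildcard with a read-only wildcard and an MFA guardrail. The bucket name and condition values are illustrative.

```python
import json
from typing import List

# Constructed sample policies (not from any real account).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},     # constructed bucket name
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-uploads"},
    ],
})

MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # A Deny with '*' is a guardrail (here: require MFA), not a grant, so it is not flagged.
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
})


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> List[str]:
    """Return least-privilege findings for an IAM policy document.

    Only Allow statements are examined. Findings are candidates for review, not
    verdicts: some read-only actions (many Describe*/List* calls) only accept
    Resource '*', so a human still decides what to tighten.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append(f"statement {idx}: allows every action ('*')")
            elif action.endswith(":*"):
                service = action.split(":")[0]
                findings.append(f"statement {idx}: allows every action in service '{service}'")
            elif "*" in action:
                findings.append(f"statement {idx}: wildcard action '{action}'")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"statement {idx}: Resource '*' with no Condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY), ("mixed", MIXED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

Running the lint over the three documents shows the scoped policy passing cleanly, the broad policy producing two findings, and the mixed policy producing four, all on its Allow statements; the MFA Deny is left alone because it narrows access rather than widening it.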

As you progress through this book, you will learn more about some of these practices. Embracing the principle of least privilege is essential for maintaining a secure and efficient AWS environment. By granting only the necessary permissions, you not only bolster your security posture but also streamline your operations and compliance efforts.

One additional call-out here is to direct you to the AWS Well-Architected Framework, specifically the Security Pillar. The AWS Well-Architected Framework is a set of best practices and design principles for building secure, high-performing, resilient, and efficient infrastructure on AWS. Its Security Pillar focuses on protecting data, systems, and assets by implementing identity and access management, detection, infrastructure protection, data protection, and incident response. Within this pillar, least privilege is enforced through access control policies, and the CIA triad is addressed by securing data, ensuring data accuracy, and maintaining access to resources as needed.

As you can see, between the principle of least privilege and the CIA triad, there’s much to consider when it comes to securing your resources. To help you with this, consider the defense-in-depth approach.

Defense in Depth

Defense in depth is a security strategy that uses multiple layers of defense to protect your data and resources. If one layer fails, other layers provide the needed protection. Oftentimes, this strategy is compared to that of a castle. Along the perimeter you have a moat. Then you have very high walls. Atop the walls are towers with lookouts and guards stationed at the ready. All of these layers of defense work together to keep the castle secure. This is illustrated in Figure 2.2.

Figure 2.2: Defense in depth illustrated.

Shared Responsibility Model

Security and compliance is a shared responsibility between AWS and the customer. By following this shared model, customers can reduce the operational burden, as AWS assumes responsibility for operating, managing, and controlling the components “of” the cloud. This leaves customers to focus on building their applications and implementing their services while assuming responsibility for securing those services “in” the cloud. You can see an example of this model in Figure 2.3.

Figure 2.3: The shared responsibility model.

There’s an aspect of this model that I believe many fail to grasp. The model you see in Figure 2.3 does not apply to all services on AWS. In fact, the less customizable the service, the more responsibility AWS takes on. For example, Figure 2.4 illustrates the shared responsibility model as it applies to services like EC2.

Figure 2.4: The shared responsibility model for EC2.

With AWS foundational services, like compute, storage, networking, and physical infrastructure, AWS takes responsibility for all underlying security controls, including physical security. As a customer, you don’t need to manage these aspects. However, for elements running on top of AWS services, such as the operating system on an EC2 instance, firewall configurations, security rules, and identity and access management, you are responsible for implementing and maintaining these security controls. What about a more abstracted service?

Looking at Figure 2.5, you can see how the shared responsibility model applies to something like an RDS database. As you can see in the figure, AWS provides the security all the way up to the platform, applications, and identity and access management.

Figure 2.5: The shared responsibility model for RDS.

To take it one step further, Figure 2.6 illustrates how AWS provides security for services like DynamoDB and S3, whereby network traffic protection and (optionally) server-side data encryption are provided by AWS as part of the shared responsibility model.

Figure 2.6: The shared responsibility model for DynamoDB, S3, and similar services.

Why is this concept so important to understand? Because you need to know what is your responsibility in order to know what you need to secure, which tools and services are available to help you do so, and any gaps in security you currently have.

AWS Security Services Overview

Now that you have a basic understanding of the core security concepts, this section provides an overview of some of AWS’s security services and discusses how the core concepts apply to them. To begin, I discuss identity and access management.

Identity Services

What do you think of when you hear the term “identity services” or “identity management”? For me, I think back to my routing and switching days, and the first thing that comes to mind is authentication, authorization, and accounting (AAA). Authentication involves identifying a user and determining if they are supposed to have access to a resource. Once you know who a user is and that they are allowed to have access, authorization determines the specific actions they are allowed to take. And accounting involves keeping an audit trail of everything that’s been done. When it comes to identity management with AWS, this isn’t far from the same idea.

At its core, identity management on AWS involves managing identities, permissions, and resource access. There is more than one way to secure and manage identities with AWS. The services involved are as follows:

AWS IAM Identity Center:

Centralizes user access management across AWS accounts and applications within an organization.

AWS IAM:

Manages user access and permissions for AWS services and resources.

AWS Directory Service:

Provides managed directory services to integrate and manage user authentication for AWS resources.

AWS Resource Access Manager:

Shares AWS resources securely across accounts in your organization.

AWS Organizations:

Organizes and manages multiple AWS accounts centrally, enforcing policies and consolidating billing.

Amazon Cognito:

Enables secure user sign-up, sign-in, and access control for web and mobile apps.

Amazon Verified Permissions:

Offers fine-grained access control policies for custom applications, ensuring verified access permissions.

AWS identity and access management (IAM) is AWS’s foundational service for controlling access to AWS resources. IAM allows you to manage users, groups, and roles within individual AWS accounts and apply specific permissions to secure access to AWS services. As the original service for access management on AWS, IAM provides the core features needed to control who has access to which resources. It’s an essential part of the shared responsibility model.

Building on IAM’s capabilities, the AWS IAM Identity Center is designed to help you manage the workforce access across your AWS accounts and applications. This is the AWS recommended service for doing so, but it’s not the only one. The benefit of following this recommendation is that users get a consistent experience across all AWS applications. Prior to the use of the AWS IAM Identity Center, most workforce management was done with AWS IAM. So why choose Identity Center over IAM? Because Identity Center lets you manage access to all AWS accounts in an AWS organization, as well as access to other applications. IAM, on the other hand, lets you manage access to AWS services and resources within an AWS account. Chapter 3 goes into much more detail on identity management.

For now, it’s important to understand that identity services on AWS allow you to manage users, groups, and roles as well as apply policies and permissions. This provides at least one layer of defense in the defense-in-depth approach, and it covers the confidentiality portion of the CIA triad. Regarding the shared responsibility model, the users and their permissions are part of your responsibility. When configuring user accounts, groups, and roles, you should follow the least-privilege principle.

Network Security

The next area of AWS security services is network security. There are several services to discuss in this area; however, the primary service is the Amazon Virtual Private Cloud (VPC). An Amazon VPC is a logically isolated section of the AWS cloud environment that allows you to define and control your own virtual networking environment, including IP address ranges, subnets, routing tables, and network gateways.

Within an Amazon VPC, you can create and configure various resources, including

Virtual Private Cloud (VPC):

The virtual network itself, where you can launch AWS resources like Amazon Elastic Compute Cloud (EC2) instances, Amazon Relational Database Service (RDS) instances, and others.

Subnet:

You can divide your VPC into multiple subnets, which are isolated segments within the VPC. These subnets can be public (accessible from the Internet) or private (accessible only from within the VPC or other connected networks).

Internet gateway:

A horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet.

NAT gateway:

A Network Address Translation (NAT) gateway enables instances in a private subnet to connect to the Internet or other private subnets, or AWS services, but prevents the Internet from initiating connections with those instances.

Virtual private gateway:

This component establishes a secure and private connection between your corporate data center and your VPC, typically over an Internet Protocol Security (IPsec) virtual private network (VPN) connection.

By creating an Amazon VPC, you have control over your virtual networking environment, allowing you to customize it according to your specific security and infrastructure requirements. There are several security features within a VPC. For example, a VPC is a logically isolated network environment that is separate from other virtual networks in the AWS cloud. This isolation ensures that network traffic within your VPC is isolated by default from other VPCs or networks unless you allow that traffic, providing an additional layer of security.

Taking that a step further, subnet isolation could be considered another security feature of a VPC. Since public subnets are associated with route tables that have a route to an Internet gateway, while private subnets do not, you can isolate resources based on their accessibility needs. This setup helps ensure confidentiality when properly designed.

There is another feature within a VPC that is more clearly a security feature, and it’s called a security group. Security groups act as virtual firewalls for your EC2 instances within a VPC. You can define inbound and outbound rules to control the traffic to and from your instances, allowing or denying specific IP addresses, protocols, and ports. You can also reference other security groups as a source or destination. Security groups offer you granular control at the instance level, and they are applied to the elastic network interface (ENI) of a resource (EC2 instances, RDS instances, etc.). Security groups are also stateful, meaning they track the state of a connection, and valid responses to an allowed connection are permitted automatically.

Another security construct at the network level is the Network Access Control List (NACL). NACLs are stateless firewalls that operate at the subnet level. They provide an additional layer of security (again, think defense in depth) by allowing or denying traffic based on inbound and outbound rules that specify IP addresses, protocols, and port numbers. NACL rules are evaluated in numerical order, from the lowest rule number to the highest. By default, NACLs allow all inbound and outbound traffic, but you can modify the rules to restrict traffic.

VPCs fit into the integrity and availability sections of the CIA triad. As you configure security groups and NACLs, keep the principle of least privilege in mind and allow only the necessary ports and protocols. Finally, access into and out of your VPC falls on the customer side of the shared responsibility model.
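To make the stateful-versus-stateless distinction and the NACL rule ordering concrete, here is a small evaluator that traces one inbound HTTPS connection through a subnet NACL and an instance security group. It is an added example written for this chapter, not AWS code, and it models only the behaviour described above: NACL entries are walked lowest number first and the first match wins, with an implicit deny at the end; security groups hold allow rules only and admit the reply to any request they accepted. All rule sets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    """One firewall entry. 'number' orders NACL entries; security groups ignore it."""
    protocol: str           # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACL entries may be "deny"; security groups are allow-only
    number: int = 0

    def matches(self, protocol: str, port: int, address: str) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr)


def nacl_decision(rules: List[Rule], protocol: str, port: int, address: str) -> str:
    """Lowest rule number first, first match wins; the trailing '*' entry denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, address):
            return rule.action
    return "deny"


def sg_decision(rules: List[Rule], protocol: str, port: int, address: str) -> str:
    """Any matching allow rule admits the packet; there is nothing else to match."""
    return "allow" if any(r.matches(protocol, port, address) for r in rules) else "deny"


def evaluate_inbound_connection(client_ip: str, client_port: int, server_port: int,
                                sg_inbound: List[Rule], nacl_inbound: List[Rule],
                                nacl_outbound: List[Rule]) -> Dict[str, object]:
    """Trace a TCP connection from an external client to an instance through both layers.

    The request crosses the subnet NACL (inbound) and then the security group (inbound).
    The reply to the client's ephemeral port crosses the NACL again on the way out; because
    the NACL is stateless, that reply needs its own outbound entry. The security group is
    stateful, so the reply is admitted on the strength of the accepted request.
    """
    request_nacl = nacl_decision(nacl_inbound, "tcp", server_port, client_ip)
    request_sg = sg_decision(sg_inbound, "tcp", server_port, client_ip)
    reply_nacl = nacl_decision(nacl_outbound, "tcp", client_port, client_ip)
    reply_sg = request_sg   # stateful: tracked connection, no outbound rule consulted
    decisions = {"request_nacl": request_nacl, "request_sg": request_sg,
                 "reply_nacl": reply_nacl, "reply_sg": reply_sg}
    return {**decisions, "connection_works": all(v == "allow" for v in decisions.values())}


# Constructed rule sets (illustrative, not from any real account).
SG_WEB = [Rule("tcp", 443, 443, "0.0.0.0/0")]
NACL_IN_GOOD = [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)]
# Replies go back to whatever ephemeral port the client chose, so the outbound side must open that range.
NACL_OUT_GOOD = [Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)]
# Common mistake: mirroring the inbound entry outbound, which only covers traffic *to* port 443.
NACL_OUT_MISSING_EPHEMERAL = [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)]
# Ordering matters: a deny numbered below the broad allow takes effect; numbered above it, it never fires.
NACL_IN_DENY_EFFECTIVE = [Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 50),
                          Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)]
NACL_IN_DENY_SHADOWED = [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100),
                         Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 200)]


if __name__ == "__main__":
    print(evaluate_inbound_connection("203.0.113.10", 51514, 443, SG_WEB, NACL_IN_GOOD, NACL_OUT_GOOD))
    print(evaluate_inbound_connection("203.0.113.10", 51514, 443, SG_WEB, NACL_IN_GOOD, NACL_OUT_MISSING_EPHEMERAL))
```

The second scenario is the one that catches people: the security group alone would let the connection succeed, but the stateless NACL drops the reply because no outbound entry covers the client's ephemeral port. The two deny variants show why rule numbers deserve as much attention as the rules themselves.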

Before you move on from the network security section, there are a few other services and features that fall into this category. For the sake of brevity, I only mention these services briefly. A more in-depth discussion of these services comes when applicable, later in this book. These services include

Flow logs:

They capture information about the IP traffic going to and from network interfaces in your VPC. These logs can be analyzed to monitor and audit network traffic for security purposes. Flow logs can be applied at the VPC, subnet, and ENI levels.

AWS PrivateLink:

Allows you to securely access AWS services and resources from your VPC without traversing the public Internet. This reduces the exposure of your VPC resources to potential threats on the Internet.

AWS Network Firewall:

A managed network security service that enables you to deploy essential network protection across your VPCs. It provides stateful, managed firewalling capabilities to filter traffic at the perimeter of your VPC.

AWS Web Application Firewall (WAF):

A web application firewall that helps protect your web applications and APIs from common web exploits and bots. It operates at the application level, inspecting and filtering incoming HTTP/HTTPS traffic based on user-defined rules.

Amazon VPC Traffic Mirroring:

Enables you to capture and inspect network traffic from Amazon EC2 instances within your VPC, allowing for deep packet inspection and network analysis.

AWS Shield:

A managed DDoS (distributed denial-of-service) protection service that safeguards your applications from external threats, enhancing availability by mitigating large-scale attacks.
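Flow logs are only useful if something reads them, so here is a worked example of two simple detections run over constructed VPC flow log records in the default (version 2) format. This is an added example, not code from the book or from AWS; the account ID, ENI ID, addresses and the VPC CIDR are placeholders, and the threshold is an assumption to tune for your own environment. It skips NODATA/SKIPDATA intervals, which carry `-` placeholders rather than traffic.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Default VPC flow log record layout (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: account, ENI and addresses are illustrative placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0abc1234567890def 203.0.113.5 10.0.1.20 41337 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234567890def 203.0.113.5 10.0.1.20 41338 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234567890def 203.0.113.5 10.0.1.20 41339 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234567890def 203.0.113.5 10.0.1.20 41340 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234567890def 198.51.100.9 10.0.1.20 50211 443 6 12 4500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234567890def 10.0.2.15 10.0.1.20 50400 22 6 20 2800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234567890def 198.51.100.42 10.0.1.20 50999 22 6 8 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234567890def - - - - - - - 1700000060 1700000120 - NODATA
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # constructed
SSH_PORT = 22
TCP = "6"             # protocol number as it appears in the record
SCAN_THRESHOLD = 3    # assumption: distinct rejected ports from one source before we call it probing


def parse_flow_log(text: str) -> List[Dict[str, str]]:
    """Parse records, dropping malformed lines and intervals that carry no traffic."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue    # malformed line: skip it rather than abort the whole analysis
        record = dict(zip(FIELDS, parts))
        if record["log_status"] != "OK":
            continue    # NODATA / SKIPDATA rows hold '-' placeholders, not flows
        records.append(record)
    return records


def find_probing_sources(records: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Sources whose rejected flows touched at least SCAN_THRESHOLD distinct destination ports."""
    rejected_ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(int(r["dstport"]))
    return {src: sorted(ports) for src, ports in rejected_ports.items()
            if len(ports) >= SCAN_THRESHOLD}


def find_external_ssh(records: List[Dict[str, str]]) -> List[str]:
    """Accepted SSH flows from outside the VPC: each one deserves a least-privilege review."""
    hits = []
    for r in records:
        if r["action"] != "ACCEPT" or r["protocol"] != TCP or int(r["dstport"]) != SSH_PORT:
            continue
        if ipaddress.ip_address(r["srcaddr"]) not in VPC_CIDR:
            hits.append(r["srcaddr"])
    return hits


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    print("probing sources:", find_probing_sources(flows))
    print("external SSH accepted from:", find_external_ssh(flows))
```

The rejected flows confirm the NACL or security group is doing its job, but the pattern (one source, four ports, one interval) is what a monitoring pipeline should surface. The accepted external SSH connection is the more interesting finding: the rule that admitted it is a candidate for tightening under least privilege.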

Data Protection

The data protection category in AWS security services covers a range of services and features designed to help protect and secure data in various states: at rest, in transit, and in use. These are not the traditional data protection services that some think of, like backup, disaster recovery, or data replication services. These services aim to prevent unauthorized access, ensure data integrity, and maintain data privacy and compliance. The data protection services to be aware of are as follows:

AWS Key Management Service (KMS):

A managed service that enables you to create, store, and manage cryptographic keys used for data encryption and decryption. It provides secure key management, including key rotation, key access control, and auditing capabilities, as well as integrating with other AWS services to enable encryption and decryption of data at rest and in transit.

AWS CloudHSM:

A cloud-based hardware security module (HSM) that provides secure key storage and cryptographic operations. It offers FIPS 140-2 Level 3 validated HSMs, ensuring high levels of security for cryptographic keys and operations. CloudHSM is often used for scenarios that require strict compliance requirements or additional control over key management.

AWS Certificate Manager (ACM):

A service that simplifies the provisioning, management, and deployment of public and private SSL/TLS certificates. It helps secure data in transit by enabling HTTPS connections between clients and web applications or services. ACM integrates with other AWS services, like Elastic Load Balancing, Amazon CloudFront, and API Gateway.

Amazon Macie:

A data security and privacy service that uses machine learning to discover and protect sensitive data stored in Amazon S3. It can identify and alert you to sensitive data, such as personally identifiable information (PII) or intellectual property. Macie helps you meet data privacy and compliance requirements by identifying and protecting sensitive data.

AWS Encryption Services:

AWS provides various encryption services and features, including server-side encryption for Amazon S3, Amazon EBS, and Amazon RDS, client-side encryption, and field-level encryption for specific services. These services enable data encryption at rest and in transit, helping protect data confidentiality and integrity.

AWS PrivateLink:

This provides private connectivity among AWS services, your VPC, and on-premises networks without exposing data to the public Internet. It helps secure data in transit and ensures that sensitive data remains within the AWS network or on your private network.

To conclude this section on data protection, I highlight how these services align with the core security principles and models covered at the onset.

AWS data protection services, such as AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager (ACM), and Amazon Macie, directly contribute to the confidentiality and integrity aspects of the CIA (confidentiality, integrity, and availability) triad. They enable encryption, secure key management, and secure communication channels, protecting data at rest, in transit, and in use. Moreover, these services support the principle of least privilege by providing granular access controls and integrating with AWS identity and access management (IAM) for role-based permissions. Collectively, they form a defense-in-depth strategy, offering multiple layers of data protection through encryption, key management, certificate management, and sensitive data discovery. Finally, they align with the shared responsibility model, where AWS ensures the security of the underlying cloud infrastructure and you, the customer, are responsible for properly configuring and using these services to safeguard your data’s confidentiality and integrity.

Now that you have fundamental knowledge of data protection, the next section explores AWS services focused on threat detection and monitoring.

Threat Detection and Monitoring

Threat detection and monitoring refers to the process of identifying, analyzing, and responding to potential security threats and risks within an organization’s IT infrastructure and systems. It involves continuous monitoring of various sources, such as network traffic, system logs, user activities, and application events, with the goal of detecting any suspicious or malicious behavior that could compromise or otherwise impact the security of an organization’s assets, data, and operations. This typically involves the use of various tools and technologies, such as Security Information and Event Management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS), log management solutions, vulnerability scanners, and security analytics platforms.

The key AWS services in this category include Amazon GuardDuty, AWS CloudTrail, and AWS Config. A brief overview of each of these and how they relate to the core security concepts already discussed is in order:

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior within your AWS accounts and workloads. I think of GuardDuty in a similar manner to a typical intrusion detection system. GuardDuty leverages machine learning, anomaly detection, and integrated threat intelligence to identify potential threats, such as compromised instances, suspected credential exposure, or suspicious network activity. GuardDuty helps organizations maintain the integrity and confidentiality of their data and systems by promptly alerting them to potential security incidents.

AWS CloudTrail is a service that records API calls and related events across your AWS infrastructure. It provides a comprehensive audit trail of actions taken within your AWS accounts. This audit trail supports compliance efforts, security analysis, and operational troubleshooting. CloudTrail aligns with the principle of least privilege in that you can monitor and review the actions taken by different users, roles, and services and ensure that only authorized activities are performed. If actions are taken outside the scope of a user, role, or service, you can adjust the policies and permissions accordingly.
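The CloudTrail-to-least-privilege loop described above, as an added example (not code from the book or an AWS tool): compare the actions a policy grants against the actions CloudTrail actually recorded for one principal, report grants that were never exercised, and separately list attempts that ended in AccessDenied. The events, policy and role ARN are constructed. One caveat is built into the code: the IAM action name is derived from `eventSource` plus `eventName`, which holds for most services but not all, and some calls (S3 object-level operations, for example) only appear in CloudTrail when data events are enabled, so the result is a review list rather than an automatic permission cut.

```python
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed policy grants for a role (illustrative, not from any real account).
ALLOWED_ACTIONS = ["s3:GetObject", "s3:PutObject", "ec2:Describe*", "iam:PassRole"]
ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"   # constructed

# Constructed CloudTrail records, trimmed to the fields this review needs.
CLOUDTRAIL_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": ROLE_ARN}, "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/other-role"}},
]


def event_to_action(event: Dict) -> str:
    """Derive an IAM-style action name ('s3:GetObject') from a CloudTrail record.

    The service prefix is taken from eventSource ('s3.amazonaws.com' -> 's3'). This
    mapping holds for most services but not every one, so treat it as a starting point.
    """
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def action_allowed(action: str, patterns: List[str]) -> bool:
    """IAM action names are case-insensitive and grants may carry '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def review_principal(principal_arn: str, events: List[Dict],
                     allowed: List[str]) -> Dict[str, List[str]]:
    """Split one principal's recorded activity into used, denied and never-used grants."""
    used, denied = set(), set()
    for ev in events:
        if ev.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        action = event_to_action(ev)
        if ev.get("errorCode") == "AccessDenied":
            denied.add(action)    # attempted beyond the granted scope: investigate, do not grant
        else:
            used.add(action)
    # A grant that no successful call ever matched is a candidate for removal.
    unused = [p for p in allowed if not any(action_allowed(u, [p]) for u in used)]
    return {"used": sorted(used), "denied_attempts": sorted(denied), "unused_grants": unused}


if __name__ == "__main__":
    for key, value in review_principal(ROLE_ARN, CLOUDTRAIL_EVENTS, ALLOWED_ACTIONS).items():
        print(f"{key}: {value}")
```

For the constructed role this reports two grants that were never used (`s3:PutObject` and `iam:PassRole`) and one denied attempt (`iam:AttachRolePolicy`). The unused grants go to the policy owner for removal; the denied attempt goes to whoever investigates why that role tried to change IAM policy at all. This is the same question IAM's Access Advisor answers at the service level, worked here at the action level from the raw trail.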

AWS Config is a service that continuously monitors and records the configuration of your AWS resources and then assesses those resources against desired configurations and compliance rules that you select or define. It helps organizations maintain a secure and compliant infrastructure by identifying misconfigurations, deviations from best practices, and potential security risks. Config supports the defense-in-depth approach by providing a layer of continuous monitoring and assessment, complementing other security controls.

These threat-detection and monitoring services contribute to the CIA triad by supporting the confidentiality, integrity, and availability of your AWS resources and data. They align with the shared responsibility model, where AWS provides the secure service and you are responsible for configuring, enabling, and actively monitoring these services to detect and respond to potential threats effectively.

The threat detection and monitoring services discussed in this section are key services, and they play an important role in identifying potential security threats, monitoring user activities, and ensuring compliance with security best practices. However, in today’s complex regulatory landscape, organizations must go beyond reactive threat detection and proactively ensure compliance with various industry standards, regulations, and internal governance policies.

This leads to the next category of AWS security services, focused on compliance and governance. The next section discusses services like AWS Artifact, AWS Config rules, and AWS Organizations and explains how they equip you with the tools and capabilities to streamline compliance efforts, enforce governance policies, and maintain a consistent security posture across your AWS environments.

Compliance and Governance