
AWS Security [Paperback]

  • Format: Paperback / softback, 425 pages, height x width x thickness: 234x188x20 mm, weight: 560 g
  • Publication date: 19-Sep-2022
  • Publisher: Manning Publications
  • ISBN-10: 161729733X
  • ISBN-13: 9781617297335
Running your systems in the cloud doesn't automatically make them secure. To create secure applications and infrastructure on AWS, you need to understand the tools and features the platform provides and learn new approaches to configuring and managing them. Written by security engineer Dylan Shields, AWS Security provides comprehensive coverage of the key tools and concepts you can use to defend AWS-based systems. You'll learn how to honestly assess your existing security protocols, protect against the most common attacks on cloud applications, and apply best practices to configuring Identity and Access Management and Virtual Private Clouds.

About the technology

Rapid iteration, easy scaling, and huge savings have caused a mass migration to AWS. However, running in the cloud requires you to modify the security practices you use in on-prem infrastructure. Users of AWS who fail to adapt run the risk of exposing their business and their customers to an attack. Luckily, AWS comes with a stack of tools and services that offer a high level of control over your cloud security.

About the book

AWS Security is an invaluable guide that you'll want to have on hand when you're facing any cloud security problem. With a cookbook-style delivery, it's filled with well-documented examples and procedures you can apply to common AWS security issues. This book covers best practices for access policies, data protection, auditing, continuous monitoring, and incident response. You'll also explore several deliberately insecure applications, including a social media site and a mobile app, learning the exploits and vulnerabilities commonly used to attack them and the security practices to counter those attacks. With this practical primer, you'll be well prepared to evaluate your system's security, detect threats, and respond with confidence.

What's inside

  • Securely grant access to AWS resources to coworkers and customers
  • Develop policies for ensuring proper access controls
  • Lock down network controls using VPCs
  • Record audit logs and use them to identify attacks
  • Track and assess the security of an AWS account
  • Common attacks and vulnerabilities

About the reader

For software and security engineers building and securing AWS applications.

About the author

Dylan Shields is a software engineer working on Quantum Computing at AWS. Previously, Dylan was the first engineer on the AWS Security Hub team. He has also worked at Google Cloud, focusing on the security and reliability of their serverless data warehouse, BigQuery.

Reviews

'A book to keep on the desk and consult continuously' Antonio Pessolano

'This book should be part of AWS documentation.' Sébastien Portebois

'The reference for every security engineer. A must-read and a clear recommendation.' Thorsten Weber

'A must read for anyone responsible for AWS security in their project or IT organizations.' Enrico Mazzarella

'A very well presented overview of AWS security by someone who clearly has deep and extensive practical experience in the field.' Tony Mullen

Table of contents

Preface
Acknowledgments
About this book
About the author
About the cover illustration
1 Introduction to AWS security
  1.1 The shared responsibility model
    What is AWS responsible for?
    What are you responsible for?
  1.2 Cloud-native security tools
    Identity and access management
    Virtual private cloud
    And many more
  1.3 A new way of operating
    Speed of infrastructure development
    Shifting responsibilities
  1.4 Conclusion
2 Identity and access management
  2.1 Identity and access management basics
    Users
    Identity policies
    Resource policies
    Groups
    Roles
  2.2 Using common patterns in AWS IAM
    AWS managed policies
    Advanced patterns
  2.3 Attribute-based access control with tags
    Tagged resources
    Tagged principals
3 Managing accounts
  3.1 Securing access between multiple accounts
    The wall between accounts
    Cross-account IAM roles
    Managing multiple accounts with AWS Organizations
  3.2 Integration with existing access management systems
    Integrating with Active Directory and other SAML systems
    Integrating with OpenID Connect systems
4 Policies and procedures for secure access
  4.1 Establishing best practices for IAM
    Why create best practices?
    Best practices example: MFA
    Enforceable best practices
  4.2 Applying least privilege access control
    Why least privilege is hard
    Policy wildcards
    AWS managed policies
    Shared permissions (groups and managed policies)
  4.3 Choosing between short- and long-lived credentials
    The risk of long-lived credentials
    Trade-offs associated with credential rotation
    A balance with IAM roles
  4.4 Reviewing IAM permissions
    Why you should review IAM resources
    Types of reviews
    Reducing the review burden
5 Securing the network: The virtual private cloud
  5.1 Working with a virtual private cloud
    VPCs
    Subnets
    Network interfaces and IPs
    Internet and NAT gateways
  5.2 Traffic routing and virtual firewalls
    Route tables
    Security groups
    Network ACLs
  5.3 Separating private networks
    Using multiple VPCs for network isolation
    Connections between VPCs
    Connecting VPCs to private networks
6 Network access protection beyond the VPC
  6.1 Securing access to services with VPC endpoints and PrivateLink
    What's wrong with public traffic?
    Using VPC endpoints
    Creating a PrivateLink service
  6.2 Blocking malicious traffic with AWS Web Application Firewall
    Using WAF managed rules
    Blocking real-world attacks with custom AWS WAF rules
    When to use AWS WAF
  6.3 Protecting against distributed denial of service attacks using AWS Shield
    Free protection with Shield Standard
    Stepping up protection with Shield Advanced
  6.4 Integrating third-party firewalls
    Web application and next-gen firewalls
    Setting up a firewall from AWS Marketplace
7 Protecting data in the cloud
  7.1 Data security concerns
    Confidentiality
    Data integrity
    Defense in depth
  7.2 Securing data at rest
    Encryption at rest
    Least privilege access controls
    Backups and versioning
  7.3 Securing data in transit
    Secure protocols for data transport
    Enforcing secure transport
  7.4 Data access logging
    Access logging for Amazon S3
    CloudTrail logs for resource access
    VPC Flow Logs for network access
  7.5 Data classification
    Identifying sensitive data with Amazon Macie
8 Logging and audit trails
  8.1 Recording management events
    Setting up CloudTrail
    Investigating an issue with CloudTrail logs
  8.2 Tracking resource configuration changes
    Pinpoint a change with a configuration timeline
    Setting up AWS Config
    Resource compliance information
  8.3 Centralizing application logs
    CloudWatch Logs basics
    The CloudWatch agent
    Advanced CloudWatch Logs features
    Recording network traffic
9 Continuous monitoring
  9.1 Resource configuration scanning
    Ad hoc scanning
    Continuous monitoring
    Compliance standards and benchmarks
  9.2 Host vulnerability scanning
    Types of host vulnerabilities
    Host-scanning tools
  9.3 Detecting threats in logs
    Threats in VPC Flow Logs
    Threats in CloudTrail logs
10 Incident response and remediation
  10.1 Tracking security events
    Centralizing alerts
    Status tracking
    Data analysis
  10.2 Incident response planning
    Playbooks
  10.3 Automating incident response
    Scripting playbooks
    Automated response
11 Securing a real-world application
  11.1 A sample application
    Diving into the application
    Threat modeling
  11.2 Strong authentication and access controls
    Credential stuffing
    Brute forcing
    Overly permissive policies and incorrect authorization settings
    Inadvertent admin or root access
  11.3 Protecting data
    Data classification
    Highly sensitive data
    Sensitive data
    Public data
  11.4 Web application firewalls
    Cross-site scripting
    Injection attacks
    Scraping
  11.5 Implementing authentication and authorization end to end
    Setting up Cognito
    Securing the API gateway endpoints
Index