AWS Security
Dylan Shields
  • ISBN 9781617297335
  • 425 pages (estimated)
  • printed in black & white

“A book to keep on the desk and consult continuously.” - Antonio Pessolano
Running your systems in the cloud doesn’t automatically make them secure. To create secure applications and infrastructure on AWS, you need to understand the tools and features the platform provides and learn new approaches to configuring and managing them. Written by security engineer Dylan Shields, AWS Security provides comprehensive coverage on the key tools and concepts you can use to defend AWS-based systems. You’ll learn how to honestly assess your existing security protocols, protect against the most common attacks on cloud applications, and apply best practices to configuring Identity and Access Management and Virtual Private Clouds.

About the Technology

Rapid iteration, easy scaling, and huge savings have caused a mass migration to AWS. However, running in the cloud requires you to modify the security practices you use in on-prem infrastructure. Users of AWS who fail to adapt run the risk of exposing their business and their customers to an attack. Luckily, AWS comes with a stack of tools and services that offer a high level of control over your cloud security.

About the book

AWS Security is an invaluable guide that you’ll want to have on hand when you’re facing any cloud security problem. With a cookbook-style delivery, it’s filled with well-documented examples and procedures you can apply to common AWS security issues. This book covers best practices for access policies, data protection, auditing, continuous monitoring, and incident response. You’ll also explore several deliberately insecure applications, including a social media site and a mobile app, learning the exploits and vulnerabilities commonly used to attack them and the security practices to counter those attacks. With this practical primer, you’ll be well prepared to evaluate your system’s security, detect threats, and respond with confidence.
Table of Contents

Part 1: Securing your cloud infrastructure

1 Introduction to AWS Security

1.1 The Shared Responsibility Model

1.1.1 What is AWS Responsible For?

1.1.2 What are You Responsible For?

1.2 Cloud Native Security Tools

1.2.1 Identity and Access Management - IAM

1.2.2 Virtual Private Cloud - VPC

1.2.3 And Many More

1.3 A New Way of Operating

1.3.1 Speed of Infrastructure Development

1.3.2 Shifting Responsibilities

1.4 Conclusion

1.5 Summary

2 Logical Access Protection: Securing the use of your AWS account with IAM

2.1 Identity and Access Management Basics

2.1.1 Users

2.1.2 Identity Policies

2.1.3 Resource Policies

2.1.4 Groups

2.1.5 Roles

2.2 Using Common Patterns in AWS IAM

2.2.1 AWS Managed Policies

2.2.2 Advanced Patterns

2.3 Securing Access Between Multiple Accounts

2.3.1 The Wall Between Accounts

2.3.2 Cross Account IAM Roles

2.3.3 Managing Multiple Accounts with AWS Organizations

2.4 Attribute-Based Access Control with Tags

2.4.1 Tagged Resources

2.4.2 Tagged Principals

2.5 Integration with Existing Access Management Systems

2.5.1 Integrating with Active Directory and other SAML Systems

2.5.2 Integrating with OpenID Connect Systems

2.6 Summary

3 Policies and Procedures for Secure Access

3.1 Establishing Best Practices for IAM

3.1.1 Why create best practices?

3.1.2 Best Practices Example: MFA

3.1.3 Enforceable Best Practices

3.2 Applying Least Privilege Access Control

3.2.1 Why Least Privilege is Hard

3.2.2 Policy Wildcards

3.2.3 AWS Managed Policies

3.2.4 Shared Permissions (Groups and Managed Policies)

3.3 Choosing Between Short and Long-Lived Credentials

3.3.1 The risk of long-lived credentials

3.3.2 Trade-offs With Credential Rotation

3.3.3 A Balance With IAM Roles

3.4 Reviewing IAM Permissions

3.4.1 Why you should review IAM resources

3.4.2 Types of Reviews

3.4.3 Reducing the review burden

3.5 Summary

4 Securing the Network: The Virtual Private Cloud

4.1 Working with a Virtual Private Cloud

4.1.1 VPCs

4.1.2 Subnets

4.1.3 Network Interfaces and IPs

4.1.4 Internet and NAT Gateways

4.2 Traffic Routing and Virtual Firewalls

4.2.1 Route Tables

4.2.2 Security Groups

4.2.3 Network ACLs

4.3 Separating Private Networks

4.3.1 Using Multiple VPCs for Network Isolation

4.3.2 Connections between VPCs

4.3.3 Connecting VPCs to Private Networks

4.4 Summary

5 Network Access Protection beyond the VPC

5.1.1 What’s Wrong With Public Traffic?

5.1.2 Using VPC Endpoints

5.2 Blocking Malicious Traffic with AWS Web Application Firewall

5.2.1 Using WAF Managed Rules

5.2.2 Blocking Real-World Attacks with Custom AWS WAF Rules

5.2.3 When To Use AWS WAF

5.3 Protecting against distributed denial of service attacks using AWS Shield

5.3.1 Free Protection with Shield Standard

5.3.2 Stepping Up Protection with Shield Advanced

5.4 Integrating Third Party Firewalls

5.4.1 Web Application and Next-Gen Firewalls

5.4.2 Setting Up a Firewall From AWS Marketplace

5.5 Summary

6 Protecting Data in the Cloud

6.1 Data Security Concerns

6.1.1 Confidentiality

6.1.2 Data Integrity

6.1.3 Defense in Depth

6.2 Securing Data at Rest

6.2.1 Encryption At Rest

6.2.2 Least Privilege Access Controls

6.2.3 Backups and Versioning

6.3 Securing Data in Transit

6.3.1 Secure Protocols for Data Transport

6.3.2 Enforcing Secure Transport

6.4 Data Access Logging

6.4.1 Access Logging for Amazon S3

6.4.2 CloudTrail Logs for Resource Access

6.4.3 VPC Flow Logs for Network Access

6.5 Data Classification

6.5.1 Identifying Sensitive Data with Amazon Macie

6.6 Summary

7 Logging and Audit Trails

8 Continuous Monitoring and Alerting

9 Incident Response and Remediation

Part 2: Case studies in applying cloud security

10 Securing a Public Web Application

11 Securing an Internal Business Application

12 Securing a Mobile Application

What's inside

  • Securely grant access to AWS resources to coworkers and customers
  • Develop policies for ensuring proper access controls
  • Lock down network controls using VPCs
  • Record audit logs and use them to identify attacks
  • Track and assess the security of an AWS account
  • Recognize common attacks and vulnerabilities

About the reader

For software and security engineers building and securing AWS applications.

About the author

Dylan Shields is a software engineer working on Quantum Computing at AWS. Previously, Dylan was the first engineer on the AWS Security Hub team. He has also worked at Google Cloud, focusing on the security and reliability of their serverless data warehouse, BigQuery.
