
Security and Microservice Architecture on AWS: Architecting and Implementing a Secured, Scalable Solution, ISBN-13: 978-1098101466

Description

[PDF eBook eTextbook]

  • Publisher: O’Reilly Media; 1st edition (October 12, 2021)
  • Language: English
  • 394 pages
  • ISBN-10: 1098101464
  • ISBN-13: 978-1098101466

Security is usually an afterthought when organizations design microservices for cloud systems. Most companies today are exposed to potential security threats, but their responses are often more reactive than proactive. This leads to unnecessarily complicated systems that are hard to implement and even harder to manage and scale. Author Gaurav Raje shows you how to build highly secure systems on AWS without increasing overhead.

Ideal for cloud solution architects and software developers with AWS experience, this practical book starts with a high-level architecture and design discussion, then explains how to implement your solution in the cloud while ensuring that the development and operational experience isn’t compromised. By leveraging the AWS Shared Responsibility Model, you’ll be able to:

  • Develop a modular architecture using microservices that aims to simplify compliance with various regulations in finance, medicine, and legal services
  • Introduce various AWS-based security controls to help protect your microservices from malicious actors
  • Leverage the modularity of the architecture to independently scale security mechanisms on individual microservices
  • Improve the security posture without compromising the autonomy or efficiency of software development teams

Table of Contents:

Preface
  • Goals of This Book
  • Who Should Use This Book
  • Conventions Used in This Book
  • Using Code Examples
  • O’Reilly Online Learning
  • How to Contact Us
  • Acknowledgments

1. Introduction to Cloud Microservices
  • Basics of Cloud Information Security
  • Risk and Security Controls
  • Organizational Security Policy
  • Security Incidents and the CIA Triad
  • AWS Shared Responsibility Model
  • Cloud Architecture and Security
  • Security Through Modularity
  • Security Through Simplicity
  • Security Through Fully Managed AWS Services
  • Blast Radius, Isolation, and the Locked Rooms Analogy
  • Defense-in-Depth and Security
  • Security Through Perimeter Protection
  • Security Through Zero Trust Architecture
  • A Brief Introduction to Software Architecture
  • Tier-Based Architecture
  • Domain-Driven Design
  • Microservices
  • Implementation of Microservices on AWS
  • Container-Based Microservice Architecture
  • A Very Brief Introduction to Kubernetes
  • Function as a Service: FaaS Using AWS Lambda
  • Overview of Cloud Microservice Implementation
  • Amazon EKS
  • Amazon EKS Fargate Mode
  • Function as a Service Using AWS Lambda
  • Microservice Implementation Summary
  • Examples of Microservice Communication Patterns
  • Example 1: Simple Message Passing Between Contexts
  • Example 2: Message Queues
  • Example 3: Event-Based Microservices
  • Summary

2. Authorization and Authentication Basics
  • Basics of AWS Identity and Access Management
  • Principals on AWS
  • IAM Policies
  • Principle of Least Privilege
  • PoLP and Blast Radius
  • Structure of AWS IAM Policies
  • Principal-Based Policies
  • Resource-Based Policies
  • The Zone of Trust
  • Evaluation of Policies
  • Advanced Concepts in AWS IAM Policies
  • IAM Policy Conditions
  • AWS Tags and Attribute-Based Access Control
  • “Not” Policy Elements: NotPrincipal and NotResource
  • Wrapping Up IAM Policies
  • Role-Based Access Control
  • RBAC Modeling
  • Securing Roles
  • Assuming Roles
  • Assume Roles Using the AWS Command-Line Interface (CLI)
  • Switching Roles Using AWS Management Console
  • Service-Linked Role
  • Authentication and Identity Management
  • Basics of Authentication
  • Identity Federation on AWS
  • Identity Federation Using SAML 2.0 and OpenID Connect
  • RBAC and Microservices
  • Execution Roles
  • RBAC with AWS Lambda
  • RBAC with EC2 and the Instance Metadata Service
  • RBAC with Amazon EKS Using IAM Roles for Service Accounts
  • Summary

3. Foundations of Encryption
  • Brief Overview of Encryption
  • Why Is Encryption Important on AWS?
  • Why Is Encryption Important for Microservice Architectures?
  • Encryption on AWS
  • Security Challenges with Key-Based Encryption
  • Business Problem
  • AWS Key Management Service
  • Basic Encryption Using CMK
  • Envelope Encryption
  • Envelope Encryption in Action
  • Security and AWS KMS
  • KMS Contexts and Additional Authenticated Data
  • Key Policies
  • Grants and ViaService
  • CMK and Its Components and Supported Actions
  • Regions and KMS
  • Cost, Complexity, and Regulatory Considerations
  • Asymmetric Encryption and KMS
  • Encryption and Decryption
  • Digital Signing (Sign and Verify)
  • Domain-Driven Design and AWS KMS
  • Contextual Boundaries and Encryption
  • Accounts and Sharing CMK
  • KMS and Network Considerations
  • KMS Grants Revisited
  • KMS Accounts and Topologies: Tying It All Together
  • Option 1: Including the CMK Within Bounded Contexts
  • Option 2: Using a Purpose-Built Account to Hold the CMK
  • AWS Secrets Manager
  • How Secrets Manager Works
  • Secret Protection in AWS Secrets Manager
  • Summary

4. Security at Rest
  • Data Classification Basics
  • Recap of Envelope Encryption Using KMS
  • AWS Simple Storage Service
  • Encryption on AWS S3
  • Access Control on Amazon S3 Through S3 Bucket Policies
  • Amazon GuardDuty
  • Nonrepudiation Using Glacier Vault Lock
  • Security at Rest for Compute Services
  • Static Code Analysis Using AWS CodeGuru
  • AWS Elastic Container Registry
  • AWS Lambda
  • AWS Elastic Block Store
  • Tying It All Together
  • Microservice Database Systems
  • AWS DynamoDB
  • Amazon Aurora Relational Data Service
  • Media Sanitization and Data Deletion
  • Summary

5. Networking Security
  • Networking on AWS
  • Controls
  • Understanding the Monolith and Microservice Models
  • Segmentation and Microservices
  • Software-Defined Network Partitions
  • Subnetting
  • Routing in a Subnet
  • Gateways and Subnets
  • Public Subnet
  • Private Subnet
  • Subnets and Availability Zones
  • Internet Access for Subnets
  • Virtual Private Cloud
  • Routing in a VPC
  • Microsegmentation at the Network Layer
  • Cross-VPC Communication
  • VPC Peering
  • AWS Transit Gateway
  • VPC Endpoints
  • Wrap-Up of Cross-VPC Communication
  • Firewall Equivalents on the Cloud
  • Security Groups
  • Security Group Referencing (Chaining) and Designs
  • Properties of Security Groups
  • Network Access Control Lists
  • Security Groups Versus NACLs
  • Containers and Network Security
  • Block Instance Metadata Service
  • Try to Run Pods in a Private Subnet
  • Block Internet Access for Pods Unless Necessary
  • Use Encrypted Networking Between Pods
  • Lambdas and Network Security
  • Summary

6. Public-Facing Services
  • API-First Design and API Gateway
  • AWS API Gateway
  • Types of AWS API Gateway Endpoints
  • Securing the API Gateway
  • API Gateway Integration
  • Access Control on API Gateway
  • Infrastructure Security on API Gateway
  • Cost Considerations While Using AWS API Gateway
  • Bastion Host
  • Solution
  • Static Asset Distribution (Content Distribution Network)
  • AWS CloudFront
  • Signed URLs or Cookies
  • AWS Lambda@Edge
  • Protecting Against Common Attacks on Edge Networks
  • AWS Web Application Firewall
  • AWS Shield and AWS Shield Advanced
  • Microservices and AWS Shield Advanced
  • Cost Considerations for Edge Protection
  • Summary

7. Security in Transit
  • Basics of Transport Layer Security
  • Digital Signing
  • Certificates, Certificate Authority, and Identity Verification
  • Encryption Using TLS
  • TLS Termination and Trade-offs with Microservices
  • TLS Offloading and Termination
  • Cost and Complexity Considerations with Encryption in Transit
  • Application of TLS in Microservices
  • Security in Transit While Using Message Queues (AWS SQS)
  • gRPC and Application Load Balancer
  • Mutual TLS
  • A (Very Brief) Introduction to Service Meshes: A Security Perspective
  • Proxies and Sidecars
  • App Mesh Components and Terminology
  • TLS and App Mesh
  • mTLS Revisited
  • AWS App Mesh: Wrap-Up
  • Serverless Microservices and Encryption in Transit
  • AWS API Gateway and AWS Lambda
  • Caching, API Gateway, and Encryption in Transit
  • Field-Level Encryption
  • Summary

8. Security Design for Organizational Complexity
  • Organizational Structure and Microservices
  • Conway’s Law
  • Single Team Oriented Service Architecture
  • Role-Based Access Control
  • Privilege Elevation
  • Permission Boundaries
  • Permission Boundaries to Delegate Responsibilities
  • AWS Accounts Structure for Large Organizations
  • AWS Accounts and Teams
  • AWS Organizations
  • Organizational Units and Service Control Policies
  • Purpose-Built Accounts
  • AWS Tools for Organizations
  • AWS Organizations Best Practices
  • AWS Resource Access Manager
  • Shared Services Using AWS RAM
  • AWS Single Sign-On
  • Enforcing Multifactor Authentication in Accounts
  • Simplifying a Complex Domain-Driven Organization Using RBAC, SSO, and AWS Organizations
  • Summary

9. Monitoring and Incident Response
  • NIST Incident Response Framework
  • Step 1: Design and Preparation
  • Step 2: Detection and Analysis
  • Step 3: Containment and Isolation
  • Step 4: Forensic Analysis
  • Step 5: Eradication
  • Step 6: Postincident Activities
  • Securing the Security Infrastructure
  • Securing a CloudTrail
  • Purpose-Built Accounts
  • Summary

A. Terraform Cloud in Five Minutes
  • Setup
  • Creating Your Workspace
  • Adding AWS Access and Secret Key
  • Terraform Process
  • Providers
  • State
  • Plans
  • Apply
  • Writing Your Terraform Infrastructure as Code
  • Root Module and Folder Structure
  • Input Variables
  • Resources
  • Running and Applying Your Plan

B. Example of a SAML Identity Provider for AWS
  • A Hands-On Example of a Federated Identity Setup
  • Step 1: Configure Your IdP
  • Step 2: Export Metadata to Be Imported into AWS Account
  • Step 3: Add Your SAML IdP as a Trusted IdP
  • Step 4: Create a Role That Your Federated Users Can Assume to Interact with Your AWS Account
  • Step 5: Control Access to Multiple Roles Using Custom Attributes Within the IdP
  • Summary

C. Hands-On Encryption with AWS KMS
  • Basic Encryption Using the CMK
  • Basic Decryption Using the CMK
  • Envelope Encryption Using the CMK
  • Decrypting an Envelope Encrypted Message

D. A Hands-On Example of Applying the Principle of Least Privilege
  • Step 1: Create an AWS IAM Policy for Your Task
  • Step 2: Define the Service, Actions, and Effect Parameters of an IAM Policy
  • Step 3: Define the Resource
  • Step 4: Request Conditions
  • Step 5: Confirm the Resulting Policy
  • Step 6: Save the Policy
  • Step 7: Attach the Policy to a Principal
  • Summary

Index

Gaurav Raje has worked as a software architect for over 10 years. He has extensive experience in building and scaling applications that host sensitive data and have high availability requirements. Gaurav has paid special attention to safeguarding every user’s information with security best practices. He has also worked on the AWS Certified Database Specialty Exam as a subject matter expert by writing and moderating various questions that ended up in the official test. He is author of the official SHA-224 package within the Jython programming language. Gaurav holds an MBA in finance from NYU Stern School of Business and a master’s in computer science from Rochester Institute of Technology.
