
Download the book Security and Microservice Architecture on AWS: Architecting and Implementing a Secured, Scalable Solution


Book details


Edition: [1 ed.]
Authors:
Series:
ISBN: 1098101464, 9781098101466
Publisher: O'Reilly Media
Year of publication: 2021
Number of pages: 388
Language: English
File format: EPUB (converted to PDF, EPUB, or AZW3 on user request)
File size: 16 Mb

Book price (Toman): 89,000





Description of the book Security and Microservice Architecture on AWS: Architecting and Implementing a Secured, Scalable Solution




Security is usually an afterthought when organizations design microservices for cloud systems. Most companies today are exposed to potential security threats, but their responses are often more reactive than proactive. This leads to unnecessarily complicated systems that are hard to implement and even harder to manage and scale. Author Gaurav Raje shows you how to build highly secure systems on AWS without increasing overhead.

Ideal for cloud solution architects and software developers with AWS experience, this practical book starts with a high-level architecture and design discussion, then explains how to implement your solution in the cloud while ensuring that the development and operational experience isn't compromised. By leveraging the AWS Shared Responsibility Model, you'll be able to:

  • Develop a modular architecture using microservices that aims to simplify compliance with various regulations in finance, medicine, and legal services
  • Introduce various AWS-based security controls to help protect your microservices from malicious actors
  • Leverage the modularity of the architecture to independently scale security mechanisms on individual microservices
  • Improve the security posture without compromising the autonomy or efficiency of software development teams


Table of contents

Copyright
Table of Contents
Preface
	Goals of This Book
	Who Should Use This Book
	Conventions Used in This Book
	Using Code Examples
	O’Reilly Online Learning
	How to Contact Us
	Acknowledgments
Chapter 1. Introduction to Cloud Microservices
	Basics of Cloud Information Security
		Risk and Security Controls
		Organizational Security Policy
		Security Incidents and the CIA Triad
		AWS Shared Responsibility Model
	Cloud Architecture and Security
		Security Through Modularity
		Security Through Simplicity
		Security Through Fully Managed AWS Services
		Blast Radius, Isolation, and the Locked Rooms Analogy
		Defense-in-Depth and Security
		Security Through Perimeter Protection
		Security Through Zero Trust Architecture
	A Brief Introduction to Software Architecture
		Tier-Based Architecture
		Domain-Driven Design
	Microservices
	Implementation of Microservices on AWS
		Container-Based Microservice Architecture
		A Very Brief Introduction to Kubernetes
		Function as a Service: FaaS Using AWS Lambda
	Overview of Cloud Microservice Implementation
		Amazon EKS
		Amazon EKS Fargate Mode
		Function as a Service Using AWS Lambda
		Microservice Implementation Summary
	Examples of Microservice Communication Patterns
		Example 1: Simple Message Passing Between Contexts
		Example 2: Message Queues
		Example 3: Event-Based Microservices
	Summary
Chapter 2. Authorization and Authentication Basics
	Basics of AWS Identity and Access Management
		Principals on AWS
		IAM Policies
		Principle of Least Privilege
		PoLP and Blast Radius
		Structure of AWS IAM Policies
		Principal-Based Policies
		Resource-Based Policies
		The Zone of Trust
		Evaluation of Policies
	Advanced Concepts in AWS IAM Policies
		IAM Policy Conditions
		AWS Tags and Attribute-Based Access Control
		“Not” Policy Elements: NotPrincipal and NotResource
		Wrapping Up IAM Policies
	Role-Based Access Control
		RBAC Modeling
		Securing Roles
		Assuming Roles
		Assume Roles Using the AWS Command-Line Interface (CLI)
		Switching Roles Using AWS Management Console
		Service-Linked Role
	Authentication and Identity Management
		Basics of Authentication
		Identity Federation on AWS
		Identity Federation Using SAML 2.0 and OpenID Connect
	RBAC and Microservices
		Execution Roles
		RBAC with AWS Lambda
		RBAC with EC2 and the Instance Metadata Service
		RBAC with Amazon EKS Using IAM Roles for Service Accounts
	Summary
Chapter 3. Foundations of Encryption
	Brief Overview of Encryption
		Why Is Encryption Important on AWS?
		Why Is Encryption Important for Microservice Architectures?
		Encryption on AWS
		Security Challenges with Key-Based Encryption
		Business Problem
	AWS Key Management Service
		Basic Encryption Using CMK
		Envelope Encryption
		Envelope Encryption in Action
	Security and AWS KMS
		KMS Contexts and Additional Authenticated Data
		Key Policies
		Grants and ViaService
		CMK and Its Components and Supported Actions
		Regions and KMS
		Cost, Complexity, and Regulatory Considerations
	Asymmetric Encryption and KMS
		Encryption and Decryption
		Digital Signing (Sign and Verify)
	Domain-Driven Design and AWS KMS
		Contextual Boundaries and Encryption
		Accounts and Sharing CMK
		KMS and Network Considerations
		KMS Grants Revisited
	KMS Accounts and Topologies: Tying It All Together
		Option 1: Including the CMK Within Bounded Contexts
		Option 2: Using a Purpose-Built Account to Hold the CMK
	AWS Secrets Manager
		How Secrets Manager Works
		Secret Protection in AWS Secrets Manager
	Summary
Chapter 4. Security at Rest
	Data Classification Basics
	Recap of Envelope Encryption Using KMS
	AWS Simple Storage Service
		Encryption on AWS S3
		Access Control on Amazon S3 Through S3 Bucket Policies
		Amazon GuardDuty
		Nonrepudiation Using Glacier Vault Lock
	Security at Rest for Compute Services
		Static Code Analysis Using AWS CodeGuru
		AWS Elastic Container Registry
		AWS Lambda
		AWS Elastic Block Store
		Tying It All Together
	Microservice Database Systems
		AWS DynamoDB
		Amazon Aurora Relational Data Service
	Media Sanitization and Data Deletion
	Summary
Chapter 5. Networking Security
	Networking on AWS
		Controls
		Understanding the Monolith and Microservice Models
		Segmentation and Microservices
		Software-Defined Network Partitions
	Subnetting
		Routing in a Subnet
		Gateways and Subnets
		Public Subnet
		Private Subnet
		Subnets and Availability Zones
		Internet Access for Subnets
	Virtual Private Cloud
		Routing in a VPC
		Microsegmentation at the Network Layer
	Cross-VPC Communication
		VPC Peering
		AWS Transit Gateway
		VPC Endpoints
		Wrap-Up of Cross-VPC Communication
	Firewall Equivalents on the Cloud
		Security Groups
		Security Group Referencing (Chaining) and Designs
		Properties of Security Groups
		Network Access Control Lists
		Security Groups Versus NACLs
	Containers and Network Security
		Block Instance Metadata Service
		Try to Run Pods in a Private Subnet
		Block Internet Access for Pods Unless Necessary
		Use Encrypted Networking Between Pods
	Lambdas and Network Security
	Summary
Chapter 6. Public-Facing Services
	API-First Design and API Gateway
	AWS API Gateway
		Types of AWS API Gateway Endpoints
	Securing the API Gateway
		API Gateway Integration
		Access Control on API Gateway
		Infrastructure Security on API Gateway
	Cost Considerations While Using AWS API Gateway
	Bastion Host
		Solution
	Static Asset Distribution (Content Distribution Network)
		AWS CloudFront
		Signed URLs or Cookies
		AWS Lambda@Edge
	Protecting Against Common Attacks on Edge Networks
		AWS Web Application Firewall
		AWS Shield and AWS Shield Advanced
		Microservices and AWS Shield Advanced
		Cost Considerations for Edge Protection
	Summary
Chapter 7. Security in Transit
	Basics of Transport Layer Security
		Digital Signing
		Certificates, Certificate Authority, and Identity Verification
		Encryption Using TLS
	TLS Termination and Trade-offs with Microservices
		TLS Offloading and Termination
	Cost and Complexity Considerations with Encryption in Transit
	Application of TLS in Microservices
		Security in Transit While Using Message Queues (AWS SQS)
		gRPC and Application Load Balancer
		Mutual TLS
	A (Very Brief) Introduction to Service Meshes: A Security Perspective
		Proxies and Sidecars
		App Mesh Components and Terminology
		TLS and App Mesh
		mTLS Revisited
		AWS App Mesh: Wrap-Up
	Serverless Microservices and Encryption in Transit
		AWS API Gateway and AWS Lambda
		Caching, API Gateway, and Encryption in Transit
	Field-Level Encryption
	Summary
Chapter 8. Security Design for Organizational Complexity
	Organizational Structure and Microservices
		Conway’s Law
		Single Team Oriented Service Architecture
		Role-Based Access Control
		Privilege Elevation
		Permission Boundaries
		Permission Boundaries to Delegate Responsibilities
	AWS Accounts Structure for Large Organizations
		AWS Accounts and Teams
		AWS Organizations
		Organizational Units and Service Control Policies
		Purpose-Built Accounts
	AWS Tools for Organizations
		AWS Organizations Best Practices
		AWS Resource Access Manager
		Shared Services Using AWS RAM
		AWS Single Sign-On
		Enforcing Multifactor Authentication in Accounts
	Simplifying a Complex Domain-Driven Organization Using RBAC, SSO, and AWS Organizations
	Summary
Chapter 9. Monitoring and Incident Response
	NIST Incident Response Framework
		Step 1: Design and Preparation
		Step 2: Detection and Analysis
		Step 3: Containment and Isolation
		Step 4: Forensic Analysis
		Step 5: Eradication
		Step 6: Postincident Activities
	Securing the Security Infrastructure
		Securing a CloudTrail
		Purpose-Built Accounts
	Summary
Appendix A. Terraform Cloud in Five Minutes
	Setup
		Creating Your Workspace
		Adding AWS Access and Secret Key
	Terraform Process
		Providers
		State
		Plans
		Apply
	Writing Your Terraform Infrastructure as Code
		Root Module and Folder Structure
		Input Variables
		Resources
		Running and Applying Your Plan
Appendix B. Example of a SAML Identity Provider for AWS
	A Hands-On Example of a Federated Identity Setup
		Step 1: Configure Your IdP
		Step 2: Export Metadata to Be Imported into AWS Account
		Step 3: Add Your SAML IdP as a Trusted IdP
		Step 4: Create a Role That Your Federated Users Can Assume to Interact with Your AWS Account
		Step 5: Control Access to Multiple Roles Using Custom Attributes Within the IdP
	Summary
Appendix C. Hands-On Encryption with AWS KMS
	Basic Encryption Using the CMK
	Basic Decryption Using the CMK
	Envelope Encryption Using the CMK
	Decrypting an Envelope Encrypted Message
Appendix D. A Hands-On Example of Applying the Principle of Least Privilege
	Step 1: Create an AWS IAM Policy for Your Task
	Step 2: Define the Service, Actions, and Effect Parameters of an IAM Policy
	Step 3: Define the Resource
	Step 4: Request Conditions
	Step 5: Confirm the Resulting Policy
	Step 6: Save the Policy
	Step 7: Attach the Policy to a Principal
	Summary
Index
About the Author
Colophon



