Edition:
Authors: Estrin. Eyal,
Series:
Publisher: BPB Publications
Year of publication: 2024
Number of pages: 0
Language: English
File format: EPUB (converted to PDF, EPUB, or AZW3 on user request)
File size: 5 MB
If you need the file of the book Security for Cloud Native Applications : The practical guide for securing modern applications using AWS, Azure, and GCP converted to PDF, EPUB, AZW3, MOBI, or DJVU, you can notify support so that they convert the file for you.
Note that the book Security for Cloud Native Applications: The practical guide for securing modern applications using AWS, Azure, and GCP is the original-language edition and has not been translated into Persian. The International Library website offers original-language books and does not offer any books translated into or written in Persian.
Cover
Title Page
Copyright Page
Dedication Page
About the Author
About the Reviewer
Acknowledgement
Preface
Table of Contents
1. Introduction to Cloud Native Applications
Introduction
Structure
Objectives
Recap of cloud services
Cloud-native services
Cloud-native applications
Conclusion
References
2. Securing Modern Design Architectures
Introduction
Structure
Objectives
Application programmable interfaces
Understanding APIs
Benefits of using APIs
Common use cases for using APIs
Best practices for securing APIs
Transport layer
Authentication and authorization
HTTPS methods
Input validation
API Gateway
Network and application controls
Auditing
Information leakage
Event-driven architectures
Understanding Event-driven architecture
Pub/Sub model
Event streaming model
Benefits of using Event-driven architecture
Common use cases for using Event-driven architecture
External integration
Cross-account/Cross-region data replication
Business workflow
APIs versus Event-driven architecture
Communication method
Data transfer size
Development effort
Resiliency to load and failure
Best practices for securing Event-driven architecture
Network layer
Transport layer
Encryption at rest
Authentication and authorization
Auditing
Microservices architecture
Understanding microservice architecture
Benefits of using microservices architecture
Decoupled architecture
Scalability
Fault isolation and resiliency
Continuous Integration/Continuous Delivery
Language and technology agnostic
Common use cases for using microservices architecture
Modernizing legacy applications
Big data applications
Real-time data processing
Security in Microservices architecture
Conclusion
References
3. Containers and Kubernetes for Cloud Native Applications
Introduction
Structure
Objectives
Containers technology
Understanding Containers
Container components
Benefits of using containers
Excellent use of resources
Reduced overhead
Small footprint
Scalability
Portability
Speed
Developer experience
Best practices for securing containers
Container registry
Least privileged user
Read-only file system
Container image size
Container base image
Container image signing
Handling third-party vulnerabilities
Secrets management
Container host
Network Layer (Docker images)
Container operating systems
Understanding container operating systems
Benefits of container operating system
Small footprint
Improved security
Update mechanism
Immutable file system
Fast boot time
Examples of Container operating systems
AWS Bottlerocket
Google Container-optimized OS
Kubernetes as a Container orchestrator
Understanding Kubernetes
Kubernetes components
Control plane
Serverless control plane
Worker node
Benefits of using Kubernetes
Run anywhere
Automation
Community support
Cloud support
Self-healing capability
Horizontal scaling capability
Portability and vendor lock-in
Cost efficiency
Best practices for securing the Kubernetes platform
Managed Kubernetes
Container OS
Confidential computing
Pod Security
Network layer
Pod to Pod communication
Service mesh
Transport layer
Certificate management
Encryption at Rest
Secrets management
Authentication and authorization
Configuration standard
Security updates
Auditing
Conclusion
References
4. Serverless for Cloud Native Applications
Introduction
Structure
Objectives
Serverless fundamentals
Types of Serverless Services
Compute
Database
Storage
Application integration
Benefits of using Serverless
Time to market
Scalability
High availability
Security
Cost
Introducing Serverless/Function as a Service
Introducing AWS Lambda
Introducing Azure Functions
Introducing Google Cloud Functions
Best practices for securing Serverless/Function as a Service
Securing Containerized Functions
Function isolation
Network layer
Transport layer
Secrets management
Authentication and authorization
Code signing
Vulnerability management
Code repository
Configuration Management
Auditing
Conclusion
References
5. Building Secure CI/CD Pipelines
Introduction
Structure
Objectives
CI/CD pipeline fundamentals
Static Application Security Testing tools
Introducing Static Application Security Testing tools
Embedding SAST as part of the CI/CD pipeline
Examples of open-source SAST tools
Software Composition Analysis tools
Introducing SCA tools
Embedding SCA tools as part of the CI/CD pipeline
Examples of open-source SCA tools
Static code analyzers for Infrastructure as Code
Embedding IaC scanning tools as part of the CI/CD pipeline
Examples of open-source IaC scanning tools
Repositories and artifacts
Using repositories as part of the CI/CD process
Source code and library repositories
AWS CodeCommit
Azure Repos
Google Cloud Source Repositories
Artifact package repositories
AWS CodeArtifact
Azure Artifacts
Google Artifact Registry
Container image repositories
Amazon Elastic Container Registry
Azure Container Registry
Google Artifact Registry
Software supply chain
Definition of software supply chain
Common threats relating to the software supply chain
Introducing Software bill of materials
Amazon Inspector
Azure SBOM Tool
Google Artifact Analysis
Best practices for securing the CI/CD pipeline
Network layer
Transport layer
Authentication and authorization
Design/Plan phase
Code development phase
Build phase
Test phase
Delivery phase
Deployment phase
Operational/Maintenance phase
Auditing
Conclusion
References
6. The 12-Factor Application Methodology
Introduction
Structure
Objectives
The twelve-factor app methodology
Introduction to the 12-Factors application methodology
Codebase
Security best practices
Dependencies
Security best practices
Config
Security best practices
Backing services
Security best practices
Build, release, run
Security best practices
Processes
Security best practices
Port binding
Security best practices
Concurrency
Disposability
Security best practices
Dev/prod parity
Security best practices
Logs
Security best practices
Admin processes
Security best practices
Conclusion
References
7. Using Infrastructure as Code
Introduction
Structure
Objectives
Introduction to Infrastructure as Code
IaC: Declarative versus imperative
Imperative programming
Declarative programming
Benefits of using IaC
AWS CloudFormation
Introduction to AWS CloudFormation templates
Best practices for securing AWS CloudFormation
Identity management
Secrets management
Parameters management
Syntax validation
Policy as code
Network connectivity
Auditing
HashiCorp Terraform
Benefits of using Terraform
Multi-cloud provider support
Community support
State management
Authentication
Authorization
Best practices for securing Terraform
Authentication and authorization
Code repository
State management
Secrets management
Static code analysis
Policy as Code
Auditing
CI/CD pipeline
Configuration management
Using secure Terraform modules
Terraform code samples
Terraform modules on AWS
Terraform modules on Azure
Terraform modules on GCP
Conclusion
References
8. Authorization and Policy as Code
Introduction
Structure
Objectives
Introduction for Policy as Code
Benefits of using Policy as Code
Using AWS Service control policies
Using Azure Policy
Using Google Organization Policy service
Introduction to the HashiCorp Sentinel framework
Using Sentinel to complement Terraform modules
Code samples for Sentinel policies
Introduction to Open Policy Agent
Benefits of using OPA
Authorization process using OPA
Sample “Hello World” policy
Sample code for using OPA to secure Kubernetes
Introduction to Cedar policy language
Authorization process using Cedar
Sample Cedar code
Conclusion
References
9. Implementing Immutable Infrastructure
Introduction
Structure
Objectives
Introduction to immutable infrastructure
Differences between stateful and stateless applications
Introducing Immutable Infrastructure
Benefits of using immutable infrastructure
Building a golden image
Best practices for creating container golden image
Virtual machine image source
Virtual Machine Image update
Virtual Machine Image builder
Container Image source
Container Image Builder
Container registry
Managing persistent data
Managing environment variables
Secrets management
Creating deployment pipeline
Implementing Immutable Infrastructure as part of the CI/CD pipeline
CI/CD pipeline using AWS services
CI/CD pipeline using Azure services
CI/CD pipeline using GCP services
CI/CD pipeline using vendor-agnostic tools
Conclusion
References
10. Encryption and Secrets Management
Introduction
Structure
Objectives
Introducing encryption and key management services
Introducing key management services
Best practices for securing key management services
Introduction to AWS KMS
Best practices for securing AWS KMS
Introduction to Azure Key Vault
Best practices for securing Azure Key Vault
Introduction to Google Cloud KMS
Best practices for securing Google Cloud KMS
Introduction to secrets management in cloud-native applications
Secrets management risks
Best practices for securing secrets management services
Introduction to AWS Secrets Manager
Best practices for securing AWS Secrets Manager
Secrets Management in Azure
Best practices for securing secrets using Azure Key Vault
Introduction to Google Secret Manager
Best practices for securing secrets using Google Secret Manager
Introduction to HashiCorp Vault
Best practices for securing secrets using HashiCorp Vault
Secrets management in Git repositories
Secrets management in the CI/CD pipeline
AWS CodeBuild
Azure DevOps pipelines
Google Cloud Build
Secrets management in Containers
Scanning for secrets inside Container images
Securing access to secrets in Kubernetes
Secrets management in Function-as-a-Service
AWS Lambda
Azure Functions
Google Cloud Functions
Secrets management in Infrastructure-as-Code
Conclusion
References
11. Threat Management in Cloud Native Applications
Introduction
Structure
Objectives
Vulnerability versus threat versus risk
Introducing vulnerability management in Cloud-native applications
Introduction to Amazon Inspector
Amazon Inspector for Containers
Amazon Inspector for Lambda
Best practices for implementing Amazon Inspector
Introduction to Microsoft Defender for Cloud
Microsoft Defender for Containers
Microsoft Defender for Cloud DevOps Security
Best practices for implementing Microsoft Defender for Cloud
Introducing GitHub advanced security for Azure DevOps
Best practices for implementing GitHub Advanced Security for Azure DevOps
Introducing Google vulnerability management services
Best practices for implementing Google vulnerability management services
Implementing threat intelligence at scale
Introduction to Amazon GuardDuty
Best practices for implementing Amazon GuardDuty
Introducing Microsoft Sentinel
Best practices for implementing Microsoft Sentinel
Introducing Google Security Command Center
Best practices for implementing Google Security Command Center
Conclusion
References
12. Summary and Key Takeaways
Introduction
Structure
Objectives
Introducing Pet Store
Key takeaways from the book
Chapter 1, Introduction to Cloud Native Applications: Key takeaways
Chapter 2, Securing Modern Design Architectures: Key takeaways
Chapter 3, Containers and Kubernetes for Cloud Native Applications: Key takeaways
Chapter 4, Serverless for Cloud Native Applications: Key takeaways
Chapter 5, Building Secure CI/CD Pipelines: Key takeaways
Chapter 6, The 12-Factor Application Methodology: Key takeaways
Chapter 7, Using Infrastructure as Code: Key takeaways
Chapter 8, Authorization and Policy as Code: Key takeaways
Chapter 9, Implementing Immutable Infrastructure: Key takeaways
Chapter 10, Encryption and Secrets Management: Key takeaways
Chapter 11, Threat Management in Cloud Native Applications: Key takeaways
Recommendations for the readers of the book
Gain hands-on experience
Share knowledge with your peers
Learn from experts
Index