Security and Microservice Architecture on AWS: Architecting and Implementing a Secured, Scalable Solution
Security is usually an afterthought when organizations design microservices for cloud systems. Most companies today are exposed to potential security threats, but their response is more reactive than proactive. That leads to unnecessarily complicated architecture that’s harder to implement and even harder to manage and scale. Author Gaurav Raje shows you how to build highly secure systems on AWS without increasing overhead.
Ideal for cloud solution architects and software developers with AWS experience, this practical book starts with a high-level architecture and design discussion, then explains how to implement your solution in the cloud in a secure but frictionless manner. By leveraging the AWS Shared Responsibility Model, you’ll be able to:
- Achieve complete mediation in microservices at the infrastructure level
- Implement a secure and reliable audit trail of all events within the system
- Develop architecture that aims to simplify compliance with various regulations in finance, medicine, and legal services
- Put systems in place that detect anomalous behavior and alert the proper administrators in case of a breach
- Scale security mechanisms on individual microservices independent of each other
Table of contents
1. Basics of Authorization and Authentication
2. Foundations of Encryption
3. Networking Security
4. Public Facing Applications
5. Security in Transit
6. Security Design for Organizational Complexity
7. Monitoring and Incident Response
Preface
  - Goals of This Book
  - Who Should Use This Book
  - Conventions Used in This Book
  - Using Code Examples
  - O’Reilly Online Learning
  - How to Contact Us
  - Acknowledgments
1. Introduction to Cloud Microservices
  - Basics of Cloud Information Security
  - Risk and Security Controls
  - Organizational Security Policy
  - Security Incidents and the CIA Triad
  - AWS Shared Responsibility Model
  - Cloud Architecture and Security
  - Security Through Modularity
  - Security Through Simplicity
  - Security Through Fully Managed AWS Services
  - Blast Radius, Isolation, and the Locked Rooms Analogy
  - Defense-in-Depth and Security
  - Security Through Perimeter Protection
  - Security Through Zero Trust Architecture
  - A Brief Introduction to Software Architecture
  - Tier-Based Architecture
  - Domain-Driven Design
  - Microservices
  - Implementation of Microservices on AWS
  - Container-Based Microservice Architecture
  - A Very Brief Introduction to Kubernetes
  - Function as a Service: FaaS Using AWS Lambda
  - Overview of Cloud Microservice Implementation
  - Amazon EKS
  - Amazon EKS Fargate Mode
  - Function as a Service Using AWS Lambda
  - Microservice Implementation Summary
  - Examples of Microservice Communication Patterns
  - Example 1: Simple Message Passing Between Contexts
  - Example 2: Message Queues
  - Example 3: Event-Based Microservices
  - Summary
2. Authorization and Authentication Basics
  - Basics of AWS Identity and Access Management
  - Principals on AWS
  - IAM Policies
  - Principle of Least Privilege
  - PoLP and Blast Radius
  - Structure of AWS IAM Policies
  - Principal-Based Policies
  - Resource-Based Policies
  - The Zone of Trust
  - Evaluation of Policies
  - Advanced Concepts in AWS IAM Policies
  - IAM Policy Conditions
  - AWS Tags and Attribute-Based Access Control
  - “Not” Policy Elements: NotPrincipal and NotResource
  - Wrapping Up IAM Policies
  - Role-Based Access Control
  - RBAC Modeling
  - Securing Roles
  - Assuming Roles
  - Assume Roles Using the AWS Command-Line Interface (CLI)
  - Switching Roles Using AWS Management Console
  - Service-Linked Role
  - Authentication and Identity Management
  - Basics of Authentication
  - Identity Federation on AWS
  - Identity Federation Using SAML 2.0 and OpenID Connect
  - RBAC and Microservices
  - Execution Roles
  - RBAC with AWS Lambda
  - RBAC with EC2 and the Instance Metadata Service
  - RBAC with Amazon EKS Using IAM Roles for Service Accounts
  - Summary
3. Foundations of Encryption
  - Brief Overview of Encryption
  - Why Is Encryption Important on AWS?
  - Why Is Encryption Important for Microservice Architectures?
  - Encryption on AWS
  - Security Challenges with Key-Based Encryption
  - Business Problem
  - AWS Key Management Service
  - Basic Encryption Using CMK
  - Envelope Encryption
  - Envelope Encryption in Action
  - Security and AWS KMS
  - KMS Contexts and Additional Authenticated Data
  - Key Policies
  - Grants and ViaService
  - CMK and Its Components and Supported Actions
  - Regions and KMS
  - Cost, Complexity, and Regulatory Considerations
  - Asymmetric Encryption and KMS
  - Encryption and Decryption
  - Digital Signing (Sign and Verify)
  - Domain-Driven Design and AWS KMS
  - Contextual Boundaries and Encryption
  - Accounts and Sharing CMK
  - KMS and Network Considerations
  - KMS Grants Revisited
  - KMS Accounts and Topologies: Tying It All Together
  - Option 1: Including the CMK Within Bounded Contexts
  - Option 2: Using a Purpose-Built Account to Hold the CMK
  - AWS Secrets Manager
  - How Secrets Manager Works
  - Secret Protection in AWS Secrets Manager
  - Summary
4. Security at Rest
  - Data Classification Basics
  - Recap of Envelope Encryption Using KMS
  - AWS Simple Storage Service
  - Encryption on AWS S3
  - Access Control on Amazon S3 Through S3 Bucket Policies
  - Amazon GuardDuty
  - Nonrepudiation Using Glacier Vault Lock
  - Security at Rest for Compute Services
  - Static Code Analysis Using AWS CodeGuru
  - AWS Elastic Container Registry
  - AWS Lambda
  - AWS Elastic Block Store
  - Tying It All Together
  - Microservice Database Systems
  - AWS DynamoDB
  - Amazon Aurora Relational Data Service
  - Media Sanitization and Data Deletion
  - Summary
5. Networking Security
  - Networking on AWS
  - Controls
  - Understanding the Monolith and Microservice Models
  - Segmentation and Microservices
  - Software-Defined Network Partitions
  - Subnetting
  - Routing in a Subnet
  - Gateways and Subnets
  - Public Subnet
  - Private Subnet
  - Subnets and Availability Zones
  - Internet Access for Subnets
  - Virtual Private Cloud
  - Routing in a VPC
  - Microsegmentation at the Network Layer
  - Cross-VPC Communication
  - VPC Peering
  - AWS Transit Gateway
  - VPC Endpoints
  - Wrap-Up of Cross-VPC Communication
  - Firewall Equivalents on the Cloud
  - Security Groups
  - Security Group Referencing (Chaining) and Designs
  - Properties of Security Groups
  - Network Access Control Lists
  - Security Groups Versus NACLs
  - Containers and Network Security
  - Block Instance Metadata Service
  - Try to Run Pods in a Private Subnet
  - Block Internet Access for Pods Unless Necessary
  - Use Encrypted Networking Between Pods
  - Lambdas and Network Security
  - Summary
6. Public-Facing Services
  - API-First Design and API Gateway
  - AWS API Gateway
  - Types of AWS API Gateway Endpoints
  - Securing the API Gateway
  - API Gateway Integration
  - Access Control on API Gateway
  - Infrastructure Security on API Gateway
  - Cost Considerations While Using AWS API Gateway
  - Bastion Host
  - Solution
  - Static Asset Distribution (Content Distribution Network)
  - AWS CloudFront
  - Signed URLs or Cookies
  - AWS Lambda@Edge
  - Protecting Against Common Attacks on Edge Networks
  - AWS Web Application Firewall
  - AWS Shield and AWS Shield Advanced
  - Microservices and AWS Shield Advanced
  - Cost Considerations for Edge Protection
  - Summary
7. Security in Transit
  - Basics of Transport Layer Security
  - Digital Signing
  - Certificates, Certificate Authority, and Identity Verification
  - Encryption Using TLS
  - TLS Termination and Trade-offs with Microservices
  - TLS Offloading and Termination
  - Cost and Complexity Considerations with Encryption in Transit
  - Application of TLS in Microservices
  - Security in Transit While Using Message Queues (AWS SQS)
  - gRPC and Application Load Balancer
  - Mutual TLS
  - A (Very Brief) Introduction to Service Meshes: A Security Perspective
  - Proxies and Sidecars
  - App Mesh Components and Terminology
  - TLS and App Mesh
  - mTLS Revisited
  - AWS App Mesh: Wrap-Up
  - Serverless Microservices and Encryption in Transit
  - AWS API Gateway and AWS Lambda
  - Caching, API Gateway, and Encryption in Transit
  - Field-Level Encryption
  - Summary
8. Security Design for Organizational Complexity
  - Organizational Structure and Microservices
  - Conway’s Law
  - Single Team Oriented Service Architecture
  - Role-Based Access Control
  - Privilege Elevation
  - Permission Boundaries
  - Permission Boundaries to Delegate Responsibilities
  - AWS Accounts Structure for Large Organizations
  - AWS Accounts and Teams
  - AWS Organizations
  - Organizational Units and Service Control Policies
  - Purpose-Built Accounts
  - AWS Tools for Organizations
  - AWS Organizations Best Practices
  - AWS Resource Access Manager
  - Shared Services Using AWS RAM
  - AWS Single Sign-On
  - Enforcing Multifactor Authentication in Accounts
  - Simplifying a Complex Domain-Driven Organization Using RBAC, SSO, and AWS Organizations
  - Summary
9. Monitoring and Incident Response
  - NIST Incident Response Framework
  - Step 1: Design and Preparation
  - Step 2: Detection and Analysis
  - Step 3: Containment and Isolation
  - Step 4: Forensic Analysis
  - Step 5: Eradication
  - Step 6: Postincident Activities
  - Securing the Security Infrastructure
  - Securing a CloudTrail
  - Purpose-Built Accounts
  - Summary
A. Terraform Cloud in Five Minutes
  - Setup
  - Creating Your Workspace
  - Adding AWS Access and Secret Key
  - Terraform Process
  - Providers
  - State
  - Plans
  - Apply
  - Writing Your Terraform Infrastructure as Code
  - Root Module and Folder Structure
  - Input Variables
  - Resources
  - Running and Applying Your Plan
B. Example of a SAML Identity Provider for AWS
  - A Hands-On Example of a Federated Identity Setup
  - Step 1: Configure Your IdP
  - Step 2: Export Metadata to Be Imported into AWS Account
  - Step 3: Add Your SAML IdP as a Trusted IdP
  - Step 4: Create a Role That Your Federated Users Can Assume to Interact with Your AWS Account
  - Step 5: Control Access to Multiple Roles Using Custom Attributes Within the IdP
  - Summary
C. Hands-On Encryption with AWS KMS
  - Basic Encryption Using the CMK
  - Basic Decryption Using the CMK
  - Envelope Encryption Using the CMK
  - Decrypting an Envelope Encrypted Message
D. A Hands-On Example of Applying the Principle of Least Privilege
  - Step 1: Create an AWS IAM Policy for Your Task
  - Step 2: Define the Service, Actions, and Effect Parameters of an IAM Policy
  - Step 3: Define the Resource
  - Step 4: Request Conditions
  - Step 5: Confirm the Resulting Policy
  - Step 6: Save the Policy
  - Step 7: Attach the Policy to a Principal
  - Summary
Index
How to download source code?
1. Go to:
2. Search for the book title:
Security and Microservice Architecture on AWS: Architecting and Implementing a Secured, Scalable Solution. Sometimes the full title returns no results; in that case, search for the main title only.
3. Click the book title in the search results.
4. In the Publisher resources section, click Download Example Code.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click the download link.
4. You will be taken to the download server to download the file.