Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
AWS: Security Best Practices on AWS
AWS: Security Best Practices on AWS

AWS: Security Best Practices on AWS: Learn to secure your data, servers, and applications with AWS

eBook
₹799 ₹2621.99
Paperback
₹3276.99
Subscription
Free Trial
Renews at ₹800p/m

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Table of content icon View table of contents Preview book icon Preview Book

AWS: Security Best Practices on AWS

Chapter 2. Data Security in AWS

Data security in the AWS platform can be classified into two broad categories:

  • Protecting data at rest

  • Protecting data in transit

Furthermore, data security has the following components that help in securing data in multiple ways:

  • Data encryption

  • Key Management Services (KMS)

  • Access control

  • AWS service security features

AWS provides you with various tools and services to secure your data in AWS when your data is in transit or when your data is at rest. These tools and services include resource access control using AWS Identity and Access Management (IAM), data encryption, and managed KMS, such as AWS KMS for creating and controlling keys used for data encryption. The AWS KMS provides multiple options for managing your entire Key Management Infrastructure (KMI). Alternatively, you also have the option to go with the fully managed AWS CloudHSM service, a cloud-based hardware security module (HSM) that helps you generate and use your own keys for encryption purpose...

Introduction


In this lesson, we will learn about protecting data in the AWS platform for various AWS services. To begin with, we will go over the fundamentals of encryption and decryption and how encryption and decryption of data work in AWS. Post that, we will start with security features for securing data in transit and at rest for each of the following AWS services:

  • Amazon Simple Storage Service (S3)

  • Amazon Elastic Block Storage (EBS)

  • Amazon Relational Database Service (RDS)

  • Amazon Glacier

  • Amazon DynamoDB

  • Amazon Elastic Map Reduce (EMR)

We will look at data encryption in AWS and we will learn about three models that are available for managing keys for encryption and how we can use these models for encrypting data in various AWS services such as, AWS S3, Amazon EBS, AWS Storage Gateway, Amazon RDS, and so on.

Next, we will deep dive on AWS KMS and go through KMS features and major KMS components.

Furthermore, we will go through the AWS CloudHSM service with its benefits and popular use cases.

Lastly...

Encryption and Decryption Fundamentals


Encryption of data can be defined as converting data known as plaintext into code, often known as ciphertext that is unreadable by anyone except the intended audience. Data encryption is the most popular way of adding another layer of security for preventing unauthorized access and use of data. Encryption is a two-step process: in the first step, data is encrypted using a combination of an encryption key and an encryption algorithm, in the second step, data is decrypted using a combination of a decryption key and a decryption algorithm to view data in its original form.

The following three components are required for encryption. These three components work hand in hand for securing your data.

  • Data to be encrypted

  • Algorithm for encryption

  • Encryption keys to be used alongside the data and the algorithm

There are two types of encryption available, symmetric and asymmetric. Asymmetric encryption is also known as public key encryption. Symmetric encryption uses...

Securing Data at Rest


You might be required to encrypt your data at rest for all AWS services or for some of the AWS storage services depending on your organizational policies, industry or government regulations, compliance, or simply for adding another layer of security for your data. AWS provides several options for encrypting data at rest including fully automated and fully managed AWS encryption solutions, manual encryption solutions, client-side encryption, and so on. In this section, we are going to go over these options for each AWS storage service.

Amazon S3

The S3 is one of the major and most commonly used storage services in the AWS platform. It supports a wide range of use cases such as file storage, archival records, disaster recovery, website hosting, and so on. The S3 provides multiple features to protect your data such as encryption, MFA, versioning, access control policies, cross-region replication, and so on. Let us look at these features for protecting your data at rest in...

Securing Data in Transit


Most of the web applications that are hosted on AWS will be sending data over the internet and it is imperative to protect data in transit. This transit will involve network traffic between clients and servers, and network traffic between servers. So data in transit needs to be protected at the network layer and the session layer.

AWS services provide IPSec and SSL/TLS support for securing data in transit. An IPSec protocol extends the IP protocol stack primarily for the network layer and allows applications on the upper layers to communicate securely without modification. The SSL/TLS, however, operates at the session layer.

The Transport Layer Security (TLS) is a standard set of protocols for securing communications over a network. TLS has evolved from Secure Sockets Layer (SSL) and is considered to be a more refined system.

Let us look at options to secure network traffic in AWS for various AWS services.

Amazon S3

The AWS S3 supports the SSL/TLS protocol for encrypting...

AWS KMS


AWS KMS is a fully managed service that supports encryption for your data at rest and data in transit while working with AWS services. AWS KMS lets you create and manage keys that are used to encrypt your data. It provides a fully managed and highly available key storage, management and auditing solution that can be used to encrypt data across AWS services as well as to encrypt data within your applications. It is low cost as default keys are stored in your account at no charge – you pay for key usage and for creating any additional master keys.

KMS Benefits

AWS KMS has various benefits such as importing your own keys in KMS and creating keys with aliases and description. You can disable keys temporarily and re-enable them. You can also delete keys that are no longer required or used. You can rotate your keys periodically or let AWS rotate them annually. Let us look at some major benefits of KMS in detail:

Fully Managed

AWS KMS is a fully managed service, where AWS takes care of underlying...

AWS CloudHSM


AWS and AWS partners offer various options such as AWS KMS to protect your data in AWS. However, due to contractual, regulatory compliance, or corporate requirements for security of an application or sensitive data, you might need additional protection. AWS CloudHSM is a cloud-based dedicated, single-tenant HSM allowing you to include secure key storage and high-performance crypto operations to your applications on the AWS platform. It enables you to securely generate, store, manage, and protect encryption keys in a way that these keys are accessible only by you or authorized users that only you specify and no one else.

AWS CloudHSM is a fully managed service that takes care of administrative, time-consuming tasks such as backups, software updates, hardware provisioning, and high availability by automating these tasks. However, AWS does not have any access to configure, create, manage, or use your CloudHSM. You can quickly scale by adding or removing HSM capacity on-demand with...

CloudHSM Features


Let us look at some features of the AWS CloudHSM service.

Generate and Use Encryption Keys Using HSMs

AWS CloudHSM provides FIPS 140-2 level 3 compliant HSM for using and generating your encryption keys. It protects your encryption keys with a single tenant, exclusive access, and dedicated tamper-proof device in your own AWS VPC.

Pay as You Go Model

AWS CloudHSM offers a utility pricing model like many other AWS services. You pay only for what you use and there are no upfront costs whatsoever. You are billed for every running hour (or partial hour) for every HSM you provision within a CloudHSM cluster.

Easy to Manage

AWS CloudHSM is a fully managed service, so you need not worry about scalability, high availability, hardware provisioning, or software patching. These tasks are taken care by of AWS. The AWS also takes automated encrypted backups of your HSM on a daily basis.

AWS monitors health and network availability of HSMs. It does not have access to keys stored inside these...

AWS CloudHSM Use Cases


A CloudHSM cluster can store up to 3,500 keys of any type or size. It integrates with AWS CloudTrail so all activities related to CloudHSM are logged and you can get a history of all AWS API calls made to CloudHSM.

With so many features and benefits, AWS CloudHSM has many use cases when it comes to securing your data. Let us look at some of the most popular use cases for this service.

Offload SSL/TLS Processing for Web Servers

Web servers and web browsers often use SSL or TLS for a secure connection to transfer data over the internet. This connection requires the web server to use a public-private key pair along with a public key certificate in order to establish an HTTPS session with each client. This activity acts as an overhead for the web server in terms of additional computation. CloudHSM can help you offload this overhead by storing the web server's private key in HSM as it is designed for this purpose. This process is often known as SSL acceleration.

Protect Private...

Amazon Macie


Amazon Macie is the newest security service powered by Artificial Intelligence launched by AWS that uses machine learning to identify, categorize, and secure your sensitive data that is stored in S3 buckets. It continuously monitors your data and sends alerts when it detects an anomaly in the usage or access patterns. It uses templated Lambda functions for either sending alerts, revoking unauthorized access, or resetting password policies upon detecting suspicious behavior.

As of now, Amazon Macie supports S3 and CloudTrail with the support for more services such as EC2, DynamoDB, RDS, Glue is planned in the near future. Let us look at two important features of Amazon Macie.

Data Discovery and Classification

Amazon Macie allows you to discover and classify sensitive data along with analyzing usage patterns and user behavior. It continuously monitors newly added data to your existing data storage.

It uses artificial intelligence to understand and analyze usage patterns of existing...

Summary


Data security is one of the major requirements for most of the AWS users. The AWS platform provides multiple options to secure data in their data storage services for data at rest and data in transit. We learned about securing data for most popular storage services such as AWS S3, AWS RDS, and so on.

We learned the fundamentals of data encryption and how AWS KMS provides a fully managed solution for creating encryption keys, managing, controlling, and auditing usage of these encryption keys.

We also learned about AWS CloudHSM, a dedicated hardware appliance to store your encryption keys for corporate or regulatory compliance. We went through various features of CloudHSM and the most popular use cases for this service.

Lastly, we went through Amazon Macie, a newly launched data security service that uses machine learning for protecting your critical data by automatically detecting and classifying it.

The AWS EC2 service provides compute or servers in AWS for purposes such as web servers...

Assessments


  1. Which among the following is used for creating and controlling keys used for data encryption in AWS?

    1. IAM

    2. HSM

    3. KMS

    4. S3

  2. Asymmetric encryption is also known as _______.

    1. Private key encryption

    2. Public key encryption

    3. Secret key encryption

    4. Data key encryption

  3. For encrypting data in AWS, which among the following is used to convert plaintext data into cipher text using the encryption algorithm?

    1. Cipher text private key

    2. Cipher text public key

    3. Plaintext private key

    4. Plaintext data key

  4. For decrypting data in AWS, cipher text uses the _____ for converting cipher text into plaintext by applying the decryption algorithm.

    1. Plaintext public key

    2. Plaintext data key

    3. Plaintext private key

    4. Plaintext secret key

  5. State whether the following statement is True or False: AWS uses envelope encryption to encrypt data directly.

Left arrow icon Right arrow icon

Key benefits

  • ? Learn to secure your network, infrastructure, data, and applications in AWS cloud
  • ? Use AWS managed security services to automate security
  • ? Dive deep into various aspects such as the security model, compliance, access management and much more to build and maintain a secured environment
  • ? Explore Cloud Adoption Framework (CAF) and its components
  • ? Embedded with assessments that will help you revise the concepts you have learned in this book

Description

With organizations moving their workloads, applications, and infrastructure to the cloud at an unprecedented pace, security of all these resources has been a paradigm shift for all those who are responsible for security; experts, novices, and apprentices alike. This book focuses on using native AWS security features and managed AWS services to help you achieve continuous security. Starting with an introduction to Virtual Private Cloud (VPC) to secure your AWS VPC, you will quickly explore various components that make up VPC such as subnets, security groups, various gateways, and many more. You will also learn to protect data in the AWS platform for various AWS services by encrypting and decrypting data in AWS. You will also learn to secure web and mobile applications in AWS cloud. This book is ideal for all IT professionals, system administrators, security analysts, solution architects, and chief information security officers who are responsible for securing workloads in AWS for their organizations. This book is embedded with useful assessments that will help you revise the concepts you have learned in this book. This book is repurposed for this specific learning experience from material from Packt's Mastering AWS Security, written by Albert Anthony.

Who is this book for?

This book is for all IT professionals, system administrators, security analysts, solution architects, and chief information security officers who are responsible for securing workloads in AWS for their organizations.

What you will learn

  • ? Get familiar with VPC components, features, and benefits
  • ? Learn to create and secure your private network in AWS
  • ? Explore encryption and decryption fundamentals
  • ? Understand monitoring, logging, and auditing in AWS
  • ? Ensure data security in AWS
  • ? Secure your web and mobile applications in AWS
  • ? Learn security best practices for IAM, VPC, shared security responsibility model, and so on

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Mar 13, 2018
Length: 118 pages
Edition : 1st
Language : English
ISBN-13 : 9781789137637
Vendor :
Amazon
Category :
Concepts :
Tools :

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Product Details

Publication date : Mar 13, 2018
Length: 118 pages
Edition : 1st
Language : English
ISBN-13 : 9781789137637
Vendor :
Amazon
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
₹800 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
₹4500 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just ₹400 each
Feature tick icon Exclusive print discounts
₹5000 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just ₹400 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 10,203.97
AWS Administration - The Definitive Guide
₹3649.99
AWS: Security Best Practices on AWS
₹3276.99
Practical AWS Networking
₹3276.99
Total 10,203.97 Stars icon
Banner background image

Table of Contents

5 Chapters
AWS Virtual Private Cloud Chevron down icon Chevron up icon
Data Security in AWS Chevron down icon Chevron up icon
Securing Servers in AWS Chevron down icon Chevron up icon
Securing Applications in AWS Chevron down icon Chevron up icon
AWS Security Best Practices Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Half star icon Empty star icon Empty star icon 2.6
(5 Ratings)
5 star 0%
4 star 20%
3 star 40%
2 star 20%
1 star 20%
Amazon Customer Aug 12, 2018
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
Discription is clear and strait-forward. However, it only provides high-level concepts without deep diving into details. May need to refer to AWS white papers or technicsl guides for detail.
Amazon Verified review Amazon
Amazon Customer Oct 13, 2018
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
Basic high level view of Security in AWS great for non technical managers. And is a quick read . .
Amazon Verified review Amazon
Roscoe Nov 07, 2018
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
It's an okay book but I thought it would have a bit more details on the individual topics. I'm a newby in this area and will most likely need additional information for AWS.
Amazon Verified review Amazon
Agoa Apr 08, 2018
Full star icon Full star icon Empty star icon Empty star icon Empty star icon 2
This has not nothing more than what you will find in the aws whitepapers. I expected a lot more content and lessons learned.
Amazon Verified review Amazon
Amazon Customer Jan 16, 2019
Full star icon Empty star icon Empty star icon Empty star icon Empty star icon 1
In his book author says Security groups are stateless but they are statefull (FYI) I hope he will correct it ?
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.