Centralizing and Analyzing Logs – Determining Security Requirements and Controls – SAP-C02 Study Guide

It is essential to consolidate logging from your solution in a central location for further analysis. In that central location, you want to make sure you collect all the logs, whether from AWS services, custom solution components, or third-party services. The objective of aggregating the logs is twofold: analysis and retention. […]

Detecting Incidents

Even after you have put all the necessary measures in place to protect your infrastructure and your data, you are only halfway through ensuring security. Despite all the protections implemented, some incidents can still occur. It can be any type of incident—a security breach, a data leak, a system misconfiguration, a configuration change, […]
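The two sections above argue for one central log store and for detection on top of it. As an added example that is not the study guide's own code, the Python below maps three different sources (a CloudTrail-style JSON document, application log lines in an assumed format, and reverse-proxy access lines) into one schema, merges them into a single time-ordered stream and runs a few illustrative detections over it: a root console login without MFA, a security group opened to 0.0.0.0/0, and repeated authentication failures from one address counted across the application and the proxy together. Every record, account ID, ARN and address is constructed for the example; the CloudTrail field names follow the record layout AWS documents, but the values are made up, and the rule names are assumptions.

```python
# Added example (not the study guide's code): normalize logs from several sources
# into one schema, then run detections. Every record below is constructed.
import json
import re
from collections import Counter, namedtuple
from datetime import datetime

# CloudTrail-style document: field names follow the CloudTrail record layout;
# the account ID, ARNs, addresses and times are made up.
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})
# Application log (assumed format) and reverse-proxy access log, also constructed.
APP_LOG_SAMPLE = """\
2024-05-01T10:01:00Z app WARN auth failure user=alice src=203.0.113.5
2024-05-01T10:01:02Z app WARN auth failure user=alice src=203.0.113.5
2024-05-01T10:01:04Z app WARN auth failure user=admin src=203.0.113.5
2024-05-01T10:02:00Z app INFO auth success user=carol src=192.0.2.10
"""
PROXY_LOG_SAMPLE = """\
203.0.113.5 - - [01/May/2024:10:01:06 +0000] "POST /login HTTP/1.1" 401 12
192.0.2.10 - - [01/May/2024:10:02:01 +0000] "GET /api/orders HTTP/1.1" 200 512
"""

# Common schema every source is mapped to; outcome is "success" or "failure".
Event = namedtuple("Event", "ts source actor action src_ip outcome detail")
APP_RE = re.compile(r"^(?P<ts>\S+) app \w+ auth (?P<outcome>success|failure) "
                    r"user=(?P<user>\S+) src=(?P<ip>\S+)$")
PROXY_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$')

def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_cloudtrail(text):
    events = []
    for r in json.loads(text)["Records"]:
        ident = r.get("userIdentity", {})
        events.append(Event(_iso(r["eventTime"]), "cloudtrail",
                            ident.get("arn", ident.get("type", "unknown")),
                            r["eventName"], r.get("sourceIPAddress", ""),
                            "failure" if "errorCode" in r else "success", r))
    return events

def parse_app(text):
    return [Event(_iso(m["ts"]), "app", m["user"], "auth", m["ip"], m["outcome"], {})
            for m in map(APP_RE.match, text.splitlines()) if m]

def parse_proxy(text):
    events = []
    for m in filter(None, map(PROXY_RE.match, text.splitlines())):
        status = int(m["status"])
        events.append(Event(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "proxy",
                            "anonymous", f'{m["method"]} {m["path"]}', m["ip"],
                            "failure" if status in (401, 403) else "success",
                            {"status": status}))
    return events

def collect_events():
    """The central store: every source merged into one time-ordered stream."""
    events = (parse_cloudtrail(CLOUDTRAIL_SAMPLE) + parse_app(APP_LOG_SAMPLE)
              + parse_proxy(PROXY_LOG_SAMPLE))
    return sorted(events, key=lambda e: e.ts)

def detect(events, fail_threshold=3):
    """Return (rule, subject, evidence) tuples; the rules are illustrative only."""
    findings = []
    for e in (e for e in events if e.source == "cloudtrail"):
        ident = e.detail.get("userIdentity", {})
        if (e.action == "ConsoleLogin" and ident.get("type") == "Root"
                and e.detail.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("root-console-login-without-mfa", e.actor, e.src_ip))
        if e.action == "AuthorizeSecurityGroupIngress":
            for p in e.detail["requestParameters"]["ipPermissions"]["items"]:
                if any(r.get("cidrIp") == "0.0.0.0/0"
                       for r in p.get("ipRanges", {}).get("items", [])):
                    findings.append(("security-group-open-to-world", e.actor,
                                     f'{p["ipProtocol"]}/{p["fromPort"]}'))
    # Cross-source correlation, only possible because all sources share one store.
    failures = Counter(e.src_ip for e in events if e.outcome == "failure")
    findings += [("repeated-auth-failures", ip, n)
                 for ip, n in failures.items() if n >= fail_threshold]
    return findings

if __name__ == "__main__":
    for f in detect(collect_events()):
        print(*f)
```

The point of the common schema is the last rule: the application alone sees three failures from 203.0.113.5 and the proxy sees one, and only the merged store counts four. In a real deployment the parsers would be fed from the central store (for example a CloudWatch Logs group or an S3 bucket of CloudTrail objects) rather than from inline strings, and the retention side of the objective is a property of that store, not of this code.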

Limiting Data Access and Visibility

First, keep people away from the data whenever it is feasible. End users should consume the data as much as possible through an interface of some sort, such as a custom user interface (UI), a custom API, or another AWS service's UI or API. Allowing access to the data directly where it is […]

When to Use AWS CloudHSM

You may now be thinking: CloudHSM sounds like the obvious choice for cryptography, so why would I want to use anything else? First, you need to consider whether you have an actual use case for AWS CloudHSM. For instance, does your corporate security policy require that you store your keys on HSMs […]

Protecting Data at Rest

The first task is to protect the data at rest, that is, where it is stored. AWS best practices recommend that you encrypt the data—no exception. Your data must be encrypted, whether you decide to use object storage, file storage, block storage, databases, or anything else. Many AWS services (storage, compute, […]

Automating the Protection

Finally, automate all security maintenance tasks as much as possible. Repetitive manual tasks are error-prone and should be avoided at all costs. It may take you a bit more time to put the automation in place at first, but it will pay off from the very beginning as your AWS footprint grows. […]

Protecting the Compute

What should you do to ensure the protection of your application's Amazon EC2 instances, containers, AWS Lambda functions, databases, and so on? Well, to start with, you want to design an AWS environment that has proper resource isolation. There are multiple means of achieving this isolation, as we have seen in Chapter […]

Protecting the Network

You may now be wondering why protecting the network is important when it was just mentioned that zero-trust concepts recommend not trusting systems based on their location. While zero trust advocates not relying solely on the location of a system to decide whether it can be trusted or not, […]
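The "Automating the Protection" and "Protecting the Network" sections above come together in a typical remediation job: an automated check that evaluates security-group ingress rules against a policy and revokes what violates it. As an added example that is not the study guide's own code, the Python below applies an assumed policy (sources inside RFC 1918 space are trusted; anything else may reach only TCP 80 or 443; rules that reference another security group are left alone) to a constructed response in the shape of an EC2 DescribeSecurityGroups result and produces, per group, the payload a remediation function would pass to RevokeSecurityGroupIngress. The group IDs, addresses and the policy itself are assumptions for the example.

```python
# Added example (not the study guide's code): evaluate security-group ingress rules
# against an assumed policy and build the revoke payload for each violation.
import ipaddress

# Assumed policy: RFC 1918 sources are trusted; anything else may only reach the
# listed TCP ports; SG-to-SG references (UserIdGroupPairs) are never touched.
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_ALLOWED_TCP_PORTS = {80, 443}

# Constructed sample in the shape of a DescribeSecurityGroups response; the group
# IDs and addresses are made up.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
    ]},
]}

def is_trusted_source(cidr):
    """True when the CIDR lies entirely inside one of the trusted ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)

def public_exposure_allowed(perm):
    """Only a single TCP port from the allow-list may be reachable from untrusted space."""
    if perm["IpProtocol"] != "tcp":          # "-1" (all traffic), udp, icmp: never
        return False
    return perm["FromPort"] == perm["ToPort"] and perm["FromPort"] in PUBLIC_ALLOWED_TCP_PORTS

def offending_ranges(perm):
    """Split a permission's CIDR entries into the IPv4 and IPv6 ones that violate policy."""
    if public_exposure_allowed(perm):
        return [], []
    bad_v4 = [r for r in perm.get("IpRanges", []) if not is_trusted_source(r["CidrIp"])]
    bad_v6 = [r for r in perm.get("Ipv6Ranges", []) if not is_trusted_source(r["CidrIpv6"])]
    return bad_v4, bad_v6

def plan_revocations(response):
    """One RevokeSecurityGroupIngress-shaped payload per group that has violations.

    Only the offending CIDR entries are included, so a rule that mixes trusted and
    untrusted sources keeps its trusted part, and SG-to-SG references are untouched.
    """
    plans = []
    for sg in response["SecurityGroups"]:
        to_revoke = []
        for perm in sg["IpPermissions"]:
            bad_v4, bad_v6 = offending_ranges(perm)
            if not bad_v4 and not bad_v6:
                continue
            entry = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":
                entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
            if bad_v4:
                entry["IpRanges"] = bad_v4
            if bad_v6:
                entry["Ipv6Ranges"] = bad_v6
            to_revoke.append(entry)
        if to_revoke:
            plans.append({"GroupId": sg["GroupId"], "IpPermissions": to_revoke})
    return plans

if __name__ == "__main__":
    import json
    print(json.dumps(plan_revocations(SAMPLE_RESPONSE), indent=2))
```

Run as a scheduled job or from a Lambda function triggered by the AuthorizeSecurityGroupIngress CloudTrail event, each plan can be handed straight to boto3 as `ec2.revoke_security_group_ingress(**plan)`, since the API accepts exactly the GroupId and IpPermissions shape built here. Two design points matter in practice: the check is deliberately narrow about what it removes (only the offending CIDR entries, never the SG references a database tier depends on), and the policy lives in two constants so the allow-list can be reviewed and changed without touching the logic.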

Protecting your Infrastructure

Before you dive into infrastructure protection, first recall a key principle of AWS—the shared responsibility model. Security, along with compliance, is considered a shared responsibility between AWS and the customer. Essentially, AWS is responsible for the security of the cloud and you, the customer, are responsible for the security in the cloud. […]

Using Federation for Access Control and Authentication

What we are going to look at more specifically now is how to manage end user access for a new solution that you design for AWS, whether it is for public access or internal use only. User federation was introduced in Chapter 1, Determining an Authentication and Access […]