Packt+ | Advance your knowledge in tech

You're reading from Cloud Security Automation Get to grips with automating your cloud security on AWS and OpenStack

Product type Paperback

Published in Mar 2018

Publisher Packt

ISBN-13 9781788627863

Length 334 pages

Edition 1st Edition

Tools

AWS

Concepts

Cloud Security

Author (1):

Prashant Priyam

View More author details

Table of Contents (15) Chapters

Title Page

Packt Upsell

Contributors

Preface

1. Introduction to Cloud Security FREE CHAPTER

2. Understanding the World of Cloud Automation

3. Identity and Access Management in the Cloud

4. Cloud Network Security

5. Cloud Storage and Data Security

6. Cloud Platform Security

7. Private Cloud Security

8. Automating Cloud Security

9. Cloud Compliance

1. Other Books You May Enjoy

Leave a review - let other readers know what you think

Index

A

access control, Amazon Redshift
- cluster management / Security in Redshift
- cluster connectivity / Security in Redshift
- database access / Security in Redshift
access control list (ACL) / Shared responsibility model, WAF and Shield
account-based ACL / Swift – OpenStack object storage
Active Directory (AD) / IAM users
Amazon Machine Image (AMI) / Encryption in EBS
Amazon Macie / Amazon Macie
Amazon Redshift
- about / AWS Redshift
- encryption, enabling / Security in Redshift
- access, controlling / Security in Redshift
Amazon Resource Name (ARN) / How does AWS work in IAM?, Using SSL to encrypt database connections
Ansible
- inventory / Configuration management
- playbook / Configuration management
- role / Configuration management
- group variables / Configuration management
- task / Configuration management
application level / Logging and monitoring level
Application Load Balancer (ALB) / WAF and Shield
application program interface (API) / Auditing
asynchronous message queue (AMQP) / Neutron – OpenStack network
Attestation of Compliance (AOC) / Security compliance – PCI DSS
authentication / Authentication
Authentication, Authorization, and Auditing (AAA)
- about / Availability
- authentication / Auditing
- authorization / Auditing
- auditing / Auditing
authentication token / Using IAM
Availability Zone (AZ) / RDS
AWS
- security options / Other security options in AWS
AWS Certificate Manager (ACM) / AWS Certificate Manager, CDN-level security
AWS Cognito / Cognito, Quick recap
AWS DynamoDB
- about / AWS DynamoDB
- security / Security in DynamoDB
AWS Elasticsearch / CloudWatch
AWS GuardDuty / AWS GuardDuty, Quick recap
AWS Inspector
- about / AWS Inspector, Quick recap
- assessment target / AWS Inspector
- assessment template / AWS Inspector
AWS Macie / Amazon Macie, Quick recap
AWS OpsWorks / Automate deployment – AWS OpsWorks
AWS PaaS services
- RDS / Let's have a recap
- Redshift / Let's have a recap
- DynamoDB / Let's have a recap
- ElastiCache / Let's have a recap
- ECS / Let's have a recap
- SQS / Let's have a recap
AWS Snowball
- about / AWS Snowball
- security / Security in Snowball

C

Ceilometer / Auditing
certificate authority (CA) / Using SSL to encrypt database connections
certificate signing request (CSR) / Cloud hardware security module
Cinder / Cinder – OpenStack block storage
cloud
- types / Types of cloud
- public cloud / Public cloud
- private cloud / Private cloud
- hybrid cloud / Hybrid cloud
- Software as a Service / Software as a Service
- Platform as a Service (PaaS) / Platform as a Service
- Infrastructure as a Service / Infrastructure as a Service
CloudFormation template
- description / Infrastructure as Code
- metadata / Infrastructure as Code
- parameters / Infrastructure as Code
- mapping / Infrastructure as Code
- conditions / Infrastructure as Code
- resources / Infrastructure as Code
- output / Infrastructure as Code
CloudFront
- securing / CDN-level security
CloudFront, vulnerabilities tackling
- cryptographic attacks / CDN-level security
- patching / CDN-level security
- DDoS attack / CDN-level security
cloud hardware security module (HSM) / Cloud hardware security module, Quick recap
cloud security
- about / Cloud security
- confidentiality / Confidentiality
- integrity / Integrity
- availability / Availability
- authentication / Authentication
- authorization / Authorization
- auditing / Auditing
- features / Key concern areas of cloud security
- infrastructure level / Infrastructure level
- user access level / User access level
- storage level / Storage and data level
- data level / Storage and data level
- application access level / Application access level
- network level / Network level
- logging level / Logging and monitoring level
- monitoring level / Logging and monitoring level
Cloud Security Alliance (CSA) / Key concern areas of cloud security, Cloud security compliance
cloud security compliance
- about / Cloud security compliance
- ISMS / Security compliance – ISMS
- PCI DSS / Security compliance – PCI DSS
cloud stakeholders
- cloud provider / Shared responsibility model
- cloud consumers / Shared responsibility model
CloudTrail
- logging / Logging and monitoring, CloudTrail
- about / CloudTrail
CloudWatch
- monitoring / CloudWatch
common name (CN) / Using SSL to encrypt database connections
compiler hardening / Securing KVM
compliance / Logging and monitoring level
components, PCI DSS
- VPC / Security compliance – PCI DSS
- AZs / Security compliance – PCI DSS
- subnets / Security compliance – PCI DSS
- NACL / Security compliance – PCI DSS
- security groups / Security compliance – PCI DSS
- internet gateway / Security compliance – PCI DSS
- NAT gateway / Security compliance – PCI DSS
- RDS / Security compliance – PCI DSS
- CloudFront / Security compliance – PCI DSS
- WAF / Security compliance – PCI DSS
- IAM / Security compliance – PCI DSS
- Certificate Manager / Security compliance – PCI DSS
- AWS KMS / Security compliance – PCI DSS
- AWS Inspector / Security compliance – PCI DSS
- CloudTrail / Security compliance – PCI DSS
- S3 / Security compliance – PCI DSS
- Glacier / Security compliance – PCI DSS
- CloudWatch / Security compliance – PCI DSS
compute
- securing / Securing compute
container-based ACL / Swift – OpenStack object storage
Content Delivery Network (CDN) / Application access level, CDN-level security
continuous data protection (CDP) / Logging and monitoring level
continuous integration (CI) / Why do we need automation?
continuous integration and continuous delivery (CI/CD) / CI/CD
control areas, IT
- information security policy / Security compliance – ISMS
- asset management / Security compliance – ISMS
- cryptography / Security compliance – ISMS
- physical and environmental security / Security compliance – ISMS
- operational security / Security compliance – ISMS
- communication security / Security compliance – ISMS
- system acquisition, development, and maintenance / Security compliance – ISMS
- information security incident management / Security compliance – ISMS
cross-origin resource sharing (CORS) / S3
customer master keys (CMKs) / Encryption in EBS

D

database (DB) / Using security groups
Database Migration Service (DMS) / IAM roles
database services / Database services
database storage / Storage and data level
Data Execution Prevention (DEP) / Securing KVM
data privacy and security
- for tenants / Data privacy and security for tenants
DDoS response team (DRT) / WAF and Shield
Denial Of Service (DoS) / Security for instances
DevOps
- about / What is DevOps?
- code / What is DevOps?
- build / What is DevOps?
- package / What is DevOps?
- release / What is DevOps?
- configure / What is DevOps?
- monitor / What is DevOps?
- automation, need for / Why do we need automation?
- requisites / Why do we need automation?
Direct Connect / Direct Connect, Quick recap
Direct Console User Interface (DCUI) / Securing ESXi
direct memory access (DMA) / Securing hypervisor
distributed denial of service (DDoS) attacks
- about / Availability
- UDP reflection attack / WAF and Shield
- SYN flood / WAF and Shield
- DNS query flood / WAF and Shield
- HTTP flood / WAF and Shield
DNS security
- about / DNS security
- CDN-level security / CDN-level security
DynamoDB Accelerator (DAX) / AWS DynamoDB

E

EFS
- about / EFS
- security / Security in EFS
ElastiCache
- about / ElastiCache
- securing / Securing ElastiCache
- VPC-level security / VPC-level security
- authentication / Authentication and access control
- access control / Authentication and access control
- Redis authentication, authenticating / Authenticating with Redis authentication
- data encryption / Data encryption
- data-in-transit encryption / Data-in-transit encryption
- data-at-rest encryption / Data-at-rest encryption
Elastic Block Store (EBS)
- about / Storage and data level , EBS
- fault tolerance / Fault tolerance at EBS
- encryption / Encryption in EBS
Elastic Container Service (ECS)
- about / AWS ECS
- securing / Securing ECS
Elastic Load Balancing (ELB) / Auditing
Elasticsearch, Logstash, and Kibana (ELK) stack / Application access level, Security for instances
elements, IAM
- principal / How does AWS work in IAM?
- request / How does AWS work in IAM?
- authentication / How does AWS work in IAM?
- authorization / How does AWS work in IAM?
- actions / How does AWS work in IAM?
- resources / How does AWS work in IAM?
explicit deny / How does AWS work in IAM?
external authentication
- MFA / Authentication methods – internal and external
- password policy enforcement / Authentication methods – internal and external

F

features, KVM
- relocation read-only (RELRO) / Securing KVM
- stack measurement / Securing KVM
- Never Execute (NX) / Securing KVM
- Position Independent Executable (PIE) / Securing KVM
- Address Space Layout Randomization (ASLR) / Securing KVM
Federal Risk and Authorization Management Program (FedRAMP) / Cloud security compliance
Federated identity / Federated identity
file integrity monitoring (FIM) / Securing compute
Flux Advanced Security Kernel (Flask) / Securing XenServer

G

Glacier
- about / CloudTrail, AWS Glacier
- security / Security in AWS Glacier
Glance / Cinder – OpenStack block storage, Glance – OpenStack image storage
group / User access level

H

hardware infection / Securing hypervisor
hash-based message authentication codes (HMACs) / Cloud hardware security module
Health Insurance Portability and Accountability Act (HIPAA) / Cloud security compliance
high availability (HA) / Auditing, Using SSL to encrypt database connections
Horizon
- about / Horizon – OpenStack dashboard service
- security / Horizon – OpenStack dashboard service
HTTP Strict Transport Security (HSTS) / Horizon – OpenStack dashboard service
hypervisor
- securing / Securing hypervisor
- requisites / Securing hypervisor
- KVM, securing / Securing KVM
- XenServer, securing / Securing XenServer
- ESXi, securing / Securing ESXi
- compute, securing / Securing compute
hypervisor level / Logging and monitoring level
hypervisor threat / Securing KVM

I

Identity and Access Management (IAM)
- about / Auditing, IAM, Security compliance – PCI DSS
- features / IAM features
- AWS, working / How does AWS work in IAM?
- elements / How does AWS work in IAM?
- users / Anatomy of IAM users, groups, roles, and policies
- groups / IAM groups
- roles / IAM roles
- policies / IAM policies
- used, for accessing delegation / Access right delegation using IAM
- temporary credentials / Temporary credentials
- cross-account access / Cross-account access
- identity federation / Identity federation
- best practices / IAM best practices
- authentication / Authentication
- authentication methods / Authentication methods – internal and external
- authorization / Authorization
- tokens / Policy, tokens, and domains
- policy / Policy, tokens, and domains
- domains / Policy, tokens, and domains
- Federated identity / Federated identity
image / AWS ECS
Information Security Management System (ISMS) / Security compliance – ISMS
Infrastructure as a Service (IaaS) / Infrastructure as a Service
Infrastructure as Code
- about / Infrastructure as Code, Infrastructure as Code
- configuration management / Configuration management
infrastructure level / Infrastructure level
Input Output Memory Management Unit (IOMMU) / Securing hypervisor
International Standard Organization (ISO) / Cloud security compliance
Internet of Things (IoT) / Auditing

J

JavaScript Object Notation (JSON) / Infrastructure as Code

K

Key Management Service (KMS) / Storage and data level , IAM roles, Encryption in EBS, Security in Redshift
Keystone / IAM
Keystone Service / Policy, tokens, and domains
Kinesis / CloudWatch
knowledge management portal (KM Portal) / Security compliance – ISMS
KVM
- securing / Securing KVM

M

mandatory access control (MAC) / Securing KVM
Manila / Manila – OpenStack shared file storage
measured launch environment (MLE) / Securing XenServer
message queue
- about / Message queue
monitoring / Monitoring
multi-factor authentication (MFA) / Auditing

N

NACL / NACL
National Institute of Standards and Technology (NIST) / Cloud security compliance
natural language processing (NLP) / Amazon Macie
networking
- best practices / Virtual private cloud
network level / Logging and monitoring level
Neutron / Neutron – OpenStack network
New Relic / Auditing
nova conductor / Database services

O

object storage / Storage and data level
Online Certificate Status Protocol (OCSP) / CDN-level security
OpenStack block storage
- Cinder / Cinder – OpenStack block storage
OpenStack dashboard service
- Horizon / Horizon – OpenStack dashboard service
OpenStack image storage
- Glance / Glance – OpenStack image storage
OpenStack network
- Neutron / Neutron – OpenStack network
- neutron server / Neutron – OpenStack network
- plugin agent / Neutron – OpenStack network
- DHCP agent / Neutron – OpenStack network
- neutron L3-agent / Neutron – OpenStack network
- SDN / Neutron – OpenStack network
- management / Neutron – OpenStack network
- guest / Neutron – OpenStack network
- external / Neutron – OpenStack network
- API / Neutron – OpenStack network
- operation-based policy / Neutron – OpenStack network
- resource-based policy / Neutron – OpenStack network
OpenStack object storage
- Swift / Swift – OpenStack object storage
OpenStack Security Portal
- URL / Securing compute
OpenStack shared file storage
- Manila / Manila – OpenStack shared file storage
OpenWeb Application Security Project (OWASP) / Database services
Orchestration Layer / Infrastructure as a Service
Origin Access Identity (OAI) / CDN-level security

P

Payment Application Data Security Standard (PA-DSS) / Security compliance – PCI DSS
Payment Card Industry (PCI) / Cloud security compliance
Payment Card Industry Data Security Standards (PCI DSS)
- about / IAM features, Security compliance – PCI DSS
- component / Security compliance – PCI DSS
Payment Card Industry Security Standards Council (PCI SSC) / Security compliance – PCI DSS
PCI PIN Transaction Security (PTS) / Security compliance – PCI DSS
personally identifiable information (PII) / Amazon Macie
policies / Policy, tokens, and domains
protected health information (PHI) / Amazon Macie

R

read replica / RDS
redundant array of independent disk (RAID)
- about / Fault tolerance at EBS
- RAID 0 / RAID 0
- RAID 1 / RAID 1
Relational Database Service (RDS)
- about / Platform as a Service, RDS, Security compliance – PCI DSS
- Single Availability Zone / RDS
- multi AZ / RDS
- security / Security in RDS
- security groups, using / Using security groups
- IAM, using / Using IAM
- database connections, encrypting with SSL / Using SSL to encrypt database connections
- security best practices / Security best practices for AWS RDS
- database, backing up / Back up and restore database
- database, restoring / Back up and restore database
- monitoring / Monitoring of RDS
replication process / Swift – OpenStack object storage
requisites, DevOps
- CI / Why do we need automation?
- Continuous delivery (CD) / Why do we need automation?
- microservices / Why do we need automation?
- Infrastructure as Code / Why do we need automation?
- monitoring / Why do we need automation?
- logging / Why do we need automation?
- collaboration / Why do we need automation?
- communication / Why do we need automation?
Role-Based Access Control (RBAC) / User access level
roles / User access level
Route 53
- DNS management / DNS security
- traffic management / DNS security
- availability monitoring / DNS security
- domain registration / DNS security
rules, OpenStack network access
- rule based on roles / Neutron – OpenStack network
- rule based on field / Neutron – OpenStack network
- generic rules / Neutron – OpenStack network

S

S3, storage
- S3 Standard / S3
- Reduced Redundancy Storage / S3
- Infrequent Access (IA) / S3
Secure Socket Layer (SSL) / Security in RDS
secure virtualization (sVirt) / Securing KVM
security, Amazon Redshift
- sign in credential / Security in Redshift
- IAM roles and policies / Security in Redshift
- security groups / Security in Redshift
- VPC / Security in Redshift
- encryption / Security in Redshift
- SSL-based encryption / Security in Redshift
- data encryption, loading / Security in Redshift
- data-in-transit / Security in Redshift
security, for instances / Security for instances
security, Horizon
- Cross Site Scripting (XSS) / Horizon – OpenStack dashboard service
- Cross Site Request Forgery (CSRF) / Horizon – OpenStack dashboard service
- Cross-Frame Scripting (XFS) / Horizon – OpenStack dashboard service
- access over SSL / Horizon – OpenStack dashboard service
- cookie / Horizon – OpenStack dashboard service
- Cross Origin Resource Sharing (CORS) / Horizon – OpenStack dashboard service
- frontend caching / Horizon – OpenStack dashboard service
- session backend / Horizon – OpenStack dashboard service
security options, AWS
- AWS Certificate Manager / AWS Certificate Manager
- WAF / WAF and Shield
- Shield / WAF and Shield
- cloud hardware security module / Cloud hardware security module
- AWS Cognito / Cognito
- Amazon Macie / Amazon Macie
- AWS Inspector / AWS Inspector
- AWS GuardDuty / AWS GuardDuty
Security Token Service (STS) / Identity federation, Security in DynamoDB
server-side encryption (SSE) / CloudTrail, Security in Redshift
Server Name Indicator (SNI) / CDN-level security
shared responsibility model
- about / Shared responsibility model
- using, for infrastructure / Shared responsibility model for infrastructure
- using, for container service / Shared responsibility model for container service
- using, for abstract services / Shared responsibility model for abstract services
Shield / Quick recap
Simple Authentication and Secure Layer (SASL) / Message queue
Simple Email Service (SES) / Shared responsibility model
Simple Notification Service (SNS) / Shared responsibility model for abstract services, AWS Inspector
Simple Queue Service (SQS)
- about / Shared responsibility model, SQS
- securing / Securing SQS
Simple Storage Service (S3)
- about / Auditing, S3
- security / Security in S3
Software as a Service (SaaS) / Software as a Service
Software Development Kits (SDKs) / CloudTrail
storage gateway
- about / Storage gateway
- file gateway / Storage gateway
- volume gateway / Storage gateway
- tape gateway / Storage gateway
- security / Security in the storage gateway
storage level / Logging and monitoring level
Swift / Swift – OpenStack object storage

T

token
- about / Policy, tokens, and domains
- UUID / Policy, tokens, and domains
- PKI / Policy, tokens, and domains
- PKIZ / Policy, tokens, and domains
- fernet / Policy, tokens, and domains
Transparent Data Encryption (TDE) / Using SSL to encrypt database connections
Transport Layer Security (TLS) / Authentication
Trusted Execution Technology (TXT) / Securing XenServer
Trusted Platform Module (TPM) / Securing hypervisor

U

User Datagram Protocol (UDP) / WAF and Shield
user level / Logging and monitoring level
users / User access level

V

virtual interfaces (VIFs) / Direct Connect
Virtualization Layer / Infrastructure as a Service
virtual machine threat / Securing KVM
virtual private cloud (VPC)
- about / Auditing, Virtual private cloud
- NACL / NACL
- security group / Security group
virtual private gateway (VGW) / Virtual private cloud
VM level / Logging and monitoring level
VMware ESXi
- securing / Securing ESXi
- options / Securing ESXi
volume storage / Storage and data level
VPN connection
- about / VPN connection, Quick recap
- AWS-managed VPN connection / VPN connection
- hub / VPN connection
- third-party VPN appliance / VPN connection
- transit VPC / VPN connection
Vulnerability Assessment and Penetration Testing (VAPT) / Security compliance – ISMS

W

web application firewall (WAF)
- about / Application access level, WAF and Shield, Quick recap, Security compliance – PCI DSS
- conditions / WAF and Shield
- rules / WAF and Shield
WordPress application infrastructure
- high-level severity / Cloud security compliance
- medium-level severity / Cloud security compliance
- informational-level severity / Cloud security compliance