Based on the topic of Compute in chapter 3 of the class text and chapter 2 of Cloud Security Handbook (P.15 and 345), write a research paper about Compute. Please be sure to make clear what Compute refers to. In your research, identify as many factors as you are able that facilitate compute. A detailed explanation of compute and cloud security is expected.
Your paper must conform to the APA style format and must be your own original work. A professional-looking, well-written paper with complete references is expected. 1500 words minimum.
Cloud Security Handbook
Find out how to effectively secure cloud environments using AWS, Azure, and GCP
Eyal Estrin
BIRMINGHAM—MUMBAI
Cloud Security Handbook Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Rahul Nair
Publishing Product Manager: Rahul Nair
Senior Editor: Arun Nadar
Content Development Editor: Sulagna Mohanty
Technical Editor: Arjun Varma
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Production Designer: Joshua Misquitta
Marketing Coordinator: Hemangi Lotlikar
First published: March 2022
Production reference: 1100322
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-80056-919-5 www.packt.com
I wish to dedicate this book to my loving wife for all the support she provided me with during the long hours spent writing this book.
– Eyal Estrin
Contributors
About the author
Eyal Estrin is a cloud security architect who has been working with cloud services since 2015. He has been involved in the design and implementation of cloud environments from both the IT and security aspects.
He has worked with AWS, Azure, and Google Cloud in a number of different organizations (in the banking, academia, and healthcare sectors).
He has attained several top cloud security certifications – CCSP, CCSK, and AWS.
He shares his knowledge through social media (LinkedIn, Twitter, Medium, and more) for the benefit of cloud experts around the world.
About the reviewers
Randy M. Black is a 25-year veteran in the IT industry and an early adopter of DevOps. Randy has spent the last decade working in some form or other of cloud technology and security. He abhors the silos that traditional IT creates and the detriment they pose to organizations. Randy is a strong advocate of transferring knowledge without fear of being transparent, misunderstood, or seemingly odd.
To Jesus, my rock and salvation, for His grace and peace in accompanying me through this crazy, upside-down world. And to my wife, Jill, who has supported and stood by me in everything that I do, and who is the cornerstone of my success. And finally, to my four children, who don't always understand what I do, but appreciate the fact that I am doing it.
Timothy Orr (@easttim0r on Twitter) designs, builds, and operates secure systems in complex cloud environments. He supports customers with cloud security automation, serverless architecture, threat detection and response, security analysis, and multi-tenant cloud brokering and governance. Tim holds a master's degree in InfoSec, CISSP, AWS Security Specialty, AWS Solutions Architect Professional, and AWS SysOps Administrator Associate certifications.
Table of Contents
Preface
Section 1: Securing Infrastructure Cloud Services
1 Introduction to Cloud Security
Technical requirements 4
What is a cloud service? 5
What are the cloud deployment models? 5
What are the cloud service models? 6
Why we need security 7
What is the shared responsibility model? 8
AWS and the shared responsibility model 10
Azure and the shared responsibility model 11
GCP and the shared responsibility model 12
Command-line tools 13
AWS CLI 13
Azure CLI 14
Google Cloud SDK 14
Summary 14
2 Securing Compute Services
Technical requirements 16
Securing VMs 16
Securing Amazon Elastic Compute Cloud (EC2) 16
Securing Azure Virtual Machines 22
Securing Google Compute Engine (GCE) and VM instances 29
Securing managed database services 33
Securing Amazon RDS for MySQL 35
Securing Azure Database for MySQL 39
Securing Google Cloud SQL for MySQL 43
Securing containers 46
Securing Amazon Elastic Container Service (ECS) 49
Securing Amazon Elastic Kubernetes Service (EKS) 52
Securing Azure Container Instances (ACI) 57
Securing Azure Kubernetes Service (AKS) 60
Securing Google Kubernetes Engine (GKE) 64
Securing serverless/function as a service 69
Securing AWS Lambda 70
Securing Azure Functions 74
Securing Google Cloud Functions 79
Summary 82
3 Securing Storage Services
Technical requirements 84
Securing object storage 84
Securing Amazon Simple Storage Service 85
Securing Azure Blob storage 90
Securing Google Cloud Storage 93
Securing block storage 96
Best practices for securing Amazon Elastic Block Store 97
Best practices for securing Azure managed disks 98
Best practices for securing Google Persistent Disk 99
Summary 100
Securing file storage 100
Securing Amazon Elastic File System 101
Securing Azure Files 104
Securing Google Filestore 108
Securing the CSI 109
Securing CSI on AWS 110
Securing CSI on Azure 111
Securing CSI on GCP 112
Summary 113
4 Securing Networking Services
Technical requirements 116
Securing virtual networking 116
Securing Amazon Virtual Private Cloud 117
Securing Azure VNet 121
Securing Google Cloud VPC 124
Securing DNS services 127
Securing Amazon Route 53 127
Securing Azure DNS 129
Securing Google Cloud DNS 130
Securing CDN services 131
Securing Amazon CloudFront 131
Securing Azure CDN 133
Securing Google Cloud CDN 134
Securing VPN services 135
Securing AWS Site-to-Site VPN 135
Securing AWS Client VPN 137
Securing Azure VPN Gateway (Site-to-Site) 138
Securing Azure VPN Gateway (Point-to-Site) 139
Securing Google Cloud VPN 141
Securing DDoS protection services 142
Securing AWS Shield 142
Securing Azure DDoS Protection 144
Securing Google Cloud Armor 146
Securing WAF services 148
Securing AWS WAF 148
Securing Azure WAF 149
Summary 151
Section 2: Deep Dive into IAM, Auditing, and Encryption
5 Effective Strategies to Implement IAM Solutions
Technical requirements 156
Introduction to IAM 157
Failing to manage identities 158
Securing cloud-based IAM services 159
Securing AWS IAM 160
Auditing AWS IAM 162
Securing Azure AD 164
Auditing Azure AD 166
Securing Google Cloud IAM 168
Auditing Google Cloud IAM 170
Securing directory services 171
Securing AWS Directory Service 172
Securing Azure Active Directory Domain Services (Azure AD DS) 174
Securing Google Managed Service for Microsoft AD 176
Configuring MFA 178
Summary 181
6 Monitoring and Auditing Your Cloud Environments
Technical requirements 184
Conducting security monitoring and audit trails 185
Security monitoring and audit trails using AWS CloudTrail 185
Security monitoring using AWS Security Hub 188
Best practices for using AWS Security Hub 188
Security monitoring and audit trails using Azure Monitor 190
Best practices for using Azure Monitor 190
Security monitoring and approval process using Customer Lockbox 192
Best practices for using Customer Lockbox 193
Security monitoring and audit trail using Google Cloud Logging 194
Security monitoring using Google Security Command Center 196
Security monitoring and approval process using Access Transparency and Access Approval 197
Conducting threat detection and response 199
Using Amazon Detective for threat detection 199
Using Amazon GuardDuty for threat detection 200
Security monitoring using Microsoft Defender for Cloud 202
Using Azure Sentinel for threat detection 204
Using Azure Defender for threat detection 206
Using Google Security Command Center for threat detection and prevention 207
Conducting incident response and digital forensics 209
Conducting incident response in AWS 210
Conducting incident response in Azure 212
Conducting incident response in Google Cloud Platform 213
Summary 214
7 Applying Encryption in Cloud Services
Technical requirements 216
Introduction to encryption 216
Symmetric encryption 218
Asymmetric encryption 219
Best practices for deploying KMSes 221
AWS Key Management Service (KMS) 222
AWS CloudHSM 226
Azure Key Vault 229
Azure Dedicated/Managed HSM 232
Google Cloud Key Management Service (KMS) 234
Best practices for deploying secrets management services 236
AWS Secrets Manager 237
Google Secret Manager 239
Best practices for using encryption in transit 241
IPSec 241
Transport Layer Security (TLS) 241
Best practices for using encryption at rest 244
Object storage encryption 244
Block storage encryption 247
Full database encryption 250
Row-level security 253
Encryption in use 254
AWS Nitro Enclaves 255
Azure Confidential Computing 255
Google Confidential Computing 255
Summary 256
Section 3: Threats and Compliance Management
8 Understanding Common Security Threats to Cloud Services
Technical requirements 260
The MITRE ATT&CK framework 260
Detecting and mitigating data breaches in cloud services 262
Common consequences of data breaches 263
Best practices for detecting and mitigating data breaches in cloud environments 263
Common AWS services to assist in the detection and mitigation of data breaches 265
Common Azure services to assist in the detection and mitigation of data breaches 265
Common GCP services to assist in the detection and mitigation of data breaches 266
Detecting and mitigating misconfigurations in cloud services 267
Common AWS services to assist in the detection and mitigation of misconfigurations 269
Common Azure services to assist in the detection and mitigation of misconfigurations 270
Common GCP services to assist in the detection and mitigation of misconfigurations 270
Detecting and mitigating insufficient IAM and key management in cloud services 271
Common AWS services to assist in the detection and mitigation of insufficient IAM and key management 273
Common Azure services to assist in the detection and mitigation of insufficient IAM and key management 274
Common GCP services to assist in the detection and mitigation of insufficient IAM and key management 274
Detecting and mitigating account hijacking in cloud services 276
Common AWS services to assist in the detection and mitigation of account hijacking 277
Common Azure services to assist in the detection and mitigation of account hijacking 278
Common GCP services to assist in the detection and mitigation of account hijacking 278
Detecting and mitigating insider threats in cloud services 279
Common AWS services to assist in the detection and mitigation of insider threats 281
Common Azure services to assist in the detection and mitigation of insider threats 281
Common GCP services to assist in the detection and mitigation of insider threats 282
Detecting and mitigating insecure APIs in cloud services 283
Common AWS services to assist in the detection and mitigation of insecure APIs 284
Common Azure services to assist in the detection and mitigation of insecure APIs 285
Common GCP services to assist in the detection and mitigation of insecure APIs 285
Detecting and mitigating the abuse of cloud services 286
Common AWS services to assist in the detection and mitigation of the abuse of cloud services 287
Common Azure services to assist in the detection and mitigation of the abuse of cloud services 287
Common GCP services to assist in the detection and mitigation of the abuse of cloud services 288
Summary 289
9 Handling Compliance and Regulation
Technical requirements 292
Compliance and the shared responsibility model 292
Introduction to compliance with regulatory requirements and industry best practices 293
How to maintain compliance in AWS 293
How to maintain compliance in Azure 294
How to maintain compliance in GCP 294
Summary 295
What are the common ISO standards related to cloud computing? 295
ISO/IEC 27001 standard 295
ISO 27017 standard 296
ISO 27018 standard 297
Summary 298
What is a SOC report? 299
Summary 300
What is the CSA STAR program? 300
STAR Level 1 301
STAR Level 2 301
Summary 301
What is PCI DSS? 302
Summary 303
What is the GDPR? 303
Summary 305
What is HIPAA? 305
Summary 306
Summary 307
10 Engaging with Cloud Providers
Technical requirements 310
Choosing a cloud provider 310
What is the most suitable cloud service model for our needs? 311
Data privacy and data sovereignty 313
Auditing and monitoring 314
Migration capabilities 315
Authentication 315
Summary 315
What is a cloud provider questionnaire? 316
Summary 322
Tips for contracts with cloud providers 322
Summary 324
Conducting penetration testing in cloud environments 324
Summary 326
Summary 326
Section 4: Advanced Use of Cloud Services
11 Managing Hybrid Clouds
Technical requirements 332
Hybrid cloud strategy 332
Cloud bursting 332
Backup and disaster recovery 333
Archive and data retention 333
Distributed data processing 333
Application modernization 333
Summary 334
Identity management over hybrid cloud environments 334
How to manage identity over hybrid AWS environments 335
How to manage identity over hybrid Azure environments 336
How to manage identity over GCP hybrid environments 337
Best practices for managing identities in hybrid environments 337
Summary 338
Network architecture for hybrid cloud environments 338
How to connect the on-premises environment to AWS 339
How to connect the on-premises environment to Azure 340
How to connect the on-premises environment to GCP 341
Summary 342
Storage services for hybrid cloud environments 342
How to connect to storage services over AWS hybrid environments 342
How to connect to storage services over Azure hybrid environments 344
How to connect to storage services over GCP hybrid environments 345
Summary 345
Compute services for hybrid cloud environments 345
Using compute services over AWS hybrid environments 346
Using compute services over Azure hybrid environments 347
Using compute services over GCP hybrid environments 348
Summary 349
Securing hybrid cloud environments 349
How to secure AWS hybrid environments 349
How to secure Azure hybrid environments 351
How to secure GCP hybrid environments 352
Summary 353
Summary 353
12 Managing Multi-Cloud Environments
Technical requirements 356
Multi-cloud strategy 356
Freedom to select a cloud provider 356
Freedom to select your services 357
Reduced cost 357
Data sovereignty 357
Backup and disaster recovery 357
Improving reliability 357
Identity management 358
Data security 358
Asset management 359
Skills gap 359
Summary 359
Identity management over multi-cloud environments 360
How to manage identity in AWS over multi-cloud environments 360
How to manage identity in Azure over multi-cloud environments 362
How to manage identity in GCP over multi-cloud environments 363
Summary 364
Network architecture for multi-cloud environments 364
How to create network connectivity between AWS and GCP 366
How to create network connectivity between AWS and Azure 367
How to create network connectivity between Azure and GCP 367
Summary 368
Data security in multi-cloud environments 368
Encryption in transit 368
Encryption at rest 369
Encryption in use 369
Summary 370
Cost management in multi-cloud environments 370
Summary 372
Cloud Security Posture Management (CSPM) 372
Summary 373
Cloud Infrastructure Entitlement Management (CIEM) 374
Summary 374
Patch and configuration management in multi-cloud environments 375
Summary 377
The monitoring and auditing of multi-cloud environments 377
Summary 378
Summary 378
13 Security in Large-Scale Environments
Technical requirements 382
Managing governance and policies at a large scale 382
Governance in AWS 384
Governance in Azure 388
Governance in Google Cloud 392
Automation using IaC 395
AWS CloudFormation 396
Azure Resource Manager (ARM) templates 397
Google Cloud Deployment Manager 397
HashiCorp Terraform 398
Summary 399
Security in large-scale cloud environments 399
Managing security at a large scale while working with AWS 399
Managing security at a large scale while working with Azure 402
Managing security at a large scale while working with Google Cloud 403
Summary 404
What's next? 404
Plan ahead 404
Automate 405
Think big 405
Continue learning 405
Index
Other Books You May Enjoy
Preface
Cloud Security Handbook provides complete coverage of security aspects when designing, building, and maintaining environments in the cloud. This book is filled with best practices to help you smoothly transition to the public cloud, while keeping your environments secure. You do not have to read everything – simply find out which cloud provider is common at your workplace, or which cloud provider you wish to focus on, and feel free to skip the rest.
Who this book is for
This book is for IT or information security personnel taking their first steps in the public cloud or migrating existing environments to the cloud. DevOps professionals, cloud engineers, or cloud architects maintaining production environments in the cloud will also benefit from this book.
What this book covers
Chapter 1, Introduction to Cloud Security, gives you a solid understanding of cloud security by explaining concepts such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), private cloud, public cloud, hybrid cloud, multi-cloud, and the Shared Responsibility Model. This and the rest of the chapters in this book will allow you to understand how to implement security in various cloud environments.
Chapter 2, Securing Compute Services, covers how Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) implement virtual machines, managed databases, containers, Kubernetes, and serverless architectures, and what the best practices for securing those services are.
Chapter 3, Securing Storage Services, covers how AWS, Microsoft Azure, and GCP implement object storage, block storage, and managed file storage, and what the best practices for securing those services are.
Chapter 4, Securing Network Services, covers how AWS, Microsoft Azure, and GCP implement virtual networks, security groups, DNS services, CDN, VPN services, DDoS protection services, and web application firewalls, and what the best practices for securing those services are.
Chapter 5, Effective Strategies to Implement IAM Solutions, covers how AWS, Microsoft Azure, and GCP implement directory services, how these cloud providers implement identity and access management for modern cloud applications, how to implement multi-factor authentication, and how to secure all these services.
Chapter 6, Monitoring and Auditing of Your Cloud Environment, covers how AWS, Microsoft Azure, and GCP implement audit mechanisms, how to detect threats in automated and large-scale environments, and how to capture network traffic for troubleshooting and security incident detection (digital forensics).
Chapter 7, Applying Encryption in Cloud Services, covers when to use symmetric and asymmetric encryption in a cloud environment, what the various alternatives for key management services in AWS, Azure, and GCP are, what the alternatives and best practices for storing secrets in code are, and how to implement encryption in traffic and encryption at rest on the AWS, Azure, and GCP cloud services.
Chapter 8, Understanding Common Security Threats to Cloud Computing, covers what the common security threats in public cloud environments are, how to detect those threats, and what the countermeasures to mitigate such threats using built-in services in AWS, Azure, and GCP are.
Chapter 9, Handling Compliance and Regulation, covers what the common security standards related to cloud environments are, what the different levels of Security Operations Center (SOC) are, and how to use cloud services to comply with the European data privacy regulation, GDPR.
Chapter 10, Engaging with Cloud Providers, covers how to conduct a risk assessment in a public cloud environment, what the important questions to ask a cloud provider prior to the engagement phase are, and what important topics to embed inside a contractual agreement with the cloud provider.
Chapter 11, Managing Hybrid Clouds, covers how to implement common features such as identity and access management, patch management, vulnerability management, configuration management, monitoring, and network security aspects in hybrid cloud environments.
Chapter 12, Managing Multi-Cloud Environments, covers how to implement common topics such as identity and access management, patch management, vulnerability management, configuration management, monitoring, and network security aspects in multi-cloud environments.
Chapter 13, Security in Large-Scale Environments, covers what the common Infrastructure as Code (IaC) alternatives are, how to implement patch management in a centralized manner, how to control configuration and compliance management, and how to detect vulnerabilities in cloud environments (managed services and sample tools) in a large production environment.
To get the most out of this book
The following are some of the requirements to get the most out of the book:
Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781800569195_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "If a resource node has set inheritFromParent = true, then the effective policy of the parent resource is inherited."
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Azure Event Hubs: This is for sending audit logs to an external SIEM system for further analysis."
Tips or Important Notes
Appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share your thoughts
Once you've read Cloud Security Handbook, we'd love to hear your thoughts! Please go to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
Section 1: Securing Infrastructure Cloud Services
On completion of this part, you will have a solid understanding of how to secure the basic building blocks of cloud services (cloud deployment and service models, compute, storage, and network).
This part of the book comprises the following chapters:
• Chapter 1, Introduction to Cloud Security
• Chapter 2, Securing Compute Services
• Chapter 3, Securing Storage Services
• Chapter 4, Securing Network Services
1 Introduction to Cloud Security
This book, Cloud Security Techniques and Best Practices, is meant for various audiences. You could be taking your first steps working with cloud services, or you could be coming from an IT perspective and want to know about various compute and storage services and how to configure them securely. Or, you might be working in information security and want to know the various authentication, encryption, and audit services and how to configure them securely, or you might be working with architecture and want to know how to design large-scale environments in the cloud in a secure way.
Reading this book will allow you to mak