Security for Cloud Native Applications : The practical guide for securing modern applications using AWS, Azure, and GCP
✍ Scribed by Estrin, Eyal;
- Publisher: BPB Publications
- Year: 2024
- Language: English
- Pages: 250
- Category: Library
✦ Synopsis
Your practical handbook for securing cloud-native applications.

Key features:
- An overview of security in cloud-native applications, such as modern architectures, containers, CI/CD pipelines, and so on.
- Using automation, such as infrastructure as code and policy as code, to achieve security at scale.
- Implementing security, from encryption and secrets management to threat management.

Description:
Security for Cloud Native Applications is an overview of cloud-native applications' characteristics from a security point of view, filled with best practices for securing services based on AWS, Azure, and GCP infrastructure. This book is a practical guide for securing cloud-native applications throughout their lifecycle. It establishes foundational knowledge of cloud services and cloud-native characteristics. It focuses on securing design approaches like APIs, microservices, and event-driven architectures. Specific technologies like containers, Kubernetes, and serverless functions are covered with security best practices. The book emphasizes integrating security throughout development using CI/CD pipelines and IaC tools. It explores policy as code for enforcing security policies and immutable infrastructure for an enhanced security posture. Key management and threat detection strategies are also covered. Finally, the book offers a practical example and resources for further learning. By the end of the book, the reader will be able to design and secure modern applications using the public cloud's scale, managed services, automation, and built-in security controls.

What you will learn:
- How to secure modern design architectures, from APIs and event-driven architectures to microservices.
- How to secure applications using containers and the Kubernetes platform.
- How to secure applications using serverless/function-as-a-service.
- How to implement key and secrets management as part of cloud-native applications.
- How to implement the 12-factor application methodology and immutable infrastructure in cloud-native applications.

Who this book is for:
This book is for security professionals, software development teams, DevOps and cloud architects, and all those who are designing, maintaining, and securing cloud-native applications.

Table of contents:
1. Introduction to Cloud Native Applications
2. Securing Modern Design Architectures
3. Containers and Kubernetes for Cloud Native Applications
4. Serverless for Cloud Native Applications
5. Building Secure CI/CD Pipelines
6. The 12-Factor Application Methodology
7. Using Infrastructure as Code
8. Authorization and Policy as Code
9. Implementing Immutable Infrastructure
10. Encryption and Secrets Management
11. Threat Management in Cloud Native Applications
12. Summary and Key Takeaways
✦ Table of Contents
Cover
Title Page
Copyright Page
Dedication Page
About the Author
About the Reviewer
Acknowledgement
Preface
Table of Contents
1. Introduction to Cloud Native Applications
Introduction
Structure
Objectives
Recap of cloud services
Cloud-native services
Cloud-native applications
Conclusion
References
2. Securing Modern Design Architectures
Introduction
Structure
Objectives
Application programmable interfaces
Understanding APIs
Benefits of using APIs
Common use cases for using APIs
Best practices for securing APIs
Transport layer
Authentication and authorization
HTTPS methods
Input validation
API Gateway
Network and application controls
Auditing
Information leakage
Event-driven architectures
Understanding Event-driven architecture
Pub/Sub model
Event streaming model
Benefits of using Event-driven architecture
Common use cases for using Event-driven architecture
External integration
Cross-account/Cross-region data replication
Business workflow
APIs versus Event-driven architecture
Communication method
Data transfer size
Development effort
Resiliency to load and failure
Best practices for securing Event-driven architecture
Network layer
Transport layer
Encryption at rest
Authentication and authorization
Auditing
Microservices architecture
Understanding microservice architecture
Benefits of using microservices architecture
Decoupled architecture
Scalability
Fault isolation and resiliency
Continuous Integration/Continuous Delivery
Language and technology agnostic
Common use cases for using microservices architecture
Modernizing legacy applications
Big data applications
Real-time data processing
Security in Microservices architecture
Conclusion
References
3. Containers and Kubernetes for Cloud Native Applications
Introduction
Structure
Objectives
Containers technology
Understanding Containers
Container components
Benefits of using containers
Excellent use of resources
Reduced overhead
Small footprint
Scalability
Portability
Speed
Developer experience
Best practices for securing containers
Container registry
Least privileged user
Read-only file system
Container image size
Container base image
Container image signing
Handling third-party vulnerabilities
Secrets management
Container host
Network Layer (Docker images)
Container operating systems
Understanding container operating systems
Benefits of container operating system
Small footprint
Improved security
Update mechanism
Immutable file system
Fast boot time
Examples of Container operating systems
AWS Bottlerocket
Google Container-optimized OS
Kubernetes as a Container orchestrator
Understanding Kubernetes
Kubernetes components
Control plane
Serverless control plane
Worker node
Benefits of using Kubernetes
Run anywhere
Automation
Community support
Cloud support
Self-healing capability
Horizontal scaling capability
Portability and vendor lock-in
Cost efficiency
Best practices for securing the Kubernetes platform
Managed Kubernetes
Container OS
Confidential computing
Pod Security
Network layer
Pod to Pod communication
Service mesh
Transport layer
Certificate management
Encryption at Rest
Secrets management
Authentication and authorization
Configuration standard
Security updates
Auditing
Conclusion
References
4. Serverless for Cloud Native Applications
Introduction
Structure
Objectives
Serverless fundamentals
Types of Serverless Services
Compute
Database
Storage
Application integration
Benefits of using Serverless
Time to market
Scalability
High availability
Security
Cost
Introducing Serverless/Function as a Service
Introducing AWS Lambda
Introducing Azure Functions
Introducing Google Cloud Functions
Best practices for securing Serverless/Function as a Service
Securing Containerized Functions
Function isolation
Network layer
Transport layer
Secrets management
Authentication and authorization
Code signing
Vulnerability management
Code repository
Configuration Management
Auditing
Conclusion
References
5. Building Secure CI/CD Pipelines
Introduction
Structure
Objectives
CI/CD pipeline fundamentals
Static Application Security Testing tools
Introducing Static Application Security Testing tools
Embedding SAST as part of the CI/CD pipeline
Examples of open-source SAST tools
Software Composition Analysis tools
Introducing SCA tools
Embedding SCA tools as part of the CI/CD pipeline
Examples of open-source SCA tools
Static code analyzers for Infrastructure as Code
Embedding IaC scanning tools as part of the CI/CD pipeline
Examples of open-source IaC scanning tools
Repositories and artifacts
Using repositories as part of the CI/CD process
Source code and library repositories
AWS CodeCommit
Azure Repos
Google Cloud Source Repositories
Artifact package repositories
AWS CodeArtifact
Azure Artifacts
Google Artifact Registry
Container image repositories
Amazon Elastic Container Registry
Azure Container Registry
Google Artifact Registry
Software supply chain
Definition of software supply chain
Common threats relating to the software supply chain
Introducing Software bill of materials
Amazon Inspector
Azure SBOM Tool
Google Artifact Analysis
Best practices for securing the CI/CD pipeline
Network layer
Transport layer
Authentication and authorization
Design/Plan phase
Code development phase
Build phase
Test phase
Delivery phase
Deployment phase
Operational/Maintenance phase
Auditing
Conclusion
References
6. The 12-Factor Application Methodology
Introduction
Structure
Objectives
The twelve-factor app methodology
Introduction to the 12-Factors application methodology
Codebase
Security best practices
Dependencies
Security best practices
Config
Security best practices
Backing services
Security best practices
Build, release, run
Security best practices
Processes
Security best practices
Port binding
Security best practices
Concurrency
Disposability
Security best practices
Dev/prod parity
Security best practices
Logs
Security best practices
Admin processes
Security best practices
Conclusion
References
7. Using Infrastructure as Code
Introduction
Structure
Objectives
Introduction to Infrastructure as Code
IaC: Declarative versus imperative
Imperative programming
Declarative programming
Benefits of using IaC
AWS CloudFormation
Introduction to AWS CloudFormation templates
Best practices for securing AWS CloudFormation
Identity management
Secrets management
Parameters management
Syntax validation
Policy as code
Network connectivity
Auditing
HashiCorp Terraform
Benefits of using Terraform
Multi-cloud provider support
Community support
State management
Authentication
Authorization
Best practices for securing Terraform
Authentication and authorization
Code repository
State management
Secrets management
Static code analysis
Policy as Code
Auditing
CI/CD pipeline
Configuration management
Using secure Terraform modules
Terraform code samples
Terraform modules on AWS
Terraform modules on Azure
Terraform modules on GCP
Conclusion
References
8. Authorization and Policy as Code
Introduction
Structure
Objectives
Introduction for Policy as Code
Benefits of using Policy as Code
Using AWS Service control policies
Using Azure Policy
Using Google Organization Policy service
Introduction to the HashiCorp Sentinel framework
Using Sentinel to complement Terraform modules
Code samples for Sentinel policies
Introduction to Open Policy Agent
Benefits of using OPA
Authorization process using OPA
Sample “Hello World” policy
Sample code for using OPA to secure Kubernetes
Introduction to Cedar policy language
Authorization process using Cedar
Sample Cedar code
Conclusion
References
9. Implementing Immutable Infrastructure
Introduction
Structure
Objectives
Introduction to immutable infrastructure
Differences between stateful and stateless applications
Introducing Immutable Infrastructure
Benefits of using immutable infrastructure
Building a golden image
Best practices for creating container golden image
Virtual machine image source
Virtual Machine Image update
Virtual Machine Image builder
Container Image source
Container Image Builder
Container registry
Managing persistent data
Managing environment variables
Secrets management
Creating deployment pipeline
Implementing Immutable Infrastructure as part of the CI/CD pipeline
CI/CD pipeline using AWS services
CI/CD pipeline using Azure services
CI/CD pipeline using GCP services
CI/CD pipeline using vendor-agnostic tools
Conclusion
References
10. Encryption and Secrets Management
Introduction
Structure
Objectives
Introducing encryption and key management services
Introducing key management services
Best practices for securing key management services
Introduction to AWS KMS
Best practices for securing AWS KMS
Introduction to Azure Key Vault
Best practices for securing Azure Key Vault
Introduction to Google Cloud KMS
Best practices for securing Google Cloud KMS
Introduction to secrets management in cloud-native applications
Secrets management risks
Best practices for securing secrets management services
Introduction to AWS Secrets Manager
Best practices for securing AWS Secrets Manager
Secrets Management in Azure
Best practices for securing secrets using Azure Key Vault
Introduction to Google Secret Manager
Best practices for securing secrets using Google Secret Manager
Introduction to HashiCorp Vault
Best practices for securing secrets using HashiCorp Vault
Secrets management in Git repositories
Secrets management in the CI/CD pipeline
AWS CodeBuild
Azure DevOps pipelines
Google Cloud Build
Secrets management in Containers
Scanning for secrets inside Container images
Securing access to secrets in Kubernetes
Secrets management in Function-as-a-Service
AWS Lambda
Azure Functions
Google Cloud Functions
Secrets management in Infrastructure-as-Code
Conclusion
References
11. Threat Management in Cloud Native Applications
Introduction
Structure
Objectives
Vulnerability versus threat versus risk
Introducing vulnerability management in Cloud-native applications
Introduction to Amazon Inspector
Amazon Inspector for Containers
Amazon Inspector for Lambda
Best practices for implementing Amazon Inspector
Introduction to Microsoft Defender for Cloud
Microsoft Defender for Containers
Microsoft Defender for Cloud DevOps Security
Best practices for implementing Microsoft Defender for Cloud
Introducing GitHub advanced security for Azure DevOps
Best practices for implementing GitHub Advanced Security for Azure DevOps
Introducing Google vulnerability management services
Best practices for implementing Google vulnerability management services
Implementing threat intelligence at scale
Introduction to Amazon GuardDuty
Best practices for implementing Amazon GuardDuty
Introducing Microsoft Sentinel
Best practices for implementing Microsoft Sentinel
Introducing Google Security Command Center
Best practices for implementing Google Security Command Center
Conclusion
References
12. Summary and Key Takeaways
Introduction
Structure
Objectives
Introducing Pet Store
Key takeaways from the book
Chapter 1, Introduction to Cloud Native Applications: Key takeaways
Chapter 2, Securing Modern Design Architectures: Key takeaways
Chapter 3, Containers and Kubernetes for Cloud Native Applications: Key takeaways
Chapter 4, Serverless for Cloud Native Applications: Key takeaways
Chapter 5, Building Secure CI/CD Pipelines: Key takeaways
Chapter 6, The 12-Factor Application Methodology: Key takeaways
Chapter 7, Using Infrastructure as Code: Key takeaways
Chapter 8, Authorization and Policy as Code: Key takeaways
Chapter 9, Implementing Immutable Infrastructure: Key takeaways
Chapter 10, Encryption and Secrets Management: Key takeaways
Chapter 11, Threat Management in Cloud Native Applications: Key takeaways
Recommendations for the readers of the book
Gain hands-on experience
Share knowledge with your peers
Learn from experts
Index