Immediate download Aws cookbook: recipes for success on aws john culkin and mike zazon ebooks 2024
AWS Cookbook: Recipes for Success
on AWS John Culkin And Mike Zazon
Visit to download the full and correct content document: https://ebookmass.com/product/aws-cookbook-recipes-for-success-on-aws-john-culki n-and-mike-zazon/
More products digital (pdf, epub, mobi) instant download maybe you interests ...
AWS Cookbook: Recipes for Success on AWS 1st Edition
This practical guide provides over 70 self-contained recipes to help you creatively solve common AWS challenges you’ll encounter on your cloud journey. If you’re comfortable with rudimentary scripting and general cloud concepts, this cookbook provides what you need to address foundational tasks and create high-level capabilities.
Authors John Culkin and Mike Zazon share real-world examples that incorporate best practices. Each recipe includes a diagram to visualize the components. Code is provided so that you can safely execute in an AWS account to ensure solutions work as described. From there, you can customize the code to help construct an application or fix an existing problem. Each recipe also includes a discussion to provide context, explain the approach, and challenge you to explore the possibilities further.
Go beyond theory and learn the details you need to successfully build on AWS. The recipes help you:
• Redact personal identifiable information (PII) from text using Amazon Comprehend
• Automate password rotation for Amazon RDS databases
• Use VPC Reachability Analyzer to verify and troubleshoot network paths
• Lock down Amazon Simple Storage Service (S3) buckets
• Analyze AWS Identity and Access Management policies
• Autoscale a containerized service
ISBN: 978-1-492-09260-5
“There’s something sorely missing from official AWS documentation: a sense of reality. Most of us aren’t attempting to win points for collecting as many AWS services as we can; we’re trying to complete a task somewhere that isn’t a whiteboard. AWS Cookbook speaks to real users with a collection of recipes and pragmatic examples we can all benefit from.”
—Corey Quinn Chief Cloud Economist, The
Duckbill
Group
John Culkin is a senior solutions architect at AWS. He now focuses on creating transformative business solutions that utilize cloud services.
Mike Zazon is a senior cloud architect at AWS. His passion for technology education blossomed while working in an engineering research university setting.
There’s something sorely missing from official AWS documentation: a sense of reality. Most of us aren’t attempting to win points for collecting as many AWS services as we can; we’re trying to complete a task somewhere that isn’t a whiteboard. AWS Cookbook speaks to real users with a collection of recipes and pragmatic examples we can all benefit from.
—Corey Quinn, Chief Cloud Economist, The Duckbill Group
Inside you’ll find a great deal of information on typical AWS use cases plus a reference implementation that’s easy to follow. If you like to learn AWS concepts in a practicedriven, example-based, hands-on manner, I highly recommend this book.
—Gaurav Raje, author of Security and Microservice Architecture on AWS
I’ve never read a book packed so densely with ninja level tips and tricks for AWS; it’s the book I wish I had five years ago. If you use AWS day to day, you need this in your toolkit, not only for the things it contains but also for the inspiration it provides. In my view, it’s the best AWS book there is.
—Adrian Cantrill, AWS Trainer, learn.cantrill.io
Putting AWS into practice with hands-on experience is the difference between cloud literacy and cloud fluency. AWS Cookbook serves up practical scenarios for working in the cloud to help individuals level up their career.
—Drew Firment, AWS Community Hero and Head Enterprise Strategist, Pluralsight
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com
AcquisitionsEditor: Jennifer Pollock
DevelopmentEditor: Virginia Wilson
ProductionEditor: Christopher Faucher
Copyeditor: nSight, Inc.
Proofreader: Sharon Wilkey
December 2021: First Edition
Revision History for the First Edition 2021-12-02: First Release
Indexer: Ellen Troutman-Zaig
InteriorDesigner: David Futato
CoverDesigner: Karen Montgomery
Illustrator: Kate Dullea
See http://oreilly.com/catalog/errata.csp?isbn=9781492092605 for release details.
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. AWS Cookbook, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.
The views expressed in this work are those of the authors and do not represent the publisher’s views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-492-09260-5
[LSI]
Dedicated to my father, who taught me that a spreadsheet could be used for much more than totaling up columns.
—John
Dedicated to my aunt, Judy Dunn. Thank you for the Tandy 1000 PC that sparked my fascination with computer programming and technology.
—Mike
2.6 Using VPC Reachability Analyzer to Verify and Troubleshoot Network
2.7 Redirecting HTTP Traffic to HTTPS with an Application Load Balancer
2.8 Simplifying Management of CIDRs in Security Groups with Prefix Lists
2.9 Controlling Network Access to S3 from Your VPC Using VPC Endpoints
2.10 Enabling Transitive Cross-VPC Connections Using Transit Gateway
2.11 Peering Two VPCs Together for Inter-VPC Network
3. Storage.
3.0 Introduction
3.1 Using S3 Lifecycle Policies
3.2 Using S3 Intelligent-Tiering Archive Policies to Automatically Archive S3
3.3 Replicating S3 Buckets to Meet Recovery Point Objectives
3.4 Observing S3 Storage and Access Metrics Using Storage Lens
3.5 Configuring Application-Specific Access to S3 Buckets with S3 Access
3.6 Using Amazon S3 Bucket Keys with KMS to Encrypt Objects
3.7 Creating and Restoring EC2 Backups
3.8
4. Databases.
4.0 Introduction
4.1
4.3 Leveraging RDS Proxy for Database Connections from Lambda
4.4 Encrypting the Storage of an Existing Amazon RDS for MySQL Database
4.5 Automating Password Rotation for RDS Databases
4.7 Migrating Databases to Amazon RDS Using AWS DMS
4.8 Enabling REST Access to Aurora Serverless Using RDS Data API 171
5. Serverless.
5.0 Introduction
5.1 Configuring an ALB to Invoke a Lambda Function
5.2 Packaging Libraries with Lambda Layers
5.3 Invoking Lambda Functions on a Schedule
5.4 Configuring a Lambda Function to Access an EFS File System
5.5 Running Trusted Code in Lambda Using AWS Signer
5.6 Packaging Lambda Code in a Container Image 194
5.7 Automating CSV Import into DynamoDB from S3 with Lambda 198
5.8 Reducing Lambda Startup Times with Provisioned Concurrency 201
5.9 Accessing VPC Resources with Lambda 204
6. Containers. .
6.0 Introduction
6.1 Building, Tagging, and Pushing a Container Image to Amazon ECR
6.2 Scanning Images for Security Vulnerabilities on Push to Amazon ECR 214
6.3 Deploying a Container Using Amazon Lightsail 217
6.4 Deploying Containers Using AWS Copilot 220
6.5 Updating Containers with Blue/Green Deployments 223
6.6 Autoscaling Container Workloads on Amazon ECS 227
6.7 Launching a Fargate Container Task in Response to an Event 231
6.8 Capturing Logs from Containers Running on Amazon ECS
7. Big Data.
7.0
7.1 Using a Kinesis Stream for Ingestion of Streaming
7.2 Streaming Data
7.3
7.4
7.5
8. AI/ML.
8.0
8.1
8.2
8.3
8.4
8.5 Detecting
8.6 Physician Dictation
8.7 Determining
9. Account Management.
9.0
9.1
9.2
9.3 Enabling CloudTrail Logging
9.4
9.5 Setting Up Multi-Factor Authentication for a Root User
9.6 Setting Up AWS Organizations and AWS Single Sign-On
Appendix. Fast Fixes.
Index.
x | TableofContents
Foreword
As part of the Amazon Web Services (AWS) team since the beginning, I have been able to watch it grow in scale, richness, and complexity from a unique vantage point. Even after writing thousands of blog posts and millions of words, I learn something new and useful about AWS just about every day.
With well over two hundred services in production and more launching regularly, AWS could easily leave you feeling overwhelmed. In addition to tens of thousands of pages of official AWS documentation, bloggers, AWS Heroes, AWS Partners, and oth‐ers have created innumerable pieces of content—including blog posts, videos, webi‐nars, overviews, and code samples.
While there’s no substitute for having a full and complete understanding of a particu‐lar AWS service, the reality is that you often simply need to solve a “point” problem. Even after you understand a service, remembering how to use it to solve that problem can be a challenge—at least it is for me.
And that is where this cookbook comes in. Because of its broad selection of topics and carefully chosen recipes, I am confident that you will be able to quickly find one that addresses your immediate need and to put it into practice in short order. You can solve your problem, refresh your knowledge of that aspect of AWS, and move for‐ward to create value for your customers!
My favorite aspect of this book is that it does not hand-wave past any of the details. Each recipe assumes that you start fresh and then helps you to cook up a perfectly seasoned solution. Nothing is left to chance, and you can use the recipes as is in most cases. The recipes also cover the all-important cleanup phase and ensure that you leave your AWS environment as you found it.
Where appropriate, the recipes use the AWS Cloud Development Kit (CDK) and include all of the necessary “moving parts.” The CDK provides a double benefit; in addition to helping you to move forward more quickly, these CDK elements can help you learn more about how to put infrastructure as code (IaC) into practice.
Most cookbooks are designed to be browsed and savored, and this one is no excep‐tion. Flip through it, read an entire chapter, or use just a recipe or two, as you wish. I also recommend that you go through all of Chapter 1, just to make sure that your environment is set up and ready to go. Then, when you are presented with a problem to solve, find the appropriate recipe, put it into practice, and reap the benefits.
Jeff Barr —VP and Chief Evangelist at AWS Seattle, WA November 2021
| Foreword
Preface
The vast majority of workloads will go to the cloud. We’re just at the beginning—there’s so much more to happen.
Andy Jassy
Cloud usage has been gaining traction with enterprises and small businesses over the last decade and continues to accelerate. Gartner said the worldwide infrastructure as a service (IaaS) public cloud services market grew 40.7% in 2020. The rapid growth of the cloud has led to a huge demand for cloud skills by many organizations. Many IT professionals understand the basic concepts of the cloud but want to become more comfortable working in the cloud. This gap between the supply and demand of cloud skills presents a significant opportunity for individuals to level up their career.
Through our combined 20+ years of cloud experience, we have had the benefit of working on Amazon Web Services (AWS) projects in many different roles. We have provided guidance to hundreds of developers on how and when to use AWS services. This has allowed us to understand the common challenges and easy wins of the cloud. We would like to share these lessons with you and give you a leg up for your own advancement. We wrote this book to share some of our knowledge and enable you to quickly acquire useful skills for working in the cloud. We hope that you will find yourself using this book as reference material for many years to come.
Who This Book Is For
This book is for developers, engineers, and architects of all levels, from beginner to expert. Beginners will learn cloud concepts and become comfortable working with cloud services. Experts will be able to examine code used to stand up recipe founda‐tions, explore new services, and gain additional perspectives. If the plethora of cloud services and combinations seem overwhelming to you, then this book is for you. The recipes in this book aim to provide “Hello, World” proofs of concept and components of enterprise-grade applications. This will be accomplished using common use cases with guided walk-throughs of scenarios that you can directly apply to your current or
future work. These curated and experience-building recipes are meant to demystify services and will immediately deliver value, regardless of your AWS experience level.
What You Will Learn
In addition to opening up new career opportunities, being able to harness the power of AWS will give you the ability to create powerful systems and applications that solve many interesting and demanding problems in our world today. Would you like to handle 60,000 cyber threats per second using AWS machine learning like Siemens does? Or reduce your organization’s on-premises footprint and expand its use of microservices like Capital One has? If so, the practical examples in this book will help expedite your learning by providing tangible examples showing how you can put the building blocks of AWS together to form practical solutions that address common scenarios. The on-demand consumption model, vast capacity, advanced capabilities, and global footprint of the cloud create new possibilities that need to be explored.
The Recipes
We break the book into chapters that focus on general areas of technology (e.g., secu‐rity, networking, artificial intelligence, etc.). The recipes contained within the chap‐ters are bite-sized, self-contained, and easily consumable. Recipes vary in length and complexity. Each recipe has a problem statement, solution (with diagram), and dis‐cussion. Problem statements are tightly defined to avoid confusion. Solutions contain required preparation and steps to walk you through the work needed to accomplish the goal. When appropriate, explicit validation checks will be provided. We’ve also added extra challenges to the recipes to help you advance your learning if you wish to do so. Finally, we end each recipe with a short discussion to help you understand the solution and why it matters, suggestions to extend the solution, and ways to utilize it for real impact.
To keep your AWS bill low and keep your account tidy, each recipe has cleanup steps provided in the repositories associated with the book.
Each chapter has its own repository at https://github.com/awscookbook. The reposi‐tory contains preparation steps for easy copying and pasting, required files, and infra‐structure as code. We have also created GitHub templates for reporting bugs and sug‐gesting new recipes. We encourage you to leverage GitHub to submit issues, create requests for new recipes, and submit your own pull requests. We will actively maintain the chapter repositories with updates for recipe steps and code in the README files of each recipe. Be sure to check these for any new or alternative
xiv | Preface
approaches. We look forward to interacting with you on GitHub with new fun chal‐lenges and hints to assist you.
Some recipes are “built from scratch,” and others include preparation steps to allow you to interact with common scenarios seen in the real world. We have provided code to enable you to easily deploy the prerequisites. For example, Recipe 6.5, “Updating Containers with Blue/Green Deployments”, assumes that you are a container devel‐oper creating an application deployment that requires an existing network stack. When prerequisites exist, they can be “pre-baked” with preparation steps using code provided in the repositories. When substantial preparation for a recipe is needed, you will use the AWS Cloud Development Kit (CDK), which is a fantastic tool for intelli‐gently defining and declaring infrastructure. The majority of the recipes are CLI based; when appropriate, we use console walk-throughs including screenshots or descriptive text.
There are many ways to achieve similar outcomes on AWS; this book will not be an exhaustive list. Many factors will dictate the best overall solution for your use case. We have selected recipe top‐ics to help you learn about AWS and make the best choices for your specific needs.
You’ll find recipes for things like the following:
• Redacting personally identifiable information (PII) from text by using Amazon Comprehend
• Automating password rotation for Amazon Relational Database Service (RDS) databases
• Using VPC Reachability Analyzer to verify and troubleshoot network paths
Along with the recipes, we also provide short lines of code in the Appendix that will quickly accomplish valuable and routine tasks. We feel that these are great tidbits to add to your cloud toolbox.
AWS has a free tier, but implementing recipes in this book could incur costs. We provide cleanup instructions, but you are responsi‐ble for any costs in your account. We recommend checking out the Well-Architected Labs developed by AWS on expenditure aware‐ness and leveraging AWS Budgets actions to control costs. Preface |
What You Will Need
Here are the requirements to get started and some tips on where to find assistance:
• AWS account
Setup instructions
An IAM user with console and programmatic access
Administrator privileges for your IAM user
• Personal computer/laptop
• Software
Web browser (e.g., Microsoft Edge, Google Chrome, or Mozilla Firefox)
Terminal with bash or Z shell (Zsh)
Git
Install instructions
Homebrew (optional but recommended to install other requirements)
Install instructions
Code editor (e.g., VSCodium or AWS Cloud9)
Recommended install: brew install --cask vscodium
AWS CLI version 2 (2.1.26 or later)
Install guide
Recommended install: brew install awscli@2
Python 3.7.9 (and pip) or later
Example install: brew install python@3.7
AWS Cloud Development Kit version 2.0 or later
Getting started guide
Recommended install: brew install npm and npm i -g aws-cdk@next
• Recommended: Create a folder in your home directory called AWSCookbook. This will allow you to clone each chapter’s repository in one place:
At the time of publishing, the AWS CDK has two versions: version 1 and version 2 (developer preview). The code we have provided is written for version 2. You can find out more information about how to migrate to and install CDK version 2 in this AWS CDK v2 article
Getting Started
This section provides examples of techniques and approaches we perform throughout the book to make the recipe steps easier to follow. You can skip over these topics if you feel comfortable with them. You can always come back and reference this section.
Setups
In addition to the installation of the prerequisites listed previously, you will need the following access.
AWS account setup
You will need a user with administrative permissions. Some of the recipes require the ability to create AWS Identity and Access Management (IAM) resources. You can fol‐low the AWS guide for creating your first IAM admin user and user group.
General workstation setup steps for CLI recipes
We have created a group of code repositories available at https://github.com/awscook book. Create a folder called AWSCookbook in your home directory (or any place of your choosing) and cd there:
mkdir ~/AWSCookbook && cd ~/AWSCookbook
This will give you a place to check out chapter repositories (e.g., Security): git clone https://github.com/AWSCookbook/Security
Set and export your default Region in your terminal: export AWS_REGION=us-east-1
AWS offers many Regions across the world for cloud deployments. We’ll be using the us-east-1 Region for simplicity. As long as the services are available, there is no reason these recipes won’t work in other Regions. AWS has a list of Regions and services
Set your AWS ACCOUNT_ID by parsing output from the aws sts get-calleridentity operation: Preface | xvii
The aws sts get-caller-identity operation “returns details about the IAM user or role whose credentials are used to call the operation.”
Validate AWS Command Line Interface (AWS CLI) setup and access: aws ec2 describe-instances
If you don’t have any EC2 instances deployed, you should see output similar to the following: { "Reservations": [] }
AWS CLI version 2 will by default send command output with multiple lines to less in your terminal. You can type q to exit. If you want to override this behavior, you can modify your ~/.aws/ config file to remove this default functionality
AWS CloudShell is a browser-based terminal that you can use to quickly create a terminal environment in your authenticated AWS Console session to run AWS CLI commands from. By default, it uses the identity of your browser session to interact with the AWS APIs. Many of the recipes can be run using CloudShell. You can use CloudShell to run recipe steps, clean up commands, and other AWS CLI commands as your authenticated user, if you do not want to create a session that you use in your own local terminal environ‐ment on your workstation.
Techniques and Approaches Used in This Book
The next few sections will explain and give examples of some ways of using the CLI to help you with recipes.
Querying outputs, environment variables, and command substitution
Sometimes when subsequent commands depend on outputs from the command you are currently running. The AWS CLI provides the ability for client-side filtering of output. At times, we will set environment variables that contain these outputs by lev‐eraging command substitution
xviii | Preface
We’ll combine these three techniques to make things easier for you as you proceed through steps in the book. Here is an example:
Use the AWS Security Token Service (AWS STS) to retrieve your IAM user (or role)
Amazon Resource Name (ARN) with the AWS CLI:
aws sts get-caller-identity
You should see output similar to the following: { "UserId": "EXAMPLE", "Account": "111111111111", "Arn": "arn:aws:iam::111111111111:user/UserName" }
An example of querying for the ARN value and outputting it to the terminal follows:
aws sts get-caller-identity --query Arn --output text
You should see output similar to the following:
arn:aws:iam::111111111111:user/UserName
Query for the ARN value and set it as an environment variable using command sub‐stitution:
To check the value of an environment variable, for example, you can echo it to the terminal:
echo $PRINCIPAL_ARN
You should see output similar to the following:
arn:aws:iam::111111111111:user/UserName
Using the --dry-run flag is always a good idea when performing an operation that makes changes—for example, aws ec2 create-vpc --dry-run --cidr-block 10.10.0.0/16.
Replacing values in provided template files
Where possible, to simplify the learning experience for you, we have provided tem‐plate files in the chapter code repositories that you can use as a starting point as input to some of the commands you will run in recipe steps. For example, when you create an AWS CodeDeploy configuration in Recipe 6.5, “Updating Containers with Blue/ Green Deployments”, we provide codedeploy-template.json with AWS_ACCOUNT_ID, PROD_LISTENER_ARN, and TEST_LISTENER_ARN placeholders in the JSON file. We expect you to replace these placeholder values and save the file as codedeploy.json.
Preface | xix
To further simplify your experience, if you follow the steps exactly and save these to environment variables, you can use the sed command to replace the values. Where possible, we provide you a command to do this, such as this example from Chapter 6:
Use the sed command to replace the values with the environment variables you exported with the helper.py script:
During some of the steps in the recipes, you will create passwords and temporarily save them as environment variables to use in subsequent steps. Make sure you unset the environment variables by following the cleanup steps when you complete the recipe. We use this approach for simplicity of understanding. A more secure method (such as the method in Recipe 1.8) should be used in production environments by leveraging AWS Secrets Manager.
Generation. You can use AWS Secrets Manager via the AWS CLI to generate pass‐words with specific requirements. An example from Chapter 4 looks like this:
Usage and storage. In production environments, you should use AWS Secrets Man‐ager or AWS Systems Manager Parameter Store (using secure strings) with IAM poli‐cies to control who and what can access the secrets. For simplicity, some of the poli‐cies of passwords and secrets used in the recipes might not be as locked down from a policy perspective as you would want in a production environment. Be sure to always write your own IAM policies to control this behavior in practice.
Random suffixes
We generate a lot of random suffixes when we deal with global services like Amazon S3. These are needed because S3 bucket names need to be globally unique across the entire AWS customer base. Secrets Manager can be used via the CLI to generate a string that satisfies the naming convention and adds this random element to ensure all book readers can create resources and follow along using the same commands:
You can also use any other utilities to generate random strings. Some local tools may be preferred.
AWS Cloud Development Kit and helper.py
A good place to start is the “Getting started with the AWS CDK” guide. After you have CDK 2.0 installed, if this is the first time you are using the AWS CDK, you’ll need to bootstrap with the Region you are working on with the AWS CDK toolkit:
cdk bootstrap aws://$AWS_ACCOUNT_ID/$AWS_REGION
We use the AWS CDK when needed throughout the book to give you the ability to deploy a consistent scenario that aligns with the problem statement you see in the recipe. You can also choose to execute the recipe steps in your own existing environ‐ments, as long as you have the input variables required for the recipe steps. If things don’t work in your environment, you can stand up the provided environment and compare.
The CDK code we included in the repositories deploys resources using the AWS CloudFormation service, and we wrote output variables that you use in recipe steps. We created a Python script called helper.py which you can run in your terminal to take the CloudFormation output and set local variables to make the recipe steps eas‐ier to follow—in most cases, even copy and paste.
An example set of commands for deploying CDK code for a recipe after checking out the chapter repository for Chapter 4, looks like the following:
You can easily copy and paste the preceding code from the root of the chapter reposi‐tory (assuming you have Python, pip, and CDK installed as prerequisites) to deploy the scenario that the solution will address in the solution steps of the recipe.
The helper.py tool we created can then be run in your terminal after the cdk deploy is complete:
python helper.py
You should see output that you can copy and paste into your terminal to set environ‐ment variables from the CDK CloudFormation stack outputs:
$ python helper.py
Copy and paste the commands below into your terminal
Finally, a reminder that although we work for AWS, the opinions expressed in this book are our own.
Put on your apron, and let’s get cooking with AWS!
Conventions Used in This Book
The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
Used for program listings, as well as within paragraphs to refer to program ele‐ments such as variable or function names, databases, data types, environment variables, statements, and keywords.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values or by values deter‐mined by context.
This element signifies a tip or suggestion.
This element signifies a general note.
This element indicates a warning or caution.
Using Code Examples
Supplemental material (code examples, exercises, etc.) is available for download at https://github.com/awscookbook.
If you have a technical question or a problem using the code examples, please send email to bookquestions@oreilly.com.
This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require per‐mission.
We appreciate, but generally do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “AWS Cookbook by John Culkin and Mike Zazon (O’Reilly). Copyright 2022 Culkins Coffee Shop LLC and Mike Zazon, 978-1-492-09260-5.”
If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.
O’Reilly Online Learning
For more than 40 years, O’Reilly Media has provided technol‐ogy and business training, knowledge, and insight to help companies succeed.
Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit http://oreilly.com.
How to Contact Us
Please address comments and questions concerning this book to the publisher:
O’Reilly Media, Inc.
1005 Gravenstein Highway North
Preface | xxiii
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/AWS-cookbook.
Email bookquestions@oreilly.com to comment or ask technical questions about this book.
For news and information about our books and courses, visit http://oreilly.com
Find us on Facebook: http://facebook.com/oreilly
Follow us on Twitter: http://twitter.com/oreillymedia
Watch us on YouTube: http://youtube.com/oreillymedia
Acknowledgments
Thank you to Jeff Armstrong, author of Migrating to AWS, A Manager’s Guide for introducing us to O’Reilly.
We want to recognize the tech reviewers who helped get this book to where it is today. Their keen eyes, opinions, and technical prowess are greatly appreciated. Jess Males, Gaurav Raje, Jeff Barr, Paul Bayer, Neil Stewart, David Kheyman, Justin Domingus, Justin Garrison, Julian Pittas, Mark Wilkins, and Virginia Chu—thank you.
Thanks to the knowledgeable community at r/aws for always providing great insights and opinions.
Thank you to our production editor, Christopher Faucher, for getting the book in tiptop shape for release. Thanks also to our editor, Virginia Wilson, for taking the time to work with first-time authors during a pandemic. Your patience, suggestions, and guidance allowed us to complete this book and remain (somewhat) sane :-)
xxiv | Preface
CHAPTER 1 Security
1.0 Introduction
The average cost of a data breach in 2021 reached a new high of USD 4.24 million as reported by the IBM/Ponemon Institute Report. When you choose to run your appli‐cations in the cloud, you trust AWS to provide a secure infrastructure that runs cloud services so that you can focus on your own innovation and value-added activities.
But security in the cloud is a shared responsibility between you and AWS. You are responsible for the configuration of things like AWS Identity and Access Manage‐ment (IAM) policies, Amazon EC2 security groups, and host based firewalls. In other words, the security of the hardware and software platform that make up the AWS cloud is an AWS responsibility. The security of software and configurations that you implement in your AWS account(s) are your responsibility.
As you deploy cloud resources in AWS and apply configuration, it is critical to under‐stand the security settings required to maintain a secure environment. This chapter’s recipes include best practices and use cases focused on security. As security is a part of everything, you will use these recipes in conjunction with other recipes and chap‐ters in this book. For example, you will see usage of AWS Systems Manager Session Manager used throughout the book when connecting to your EC2 instances. These foundational security recipes will give you the tools you need to build secure solu‐tions on AWS.
In addition to the content in this chapter, so many great resources are available for you to dive deeper into security topics on AWS. “The Fundamentals of AWS Cloud Security”, presented at the 2019 AWS security conference re:Inforce, gives a great overview. A more advanced talk, “Encryption: It Was the Best of Controls, It Was the Worst of Controls”, from AWS re:Invent, explores encryption scenarios explained in detail. 1
AWS publishes a best practices guide for securing your account, and all AWS account holders should be familiar with the best prac‐tices as they continue to evolve.
We cover important security topics in this chapter. It is not possible to cover every topic as the list of services and configurations (with respect to security on AWS) continues to grow and evolve. AWS keeps its Best Practices for Security, Identity, and Compliance web page up-to-date.
Workstation Configuration
You will need a few things installed to be ready for the recipes in this chapter.
General setup
Follow the “General workstation setup steps for CLI recipes” on page xvii to validate your configuration and set up the required environment variables. Then, clone the chapter code repository:
git clone https://github.com/AWSCookbook/Security
1.1 Creating and Assuming an IAM Role for Developer Access
Problem
To ensure that you are not always using administrative permissions, you need to cre‐ate an IAM role for development use in your AWS account.
Solution
Create a role using an IAM policy that will allow the role to be assumed later. Attach the AWS managed PowerUserAccess IAM policy to the role (see Figure 1-1).
Figure 1-1. Create role, attach policy, and assume role
Steps
1. Create a file named assume-role-policy-template.json with the following content. This will allow an IAM principal to assume the role you will create next (file pro‐vided in the repository):
If you are using an IAM user, and you delete and re-create the IAM user, this policy will not continue to work because of the way that the IAM service helps mitigate the risk of privilege escalation. For more information, see the Note in the IAM documentation about this.
2. Retrieve the ARN for your user and set it as a variable: PRINCIPAL_ARN=$(aws sts get-caller-identity --query Arn --output text)
3. Use the sed command to replace PRINCIPAL_ARN in the assume-role-policytemplate.json file and generate the assume-role-policy.json file: sed -e "s|PRINCIPAL_ARN|${PRINCIPAL_ARN}|g" \ assume-role-policy-template.json > assume-role-policy.json
4. Create a role and specify the assume role policy file: ROLE_ARN=$(aws iam create-role --role-name AWSCookbook101Role \ --assume-role-policy-document file://assume-role-policy.json \ --output text --query Role.Arn)
5. Attach the AWS managed PowerUserAccess policy to the role: aws iam attach-role-policy --role-name AWSCookbook101Role \ --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
AWS provides access policies for common job functions for your convenience. These policies may be a good starting point for you to delegate user access to your account for specific job functions; however, it is best to define a least-privilege policy for your own specific requirements for every access need.
The AssumeRole API returns a set of temporary credentials for a role session from the AWS Security Token Service (STS) to the caller as long as the permissions in the AssumeRole policy for the role allow. All IAM roles have an AssumeRole policy associated with them. You can use the output of this to configure the creden‐tials for the AWS CLI; set the AccessKey, SecretAccessKey, and Ses‐sionToken as environment variables; and also assume the role in the AWS Console using the Switch Role feature. When your appli‐cations need to make AWS API calls, the AWS SDK for your pro‐gramming language of choice handles this for them.
Cleanup
Follow the steps in this recipe’s folder in the chapter code repository.