Cloud Native Security Cookbook Summary

Title: Cloud Native Security Cookbook
Author: Josh Armitage
Publication Date: April 2022
Publisher: O’Reilly Media
ISBN: 978-1-098-10630-0

Overview

The “Cloud Native Security Cookbook” by Josh Armitage is a comprehensive guide designed to help organizations secure their cloud environments using practical recipes. It focuses on AWS, Azure, and GCP, providing strategies to enhance cloud security and scale securely. The book is highly recommended for professionals involved in cloud security, offering insights into implementing secure cloud environments using Terraform.

Key Themes

Cloud Security Fundamentals

The cloud has revolutionized IT, altering the fundamentals of building systems.
Security principles remain relevant but need new implementations in cloud contexts.
The book offers practical recipes to address security in cloud-native systems.

Practical Recipes and Trade-offs

Recipes cover AWS, Azure, and GCP, highlighting the necessary trade-offs in security practices.
Each recipe discusses inherent compromises and differences among cloud providers.
The book provides solutions for both horizontal and vertical security challenges within businesses.

Security Implementation

Explains how the cloud can offer superior security compared to on-premises solutions.
Offers guidance on implementing robust and secure existing solutions.
Encourages devising design solutions for new security challenges.

DevSecOps and Lean Development

Focuses on integrating security into DevOps processes, known as DevSecOps.
Emphasizes lean software development practices to enhance security.

Content Structure

Security in the Modern Organization
- Importance of security and its integration within modern organizations.
- Concepts of cloud-native security and DevSecOps.
Setting Up Accounts and Users
- Scalable structures for accounts and users across GCP, AWS, and Azure.
- Techniques for region locking and user centralization.
Getting Security Visibility at Scale
- Building cloud-native security operations centers.
- Centralizing logs and implementing log anomaly alerting.
Protecting Your Data
- Encryption strategies for data at rest and in transit.
- Methods to prevent data loss across different cloud platforms.
Secure Networking
- Networking foundations and enabling external and internal access.
- Controlling network connectivity and providing private application access.
Infrastructure as Code
- Building secure infrastructure defaults and robust deployments.
- Deployment strategies at scale.
Compliance as Code
- Resource labeling and tagging for compliance.
- Detecting, preventing, and remediating noncompliant infrastructure.
Providing Internal Security Services
- Protecting security assets and understanding machine status.
- Patching and data backup strategies.
Enabling Teams
- Project and resource sharing across platforms.
- Application security scanning.
Security in the Future
- Building capability and situational awareness for future security challenges.
Terraform Primer
- Authentication processes for GCP, AWS, and Azure using Terraform.

Author’s Background

Josh Armitage has extensive experience as a consultant for enterprises and startups, focusing on cloud-native technologies and DevSecOps transformations. His expertise spans writing production assembly on mainframes to operating globally distributed machine learning systems.

Conclusion

The “Cloud Native Security Cookbook” is a vital resource for anyone looking to secure cloud environments effectively. It combines theoretical principles with practical applications, making it an essential guide for cloud security professionals.

Summary

Introduction

The text discusses the critical role of security in modern organizations, emphasizing the need for transformation in security practices due to the advent of cloud computing. It highlights the importance of understanding cloud-native security and the shift in security’s role within organizations.

Importance of Security

In the digital-first 21st century, security is paramount as personal information is stored by third parties. Security breaches are common, necessitating robust security measures to protect this valuable data. The complexity of modern systems means that slow, traditional security assessments can be detrimental. Instead, rapid response to vulnerabilities, such as the Log4j incident, is crucial.

Cloud-Native Security

Cloud-native security leverages technology designed for cloud environments, characterized by automation, scalability, and support for modern compute offerings like serverless and containerized workloads. This approach aligns with the cloud’s benefits, such as pay-for-consumption and global scalability, enabling businesses to focus on core competencies rather than infrastructure management.

Security’s Role in Organizations

Traditionally, security acted as a gatekeeper, creating friction with delivery teams. The modern approach involves security as an enabler, collaborating with other teams to embed security competencies without hindering agility. This shift from gatekeeper to enabler is essential for leveraging cloud-native security.

Purpose of Modern Security

Security operates within the domain of risk management. Complete security is unattainable; instead, the goal is to minimize security incidents through commercially reasonable efforts. The tolerance for risk varies among organizations, but with the right principles, security can be integrated without slowing down business processes.

DevSecOps

DevSecOps extends the DevOps philosophy by integrating security into the development and operations process. It emphasizes cultural transformation, rapid deployment, and minimizing risk without hindering performance. Key principles include:

Flow and Systems Thinking: Optimize the whole system rather than individual components.
Amplify Feedback Loops: Shorten feedback loops for rapid correction and improvement.
Culture of Continual Experimentation and Learning: Embrace risk and learn from it to keep pace with technological advancements.

Conclusion

The text underscores the need for a paradigm shift in security practices, driven by cloud computing and DevSecOps principles. By adopting these modern approaches, organizations can achieve robust security while maintaining agility and innovation.

Summary

In the modern software development landscape, the rush for features often leads to technical debt, which can hinder long-term progress. Addressing this requires a focus on psychological safety, where team members feel secure to express ideas and learn from mistakes. Google’s studies highlight psychological safety as crucial for high-performing teams.

DevSecOps is the integration of security into DevOps, aiming to enable business agility securely. It involves cultural shifts, not just tool changes, focusing on minimizing risk through small, manageable changes. Key aspects include:

Size of Change: Smaller changes reduce risk and allow easier identification of issues.
Lead Time: Quick resolution of issues minimizes exposure.
Roll Forward vs. Roll Back: Mature teams should resolve issues with forward fixes rather than reverting changes.

Continuous Integration (CI) and Continuous Delivery (CD) are foundational to DevOps, ensuring code changes are tested and deployable. Security teams should integrate their processes into CI/CD pipelines, enabling changes at scale and embedding security checks like dependency analysis and static code analysis.

Version Control is essential, with systems like GitHub, GitLab, or BitBucket allowing parallel development and integration. Continuous integration involves regular testing against the main code branch, while continuous delivery maintains the code in a deployable state, making release decisions business-driven.

Security Metrics are crucial for understanding impact, including:

Time to Notify and Fix Vulnerabilities: Speed in addressing vulnerabilities is key.
Service Impacts and Attempted Breaches: Measuring service impacts and prevented breaches helps assess security effectiveness.
Compliance Statistics: Tracking configuration compliance aids in maintaining security posture.
Percentage of Changes Rejected: A decrease in rejections indicates improved security awareness.

Security Principles include:

Least Privilege: Limiting access to only what is necessary.
Defense in Depth: Layered security to minimize breach impacts.
Security as Job Zero: Integrating security from the start.
Quality Built In: Security as an integral part of system quality.

Security in modern organizations is an enablement function, supporting core business functions rather than acting as a gatekeeper. The integration of security into all aspects of development and operations ensures robust defenses against increasingly sophisticated cyber threats.

By embedding security into the culture and processes, organizations can achieve agility without compromising security, ensuring better value and safer operations.

Summary

Introduction to DevSecOps

DevSecOps represents a cultural shift in integrating security within delivery teams, emphasizing the importance of smaller, more frequent changes to mitigate risk. It is not about acquiring new tools but fostering a cultural transformation that starts and ends with people. Key metrics to track security maturity include the percentage of compliant infrastructure, issue resolution speed, and the number of potential breaches averted. Foundational security principles like least privilege and defense in depth remain unchanged, but their application has evolved.

Cloud Security Foundation

Establishing a solid cloud foundation is crucial as cloud-native becomes the industry norm. This involves setting up scalable, programmatic approaches to allow rapid team onboarding and innovation, focusing on higher-value activities.

Google Cloud Platform (GCP) Structure

On GCP, organizations should implement a three-tier resource hierarchy with core folders:

Common: Centralized resources like billing, logging, and networking.
Production: Houses production resources with shared VPCs and secrets.
NonProd: Mirrors production for nonproduction resources.
Dev: For development resources.
Bootstrap: Contains CI/CD pipeline projects for resource hierarchy management.

Two organizations are recommended for testing and measuring organizational-level changes.

Strategies for Project Migration

Migrating projects between GCP organizations can be complex. Strategies include using Cloud Asset Inventory to understand project resources, standing up workloads in new projects, or maintaining multiple organizations if merging proves too complex.

AWS Account Structure

AWS cloud estates are built from organizations, organizational units (OUs), and accounts. Recommended OUs include:

Security OU: Centralizes security resources and cross-account access.
Workload OU: Parent of team-specific OUs.
Infrastructure OU: Contains accounts for networking and operations.

Additional OUs like Exceptions, Transitional, and Sandbox can address specific scenarios. Per workload accounts include:

Production: Holds production resources with restricted human access.
Preproduction: Mirrors production without production data.
Development: Allows developers to experiment rapidly.
Shared: Contains shared infrastructure like DNS and repositories.

Conclusion

Both GCP and AWS require structured, scalable setups to manage cloud resources effectively. Proper organization, security integration, and strategic project migration are essential for maintaining a robust cloud infrastructure.

Summary

This document outlines strategies for managing cloud infrastructure across AWS, Azure, and GCP, focusing on scalable account structures, subscription management, and region locking to ensure compliance and operational efficiency.

AWS Account Structures

Types of Accounts:
- Development: Direct access for developers to experiment and iterate quickly.
- Shared: Holds shared infrastructure like DNS and artifact repositories. Changes are managed via CI/CD pipelines.
Organizational Strategies:
- Migrate Accounts/Workloads: Moving workloads is easier if infrastructure is code-based but can be complex due to data transfer and service outages.
- Upgrade/Maintain Organizations: Upgrading aligns features across organizations, while maintaining multiple organizations is not sustainable long-term.
Core Organizational Units:
- Security: For security activities.
- Workloads: For business workloads.
- Infrastructure: For shared infrastructure like Transit Gateway.

Azure Subscription Structures

Hierarchy: Built from management groups, subscriptions, and resource groups.
- Root Management Group: Centralized control point.
- Sandbox: For experimentation, not for production workloads.
- Platform: For shared services, divided into Identity, Management, and Connectivity groups.
- Decommissioned: For retiring subscriptions.
- Landing Zones: Preconfigured areas for specific application architectures.
Per Workload Subscriptions:
- Production: Access is restricted; changes are managed via CI/CD.
- Preproduction: Mirrors production for testing.
- Development: Direct access for rapid iteration.
- Shared: For shared application infrastructure.

GCP Region Locking

Organization Policies: Used to enforce region locking, ensuring resources are deployed only in approved locations, such as Australian regions for data sovereignty.
Location Levels:
- Multiregion: Spans multiple regions, typically for storage.
- Region: Geographically isolated locations.
- Zone: Isolated failure domains within a region.
Value Groups: Google-curated lists for selecting locations, simplifying policy management.

AWS Region Locking

Service Control Policies (SCPs): Used to restrict resource deployment to specific regions, such as Australian regions.
Exemptions: Certain global services or services with regional control plane requirements are exempted.
Policy Management: SCPs apply to organizational units or individual accounts but not to the management account.

Key Considerations

Infrastructure as Code: Essential for efficient migration and management.
Automation: Critical for maintaining consistency between environments.
Flexibility: Necessary to accommodate unique team requirements as cloud adoption grows.
Governance: Policies and controls should be applied at appropriate levels to balance security and agility.

This comprehensive approach ensures robust cloud infrastructure management across different platforms, aligning with organizational goals and compliance requirements.

Summary

AWS Region Locking

Service Control Policies (SCPs): SCPs enable region locking in AWS, automatically inherited across the organization. Start with permissive policies and narrow as needed.
Exceptions and Conditions: Certain resources need exceptions (e.g., us-east-1), and conditions can allow specific users to bypass region locking.
IAM Principals: SCPs do not affect IAM principals from outside the organization unless they assume a role within the account.

Azure Region Locking

Azure Policy: Used for region locking, allowing restrictions to specific regions. Policies are inherited down the organization structure.
Exceptions: Built-in policies have escape hatches for global resources, applied at management group, subscription, and resource group levels.

GCP Centralized User Management

Google Workspaces and Cloud IAM: Centralized user and group management via Google Workspaces, interacting programmatically through service accounts.
Permissions Management: Use groups for permissions to simplify management at scale. Apply permissions as high in the hierarchy as possible, adjusting for specific project needs.

AWS Centralized User Management

Dedicated Account: Centralize IAM users in a single AWS account for management and monitoring.
Role Assumption: Requires bidirectional trust; users must be allowed to call sts:AssumeRole, and the target role must permit it.

Azure Centralized User Management

Azure Active Directory (Azure AD): Central to managing users, devices, and SSO. Ideally, have separate production and testing tenancies.
Group-Based Permissions: Assign permissions through group memberships to manage effectively at scale.

General Recommendations

Least Privilege Principle: Ensure access follows the principle of least privilege for maintainability and security.
Use of Terraform: Familiarize with Terraform for managing infrastructure as code, ensuring consistent and automated deployments.
Centralization: Centralize identity management to streamline operations and enhance security across cloud platforms.

This summary encapsulates key strategies and solutions for managing cloud resources and user access across AWS, Azure, and GCP, emphasizing the importance of policy inheritance, centralized user management, and the principle of least privilege.

Summary

Identity Architecture in Azure AD

Centralized management of identity and access on Azure is recommended through a single Azure AD tenant, with a secondary tenant for testing.
User principal names must be from approved domains, which can be added via the Azure AD console by verifying domain ownership through DNS records.
Initial passwords for new users in Azure AD cannot be auto-generated by Azure AD APIs or Terraform provider, so the Terraform Random Provider is used instead.
Initial passwords are temporary and should be changed upon first login to mitigate security risks.
Authorization is best managed using Azure AD groups for scalability.

Security Visibility at Scale

OODA Loop

The OODA loop (Observe, Orient, Decide, Act) is crucial for rapid response during security incidents. The quicker the cycle, the better the performance against threats.

Building a Cloud Native Security Operations Center (SOC)

Google Cloud Platform (GCP):
- Use Security Command Center (SCC) to manage and understand security posture.
- Enable SCC through the console and set up real-time alerting for threats using Terraform.
- Create a service account for API interactions and set up a notification mechanism using Pub/Sub and Cloud Functions.
- SCC is available in Standard (free) and Premium (paid) editions, offering various security analytics and compliance monitoring.
Amazon Web Services (AWS):
- AWS Security Hub provides a centralized view of security across AWS services and third-party solutions.
- It supports automated reporting against standards like CIS AWS Benchmarks and PCI DSS.
- Use Terraform to set up Security Hub with a delegated admin account.
- Python scripts can enable Security Hub across existing accounts.
Microsoft Azure:
- Azure Sentinel is the native SOC solution, integrating data from Azure, on-premises, and other cloud environments.
- Use Terraform to deploy Sentinel and integrate with Azure Security Center and Microsoft Threat Intelligence.

Key Takeaways

Centralization: Centralized management of identity and security operations is crucial for scalability and efficiency.
Automation and Integration: Use automation tools like Terraform to streamline setup and integration of security solutions.
Proactive Monitoring: Implement real-time alerts and integrate findings into processes to ensure timely responses to security incidents.
Compliance and Standards: Leverage built-in tools and services to maintain compliance with industry standards and enhance security posture.

Summary

This document provides a comprehensive guide on configuring cloud-based security operations and log centralization using Terraform across Azure, GCP, and AWS.

Azure Sentinel Configuration

Azure Sentinel: A managed service providing SOC functionality in the cloud. It requires configuring and enabling data connectors for optimal performance.
Analytics Rules: Five types include Microsoft Security, Fusion, Machine Learning Behavioral Analytics, Anomaly, and Scheduled. These rules help detect incidents by generating alerts with a high signal-to-noise ratio, preventing alert fatigue.
Key Vault Operations: Terraform configuration examples are provided for enabling Key Vault operations and creating Sentinel alert rules for sensitive operations.

Centralizing Logs on GCP

Objective: Centralize audit logs for retrospective analysis and real-time alerting.
Configuration: Use Terraform to set up a logging project. Create necessary files (variables.tf, provider.tf, main.tf) to deploy resources. Logs are stored in BigQuery for immediate querying.
Audit vs. Application Logs: Audit logs capture API activities, while application logs are from workloads. Organization sinks forward audit logs to BigQuery, and project sinks forward logs from specific projects.

Centralizing Logs on AWS

Objective: Centralize audit logs for security incident analysis.
Setup: Run the recipe in the organization root account. Use Terraform to create necessary files and configure CloudTrail for organizational-level logging. Logs are stored in S3 buckets.
Audit Logs: Managed via CloudTrail, capturing all actions against AWS Control Plane. Application logs are managed via CloudWatch.
Extensions: Logs can be written to CloudWatch, trigger SNS notifications, or use Lambda functions for custom actions.

Centralizing Logs on Azure

Objective: Centralize activity logs for tenant-wide security incident analysis.
Configuration: Utilize Log Analytics workspaces and Diagnostic Settings to define log destinations. Activity logs capture control plane interactions, while resource logs come from running services.
Log Types: Include Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, and ResourceHealth.
Resource Logs: For application logs, infrastructure must be deployed into each subscription. Log Analytics workspaces are used for streaming logs to a central location.

Each section emphasizes the importance of maintaining a high signal-to-noise ratio, ensuring that alerts are relevant and actionable to prevent alert fatigue. The document provides detailed Terraform configurations for each cloud provider, enabling centralized logging and improved security visibility at scale.

Summary

This document provides detailed instructions for setting up centralized logging and anomaly detection across different cloud platforms using Terraform. It focuses on Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS), outlining the necessary configurations and resources for each.

Azure Centralized Logging

Provider Configuration: Two Azure Resource Manager (azurerm) providers are configured for separate subscriptions (delivery and central).
Resource Setup:
- Resource Groups: Two resource groups are created for centralized application logs and delivery.
- Log Analytics Workspace: Set up in the central resource group for log storage and querying.
- App Service: A containerized app service is deployed in the delivery resource group, configured to forward logs to the Log Analytics workspace.
Log Forwarding: Diagnostic settings are configured to forward logs to the centralized workspace, allowing dynamic gathering of log categories.

GCP Log Anomaly Alerting

Provider Configuration: Google provider is set up with project and region variables.
Resource Setup:
- Network and Subnetwork: A network and subnetwork are configured with logging enabled.
- IAM Audit Config: Audit logs for admin read, data read, and data write are enabled.
- DNS and Firewall Logging: DNS policies and firewall rules are configured to log activities.
Event Threat Detection: Integrated with Security Command Center Premium to analyze logs for anomalies.

AWS Log Anomaly Alerting

Provider Configuration: AWS provider is set up with a delegated admin account for cross-account role assumption.
Resource Setup:
- GuardDuty: Configured for threat detection, analyzing CloudTrail events, VPC flow logs, and more.
- Organization Level: GuardDuty is enabled at the organizational level to automatically enroll new accounts.
Python Script: A script is provided to enable GuardDuty for existing accounts.

Azure Log Anomaly Alerting

Provider Configuration: Azurerm provider is set up for security center deployment.
Resource Setup:
- Log Analytics Workspace: Configured for security data collection.
- Security Center: Policies and remediation tasks are set up to ensure compliance and enable Azure Defender.
Azure Defender: Automatically analyzes various Azure resource types for threats.

Infrastructure Registry on GCP

Provider Configuration: Google provider is set up with project and region variables.
Resource Setup:
- Cloud Asset Inventory: Configured to track and manage resources like networks and routers.
- Pub/Sub Integration: Changes are published to a Pub/Sub topic for monitoring.

These configurations enable robust log management and threat detection across cloud environments, leveraging Terraform for infrastructure as code. The document emphasizes automation and scalability, ensuring security and compliance across multiple cloud platforms.

Summary

This text provides a comprehensive guide on building infrastructure registries across Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure, focusing on security visibility and data protection.

GCP Infrastructure Registry

Pub/Sub Topic Creation: A Pub/Sub topic is configured to trigger notifications for network resource changes, enhancing security posture by allowing a “trust but verify” model. This enables teams to make necessary changes while allowing security reviews.
Cloud Asset Inventory Feeds: These feeds can be configured at organizational, project, and folder levels, allowing selective notifications based on environment and resource type.
Filtering Conditions: Terraform is used to apply conditions to feeds, filtering for specific events like resource creation, improving the signal-to-noise ratio.

AWS Infrastructure Registry

AWS Config Setup: A delegated administrator account is established for AWS Config, creating an organization-level aggregator to centralize data from all accounts.
Terraform Configuration: The setup involves creating variables and provider configurations, including cross-account roles and bucket policies for data storage.
Resource Inventory and Compliance: AWS Config helps manage compliance and resource inventories at scale. Delivery channels are deployed to every account for centralized data collection.
SNS and S3 Integration: An SNS topic is used for notifications, and an S3 bucket for storing configuration data, enabling queries and triggering workflows.

Azure Infrastructure Registry

Azure Monitor Workbook: A workbook is deployed to dynamically query resources, using Azure Resource Graph for sophisticated queries about resources across the tenant.
ARM Templates: Terraform deploys ARM templates to manage resources not directly supported by Terraform, such as Azure Monitor workbooks.
Centralized Observability: Azure Monitor provides centralized observability, with capabilities like Application Insights, VM Insights, and custom reporting through workbooks.

Data Protection Overview

Envelope Encryption: Describes the process of encrypting keys with other keys (DEKs and KEKs) to secure data. This method is used by major cloud providers to enhance data security.
Data States: Discusses handling data in two states: at rest and in transit, emphasizing encryption as a fundamental strategy for data protection.

This guide emphasizes using Terraform for infrastructure management across cloud platforms, focusing on security visibility and data protection through strategic configuration and resource management.

Summary

Encrypting Data at Rest on GCP

To securely host data on Google Cloud Platform (GCP), encrypting data at rest across various storage options is crucial. This process involves using Cloud Key Management Service (KMS) for managing encryption keys. Key steps include:

Setup with Terraform:
- Define variables for project ID and region.
- Initialize Terraform with the necessary providers (google and google-beta).
Resource Configuration:
- Cloud Compute Disk: Create a service account and assign encryption roles. Configure the disk with encryption keys.
- Cloud SQL Database: Set up a VPC network and configure the database to use a KMS key for encryption.
- Cloud Storage Bucket: Apply encryption settings using a KMS key.
Best Practices:
- Use multiple keys for different resources to enhance security and limit breach impact.
- Assign appropriate permissions to service accounts to leverage encryption keys.

Encrypting Data at Rest on AWS

AWS Key Management Service (KMS) is central to encrypting data at rest on AWS. The process involves creating and managing customer-managed keys (CMKs) to control access and usage explicitly:

Setup with Terraform:
- Define roles and subnet IDs.
- Initialize Terraform with the AWS provider.
Resource Configuration:
- EBS Volumes: Enable encryption by default and use CMKs for new volumes.
- RDS Databases: Encrypt databases by creating snapshots and restoring them with encryption.
- S3 Buckets: Enforce encryption with CMKs using bucket policies.
Policy Management:
- Define IAM policies to control key usage by administrators, users, and AWS services.
- Use grants for temporary permissions for AWS services.

Encrypting Data at Rest on Azure

Azure encryption involves using Azure Key Vault for managing keys and ensuring data at rest is secure:

Setup with Terraform:
- Define location and storage account name variables.
- Initialize Terraform with the Azure provider.
Resource Configuration:
- Create a Key Vault and configure it for disk encryption.
- Set up resource groups and apply encryption settings to storage accounts.
Key Management:
- Use Key Vault to manage encryption keys and control access.
- Enable features like soft delete and purge protection for added security.

General Recommendations

Always use distinct keys for different resources to maintain the principle of least privilege.
Regularly review and update IAM policies to ensure only necessary permissions are granted.
Leverage Terraform for consistent and repeatable infrastructure deployments, ensuring encryption is applied uniformly across environments.

Summary

This text provides a detailed guide on how to manage encryption on various cloud platforms (Azure, GCP, AWS) using Terraform and Python scripts. The focus is on creating, managing, and applying encryption keys, including customer-managed keys (CMKs) and customer-supplied encryption keys (CSEKs).

Azure Encryption

Key Vault Setup:
- Create RSA keys in Azure Key Vault with specific permissions for encryption and decryption.
- Define access policies for different resources to control key usage.
Resource Encryption:
- Managed Disks: Use azurerm_disk_encryption_set with a system-assigned identity.
- PostgreSQL Database: Configure with identity and threat detection.
- Storage Account: Set up with customer-managed keys and access policies.
IAM and Policies:
- Implement access control using distinct identities for key management.
- Use Azure Policy to enforce compliance and detect non-use of CMKs.
Python Scripts:
- Demonstrate generating encryption keys and uploading files to Azure Storage using customer-provided keys.

GCP Encryption

Setup:
- Use Terraform to create storage buckets and manage resources.
- Python scripts for generating keys and uploading/downloading files.
Encryption Options:
- Use Cloud KMS, Cloud HSM, or Cloud EKM for managing keys.
- CSEKs are used for specific compliance needs, but come with higher management overhead.

AWS Encryption

S3 Bucket Encryption:
- Create S3 buckets and manage objects using customer-supplied keys.
- Python scripts for key generation and object management.
Key Management:
- Emphasize the burden of managing customer-supplied keys and recommend AWS KMS for most use cases.
- Use IAM policies to enforce encryption standards.

Key Takeaways

Encryption Management: Across Azure, GCP, and AWS, encryption requires careful management of keys, with options for both cloud-managed and customer-supplied keys.
Access Control: Implementing strict IAM policies and using managed identities help control access to encryption keys.
Compliance and Security: Use cloud-native tools like Azure Policy and IAM policies to ensure compliance and secure data at rest.
Python Integration: Python scripts facilitate the automation of key generation and data encryption processes.

The guide stresses the importance of understanding the responsibilities and complexities involved in managing encryption keys, especially when opting for customer-supplied options. It advises leveraging cloud-native solutions where possible to reduce management overhead and enhance security.

Summary

This document outlines various strategies for encrypting data in transit across Azure, GCP, and AWS, emphasizing the importance of encryption and data protection.

Azure Encryption

Customer-Supplied Keys: Azure allows the use of customer-supplied keys for encrypting data at rest, primarily for storage. This approach requires significant responsibility for key management and should only be used when necessary.
Azure Policies: Azure Security Center offers recommendations for encrypting data in transit, such as enforcing HTTPS and SSL connections. Automated remediation can help but may conflict with infrastructure-as-code practices. Training and secure patterns are crucial for ensuring comprehensive encryption.

GCP Encryption

In-Transit Data Encryption: Terraform scripts can configure GCP to use Cloud Asset Inventory and BigQuery for monitoring resource configurations. This setup helps identify unencrypted traffic and allows for scheduled queries to alert on noncompliance.
Data Loss Prevention (DLP): GCP’s DLP service can scan storage buckets for sensitive data. This service integrates into various architectures, but caution is advised due to potential costs.

AWS Encryption

Managed Config Rules: AWS provides Config rules to detect unencrypted traffic, such as HTTP connections on load balancers or unsecured S3 buckets. These rules create a feedback loop for identifying noncompliant infrastructure.
VPC Flow Logs: Analyzing VPC flow logs can also detect unencrypted traffic, though it requires additional tools or development efforts.

General Recommendations

Training and Awareness: Teams should be educated on the importance and methods of encryption. Threat modeling and secure infrastructure patterns are essential.
Cloud Native Services: Migrating to cloud-native services can simplify encryption management and enhance security.
Automation and Monitoring: Automated tools and scheduled tasks can help maintain compliance, but they must be balanced with infrastructure-as-code practices to avoid discrepancies.

Overall, the document emphasizes a proactive approach to encryption, combining automated tools with human oversight and training to ensure data security across cloud platforms.

Summary

This document outlines strategies for preventing data loss across Google Cloud Platform (GCP), Amazon Web Services (AWS), and Azure, focusing on data governance and security measures.

Google Cloud Platform (GCP)

Data Loss Prevention (DLP) Service: GCP’s DLP service is essential for managing sensitive data at scale. It can automatically scan storage locations like BigQuery, Datastore, and Cloud Storage to classify data and report findings.
Cost Management: To manage costs, focus scans on risky areas, use sampling, and scan only modified data.
Features: DLP offers pseudonymization and redaction to reduce data risk while maintaining utility.

Amazon Web Services (AWS)

Amazon Macie: Macie helps identify sensitive data stored in S3 buckets across an organization. It evaluates bucket configurations for public access, encryption enforcement, and sharing settings.
Data Classification: Macie uses managed data identifiers for automatic classification and allows custom identifiers for unique organizational needs.
Findings Management: Issues are raised as findings with severity ratings, and can be integrated into AWS Security Hub and EventBridge for workflow automation.

Azure

Azure Purview: A centralized data governance service that classifies data using default rules. It supports data governance across multicloud and hybrid environments.
Data Access: Managed identity access is required for Purview to scan resources. Role assignments help manage permissions efficiently.
Scalability and Integration: Azure Purview supports integration with external data sources like SAP HANA, on-premise SQL servers, Amazon S3, and Google BigQuery.

Key Takeaways

Data Governance: Understanding and classifying data is crucial for security and compliance across cloud platforms.
Automation and Integration: Automated scanning and integration with existing security tools enhance data protection strategies.
Cost and Performance: Efficient scanning and data classification help manage costs and maintain system performance.
Cross-Platform Support: Tools like Azure Purview provide seamless data governance across different cloud services, offering a unified approach to data management.

These strategies collectively ensure robust data protection and governance, aligning with best practices in cloud security management.

Summary

This document outlines secure networking practices for deploying workloads on Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure using Terraform. Here’s a concise overview of each platform’s networking strategies:

Google Cloud Platform (GCP)

VPC and Firewall Rules: GCP uses Virtual Private Clouds (VPCs) that span globally, with region-specific subnets. Firewall rules are essential to control access, with options for targeting all instances, specific tags, or service accounts. Service accounts are recommended for determining connectivity to enhance security.
Zero-Trust Networking: Emphasis is placed on zero-trust principles, prioritizing identity-based access over network-based access. This approach supports scalable and secure networking.
Firewall Configuration: Examples include creating firewall rules for specific service accounts to control access to resources like databases, using default PostgreSQL ports for communication.

Amazon Web Services (AWS)

VPC Structure: AWS VPCs are region-locked but can span multiple availability zones. Security groups are the primary control for traffic, being stateful and defaulting to deny unless explicitly allowed.
Three-Tier Architecture: The setup includes public, private, and internal subnets:
- Public Subnets: Allow internet ingress, suitable for load balancers and NAT gateways.
- Private Subnets: Facilitate internal communications without public internet exposure.
- Internal Subnets: Restrict access to internal resources, enhancing security.
Network ACLs: Stateless rules that define traffic flow between subnets, preventing misconfigurations in security groups.
Route Tables: Custom route tables manage external routing, ensuring controlled access through internet and NAT gateways.

Microsoft Azure

VNet Configuration: Azure’s Virtual Networks (VNets) use a three-tier architecture routing traffic through an Azure Firewall, with optional DDoS protection.
Subnets and Security: Subnets are categorized into public, private, and internal, each with specific security group associations to control access.
Firewall and DDoS: Azure Firewall and DDoS protection can be enabled for enhanced security, though they incur significant costs.
Terraform Setup: The document provides Terraform configurations for setting up VNets, subnets, NAT gateways, and security groups across all platforms, emphasizing a defense-in-depth strategy.

Overall, the document stresses the importance of structured and secure network configurations across cloud platforms, leveraging Terraform for automation and consistency. Key principles include minimizing default access, using identity-based security, and employing layered defenses to safeguard resources.

Secure Networking and External Access on Cloud Platforms

Azure Networking and Security

When creating a network security group in Azure, default rules allow VNet and load balancer traffic for ingress, and VNet and internet traffic for egress, denying everything else. A specific rule can be added to allow all traffic to a public subnet, while private and internal subnets block public traffic. For internal subnets, internet-bound traffic is routed to a black hole, whereas public and private subnets route through a firewall. The firewall, by default, blocks all outbound traffic.

Azure Policy network compliance checks include enabling Network Watcher, routing internet traffic via Azure Firewall, and enabling Azure DDoS Protection Standard. Network Watcher is a monitoring service that captures flow logs and assists in diagnosing connectivity issues. It should be deployed independently on a per-region, per-subscription basis. Terraform can be used to create Network Watcher and a Log Analytics workspace for collecting flow logs.

Key Azure Concepts:

Virtual Networks (VNets): Base networking construct in Azure.
Subnets: VNets can be divided into subnets with individual network security groups and route tables.
Azure Firewall: Routes all internet-bound traffic.
Network Watcher: Used for monitoring and debugging VNet connectivity.

Google Cloud Platform (GCP) Networking

For secure access to machines within a VPC, GCP uses SSH and Identity-Aware Proxy (IAP). IAP allows engineers to manage machine access via IAM, eliminating the need to manage keys. Terraform can deploy a Compute Engine instance that is accessible only through IAP.

Key GCP Concepts:

IAP for SSH/RDP: Uses IAM for authentication, enhancing security and efficiency.
Tunneling: Allows secure connections to private resources within VPCs.

AWS Networking

AWS Systems Manager allows private access to EC2 instances without direct internet access. VPC endpoints enable private instances to communicate with AWS APIs. Terraform can deploy an EC2 instance with the necessary configurations for Systems Manager access.

Key AWS Concepts:

AWS Systems Manager: Facilitates SSH access to instances.
VPC Endpoints: Enable API access through private networking.
Session Manager: Used for tunneling to internal resources.

Azure Bastion Host

Azure Bastion enables SSH and RDP access directly through the Azure Portal, providing secure access to VMs without exposing them to the public internet. Terraform can deploy an Azure Bastion host along with a Linux VM for testing.

Key Azure Bastion Concepts:

Bastion Host: Provides secure access to VMs via the Azure Portal.
Application Security Groups: Allow identity-based connectivity for resources.

Summary

Cloud platforms offer various methods to secure network access and manage connectivity. Azure, GCP, and AWS each provide unique tools and configurations to ensure secure and efficient network operations, leveraging services like Network Watcher, IAP, and Systems Manager. Understanding and implementing these tools is crucial for maintaining a secure and compliant cloud environment.

Summary

Azure Networking with Azure Bastion

Azure Bastion provides a fully managed bastion host service for secure SSH access without exposing virtual machines (VMs) directly to the internet. It operates agentlessly, with authentication managed via IAM and host OS methods like LDAP or SSH keys. Azure Key Vault allows secure storage of SSH keys, enhancing security and operational efficiency.

GCP Networking with Shared VPCs

To facilitate communication across GCP projects and on-premises resources, a Shared VPC architecture is used. This setup includes a central hub VPC containing the VPN endpoint for on-premises connectivity. Key considerations include:

Shared VPCs: Separate environments (production, non-production, development) should each have a Shared VPC, peered to a hub VPC for centralized resource sharing.
Firewall Management: Centralized in the host project, requiring efficient lifecycle management to avoid security risks.
VPC Service Controls: Enable fine-grained perimeter controls to prevent data exfiltration and manage multitenant services.
VPN and Interconnect Options: Use VPNs for cost-effective on-premises connectivity, with options for Dedicated or Partner Interconnects for higher bandwidth needs.

AWS Networking with Transit Gateway

AWS Transit Gateway acts as a central networking hub, enabling connectivity between VPCs across accounts and on-premises resources. This approach offers:

Centralized Traffic Management: Transit Gateway routes traffic between VPCs and on-premises, allowing for centralized security controls.
Resource Access Manager (RAM): Facilitates sharing of resources across accounts.
VPN and Direct Connect: VPNs are easy to configure but limited in bandwidth, while Direct Connect offers higher performance at a premium cost.

Azure Networking with Hub-and-Spoke Topology

For Azure, a hub-and-spoke network topology is implemented, using ExpressRoute for on-premises connectivity. This setup supports traffic between different Azure subscriptions and on-premises resources, ensuring scalable and secure networking.

Overall, the deployment of these network architectures across Azure, GCP, and AWS provides scalable, secure, and efficient connectivity solutions tailored to the unique requirements of each platform and organizational needs.

Summary

This document provides a detailed guide on configuring secure networking infrastructure using Terraform on Azure, GCP, and AWS, highlighting key components and configurations.

Azure Virtual Hub Configuration

Variables and Provider Setup:
- Define variables hub_subscription_id and hub_cidr for the Hub Network.
- Configure azurerm provider with a hub alias.
Resource Creation:
- Create a resource group, virtual WAN, virtual hub, and connections using azurerm resources.
- Set up an ExpressRoute gateway and a firewall within the virtual hub.
Routing and Security:
- Implement custom route tables for isolated and shared virtual networks.
- Discuss the importance of transitive routing for east-west traffic and securing sensitive workloads.
ExpressRoute vs. VPN:
- ExpressRoute offers low-latency, high bandwidth at a higher cost, while VPNs are more cost-effective.

GCP External Connectivity

Architecture Overview:
- Deploy an NGINX container exposed over HTTPS using a load balancer.
- Utilize a public DNS zone for SSL certificate provisioning.
Resource Configuration:
- Define variables for application deployment region, zone, and DNS records.
- Set up Google Cloud resources such as DNS records, SSL certificates, and load balancing rules.
Security and Optimization:
- Leverage Google Cloud Armor for DDoS protection and web application firewall capabilities.
- Discuss the use of Cloud Storage for hosting static sites and routing through a load balancer for HTTPS.

AWS External Connectivity

Architecture Overview:
- Deploy an NGINX container over HTTPS using an application load balancer.
- Use Route53 for domain management and SSL certificate provisioning.
Resource Configuration:
- Create ECS clusters, services, and task definitions for container management.
- Set up security groups, load balancers, and WAF for enhanced security.
Load Balancer Options:
- Discuss alternatives like Network Load Balancers, CloudFront, API Gateway, and AppSync for service exposure.
Security Measures:
- Implement AWS WAF to protect against common web vulnerabilities and manage traffic.

This guide emphasizes the importance of a structured approach to cloud networking, focusing on scalability, security, and cost-effectiveness across different cloud platforms. It highlights the use of Terraform for infrastructure as code, enabling efficient resource management and deployment.

Summary

Web Application Firewall (WAF): WAF enables rule-based control over HTTP/HTTPS traffic to protect applications from web threats like SQL injection and cross-site scripting. It allows filtering based on IP, country, and request characteristics. Rule groups can be managed by AWS, sourced from the AWS marketplace, or custom-created.

Network Load Balancer (NLB): NLB is suitable for handling non-HTTP traffic and maintaining encryption to application servers. It operates at Layer 4, unlike Application Load Balancers (ALBs) which function at Layer 7 for HTTP/HTTPS traffic. Terraform configurations can set up NLBs for TLS offloading.

Static Sites on AWS: Hosting static sites on AWS S3 buckets is more secure and cost-effective when using CloudFront and WAF. CloudFront uses an origin access identity for secure access to S3 files, ensuring public exposure is controlled through explicit access policies.

Azure Front Door: Azure Front Door offers global HTTP load balancing and built-in WAF services, focusing on OWASP top 10 threat vectors. It allows custom rule creation and uses IP and header filtering to prevent circumvention. For non-HTTP traffic, Azure Traffic Manager and Load Balancers are recommended.

Private Application Access on GCP: Service attachments in GCP enable private access to applications within the organization. Traffic remains within GCP’s private network, but encryption in transit is advised. Service attachments are not suitable for peered connections or directly over VPNs, requiring alternative deployment strategies for centralized access.

Private Application Access on AWS: AWS PrivateLink facilitates internal application access across AWS accounts without internet exposure. It involves deploying an architecture where applications can be securely accessed within the AWS ecosystem.

Key Takeaways:

WAF and load balancers (NLB, ALB) enhance security and traffic management.
CloudFront and S3 provide secure static site hosting on AWS.
Azure Front Door and Traffic Manager manage global load balancing and security.
GCP service attachments ensure private application access within the organization.
AWS PrivateLink allows secure, internal application connectivity across AWS accounts.

Summary

This text provides a detailed guide on setting up private application access using AWS and Azure, focusing on secure networking and infrastructure as code (IAC) practices.

AWS Private Application Access

Terraform Configuration:
- Define variables for consumer account ID and cross-account role in variables.tf and terraform.tfvars.
- Create nginx.tf with resources for AWS VPC endpoint service, network load balancer, ECS cluster, and task definitions.
- Use security groups to manage ingress and egress rules, ensuring the application is accessible over private networking.
TLS and Security:
- Highlight the use of insecure protocols for simplicity but suggest using TLS for encryption.
- Configure AWS Private Certificate Authority for secure communications, noting the cost implications.
Cost and Network Management:
- Emphasize using centralized configurations with Transit Gateway to reduce costs.
- Discuss the flexibility of VPC endpoints in avoiding CIDR overlap issues compared to peering.
Summary:
- VPC endpoints facilitate private application deployment.
- Secure by default configurations help maintain security across AWS services.

Azure Private Application Access

Terraform Configuration:
- Set up variables for service CIDR and create service.tf with resources for Azure resource groups, virtual networks, subnets, and load balancers.
- Implement Azure Private Link services to expose applications securely within the Azure environment.
Network Security:
- Use network security rules to control inbound and outbound traffic through private endpoints.
- Enable cross-region and cross-subscription service access with Private Link.
Benefits:
- Protect against data leakage by deploying services in isolated network environments.
- Simplify network security and access management with centralized provisioning.
Summary:
- Azure private endpoints allow secure deployment of services over private networking.
- Service links enable cross-subscription access, enhancing security and connectivity.

Infrastructure as Code (IAC)

Terraform for Secure Defaults:
- Create a Terraform module for a Google Cloud Platform (GCP) Compute Engine instance with encrypted disks.
- Use Terraform to automate and standardize infrastructure deployment, ensuring secure configurations by default.
Module Development:
- Highlight the importance of encapsulating complexity in Terraform modules to reduce cognitive load on delivery teams.
- Caution against excessive flexibility in modules to avoid breaking changes and maintain secure defaults.
Iterative Improvement:
- Focus on current requirements and iteratively add features to modules as business needs evolve.
- Ensure secure defaults remain intact as modules are updated and expanded.

This comprehensive guide emphasizes the use of Terraform and IAC to maintain secure, scalable, and cost-effective cloud infrastructure across AWS and Azure environments.

Summary

This document outlines the use of Terraform for building secure infrastructure defaults across major cloud platforms: Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. It emphasizes the importance of using modules to encapsulate complexity and enforce security best practices.

GCP Infrastructure

Module Sources: Terraform modules can be sourced from Cloud Storage buckets or Git repositories, allowing for flexibility in deployment.
Private Catalog: Offers a console-driven option for deploying prepackaged solutions, suitable for teams preferring a simplified experience.
Security: Modules help enforce standard security practices, reducing cognitive load and improving security posture.

AWS Infrastructure

Secure Patterns: Provides security-approved infrastructure patterns by creating a Terraform module that deploys a Compute Engine instance with encrypted disks.
Module Hosting: Modules can be shared via S3 buckets or Git repositories. AWS Service Catalog supports CloudFormation, not Terraform.
Complexity and Trust: Modules should abstract complexity without overwhelming users with options, maintaining trust and usability.

Azure Infrastructure

Encryption by Default: Deploys a virtual machine with encrypted disks using Terraform modules, ensuring default security controls.
Module Sharing: Modules can be shared using Git repositories. Azure Managed Applications do not support Terraform, but HashiCorp offers alternatives.
Abstraction: Well-written modules reduce cognitive load by handling complex configurations internally.

Functions as a Service on GCP

Deployment: Use Terraform to deploy code that runs daily, with email alerts for failures.
Configuration: Variables like project, region, function name, and email address are defined for resource deployment.
Logging and Error Reporting: Utilizes Google Cloud’s logging and error reporting for monitoring function execution.

Key Takeaways

Modules: Essential for embedding best practices and security at scale across cloud platforms.
Sharing and Distribution: Git repositories are a common method for sharing modules, with specific cloud solutions offering additional capabilities.
Security Posture: Properly designed modules enhance the overall security posture by ensuring best practices are consistently applied.

This summary highlights the strategic use of Terraform for secure infrastructure deployment, focusing on modularity, ease of use, and effective distribution across cloud environments.

Summary

This document outlines the deployment of serverless functions using Infrastructure as Code (IaC) across Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure, leveraging Terraform for automation. The focus is on setting up and managing functions, ensuring operability through logging, monitoring, and alerting, and integrating with event-driven architectures.

Google Cloud Platform (GCP)

Cloud Functions: GCP’s Cloud Functions allow running code triggered by events, providing a low total-cost-of-ownership. Functions are deployed with specific permissions for logging and error dispatching.
Monitoring and Alerts: Functions are observed via monitoring alert policies that send email notifications when errors are detected.
Eventarc: Offers a unified event-driven approach, producing events from GCP services and third-party vendors. However, it currently interoperates only with Cloud Run, which requires container knowledge.

Amazon Web Services (AWS)

AWS Lambda: Provides a fully serverless environment for running code, triggered by various events. AWS EventBridge is used for event-driven architecture, allowing functions to extend AWS services.
Logging and Alerts: CloudWatch captures logs and errors, with alerts configured to notify via email on failures.
Container Support: Lambda supports running containers, offering flexibility but introducing a learning curve for container management.

Microsoft Azure

Azure Functions: Offers a cost-effective way to run code, triggered by events or on a schedule. The setup includes Application Insights for comprehensive monitoring.
Event Grid: Enables triggering functions from a wide range of Azure events, facilitating automation and integration with other services.
Monitoring: Configures alerts for exceptions, ensuring operational awareness and automatic email notifications on failures.

Deployment and CI/CD

Terraform: Used across all platforms for IaC, ensuring consistent and repeatable deployments.
CI/CD Integration: On GCP, Cloud Build is used for continuous integration and deployment, with triggers set for different branches in a source repository.
Version Control: Source code is managed in repositories, with configurations for automated deployments based on branch updates.

Key Takeaways

Operability: Ensure functions are operable with logging, monitoring, and alerting enabled by default.
Event-Driven Architecture: Utilize event-driven services like Eventarc (GCP), EventBridge (AWS), and Event Grid (Azure) for triggering functions.
Managed Services: Functions as a Service (FaaS) provide a managed environment, reducing the overhead of server management and allowing focus on code functionality.
Scalability and Flexibility: These serverless solutions offer scalability and flexibility, with support for multiple programming languages and integration with cloud-native services.

This approach allows for efficient deployment and management of serverless functions, supporting robust and scalable cloud architectures.

Summary

This text discusses the implementation of Continuous Integration (CI) and Continuous Deployment (CD) using Terraform on three major cloud platforms: Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure.

Key Concepts

Terraform and State Management:
- Terraform is used for infrastructure as code, requiring secure management of state files, which contain sensitive information.
- State files should be stored in cloud storage with versioning enabled to recover from failures.
CI/CD on Google Cloud Platform:
- CloudBuild: A managed platform for CI/CD tasks, allowing container-based operations on code.
- Cloud Source Repositories: Managed version control on GCP, though GitHub is recommended for better version control features.
- Integration with Terraform requires uploading state to a Cloud Storage bucket.
- CI checks include Terraform formatting, Python tests, and security scans with tools like Checkov.
CI/CD on Amazon Web Services:
- CodeBuild: AWS’s managed build platform, which integrates with CodeCommit for version control.
- Terraform state is stored in S3 buckets with versioning for security and recovery.
- CI/CD pipelines enforce security standards, reducing the need for users to have high-level permissions.
- Automation tools like Checkov can be integrated to prevent deployment of noncompliant infrastructure.
CI/CD on Microsoft Azure:
- Uses Azure DevOps for CI/CD with Terraform.
- Requires a preexisting Azure DevOps organization and a personal access token.
- Terraform state is stored in Azure Storage Accounts with versioning enabled.
- PRs (Pull Requests) trigger CI jobs to ensure changes are tested before merging.
- Tools like Checkov can be embedded to enhance security and compliance.

Best Practices

Security and Version Control: Ensure state files are secure and version-controlled to prevent data loss and unauthorized access.
CI/CD as a Change Mechanism: Use CI/CD pipelines to enforce security and compliance standards before changes are applied.
Tool Integration: Incorporate tools like Checkov into pipelines to automate compliance checks and enhance security posture.

Conclusion

By leveraging CI/CD pipelines across cloud platforms, organizations can standardize processes, enforce security, and improve infrastructure management. This approach minimizes risk and maximizes efficiency by automating the deployment and management of cloud resources.

Summary

This text explores the implementation of CI/CD practices and Infrastructure as Code (IaC) using Azure DevOps, Google Cloud Platform (GCP), and AWS, focusing on security, automation, and compliance.

CI/CD and Infrastructure as Code

Azure DevOps: Offers CI/CD capabilities, allowing code storage in Git repositories and automated deployment, which facilitates embedding security tools into workflows. This reduces the need for highly privileged access by implementing the principle of least privilege.
State Management: Critical for maintaining system integrity, states should be stored securely as they contain sensitive information.

Deployment at Scale

GCP

Objective: Deploy baseline resources across projects using Terraform.
Setup: Utilize a variables.tf file for configuration and a main.tf file to define resources and APIs.
Execution: Use the setproduct function to create project and API pairs for deployment across multiple projects. The google_projects data provider filters projects based on specific criteria, simplifying the deployment process.

AWS

Objective: Deploy resources across multiple accounts.
Setup: Requires boto3 for account management. Define variables.tf and provider.tf files, and use Python scripts for account iteration.
Execution: Python scripts create Terraform workspaces for each account, ensuring sandboxed environments. This approach is useful for tasks like configuring AWS Config recorders across accounts.

Azure

Objective: Deploy resources across subscriptions.
Setup: Requires azure-mgmt-resource and azure-identity. Define necessary Terraform files and use Python scripts to iterate over subscriptions.
Execution: Terraform workspaces are used to maintain distinct states for each subscription. This method is effective for organization-wide deployments, like configuring Azure Security Center.

Compliance as Code

Challenges: Compliance in cloud environments requires detecting, preventing, and remediating noncompliant infrastructure.
Approach: Continuous monitoring and automated compliance checks replace traditional auditing methods, enabling faster resolution of compliance gaps.
Resource Labeling: Assigning metadata to resources (e.g., cost center, data classification) is crucial for compliance and cost management. In GCP, labels and security marks facilitate resource management and compliance tracking.

By integrating these practices, organizations can enhance security, streamline operations, and maintain compliance in cloud environments.

Summary

This document provides guidance on tagging resources across Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure for compliance, security, and cost management purposes.

GCP Tagging and Marks

Marks and Tags: Marks are metadata controlled by the security team, more stable than labels, and ideal for static resources like databases. Network tags control network flows for Compute Engine VMs, while resource tags apply to organizations, folders, and projects, used for conditional access policies.
Implementation: Use gcloud commands, the SCC web console, or programming languages like Python to manage marks. For resource tags, Terraform can instantiate policies using service account credentials.

AWS Tagging

Purpose: Tags help in cost allocation and data classification. AWS supports tags like Environment, Owner, and Data Classification.
Implementation: Use Terraform’s default_tags to apply tags automatically. Tag policies enforce standardization, and resource groups help manage and update tags.
Enforcement: AWS supports Attribute Based Access Control (ABAC) and tag policies to ensure compliance. Terraform can help configure these policies for EC2 instances and other resources.

Azure Tagging

Purpose: Similar to AWS, Azure uses tags for cost attribution and data classification.
Implementation: Use Terraform to set tags in a centralized location and apply them to resources. Azure Policy supports tagging compliance and enforcement.
Enforcement: Azure Policy can enforce tag inheritance from resource groups and prevent resource creation without required tags.

Compliance Monitoring on GCP

Objective: Detect noncompliant infrastructure using Cloud Asset Organization Feed and Cloud Functions to notify via Slack.
Implementation: Use Terraform to set up service accounts and permissions, enabling monitoring and notifications for noncompliance.

Key Takeaways

Tags and Marks: Essential for resource management, cost tracking, and compliance across cloud platforms.
Automation: Terraform and cloud-native tools streamline tagging and policy enforcement.
Compliance: Policies and automation help maintain high levels of compliance and security across cloud environments.

Summary

This document outlines the implementation of compliance as code across Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure, focusing on detecting and preventing noncompliant infrastructure.

Google Cloud Platform (GCP)

Asset Monitoring: A google_cloud_asset_organization_feed is set up to monitor network changes, notifying users when networks are created or updated with automatic subnets. This is achieved using Google Pub/Sub and Cloud Functions to send notifications to Slack channels.
Cloud Functions: A Python function is deployed in GCP to handle asset changes, using Google Cloud Secret Manager to manage secrets securely. The function checks for noncompliant resources and sends alerts to a specified Slack channel.
Compliance Detection: The architecture captures compliance when changes occur but does not retroactively check for existing noncompliance. It emphasizes using industry-standard benchmarks for compliance.

Amazon Web Services (AWS)

AWS Config: The setup involves deploying AWS Config rules across accounts to enforce compliance. Organization-managed rules and configuration aggregators are used to centralize compliance data.
Custom Rules: Custom compliance rules can be created and integrated with AWS Config, allowing for tailored compliance checks.
EventBridge: AWS EventBridge is used to centralize compliance notifications, capturing compliance change events and forwarding them to a designated account for monitoring.

Microsoft Azure

Azure Policy: Azure Event Grid and Azure Functions are used to notify users of compliance changes. Azure Policy provides an aggregated view of compliance across the tenant.
Custom Policies: Custom Azure Policies can be created to enforce specific compliance requirements, treated as first-class citizens within Azure Policy.
Event Notifications: Azure Functions are triggered by Event Grid to send compliance notifications, allowing real-time monitoring of compliance state changes.

Key Points

GCP: Utilizes Cloud Asset feeds and Cloud Functions for real-time compliance notifications. Focuses on network changes and automatic subnet configurations.
AWS: Deploys AWS Config rules and uses EventBridge for centralized compliance monitoring. Custom rules enhance flexibility in compliance checks.
Azure: Leverages Azure Policy and Event Grid for real-time compliance tracking. Supports custom policy creation for specific compliance needs.

These solutions enable organizations to automate compliance monitoring and notifications, providing a robust framework for managing infrastructure compliance across cloud platforms.

This text provides detailed guidance on preventing noncompliant infrastructure across Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure using various tools and policies.

GCP Compliance

Organization Policies:
Organization policies in GCP allow enforcement of compliance at the organization, folder, and project levels. These policies are robust and cannot be bypassed through identity and access management (IAM). They provide a consistent enforcement mechanism whether changes are made via the console or automation.

Checkov for GCP:
Checkov is an open-source tool that checks Terraform resource definitions for compliance. It identifies noncompliant configurations and provides guides to resolve issues. For example, a simple Cloud Storage bucket definition can be checked and fixed to ensure access logging and uniform bucket-level access are enabled.

AWS Compliance

Service Control Policies (SCPs):
SCPs restrict access within AWS accounts by enforcing compliance guardrails. They are applied outside the account boundary, making them difficult to circumvent. SCPs can include exceptions for privileged roles and are limited by what IAM policies can express. A common use case is preventing the deletion of VPC flow logs, which are crucial for forensic analysis.

Checkov for AWS:
Checkov can also be used with AWS to identify noncompliant infrastructure. It provides documentation to help resolve issues such as ensuring S3 buckets are encrypted and have access logging enabled.

Azure Compliance

Azure Policy:
Azure Policy can enforce compliance by defining custom policies with various effects, such as deny, audit, or modify. Policies can prevent the creation of noncompliant resources, like G-series virtual machines. The deny effect is used to stop noncompliant requests, although it may not support self-service fixes effectively.

Checkov for Azure:
Checkov checks Azure Terraform definitions for compliance, offering guides for resolving issues such as ensuring storage accounts use customer-managed keys for encryption.

Infrastructure as Code

Across all platforms, infrastructure as code (IaC) is emphasized as the primary method for managing cloud resources. IaC enables the use of tools like Checkov to preemptively identify and rectify compliance issues before deployment. This approach supports a shift-left security strategy, integrating compliance checks early in the development pipeline.

Summary

Organization Policies (GCP): Enforce compliance at multiple levels and are robust against circumvention.
Service Control Policies (AWS): Restrict access and enforce compliance, with exceptions for privileged roles.
Azure Policy: Custom policies enforce compliance, though self-service fixes can be challenging.
Checkov: A versatile tool for pre-deployment compliance checks across GCP, AWS, and Azure.
Infrastructure as Code: Essential for leveraging cloud capabilities and maintaining a compliant environment.

By integrating these tools and practices, organizations can effectively manage and enforce cloud compliance across different platforms.

Summary

This text outlines strategies for remediating noncompliant infrastructure on Google Cloud Platform (GCP), Amazon Web Services (AWS), and Azure, emphasizing automation, infrastructure as code, and compliance.

GCP Remediation

Infrastructure Setup: Uses Terraform to create a Google Cloud Function for remediating noncompliant storage buckets.
Automation: The function checks if public access is allowed and enforces prevention if necessary.
Considerations: Automated remediation can cause infrastructure drift, conflicting with infrastructure as code principles. It is effective for low-risk changes but may prevent users from learning proper configurations.

AWS Remediation

Infrastructure Setup: Involves AWS Config to automatically close public S3 buckets using a Python script and Terraform.
Automation: AWS Config rules trigger remediation actions for noncompliant resources.
Considerations: Automated actions can cause drift from code-defined infrastructure. Tools like Checkov are recommended for compliance enforcement. Automated remediation is crucial for high-risk issues like public S3 buckets.

Azure Remediation

Infrastructure Setup: Utilizes Azure Event Grid and Functions to automatically remediate noncompliant resources.
Automation: Azure Policy is leveraged for remediation tasks, but lacks built-in automation for execution, necessitating custom solutions.
Considerations: Automated remediation can undermine infrastructure as code by causing drift. Prevention is preferable to remediation.

General Insights

Automation vs. Infrastructure as Code: Automated remediation can conflict with infrastructure as code by causing infrastructure drift.
Learning and Compliance: Automated remediation may prevent users from learning proper configurations. It’s critical for high-risk issues but should be balanced with education.
Prevention is Key: Emphasizes the importance of preventing noncompliant infrastructure rather than relying solely on remediation.

Overall, while automated remediation provides a powerful tool for maintaining compliance, it must be carefully integrated with infrastructure as code practices to prevent drift and ensure that users understand how to configure resources correctly. Prevention remains the most effective strategy for maintaining compliance and security.

Summary of Security Asset Protection Across Cloud Providers

Google Cloud Platform (GCP)

Problem

Prevent users from escalating their permissions within a project.

Solution

Utilize Terraform to manage IAM roles and permissions. Create specific Terraform files (variables.tf, provider.tf, main.tf) to define roles and conditions. Implement IAM conditions to limit privilege escalation by allowing users to grant only specific roles, such as computeAdmin, preventing them from assigning more privileges than they possess.

Discussion

Assign roles using conditions to prevent privilege escalation.
Use groups to manage permissions, allowing a user to manage group membership instead of directly assigning roles.
Control service account permissions to prevent unauthorized access and lateral movement.
Enforce organization policy constraints to disable service account key creation and upload unless necessary.
Use Google Cloud Recommender for insights into IAM configuration, identifying excessive permissions and redundant service accounts.

Amazon Web Services (AWS)

Problem

Restrict a principal from escalating privileges by creating another principal with higher permissions.

Solution

Implement permission boundaries with Terraform to ensure roles and policies do not exceed initial permissions. Define a permissions_boundary policy to restrict access to cost and billing services and enforce permission boundaries on new roles and users.

Discussion

Use permission boundaries to prevent privilege escalation while allowing role creation.
SCPs (Service Control Policies) can restrict access to specific APIs, allowing exemptions for certain roles.
SCPs and permission boundaries together determine effective permissions.

Microsoft Azure

Problem

Prevent a principal from elevating their privilege on a given resource.

Solution

Use Terraform to manage Azure resources and roles. Implement a custom Azure Policy to prevent users from modifying their own permissions, thus blocking privilege escalation.

Discussion

Permissions are applied directly to resources and inherited from management groups to resources.
Utilize Azure Policy to prevent escalation to Owner level.
Azure PIM (Privileged Identity Management) provides just-in-time, auditable access to privileged roles, though not manageable via Terraform.

Key Insights Across Platforms

GCP: Use IAM conditions and groups to manage permissions, control service accounts, and leverage Google Cloud Recommender for insights.
AWS: Employ permission boundaries and SCPs to manage and restrict permissions, preventing privilege escalation.
Azure: Apply permissions directly to resources, use Azure Policy to block privilege escalation, and leverage Azure PIM for controlled access.

These strategies ensure robust security asset protection across different cloud environments by preventing unauthorized privilege escalation and managing access effectively.

Summary

Google Cloud Platform (GCP)

GCP’s VM Manager offers inventory, configuration, and patch management for virtual machines. Using Terraform, you can configure services like containerscanning.googleapis.com and osconfig.googleapis.com to manage VM inventories and configurations. A simple VM can be deployed using Terraform, and with the OS Config agent preinstalled, it will appear in inventory listings. GCP allows you to enforce package installations through OS policies, which are defined in YAML files and applied on a zone-by-zone basis.

Amazon Web Services (AWS)

AWS Systems Manager (SSM) manages EC2 instances at scale. It requires the SSM agent, an instance profile with permissions, and API access. Terraform can deploy EC2 instances with these configurations. SSM provides inventory data and allows package installations across instances using document associations like AWS-GatherSoftwareInventory and AWS-ConfigureAWSPackage. Compliance is tracked and can be queried using AWS CLI commands.

Microsoft Azure

Azure Automation manages fleets of VMs, supporting Windows and Linux, on-premises or in other clouds. VMs need extensions to report data to Log Analytics. Desired State Configuration (DSC) scripts manage package installations and compliance. Terraform can set up Linux VMs with DSC configurations. For Linux, Open Management Infrastructure (OMI) and DSC packages must be installed; for Windows, they are preinstalled.

Patching at Scale on GCP

GCP’s VM Manager offers a managed patching service. You can create patching plans targeting specific OS types using labels. The service supports multiple Linux distributions and Windows Server. Patching schedules can be customized, and pre- and post-patch scripts can be executed. VM Manager also provides vulnerability reports for known CVEs on machines.

Key Points

GCP: VM Manager supports inventory, configuration, and patch management. OS policies enforce package installations.
AWS: SSM manages EC2 instances. It requires an SSM agent, instance profile, and API access. Inventory and package management are automated.
Azure: Automation manages VM fleets. DSC scripts manage package installations. Extensions are needed for Log Analytics reporting.
Patching: GCP’s VM Manager offers managed patching with customizable schedules and vulnerability reporting.

These cloud services provide comprehensive solutions for managing virtual machines, ensuring they are configured correctly, have necessary packages installed, and are up-to-date with security patches.

Patching and Data Backup at Scale on AWS, Azure, and GCP

AWS Patching and Backup

Patching

AWS Patch Manager: Manages patching of AWS instances, configurable for scheduled and on-demand patching.
Configuration: Uses Terraform to set up maintenance windows and tasks for patching.
Patch Groups: Instances tagged with a “Patch Group” get patched according to predefined or custom baselines.
Custom Baselines: Allows for specific configurations, such as a custom Ubuntu baseline for production environments.
Lifecycle Hooks: Enable pre- and post-patching tasks, with options on reboot settings.

Backup

AWS Backup: Automates backup processes using Terraform, creating vaults and plans for resource backup.
Scheduling: Uses cron expressions for scheduling backups, with lifecycle rules for data retention.
Continuous Backups: Supports point-in-time recovery but has retention limitations.
Application Consistency: For Windows, VSS-based recovery ensures application-consistent backups.

Azure Patching

Azure Automation: Manages patching schedules and on-demand updates for virtual machines.
Terraform Configuration: Uses variables for tagging, timezone, and update timing.
Targeting: Machines can be selected for updates based on tags or explicitly listed.
Runbooks: Pre- and post-patch tasks are automated using Azure Automation runbooks.

GCP Backup

Snapshot Scheduling: Regular disk snapshots are managed using Terraform.
Policy Attachment: Policies must be explicitly attached to disks for scheduled backups.
Application Consistency: Ensured through guest_flush settings, with specific scripts for Linux and VSS for Windows.
Regional Resilience: Configured through storage location settings, ensuring data availability across regions.
Monitoring: Logging metrics and alert policies are set up for backup failure notifications.

General Insights

Service-Specific Approaches: Each cloud provider has unique mechanisms and configurations for patching and backup.
Automation and Monitoring: Essential for scaling operations and ensuring reliability.
Custom Baselines and Policies: Allow for tailored configurations to meet specific organizational needs.
Lifecycle Management: Critical for cost management and data retention strategies.

Summary

AWS Backup and Centralized Vault Setup

AWS Backup: Provides a managed backup service for various resource types.
Centralized Vault: Use Terraform to set up a centralized vault for an organization. Configure backup policies at the organization level to manage backup plans centrally.
Backup Policy: Create a daily backup policy using Terraform, which applies to the entire organization. This includes setting up lifecycle events to archive and delete redundant backups.

Data Backup on Azure

Azure Backup: Offers secure resource backups using recovery services for virtual machines and file shares, and data protection services for other resources.
Terraform Configuration: Set up variables, provider, and main configuration files to deploy resources. Define a backup policy for virtual machines and apply it to ensure daily backups with a 14-day retention period.
Azure Policy: Use built-in policies to report on backup status and apply default backup policies to resources.

AWS IAM Policies: Use conditions to selectively allow access to resources, enabling account sharing while maintaining security boundaries. Implement Attribute Based Access Control (ABAC) to manage access dynamically based on resource properties.
GCP Project Sharing: Use IAM policies with conditions to allow access based on resource properties like names. This ensures that teams can work within the same project securely.
Azure Resource Group Sharing: Migrate resources between resource groups to establish new security boundaries. Use Terraform to configure and manage these migrations.

Key Takeaways

Centralized Management: Both AWS and Azure offer ways to centralize backup management, ensuring consistent application of policies across resources.
Security and Access Control: Implementing IAM policies with ABAC in AWS and using conditions in GCP allows for secure sharing of resources within the same account or project.
Terraform Usage: Across platforms, Terraform is used to automate and manage infrastructure, ensuring replicable and consistent configurations.
Resource Migration: On Azure, migrating resources between groups can establish new security boundaries, essential for teams that need to split and maintain data security.

This summary highlights the use of Terraform to manage backup services and resource sharing across AWS, Azure, and GCP, focusing on security and centralized management.

Summary

This document provides a comprehensive guide on managing resources and performing security scans using Terraform across Azure, GCP, and AWS. Here’s a summary of the key points:

Azure Resource Management

Terraform Commands: Use terraform import to re-import resources after moving them between resource groups. Update configurations to match new settings.
Resource Movement: Differentiate between stateless and stateful resources. Stateless resources are easier to recreate, while stateful ones may require migration.
ABAC on Azure: Currently limited to storage blobs. It’s advisable to recreate stateless resources using Infrastructure as Code (IAC) and handle stateful components case-by-case.

GCP Application Security Scanning

Web Security Scanner: GCP offers managed and custom scans. Managed scans run weekly and only perform GET requests, while custom scans are more invasive and should initially be run on non-production systems.
Scan Configuration: Scans can authenticate using Google or non-Google accounts. For applications protected by IAP, grant the Web Security Scanner service account appropriate roles.
Traffic Management: Scans can originate from known IP ranges for better traffic management.

AWS Application Security Scanning

OWASP ZAP with CodeBuild: AWS lacks a managed scanning tool, but CodeBuild can run the OWASP ZAP container for security testing.
Report Preservation: Store scan reports in S3 by configuring CodeBuild to upload results.

Azure Application Security Scanning

OWASP ZAP with Azure Container Instances: Azure doesn’t provide a managed tool, so use Azure Container Instances for running OWASP ZAP.
Report Storage: Mount an Azure storage account to preserve scan reports. Integrate scanning into CI/CD pipelines to prevent vulnerable applications from reaching production.

Security Strategy

Cloud Native Tooling: Embrace cloud services for security to benefit from rapid innovation and reduced total cost of ownership (TCO).
Team Capacity: Protect team capacity by adopting low-TCO solutions, allowing teams to manage workload efficiently and adapt to new security challenges.
Infinite Game of Security: Security is an ongoing process. Focus on preventing breaches, enabling secure business operations, and maintaining team well-being.

Future Security Considerations

Zero Trust Models: Shift from network-based to identity-based access control, reducing reliance on trusted corporate intranets and enhancing security posture.

This guide emphasizes using Terraform for resource management and highlights the importance of integrating security scans into development workflows across cloud platforms.

Summary

Zero Trust and Supply Chain Security

Google’s transition to a zero trust model is detailed in the “Migrating to BeyondCorp” whitepaper, emphasizing productivity and security. The SolarWinds breach highlighted the need for secure software supply chains, leading to Google’s Supply Chain Levels for Software Artifacts (SLSA) framework. While zero trust and supply chain security are vital, they may not be the most pressing issues for every organization. It’s crucial to maintain a low total cost of ownership (TCO) and be ready to explore emerging domains.

Building Capability

To ensure effective security functions, organizations need a plan for building capabilities, focusing on knowledge, skills, and operational capability. Knowledge involves understanding security concepts, skills require hands-on experience, and operational capabilities involve solving real problems like threat response. Game days and simulations are essential for building these capabilities safely. Training should focus on operational capabilities, supported by necessary knowledge and skills.

Building Situational Awareness

Wardley Mapping helps teams understand the current landscape and plan future actions. It involves mapping technologies and capabilities to identify misalignments and opportunities. This process encourages conversations and common understanding, enabling better decision-making. Mapping can reveal when to adopt market-standard solutions, reducing complexity and maintenance.

Cloud Native Security

Cloud native security combines traditional security practices with cloud-specific tools and automation. It offers visibility into security posture and compliance, leveraging automation to improve over time. Organizations should evaluate tools and processes based on their total cost of ownership. As new services and approaches emerge, mindful training and mapping will help make informed choices.

Terraform Primer

Terraform, by HashiCorp, is an open-source infrastructure-as-code (IaC) tool for multicloud environments. It uses a declarative language to describe infrastructure, simplifying deployment. Key steps include defining variables, installing providers, generating a plan, and applying changes. Authentication varies by cloud provider: GCP uses gcloud, AWS uses CLI tools, and Azure uses az login. Terraform supports commands like terraform fmt, validate, and destroy for workflow management.

Conclusion

Cloud native security requires balancing cost and efficiency while preparing for future changes. By integrating modern tools and processes, organizations can focus on higher-level concerns and deliver greater value. The chapter encourages using Wardley Mapping and mindful training to adapt to evolving security needs.

Summary of Cloud Native Security

Cloud Native Security focuses on enhancing security through cloud-native practices across AWS, Azure, and GCP. The book emphasizes key security principles such as defense in depth, least privilege access, and zero-trust models.

Key Security Principles

Defense in Depth: Layered security measures to protect data and resources.
Least Privilege Access: Restricting access rights for users to the bare minimum.
Zero Trust Models: No implicit trust; verification is required for all access.

Encryption Practices

Data at Rest: Encryption methods for AWS, Azure, and GCP to secure stored data.
In-Transit Encryption: Protects data as it moves across networks.
Use of Own Keys: Options for customers to manage their encryption keys.

Deployment and Infrastructure

Infrastructure as Code (IaC): Automates deployment, ensuring consistency and security.
Robust Deployment: Strategies for deploying at scale on AWS, Azure, and GCP.
Version Control: Importance of managing changes through systems like GitHub and GitLab.

Networking and Access

External Network Access: Securing access to resources on AWS, Azure, and GCP.
Virtual Private Clouds (VPCs): Creating isolated network environments.
Identity and Access Management (IAM): Managing user permissions and access controls.

Security Operations

Security Operations Centers (SOCs): Monitoring and responding to security incidents.
Log Management: Centralizing and analyzing logs for anomaly detection.
Security Incident and Event Management (SIEM): Tools for comprehensive security monitoring.

Compliance and Governance

Compliance as Code: Automating compliance checks and infrastructure labeling.
Preventing Noncompliance: Strategies to detect and remediate infrastructure issues.
Service Control Policies (SCPs): Enforcing governance rules across cloud environments.

Future Security Trends

Supply Chain Security: Addressing vulnerabilities in software supply chains.
Zero Trust and Cloud Native Tools: Emphasizing security through modern cloud practices.
Building Situational Awareness: Enhancing capabilities to respond to emerging threats.

Conclusion

The book provides a comprehensive guide to securing cloud environments by leveraging automation, consistent practices, and modern tools. It underscores the importance of integrating security into every aspect of cloud deployment and management, ensuring both compliance and robust protection against threats.

About the Author: Josh Armitage, a technologist and speaker, shares insights from his experience with cloud technologies and digital transformations, advocating for IT as a business differentiator.

This summary captures the essence of cloud-native security practices, focusing on encryption, deployment, networking, operations, compliance, and future trends.

🪴 Frclba Garden

Explorer

cloudnativesecuritycookbook_summary

Cloud Native Security Cookbook Summary

Overview

Key Themes

Cloud Security Fundamentals

Practical Recipes and Trade-offs

Security Implementation

DevSecOps and Lean Development

Content Structure

Author’s Background

Conclusion

Summary

Introduction

Importance of Security

Cloud-Native Security

Security’s Role in Organizations

Purpose of Modern Security

DevSecOps

Conclusion

Summary

Summary

Introduction to DevSecOps

Cloud Security Foundation

Google Cloud Platform (GCP) Structure

Strategies for Project Migration

AWS Account Structure

Conclusion

Summary

AWS Account Structures

Azure Subscription Structures

GCP Region Locking

AWS Region Locking

Key Considerations

Summary

AWS Region Locking

Azure Region Locking

GCP Centralized User Management

AWS Centralized User Management

Azure Centralized User Management

General Recommendations

Summary

Identity Architecture in Azure AD

Security Visibility at Scale

OODA Loop

Building a Cloud Native Security Operations Center (SOC)

Key Takeaways

Summary

Azure Sentinel Configuration

Centralizing Logs on GCP

Centralizing Logs on AWS

Centralizing Logs on Azure

Summary

Azure Centralized Logging

GCP Log Anomaly Alerting

AWS Log Anomaly Alerting

Azure Log Anomaly Alerting

Infrastructure Registry on GCP

Summary

GCP Infrastructure Registry

AWS Infrastructure Registry

Azure Infrastructure Registry

Data Protection Overview

Summary

Encrypting Data at Rest on GCP

Encrypting Data at Rest on AWS

Encrypting Data at Rest on Azure

General Recommendations

Summary

Azure Encryption

GCP Encryption

AWS Encryption

Key Takeaways

Summary

Azure Encryption

GCP Encryption

AWS Encryption

General Recommendations

Summary