#Security
#DevSecOps
#AWS
#Docker
#Python
#Git
#Kubectl
#Kubernetes
#DevOps
DevOps engineers, developers, and security engineers have ever-changing roles to play in today's cloud native world. In order to build secure and resilient applications, you have to be equipped with security knowledge. Enter security as code.
In this book, authors BK Sarthak Das and Virginia Chu demonstrate how to use this methodology to secure any application and infrastructure you want to deploy. With Security as Code, you'll learn how to create a secure containerized application with Kubernetes using CI/CD tooling from AWS and open source providers.
This practical book also provides common patterns and methods to securely develop infrastructure for resilient and highly available backups that you can restore with just minimal manual intervention.
DevSecOps is a relatively new field, and few books are available to guide those who want to learn more about it. We decided to write this book to help fill that gap by showing you how and where to get started on DevSecOps in AWS.
This book is not an enterprise-grade solution kit for copying and pasting into production (and since every project and organization has different needs, we sincerely hope you would never do that!). Instead, it’s designed to introduce you to the building blocks of the DevSecOps mindset, and to guide you along the way with practical examples. We use popular open source tools where possible, to show you that it’s not always necessary to buy expensive products to do security the right way.
We use a fictitious company called Automatoonz to illustrate some of the real-world issues you’re likely to face in your DevSecOps journey. As we discuss a problem, the Automatoonz team works on it too, giving you a sense of how real teams approach solving the problem at hand. Although the scenarios are fictionalized, these examples come from our extensive personal experience, and we think they’ll resonate with you. The solutions we provide in this book are intended as guidance on the art of the possible.
Who Is This Book For?
This book is for AWS security engineers, DevOps engineers, security analysts, security engineering managers, and other practitioners and leaders at intermediate and senior levels who want to automate more of their security. We recommend that readers have some practical AWS development knowledge and familiarity with Git before starting this book: ideally, enough to do basic coding and debugging within AWS. In Chapter 2, for example, we use CloudFormation, Python, and Kubernetes to demonstrate Infrastructure as Code. You should also be comfortable navigating Git repositories.
What Do You Need To Get Started?
In practical terms, aside from intermediate knowledge of AWS, to follow the exercises in this book you will need an AWS account where you can deploy. You will also need to install the following, if you do not already have them:
Chapter 2 has a detailed walkthrough of setting up all these tools. You will also need access to the book’s GitHub repository, which includes code samples and other supplemental materials.
What’s in This Book?
We’ve tried to ensure that the seven chapters in this book are as independent as possible from one another, so that you can pick it up at any point. However, we recommend that you start from the beginning.
Chapter 1 will introduce you to what DevSecOps is, why it is important, and what kind of mindset you’ll need to get started.
Chapter 2 helps you install the software you’ll need for the rest of the book, then walks you through a sample application built with secure configurations to ensure you have your toolkit working.
In Chapter 3, you’ll learn how to validate Infrastructure as Code to make your resources secure.
Chapter 4 looks at how to set up appropriate logging and monitoring to identify and debug issues with your infrastructure.
In Chapter 5, you’ll learn about controlling access through automation, including assessing your organization’s identity and access management (IAM) policies and refining them according to the principle of least privilege.
Chapter 6 is all about testing: we’ll introduce you to the practice of Chaos Engineering, show you how to use it to make your infrastructure more resilient, and discuss how to focus on possible points of failure.
Finally, in Chapter 7, we wrap up with a look at the roles and processes that should be part of any DevSecOps team.
About the Authors
BK is a security engineer at Google. He was previously a senior security architect at AWS and has helped multiple Fortune 500 customers secure their cloud environments. BK started his career as a full-stack web developer and grew into the security domain, which led him to earn his master's degree from the University of Washington (Seattle) with a focus on cybersecurity. BK has published multiple AWS tech blogs and regularly builds solutions that can be adopted by AWS users.
Virginia is a principal DevSecOps engineer at AWS. She works with enterprise-scale customers around the globe to design and implement a variety of solutions in the cloud. Virginia started as a Linux system administrator and developer, wearing many hats. She's self-taught, so in her spare time she's digging deep and trying to learn everything she doesn't already know. Virginia has published AWS tech blogs and provides modern solutions to the cloud community.