Dylan Shields - AWS Security

When I first joined AWS, I knew almost nothing about security on the platform. I was fortunate to sit and talk with many of the different security teams and get an introduction to everything AWS security. I remember one of the teams I met with early on was the Automated Reasoning Group. They built several security tools based on automated reasoning, but one really stood out to me: Zelkova. At the time, you could give it two IAM policies, and it would tell if they were effectively the same or if one was more permissive (or not comparable). The tool does much more now, and powers features in S3, Config, GuardDuty, and Trusted Advisor. But even back then, it was an incredible tool. The team had many examples of IAM policies that had unexpected behavior that wasnt obvious by just reading them. Then, they showed how you could easily identify the issues with Zelkova.

I remember being so excited after that demo that I talked about it to everyone I knew who used AWS. But instead of excitement, I mostly got questions. And not questions about Zelkova but basic questions about IAM, like Whats a resource policy? IAM, like a lot of security tools on AWS, is necessarily complicated. And for most people, the information on how these services work isnt readily discoverable. Sure, theres documentation on resource policies, but you wouldnt know to look for it if you didnt know that it exists. That was when I first thought about writing this book. I had been given a crash course in AWS security by learning from the people who were building all of these tools and services, and I wanted to find a way to share this information with everyone outside of the company who doesnt have the same access.

AWS and cloud computing in general are growing nonstop, and security is such an important piece of it that I find this topic almost inescapable. Even while working at other companies that dont use AWS for their primary infrastructure, AWS security knowledge has still come in handy. In my current role at Facebook, I review security and privacy concerns for companies we acquire, and almost all of them run on AWS. Its getting harder and harder to find organizations that dont use AWS in some way or another. Part of the growth of the platform is due to how fast AWS pushes out new features and services. Theyre constantly improving and making it easier to build new things. But every new addition makes the platform a little more complex and makes securing it just a little bit harder. I hope the information in this book will help you to navigate that complexity and better secure the applications you run on AWS.

Over the last couple years, Ive learned how hard it is to write a book and that you cant do it without a great deal of support from others. Id like to thank those people who helped me get to this point.

I have to start by thanking you, my wife, Shannon. Thank you for supporting me throughout the whole process and for encouraging me whenever I felt like I couldnt do it.

Thank you, the incredible leaders I worked for in AWS Security, who brought me into the space and helped me get started: Chris Kasprowicz, Eric Schultze, and Andrew Doane. Thank you, Ralph Flora, Yogesh Pandey, Anand Sharma, Sandeep Lagisetty, Craig Pearce, Ely Kahn, and everyone else I worked with at AWS who taught me everything I know about cloud security.

Id also like to thank my editors at Manning: Susan Ethridge, Helen Stergius, and Toni Arritola. Thank you for everything youve taught me about writing. Thank you for wanting to make this a great book and for pushing to make that happen. I couldnt have done this without all of your support. Thanks as well go to John Guthrie, the technical editor. I cant thank you enough for all of your comments. I appreciated you being a sounding board, especially in the early chapters when I was trying to find my footing. Thank you, everyone else at Manning: Deirdre Hiam, my project editor; Christian Berk, my copyeditor; and Katie Tennant, my proofreader.

Thank you, everyone who read the manuscript while it was in progress: Alex Lucas, Amado Gramajo, Antonio Pessolano, Borko Djurkovic, Bryan Miller, Burkhard Nestmann, David Hartley, Enrico Mazzarella, Hilde Van Gysel, Ilya Sakayev, Jeremy Chen, Jrg Discher, Jorge Ezequiel Bo, Kelly E. Hair, Michael Langdon, Peter Singhof, Sanjeev Jaiswal, Sau Fai Fong, Sbastien Portebois, Shawn P. Bolan, Thorsten Weber, Tony Mullen, Tyler Flaagan, Victor Durn, Wendell Beckwith, and Yakov Boglev. Thank you for taking the time to help shape this project. Its a better book for all of your comments. Thank you, the MEAP readers, who posted questions and comments in the forum.