
Chapter 6 — Compute Security

PART III — COMPUTE, CONTAINERS, AND IAC

Base Hardening Requirements

VMHardening:
  OS_Hardening:
    - Remove_unused_packages
    - Disable_unused_services
    - Configure_firewall_rules
    - Implement_fail2ban
    - Secure_ssh_configuration
  SecurityUpdates:
    - Auto_update_security_patches
    - Scheduled_reboot_maintenance
    - Vulnerability_scanning_integration
  Monitoring:
    - File_integrity_monitoring
    - Intrusion_detection_system
    - Security_logging_and_forwarding

Immutable Infrastructure Pattern

ImmutableDeployment:
  Process:
    1. Create_new_VM_image
    2. Run_security_scans
    3. Deploy_to_staging
    4. Run_integration_tests
    5. Deploy_to_production
    6. Terminate_old_instances
  Benefits:
    - No_configuration_drift
    - Easy_rollback
    - Consistent_security_posture
    - Simplified_compliance

SSH Access Controls

SSHAccessControl:
  Authentication:
    - Disable_password_authentication
    - Require_key_based_authentication
    - Implement_MFA_for_privileged_access
  AccessMethods:
    - AWS_SSM_Session_Manager
    - Bastion_hosts_with_MFA
    - Teleport_zero_trust_access
  SessionManagement:
    - Session_recording
    - Time_limit_enforcement
    - Automatic_idle_timeout

IAM Policy Best Practices

{
  "FunctionRole": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "dynamodb:GetItem",
          "dynamodb:PutItem"
        ],
        "Resource": [
          "arn:aws:dynamodb:*:*:table/user-data"
        ],
        "Condition": {
          "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [
              "${cognito-identity.amazonaws.com:sub}"
            ]
          }
        }
      }
    ]
  }
}
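
As an added example (not part of this chapter), a small Python audit that checks a policy document for the properties this section asks for: no wildcard actions or resources, DynamoDB item access scoped by a dynamodb:LeadingKeys condition, and condition values that reference only policy variables IAM actually substitutes (an unknown variable such as ${context.identity.cognitoIdentityId} is compared as a literal string, so the row-level restriction silently never matches). Both policies are constructed samples, and the allowlist of variable prefixes is an assumption kept deliberately short.

```python
import json
import re
# Constructed sample in the section's pattern: DynamoDB item access scoped to the
# caller's Cognito identity through the dynamodb:LeadingKeys condition key.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
        "Resource": ["arn:aws:dynamodb:*:*:table/user-data"],
        "Condition": {"ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}},
    }],
}
# Constructed weak variant: wildcard action and resource, plus a variable IAM does not
# substitute, so the partition key is compared against that literal string instead.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*",
        "Condition": {"StringEquals": {
            "dynamodb:LeadingKeys": "${context.identity.cognitoIdentityId}"}},
    }],
}
# Policy-variable prefixes the audit accepts (assumption: a short allowlist, not IAM's full set).
KNOWN_VARIABLE_PREFIXES = ("aws:", "cognito-identity.amazonaws.com:", "saml:")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    # Returns a list of findings; an empty list means every Allow statement passed.
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements may legitimately use wildcards
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: wildcard action")
        if "*" in resources:
            findings.append(f"statement {idx}: wildcard resource")
        scoped = any("dynamodb:LeadingKeys" in keys for keys in condition.values())
        if any(a.startswith("dynamodb:") for a in actions) and not scoped:
            findings.append(f"statement {idx}: DynamoDB access not scoped by LeadingKeys")
        for var in re.findall(r"\$\{([^}]+)\}", json.dumps(condition)):
            if not var.startswith(KNOWN_VARIABLE_PREFIXES):
                findings.append(f"statement {idx}: unrecognised policy variable ${{{var}}}")
    return findings
```

Run it against a function role before deployment; a non-empty result from audit_policy is a reason to stop the pipeline step that attaches the role.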

Function Security Configuration

ServerlessSecurity:
  RuntimeSecurity:
    - Use_supported_runtimes_only
    - Regular_dependency_updates
    - Vulnerability_scanning_before_deployment
  ExecutionEnvironment:
    - VPC_isolation
    - Resource_based_policies
    - Execution_timeout_limits
    - Memory_allocation_controls
  DataProtection:
    - Environment_variable_encryption
    - Temporary_data_sanitization
    - API_key_rotation
    - Sensitive_data_masking

APIGatewaySecurity:
  Authentication:
    - JWT_authorization
    - API_key_management
    - OAuth_2.0_scopes
  RateLimiting:
    - Per_user_limits
    - Per_API_limits
    - Burst_protection
  Protection:
    - WAF_integration
    - Input_validation
    - CORS_configuration
    - Request_response_transformation