AWS re:Inforce 2024 re:Cap

Even if you are not working a lot with AWS, you are most likely to be aware of our annual conference called AWS re:Invent, that is happening each November in Las Vegas.

That event is a whole week technical learning experience associated with announcing new services and updates to the existing ones. There is so much happening - that AWS and the AWS community all around the world organises re:Invent re:Caps - which is an event format focused on extracting the most important takeaways and announcements from the latest iteration of re:Invent. However, at the same time it's not the only one major event done by AWS!

Taking into account peculiar approach to security at AWS, every single June (starting from 2019), AWS doesn't just unveil its latest products and services, but delves into the critical realm of cybersecurity, data protection, and compliance. Such event is called AWS re:Inforce, it took place last week - and even that usually it is not so rich in announcements like the mentioned re:Invent, there are many takeaways and great learning materials - so it's definitely worth recapping!

As stated above, AWS re:Inforce is our annual, immersive, cloud-security learning event delivering hands-on training and collaboration with AWS experts. It’s your opportunity to learn about the latest AWS security innovations, get direct access to the AWS teams and partners who build the security tools you rely on, and connect with cloud security peers from around the world. And thanks to that, you’ll leave with actionable next steps to raise your security posture.

As every big event, AWS re:Inforce is no different and it starts with a keynote. And I can personally recommend this year's opening session!

It was delivered by Chris Betz, AWS CISO and joined by Ash Edmondson, AVP of Security Architecture and Engineering at Eli Lilly, and Steve Schmidt, Amazon CSO. Throughout the keynote Chris covered a significant number of updates and announcements, but the talk was a refreshing reminder about importance of security on all levels - from the foundation to the innovation. Even that things in the cloud move fast and change is constant, customers inherit a world-class security team by standing on shoulders of AWS, who is making the internet a safer place.

Everything started with a reminder about importance of security culture, that AWS and Amazon cultivate internally as well. It is deeply ingrained, and definitely not built overnight. Can you recall how many companies have a weekly meetings with CEO and leadership team on the most recent security issues? AWS is one of those very rare examples that implements that. Another great example of embedding the culture is Security Guardians program. They are members in various teams as security is everyone's job! Last, but not least, it is very important to take care about the escalation processes - as it affects feeling of ownership by the teams and specific metrics e.g., mean time to resolution (MTTR) across the company.

For AWS is important to secure by design and reinvent on all levels. That's why we start from hardware - with such great examples as AWS Graviton (e.g., pointer authentication, branch target identification, eliminating SMT to isolate cores, etc.), AWS Nitro (again, isolation - also on the data level from AWS operators), AWS Nitro Enclaves - through all software layers (adding the above to operating systems like Amazon Linux 2023), and using memory and type-safe languages programming languages - like Rust (it is the fastest growing language at AWS, many teams either rewrote or are rewriting critical components into that language).

One of the biggest themes this year was automated reasoning, that is prevalent across AWS infrastructure and software development approaches inside.

Why is it so popular? As you can imagine, testing is greatly important, but it's limited by the inputs. Automated reasoning is bar raising those assumptions by exploring the whole space, even infinite way - by systematic and exhaustive search of rigorous proofs. For such critical pieces of infrastructure like cryptographic protocols, authorization logic, and in general - correctness verification of those (also for distributed systems) - it is an approach definitely worth investing.

A great example of application is the seamless switch of an engine for AWS Identity and Access Management (IAM). Yes, you read it right - a switch of an internal engine, that does permission evaluation, a cloud backbone that does 1 bilion calls per second worldwide! The development of the new version was based on the automated reasoning. Team prepared a model that matched old behaviour, new implementation - and tooling allowed for verifying if we did not introduce any bad behaviours and potential new issues.

Personally, I loved the fact that Open Source, Rust and Cedar were explicitly mentioned in the keynote. They are directly referring to the previous theme, as they are foundation for one of the layers of the provable security stack.

In addition to that, Rust was highlighted not only as a secure building block for the open source tools that you can use, but also as a transformative programming language used for internal services - like Amazon S3 ShardStore implementation.

Another big theme is obviously zero trust, but in practical approach. New announcements are supporting pragmatic application to achieve zero trust architectures in your organisations.

Last, but not least - one of the biggest themes this year is not surprisingly generative AI. It is important, both from perspective of securing new types of workloads (as stated above - even that security fundamentals are evergreen, evolution is inevitable as new types of workloads bring new attack surfaces to the table) and how those novel applications and technology is impacting how we work with security (e.g., by enriching our tools).

Obviously, like in case of AWS re:Invent - a big part of the conference are announcements. It's not different this year, and everything started even before the conference - in a period that is called pre-re:Inforce.

I have selected my list of top 3 announcements, and it had to start with this feature: Amazon GuardDuty Malware Protection for Amazon S3. This is one of the most requested features across many years. It detects malicious file uploads to selected S3 buckets. Previously, GuardDuty Malware Protection provided agentless scanning capabilities to identify malicious files on Amazon EBS volumes attached to Amazon EC2 and container workloads. Now, you can continuously evaluate new objects uploaded to S3 buckets for malware and take action to isolate or eliminate any malware found there.

Next one for me is Amazon Verified Permissions expanded support for securing Amazon API Gateway APIs, with fine grained access controls when using an Open ID connect (OIDC) compliant identity provider. The feature expands an existing Getting Started wizard experience for connecting Verified Permissions with API Gateway and an identity provider, and defining permissions based on user groups. The purpose of the experience is to automatically generates an authorization model and Cedar policies that allow only authorized user groups access to application’s APIs. This wizard deploys a Lambda authorizer that calls Verified Permissions to validate that the API request has a valid OIDC token and is authorized. Additionally, the lambda authorizer caches authorization decisions to reduce latency and cost.

Last, but not least - I would like to mention updates to AWS IAM Access Analyzer, as now it has new custom policy checks (powered by automated reasoning), that help you to detect policies that grant access to specific, critical AWS resources, or that grant any type of public access. Both of the checks are designed to be used ahead of deployment, possibly as part of your CI/CD pipeline, and will help you proactively detect updates that do not conform to your organization’s security practices and policies, and also guided revocation, which now gives you guidance that you can share with your developers so that they can revoke permissions that grant access that is not actually needed. This includes unused roles, roles with unused permissions, unused access keys for IAM users, and unused passwords for IAM users.

If you are looking for more detailed blog posts for specific announcements, you can find them on the official AWS News Blog under AWS re:Inforce category.

First, things first - videos from all sessions are already available on the official AWS Events YouTube channel, so subscribe to not miss the future events.

Here you can find a complete playlist of all AWS re:Inforce 2024 sessions (including the keynote).

At this point, the YouTube playlist linked above has exactly 150 videos - which is a nice pile of shame for content hoarders like me, so instead of leaving you with this ocean of great knowledge, below you can find my top 4 sessions that I think are worth watching. That list, with the addition of the main keynote, presents my five favourite sessions from this year (so far, because generative AI did not help me to watch and summarize all of that great material ... yet 😅).

Amazing session with a practical explanation of automated reasoning and provable security stack (yes, it is a term - check this video) by Dr. Neha Rungta. It is a pure joy for everyone interested in either how to design your systems in a better (by using proofs and automated reasoning), how are designed such critically important systems like AWS IAM, and what is provable security stack.

It's not a surprise, that I will recommend a session about how customers like StrongDM and Simply Business are leveraging Cedar and Amazon Verified Permissions in practice. If you are looking for a way to externalise your authorization rules or you are evaluating Cedar and/or Amazon Verified Permissions, this may be a really good session to watch.

Another session really close to my heart - because it's about open source and about security. Last years showed us how critically important is to take care about software supply chain security, also in the context of open source tools. If you share this sentiment - it's a must watch!

It shouldn't be surprising, that author who praised for this many paragraphs the benefits of automated reasoning, will recommend you session how you can improve your designs and verify code using automated reasoning. It is a truly 400 level session, but definitely worth exploring (especially, if you are a computer science nerd like me 😉).

Also, if you have your other favourite sessions worth recommending - put down the links and titles in the comments below, as I am also looking for other thoughts what to watch next.

I have to admit that I really enjoyed this year re:Inforce from a perspective of a remote participant. Security was always important for AWS and Amazon, but every year it is especially visible during and right after AWS re:Inforce. It is a great learning experience, where compliance and security experts, cloud enthusiasts, and computer science nerds can find something for themselves.

If you share this sentiment, and you would like to host the AWS re:Inforce 2024 re:Cap event for your local AWS User Group, please leave your interest in this form - and we will be more than happy to support you, also by providing official materials and/or speakers.

Last, but not least, if you liked this article and/or you found it useful - please leave a like, comment down below, and share it in your social media feeds to reach out more cloud security enthusiasts!