Can't miss Security Sessions at re:Invent 2022

The sessions, chalk talks and workshops our resident Cloud Security Architect, Chris Farris, is excited about for re:Invent this year.

Chris Farris
5 min. read - Oct 09, 2022
Session registration for re:Invent 2022 opens in a few days, and Luc van Donkersgoed inspired me with his post to highlight what you can't miss in Security, Compliance, and other cool topics.

The session planner doesn't let me deep-link, so I'll be including the session numbers. I won't include time and place since I expect those to change. The description from the session catalog is included.

Can't miss security sessions

SEC401 - AWS Identity and Access Management (IAM) policy evaluation in action (Workshop)
One of the most popular and talked about chalk talks from re:Inforce was Matt Luttrell and Dan Peebles diving deep into policy evaluation. They provided new diagrams and animations to explain how SCPs, permission boundaries, and resource policies all interact with identity-based policies, conditions, and different effects. Matt is going to reprise and extend this work into a two-hour workshop. This session is a must if you're fighting SCPs, Permission Boundaries, and Resource Policies.

In this workshop, dive deep into the logic of AWS Identity and Access Management (IAM) policy evaluation. Gain experience with hands-on labs that walk through IAM use cases and learn how different policies interact with each other. Using identity- and resource-based policies within single- and cross-account scenarios, learn about the evaluation logic that you can apply in your own environment. You must bring your laptop to participate.

SEC402 - The anatomy of a ransomware event targeting data residing in Amazon S3 (Chalk Talk)
This is a repeat of the chalk talk given at re:Inforce and was one of the best sessions from that event. Kyle works on the Customer Incident Response Team and will dive into real-world cases that AWS has seen in the field of Ransomware attacks on customers. You'll come away from this session with action items based on actual threat intel.

Ransomware events can cost governments, nonprofits, and businesses billions of dollars and interrupt operations. Early detection and automated responses are important steps that can limit your organization’s exposure. In this chalk talk, walk through the anatomy of a ransomware event that targets data residing in Amazon S3 and hear detailed best practices for detection, response, recovery, and protection.

BOA204 - When security, safety, and urgency all matter: Handling Log4Shell (Breakout Session)
The indomitable Abby Fuller will talk through how AWS internally handled Log4Shell. How a $1.6T company handled Log4Shell and how you handled Log4Shell are not really comparable, but I think this session will have a lot to offer for the next time something like this hits. It's also in that quiet, sweet spot of Friday morning when nothing else is happening and everyone is wrapping up.

On December 9, 2021, there was a report of a potential remote code execution issue in the widely used open-source Apache logging library Log4j. This issue allowed a user to use Java Naming and Directory Interface (JNDI) and LDAP endpoints to execute arbitrary code on a system. Over the next 10 days, 5 additional common vulnerabilities and exposures affecting Log4j were made public. This event is now referred to as Log4Shell. In this session, learn about the response to Log4Shell, from initial notification to hot patch, fleet scanning, and customer communications.

COP305 - Best practices for organizing and operating on AWS (Breakout Session)
Full Disclosure: The customer speaker here is my former boss, and she's talking about the AWS Organizations governance work my old team and I did while I was at Discovery. Learn how we tamed 200+ AWS accounts and balanced the needs of security, finance, and the whims of half a dozen different business units.

Managing and operating cloud environments from multiple business units can be challenging. In this session, hear from Bianca Lankford, Senior Director/Global Head of Cloud Engineering & Governance from Warner Brothers Discovery, how they organized their cloud environment to allow teams to develop with agility while being able to manage and operate their applications in a secure, automated, reliable, and cost-effective way. See how you can use AWS Organizations and AWS Systems Manager to operate your applications at scale, manage mergers and acquisitions, and develop governance as a product for your environment.

SEC206 - Security operations metrics that matter (Chalk Talk)
One of the things I never finished at my last job was building out cloud security key risk indicators (KRIs) for my program. Anna was one of my partners in crime for my adversary emulation chalk talk at last year's re:Invent, so I'm keen to hear what she's built for her customers.

Security tooling can produce thousands of security findings to act on. But what are the most important items and metrics to focus on? In this chalk talk, learn about a framework you can use to develop and implement security operations metrics in order to prioritize the highest-risk issues across your AWS environment. This includes applying critical business context and capturing the metrics across your multi-account environment so you can take action with confidence.

SEC330 - Harness the power of temporary credentials with IAM Roles Anywhere (Chalk Talk)
I'll be honest. I have not yet kicked the tires on IAM Roles Anywhere. This service promises to eliminate the need for IAM Users, but the key management issues make me wonder how many enterprises will do it right. This is a chalk talk, so I hope for some lively discussion and to discover some of the risks and edge cases with this new service.

In this chalk talk, get an introduction to AWS Identity and Access Management (IAM) Roles Anywhere, and dive deep into how you can use IAM Roles Anywhere to access AWS services from outside of AWS. Learn how IAM Roles Anywhere securely delivers temporary AWS credentials to your workloads. Discover the different use cases that IAM Roles Anywhere is designed to address as well as best practices for using it.

COP323 - Delegating access in a multi-account environment with IAM Identity Center (Chalk Talk)
AWS SSO (I refuse to use the new name) has changed a lot since I first deployed it for the SECCDC. We started using it at my last job, and I want to see the additional capabilities they introduced.

In this chalk talk, learn about delegating access management with AWS Organizations and AWS Control Tower using AWS IAM Identity Center. Using customer-managed policies and permissions boundaries, you can enable a decentralized access management model with permissions guardrails that enforce coarse-grained authorization standards that apply in both role-based and attribute-based access control (RBAC and ABAC) models.

MKT304 - Faster vendor risk assessments with AWS Marketplace Vendor Insights (Chalk Talk)
One of the more under-appreciated announcements from AWS re:Inforce was AWS Marketplace Vendor Insights, or, as I thought of it at the time, Simplify Vendor Risk Management as a Service. I'm hoping this chalk talk will help me understand the capabilities of this new service and how security practitioners can use it to make their lives easier.

Validating the compliance and security posture for third-party SaaS products is often a complex process. In this chalk talk, explore how AWS Marketplace Vendor Insights simplifies the SaaS risk assessment process to help enterprises procure trusted software. Built upon AWS Config, AWS Audit Manager, and AWS Artifact, Vendor Insights streamlines the process by providing on-demand access to security and compliance information via a web-based dashboard. Learn how vendors can provide customers with on-demand access to security and compliance information to showcase security and compliance excellence.

SEC321 - Building your forensics capabilities on AWS (Chalk Talk)
I've spent a lot of time recently giving talks and classes on Incident Response in AWS, and EC2 Forensics is still a topic that lacks a definitive way of doing it. I look forward to Jonathon Poling's discussion of the topic in this chalk talk.

You have a compromised resource on AWS. How do you acquire evidence and artifacts? Where do you transfer the data, and how do you store it? How do you analyze it safely within an isolated environment? Join this chalk talk to walk through building a forensics lab on AWS, methods for implementing effective data acquisition and analysis, and how to make sure you are getting the most out of your investigations. Learn how to identify the tools and capabilities you need to effectively analyze it, as well as how to maintain least-privilege access to the evidence. Finally, walk through how to learn from your analysis and investigation to improve your security.

SEC202 - Vulnerability management with Amazon Inspector and AWS Systems Manager (Builder's Session)
Vulnerability Management sucks. I hate it. I'd rather farm alpaca than work in the VM space as it's implemented in most enterprises. That said, I've got ideas on how to improve it for cloud workloads (spoiler alert: that was one of the reasons I went to my current job). I've not done a builder's session before, and it's only a 200-level session, but I know one of the builders, so I'll be signing up for this one.

Join this builders’ session to learn how to use Amazon Inspector and AWS Systems Manager Patch Manager to scan and patch software vulnerabilities on Amazon EC2 instances. Walk through how to understand, prioritize, suppress, and patch vulnerabilities using AWS security services. You must bring your laptop to participate.

SEC208 - Executive security simulation (Workshop)
I've not done much with tabletop exercises, and I've not yet done one focused on Cloud Security, so I think this one is a better use of my time than cheap beer and big crowds on the expo floor.

This workshop features an executive security simulation, designed to take senior security management and IT or business executive teams through an experiential exercise that illuminates key decision points for a successful and secure cloud journey. During this team-based, game-like simulation, use an industry case study to make strategic security, risk, and compliance decisions and investments. Experience the impact of these investments and decisions on the critical aspects of your secure cloud adoption. Learn about the major success factors that impact security, risk, and compliance in the cloud and applicable decision and investment approaches to specific secure cloud adoption journeys. You must bring your laptop to participate.

SEC329 - AWS security services for container threat detection (Breakout Session)
I will admit I'm not an expert on container security. My personal development path jumped from EC2 straight to Lambda functions. So, I'm interested in a deeper dive into what my former colleague Mrunal did with the topic.

Containers are a cornerstone of many AWS customers’ application modernization strategies. The increased dependence on containers in production environments requires threat detection that is designed for container workloads. To help meet the container security and visibility needs of security and DevOps teams, new container-specific security capabilities have recently been added to Amazon GuardDuty, Amazon Inspector, and Amazon Detective. In this session, learn about these new capabilities and the deployment and operationalization best practices that can help you scale your AWS container workloads. Additionally, the head of cloud security at HBO Max shares container security monitoring best practices.

Sessions highlighting the massive awesomeness of AWS

SEC404 - A day in the life of a billion requests (Breakout Session)
Eric Brandwine will dive into the scale and operational considerations of IAM (ignore the ironically bad session number). Let's face it: there is nothing actionable here for you. This is just a chance to nerd-out on a cool topic.

Every day, sites around the world authenticate their callers. That is, they verify cryptographically that the requests are actually coming from who they claim to come from. In this session, learn about unique AWS requirements for scale and security that have led to some interesting and innovative solutions to this need. How did solutions evolve as AWS scaled multiple orders of magnitude and spread into many AWS Regions around the globe? Hear about some of the recent enhancements that have been launched to support new AWS features, and walk through some of the mechanisms that help ensure that AWS systems operate with minimal privileges.

SEC327 - Zero-privilege operations: Running services without access to data (Breakout Session)
If you recall the Twitter compromise in 2020, or the more recent Okta incident, both had the same things in common: Employees had high levels of access to production and customer data. In this session Colm MacCarthaigh will discuss how AWS keeps its employees out of your data. Who knows, I may even change my opinion on Encryption in AWS.

AWS works with organizations and regulators to host some of the most sensitive workloads in industry and government. In this session, learn how AWS secures data, even from trusted AWS operators and services. Explore the AWS Nitro System and how it provides confidential computing and a trusted runtime environment, and dive deep into the cryptographic chains of custody that are built into AWS Identity and Access Management (IAM). Finally, hear how encryption is used to provide defense in depth and why we focus on verified isolation and customer transparency at AWS.

ARC310 - Beyond five 9s: Lessons from our highest available data planes (Breakout Session)
Another session from Colm MacCarthaigh on the scale and reliability of AWS Services. If I can't make this in-person, it will be at the top of my viewing list when I get home.

Updated with recent learning, this session dives deep into building and improvising resilience in AWS services. Every AWS service is designed to be highly available, but a small number of what are called Tier 0 services get extra-special attention. In this session, hear lessons from how AWS has built and architected Amazon Route 53 and the AWS authentication system to help them survive cataclysmic failures, enormous load increases, and more. Learn about the AWS approach to redundancy and resilience at the infrastructure, software, and team levels and how the teams tasked with keeping the internet running manage themselves and keep up with the pace of change that AWS customers demand.

Other Sessions I'm going to

STG215 - Unlocking business value in media and entertainment with Amazon S3 (Breakout Session)
2016 was the year of the spreadsheet for me. I was designing the financial model for moving the (then 14PB) CNN Library into AWS S3. Glacier Expedited Retrieval wasn't a thing then, so it was lots of "how can we use S3 IA". I'm excited to see how this project has moved forward with former colleague Jay Brown talking about how they're now using S3.

Media and entertainment companies are creating more content than ever to engage audiences and grow revenue, but many are overlooking the hidden value of content locked in their media archives. The proliferation of screens connected to the internet provides customers with more ways of consuming content whenever and wherever. Between the influx of choice and ubiquitous connectivity, storing media content is challenged to keep up with not only growth in storage but also capabilities needed to support this multiscreen world. In this session, Amazon S3 customers Warner Bros., CNN, and PGA Tour share how migrating media archives from on-premises systems to the cloud can unlock business value for your organization.

DOP402 - Implementing DevSecOps pipelines with compliance in mind (Chalk Talk)
I'll admit I don't know enough about CI/CD, and I don't practice what the cloud security community preaches in this regard. I can't pass up a 400-level chalk talk on a subject I need to do more with.

In this chalk talk, review a DevSecOps CI/CD pipeline that includes software composition analysis, static application security testing, and dynamic application security testing. Also learn about best practices for incorporating security checkpoints across various pipeline stages and aggregating vulnerability findings into a single pane of glass. Finally, hear about processes and tools that can increase an organization’s ability to deliver applications and services in a secure manner.

COP325 - Migrate AWS accounts like an expert (Chalk Talk)
While this isn't my job anymore, I spent a lot of time thinking through this process, and I'm curious about what AWS will suggest here.

This chalk talk is for you if you’ve ever had to migrate an AWS account from one organization to another during a merger and acquisition activity, while migrating to AWS Control Tower, or just while organizing your AWS environment according to best practices. In this talk, learn how to identify dependencies in your current organization that you can proactively address before the migration. The talk covers code for detecting resource policies and identity policies with dependencies. Walk through additional checks that can help you achieve a quick and efficient migration.

STG404 - Explore Amazon EBS direct APIs with flexible snapshot proxy (Chalk Talk)
Until recently, the only way to get EBS data out of the cloud was to mount it to a machine and run dd | ssh. The EBS Direct APIs are new to me, and there are some interesting security implications with these capabilities I want to know more about.

Amazon EBS snapshots are a feature-rich data protection function used by enterprises for block-level data. Join this chalk talk to learn how flexible snapshot proxy, an open-source project that uses Amazon EBS direct APIs, can enable you to efficiently move data between applications in a cross-Region, cross-organization, logically air-gapped replication scenario without temporary copies. Understand how a block of data moves through systems, services, and geographies. Also learn how to eliminate temporary copies, reduce transfer costs, improve RTO/RPO, and integrate your on-premises applications and systems with Amazon EBS. This talk dives into field-proven architectural patterns for building global-scale real-world solutions.

I joke that my annual pilgrimage to re:Invent is my "Cloud Nerd Rave in the Desert". Thursday night's re:Play is that rave. Even if you hate crowds and loud music, you should attend once to see the spectacle and realize that Frugality is a selective leadership principle.

Open Source Zone and Steampipe

I didn't pitch a talk for re:Invent this year, but I will be presenting. Come by the Open Source Zone (Third floor of the Venetian near San Polo and the Press area) on Tuesday from 1pm to 3pm and I'll be demoing our open source tool Steampipe and a number of the nifty things it can do to help manage your cloud sprawl and reduce risk in your organization.


Pre-Registration opens on October 11th at 1pm EDT for a guaranteed seat in these sessions. I'm told that 25% capacity is reserved for walk-ups, and in the past there have been a number of no-shows. I've also been denied entrance to a colleague's presentation because they ran out of open seats, and AWS policy doesn't allow anyone to stand in the back. So may the odds be ever in your favor.