Tributary Logo

18 July 2023

AWS re:Inforce re:Cap

A recap of re:Inforce and Aquia's team members' experience

Lloyd Evans
Lloyd Evans Principal Information System Security Officer LinkedIn
Maril Vernon
Maril Vernon Senior Application Security Architect LinkedIn
Dustin Whited
Dustin Whited Director, Security Engineering LinkedIn

Last month, on the heels of the Amazon Web Services (AWS) Public Sector Summit, AWS hosted re:Inforce, a mid-year conference that is dedicated to security. It serves as a reminder to review, improve on, and reinforce organizational security. This conference brings together thousands of thought leaders in the cloud and application security space to provide insights and use cases on optimizing AWS services across private and public industries. As cybersecurity leaders of the digital transformation in the public and private sector and a member of the AWS Partner Network, Aquia arrived in force to learn, innovate, and collaborate on new security approaches for AWS workloads.

Team Member Perspectives

“Everyone definitely had their own way of ‘doing’ the conference and when it comes to event behemoths like this, you need to approach it strategically. We decided to explore the expo floor as a pack with each of us having ‘must-see’ booths, and then divide and conquer the sessions. My personal highlights were some of the things we saw on the expo floor. You could get coffee, ice cream, take a virtual tour of AWS facilities, or play some PacMan on the world’s largest PacMan game! But the big takeaways were the Builder’s Sessions aka hands-on labs. Learning how to automate and integrate multiple services for the purposes of incident alerts, Slackbot integrations, and even training an AI model were just a few. These are things we can walk away with and implement immediately on our teams. Those are invaluable skills taught by the folks actually working and developing tools at AWS.” - Maril Vernon, senior application security architect, Aquia

“This was my first time attending an AWS conference so I went in with the attitude of enjoying a novel experience, learning as much as I could, and meeting new folks! I took an AWS Builder Lab on compliance based auto-remediation tasks using AWS Systems Manager and AWS Config, listened to a talk on building incident response runbooks using Jupyter Notebooks with Python scripts, met with many people from different companies all working to solve customer problems using AWS, and collected many, many stickers (my favorite being an 8-bit AWS Certified Security Specialty Dragon sticker from the AWS booths that I’ll add to the laptop very soon).” - Lloyd Evans, director of governance, risk, and compliance, Aquia

Highlighted Announcements

Amazon Verified Permissions:

Amazon Verified Permissions provides fine-grained authorization and permissions for applications. Previewed at re:Invent 2022, Verified Permissions is now generally available. This service uses Cedar, AWS’s new open source permission language. Verified Permissions allows that much more finely tuned control where you can authorize based on factors such as time and location. For those using serverless, previously they had to use a customized authorizer for authentication and authorization.

Amazon Inspector SBOM Export:

Software Bill of Materials (SBOMs) are an inventory of libraries in your code. Amazon Inspector SBOM Export enables automatic, centralized management, and storage as well as one-click management and export of SBOMs. They can then be stored in AWS S3 or AWS Athena to query and gain insights. Quick export of SBOMs provides a quick way to comply with SBOM requirements detailed in Executive Order 14028. Those that do business with highly regulated industries will find this beneficial for cloud-native SDLCs.

Amazon EC2 Instance Connect Endpoint:

This feature enables remotely connecting to EC2 instances over the Internet without a bastion host or using SSM session manager. For those that need human access to EC2 instances, this offers an alternative to using a bastion host and ssh key pairs, or installing and configuring the SSM agent on the instance. Like SSM Session Manager, this feature leverages IAM for authentication and authorization. Where it differs is that it does not require an agent to be installed on the instance, nor does it require any IAM permissions on an instance profile. If SSM cannot be used, this offers a solid alternative now that it does not require public IP addresses on target instances.

Other Announcements

Amazon Inspector now supports code scanning Lambda functions

Scanning code vulnerabilities in Lambda functions can be useful for visibility into running code. It leverages CodeGuru on the backend. It is useful if you want to detect vulnerabilities after you deploy code into production.

https://aws.amazon.com/about-aws/whats-new/2023/06/amazon-inspector-code-scans-aws-lambda-function/

Dual Layer Encryption in S3

With this feature release, it is now possible to perform two layers of server-side encryption when uploading objects to a S3 bucket. This is designed to meet more advanced regulatory requirements around encryption.

https://aws.amazon.com/blogs/aws/new-amazon-s3-dual-layer-server-side-encryption-with-keys-stored-in-aws-key-management-service-dsse-kms/

re:Inforce Recordings

For sessions that were recorded, re:Inforce Youtube playlists are now available to watch: https://www.youtube.com/@AWSEventsChannel/playlists?view=50&sort=dd&shelf_id=2

Outro

re:Inforce was a great opportunity to connect with internal AWS teams, future and past customers, and our internal team. The Aquia team looks forward to implementing knowledge gained during re:Inforce to help our customers deliver more secure workloads and reduce developer friction.

If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.

Categories

aws security devops identity