AWS re: Inforce 2023-Keynote Highlights

AWS re:Inforce is the industry’s leading security learning conference. The event brings together security experts from all around the world to share insights and best practices for staying ahead of the rapidly evolving security landscape.

Ever the learning experience, the conference also features interactive educational content to address security, compliance, privacy, and identity management needs.

This year’s event took place in Anaheim, CA, and CJ Moses, Chief Information Security Officer (CISO) for AWS, served as keynote speaker.

You can watch the full video here, or read below for a summary of the key highlights.

Leading Innovation in AWS Cloud Security

Within the first minute of the keynote, CJ Moses, Chief Information Security Officer (CISO) for AWS, makes reference to generative AI, a topic that has come up a lot in recent months, highlighting that this is a growing technology that will exhibit some challenges from a security perspective but also introduce new possibilities, too.

Moses went on to highlight just how important security is to AWS, ensuring that its customers remain protected at all times using a myriad of security controls, services, and techniques. This has been the mantra of AWS since day 1, and it continues to be the same today.

From the very beginning Moses explains the AWS shared security responsibility model, a model that everyone should be familiar with when operating within the cloud. It shows where your responsibility starts and stops compared with that of AWS. Without understanding these boundaries, you leave yourself open to vulnerabilities and weaknesses in your architecture.

Moses continues to explain the timeline of events that led to the deep level of security that runs throughout the entire AWS stack of services from the ground up to today. Moses covered how AWS developed their own unique hypervisor software, ensuring that if someone ever compromised the hypervisor, access to storage and network traffic could not be tampered with. This was the birth of the AWS Nitro system.

The latest generation of the AWS Nitro chip (5th generation) has the best performance yet, offering lower latency and higher throughput, delivering more packets per second when compared with previous generations. To further emphasize the security advancements and benefits of the AWS Nitro system, it was declared that the NCC Group, a global cyber and software resilience business, had conducted a full review and found that there were no gaps in the AWS Nitro system that would compromise AWS security.

Continuing the assurance of security developments across the AWS landscape, Moses referenced AWS Firecracker, which helps you secure your serverless and container-based applications making use of kernel-based virtual machines. Firecracker uses different levels of isolation and protection, which helps to reduce the attack surface.

Moses went on to discuss application security, explaining how AWS secured millions of lines of code to address security issues by following a strict internal AppSec review process to ensure that all developments are thoroughly checked for vulnerabilities, threats, and weaknesses. Only code that has successfully passed this AppSec review will be released into production.

Cloud security on a global scale

As the discussion around AWS security measures continues, Moses hones in on the global presence of the AWS architecture and how the sheer scale of their worldwide footprint can sometimes make them a target, either directly or indirectly when their customers are attacked.  Using data captured from attempted attacks, AWS is able to compose a huge amount of information that acts as intelligence, allowing them to accurately deliver more effective protective measures across their global network of operations at the edge, availability zone, and regional levels. Using AWS services such as AWS Backup, AWS GuardDuty, Amazon Route 53 Resolver DNS Firewall, AWS WAF, and AWS Shield, more sophisticated measures can be taken to protect the AWS network. Essentially, the point being made was that AWS takes time to collate, gather, review, and assess all security information, such as threat intelligence from different sources, including internet threat sensors and active network probes, resulting in the adaptation and improvement of their security offerings to the benefit of AWS customers.

“The more telemetry we have, the better we can reduce Mean Time to Defense” – CJ Moses

Security in the cloud

Becky Weiss, Senior Principal Engineer (AWS)was then introduced to discuss security in the cloud and new launches. Becky began by discussing Zero Trust and how this has developed over the years, in fact over the past decade, with the introduction of features including:

Oct 2008 – Amazon Elastic Compute Cloud (EC2) security groups

May 2011 – Identity and Access Management (IAM) launched

Aug 2011 – Identity federation and short-term temporary AWS credentials

Jun 2012 – Introduced IAM roles for EC2 instances 

Feb 2013 – Launched managed policies

May 2013 – VPC endpoints for Amazon Simple Storage Service (S3)

Feb 2017 – Launched AWS Organizations

Apr  2017 – Introduced service-linked roles

Dec 2017 – Introduced IAM Identity Center

Noc 2018 – Introduced Attribute-Based Access Control (ABAC) support

Dec 2019 – Introduced IAM Access Analyzer

May 2021 – Added policy validation and actionable recommendations

Apr 2021 – Generated least-privilege IAM policy templates

Apr 2023 – Added policy validation to AWS Organizations

Empowering customers with AWS Verified Access, Amazon Verified Permissions and more

As development continues for Zero Trust, and to demonstrate how AWS is making it easier for customers to implement these strategies themselves, Weiss showcased how the recently launched AWS Verified Access (launched GA in April 2023) can be used to allow customers to access their corporate solutions without a VPN and utilizing Zero Trust principles. You can work with the AWS IAM Identity Center or your own OpenID Connect (OIDC) identity provider to authenticate users to your network. 

This led the discussion to ease into one of the biggest problems and challenges that AWS sees their customers having: how to design and build authorization systems for the resources within their own applications. Doing this within your business at scale can be a huge task that’s resource intensive and difficult to implement both effectively and accurately. Fortunately, AWS now has a solution to this with the announcement of new Amazon Verified Permissions!

Amazon Verified Permissions allows you to control access to resources and data within your applications using policy-based access controls, acting as a fine-grained authorization service that is powered by Cedar. Cedar is a language that’s used to define permissions as policies that determine who has access to what through evaluating logic of policies.

Amazon Verified Permissions is scalable, granular, and provides an effective method of creating policies using templates, which can then be associated with roles for easier deployment. To learn more about Amazon Verified Permissions, take a look here to see how it aligns with Zero Trust principles.

The second new announcement made by Weiss addressed how we can securely connect to our EC2 instances using SSH/RDP through private endpoints with the GA release of Amazon EC2 Instance Connect Endpoint!

It essentially allows you to connect to an EC2 instance using SSH/RDP (even if those EC2 instances are tucked away within a private subnet) without having to go via a Bastion Host first, and designed with high availability in mind! Instance Connect Endpoint brings with it a host of other benefits too, enhancing your overall security when connecting to these instances, including:

• Strong authentication and authorization before reaching the host
• Single click connect from the EC2 Management Console
• Fully auditable with AWS CloudTrail Logs
• Support for 3rd party SSH tools

Following this, the discussion pivoted towards data perimeter security with the recent launch of AWS Management Console Private Access. Weiss explained how this security feature enables you to define a list of trusted and known AWS accounts and organizations that can access the AWS Management Console from within your own network. This means you can prevent access to the Management Console for unapproved AWS accounts (for example, preventing your employees from accessing any private and personal AWS accounts they may have from the company network). As a result, access to the AWS Management Console will be blocked for any account that you as an organization are not expecting!

Intelligent threat detection

Weiss then turned her attention to discussing the latest release of features and services relating to detection controls starting with AWS GuardDuty, which is an intelligent threat detection service. There were 3 new announcements with this service:

1. Added threat detection for Amazon Aurora to detect suspicious logins
2. Added EKS runtime monitoring to detect runtime threats
3. Expanded threat detection to coverage to support AWS Lambda functions

This was quickly followed by the third new service announcement of Amazon Inspector Code Scans for Lambda, which allows you to scan your AWS Lambda code for security vulnerabilities, making it easier to ensure you’re following security guidelines when writing code for your Lambda functions.

Code scans will highlight security weaknesses such as weak cryptography, data leaks, and injection flaws, all centered around security best practices. As with other remediation recommendations, Amazon Inspector will provide details for issues it finds and explain how to address the problem with suggested remediation steps to resolve any detected vulnerabilities.
Sticking with Amazon Inspector, another new capability was also announced, Amazon Inspector SBOM Export.

This new enhanced feature of Amazon Inspector will allow you to automatically and centrally manage software bill of materials exports for all resources monitored by the Amazon Inspector service. Using standard industry formats such as CycloneDx and SPDX, you can gain valuable insights about your software supply chain. Having SBOMs exported to an Amazon S3 bucket, you have the flexibility to utilize tools like Amazon Athena, or create Amazon QuickSight dashboards to highlight and identify software supply chain trends. 

This was the last announcement made by Weiss before the reins were handed over for a customer talk given by Debbie Wheeler, SVP & CISO, Delta Airlines to explain how they leverage AWS to secure their systems.

Growth of Amazon Security Lake

In the closing section of the Keynote, Moses once again took to the stage to discuss the AWS Partner Network and how Amazon Security Lake now integrates with over 50 partners.

Amazon Security Lake enables you to gather, collate, monitor, and analyze security data in a single centralized location from multiple different sources, including the cloud as well as your own on-premises environments, in addition to specific custom sources.  

Having a centralized source of this information helps simplify your ability to analyze critical security data, allowing you to understand weaknesses and potential threats across your entire organization and infrastructure. Using automation, Amazon Security Lake will take care of collating your security data across multiple regions, enabling your security teams to work on identifying gaps in your environment, preventing security issues and helping them respond quickly to any security incidents that may occur.

The Security Lake is stored in a specific region and pulls data from a variety of different security sources including AWS CloudTrail, VPC Flow Logs, Route 53 Resolver query logs, and Security Hub, where all data is normalized using OCSF (Open Cybersecurity Schema Framework).

Continuing the theme of Partner solutions, another new announcement was made introducing AWS Built-In Partner Solutions (in preview), which will allow you to find, purchase and deploy AWS-validated partner software that integrates with foundational AWS services.

These new built-in partner solutions will make it easier for customers to deploy their partner software using automated infrastructure as code tools, with the added benefit of these products integrating with the core and foundational AWS services. Using a Modular Code Repository, deployments can be reduced from weeks and months down to just one day. At the time of writing this post, these built-in partner solutions offer access to two AWS Built-in Multi-account Categories:

Image source: https://aws.amazon.com/built-in/partner-solutions/

The future of cloud security: from generative AI to machine learning

The final section of Moses’ Keynote focused on the areas of investment that AWS is working on for advancing security going forward.  

The first on the list was Generative AI. He explained how there will always be bad actors out there who will try to use this technology as a threat. However, this same technology can also be used as a tool to help increase your security posture.

An example of this is with Amazon Bedrock, which was released in April 2023 and is a fully managed service that allows you to build and scale generative AI applications using foundation models (FMs). Features include:

• Accelerated development of generative AI applications using FMs through an API, without managing infrastructure
• Choose FMs from AI21 Labs, Anthropic, Stability AI, and Amazon to find the right FM for your use case
• Privately customize FMs using your organization’s data
• Use AWS tools and capabilities you’re already familiar with to deploy scalable, reliable, and secure generative AI applications
• Integration with other AWS services such as AWS SageMaker ML to test different models, AWS IAM for access control, AWS KMS for encryption, and AWS CloudTrail for auditing

AWS CodeWhisper was also highlighted as another example of how generative AI can be used to enhance security, this time from within your code. AWS CodeWhisper is used to suggest snippets of code based upon your comments and any existing code. This allows you to quickly develop code based upon security best practices using built-in security scanning mechanisms, which leads to improved productivity.

From a security standpoint, AWS CodeWhisper can scan your code, detect vulnerabilities, and suggest recommendations to make your code more secure.

The next announcement made by Moses related to security through the full development lifecycle, with Amazon CodeGuru Security (in preview), which has been designed to identify and resolve code vulnerabilities at any stage of the developer workflow.

Used for static application security testing (SAST) and combined with Machine Learning (ML), Amazon CodeGuru Security will help your developers spot and identify vulnerabilities faster and more efficiently. It will also offer support as to which code patches should be used to remediate any issues that are detected. Some of the security issues Amazon CodeGuru Security can identify include:

• Log injection
• Hardcoded credentials
• Resource leaks

The final announcement made was an additional feature added to Amazon Detective called Finding Groups, which is now GA.

Finding Groups for Amazon Detective uses ML and graph theory to distill thousands of discrete findings into a single connected security event, allowing you to collate and group together multiple events that relate to a single security compromise. This makes it much easier for security engineers to understand how the threat actor gained access to your resources, traversed your network, and potentially compromised other resources, too. Using graph analysis techniques, relationships can be made between different findings made by Amazon Detective, Amazon GuardDuty, and Amazon Inspector, highlighting the severity of a group and the tactics used, such as:

• Initial access
• Privilege escalation
• Defense evasion
• Lateral movement
• Exfiltration
• …and many more

When combining findings from multiple sources, Amazon Detective can group these together to show any vulnerabilities and weaknesses within your architecture, showing how the threat actor proceeded to compromise your environment. This allows you to rectify and remediate these security threats more quickly and efficiently.

Moses rounded up the keynote by giving us insight into how AWS is leading the way with investments in Quantum Computing security and Post Quantum Cryptography (PQC) within existing AWS encryption services.

As you can see, this was a jam-packed keynote filled with great new product and feature announcements that further “re:Inforces” AWS’ ongoing commitment to security for its customers.