
AWS achieves FedRAMP JAB High and Moderate Provisional Authorization across 26 services in the AWS US East/West and AWS GovCloud (US) Regions

Post Syndicated from Amendaze Thomas original https://aws.amazon.com/blogs/security/aws-achieves-fedramp-jab-high-and-moderate-provisional-authorization-across-26-services-in-the-aws-us-east-west-and-aws-govcloud-us-regions/

AWS continues to expand the number of services that customers can use to run sensitive and highly regulated workloads in the federal government space. Today, I’m pleased to announce another expansion of our FedRAMP program, marking a 36.2% increase in our number of FedRAMP authorizations. We’ve achieved authorizations for 26 additional services, 7 of which have been authorized for both the AWS US East/West and AWS GovCloud (US) Regions.

We’ve achieved FedRAMP authorizations for the following 22 services in our AWS US East/West Regions:

We also received 11 service authorizations in our AWS GovCloud (US) Regions:

In total, we now offer 70 AWS services authorized in the AWS US East/West Regions under FedRAMP Moderate and 54 services authorized in the AWS GovCloud (US) Regions under FedRAMP High. You can see our full, updated list of authorizations on the FedRAMP Marketplace. We also list all of our services in scope by compliance program on our Services in Scope page.

Our FedRAMP assessment was completed with a third-party assessment partner to ensure an independent validation of our technical, management, and operational security controls against the FedRAMP baselines.

We care deeply about our customers’ needs, and compliance is my team’s priority. We want to continue to onboard services into the compliance programs our customers are using, such as FedRAMP.

To learn what other public sector customers are doing on AWS, see our Government, Education, and Nonprofits Case Studies and Customer Success Stories. Stay tuned for future updates on our Services in Scope by Compliance Program page. If you have feedback about this blog post, let us know in the Comments section below.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.


Amendaze Thomas

Amendaze is the manager of the AWS Government Assessments and Authorization Program (GAAP). He has 15 years of experience providing advisory services to clients in the Federal government, and over 13 years’ experience supporting CISO teams with risk management framework (RMF) activities.

Top 11 posts during 2019

Post Syndicated from Tom Olsen original https://aws.amazon.com/blogs/security/top-11-posts-during-2019/

The Security Blog set new records for page views in 2019, but we’re always looking for ways to improve. Please tell us what you want to read about in the Comments section below. We read all of your feedback and do our best to act on it.

The top 11 posts during 2019 based on page views

  1. How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory
  2. How to securely provide database credentials to Lambda functions by using AWS Secrets Manager
  3. How to set up an outbound VPC proxy with domain whitelisting and content filtering
  4. How to centralize and automate IAM policy creation in sandbox, development, and test environments
  5. Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service
  6. Simplify DNS management in a multi-account environment with Route 53 Resolver
  7. How to use service control policies to set permission guardrails across accounts in your AWS Organization
  8. How to share encrypted AMIs across accounts to launch encrypted EC2 instances
  9. AWS and the CLOUD Act
  10. Guidelines for protecting your AWS account while using programmatic access
  11. How to use AWS Secrets Manager to securely store and rotate SSH key pairs

We’d also like to highlight a couple of recent posts that customers have shown a lot of interest in. These posts would likely have made it into the top 11 given another month or so:

If you’re new to AWS and are just discovering the Security Blog, we’ve also compiled a list of older posts that customers continue to find useful.

The top 10 posts of all time based on page views

  1. Where’s My Secret Access Key?
  2. Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
  3. How to Restrict Amazon S3 Bucket Access to a Specific IAM Role
  4. Securely Connect to Linux Instances Running in a Private Amazon VPC
  5. Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket
  6. IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)
  7. How to Connect Your On-Premises Active Directory to AWS Using AD Connector
  8. Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article
  9. A New and Standardized Way to Manage Credentials in the AWS SDKs
  10. How to Control Access to Your Amazon Elasticsearch Service Domain

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Author

Tom Olsen

Tom shares responsibility for the AWS Security Blog with Becca Crockett. If you’ve got feedback about the blog, he wants to hear it in the Comments here or in any post. In his free time, you’ll either find him hanging out with his wife and their frog, in his woodshop, or skateboarding.


Becca Crockett

Becca co-manages the Security Blog with Tom Olsen. She enjoys guiding first-time blog contributors through the writing process, and she likes to interview people. In her free time, she drinks a lot of coffee and reads things. At work, she also drinks a lot of coffee and reads things.

AWS Architecture Monthly Magazine: Manufacturing

Post Syndicated from Annik Stahl original https://aws.amazon.com/blogs/architecture/aws-architecture-monthly-magazine-manufacturing/

Architecture Monthly Magazine - Nov-Dec 2019

For more than 25 years, Amazon has designed and manufactured smart products and distributed billions of products through its globally connected distribution network using cutting edge automation, machine learning and AI, and robotics, with AWS at its core. From product design to smart factory and smart products, AWS helps leading manufacturers transform their manufacturing operations with the most comprehensive and advanced set of cloud solutions available today, while taking advantage of the highest level of security.

In this Manufacturing-themed end-of-year issue of the AWS Architecture Monthly magazine, Steve Blackwell, AWS Manufacturing Tech Leader, talks about how manufacturers can experiment with and take advantage of emerging technologies using three main architectural patterns: demand forecasting, smart factories, and extending the manufacturing value chain with smart products.

In This Issue

We’ve assembled architectural best practices about Manufacturing from all over AWS, and we’ve made sure that a broad audience can appreciate it. Note that this will be our last issue of the year. We’ll be back in January with highlights and insights about AWS re:Invent 2019 (December 2-6 in Las Vegas).

  • Case Study: iRobot Ready to Unlock the Next Generation of Smart Homes Using the AWS Cloud
  • Ask an Expert: Steve Blackwell, Manufacturing Tech Leader
  • Blog Post: Reinventing the IoT Platform for Discrete Manufacturers
  • Solution: Smart Product Solution
  • AWS Coffee Break: IoT Helps Manufacturing Hit the Right Note
  • Whitepaper: Practical Ways To Achieve Smarter, Faster, and More Responsive Operations
  • Reference Architecture: EDA on AWS with IBM Spectrum LSF

How to Access the Magazine

We hope you’re enjoying Architecture Monthly, and we’d like to hear from you—leave us a star rating and comment on the Amazon Kindle Newsstand page or contact us anytime at [email protected].

Additional on-premises option for data localization with AWS

Post Syndicated from Min Hyun original https://aws.amazon.com/blogs/security/additional-on-premises-option-for-data-localization-with-aws/

Today, AWS released an updated resource — AWS Policy Perspectives-Data Residency — to provide an additional option for you if you need to store and process your data on premises. This white paper update discusses AWS Outposts, which offers a hybrid solution for customers that might find that certain workloads are better suited for on-premises management — whether for lower latency or other local processing needs.

Before this capability was available, you would select the nearest AWS Region to keep data close by. By extending AWS infrastructure and services to your environments, you can support workloads — including sensitive workloads — that need to remain on-premises while leveraging the security and operational capabilities of AWS cloud services.

Read the updated whitepaper to learn why data residency doesn’t mean better data security, and to learn about an additional option available for you to address various data protection needs, including data localization.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Min Hyun

Min is the Global Lead for Growth Strategies at AWS. Her team’s mission is to set the industry bar in thought leadership for security and data privacy assurance in emerging technology, trends and strategy to advance customers’ journeys to AWS. View her other Security Blog publications here.

Ramp-Up Learning Guide available for AWS Cloud Security, Governance, and Compliance

Post Syndicated from Sireesh Pachava original https://aws.amazon.com/blogs/security/ramp-up-learning-guide-cloud-security-governance-compliance/

Cloud security is the top priority for AWS and for our customers around the world. It’s important that professionals have a way to keep up with this dynamically evolving area of cloud computing. Often, customers seek AWS guidance on cloud-specific security, governance, and compliance best practices, including skills upgrade plans. To address this need, AWS recently released the AWS Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance (PDF). AWS experts curated this learning plan to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow your career.

The guide starts with AWS Cloud fundamentals and progresses all the way through the AWS Certified Security Specialty certification. You can use the guide to find answers to questions such as, What resources are available? How do I earn AWS credentials? What order should I consume learning resources and training? Where do I find information on AWS events, blogs, and user groups to enhance my learning?

The list of resources includes free digital training offerings, classroom courses, videos, whitepapers, certifications, and other materials. The AWS Ramp-Up Guide is an extension to the AWS Training and Certification security learning path. To enroll in training and certification exams and track your progress, visit aws.training and set up a free account.

For a training plan customized for your requirements, contact your AWS Account Manager or contact us at aws.amazon.com/contact-us/aws-training/.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Sireesh Pachava

Sai Sireesh Pachava is a senior leader in the AWS Professional Services, Global Security, Risk & Compliance (SRC) practice. He specializes in solving complex issues across strategy, business risk, compliance, security, digital, and cloud. Prior to AWS, he held leadership roles at Russell Investments, Microsoft, Reuters, and KPMG. He holds an M.S. and MBA. His certifications include CRISC, CCP, US FedRAMP Level 300, and Internet Law. He’s a pro-bono Seattle director for the risk professional non-profit association PRMIA.

Kate Behbehani

Kate is a Senior Product Marketing leader at AWS. Previously, Kate served as Director, Product Marketing for Veritas’s Hybrid Cloud Data Management & Symantec’s SMB Data Protection solutions, where she developed go-to-market strategy & marketing programs. She’s held numerous senior positions in enterprise marketing & channel marketing throughout the UK, EMEA, & APJ. She has a bachelor’s degree from Southampton University and a Post Graduate Diploma in Marketing from the Chartered Institute of Marketing.

15 additional AWS services receive DoD Impact Level 4 and 5 authorization

Post Syndicated from Tyler Harding original https://aws.amazon.com/blogs/security/15-additional-aws-services-receive-dod-impact-level-4-and-5-authorization/

I’m pleased to announce that the Defense Information Systems Agency (DISA) has extended the Provisional Authorization to Operate (P-ATO) of AWS GovCloud (US) Regions for Department of Defense (DoD) workloads at DoD Impact Levels (IL) 4 and 5 under the DoD’s Cloud Computing Security Requirements Guide (DoD CC SRG). Our authorizations at DoD IL 4 and IL 5 allow DoD Mission Owners to process unclassified, mission critical workloads for National Security Systems in the AWS GovCloud (US) Regions.

AWS successfully completed an independent, third-party evaluation that confirmed we effectively implement over 400 security controls using applicable criteria from NIST SP 800-53 Rev 4, the US General Services Administration’s FedRAMP High baseline, the DoD CC SRG, and the Committee on National Security Systems Instruction No. 1253 at the High Confidentiality, High Integrity, and High Availability impact levels.

In addition to a P-ATO extension through November 2020 for the existing 24 services, DISA authorized an additional 15 AWS services at DoD Impact Levels 4 and 5 as listed below.

Newly authorized AWS services at DoD Impact Levels 4 and 5

With these additional 15 services, we can now offer AWS customers a total of 39 services, authorized to store, process, and analyze DoD mission critical data at Impact Level 4 and Impact Level 5.

To learn more about AWS solutions for DoD, please see our AWS solution offerings. Stay tuned for future updates on our Services in Scope by Compliance Program page. If you have feedback about this blog post, let us know in the Comments section below.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Tyler Harding

Tyler is the DoD Compliance Program Manager within AWS Security Assurance. He has over 20 years of experience providing information security solutions to federal civilian, DoD, and intelligence agencies.

Migration to AWS CodeCommit, AWS CodePipeline and AWS CodeBuild From GitLab

Post Syndicated from Martin Schade original https://aws.amazon.com/blogs/devops/migration-to-aws-codecommit-aws-codepipeline-and-aws-codebuild-from-gitlab/

This walkthrough shows you how to migrate multiple repositories to AWS CodeCommit from GitLab and set up a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild. Event notifications and pull requests are sent to Amazon Chime for project team member communication.

AWS CodeCommit supports all Git commands and works with existing Git tools. I can keep using my preferred development environment plugins, continuous integration/continuous delivery (CI/CD) systems, and graphical clients with AWS CodeCommit.

Over the years the number of repositories hosted in my GitLab environment grew beyond 100, and maintaining it with patches, updates, and backups was time consuming and risky. Migrating over to AWS CodeCommit project by project manually would have been a tedious and error-prone process. I wanted to run a script to handle the AWS setup and migration of code for me.

The documentation for AWS CodeCommit has an example of how to migrate a single repository, but I wanted to migrate many.

As part of the migration, I had a requirement to set up a CI/CD pipeline using AWS CodePipeline and send notifications on activity in the repository to Amazon Chime, which I use for communication between project members.

Overview

Component overview of migration setup for AWS CodeCommit from GitLab

The migration script calls the GitLab API to get a list of git repositories and subsequently runs

git clone --mirror <ssh-repository-url> <project-name> 

commands against the SSH endpoint of the repositories.

For every GitLab repository, a CloudFormation template creates an AWS CodeCommit repository together with the AWS CodePipeline and AWS CodeBuild resources. If an Amazon Chime webhook is configured, the Lambda function that posts to Amazon Chime is created as well.

One S3 bucket for artifacts is also set up with the first AWS CodeCommit repository and shared across all other AWS CodeCommit and AWS CodePipeline resources.

The migration script can be executed on any system that can reach the existing GitLab environment through SSH and the GitLab API, can reach the AWS endpoints, and has permissions to create AWS CloudFormation stacks, AWS IAM roles and policies, AWS Lambda functions, AWS CodeCommit repositories, and AWS CodePipeline resources.

To pull all the projects from GitLab without needing to define them previously, a GitLab personal access token is used.

You can configure the script to migrate user-specific GitLab projects, the repositories of specific groups, or individual projects, or to do a full migration of all projects.
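The enumeration and mirroring steps described above, as an added example that is not the project's own script: it pages through the GitLab v4 projects API with a personal access token (sent only in the PRIVATE-TOKEN header), narrows the list to the selection modes the post describes (explicit "namespace/project" names, whole groups, or everything), and builds the `git clone --mirror` / `git push --mirror` pair for each repository. The SAMPLE_PROJECTS data, the `select_projects` keyword names and the `codecommit_ssh_url` helper are constructed for this example; the region and repository names in it are placeholders.

```python
"""Added example (not the aws-samples project code): list GitLab projects,
apply a selection, and mirror each one into an AWS CodeCommit repository."""
import json
import subprocess
import urllib.parse
import urllib.request
from typing import Iterable, Iterator, List


def gitlab_projects(base_url: str, token: str, per_page: int = 100) -> Iterator[dict]:
    """Yield every project the token can see, following GitLab's X-Next-Page
    pagination header. The token only ever travels in the request header."""
    page = "1"
    while page:
        query = urllib.parse.urlencode(
            {"membership": "true", "simple": "true", "per_page": per_page, "page": page}
        )
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v4/projects?{query}",
            headers={"PRIVATE-TOKEN": token},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = resp.headers.get("X-Next-Page", "")  # empty string on the last page
            yield from json.load(resp)


def select_projects(projects: Iterable[dict], *, names=None, groups=None,
                    all_projects: bool = False) -> List[dict]:
    """Reduce the project list to what this run should migrate: exact
    'namespace/project' paths, every project under the given group paths,
    or all of them. With no selection given nothing is migrated (fail closed)."""
    if all_projects:
        return list(projects)
    wanted = set(names or [])
    prefixes = tuple(f"{g}/" for g in (groups or []))
    return [
        p for p in projects
        if p["path_with_namespace"] in wanted
        or (prefixes and p["path_with_namespace"].startswith(prefixes))
    ]


def codecommit_ssh_url(region: str, repo_name: str) -> str:
    """SSH URL form CodeCommit uses for a repository in a Region (constructed helper)."""
    return f"ssh://git-codecommit.{region}.amazonaws.com/v1/repos/{repo_name}"


def mirror_commands(ssh_url: str, workdir: str, codecommit_url: str) -> List[List[str]]:
    """The two git invocations that copy every ref (branches and tags) to CodeCommit."""
    return [
        ["git", "clone", "--mirror", ssh_url, workdir],
        ["git", "-C", workdir, "push", "--mirror", codecommit_url],
    ]


def migrate(project: dict, region: str, workdir: str) -> None:
    """Mirror one project; a failing git step raises CalledProcessError so the
    caller can stop instead of silently continuing with a half-copied repository."""
    target = codecommit_ssh_url(region, project["path"])
    for cmd in mirror_commands(project["ssh_url_to_repo"], workdir, target):
        subprocess.run(cmd, check=True)


# Constructed sample of what the API returns (only the fields used here).
SAMPLE_PROJECTS = [
    {"path": "sample-project", "path_with_namespace": "team-a/sample-project",
     "ssh_url_to_repo": "git@gitlab.example.com:team-a/sample-project.git"},
    {"path": "api", "path_with_namespace": "team-b/api",
     "ssh_url_to_repo": "git@gitlab.example.com:team-b/api.git"},
    {"path": "web", "path_with_namespace": "team-b/web",
     "ssh_url_to_repo": "git@gitlab.example.com:team-b/web.git"},
]

if __name__ == "__main__":
    # Dry run over the constructed sample: show the commands without executing them.
    for proj in select_projects(SAMPLE_PROJECTS, groups=["team-b"]):
        target = codecommit_ssh_url("us-east-1", proj["path"])
        for cmd in mirror_commands(proj["ssh_url_to_repo"], proj["path"], target):
            print(" ".join(cmd))
```

In a real run, `gitlab_projects(url, token)` replaces SAMPLE_PROJECTS and `migrate()` is called per selected project; the token should come from an environment variable or a secrets store rather than a command-line argument, since argv is visible to other users on the host.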

For the AWS CodeCommit, CodePipeline, and CodeBuild – following best practices – I use CloudFormation templates that allow me to automate the creation of resources.

The Amazon Chime notifications are optional and are set up using a serverless Lambda function triggered by CloudWatch Events rules.
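The notification path described above, as an added example rather than the project's own Lambda function: a handler that receives the CodeCommit repository and pull request state-change events a CloudWatch Events rule delivers, formats a short message, and posts it to an Amazon Chime webhook. The event field names follow the CodeCommit event samples in the CloudWatch Events documentation as I recall them and should be checked against your own rule's output; the sample events and the CHIME_WEBHOOK_URL environment variable name are constructed for this example. Unknown event types are ignored rather than forwarded, and the webhook URL is treated as a secret (read from the environment, never logged).

```python
"""Added example (not the project's Lambda): CodeCommit event -> Amazon Chime webhook."""
import json
import os
import urllib.request
from typing import Optional

# detail-type values emitted by CodeCommit for pushes and pull requests (as documented).
REPO_EVENT = "CodeCommit Repository State Change"
PR_EVENT = "CodeCommit Pull Request State Change"


def format_message(event: dict) -> Optional[str]:
    """Return the chat text for a supported event, or None for anything else.
    Only fields carried by the event are echoed; nothing is fetched or expanded."""
    detail_type = event.get("detail-type")
    d = event.get("detail", {})
    if detail_type == PR_EVENT:
        repo = ",".join(d.get("repositoryNames", []))  # PR events carry a list
        return (f"[{repo}] pull request #{d.get('pullRequestId', '?')} "
                f"{d.get('event', 'unknown')}: {d.get('title', '')} "
                f"(by {d.get('author', '?')})")
    if detail_type == REPO_EVENT:
        ref = f"{d.get('referenceType', 'ref')} {d.get('referenceName', '?')}"
        commit = (d.get("commitId") or "")[:8]
        return f"[{d.get('repositoryName', '?')}] {d.get('event', 'unknown')}: {ref} at {commit}"
    return None


def handler(event: dict, context=None) -> dict:
    """Lambda entry point. Posts to the Chime webhook only for recognised events."""
    text = format_message(event)
    if text is None:
        return {"posted": False}
    url = os.environ["CHIME_WEBHOOK_URL"]  # secret: keep out of code and logs
    body = json.dumps({"Content": text}).encode("utf-8")
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {"posted": True, "status": resp.status}


# Constructed sample events, shaped like the documented CodeCommit events.
SAMPLE_PUSH = {
    "detail-type": REPO_EVENT,
    "detail": {"event": "referenceUpdated", "repositoryName": "sample-project",
               "referenceType": "branch", "referenceName": "master",
               "commitId": "0123456789abcdef0123456789abcdef01234567"},
}
SAMPLE_PR = {
    "detail-type": PR_EVENT,
    "detail": {"event": "pullRequestCreated", "repositoryNames": ["sample-project"],
               "pullRequestId": "7", "title": "Add buildspec",
               "author": "arn:aws:iam::123456789012:user/dev"},
}
SAMPLE_OTHER = {"detail-type": "Scheduled Event", "detail": {}}

if __name__ == "__main__":
    for ev in (SAMPLE_PUSH, SAMPLE_PR, SAMPLE_OTHER):
        print(format_message(ev))
```

The CloudWatch Events rule that feeds this function should match on `source: aws.codecommit` and the specific repository ARN so that a rule in one account cannot be triggered by events from repositories it was not meant to cover.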

Walkthrough

Requirements

I wrote and tested the solution in Python 3.6 and assume pip and git are installed. Python 2 is not supported.

The GitLab version that we migrated off of and tested against was 10.5. I expect the script to work fine against other versions that support REST calls as well, but didn’t test it against those.

Prerequisites

For this walkthrough, you should have the following prerequisites:

  1. An AWS account
  2. An EC2 instance running Linux with access to your GitLab environment, or a laptop or desktop running macOS or Linux. The solution has not been tested on Windows/Cygwin.
  3. Git installed.
  4. AWS CLI installed.

Setup

  1. Run a pip install on a command line: pip install gitlab-to-codecommit-migration
  2. Create a personal access token in GitLab (instructions)
  3. Configure ssh-key based access for your user in GitLab (Create and add your SSH public key in GitLab Docs)
  4. Set up your AWS account for CodeCommit following Setup Steps for SSH Connections to AWS CodeCommit Repositories on Linux, macOS, or Unix. You can use the same SSH key for both GitLab and AWS.
  5. Set up your ~/.ssh/config to have one entry for the GitLab server and one for the CodeCommit environment. Example:
    Host my-gitlab-server-example.com
      IdentityFile ~/.ssh/<your-private-key-name>
    
    Host git-codecommit.*.amazonaws.com
      User APKEXAMPLEEXAMPLE-replace-with-your-user
      IdentityFile ~/.ssh/<your-private-key-name>

    This way the git client uses the key for both domains and the correct user. Make sure to use the SSH key ID and not the AWS Access key ID.

  6. Configure your AWS Command Line Interface (AWS CLI) environment; the script relies on it for the CloudFormation stack creation step. For setup instructions, see Configuring the AWS CLI.
  7. When executing the script on a remote server on AWS or in your data center, use a terminal multiplexer like tmux.
  8. If you migrate more than 33 repositories, you should check the CloudWatch Events limit, which has a default of 100 rules: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/cloudwatch_limits_cwe.html. The link to increase the limits is on the same page. The setup uses CloudWatch Events rules to trigger the pipeline (one rule) and notifications to Amazon Chime (two rules), for a total of three CloudWatch Events rules per pipeline.
  9. For even larger migrations of more than 200 repos you should check CloudFormation limits, which default to max 200 (aws cloudformation describe-account-limits), CodePipeline has a limit of 300 and CodeCommit has a default limit of 1000, same as the CodeBuild limit of 1000. All the limits can be increased through a support ticket and the link to create it is on the limits page in the documentation.

Migrate

After you have set up the environment, I recommend testing the migration with one sample project. On a command line, type

gitlab-to-codecommit --gitlab-access-token youraccesstokenhere --gitlab-url https://yourgitlab.yourdomain.com --repository-names namespace/sample-project

It will take around 30 seconds for the CloudFormation template to create the AWS CodeCommit repository and the AWS CodePipeline and deploy the Lambda function. While deploying or when you are interested in the setup you can check the state in the AWS Management Console in the CloudFormation service section and look at the template.

Example screenshot: AWS CloudFormation stack creation output for the migration stack

The time it takes to push the code depends on the size of your repository. Once you see this running successfully, you can continue to push all or a subset of projects.


gitlab-to-codecommit --gitlab-access-token youraccesstokenhere --gitlab-url https://gitlab.yourdomain.com --all

I also included a script to set repositories to read-only in GitLab, because once you have migrated to CodeCommit this is a good way to stop users from still pushing to the old remote in GitLab.


gitlab-set-read-only --gitlab-access-token youraccesstokenhere --gitlab-url https://gitlab.yourdomain.com --all

Cleaning up

To avoid incurring future charges for test environments, delete the resources by deleting the CloudFormation stacks: account-setup and the stack for the repository you created.

The CloudFormation template sets DeletionPolicy: Retain on the CodeCommit repository to avoid accidentally deleting the code when the CloudFormation stack is deleted. If you want to remove the CodeCommit repository as well at some point, you can change the default behavior or delete the repository through the API, CLI, or Console. During testing I would sometimes fail the deployment of a template because I hadn’t deleted the CodeCommit repository after deleting the CloudFormation stack. For migration purposes you will not run into this issue, and you will not delete a CodeCommit repository by mistake when deleting a CloudFormation stack.

In order to delete the repository use the AWS Management Console and select the AWS CodeCommit service. Then select the repository and click the delete button.

Example screenshot: Delete AWS CodeCommit repository from the AWS Management Console

Conclusion

This blog post showed how to migrate repositories to AWS CodeCommit from GitLab and set up a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild.

The source code is available at https://github.com/aws-samples/gitlab-to-codecommit-migration

Please create issues or pull requests on the GitHub repository when you have additional requirements or use cases.

re:Invent 2019 guide to AWS Cryptography sessions, workshops, and chalk talks at AWS

Post Syndicated from Phil Lin original https://aws.amazon.com/blogs/security/reinvent-2019-guide-to-aws-cryptography-sessions-workshops-and-chalk-talks-at-aws/


AWS re:Invent 2019 is just over a week away! We have many Security, Identity, and Compliance sessions, and this is a post about AWS Cryptography-related breakout sessions, workshops, builders sessions, and chalk talks at AWS re:Invent 2019.

The AWS Cryptography mission is to help you get encryption right. We build tools that help you navigate this process, whether we’re helping you secure the encryption keys that you use in algorithms or the certificates used in asymmetric cryptography.

AWS Certificate Manager

SEC218-R – Deploying private certificates using ACM Private CA
Organizations are looking at projects requiring a private certificate infrastructure like service meshes for microservices, full path encryption of traffic, device manufacturing, and app development and deployment. In this session, we discuss how to deploy AWS Certificate Manager Private Certificate Authority to provide certificate infrastructure and walk through a few examples of projects like these. During the session, learn how to build a CA hierarchy, choose the correct CA templates, configure IAM permission options, and manage certificate lifecycle. Participants will be able to apply these lessons and use cases to their own PKI infrastructure to accelerate their projects. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Chalk Talk
Todd Cignetti, Josh Rosenthol

SEC314-R – Building and operating a private certificate authority on AWS
In this workshop, we cover private certificate management on AWS employing the concepts of least privilege, separation of duties, monitoring for privileged actions, and automation. You learn operational aspects of creating a complete certificate-authority (CA) hierarchy, building a simple web app, and issuing a private certificate. You learn how job functions—including CA admins, application developers, and security admins—can follow the principle of least privilege to perform various functions associated with certificate management. The workshop includes quizzes throughout with information to enhance your understanding of the AWS Certificate Manager Private Certificate Authority capability. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Workshop
Ram Ramani

AWS CloudHSM

SEC305-R – Achieving security goals with AWS CloudHSM
In this talk, we compare AWS CloudHSM with other AWS cryptography services for common use cases. We dive deep on how to build scalable, reliable workloads with CloudHSM, and we teach you how to configure the service for performance, error resilience, and cross-region redundancy. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Session
Avni Rambhia

SEC406-R – Deep dive on AWS CloudHSM
Organizations building applications that handle confidential or sensitive data are subject to many types of regulatory requirements. They also often rely on hardware security modules (HSMs) to provide validated control of encryption keys and cryptographic operations. AWS CloudHSM is a cloud-based HSM that enables you to easily generate and use your own encryption keys on the AWS Cloud using FIPS 140-2 Level 3 validated HSMs. In this talk, we demonstrate best practices in configuring and scaling your CloudHSM cluster, implementing cross-region disaster recovery, and optimizing throughput. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Chalk Talk
Rohit Mathur, Avni Rambhia

AWS Key Management Service

SEC340-R – Using AWS KMS for data protection, access control, and audit
This session focuses on how customers are using AWS Key Management Service (AWS KMS) to raise the bar for security and compliance with their workloads. Along with a detailed explanation of how AWS KMS fits into the AWS suite of services, we walk you through popular and sophisticated examples of how AWS KMS can be deployed in the context of access control, separation of duties, data protection, and auditability. We also cover the latest developments in AWS KMS functionality that will further expand the range of use cases to include additional cryptographic capabilities and system integrations. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Session
Raj Copparapu, Peter O’Donnell

SEC322-R – Deep dive into AWS KMS
In this session, learn the dos and don’ts of using AWS Key Management Service (AWS KMS). We cover topics such as envelope encryption, encryption context, and permissions. We also dig into common scenarios that customers encounter. At the end of this presentation, you leave with a working knowledge of how to use the permissions and authorization systems built into AWS KMS and with an understanding of how to appropriately encrypt data using AWS KMS. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Chalk Talk
Paul Radulovic, Jim Irving

SEC337 – Toyota Motor North America: Securing the cloud with AWS KMS
Imagine being tasked with collecting, analyzing, and securing data from hundreds of sources around the world, in multiple cloud and on-premises environments. Toyota Motor North America, along with Booz Allen Hamilton, has created a secure, cloud-native solution to analyze billions of messages per day using AWS Key Management Service (AWS KMS). We discuss how AWS KMS with AWS native services provides granular access and secures corporate assets with data segregation using AWS KMS encryption. Toyota uses AWS Glue, Amazon Athena, and Amazon SageMaker to generate actionable intelligence in its corporate IT and vehicle telematics environments to solve its business and analytics challenges.

Session
Raj Copparapu, Matthew Costello (Booz Allen Hamilton), Kell Rozman (Toyota)

SEC401-R – Using the AWS Encryption SDK for multi-master key encryption
In this workshop, learn the basics of client-side encryption, perform encrypt/decrypt operations using AWS Key Management Service (AWS KMS) and the AWS Encryption SDK, and discuss security and performance considerations when implementing client-side encryption in your software. We cover the basic challenges of this domain: a best practice for protecting data end-to-end with client-side encryption; KMS-style services and their uses, including AWS KMS; the open-source, open-format AWS Encryption SDK; and considerations for advanced integrations, such as performance trade-offs and high-availability strategies. All attendees need a laptop, an active AWS account, an AWS IAM administrator, and familiarity with core AWS services. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Workshop
Liz Roth, Jamie Angell

AWS Secrets Manager

SEC354-R – How the BBC uses AWS Secrets Manager to manage secrets
Join this chalk talk to hear from the BBC about their journey adopting AWS Secrets Manager for managing the lifecycle of their secrets such as database passwords, API keys, and third-party keys. In this session, you learn the key features and benefits of Secrets Manager and what factors to consider while adopting Secrets Manager across your enterprise. You will also learn how the BBC chose to go all in on Secrets Manager to meet their secrets management needs. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Chalk Talk
Divya Sridhar, Andrew Carlson

SEC302-R – DevSecOps: Integrating security into pipelines
In this workshop, you practice running an environment with a test and production deployment pipeline. Along the way, we cover topics such as static code analysis, dynamic infrastructure review, and workflow types. You also learn how to update your process in response to security events. We write new AWS Lambda functions and incorporate them into the pipeline, and we consider capabilities such as AWS Systems Manager Parameter Store and AWS Secrets Manager. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Workshop
Jonathan VanKim, Nathan Case

GPSTEC418-R – Securing your .NET container secrets
Although this Global Partner Summit builders session is open to anyone, it is geared toward current and potential AWS Partner Network Partners. As customers move .NET workloads to the cloud, many start to consider containerizing their applications because of the agility and cost savings that containers provide. Combine those compelling drivers with the multi-OS capabilities that come with .NET Core, and customers have an exciting reason to migrate their applications. A primary question is how they can safely store secrets and sensitive configuration values in containerized workloads. In this builders session, learn how to safely containerize an ASP.NET Core application while leveraging services like AWS Secrets Manager and AWS Fargate. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Builders Session
Carmen Puccio

MOB318-R – AWS AppSync does that: Support for alternative data sources
AWS AppSync supports a number of data sources out of the box, but can also support a variety of alternative data sources, including Amazon ElastiCache and Amazon Neptune. During this chalk talk, we discuss how to GraphQL-ify subscriptions to alternative data sources, including AWS services such as AWS Secrets Manager and AWS Step Functions. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Chalk Talk
Josh Kahn, Sarah Vine

Other cryptography-related sessions you might be interested in

AIM327 – Security for ML environments with Amazon SageMaker, featuring Vanguard
Amazon SageMaker is a modular, fully managed platform that enables developers and data scientists to quickly and easily build, train, and deploy machine learning models at any scale. In this session, we dive deep into the security configurations of Amazon SageMaker components, including notebooks, training, and hosting endpoints. A representative from Vanguard joins us to discuss the company’s use of Amazon SageMaker and its implementation of key controls in a highly regulated environment, including fine-grained access control, end-to-end encryption in transit, encryption at rest with customer master keys (CMKs), private connectivity to all Amazon SageMaker API operations, and comprehensive audit trails for resource and data access. If you want to build secure ML environments, this session is for you.

Session
Ilya Epshteyn, Ritesh Shah

CMP335 – Streamlining Amazon EC2 instance provisioning and management
Provisioning and managing instances is fundamental to creating a secure, scalable environment for your application. This session guides you through recommended practices for selecting instance types, provisioning resources, connecting to instances, building automation and governance, and monitoring and optimizing instance usage for your workloads. Learn how to move seamlessly from a proof of concept to an automated production environment using launch templates and newly launched features. We also cover some best practices and share tips on how you can simplify your instance launch experience.

Chalk Talk
Saloni Sonpal, Laura Thomson

CON205-R – Deploying applications using Amazon EKS
Amazon Elastic Kubernetes Service (Amazon EKS) makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. In this hands-on workshop, we cover how to set up Amazon EKS to run common production applications, including how to build a deployment pipeline, perform code updates and rollbacks with health checks, run batch workloads, set up load balancing, and manage secrets. This is the second of three workshops for running Kubernetes on AWS. Come prepared to build with a laptop; AWS credits are provided. (Note that this session is repeated three more times during the week and the additional session(s) is denoted with a suffix of “-R1, -R2, -R3”.)

Workshop
Michael Hausenblas, Theodore Salvo

DAT303 – Data security best practices on Amazon DynamoDB
In this session, learn about the security features built into Amazon DynamoDB and how you can best use them to protect your data. We show you how customers are using the available options for controlling access to their tables and the content stored within those tables. We also show you how customers are protecting the contents of their tables with encryption, and how they monitor access to their data.

Chalk Talk
Somu Perianayagam, Padma Malligarjunan

DOP409-R – Faster Cryptography in Java with Amazon Corretto Crypto Provider (ACCP)
In this session, learn how to integrate Amazon Corretto Crypto Provider (ACCP) into a sample Java application, which will significantly speed up the common cryptographic algorithms that are being performed. Then use Amazon CloudWatch to measure how ACCP improves both the latency and the throughput of the sample application. Please bring your laptop. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Builders Session
Petr Praus

MGT406-R – Eliminate bastion hosts with AWS Systems Manager Session Manager
AWS Systems Manager Session Manager improves a customer’s security posture for instance access with a browser-based and CLI interactive shell experience that requires no open inbound ports or access/jump servers, and enables customer key encryption using AWS KMS. With IAM access control, sessions audited using AWS CloudTrail, and session output logged to Amazon S3 or Amazon CloudWatch Logs, Session Manager makes it easy to control and secure access to instances in operational scenarios while complying with corporate policies and security best practices. Dive deep with the Session Manager team to see how it works for Linux or Windows instances, in the cloud, or on-premises. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Builders Session (various speakers, each with 1 session)
Spiros Liolis, Nitika Goyal

SEC205-R – The fundamentals of AWS cloud security
The services that make up AWS are many and varied, but the set of concepts you need to secure your data and infrastructure is simple and straightforward. By the end of this session, you know the fundamental patterns that you can apply to secure any workload you run in AWS with confidence. We cover the basics of network security, the process of reading and writing access management policies, and data encryption. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Session
Becky Weiss

SEC319-R – Deep dive on security in Amazon S3
At AWS, security is our top priority, and Amazon Simple Storage Service (Amazon S3) provides some of the most advanced data-security features available in the cloud today to help you mitigate security risks. In this chalk talk, learn directly from the AWS engineering team that builds and maintains Amazon S3 security functionality such as encryption, block public access, and much more. Bring your feedback, questions, and expertise to discuss innovative ways to ensure that your data is available only to the users and applications that need it. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)

Chalk Talk
Sam Parmett, Felix Davis

SEC348-R – Protecting sensitive data in your AWS workloads
As you start moving your data to AWS, you want to employ the appropriate controls and mechanisms to protect it. In this builders session, learn how to protect data on AWS using services such as AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), AWS CloudHSM, and AWS Secrets Manager. In particular, learn about data protection best practices that you can incorporate into your AWS architecture and use in the pursuit of your security and compliance objectives. (Note that this session is repeated three more times during the week and the additional session(s) is denoted with a suffix of “-R1, -R2, -R3”.)

Builders Session (various speakers, each with 1 session)
Ben Eichorst, Nigel Harris, Somasundaram Subbu, Soumya Sagiri

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Phil Lin

Phil Lin is a Senior Manager, Product Marketing for Security, Identity, and Compliance. Outside of work you’ll find him enjoying time with his wife and kids, reading the occasional fix-it-yourself book, and finally learning D&D with his kids.

AWS Security Profiles: Dan Plastina, VP of Security Services

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-dan-plastina-vp-security-services/

In the weeks leading up to re:Invent 2019, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do as the VP of Security Services?

I’ve been at Amazon for just over two years. I lead the External Security Services organization—our team builds AWS services that help customers improve the security of their workloads. Our services include Amazon Macie, Amazon GuardDuty, Amazon Inspector, and AWS Security Hub.

What drew me to Amazon is the culture of ownership and accountability. I wake up every day and get to help AWS customers do things that transform their world—and I get to do that work with a whole bunch of people who feel the same way and take the same level of ownership. It’s very energizing.

What’s your favorite part of your job?

That’s hard! I love most aspects of my job. Forced to pick one, I’d have to say my favorite part is helping customers. Our Shared Responsibility Model says that AWS is accountable for the security of AWS, and customers are responsible for the resources and workloads they manage in AWS. My job allows me to sit on the customer side of the shared responsibility model. Our team builds the services that help customers improve the security of their workloads on AWS. Being able to help in that way is very rewarding.

One of Amazon’s widely-known leadership principles is Customer Obsession. Can you speak to what that looks like in the context of your work?

Being customer obsessed means that you’re in tune with the needs of the customer you’re working with. In the case of external security services, “customer obsessed” requires you to deeply understand what it means for individual customers to protect their assets in AWS, to empathize with those needs, and then to help them figure out how to get from where they are, to where they want to be. Because of this, I spend a lot of time with customers.

Our team participates in many in-person executive customer briefings. We hold a lot of conference calls. I’m flying to the UK on Monday to meet with customers—and I was there three weeks ago. I’ve spent over six weeks this fall traveling to talk with customers. That much travel time can be hard, but it’s necessary to be in front of customers and listen to what they tell us. I’m fortunate to have a really strong team and so when I’m not traveling, I’m still able to spend a lot of time thinking about customer needs and about what my team should do next.

You’re on an elevator packed with CISOs, and they want you to explain the difference between Security Hub, GuardDuty, Macie, and Inspector before the doors open. What do you say?

First, I would tell them that the services are best understood as a suite of security services, and that AWS Security Hub offers a single pane of glass [Editor: a management tool that integrates information and offers a unified view] into everything else: Use it to understand the severity and sensitivity of findings across the other services you’re using.

Amazon GuardDuty is a continuous security monitoring and threat detection service. You simply choose to have it on or off in your AWS accounts. When it’s enabled, it detects highly suspicious activity and unauthorized access across the entirety of your AWS workloads. While GuardDuty alerts you to potential threats, Amazon Inspector helps you ensure that you address publicly known software vulnerabilities in a timely manner, removing them as a potential entry point for unauthorized users. Amazon Macie offers a particular focus on protecting your sensitive data by giving you a highly scalable and cost effective way to scan AWS for sensitive data and report back what is found and how it is being protected with access controls and encryption.

Then, I’d invite the entire elevator to come to re:Invent, to learn more about the new work my team is doing.

What can you tell us about your team’s re:Invent plans?

We have some exciting things planned for re:Invent this year. I can’t go into specifics yet, but we’re excited about it. A lot of my team will be present, and we’re looking forward to speaking with customers and learning more about what we should work on for next year.

We’ve got a variety of sessions about Security Hub, GuardDuty, and Inspector. If you can only make it to three security-specific sessions, I recommend Threat management in the cloud (SEC206-R), Automating threat detection and response in AWS (SEC301-R), and Use AWS Security Hub to act on your compliance and security posture (SEC342-R).

Is there some connecting thread to all of the various projects that your teams are working on right now?

I see a few threads. One is the concept of security being priority zero. It’s a theme that we live by at AWS, but customers ask us to stretch a little bit further and include their workloads in our security considerations. So workload security is now priority zero too. We’re spending a lot of time working that out and looking for ways to improve our services.

Another thread is that customers are asking us for prescriptive guidance. They’re saying, “Just tell me how I can ensure that my environment is safe. I promise you won’t offend me. Guide me as much as you can, and I’ll disregard anything that isn’t relevant to my environment.”

What’s one currently available security feature that you wish more customers were aware of?

A service, not a feature: AWS Security Hub. It has the ability to bring together security findings from many different AWS, partner, and customer security detection services. Security Hub takes security findings and normalizes them into our Amazon Security Findings Format, ASFF, and then sends them all back out through Amazon CloudWatch events to many partners that are capable of consuming them.

I think customers underestimate the value of having all of these security events normalized into a format that they can use to write a Splunk Phantom runbook, for example, or a Demisto runbook, or a Lambda function, or to send it to Rapid7 or cut a ticket in Jira. There’s a lot of power in what Security Hub does and it’s very cost effective. Many customers have started to use these capabilities, but I know that not everyone knows about it yet.
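
The pipeline described in this answer, as an added example that is not part of the interview and not AWS's own code: a CloudWatch Events (EventBridge) rule pattern that routes imported Security Hub findings to a Lambda function, and a handler that reads the ASFF records and turns the ones worth a ticket into a compact payload. The event is a constructed sample shaped like a "Security Hub Findings - Imported" event; its account id, ARNs and titles are placeholders, and the ticket payload format is an assumption of this example rather than any partner's API.

```python
"""Triage Security Hub findings delivered as ASFF through CloudWatch Events.

Added example, not code from the interview or from AWS. SAMPLE_EVENT is a
constructed sample shaped like a "Security Hub Findings - Imported" event:
detail.findings holds a list of ASFF records. Account id, ARNs and titles
are placeholders, not real findings.
"""
import json

# Rule pattern an EventBridge / CloudWatch Events rule would use to send only
# HIGH and CRITICAL imported findings to the handler below.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}

# Constructed sample event: three ASFF findings, only the fields read below.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "findings": [
            {
                "SchemaVersion": "2018-10-08",
                "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLE/finding/EXAMPLE1",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
                "AwsAccountId": "111122223333",
                "Title": "Console login from an unusual location",
                "Severity": {"Label": "HIGH", "Normalized": 70},
                "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111122223333:user/example-user"}],
                "Workflow": {"Status": "NEW"},
                "RecordState": "ACTIVE",
            },
            {
                "SchemaVersion": "2018-10-08",
                "Id": "arn:aws:inspector:us-east-1:111122223333:finding/EXAMPLE2",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
                "AwsAccountId": "111122223333",
                "Title": "Instance is missing an operating system patch",
                "Severity": {"Label": "LOW", "Normalized": 10},
                "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"}],
                "Workflow": {"Status": "NEW"},
                "RecordState": "ACTIVE",
            },
            {
                "SchemaVersion": "2018-10-08",
                "Id": "arn:aws:macie:us-east-1:111122223333:finding/EXAMPLE3",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
                "AwsAccountId": "111122223333",
                "Title": "Bucket contains unencrypted personal data",
                "Severity": {"Label": "MEDIUM", "Normalized": 40},
                "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
                "Workflow": {"Status": "RESOLVED"},
                "RecordState": "ACTIVE",
            },
        ]
    },
}

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def triage_findings(event, minimum="HIGH"):
    """Return one ticket payload per finding that is at or above `minimum`
    severity, still ACTIVE, and not already RESOLVED in the Security Hub
    workflow. Unknown severity labels are treated as INFORMATIONAL."""
    if event.get("source") != "aws.securityhub":
        raise ValueError("not a Security Hub event: %r" % event.get("source"))
    threshold = SEVERITY_RANK[minimum]
    tickets = []
    for finding in event.get("detail", {}).get("findings", []):
        label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
        if SEVERITY_RANK.get(label, 0) < threshold:
            continue
        if finding.get("RecordState") != "ACTIVE":
            continue
        if finding.get("Workflow", {}).get("Status") == "RESOLVED":
            continue
        tickets.append({
            "finding_id": finding["Id"],
            "product": finding["ProductArn"].split("product/", 1)[1],  # e.g. aws/guardduty
            "severity": label,
            "title": finding.get("Title", ""),
            "resources": [r["Id"] for r in finding.get("Resources", [])],
            "account": finding.get("AwsAccountId"),
        })
    return tickets


def lambda_handler(event, context):
    """Lambda entry point: print each ticket payload (a stand-in for calling a
    ticketing or SOAR API) and report how many were raised."""
    tickets = triage_findings(event)
    for ticket in tickets:
        print(json.dumps(ticket))
    return {"ticketed": len(tickets)}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

With the sample event only the GuardDuty finding produces a ticket at the default HIGH threshold; lowering the threshold to LOW adds the Inspector finding, while the Macie finding is skipped either way because its workflow status is already RESOLVED. The rule pattern and the handler's own severity filter overlap on purpose: the rule keeps traffic down, and the handler stays correct if a rule with a looser pattern is pointed at it.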

How do you stay up to date on important cloud security developments across the industry?

I get a lot of insight from customers. Customers have a lot of questions, and I can take these questions as a good indicator of what’s on peoples’ minds. I then do the research needed to get them smart answers, and in the process I learn things myself.

I also subscribe to a number of newsletters, such as Last Week In AWS, that give some interesting information about what’s trending. Reading our AWS blogs also helps because just keeping up with AWS is hard. There’s a lot going on! Listening to the various feeds and channels that we have is very informative.

And then there’s tinkering. I tinker with home automation / Internet of Things projects and with vendor-provided offers such as those provided to me recently by Splunk, Palo Alto, and Check Point. It’s been fun learning partner offerings by building out VLANs, site-to-site tunnels, VPNs, DNS filters, SSL inspection, gateway-level anonymizers, central logging, and intrusion detection systems. You know, the home networking ‘essentials’ we all need.

You’re into riding Superbikes as a hobby. What’s the appeal?

I ride fast bikes on well-known race tracks all around the US several times a year. I love how speed and focus must come together. Going through different corners requires orchestrating all kinds of different motor and mental skills. It flushes the brain and clears your thoughts like nothing else. So, I appreciate the hobby as a way of escaping from normal day-to-day routine. Honestly, there’s nothing like doing 160 mph down a straightaway to teach you how to focus on what is needed, now.

You’re originally from Montreal. What’s one thing a visitor should eat on a trip there?

Let me give you two, eh. If you find yourself in a small rural Quebec restaurant, you must have poutine, the local ‘delicacy’. If you find yourself downtown, near my alma mater Concordia University, you must enjoy our local student staple, Kojax. That said, it’s honestly hard to make a mistake when you’re eating in Montreal. They have a lot of good food there.

Want more AWS Security news? Follow us on Twitter.

The AWS External Security Services team is hiring! Want to find out more? Check out our career page.

Dan Plastina

Dan is Vice President, Head of Security Services for Amazon Web Services (AWS). He’s most often seen working alongside his team leaders on product design, management, and engineering development efforts to enable business and government customers to secure themselves when using AWS. He has travelled extensively, meeting C-suite and security leaders at all corners of the globe.

AWS Security Profiles: Sarah Cecchetti, Principal Product Manager, Amazon Cognito

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-sarah-cecchetti-principal-product-manager-amazon-cognito/


In the weeks leading up to re:Invent 2019, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


What do you do in your current role at AWS?

I’m an identity nerd! I think most login experiences are terrible today, especially passwords. The login experience is very important. It’s usually the first way that consumers interact with companies directly and far too often it’s frustrating and off-putting. My job as principal product manager for Amazon Cognito is to build products that make that experience easy and secure. Cognito is the front door to many of the brands you use on the internet today.

How did you enter the IAM field?

I was a full-stack developer for many years before I was recruited to the University of Washington’s Identity and Access Management (IAM) team. I knew nothing about IAM, but they were happy to train me. Because the team built and maintained a lot of their own tools, “growing up” on it helped me master the subject quickly. The team sent me to some Identity and Access Management conferences, and I loved the community and the people so much that I used my vacation time and my own money to go to more conferences.

As I was establishing myself in the field, I met lots of identity teams who were struggling to find more people to bring on. There are no formal training programs for Identity and Access Management. They asked me to consider consulting in addition to my day job, and I did (and called my company Engage Identity because I have an unhealthy obsession with Captain Picard, who always says Engage!). It did so well that I eventually turned the consulting role into my full-time job.

I later accepted an offer from Ping Identity, a company that makes cloud and on-premises identity software. I continued to go to a lot of conferences but was getting tired of the travel. About this time, I had lunch with Darin McAdams (principal engineer on AWS Identity), who told me about Jim Scharf, the new VP of Identity at AWS, who was making some big team investments. Darin suggested I come talk about an open position, and I was amazed by how smart and hardworking the people I met were, and how quickly they were building things. The level of productivity at AWS is just shocking. I joined AWS this past February.

What’s the most useful piece of career advice you’ve ever received?

I have a quote on my office wall from Albert Einstein that’s provided a lot of inspiration: Try to become not a man of success, but try rather to become a man of value. If you talk to the people who started AWS, you’ll find that they didn’t do it because they thought it would make them rich and famous. They did it because they hoped the service would be valuable to lots of people. When you face decision points in your career, it’s tempting to take the path that looks like it will make you “successful.” The truth about success is unintuitive. In order to achieve success in your career, you actually have to focus on making other people successful—on providing so much value that people come to rely on the work you’ve done. That’s why the Amazon leadership principles focus so much on customer obsession and delivering results. We wouldn’t be where we are today if our leadership principles were “make money” and “get famous.”

The Amazon leadership principle “Are right, a lot” can be a source of anxiety—can you share your take on what it means and why it matters?

A lot of people think that “Are right, a lot” means that AWS hires geniuses, pundits, and people who have very high opinions of themselves—people who think they’re constantly right about everything. That’s the exact opposite of what this leadership principle is about. The description says that leaders should work to disconfirm our own beliefs and seek out the opinions of other people.

Diversity is the driving force behind “Are right, a lot.” If you’re a leader at Amazon, your job is to create a diverse team that will call you out when you’re wrong. Part of being “right, a lot” involves learning how to be wrong. It forces you to start thinking two steps ahead of your team, and then two steps ahead of customers from all over the world, from all sorts of backgrounds. If your team is all the same, and you think about technology systems in the same way, your product will never be good enough to meet the security needs of all of your customers.

Can you talk about some of the recent enhancements to IAM that you’re excited about?

Recently, the AWS Identity team has been doing more work at the multi-account level. Customers can have hundreds or even thousands of AWS accounts, and figuring out how to secure that many accounts is the sort of thing that can keep you up at night. So we’re increasingly focused on building tools that allow you to secure multiple accounts at once.

For example, we now have service control policies that you can set at an organizational level. You can say, I want all of these accounts to have AWS CloudTrail turned on, and I want to make sure none of these accounts can turn it off. If an unauthorized user gains access to an account, the first thing they’ll try to do is turn off logging. When we asked, What’s one thing that can help customers with thousands of accounts sleep better at night? the answer was, Make it so people can’t turn off logging.
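
The organization-level guardrail described in this answer, as an added example that is not part of the interview and not AWS's own code: a service control policy that explicitly denies the CloudTrail API calls that would stop, delete or reconfigure a trail in every account it is attached to, plus a small local evaluator so the effect on a given action can be checked without an AWS account. The action names and the `aws:PrincipalArn` / `ArnNotLike` condition syntax are real; the statement Sid, the break-glass role name and the account id are constructed placeholders, and the evaluator is a deliberate simplification of IAM policy evaluation, not the real engine.

```python
"""Service control policy (SCP) that keeps AWS CloudTrail logging on.

Added example, not code from the interview or from AWS. The policy document
uses real CloudTrail API action names and real IAM condition syntax; the Sid,
the break-glass role name and the account id are constructed placeholders.
The evaluator below is a simplification of IAM policy evaluation.
"""
import fnmatch
import json

# Attach this to the organization root or an OU: every account underneath is
# then unable to stop, delete or reconfigure trails, even with full IAM
# administrator rights inside that account. One central role is exempted so
# the security team can still make controlled changes.
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    # Constructed role name: the one principal allowed through.
                    "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlass"
                }
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action and condition values."""
    return [value] if isinstance(value, str) else list(value)


def _condition_holds(condition, principal_arn):
    """Evaluate the only operators this example supports: ArnLike and
    ArnNotLike on aws:PrincipalArn (glob matching approximates IAM's ARN
    matching). A statement with no Condition block always applies."""
    if not condition:
        return True
    for operator, keys in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError("operator %s not modelled here" % operator)
        patterns = _as_list(keys.get("aws:PrincipalArn", []))
        matched = any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns)
        if operator == "ArnLike" and not matched:
            return False
        if operator == "ArnNotLike" and matched:
            return False
    return True


def scp_permits(policy, action, principal_arn):
    """True if the SCP does not explicitly deny `action` for `principal_arn`.

    Simplification: an SCP can only take permissions away, and the default
    FullAWSAccess SCP is assumed to remain attached, so anything not hit by a
    Deny statement passes the SCP check. Whether the call then succeeds still
    depends on the IAM policies inside the account. Action names are matched
    case-insensitively with IAM's '*' and '?' wildcards.
    """
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        actions = _as_list(statement["Action"])
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            continue
        if _condition_holds(statement.get("Condition"), principal_arn):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(PROTECT_CLOUDTRAIL_SCP, indent=2))
    developer = "arn:aws:iam::111122223333:role/Developer"
    print("Developer may StopLogging:", scp_permits(PROTECT_CLOUDTRAIL_SCP, "cloudtrail:StopLogging", developer))
```

Pairing the Deny with a single exempt role keeps the guardrail from locking the organization out of its own trails while still making "turn off logging" impossible for an ordinary administrator in a member account. Read-only CloudTrail calls such as `cloudtrail:DescribeTrails` are untouched, and because SCPs do not apply to the management account itself, the trail should live in a separate account under an OU the policy covers.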

You’re doing a Leadership session on AWS Identity at re:Invent with Jim Scharf. What do you plan to cover?

We’ll announce a lot of new releases at the session. We’ve been building new services for our customers, and during the session, we’ll be pairing these releases with themes that we’ve seen in the industry.

For example, one really broad theme is interoperability. Think of the IAM industry as a student getting graded in kindergarten: We’re pretty good at keeping our hands and feet to ourselves. We’re pretty good at responding to questions. But we’re absolutely terrible at playing well with others. As an industry, IAM does not play well with others. When our customers try to integrate AWS with Microsoft, Google, or Apple, it’s a frustrating experience. We know that to make it less frustrating, we have to work with our peers in the industry. We have to say, It’s not important what product customers are using, or what cloud they’re using. What’s important is that they have a great experience. Identity experiences can be especially painful because “identity” isn’t what customers are trying to do. It’s not the end goal. Identity is the process you have to go through to get into the system that actually allows you to do your work. When we get in the way of that, it’s a uniquely terrible customer experience. And so, it’s our job to make these systems work together in a simple way that’s easy for our customers.

During your time as a consultant, you worked with NIST to rewrite identity guidelines for US federal agencies. Can you talk to us about this work, and why it was important?

So, NIST is the National Institute of Standards and Technology. NIST was founded in 1901 with a mission to measure things. For example, how long is a second? How much is a gallon? How heavy is a kilogram? These standards allow for fair competition in a free market. Well, now it’s the twenty-first century, and NIST is answering questions like how secure is a given digital identity system? A few years back, I got to work for NIST to rewrite the digital identity guidelines for the federal government. We actually transformed the way the government measures identity, which was really amazing.

When NIST first created digital identity guidelines, they only provided one measure of security: a system could achieve a “level of assurance” on a scale of 1 to 4, and that rating had to do with identity proofing (how well you know who a person is), and authentication (how secure the person is in terms of logging in).

What we found during the process of revising these guidelines is that there are a bunch of use cases where the organization shouldn’t know who the person is when they log in—maybe the person is a political dissident, or a spy, or just a “normal” person who wants to protect their own privacy. But those people still need a high level of security. So we needed a way for organizations to verify that this person logging in is the same person who created the account, without needing to see their photo ID or verify their documentation, or even verify their email address.

So we recreated the guidelines to separate those two measures. Instead of having a single “1 to 4” scale of how secure you are, there are now three scales—how well do we know who you are, how secure is your authentication, and then if you’re going to cross between two different systems, how secure is that federation?

You co-founded an organization called IDPro. What led you to found it, and what should people know about it?

The idea for IDPro stemmed from all the time I spent at IAM conferences. Industry folks would have fascinating productive conversations at those conferences but there wasn’t really a forum for discussions outside of that. Security has professional organizations, like ISACA. Privacy has a professional organization, IAPP. But there was nothing for Identity.

So I worked with Ian Glazer, one of the heads of identity at Salesforce, and together we founded IDPro. We wanted to create a grassroots movement, so we got people to join first, and later went looking for corporate sponsors. IDPro is a good way for people who are new to Identity and Access Management to learn from people who have been in the field for years. We now also support a big conference each year called Identiverse.

One of the first things we did when we started the organization was to survey identity professionals. Most of the people who took the survey had more than ten years of experience in the field. We asked how long it took them to feel proficient in IAM (because everyone learns it on the job—it’s the only way to learn IAM). The most common response was ten to fifteen years. And the next most common response was I still don’t feel proficient. As a person who loves identity and access management and wants more people to become identity nerds, those responses broke my heart.

The responses reflected a very real problem. There’s just not enough educational material out there about identity. So we looked to other professional organizations, specifically to the field of project management, for inspiration. In 1996, a group of project management professionals built a body of knowledge that outlined methodologies like waterfall and agile, and tools like stand-ups and kanban boards. Most technology professionals know these words now because back in the 90s that industry deliberately built that body of knowledge. So we began gathering a group of volunteers to build a similar body of knowledge for IAM. Some of our corporate sponsors then asked if we could build a certification, too. We’re working on creating both of those things now. It’s the most ambitious project any of us have ever taken on.

Do you think identity products will be able to replace firewall products in the next five years?

In my opinion, not completely. That said, we’re finding that whether you’re inside or outside a firewalled network is a really weak indicator of whether or not you’re an attacker.

We used to think security was all about the network: The network is the castle, and we had to defend the castle. The people inside the castle were “good,” and the people outside the castle were “bad.” But that’s simply not accurate. Security isn’t just about keeping outsiders out. Legitimate users work from all sorts of devices all over the world. But people with malicious intentions can sometimes find their way onto secure networks. For these reasons, many security professionals are coming around to the idea that identity is the new perimeter. We’re realizing that the key to separating the legitimate users from the unauthorized users is very secure authentication. By secure, I mean things like 2-factor authentication. A factor might be something you know, like a password; something you have, like a YubiKey; or something you are, like a fingerprint. Two-factor authentication requires two of those three things.

The other part of identity that’s important to this “secure authentication” story is access management. You should have access to the things you need to do your job—not more, not less. The AWS Identity team is working on intelligence tools that give administrators the ability to see what roles a person used, what resources they’ve accessed, and what type of work they’re doing, so that admins can confidently scope their users’ permissions to the actions they actually perform. This is called “the principle of least privilege.” And it’s hard. People change jobs, they need to do certain tasks only once a year, or they need access to systems that most people in their role wouldn’t need access to. It’s a complicated problem but it’s one that’s important to solve for the future of the industry.

In your opinion, what’s the biggest challenge facing Identity right now?

Recruiting and education. It’s really hard to get people in the door. The field is exciting. It’s incredibly challenging and provides a lot of value. But it’s hard to explain Identity and Access Management to people so that they know exactly what they’re signing up for. It’s a very wide and very deep field. And once people are in the door, we have to help them figure out how the whole thing works—ideally without needing to spend ten to fifteen years on it.

You sing soprano in an award-winning choir. Tell us about that.

I sing in a choir called Opus 7. One of the things that we like to do is sing more obscure pieces, and pieces by living composers. We recently gave a concert where one of our composers was in attendance. It was a piece that he had written several years ago for a teacher at University of Washington who died. The teacher’s widow was also there, which was really amazingly powerful. Then, we also sang a song by one of his composing students who was also in attendance. One of the things you get when you sing a lot of living composers is an opportunity to sing pieces by female composers. So this female composer wrote a beautiful piece that hardly ever gets sung because people sing a lot of Mozart, Beethoven, and old stuff that people have sung before. We’re bored with that, and we want to highlight the amazing pieces that are being written by new composers.

Author

Sarah Cecchetti

Sarah is the Principal Product Manager for Amazon Cognito. She co-founded and serves on the board of directors of IDPro. She is a co-author of NIST Special Publication 800-63C Digital Identity Guidelines, which outlines federated authentication standards for all US federal agencies. She has been named one of the top 100 influencers in identity. She has been quoted as an industry expert in The LA Times, Forbes, and Wired. Sarah holds a Bachelor of Physics and a Master of Science in Information Management from the University of Washington where she was a NASA Space Grant Scholar.

Serverless at AWS re:Invent 2019

Post Syndicated from George Mao original https://aws.amazon.com/blogs/architecture/serverless-at-aws-reinvent-2019/

Our annual AWS re:Invent conference is just two weeks away! We can’t wait to meet you for an AWSome week in Las Vegas. The Serverless team is now hard at work preparing to deliver over 130 sessions at re:Invent. Come meet us and learn about how to use the newest Serverless innovations to build and architect for modern applications.

Breakouts, Talks, Builders, & Demos!

To find any Serverless session, you can search our Agenda for the key words “SVS” or you can visit our re:Invent 2019 Session Catalog. Let’s take a look at some of the Architecture-focused sessions you might want to join:

Workshops

  • SVS305-R: How to secure your Serverless APIs
    You’ll get hands on with Amazon API Gateway and learn how to architect for scale and security.
  • SVS303-R: Monolith to Serverless
    This workshop shows you how to re-architect monolithic applications to AWS Lambda-based microservices.

Breakouts

  • SVS308: Moving to event-driven architectures
    Learn about the new event-driven world and how our newest tools help you develop event-centric applications.
  • SVS407: Architecting and operating resilient Serverless systems
    This is an excellent session to learn best practice patterns for building reliable applications.
  • SVS401: Optimizing your Serverless applications
    Learn how to choose the correct services in your architecture and how to design your Lambda functions and APIs for security and scale.

Chalk Talks

  • SVS338: API Patterns and architectures (REST vs GraphQL APIs)
    We’ll help you evaluate your choices for modern APIs. Come learn how to choose between Amazon S3 REST and GraphQL.
  • SVS213: Thinking Serverless
    How do you go from a flowchart to a Serverless application? Come to this session to learn the techniques you can use to design Serverless architectures.
  • SVS323: Mastering AWS Lambda streaming event sources
    This talk will go in depth on the common architecture patterns for consuming and scaling Amazon Kinesis and Amazon DynamoDB streams with AWS Lambda.

Builders Sessions

  • SVS330: Build secure Serverless mobile or web applications
    Get hands on experience building a serverless web application using AWS AppSync, AWS Lambda, Amazon API Gateway, and Amazon DynamoDB.

Come Meet Us

Don’t forget to come stop by our Serverless expert booth in the main Expo Hall. We will have many people from the Serverless team ready to speak with you!

Our Serverless team, including specialist solutions architects and developer advocates, will be onsite throughout the week. We’d love to meet you, hear about your projects, and help with any architecture questions. Reach out to Sam Dengler, Brian McNamara, Chris Munns, Eric Johnson, James Beswick, and me, George Mao. See you onsite!

See You in Las Vegas!

I can’t wait to meet you in Las Vegas and hear about your projects. Please reach out to us and let’s chat about Serverless! As a side note, reserved seating is available for all sessions, so be sure to log in to your re:Invent account to reserve a seat and join us for all kinds of Serverless architecture discussions and hands-on training.

Fall 2019 SOC 2 Type I Privacy report now available

Post Syndicated from Hadis Ali original https://aws.amazon.com/blogs/security/fall-2019-soc-2-type-i-privacy-report-now-available/

We understand that the protection of personal data that is uploaded to AWS is critical for many of our customers, and the SOC 2 Type I Privacy report provides the information you need to understand how your content is protected at AWS.

The Fall 2019 SOC 2 Type I Privacy report provides you with a third-party attestation of our systems and the suitability of the design of our privacy controls. The scope of the privacy report includes information about how we handle the content that you upload to AWS and how it is protected in all of the services and locations that are in scope for the latest AWS SOC reports. You can download the latest SOC 2 Type I Privacy report through AWS Artifact in the AWS Management Console.

As always, we value your feedback and questions. Please feel free to reach out to the team through the Contact Us page.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Hadis Ali

Hadis is a Security & Privacy Manager at Amazon Web Services. He leads multiple security and privacy initiatives within AWS Security Assurance. Hadis holds Bachelor’s degrees in Accounting and Information Systems from the University of Washington.

2019 ISO certificates are here, with a 12 percent increase of in-scope services

Post Syndicated from Anastasia Strebkova original https://aws.amazon.com/blogs/security/2019-iso-certificates-are-here-with-a-12-percent-increase-of-in-scope-services/

AWS successfully completed the re-certification audits with no findings. Ernst & Young CertifyPoint auditors issued the new certificates on November 6, 2019, marking the start of the new three-year cycle. We increased the number of ISO services in scope to 134 services in total that have been validated against ISO 9001, 27001, 27017, and 27018. We also added three new Regions to the scope, two of which (*) were compliant before the general launch:

  • Middle East (Bahrain)*
  • Asia Pacific (Hong Kong)
  • EU (Milan)*

The certificates validate ISO compliance of our Information Security Management System from the perspective of third-party auditors.

The following services are new to our ISO program:

The list of ISO certified services is available on a webpage, and we provide the certifications online and in the console via AWS Artifact, as well.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Anastasia Strebkova

Anastasia is a Security Assurance Manager at Amazon Web Services on the Global Audits team, managing the AWS ISO portfolio. She has previously worked on IT audits, governance, risk, and information security program management for cloud enterprises. Anastasia holds a Bachelor of Arts degree in Civil Law from Moscow Law Academy.

New guidance to help you navigate Australian Prudential Regulation Authority requirements

Post Syndicated from Paul Curtis original https://aws.amazon.com/blogs/security/new-guidance-navigate-australian-prudential-regulation-authority-requirements/

There have been two noteworthy 2019 updates for Australian Prudential Regulation Authority (APRA) regulated entities such as banks, insurance companies, credit unions, deposit takers, and the superannuation industry.

On June 25, APRA released an updated version of the Prudential Practice Guide CPG 234 Information Security, which provides guidance on how to implement the revised Prudential Standard CPS 234 Information Security. The new Prudential Practice Guide has been expanded significantly compared to the previous version. The revised guidance reflects the evolving cybersecurity landscape and focuses on areas of importance to APRA regulated entities.

On July 1, APRA’s Prudential Standard CPS 234 Information Security became effective. This standard represents a set of legally enforceable information security requirements for APRA regulated entities. CPS 234 aims to:

“…ensure that an APRA regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.”

In response to these updates, we have updated our AWS User Guide to Financial Services Regulations & Guidelines in Australia, which provides APRA regulated entities with a summary of APRA’s requirements, plus recommendations related to outsourcing and IT risk in the cloud. In addition to introducing the shared responsibility model, AWS Compliance Assurance Programs, and the AWS Global Infrastructure, our user guide summarizes four APRA documents that regulated entities should be aware of: APRA’s Prudential Standard CPS 231 Outsourcing, Information Paper on Outsourcing Involving Cloud Computing Services, CPS 234 Information Security, and the updated CPG 234 Information Security.

To assist our customers in meeting the updated recommendations in CPG 234 Information Security, we’ve also updated the APRA CPG 234 Workbook. The workbook is available for download through AWS Artifact (you’ll need an AWS account). Our updates reflect the revised content in APRA’s guidance, and the workbook now includes guidance on how to meet CPG 234’s recommendations for security “IN the cloud” by mapping to the five pillars of the AWS Well-Architected Framework.

As the regulatory environment continues to evolve, we’ll provide further updates on the AWS Security Blog and the AWS Compliance page. The user guide and workbook add to the resources AWS provides about financial services regulation across the world. You can find more information on cloud-related regulatory compliance at the AWS Compliance Center. You can also reach out to your AWS account manager for help finding the resources you need.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Paul Curtis

As an FSI Compliance Specialist in the Global Financial Services Industry Team, Paul works with financial organisations, supporting their risk management and compliance functions. He works with our customers’ risk teams to help them manage their technology risk in a scalable way that unlocks their ability to realize cloud benefits. Paul has over fifteen years of experience working in risk and technology across the financial services industry in Australia, Southeast Asia and South Africa. Paul holds an MBA (Corporate Governance) and is a Graduate member of the Australian Institute of Company Directors.

Fall 2019 SOC reports now available with 116 services in scope

Post Syndicated from Oliver Bell original https://aws.amazon.com/blogs/security/fall-2019-soc-reports-now-available-with-116-services-in-scope/

We’re excited to announce the addition of 12 new services in scope under our latest System and Organization Controls (SOC) audit cycle, for a total of 116 services in scope. In addition to the new services, AWS has also expanded the list of controls covered within the reports to include more controls over employee screening procedures and new Region risk assessments.

These SOC reports are now available in the AWS Management Console. The SOC 3 report can also be downloaded online as a PDF.

Here are the 12 new services in scope (followed by their SDK names):

As always, my team strives to bring services into the scope of our compliance programs based on your architectural and regulatory needs. Please reach out to your AWS representatives to let us know what additional services you would like to see in scope across any of our compliance programs.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

AWS Security Profiles: Avni Rambhia, Senior Product Manager, CloudHSM

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-avni-rambhia-senior-product-manager-cloudhsm/


In the weeks leading up to re:Invent 2019, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you enjoy most in your current role?

It’s been two and a half years already! Time has flown. I’m the product manager for AWS CloudHSM. As with most product managers at AWS, I’m the CEO of my product. I spend a lot of my time talking to customers who are looking to use CloudHSM, to understand the problems they are looking to solve. My goal is to make sure they are looking at their problems correctly. Often, my role as a product manager is to coach. I ask a lot of why’s. I learned this approach after I came to AWS—before that I had the more traditional product management approach of listening to customers to take requirements, prioritize them, do the marketing, all of that. This notion of deeply understanding what customers are trying to do and then helping them find the right path forward—which might not be what they were thinking of originally—is something I’ve found unique to AWS. And I really enjoy that piece of my work.

What are you currently working on that you’re excited about?

CloudHSM is a hardware security module (HSM) that lets you generate and use your own encryption keys on AWS. However, CloudHSM is weird in that, by design, you’re explicitly outside the security boundary of AWS managed services when you use it: You don’t use AWS IAM roles, and HSM transactions aren’t captured in AWS CloudTrail. You transact with your HSM over an end-to-end encrypted channel between your application and your HSM. It’s more similar to having to operate a 3rd party application in Amazon Elastic Compute Cloud (EC2) than it is to using an AWS managed service. My job, without breaking the security and control the service offers, is to continue to make customers’ lives better through more elastic, user-friendly, and reliable HSM experiences.

We’re currently working on simplifying cross-region synchronization of CloudHSM clusters. We’re also working on simplifying management operations, like adjusting key attributes or rotating user passwords.

Another really exciting thing that we’re working on is auto-scaling for HSM clusters based on load metrics, to make CloudHSM even more elastic. CloudHSM already broke the mold of traditional HSMs with zero-config cluster scaling. Now, we’re looking to expand how customers can leverage this capability to control costs without sacrificing availability.

What’s the most challenging part of your job?

For one, time management. AWS is so big, and our influence is so vast, that there’s no end to how much you can do. As Amazonians, we want to take ownership of our work, and we want bias for action to accomplish everything quickly. Still, you have to live to fight another day, so prioritizing and saying no is necessary. It’s hard!

I also challenge myself to continue to cultivate the patience and collaboration that gets a customer on a good security path. It’s very easy to say, This is what they’re asking for, so let’s build it—it’s easy, it’s fast, let’s do it. But that’s not the customer obsessed solution. It’s important to push for the correct, long-term outcome for our customers, and that often means training, and bringing in Solutions Architects and Support. It means being willing to schedule the meetings and take the calls and go out to the conferences. It’s hard, but it’s the right thing to do.

What’s your favorite part of your job?

Shipping products. It’s fun to announce something new, and then watch people jump on it and get really excited.

I still really enjoy demonstrating the elastic nature of CloudHSM. It sounds silly, but you can delete a CloudHSM instance and then create a new HSM with a simple API call or console button click. We save your state, so it picks up right where you left off. When you demo that to customers who are used to the traditional way of using on-premises HSMs, their eyes will light up—it’s like being a kid in the candy store. They see a meaningful improvement to the experience of managing HSMs that they never thought was possible. It’s so much fun to see their reaction.

What does cloud security mean to you, personally?

At the risk of hubris, I believe that to some extent, cloud security is about the survival of the human race. 15-20 years ago, we didn’t have smart phones, and the internet was barely alive. What happened on one side of the planet didn’t immediately and irrevocably affect what happened on the opposite side of the planet. Now, in this connected world, my children’s classrooms are online, my assets, our family videos, our security system—they are all online. With all the flexibility of digital systems comes an enormous amount of responsibility on the service and solution providers. Entire governments, populations, and countries depend on cloud-based systems. It’s vital that we stay ten steps ahead of any potential risk. I think cloud security functions similar to the way that antibiotics and vaccinations function—it allows us to prevent, detect and treat issues before they become serious threats. I am very, very proud to be part of a team that is constantly looking ahead and raising the bar in this area.

What’s the most common misperception you encounter with customers about cloud security?

That you have to directly configure and use your HSMs to be secure in the cloud. In other words, I’m constantly telling people they do not need to use my product.

To some extent, when customers adopt CloudHSM, it means that we at AWS have not succeeded at giving them an easier to use, lower cost, fully managed option. CloudHSM is expensive. As easy as we’ve made it to use, customers still have to manage their own availability, their own throttling, their own users, their own IT monitoring.

We want customers to be able to use fully managed security services like AWS KMS, ACM Private CA, AWS Code Signing, AWS Secrets Manager and similar services instead of rolling their own solution using CloudHSM. We’re constantly working to pull common CloudHSM use cases into other managed services. In fact, the main talk that I’m doing at re:Invent will put all of our security services into this context. I’m trying to make the point that traditional wisdom says that you have to use a dedicated cryptographic module via CloudHSM to be secure. However, practical wisdom, with all of the advances that we’ve made in all of the other services, almost always indicates that KMS or one of the other managed services is the better option.

In your opinion, what’s the biggest challenge facing cloud security right now?

From my vantage point, I think the challenge is the disconnect between compliance and security officers and DevOps teams.

DevOps people want to know things like, Can you rotate your keys? Can you detect breaches? Can you be agile with your encryption? But I think that security and compliance folks still tend to gravitate toward a focus on creating and tracking keys and cryptographic material. When you try to adapt those older, more established methodologies, I think you give away a lot of the power and flexibility that would give you better resilience.

Five or more years from now, what changes do you think we’ll see across the security landscape?

I think what’s coming is a fundamental shift in the roots of trust. Right now, the prevailing notion is that the roots of trust are physically, logically, and administratively separate from your day to day compute. With Nitro and Firecracker and more modern, scalable ways of local roots of trust, I look forward to a day, maybe ten years from now, when HSMs are obsolete altogether, and customers can take their key security wherever they go.

I also think there is a lot of work being done, and to be done, in encrypted search. If at the end of the day you can’t search data, it’s hard to get the full value out of it. At the same time, you can’t have it in clear text. Searchable encryption currently has and will likely always have limitations, but we’re optimistic that encrypted search for meaningful use cases can be delivered at scale.

You’re involved with two sessions at re:Invent. One is Achieving security goals with AWS CloudHSM. How did you choose this particular topic?

I talk to customers at networking conferences run by AWS—and also recently at Grace Hopper—about what content they’d like from us. A recurring request is guidance on navigating the many options for security and cryptography on AWS. They’re not sure where to start, what they should use, or the right way to think about all these security services.

So the genesis of this talk was basically, Hey, let’s provide some kind of decision tree to give customers context for the different use cases they’re trying to solve and the services that AWS provides for those use cases! For each use case, we’ll show the recommended managed service, the alternative service, and the pros and cons of both. We want the customer’s decision process to go beyond just considerations of cost and day one complexity.

What are you hoping that your audience will do differently as a result of attending this session?

I’d like DevOps attendees to be able to articulate their operational needs to their security planning teams more succinctly and with greater precision. I’d like auditors and security planners to have a wider, more realistic view of AWS services and capabilities. I’d like customers as a whole to make the right choice for their business and their own customers. It’s really important for teams as a whole to understand the problem they’re trying to solve. If they can go into their planning and Ops meetings armed with a clear, comprehensive view of the capabilities that AWS offers, and if they can make their decisions from the position of rational information, not preconceived notions, then I think I’ll have achieved the goals of this session.

You’re also co-presenting a deep-dive session along with Rohit Mathur on CloudHSM. What can you tell us about the session that’s not described in the re:Invent catalog?

So, what the session actually should be called is: If you must use CloudHSM, here’s how you don’t shoot your foot.

In the first half of the deep dive, we explain how CloudHSM is different than traditional HSMs. When we made it agile, elastic, and durable, we changed a lot of the traditional paradigms of how HSMs are set up and operated. So we’ll spend a good bit of time explaining how things are different. While there are many things you don’t have to worry about, there are some things that you really have to get right in order for your CloudHSM cluster to work for you as you expect it to.

We’ll talk about how to get maximum power, flexibility, and economy out of the CloudHSM clusters that you’re setting up. It’s somewhat different from a traditional model, where the HSM is just one appliance owned by one customer, and the hardware, software, and support all came from a single vendor. CloudHSM is AWS native, so you still have the single tenant third party FIPS 140-2 validated hardware, but your software and support are coming from AWS. A lot of the integrations and operational aspect of it are very “cloudy” in nature now. Getting customers comfortable with how to program, monitor, and scale is a lot of what we’ll talk about in this session.

We’ll also cover some other big topics. I’m very excited that we’ll talk about trusted key wrapping. It’s a new feature that allows you to mark certain keys as trusted and then control the attributes of keys that are wrapped and unwrapped with those trusted keys. It’s going to open up a lot of flexibility for customers as they implement their workloads. We’ll include cross-region disaster recovery, which tends to be one of the more gnarly problems that customers are trying to solve. You have several different options to solve it depending on your workloads, so we’ll walk you through those options. Finally, we’ll definitely go through performance because that’s where we see a lot of customer concerns, and we really want our users to get the maximum throughput for their HSM investments.

Any advice for first-time attendees coming to re:Invent?

Wear comfortable shoes … and bring Chapstick. If you’ve never been to re:Invent before, prepare to be overwhelmed!

Also, come prepared with your hard questions and seek out AWS experts to answer them. You’ll find resources at the Security booth, you can DM us on Twitter, catch us before or after talks, or just reach out to your account manager to set up a meeting. We want to meet customers while we’re there, and solve problems for you, so seek us out!

You like philosophy. Who’s your favorite philosopher and why?

Rabindranath Tagore. He’s an Indian poet who writes with deep insight about homeland, faith, change, and humanity. I spent my early childhood in the US, then grew up in Bombay and have lived across the Pacific Northwest, the East Coast, the Midwest, and down south in Louisiana in equal measure. When someone asks me where I’m from, I have a hard time answering honestly because I’m never really sure. I like Tagore’s poems because he frames that ambiguity in a way that makes sense. If you abstract the notion of home to the notion of what makes you feel at home, then answers are easier to find!
 
Want more AWS Security news? Follow us on Twitter.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Avni Rambhia

Avni is the Senior Product Manager for AWS CloudHSM. At work, she’s passionate about enabling customers to meet their security goals in the AWS Cloud. At leisure, she enjoys the casual outdoors and good coffee.

AWS Artifact is now available in AWS GovCloud (US) Regions

Post Syndicated from Ira Tiwari original https://aws.amazon.com/blogs/security/aws-artifact-is-now-available-in-aws-govcloud-us-regions/

AWS Artifact is now available in the AWS GovCloud (US) Regions, where you’ll now have on-demand access to AWS compliance reports and select online AWS agreements with a single-click in the AWS Management Console.

The AWS GovCloud (US) Regions are isolated and designed to host sensitive data and regulated workloads in the cloud, assisting customers who have United States federal, state, or local government compliance requirements.

AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI) reports, the AWS Federal Risk and Authorization Management Program (FedRAMP) Partner Package, and System and Organization Controls (SOC) reports. You can submit the security and compliance documents (also known as audit artifacts) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company’s internal controls.

AWS Artifact can also be used to review AWS GovCloud (US) terms and conditions, accept agreements with AWS and designate AWS accounts that process restricted information (such as protected health information), and to track the status of multiple AWS agreements. To learn how to use Artifact to accept agreements for multiple accounts, see Managing Your Agreements in AWS Artifact.

Learn more about AWS Artifact here, and consult the Artifact FAQ here.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Ira Tiwari

Ira’s focus area is to build strategic initiatives to automate compliance workflow for Amazon Web Services. She’s very excited about building innovations in the audit domain and providing assurance to customers to adopt AWS for regulated workloads.

AWS Security Profiles: Maritza Mills, Senior Product Manager, Perimeter Protection

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-maritza-mills-senior-product-manager-perimeter-protection/

In the weeks leading up to re:Invent 2019, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS almost two years. I’m a product manager for our Perimeter Protection team, which includes products like AWS Web Application Firewall (WAF), AWS Shield and AWS Firewall Manager. I spend a lot of my time talking with customers—primarily security specialists and network engineers—about how they can protect their web applications and how they can defend against Distributed Denial of Service (DDoS) attacks. My work is about deeply understanding the technical challenges customers are facing. I then use that information to inform what we need to build next, and then I work with our engineering team to figure out how we deliver it.

What’s the most challenging part of your job?

Deciding how to prioritize what we work on next. We have AWS customers with a lot of different needs, but we only have so much time in a day. My team has to balance the most pressing customer challenges along with the challenges we anticipate customers will face in the future, plus how quickly we’ll be able to deliver solutions to those challenges. I wish that we could do everything, all the time, but we have to make difficult choices about which things we’re going to do first.

What’s your favorite part of your job?

Constantly learning something new from our customers. A big part of what I do involves listening to customers to understand their most difficult technical challenges, and every customer is different. A customer in healthcare will have different needs from a customer in finance versus one in gaming. It’s exciting to learn about the different problems each customer faces. Even at the same company, different teams may have different goals and approaches to security. Often, I might educate customers on the tools currently available to fit their needs, but there are also times when the solution a customer needs has not been invented yet, and that’s when things really get interesting.

What does cloud security mean to you on a personal level?

When I think about security in the cloud, it’s about security for individual people. If you store data in the cloud, part of “security” is protecting access to your personal information, like your messages and photos, or credit card numbers, or personal healthcare data.

But it’s not just about preventing unauthorized access. It’s also about making sure that peoples’ data are available for them when they need it. One of the big things that we focus on in Perimeter Protection—particularly in AWS Shield—is protecting applications from denial of service attacks so that the applications are always available. This means that when you need to access the money in your bank account, or say, when a hospital needs to access vital information about a patient, the apps are always up and available. When I think about security and what we’re doing at scale here at AWS, that’s what’s most important to me on a personal level.

What’s the most common misperception you encounter about cloud security?

Sometimes, customers might be tempted to use blanket protections without thinking about why their particular application or business is unique, and what different protections they should put in place as a result.

Cloud security is an ongoing discipline that requires continuously monitoring your applications and updating your controls as your applications change. At AWS, we have this concept of the shared responsibility model, where AWS handles security of the cloud itself and customers are responsible for securing the applications which they run on the cloud. We’ve designed several tools to help customers manage that responsibility and adapt and scale as quickly as their applications do. In Perimeter Protection specifically, services like AWS Firewall Manager are designed to give our customers central visibility of their security controls, such as Amazon VPC security groups, AWS WAF rules, and AWS Shield Advanced protections. Services like Firewall Manager also constantly monitor these configurations so that customers can be alerted when changes have occurred.

I encourage customers to think carefully about how their applications will change over time, and how to best monitor and adjust to those changes as they occur.

What challenges do you currently see in the application security space, and how do you think the field will evolve to meet those challenges?

One challenge that I currently see is the pace of change, and the fact that customers need ways to keep up with these changes.

In the past, many security controls have been static—you set them up, and they don’t change. But as our customers have migrated into AWS, they’re able to operate in a more dynamic way and to scale up or down more quickly than they could before. At the same time, we’ve seen the techniques used to gain unauthorized access or to launch DDoS attacks scale and become more sophisticated. Here at AWS, we’re constantly looking ahead to anticipate how customers will need to actively monitor and secure their applications, and then we build those capabilities into our services.

Today, services like AWS Shield can automatically detect and mitigate DDoS attacks and provide you with alarms and the ability to continuously monitor your network flows. AWS WAF gives you the ability to write custom rules so you can create granular protections for your specific environment. We also provide you with information regarding security best practices so you can proactively architect your applications in a way that allows you to quickly react to new and unique attack vectors. That’s part of what we’ll be addressing in our upcoming re:Invent talk, as well.

You and Paul Oremland are leading a re:Invent session called A defense-in-depth approach to building web applications. What can you tell us about the session that’s not described in the catalog?

In this session, we’ll start by reviewing common security vulnerabilities, and then provide detailed examples of how to mitigate them at each layer of their application. I expect attendees will gain a better sense of how those layers fit together and how to think creatively about their individual security needs based on how they’ve architected their system, or based on their specific business case. Finally, I want all customers, from startups to enterprise, to understand how those challenges change as they scale. We’ll be touching on all of that.

It’s a 400-level session, so it’s a technical deep dive. It’s going to have a lot of good information for security specialists and engineers who want to have hands-on examples that they can go back and use. But I also want to encourage people who are exploring or are newer to this space to join us because even if the hands-on portion is a little too advanced, I think the strategy and philosophy of how to think about application security is going to be very relevant even to those less familiar with the subject matter, and to the work that they might do in the future.

What are you hoping that your audience will do differently as a result of attending?

I want to motivate attendees to perform a review of their current architecture and consider the current controls that they have in place. Then, I’d like them to ask themselves, “Why did I put this control here?” and “Do I know exactly what risk each control is mitigating?” I’d also like them to consider whether there are protections they’ve opted not to use in the past, and whether that decision is still an acceptable risk.

How did you choose your topic?

We developed it based on numerous conversations we’ve had with customers when they’re exploring how to protect their applications at the edge. But, we usually find that the conversation expands into other parts of the stack that need protection as well. One goal of this session is to talk about these needs up front, so that customers can come into conversations with us already knowing how they’d like to protect their entire application.

Any advice for first-time attendees coming to re:Invent?

Make sure you have enough time to get to your next session. There’s a lot of different things going on at re:Invent, and they take place in a lot of different buildings. While I think we do a great job with the schedule and spacing, first-time attendees should be aware that they might have a session in one building and then need to immediately be in another building for their next session. Factor that into your commute plans.

You enjoy discussing song lyrics. Who have you enjoyed the most?

Rush is one of my favorite bands when it comes to lyricism. As a kid, the music was just interesting. But as I’ve gotten older, certain lines hit me differently.

In the song “Dreamline,” there’s a particular verse that says:

When we are young
Wandering the face of the earth
Wondering what our dreams might be worth
Learning that we’re only immortal
For a limited time

When I was younger, I really could relate to that feeling of immortality in a way, as if I was going to be around forever. But as I’ve gotten older, I’ve realized that life is very short and very precious, and I want to make the most of it. So I enjoy going back to that song every single time. It’s changed for me as I’ve grown.

And what song has created the lengthiest discussion for you?

I’ve had some great conversations about Fast Car by Tracy Chapman. The themes in that song are relatable to people in so many different ways, and at different times in their lives. One of the great things about song lyrics is that the way people interpret a song is influenced by their personal experiences in life, and this song in particular has always opened up meaningful conversations for me.

Want more AWS Security news? Follow us on Twitter.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Maritza Mills, Senior Product Manager


Maritza is a Senior Product Manager for AWS WAF, Shield and Firewall Manager.

AWS re:Invent 2019 security guide: sessions, workshops, and chalk talks

Post Syndicated from Shllomi Ezra original https://aws.amazon.com/blogs/security/aws-reinvent-2019-security-guide-sessions-workshops-and-chalk-talks/

With re:Invent 2019 just weeks away, the excitement is building and we’re looking forward to seeing you all soon! If you’re attending re:Invent with the goal of improving your organization’s cloud security operations, here are some highlights from the re:Invent 2019 session catalog. Reserved seating is now open, so get your seats in advance for your favorite sessions.

Getting started

These sessions cover the basics, including conceptual overviews and demos for AWS Security services, AWS Identity, and more.

  • The fundamentals of AWS cloud security (SEC205-R)

    By the end of this session led by Becky Weiss, you will know the fundamental patterns that you can apply to secure any workload you run in AWS with confidence. It covers the basics of network security, the process of reading and writing access management policies, and data encryption.

  • Threat management in the cloud: Amazon GuardDuty and AWS Security Hub (SEC206-R)

    Amazon GuardDuty and AWS Security Hub in tandem provide continuous visibility, compliance, and detection of threats for AWS accounts and workloads.

  • Getting started with AWS Identity (SEC209-R)

    The number, range, and breadth of AWS services are large, but the set of techniques that you, as a builder in the cloud, will use to secure them is not. Your cloud journey starts with this breakout session, in which we get you up to speed quickly on the practical fundamentals to do identity and authorization right in AWS.

Inspiration

  • Leadership session: AWS Security (SEC201-L)

    Stephen Schmidt, Chief Information Security Officer for AWS, addresses the current state of security in the cloud, with a focus on feature updates, the AWS internal “secret sauce,” and what’s to come in terms of security, identity, and compliance tooling.

  • Provable access control: Know who can access your AWS resources (SEC343-R)

    In this session, we discuss the evolution of automated reasoning technology at AWS and how it works in the services in which it is embedded, including Amazon Simple Storage Service (Amazon S3), AWS Config, and Amazon Macie.

  • Amazon’s approach to failing successfully (DOP208-R)

    In this session, we cover Amazon’s favorite techniques for defining and reviewing metrics — watching the systems before they fail — as well as how to do an effective postmortem that drives both learning and meaningful improvement.

  • Speculation & leakage: Timing side channels & multi-tenant computing (SEC355)

    In January 2018, the world learned about Spectre and Meltdown, a new class of issues that affects virtually all modern CPUs via nearly imperceptible changes to their micro-architectural states and can result in full access to physical RAM or leaking of state between threads, processes, or guests. In this session, Eric Brandwine examines one of these side-channel attacks in detail and explores the implications for multi-tenant computing. He discusses AWS design decisions and what AWS does to protect your instances, containers, and function invocations.

  • Security benefits of the Nitro architecture (SEC408-R)

    Hear Mark Ryland speak about how the Nitro computers carefully control the workload computer access, providing a layer of protection. Learn about the security properties of this powerful architecture, which significantly increases cloud reliability and performance.

Threat detection and response

  • Continuous security monitoring and threat detection with AWS (SEC321-R)

    In this session, we talk about a number of AWS services involved in threat detection and remediation and we walk through some real-world threat scenarios. You get answers to your questions about threat detection on AWS and learn about the threat-detection capabilities of Amazon GuardDuty, Amazon Macie, AWS Config, and the available remediation options.

  • Threat detection with Amazon GuardDuty (SEC353-R)

    Amazon GuardDuty is a threat detection system that is purpose-built for the cloud. Once enabled, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real time and at scale. You don’t have to deploy or manage any additional security software, sensors, or network appliances. Threat intelligence is pre-integrated into the service and is continuously updated and maintained. In this session, we introduce you to GuardDuty, walk you through the detection of an event, and discuss the various ways you can react and remediate.

  • Mitigate risks using cloud-native security (SEC216-R)

    Whether you are migrating existing workloads or creating something new on AWS, it can be tempting to bring your current security solutions with you. In this hands-on builders session, we help you identify which cloud-native solutions can mitigate your existing risks while providing scalability, reliability, and cost optimization at a low operational burden. During this session, learn how to use cloud-native controls such as those found in AWS CloudTrail, Amazon Virtual Private Cloud (Amazon VPC) security groups, and Amazon GuardDuty to secure your cloud architecture.

  • Monitoring anomalous application behavior (NFX205)

    In this talk, Travis McPeak of Netflix and Will Bengtson introduce a system built strictly with off-the-shelf AWS components that tracks AWS CloudTrail activity across multi-account environments and sends alerts when applications perform anomalous actions.

  • Workshop

    • Automating threat detection and response in AWS (SEC301-R)

      This workshop provides the opportunity for you to get familiar with AWS security services and learn how to use them to identify and remediate threats in your environment. Learn how to use Amazon GuardDuty, Amazon Macie, Amazon Inspector, and AWS Security Hub to investigate threats during and after an attack, set up a notification and response pipeline, and add additional protections to improve your environment’s security posture.

Advanced topics in threat detection and response

  • Actionable threat hunting in AWS (SEC339)

    Learn how WarnerMedia leveraged Amazon GuardDuty, AWS CloudTrail, and its own serverless inventory tool (Antiope) to root out cloud vulnerabilities, insecure behavior, and potential account compromise activities across a large number of accounts.

  • How to prepare for & respond to security incidents in your AWS environment (SEC356)

    In this session, Paul Hawkins and Nathan Case walk through what you need to do to be prepared to respond to security incidents in your AWS environments.

  • DIY guide to runbooks, incident reports, and incident response (SEC318-R)

    In this session, we explore the cost of incidents and consider creative ways to look at future threats.

  • A defense-in-depth approach to building web applications (SEC407-R)

    In this session, learn about common security issues, including those described in the Open Web Application Security Project (OWASP) Top 10. Also learn how to build a layered defense using multi-layered perimeter security and development best practices.

Identity

  • Failing successfully: The AWS approach to resilient design (ARC303-R)

    AWS global infrastructure provides the tools customers need to design resilient and reliable services. In this session, we explore how to get the most out of these tools.

  • Access control confidence: Grant the right access to the right things (SEC316-R)

    Hear Brigid Johnson explain that, as your organization builds on AWS, granting developers and applications the right access to the right resources at the right time for the right actions is critical to security.

Advanced topics in AWS Identity

  • Access management in 4D (SEC405-R)

    Listen to Quint Van Deman demonstrate patterns that allow you to implement advanced access-management workflows such as two-person rule, just-in-time privilege elevation, real-time adaptive permissions, and more using advanced combinations of AWS Identity services.

Data protection

  • Using AWS KMS for data protection, access control, and audit (SEC340-R)

    This session focuses on how customers are using AWS Key Management Service (AWS KMS) to raise the bar for security and compliance with their workloads.

Compliance

  • Use AWS Security Hub to act on your compliance and security posture (SEC342)

    Join us for this chalk talk where we discuss how to continuously assess and act on your AWS security and compliance issues using AWS Security Hub.

  • Workshop

    • Compliance automation: Set it up fast, then code it your way (SEC304-R)

      In this workshop, learn how to detect common resource misconfigurations using AWS Security Hub.

Best practices

  • AWS Well-Architected: Best practices for securing workloads (SEC202-R1)

    Security best practices help you secure your workloads in the cloud to meet organizational, legal, and compliance requirements. In this chalk talk, Ben Potter will guide you through core security best practices aligned with the AWS Well-Architected Framework.

  • Architecting security & governance across your landing zone (SEC325-R)

    In this session, Sam Elmalak discusses updates to multi-account strategy best practices for establishing your landing zone.

  • Best practices for your full-stack security practice (GPSTEC307)

    At AWS, security is our top priority. In this chalk talk, discover proven techniques and key learnings to elevate your ability to identify, protect against, detect, respond to, and recover from security events. We’ll leverage industry frameworks, reference architectures, and the latest AWS services and features.

  • Artificial Intelligence & Machine Learning (AIM337-R)

    Join us for this chalk talk as we dive into the many features of Amazon SageMaker that enable customers to build highly secure data science environments and support stringent security requirements.



Shllomi Ezra

Shllomi Ezra is on the AWS Business Development team for AWS Security services. He cares about making customers’ journeys to the cloud more enjoyable. In his spare time, Shllomi loves to run, travel, and have fun with his family and friends.

Accept an ANDB Addendum for all accounts within your AWS Organization

Post Syndicated from Adam Star original https://aws.amazon.com/blogs/security/accept-an-andb-addendum-for-all-accounts-within-your-aws-organization/

For customers who use AWS to store or process personal information covered by the Australian Privacy Act 1988, I’m excited to announce that you can now accept a single AWS Australian Notifiable Data Breach Addendum (ANDB Addendum) for all accounts within your AWS Organization. Once accepted, all current and future accounts created or added to your AWS Organization will immediately be covered by the ANDB Addendum.

My team is focused on improving the customer experience by improving the tools used to perform compliance tasks. Previously, if you wanted to designate several AWS accounts, you had to sign in to each account individually to accept the ANDB Addendum. Now, an authorized master account user can accept the ANDB Addendum once to automatically designate all existing and future member accounts in the AWS Organization as ANDB accounts. This capability addresses a frequent customer request to be able to quickly designate multiple ANDB accounts and confirm those accounts are covered under the terms of the ANDB Addendum.

If you have an ANDB Addendum in place already and want to leverage this new capability, a master account user can accept the new AWS Organizations ANDB Addendum in AWS Artifact today. To get started, your organization must use AWS Organizations to manage your accounts, and “all features” need to be enabled. Learn more about creating an organization.

Once you’re using AWS Organizations with all features enabled and you have the necessary user permissions, accepting the AWS Organizations ANDB Addendum takes about two minutes. We’ve created a video that shows you the process, step-by-step.

If your organization prefers to continue managing ANDB accounts individually, you can still do that. It takes less than two minutes to designate a single account as an ANDB account in AWS Artifact. You can watch our video to learn how.

As with all AWS Artifact features, there is no additional cost to use AWS Artifact to review, accept, and manage individual account ANDB Addendums or the new AWS Organizations ANDB Addendum. To learn more about AWS Artifact, please visit the AWS Artifact FAQ page.



Adam Star

Adam joined Amazon in 2012 and is a Program Manager on the Security Obligations and Contracts team. He enjoys designing practical solutions to help customers meet a range of global compliance requirements including GDPR, HIPAA, and the European Banking Authority’s Guidelines on Outsourcing Arrangements. Adam lives in Seattle with his wife & daughter. Originally from New York, he’s constantly searching for “real” bagels & pizza. He’s an active member of the Washington State Bar Association and American Homebrewers Association, finding the latter much more successful when attempting to make friends in social situations.