Post Syndicated from Brandon Carroll original https://aws.amazon.com/blogs/security/building-secure-foundations-a-guide-to-network-and-infrastructure-security-at-aws-reinforce-2025/
A full conference pass is $1,099. Register today with the code flashsale150 to receive a limited time $150 discount, while supplies last.
Securing cloud infrastructure has never been more critical as organizations continue to expand their digital footprint and embrace modern architectures. At AWS re:Inforce 2025, the Network and Infrastructure Security track brings together security experts, practitioners, and industry leaders to share insights on building and maintaining secure, automated, and observable cloud foundations.This year’s track focuses on several key themes that are shaping the future of cloud security. Learn how to implement comprehensive defense-in-depth strategies through multiple layers of controls, from perimeter to workload protection. Discover the latest approaches to network visibility and inspection, including tools and architectures for deep packet inspection and enhanced traffic analysis across cloud environments.As organizations scale their cloud presence, automated policy management becomes crucial. This track showcases solutions and approaches for scaling security policy deployment, management, and compliance validation through automation and infrastructure as code (IaC). You’ll also dive deep into zero trust infrastructure implementations, exploring frameworks for identity-based network segmentation and access controls aligned with zero trust principles.With the growing complexity of distributed applications, protecting workloads across cloud, edge, and hybrid environments requires integrated security architectures. Sessions in this track demonstrate how to build comprehensive protection strategies that secure your entire infrastructure footprint while maintaining operational excellence.
Whether you’re just beginning your cloud security journey or leading mature enterprise security initiatives, the Network and Infrastructure Security track at re:Inforce 2025 will equip you with practical guidance and actionable insights to advance your organization’s security posture. Join in on the fun, and register for re:Inforce 2025!
Breakout sessions, chalk talks, and lightning talks
Breakout sessions are lecture-style, 1-hour sessions delivered by AWS experts, customers, and partners—perfect for deepening your knowledge on important topics, gaining actionable insights, and connecting with industry leaders.
Chalk talks are 1-hour long, highly interactive sessions with a small audience. This format is ideal for diving deep into specific topics, engaging directly with AWS experts, and getting your questions answered in real time.
Lightning talks are short (20 minutes) theater presentations dedicated to a specific customer story, service demo, or AWS Partner offering.
NIS301 | Breakout session | Egress control deployments made easy
Speakers: Sofía Aluma (AWS), Jesse Lepich (AWS)
Discover the latest AWS Network Firewall features that simplify implementation and enhance your security posture. In this hands-on workshop, learn how recent updates to AWS Network Firewall and Amazon Route 53 Resolver DNS Firewall streamline deployment, reduce threat exposure, and strengthen security policies. We’ll share practical recommendations for configuring firewall rules that match your specific use cases and help verify that your security controls meet intended objectives.
NIS302 | Breakout session | How Itaú Bank leverages AWS Shield Advanced to combat DDoS events
Speakers: Douglas Lopes (AWS), Guilherme Greco (AWS), Ricardo Donadel (Itaú Bank)
Learn how Itaú, Latin America’s largest bank, uses AWS Shield Advanced to protect their critical financial infrastructure from sophisticated DDoS events. In this session, Itaú’s security team shares how they architected their defense strategy by integrating Shield Advanced with existing security operations and collaborating with the AWS DDoS Response Team. Discover how they maintain robust protection while meeting financial regulatory requirements and examine the business value of their implementation. Whether you work in financial services or other regulated industries, you’ll gain actionable insights for enterprise-grade DDoS protection.
NIS303 | Breakout session | Thinking beyond traditional firewalling architectures
Speakers: Tom Adamski (AWS), Ankit Chadha (AWS)
In this session, we’ll discuss a brave new world where we think beyond traditional firewalling architectures. We’ll explore the use-cases that require firewalls including workload-to-workload, client-to-workload, and workload-to-internet traffic flows. After defining the use cases, we’ll discuss AWS services that allow customers to retain their desired security posture without inserting inline firewalls. We’ll wrap with specific considerations on when firewalling is a good option. For example, for scenarios when customers require AppId-like functionality, or for creating data loss prevention (DLP) deployments for egress traffic.
NIS304 | Breakout session | Integrate Zero Trust into your cloud network
Speakers: Dave DeRicco (AWS)
In this session, learn how to adopt Zero Trust alongside traditional network security functions such as firewalls and VPNs. Explore how services like Amazon VPC Lattice and AWS Verified Access complement your existing network security posture by leveraging identity and network controls to continuously authenticate and monitor access. and how these services can integrate into your existing network architecture. Learn about common adoption approaches and migration patterns and hear best practices for building Zero Trust mechanisms into a secure, modern network architecture.
NIS305 | Breakout session | Advanced network defense: From basics to global scale with AWS Cloud WAN
Speakers: Sidhartha Chauhan (AWS)
Starting with core security principles, this session demonstrates how to build robust network security architectures in AWS. Learn to establish effective network isolation boundaries using AWS Cloud WAN and AWS PrivateLink, followed by implementing traffic filtering through strategic firewall deployments. We’ll compare centralized versus distributed inspection architectures, culminating in how AWS Cloud WAN’s service insertion and policy-based approach enables global-scale centralized inspection flows. Through practical scenarios, attendees will master designing scalable network security architectures that maintain security posture across complex cloud environments. Ideal for security engineers and architects managing enterprise-scale AWS deployments.
DAP332 | Chalk talk | Executive perspective: Risk management for generative AI workloads
Speakers: Jason Garman (AWS) & Mark Ryland (AWS)
Don’t let the perceived complexity of responsible AI keep you from deploying generative AI applications on AWS. In this chalk talk, we will present a framework for breaking down AI safety and security risks, introduce AWS best practices for keeping enterprise data secure in generative AI applications using zero trust principles, and mitigate safety risks using technologies such as Amazon Bedrock Guardrails. Discover as a group with fellow security leaders how to identify safety and security risks relevant to your workload, implement appropriate mitigation strategies, and measure efficacy over time.
NIS306 | Breakout session | Securing AWS networks: Observability meets defense-in-depth
Speakers: Anandprasanna Gaitonde (AWS), Ankush Goyal (AWS), Amish Shah (AWS)
AWS customers use multiple security services to build strong network defenses, but visibility into threats, misconfigurations, and vulnerabilities across multi-VPC and multi-account environments can remain a challenge. This session covers AWS network security fundamentals – Security Groups, NACLs, AWS Network Firewall, DNS Firewall, and Gateway Load Balancer—for a layered defense strategy. We will also highlight observability tools like VPC Flow Logs, Reachability Analyzer, and Network Access Analyzer to detect security gaps and troubleshoot access issues. By integrating these tools, organizations can proactively enhance network security, detect vulnerabilities, and ensure secure, scalable architectures across AWS accounts and environments.
NIS231 | Chalk talk | High noon duel: Live events tamed by AWS WAF
Speakers: Tzoori Tamam (AWS), Harith Gaddamanugu (AWS)
In this thrilling session, we’ll build a robust protection setup using AWS WAF and Amazon CloudFront, demonstrating how to fend off increasingly sophisticated live events. Learn to leverage Amazon CloudFront, configure rate-based rules, implement AWS WAF Managed Rule groups, bot control, and create custom defenses. As we construct our digital fortress, our resident “black hat” will launch progressively complex events, showcasing how each layer of defense performs under pressure. Suitable for both newcomers and experienced AWS security professionals.
NIS331 | Chalk talk | Enhance your cloud security infrastructure using Zero Trust techniques
Speakers: Pablo Sánchez Carmona (AWS), Adam Palmer (AWS)
Traditional perimeter-based security and network segmentation often fall short in today’s dynamic microservices environments, creating operational overhead and potential security gaps. Join us in this session to discuss how to evolve beyond conventional security models by implementing Zero Trust architecture in AWS. We will cover different services and techniques such as AWS Verified Access in the human-to-application connectivity, Amazon VPC Lattice for service-to-service communication, and the use of AWS Verified Permissions for fine-grained application authorization. We’ll explore how these services can work together to enable continuous authentication.
NIS332 | Chalk talk | Build secure connectivity with Amazon VPC Lattice and AWS PrivateLink
Speakers: Alexandra Huides (AWS), Jordan Rojas Garcia (AWS)
In this chalk talk, we review the best practices and reference architectures for building secure connectivity with Amazon VPC Lattice and AWS PrivateLink. We focus on service and resource oriented connectivity as we dive into the new VPC Lattice capabilities, such as support for VPC Resources and service network endpoints, and cross-region support for AWS PrivateLink.
NIS333 | Chalk talk | Build defense-in-depth network designs to safeguard apps and data
Speakers: Raghavarao Sodabathina (AWS), Brian Soper (AWS)
Strong adherence to architecture best practices and proactive controls are the foundation of web application security. These techniques allow developers to build applications that are more resilient. In this chalk talk, learn how to build a layered network security approach to achieve defense-in-depth; to protect, detect, and respond to issues faster; and to accelerate your secure migrations to AWS. Discover key considerations, best practices, and reference architectures that include Amazon VPC, Amazon Route 53, Amazon CloudFront, AWS WAF, AWS Shield, Application Load Balancer, and AWS Elastic Disaster Recovery to achieve your defense-in-depth objectives.
NIS431 | Chalk talk | Cloud network defense: Advanced visibility and analysis on AWS
Speakers: Kyle Hanrahan (AWS), Anand Kumar Mandilwar (AWS)
Organizations struggle to maintain comprehensive network visibility in complex cloud environments. This session demonstrates how to implement advanced network monitoring and analysis using AWS’s native services. Learn to leverage VPC Flow Logs, AWS Network Firewall Logs, Route 53 Resolver Logs, AWS WAF Logs and other data sources for traffic analysis. Discover practical implementation of tools for enhanced security and real-time monitoring. Walk away with reference architectures and best practices for building robust network visibility solutions that scale across your AWS environment while maintaining performance. Perfect for security teams modernizing their network defense strategy.
NIS321 | Lightning talk | How Meta enabled secure egress patterns using AWS Network Firewall
Speakers: Syed Shareef (AWS), Robin Rodriguez (AWS)
Meta envisions 2025 as the breakthrough year for its leading AI assistant, aiming to reach over 1 billion people with highly intelligent and personalized interactions. Partnering with AWS, Meta has made substantial investments in AI infrastructure, providing its developers with specialized compute resources for AI training. To secure this ambitious initiative, Meta has had to evolve not just their cloud security but also culture and mindset to secure a growing AWS footprint/infrastructure. Meta leverages AWS Network Firewall (ANF) to centrally inspect and filter VPC traffic before reaching external destinations, using rule-based filtering to control domain access, block malicious IPs, and prevent data exfiltration.
NIS322 | Lightning talk | I didn’t know Network Firewall could do that!
Speakers: Brandon Carroll (AWS), Mary Kay Sondecker (AWS)
This lightning talk will uncover powerful yet often overlooked capabilities that can transform your network security game. In just 20 minutes, we’ll speed through eye-opening features including flow capture and flush operations, advanced Suricata rule capabilities, dynamic packet filtering tricks, and lesser-known integration patterns that even experienced practitioners might have missed. From stateful traffic manipulation to sophisticated protocol inspection and real-world architectural patterns, you’ll discover practical techniques to leverage AWS Network Firewall’s full potential. Whether you’re managing complex multi-account deployments or hunting for advanced threats, this rapid-fire session will equip you with new tools for your security arsenal.
NIS323 | Lightning talk | WAF logs to security gold: A 20-minute dashboard revolution
Speakers: Emmanuel Isimah (AWS), Victor Babasanmi (AWS)
Drowning in AWS WAF logs? Transform raw security data into actionable insights with Amazon CloudWatch dashboards. In this high-energy session, discover how to build powerful visualizations that expose threats in real-time. We’ll cut through the complexity to show you battle-tested patterns for threat detection and alerting that security teams love. Twenty minutes to level up your WAF monitoring game – no fluff, just results.
NIS421 | Lightning talk | VPN-less access to AWS private services with AWS Verified Access
Speakers: John Sol (AWS), Mike Cornstubble (AWS)
In hybrid environments where employees need to access a file server outside their corporate network, they typically use a VPN. This session demonstrates how to establish secure, VPN-free connectivity to an Amazon FSx for Windows File Server using the new TCP protocol support of AWS Verified Access (AVA). Learn how AVA provides fine-grained access controls using AWS.
Interactive sessions (builders’ sessions, code talks, and workshops)
Interact with small groups led by an AWS expert providing interactive learning about how to build on AWS. Each builders’ session begins with a short explanation or demonstration of what attendees are building, then it’s your turn to build! The expert guides you end-to-end through this hands-on experience. Or join code talks, our code-focused interactive sessions where AWS experts lead a discussion featuring live coding or code samples as they illuminate the why behind AWS solutions. Attendees are encouraged to ask questions and follow along.
Workshops are 2-hour interactive sessions where you collaborate in teams or work individually to solve real-world challenges by using AWS services, making them perfect for hands-on learning. Each workshop begins with a brief lecture, followed by dedicated time to work through the problem.
Note: Don’t forget to bring your laptop to build alongside AWS experts.
NIS251 | Builders’ session | Build dashboards to gain visibility into your network perimeter
Speakers: Victor Babasanmi (AWS), Tom Adamski (AWS), Todd Pula (AWS), Vamsi Manthapuram (AWS)
Effective network security requires comprehensive visibility into your security posture and traffic patterns. This hands-on session demonstrates how to build and customize Amazon CloudWatch dashboards for real-time insights into AWS Network Firewall operations. Learn to visualize critical metrics including dropped packets, traffic patterns, and potential threats. We’ll explore creating dynamic widgets to track stateful rule matches, analyze top talkers, and identify suspicious patterns. Through step-by-step guidance, discover how to monitor bandwidth utilization, track rule effectiveness, and create custom alarms. Leave with ready-to-implement templates for enhancing your security operations. You must bring your laptop to participate.
NIS252 | Builders’ session | Mastering Amazon VPC Block Public Access for secure cloud networks
Speakers: Ankush Goyal (AWS), Salman Ahmed (AWS), Kunj Thacker (AWS)>, Ravi Kumar (AWS)
Join this interactive workshop to explore Amazon VPC Block Public Access, a feature designed for secure, scalable cloud environments. Learn to block ingress and egress traffic, enforce compliance, and configure granular exclusions for public and private subnets, with a focus on both IPv4 and IPv6 traffic. Through practical labs, you’ll enable Block Public Access, create exclusions, and use Reachability Analyzer to test connectivity before and after enabling the feature. By the end, you’ll be equipped to secure VPCs effectively while maintaining flexibility for modern workloads. You must bring your laptop to participate.
NIS351 | Builders’ session | Streamlining DNS resource sharing across multiple VPCs and accounts
Speakers: Aanchal Agrawal (AWS), Anushree Shetty (AWS), Mike Torro (AWS), Tyler Pack (AWS)
Amazon Route 53 Profiles is an innovative feature of Route 53 that enables the effortless sharing of hosted zones, resolver rules, and DNS firewall rules across multiple VPCs. This builders’ session will guide you through the process of creating Route 53 profiles and demonstrate how to restrict access using various features tailored to your specific needs, such as different environments. You must bring your laptop to participate.
NIS352 | Builders’ session | Accessing private VPC resources using CloudFront VPC origin
Speakers: Anushree Shetty (AWS), Ramya Mikkilineni (AWS), Aanchal Agrawal (AWS), Anjana Krishnan (AWS)
You can now privately access Amazon VPC resources, including load balancers and Amazon Elastic Compute Cloude (Amazon EC2) instances, and restrict these resources to be only accessed via Amazon CloudFront distribution through a new feature in CloudFront. In this builders’ session, we will set up a website located in a private subnet and access it via a CloudFront distribution. You must bring your laptop to participate.
NIS353 | Builders’ session | Scaling threat prevention on AWS with Suricata
Speakers: Ivo Pinto (AWS), Jesse Lepich (AWS), Michael Leighty (AWS), Miguel Silva (AWS)
Suricata is an open-source network intrusion prevention system (IPS) that includes a standard rule-based language for stateful network traffic inspection. AWS Network Firewall lets you define rules to inspect and control traffic to and from your VPC using IP, port, protocol, domain names, and general pattern matches. Building rules, in this format, for your security needs can be challenging but rewarding. During this session you will learn how you can utilize Suricata-compatible rules in AWS Network Firewall and build rulesets for common use cases as well as complex scenarios. You must bring your laptop to participate.
NIS354 | Builders’ session | Use AWS PrivateLink to set up private access to Amazon Bedrock
Speakers: Akshay Karanth (AWS), Du’An Lightfoot (AWS), Mike Gillespie (AWS), Salman Ahmed (AWS)
When building generative AI applications using Large Language Models on Amazon Bedrock, customers want to generate responses without going over the public internet or without exposing your proprietary data. This builders’ session introduces the Amazon Bedrock VPC endpoint, powered by AWS PrivateLink, as a solution for establishing secure and private connections between customer VPCs and Amazon Bedrock services. You’ll learn how this technology enables communication without public IP addresses, mitigating potential threat vectors from internet exposure. We’ll cover security challenges in generative AI, the architecture of VPC endpoint solution, and hands-on labs for implementation. You must bring your laptop to participate.
NIS451 | Builders’ session | Troubleshooting real-world perimeter protection scenarios
Speakers: Tzoori Tamam (AWS), Manuel Pata (AWS), Kaustubh Phatak (AWS)
Suspicious of an activity spike? Seeing odd traffic patterns? Introduced a new AWS WAF rule and want to make sure it is operating as it should? Join this session for a walkthrough of a day in the life of a security engineer operating AWS WAF, reviewing dashboards, exploring data in the logs, and building new dashboard widgets to make your life easier. You must bring your laptop to participate.
NIS341 | Code talk | A deep dive into Amazon VPC Lattice granular security
Speakers: Pablo Sánchez Carmona (AWS), Cristobal Lopez Callejon (AWS)
Join us for a session exploring Amazon VPC Lattice’s security capabilities and fine-grained access controls. We’ll explore authentication mechanisms, authorization policies, and service-level permissions that enable precise control over network traffic between services. You’ll learn how to leverage authorization policies in VPC Lattice to create layered security controls, and see practical examples of implementing Zero Trust principles within your application network. The session will cover best practices for auditing and monitoring service-to-service communications, managing cross-account access, and implementing security patterns for microservices architectures.
NIS342 | Code talk | Sticky situations: Building advanced AWS WAF honeypots for better security
Speakers: Harith Gaddamanugu (AWS), Manuel Pata (AWS)
Discover how to transform AWS WAF into a powerful threat intelligence platform by building sophisticated honeypots that attract, analyze, and adapt to emerging threats. In this code talk, we’ll demonstrate how to combine AWS WAF with AWS Lambda functions to create intelligent traps that not only capture malicious activity but also generate actionable security insights. Through live coding demonstrations, you’ll learn to implement advanced honeypot techniques including dynamic bait generation, automated attacker profiling, and real-time threat pattern analysis.
NIS231 | Chalk talk | High noon duel: Live events tamed by AWS WAF
Speakers: Tzoori Tamam (AWS), Harith Gaddamanugu (AWS)
In this thrilling session, we’ll build a robust protection setup using AWS WAF and Amazon CloudFront, demonstrating how to fend off increasingly sophisticated live attacks. Learn to leverage CloudFront, configure rate-based rules, implement WAF-managed rules and bot control, and create custom defenses. As we construct our digital fortress, our resident “black hat” will launch progressively complex attacks, showcasing how each layer of defense performs under pressure. Suitable for both newcomers and experienced AWS security professionals.
NIS331 | Chalk talk | Enhance your cloud security infrastructure using Zero Trust techniques
Speakers: Pablo Sánchez Carmona (AWS), Adam Palmer (AWS)
Traditional perimeter-based security and network segmentation often fall short in today’s dynamic microservices environments, creating operational overhead and potential security gaps. Join us in this session to discuss how to evolve beyond conventional security models by implementing Zero Trust architecture in AWS. We will cover different services and techniques such as AWS Verified Access in the human-to-application connectivity, Amazon VPC Lattice for service-to-service communication, and the use of AWS Verified Permissions for fine-grained application authorization. We’ll explore how these services can work together to enable continuous authentication.
NIS332 | Chalk talk | Build secure connectivity with Amazon VPC Lattice and AWS PrivateLink
Speakers: Alexandra Huides (AWS), Jordan Rojas Garcia (AWS)
In this chalk talk, we review the best practices and reference architectures for building secure connectivity with Amazon VPC Lattice and AWS PrivateLink. We focus on service and resource oriented connectivity as we dive into the new VPC Lattice capabilities, such as support for VPC Resources and service network endpoints, and cross-Region support for AWS PrivateLink.
NIS333 | Chalk talk | Build defense-in-depth network designs to safeguard apps and data
Speakers: Raghavarao Sodabathina (AWS), Brian Soper (AWS)
Strong adherence to architecture best practices and proactive controls are the foundation of web application security. These techniques allow developers to build applications that are more resilient. In this chalk talk, learn how to build a layered network security approach to achieve defense-in-depth; to protect, detect, and respond to issues faster; and to accelerate your secure migrations to AWS. Discover key considerations, best practices, and reference architectures that include Amazon VPC, Amazon Route 53, Amazon CloudFront, AWS WAF, AWS Shield, Application Load Balancer, and AWS Elastic Disaster Recovery to achieve your defense-in-depth objectives.
NIS431 | Chalk talk | Cloud network defense: Advanced visibility and analysis on AWS
Speakers: Kyle Hanrahan (AWS), Anand Kumar Mandilwar (AWS)
Organizations struggle to maintain comprehensive network visibility in complex cloud environments. This session demonstrates how to implement advanced network monitoring and analysis using AWS’s native services. Learn to leverage VPC Flow Logs, AWS Network Firewall Logs, Route 53 Resolver Logs, WAF Logs and other data sources for traffic analysis. Discover practical implementation of tools for enhanced security and real-time monitoring. Walk away with reference architectures and best practices for building robust network visibility solutions that scale across your AWS environment while maintaining performance. Perfect for security teams modernizing their network defense strategy.
Register Now
Don’t miss this opportunity to learn from industry experts and AWS leaders about building secure, automated, and observable cloud foundations. Register for AWS re:Inforce 2025 today to reserve your spot in these Network and Infrastructure Security sessions covering everything from Zero Trust implementations to advanced DDoS protection, network visibility, and defense-in-depth strategies. Browse the full re:Inforce catalog to explore additional tracks, partner sessions, and code talks that can complement your network security journey.
If you have feedback about this post, submit comments in the Comments section below.
