Amazon Web Service (AWS) Security Conference: Re:inforce 2019 - Recap (What they didn’t tell you on stage)

This article was originally published on my medium page.

Amazon Web Services (AWS) are the largest Cloud provider service in the world period. I won’t need to explain anything more about them, so you can imagine when they announce their first AWS Security conference, it was going to be big.

The conference was everything you can imagine a security conference to have — Security product booths, SWAGs, Food, magicians, unicycle artists, vintage game booths, metal detectors, sniffer dogs (this is Boston after all :)). The conference would have had about 12,000 attendees from about 50 countries being represented over 2 days of talks, workshops, bootcamps, security jams and capture the flags. Amazing opportunity to learn from others and share stories and share meal/margaritas with some to make life-long friends.

The conference was kicked off by a Keynote from Steve Schmidt, the CISO of AWS. I will only go into major annoucements from the keynote and the fine print they excluded from the talk. <insert devil’s advocate emoji>

Major Annoucements

• VPC Traffic Mirroring for Amazon EC2 instances
• AWS Security Hub is GA
• AWS Control Tower is GA
• Encryption by default available for opt-in on EBS volumes
• AWS Certificate Manager supports root CA hierarchies
• AWS Marketplace now integrated with procurement system

Fine Print that was not included on the stage

• VPC Traffic Mirroring is only available for EC2 instances using Nitro-based Instances.
• VPC Traffic Mirroring is kind of GA but not really. Sydney and China regions are currently not supported.
• AWS Security Hub was beta was primarily free so far, now you would need to pay for using it.
• Control Tower is only available in 3 (US East, US West and Europe) instead of all regions (or even 15 regions like Security Hub) so not really sure how this is GA. <insert confused cloud emoji>
• Encryption by default is only available on new EBS volumes but not enabled automatically on existing EBS Volumes. The old EBS volumes will still need to have encryption enabled. Update (based on feedback-3Jul2019): — (i)This feature is only available for nitro system based instance types (ii)Once enabled you will not be able to launch any more C1,M1, M2 or T1 instance types or attach newly encrypted EBS volumes to existing instance of these types.
• AWS Marketplace integration of procurement system is only available with Coupa, other providers have to use industry standard open procurement communication protocol, commerce XML (cXML) to integrate, if needed.

All these annoucements will help continue a positive evolution of how everyone architects their products and solutions in AWS. Feel free to listen to the whole keynote on youtube in your own time. Some of the other highlights included success stories of Liberty Mutual Insurance and Capital One that were shared during the keynote. Both the companies have launched their products too Radar by Liberty Mutual Insurance and Critical Stack by Capital One.

Personal takeways from the conference

My personal take-aways and moments that I will cherish from the 2 day AWS re:inforce conference

• Steve Schmidt throwing few punches at their competitors in the first few mins of the keynote on the recent region failures the competition experienced compared to minimal outage from AWS.
• Fun fact shared; 95% of internet web traffic is HTTPS or encrypted but about 90% of Internet of Things (IoT) traffic is HTTP or unencrypted.
• AWS are noticing the shift to containerisation, serverless and the use of AppMesh to manage security across multiple clusters.
• Key Takeway from Liberty Insurance section of keynote— Have flexible set of guardrails
• 2 Key takeaway from the Capital One part of the talk was — “cyber is changing from a trained craft to a science based profession” & “A multi-layer approach to safeguarding data is a hallmark of cloud native companies”
• Changes in the way folks will do Security Audit, a cloud first company would have APIs which their auditors can consume to know the change in state from the last audit. No one would want auditors with check-list spread sheets.
• Anomaly detection and machine learning driven security would mean security can use predictive intelligence to spend time working on complex problems.
• Physical security is being affected by technology and algorithms to detect intruders via security video feed and not rely on a human manning the video feed.
• “DevSecOps” — Like every security professional out there, security should always be there in everything you care about but the term helps get the message across to mostly everyone across the tech landscape.
• Getting selfies with security peers from around the world. :)

Overall message from all the speakers in the conference was a hope that every conference attendee would hopefully takeaway a “tool, feature or service that helps make you more secure” when they leave the conference after the 2 days.

All the talks from the conference are available online, I would recommend watching the talks related to the following topics

• VPC Mirroring
• Serverless Security
• Container Security
• Governance and Compliance as Code
• SOAR (Secure, Operate, Automate, Repeat) for incident response folks

What was your takeaway from the 2 days of AWS #reinforce 2019?

Help me improve this article by leaving a comment if you see something that I have listed is wrong?