My Key Takeaways from AWS re:Inforce 2023
The much-awaited AWS re:Inforce 2023 videos have finally landed on YouTube. You can now pick your favorite track and watch the sessions at your own pace here - https://www.youtube.com/@AWSEventsChannel/playlists?view=50&sort=dd&shelf_id=2.
This year’s re:Inforce was a real treat, with talks introducing a host of new security services and features. While the number of new security services was limited, there were plenty of new security features introduced in existing services. And let’s not forget the plethora of sponsored talks that came with re:Inforce 2023.
Friendly Reminder: All sessions have their talk ID in the YouTube videos (like
APS202
,IAM302
, etc). All sponsored talks have a suffix of-S
(likePRT211-S
,TDR206-S
, etc), so you can easily skip the talks if you wish.
TL;DR:
- AWS re:Inforce 2023 videos are now available on YouTube
- Major themes included zero trust, data security, incident response, and customer experiences
- New services launched include Amazon CodeGuru Security, Amazon Security Lake, and Amazon Bedrock
- New features were added to Amazon Detective, Amazon Inspector, AWS WAF, Amazon S3, and DynamoDB
Major Themes
After binge-watching all the non-sponsored re:Inforce talks, I noticed a few recurring themes:
- Zero trust and least privilege are getting even better - There were some fascinating talks on Human-to-Application communication (using AWS Verified Access), Service-to-Service communication (using VPC Lattice) and fine-grained authorization for apps (using Amazon Verified Permissions).
- Data Security is getting the spotlight - Whenever I chat about securing AWS with other security folks, data security often comes up last. Part of the reason is not knowing where to start. The talks in this event provide a great starting point for data security.
- Incident Response is being evangelized, especially with the use of Amazon Detective. This service has immense potential. Unlike Security Hub, which mostly collates data to a single place, Amazon Detective correlates findings. The only downside, I feel, is its pricing.
- Customer experience with AWS security services - Many talks shared the experiences of AWS customers who used the security services/features. It’s like a sneak peek into what your journey might look like if you decide to follow in their footsteps.
New services
- Amazon CodeGuru Security (PREVIEW) - This is a SAST service that uses machine learning to automate code analysis from the IDE to production. It currently covers Java, Python, and JavaScript, with more languages on the way. In some cases, it can even provide code fixes for identified vulnerabilities. (Video)
- Amazon Security Lake is now generally available. It’s a one-stop-shop for data across AWS logs, other cloud providers, on-prem, and SaaS services. It optimizes all data, making it efficient to query and store for the long term. Also, Amazon OpenSearch can ingest data from Amazon Security Lake making the visualization part easier. (Video)
- Amazon Bedrock - This managed service lets users build and deploy generative AI models within their own accounts, following their encryption and security policies. It ensures that user data is not used to improve the models, shared with other customers, or shared with third-party model providers. (Video)
New features
- Amazon Detective now groups Amazon Inspector and Amazon GuardDuty findings. Detective uses ML to infer relationships between findings and groups them together. This feature allows you to examine multiple activities as they relate to a single security compromise event. (Video)
- Amazon Inspector now supports exporting software bill of materials (SBOM) and code scanning in Lambda (now generally available). The SBOM feature provides an inventory of all your packages and applications, which can be exported in SPDX and CycloneDX formats. The Lambda code scanning feature scans for code vulnerabilities like OWASP Top 10 in your Lambda functions. (Video)
- AWS WAF has released a new feature “Account Creation Fraud Prevention”. This feature monitors sign-up or registration pages for unusual digital activity and blocks it based on identifiers like IP addresses, client data, request attributes, and client behavior. It also checks for browser automation, inconsistencies in client telemetry, and reputation scores. Plus, unlike WAF ACLs, the challenge and captcha actions are free for Fraud Control. (Video)
- Amazon S3 now supports dual-layer server-side encryption with keys stored in KMS (DSSE-KMS). Also, server-side encryption with customer-provided keys is termed as SSE-C. Both these options might be used by companies in highly-regulated industries. (Video)
- AWS Database Encryption SDK for DynamoDB provides client-side encryption library (PREVIEW). It supports attribute-level encryption and searchable encrypted attributes, improving performance and multi-tenancy. Currently, it’s a Java library and only for DynamoDB. (Video)
The technical talk I loved the most
AWS re:Inforce 2023 - Security design of the AWS Nitro System (DAP401) - This technical talk was a deep dive into the AWS Nitro System and its components like Nitro Cards, Nitro Security Chip, and Nitro Hypervisor.
That’s all for now, folks! I hope you find these resources as useful as I did. Please share this blog post with others who would find this useful.
Happy learning!
If you have any doubts/ideas/suggestions, feel free to reach out on LinkedIn.