Taking on AWS re:Inforce by Force

AWS re:Inforce 2019, the first security-focused AWS event, was held at the Boston Convention and Exposition Center, an incredible 516,000 sq ft modern-art, well-architected venue of steel and glass. The event occupied 4 floors, with ground 0 being the main expo of vendor booths, buffet lunch, and breakfast meals. They kept the same AWS feel of their other events. This was a common experience in their organization, keeping the registration process clean and clear with early badging/onsite registration (I think they’re starting to learn their lesson), in addition to offering a great variety of topics and presenters.

One item they did not carry over from the Summits (which I am grateful for) was the “certified engineer lounge”, which had offered coffee, chairs and charging stations to those who held an official cert. It felt odd, at previous events, sitting with my phone charging and watching the plebs wander by. Instead, re:Inforce had lots of areas where work and charging could be done without the “Elite” status of being certified, which dispelled the pretentious air.

There was an arcade center and coffee bar at the “Well-Architected Lounge” in which anyone could participate. The staff from PAX East (a video game nerd event) were very enthusiastic about the arcade games. Not to mention that the coffee station had a “printer” which could take your photograph and then print it onto the foam of your coffee/cappuccino.

There were also some challenges AWS events have yet to overcome. Most classes were ‘sold-out’ or ‘walk-up only’ a short time after event topics opened for seat reservation, a month before. There were a lot of LONG walk-in lines at the most popular topics, many of which were the hands-on labs, which had 8-10 tables in a single venue room with only 6-8 seats per table. At one point there was a walk-in line over 70 people long. People at the back actually stuck it out for half an hour hoping to get one of the remaining seats on their chosen topic.

In the past there have been whitepapers, presentations and numerous discussions regarding the security technologies present, leveraged and integrated in AWS Cloud Services. Their shared security model was hammered on repeatedly, informing the unaware that AWS takes care of the hardest piece, the one a lot of smaller and start-up companies fall down on: providing the proper security for their infrastructure. This was the buzz phrase of several topics, presentations and side-bar conversations. AWS also provides heavy infrastructure at a low introductory cost (proper redundancy, high availability and durability) while maintaining the security-first focus, which is truly unmatched (as one of the opening keynote presentations spoke to, with some small digs at competitors).

AWS offered a security specialty exam in the past; it returned a couple of years ago with a beta round and then the latest full specialty certification. re:Inforce offered onsite testing, bootcamps, and smaller “exam preparedness” courses. Having our security pod onsite with two certs already in hand made the event a reassurance of our knowledge and progressive stance in the AWS security space.

AWS and those in the cloud space often describe security as ground 0, the first level of any project in the public cloud. Professionals in the info-sec space know the potential dangers and concerns of putting private data anywhere accessible outside of the private network, and the difficulty of maintaining the security of that data. Every week, month, and year it seems like another team, large or small, has been compromised due to a misunderstanding of the configuration requirements for securing their architecture. As the largest cloud services provider, AWS is challenged by its large attack surface across many different offerings. Trolling public S3 buckets, broken DB tables and security groups, or permissive permission policies are all too common and were spoken to repeatedly. AWS continues to move towards a strong security posture on all fronts.

Every Summit, re:Invent and sometimes even AWS pop-ups have a number of “surprise” releases for new services or enhancements. At this point everyone was trying to guess what security-related offerings this event held in store, and it is doubtful anyone was disappointed:

  • Opt-in for default EBS encryption – Enables encryption on new volumes, making it easier for people to do the right thing (encryption-at-rest)
  • VPC Traffic Mirroring – IDS, DLP and Forensics companies will all have major stakes in this development. Several key vendors were privy to early integration and had products dropped that same day.
  • Security Hub and Control Tower are now GA – Both offer a central location for a variety of security-related offerings, and most of us see them as boilerplate for other services, lowering the bar for proper security entry.

During the event, there was a “Security Jam” which we participated in. The Jam was held in “Capture the Flag” style, which offers competitors a series of different challenges that they have to solve to uncover a special string, the flag, that verifies the puzzle was solved. We came in strong. Even though we started late, we held 4th place for a long time and came two questions away from tying for first. The topics ranged from secure architecture and IAM permissions to some more bizarre forensics and IoT security scenarios. We’re definitely planning a full assault at re:Invent this winter.

Next year re:Inforce will be held in Houston, TX on June 16th and 17th; the start date was announced right in the kick-off keynote. It is clear they are continuing to make security a priority in their documentation, training and offerings.

Check out the re:Inforce recordings here: https://www.youtube.com/playlist?list=PLhr1KZpdzuke2ncPH0DVp9PswBFY5dIl6

Hope to see you at my first re:Invent in early December (2nd – 6th) https://reinvent.awsevents.com/ 

Say “Hi” – you can’t miss us in our RunAsCloud blue attire.

Cai Walkowiak



Capital One and EC2 Hack – an Overview

By Nate Aiman-Smith | August 5, 2019 |

There’s been a ton of coverage of the recently discovered Capital One breach. I’m generally very skeptical when AWS security makes the news; so far, most “breaches” have been a result of the customer implementing AWS services in an insecure manner, usually by allowing unrestricted internet access and often overriding defaults to remove safeguards (I’m looking at you, NICE and Accenture and Dow Jones!). Occasionally, a discovered “AWS vulnerability” impacts a large number of applications in AWS – and it also impacts any similarly-configured applications that are *not* in AWS (see, for example, this PR piece…um,…
