In this session, learn how Vanguard has matured their IAM controls and automation to support a micro-account strategy, providing further agility to developers while reducing blast radius and improving governance. You learn how Vanguard uses STS Federation at the OU level, builds common roles across all micro accounts, implements AWS Organizations SCPs, and uses different network control zones for admin vs. non-admin functions. Vanguard also shares how they are using AWS Lambda to block escalation of privilege.
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Amazon Web Services
Are you interested in becoming a IAM policy master and learning about powerful techniques for controlling access to AWS resources? If your answer is “yes,” this session is for you. Join us as we cover the different types of policies and describe how they work together to control access to resources in your account and across your AWS organization. We walk through use cases that help you delegate permission management to developers by demonstrating IAM permission boundaries. We take an in-depth look at controlling access to specific AWS regions using condition keys. Finally, we explain how to use tags to scale permissions management in your account. This session requires you to know the basics of IAM policies.
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
GE has very deep security requirements for their cloud applications. In this session, hear their story on replacing on premises complex solutions with AWS native services like Amazon GuardDuty, VPC Flow logs, AWS CloudTrail, and AWS Config rules. Learn how large enterprises can accelerate their cloud adoption by meeting established security standards with AWS native services. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.
How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...Amazon Web Services
Zocdoc, an online healthcare scheduling service, receives more than 6 million patient visits monthly. In less than 12 months, Zocdoc became a cloud-first organization to meet their business goals. This digital transformation allowed for rapid innovation and the ability to deliver products that align with demands of the 21st-century patient. In this session, Brian Lozada, CISO at Zocdoc, and Jay Ball, Head of Application Security, explain how Zocdoc uses AWS security services to seamlessly and automatically monitor, audit, and enforce their security policies within all their AWS environments. They use AWS security services, such as AWS Config, Amazon GuardDuty, Amazon Inspector, and AWS Shield, while using AWS Lambda functions to augment their security team, all without slowing down their developers.
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
The AWS Landing Zone solution provides a consolidated collection of AWS best practices, prescriptive guidance, and templates for automatically configuring and securing AWS multi-accounts, networks, and core services. In this workshop, you will learn the Landing Zone solution design. With your laptop, you will go through demonstrations of AWS Landing Zone deployment, automated new account creation using the built-in account vending machine, and Landing Zone customization for additional services. You will leave the workshop with an understanding of the AWS Landing Zone solution mechanisms, CI/CD deployment pipeline, and Landing Zone extension methods. This workshop is intended for architects, IT administrators, and engineers of consulting and technology partners as well as customers who will design, deploy, extend, or operate AWS Landing Zones. We encourage you to attend the full AWS Landing Zone track including SEC303; search for #awslandingzone in the session catalog.
Stephen Schmidt, Chief Information Security Officer at AWS, addresses the current state of security in the cloud, with a particular focus on feature updates, the AWS internal "secret sauce," and what's on horizon in terms of security, identity, and compliance tooling.
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...Amazon Web Services
SaaS presents developers with a unique blend of architectural challenges. Supporting a multi-tenant model often means re-thinking your approach to almost every layer of your architecture. Onboarding, security, data partitioning, tenant isolation, identity—these are areas that must be factored into how you design, build, and deploy your SaaS solution. Of course, the best way to wrap your mind around these SaaS architectural principles is to dig into a working example. In this workshop, we’ll expose you to the core concepts of SaaS architecture then dive into a reference SaaS architecture where you can see the moving parts of a SaaS solution in action. The goal here is to provide a series of activities that allow you to interact with a functional solution, introducing code and configuration that realizes and extends the capabilities of this SaaS environment. Through this combination of a brief lecture and hands-on exercises, you’ll get a healthy dose of SaaS best practices all through the lens of a working reference solution.
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Amazon Web Services
Operating a security practice on AWS brings many new challenges and opportunities that have not been addressed in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session, learn how your security team can leverage AWS Lambda as a tool to monitor, audit, and enforce your security policies within an AWS environment.
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Amazon Web Services
Are you interested in becoming a IAM policy master and learning about powerful techniques for controlling access to AWS resources? If your answer is “yes,” this session is for you. Join us as we cover the different types of policies and describe how they work together to control access to resources in your account and across your AWS organization. We walk through use cases that help you delegate permission management to developers by demonstrating IAM permission boundaries. We take an in-depth look at controlling access to specific AWS regions using condition keys. Finally, we explain how to use tags to scale permissions management in your account. This session requires you to know the basics of IAM policies.
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
GE has very deep security requirements for their cloud applications. In this session, hear their story on replacing on premises complex solutions with AWS native services like Amazon GuardDuty, VPC Flow logs, AWS CloudTrail, and AWS Config rules. Learn how large enterprises can accelerate their cloud adoption by meeting established security standards with AWS native services. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.
How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...Amazon Web Services
Zocdoc, an online healthcare scheduling service, receives more than 6 million patient visits monthly. In less than 12 months, Zocdoc became a cloud-first organization to meet their business goals. This digital transformation allowed for rapid innovation and the ability to deliver products that align with demands of the 21st-century patient. In this session, Brian Lozada, CISO at Zocdoc, and Jay Ball, Head of Application Security, explain how Zocdoc uses AWS security services to seamlessly and automatically monitor, audit, and enforce their security policies within all their AWS environments. They use AWS security services, such as AWS Config, Amazon GuardDuty, Amazon Inspector, and AWS Shield, while using AWS Lambda functions to augment their security team, all without slowing down their developers.
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
The AWS Landing Zone solution provides a consolidated collection of AWS best practices, prescriptive guidance, and templates for automatically configuring and securing AWS multi-accounts, networks, and core services. In this workshop, you will learn the Landing Zone solution design. With your laptop, you will go through demonstrations of AWS Landing Zone deployment, automated new account creation using the built-in account vending machine, and Landing Zone customization for additional services. You will leave the workshop with an understanding of the AWS Landing Zone solution mechanisms, CI/CD deployment pipeline, and Landing Zone extension methods. This workshop is intended for architects, IT administrators, and engineers of consulting and technology partners as well as customers who will design, deploy, extend, or operate AWS Landing Zones. We encourage you to attend the full AWS Landing Zone track including SEC303; search for #awslandingzone in the session catalog.
Stephen Schmidt, Chief Information Security Officer at AWS, addresses the current state of security in the cloud, with a particular focus on feature updates, the AWS internal "secret sauce," and what's on horizon in terms of security, identity, and compliance tooling.
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...Amazon Web Services
SaaS presents developers with a unique blend of architectural challenges. Supporting a multi-tenant model often means re-thinking your approach to almost every layer of your architecture. Onboarding, security, data partitioning, tenant isolation, identity—these are areas that must be factored into how you design, build, and deploy your SaaS solution. Of course, the best way to wrap your mind around these SaaS architectural principles is to dig into a working example. In this workshop, we’ll expose you to the core concepts of SaaS architecture then dive into a reference SaaS architecture where you can see the moving parts of a SaaS solution in action. The goal here is to provide a series of activities that allow you to interact with a functional solution, introducing code and configuration that realizes and extends the capabilities of this SaaS environment. Through this combination of a brief lecture and hands-on exercises, you’ll get a healthy dose of SaaS best practices all through the lens of a working reference solution.
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Amazon Web Services
Operating a security practice on AWS brings many new challenges and opportunities that have not been addressed in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session, learn how your security team can leverage AWS Lambda as a tool to monitor, audit, and enforce your security policies within an AWS environment.
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018Amazon Web Services
Traditional data center environments have regarded the network boundary as a stable perimeter of defense, using gateway firewalls for effective protection. The public cloud, however, is exposing a plethora of hosted services directly to its users, bypassing traditional network filtering technologies, and effectively creating new perimeters around the various services and data element. Examples of these new perimeters include Amazon S3 buckets, Amazon EBS snapshots, and AWS Lambda functions. This session is brought to you by AWS partner, Dome9 Security Inc.
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...Amazon Web Services
In this session, we discuss how you should be building your runbooks and security incident report system (SIRS) using your company's real-world configuration and processes. Our goal is to give you an easier way to start your runbooks and create a SIRS. Now you can be the hero for your company by building a strategy and finding out how secure you are. You also learn more about why you should be running a DevSecOps pipeline and how it will help your team find threats in your production environment. Finally, learn how things are different in each level of environment and where your developers should be working.
Policy Verification and Enforcement at Scale with AWS (SEC320) - AWS re:Inven...Amazon Web Services
In an ever-growing cloud environment, scaling to a number of accounts can range in the thousands— where edge cases dominate your firm’s spectrum and changes in your environment happen quickly. The Goldman Sachs cloud engineering team finds enforcement of best security practice as a growing concern. With developers managing infrastructure as code (IaC), learn how Goldman Sachs uses distributed serverless logging pipelines and leverages AWS formal verification tools to help enforce access policy in the process. In this session, we cover AWS Config, AWS Lambda, Amazon DynamoDB, and Amazon Simple Notification Service (Amazon SNS) as distributed infrastructure that can help catch security issues early and remediate those that happen unexpectedly.
Secure your AWS Account and your Organization's Accounts Amazon Web Services
The cloud enables users to run workloads more securely than they could in a traditional data center. However, customers are still not sure how to harden their AWS accounts and resources in order to enforce compliance. Consistency around governance can also be a concern when large customers have multiple accounts. In this session, we show you how to use automation, tools, and techniques to harden and audit your AWS account as well as how to leverage AWS Organizations to ensure compliance in your enterprise.
Evolve Your Incident Response Process and Powers for AWS Amazon Web Services
You want your current incident response (IR) runbooks to account for your AWS workloads ASAP, and eventually, you want cloud-based IR superpowers, too. In this session, we cover the basics that you must get in place, runbook updates specific to AWS, and we show you how to build initial IR capabilities that blend well with existing processes and partner offerings. We also walk through a hypothetical IR scenario for an AWS environment that uses an evolved on-premises IR runbook that accounts for the differences of an AWS environment. In this scenario, we demonstrate unique AWS platform capabilities for IR success. Go beyond updating your IR runbooks, and start your journey toward gaining cloud-based IR superpowers today!
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...Amazon Web Services
Performing forensics on AWS resources is a new experience for many customers who might have older runbooks based on on-premises workflows using manual steps, or perhaps no processes in place at all. In this session, get a deeper insight into the various runbooks to perform practical forensic tasks on AWS resources like Amazon EC2 instances, using a combination of industry tooling, AWS serverless services like AWS Lambda and AWS Step Functions, and managed services like Amazon Athena.
AWS supports logging in with Federated Access, using SAML or integration with Active Directory. This is integrated with user Roles in AWS which provide the permissions to access various services. in this session we will explain the options for authentication. we will cover basic access control concepts and in addition we will use AWS Systems Manager to talk about how you can also facilitate secured access to your Instances.
AWS Services: IAM, AWS SSO, Managed Active Directory, AWS Systems Manager (With Demo)
Augmenting Security Posture and Improving Operational Health with AWS CloudTr...Amazon Web Services
Enabling AWS CloudTrail for auditing purposes is often a corporate mandate, but do you know how to use CloudTrail events to improve your security and operational posture? Come learn how CloudTrail can help improve your operational monitoring and troubleshooting, security analysis, and compliance auditing processes. Discover best practices for setting up and using CloudTrail; explore use cases for data mining CloudTrail event data; learn how to set up alerts based on activity in your account; and learn about advanced use cases. Also learn how to implement data plane governance autoEnabling AWS CloudTrail for auditing purposes is often a corporate mandate, but do you know how to use CloudTrail events to improve your security and operational posture? Come learn how CloudTrail can help improve your operational monitoring and troubleshooting, security analysis, and compliance auditing processes. Discover best practices for setting up and using CloudTrail; explore use cases for data mining CloudTrail event data; learn how to set up alerts based on activity in your account; and learn about advanced use cases. Also learn how to implement data plane governance automation using data events from Amazon S3 and AWS Lambda.
mation using data events from Amazon S3 and AWS Lambda.
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Amazon Web Services
Join us for this hands-on workshop where you learn about a number of AWS services involved with threat detection and remediation as we walk through some real-world threat scenarios. Learn about the threat detection capabilities of Amazon GuardDuty, Amazon Macie, AWS Config, and the available remediation options. For each hands-on scenario, we review methods to remediate the threat using the following services: AWS CloudFormation, Amazon S3, AWS CloudTrail, Amazon VPC flow logs, Amazon CloudWatch Events, Amazon SNS, Amazon Macie, DNS logs, AWS Lambda, AWS Config, Amazon Inspector and, of course, Amazon GuardDuty.
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Amazon Web Services
Credential compromise in the cloud is not a threat that a single company faces. Rather, it is a widespread concern as more and more companies operate in the cloud. Credential compromise can lead to many different outcomes, depending on the motive of the attacker. In certain cases, this has led to erroneous AWS service usage for bitcoin mining or other nondestructive yet costly abuse. In other cases, it has led to companies shutting down due to the loss of data and infrastructure.
This session will review how to secure your enterprise adoption of AWS at scale. At AWS security is job zero and at the heart of everything we build. This session will review the patterns of usage for AWS Identity and Access Management, AWS Key Management Service, AWS CloudTrail, AWS Config, Amazon GuardDuty AWS Systems Manager Parameter Store, Amazon EC2 Run Command, AWS Single Sign-On, AWS WAF, AWS Shield, and AWS Service Catalog to an create end-to-end security approach for your AWS cloud adoption. You will gain insight how these AWS services come together to increase your security posture in ways that are unique to AWS workloads.
Optimizing Costs as You Scale on AWS (ENT302) - AWS re:Invent 2018Amazon Web Services
The cloud offers a first-in-a-career opportunity to constantly optimize your costs as you grow and stay on the leading edge of innovation. By developing a cost-conscious culture and assigning the responsibility for efficiency to the appropriate business owners, you can deliver innovation efficiently and cost effectively. In this session, we share The Vanguard Group’s real-world experience of optimizing their costs, and we review a wide range of cost planning, monitoring, and optimization strategies.
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018Amazon Web Services
In this session, we cover the most common cloud security questions that we hear from customers. We provide detailed answers for each question, distilled from our practical experience working with organizations around the world. This session is for everyone who is curious about the cloud, cautious about the cloud, or excited about the cloud.
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Amazon Web Services
In this workshop, we present best practices for establishing an AWS Landing Zone. We provide a demonstration of the automated AWS Landing Zone solution, and we show you how it builds a multi-account architecture that is enterprise-ready for application deployment and compliant with common operations, security, and procurement processes. You have the opportunity to modify the code for custom deployments. Leave the workshop with an understanding of the mechanism to update the AWS Landing Zone using a CI/CD pipeline, how to create new AWS accounts using the built-in account vending machine, and how the AWS Landing Zone solution components integrate to provide a secure, scalable starting environment for your cloud journey. We encourage you to attend the full AWS Landing Zone track. Search for #awslandingzone in the session catalog.
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...Amazon Web Services
Cloud-native and with security integrated early in the software development process, Nubank is the largest digital bank in the world outside of Asia. Demand for higher levels of service and value, constantly evolving technology capabilities, and stringent regulatory requirements are all powerful forces reshaping retail banking. In this session, Nubank CTO Edward Wible discusses how the company mixes engineering culture, security philosophy and structure, automation, and integration with AWS security services. Learn how to leverage the day-to-day software development workflow for extensive security and maximum engineering throughput while minimizing the operational pain of running a large infrastructure.
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...Amazon Web Services
In this session, learn how LogMeIn moves quickly and stays secure through the power of automation on AWS. We walk through core AWS security building blocks, such as IAM, AWS CloudTrail, AWS Config, and Amazon CloudWatch. We dive deep into LogMeIn’s approach for empowering developers on AWS while also meeting required security controls.
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
Identity Round Robin Workshop - Serverless Round: Security Week at the San Francisco Loft
Start the day off by learning how to properly configure identity and access controls for a serverless application built with Amazon S3, Amazon CloudFront, and Amazon Cognito. With a combination of talking and hands-on exercises we will be diving into AWS IAM policy types to better understand the differences and learn how the policy evaluation logic works. We will also be diving into how you can use Cognito User Pools for user management within your serverless applications.
Level: 300
Speaker: Jesse Fuchs - Sr. Solutions Architect, AWS
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Amazon Web Services
by Fritz Kunstler, Sr. AWS Security Consultant, AWS
In AWS, identity comes first. Before you can provision buckets, instances, VPCs, or any other infrastructure, you have to have an identity to authenticate and authorize those API calls. In this session, we'll rapidly immerse you in the fundamental primitives, mental models, and implementation patterns of the core AWS identity services such as AWS Identity & Access Management and AWS Organizations. With this knowledge in hand you'll be able to confidently construct a solid identity foundation for your workloads to sit atop. Level 200
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018Amazon Web Services
Traditional data center environments have regarded the network boundary as a stable perimeter of defense, using gateway firewalls for effective protection. The public cloud, however, is exposing a plethora of hosted services directly to its users, bypassing traditional network filtering technologies, and effectively creating new perimeters around the various services and data element. Examples of these new perimeters include Amazon S3 buckets, Amazon EBS snapshots, and AWS Lambda functions. This session is brought to you by AWS partner, Dome9 Security Inc.
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...Amazon Web Services
In this session, we discuss how you should be building your runbooks and security incident report system (SIRS) using your company's real-world configuration and processes. Our goal is to give you an easier way to start your runbooks and create a SIRS. Now you can be the hero for your company by building a strategy and finding out how secure you are. You also learn more about why you should be running a DevSecOps pipeline and how it will help your team find threats in your production environment. Finally, learn how things are different in each level of environment and where your developers should be working.
Policy Verification and Enforcement at Scale with AWS (SEC320) - AWS re:Inven...Amazon Web Services
In an ever-growing cloud environment, scaling to a number of accounts can range in the thousands— where edge cases dominate your firm’s spectrum and changes in your environment happen quickly. The Goldman Sachs cloud engineering team finds enforcement of best security practice as a growing concern. With developers managing infrastructure as code (IaC), learn how Goldman Sachs uses distributed serverless logging pipelines and leverages AWS formal verification tools to help enforce access policy in the process. In this session, we cover AWS Config, AWS Lambda, Amazon DynamoDB, and Amazon Simple Notification Service (Amazon SNS) as distributed infrastructure that can help catch security issues early and remediate those that happen unexpectedly.
Secure your AWS Account and your Organization's Accounts Amazon Web Services
The cloud enables users to run workloads more securely than they could in a traditional data center. However, customers are still not sure how to harden their AWS accounts and resources in order to enforce compliance. Consistency around governance can also be a concern when large customers have multiple accounts. In this session, we show you how to use automation, tools, and techniques to harden and audit your AWS account as well as how to leverage AWS Organizations to ensure compliance in your enterprise.
Evolve Your Incident Response Process and Powers for AWS Amazon Web Services
You want your current incident response (IR) runbooks to account for your AWS workloads ASAP, and eventually, you want cloud-based IR superpowers, too. In this session, we cover the basics that you must get in place, runbook updates specific to AWS, and we show you how to build initial IR capabilities that blend well with existing processes and partner offerings. We also walk through a hypothetical IR scenario for an AWS environment that uses an evolved on-premises IR runbook that accounts for the differences of an AWS environment. In this scenario, we demonstrate unique AWS platform capabilities for IR success. Go beyond updating your IR runbooks, and start your journey toward gaining cloud-based IR superpowers today!
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...Amazon Web Services
Performing forensics on AWS resources is a new experience for many customers who might have older runbooks based on on-premises workflows using manual steps, or perhaps no processes in place at all. In this session, get a deeper insight into the various runbooks to perform practical forensic tasks on AWS resources like Amazon EC2 instances, using a combination of industry tooling, AWS serverless services like AWS Lambda and AWS Step Functions, and managed services like Amazon Athena.
AWS supports logging in with Federated Access, using SAML or integration with Active Directory. This is integrated with user Roles in AWS which provide the permissions to access various services. in this session we will explain the options for authentication. we will cover basic access control concepts and in addition we will use AWS Systems Manager to talk about how you can also facilitate secured access to your Instances.
AWS Services: IAM, AWS SSO, Managed Active Directory, AWS Systems Manager (With Demo)
Augmenting Security Posture and Improving Operational Health with AWS CloudTr...Amazon Web Services
Enabling AWS CloudTrail for auditing purposes is often a corporate mandate, but do you know how to use CloudTrail events to improve your security and operational posture? Come learn how CloudTrail can help improve your operational monitoring and troubleshooting, security analysis, and compliance auditing processes. Discover best practices for setting up and using CloudTrail; explore use cases for data mining CloudTrail event data; learn how to set up alerts based on activity in your account; and learn about advanced use cases. Also learn how to implement data plane governance autoEnabling AWS CloudTrail for auditing purposes is often a corporate mandate, but do you know how to use CloudTrail events to improve your security and operational posture? Come learn how CloudTrail can help improve your operational monitoring and troubleshooting, security analysis, and compliance auditing processes. Discover best practices for setting up and using CloudTrail; explore use cases for data mining CloudTrail event data; learn how to set up alerts based on activity in your account; and learn about advanced use cases. Also learn how to implement data plane governance automation using data events from Amazon S3 and AWS Lambda.
mation using data events from Amazon S3 and AWS Lambda.
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Amazon Web Services
Join us for this hands-on workshop where you learn about a number of AWS services involved with threat detection and remediation as we walk through some real-world threat scenarios. Learn about the threat detection capabilities of Amazon GuardDuty, Amazon Macie, AWS Config, and the available remediation options. For each hands-on scenario, we review methods to remediate the threat using the following services: AWS CloudFormation, Amazon S3, AWS CloudTrail, Amazon VPC flow logs, Amazon CloudWatch Events, Amazon SNS, Amazon Macie, DNS logs, AWS Lambda, AWS Config, Amazon Inspector and, of course, Amazon GuardDuty.
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Amazon Web Services
Credential compromise in the cloud is not a threat that a single company faces. Rather, it is a widespread concern as more and more companies operate in the cloud. Credential compromise can lead to many different outcomes, depending on the motive of the attacker. In certain cases, this has led to erroneous AWS service usage for bitcoin mining or other nondestructive yet costly abuse. In other cases, it has led to companies shutting down due to the loss of data and infrastructure.
This session will review how to secure your enterprise adoption of AWS at scale. At AWS security is job zero and at the heart of everything we build. This session will review the patterns of usage for AWS Identity and Access Management, AWS Key Management Service, AWS CloudTrail, AWS Config, Amazon GuardDuty AWS Systems Manager Parameter Store, Amazon EC2 Run Command, AWS Single Sign-On, AWS WAF, AWS Shield, and AWS Service Catalog to an create end-to-end security approach for your AWS cloud adoption. You will gain insight how these AWS services come together to increase your security posture in ways that are unique to AWS workloads.
Optimizing Costs as You Scale on AWS (ENT302) - AWS re:Invent 2018Amazon Web Services
The cloud offers a first-in-a-career opportunity to constantly optimize your costs as you grow and stay on the leading edge of innovation. By developing a cost-conscious culture and assigning the responsibility for efficiency to the appropriate business owners, you can deliver innovation efficiently and cost effectively. In this session, we share The Vanguard Group’s real-world experience of optimizing their costs, and we review a wide range of cost planning, monitoring, and optimization strategies.
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018Amazon Web Services
In this session, we cover the most common cloud security questions that we hear from customers. We provide detailed answers for each question, distilled from our practical experience working with organizations around the world. This session is for everyone who is curious about the cloud, cautious about the cloud, or excited about the cloud.
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Amazon Web Services
In this workshop, we present best practices for establishing an AWS Landing Zone. We provide a demonstration of the automated AWS Landing Zone solution, and we show you how it builds a multi-account architecture that is enterprise-ready for application deployment and compliant with common operations, security, and procurement processes. You have the opportunity to modify the code for custom deployments. Leave the workshop with an understanding of the mechanism to update the AWS Landing Zone using a CI/CD pipeline, how to create new AWS accounts using the built-in account vending machine, and how the AWS Landing Zone solution components integrate to provide a secure, scalable starting environment for your cloud journey. We encourage you to attend the full AWS Landing Zone track. Search for #awslandingzone in the session catalog.
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...Amazon Web Services
Cloud-native and with security integrated early in the software development process, Nubank is the largest digital bank in the world outside of Asia. Demand for higher levels of service and value, constantly evolving technology capabilities, and stringent regulatory requirements are all powerful forces reshaping retail banking. In this session, Nubank CTO Edward Wible discusses how the company mixes engineering culture, security philosophy and structure, automation, and integration with AWS security services. Learn how to leverage the day-to-day software development workflow for extensive security and maximum engineering throughput while minimizing the operational pain of running a large infrastructure.
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...Amazon Web Services
In this session, learn how LogMeIn moves quickly and stays secure through the power of automation on AWS. We walk through core AWS security building blocks, such as IAM, AWS CloudTrail, AWS Config, and Amazon CloudWatch. We dive deep into LogMeIn’s approach for empowering developers on AWS while also meeting required security controls.
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
Identity Round Robin Workshop - Serverless Round: Security Week at the San Francisco Loft
Start the day off by learning how to properly configure identity and access controls for a serverless application built with Amazon S3, Amazon CloudFront, and Amazon Cognito. With a combination of talking and hands-on exercises we will be diving into AWS IAM policy types to better understand the differences and learn how the policy evaluation logic works. We will also be diving into how you can use Cognito User Pools for user management within your serverless applications.
Level: 300
Speaker: Jesse Fuchs - Sr. Solutions Architect, AWS
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Amazon Web Services
by Fritz Kunstler, Sr. AWS Security Consultant, AWS
In AWS, identity comes first. Before you can provision buckets, instances, VPCs, or any other infrastructure, you have to have an identity to authenticate and authorize those API calls. In this session, we'll rapidly immerse you in the fundamental primitives, mental models, and implementation patterns of the core AWS identity services such as AWS Identity & Access Management and AWS Organizations. With this knowledge in hand you'll be able to confidently construct a solid identity foundation for your workloads to sit atop. Level 200
Evolving perimeters with guardrails, not gates: Improving developer agility -...Amazon Web Services
In this session, Comcast discusses its AWS cloud governance strategy, focusing on self-service tooling and account management, and explaining how it improved the developer experience by leveraging federated identities, AWS Organizations, and AWS Identity and Access Management permissions boundaries.
Understanding the Critical Building Blocks of AWS Identity and GovernanceAmazon Web Services
by Jeff Levine, Sr. Solutions Architect AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Amazon Web Services
Most workloads on AWS resemble a finely crafted cake, with delight at every layer. In this session, we help you master identity at each layer of deliciousness: from platform, to infrastructure, to applications, using services like AWS Identity and Access Management (IAM), AWS Directory Service, Amazon Cognito, and many more. Leave with a firm mental model for how identity works both harmoniously and independently throughout these layers, and with ready-to-use reference architectures and sample code. We keep things fun and lively along the way with lots of demos, which will hopefully make up for our decided lack of anything resembling the sweet confections we'll be talking so much about!
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Amazon Web Services
by Jeff Levine, Security Specialist, Solutions Architect, AWS
In AWS, identity comes first. Before you can provision buckets, instances, VPCs, or any other infrastructure, you have to have an identity to authenticate and authorize those API calls. In this session, we'll rapidly immerse you in the fundamental primitives, mental models, and implementation patterns of the core AWS identity services such as AWS Identity & Access Management and AWS Organizations. With this knowledge in hand you'll be able to confidently construct a solid identity foundation for your workloads to sit atop.
This session is focused on diving into the AWS IAM policy categories to understand the differences, learn how the policy evaluation logic works, and go over some best practices. We will then walk through how to use permission boundaries to truly delegate administration in AWS.
The Evolution of Identity and Access Management on AWS - AWS Online Tech TalksAmazon Web Services
Learning Objectives:
- Understand the identity and access management evolution
- Learn best practices for managing AWS root user credentials and Users, Groups, and Roles, especially as the number of users and AWS accounts grow
- Better understand identity federation by viewing two demos
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Amazon Web Services
Serverless architecture and a microservices approach has changed the way we develop applications. Increased composability doesn't have to mean decreased auditability or security. In this talk, we discuss the security model for applications based on AWS Lambda functions and Amazon API Gateway. Learn about the security and compliance that comes with Lambda right out of the box and with no extra charge or management. We also cover services like AWS Config, AWS Identity and Access Management (IAM), Amazon Cognito, and AWS Secrets Manager available on the platform to help manage application security.
In these slides, you’ll learn to use AWS tools to secure your environment and maintain a high bar in cloud security. We'll deep dive into the features of AWS CloudTrail, AWS Guard Duty, AWS Inspector, AWS WAF and Shield, and more. We'll also cover how to keep your credentials safe in the cloud using AWS Secrets Manager.
by Nathan Case, Sr. Consultant, AWS
Insider threat detection! How do we use AWS products to find an insider threat. We will cover Macie, GuardDuty and lambda to review a production account actions and remediate findings as they arise . We will also cover the utilization of CloudWatch to unify our finds into a single pane of glass. Level 400
External Security Services Round: Security Week at the San Francisco LoftAmazon Web Services
External Security Services Round: Security Week at the San Francisco Loft
In this round we will talk about how you can delegate access to External Security Services such as GuardDuty, Inspector, and Macie. This will enable you to grant limited access to services for users who need, for example, view-only access to AWS services while restricting full access to more senior administrators.
Level: 300
Speaker: Jeff Levine - Sr. Solutions Architect, AWS
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
Identity and Access Management (IAM) is first step towards AWS cloud adoption because in the cloud, first you grant access and only then can you provision infrastructure (the opposite approach of on-premises). In this session, you will learn how to define fine-grained access to AWS resources via users, roles, and groups; design privileged user and multi-factor authentication mechanisms; and operate IAM at scale.
Level: 100
Speaker: Don Edwards - Sr. Technical Delivery Manager, AWS
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Amazon Web Services
In this workshop, create guardrails to ensure governance is applied and identify when people stray. This session will deep dive into AWS Landing Zone, AWS Organizations, AWS Config, and Identity and Access Management. We will focus on the Operational Excellence and Security pillar best practices, of the AWS Well-Architected Framework, using a multi-account strategy. We address the architectural and operational decisions you need to make. In the cloud, you can start at the core and create defense in depth at the individual resource level. This session is designed for security and compliance practitioners interested in estate management, auditing of infrastructure, advanced IAM techniques, and overall governance management.
How to Implement a Well-Architected Security Solution.pdfAmazon Web Services
Securing your workload in alignment with best practices is necessary to protect information, systems and assets while delivering business value through risk assessments and mitigation strategies. In this tech talk, we’ll walk you through how to secure your workload using AWS Identity & Access Management, AWS CloudTrail, Amazon GuardDuty and AWS Config services.
ENT304 Enabling Self Service for Data Scientists with AWS Service CatalogAmazon Web Services
In this session, data analysts, big data administrators, system administrators, developers, and IT managers learn how to create a robust computing environment for their teams. As enterprises move to the cloud, providing secure, governed turnkey solutions at scale to a broad set of users has its challenges. We show you how organizations are building solutions that enable data scientists to provision AWS resources through an ITSM system to create a robust, governed, and easy self-service capability.
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...Amazon Web Services
by Quint Van Deman, Sr. Business Development Manager, AWS
Across the AWS customer base there's a wide spectrum of experience levels. In this session, we'll dive deep into a number of advanced patterns that some of our most advanced customers are using to make themselves successful. By equipping you with these deep learnings, you'll be able to raise the bar within your organization, allowing you to achieve greater levels of control, speed, and visibility at a greatly accelerated pace. Level 400
Similar to IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accounts (SEC324) - AWS re:Invent 2018 (20)
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
Il Forecasting è un processo importante per tantissime aziende e viene utilizzato in vari ambiti per cercare di prevedere in modo accurato la crescita e distribuzione di un prodotto, l’utilizzo delle risorse necessarie nelle linee produttive, presentazioni finanziarie e tanto altro. Amazon utilizza delle tecniche avanzate di forecasting, in parte questi servizi sono stati messi a disposizione di tutti i clienti AWS.
In questa sessione illustreremo come pre-processare i dati che contengono una componente temporale e successivamente utilizzare un algoritmo che a partire dal tipo di dato analizzato produce un forecasting accurato.
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
La varietà e la quantità di dati che si crea ogni giorno accelera sempre più velocemente e rappresenta una opportunità irripetibile per innovare e creare nuove startup.
Tuttavia gestire grandi quantità di dati può apparire complesso: creare cluster Big Data su larga scala sembra essere un investimento accessibile solo ad aziende consolidate. Ma l’elasticità del Cloud e, in particolare, i servizi Serverless ci permettono di rompere questi limiti.
Vediamo quindi come è possibile sviluppare applicazioni Big Data rapidamente, senza preoccuparci dell’infrastruttura, ma dedicando tutte le risorse allo sviluppo delle nostre le nostre idee per creare prodotti innovativi.
Ora puoi utilizzare Amazon Elastic Kubernetes Service (EKS) per eseguire pod Kubernetes su AWS Fargate, il motore di elaborazione serverless creato per container su AWS. Questo rende più semplice che mai costruire ed eseguire le tue applicazioni Kubernetes nel cloud AWS.In questa sessione presenteremo le caratteristiche principali del servizio e come distribuire la tua applicazione in pochi passaggi
Vent'anni fa Amazon ha attraversato una trasformazione radicale con l'obiettivo di aumentare il ritmo dell'innovazione. In questo periodo abbiamo imparato come cambiare il nostro approccio allo sviluppo delle applicazioni ci ha permesso di aumentare notevolmente l'agilità, la velocità di rilascio e, in definitiva, ci ha consentito di creare applicazioni più affidabili e scalabili. In questa sessione illustreremo come definiamo le applicazioni moderne e come la creazione di app moderne influisce non solo sull'architettura dell'applicazione, ma sulla struttura organizzativa, sulle pipeline di rilascio dello sviluppo e persino sul modello operativo. Descriveremo anche approcci comuni alla modernizzazione, compreso l'approccio utilizzato dalla stessa Amazon.com.
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
L’utilizzo dei container è in continua crescita.
Se correttamente disegnate, le applicazioni basate su Container sono molto spesso stateless e flessibili.
I servizi AWS ECS, EKS e Kubernetes su EC2 possono sfruttare le istanze Spot, portando ad un risparmio medio del 70% rispetto alle istanze On Demand. In questa sessione scopriremo insieme quali sono le caratteristiche delle istanze Spot e come possono essere utilizzate facilmente su AWS. Impareremo inoltre come Spreaker sfrutta le istanze spot per eseguire applicazioni di diverso tipo, in produzione, ad una frazione del costo on-demand!
In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th.
Event Agenda :
Open banking so far (short recap)
• PSD2, OB UK, OB Australia, OB LATAM, OB Israel
Intro to Open Finance marketplace
• Scope
• Features
• Tech overview and Demo
The role of the Cloud
The Future of APIs
• Complying with regulation
• Monetizing data / APIs
• Business models
• Time to market
One platform for all: a Strategic approach
Q&A
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
Per creare valore e costruire una propria offerta differenziante e riconoscibile, le startup di successo sanno come combinare tecnologie consolidate con componenti innovativi creati ad hoc.
AWS fornisce servizi pronti all'utilizzo e, allo stesso tempo, permette di personalizzare e creare gli elementi differenzianti della propria offerta.
Concentrandoci sulle tecnologie di Machine Learning, vedremo come selezionare i servizi di intelligenza artificiale offerti da AWS e, anche attraverso una demo, come costruire modelli di Machine Learning personalizzati utilizzando SageMaker Studio.
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
Con l'approccio tradizionale al mondo IT per molti anni è stato difficile implementare tecniche di DevOps, che finora spesso hanno previsto attività manuali portando di tanto in tanto a dei downtime degli applicativi interrompendo l'operatività dell'utente. Con l'avvento del cloud, le tecniche di DevOps sono ormai a portata di tutti a basso costo per qualsiasi genere di workload, garantendo maggiore affidabilità del sistema e risultando in dei significativi miglioramenti della business continuity.
AWS mette a disposizione AWS OpsWork come strumento di Configuration Management che mira ad automatizzare e semplificare la gestione e i deployment delle istanze EC2 per mezzo di workload Chef e Puppet.
Scopri come sfruttare AWS OpsWork a garanzia e affidabilità del tuo applicativo installato su Instanze EC2.
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
Vuoi conoscere le opzioni per eseguire Microsoft Active Directory su AWS? Quando si spostano carichi di lavoro Microsoft in AWS, è importante considerare come distribuire Microsoft Active Directory per supportare la gestione, l'autenticazione e l'autorizzazione dei criteri di gruppo. In questa sessione, discuteremo le opzioni per la distribuzione di Microsoft Active Directory su AWS, incluso AWS Directory Service per Microsoft Active Directory e la distribuzione di Active Directory su Windows su Amazon Elastic Compute Cloud (Amazon EC2). Trattiamo argomenti quali l'integrazione del tuo ambiente Microsoft Active Directory locale nel cloud e l'utilizzo di applicazioni SaaS, come Office 365, con AWS Single Sign-On.
Dal riconoscimento facciale al riconoscimento di frodi o difetti di fabbricazione, l'analisi di immagini e video che sfruttano tecniche di intelligenza artificiale, si stanno evolvendo e raffinando a ritmi elevati. In questo webinar esploreremo le possibilità messe a disposizione dai servizi AWS per applicare lo stato dell'arte delle tecniche di computer vision a scenari reali.
Amazon Web Services e VMware organizzano un evento virtuale gratuito il prossimo mercoledì 14 Ottobre dalle 12:00 alle 13:00 dedicato a VMware Cloud ™ on AWS, il servizio on demand che consente di eseguire applicazioni in ambienti cloud basati su VMware vSphere® e di accedere ad una vasta gamma di servizi AWS, sfruttando a pieno le potenzialità del cloud AWS e tutelando gli investimenti VMware esistenti.
Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi.
La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali.
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
Molte aziende oggi, costruiscono applicazioni con funzionalità di tipo ledger ad esempio per verificare lo storico di accrediti o addebiti nelle transazioni bancarie o ancora per tenere traccia del flusso supply chain dei propri prodotti.
Alla base di queste soluzioni ci sono i database ledger che permettono di avere un log delle transazioni trasparente, immutabile e crittograficamente verificabile, ma sono strumenti complessi e onerosi da gestire.
Amazon QLDB elimina la necessità di costruire sistemi personalizzati e complessi fornendo un database ledger serverless completamente gestito.
In questa sessione scopriremo come realizzare un'applicazione serverless completa che utilizzi le funzionalità di QLDB.
Con l’ascesa delle architetture di microservizi e delle ricche applicazioni mobili e Web, le API sono più importanti che mai per offrire agli utenti finali una user experience eccezionale. In questa sessione impareremo come affrontare le moderne sfide di progettazione delle API con GraphQL, un linguaggio di query API open source utilizzato da Facebook, Amazon e altro e come utilizzare AWS AppSync, un servizio GraphQL serverless gestito su AWS. Approfondiremo diversi scenari, comprendendo come AppSync può aiutare a risolvere questi casi d’uso creando API moderne con funzionalità di aggiornamento dati in tempo reale e offline.
Inoltre, impareremo come Sky Italia utilizza AWS AppSync per fornire aggiornamenti sportivi in tempo reale agli utenti del proprio portale web.
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi.
La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali.
In queste slide, gli esperti AWS e VMware presentano semplici e pratici accorgimenti per facilitare e semplificare la migrazione dei carichi di lavoro Oracle accelerando la trasformazione verso il cloud, approfondiranno l’architettura e dimostreranno come sfruttare a pieno le potenzialità di VMware Cloud ™ on AWS.
Amazon Elastic Container Service (Amazon ECS) è un servizio di gestione dei container altamente scalabile, che semplifica la gestione dei contenitori Docker attraverso un layer di orchestrazione per il controllo del deployment e del relativo lifecycle. In questa sessione presenteremo le principali caratteristiche del servizio, le architetture di riferimento per i differenti carichi di lavoro e i semplici passi necessari per poter velocemente migrare uno o più dei tuo container.