re:Invent Recap: Security Week at the SF Loft

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
2018 re:Invent Recap: Security
Bill Reid
Leader, North American Security and Compliance Solution Architecture
December 2018 San Francisco Loft

WARNING: Obligatory Eye Chart. Do not attempt to read it all.
We’ll take it step by step. #LargerFonts

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ROBOTICS
AWS RoboMaker
Build robotic applications easily using Robot
OS
Announcements At-a-Glance
TRANSFER and MIGRATION
AWS Transfer for SFTP
AWS DataSync
Copy, move, sync large amounts of data
between on-prem & AWS
NETWORKING and CONTENT DELIVERY
AWS Global Accelerator
Performance and availability for your global
user base
AWS Transit Gateway
Interconnect on-premises networks and VPCs
at scale
AWS Elemental MediaConnect
Broadcast quality video transport
Elastic Fabric Adapter
Run HPC workloads with high inter-node
communications
AWS Cloud Map
Map of your cloud complete with friendly
names
AWS App Mesh
Monitor and control microservices
COMPUTE
EC2 Spot Instance
Use spot instance in auto-scale groups
AWS Outposts
Bring AWS services to any data center or on-
premises
CodeDeploy ECR as a Source Action
ECS supports Blue/Green Deployments
EC2 A1 Arm Instance
EC2 C5n Instance
EC2 P3Dn Instance
Firecracker
AWS License Manager
Lightsail Tagging
Lightsail Export to EC2
Hibernation for EC2 Instances
IoT
AWS IoT SiteWise
Collect telemetry data into cloud
AWS IoT Events
Event detection and action logic for IoT
AWS IoT Things Graph
represent Things such as devices and services
as Models
AWS IoT Service Delivery Designations
Core, Greengrass, Analytics Partners in IoT
Service Delivery
Amazon FreeRTOS
Operating system for microcontrollers
SATELLITE
AWS Ground Station
Process satellite data and downlink from the
cloud
DATABASE
Dynamo Transactional APIs
All-or-nothing queries for mission critical
logic
Amazon Timestream
Time-series database for IoT and operational
apps
Amazon Quantum
Fully managed ledger database
DynamoDB on Demand
Remove capacity planning, Pay by the
request
Amazon RDS on VMware
Run RDS on VMware vSphere
Aurora Global Database
Replicate updates globally from single region
MARKETPLACE
AWS Private Marketplace
Create a private catalog of pre-approved
products
AWS Marketplace for SageMaker
Build machine learning apps using ready
made models
AWS Marketplace for Containers
Find contain products in AWS marketplace
MANAGEMENT and GOVERNANCE
CloudWatch Automatic Dashboards
Pre-built best practices dashboards for
CloudWatch
CloudWatch Logs Insights
Log analytics service for CloudWatch logs
AWS Well Architected Partner Program
Training partners to deliver Well Architected
reviews
AWS Control Tower
Automates setup of baseline environments
STORAGE
S3 Batch Operations
Manage billions of objects using APIs or
console
S3 Intelligent Tiering
Automatically optimize pricing based on S3
based on access frequency
S3 Object Lock
Write once, read many object locking for S3
S3 Glacial Deep Archive
Lowest price storage tier - for long term
S3 PUT to Glacier
four new features to reduce your storage
costs
Amazon FSx for Windows File Server
Fully managed Microsoft Windows file
system
Amazon FSx for Lustre
Fully managed Lustre file system
AWS Snowball Edge Compute Optimized
Run compute-intensive application offline
EBS doubles peak IOPS
EFS Infrequent Access
EFS Multi-VPC Access
ANALYTICS
Amazon Kinesis Data Analytics for Java
Apps
Analyze streaming data, gain insights,
respond real-time
AWS Lake Formation
Setup secure data lakes in days
SECURITY, IDENTITY, COMPLIANCE
AWS Security Hub
Unified security management with actionable
prompts
BLOCKCHAIN
Blockchain on AWS
Fully managed Blockchain network in
minutes
MACHINE LEARNING
Comprehend Medical
Scan and extract unstructured medical data
with ML
AWS Ground Truth
Build quality training sets using AI labeling
Amazon Elastic Inference
Add GPU to any EC2 or SageMaker instance
AWS Inferentia
Custom inference chip for inferencing
workloads
Amazon Textract
Extract text and data from virtually any
document
Amazon DeepRacer
Learn Reinforcement Learning (RL) easily
Amazon Personalize
Managed recommendations engine
Amazon Forecast
Accurate time-series forecasting service
SageMaker Neo
Train model once, run them anywhere
Dynamic Training with Apache MXNet on
AWS
MOBILE
AWS Amplify Console
Continuous deployment and hosting for
modern web apps
DEVELOPER TOOLS
AWS Tools for PyCharm
AWS Toolkits for Visual Studio Code, IntelliJ,
and PyCharm
Ruby Support for Lambda
AWS Lambda as a Target for App Load
Balancer
AWS Lambda Layers
Amazon Managed Streaming for Kafka
AWS Well Architected Tool

Introducing
AWS Transit Gateway
Networking
General Availability
A new service that allows customers to interconnect
thousands of Virtual Private Clouds (VPCs) and on-premises networks
VPN connection
VPN connectionCustomer gateway Amazon VPC Amazon VPCVPC peering
AWS Direct
Connect GatewayVPC peering VPC peeringVPC peering
VPN connection Amazon VPC
Amazon VPC
VPC peering
Transit
gateway
Amazon VPC
Amazon VPC
Amazon VPC
Amazon VPC
AWS direct
connect gateway
Customer
gateway
VPN
connection
Network topology today After Transit Gateway

Introducing
Amazon S3 Glacier Deep Archive
Storage
Limited Preview
Secure, durable, and extremely low-cost storage service for long term data archival
Fully
managed
without tape
burden
Less than 1/10
of 1 cent/GB/
month
Designed for
99.999999999
% durability
Recover
data in
hours

Introducing
CloudWatch Logs Insights
Management Tools
Pay-as-you-go log analytics service for CloudWatch
Purpose-built
for log diving
Resolve operational
problems faster
Connect the dots
between logs and
metrics
Fully
managed

Introducing
AWS Transfer for SFTP
Storage
Fully managed service makes it easy to integrate SFTP-based file transfers into AWS
Move your existing SFTP workflows to AWS in 3 steps
Seamless
migration
of existing
workflows
Data available for
archiving and
processing in S3
Simple
to use
Cost
effective
Fully managed,
highly available,
and elastically
scalable
1 2 3

Introducing
KMS Custom Key Store
Security
Create a dedicated, single-tenant key store in KMS using AWS CloudHSM
• Increases the level of control over encryption keys that
protect your data across AWS
• Helps you meet mandates to manage keys using hardware
security modules (HSMs) under your control
• Satisfy those requirements and leverage the AWS KMS
integrations offered across dozens of AWS services

Introducing
AWS Resource Access Manager
Security
Simple, secure service to share AWS resources
eliminating the need to
provision duplicate resources in every account
AWS IAM policies to
govern the consumption of shared resources, and AWS
CloudWatch and AWS CloudTrail to provide visibility
efficiently using your resources
across different departments
Share Route 53 Resolver Rules, License Manager Config, Transit Gateways and Subnets

Introducing
Private Marketplace
AWS Marketplace Software
Build a private marketplace that includes
approved vendors and software from AWS Marketplace
Ensure your AWS users are purchasing and launching software that
meets the company’s procurement, legal, and security controls
Customize your private marketplace with company branding, such
as logo, color, and messaging
Define and control permissions for your users in AWS
Private Marketplace
Always know when products are added or removed through
notifications from AWS

Introducing
AWS Control Tower
Management Tools
Limited Preview
Set-up a multi-account environment in a single location to govern AWS workloads
Automate the creation of a landing zone with best practice blueprints
AWS Control Tower automates the set-up of a well-architected multi-account environment with best practices,
and guides you through a step-by-step process to customize it to your organization
Guardrails for policy enforcement
Control Tower offers curated guardrails. Guardrails are high-level rules that provide on-going governance for
your overall AWS environment
Dashboard for continuous visibility
The Control Tower dashboard gives you continuous visibility into your AWS environment. You can view the
number of organizational units and accounts provisioned, guardrails enabled, and the compliance status of
your enabled guardrails

Introducing
AWS Well-Architected Tool
Management Tools
A tool to help review the state of cloud workloads
and compare them to the latest AWS architectural best practices

Introducing
AWS Marketplace for Containers
AWS Marketplace Software
Container products available in AWS Marketplace
Choose from more than 160 curated
and trusted container products in AWS
Marketplace and run them on AWS
Container product images
are verified and scanned
Products are available with free, bring your own
license, and usage-based pricing models
Deploy container products on
Amazon ECS, AWS Fargate, or EKS
AWS Marketplace
for Containers

Introducing
AWS Security Hub
Security
Public Beta
Centrally view and manage security alerts & automate compliance checks
• Enabled in minutes to aggregate security findings from AWS
and Partner services across your accounts
• Quickly assess security and compliance in one location and
take action on findings
• Built-in and customizable insights help you track security
issues that are unique to your environment
• Improve compliance with automated, continuous account-
level configuration and compliance checks

Problem statement
1
Large volume of
alerts and the
need to prioritize
3
Dozens of security
tools with
different data
formats
2
Ensure that your
AWS
infrastructure
meets compliance
requirements
1
PrioritizationMultiple formats VisibilityCompliance
Lack of a single
pane of glass
across security
and compliance
tools
4

AWS Security Hub overview

Rollout plans and pricing
AWS Security Hub is available today as a
public preview service
Available at no additional cost except for AWS
Config costs for new AWS Config users
Open to everyone
Get started in a few clicks
Goal is to iterate on latest features with customers
before releasing as generally available (GA)
Full API/CLI/SDK support
C++, Go, Java, JS, .Net, PHP, Python, Ruby
Supported Regions (15)
Asia Pacific (Mumbai)
Asia Pacific (Seoul)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Canada (Central)
EU (Frankfurt
EU (Ireland)
EU (London)
EU (Paris)
South America (Sao Paulo)
US East (N. Virginia)
US East (Ohio)
US West (N. California)
US West (Oregon)

Some of our current users

Partner integrations
Firewalls
Vulnerability
SOAR
SIEM
Endpoint
Compliance
MSSP
Other

Partner integration examples — Armor

A few clicks to enable Security Hub

Simple multi-account setup

Automated compliance checks
43 fully automated,
nearly continuous
checks

Insights help identify resources that require attention

Customizable response and remediation actions
Event (event-
based)
Rule

Key takeaways
Collect and process security findings from multiple accounts within a region
Evaluate your compliance against regulatory and best practice frameworks
Identify and prioritize the most important issues by grouping and correlating
security findings with Insights
Understand and manage your overall AWS security and compliance posture

Next steps
Try the preview: https://console.aws.amazon.com/securityhub/
Learn more: https://aws.amazon.com/security-hub/

Security, Identity, and Compliance Recorded Sessions
SEC201-R Security Framework Shakedown: Chart Your Journey with AWS Best Practices (YouTube)
SEC202-R Top Cloud Security Myths - Dispelled! (YouTube)
SEC203-R A Practitioner's Guide to Securing Your Cloud (Like an Expert) (YouTube)
SEC301 The Theory and Math Behind Data Privacy and Security Assurance (YouTube)
SEC302 How LogMeIn Automates Governance and Empowers Developers at Scale (YouTube)
SEC303 Architecting Security & Governance across your AWS Landing Zone (YouTube)
SEC304 AWS Secrets Manager: Best Practices for Managing, Retrieving, Rotating Secrets at Scale (YouTube)
SEC310 0x32 Shades of #7f7f7f: The Tension Between Absolutes and Ambiguity in Security (YouTube)
SEC316-R Become an IAM Policy Master in 60 Minutes or Less (YouTube)
SEC319 Meeting Enterprise Security Requirements with AWS Native Security Services (YouTube)
SEC320 Policy Verification and Enforcement at Scale with AWS (YouTube)
SEC321-R How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as Code (YouTube)
SEC322-R Using AWS Lambda as a Security Team (YouTube)
SEC324 IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accounts (YouTube)
SEC325-R Data Protection: Encryption, Availability, Resiliency, and Durability (YouTube)
SEC326 Orchestrate Perimeter Security Across Distributed Applications (YouTube)
SEC327 AWS Security in Your Sleep: Build End-to-End Automation for IR Workflows (YouTube)
SEC389 Netflix: Detecting Credential Compromise in AWS (YouTube)
SEC391 Netflix: Inventory, Track, and Respond to AWS Asset Changes within Seconds at Scale (YouTube)
SEC392 Netflix Cloud Forensics (YouTube)
SEC401-R Mastering Identity at Every Layer of the Cake (YouTube)
SEC402-R AWS, I Choose You: Pokemon's Battle against the Bots (YouTube)
SEC403 Five New Security Automations Using AWS Security Services & Open Source (YouTube)

AWS Security Keynote
SEC305-L Leadership Session: AWS Security
Stephen Schmidt, Chief Information Security Officer at AWS, addressed the current state of security in the
cloud, with a particular focus on feature updates, the AWS internal "secret sauce," and what's on horizon in
terms of security, identity, and compliance tooling. (YouTube)
Steve Schmidt
Vice President
and CISO for AWS
Michele Iacovone
SVP, Chief Information
Security & Fraud Officer,
Intuit

Coming in 2019: AWS re:Inforce

AWS re:Inforce – The Cloud Security Conference
Join us for AWS re:Inforce, our first conference dedicated to cloud
security!
Dates: June 25-26, 2019
Venue & location: Boston Conference and Exhibit Center in Boston, MA
Price: $1,099
Details available on the AWS Security Blog.
Sign up to receive more information on the re:Inforce website.

OK Deep Breath. Anything else?

From reactive to proactive
Pace of innovation: 1800+ updates
Meets pace of protection: 239 security updates
… through automation

Amazon GuardDuty adds three new threat detections
UnauthorizedAccess:EC2/TorClient
UnauthorizedAccess:EC2/TorRelay
CryptoCurrency:EC2/BitcoinTool.B.

Processes an average
92.7million/sec
flow log records

Amazon GuardDuty = CloudTrail Optimization =
Automatic Cost Savings
• Travel company | 44% reduction in GuardDuty spend
• Financial services company | 82% reduction
• Automotive company | 79% reduction
• Social media company | 86% reduction

Now offers agentless
network assessments

Resource-based
policies

Store the compliance
history of AWS resources
evaluated by Config
rules

Amazon S3: Block Public Access

Now: Compliance certifications at launch

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

re:Invent Recap: Security Week at the SF Loft

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to re:Invent Recap: Security Week at the SF Loft

Similar to re:Invent Recap: Security Week at the SF Loft (20)

More from Amazon Web Services

More from Amazon Web Services (20)

re:Invent Recap: Security Week at the SF Loft