All the updates from AWS re:inforce, Google Cloud Security Summit + fwd:Cloudsec

AWS re:inforce, Google Cloud Security Forum Highlights

Thank You - This Newsletter is for You

It was quite the week for cloud security and conferences as we made our way to Anaheim, California, home of the very original Disneyland, which opened way back in 1955 and where Walt Disney himself took folks on tours.

This year it was also the home of AWS re:inforce, AWS’s dedicated security conference, in its 4th year of running. The day before AWS re:inforce there is usually a non-profit cloud security community conference, fwd:cloudsec, which has been running since 2020. We were fortunate to get golden tickets for the event this year (trust me, they are hard to come by).

PS: fwd:cloudsec is a play on re:inforce, i.e. fwd vs re (those of you with old-school cassette players will have a reminiscing moment here).

While all of this was happening in Anaheim, in the virtual world Google Cloud Security Summit was also underway. So it's safe to say we have a few cloud security related updates this week. Grab a coffee ☕️, tea 🫖 or any liquid pleasure of your choice (that is safe to consume 😜) and let's get this show on the road.

What is AWS re:inforce?

AWS’s security-focused conference started in 2019; this was the 3rd year it was held as an in-person event. It is usually attended by people who either work with or are interested in AWS security, and no surprise, you also get to meet a lot of practitioners who work in various parts of AWS and can learn about different services and offerings from them. Most of the talks are by AWS employees who lead various divisions and initiatives, which was very similar to what we saw at Google Cloud Security Summit. Both conferences also have talks from partners and of course customers. In next week’s newsletter we will have a list of some of our favourite talks and some nuggets from them too.

Key Announcements from AWS re:inforce

GA for Amazon Verified Permissions - Now you can have fine-grained authorization and permissions management for the applications that you build.

They spoke about Cedar, the open-source access control language behind Verified Permissions, which lets you define permissions as easy-to-understand policies.

Towards the end of April this year, GA was announced for Amazon Verified Access, which was released in preview at re:Invent. This is the feature that allows secure access to applications without a VPN; Verified Permissions adds the layer of fine-grained authorisation (time, location and role-based access) on top of that.
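To make the "easy-to-understand policies" point concrete, here is an added illustration of what the role-, time- and location-based authorisation described above looks like as Cedar policies. This is not code from the newsletter or from AWS; the entity types, action names and context attributes (Role, Action, Department, context.hourOfDay, context.sourceIp) are assumptions for a hypothetical records application.

```cedar
// Added illustration (not from the newsletter or AWS). The entity types,
// actions and context attributes below are assumptions for a hypothetical
// records application.

// Role-based, time-based and location-based access in one policy:
// members of the Analyst role may read Finance records, but only during
// business hours (hour of day supplied by the calling app in the context)
// and only from the corporate network range.
permit (
    principal in Role::"Analyst",
    action == Action::"readRecord",
    resource in Department::"Finance"
)
when {
    context.hourOfDay >= 9 && context.hourOfDay < 17 &&
    context.sourceIp.isInRange(ip("10.0.0.0/8"))
};

// In Cedar a forbid always overrides a permit, so a sealed record stays
// unreadable even when the policy above would otherwise allow it,
// unless the caller holds the Compliance role.
forbid (
    principal,
    action == Action::"readRecord",
    resource in Department::"Finance"
)
when { resource.sealed == true }
unless { principal in Role::"Compliance" };
```

The calling application is responsible for populating the context (hour of day, source IP) truthfully on every authorisation request; Cedar evaluates what it is given, so the security of these conditions depends on that input being trustworthy.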

GA for Amazon EC2 Connect Endpoint - You can connect via SSH and RDP to your EC2 instances without using public IP addresses. This is probably the announcement folks are most excited about, from what we heard at the conference and also in our poll (which is still LIVE, so vote there and let us know if you agree).

Amazon GuardDuty, Amazon’s threat detection service, always gets a bit of love at re:inforce; last year it got agentless malware protection. This year there were 3 updates to this service:

  • Threat detection for Amazon Aurora (relational database engine that's compatible with MySQL and PostgreSQL)

  • EKS Runtime Threat Detection

  • Threat Detection Coverage

Amazon Inspector, their vulnerability scanning tool, didn’t get any updates at last year's re:inforce, but this year we have code scans for Lambda functions. Lambda code scanning can detect injection flaws, data leaks, weak cryptography, or missing encryption in your code.

It was only a matter of time before we saw something around SBOM from AWS, and here it is: Amazon Inspector SBOM Export, which lets you automatically and centrally manage SBOM exports:

  • One click export

  • Store SBOM exports to Amazon S3

  • Can use Athena or QuickSight to query and gain insights

Some of you may remember Amazon CodeWhisperer was announced in preview at last year's re:inforce and was made GA in April this year. CodeWhisperer has the following features:

  • Generate code suggestions in real time

  • Flag code that resembles open-source training data, or filter it out by default

  • Scan code for hard to find vulnerabilities

They layered on the announcement of Amazon CodeGuru Security (in preview), so that you can identify and resolve code vulnerabilities at any stage of the development workflow. This may sound like some vendor solutions already in the market and may compete with those; however, this would be purely for AWS environments.

Amazon Detective (which brings together AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty) extended finding groups to Inspector, now GA. It uses ML and graph analysis to distill thousands of discrete findings into a connected security event.

And last but not least, they launched Amazon S3 Dual-Layer Server-Side Encryption with Keys Stored in AWS Key Management Service (DSSE-KMS), so you can create and control the keys used to encrypt and digitally sign your data.

Key Announcements from Google Cloud Security Summit

Chronicle TDIR for Google Cloud (Threat Detection and Incident Response) - you will be able to collect and analyze data from Google Cloud, detect and investigate threats, and automate responses to mitigate risks. This was their attempt to go beyond shared responsibility and have skin in the game. Interestingly, both AWS and GCP made a nod to shared responsibility in their keynotes. AWS’s approach was to define what shared responsibility means to them: AWS is responsible for security of the cloud, and the customer is responsible for security in the cloud.

Attack path simulation was added to their Security Command Centre to find the high-value cloud resources most vulnerable to attack, so you can prioritise controls.

Secure Web Proxy (cloud-native egress proxy) - a cloud-based service that can help monitor and secure egress web traffic, and lets you better enforce granular access policies.

What themes are we starting to see?

Both AWS and Google Cloud made moves for fine-grained or granular authorization and access controls; identity and access remains a critical component of cybersecurity, and even more so with the adoption of Generative AI.

Speaking of Generative AI, both AWS and Google Cloud made mention of the power of LLMs, highlighting that it will accelerate our ability to help the people who keep us secure, and using the power of LLMs for good. Both did not shy away from sharing that machine learning and AI have been part of their fabric for many years and are nothing new.

AWS made reference to announcements from April 2023 for Amazon Bedrock, which allows you to build and scale GenAI applications with foundation models from AI21 Labs, Anthropic, Stability AI, and Amazon Titan (Amazon’s high-performing foundation model).

Google spoke about their Security AI BenchMark, which is powered by a security LLM (Sec-PaLM 2), making reference to VirusTotal Code Insight and Chronicle AI:

  • AI-powered remediation with comprehensive and up-to-the-minute frontline threat intel

  • Cloud security posture is kept up to date with automated compliance configs and threat detection policies (vulnerable code never makes it into production)

  • Democratize security expertise + the notion of scaled talent

There were a few more themes about shifting left and security being baked in from the beginning and addressed at the code level. We will get into all that and a whole lot more next week.

Cloud Security Podcast in June

We are at Infosec Europe as Media/Press partners, so if you are attending do say hello. As always we will be bringing some fun updates from our encounters and conversations with cybersecurity folks from Europe this time.

If you want a deeper dive into all the updates from AWS re:inforce and a practitioner’s perspective don’t miss our AWS ReInforce 2023 Recap & Highlights episode.

This month on Cloud Security Podcast we have AWS Month, with some incredible guests and topics lined up.

Our newsletter is on a path of self-improvement and reinvention. Ashish and I have challenged ourselves to bring you even more value as we continue to evolve this each week, and we would love to hear from you 📢 as to how we can make this newsletter even more awesome for you (on that note, thank you for subscribing 💙).


Hope you are enjoying this new-look Cloud Security Newsletter; there's plenty more to come.

Peace!
