How organizations are actually applying AWS security best practices (COM224)

Title: AWS re:Inforce 2024 - How organizations are actually applying AWS security best practices (COM224)

Insights:

  • The session was led by Shun Yoshi, Hirokazu Yoshida, and Keisuke Usuda, core members of the Japan AWS User Group Security Branch, known as Security-JAWS.
  • The presentation focused on findings and takeaways from a survey on AWS security best practices in Japan, with some comparisons to South Korea.
  • The survey was open to anyone in Japan involved in their company's use of AWS and was distributed via SNS, seminars, events, and meetups.
  • The survey results were analyzed based on various factors such as company size, years of AWS experience, and roles within the organization.
  • Experienced AWS users (10+ years) predominantly referenced the AWS Well-Architected documents, while some found the official documents difficult to read and preferred technical books.
  • In the financial industry, the security department primarily keeps up with AWS security best practices, whereas in other industries, development divisions are more involved.
  • 60% of Japanese users conduct ongoing risk assessments, a trend also observed in Korea, though smaller organizations do so less frequently.
  • Most Japanese companies use MFA, or MFA combined with role switching, for AWS access, but 18% of large companies (5,000+ employees) still use only IDs and passwords.
  • Infrastructure protection is mainly done using AWS features, but there is a low adoption rate for AWS Shield Advanced.
  • Preventive controls like AWS Organizations and AWS Control Tower show varying adoption rates, with AWS Organizations being more widely adopted.
  • Detective controls such as Amazon GuardDuty have a high adoption rate (86%) among mid-sized companies, but services like AWS Security Hub and IAM Access Analyzer are underutilized.
  • More experienced users tend to use a variety of tools for analyzing CloudTrail logs, with Amazon Athena and GuardDuty being common choices.
  • A significant number of companies delete sensitive data without it ever having been encrypted, highlighting a need for better data disposal practices based on cryptographic erase (encrypting data at rest so that destroying the key renders the data unrecoverable).
  • The presentation concluded with a call to action for companies to adopt more AWS security features and improve their security practices.

Quotes:

  • "Participants will be able to compare the results of this Japanese survey with your own country's AWS security implementation status."
  • "We believe that the documents referenced when designing and building on AWS change based on the experience of the individual user, rather than the size of the business or industry."
  • "In the financial industry, the security department plays a central role in catching up on best practices. But other departments are also involved."
  • "I was surprised that 18% of big companies in Japan with over 5,000 people only use IDs and passwords. This is clearly lower than the usual trend."
  • "For AWS users, infrastructure protection is mainly done using AWS features for the AWS environment. It does not go inside the EC2 instances."
  • "The adoption rate of Amazon GuardDuty was relatively high, but I will continue to evangelize its use to reach 100% adoption."
  • "Many Korean AWS users still use AWS like an on-premises system. They do not use the helpful security features that AWS provides."
  • "The results clearly show the gap between the practices that were implemented and those that were not, depending on the difficulty level of the best practices."
  • "If you feel your company is lagging behind in implementation compared to these results, use this report to convince the management to take action."