AWS re:Invent 2022
A Day in the Life of a Billion Requests Sec404

Title

AWS re:Invent 2022 - A day in the life of a billion requests (SEC404)

Summary

  • Eric Brandwein, a distinguished engineer with the Amazon security team, discusses AWS's approach to handling inbound API requests, focusing on authentication over authorization.
  • AWS Identity and Access Management (IAM) handles trillions of requests per day, making it one of the most scaled systems on Earth.
  • The talk covers the evolution of AWS's request authentication system, from the early days when TLS was not widely used to the current state with AWS Signature Version 4 (SIGV4).
  • AWS's authentication system uses HMAC (Hash-Based Message Authentication Code) for speed and efficiency, and has evolved to include key specialization and regional key derivation to reduce inter-service dependencies and improve scalability.
  • AWS Signature Version 2 (SIGV2) is still supported for backward compatibility, but all new regions and services use SIGV4.
  • The Secure Token Service (STS) is introduced as a way to issue short-term sessions at scale, which are automatically expired and can be used across regions without the need for a centralized database of sessions.
  • The system's design has allowed AWS to innovate and support new use cases, such as opt-in regions, while maintaining a high level of security and minimal customer impact.

Insights

  • AWS's authentication system has been designed to handle an immense scale of requests while maintaining security and efficiency.
  • The use of HMAC and key specialization allows AWS to reduce the computational overhead associated with asymmetric cryptography, which was a significant concern in the early days of AWS.
  • The introduction of AWS Signature Version 4 (SIGV4) was a significant evolution in AWS's authentication system, allowing for regional key derivation and reducing the load on the authentication service (ARS).
  • The Secure Token Service (STS) is a critical component that enables the issuance of short-term, automatically expiring sessions, which can be used across regions without a centralized session database.
  • AWS's commitment to backward compatibility ensures that older signature versions remain supported, reducing the impact on customers who rely on legacy systems.
  • The authentication system's design has provided AWS with the flexibility to adapt to new business requirements, such as the introduction of opt-in regions, without compromising on security or scalability.
A Closer Look at Aws Lambda Svs404 RA Deep Dive on the Current Security Threat Landscape with Aws Net207