Proactive Security Considerations and Approaches Sec201

Title

AWS re:Invent 2022 - Proactive security: Considerations and approaches (SEC201)

Summary

  • Speakers: Sarah Berry (Security Manager, AWS Security) and Eric Docter (VP of Software Builder Experience, AWS).
  • Main Topics:
    • Collaboration between builder and security teams to ship software securely.
    • Use of data and information to reduce friction in the security process.
    • Elimination of undifferentiated building to focus on high-value activities.
    • Measurement of success in builder experience and security.
  • Key Initiatives:
    • AWS Security Guardian Program: Training builders to handle basic security tasks.
    • Affinity Model: Assigning dedicated security engineers to AWS services.
    • Talos: Automating the security engagement process.
    • Mechanic: A tool for managing software applications remotely.
    • Software Assurance Service (SAS): Managing out-of-date dependencies.
  • Results:
    • Over 2000 software development engineers trained in security.
    • Reduction in high and medium security findings by 22.5%.
    • Security reviews completed 26.9% faster.
  • Tools and Services Mentioned:
    • AWS Key Management Service (KMS), Amazon Connect, AWS Workshop Studio, AWS Identity and Access Management (IAM), AWS Systems Manager, Amazon Inspector, AWS CodeArtifact, AWS Security Workflow Automation.

Insights

  • Security as a Shared Responsibility: The talk emphasizes the shared responsibility model, where builders own the security of the services they build, and AWS Security owns the security of AWS as a whole.
  • Efficiency Through Automation: AWS is focused on automating security processes to reduce manual steps, as evidenced by its response to the Log4j incident and by the development of tools such as Mechanic and SAS.
  • Security Embedded in the Development Lifecycle: AWS is shifting security left by embedding it into the software development lifecycle, starting with the design phase, to catch issues early and reduce remediation time.
  • Training Builders in Security: AWS has created the Security Guardian Program to train builders in basic security practices, enabling them to handle common security tasks and freeing up security engineers for more complex issues.
  • Measurement and Feedback: AWS uses metrics and feedback mechanisms to drive security-conscious behavior among builders and to measure the effectiveness of security practices and tools.
  • Leveraging AWS Services for Security: The talk suggests that AWS customers can use services such as IAM, AWS Systems Manager, Amazon Inspector, and AWS CodeArtifact to replicate some of AWS's internal security practices.
  • Continuous Improvement: AWS's approach to security is iterative, with ongoing training, community building, and feedback mechanisms to continually improve security practices and builder experiences.