AWS re:Invent 2023
Defense in Depth Securely Building a Multi Tenant Generative Ai Servicesec334

Title

AWS re:Invent 2023 - Defense in depth: Securely building a multi-tenant generative AI service (SEC334)

Summary

  • Speaker: Eric Brandwein, a distinguished engineer with the Amazon security team.
  • Topic: Building defense in depth into AWS's new generative AI offering, CodeWhisperer Customizations.
  • Key Points:
    • CodeWhisperer Customizations allows tuning of CodeWhisperer for locally appropriate code completions.
    • Defense in depth is compared to stitching panoramas in photography, emphasizing multiple dimensions of security.
    • Threats include external actors, insider threats, credential theft, and software correctness.
    • Security invariants are crucial, and tests for these invariants should run in production.
    • AWS services like IAM, KMS, and Amazon OpenSearch Serverless are used to ensure security.
    • Mechanisms like forward access sessions (FAS) and identity firewall are employed for secure access to customer data.
    • Employee access is tightly controlled with MFA, Mechanic, contingent authorization, and Chronicle.
    • Encryption context in KMS is used as a confused deputy protection.
    • Amazon Verified Permissions is used for authorization.
    • Culture and mechanisms are both essential for long-term security.

Insights

  • Defense in Depth: The concept of defense in depth is expanded beyond traditional models to include cultural and temporal dimensions, ensuring security as teams and services evolve.
  • Security Invariants: The emphasis on security invariants and their testing in production highlights the proactive approach to security, aiming to prevent issues before they occur.
  • AWS Services Integration: The integration of various AWS services like IAM, KMS, and Amazon OpenSearch Serverless demonstrates the power of AWS's ecosystem in building secure, scalable services.
  • Employee Access Control: The detailed explanation of employee access control mechanisms like MFA, Mechanic, and contingent authorization reflects AWS's commitment to internal security and the prevention of insider threats.
  • Encryption Context: The use of encryption context in KMS for confused deputy protection illustrates a nuanced approach to security, considering potential attack vectors and mitigating them.
  • Cultural Importance: The talk underscores the importance of culture in security, where the right mindset and practices among employees can significantly enhance the effectiveness of security mechanisms.
  • Incremental Security Development: The speaker's reflection on the years-long development of AWS's security infrastructure serves as a reminder that robust security is a gradual process, encouraging organizations to start building towards it incrementally.
Defend Your Data at Scale 3 Steps to Increase Cyber Security Stg348Delight Customers with Customized Right Sized Cloud Based Solutions Biz113