Title
AWS re:Invent 2023 - Modernize authorization: Lessons from cryptography and authentication (SEC209)
Summary
- Eric Brandwein, a distinguished engineer with the Amazon security team, discusses the importance of choosing the right building blocks for security and shares his experiences with SSL/TLS and the development of Amazon's own TLS library, S2N.
- Neha, an applied science director in AWS identity, introduces Cedar, an authorization building block for applications, and explains its benefits, including consistency, scalability, and a complete view of access across applications.
- Cedar is designed with security-first principles, is not Turing-complete, and uses automated reasoning to prove security properties.
- Cedar policy validation tools are provided to ensure error-free policy authoring.
- Amazon Verified Permissions (AVP) is a managed service built on Cedar for permissions management, offering low latency, centralized policy storage, and an ecosystem of authorization tools.
- AVP integrates with Amazon Cognito for identity management and provides visualization tools, strict mode for policy validation, and a policy test bench for verifying permissions.
- Eric and Neha advise on how to get started with Cedar and AVP for both new (greenfield) and existing (brownfield) applications, emphasizing that authorization is a key building block for any complex application.
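To illustrate the design points above (Cedar policies are declarative, bounded, with no loops or recursion, and are validated against a schema before they are deployed), here is a small added example; it is not from the talk or from the Cedar project, and the entity types, attributes and actions are made up for it.

```cedar
// ---- File 1: schema (constructed for this example) -------------------------
// Written in the Cedar schema language. The validator checks every policy
// against these declarations, so a misspelled attribute or an action applied
// to the wrong resource type is caught at authoring time, not at runtime.
entity UserGroup;
entity User in [UserGroup] {
  department: String,
};
entity Document {
  owner: User,
  isLocked: Bool,
};
action view, edit appliesTo {
  principal: [User],
  resource: [Document],
};

// ---- File 2: policy set ---------------------------------------------------
// Each policy is a single permit/forbid over (principal, action, resource)
// plus optional conditions; evaluation always terminates.

// Any member of the "finance" group may view any document.
permit (
  principal in UserGroup::"finance",
  action == Action::"view",
  resource
);

// A user may edit a document they own, but only while it is unlocked.
permit (
  principal,
  action == Action::"edit",
  resource
) when {
  resource.owner == principal && !resource.isLocked
};

// forbid overrides permit in Cedar: edits never cross department lines,
// even if some permit policy would otherwise allow them.
// (Writing `resource.ownr` here would be rejected by validation as an
// attribute the schema does not declare.)
forbid (
  principal,
  action == Action::"edit",
  resource
) unless {
  resource.owner.department == principal.department
};
```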
Insights
- Choosing the Right Building Blocks: The talk emphasizes the importance of carefully selecting the building blocks upon which applications are built. This is crucial for security, scalability, and maintainability.
- Lessons from SSL/TLS: Eric's experience with SSL/TLS vulnerabilities highlights the need for continuous evaluation and updating of security protocols. It also shows the benefits of owning and controlling the security components you rely on, as demonstrated by Amazon's creation of the S2N library.
- Cedar as an Authorization Framework: Cedar is presented as a customizable, secure, and scalable authorization framework for applications, distinct from AWS IAM, which is tailored for AWS infrastructure.
- Security-First Design: Cedar's design prioritizes security over expressiveness, avoiding features like loops and recursion to ensure security properties can be formally proven.
- Managed Service Advantage: AVP offers a managed experience for authorization, reducing the complexity and overhead of managing permissions and ensuring consistency across different application instances.
- Integration with Existing Systems: The talk provides a strategy for integrating Cedar and AVP into existing applications, acknowledging the challenges but also providing a clear path forward.
- Future-Proofing Applications: Eric's advice to use AVP even for applications with simple permission models at launch is a strategy for future-proofing, as it prepares the application for potential future complexity.
- Community Engagement: Cedar is open source, and the talk encourages community engagement through RFCs, Slack channels, and contributions to the project, highlighting the collaborative nature of security advancements in AWS.