If you’re interested in securing workloads in AWS, re:Inforce is the conference for you, but the size of the catalog can be overwhelming! This guide is for you if you’re a security professional and you want to make sure your organization is adopting good security practices. My own background is software development, particularly in infrastructure software like containers and networking, but over time I’ve become more focused on security, particularly in the cloud, and new technologies like eBPF. As I’m an AWS Container Hero I’ve picked a couple of sessions that will apply to you if you’re adopting containers and/or Kubernetes, but most of my picks are more generally applicable even if you’re not using containers. I’ve highlighted some talks and workshops that offer practical guidance on implementing security principles and best practices. There are lots of interesting sessions that relate to encryption and cryptography. My last pick is a talk that will remind us why security is so important.
TDR304 – New AWS security services for container threat detection
As an AWS Container Hero with an interest in security, I’m excited about this session. Bonus: HBO Max’s head of cloud security will be sharing how they monitor containers for security events.
TDR372 – Detecting and managing vulnerabilities with Amazon Inspector
People often ask what they can do to improve the security of their containers, and vulnerability scanning is an easy first step: it tells you whether the packages in your images carry known vulnerabilities (CVEs), although not whether the image is misconfigured or running with more privilege than it needs. This workshop shows you one approach to scanning images in Amazon Elastic Container Registry (Amazon ECR).
Implementing security principles and best practices
There are plenty of well-understood security principles and best practices, such as least privilege, defense in depth, and keeping backups you can actually restore in the event of a disaster. Here are some sessions with practical guidance on achieving them.
IAM303 – Strategies for achieving least privilege
The principle of least privilege is a fundamental of security: any actor, human or software, should have only the minimum set of permissions needed to do its job, and no more. But it’s all too easy to end up with lax permission models, typically wildcard actions and resources added to get something working and never tightened, so this is an important session on models and methods that can help you achieve least privilege.
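As an added example (mine, not from the session or any AWS tool), here is a small audit of an IAM policy document for the patterns that most often undermine least privilege: `Action: "*"`, service-wide wildcards such as `s3:*`, `NotAction`/`NotResource` under `Allow`, `iam:PassRole` on every role, and mutating actions granted on `Resource: "*"`. It runs over two constructed policies, an over-broad one and the same workload's scoped version; bucket, role and account identifiers are placeholders, and the read-only verb list is an assumption to tune for your own environment.

```python
"""Audit an IAM policy document for patterns that undermine least privilege.

Added example for this guide, not from the session or any AWS tool. The two
policies at the bottom are constructed; bucket, role and account identifiers
are placeholders.
"""
import json

# Actions with these verb prefixes are treated as read-only; anything else
# granted on Resource "*" is reported. Assumption: a starting allowlist to tune.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True for e.g. s3:GetObject; False for wildcards and mutating actions."""
    _, sep, verb = action.partition(":")
    return bool(sep) and verb.startswith(READ_ONLY_PREFIXES)


def audit_policy(policy):
    """Return [(statement_index, finding), ...] for an IAM policy dict."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take privilege away
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((i, "NotAction with Allow grants every action not listed"))
        if "NotResource" in stmt:
            findings.append((i, "NotResource with Allow applies to every other resource"))
        for action in actions:
            if action == "*":
                findings.append((i, "Action '*' grants every API in every service"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard {action}"))
            elif action.lower() == "iam:passrole" and "*" in resources:
                findings.append((i, "iam:PassRole on Resource '*' lets the principal hand any role to a service"))
        if "*" in resources:
            broad = [a for a in actions if not _is_read_only(a)]
            if broad:
                findings.append((i, "Resource '*' for non-read actions: " + ", ".join(broad)))
    return findings


# Constructed example: a typical "just make it work" policy.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"}
  ]
}
""")

# Constructed example: the same job, scoped to what the workload actually does.
# Bucket name, role name and account ID are placeholders.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-app-bucket"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-app-instance-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}
  ]
}
""")

if __name__ == "__main__":
    for label, policy in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        findings = audit_policy(policy)
        print(f"{label}: {len(findings)} finding(s)")
        for idx, msg in findings:
            print(f"  statement[{idx}]: {msg}")
```

The over-broad policy produces four findings (two per statement) and the scoped one produces none. A check like this is a linter, not a proof of least privilege: it cannot tell you whether `s3:PutObject` on that prefix is itself more than the workload needs, which is where the access-analysis methods the session covers come in.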
DPP372 – Secrets lifecycle management with AWS Secrets Manager
I hope you aren’t still hard-coding secrets into source code! This hands-on workshop shows you best practices for secrets management and rotation with AWS Secrets Manager, as well as how to monitor the compliance status of your secrets.
IAM307 – Hybrid workload IAM credentials, featuring Discover Financial Services
This session shows another approach to automating credential rotation: how Discover manages their AWS Identity and Access Management (IAM) credentials and access-key rotation with a solution built on AWS Lambda and other AWS services.
DPP234 – Data protection practices to meet resiliency objectives
A word of advice: if you’ve never tried to restore from a backup, it probably won’t work when you need it. This chalk talk discusses how to use AWS services to safely back up that critical data.
TDR203 – Raise your security posture with CIS security controls and benchmarks
As a one-time co-author of the CIS benchmarks for Kubernetes, I know that these controls can be a helpful tool for assessing the security posture of your deployments. Not all benchmark recommendations make sense in every single use case, so use them intelligently!
If we want to keep information secure, it needs to be encrypted at rest and in transit as much as possible, and there are several interesting sessions about practical uses of cryptography and the cutting edge of research in this area.
DPP307 – Cryptography for everyone with AWS libcrypto
As the saying goes, “never roll your own crypto”—so it will be fascinating to hear about some of the challenges that came up around open-source crypto library AWS libcrypto. This approach promises performance as well as security benefits!
DPP352 – TLS offload and containerized applications with AWS CloudHSM
When you have really serious key-protection requirements, you’ll need hardware security modules: private keys are generated and used inside tamper-resistant hardware and never leave it in plaintext, and TLS offload moves the handshake’s private-key operations into the HSM. This is a builders’ session on using AWS CloudHSM with containerized applications. I’m not sure what platform those containers are running on, but this session promises to walk through some real scenarios, as well as showing how to get observability data that can help with compliance requirements.
SEC204-L – Cryptography from the future: Research & innovation to protect customer data
The session catalog only mentions “quantum” twice, and both times are in the description of this leadership session. I would definitely attend this session for an insight into the future of security and encryption.
DPP371 – Building and operating a certificate authority on AWS
TLS connections and data signing rely on X.509 certificates to bind a public key to the identity of the party holding the matching private key, and that binding is only as trustworthy as the chain of certificate authorities that signed it. This workshop will show you how to set up your own certificate authority hierarchy (typically a rarely used root CA with subordinate CAs that issue the day-to-day certificates) for TLS and signing use cases.
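To make the hierarchy concrete, here is an added example (written for this guide; not the workshop’s material or AWS Private CA code) that builds a root CA, an issuing CA and a TLS leaf certificate in memory with the `cryptography` package, then walks the chain the way a verifier must: validity period, BasicConstraints, issuer name, signature and path length at every link. CA names, hostnames and lifetimes are placeholders. It also shows the two things the hierarchy exists to prevent: a leaf certificate signing another certificate, and a subordinate CA appearing beneath an issuing CA whose path length is zero. Both produce correctly signed certificates, and both must still fail.

```python
"""Root -> issuing CA -> leaf X.509 hierarchy, built and verified in memory.

Added example for this guide, not the workshop's or AWS Private CA's code.
Assumes the `cryptography` package; names, hostnames and lifetimes are placeholders.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, issuer=None, issuer_key=None, ca=False, path_len=None, dns=None, days=30):
    """Issue a certificate for a fresh P-256 key; issuer=None makes a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer.subject if issuer is not None else _name(subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        # BasicConstraints is what makes a certificate a CA; path_len caps how
        # many further CAs may sit beneath it.
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, key_cert_sign=ca, crl_sign=ca, content_commitment=False,
            key_encipherment=False, data_encipherment=False, key_agreement=False,
            encipher_only=False, decipher_only=False), critical=True)
    )
    if dns:
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(dns)]), critical=False)
    return builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256()), key


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes across cryptography versions."""
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # cryptography < 42 exposes naive UTC datetimes
        utc = datetime.timezone.utc
        return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_chain(leaf, intermediates, root):
    """Walk leaf -> intermediates -> root and return (ok, reason).

    A correctly signed certificate still fails if its issuer is not a CA or the
    issuer's path length does not allow the CAs beneath it."""
    chain = [leaf, *intermediates, root]
    now = datetime.datetime.now(datetime.timezone.utc)
    for depth, cert in enumerate(chain):
        who = cert.subject.rfc4514_string()
        not_before, not_after = _validity(cert)
        if not not_before <= now <= not_after:
            return False, f"{who} is outside its validity period"
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            return False, f"{who} has no BasicConstraints extension"
        if depth == 0 and bc.ca:
            return False, f"{who} is a CA certificate, not an end-entity certificate"
        if depth > 0 and not bc.ca:
            return False, f"{who} is not a CA but issued a certificate"
        # CAs strictly between this CA and the leaf (depth - 1 of them) must fit its path length.
        if depth > 0 and bc.path_length is not None and depth - 1 > bc.path_length:
            return False, f"{who} allows {bc.path_length} CA(s) beneath it but has {depth - 1}"
        issuer = chain[depth + 1] if depth + 1 < len(chain) else cert  # the root signs itself
        if cert.issuer != issuer.subject:
            return False, f"{who} names an issuer that is not the next certificate in the chain"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"signature on {who} does not verify with the issuer's key"
    return True, "chain verifies"


def demo():
    """Build the hierarchy; return (ok, reason) for one valid and two invalid chains."""
    root, root_key = issue("Example Root CA", ca=True, path_len=1, days=3650)
    issuing, issuing_key = issue("Example Issuing CA", root, root_key, ca=True, path_len=0, days=365)
    leaf, leaf_key = issue("app.example.test", issuing, issuing_key, dns="app.example.test")
    good = verify_chain(leaf, [issuing], root)
    # The leaf key can sign a certificate, but the leaf's ca=False must sink the chain.
    rogue, _ = issue("evil.example.test", leaf, leaf_key, dns="evil.example.test")
    leaf_as_issuer = verify_chain(rogue, [leaf, issuing], root)
    # The issuing CA has path_len=0, so a sub-CA hung off it must be rejected as well.
    sub, sub_key = issue("Unauthorised Sub CA", issuing, issuing_key, ca=True, path_len=0)
    deep_leaf, _ = issue("deep.example.test", sub, sub_key, dns="deep.example.test")
    too_deep = verify_chain(deep_leaf, [sub, issuing], root)
    return good, leaf_as_issuer, too_deep


if __name__ == "__main__":
    for label, (ok, reason) in zip(("valid chain", "leaf as issuer", "path length"), demo()):
        print(f"{label:15} {'PASS' if ok else 'FAIL'}: {reason}")
```

The point to take from the two failing chains is that signature validity alone proves nothing about authority: the CA hierarchy is enforced by BasicConstraints and path length, which is why the root here is issued with `path_len=1` and the issuing CA with `path_len=0`. Revocation checking is deliberately left out of this verifier, and is one of the operational topics a real CA deployment has to cover.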
Not just what, but why
We don’t make things secure just for the fun of it. This session reminds us why security is so important in the real world.
DPP205 – Using Wickr to fight human trafficking
Security and data protection can be dry subjects, but this session will bring to life why they are so important. We’ll hear how the Freedom Shield Foundation secures the private data of, and communications between, their team members and the people they help.