Using AI to empower cloud security, Amazon Cloud Technology's security technology innovation services continue to empower developers


The article is shared from Amazon Cloud Technology Community Builder: Li Shaoyi

On June 14, 2023, the annual Amazon Cloud Technology re:Inforce Global Conference concluded in Anaheim, USA. re:Inforce is one of Amazon Cloud Technology's largest events worldwide; it brings together security experts from around the world to learn about and discuss innovations in cloud security. It focuses on six topics: application security, data privacy protection, security compliance, authentication and authorization, network and infrastructure security, and threat detection and incident response. As a representative of the developer community, the author attended the conference alongside the Amazon Cloud Technology security product team.

With the promulgation of security laws and regulations such as the Personal Information Protection Law, the Data Security Law and the Cybersecurity Law, security and compliance have become hard requirements for business development. Data security and data governance are challenges that enterprises must face during cloud migration and digital transformation. The re:Inforce Global Conference and the innovative security services released there offer enterprises better practical solutions to their security compliance problems.


"Security is our number one priority"

At the Amazon Cloud Technology re:Inforce Global Conference in June this year, CJ Moses, Chief Information Security Officer of Amazon Cloud Technology, emphasized that "security is our top priority", which shows the importance Amazon Cloud Technology attaches to cloud security. Cloud security is no longer a simple business requirement; it has become an active, self-driven and continuous way of thinking, and one of the core competitive strengths of the business.


"Use the security of the cloud itself to ensure the security of user services on the cloud"

CJ first described how Amazon Cloud Technology uses security technology innovation to deliver deep, full-stack protection, from the underlying Nitro System chips and the Nitro Hypervisor at the virtualization layer up to DevSecOps at the application layer, making users' services on the cloud "impeccable".

He also described how Amazon Cloud Technology helps users shift security left: considering security protection from the program design stage and carrying it through the entire development lifecycle of development, build, test and release, so that developers can discover and fix vulnerabilities, threats and weaknesses in their programs in real time, strengthen code security, reduce the attack surface and realize DevSecOps on the cloud. Representative services include Amazon CodeWhisperer, a development plug-in that scans code in real time in the IDE, detects vulnerabilities and suggests fixes, and Amazon CodeGuru Security, a code review tool integrated throughout the development lifecycle.

  • Nitro System

    https://aws.amazon.com/cn/ec2/nitro/

  • Amazon CodeWhisperer

    https://aws.amazon.com/cn/codewhisperer

  • Amazon CodeGuru Security

    https://aws.amazon.com/cn/codeguru


"Using AI to empower cloud security, and then empower developers"

When it comes to cloud security, the currently hot topic of AI/ML naturally cannot be left out. At the Amazon Cloud Technology re:Inforce Global Conference, CJ also pointed out that in the era of large language models, because attackers can use generative AI to write malicious code, the cost of and barrier to security attacks and threats will fall. Amazon Cloud Technology is actively integrating AI/ML innovations into its cloud security services from the white-hat perspective to deal with increasingly frequent threat activity.

Users can apply the AI/ML technology in these security services to protect their workloads on the cloud. For example, with Amazon Bedrock, the large language model service released by Amazon Cloud Technology in April, users can develop their own models for hunting security threats and malicious programs and for analysing security events; Amazon Inspector Code scans for Lambda scans Lambda function code and its dependency packages for vulnerabilities; and Amazon CodeGuru Security, a static code analysis tool integrated into the IDE and the CI/CD release process, performs SCA, SAST and DAST security tests throughout the development process.

  • Amazon Bedrock

    https://aws.amazon.com/cn/bedrock/

  • Amazon Inspector Code scans for Lambda

    https://aws.amazon.com/cn/inspector/

  • Amazon CodeGuru Security

    https://aws.amazon.com/cn/codeguru

Security Technology Innovation Service of Amazon Cloud Technology

At the Amazon Cloud Technology re:Inforce Global Conference in June this year, popular security services that help developers and enterprises build secure cloud systems were also released, improving security visibility on the cloud and protecting users' data on the cloud.

Building, maintaining and managing security infrastructure, such as an in-house SIEM system or identity verification and authorization modules, has long been an obstacle to enterprise security. Moreover, with cyber threats increasingly active and IT architectures growing larger and more complex, managing events and system access rights on the cloud has become more difficult. The series of cloud services released this time can help enterprises greatly reduce this burden.

Amazon Security Lake

At the end of May, the Amazon Security Lake service was officially launched. Security Lake centralizes security-related data from Amazon Cloud Technology services, on-premises systems and custom sources into a data lake built on S3. Under an organization account, users can manage data centrally across accounts and regions, which simplifies maintenance, gives users a more comprehensive view of security data across the whole organization, and improves security visibility on the cloud. Users can also choose to keep the data in a single zone or in multiple zones to meet data governance requirements. Security Lake adopts the open source Open Cybersecurity Schema Framework (OCSF) standard: the service automatically converts security data from Amazon Cloud Technology and various third-party services into the unified OCSF format, improving the efficiency of security event querying and response.

Users can integrate Security Lake with OpenSearch as a SIEM solution on the cloud, integrate it with Athena for security event and threat analysis, or integrate it with Amazon SageMaker to leverage custom ML/AI models for threat and malware analysis detection.

  • Amazon Security Lake

    https://aws.amazon.com/cn/security-lake/

  • Open Cybersecurity Schema Framework(OCSF)

    https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html

  • OpenSearch

    https://aws.amazon.com/cn/opensearch-service/?nc1=h_ls

  • Zero Trust Network

    https://www.amazonaws.cn/en/knowledge/what-is-zero-trust-network/

Becky Weiss, Senior Principal Engineer at Amazon Cloud Technology, also described how to use Amazon Cloud Technology authentication and networking services to build an enterprise zero trust network. The zero trust model is one of the hottest topics in security today. Against a background of tightening regulatory requirements in the cybersecurity industry and increasingly blurred network boundaries, each user's access to a system needs continuous dynamic verification and fine-grained authorization, limiting lateral movement within the system and better protecting sensitive information and assets on the cloud. She introduced the following two cloud services to help users build a zero trust security framework:

Amazon Verified Access

This service lets users connect personal devices to the corporate network and access internal services on the corporate intranet without a VPN. It verifies application requests based on information such as user identity and device posture, and lets administrators define fine-grained access policies for each application, greatly simplifying the construction of an enterprise zero trust framework.

  • Amazon Verified Access

    https://aws.amazon.com/cn/verified-access/

Amazon Verified Permissions

This service extends zero trust to the applications that users develop themselves: developers use it to authorize users' access to resources, implementing zero trust at the application development stage.

  • Amazon Verified Permissions

    https://aws.amazon.com/cn/verified-permissions/

On-site cloud security developer experiment exhibition area

The Amazon cloud technology re:Inforce global conference in June this year prepared a number of security hands-on experiments and project demonstration sessions for developers:

1. Continuously evaluate IAM user redundant permissions to achieve cloud security compliance (IAM354: Refining IAM permissions like a pro)

This experiment was presented by Bohan Li, Senior Security Consultant in the Professional Services team. It shows how to use IAM Access Analyzer, Lambda, EventBridge and other services, automated with Python scripts, to continuously and proactively detect redundant IAM permissions (both services and actions) and enforce the principle of least privilege on the cloud. Finally, a permission audit report is generated and sent to the compliance team through the SNS service for review, providing security visibility on the cloud.


Security compliance places specific requirements on reviewing user permissions. For example, PCI DSS requirement 7.2.4 for financial compliance states that transaction service providers involved in processing, storing or transmitting sensitive bank card data must review cloud system user permissions every six months. The first step is to monitor when each user permission was last used and delete permissions that have not been used within a certain period (usually 90 days; see PCI DSS requirement 8.1) to prevent unauthorized access to cloud resources. At the same time, the use of business-critical permissions must be monitored to ensure that authorized personnel are only assigned permissions matching their roles (PCI DSS requirement 7.2.2), upholding the principle of least privilege (PoLP) and reducing the damage caused by misoperation and unauthorized activity on the cloud. Throughout, the process must provide security visibility on the cloud, and audit reports must be provided to the internal compliance team for self-assessment.

On Amazon Cloud Technology, developers can use the following security solution to meet the requirement for continuous permission review. It consists of two parts. The first part obtains the last-accessed information for each cloud service through the two Boto3 APIs generate_service_last_accessed_details and get_service_last_accessed_details, lists the IAM permissions that have gone unused within a given period, and generates an audit report. The second part uses an EventBridge event rule to trigger a Lambda function whenever a user adds or modifies IAM permissions; the Lambda extracts the permission information from the event to obtain the specific policy document and matches it against a predefined list of business-critical permissions. If there is a match, an alert is sent to the permission administrator through SNS.
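As an added example that is not the workshop's own code, the following Python sketches both parts of the solution described above. The decision logic (filtering the last-accessed list, matching a policy document against a critical-permission list) is kept separate from the AWS calls so it can be run offline; the 90-day window, the CRITICAL_ACTIONS list, the sample last-accessed response, the sample CloudTrail event and the 123456789012 account id are all constructed assumptions. The two Boto3 calls are the ones the workshop names; the SNS publish step for part 2 is left to the Lambda wrapper.

```python
# Added example (not the workshop's own code): both parts of the continuous
# permission-review solution, with the AWS calls isolated so the decision
# logic runs offline. Critical-action list, window and sample data are assumed.
import json
import re
import time
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 90  # review window taken from the PCI DSS discussion above
# Hypothetical business-critical permissions; IAM wildcards (* and ?) are allowed.
CRITICAL_ACTIONS = ["iam:*", "kms:ScheduleKeyDeletion", "s3:PutBucketPolicy", "sts:AssumeRole"]
# IAM API calls (as recorded by CloudTrail) that carry the policy document inline.
POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "CreatePolicy", "CreatePolicyVersion"}

def unused_services(services_last_accessed, now, unused_days=UNUSED_DAYS):
    """Part 1: from the ServicesLastAccessed list of get_service_last_accessed_details,
    keep services the entity may use but has not used within unused_days (or ever)."""
    cutoff = now - timedelta(days=unused_days)
    findings = []
    for svc in services_last_accessed:
        last = svc.get("LastAuthenticated")  # key is absent when the service was never used
        if last is None:
            findings.append({"service": svc["ServiceNamespace"], "days_unused": None})
        elif last < cutoff:
            findings.append({"service": svc["ServiceNamespace"], "days_unused": (now - last).days})
    return findings

def render_report(entity_arn, findings):
    """Plain-text audit report ready to publish to the compliance team's SNS topic."""
    lines = [f"Unused permissions report for {entity_arn}"]
    for f in findings:
        when = "never" if f["days_unused"] is None else f"{f['days_unused']} days ago"
        lines.append(f"  {f['service']:<8} last used: {when}")
    return "\n".join(lines)

def _iam_pattern(pattern):
    """IAM action matching: * is any run, ? one character, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{regex}$", re.IGNORECASE)

def critical_allows(policy_document, critical_actions=CRITICAL_ACTIONS):
    """Return (granted, critical) pairs for Allow statements. Deny statements and
    Conditions are ignored on purpose: this flags grants for review, not effective access."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for granted in actions:
            for crit in critical_actions:
                # Match both ways: a granted "*" covers every critical action, and a
                # critical "iam:*" covers a granted "iam:PassRole".
                if _iam_pattern(crit).match(granted) or _iam_pattern(granted).match(crit):
                    hits.append((granted, crit))
    return hits

def inspect_policy_event(event, critical_actions=CRITICAL_ACTIONS):
    """Part 2: check an EventBridge event for an IAM call recorded by CloudTrail.
    Returns an alert dict when a critical permission is granted, otherwise None."""
    detail = event.get("detail", {})
    if detail.get("eventName") not in POLICY_EVENTS:
        return None
    params = detail.get("requestParameters", {})
    hits = critical_allows(json.loads(params["policyDocument"]), critical_actions)
    if not hits:
        return None
    target = params.get("userName") or params.get("roleName") or params.get("groupName") or params.get("policyName")
    return {"event": detail["eventName"], "target": target,
            "actor": detail.get("userIdentity", {}).get("arn"), "hits": hits}

def collect_last_accessed(entity_arn):
    """Part 1 data collection with the two Boto3 APIs; the job is asynchronous, so poll.
    boto3 is imported lazily so the rest of the module runs without credentials."""
    import boto3
    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(Arn=entity_arn)["JobId"]
    while True:
        resp = iam.get_service_last_accessed_details(JobId=job_id)
        if resp["JobStatus"] != "IN_PROGRESS":
            return resp["ServicesLastAccessed"]
        time.sleep(2)

# Constructed sample data shaped like the real API response and CloudTrail event.
SAMPLE_NOW = datetime(2023, 8, 30, tzinfo=timezone.utc)
SAMPLE_SERVICES = [
    {"ServiceNamespace": "s3", "LastAuthenticated": SAMPLE_NOW - timedelta(days=3)},
    {"ServiceNamespace": "kms", "LastAuthenticated": SAMPLE_NOW - timedelta(days=120)},
    {"ServiceNamespace": "ec2", "TotalAuthenticatedEntities": 0},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]}
SAMPLE_EVENT = {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventName": "PutUserPolicy",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin-alice"},
    "requestParameters": {"userName": "dev-bob", "policyName": "inline-dev",
                          "policyDocument": json.dumps(SAMPLE_POLICY)}}}

if __name__ == "__main__":
    print(render_report("arn:aws:iam::123456789012:user/dev-bob", unused_services(SAMPLE_SERVICES, SAMPLE_NOW)))
    print(json.dumps(inspect_policy_event(SAMPLE_EVENT), indent=2))
```

On the sample data, part 1 reports kms (unused for 120 days) and ec2 (never used) while s3 passes, and part 2 flags the inline policy because the granted iam:PassRole falls under the critical iam:* entry; the Deny on kms:ScheduleKeyDeletion is not counted. In a deployed Lambda, the dict returned by inspect_policy_event would be published with the SNS client's publish call to the administrator's topic, and the report text would be sent the same way to the compliance team. Because Deny statements and Conditions are ignored, a hit means "review this grant", not proof of effective access.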


Developers can scan the following QR code to participate in this experimental WorkShop online and practice by themselves:


2. Use Amazon Cloud Technology IoT Device Defender service to detect and prevent device intrusion

This experiment is an IoT security solution presented by Cloud Architects Xin Chen and Bin Liu of the Australian Amazon Cloud Technology Professional Services team. Conference guests can play the "hacker" themselves, attempting to break into smart cars that simulate driverless vehicles using a remote device, and learn how Amazon Cloud Technology uses artificial intelligence to help users build multi-layer security protection for IoT devices and create a secure IoT platform.


In this IoT security solution, the IoT devices are two four-wheel-drive smart cars built on Raspberry Pi. They simulate driverless cars, are registered to the cloud through the Amazon Cloud Technology IoT Core service, and establish a secure MQTT data link. The two cars are set to run around a predefined circular track. As a preventive control, the solution uses the Amazon Cloud Technology IoT Device Management service to manage the cars remotely and keep their systems updated. Guests in the demonstration act as the "hacker" and take over one of the cars through a remote controller. The solution uses the IoT Device Defender service to continuously collect and monitor security data from the devices: users customize a Security Profile to select the metrics to monitor on their IoT devices, and the service's built-in machine learning monitors anomalies in key metrics in real time to determine from the data whether a device has been compromised. If an intrusion is detected, the service sends the security findings to Amazon Cloud Technology Security Hub to display the system's security posture, triggers an SES email notification to alert the administrator, and finally triggers a Lambda script through an SNS message that creates an IoT Device Management job to remotely and automatically repair the vulnerability and regain control of the compromised car. This achieves rapid, automated incident detection and response and business continuity for users.


  • IoT Core

    https://aws.amazon.com/cn/iot-core/

  • IoT Device Management

    https://aws.amazon.com/cn/iot-device-management/

  • IoT Device Defender

    https://aws.amazon.com/cn/iot-device-defender/

  • Amazon Cloud Technology Security Hub

    https://aws.amazon.com/cn/security-hub/


Amazon Cloud Technology re:Inforce China 2023 will be held tomorrow (August 31) at the Kerry Hotel in Beijing, with the theme "Comprehensive Intelligent Security in the AI Era". Reading the review of the Amazon Cloud Technology re:Inforce Global Conference above gives developers a preview of the main content of the re:Inforce 2023 China station, so that they get more out of attending in person.


Click on the picture to sign up for Amazon Cloud Technology re:Inforce 2023 China

The Amazon Cloud Technology re:Inforce 2023 China station is also of great value to domestic enterprises looking to implement localized cloud security solutions, AI/LLM models, data protection and compliance solutions, and to use AI to build intelligent enterprise cloud security services.

Developers and business representatives interested in attending the re:Inforce 2023 China station are welcome to click on the picture above to sign up and learn more about cloud security content tailored to Chinese customers, including compliance for companies going overseas, AI data compliance challenges, how to build intelligent security services for enterprises in the wave of AI+, and how to build an end-to-end security solution across the entire chain.

In addition to star guests bringing new insights and ideas on AI-related security, there will also be an exclusive experience for developers: the Security Jam competition is waiting for you!

Security Jam Competition

A gamified, fun, interactive, hands-on activity, Security Jam is an immersive experiential learning offering that helps learners develop cloud skills by simulating real-world use cases. Learners form teams and compete in a friendly contest to top the leaderboard by solving a series of security challenges, working hands-on in a lab-based cloud infrastructure.


Friendly reminder:

Places are free and limited, so sign up soon. Because there is a hands-on lab session, please bring your own laptop.

Everyone is welcome to actively participate and see you tomorrow!

The author of this article


Li Shaoyi

Amazon Cloud Technology Security and Compliance Community Builder and co-author of Amazon Cloud Technology Training and Certification's "Cloud Leader". He has extensive experience in financial compliance such as PCI DSS, and is mainly responsible for cloud platform compliance, local compliance, and localized security compliance for enterprises going overseas.


Origin blog.csdn.net/u012365585/article/details/132614056