AWS re:Invent 2019 Security Announcements – The DevSecOps in AWS edition



Ashish Rajan: [00:00:00] The way I would be going to talk about this DevSecOps episode is we were going to separate out the database security products, the new products that were released. We’re going to talk about any new features or changes to existing security products. And we were going to talk about the AWS security features that are out of existing production, not necessarily security products. 


So let’s just go with the first one. IAM Access Analyzer, what you have to work towards. 


Arjen Schwarz: Obviously it’s a very intense. You too, you are probably better suited. 


Ashish Rajan: Yeah. Yeah. I want to put demos. Let’s go. Let’s go demos. Wasn’t dentist. 


Arjen Schwarz: So. Allows you to detect permissions that how they’ve been used for the day are kind of publicly across account, things like that. So at the moment it seems mostly clearly security feature. Yeah. From the whole perspective, in that case, it would just be, it makes it easier to detect these things, but I can also see more. 


Coming out of it when the service grows that you will get a bit more information out of it that you can use it to, for example, find out exactly what is being used by users, [00:01:00] or roles, and that way, ensure that you get more fine-grained permissions. 


Ashish Rajan: And to your point, it’s actually quite difficult if you were to think about from an engineering perspective, as well as where if you have a large enough team and you feel a lot of IAM users, or IAM roles after a certain scale that we’ve got square difficulties. 


How many people have access to, I guess an admin nexus list is how many people have read only access. How many people have like a mix of admin and read only yet. So I, I see what you mean. Like the potential is a lot more than just being, oh, I’m just going to, because the way it is positioned at the moment, it looks at any IAM role or policy, which has been provided with public access or cross-account access. 


It’s only region based, but still it kind of gets, gives you that perspective that, oh no, these many roles in my account has permission and enough permission. For it to give a resource cross account access or have public access. So as here there’s a potential. So what about use cases? So if you’re going to mention one use case, a potential use case, the security use case that I thought of was a, if you have a say, if you’re a [00:02:00] startup or a small company, which is primarily relying on IAM users, or even if you’re a big enterprise, which is using IAM roles to map out what kind of privileges you have. 


It’s a great tool to start analyzing the current state, which depending on what your scale is, you could be looking at, or how many people have cross-account access. How many people have, should they have cross account access or how many people have public access? Is that intentional or unintentional? 


The if you look at the service in AWS console, it allows you to kind of resolve as well as color, which is an intentional service. So they obviously understand this. Public access service that S3 buckets sometimes need to be public. So you need to allow that. So that’s why I think that your point, I like the service because it gives a huge potential for future more depth, psychology. 


Coming in. Cool. All right. Next one. And as always, we appreciate if you guys and girls have more thoughts on yes, I’ll be, would love to hear back from you. You can reach out to our socials or reach out on the podcast pages that we would have on the hosting sites, but putting that in there before we go on to the next one. 


Cool. Right. 


Arjen Schwarz: So [00:03:00] with pointing out, this is all based on an article that you wrote or. Check out and it’s 


Ashish Rajan: shown us. Perfect. Thanks. Thanks for the plug. Really appreciate the bucket. All right. Next up is AWS detective, would you think of this one? I think it’s 


Arjen Schwarz: interesting. So it’s in a way it’s yet another collation 


Ashish Rajan: yeah. 


Yep. I I’ve never felt done as well. It’s really interesting. And it’s my bed be, right. Because as soon as to how engineering would have a lot of monitoring dashboards for a lot of application, Yeah, I I’ve fought the way. If you were to imagine this as an engineer or if a dev ops person who’s managing the fleet of applications for an entire enterprise, you have multiple dashboards to look at already, right? 


You don’t want to be like individually looking at dashboard one for certain features, Dan, who are due for certain features just want everything in one, one space. And to your point about, this being like not yet another dashboard, cause I kind of felt that the whole AWS security. It was a great start, but you kind of mentioned something initially when we were talking offline that there is a bit of a difference between AWS Security Hub and AWS Detective. 


When 


Arjen Schwarz: was that? Yeah, so in my opinion, and again, [00:04:00] as it’s still in preview, you haven’t had any hands-on yet. From my understanding, the Security Hub is focused on giving you a broad overview of all the security related features running in your accounts. Potential issue stale. AWS Detective is more focused on root cause analysis for basically more the application level. 


So workload level. 


Ashish Rajan: So if I had, I guess, an application which is behaving incorrectly, like say for example, if I had a hundred requests per second, that used to be the average, but now suddenly I’m receiving 10,000 requests per second. It could be a potential and again, it’s a preview. So we just like, yeah, there’s 


Arjen Schwarz: pure speculation. 


It’s I wouldn’t be surprised if it as possible, if that I still feel like it’s probably mostly focused on the security aspect, but the 10,000 requests per second would likely indicate something. Either something has gone really wrong with the application. Paul, we mentioned your site on our podcasts 


Ashish Rajan: and then some the additional load, a spike. 


And you’re like, oh my God, I’m so popular. 


Arjen Schwarz: But the most likely case is probably a DDoS or 


Ashish Rajan: [00:05:00] similar tech. Yeah. Yeah. Fair enough. And I think that’s a really good rate of, I think it’s a really good service from that perspective that a security force should definitely be, I guess, considering as well, boards from your perspective that I, and again, this is very engineering and security can work together to identify what’s regular. 


Versus what’s not a regular button and realism when something is a thread was meant something friends, like I think that’s kind of where there could be a local collaboration done as well between security and DevOps. The, the use cases that they mentioned at the sort of listed is triage security findings, incident investigation. 


Threat hunting, which kind of goes back to what we were saying. Oh, you’re primarily a security tool right now, but could be much more than that. 


Arjen Schwarz: Yeah. In many ways I feel like it’s a, think of it that way. I feel like security hub is a what’s going on at the moment. And detective is more for after the fact finding. 


What happened? 


Ashish Rajan: Oh yeah. Actually that’s a little bit important. Yeah. I like, I liked that. Yeah. Perfect. Hopefully, 


Arjen Schwarz: and you can, you can use that to also find things before they happen. 


Ashish Rajan: Yeah. Yeah. More detect rather than [00:06:00] respond, I guess. Yep. Cool. AWS Nitro Enclaves. 


Arjen Schwarz: Yeah. So this is really interesting. 


One, in my opinion men, the way. You mentioned it is using everything they’ve done for Nitro, basically, that allows all the fancy new instance types, like now the Graviton2 and all of that. And building on top of that, they now allow an extra layer of isolation from the 


from the. From the data yeah. Between the data and the underlying host as well. So there’s, it’s even more isolated than just as a field. 


Ashish Rajan: Oh yeah. And I kind of liked the fact that it’s not just isolation of, and I think all this is a new kind of, processing that that’s been, that’s been provided from an instance tags for different instance types. 


The security feature for me in this is the fact that. Isolation for PII and health data, or any kind of sensitive data is great. But having a faster processing also means that you will not feel your latency between, oh, it needs to go to this contained [00:07:00] riots or this isolated space inside my processes. 


So it’s going to take some time. So I like the fact that they’ve optimized that as well considering, that, oh, you should get the security benefits of isolation without losing. The performance of how it would be like lonely, I guess that is, that is not a good way to put it across. Yeah, I 


Arjen Schwarz: think 


Ashish Rajan: so. Cool. 


And I think from a, you kind of touched on this already, the use cases, additional isolation and security for high sensitive data. And you can do memory-based encryption from what I understand as well. So yeah. Would be really interesting to see how we 


Arjen Schwarz: go. I’m interested in with this one as well is if it’s for many use cases, it might be. 


Replace dedicated instances. Oh, which obviously at the moment, carry, I think, $1 per VM, per hour surcharge 


Ashish Rajan: and reduce it 


Arjen Schwarz: further. Well, as far as my understanding is this is basically a software solution that you don’t pay 


Ashish Rajan: for part of the process. So you just pay for the instance type and that’s pretty much it. 


Yes, that’s right. And it’s a, it’s a, it’s a feature. The instance type that you’re using rather than, so whatever the instance that cost is, you just pay that [00:08:00] and reserve. And since you’re definitely. Security as well as I guess, engineering capability at a low cost while the magic combined all three, like great job, AWS, Amazon CodeGuru. 


What are you talking to? This one? 


Arjen Schwarz: It’s interesting. I say that a lot. I know this. But it’s because it is at the moment is its biggest limitation, in my opinion is still support. It only supports Java. Yup. 


Ashish Rajan: And who wants to learn? Who 


Arjen Schwarz: wants to learn? And now all the enterprise people listening, shouting at us, 


Ashish Rajan: like what, why not Java? 


Best language ever. 


Arjen Schwarz: Yeah. So, yeah, at the moment the big use case for CodeGuru has two parts to it. It has a, basically a code review process where it tells you, Hey, you can do this better, which is really nice. And obviously has some good, there’s some strong potential as it’s been trained on the actual AWS and. 


Ashish Rajan: Yeah, that’s the best part I think is it’s and it’s like, you know, to your point, it’s because it’s the Amazon code, not that we’re saying that, oh, it trusts it because it’s Amazon, but it’s a fact more that, well, someone who has a much bigger [00:09:00] scale of business than an average company in Australia, or any other average company in the US anywhere as well, it’s, it’s a lot more information for a machine learning algorithm to go through and consume and understand. 


I was limited. So I would just say any local company over here, I don’t wanna name a company, but if you were to imagine the biggest telecom company that you would have in your company, in your, I guess, in your country, these, this is like that nine Sten or that times the number of regions that are covered by AWS. 


That’s a scale of code that is being processed over 


Arjen Schwarz: here. Yeah, exactly. And that’s also why there’s a lot of a lot of the recommendations that will be made about optimization and for obvious reasons. Any millisecond that AWS can shave off the code will have massive impact. So that is something that’s from the, 


Ashish Rajan: Yeah. 


And especially if you’re like a digital first kind of organization, you would find that multi-scale milliseconds can really add up slowly, but every time a page loads and every time code loads, a millisecond delay can add up depending on how much of it is actually accumulating. I guess I [00:10:00] love the service from one perspective. 


That again, it’s a preview more so, that is a lot more to be seen from the service at this point in time before it becomes GA. But I like the potential in this, that it could be something that we can use from an application security review perspective. We, at the moment we have other, I guess, providers that we rely on for it, or we have, I guess, application security guys in the organization who are going through. 


But I think of this from a smaller scale perspective, if it was a startup, it was like primarily on AWS. Or if it’s a small to medium size business, primarily on AWS, doesn’t have the money for a security person, but they could just use a service like this to say, I can optimize and performance and get rid of the obvious security ones as well. 


Any security flaws may come out of it, but that’s a future potential for the service. That’s why I am excited. I find that to be something that I’ll definitely keep it. Cool. All right. We kind of spoke about the use case for you. So we moved to the next one, Amazon Fraud Detector. 


Arjen Schwarz: Yeah. So, I guess based on the name, it is very obvious what the use case for this is again, similar to some [00:11:00] of the services released last year. 


Like recommendations the recommendation engine from Amazon, this uses Amazon’s 40. 


Ashish Rajan: Yeah. And I think, and the way I would see it as like, if you’re a bank or a financial Institute, which has been doing fraud for a very long time, you’re like, well, why am I going to use this service? I think the potential of the service is that if you can use a service to make a fraud model template, the Amazon guys are providing a model that can consume a template. 


Focused toward fraud, use your learning and combine that with machine learning to actually do enhance what you may have already learned. If you’re already doing machine learning then you might still want to check out if they’re doing something different to what you are, what you are doing, you will find the most benefit from this as the fact that it just adds onto that existing template. 


You may have, I guess, in an organization, would you agree? 


Arjen Schwarz: Yeah. Also of course, in addition to that, I would say that for smaller companies, not just the big banks and like, they might be able to just more easily hook into this and get some of the fraud detection. [00:12:00] It may not be as advanced as what the banks with everything combined get, but it will be a lot more than nothing. 


And building something from scratch. Yeah. A lot 


Ashish Rajan: of work, especially if you think about all the the neobanks and all the micro finance, whatever. I mean, I guess the, the FinTech space is exploding at the moment. So those guys can definitely use this. That that would be a great feature for them at your point. 


It makes sense for them to at least start building on this now, maybe, and see how far they can go with it. Maybe you start collecting users as a benchmark or a base, or this is how we should be doing it. 


Arjen Schwarz: Yeah, it might be good enough. For a lot of time to just stick to it. Yeah. 


Ashish Rajan: Yeah. That’s right. It could just be good enough just to stick to stick to this one. 


Cool. The next one is AWS. 


Arjen Schwarz: This is something I did not expect, but it’s a logical next step forward outposts that finally came out for those who are not familiar with it. Local zones is basically a sort of mini availability zone. That is in a different city from the actual region. [00:13:00] So the one, the only one currently available is in Los Angeles, which is tied to the Oregon 


Ashish Rajan: region. 


Yeah. And I guess the potential for this is like, if you’re not happy, if you’re, if you’re a country or a state or a region, which is not close to an Amazon region, which is a different region, you can extend a close by region to to somewhere local to you, a local data center through. Now I guess from a security perspective, you would find you can probably use extend your existing data center, security privileges across to, a partner or a us. 


And to match those on to this, I, this, this is again speculation because we don’t really know what it looks like. It’s still in dreamy mortar, and the way it’s been described it as extending you, you should still be able to use your AWS API. And you should still be able to use AWS services, which are available in the region that you’re closer that you or the region that’s acting as a local zone for you. 


So my, I guess, 2 cents from a security perspective, one that is, that means you’re either you’re looking at extending your on-prem privilege. On-prem security [00:14:00] features onto this, I guess, local zone, or it could also mean that extending your Amazon features from your Amazon region onto your local. You can only do, or it could be a matchup or it could be a matting the two together. 


So it will be we’ll wait and see how we go. But I feel like it’s, it’s going to be a interesting from a lot of people doing migration, people moving towards hybrid. I think it’s going to be a really interesting mix, especially if you have some kind of a regional governance requirement where you need to be in a certain region for all your data, that may be a good feature, our good service for people. 


Arjen Schwarz: Yeah. Yeah, definitely. And in addition, obviously it is if you are very far from any region, but an obvious example here in Australia is we have the one single region in Sydney. If you’re based in Perth at four, is it 400 kilometers? 


Ashish Rajan: It’s a long day. 


Arjen Schwarz: Yeah. That’s a bit more latency than you might want. 


So if you have something running locally, it just the direct interface probably because. Keep in mind this a lot less high availability and similar things that are possible. But if you [00:15:00] have it in a way, it brings more compute to your local end 


Ashish Rajan: points. It does. It does. And I think that that’s the best part with having the same features as a cloud, but more local to you then I guess then to service, which probably comes from somebody. 


Yeah. Cool. So with that, that was the segment where we spoke about the new products, security products that were released by AWS. The next segment is AWS security, product updates, existing products. The first one is AWS LEF Todd, and it’ll be this plastic bath, plastic, sorry. 


Arjen Schwarz: So this was a release that went very under the radar, for some reason, I have no idea why it was hidden in a blog post that just said, oh, we now have managed rules. 


Yeah. And underneath them I didn’t really realize until I saw the CloudFormation updates that had a WAFv2. Yeah. 


Ashish Rajan: 2.0. 


Arjen Schwarz: So 


Ashish Rajan: it’s an hour. I think that’s an interesting one as well. Cause you kind of mentioned when we were talking offline, you’re going to mention that there was a S it makes it’s I got to have a [00:16:00] lot more free DNO or you kind of mentioned on the word it’s optimized. 


Arjen Schwarz: So the, one of the biggest changes to it is I think there are some, billing changes as well. But the other big change is to do with the limited. Oh, so please tell more it usually with the original, with, with classic, I guess we call it now. You had a limit of how many rules you could have in your web? 


I believe there was a limit of 10 rules, actual ACL. Well now everything is point-based and you can, so if you look in the web console and you look at the managed rules from AWS, which, I know free to 


Ashish Rajan: use for cost 


Arjen Schwarz: effectiveness, that’s the big advantage cost-wise but you can have 1500 points is 


Ashish Rajan: yeah. 


Wow. 


Arjen Schwarz: Yeah. So it’s not a one-to-one relationship because that so now the points are based on complexity. Oh, interesting. So there are some that have, that are maybe 50 points. There might be one that has a thousand points and it’s all, I assume it’s based [00:17:00] on the complexity of the calculations or the speed with which it can. 


Last Rudy’s. 


Ashish Rajan: Oh, so that makes me question. So I guess it goes one common raffle that a lot of people that I talk to in our customers, I’m sure you’re talking to as well they ask for is the OWASP Top 10, is that cause earlier there was no managed rule for it, from my understanding that we had to create our own or use a vendor base, a window offering offer. 


Now, I don’t know what the complexity level for that is probably going to be high. But did you, I didn’t even, I I’m sure. Not sure if the managed rules actually covered that, but is that something that you can call out? Like when you did the CloudFormation templates, when he saw the CloudFormation update, did you see in terms of what the easy to call out that? 


Oh, I just want a one-stop ban. I don’t know, in this top 10 or something, like, obviously I’m making up and they stop them, but I’m just like, can you pick and choose complexity or is it going to be more of a, no, this is what you get. I think it sounds more like it’s. 


Arjen Schwarz: Yeah. So based on a specific rule, you, that is the complexity that it has. 


So that’s the number of [00:18:00] points it has. So, honestly, none of that was show of like the top 10. I wouldn’t be surprised if, for example, they just split that out into 10 different. 


Ashish Rajan: Oh yeah. Cause there’s no charge. If it’s an AWS managed rule, there’s no charge for it anyways. So you could just say, oh, I just wanted to production with secret detection, but I’ve got CloudFront for DDoS. 


So I don’t really care about that or what something else for object and an object reference or whatever. So, yeah. 


Arjen Schwarz: If that’s not the case, I believe that is what they should do because not everybody has the same needs. If you run a static site, you don’t really care as much about 


Ashish Rajan: SQL injection on data is at the back. 


Or are you protecting resynchronization that there’s no data is in the back. Cool. Yeah, th that funny enough, that was the only change to an existing security product. And as I’d mentioned, yeah. Under the radar as well. So no one really saw it coming until you actually logged into the console or like Arjen, you were on CloudFormation, then they try to update it. 


You won’t even notice it. So that’s a good one that AWS sneaked in, but for some reason it wasn’t spoken about much. We moved [00:19:00] on to the next section. Now the next session is on, update security features to existing products and Amazon VPC ingress routing. 


Arjen Schwarz: Yeah. So, this, it does exactly what it says. 


You can now route all your traffic, that incoming traffic to a single point. Yup. If only there were appliances that were dedicated to dealing with those kinds of, 


Ashish Rajan: yeah. And so I guess the short version that I understand is you can assign route tables to VPC which means that you can have, if you have an appliance that does a deep packet inspection or an appliance that looks at, I dunno, just what else you could be doing on it. 


Yeah. It’s a whole separate discussion on whether you need them or not, but, it it’s a possibility if you are an organization, which requires deep packet inspection, there was VPC mirroring, which was kind of like a first version of if you could meet our VPC. But funny enough, because VPC flow logs, doesn’t really give you that detail information you, this is, I feel like this is a great addition for anyone who was trying to do deep packet inspection that, oh, all my dog traffic is going to go through here. 


If I, if you have a [00:20:00] host based agent as well, that you can, you can channel that through, or you can refer it on channel, but you can route that through a certain appliance as well. And that is for me, that’s a great feature. But obviously it comes with its own engineering challenges. 


Arjen Schwarz: Yeah. In a way it does on the other hand, last year when we got transit gateways, one of the common bed already happened. 


That I assume you’ve seen as well, is that that is a single entry point for all your different VPCs. So in a way, this built on top of that or makes it a bit easier, I guess. So in that regard, this is already happening. 


Ashish Rajan: But at the moment now there’s like a, probably a better pattern for it, I guess. Or there’s an obvious pattern you don’t have, so yeah, you don’t have to hack your way around it. 


You just have a route table that goes to VPC endpoint, or you just go, all right, I’m going to consume everything from this hardware appliance. Yeah. I think the pattern definitely makes it a bit more easier now actually, from the sounds of it, next one is Access Analyzer for AWS S3. This is an interesting one. 


Maybe I can pick up, take this off. Cause I feel like it’s like it’s one of those ones that you’re like a very [00:21:00] security focused when kind of like the detection one and the IAM Access Analyzer. So this is funny enough how the name do things very similar. So I wonder if there’s a watching coming on for VPC access, analyze that as well or something like that. 


But the, the, the whole point is that it goes through permission buckets. And it would identify S3 buckets that maybe open to the internet. It, I think the whole point behind this is a lot of products have been, I guess, introduced on other SaaS products have been introduced in this space where, because S3 buckets were being made public left, right. 


And center. Everyone talks about S3 bucket as that thing that, oh, what if your S3 buckets go public? That’s kind of like the fund approach and order people. So I think this is Amazon. Again, being more proactive, they’ve already taken out the I guess they’ve already made it a four or five step process to make an S3 bucket public on the console. 


So it’s not a, it’s not, it’s not a straightforward process, but on top of it they’ve even gone down the path of saying, oh, well, we would ongoingly analyze the access you have on the bucket policies to make [00:22:00] sure if hunting goes public, we notify you straight away and you can swift for you. I mediated. 


Waiting for a SaaS service, which probably updates and every 12 hours or whatever, or maybe one an hour to figure it out. A Publix an S3 bucket is public. Do you want to agree? Disagree? 


Arjen Schwarz: I agree. You want to add, actually, I’m going to have a question for you that I do, you know, if it only looks at the bucket level or also the object level, 


Ashish Rajan: I think it does both. 


From what I answer, but then again I have have barely just one, two onto the roads I haven’t seen because I didn’t have enough data to go through it, to know if it looks, 


Arjen Schwarz: I don’t know. That’s why I was just wondering, because one of the common issues I see is that a bucket itself might be mostly, not public, an object. 


Ashish Rajan: The public. Yeah. And it’s an interesting one goes to test the ride. Ran was for the bucket. I didn’t run a test for an object one. So yeah, maybe if someone in the audience has done it, if you’re listening to this and if you’ve done it, or if you want. Recess thirty-seven feedback. We would love a hearing, although I’m pretty sure we are in and I’m going to just test it out pretty much after we finished the garden. 


But, [00:23:00] it’s a great thing. I love the question. And if you guys want to come back to us as well, we will appreciate that next one. I’m running quickly to a time where we here, we just have a few more to go access points, 


Arjen Schwarz: access points. SPX plans, obviously you, it allows you to limit access to specific data from specific places. 


It’s on top of all the existing things. It’s a way easier way to manage access from within a VPC to buckets, where before you had to go through the VPC endpoint, have 700 buckets in there. And it was a free application, had the same access. Yep. One big thing here also is it allows you to differentiate, read and write access more easily. 


Ashish Rajan: Yeah. I was going to say the feature, the role-based access control features. Amazing. I think the way the use case of what I was, the way it was explained was kind of like what you just mentioned. You may have a, I dunno, a HR team with what does, I want access to data of how, how Austin is the ambassador program that AWS APN ambassador program that you and I are part of how many people are there, which is [00:24:00] growing quite a bit. 


And so now we give them access, but tomorrow engineering team comes in. We have this really awesome thing that we want to do for AWS, AP ambassadors. We want access to that data. Now, if you look at it, you know, oh, the second thing, then there’s a third thing. Everyone wants access to the same data, but now you have almost these four or five or more different sets of users that you have to control access to and do your point. 


You may have some may require, read access, some medic wide, right? And ISX access. It’s a great way to centralize all of that. Just say, do you just pass the same access point to everyone and define the kind of service that they can or define the kind of mission that they can have? They can have read or write. 


I think that’s a great way to you. That’s why I like the service from a security perspective. You can control access at scale. You can go granular if you want to, but at the same time you can keep it coarse-grained as well. Cool. I think we kind of spoke about the use case already. So what about next generation ARM-based Graviton2 processors? 


What a long title? 


Arjen Schwarz: Awesome. For many use cases, we can easily run a, 


Ashish Rajan: I don’t know, a lot of time to [00:25:00] think. 


Hello? Hello? Hello? Hello? Hello? Yeah. Okay. Let’s start recording again. So we did a bit, so the next one is next generation. ARM-based AWS Graviton2 processor with memory encryption, long word. How do you, what do you think of this? 


Arjen Schwarz: It’s awesome. We’ve seen not just everywhere. People are moving more towards. 


Yeah, we see them in our phones and tablets and things like that all the time, because they’ve got a much smaller energy footprint. And a lot of those percent, the processes are getting faster than the traditional Intel one. Oh, 


Ashish Rajan: yeah, I think, I think for me it was memory encryption as the name suggests they have made the encryption process 50% faster. 


So encryption performance has obviously accelerated as well. So that’s a great feature from my perspective. Right. We’ve got two more to go skip through I’ll quickly go through them, the EventBridge schema registry as an investment. Interesting one, because at least from a security perspective, what I found interesting was that if you’re already using. 


And event driven model for for like a slip security findings and security remediation, the company you can define a template for, or you can define, and if I go [00:26:00] over there, but you can define a schema for what it would look like in an event. And based on that you can have notification center. That’s kind of what I like about it, but again, just a preview, lot of speculation, I don’t know how effective it would be downtown in Saudi to only support Java, I guess JSON support, but I’d, Hey, I’m on complaining at the moment as well. 


We’ll see how we go. 


Arjen Schwarz: Yeah. So the other flip side of that is the detection part as well. So it will discovery. It’s what it’s called. It allows you to just say, okay, please generate the code snippets for me that I can put in my code that match the structure of the events that are incoming. Oh 


Ashish Rajan: really? 


Yeah. Oh, favorite. So the way I, so the way I see here that is, if I look at me that I’m not even based at the moment, but I want to be, I can probably use your services started off and said foundation. 


Arjen Schwarz: Yeah. So you can enable the discovery in your dev environment. See all the incoming events, see, notice, Hey, this is what the structure will be like, generate the code for me and suddenly you have code completion and everything in your IDE. 


Ashish Rajan: But I like this. I was even more now. Last one, AWS transit gateway network. 


Arjen Schwarz: Yeah, I haven’t had [00:27:00] a chance to play with this one yet. 


Ashish Rajan: I think the way I am, if I were to add, I would probably say it, I guess it’s rightly so, because it’s a service where a lot of people are talking about that. A lot of people have stockings. 


A lot of people have operational teams. They all have all these sitemaps score on practically from one end to the other. Imagine like a massive room with a lot of that. Lord allusion to the Lord dashboards. And this, this would be all one dashboard where you can see what’s going through your transit gateway VPN what’s the traffic flowing through it. 


It’s basically well, the way AWS has framed it, you can have your on-premises as well as AWS network traffic. And the way I read it is you can have your Azure traffic, GCP traffic, or any traffic going in and go into a central place. But network manager is basically to reduce operational complexity. 


Of managing multiple networks across multiple global networks. That’s how I did it. But then again, I haven’t used it much myself. I don’t think we have big enough scale that people are ready to start off. So if anyone in the audience has already done this ad or using it, we would love to hear what you guys think because it’s available in Sydney as well. 


So I don’t know how many [00:28:00] people are here do global. I am AWS. I’m sure. Quite a few do. So we’d love to hear from you guys.