AWS re:Invent 2023 security releases & re:Invent 2023 highlights: a security attendee's guide to AWS re:Invent 2023, with Adam & Werner keynote analysis and the announcements that matter to us cloud security folks.
Chapters covered during the episode:
00:00 Introduction
04:49 GenAI at AWS re:Invent
06:01 No new security service announced
06:48 Updates from CEO and CTO Keynotes
11:29 What is Amazon Inspector?
12:10 Amazon Inspector Security Updates
15:09 What is AWS Security Hub?
15:52 AWS Security Hub Security Updates
18:52 What is Amazon GuardDuty?
20:10 Amazon GuardDuty Security Updates
22:49 What is Amazon Detective?
23:45 Amazon Detective Security Updates
26:22 What is IAM Access Analyzer?
28:06 IAM Access Analyzer Security Updates
30:33 What is AWS Config?
31:25 AWS Config Security Updates
32:35 Other Security Updates
33:46 3 Layers of AI
35:21 What is Amazon CodeWhisperer?
36:36 Amazon Application Composer
37:34 Guardrails for Bedrock
38:13 Amazon Q
41:17 Zero Trust
41:45 Ransomware
44:29 Security Talks
45:54 Input filtering and validation for WAF
50:31 Enterprise IAM and data perimeter
53:00 Conclusion and find out more!
You can check out the Top announcements of AWS re:Invent 2023 and AWS re:Invent 2023 - Security, Compliance & Identity.
Ashish Rajan: [00:00:00] AWS re:Invent 2023 security announcements are probably the final ones for the year. Now in 2023, as expected, there was a lot of gen AI conversation at AWS re:Invent. Shilpi and I from Cloud Security Podcast were representing Cloud Security Podcast, talking to cloud security people on the ground, meeting you folks at the meetup we organized, and also just having conversations with other CISOs about what the top priority for them is for 2024.
Now AWS re:Invent is known as a conference that is setting the tone for what you can expect the other cloud providers to start doing as well. This is towards the end. So April is Google Next. It would be really interesting to see what more is announced by Google Cloud, because in the first keynote Adam, and this is just a short snippet before we start the episode, Adam Selipsky, who is the CEO, announced a partnership exclusively with NVIDIA for all those companies that want to use enhanced hardware that is provided by NVIDIA and that is exclusively available from AWS.
That's right. And towards the third day, when Werner [00:01:00] Vogels, who's the CTO of Amazon, spoke, he spoke about how builders can use, and I'm sure you'll be surprised by this, no code. Yes, there is a whole drag and drop option as well. Now they spoke about CodeWhisperer, how CodeWhisperer has been able to increase productivity, lower the cost, and also in some cases supercharge the overall business as well. So all that and a lot more in this episode of Cloud Security Podcast, where we cover AWS re:Invent. Shout out to Amazon Web Services for having us on the ground as well. It definitely was a great experience meeting builders, heroes, CISOs, and other people who are in the cloud security community who joined us for a coffee meetup. As you can imagine, we did a coffee meetup over there while we were there as well.
And thank you to everyone who came and said hello to us. I'm always grateful that I got to hug so many of you and say thank you in person for giving us all the support for all these years.
I really appreciate this and I hope you enjoyed this episode, which is a recap of AWS re:Invent. As always, if you know someone who could not go to AWS re:Invent and is a security professional who wants to know the highlights of what was [00:02:00] announced, security announcements specifically, from the keynote perspective as well as the announcements that were made by Amazon in general, definitely share this episode with them.
They'll definitely find this valuable. And as always, if you're here for the second or third time, I would really appreciate if you can drop us a review or rating, if you're listening to this on Apple podcasts or Spotify, if you're watching this just on YouTube, definitely give us a follow or subscribe to this on the YouTube channel as well, because it helps us be found by more people and we can help more people in cloud security as well.
By the way, for people who would end up watching the video: it is super cold in London and I am wearing a beanie. Yes, it is that cold and it is that time of the year. So this is the first time for me to be in a winter like this. Melbourne has winter, but not like this.
If you have any advice on how I can stay warm, definitely let me know. I think at the moment the beanie is what I'm holding on to, but I hope you enjoyed this episode with Shilpi and myself, where we covered the recap of AWS re:Invent, and I will see you next episode. Peace.
Time is the currency of the cloud. Companies move to the cloud to speed time to market and to [00:03:00] drive revenue. Things are moving fast in the cloud. We're expected to be very innovative. It's really all about businesses staying competitive and remaining relevant. In the new world of the cloud, every second counts.
Every second needs to be secure. That's what we do at Sysdig. Secure every single second.
We interrupt this episode for a message from our sponsor. A growing business likely means more tools, third party vendors, and data sharing. In other words, way more risk. Vanta brings GRC and security efforts together, integrate information from multiple systems, and reduce risk to your business and your brand, all without the need for additional staffing.
And because Vanta automates up to 90 percent of the work for SOC 2, ISO 27001, and more, you will be able to focus on strategy and security, not maintaining compliance. Join 6,000 fast growing companies like ChilliPiper, Patch, and Autodesk that use Vanta to manage risk and prove security in real time. [00:04:00] You can try Vanta free for seven days by going to vanta.com/cloud, that's V-A-N-T-A dot com slash C-L-O-U-D, to start a free trial, no cost or obligations. Now let's get back to the episode.
Hey, what's up? Hello everyone. Welcome to another show of Cloud Security Podcast. We're talking about AWS re:Invent announcements from a security perspective. But to kick it off is Shilpi Bhattacharjee. Shilpi, over to you.
Thank you for having me, and welcome everyone, and thanks for joining us. We are very much fresh from re:Invent; we were there for the last few days. I even have tears from re:Invent right now. All the jet lag tears, yes. So yep, very fresh, pretty much just came back to London yesterday, but we just wanted to make sure that we keep everyone updated in terms of what all the security updates were, and we will not hold it against you if you've been looking at stuff and just been hearing about AI. So, as we predicted, there was a lot of gen AI mentioned. So [00:05:00] just for context, the CEO, pretty much in his keynote, 20 minutes in, started talking about GenAI. It was a two hour keynote and 20 minutes in, he was talking about GenAI, and there were lots of updates. Also, if you were to look up all the announcements that happened at AWS re:Invent, the largest section of updates has actually come from AI and machine learning.
So there were about 19 updates. If you look at their list, there is a blog article that AWS has put out about the top announcements of AWS re:Invent, which we will link in the show notes. And then you can quite easily see where, I guess, the focus of the event was, but for this purpose and for our love of security, we are going to be talking about all the security updates.
Now, if you've been watching our reviews for a while, for all the different conferences that we do, we do like to go from, if there were any new security products or services that were announced, and then from there we like to talk about updates to current products, security products, and if there were any other security things [00:06:00] that were added on to other products.
The first section is going to be pretty short and sweet, and there were no new security products that were released, which is not unexpected, because I think they do have a security conference that happens, which is AWS re:Inforce, which is in the middle of the year. And they've just announced the next one, which is happening in June of next year as well.
And usually, from my experience, they do reserve those product releases for re:Inforce instead of re:Invent. So I wasn't surprised not to see any security product releases, but I don't know, Ashish, were you disappointed not to see any? We aren't always disappointed not to see a security update.
for making me come across as a positive person. I'm always so positive that I don't have any, I haven't turned British yet, but I think I definitely would say that it is expected that re:Invent is a lot about, so I guess to set the stage, there were more than three keynotes, the three that we primarily focused on for the context of Cloud Security Podcast, the first one from Adam Selipsky, who is the CEO, the second one from the [00:07:00] CTO of Amazon, which is Werner Vogels.
Those are the two primarily what we focused on. I think the AI one we probably would cover on the AI Cyber Security Podcast, so it probably doesn't make sense to cover that keynote over here, I think. It is expected for people who probably would have seen this before, so this might just be music to your ears, but for people who have not ever heard a keynote from Amazon, what usually happens is the CEO normally talks about the business, the partnerships, and where they see that next 2024 or the next year, what kind of partnerships you would see more often, and the CTO, Werner Vogels, those conversations are primarily driven by, hey, this is what we're doing in Amazon. This is a customer who has worked with us and solved this problem using the services that we have created, and by the way, this is our prediction for the next year. Some announcements that we'll talk about happened a couple of days before re:Invent as well, so we go to those, but primarily, to what should be said, most of the announcements were driven by non-security but business needs. There were definitely security [00:08:00] updates, but to specific products, but it would not be a big security announcement. And I think this kind of brings me to the first theme of the conversation as well. For people who have checked out our episode of 2022, what you would realize is that last year they spoke about security quite a bit at re:Invent, and obviously there was no AI, because in November 2022 we were still trying to figure out what that is. But in a way, at the moment, this year it was a lot about AI, a lot about partnership with NVIDIA, partnership with Anthropic, and everything else.
But I'll let Shilpi get into the keynote analysis as well. The only thing I'll call out from my notes before we go into some of the announcements from a security perspective is a quick one. The NVIDIA partnership was announced by Amazon at the CEO keynote.
And the idea behind that was, hey, by the way, we're trying to be exclusive for being the only source of the NVIDIA hardware for anyone who wants to create a custom LLM. That was, I think, the most interesting one. From the Werner Vogels one, I think the interesting one, actually one more for Adam, was [00:09:00] Anthropic, which is a customer of Amazon, and they wanted to call out that they have exclusive features that would only be available in the beginning to people who are using Amazon Web Services. Also, they were definitely trying to sell the idea that if you're on Amazon and you're using Amazon, it's a great thing to be able to continue working on your large language model on Amazon, and the team got to continue on the last keynote with the one of Vogels as well.
He had Nubank, which is one of the largest banks in Brazil, who has done exceptional work in the banking industry for Brazil. And otherwise they definitely spoke a lot about what that means for their usage and cost and everything. I think the whole theme of Vogels' talk was about the frugal architect.
Him being a video person, or a video, I guess, he had the whole Matrix thing going on. The thing I will take away, which was the highlight: pay your debt. In the context of people who use Sprint or Agile, you probably would understand tech debt. The [00:10:00] idea behind this was, if you don't address your tech debt more frequently, you are not only exposing yourself to huge amounts of costs because you have not looked at something for a long time, but also, from a security perspective, you're leaving yourself exposed to a lot of risk as well.
There was a huge focus on sustainability, which I think is a great thing, because considering climate change, which is real, hopefully none of our listeners believe that it's not real. That's pretty much what I would call out. Sustainability, cost, and I think there were a couple of other announcements which we'll go into.
But without talking too much about the AI piece, this is what the main keynote highlights were.
I think that I resonated with similar things as well. I think one thing from the CEO keynote which was good was the fact that he didn't call out specifically the security focus on AI. So I think they spoke a lot, as I said, pretty much 1 hour 40 minutes of the keynote was about AI, but there was a lot of conversation around how it is really important for them to make sure that the AI and the LLMs are quite secure, and they did go into speaking [00:11:00] about that as well. The responsible AI part.
The responsible AI part, that's right. So yeah, so now we'll go into obviously the security product updates. Now, the way we've categorized this, and I think it's just easier, is that I've grouped all the updates for each of the security products. Now, if you're an AWS user, you'll probably be familiar with a lot of these things, but I think, just to level the playing field, I'll probably get Ashish to explain each of these services. Now, we've picked the popular services or the ones that have had a lot of updates.
And obviously you'd see a theme here, but just to start off with, the updates that I'm going to talk about next are the ones for Amazon Inspector.
All right. Amazon Inspector, for people who have not heard of Amazon Inspector: this is the vulnerability management service from Amazon. What does that mean? That just basically means that if you have an image or an operating system that you use from Amazon using their AMI, or Amazon Machine Image, you can run vulnerability scans on those images using Amazon Inspector.
So that's what [00:12:00] Amazon Inspector helps you with normally. And it has extensions that go beyond just the images. It does Lambdas. It does other things as well, EKS as well to some point, but that's it. Perfect. So now that we know what Amazon Inspector is, there were a few updates on there, and it is one of the popular Amazon or AWS services in terms of a security tool.
So I'll run through these quickly, because obviously we do have a few updates to get through, so I won't go into too much detail. This will be followed up by a blog on our newsletter as well, where we'll link all the updates, so that's something that you can follow on. But basically, the updates to Amazon Inspector were that they have added container image security by integrating developer tools, which means that you can integrate with developer tools like Jenkins and TeamCity for container image assessment.
So that was the first one. And this kind of leads into the whole CI/CD security conversation that I guess we've been having all of 2023. You can also do agentless vulnerability assessments for Amazon EC2. Now, this service is currently still in preview, but this is [00:13:00] again going into that whole continuous monitoring for Amazon EC2 instances, which I think I know some people would be excited about, but still in preview.
And the last one for Amazon Inspector was they've expanded Inspector to now be able to do AWS Lambda code scanning with their generative AI-powered remediation. So you can do assisted code remediation, auto reasoning, all of those things. So a few updates there. Ashish, just from a practitioner or a CISO lens, how does that resonate with you?
Are there things that you think will be useful for security practitioners?
So from a practitioner lens. So as a CISO, I would say the whole builder mentality or developer mentality that has always been promoted in tech companies is definitely being highlighted in this announcement with integration with development tools.
The one thing that I'll call out, which probably would be really exciting for a lot of vulnerability management people or CISOs as well, or heads of security as well, is the agentless scan, even though it's in preview. The reason I think it'll be interesting is because a lot of us don't have SSM agents [00:14:00] on the images, which is what's required for Amazon Inspector to run a scan without installing an agent usually.
So you should have an agent for SSM. Now what they're saying with this release is that, similar to how all the other vulnerability management providers do it, where they can take a snapshot of your volume and scan for software packages, etc., that's how they would come to identify what vulnerabilities are on your EC2, which is pretty great for people who have migrated their on-premises servers to cloud and could not install the SSM agent for whatever reason.
Or have not updated it. So I think, once it's out of preview, it'd be a great service. So I think overall, I would say it's definitely a welcome change. Not sure about the AI-powered remediation yet. I think I just have to play around with it to see, and I think we'll cover that in the AI part of the episode as well. But I think that's spot on from my perspective for Amazon Inspector, the updates that came in.
Perfect. Thank you for that. And also anyone listening in feel free to chime in if you have any thoughts about [00:15:00] these good or bad. That's what we love to hear.
The second one: AWS Security Hub.
So again, something that, you know, I know a lot of security practitioners do utilize.
So AWS Security Hub, essentially, for people who have tried working on a large AWS account base environment.
If you have more than one account, you definitely come across challenges where, how do I have all my security events from all the security products that Amazon has in one particular location? That's what AWS Security Hub is about. It's basically the equivalent of a central place for you to measure your overall posture based on the tools that are available from Amazon.
That's the simplest way to put it. And AWS Security Hub can work across all your AWS accounts. I have heard it being described as AWS's CSPM. I don't know if people will agree with that, but I know a lot of people are familiar with all the acronyms.
So with AWS Security Hub there have been quite a few announcements. So I think they're just looking to enrich it and level it up. So there [00:16:00] were new data visualization, filtering, and customization enhancements that they've made.
So it means what they're hoping people will be able to utilize this for is being able to focus on risks that require your attention. So you could be filtering things out for, okay, these are the production accounts that have got some critical severity risk, or these are where my crown jewels are.
So those are the things you can filter for. They've also announced new finding enrichment in AWS Security Hub. So that means there's new metadata enrichment for findings aggregated in AWS Security Hub, so you can better contextualize, prioritize, and also take action on your security findings.
The other one that they've done is a new central configuration capability for AWS Security Hub. So that means that you can centrally enable and configure Security Hub, your controls and your standards, across all your accounts and your regions. So basically, overall, the way I'm seeing this is that they've just made it so that you can see more, you can filter more, you can customize more, just making it a little bit more powerful than it [00:17:00] used to be.
I think I would probably say dashboard enhancements are great, and maybe it may not be that significant for anyone who's probably never used the service before, but Security Hub is not the best and the most convenient one from a visualization perspective, to Shilpi's point.
If it's called a CSPM, or cloud security posture manager, it has not been known as the interface that is probably the friendliest for people, especially if you just want a central view, if you're selling the idea that it is a central viewpoint for an entire, I guess, security part.
So that used to be a bit of a challenge for a lot of people. And because of that, now the dashboard enhancement is definitely welcomed by people. I imagine that would definitely be something for people who are primarily using AWS. The dashboard enhancement will go a long way, including the finding enrichment.
And I think probably the finding enrichment is based more on people who are using partners as well. I think it definitely can vary, because a lot of people don't just use a service from AWS. [00:18:00] They also end up using services from Amazon partners, which is in the marketplace. They might end up using other services as well.
So it does help, but I don't know how much of it would be valuable for everyone, but for the far and few, or maybe for the ones who focus primarily on using AWS Security Hub for everything as a central point, and they're primarily an AWS environment, I think they would benefit from that. Yeah. It looks like, if I take a step back and look at these updates, it looks like they're allowing people to make AWS Security Hub their own. So you filter what you want. You customize it to how you want. Hopefully, they would probably, I'm hoping they would eventually look at what the customizations are that people are doing and create something that would have a better UI.
So that could be maybe down the track, something that they're hoping to do. Moving on from that one. So we've had updates to Amazon Inspector. We've had updates to AWS Security Hub. I guess the next one we're going to talk about is Amazon GuardDuty.
That is the threat intelligence service from Amazon. And I think [00:19:00] the simplest way to explain this is that anyone who has tried keeping up with what's the latest hack that is available, or what's the latest, quote unquote, threat that is available on the internet? That's pretty much what threat analysis is.
How do I access sources that are collecting this information instead of me going on the internet trying to find everything that could go wrong with Amazon? So that's where the threat intelligence service comes in. The whole idea is the threat intelligence service provides a regular feed of what's the most recent or more updated threat that would be something that you should consider in your Amazon environment.
And that is available as a service called GuardDuty. And if enabled, it looks at everything in all the accounts in terms of what it may consider malicious behavior. And obviously, it doesn't cover all the services. It's just primarily covering certain services, which you can look into if you like.
You can do a whole episode on GuardDuty as well. But the idea being that you are able to use GuardDuty as a threat intelligence service for detecting, hey, is someone doing [00:20:00] Bitcoin mining in my AWS account? So things like that definitely come up as well. Again, if you have some thoughts on the whole GuardDuty that we've spoken about,
Or Security Hub or the Inspector feel free to share that as well,
So Amazon GuardDuty, AWS's threat intelligence service, so there were a few updates to that, and it's all centering around runtime monitoring. So runtime monitoring is something that we've seen a transition in the industry on as well.
I would say a lot of people have been building products or introducing products with runtime monitoring. So I'm not surprised to see that AWS or Amazon is adding that into their services as well. So they have announced EC2 runtime monitoring, which is an expansion of their Amazon GuardDuty. And it is just going to introduce runtime threat detection. So this is currently now in preview, so it's not GA yet, but that's something that they have announced. I think the other thing that they have announced is ECS Runtime Monitoring, which includes AWS Fargate as well. So ECS is their Amazon Elastic Container Service.
So if you've been following us on our [00:21:00] Cloud Native or Kubernetes Month, you would be familiar with that as well. So overall, they have announced Runtime Monitoring to ECS as well as their EC2 workloads as well. I think this would be a welcome change.
I would probably say, I guess, the one with the preview service is always just a, let's see what happens when it comes up. The other one, which is the ECS runtime one, I think that would definitely be interesting for people who don't understand what runtime is.
I think it's probably like the holy grail of things that maybe were a gap with AWS before, and the runtime idea is that, hey, how do I find out if something is going on right now in my account? And that's basically what the Bitcoin mining one used to be for EC2, and the support for Runtime Monitoring for EC2 may be expanding onto that as well.
Runtime basically is Runtime Threat Detection on EC2 instances, that would be interesting. And they're doing it for ECS, including AWS Fargate. I [00:22:00] think that's definitely an exciting one for people who are primarily serverless or container based. Yeah. Overall useful. Perfect. Would I be right in saying, like, Runtime Monitoring?
We can say it's like real time monitoring? Yeah. So a lot of people would also call it endpoint security as well, real time monitoring, yeah, multiple names for the same thing. But I think some people would just prefer calling it endpoint protection as well.
This is also interesting announcement from a perspective that Microsoft Azure has had some of these services always available for some of their, I think with Microsoft Defender otherwise. But GuardDuty is great to see it expanding across the wider landscape as well. And I think I remember when the runtime monitoring was announced for Amazon and EKS earlier this year, people were quite excited about it. So I would assume that this would probably be met with similar excitement.
Next one we're going to talk about is Amazon Detective.
Amazon Detective is basically your service that helps, you know how I spoke about if you have multiple AWS accounts and there's no easy way [00:23:00] to look at, hey, what is going on across, I don't know, 50, 60, 200 AWS accounts? Detective is one service that collectively helps you troubleshoot what may or may not have happened, in terms of, hey, let me help you. Instead of you scouring through large amounts of logs and events that are going on, let me just basically make it super easy and present a few options for you on how you can quickly investigate a security incident. That's probably the simplest way to put it. Perfect. Thanks for that. So Amazon Detective, again, like GuardDuty and Inspector.
It is a popular service. It's a name that you'll hear quite often. And I think one of the things that we do see with these big announcements is obviously you'll see the services that are popular actually get a lot of updates. So with Amazon Detective, few updates. So it now supports security investigation for Amazon GuardDuty ECS runtime monitoring.
So we heard about the update for Amazon GuardDuty just before. So the Amazon [00:24:00] Detective is supporting that as well, which kind of makes sense. It's closing the loop, you're not just detecting the threats, but you're also, being able to tie that back into where did it stem from and do the remediation as well.
So again, it's the whole thing of that enhanced visualization. You've got additional context. It's going to tie in quite nicely, at least in theory, when I hear about it. They have also announced investigations for IAM. This is all about the ability to automatically investigate AWS IAM indicators for different compromises that you might see. The intention probably is that you would be able to help with the security analysis and also figure out where IAM entities have potentially been compromised or involved in any sort of TTP or MITRE attacks as well.
So it's using again the Detective capabilities to tie back into, have any of these things actually come from compromised identities? And we know that a lot of the breaches, a lot of the vulnerabilities in cloud, actually do come from IAM. So I can see that this is a good integration.
It also now [00:25:00] supports log retrieval from Amazon Security Lake. So Amazon Security Lake was announced, it was one of the bigger announcements, if I remember clearly, from last re:Invent. So now they're tying that into the security side of things. So it will integrate into Amazon Security Lake and you'll be able to, again, query and retrieve all the logs that are stored in Security Lake.
The last one with Amazon Detective is they've also introduced group summaries. So finding group summaries using GenAI, which means finding group summaries automatically analyze finding groups and hopefully are able to provide insights in natural language, which can help you maybe do security investigations a bit faster.
So again, they're adding a lot of different features and integrations into Amazon Detective,
I think IAM is probably the most interesting one because most people would think data and identity are probably the two most important things in a cloud context.
So I think it would be really interesting that they have been able to identify IAM as an indicator of compromise. That probably would be [00:26:00] really significant for people who always think that, hey, I can't manage enough identities, or whatever the case may be, to be able to automatically investigate that using Amazon Detective and maybe even have metrics tied into TTPs, or tactics, techniques, and procedures, from the MITRE ATT&CK framework.
I think that's definitely the one that stands out for me over here. Perfect. Yeah. And it ties quite nicely, actually, to the next service I was going to talk about. The next one I'm going to talk about is IAM Access Analyzer. And as Ashish was saying, IAM is a conversation, like, funnily enough, Ashish, I know you started your career in IAM, and it continues to be something that is very important.
And with, the Gen AI that's come through identity, again, is becoming even more important. For people who have not used Access Analyzer, Ashish, how would you describe IAM Access Analyzer? I think it's just, to simply put, when you have a lot of identities in AWS and you're trying to, marry that to something which is least [00:27:00] privileged, because a very common problem in Amazon is that there are a lot of roles that have a lot of excessive permissions.
So I would say it is probably the way you can investigate least privilege, whether it's enabled or not, how you set that, verify that, and refine permissions for it to be, I guess, least privilege, is probably the easiest way to put it. I think it uses math, mathematical calculations, something in the background to identify.
By the way, Ashish seems to have access to these things, and out of the 20 things he has access to, he only uses three. So the 17 extra that he has around him should be removed. So that's what Access Analyzer does. I actually had a great conversation with Brigid as well about this. Yeah. Yeah. While we were at re:Invent, and what we do, we did a lot of conferences while we were there, we get to interview a lot of really interesting people.
So we did interview some of the key people from AWS. And one of the people we interviewed was Brigid, who actually is the GM for IAM Access Analyzer. So you'll get to hear that in one of the upcoming episodes. So do make sure, you're [00:28:00] subscribing to our channels on YouTube or LinkedIn just so that when that does drop, you're able to see that.
But with regards to that, what they have now added on is they've just simplified the way you can find all the unused access. And it's again tying back to this whole notion of least privilege. So one of the things, or one of the holy grails of IAM, is always moving towards this notion of least privilege, which is, and correct me if I'm wrong,
I think my version of that is that you're making sure that people only have access to things that they truly need access to. So they don't either have access to all, or they're not holding on to accesses that they needed at some point in time, but no longer need. As security people, we always want to make sure that, in our organizations, everyone just has least privilege in terms of the accessibility.
So they have added features in IAM Access Analyzer so that if there are any unused accesses, you're able to find them even more easily. So the way it does that apparently is, I haven't used it, that's one thing, apparently it continuously analyzes your accounts and it will [00:29:00] identify unused access and then it creates a centralized dashboard of all the findings, and the security team can obviously use that dashboard to remove accesses that are no longer required. They have also introduced custom policy checks, which are powered by automated reasoning. So you can validate that the IAM policies are adhering to the security standards of your organization ahead of your deployments.
When I'm like reading up these updates, I definitely feel these two are actually really valuable. They might not sound as sexy, for lack of a better word, but I know when it comes to IAM and security, these, being able to just see these things and put them in place, can actually be really powerful.
I think there's a comment about Zero Trust. That is definitely something that was not spoken about enough at the re:Invent, and I think the comment is from Kavitha.
So Zero Trust was not spoken about, so I think we'll finish all the updates and we'll talk about it later towards the end, but Kavitha, that's a really good comment, because we had the exact thing. Another thing I'll add there is ransomware also was not spoken about [00:30:00] enough in terms of putting it out there, but I'll come back to that.
I think from an update perspective to what you said for IAM Access Analyzer, I think I'll probably definitely recommend people check out the interview we did with Brigid. We spoke about what the service is, what they see the change is going to be, and how enterprises versus startups versus small to medium-sized companies are using this to their advantage and obviously doing it at scale. I would probably say it makes it even less challenging for you to have a journey towards least privilege. So those are definitely exciting updates.
Definitely. I think the next one that I'm going to talk about is AWS Config.
Config is basically, as one would describe, everything in Amazon is defined by, say, me asking Amazon for, I want five servers, with each one of them having a network, or not too many networks, or so many servers. So that is technically described as a configuration in most cases, and Amazon has a [00:31:00] capability where it can record resources or inventory, as we call it, in a service called AWS Amazon Config. And AWS Config basically allows you to record inventory of every service that is there being used by your accounts.
And it can also help you see if there is any drift from, you wanted five servers, but now you have six. Like that kind of differentiation, so it definitely helps with managing config as well.
Awesome. And just to keep up with the theme, they did announce a GenAI powered natural language query, which, as Ashish was mentioning, because it is a repository of all this information, now you can use something like, what I'm thinking would be something like a ChatGPT or an Amazon Q, to be able to query what's actually in that
Amazon Config, but rather than putting it in a codified fashion, you can just do it in a natural language query. Now this one again is in preview, but I'm guessing they'll be expanding on this one going forward. AWS Config also now supports periodic recordings. So this is to be able [00:32:00] to scale your change tracking as well.
So those are a couple of updates that they've done to AWS Config.
The thing with AWS Config is, I think some people use it, some people don't, because of the cost associated with it. So I would still like to see a lot of examples where it's being heavily used.
But it definitely is a great place to keep a record of what the inventory is, as a good starting point. So I think I'm excited, but also at the same time, I want to see what this looks like in real time. So I'll hold off my updates for now for that. Awesome. Perfect. So those were the kind of like the big security updates, and I think we've gone through all of the different services as well.
So obviously you spoke about Inspector, Security Hub, GuardDuty, Detective, IAM Access Analyser, and the Config tool. There were a few sort of random ones as well. So there was one in regards to AWS Secrets Manager. So it is, I think I would save you having to explain that one, but pretty much the name is what it does.
It manages your secrets, and they have allowed for [00:33:00] batch retrieval of secrets for this particular one. There was also another update in regards to Control Tower, so they have added 65 new controls to AWS Control Tower. I know some of our audience members are quite like, Control Tower is one that I know divides people, but so there are 65 more controls.
So you will be able to get that granularity on that as well. They have also introduced AI powered code remediation, Infrastructure as Code support and integration with Visual Studio for Amazon CodeWhisperer. So Amazon CodeWhisperer is again a new service that was announced I think last year at re:Invent, if I'm not mistaken.
And now they've added code remediation and Infrastructure as Code support onto that.
Yeah, so I would probably describe, and I think Adam did a good job of describing the whole AI space, how it works, basically the description was it's almost three layers.
One is people who would require specific kinds of [00:34:00] hardware to build their own LLMs. Or I guess people who would require Nvidia to give them a special kind of compute power so that they can create the LLM, and the layer above that would be, hey, how do I make an LLM myself? What would that look like? And what would my application, which is the LLM application, look like?
And the third layer will be a platform for AI or LLM. And now those are three layers, how they describe it. And I think that was really interesting because you can actually put that in the business context also as, if I'm, as a CISO, going on the path of using AI, the few things you might look out for is that, oh, okay,
I wanna be able to increase productivity overall of the company without having to impact the workforce in any way. When I say impact the workforce, without decreasing the number of people I have, while maintaining the same people, but also at the same time, if I can save them time.
So increasing productivity and maybe they feel much happier because that means they can spend the time that [00:35:00] they save because of the help from AI on doing more productive things, and I think that the third one, which is probably the pillar for everything, even that was called out by Werner Vogels, is the whole cost associated with running AI LLMs, because the hardware is quite expensive, and if you build your own LLM, what does that mean?
Where does that lead you to? And there's a whole conversation on that as well. But I would say that CodeWhisperer is definitely, for people who don't know what that is, essentially it helps you understand, hey, in my IDE, this is for people who are developers or builders who are writing code,
or even infrastructure as code for that matter, if you go on CodeWhisperer, it helps you, it basically shows you that, hey, by the way, you can use this as an option to help generate code for developers who just need help. And there are some examples where people have saved hours' worth of work or days' worth of work just by using a recommendation from AWS CodeWhisperer.
And there's a comment from VJ1900 as well. CodeWhisperer also [00:36:00] has a CLI component like IntelliSense on Mac, command complete on terminal. Yep, that's right. Which is a very IDE specific thing. And I think it definitely is being looked at as a good competitor to GitHub Copilot, which I think is very interesting depending on how much you are allowing yourself to use a product or a tool. I think they claim they have about a million users of Copilot already. So it would be interesting if CodeWhisperer kind of cracks that. The other thing I'll call out is from a CodeWhisperer perspective, I love the fact that now most of the Amazon resources are inching towards no code. By that what I mean is one of the announcements that happened was for something called App, I think it's called App Composer or something.
Essentially the idea was, hey, I want to be able to drag and drop things and you should just suggest me the code. And the service that you're looking for is called AWS Application Composer, and I would leave a link for this in the show notes as well. But essentially it's an extension that you can add to your IDE.
It helps [00:37:00] you drag and drop images and icons of services from Amazon. And as you drop them, it would generate the code required for it as IaC. Now you can imagine, as a cloud security engineer or even a cloud engineer or even as an architect as well, this is pretty amazing because at least you have a good starting point. Whether it works or not is a whole different thing, but it's a good starting point for you to be able to go, oh, I can do a lot more than just Google Stack Overflow for what my code should be.
They are allowing you to do that using no code capability, but no code, for people who don't know, is basically, as the name suggests, don't use any code. Oh, and VJ1900 also loves the PartyRock service as well, based on Bedrock. I think it's worthwhile calling out Bedrock as well. They did announce the guardrails for Bedrock.
And I think specifically that was called out around roles as well as identity. You still cannot go down to the granular level of saying, hey, by the way, Bedrock, if I am saying that I have Ashish and Shilpi, Ashish can only access things which are in the development environment, and Shilpi can go [00:38:00] for production.
If those are separate resources, I think then you can have an IAM role assigned to it. But going a bit deeper into individual data, that is an interesting one. And I don't think they have figured that out yet. And continuing with the theme of the whole AI LLM thing, Amazon Q, which was mentioned earlier by VJ1900 as well.
The service is on by default and it's available for everyone. And unfortunately there's a way to stop, I guess opt in or opt out of, the service. So even if you don't want it, it's there for you to use. And I think they are going to charge you money on using that service as well. But then there is a whole question around the fact that, hey, is it already scanning all the data that you have in your Amazon account? But then again, people who we spoke to at re:Invent who wanted to experiment with it, they said it is not as great as ChatGPT. Please have the same expectation as ChatGPT when you use Amazon Q.
It is still a work in progress, but the fact that this could become something like a [00:39:00] ChatGPT for all your AWS accounts, that's what made it super interesting for a lot of people, that there was potential; at the moment it may not be just there. So there's definitely potential in the service. I might just chime in, just because I know Amazon Q was one of the big new services announced at re:Invent, and I'll just quickly give an update in terms of what it is for those of you who haven't caught it. So they're calling it the generative AI powered work assistant, and I think that's an important piece, because one big differentiation for Amazon Q versus something like ChatGPT is that they are calling it out that it is for enterprises and businesses.
So it is being specifically tailored for that, and the notion is so that you can ask like business questions on that. The data set that they've used, as they've said, is the 17 years of knowledge that AWS has gone into it. And they also have an extension feature on there, which is called code transformation.
And the example that the CEO gave was like how quickly you can do different upgrades. I think they specifically used the [00:40:00] Java example, but how quickly you can do it, something that used to take probably a couple of days now only takes a few minutes. And I think they gave an example that they were able to do 1000 service updates in two days and things like that. So it's very much tailored towards that. But as Ashish said, it is probably still fairly new and a work in progress, but that's the intention behind it. So I just wanted to add that for anyone who hasn't caught the update in terms of what Amazon Q is.
I would probably add something to, we were talking about Amazon CodeWhisperer, for people who are using Amazon CodeWhisperer or Amazon Rekognition or Amazon Transcribe or Contact Lens for Amazon Connect, you should know that the data that you put in it, if you don't explicitly call out the fact that you want to opt out of the AI usage, Amazon may use some of the data that they collect from your environment for improving their service. This is not on by default, you have to, like everything else, you have to specifically go into a setting. You can do this at an organization level, and if you like I can put the link somewhere as [00:41:00] well.
You have to opt, I guess put in the fact that you're opting out of sharing data with AWS at a global level, that you're opting out of sharing your data for them to improve the AWS AI services.
I think we've done the major security ones. So I think it'll be good to get into like overall themes and things. I think to answer Kavita, Zero Trust definitely wasn't as popular this re:Invent. I think it's because with Gen AI, I think that's definitely something that's very top of mind for people and top of mind for companies as well.
So I think we notice this with most years and most conferences, and like when there's one big hot topic, which was zero trust I think in 2023, everything else gets a bit like sidelined, and I think that's what happened with zero trust. I won't say no one's talking about it, but it's definitely not top of mind for most people.
Yeah, and I think I would probably say one more thing that comes up which was not spoken about, and especially from a ransomware perspective, there was an announcement made for backup testing, which I think was almost like it was announced, but there was [00:42:00] not a lot of press coverage for it.
It was around the whole automatic restore testing validation. And for context, this is for the AWS Backup service. The whole point over here is the fact that, hey, by the way, one of the things people look for when they get impacted by ransomware, or they are trying to prevent being impacted by ransomware, is making sure you have great backups and that you can restore from your backup.
Now the restore from your backup part is an interesting one, because how do you know how much of your business needs to be restored if ransomware is impacting everything that you have? And you're like, okay, how many businesses out there make a call for, by the way, I only have five applications and I have made my minimum, I think the AWS people call it minimum viable business or something like that, MVB, and the idea behind this is what would be the minimum number of services that I would require running for me to come back to an operational state while I restore everything else.
And [00:43:00] there's a whole challenge of that. If for whatever reason you were to lose access to your entire AWS account and everyone deletes that, you need some time to bring things back up as well. So you can't just build up hundreds of VPCs in a short time. So it definitely is very much along the path of how do I manage the backups. So the whole automatic restore testing is a good one from an AWS Backup perspective, because a lot of people may not be testing their restore. So this is a service from Amazon where you can give your test plan, and it can actually validate the fact that, hey, by the way, your testing plan for the business continuity plan or disaster recovery plan is definitely working as you're expecting. So that was a ransomware part that is worthwhile calling out with an update for people who are trying to find backups. You can use AWS Backup for it, but make sure you are testing restore to the point that, hey, if you are, especially if you're in an industry that is impacted by ransomware, I think I saw something a couple of days ago as well for ransomware.
So it's still there, it hasn't gone away, [00:44:00] and it probably would be there for some time. The zero trust one, the only one I would probably say, even though it wasn't called out, I would probably say identity was probably the best one, where a lot of people from a zero trust perspective have been focusing on identity, and the identity IAM Access Analyzer update as well as Identity Center and anything else that's primarily IAM based is definitely great progress towards the zero trust architecture or design that you want to go down the path of. We found a YouTube playlist for all the security talks and I was scrolling past it.
I think there were like 36 for, I guess, AWS security topics. There are definitely AI on scaling, monitoring, how do you do coding in cloud and S3 bucket, but there was not a single talk, there's backup disaster recovery, but there's not a single talk on the whole zero trust or even ransomware for that matter.
So that made me think that's interesting, that these, like probably two of the hottest topics that were still relevant before [00:45:00] AI became a thing, suddenly have disappeared. But hopefully, by the way, if anyone has any opinion on that as well, would love to hear if you are confident in your backup, or if you've been able to do restore properly, or if you like the service, are you considering doing zero trust?
Is that important for you? That would be great to hear as well. Yeah, we've got a sad smiley from Kavita saying zero trust is quite important, which we do totally agree with. It is really important as a notion. I know it got highlighted last year because of the executive order and the push for organizations to do it.
But achieving complete zero trust is, I think, a notion that people are aspiring towards, but I don't know how realistic it is, but definitely it is something that helps organizations just be secure. So we do agree. Unfortunately, it just isn't top of mind this year for people, but again, that doesn't mean people aren't working on it.
It is definitely something that people are working on. It's just that I think AI has just been a bit more exciting for people. We do have a question actually from Ken, who has said, were there any discussions around input [00:46:00] filtering and validation between gen AI endpoints and services? It seems like a natural potential feature for AWS WAF.
Yep, and unfortunately Ken, there was no conversation about it. I think it's worthwhile calling out, a lot of people are using some kind of proxy or something similar already. Because mind you, the Gen AI I think exploded in people's faces over what's just been a year, and now everyone's using it. It is definitely a use case
one would think AWS WAF might be applicable on, but another place where I would see this as valuable is the API gateway. So for context, one thing that came out of all the conversations we had on the floor was a lot of CISOs and all of the executives for 2024, they have got data security, AI security and zero trust, ransomware in their budget items for 2024.
So you would definitely start seeing a lot more investment, a lot more conversation around API security and data security when people talk about [00:47:00] AI. I would probably say the only reason WAF may be, well, not valuable is that if something is coming into your environment, like for example, most conversations are around the fact that we are building our own LLM.
And that would be only for our internal users. And in most scenarios, you would find that AWS WAF works on OWASP Top 10, the SQL injection, blah, blah, blah. But none of those actually work for a prompt injection, which is very different to how people would try and impact that as well. So I think, I thought that was really interesting.
And the other part that most people talk about was, as data security becomes a top conversation, some of the services overall, Amazon would love for you to put the data into the cloud. I would call it out that it is important for you. If you are building your own LLM systems or AI systems, you would have to put your own data in whatever, even if it's Amazon, Microsoft, Google Cloud, whichever one you go for, you just have to put your own [00:48:00] data into it to get some value out of it. So they are providing features for you to feel, hey, it's okay for me to put my data in. But it is also something that is a challenge for a lot of people who are looking at Gen AI as a problem, because data, a lot of people may have data classification.
A lot of people may have a data flow diagram, but how many people maintain a data lineage? How many people maintain a, what's the word, it's more on the fact that if you have classification, have you looked at data sprawl? Data sprawl, for people who don't know what that means, is that I am the owner of a data, let's just say our dog Simba, we are responsible for his data.
And for some reason, I only want that data to be with myself, but Shilpi wanted that data as well. At some point in time, I gave it to her and she used it. She said she'd delete it from her system because I'm technically the owner, so I should be the only one with the full copy. She used it, but she left the organization or she forgot to give it to me.
And I forgot as well. Now, technically there are two copies of that data. [00:49:00] I may have a version of that data and she may have another version of the data. In my mind, I'm the only owner, but the data sprawl is basically the same data might exist at multiple places across the environment. One more update which happened was zero ETL, is what they called it. For people who don't know what ETL is, essentially it is how do you transform data which is unstructured, or does not make sense by looking at it, into structured data, and there is something called zero ETL.
A lot of people had concern around the fact that, hey, zero ETL means that I would lose the data lineage because I just gave it and now I have no idea who was the original owner. And if the owner has left the organization, I'm even more in a situation that I can't come out of.
So hopefully that long rant is basically just to call out the fact that I would probably see much more updates or conversations more in data security and AI security before we go down the AWS WAF path, because most LLM models out there, they're primarily being designed for [00:50:00] internal employees and not for external people, unless someone's making a product.
And I think we had a conversation with LexisNexis, which is, I think, a legal firm that has started using LLM systems for their customers, so they might have WAF scenarios because they actually have external people trying to access their information. But unless WAF has rules specifically for prompt injection, which it doesn't, unfortunately, at the moment, and there were no announcements for it,
we would still have to keep an eye out for it, but at the moment, most people have gone down the path of putting a proxy themselves just to manage that.
And we actually have another question from Ruby, who's just joined us as well. She's saying, were there any takeaways for the enterprise IAM and data perimeter space? Thanks for the question, Ruby. So in terms of IAM, yes, there were actually lots of updates. I think after this episode gets published, you will still be able to access it on LinkedIn, YouTube, and we'll be publishing it on our podcast networks as well.
But there were several announcements that happened for IAM Access Analyzer and integration. So yes, there were [00:51:00] lots of updates and granularity that is being offered in these. In the data perimeter space, I didn't hear anything specific, and I know there were people that were wanting to get more information on data perimeter and data security.
In saying that, I felt like a lot of the conversations we had on the ground, in what you call lobbycon, a lot of people were talking a lot about data security. So obviously with LLM and GenAI, data, it's always been important, but it's becoming even more important because data is what drives a lot of these things.
So not so much in terms of any data perimeter stuff. I know a lot of the keynotes did speak to data. I know Adam spoke about data as well in his keynote, but it was more about, how do we make sure that the data is protected when we are feeding it into LLMs, what kind of data are we using?
If you put data into these custom LLMs, it's making sure that does not feed back into Amazon Q or Amazon Bedrock. So there was conversation around that.
Great question, Ruby. [00:52:00] Thank you for asking that as well.
And I think the quick summary is what Shilpi shared, but I would probably say another way to look at the data perimeter, and I don't know if that's where you're coming from, is the SCPs in organizations, using data perimeter over there to restrict what people can do. There was definitely no update to SCP.
Unfortunately, there was a lot of IAM conversation on Access Analyser, to what Shilpi mentioned. There was also conversation on the fact that, hey, how can we do identity at an enterprise level for AIs or LLMs, but that was primarily, unfortunately, the updates are from IAM, not a lot in data perimeter from an IAM perspective. No updates to SCP, no updates to the number of SCPs you can add, as frustrating as that would be for a lot of people, it is still limited in the number of SCPs you can create, but I think we'll just keep an eye out throughout the year.
I think there's AWS re:Inforce coming in June as well, so I imagine you can definitely expect something for that. But that is definitely a great question. I'll probably put that on to the AWS folks as well so that they can maybe, if they have any updates, we can share that [00:53:00] as well.
We're at the hour of the episode, and I think the thing with conferences like re:Invent is there's so much that happens.
I'm sure there may be something that we have missed. Anyone who's listening in, if there is something that we missed, feel free to comment on this. Obviously this will still be available on YouTube, on LinkedIn, and in the next couple of days it should be available on our podcast platforms as well.
So keep an eye out on that. We did do a lot of interviews while we were at re:Invent. As Ashish said, we spoke to the CISO of LexisNexis, who's one of the partners for AWS who are using Amazon Bedrock with the custom LLMs. We spoke to a few AWS people as well. So those will be coming out soon as well.
But overall it was still good to see that a lot of the security products didn't get updates. The themes that we start to see were these upgrades in runtime monitoring, a lot of granularity that is being introduced. Also, there's a lot of Gen AI powered things. So a lot of the services are getting Gen AI powered capabilities, and I'm pretty sure that is something that we'll look to see in the [00:54:00] upcoming re:Inforce as well.
So that's a little prediction. I'm pretty sure in re:Inforce, we'll have Gen AI powered upgrades as well. But time will tell. Hopefully a little bit of zero trust to keep Kavita happy and something around AWS WAF as Ken has called out as well. Yeah, I think this is the point of the interview, or this is the point of the episode where we say AI AI
yes. Someone just needs to make a meme for that now. But hopefully this was valuable for everyone. Thank you for tuning in. As Shilpi mentioned, this episode would be available on the podcast later on, but we are also, I think, dropping a hint for what you can expect for 2024. There is an AI war coming and it would be really interesting.
By war, I don't mean literal war, but more in the context of a technology war coming in terms of who would win the race for becoming the default platform for AI. Amazon has made their move basically, it'll be interesting to see because Google Next is happening in April and Microsoft has their conference as well coming up soon.
So now, because Nvidia made their [00:55:00] partnership, like exclusively with AWS, it would be really interesting to see what Google and Microsoft announce as well, because, no, I'm sure no one wants to be behind in the race of all these people and businesses trying to make LLMs in their system, but hopefully this was valuable. As always, we appreciate you dropping us a review or rating.
If you're listening to this on the podcast later on, or subscribe to the YouTube channel so you get to see and hear the episodes of the AWS interviews that we did, including the one from the CISO of LexisNexis, in the next week or so as well. We hope this was helpful. Until next time, thank you so much for your time and we'll see you next episode.
Thanks, everyone. We'll see you soon. And we will be publishing all of this on our newsletter as well. So if you're not following Cloud Security Newsletter, make sure you do follow that. You'll have a written update of all of this if you do want to dive into all of the updates. And if you are interested in AI and want a bit more deep dive, we do have our sister podcast, which is the AI Cybersecurity Podcast, so you can follow that as well.
But thank you so much for your time. We'll see you next time. Yeah. [00:56:00]