AWS Cloud Operations & Migrations Blog

A sneak peek at the Governance, Risk, and Compliance (GRC) sessions for re:Inforce 2023

A full conference pass is $1,099. Register today with the code secure150off to receive a limited time $150 discount, while supplies last.

AWS re:Inforce is just around the corner, and this post covers sessions on cloud governance, risk management, and compliance that you should add to your agenda. AWS re:Inforce is a security learning conference where you can learn more about cloud security, compliance, identity, and privacy. You’ll have access to hundreds of technical and non-technical sessions, an AWS Partner Expo featuring AWS experts and security partners with the AWS Cloud Operations Competency and AWS Security Competency, and keynote and leadership sessions featuring AWS Security leadership. AWS re:Inforce 2023 will take place in person in Anaheim, CA, on June 13 and 14.

The Governance, Risk, and Compliance (GRC) track will share recommended best practices and tips for cloud governance, risk management, and compliance in your environments. In these sessions, you’ll hear directly from AWS leaders and experts, and can learn how to develop your GRC strategy, implement best practices for governance and compliance, manage risks, centralize your compliance and audit data, and use automation and AI/ML to improve your security and compliance posture. This post highlights a few sessions that you can sign up for to learn more about cloud GRC.

To learn about all the sessions from across the content tracks, see the AWS re:Inforce catalog preview.

Breakout sessions

GRC201 – Optimizing audits with automation

Internal audit and compliance teams that are preparing for IT audits need to be fluent in collecting and interpreting evidence on AWS. In this session, explore compliance of the cloud (AWS Artifact) and compliance in the cloud (AWS Audit Manager), and dive deeper into the audit data collection use case to help you prepare for an IT audit. Deloitte shares their insights on the pros and cons of the traditional evidence collection approach (e.g., screenshots) versus evaluating evidence collected via APIs and logging user activity.

GRC302 – Managing risk in a regulated environment, feat. Japan’s Digital Agency

Understanding risk is paramount when you’re managing sensitive workloads, dealing with a highly regulated environment, and navigating cloud adoption for multiple organizations with disparate missions. Join this session to hear from AWS experts and Japan’s Digital Agency about how they used AWS cloud services (including AWS Control Tower, AWS Organizations, AWS Systems Manager, and AWS CloudFormation) to establish a common cloud platform and multi-account governance for 13 central agencies and more than 1,700 local government entities.

GRC304 – Engineer application resilience with compliance in mind

Engineering to meet requirements for conflicting or inconsistent compliance frameworks is hard enough already. When you add resilience considerations like backup processes, storage locations, and Availability Zone selections, you’re in for a challenge. In this session, hear from AWS experts how resilience and compliance considerations are embedded in customer environments and new AWS Regions. The session describes how you can use AWS Resilience Hub to assess applications defined in AWS CloudFormation, Terraform, resource groups, and AWS Service Catalog AppRegistry, and how you can use the assessment to identify resiliency weaknesses and obtain assistance with specific controls in common and region-specific frameworks.

GRC305 – Best practices for cloud governance at scale

From startups to enterprises, organizations are migrating and accelerating their usage of cloud services. It can be challenging to determine where to start, how to manage hybrid or regulated environments, or how to onboard an entire organization to the cloud. In this session, learn best practices in cloud governance for building a well-architected, scalable foundation on AWS, including strategies for permission management, secure workload deployments, and environment governance. Discover insights AWS has learned from organizations that have successfully adopted the cloud. Explore recommended approaches for AWS Control Tower, AWS Organizations, AWS Service Catalog, AWS Config, and IAM Identity Center.

GRC306 – Modernizing your security and GRC strategy with AWS

Security and compliance in the cloud need to scale with a company’s tech strategy to meet business needs. Creating a strategy to mature security functions to address new threats and emerging compliance requirements is paramount. In this session, explore the shared responsibility model, mapping compliance requirements to cloud services, and strategies for monitoring and auditing cloud environments to meet regulatory requirements. Explore real-world examples and case studies that illustrate how organizations successfully navigate the complexities of GRC in the cloud today.

Builders’ sessions

GRC352 – Preventive, proactive security controls for multi-account environments

Join this builders’ session to learn how you can prevent the launch of noncompliant resources across your AWS organization through preventive and proactive security controls. Get hands-on experience using service control policies, the comprehensive controls in AWS Control Tower, and AWS CloudFormation hooks. Find out how to create your own preventive and proactive controls in your AWS environment and how to apply AWS Control Tower’s managed comprehensive controls to improve your security posture.

GRC354 – Simplify and automate security with compliance as code

Managing compliance for thousands of resources in the cloud does not have to be complicated. The key is to automate and simplify. In this builders’ session, walk through the concepts of compliance as code and practice building a DevSecOps compliance pipeline that allows you to automate, validate, test, and deploy with minimum effort. This CI/CD pipeline for compliance provides full coverage of automated remediations in code for a selected compliance conformance pack, using custom-built AWS Systems Manager automation documents. By integrating with AWS CodePipeline, it applies these remediations automatically and continuously whenever violations are detected.

Chalk talks

GRC333 – Centralize compliance and audit data for hybrid environments

As organizations accelerate migrations to the cloud and transform their businesses, some find themselves in situations where they have to manage IT operations in hybrid environments. Does this sound like you? In this chalk talk, walk through how you can enable AWS CloudTrail Lake, import historical CloudTrail logs, and aggregate audit logs from partner integrations, custom solutions, and many AWS resources. Also discover how to query this data for investigative analysis and security purposes.

GRC334 – Automate change management and manage risk using AWS

No one wants to regret emergency changes when an assessment comes around. Learn how to proactively track unapproved critical changes and trigger approvals in an automated manner using Change Manager, a capability of AWS Systems Manager. This chalk talk also covers best practices for change management and how you can leverage Change Manager and AWS Config to track operational changes and proactively check for compliance prior to provisioning.

Code talks

GRC441 – Proactive compliance in CI/CD pipelines with Amazon CodeCatalyst

In today’s rapidly changing and highly regulated environments, it is crucial that software applications comply with industry standards and regulations. This requires proactive compliance in continuous integration and continuous delivery (CI/CD) pipelines. In this code talk, explore how to implement proactive compliance in CI/CD pipelines using Amazon CodeCatalyst and AWS Config.

Lightning talks

GRC222 – Using AI/ML to scale governance, risk management, and audits

Linguistics, computer science, and artificial intelligence can be harnessed to derive meaning and valuable insights into your compliance workflows. In this lightning talk, learn how Amazon Comprehend can be used to build a deep learning model that can help you easily map external security controls to your security control environment, automating manual control review and increasing the speed and agility of your organization’s compliance baseline. Find out how you can use Amazon Comprehend for security control governance and predicting accurate audit requirements.

GRC322 – Centralize security data from external sources in AWS CloudTrail Lake

Customers often use multiple tools to aggregate and analyze their security data. In this lightning talk, learn how you can use AWS CloudTrail Lake to centralize security event data from external sources in one place. Find out how CloudTrail Lake enables you to quickly query, analyze, and troubleshoot for potential operational issues and security concerns.

Workshops

GRC371 – Cloud compliance and assurance at scale

Assessing and managing compliance and security drift in the cloud can be difficult. In this workshop, explore stepwise, hands-on guidance for setting up foundational capabilities on AWS for automated compliance management, continual oversight and assessment, and automated evidence gathering and reporting. Learn about the operationalization of compliance at scale on AWS. Next, establish baselines to manage risk and remediate compliance violations. Then, conduct interactive exercises to learn about embedding compliance in development workflows, deploying AWS Config custom rules with remediations, and transforming conformance packs into audit assessments.

GRC373 – Implementing governance and compliance for modern applications

Many organizations trying to modernize often struggle with implementing governance and compliance. For modern containerized or serverless applications, this challenge is magnified due to their distributed and ephemeral nature. In this workshop, learn how to design and create purpose-driven governance, risk, and compliance solutions on AWS for modern applications. Discover how to use AWS services such as AWS Control Tower, AWS Config, AWS Systems Manager, and AWS Lambda to get insights for identifying, analyzing, and mitigating risk at scale.

If these sessions look interesting to you, join us in California by registering for re:Inforce 2023. We look forward to seeing you there!

Want more AWS Governance, Risk, and Compliance news? Learn more about governance here and about compliance and auditing here!

About the authors:

Tiffany Chen

Tiffany Chen (cwtiff@amazon.com) is a Solutions Architect on the CSC team at AWS. She has supported AWS customers with their deployment workloads and currently works with Enterprise customers to build well-architected and cost-optimized solutions. In her spare time, she enjoys traveling, gardening, baking, and watching basketball.

Winnie Chen

Winnie Chen (winniec@amazon.com) is a Solutions Architect currently on the CSC team at AWS supporting greenfield customers. She supports customers of all industries as well as sizes such as enterprise and small to medium businesses. She has been with AWS for over 3 years helping customers migrate and build their infrastructure on AWS. In her free time, she enjoys traveling and spending time outdoors through activities like hiking, biking, and rock climbing.