AWS Security Blog

Reserved Seating Now Open for AWS re:Invent 2016 Sessions

by Craig Liebendorfer


Reserved seating is new to re:Invent this year and is now open! Some important things you should know about reserved seating:

  1. All sessions have a predetermined number of seats available and must be reserved ahead of time.
  2. If a session is full, you can join a waitlist.
  3. Waitlisted attendees will receive a seat in the order in which they were added to the waitlist and will be notified via email if and when a seat is reserved.
  4. Only one session can be reserved for any given time slot (in other words, you cannot double-book a time slot on your re:Invent calendar).
  5. Don’t be late! The minute the session begins, if you have not badged in, attendees waiting in line at the door might receive your seat.
  6. Waitlisting will not be supported onsite and will be turned off 7-14 days before the beginning of the conference.

You can watch a 23-minute video that explains reserved seating and how to start reserving your seats today.

Or you can log in and start reserving seats now. That login page is also available from the AWS re:Invent 2016 home page.

– Craig

How to Help Achieve Mobile App Transport Security (ATS) Compliance by Using Amazon CloudFront and AWS Certificate Manager

by Lee Atkinson | in Announcements, How-to guides

Web and application users and organizations have expressed a growing desire to conduct most of their HTTP communication securely by using HTTPS. At its 2016 Worldwide Developers Conference, Apple announced that starting in January 2017, apps submitted to its App Store will be required to support App Transport Security (ATS). ATS requires all connections to web services to use HTTPS and TLS version 1.2. In addition, Google has announced that starting in January 2017, new versions of its Chrome web browser will mark HTTP websites as being “not secure.”

In this post, I show how you can generate Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates by using AWS Certificate Manager (ACM), apply the certificates to your Amazon CloudFront distributions, and deliver your websites and APIs over HTTPS. (more…)

Meet AWS Security Team Members at Grace Hopper 2016

by Lisa Grimm | in Announcements


For those of you joining this year’s Grace Hopper Celebration of Women in Computing in Houston, you may already know the conference will have a number of security-specific sessions. A group of women from AWS Security will be at the conference, and we would love to meet you to talk about your cloud security and compliance questions. Are you a student, an IT security veteran, or an experienced techie looking to move into security? Make sure to find us to talk about career opportunities.

Look for the AWS Security T-shirt (the design is a secret now, but you’ll certainly know it when you see it). We will also have some T-shirts to give out, both in sessions and at the Amazon booth (booth 2211).

I have been in the high-tech industry for more than 20 years, and it’s great to be part of a team that values diversity of thought. Having the opportunity to share widely varying perspectives and experiences as we make history is an amazing thing to do, and we do it every day. Additionally, some of the real excitement of working in AWS Security comes from the diversity of our global team.

Come say hello in person, or follow @AWSSecurityInfo on Twitter (#GHC16) during the conference to find out more.

If you have comments about this post, submit them in the “Comments” section below.

– Lisa

How to Create a Custom AMI with Encrypted Amazon EBS Snapshots and Share It with Other Accounts and Regions

by Eugene Yu | in How-to guides

An Amazon Machine Image (AMI) provides the information required to launch an instance (a virtual server) in your AWS environment. You can launch an instance from a public AMI, customize the instance to meet your security and business needs, and save configurations as a custom AMI. With the recent release of the ability to copy encrypted Amazon Elastic Block Store (Amazon EBS) snapshots between accounts, you now can create AMIs with encrypted snapshots by using AWS Key Management Service (KMS) and make your AMIs available to users across accounts and regions. This allows you to create your AMIs with required hardening and configurations, launch consistent instances globally based on the custom AMI, and increase performance and availability by distributing your workload while meeting your security and compliance requirements to protect your data.

In this blog post, I walk through the process of starting with a public AMI, creating a custom encrypted AMI from the public AMI, and then sharing the custom AMI with encrypted EBS snapshots across accounts and regions. This approach allows you to launch Amazon EC2 instances globally from multiple accounts by using the same encrypted base AMI. Note: This post does not apply to Windows AMIs or to other AMIs from the AWS Marketplace that have a billingProduct code associated with them. (more…)

Register for and Attend This September 27 Webinar—Automating Compliance Defense in the Cloud

by Craig Liebendorfer | in Announcements, Compliance


Update: This webinar is now available as an on-demand video and slide deck.

As part of the AWS Webinar Series, AWS will present Automating Compliance Defense in the Cloud on Tuesday, September 27. This webinar will start at 9:00 A.M. and end at 10:00 A.M. Pacific Time.

AWS Cloud Compliance Strategist Jodi Scrofani will share best practices around infrastructure design, configuration setup, and monitoring to augment your compliance operating model so that you can easily automate updates and real-time notifications.

You will:

  • Learn what a comprehensive governance model looks like.
  • Learn why it is important for an organization to automate in its 3 lines of defense—operations, compliance, and internal audit.
  • Learn what AWS services you can enable to help take human error out of your compliance functions and demonstrate comprehensive governance of your business.

The webinar is free, but space is limited and registration is required. Register today.

– Craig

Register for and Attend This September 28 Webinar—Addressing Amazon Inspector Assessment Findings

by Craig Liebendorfer | in Announcements


Update: This webinar is now available as an on-demand video and slide deck.

As part of the AWS Webinar Series, AWS will present Addressing Amazon Inspector Assessment Findings on Wednesday, September 28. This webinar will start at 9:00 A.M. and end at 10:00 A.M. Pacific Time.

AWS Principal Security Engineer Eric Fitzgerald will review Amazon Inspector security assessment findings, and show how best to interpret and take action on them as a seamless part of your DevOps lifecycle.

You will learn how to:

  • Interpret Amazon Inspector security assessment findings.
  • Use AWS services to automate ticketing and change management submissions for findings.
  • Automate remediation based on assessment findings.

The webinar is free, but space is limited and registration is required. Register today.

– Craig

32 Security and Compliance Sessions Now Live in the re:Invent 2016 Session Catalog

by Craig Liebendorfer | in Announcements


AWS re:Invent 2016 begins November 28, and the live session catalog now includes 32 security and compliance sessions. 19 of these sessions are in the Security & Compliance track and 13 are in the re:Source Mini Con for Security Services. All 32 session titles and abstracts are included below.

Security & Compliance Track sessions

As in past years, the sessions in the Security & Compliance track will take place in The Venetian | Palazzo in Las Vegas. Here’s what you have to look forward to!

SAC201 – Lessons from a Chief Security Officer: Achieving Continuous Compliance in Elastic Environments

Does meeting stringent compliance requirements keep you up at night? Do you worry about having the right audit trails in place as proof?

Cengage Learning’s Chief Security Officer, Robert Hotaling, shares his organization’s journey to AWS, and how they enabled continuous compliance for their dynamic environment with automation. When Cengage shifted from publishing to digital education and online learning, they needed a secure elastic infrastructure for their data-intensive and cyclical business, and workload-layer security tools that would help them meet compliance requirements (e.g., PCI).

In this session, you will learn why building security in from the beginning saves you time (and painful retrofits) later, how to gather and retain audit evidence for instances that are only up for minutes or hours, and how Cengage used Trend Micro Deep Security to meet many compliance requirements and ensure instances were instantly protected as they came online in a hybrid cloud architecture. Session sponsored by Trend Micro, Inc.


SAC302 – Automating Security Event Response, from Idea to Code to Execution

With security-relevant services such as AWS Config, VPC Flow Logs, Amazon CloudWatch Events, and AWS Lambda, you now have the ability to programmatically wrangle security events that may occur within your AWS environment, including prevention, detection, response, and remediation. This session covers the process of automating security event response with various AWS building blocks, taking several ideas from drawing board to code, and gaining confidence in your coverage by proactively testing security monitoring and response effectiveness before anyone else does.


Automated Reasoning and Amazon s2n

by Colm MacCarthaigh | in Announcements

In June 2015, AWS Chief Information Security Officer Stephen Schmidt introduced AWS’s new Open Source implementation of the SSL/TLS network encryption protocols, Amazon s2n. s2n is a library that has been designed to be small and fast, with the goal of providing you with network encryption that is more easily understood and fully auditable.


In the 14 months since that announcement, development on s2n has continued, and we have merged more than 100 pull requests from 15 contributors on GitHub. Those active contributors include members of the Amazon S3, Amazon CloudFront, Elastic Load Balancing, AWS Cryptography Engineering, Kernel and OS, and Automated Reasoning teams, as well as 8 external, non-Amazon Open Source contributors.

At the time of the initial s2n announcement, three external security evaluations and penetration tests on s2n had been completed. Those evaluations were code reviews and testing completed by security-focused experts, and came in addition to the code reviews and testing that are applied to every code change at Amazon as standard practice. We have continued to perform such evaluations, and we are pleased to have s2n be the focus of additional analysis from external academic and professional security researchers. (more…)

IAM Service Last Accessed Data Now Available for the Asia Pacific (Mumbai) Region

by Zaher Dannawi | in Announcements

In December, AWS Identity and Access Management (IAM) released service last accessed data, which helps you identify overly permissive policies attached to an IAM entity (a user, group, or role). Today, we have extended service last accessed data to support the recently launched Asia Pacific (Mumbai) Region. With this release, you can now view the date when an IAM entity last accessed an AWS service in this region. You can use this information to identify unnecessary permissions and update policies to remove access to unused services.

The IAM console now shows service last accessed data in 11 regions: US East (N. Virginia), US West (Oregon), US West (N. California), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Mumbai), and South America (Sao Paulo).

Note: IAM began collecting service last accessed data in most regions on October 1, 2015. Information about AWS services accessed before this date is not included in service last accessed data. If you need historical access information about your IAM entities before this date, see the AWS CloudTrail documentation. Also, see Tracking Period Regional Differences to learn the start date of service last accessed data for supported regions.

For more information about IAM and service last accessed data, see Service Last Accessed Data. If you have a comment about service last accessed data, submit it below. If you have a question, please start a new thread on the IAM forum.

– Zaher

How to Use Amazon CloudWatch Events to Monitor Application Health

by Saurabh Bangad | in How-to guides

Amazon CloudWatch Events enables you to react selectively to events in the cloud as well as in your applications. Specifically, you can create CloudWatch Events rules that match event patterns, and take actions in response to those patterns. CloudWatch Events lets you process both AWS-provided events and custom events (those that you create and inject yourself). The AWS-provided events that CloudWatch Events supports include:

  • Amazon EC2 instance state-change events.
  • Auto Scaling lifecycle events, and instance launch and terminate notifications.
  • Scheduled events.
  • AWS API call and console sign-in events reported by AWS CloudTrail.

See the full list of supported events.

In this post, I will show how to inject your own events into CloudWatch Events, and define event patterns and their corresponding responses. (more…)