AWS Security Blog
Reserved seating is new to re:Invent this year and is now open! Some important things you should know about reserved seating:
- All sessions have a predetermined number of seats available and must be reserved ahead of time.
- If a session is full, you can join a waitlist.
- Waitlisted attendees will receive a seat in the order in which they were added to the waitlist and will be notified via email if and when a seat is reserved.
- Only one session can be reserved for any given time slot (in other words, you cannot double-book a time slot on your re:Invent calendar).
- Don’t be late! The minute the session begins, if you have not badged in, attendees waiting in line at the door might receive your seat.
- Waitlisting will not be supported onsite and will be turned off 7-14 days before the beginning of the conference.
You can watch a 23-minute video that explains reserved seating and how to start reserving your seats today.
How to Help Achieve Mobile App Transport Security (ATS) Compliance by Using Amazon CloudFront and AWS Certificate Manager
Web and application users and organizations have expressed a growing desire to conduct most of their HTTP communication securely over HTTPS. At its 2016 Worldwide Developers Conference, Apple announced that starting in January 2017, apps submitted to its App Store will be required to support App Transport Security (ATS). ATS requires all connections to web services to use HTTPS with TLS version 1.2. In addition, Google has announced that starting in January 2017, new versions of its Chrome web browser will mark HTTP pages that collect passwords or credit card data as “not secure.”
In this post, I show how you can generate Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates by using AWS Certificate Manager (ACM), apply the certificates to your Amazon CloudFront distributions, and deliver your websites and APIs over HTTPS.
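The two ATS requirements the post names (HTTPS on every viewer connection and a TLS 1.2 minimum) map onto three settings in a CloudFront distribution configuration. The following audit script is an added example, not code from the post; it reads the DistributionConfig dict shape returned by boto3's cloudfront.get_distribution_config(). The sample configurations, account ID and certificate ARN are constructed; the set of security-policy names that enforce TLS 1.2, and the behaviour that the default *.cloudfront.net certificate pins the policy to TLSv1, are assumptions taken from the CloudFront documentation and should be re-checked against current docs.

```python
"""Audit a CloudFront DistributionConfig for the two ATS requirements the post
names: HTTPS on every viewer connection and TLS 1.2 as the minimum version.
Dict shape follows boto3's cloudfront.get_distribution_config() response;
the sample configs are constructed, not real distributions."""
from __future__ import annotations

# CloudFront security policies that reject anything below TLS 1.2. Treat the
# set as an assumption to re-check against the current CloudFront docs.
TLS12_POLICIES = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}
HTTPS_POLICIES = {"https-only", "redirect-to-https"}


def ats_findings(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means ATS clients can connect."""
    findings = []

    # 1. Every cache behaviour must refuse or redirect plain HTTP. 'allow-all'
    #    is the weak setting: ATS clients never send HTTP, but everyone else can.
    behaviours = [("default", config["DefaultCacheBehavior"])]
    behaviours += [(b["PathPattern"], b)
                   for b in config.get("CacheBehaviors", {}).get("Items", [])]
    for name, behaviour in behaviours:
        policy = behaviour.get("ViewerProtocolPolicy", "allow-all")
        if policy not in HTTPS_POLICIES:
            findings.append(f"behaviour {name}: ViewerProtocolPolicy={policy}; "
                            "use https-only or redirect-to-https")

    # 2. The viewer certificate decides the TLS floor. With the default
    #    *.cloudfront.net certificate the policy is pinned to TLSv1 (assumption
    #    from the CloudFront docs), so an ACM certificate is needed first.
    cert = config.get("ViewerCertificate", {})
    arn = cert.get("ACMCertificateArn")
    if cert.get("CloudFrontDefaultCertificate") or not arn:
        findings.append("ViewerCertificate: no ACM certificate; default "
                        "certificate cannot enforce a TLS 1.2 minimum")
        return findings

    # CloudFront only accepts ACM certificates issued in us-east-1, whatever
    # region the origin lives in. ARN: arn:aws:acm:<region>:<acct>:certificate/<id>
    region = arn.split(":")[3]
    if region != "us-east-1":
        findings.append(f"ViewerCertificate: ACM certificate is in {region}; "
                        "CloudFront requires us-east-1")

    minimum = cert.get("MinimumProtocolVersion", "TLSv1")
    if minimum not in TLS12_POLICIES:
        findings.append(f"ViewerCertificate: MinimumProtocolVersion={minimum} "
                        "admits clients below TLS 1.2")
    return findings


# Constructed sample: the weak setting beside the corrected one.
WEAK_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "https-only"}]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True,
                          "MinimumProtocolVersion": "TLSv1"},
}
HARDENED_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 0, "Items": []},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/"
                             "00000000-0000-0000-0000-000000000000",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, ats_findings(cfg) or "OK")
```

In production the config comes from `get_distribution_config()` for each distribution ID; the script deliberately treats `redirect-to-https` as acceptable because ATS clients never issue the initial HTTP request, but `https-only` is the stricter choice for API endpoints that have no browser users.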
For those of you joining this year’s Grace Hopper Celebration of Women in Computing in Houston, you may already know the conference will have a number of security-specific sessions. A group of women from AWS Security will be at the conference, and we would love to meet you to talk about your cloud security and compliance questions. Are you a student, an IT security veteran, or an experienced techie looking to move into security? Make sure to find us to talk about career opportunities.
Look for the AWS Security T-shirt (the design is a secret for now, but you’ll certainly know it when you see it). We will also have some T-shirts to give out, both in sessions and at the Amazon booth (booth 2211).
I have been in the high-tech industry for more than 20 years, and it’s great to be part of a team that values diversity of thought. Having the opportunity to share widely varying perspectives and experiences as we make history is an amazing thing to do, and we do it every day. Additionally, some of the real excitement of working in AWS Security comes from the diversity of our global team.
If you have comments about this post, submit them in the “Comments” section below.
How to Create a Custom AMI with Encrypted Amazon EBS Snapshots and Share It with Other Accounts and Regions
An Amazon Machine Image (AMI) provides the information required to launch an instance (a virtual server) in your AWS environment. You can launch an instance from a public AMI, customize the instance to meet your security and business needs, and save configurations as a custom AMI. With the recent release of the ability to copy encrypted Amazon Elastic Block Store (Amazon EBS) snapshots between accounts, you now can create AMIs with encrypted snapshots by using AWS Key Management Service (KMS) and make your AMIs available to users across accounts and regions. This allows you to create your AMIs with required hardening and configurations, launch consistent instances globally based on the custom AMI, and increase performance and availability by distributing your workload while meeting your security and compliance requirements to protect your data.
In this blog post, I walk through the process of starting with a public AMI, creating a custom encrypted AMI from the public AMI, and then sharing the custom AMI with encrypted EBS snapshots across accounts and regions. This approach allows you to launch Amazon EC2 instances globally from multiple accounts by using the same encrypted base AMI. Note: This post does not apply to Windows AMIs and other AMIs from the AWS Marketplace that have a billingProduct code associated with them.
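The part of this procedure that most often goes wrong is the KMS side: sharing the encrypted snapshot with another account (the createVolumePermission attribute) does nothing unless the key policy of the CMK that encrypted it also lets that account use the key. The following is an added example, not the post's own code, that builds such a key policy and checks whether a given account has what it needs. Account IDs are constructed placeholders; the list of required actions is an assumption drawn from the EC2 documentation on sharing encrypted snapshots and should be verified against current docs.

```python
"""Build and check the KMS key policy that lets a second account use the CMK
an encrypted snapshot was encrypted with. Sharing the snapshot
(modify-snapshot-attribute createVolumePermission) is not enough on its own:
EC2 in the target account must decrypt with the source account's CMK, and
only the key policy can grant that across accounts. Account IDs are
constructed placeholders."""
from fnmatch import fnmatchcase
import json

# Actions the target account needs on the source CMK to copy and launch from a
# shared encrypted snapshot (assumption based on the EC2 docs on sharing
# encrypted snapshots; re-check against current docs).
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
REQUIRED = USE_ACTIONS + ["kms:CreateGrant"]


def root_arn(account_id):
    return f"arn:aws:iam::{account_id}:root"


def cross_account_key_policy(owner_account, target_accounts):
    """Key policy: the owner keeps full control; targets may use the key and may
    create grants only through AWS services (kms:GrantIsForAWSResource), which
    is how EC2 obtains the key when it attaches an encrypted volume."""
    targets = [root_arn(a) for a in target_accounts]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OwnerAccountFullControl", "Effect": "Allow",
         "Principal": {"AWS": root_arn(owner_account)},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "TargetAccountsUseKey", "Effect": "Allow",
         "Principal": {"AWS": targets}, "Action": USE_ACTIONS, "Resource": "*"},
        {"Sid": "TargetAccountsGrantsViaAwsServices", "Effect": "Allow",
         "Principal": {"AWS": targets}, "Action": GRANT_ACTIONS, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def missing_actions(policy, account_id):
    """Required actions the policy does not Allow to account_id's root principal.
    An Allow statement applies if its principal is the account root ARN, the
    bare account ID, or '*'. Deny statements are not modelled here."""
    me = {root_arn(account_id), account_id, "*"}
    allowed = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if me.isdisjoint(aws):
            continue
        allowed += _as_list(stmt["Action"])
    return [need for need in REQUIRED
            if not any(fnmatchcase(need, pat) for pat in allowed)]


if __name__ == "__main__":
    policy = cross_account_key_policy("111122223333", ["444455556666"])
    print(json.dumps(policy, indent=2))
    print("missing for 444455556666:", missing_actions(policy, "444455556666"))
    print("missing for 777788889999:", missing_actions(policy, "777788889999"))
```

Order of operations once the policy is in place: the owner shares the snapshot (`aws ec2 modify-snapshot-attribute` with `createVolumePermission`), and the target account copies it with `aws ec2 copy-snapshot` specifying its own CMK before registering the AMI. Re-encrypting on copy means the target's AMI no longer depends on the source key, so the owner can later tighten the policy without breaking launches. Note that an AMI backed by encrypted snapshots cannot be made public; it can only be shared with named accounts.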
As part of the AWS Webinar Series, AWS will present Automating Compliance Defense in the Cloud on Tuesday, September 27. This webinar will start at 9:00 A.M. and end at 10:00 A.M. Pacific Time.
AWS Cloud Compliance Strategist Jodi Scrofani will share best practices around infrastructure design, configuration setup, and monitoring to augment your compliance operating model so that you can easily automate updates and real-time notifications.
- Learn what a comprehensive governance model looks like.
- Learn why it is important for an organization to automate in its 3 lines of defense—operations, compliance, and internal audit.
- Learn what AWS services you can enable to help take human error out of your compliance functions and demonstrate comprehensive governance of your business.
The webinar is free, but space is limited and registration is required. Register today.
AWS re:Invent 2016 begins November 28, and the live session catalog now includes 32 security and compliance sessions: 19 of these sessions are in the Security & Compliance track and 13 are in the re:Source Mini Con for Security Services. All 32 session titles and abstracts are included below.
As in past years, the sessions in the Security & Compliance track will take place in The Venetian | Palazzo in Las Vegas. Here’s what you have to look forward to!
SAC201 – Lessons from a Chief Security Officer: Achieving Continuous Compliance in Elastic Environments
In June 2015, AWS Chief Information Security Officer Stephen Schmidt introduced AWS’s new Open Source implementation of the SSL/TLS network encryption protocols, Amazon s2n. s2n is a library that has been designed to be small and fast, with the goal of providing you with network encryption that is more easily understood and fully auditable.
In the 14 months since that announcement, development on s2n has continued, and we have merged more than 100 pull requests from 15 contributors on GitHub. Those active contributors include members of the Amazon S3, Amazon CloudFront, Elastic Load Balancing, AWS Cryptography Engineering, Kernel and OS, and Automated Reasoning teams, as well as 8 external, non-Amazon Open Source contributors.
At the time of the initial s2n announcement, three external security evaluations and penetration tests on s2n had been completed. Those evaluations were code reviews and testing completed by security-focused experts, and came in addition to the code reviews and testing that are applied to every code change at Amazon as standard practice. We have continued to perform such evaluations, and we are pleased to have s2n be the focus of additional analysis from external academic and professional security researchers.
In December, AWS Identity and Access Management (IAM) released service last accessed data, which helps you identify overly permissive policies attached to an IAM entity (a user, group, or role). Today, we have extended service last accessed data to support the recently launched Asia Pacific (Mumbai) Region. With this release, you can now view the date when an IAM entity last accessed an AWS service in this region. You can use this information to identify unnecessary permissions and update policies to remove access to unused services.
The IAM console now shows service last accessed data in 11 regions: US East (N. Virginia), US West (Oregon), US West (N. California), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Mumbai), and South America (Sao Paulo).
Note: IAM began collecting service last accessed data in most regions on October 1, 2015. Information about AWS services accessed before this date is not included in service last accessed data. If you need historical access information about your IAM entities before this date, see the AWS CloudTrail documentation. Also, see Tracking Period Regional Differences to learn the start date of service last accessed data for supported regions.
For more information about IAM and service last accessed data, see Service Last Accessed Data. If you have a comment about service last accessed data, submit it below. If you have a question, please start a new thread on the IAM forum.
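Service last accessed data is only useful once it is cross-referenced with what a policy actually grants. The following is an added example, not code from the post, that takes an IAM policy document and the ServicesLastAccessed list in the shape returned by boto3's iam.get_service_last_accessed_details() and reports granted services that have not been used. It also applies the caveat from the note above: if tracking started less recently than the idle window you are testing, "never used" is inconclusive and CloudTrail is the only source. The policy and the access data are constructed.

```python
"""Find services an IAM policy grants but that the entity has not used, by
cross-referencing the policy with service last accessed data. The data shape
follows boto3's iam.get_service_last_accessed_details() response
(ServicesLastAccessed items); the policy and the data below are constructed."""
from datetime import datetime, timedelta, timezone


def allowed_services(policy):
    """Service namespaces any Allow statement grants: the part of each action
    before ':' (e.g. 's3:GetObject' -> 's3'). Yields '*' for 'Action': '*'."""
    services = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            services.add(action.split(":", 1)[0].lower())
    return services


def unused_services(policy, last_accessed, now, max_idle_days=90,
                    tracking_start=None):
    """Map service -> reason for every granted service not used in the last
    max_idle_days. A service absent from the data, or present without a
    LastAuthenticated timestamp, was never seen in the tracking period; if the
    tracking period is shorter than max_idle_days that is reported as
    inconclusive, because earlier use is only visible in CloudTrail."""
    cutoff = now - timedelta(days=max_idle_days)
    short_window = tracking_start is not None and tracking_start > cutoff
    last_seen = {s["ServiceNamespace"].lower(): s.get("LastAuthenticated")
                 for s in last_accessed}
    report = {}
    for service in sorted(allowed_services(policy)):
        if service == "*":
            report[service] = "wildcard grant; narrow to named services first"
            continue
        last = last_seen.get(service)
        if last is None:
            report[service] = (
                f"no use recorded, but tracking started less than "
                f"{max_idle_days} days ago; check CloudTrail"
                if short_window else "never used in tracking period")
        elif last < cutoff:
            report[service] = f"last used {last.date().isoformat()}"
    return report


# Constructed sample data. TRACKING_START is the date given in the post.
NOW = datetime(2016, 9, 30, tzinfo=timezone.utc)
TRACKING_START = datetime(2015, 10, 1, tzinfo=timezone.utc)
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "dynamodb:*", "iam:ListUsers"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
]}
LAST_ACCESSED = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": NOW - timedelta(days=3), "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "LastAuthenticated": NOW - timedelta(days=200), "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
     "TotalAuthenticatedEntities": 0},  # never used: no LastAuthenticated key
]

if __name__ == "__main__":
    for svc, why in unused_services(POLICY, LAST_ACCESSED, NOW,
                                    tracking_start=TRACKING_START).items():
        print(f"{svc:10} {why}")
```

With the real API the workflow is `generate_service_last_accessed_details(Arn=...)`, then polling `get_service_last_accessed_details(JobId=...)` until `JobStatus` is `COMPLETED`; the report is per entity, so run it for each user, group and role the policy is attached to before removing a service from it.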
Amazon CloudWatch Events enables you to react selectively to events in the cloud as well as in your applications. Specifically, you can create CloudWatch Events rules that match event patterns, and take actions in response to those patterns. CloudWatch Events lets you process both AWS-provided events and custom events (those that you create and inject yourself). The AWS-provided events that CloudWatch Events supports include:
- Amazon EC2 instance state-change events.
- Auto Scaling lifecycle events, and instance launch and terminate notifications.
- Scheduled events.
- AWS API call and console sign-in events reported by AWS CloudTrail.
See the full list of supported events.
In this post, I will show how to inject your own events into CloudWatch Events, and define event patterns and their corresponding responses.
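An event pattern is a JSON object that must be a subset of the event for the rule to fire, which makes it cheap to test rules against sample events before deploying them. The following is an added example, not code from the post, that re-implements the matching rules as I understand them from the CloudWatch Events documentation (every field in the pattern must exist in the event, a leaf is a list of literal alternatives, nested objects recurse, extra event fields are ignored, and an array-valued event field matches if any element does; treat these semantics as an assumption). It also builds the PutEvents entry for a custom event and the envelope the service wraps around it. The rule names, source names and events are constructed.

```python
"""A minimal re-implementation of CloudWatch Events rule matching, plus the
PutEvents entry shape for a custom event, so a rule can be tested against
sample events before it is deployed. Matching semantics are an assumption
taken from the CloudWatch Events docs; all events below are constructed."""
import json
import uuid
from datetime import datetime, timezone


def matches(pattern, event):
    """True if every field of pattern is satisfied by event."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            # Leaf: the event value must equal one alternative; if the event
            # field is an array, any element may match. Comparison is exact
            # (case-sensitive strings, no number/string coercion).
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
    return True


def put_events_entry(source, detail_type, detail, resources=()):
    """One entry for events.put_events(Entries=[...]); Detail is a JSON string.
    Sources beginning with 'aws.' are reserved for AWS services."""
    if source.startswith("aws."):
        raise ValueError("custom event sources must not start with 'aws.'")
    return {"Source": source, "DetailType": detail_type,
            "Detail": json.dumps(detail), "Resources": list(resources)}


def as_delivered(entry, account="111122223333", region="us-east-1"):
    """Envelope CloudWatch Events adds before rule matching (field names per
    the docs; the id, time and account values here are constructed)."""
    return {"version": "0", "id": str(uuid.uuid4()),
            "detail-type": entry["DetailType"], "source": entry["Source"],
            "account": account,
            "time": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "region": region, "resources": entry["Resources"],
            "detail": json.loads(entry["Detail"])}


# Rule 1: console sign-in failures, an AWS-provided event from CloudTrail.
FAILED_CONSOLE_LOGIN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"],
               "responseElements": {"ConsoleLogin": ["Failure"]}},
}
# Rule 2: a custom application event of the kind the post sets out to inject.
DEPLOY_TO_PROD = {
    "source": ["com.example.deployer"],
    "detail-type": ["Deployment"],
    "detail": {"environment": ["prod"], "status": ["started", "failed"]},
}

# Constructed sign-in event, trimmed to the fields the rule inspects.
SIGN_IN_EVENT = {
    "version": "0", "source": "aws.signin",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventName": "ConsoleLogin",
               "userIdentity": {"type": "IAMUser", "userName": "alice"},
               "responseElements": {"ConsoleLogin": "Failure"},
               "additionalEventData": {"MFAUsed": "No"}},
}

if __name__ == "__main__":
    print("failed login rule fires:", matches(FAILED_CONSOLE_LOGIN, SIGN_IN_EVENT))
    entry = put_events_entry("com.example.deployer", "Deployment",
                             {"environment": "prod", "status": "started"})
    print("deploy rule fires:", matches(DEPLOY_TO_PROD, as_delivered(entry)))
```

The real call is `boto3.client("events").put_events(Entries=[entry])`; check `FailedEntryCount` in the response, because a batch can partially fail. Keep leaf values exact: a pattern of `["Failure"]` will not match `"failure"`, and a numeric status in the event will not match the string `"200"` in a pattern.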