An honest recap of fwd:cloudsec and AWS re:Inforce 2022
Itās been a long time since Iāve traveled internationally, and coming to Boston again after four years has been a nice change and a refreshing trip down a memory lane for me. TheĀ re:InforceĀ was initially planned for June in Houston, Texas. However, it was changed to Boston without official comment,Ā someĀ speculating political reasons. So, the fwd:cloudsec event also moved to Boston, just one day before the re:Inforce. Without further ado, let's dive in.
fwd:cloudsec recap
The nice thing about fwd:cloudsec event is that it is focused and mostly free of vendor spam, which makes it a good environment for candid discussions among peers. The downside is that, probably due to late changes, the venue was small, and the attendees were limited to less than 200 people. It created a cozy atmosphere, but I know many people who meant to attend but could not due to space issues. The Cloud Security Podcast who hosted a watch party was there for re:Inforce but could not get a ticket.
The talks at fwd:cloudsec were focused and high-quality. As Resmo, weāve submittedĀ Real-time Anomaly Detection on AWS CloudTrail Events using Apache FlinkĀ but could not find a spot. The good news is we will publish it as a blog in the next weeks, which I believe most would find interesting.
As the talks at the conference had two tracks, I had to miss some of the great ones. But the video streams areĀ uploaded pretty quickly.
There were many great talks, but here is a recap of my favorite talks Iāve attended or peers at the conference recommended to watch later:
Unlocking Cloud Build Security with OIDC
I canāt believe how many years the CI/CD providers took to securely use IAM credentials in cloud providers. Most tutorials just went ahead with āJust create IAM users and put the key to the environment variable; why not?ā
This talk summarizes how cloud build security works with GitHub and how to check JWT claims to ensure only authorized builds work. The talk also mentionsĀ SigstoreĀ to sign artifacts in a secure, keyless way to ensure you are not subject to supply chain attacks. I also would like to add that Bitbucket was theĀ firstĀ to support OIDC in Pipelines. Learn more.
Everything you never wanted to know about flow logs
Flow logs from VPCs are nothing new, but this slide design is top-notch! It summarizes how flow logs work in major cloud providers such as AWS, GCP, and Azure and what you can do with those endless streams. Learn more.
Evading AWS GuardDuty and Network Firewall using Privacy Enhancing tech
GuardDuty is not a flawless service, but it can detect most issues. However, it can be easy to circumvent it with Privacy Enhancing tech such as encrypted DNS and encrypted TLS client hello, which encrypts the SNI, and hostname. As you can see, relying on DNS to detect suspicious behavior will not be enough as the malware gets smarter. One improvement is to enforce only Route53 resolver is talk goes on detail about how Route53 Firewall can also be bypassed. For the most paranoid, deploying a full firewall with custom certificates seems to be the only solution.Ā Learn more.
Auditing PassRole: Finding the Hidden Trails of a Problematic Privilege Escalation Permission
Iāll be honest, when I started using AWS, it took me an embarrassing amount of time to understand what even PassRole is. In short, it allows you to call another service and direct it to use a higher privilege than yours. Mostly itās over-provisioned because itās hard to understand and poses a security risk. Problems are that there is no Cloudtrail entry, documentation is not complete, and neither Access Analyzer nor Access Advisor does not give insights into it. If misconfigured, it can quickly lead to privilege escalation, which you donāt want.Ā Learn more.
The evolution of cloud security in a consolidating market - expanding quadrants
This was a Bird of Feather session by Jeremy Snyder and talks about how cloud security evolved, quadrants are mixing into each other. A big question is, where should the customer start buying or building tools? Building a cyber asset inventory is the first and most important step. You cannot protect what you are not aware of its existence. Learn more.
We built a community cloud vulnerability database; now what?
Itās a Birds of Feather session, so there is no recording of it. TheĀ Open Cloud Vulnerability & Security Issue DatabaseĀ is a platform to collect vulnerabilities among cloud providers in a centralized format. The contributions are made viaĀ Github.
- One of the main concerns about such a site is that itās now being sponsored by a vendor and whether the other vendors would introduce their versions.
- Another concern is that itās not like a regularĀ CVE Database; vulnerabilities in the cloud are closed for almost everyone. But there are still vulnerable Log4J, Confluence, and Apache Struts installations, making CVEs actionable.Ā Learn more about the talk.
Of course, almost all of these talks are recorded, so the sessions themselves do not justify traveling long distances for a conference. Iāve finally had a chance to meet with the people Iāve interacted with over Cloud Security Forum Slack, Twitter, and other social media; who also traveled from various parts of the world with more than 10 hours of flights, including but not limited to Australia, Brazil, Italy, Denmark, UK.
Side note: I wish the venue would be bigger next year, allow one or more tracks and more people to attend. Itās nice for fwd:cloudsec to follow re:Inforce. Next year, the re:Inforce would be on June 13-14 in Anaheim, CA (next to Disneyland, another reason to visit)...
AWS re:Inforce 2022 recap
Although not as big as re:Invent, this was a considerable big conference. The reason I liked it was because, again, it was focused on cloud security, therefore covering deep topics. However, itās an AWS conference, Itās not possible to be vendor-spam-free, but most of the talks were informative. There were too many sessions, and unfortunately, the events page of AWS does not help to discover them. There are always re:Invent schedule viewers, but there was not one for re:Inforce. Therefore weāve quickly madeĀ public Google sheetsĀ by scraping the API to browse the sessions faster. I wonder why representing this information at every conference I attend is always a hassle.
In addition to available sessions, there were many labs you could attend with your computer and start working on some Capture the Flag activities.Ā
The main theme of the re:Inforce was, in my opinion, that there are many things to get secure, stay secure, and many ways, including AWS native services such as Config, Audit Manager, KMS, IAM, GuardDuty, SecurityHub, or complementary tools, both open source and SaaS.
Traditional security has become increasingly challenging in cloud computing due to its dynamic nature and overlapping of tools.
One thing I love about the conferences is meeting with people in person. Although remote working is normalized everywhere, virtual interactions never substitute physical interactions, at least for me. There were sponsors and startups of all sizes in the Cloud Security area that I had a chance to meet and listen to what they solved and have a chance to talk about what we do as Resmo as well.
I also got a chance to meet fellow AWS Community Builders in person. Plus, I got toĀ meet with Brandon Caroll, and weāve interviewed about my experience as a community builder,, which should be available to watch soon.
Suggested reading: A Closer Look at the Multi-Cloud Adoption.
Important Announcements during re:Inforce
I always look forward to huge conferences of tech companies, where most employ Conference-driven development to deliver features, so itās always interesting announcements around conference times. The same goes for re:Invent and re:Inforce. Have a look at ourĀ previous re:Invent honest coverage, which is still visited every day.Ā There were some notable announcements both before and during the re:Inforce:
Malware protection is now a feature of Amazon GuardDuty
This was one of the largest announcements, making AWS a competitor to many security unicorns out there. GuardDuty can detect malicious files, including trojans, worms, crypto miners, and rootkits, by scanning EBS volumes. It can detect EC2, ECS, and EKS workloads and can classify files as suspicious or malware. There are 2 limitations you need to be aware of, though: its volumes need to be less than 1 TB to avoid alert repetition, and for cost concerns, a volume is scanned only once every 24 hours, which can also slip some of the first alerts is a false positive. Learn more.
AWS Backup now supports copying Amazon S3 backups across AWS Regions and accounts
I remember all the tedious automation weād be around setting up S3 Replication across multiple accounts with correct bucket policies. Iām very glad S3 is also covered nicely with AWS Backups. Learn more.
AWS Control Towerās Region deny guardrail expands to include additional AWS Chatbot, Amazon S3 Storage Lens, and Amazon S3 Multi-Region Access points APIs
To be honest, at the initial release, we were happy that AWS Chatbot existed but struggled with how it works securely. Although these are good developments towards a better security posture, the deny-lists donāt scale. You can have a look at all Jackson deserialization-related vulnerabilities where they disable dangerous classes; one always slips! Learn more.
AWS Control Tower now reduces AWS Config configuration items by only recording global resources in home Regions
Config is already expensive, and Control Tower recording global resource changes redundantly for 20 regions did not help. This update ensures when you enable Control Tower, Config only records changes for global resources such as IAM Roles and CloudFront Distributions in us-east-1. Learn more.
Amazon EC2 Console adds the āVerified Providerā label for public AMIs
I hope this works better than how Twitter verifies profiles. EC2 AMI sharing is a mess; an unsuspecting person can search for āUbuntuā or āOpenVPNā and end up with harmful software. Verified labels aim to resolve this by introducing some sort of checks. Learn more.
AWS Config conformance packs now provide scores to help you track resource compliance
This update allows scores of conformance packs over time to be recorded, so you can see whether you are improving your posture over time. A bonus is the metrics are also emitted to Cloudwatch, and you can write alerts if it drops a certain threshold instead of every change. In Resmo, we also have Compliance Packs that continuously keep track of your cloud and SaaS assetsā compliance. Learn more.
AWS Single Sign-On (AWS SSO) is now AWS IAM Identity Center
This is just a branding update; for all we know, Amazon loves sudden name changes. But this one is a bit puzzling for me because SSO used to describe the feature perfectly. For those who donāt know, SSO is used to manage access to AWS accounts through Organizations, but it can also be used to log in to other SaaS applications you have, like an alternative to Okta. There are major caveats; though itsĀ API is problematic, and it only works for one region, there is no way to back it up. Normally itād be okay, but this is an āIdentity Center,ā which should have much higher standards. Learn more.
Announcing AWS Marketplace Vendor Insights to help streamline vendor risk assessmentsĀ
The marketplace already makes the procurement process easier for many products. However, standards for acquiring software and services have grown over the years. Vendor Insights should make security, privacy, and operational assessments of vendors easier. It integrates with Audit Manager and AWS Config, but it also integrates with third-party reports such as SOC2 and ISO 27001. There are currently a few vendors, though. As Resmo, weāll also be on AWS Marketplace in Q4 with Vendor Insights as well! Learn more.
Now programmatically manage primary contact information on AWS accounts
Not to be confused withĀ alternate contact information; this update allows the management of primary contact accounts. However, this accesses both emails and telephones; itĀ can be used to recoverĀ ālostā MFA devices. Learn more.
AWS Lambda announces support for a new IAM condition key, lambda:SourceFunctionArn
This is a welcome development because any additional layer of security is good unless you make everything more complicated and rely on an attacker would just give up. However, what that announcement does not mentionĀ is that: āYou cannot use the lambda:SourceFunctionArn condition key in resource-based policies.ā but it works in Service Control Policies (SCP), which is nice. Learn more.
AWS Lambda announces support for Attribute-Based Access Control (ABAC)
Another additional improvement for Lambda security is that now you can use Attribute-Based Access Control (ABAC). Here is aĀ guideĀ if you need a refresher on why ABAC is important. I wish all services supported this, making managing permissions in a large-scale environment much easier. However, you must also control who can tag what resource for ABAC to fulfill its promise.Ā Learn more.
Till next event!
That's basically everything we took with us from the fwd:cloudsec and AWS re:Inforce conferences this year. But worry not fellow cloud security lovers, there are still a bunch of events to look forward to. For one, as Resmo, we'll be there at AWS re:Invent 2022. So, save the date and stay tuned!
Sign up to our newsletter for more news about Resmo and security-related content like this one.
