An honest recap of fwd:cloudsec and AWS re:Inforce 2022
It’s been a long time since I’ve traveled internationally, and coming to Boston again after four years was a nice change and a refreshing trip down memory lane for me. re:Inforce was initially planned for June in Houston, Texas, but it was moved to Boston without official comment, with some speculating political reasons. So the fwd:cloudsec event also moved to Boston, just one day before re:Inforce. Without further ado, let's dive in.
The nice thing about the fwd:cloudsec event is that it is focused and mostly free of vendor spam, which makes it a good environment for candid discussions among peers. The downside is that, probably due to the late changes, the venue was small and attendance was limited to fewer than 200 people. That created a cozy atmosphere, but I know many people who meant to attend but could not because of the space issue. The Cloud Security Podcast, which hosted a watch party, was in town for re:Inforce but could not get a ticket.
The talks at fwd:cloudsec were focused and high quality. As Resmo, we submitted Real-time Anomaly Detection on AWS CloudTrail Events using Apache Flink but could not get a spot. The good news is that we will publish it as a blog post in the coming weeks, which I believe most would find interesting.
As the conference had two tracks, I had to miss some of the great talks. But the video streams are uploaded pretty quickly.
There were many great talks, but here is a recap of my favorites, either ones I attended or ones peers at the conference recommended watching later:
Unlocking Cloud Build Security with OIDC
I can’t believe how many years it took CI/CD providers to support using IAM credentials for cloud providers securely. Most tutorials just went ahead with “Just create IAM users and put the key in an environment variable; why not?”
This talk summarizes how cloud build security works with GitHub and how to check JWT claims to ensure only authorized builds get access. The talk also covers Sigstore, which signs artifacts in a secure, keyless way so that you are not exposed to supply chain attacks. I would also like to add that Bitbucket was the first to support OIDC in Pipelines. Learn more.
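The claim check the talk describes, as an added example that is not code from the talk or from this post. It takes the decoded claims of a GitHub Actions OIDC token (claim names follow GitHub's token format: iss, aud, sub, event_name, job_workflow_ref) and decides whether the build may assume a deploy role. Signature verification against the issuer's keys is assumed to have already happened (AWS STS does that before a trust policy is evaluated); the organization, repository and workflow names and the sample payloads are constructed. It also shows the usual mistake: a wildcard on sub that accepts every repository in the organization.

```python
"""Authorize a CI build from the claims of a GitHub Actions OIDC token."""
import fnmatch
from typing import Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# What one deploy role should accept, pinned as tightly as the build allows.
# Hypothetical org/repo/workflow names; the audience must be the one the workflow requested.
POLICY = {
    "aud": "sts.amazonaws.com",
    # Exact sub: one repository and one branch. A pattern like "repo:example-org/*"
    # would also match pull requests and every other repository in the org.
    "sub": "repo:example-org/payments-api:ref:refs/heads/main",
    # The deploy job must come from this workflow file on main, not an ad-hoc workflow.
    "job_workflow_ref": "example-org/payments-api/.github/workflows/deploy.yml@refs/heads/main",
    "event_name": {"push", "workflow_dispatch"},
}


def authorize_build(claims: dict, policy: dict = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason) for a set of already signature-verified claims."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["aud"] not in audiences:
        return False, "audience mismatch"
    if claims.get("sub") != policy["sub"]:
        return False, f"sub not allowed: {claims.get('sub')}"
    if claims.get("job_workflow_ref") != policy["job_workflow_ref"]:
        return False, "workflow not pinned"
    if claims.get("event_name") not in policy["event_name"]:
        return False, f"event not allowed: {claims.get('event_name')}"
    return True, "ok"


def is_loosely_allowed(claims: dict, sub_pattern: str = "repo:example-org/*") -> bool:
    """The common mistake: a StringLike-style wildcard on sub ('*' matches ':' and '/' too)."""
    return claims.get("iss") == GITHUB_ISSUER and fnmatch.fnmatchcase(claims.get("sub", ""), sub_pattern)


# Constructed sample payloads: the claims of a decoded token that matter here.
MAIN_PUSH = {
    "iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/payments-api:ref:refs/heads/main",
    "repository": "example-org/payments-api", "ref": "refs/heads/main", "event_name": "push",
    "job_workflow_ref": "example-org/payments-api/.github/workflows/deploy.yml@refs/heads/main",
}
# A pull request build in a different repository of the same organization.
PR_FROM_OTHER_REPO = {
    "iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/sandbox:pull_request",
    "repository": "example-org/sandbox", "ref": "refs/pull/7/merge", "event_name": "pull_request",
    "job_workflow_ref": "example-org/sandbox/.github/workflows/ci.yml@refs/pull/7/merge",
}

if __name__ == "__main__":
    for name, token in (("main push", MAIN_PUSH), ("PR from other repo", PR_FROM_OTHER_REPO)):
        print(f"{name}: strict={authorize_build(token)} loose wildcard={is_loosely_allowed(token)}")
```

In an AWS role trust policy the same checks are expressed as StringEquals conditions on `token.actions.githubusercontent.com:aud` and `:sub`; the function above makes the difference between an exact sub and a wildcard visible on the two sample tokens.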
Everything you never wanted to know about flow logs
Flow logs from VPCs are nothing new, but this slide design is top-notch! The talk summarizes how flow logs work in the major cloud providers (AWS, GCP, and Azure) and what you can do with those endless streams. Learn more.
Evading AWS GuardDuty and Network Firewall using Privacy Enhancing tech
GuardDuty is not a flawless service, but it can detect most issues. However, it can be easy to circumvent with privacy-enhancing technologies such as encrypted DNS and encrypted TLS Client Hello, which encrypts the SNI and therefore the hostname. As you can see, relying on DNS to detect suspicious behavior will not be enough as malware gets smarter. One improvement is to enforce that only the Route53 resolver can be used, but the talk goes on to detail how Route53 DNS Firewall can also be bypassed. For the most paranoid, deploying a full firewall with custom certificates seems to be the only solution. Learn more.
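One thing you can do with those flow log streams, tying the flow logs talk to the evasion talk above: look for DNS that never reaches the VPC resolver, which is exactly the traffic Route53 DNS Firewall and GuardDuty's DNS-based findings cannot see. This is an added example, not code from either talk or from this post. It parses the default (version 2) VPC flow log record format and flags plain DNS (port 53) sent anywhere other than the Amazon-provided resolver, DNS over TLS (port 853) to any destination, and TCP/443 to a few well-known public resolvers, which is where DNS over HTTPS hides. The VPC CIDR, the resolver address and the sample records are constructed; flow logs only carry the 5-tuple, so encrypted Client Hello is out of scope for this check and a full firewall remains the only way to see the hostname.

```python
"""Spot DNS traffic that sidesteps the VPC resolver in AWS VPC flow logs."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
VPC_RESOLVER = ipaddress.ip_address("10.0.0.2")  # Amazon-provided resolver is VPC base + 2
ROUTE53_LINK_LOCAL = ipaddress.ip_address("169.254.169.253")
# Public resolvers that also serve DoH on 443; extend with your own list.
PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "9.9.9.9")}


@dataclass
class Finding:
    interface: str
    src: str
    dst: str
    dstport: int
    reason: str


def parse_record(line: str) -> Optional[dict]:
    """Default format: version account-id interface-id srcaddr dstaddr srcport dstport
    protocol packets bytes start end action log-status. Returns None for header,
    NODATA/SKIPDATA and malformed lines."""
    f = line.split()
    if len(f) < 14 or f[0] != "2" or f[13] != "OK":
        return None
    return {"iface": f[2], "src": ipaddress.ip_address(f[3]), "dst": ipaddress.ip_address(f[4]),
            "srcport": int(f[5]), "dstport": int(f[6]), "proto": int(f[7]), "action": f[12]}


def classify(rec: dict) -> Optional[str]:
    src, dst, port = rec["src"], rec["dst"], rec["dstport"]
    if src not in VPC_CIDR:
        return None  # only egress from the VPC is of interest here
    if port == 53 and dst not in (VPC_RESOLVER, ROUTE53_LINK_LOCAL):
        return "plain DNS not sent to the VPC resolver (DNS Firewall never sees it)"
    if port == 853:
        return "DNS over TLS (port 853): encrypted queries bypassing the resolver"
    if port == 443 and rec["proto"] == 6 and dst in PUBLIC_RESOLVERS:
        return "TCP/443 to a public resolver: likely DNS over HTTPS"
    return None


def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["iface"], str(rec["src"]), str(rec["dst"]), rec["dstport"], reason))
    return findings


# Constructed sample records in the default flow log format.
SAMPLE_LOG = [
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.0.2 53211 53 17 1 76 1656000000 1656000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 8.8.8.8 53212 53 17 1 76 1656000000 1656000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 1.1.1.1 40122 853 6 12 1980 1656000000 1656000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 1.1.1.1 40123 443 6 20 4400 1656000000 1656000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 40124 443 6 20 4400 1656000000 1656000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1656000000 1656000060 - NODATA",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.interface} {f.src} -> {f.dst}:{f.dstport}  {f.reason}")
```

The ordinary HTTPS flow to 203.0.113.10 and the query to the VPC resolver produce nothing; the three resolver-bypass flows do. If you also block outbound 53 and 853 at the security group or network ACL, the plain-DNS and DoT cases show up as REJECT records, which is the confirmation you want that the control is in place.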
Auditing PassRole: Finding the Hidden Trails of a Problematic Privilege Escalation Permission
I’ll be honest: when I started using AWS, it took me an embarrassing amount of time to understand what PassRole even is. In short, it allows you to direct another service to use a role, possibly with higher privileges than yours. It is mostly over-provisioned because it’s hard to understand, and it poses a security risk. The problems are that there is no CloudTrail entry for it, the documentation is incomplete, and neither Access Analyzer nor Access Advisor gives insight into it. If misconfigured, it can quickly lead to privilege escalation, which you don’t want. Learn more.
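Since there is no CloudTrail entry to look for, the practical place to audit PassRole is the policy documents themselves. The following is an added example (not from the talk or this post) that walks IAM policy JSON in the shape returned by GetPolicyVersion or GetRolePolicy, expands the Action and Resource fields, and reports PassRole grants that are too broad: a wildcard role resource, or no iam:PassedToService condition pinning which service may receive the role. The sample policies and the account id are constructed.

```python
"""Find over-broad iam:PassRole grants in IAM policy documents."""
import fnmatch
import json
from typing import Iterator, List


def as_list(value) -> list:
    """IAM allows a string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_passrole(actions: List[str]) -> bool:
    """Action values are case-insensitive and may be wildcards such as iam:* or *."""
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in actions)


def audit_passrole(policy: dict) -> Iterator[dict]:
    """Yield one finding per Allow statement that grants PassRole too broadly."""
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not grants_passrole(as_list(stmt.get("Action"))):
            continue
        resources = as_list(stmt.get("Resource"))
        condition = stmt.get("Condition") or {}
        # Condition looks like {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}.
        pinned_service = any(
            "iam:passedtoservice" in {k.lower() for k in keys} for keys in condition.values()
        )
        problems = []
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            problems.append("PassRole on a wildcard role resource")
        if not pinned_service:
            problems.append("no iam:PassedToService condition")
        if problems:
            yield {"sid": stmt.get("Sid", f"statement[{i}]"), "resources": resources, "problems": problems}


def findings_for(policy_json: str) -> List[dict]:
    return list(audit_passrole(json.loads(policy_json)))


# Constructed: the typical over-provisioned statement from a tutorial.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LetMePassAnything", "Effect": "Allow",
     "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"}]}

# Constructed: one role, and only EC2 may receive it.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PassOnlyTheWebRoleToEc2", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/web-instance-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, findings_for(json.dumps(policy)) or "no findings")
```

Run it over every customer-managed policy version and inline policy in the account; the two constructed policies show what a finding looks like and what a clean statement looks like. A hit on the wildcard resource is the one to fix first, because it lets the caller hand any role in the account to a service it can drive.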
The evolution of cloud security in a consolidating market - expanding quadrants
This was a Birds of a Feather session by Jeremy Snyder about how cloud security has evolved and how the quadrants are blending into each other. A big question is where a customer should start when buying or building tools. Building a cyber asset inventory is the first and most important step: you cannot protect what you don’t know exists. Learn more.
We built a community cloud vulnerability database; now what?
It’s a Birds of a Feather session, so there is no recording. The Open Cloud Vulnerability & Security Issue Database is a platform to collect vulnerabilities across cloud providers in a centralized format. Contributions are made via GitHub.
- One of the main concerns about such a site is that it’s now sponsored by a vendor, and whether other vendors will introduce their own versions.
- Another concern is that it’s not like a regular CVE database: cloud vulnerabilities are closed off to almost everyone, whereas there are still vulnerable Log4j, Confluence, and Apache Struts installations out there, which makes CVEs actionable. Learn more about the talk.
Of course, almost all of these talks are recorded, so the sessions themselves do not justify traveling long distances for a conference. I finally had a chance to meet the people I’ve interacted with over the Cloud Security Forum Slack, Twitter, and other social media, who also traveled from various parts of the world on flights of more than 10 hours, including but not limited to Australia, Brazil, Italy, Denmark, and the UK.
Side note: I wish the venue were bigger next year, allowing more tracks and more people to attend. It’s nice for fwd:cloudsec to follow re:Inforce. Next year, re:Inforce will be on June 13-14 in Anaheim, CA (next to Disneyland, another reason to visit)...
AWS re:Inforce 2022 recap
Although not as big as re:Invent, this was a considerably big conference. What I liked was, again, that it was focused on cloud security and therefore covered deep topics. However, it’s an AWS conference, so it’s not possible to be vendor-spam-free, but most of the talks were informative. There were too many sessions, and unfortunately the AWS events page does not help you discover them. There are always re:Invent schedule viewers, but there was none for re:Inforce. Therefore, we quickly made a public Google Sheet by scraping the API so that the sessions could be browsed faster. I wonder why presenting this information is always a hassle at every conference I attend.
In addition to the sessions, there were many labs you could attend with your own computer and work on Capture the Flag activities.
The main theme of re:Inforce was, in my opinion, that there are many things to do to get secure and stay secure, and many ways to do them, including AWS native services such as Config, Audit Manager, KMS, IAM, GuardDuty, and Security Hub, or complementary tools, both open source and SaaS.
Traditional security has become increasingly challenging in cloud computing due to its dynamic nature and the overlap between tools.
One thing I love about conferences is meeting people in person. Although remote working has been normalized everywhere, virtual interactions never substitute for physical ones, at least for me. There were sponsors and startups of all sizes in the cloud security area that I had a chance to meet, to listen to what they solve, and to talk about what we do at Resmo as well.
I also got a chance to meet fellow AWS Community Builders in person. Plus, I met Brandon Carroll, and we recorded an interview about my experience as a community builder, which should be available to watch soon.
Suggested reading: A Closer Look at the Multi-Cloud Adoption.
Important Announcements during re:Inforce
I always look forward to the huge conferences of tech companies, where most teams practice conference-driven development to deliver features, so there are always interesting announcements around conference time. The same goes for re:Invent and re:Inforce. Have a look at our previous honest re:Invent coverage, which is still visited every day. There were some notable announcements both before and during re:Inforce:
Malware protection is now a feature of Amazon GuardDuty
This was one of the largest announcements, making AWS a competitor to many security unicorns out there. GuardDuty can detect malicious files, including trojans, worms, crypto miners, and rootkits, by scanning EBS volumes. It covers EC2, ECS, and EKS workloads and can classify files as suspicious or malware. There are two limitations you need to be aware of, though: volumes need to be smaller than 1 TB, and, to avoid alert repetition and for cost reasons, a volume is scanned only once every 24 hours, which can also let things slip if the first alert was a false positive. Learn more.
AWS Backup now supports copying Amazon S3 backups across AWS Regions and accounts
I remember all the tedious automation we’d build around setting up S3 Replication across multiple accounts with the correct bucket policies. I’m very glad S3 is now also covered nicely by AWS Backup. Learn more.
AWS Control Tower’s Region deny guardrail expands to include additional AWS Chatbot, Amazon S3 Storage Lens, and Amazon S3 Multi-Region Access points APIs
To be honest, at the initial release we were happy that AWS Chatbot existed but struggled with how to use it securely. Although these are good developments toward a better security posture, deny-lists don’t scale. Have a look at all the Jackson deserialization-related vulnerabilities, where dangerous classes are disabled one by one; one always slips through! Learn more.
AWS Control Tower now reduces AWS Config configuration items by only recording global resources in home Regions
Config is already expensive, and Control Tower redundantly recording global resource changes in 20 regions did not help. With this update, when you enable Control Tower, Config only records changes for global resources such as IAM roles and CloudFront distributions in us-east-1. Learn more.
Amazon EC2 Console adds the ‘Verified Provider’ label for public AMIs
I hope this works better than how Twitter verifies profiles. EC2 AMI sharing is a mess: an unsuspecting person can search for “Ubuntu” or “OpenVPN” and end up with harmful software. Verified labels aim to resolve this by introducing some checks. Learn more.
AWS Config conformance packs now provide scores to help you track resource compliance
This update allows conformance pack scores to be recorded over time, so you can see whether your posture is improving. A bonus is that the metrics are also emitted to CloudWatch, so you can alert when the score drops below a threshold instead of on every change. At Resmo, we also have Compliance Packs that continuously track the compliance of your cloud and SaaS assets. Learn more.
AWS Single Sign-On (AWS SSO) is now AWS IAM Identity Center
This is just a branding update; as we all know, Amazon loves sudden name changes. But this one is a bit puzzling to me because SSO described the feature perfectly. For those who don’t know, SSO is used to manage access to AWS accounts through Organizations, but it can also be used to log in to other SaaS applications you have, as an alternative to Okta. There are major caveats, though: its API is problematic, it only works in one region, and there is no way to back it up. Normally that would be okay, but this is an “Identity Center,” which should be held to much higher standards. Learn more.
Announcing AWS Marketplace Vendor Insights to help streamline vendor risk assessments
The marketplace already makes the procurement process easier for many products. However, standards for acquiring software and services have grown over the years. Vendor Insights should make security, privacy, and operational assessments of vendors easier. It integrates with Audit Manager and AWS Config, and also with third-party reports such as SOC 2 and ISO 27001. There are only a few vendors on it currently, though. As Resmo, we’ll also be on AWS Marketplace in Q4, with Vendor Insights as well! Learn more.
Now programmatically manage primary contact information on AWS accounts
Not to be confused with alternate contact information; this update allows the primary contact of an account to be managed programmatically. Note, however, that this controls both the email address and the telephone number, which can be used to recover “lost” MFA devices. Learn more.
AWS Lambda announces support for a new IAM condition key, lambda:SourceFunctionArn
This is a welcome development, because any additional layer of security is good unless it makes everything more complicated and you rely on the attacker just giving up. However, what the announcement does not mention is this: “You cannot use the lambda:SourceFunctionArn condition key in resource-based policies.” It does work in Service Control Policies (SCPs), though, which is nice. Learn more.
AWS Lambda announces support for Attribute-Based Access Control (ABAC)
Another improvement for Lambda security is that you can now use Attribute-Based Access Control (ABAC). Here is a guide if you need a refresher on why ABAC is important. I wish all services supported it, as it makes managing permissions in a large-scale environment much easier. However, you must also control who can tag which resources for ABAC to fulfill its promise. Learn more.
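To make both Lambda announcements concrete, here is an added example (not AWS code and not from this post) with a small evaluator for a modelled subset of IAM condition semantics: StringEquals, StringLike/ArnLike, their negated forms (which match when the key is absent), Null, and policy variables such as ${aws:PrincipalTag/team}. It runs two policies over a request context: an SCP that denies s3:GetObject when the call comes from a Lambda function outside an allow-list via lambda:SourceFunctionArn, where the Null check keeps non-Lambda callers out of the deny, and an ABAC statement for lambda:InvokeFunction that compares the caller's team tag with the function's. The last case shows why tagging must be controlled: re-tagging the function flips the decision. All ARNs, tags and account ids are constructed, and SCP and identity policies are evaluated together here only for illustration.

```python
"""Modelled IAM condition evaluation for lambda:SourceFunctionArn (in an SCP) and ABAC tags."""
import fnmatch
import re
from typing import List, Optional

VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(value: str, ctx: dict) -> str:
    """Resolve ${aws:PrincipalTag/team}-style policy variables from the request context."""
    return VAR.sub(lambda m: str(ctx.get(m.group(1), "")), value)


def key_matches(op: str, actual: Optional[str], expected: List[str]) -> bool:
    """Subset of IAM operators; negated operators match when the key is absent (as in IAM)."""
    if op == "Null":
        return (actual is None) == (expected[0].lower() == "true")  # "true": key must be absent
    if actual is None:
        return op.startswith(("StringNot", "ArnNot"))
    if op == "StringEquals":
        return actual in expected
    if op in ("StringLike", "ArnLike"):
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    if op in ("StringNotLike", "ArnNotLike"):
        return not any(fnmatch.fnmatchcase(actual, e) for e in expected)
    raise ValueError(f"operator {op} is not modelled")


def condition_matches(cond: dict, ctx: dict) -> bool:
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            if not key_matches(op, ctx.get(key), [substitute(v, ctx) for v in values]):
                return False
    return True


def evaluate(policies: List[dict], action: str, resource: str, ctx: dict) -> str:
    """Explicit Deny wins over Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatch.fnmatchcase(action, a) for a in actions):
                continue
            if not fnmatch.fnmatchcase(resource, stmt.get("Resource", "*")):
                continue
            if not condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# (1) SCP: S3 reads coming from Lambda are only allowed from functions named etl-*.
# Without the Null check, ArnNotLike would also deny every caller that is not a Lambda function.
SCP_LAMBDA_SOURCE = {"Statement": [{
    "Effect": "Deny", "Action": "s3:GetObject", "Resource": "*",
    "Condition": {
        "Null": {"lambda:SourceFunctionArn": "false"},
        "ArnNotLike": {"lambda:SourceFunctionArn": "arn:aws:lambda:*:123456789012:function:etl-*"},
    }}]}
ALLOW_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

# (2) ABAC: invoke a function only when its team tag equals the caller's team tag.
ABAC_INVOKE = {"Statement": [{
    "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}}]}


def s3_decision(source_function_arn: Optional[str]) -> str:
    ctx = {} if source_function_arn is None else {"lambda:SourceFunctionArn": source_function_arn}
    return evaluate([SCP_LAMBDA_SOURCE, ALLOW_S3], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", ctx)


def invoke_decision(principal_team: str, resource_team: str) -> str:
    ctx = {"aws:PrincipalTag/team": principal_team, "aws:ResourceTag/team": resource_team}
    return evaluate([ABAC_INVOKE], "lambda:InvokeFunction",
                    "arn:aws:lambda:us-east-1:123456789012:function:billing-sync", ctx)


if __name__ == "__main__":
    print("etl-nightly   ->", s3_decision("arn:aws:lambda:us-east-1:123456789012:function:etl-nightly"))
    print("rogue-fn      ->", s3_decision("arn:aws:lambda:us-east-1:123456789012:function:rogue-fn"))
    print("not a Lambda  ->", s3_decision(None))
    print("team match    ->", invoke_decision("payments", "payments"))
    print("team mismatch ->", invoke_decision("payments", "billing"))
    # A caller holding lambda:TagResource can re-tag billing-sync to team=payments,
    # which turns the mismatch above into an Allow: guard TagResource with the same rigor.
    print("after re-tag  ->", invoke_decision("payments", "payments"))
```

The evaluator deliberately stops at the operators the two policies need; the one subtlety worth remembering from it is that a negated operator on an absent key matches, which is why SCPs built on lambda:SourceFunctionArn pair ArnNotLike with a Null condition.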
Till next event!
That's basically everything we took with us from the fwd:cloudsec and AWS re:Inforce conferences this year. But worry not, fellow cloud security lovers, there are still a bunch of events to look forward to. For one, as Resmo, we'll be at AWS re:Invent 2022. So save the date and stay tuned!