AWS re:Invent took place last week in Las Vegas with around 50,000 attendees and 2,750 sessions. AWS has already uploaded over 700 videos of the more popular sessions, which is over 3 weeks of content if watched continuously! Here are some of our favorites:
Reimagining multi-account deployments for security and speed (NFX305)—Joseph Kjar, Patrick Sanders, and Prateek Sharma discuss Netflix’s unique multi-account approach: one large monolithic account contains all compute resources, and only compute. Separate application accounts hold each application's other resources and its IAM roles, and those roles are in turn passed to the EC2 instances in the monolithic account. The instances run the applications but use IAM roles from other accounts; every instance runs a proxy that intercepts requests to the instance metadata service and serves the IAM role credentials from the application account.
Accelerate insights using AWS SDK instrumentation (NFX302)—Nick Siow, Scott Pack, and Prateek Sharma discuss a novel technique Netflix uses to record the AWS API calls made by applications. CloudTrail logs, Access Advisor, client-side monitoring, and network proxying each have limitations that prevent full visibility into the AWS API calls an application makes. In this talk, they explain how they use existing but poorly documented SDK functionality, which they discovered while looking at AWS X-Ray, to see all the calls and the parameters used.
Zero-privilege operations: Running services without access to data (SEC327)—Colm MacCárthaigh, a VP and Distinguished Engineer at AWS, discusses the mechanisms AWS uses to ensure customer data cannot be accessed by AWS employees. These same concepts can be used by others in their own architectures.
When security, safety, and urgency all matter: Handling Log4Shell (BOA204)—Abby Fuller, a senior principal security engineer at AWS, discusses the response to the Log4Shell vulnerability. She explains how AWS uses Ghostbusters, a cross-team group focused on security, to handle escalations and assess the impact of issues. She goes on to describe the different conference calls used for operational and security events and the role of security operations (SecOps) in responding to potential security issues. Finally, she discusses the response to the Log4Shell vulnerability and the challenges that AWS faced in addressing it.
Context is everything: CNAPP revolution to secure AWS deployments (PRT254)—I'm biased in liking this talk, but in it, Yinon Costica, co-founder and VP Product at Wiz, and guest speaker John Visneski, CISO at MGM Studios, give a great explanation of what Wiz does and the value it provides to customers.
AWS re:Invent 2022 was a content-packed conference that I was lucky to attend. It was great to connect with friends across the industry and meet new ones. Things have roared back to life with this massive conference. AWS continues to unleash new and exciting features, and some of my favorite content is about how customers are using these in unique and interesting ways.