AWS re:invent 2018 — Day 4 & 5 reflections
On day four I got in line for the AWS Security Jam, a capture-the-flag style AWS security event. It was very interesting and educational to work through all the exercises on securing AWS infrastructure and applications. Unfortunately our team, called The Walk-in, only managed to avoid finishing last, but we did learn an AWSome lot ;)
The rest of the day was spent at the vendor booths talking to potential new partners.
Thursday is obviously the day of the party.
Day 5 is my final day and I just have time for one talk: ‘Mastering Identity At Every Layer Of The Cake’.
Identity is everywhere in AWS: the credentials you use to create a service, the credentials you use to access the service, but also the identity the resource has itself.
Much of AWS' security model centres on identity, and AWS has a lot of tools for managing it:
- Amazon SSO (for teams of roughly 20 people or fewer)
- Integrations with SAML (for larger organisations)
- IAM delegated administration via boundary policies (allow others to build IAM policies within certain restrictions)
- CloudFormation macros to make building IAM roles easy for developers
- IAM based authentication for infrastructure (Using IAM credentials to log into infrastructure)
- AWS Secrets Manager (to allow auto rotation for secrets)
- Cognito (to manage end-user identities and login, but also to manage login credentials for infrastructure or to authenticate machine-to-machine communications)
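The delegated-administration item above is worth seeing in concrete form. The following CloudFormation template is an added example, not something shown in the talk or written by the post's author; the policy names (DeveloperBoundary, DelegatedIamAdmin), the `app-*` role prefix and the set of allowed services are assumptions chosen for illustration. It defines a permissions boundary (the ceiling on what any developer-created role can do) and a managed policy that lets a developer create and modify roles only when that boundary is attached, while denying the calls that would remove or weaken the boundary.

```yaml
# Added example (not from the talk or the post): IAM delegated administration
# with a permissions boundary. Names and the allowed-service list are assumed.
AWSTemplateFormatVersion: "2010-09-09"
Description: Developers may build IAM roles, but only inside a fixed boundary

Resources:
  # The ceiling: effective permissions of a bounded role are the intersection
  # of its own policies and this document, so nothing here can be exceeded.
  DeveloperBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeveloperBoundary
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ServicesDevelopersMayGrant
            Effect: Allow
            Action:
              - "s3:*"
              - "dynamodb:*"
              - "logs:*"
            Resource: "*"
          - Sid: NoPrivilegeEscalationFromBoundedRoles
            Effect: Deny
            Action:
              - "iam:*"
              - "organizations:*"
            Resource: "*"

  # What a developer is allowed to do to IAM itself.
  DelegatedIamAdmin:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DelegatedIamAdmin
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Create or change app-* roles only if the boundary is (and stays) attached.
          - Sid: ManageRolesWithBoundaryOnly
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:UpdateAssumeRolePolicy
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/app-*"
            Condition:
              StringEquals:
                iam:PermissionsBoundary: !Ref DeveloperBoundary
          # Read-only access so developers can inspect what they built.
          - Sid: ReadIam
            Effect: Allow
            Action:
              - iam:Get*
              - iam:List*
            Resource: "*"
          # Never let a developer strip the boundary from a role...
          - Sid: DenyRemovingBoundary
            Effect: Deny
            Action:
              - iam:DeleteRolePermissionsBoundary
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/app-*"
          # ...or rewrite the boundary policy itself.
          - Sid: DenyEditingBoundaryPolicy
            Effect: Deny
            Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Resource: !Ref DeveloperBoundary

Outputs:
  BoundaryArn:
    Description: Attach this ARN as the PermissionsBoundary of every developer-created role
    Value: !Ref DeveloperBoundary
```

Two design points are doing the real work. First, the `iam:PermissionsBoundary` condition on the Allow statement means a `CreateRole` call without the boundary, or with a different one, is simply not permitted, so developers cannot opt out. Second, the explicit Deny statements close the two obvious loopholes: detaching the boundary from an existing role, and publishing a new default version of the boundary policy that widens it. A boundary alone does not grant anything; the developer-created role still needs its own identity policies, and its effective permissions are the intersection of those with the boundary.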
Next the speaker showed an example where these services were all put together to create an automated break-glass procedure.