Stephen Schmidt’s Security Leadership Session at AWS re:Invent 2021

8 minute read | Last updated 7-Aug-2022 | An icon depicting a retail tag with a heart for 'favourite' AWS AWS re:Invent Cloud Security

The leadership session at AWS re:Invent provide a deeper dive into a specific area of focus. Stephen Schmidt, CISO at AWS takes the stage to talk all things security.

I missed the first 10 minutes of the session and will update this post when I watch it on demand.

The First 10 Minutes

THe session is now available on demand so I was able to watch the first ten minutes. Here are my takeaways as a list, instead of a tweet storm;

“If we wanted continuous improvement, we need to lower the friction of security”, Stephen Schmidt
“If a process is inefficient or overly taxing, people will just work around. We’ve got to make security as easy choice.”, Stephen Schmidt
“Getting start is simple, and you start seeing value quickly…” This was mentioned in relation to making security easier to use. 100% spot on
Guard Duty has added a bunch of great Amazon S3 findings
AWS Security Hub now allows you to designate an “aggregation region.” This makes using AWS Security Hub so much easier
Amazon Detective uses a bunch of techniques (machine learning, statistical analysis, and graph theory) to help accelerate your security investigations
AWS’s security strategy is to remain focused on tangible ways to make customers safer
“We need to train people on security best practices in a manner that’s engaging”, Stephen Schmidt. He segues this into highlight the newly released & free security awareness training
The launch of Incident Manager from AWS Systems Manager was highlighted. Lots to love in this feature set
Focus on making the service better through collaboration with builders. That’s critical for better security outcomes. “Let’s makes security a great experience for developers”, Stephen Schmidt

Live Tweets

This is the Twitter thread of my coverage of the keynote…

Tweet 1/44 Next tweet

…ahhh, jumping in late to this one

#reinvent https://twitter.com/66780587/status/1466510060784394253

marknca @marknca tweeted at 02-Dec-2021, 21:15

Tweet 2/44 Next tweet Start

Sarah from @AWSIdentity up now…

#reinvent

marknca @marknca tweeted at 02-Dec-2021, 21:17

Tweet 3/44 Next tweet Start

“MFA is the best way to secure your work as you build”, Sarah from @AWSIdentity with a Yubikey on her earrings!

her plates…

#reinvent

marknca @marknca tweeted at 02-Dec-2021, 21:19

Tweet 4/44 Next tweet Start

ok, now I want a Yubikey on my earrings too. Sarah recommended this one, the 5c nano: https://www.yubico.com/ca/product/yubikey-5c-nano/

#reinvent

marknca @marknca tweeted at 02-Dec-2021, 21:19

Tweet 5/44 Next tweet Start

“All workloads on @awscloud should be multi-account, that’s how we’ve designed @AWSIdentity”

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:20

Tweet 6/44 Next tweet Start

“If you are a human, you should be logging into @awscloud through SSO”, Sarah from @AWSIdentity

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:20

Tweet 7/44 Next tweet Start

#reinvent

marknca @marknca tweeted at 02-Dec-2021, 21:20

Tweet 8/44 Next tweet Start

more on @AWSIdentity SSO at https://aws.amazon.com/single-sign-on/

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:21

Tweet 9/44 Next tweet Start

the “data perimeter” idea is all about protecting your solutions from all angles

#reinvent

marknca @marknca tweeted at 02-Dec-2021, 21:21

Tweet 10/44 Next tweet Start

Sarah covering some @AWSIdentity recent releases. top of the list: IAM Access Analyzer

more at https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:23

Tweet 11/44 Next tweet Start

…there is also Network Access Analyzer

more on that new release at https://aws.amazon.com/blogs/aws/new-amazon-vpc-network-access-analyzer/

#reinvent #securtiy

marknca @marknca tweeted at 02-Dec-2021, 21:23

Tweet 12/44 Next tweet Start

another one in the list, Access Analyzer policy validation

more on that at https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:24

Tweet 13/44 Next tweet Start

Sarah also calls out the IAM Access Analyzer policy generation feature released by @AWSIdentity a little while back

more at https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:25

Tweet 14/44 Next tweet Start

great list. everyone should be using these tools regularly

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:25

Tweet 15/44 Next tweet Start

. @StephenSchmidt back up to switch gears…updates!

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:26

Tweet 16/44 Next tweet Start

162 checks now in @awscloud Security Hub!

VPC endpoint support (https://docs.aws.amazon.com/securityhub/latest/userguide/security-vpc-endpoints.html)

#reinvent

marknca @marknca tweeted at 02-Dec-2021, 21:27

Tweet 17/44 Next tweet Start

Amazon Detective got support S3 and DNS finding types

more at https://aws.amazon.com/about-aws/whats-new/2021/09/amazon-detective-s3-dns/

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:28

Tweet 18/44 Next tweet Start

. @awscloud Shield automatically does application layer DDoS mitigation

more: https://aws.amazon.com/about-aws/whats-new/2021/12/aws-shield-advanced-application-layer-ddos-mitigation/

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:29

Tweet 19/44 Next tweet Start

Amazon Inspector got a big update. I covered that at https://markn.ca/2021/first-look-at-the-brand-new-amazon-inspector/

lots of great stuff in this complete revamp

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:29

Tweet 20/44 Next tweet Start

there is a dedicated session on site for Amazon Inspector. will be on demand in a few days

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:30

Tweet 21/44 Next tweet Start

simple win: update the alternative security contact for your accounts. you can do this via Orgs and the CLI now

more on that at https://aws.amazon.com/blogs/security/update-the-alternate-security-contact-across-your-aws-accounts-for-timely-security-notifications/

#reinvent #security

marknca @marknca tweeted at 02-Dec-2021, 21:31

Tweet 22/44 Next tweet Start

“Consider the Security Pillar of the AWS Well-Architected Framework” << …and the rest of the framework! there’s a ton of amazing stuff in there that contributes to security

more https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html

#reinvent #security