Highlights and takeaways from AWS re:Inforce 2024

As cloud security professionals, we seek to confidently manage risk in our environments against ever-changing threats. We look inward to constantly evaluate our position but it’s also important to connect with the broader security community to navigate the changing landscape of cloud security.

AWS included a wide variety of security-related themes: architecture of secure networks and applications; managing threats through observation, detection, and response; IAM and data protection; and several more. I’ll focus on a few of my other favorite themes below.

I was impressed with how often security culture was discussed throughout the conference and how many attended the content. The keynote started strong by talking about the difficulty in building and evolving security culture but also providing examples of how AWS overcomes those challenges. One example mentioned was the CEO meeting with service teams across the AWS organization to better understand security concerns from each. This focus was apparent in much of the content where they opened discussion, asked questions, and sought to understand the difficulties that organizations are facing with security.

Removing barriers of communication empowers others to innovate with constant change. It allows businesses to move from a model of a single individual or team owning security culture to one of inclusion across cultures: teams, organizations, and even partnerships. One of the reasons this works so well is that “security culture” as a concept moves away from stringent policies, blockers, and complications. Instead it becomes a dynamic reinforcement loop that allows continual improvement.

I enjoyed how AWS shows how they are using this approach with partnerships. The keynote highlighted how they understand that many businesses are required to centralize systems and operations across multiple environments, not just AWS. They can lead and support others by sharing the ownership across hardware, services, partners, and education. In years past, it would be difficult to find talks about hybrid and multi-cloud solutions but that was not the case this year. Not only were relevant vendors there to talk through solutions, content throughout demonstrated how AWS internally has embraced changes in its own services that embrace multi-environment approaches. You may have noticed a push from AWS towards implementing foundational security principles in your own organization. They do so by discussing blockers or difficulties with services and offer support to resolve security findings.

I was surprised to see that AWS teams are actively using external tools and services more as a result. I watched a code talk where they created an architecture for root Service Control Policies (SCPs) in AWS. However, instead of only supporting CloudFormation, they were applying Terraform modules live from within VS Code. This shows that the culture first approach to security through shared ownership can unify strategy, intelligence, and lifecycle management so all parties can innovate with confidence.

I was happy to see that governance, risk, and compliance (GRC) was a focus topic in much of the content. After building a unified culture, it becomes easier to establish strong resilience to constant change through GRC. Managing controls and maintaining compliance still requires diligent effort to understand and define risk.

Many speakers highlighted how AWS services are evolving to create more features and controls for GRC support. Foundational services like SCPs, IAM, Cognito, and Verified Access are continuously improving to create well managed governance patterns. Compliance auditing automation has many players in the space including Bedrock, Q, IAM Access Analyzer, AWS Resilience Hub, and AWS Fault Injection Service. Creating solutions that fit your organization’s needs without requiring additional tooling goes a long way. Another hot topic was using generative AI to confidently and securely automate risk management, which we’ll talk a bit more about below.

AWS understands that many organizations struggle with discovering gaps that arise over time. They offer that employees and partners are always available to support GRC solutions that fit customer needs. They also provide the Cloud Audit Academy where one can “learn skills and best practices to audit for security in the cloud.”

AWS was never shy about the attention AI would get at re:Inforce. Many are eager to get their feet with AI but many also jump in head first without understanding how to do it securely. Not only does this provide threat actors with an opportunity to stay ahead of the game but it exposes businesses and potentially their customers to new risks. Whether or not an organization subscribes to the direction AI is going, they must at least be aware of regulatory controls and even indirect consequences of its usage.

Throughout the conference, the answer to finding an organization’s AI stance looked like the following:

1. Start with a culture-first strategy for AI approaches.
2. Use governance, risk, and compliance (GRC) controls and auditing to tighten the feedback loop.
3. Securely architect AI applications, data, and foundational models (FM) to ensure they are protected.

I’ve talked about the first two, but the path to architecting AI securely is still an evolving picture for many. It’s also difficult to create culture and GRC solutions around AI when getting started. A couple of simple options that don’t require drastic changes are Amazon Q for Business/Developer and AWS Chatbot.

Generative AI is a great way for organizations to get their feet wet with AI use. Ideally these use cases should target processes that slow humans down, but where an AI model shines. Generative AI can be used to automate SOC operations and initial security investigations to reduce overhead. It can be used to analyze AWS Security Lake and generate reports. Generative AI is also great for reinforcing security confidence with analysis of internal diagrams, code, and data to identify gaps in understanding and awareness. Services like Q, Bedrock, Kendra, and SageMaker are great places to start stretching your AI muscles.

Once you’re more comfortable with AI within the organization, it becomes easier to work with Foundational Models (FMs) that solve more difficult problems. One of the first things to decide is how you want to manage your models. Do you want to use a third party or fine tune internally? A newer option called retrieval augmented generation (RAG) is a middle path that creates gates across the prompt, model query, model instruction, and data transmission. This allows better security and protection across an entire AI workload by mitigating opportunities for attack. Businesses can use these approaches to protect business assets securely but it also provides ways to confidently remove bias in data and decisions and also reduce cost.

I had a great time at re:Invent 2024 learning, discussing, and experimenting with all things cloud security. I’m really excited to see the results of the conversations and collaboration emerging after the conference. If you want to learn more, I highly recommend checking out the curated playlists by focus topics at re:Inforce 2024.