AWS Security Blog
Your AWS re:Invent 2019 guide to AWS Identity sessions, workshops, and chalk talks
November 6, 2019: Post updated to include four new sessions — SEC316, SEC317, OIG304, and ACT17.
AWS re:Invent 2019 is coming fast! You’ll soon need to prioritize your sessions. Here’s a list of AWS Identity sessions, workshops, and chalk talks at AWS re:Invent 2019. If you haven’t registered yet for re:Invent, here’s a template you can provide to your manager to help justify your trip.
AWS Identity Leadership Keynote
SEC207-L — Leadership session: AWS identity (Breakout session)
Digital identity is one of the fastest growing and fastest changing parts of the cloud. Zero-trust networks, GDPR concerns, and new IoT opportunities have been dominating cloud news coverage. In this session, learn about significant industry changes that will affect the way AWS approaches identity for both workforce and consumer customers. We announce new features, discuss our participation in open standards and industry groups, and explain how we’re making identity, access control, and resource management easier for you every day.
AWS Identity Management for your Workforce
FSI310 — The journey to least privilege: IAM for Financial Services (Chalk talk)
Enhancements to AWS Identity and Access Management and related services have made it safer and easier than ever to grant developers direct access to AWS. In this session, we share a new approach to automating identity and access management in AWS based on recent engagements with global Financial Services customers. Then, we dive deep to answer your questions about how CI/CD tools and techniques can be used to enforce separation of duties, curtail human review of policy code, and delegate access to IAM while reducing the risk of unintended privilege escalation.
MGT407-R — Automating security management processes with AWS IAM and AWS CloudFormation (Builders session)
Security is a critical element for highly regulated industries like healthcare. Infrastructure as code provides several options to automate security controls, whether it is implementing rules and guardrails or managing changes to policies in an automated yet auditable way. Learn how to implement a process to automate creation, permission changes, and exception management with AWS Service Catalog, AWS CloudFormation, and AWS IAM policies, fostering efficient collaborations between security stakeholders across teams. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
SEC317-R — AWS Identity: Setting up single sign-on access to AWS accounts (Chalk talk)
Many organizations have adopted a multi-account model with AWS, and they want a way to manage which end users in the organization may access the various accounts. This includes setting up permissions and configuring identity federation. There are several approaches to solving these needs. This interactive chalk talk demonstrates current practices for single sign-on access to multiple AWS accounts. We share the latest identity service features from AWS and follow that with an open discussion on the best approaches for your organization. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1”.)
WIN312-R — Active Directory on AWS to support Windows workloads (Breakout session)
Want to learn your options for running Microsoft Active Directory on AWS? When moving Microsoft workloads to AWS, it’s important to consider how to deploy Microsoft Active Directory to support group policy management, authentication, and authorization. In this session, we discuss options for deploying Microsoft Active Directory to AWS, including AWS Directory Service for Microsoft Active Directory and deploying Active Directory to Windows on Amazon Elastic Compute Cloud (Amazon EC2). We cover such topics as integrating your on-premises Microsoft Active Directory environment to the cloud and leveraging SaaS applications, such as Office 365, with AWS Single Sign-On. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
WIN405-R — Active Directory design patterns on AWS (Builders session)
Want to learn about your options for running Microsoft Active Directory on AWS? When you move Microsoft workloads to AWS, it’s important to consider how to deploy Active Directory in support of name resolution, authentication, and authorization. In this session, we discuss options for deploying Microsoft Active Directory to AWS, including AWS Managed Microsoft Active Directory and deploying Active Directory to Windows on Amazon EC2. The discussion includes such topics as how to integrate your on-premises Active Directory environment to the cloud using Amazon Route 53 Resolver. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
AWS Identity Management for your Customers
SEC219-R — Build the next great app with Amazon Cognito (Chalk talk)
Are you planning to build the next great app? Are you planning to include features like AI-driven responses, a friendly user experience, and a lightning fast response time? There’s just one thing in your way: Identity. Before your users can use your app, you first have to know who they are. In this talk, we walk through how Amazon Cognito can help you deliver a unified identity management and authentication experience and help you mediate access to AWS services. We then discuss Amazon Cognito features, best practices, architectures, and how you can use Amazon Cognito to build your app today. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
SEC403-R — Serverless identity management, authentication, and authorization (Workshop)
In this workshop, you learn how to build a serverless microservices application demonstrating end-to-end authentication and authorization using Amazon Cognito, Amazon API Gateway, AWS Lambda, and all things AWS Identity and Access Management (IAM). You have the opportunity to build an end-to-end functional app with a secure identity provider showcasing user authentication patterns. To participate, you need a laptop, an active AWS Account, an AWS IAM administrator, and familiarity with core AWS services. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
SEC409-R — Fine-grained access control for serverless apps (Builders session)
In this small-group, hands-on builders session, you take a guided tour of how to build enterprise-grade serverless web applications with fine-grained, directory-based access controls. We show how to take a regular Express.js app, move it to AWS Lambda, add authentication using Amazon Cognito with SAML federation, and implement fine-grained authorization based on an external identity provider’s group membership (e.g., LDAP/AD). Services used: Amazon Cognito, AWS Lambda, Amazon API Gateway, Amazon DynamoDB, AWS CDK, and AWS Amplify. Prerequisites: Proficiency in basic JavaScript/TypeScript. Basic experience with AWS is recommended but not mandatory. (Note that this session is repeated twice more during the week and denoted with a suffix of “-R1” and “-R2.”)
MOB304 — Implement auth and authorization flows in your iOS apps (Workshop)
Learn how to leverage social-provider identity federation (log in with Google, Amazon, Facebook, etc.) as well as easily set up custom authentication flows configured and deployed by the AWS Amplify CLI. You do this hands-on by building and deploying a modern iOS app using AWS Amplify and serverless services. This workshop is suitable for all, even if you’re not a cloud expert. Please bring your own Mac with XCode already installed.
MOB315-R — Breaking down the OAuth flow (Chalk talk)
Are you lost when reading about OAuth implicit grants vs. code grants? Are you always struggling to understand the difference between Amazon Cognito user pools and Amazon Cognito federated identities? And how your corporate Active Directory fits into that picture? During this chalk talk, we demystify identity federation and whiteboard the main flows, allowing you to understand how to leverage these services to bring identity federation to your web or mobile applications. (Note that this session is repeated twice more during the week and denoted with a suffix of “-R1” and “-R2.”)
AWS Access Management
SEC209-R — Getting started with AWS identity (Breakout session)
The number, range, and breadth of AWS services are large, but the set of techniques that you, as a builder in the cloud, will use to secure them is not. Your cloud journey starts with this breakout session, in which we get you up to speed quickly on the practical fundamentals to do identity and authorization right in AWS. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
SEC217-R — Delegate permissions management using permissions boundaries (Builders session)
The new permissions boundaries feature in AWS IAM addresses how to delegate permissions management to many users. If you have developers who need to be able to create roles for Lambda functions or system administrators who need to be able to create AWS IAM roles and users, or if you find yourself in a similar scenario, permissions boundaries might be a solution for you. (Note that this session is repeated multiple times during the week and denoted with a suffix of “-R1,” “-R2,” and “-R3.”)
SEC316-R — Access control confidence: Grant the right access to the right things (Breakout session)
As your organization builds on AWS, granting developers and applications the right access to the right resources at the right time for the right actions is critical to security. In this session, we share an approach to setting permissions in AWS environments. We demonstrate configuring permission guardrails and delegating permission administration to development teams. We show how to set fine-grained permissions that scale with your organization using attribute-based access control (ABAC). Finally, we discuss how to confidently dial in permissions. We guide you through each step and provide examples, helping you gain the confidence to set access controls in your organization. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1”.)
SEC326-R — AWS identity-dynamic permissions using employee attributes (Chalk talk)
To access AWS resources, you can configure your IdP in AWS to be your corporate directory, letting your users federate into AWS for single sign-on access to AWS accounts using their corporate credentials. Along with employee credentials, your directory also stores employee attributes such as cost center, department and email address. Now, you can rely on the employee attributes to create fine-grained permissions in AWS. Permissions can then be automatically applied based on attributes when employees change departments or new employees are added in AWS. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
SEC402-R — AWS identity: Permission boundaries & delegation (Workshop)
A permissions boundary is an AWS IAM feature that makes it easier to delegate permissions management to trusted employees. These employees can now configure IAM permissions to help scale permissions management and move workloads to AWS faster. For example, developers can create IAM roles for AWS Lambda functions and Amazon EC2 instances without exceeding certain permissions boundaries. In this workshop, using a sample application that we provide, practice delegating IAM permissions management so that developers can create roles without being able to either escalate their permissions or impact the resources of other teams. All attendees need a laptop and familiarity with core AWS services. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
SEC405-R — Access management in 4D (Breakout session)
In this session, we take “who can access what under which conditions” and deeply explore “under which conditions.” We demonstrate patterns that allow you to implement advanced access-management workflows such as two-person rule, just-in-time privilege elevation, real-time adaptive permissions, and more using advanced combinations of AWS identity services, a range of environmental and contextual information sources, and automated and human-based approval workflows. We keep things fun, engaging, and practical using a lively mix of demos and code that you can take home and implement in your own environment. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
SEC409-R — Fine-grained access control for serverless apps (Builders session)
In this small-group, hands-on builders session, you take a guided tour of how to build enterprise-grade serverless web applications with fine-grained, directory-based access controls. We show how to take a regular Express.js app, move it to AWS Lambda, add authentication using Amazon Cognito with SAML federation, and implement fine-grained authorization based on an external identity provider’s group membership (e.g., LDAP/AD). Services used: Amazon Cognito, AWS Lambda, Amazon API Gateway, Amazon DynamoDB, AWS CDK, and AWS Amplify. Prerequisites: Proficiency in basic JavaScript/TypeScript. Basic experience with AWS is recommended but not mandatory. (Note that this session is repeated twice more during the week and denoted with a suffix of “-R1” and “-R2.”)
Governance of Multi-account Environments
SEC325-R — Architecting security & governance across your landing zone (Breakout session)
A key element of your AWS environment is having a framework to provide resource isolation, separation of duties, and clear billing separation (i.e., a landing zone). In this session, we discuss updates to multi-account strategy best practices for establishing your landing zone, new guidance for building organizational unit structures, and a historical context. We cover security patterns, such as identity federation, cross-account roles, consolidated logging, and account governance. We wrap up with considerations on using AWS Landing Zone, AWS Control Tower, or AWS Organizations. We encourage you to attend all the landing zone sessions. Search for “landing zone” in the session catalog. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
SEC341-R — Set permission guardrails for multiple accounts in AWS Organizations (Chalk talk)
AWS Organizations provides central governance and management for multiple accounts. Central security administrators use service control policies (SCPs) with Organizations to establish controls that all AWS Identity and Access Management (IAM) principals (users and roles) adhere to. For example, you can use SCPs to restrict access to specific AWS Regions or prevent your IAM principals from deleting common resources, such as an IAM role used by your central administrators. You can also define exceptions to your governance controls, restricting service actions for all IAM entities (users, roles, and root) in the account except a specific administrator role. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
MGT302-R — Enable AWS adoption at scale with automation and governance (Breakout session)
Enterprises are taking advantage of AWS so they can move quickly while maintaining governance control over costs, security, and compliance. In this session, we discuss how AWS Control Tower, AWS Service Catalog, AWS Organizations, and AWS CloudFormation simplifies compliance and makes ongoing governance easier. You learn how to set up and govern your multi-account AWS environment or landing zone through automation, blueprints, and guardrails. Finally, you learn how to launch governed and secure resources on AWS through a DevOps CI/CD pipeline. (Note that this session is repeated once more during the week and denoted with a suffix of “-R1.”)
MGT307-R — Governance at scale: AWS Control Tower, AWS Organizations, and more (Chalk talk)
As you move to an organization-wide multi-account, multi-region strategy for your AWS environment, new questions emerge. How do I control budgets across many accounts, workloads, and users in a large organization? How do I automate account provisioning and maintain good security when hundreds of users and business units are requesting cloud resources? How can I ensure the organization is adhering to security and governance requirements? Bring all your questions about using AWS Landing Zones, AWS Control Tower, AWS Organizations, AWS Config, and more to build an AWS environment with governance
control built in. (Note that this session is repeated multiple times during the week and denoted with a suffix of “-R1,” “-R2,” and “-R3.”)
MGT313 — Architect governance at enterprise scale with Goldman Sachs (Breakout session)
As AWS customers accelerate their AWS adoption, going from managing a few AWS accounts to supporting pilot applications to operating on an enterprise scale, they encounter common challenges to maintaining necessary governance. They face issues such as how to control budgets across accounts, workloads, and users; how to automate account provisioning and maintain good security; and how to automate compliance. In this session, we define cloud governance and provide best practices to achieve security, optimized costs, and compliance. Come learn how these best practices for managing your AWS environment have been applied in the real world by Goldman Sachs.
OIG304 — Organize resources & consolidate data centers with AWS Organizations (Chalk talk)
In this chalk talk, learn how the cloud simplifies asset organization during the migration of physical data centers to the cloud. By moving multiple physical data centers comprising enterprise application and heterogeneous technologies, Marathon Petroleum was able to drive consistent governance and security to allow for a focus on business fulfillment.
Activities
ACT17 — Women in Identity, Security, and Privacy re:Invent Gathering (Activity)
Spend a few hours networking with women in the fields of Identity, Security, and Privacy. Meet female leaders in AWS identity-related services and hear lightning talks from women in the Identity and Security industry. Connect with other women and allies while sampling wine and chocolates from around the world. Create your own security-themed craft project to take home with you! Most of all, take this time to enjoy a relaxed environment, expand your connections, and learn something new. The event is co-hosted by Women in Identity and Women in Security & Privacy. Heavy appetizers will be served. Dress code is casual. Allies are welcome.
Want more AWS Security news? Follow us on Twitter.