AWS Security Blog
re:Invent 2019 – Your guide to AWS Cryptography sessions, workshops, and chalk talks
February 10, 2021: We provided updated links to the AWS re:Invent 2019 breakout sessions. You can also view these sessions on the AWS Events channel on YouTube.
AWS re:Invent 2019 is just over a week away! We have many Security, Identity, and Compliance sessions, and this is a post about AWS Cryptography-related breakout sessions, workshops, builders sessions, and chalk talks at AWS re:Invent 2019.
The AWS Cryptography mission is to help you get encryption right. We build tools that help you navigate this process, whether we’re helping you secure the encryption keys that you use in algorithms or the certificates used in asymmetric cryptography.
AWS Certificate Manager
SEC218-R – Deploying private certificates using ACM Private CA
Organizations are looking at projects requiring a private certificate infrastructure like service meshes for microservices, full path encryption of traffic, device manufacturing, and app development and deployment. In this session, we discuss how to deploy AWS Certificate Manager Private Certificate Authority to provide certificate infrastructure and walk through a few examples of projects like these. During the session, learn how to build a CA hierarchy, choose the correct CA templates, configure IAM permission options, and manage certificate lifecycle. Participants will be able to apply these lessons and use cases to their own PKI infrastructure to accelerate their projects. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Chalk Talk
Todd Cignetti, Josh Rosenthol
SEC314-R – Building and operating a private certificate authority on AWS
In this workshop, we cover private certificate management on AWS employing the concepts of least privilege, separation of duties, monitoring for privileged actions and automation. You learn operational aspects of creating a complete certificate-authority (CA) hierarchy, building a simple web app, and issuing a private certificate. You learn how job functions—including CA Admins, application developers, and security admins—can follow the principal of least privilege to perform various functions associated with certificate management. The workshop includes quizzes throughout with information to enhance your understanding of the AWS Certificate Manager Private Certificate Authority capability. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Workshop
Ram Ramani
AWS CloudHSM
SEC305-R – Achieving security goals with AWS CloudHSM
In this talk, we compare AWS CloudHSM with other AWS cryptography services for common use cases. We dive deep on how to build scalable, reliable workloads with CloudHSM, and we teach you how to configure the service for performance, error resilience, and cross-region redundancy. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Session
Avni Rambhia
SEC406-R – Deep dive on AWS CloudHSM
Organizations building applications that handle confidential or sensitive data are subject to many types of regulatory requirements. They also often rely on hardware security modules (HSMs) to provide validated control of encryption keys and cryptographic operations. AWS CloudHSM is a cloud-based HSM that enables you to easily generate and use your own encryption keys on the AWS Cloud using FIPS 140-2 Level 3 validated HSMs. In this talk, we demonstrate best practices in configuring and scaling your CloudHSM cluster, implementing cross-region disaster recovery, and optimizing throughput. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Chalk Talk
Rohit Mathur, Avni Rambhia
AWS Key Management Service
SEC340-R – Using AWS KMS for data protection, access control, and audit
This session focuses on how customers are using AWS Key Management Service (AWS KMS) to raise the bar for security and compliance with their workloads. Along with a detailed explanation of how AWS KMS fits into the AWS suite of services, we walk you through popular and sophisticated examples of how AWS KMS can be deployed in the context of access control, separation of duties, data protection, and auditability. We also cover the latest developments in AWS KMS functionality that will further expand the range of use cases to include additional cryptographic capabilities and system integrations. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Session
Raj Copparapu, Peter O’Donnell
SEC322-R – Deep dive into AWS KMS
In this session, learn the dos and don’ts of using AWS Key Management Service (AWS KMS). We cover topics such as envelope encryption, encryption context, and permissions. We also dig into common scenarios that customers encounter. At the end of this presentation, you leave with a working knowledge of how to use the permissions and authorization systems built into AWS KMS and with an understanding of how to appropriately encrypt data using AWS KMS. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Chalk Talk
Paul Radulovic, Jim Irving
SEC337 – Toyota Motor North America: Securing the cloud with AWS KMS
Imagine being tasked with collecting, analyzing, and securing data from hundreds of sources around the world, in multiple cloud and on-premises environments. Toyota Motor North America, along with Booz Allen Hamilton, has created a secure, cloud-native solution to analyze billions of messages per day using AWS Key Management Service (AWS KMS). We discuss how AWS KMS with AWS native services provides granular access and secures corporate assets with data segregation using AWS KMS encryption. Toyota uses AWS Glue, Amazon Athena, and Amazon SageMaker to generate actionable intelligence in its corporate IT and vehicle telematics environments to solve its business and analytics challenges.
Session
Raj Copparapu, Matthew Costello (Booz Allen Hamilton), Kell Rozman (Toyota)
SEC401-R – Using the AWS Encryption SDK for multi-master key encryption
In this workshop, learn the basics of client-side encryption, perform encrypt/decrypt operations using AWS Key Management Service (AWS KMS) and the AWS Encryption SDK, and discuss security and performance considerations when implementing client-side encryption in your software. We cover the basic challenges of this domain: a best practice for protecting data end-to-end with client-side encryption; KMS-style services and their uses, including AWS KMS; the open-source, open-format AWS Encryption SDK; and considerations for advanced integrations, such as performance trade-offs and high-availability strategies. All attendees need a laptop, an active AWS account, an AWS IAM administrator, and familiarity with core AWS services. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Workshop
Liz Roth, Jamie Angell
AWS Secrets Manager
SEC354-R – How the BBC uses AWS Secrets Manager to manage secrets
Join this chalk talk to hear from the BBC about their journey adopting AWS Secrets Manager for managing the lifecycle of their secrets such as database passwords, API keys, and third-party keys. In this session, you learn the key features and benefits of Secrets Manager and what factors to consider while adopting Secrets Manager across your enterprise. You will also learn how the BBC chose to go all in on Secrets Manager to meet their secrets management needs. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Chalk Talk
Divya Sridhar, Andrew Carlson
SEC302-R – DevSecOps: Integrating security into pipelines
In this workshop, you practice running an environment with a test and production deployment pipeline. Along the way, we cover topics such as static code analysis, dynamic infrastructure review, and workflow types. You also learn how to update your process in response to security events. We write new AWS Lambda functions and incorporate them into the pipeline, and we consider capabilities such as AWS Systems Manager Parameter Store and AWS Secrets Manager. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Workshop
Jonathan VanKim, Nathan Case
GPSTEC418-R – Securing your .NET container secrets
Although this Global Partner Summit builders session is open to anyone, it is geared toward current and potential AWS Partner Network Partners. As customers move .NET workloads to the cloud, many start to consider containerizing their applications because of the agility and cost savings that containers provide. Combine those compelling drivers with the multi-OS capabilities that come with .NET Core, and customers have an exciting reason to migrate their applications. A primary question is how they can safely store secrets and sensitive configuration values in containerized workloads. In this builders session, learn how to safely containerize an ASP.NET Core application while leveraging services like AWS Secrets Manager and AWS Fargate. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Builders Session
Carmen Puccio
MOB318-R – AWS AppSync does that: Support for alternative data sources
AWS AppSync supports a number of data sources out of the box, but can also support a variety of alternative data sources, including Amazon ElastiCache and Amazon Neptune. During this chalk talk, we discuss how to GraphQL-ify subscriptions to alternative data sources, including AWS services such as AWS Secrets Manager and AWS Step Functions. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Chalk Talk
Josh Kahn, Sarah Vine
Other cryptography-related sessions you might be interested in
AIM327 – Security for ML environments with Amazon SageMaker, featuring Vanguard
Amazon SageMaker is a modular, fully managed platform that enables developers and data scientists to quickly and easily build, train, and deploy machine learning models at any scale. In this session, we dive deep into the security configurations of Amazon SageMaker components, including notebooks, training, and hosting endpoints. A representative from Vanguard joins us to discuss the company’s use of Amazon SageMaker and its implementation of key controls in a highly regulated environment, including fine-grained access control, end-to-end encryption in transit, encryption at rest with customer master keys (CMKs), private connectivity to all Amazon SageMaker API operations, and comprehensive audit trails for resource and data access. If you want to build secure ML environments, this session is for you.
Session
Ilya Epshteyn, Ritesh Shah
CMP335 – Streamlining Amazon EC2 instance provisioning and management
Provisioning and managing instances is fundamental to creating a secure, scalable environment for your application. This session guides you through recommended practices for selecting instance types, provisioning resources, connecting to instances, building automation and governance, and monitoring and optimizing instance usage for your workloads. Learn how to move seamlessly from a proof of concept to an automated production environment using launch templates and newly launched features. We also cover some best practices and share tips on how you can simplify your instance launch experience.
Chalk Talk
Saloni Sonpal, Laura Thomson
CON205-R – Deploying applications using Amazon EKS
Amazon Elastic Kubernetes Service (Amazon EKS) makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. In this hands-on workshop, we cover how to set up Amazon EKS to run common production applications, including how to build a deployment pipeline, perform code updates and rollbacks with health checks, run batch workloads, set up load balancing, and manage secrets. This is the second of three workshops for running Kubernetes on AWS. Come prepared to build with a laptop; AWS credits are provided. (Note that this session is repeated three more times during the week and the additional session(s) is denoted with a suffix of “-R1, -R2, -R3”.)
Workshop
Michael Hausenblas, Theodore Salvo
DAT303 – Data security best practices on Amazon DynamoDB
In this session, learn about the security features built into Amazon DynamoDB and how you can best use them to protect your data. We show you how customers are using the available options for controlling access to their tables and the content stored within those tables. We also show you how customers are protecting the contents of their tables with encryption, and how they monitor access to their data.
Chalk Talk
Somu Perianayagam, Padma Malligarjunan
DOP409-R – Faster Cryptography in Java with Amazon Corretto Crypto Provider (ACCP)
In this session, learn how to integrate Amazon Corretto Crypto Provider (ACCP) into a sample Java application, which will significantly speed up the common cryptographic algorithms that are being performed. Then use Amazon CloudWatch to measure how ACCP improves both the latency and the throughput of the sample application. Please bring your laptop. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Builders Session
Petr Praus
MGT406-R – Eliminate bastion hosts with AWS Systems Manager Session Manager
AWS Systems Manager Session Manager improves a customer’s security posture for instance access with a browser-based and CLI interactive shell experience that requires no open inbound ports or access/jump servers, and enables customer key encryption using AWS KMS. With IAM access control, sessions audited using AWS CloudTrail, and session output logged to Amazon S3 or Amazon CloudWatch Logs, Session Manager makes it easy to control and secure access to instances in operational scenarios while complying with corporate policies and security best practices. Dive deep with the Session Manager team to see how it works for Linux or Windows instances, in the cloud, or on-premises. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Builders Session (various speakers, each with 1 session)
Spiros Liolis, Nitika Goyal
SEC205-R – The fundamentals of AWS cloud security
The services that make up AWS are many and varied, but the set of concepts you need to secure your data and infrastructure is simple and straightforward. By the end of this session, you know the fundamental patterns that you can apply to secure any workload you run in AWS with confidence. We cover the basics of network security, the process of reading and writing access management policies, and data encryption. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Session
Becky Weiss
SEC319-R – Deep dive on security in Amazon S3
At AWS, security is our top priority, and Amazon Simple Storage Service (Amazon S3) provides some of the most advanced data-security features available in the cloud today to help you mitigate security risks. In this chalk talk, learn directly from the AWS engineering team that builds and maintains Amazon S3 security functionality such as encryption, block public access, and much more. Bring your feedback, questions, and expertise to discuss innovative ways to ensure that your data is available only to the users and applications that need it. (Note that this session is repeated once more during the week and the additional session(s) is denoted with a suffix of “-R1”.)
Chalk Talk
Sam Parmett, Felix Davis
SEC348-R – Protecting sensitive data in your AWS workloads
As you start moving your data to AWS, you want to employ the appropriate controls and mechanisms to protect it. In this builders session, learn how to protect data on AWS using services such as AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), AWS CloudHSM, and AWS Secrets Manager. In particular, learn about data protection best practices that you can incorporate into your AWS architecture and use in the pursuit of your security and compliance objectives. (Note that this session is repeated three more times during the week and the additional session(s) is denoted with a suffix of “-R1, -R2, -R3”.)
Builders Session (various speakers, each with 1 session)
Ben Eichorst, Nigel Harris, Somasundaram Subbu, Soumya Sagiri
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.