BTC002-R - [REPEAT] Building Serverless Compliance-as-code Compliance-as-code is the concept of automating the evaluation of recorded configurations against desired configurations, from a security and well-architected perspective. Building Serverless Compliance-as-code is a half-day, advanced-level course designed to teach you how to use, read, and write compliance-as-code to keep an AWS environment secure and optimized. The course will conclude with a hands-on Capture the Flag tournament. The goal is to build innovative compliance-as-code to be made available to millions of AWS customers on the AWS public GitHub. Bootcamp
BTC002-R1 - [REPEAT 1] Building Serverless Compliance-as-code Compliance-as-code is the concept of automating the evaluation of recorded configurations against desired configurations, from a security and well-architected perspective. Building Serverless Compliance-as-code is a half-day, advanced-level course designed to teach you how to use, read, and write compliance-as-code to keep an AWS environment secure and optimized. The course will conclude with a hands-on Capture the Flag tournament. The goal is to build innovative compliance-as-code to be made available to millions of AWS customers on the AWS public GitHub. Bootcamp
BTC006 - AWS Certification Exam Readiness: Security - Specialty The AWS Certified Security - Specialty exam validates technical skills and experience in securing and hardening workloads and architectures on the AWS platform. Attendees with two or more years of hands-on experience designing and deploying cloud architecture on AWS should join this half-day, advanced-level course to learn how to prepare and succeed in the exam. We will help you prepare for the exam by exploring the exam’s domain areas and mapping them to specific areas to study. We will review sample exam questions in each domain area, teaching you how to interpret the concepts being tested so that you can better eliminate incorrect responses. Bootcamp
BUF001-R - [REPEAT] Build Your Own Security Chaos Testing on AWS Despite spending more on security, data breaches are continuously getting bigger and more frequent across all industries. In fact, a large portion of data breaches are caused not by sophisticated nation-state actors or hacktivists, but rather by simple things rooted in human error and system glitches. We will provide a simplified game day to build security chaos testing, based on the most prominent open source chaos tool, to perform a number of pre-defined “security chaos experiments” on AWS. Attendees will learn what Chaos Engineering is and how to design and implement their own security chaos testing on AWS. Builders Fair
BUF001-R1 - [REPEAT 1] Build Your Own Security Chaos Testing on AWS Despite spending more on security, data breaches are continuously getting bigger and more frequent across all industries. In fact, a large portion of data breaches are caused not by sophisticated nation-state actors or hacktivists, but rather by simple things rooted in human error and system glitches. We will provide a simplified game day to build security chaos testing, based on the most prominent open source chaos tool, to perform a number of pre-defined “security chaos experiments” on AWS. Attendees will learn what Chaos Engineering is and how to design and implement their own security chaos testing on AWS. Builders Fair
BUF001-R2 - [REPEAT 2] Build Your Own Security Chaos Testing on AWS Despite spending more on security, data breaches are continuously getting bigger and more frequent across all industries. In fact, a large portion of data breaches are caused not by sophisticated nation-state actors or hacktivists, but rather by simple things rooted in human error and system glitches. We will provide a simplified game day to build security chaos testing, based on the most prominent open source chaos tool, to perform a number of pre-defined “security chaos experiments” on AWS. Attendees will learn what Chaos Engineering is and how to design and implement their own security chaos testing on AWS. Builders Fair
BUF002-R - [REPEAT] Security Hub Finding Enrichment Service Quickly understanding the context and clues is critical when successfully responding to a security incident. AWS Security Hub reduces the effort of collecting and prioritizing security findings. In this Builder’s Fair demo, we show finding notifications delivered to an Amazon Chime security chat operations channel with additional context about the target EC2 Instance. Providing log data, network statistics, and vulnerability information accelerates the receiving analyst’s time to resolution. Providing URL links relevant to the incident allows the security analyst to focus on the appropriate next steps. Builders Fair
BUF002-R1 - [REPEAT 1] Security Hub Finding Enrichment Service Quickly understanding the context and clues is critical when successfully responding to a security incident. AWS Security Hub reduces the effort of collecting and prioritizing security findings. In this Builder’s Fair demo, we show finding notifications delivered to an Amazon Chime security chat operations channel with additional context about the target EC2 Instance. Providing log data, network statistics, and vulnerability information accelerates the receiving analyst’s time to resolution. Providing URL links relevant to the incident allows the security analyst to focus on the appropriate next steps. Builders Fair
BUF002-R2 - [REPEAT 2] Security Hub Finding Enrichment Service Quickly understanding the context and clues is critical when successfully responding to a security incident. AWS Security Hub reduces the effort of collecting and prioritizing security findings. In this Builder’s Fair demo, we show finding notifications delivered to an Amazon Chime security chat operations channel with additional context about the target EC2 Instance. Providing log data, network statistics, and vulnerability information accelerates the receiving analyst’s time to resolution. Providing URL links relevant to the incident allows the security analyst to focus on the appropriate next steps. Builders Fair
BUF003-R - [REPEAT] Protecting and Anonymizing PHI/PII data with AWS In this session, we demonstrate how AWS protects and anonymizes personal health information (PHI) and personally identifiable information (PII) data received from medical facilities (e.g., medical clinics, doctor’s offices, and laboratories). We show you how external data sources are legitimate using API Gateway, AWS WAF, and GuardDuty. We protect and anonymize PHI and PII data using Lake Formation, AWS Glue, Amazon Comprehend Medical, and Macie to ensure data privacy, data classification, and regulatory compliance. This demonstration can be shared with healthcare providers, healthcare partners, and the open source community. Builders Fair
BUF003-R1 - [REPEAT 1] Protecting and Anonymizing PHI/PII data with AWS In this session, we demonstrate how AWS protects and anonymizes personal health information (PHI) and personally identifiable information (PII) data received from medical facilities (e.g., medical clinics, doctor’s offices, and laboratories). We show you how external data sources are legitimate using API Gateway, AWS WAF, and GuardDuty. We protect and anonymize PHI and PII data using Lake Formation, AWS Glue, Amazon Comprehend Medical, and Macie to ensure data privacy, data classification, and regulatory compliance. This demonstration can be shared with healthcare providers, healthcare partners, and the open source community. Builders Fair
BUF003-R2 - [REPEAT 2] Protecting and Anonymizing PHI/PII data with AWS In this session, we demonstrate how AWS protects and anonymizes personal health information (PHI) and personally identifiable information (PII) data received from medical facilities (e.g., medical clinics, doctor’s offices, and laboratories). We show you how external data sources are legitimate using API Gateway, AWS WAF, and GuardDuty. We protect and anonymize PHI and PII data using Lake Formation, AWS Glue, Amazon Comprehend Medical, and Macie to ensure data privacy, data classification, and regulatory compliance. This demonstration can be shared with healthcare providers, healthcare partners, and the open source community. Builders Fair
BUF004-R - [REPEAT] Security @ AWS with PPE Detection We can apply AWS security solutions to the manufacturing world and create better physical environments for workers all around the world. This serves health and safety purposes and offers a competitive advantage for our clients, since they can minimize administrative processes and reduce labor indemnity costs. This demo shows how a camera can be used to detect Personal Protective Equipment (PPE) in real time and help to prevent injuries in the workplace. Workers without protective equipment will receive a “You are not safe” audio message, while their supervisors are notified via email or SMS. Additionally, this demo will show a QuickSight dashboard with real-time statistics on the number of people and equipment detected. Builders Fair
BUF004-R1 - [REPEAT 1] Security @ AWS with PPE Detection We can apply AWS security solutions to the manufacturing world and create better physical environments for workers all around the world. This serves health and safety purposes and offers a competitive advantage for our clients, since they can minimize administrative processes and reduce labor indemnity costs. This demo shows how a camera can be used to detect Personal Protective Equipment (PPE) in real time and help to prevent injuries in the workplace. Workers without protective equipment will receive a “You are not safe” audio message, while their supervisors are notified via email or SMS. Additionally, this demo will show a QuickSight dashboard with real-time statistics on the number of people and equipment detected. Builders Fair
BUF004-R2 - [REPEAT 2] Security @ AWS with PPE Detection We can apply AWS security solutions to the manufacturing world and create better physical environments for workers all around the world. This serves health and safety purposes and offers a competitive advantage for our clients, since they can minimize administrative processes and reduce labor indemnity costs. This demo shows how a camera can be used to detect Personal Protective Equipment (PPE) in real time and help to prevent injuries in the workplace. Workers without protective equipment will receive a “You are not safe” audio message, while their supervisors are notified via email or SMS. Additionally, this demo will show a QuickSight dashboard with real-time statistics on the number of people and equipment detected. Builders Fair
BUF005-R - [REPEAT] Detect Social Engineering While It Happens In this session we will show how a potential social engineering attack is detected. As an attendee you can place a call, and when you utter certain phrases, the receiver of the call is notified via SMS that they could be under a social engineering attack. The phone number is added to a list and blocked from calling in the future. Builders Fair
BUF005-R1 - [REPEAT 1] Detect Social Engineering While It Happens In this session we will show how a potential social engineering attack is detected. As an attendee you can place a call, and when you utter certain phrases, the receiver of the call is notified via SMS that they could be under a social engineering attack. The phone number is added to a list and blocked from calling in the future. Builders Fair
BUF005-R2 - [REPEAT 2] Detect Social Engineering While It Happens In this session we will show how a potential social engineering attack is detected. As an attendee you can place a call, and when you utter certain phrases, the receiver of the call is notified via SMS that they could be under a social engineering attack. The phone number is added to a list and blocked from calling in the future. Builders Fair
BUF006-R - [REPEAT] Augmented Face Recognition with Life Detection for User Authentication Traditional authentication mechanisms involving face recognition cannot usually distinguish between real faces and photos. In this project we demonstrate an augmented face recognition mechanism, where we combine traditional visual recognition approaches with an additional test to prevent impersonations using a face photo. Our augmented approach consists of asking the user to read a random word pattern and then contrast the lip movements with the requested pattern, while checking that lip movements come from the same face. This authentication mechanism can be applied for fraud prevention and detection in ATMs, booths and other portable devices (e.g., mobile apps). Builders Fair
BUF006-R1 - [REPEAT 1] Augmented Face Recognition with Life Detection for User Authentication Traditional authentication mechanisms involving face recognition cannot usually distinguish between real faces and photos. In this project we demonstrate an augmented face recognition mechanism, where we combine traditional visual recognition approaches with an additional test to prevent impersonations using a face photo. Our augmented approach consists of asking the user to read a random word pattern and then contrast the lip movements with the requested pattern, while checking that lip movements come from the same face. This authentication mechanism can be applied for fraud prevention and detection in ATMs, booths and other portable devices (e.g., mobile apps). Builders Fair
BUF006-R2 - [REPEAT 2] Augmented Face Recognition with Life Detection for User Authentication Traditional authentication mechanisms involving face recognition cannot usually distinguish between real faces and photos. In this project we demonstrate an augmented face recognition mechanism, where we combine traditional visual recognition approaches with an additional test to prevent impersonations using a face photo. Our augmented approach consists of asking the user to read a random word pattern and then contrast the lip movements with the requested pattern, while checking that lip movements come from the same face. This authentication mechanism can be applied for fraud prevention and detection in ATMs, booths and other portable devices (e.g., mobile apps). Builders Fair
BUF007-R - [REPEAT] WOPR: WAF Operations Play Room The gamified demonstration brings out the complex, time-consuming, error-prone nature of crafting WAF mitigations when your web application is under attack. Join the game and see how fast you can mitigate a simulated web application attack. Can you block a brute force attack or bot activity? Step right up and see how quickly you can stop the badness. Builders Fair
BUF007-R1 - [REPEAT 1] WOPR: WAF Operations Play Room The gamified demonstration brings out the complex, time-consuming, error-prone nature of crafting WAF mitigations when your web application is under attack. Join the game and see how fast you can mitigate a simulated web application attack. Can you block a brute force attack or bot activity? Step right up and see how quickly you can stop the badness. Builders Fair
BUF007-R2 - [REPEAT 2] WOPR: WAF Operations Play Room The gamified demonstration brings out the complex, time-consuming, error-prone nature of crafting WAF mitigations when your web application is under attack. Join the game and see how fast you can mitigate a simulated web application attack. Can you block a brute force attack or bot activity? Step right up and see how quickly you can stop the badness. Builders Fair
BUF008-R - [REPEAT] Securing Alexa skills with 2 Factor Authentication and Alexa for Business With a voice-first design strategy, many organizations are building voice-enabled solutions using Alexa. These solutions range from mission-critical operations and reporting company KPIs to increasing worker productivity. Securing Alexa skills is a paramount need and customers are looking for options to secure Alexa Skills. We will demonstrate how to secure Alexa Skills by deploying them as Private Skills (using Alexa for Business) and implementing two-factor authentication using a 6-digit security PIN sent to enrolled Skill users via SMS and by performing facial recognition using Amazon Rekognition with Amazon Cognito. Builders Fair
BUF008-R1 - [REPEAT 1] Securing Alexa skills with 2 Factor Authentication and Alexa for Business With a voice-first design strategy, many organizations are building voice-enabled solutions using Alexa. These solutions range from mission-critical operations and reporting company KPIs to increasing worker productivity. Securing Alexa skills is a paramount need and customers are looking for options to secure Alexa Skills. We will demonstrate how to secure Alexa Skills by deploying them as Private Skills (using Alexa for Business) and implementing two-factor authentication using a 6-digit security PIN sent to enrolled Skill users via SMS and by performing facial recognition using Amazon Rekognition with Amazon Cognito. Builders Fair
BUF008-R2 - [REPEAT 2] Securing Alexa skills with 2 Factor Authentication and Alexa for Business With a voice-first design strategy, many organizations are building voice-enabled solutions using Alexa. These solutions range from mission-critical operations and reporting company KPIs to increasing worker productivity. Securing Alexa skills is a paramount need and customers are looking for options to secure Alexa Skills. We will demonstrate how to secure Alexa Skills by deploying them as Private Skills (using Alexa for Business) and implementing two-factor authentication using a 6-digit security PIN sent to enrolled Skill users via SMS and by performing facial recognition using Amazon Rekognition with Amazon Cognito. Builders Fair
CTC001 - Cradles to Crayons Join AWS in supporting Cradles to Crayons. The nonprofit provides children from birth through age 12 living in homeless or low-income situations and struggling with Clothing Insecurity with the essential items they need to thrive—at home, at school, and at play. At AWS re:Inforce, we will be working with Cradles to Crayons on a program that provides Hygiene Care Kits to those children between the ages of 10-12 in Massachusetts. Get involved by putting together a Hygiene Care Kit or two on Wednesday, June 26th from 7:00AM-11:00AM: Level 1, North Lobby. General Activity
CTF001-R - [REPEAT] Capture the flag There are two parts of this event that run simultaneously: a traditional Jeopardy-style part and a Castle Defense part. The Jeopardy-style part allows you to work at your own pace through a number of security challenges to identify a specific answer (flag). There are challenges that revolve around mobile apps, quantum physics, exploits, data processing, and, of course, AWS services. During the Castle Defense part, you get a production workload that you need to harden and protect against a number of security events that occur within your environment. The winner will have the top combined score of both parts. You can work on both parts during breaks, lunch, or overnight. General Activity
CTF001-R1 - [REPEAT 1] Capture the flag There are two parts of this event that run simultaneously: a traditional Jeopardy-style part and a Castle Defense part. The Jeopardy-style part allows you to work at your own pace through a number of security challenges to identify a specific answer (flag). There are challenges that revolve around mobile apps, quantum physics, exploits, data processing, and, of course, AWS services. During the Castle Defense part, you get a production workload that you need to harden and protect against a number of security events that occur within your environment. The winner will have the top combined score of both parts. You can work on both parts during breaks, lunch, or overnight. General Activity
DEM01-R - [REPEAT] Build anywhere; Secure everywhere Developers want to build quickly and deliver powerful application experiences to every user. In this session, we show how you can enable agile development while securing your entire application footprint. Akamai’s intelligent edge security solutions surround and extend your entire architecture for a single policy that’s adaptive, integrated, and consistently secure. Combine that with the power of AWS, and you have a total edge ecosystem that’s unparalleled in its ability to deliver and protect amazing experiences everywhere. Don’t just build—build better with Akamai. Demo Session Ari Weil
DEM01-R1 - [REPEAT 1] Build anywhere; Secure everywhere Developers want to build quickly and deliver powerful application experiences to every user. In this session, we show how you can enable agile development while securing your entire application footprint. Akamai’s intelligent edge security solutions surround and extend your entire architecture for a single policy that’s adaptive, integrated, and consistently secure. Combine that with the power of AWS, and you have a total edge ecosystem that’s unparalleled in its ability to deliver and protect amazing experiences everywhere. Don’t just build—build better with Akamai. Demo Session Ari Weil
DEM02-R - [REPEAT] Accelerated Threat Detection: Alert Logic and AWS Over the last 7 years, Alert Logic has helped AWS customers achieve enhanced security and peace of mind. Learn how positive security outcomes are attained by combining human expertise and the latest in AWS security in this engaging session with Jack Danahy, SVP of Security at Alert Logic, and Zach Vinduska, VP of IT Infrastructure and Security at ClubCorp. Hear real-world examples of how expert defenders in Alert Logic’s 24/7 Security Operations Center can help you quickly detect threats, verify them as incidents, and support you in responding quickly and effectively. Demo Session Jack Danahy Zach Vinduska
DEM02-R1 - [REPEAT 1] Accelerated threat detection: Alert Logic and AWS Over the last seven years, Alert Logic has helped AWS customers achieve enhanced security and peace of mind. Learn how positive security outcomes are attained by combining human expertise and the latest in AWS security in this engaging session with Jack Danahy, SVP of security at Alert Logic, and Zach Vinduska, VP of IT infrastructure, security, and compliance at ClubCorp. Hear real-world examples of how expert defenders in Alert Logic’s 24/7 security operations center can help you quickly detect threats, verify them as incidents, and respond swiftly and effectively. Demo Session Jack Danahy Zach Vinduska
DEM03-R - [REPEAT] How to Leverage Traffic Analysis to Navigate through Cloudy Skies How do you establish and maintain consistent security and governance across your dynamic AWS environments, with visibility and control of your security posture? Zohar Alon, Head of Cloud Product Line at Check Point and former CEO of Dome9, discusses security best practices as you scale across VPCs, accounts and regions. He covers considerations and recommendations for network, control plane and identities when building your cloud security strategy. Understand how security orchestration and active protection tools secure your cloud journey. Discover new ways to leverage traffic analysis for security intelligence, threat detection and auto-remediation. Demo Session Zohar Alon
DEM03-R1 - [REPEAT 1] How to leverage traffic analysis to navigate through cloudy skies How do you establish and maintain consistent security and governance across your dynamic AWS environments with visibility and control of your security posture? Zohar Alon, head of cloud product line at Check Point and former CEO of Dome9, discusses security best practices for scaling across virtual private clouds (VPCs), accounts, and regions. He covers considerations and recommendations for networks, control planes, and identities when building your cloud security strategy. In this session, learn how security orchestration and active protection tools secure your cloud journey. Discover new ways to leverage traffic analysis for security intelligence, threat detection, and auto-remediation. Demo Session Zohar Alon
DEM04-R - [REPEAT] Best practices for privileged access & secrets management in the cloud In this session, you learn from real-world scenarios related to privileged access security in cloud environments. Experts from TOTVS and CyberArk provide insights from lessons learned while securing commercial SaaS applications, cloud infrastructure, and internal applications deployed in the cloud. Topics covered include privilege and cloud scenarios (e.g., human access models, support for automation, proactive controls, and programmatic deployment), as well as best practices and augmentation of existing security controls for privilege and secrets management on the AWS Cloud. We also cover limited use of root accounts, considerations for human administrator access in the cloud, and success with hybrid cloud environments. Demo Session Leandro Soares Costa Brandon Traffanstedt
DEM04-R1 - [REPEAT 1] Best practices for privileged access & secrets management in the cloud  In this session, you learn from real-world scenarios related to privileged access security in cloud environments. Experts from TOTVS and CyberArk provide insights from lessons learned while securing commercial SaaS applications, cloud infrastructure, and internal applications deployed in the cloud. Topics covered include privilege and cloud scenarios (e.g., human access models, support for automation, proactive controls, and programmatic deployment), as well as best practices and augmentation of existing security controls for privilege and secrets management on the AWS Cloud. We also cover limited use of root accounts, considerations for human administrator access in the cloud, and success with hybrid cloud environments. Demo Session Brandon Traffanstedt Leandro Soares Costa
DEM05-R - [REPEAT] Shifting everywhere: Security and the cloud at 3M in the ’20s The cloud has been a topic of interest and excitement for more than a decade, but many organizations are still trying to figure out how to balance security with the freedom to use the cloud to innovate. Jason Pryor, cloud security engineering manager for 3M, shares how he is approaching cloud security at 3M today and where he believes that cloud security needs to go as we enter a new decade. Come hear how security has to adapt in the cloud era to support new business rules everywhere. Demo Session Jason Pryor
DEM05-R1 - [REPEAT 1] Shifting Everywhere: Security and Cloud at 3M in the ’20s Cloud has been the talk of the town for more than a decade, but many organizations are still trying to figure out how to balance security with the freedom to use the cloud to innovate. Jason Pryor, Cloud Security Engineering Manager for 3M, shares how he is approaching cloud security at 3M today, and where he believes cloud security needs to go as we enter a new decade. Come hear how security has to adapt in the cloud era to support new business rules everywhere. Demo Session Jason Pryor
DEM06 - Making application threat intelligence practical The daily volume of cyberattacks that target applications and the frequency of associated breaches is overwhelming to even the most experienced security professionals. We cover important lessons learned from F5 Labs’ analysis of global attack data and breach root causes that are attributed to application threats. This helps you understand attackers’ top targets and motives and the changing application security landscape of systems used to launch application attacks. Addressing these threats requires practical controls that organizations can be successful with. We offer tips and tricks that you can work on immediately to address common application threats and appropriately prioritize your application security controls. Demo Session Preston Hogue
DEM07 - Integrating network and API security into your application lifecycle In this session, we discuss the contention between traditional network security practices and the agile development processes typically associated with cloud computing. We also introduce new approaches used by Fortinet customers that help cloud teams and security teams share a common language and secure their business more effectively—without introducing additional friction and operational overhead. Demo Session Lior Cohen
DEM08 - Build security into your golden AMI pipeline In agile and elastic environments, having real-time visibility into instances and ensuring that they are secure and compliant is critical. Solutions must work with your DevOps tools to provide visibility without slowing down your release cadence. In this session, Qualys shares how you can implement an AWS golden AMI pipeline that is integrated with Qualys to assess your AMIs and monitor the instances for changes in production. Learn how Ancestry uses Qualys in its CI/CD pipeline to secure its applications and track approved AMIs. Using Qualys, Ancestry was able to reduce the vulnerabilities in its application deployments by 80 percent in a few months. Demo Session Hari Srinivasan
DEM09 - Monitoring and administrating privileged access in the cloud A key security consideration for the enterprise is monitoring and administrating privileged access for business-critical applications that are running on the AWS Cloud. Join Saviynt in this session and learn how to request, fulfill, certify, and govern privileged assets in the cloud with Saviynt’s Cloud privileged access management (PAM) solution. Saviynt covers best practices and the benefits of securing privileged access in the cloud, ranging from the AWS Management Console to elastic workloads. This session helps you understand why privileged access is a cornerstone of best practices and compliance for cloud security. Demo Session Nabeel Nizar
DEM10 - Keep That Silver Lining Inside Your Cloud Cloud is here, and AWS is leading the charge in enabling customers to migrate their data centers and data to the cloud. With these changing needs, enterprises need a proactive, automated approach to monitoring and securing the cloud infrastructure. During this session, learn how a major financial institution made a smooth transition to the AWS Cloud and about their journey in securing their IaaS infrastructure, starting from visibility, protecting their workloads, data, and users, and at the same time staying compliant with PCI-DSS and SOC2. AWS services working in tandem with Symantec solutions make this automation and continuous protection possible. Demo Session Anand Visvanathan
DEM11-R - [REPEAT] Pragmatic container security Containers accelerate development and address the challenges of application packaging and delivery. Thanks to containers, teams can quickly and reliably deploy their applications. But solutions always come with a cost. Containers simplify the developer experience by pushing complexity down into the infrastructure. This shift requires a change in the security approach in order to preserve the advantages that containers bring. In this talk, we use practical examples to understand the security strategy using the AWS shared responsibility model, and we cover tactics that you need to continue accelerating development while meeting your container deployment security goals on AWS. Demo Session Jeff Westphal
DEM11-R1 - [REPEAT 1] Pragmatic Container Security Containers accelerate development. They address the challenge of application packaging and delivery. Thanks to containers, teams can quickly and reliably deploy their applications. But solutions always come with a cost. Containers simplify the developer experience by pushing complexity down into the infrastructure. This shift requires a change in the security approach in order to preserve the advantages containers bring. In this talk, we use practical examples to understand the security strategy, using the AWS Shared Responsibility Model, and cover tactics you need to continue to accelerate development while meeting your container deployment security goals on AWS. Demo Session Jeff Westphal
DEM12-R - [REPEAT] Governance for the Cloud Age In this session, we define cloud governance and explain its role in achieving security, compliance, and architecture best practices. Using real-world case studies from Fortune 100 enterprises, we demonstrate how governance automation is being used to accelerate the migration and ongoing operations of hundreds of enterprise applications, all while increasing visibility and control for the enterprise. Demo Session Nathan Wallace
DEM12-R1 - [REPEAT 1] Governance for the cloud age In this session, we define cloud governance and explain its role in achieving security, compliance, and architecture best practices. Using real-world case studies from Fortune 100 enterprises, we demonstrate how governance automation is being used to accelerate the migration and ongoing operations of hundreds of enterprise applications. We also explain how this is achieved while increasing visibility and control for the enterprise. Demo Session Nathan Wallace
DEM13 - Modernizing Traditional Security As containers become the commonplace method for delivering and deploying applications, we’ve seen more of our customers taking a “lift-and-shift” approach to migrating their existing applications. In this session, John Morello from Twistlock discusses a non-profit that provides environmental science and engineering oversight to some of the world’s largest civil waterworks projects. This organization relies on a critical 14-year-old app that models storm surge. The move to containers for this application delivered immediate benefits, making it easier to manage vulnerabilities, ensure regulatory compliance, and provide runtime defense. In this session, we break down the security advantages of containers relative to traditional architectures. Demo Session John Morello
DEM14 - Integrating AppSec into Your DevSecOps on AWS DevSecOps is driving the use of security testing throughout the application lifecycle, from initial development to product monitoring. Application security testing is unlike other forms of security in that it directly impacts the daily routines of developers. John Maski, the former director of DevSecOps at AT&T, discusses securing CI/CD pipelines in enterprise environments and “shifting left” with security. He reveals best practices gained from moving AT&T’s primary DevOps practice to a DevSecOps practice using static and dynamic application security testing. You’ll discover why strong executive sponsorship, a cultural shift, and solid cross-organization teaming are critical and how they can be the way forward to your own DevSecOps success. Demo Session John Maski
DEM15 - AWS Security Hub: Centrally manage security alerts & automate compliance Stop by for an introduction to AWS Security Hub, a security service that gives you a comprehensive view of your high-priority security alerts and compliance statuses across AWS accounts. Demo Session Ely Kahn Scott Ward
DEM16 - Centralize software procurement governance & enable quick innovation Developers use third-party solutions to build faster. IT admins rely on procurement systems to ensure that these solutions comply with company security policies. Procurement system integration is a new feature that supports both developers and IT admins by allowing enterprises to integrate AWS Marketplace with leading procurement systems like Coupa. In this demonstration, we walk through how AWS Marketplace and Coupa work together to help builders find, buy, and deploy over 4,800 solutions, while letting IT admins streamline approvals and manage spending directly from Coupa. We also provide step-by-step instructions on how to set up Procurement System Integration. Demo Session Sagar Khasnis
DEV01 - Advanced security automation made simple Security is often misunderstood and addressed in the last stages of a build. Operationally, it’s ignored until there is an emergency. In this talk, we review a few advanced security processes and discuss how to easily automate them using common tools in the AWS Cloud. This approach helps you and your team increase the security of your build while reducing the overall operational requirement of security in your stack. Leave this dev chat with everything you need to start automating security. Dev Chat Mark Nunnikhoven
DEV02 - How to use AI to make your cloud more secure From bots to robots, intelligence engineering is changing the way we interact with the world around us. Cybersecurity systems that run in cloud environments have the ability to create massive data sets, which can benefit from real-time analysis and action. Learn how artificial intelligence (AI) and machine learning can be leveraged across your enterprise to transform cloud security at scale. Dev Chat Alice Rison
DEV03 - Learn to love the AWS Command Line Interface The AWS Command Line Interface (AWS CLI) allows developers to automate some of the most common tasks. Learn 20 of A Cloud Guru’s favorite commands in just 20 minutes! Dev Chat Ryan Kroonenburg
DEV04 - IoT security: Prevent your devices from becoming attack vectors The Internet of Things (IoT) is enabling new and existing businesses to build better products, provide new services, and improve business outcomes through a more connected world. The same connectivity provides malicious actors with billions of new targets to steal data from, take control of systems from, or otherwise wreak havoc on. In this talk, we discuss key threats to be aware of when building an IoT device or platform. We also cover ways to mitigate the risks. Dev Chat Amir Kashani
DEV05 - Security from a developer perspective Developers often think of security as an external requirement to their work or even as an implementation on top of the systems that they build. In this talk, we review why developers should care about security in their own work, how they should think about risk, and how they can become security champions in their organizations. Dev Chat Ben Kehoe
DEV06 - Tips and best practices for the AWS security specialty certification AWS launched a security certification that allows specialists to demonstrate their skills, which are in high demand. Learn about the major areas of security and the AWS services that you need to know in order to become a security specialist and obtain the AWS certification. Dev Chat Faye Ellis
DEV07 - Dear devs, impress your CISO by building strong from the start With the move to full-stack developers taking on more responsibilities for their infrastructure and applications, having a thorough understanding of security best practices is a critical skill. Join this dev chat to learn the ten biggest issues that are created by poor development practices and how developers can avoid becoming a security threat to their own company. Leave with the know-how to avoid common pitfalls and to ensure that you are strengthening your company’s security. Dev Chat Terren Peterson
DEV08 - Threat hunting in CloudTrail and GuardDuty This dev chat covers how WarnerMedia uses Amazon GuardDuty, AWS CloudTrail, and an in-house inventory tool (Antiope) to root out cloud vulnerabilities, insecure behavior, and potential account compromise activities across a large number of accounts. We cover how WarnerMedia centralizes and automates its security tooling, offer detailed Splunk queries for GuardDuty and CloudTrail, and discuss how Antiope is used for vulnerability hunting. Leave this chat with a strategy and an actionable set of detections for finding potential data breaches and account compromises. Dev Chat Chris Farris
DEV09 - Architecting your cloud with security in mind Learn how you can use the AWS Well-Architected Tool to help you ask the right questions when building an AWS environment with security in mind. In this talk, we review the principles of architecture with a focus on security best practices from the perspective of the AWS WA Tool. Dev Chat Chris Williams
DEV10 - Are you ready for a Cloud pentest? What exactly is an AWS penetration test? This session covers the different aspects of cloud security that a penetration test can address. Do you know your test scope? Do you want an internal scan? An external scan? What about exploitation? Exfiltration? What about devices and software that are accessing your cloud? What about social engineering and phishing? And are you ready for a penetration test? Other options could be more effective at improving cloud security in your organization prior to carrying out a penetration test. Join us to chat about these topics! Dev Chat Teri Radichel
DEV11 - Stop PII leaks in a hybrid cloud environment with AI The business need to protect sensitive data, such as personally identifiable information (PII), on premises and in the cloud cannot be overemphasized. Enterprises must effectively detect and quarantine sensitive data based on their own data classification schemes before that data crosses the perimeter. Join Sri Krishnamacharya from Equifax as he demonstrates the use of Natural Language Toolkit (NLTK) libraries and Amazon Comprehend to consistently read, tag, and classify data based on a proprietary classification scheme, both on premises and in the cloud. Dev Chat Sri Krishnamacharya
DEV12 - Serverless security: Best practices and mitigation strategies There are many inherent security benefits of using serverless, such as the elimination of the need to patch servers or allow direct network access to functions. However, using serverless does introduce additional complexities to how we build, deploy, and secure applications. In this talk, we examine some common attack vectors, introduce several serverless security best practices, and discuss how we can apply those best practices to increase our overall security posture. Dev Chat Jeremy Daly
FND201-R - [REPEAT] AWS Executive Security Simulation In this workshop, senior security management, IT, and business executive teams participate in an experiential exercise that illuminates the key decision points of a successful and secure cloud journey. During the team-based, game-like simulation, participants leverage an industry case study and make strategic decisions and investments around security, risk, and compliance. Participants experience the impact of these investments and decisions on the critical aspects of their secure cloud adoption. They also learn applicable decision and investment approaches to specific secure cloud adoption journeys. They walk through real-life examples, receive practical advice from AWS facilitators, and they leave with an understanding of the major success factors for building security, risk, and compliance in the cloud. This workshop is designed for executives who are leading a secure cloud journey, including the CISO, senior security and risk management leaders, and CIO/CTO. Non-IT participants who are key to executing the cloud security strategy are also encouraged to attend. Workshop Gili Lev
FND201-R1 - [REPEAT 1] AWS Executive Security Simulation In this workshop, senior security management, IT, and business executive teams participate in an experiential exercise that illuminates the key decision points of a successful and secure cloud journey. During the team-based, game-like simulation, participants leverage an industry case study and make strategic decisions and investments around security, risk, and compliance. Participants experience the impact of these investments and decisions on the critical aspects of their secure cloud adoption. They also learn applicable decision and investment approaches to specific secure cloud adoption journeys. They walk through real-life examples, receive practical advice from AWS facilitators, and they leave with an understanding of the major success factors for building security, risk, and compliance in the cloud. This workshop is designed for executives who are leading a secure cloud journey, including the CISO, senior security and risk management leaders, and CIO/CTO. Non-IT participants who are key to executing the cloud security strategy are also encouraged to attend. Workshop Gili Lev
FND202-R - [REPEAT] Privacy by design on AWS This workshop is designed to support customers who apply due diligence and discovery efforts around data privacy regulations and compliance frameworks. We provide an introductory overview of AWS and data privacy. We also discuss the AWS shared responsibility model and where data can live in AWS environments. Finally, we give an overview of the available AWS services and features that support data privacy compliance. Workshop Jonathan Jenkyn Tomas Clemente Sanchez
FND202-R1 - [REPEAT 1] Privacy by design on AWS This workshop is designed to support customers who apply due diligence and discovery efforts around data privacy regulations and compliance frameworks. We provide an introductory overview of AWS and data privacy. We also discuss the AWS shared responsibility model and where data can live in AWS environments. Finally, we give an overview of the available AWS services and features that support data privacy compliance. Workshop Tomas Clemente Sanchez Jonathan Jenkyn
FND203-R - [REPEAT] Mitigate risk using cloud-native infrastructure security Whether you're migrating existing workloads or creating something new in AWS, it can be tempting to bring your current security solutions with you. In this builder session, we help you identify which cloud-native solutions can mitigate the same risks while providing scalability, reliability, and cost optimization at a low operational burden. Builders Session Cassia Martin
FND203-R1 - [REPEAT 1] Mitigate risk using cloud-native infrastructure security Whether you're migrating existing workloads or creating something new in AWS, it can be tempting to bring your current security solutions with you. In this builder session, we help you identify which cloud-native solutions can mitigate the same risks while providing scalability, reliability, and cost optimization at a low operational burden. Builders Session Cassia Martin
FND203-R2 - [REPEAT 2] Mitigate risk using cloud-native infrastructure security Whether you're migrating existing workloads or creating something new in AWS, it can be tempting to bring your current security solutions with you. In this builder session, we help you identify which cloud-native solutions can mitigate the same risks while providing scalability, reliability, and cost optimization at a low operational burden. Builders Session Cassia Martin
FND203-R3 - [REPEAT 3] Mitigate risk using cloud-native infrastructure security Whether you're migrating existing workloads or creating something new in AWS, it can be tempting to bring your current security solutions with you. In this builder session, we help you identify which cloud-native solutions can mitigate the same risks while providing scalability, reliability, and cost optimization at a low operational burden. Builders Session Cassia Martin
FND204-R - [REPEAT] Sharing services securely across VPCs and accounts In this builder session, we briefly introduce AWS PrivateLink, and then we build an application service that we will securely make available to consumers in a different account using AWS PrivateLink. Attendees also experience using AWS services that support secure access using VPC endpoints. Builders Session Neeraj Verma
FND204-R1 - [REPEAT 1] Sharing services securely across VPCs and accounts In this builder session, we briefly introduce AWS PrivateLink, and then we build an application service that we will securely make available to consumers in a different account using AWS PrivateLink. Attendees also experience using AWS services that support secure access using VPC endpoints. Builders Session Neeraj Verma
FND204-R2 - [REPEAT 2] Sharing services securely across VPCs and accounts In this builder session, we briefly introduce AWS PrivateLink, and then we build an application service that we will securely make available to consumers in a different account using AWS PrivateLink. Attendees also experience using AWS services that support secure access using VPC endpoints. Builders Session Neeraj Verma
FND205-R - [REPEAT] IAM at enterprise scale: Patterns and tradeoffs In order to balance developer productivity and security goals, like the principle of least privilege, AWS recommends that enterprises implement a multi-account strategy using AWS Organizations, AWS Identity and Access Management (IAM) roles, and other related services. However, this presents operational challenges for identity and access management. In this chalk talk, we describe the key building blocks of an enterprise solution using IAM, and we compare four patterns for addressing this challenge: fine-grained, departmental, AWS centric, and native IAM. Chalk Talk Kenneth Jackson Ilya Epshteyn
FND205-R1 - [REPEAT 1] IAM at enterprise scale: Patterns and tradeoffs In order to balance developer productivity and security goals, like the principle of least privilege, AWS recommends that enterprises implement a multi-account strategy using AWS Organizations, AWS Identity and Access Management (IAM) roles, and other related services. However, this presents operational challenges for identity and access management. In this chalk talk, we describe the key building blocks of an enterprise solution using IAM, and we compare four patterns for addressing this challenge: fine-grained, departmental, AWS centric, and native IAM. Chalk Talk Kenneth Jackson Ilya Epshteyn
FND206-R - [REPEAT] Delegating permissions management using IAM permissions boundaries As organizations grow, administrators want to allow trusted employees to configure and manage IAM permissions so their organizations can scale permission management and move workloads to AWS faster. In this session, we introduce permissions boundaries—a powerful tool that controls the maximum permissions an employee can grant—and we demonstrate how to use them to delegate permissions to developers. We also help customers implement a use case for permissions boundaries and help them delegate permissions to their developers. Attendees should know how to create IAM permissions policies, users, and roles. Chalk Talk Dan Popick Sulay Shah
FND206-R1 - [REPEAT 1] Delegating permissions management using IAM permissions boundaries As organizations grow, administrators want to allow trusted employees to configure and manage IAM permissions so their organizations can scale permission management and move workloads to AWS faster. In this session, we introduce permissions boundaries—a powerful tool that controls the maximum permissions an employee can grant—and we demonstrate how to use them to delegate permissions to developers. We also help customers implement a use case for permissions boundaries and help them delegate permissions to their developers. Attendees should know how to create IAM permissions policies, users, and roles. Chalk Talk Sulay Shah Dan Popick
FND207-R - [REPEAT] Building a well-engaged and secure AWS account access management Building a well-managed and secure AWS account access management for enterprise customers and AWS partners is essential for managing a large number of AWS accounts. In this session, we review new features, best practices, and the risks involved when architecting organizational units. We also cover how to build dynamic access structures. Workshop Marcus Fritsche
FND207-R1 - [REPEAT 1] Building a well-engaged and secure AWS account access management Building a well-managed and secure AWS account access management for enterprise customers and AWS partners is essential for managing a large number of AWS accounts. In this session, we review new features, best practices, and the risks involved when architecting organizational units. We also cover how to build dynamic access structures. Workshop Marcus Fritsche
FND208-R - [REPEAT] SOARing in AWS Is your organization struggling to keep up with the current threat landscape? Security operations rely primarily on manually created and maintained document-based procedures, which lead to issues such as long mean time to response, ancestral knowledge, and inconsistencies in executing operational functions. If these are your challenges, then you can use a Security Orchestration, Automation, and Response (SOAR) mechanism within AWS. In traditional environments, this required considerable investment, but on AWS, the same objectives are achieved in a cost-effective manner. This session allows you to explore and dive deep into AWS services that can enable SOAR in your AWS environment. Builders Session Farhan Farooq
FND208-R1 - [REPEAT 1] SOARing in AWS Is your organization struggling to keep up with the current threat landscape? Security operations rely primarily on manually created and maintained document-based procedures, which lead to issues such as long mean time to response, ancestral knowledge, and inconsistencies in executing operational functions. If these are your challenges, then you can use a Security Orchestration, Automation, and Response (SOAR) mechanism within AWS. In traditional environments, this required considerable investment, but on AWS, the same objectives are achieved in a cost-effective manner. This session allows you to explore and dive deep into AWS services that can enable SOAR in your AWS environment. Builders Session Farhan Farooq
FND208-R2 - [REPEAT 2] SOARing in AWS Is your organization struggling to keep up with the current threat landscape? Security operations rely primarily on manually created and maintained document-based procedures, which lead to issues such as long mean time to response, ancestral knowledge, and inconsistencies in executing operational functions. If these are your challenges, then you can use a Security Orchestration, Automation, and Response (SOAR) mechanism within AWS. In traditional environments, this required considerable investment, but on AWS, the same objectives are achieved in a cost-effective manner. This session allows you to explore and dive deep into AWS services that can enable SOAR in your AWS environment. Builders Session Farhan Farooq
FND209-R - [REPEAT] The fundamentals of AWS cloud security The services that make up AWS are many and varied, but the set of concepts you need to secure your data and infrastructure is simple and straightforward. By the end of this session, you will know the fundamental patterns that you can apply to secure any workload you run in AWS with confidence. We cover the basics of network security, the process of reading and writing access management policies, and data encryption. Session Becky Weiss
FND209-R1 - [REPEAT 1] The fundamentals of AWS cloud security The services that make up AWS are many and varied, but the set of concepts you need to secure your data and infrastructure is simple and straightforward. By the end of this session, you will know the fundamental patterns that you can apply to secure any workload you run in AWS with confidence. We cover the basics of network security, the process of reading and writing access management policies, and data encryption. Session Becky Weiss
FND210 - Implementing your landing zone One of the first questions that customers ask during their cloud journeys is how to establish and build AWS environments or landing zones. In this session, we discuss best practices for establishing a scalable approach and necessary landing zone framework. We present an overview of the approach and solutions to help you implement a landing zone. We also introduce the AWS Landing Zone, which is an automated solution for setting up a robust, flexible AWS environment, and we discuss how it reduces the time needed to get started. Finally, we provide a high-level overview of AWS Control Tower and how it fits into the overall approach. Session Sam Elmalak
FND211-R - [REPEAT] AWS VPN solutions Many enterprises, on their journey to the cloud, require consistent and highly secure connectivity among their existing data centers, their staff, and AWS environments. In this session, we walk through the different architecture options for establishing this connectivity using AWS Site-to-Site VPN and AWS Client VPN. For each option, we evaluate the considerations and discuss performance, high availability, encryption, and cost. Builders Session Tom Adamski
FND211-R1 - [REPEAT 1] AWS VPN solutions Many enterprises, on their journey to the cloud, require consistent and highly secure connectivity among their existing data centers, their staff, and AWS environments. In this session, we walk through the different architecture options for establishing this connectivity using AWS Site-to-Site VPN and AWS Client VPN. For each option, we evaluate the considerations and discuss performance, high availability, encryption, and cost. Builders Session Kaartik Viswanath
FND211-R2 - [REPEAT 2] AWS VPN solutions Many enterprises, on their journey to the cloud, require consistent and highly secure connectivity among their existing data centers, their staff, and AWS environments. In this session, we walk through the different architecture options for establishing this connectivity using AWS Site-to-Site VPN and AWS Client VPN. For each option, we evaluate the considerations and discuss performance, high availability, encryption, and cost. Builders Session Kaartik Viswanath
FND212 - Amazon FreeRTOS security best practices Amazon FreeRTOS is an open-source operating system for cloud-connected embedded devices. As customers start working on embedded Internet of Things projects, they ask AWS for security best practices. In this session, we discuss provisioning, device authentication and authorization, secure software updates, and monitoring. Finally, we show these lifecycle considerations in context by demonstrating an over-the-air firmware update to an embedded developer board, highlighting the many security-relevant steps in the workflow. Session Dan Griffin
FND213-R - [REPEAT] Hands-on with AWS Security Hub AWS Security Hub has the ability to ingest security findings from third-party security partners or security findings that organizations generate on their own. Additionally, the custom event feature of Security Hub allows organizations to make the appropriate response to a finding. In this session, get hands-on experience with Security Hub by integrating third-party security findings for your AWS environment, building out your own custom security finding integration, and defining and implementing custom events to respond to the security findings in your AWS environment. Workshop Scott Ward Joshua Hammer
FND213-R1 - [REPEAT 1] Hands-on with AWS Security Hub AWS Security Hub has the ability to ingest security findings from third-party security partners or security findings that organizations generate on their own. Additionally, the custom event feature of Security Hub allows organizations to make the appropriate response to a finding. In this session, get hands-on experience with Security Hub by integrating third-party security findings for your AWS environment, building out your own custom security finding integration, and defining and implementing custom events to respond to the security findings in your AWS environment. Workshop Joshua Hammer Scott Ward
FND214 - An AWS approach to higher standards of assurance with provable security In this session, learn about the AWS provable security initiative, a collection of automated reasoning technologies that help prove the correctness of key security components both in and out of the cloud. Also learn about AWS tools, such as Tiros and Zelkova, that reason with respect to AWS IAM governance and networks, and are setting new standards for how to protect virtualization layers of the cloud. Further, we discuss how these technologies can help customers remain secure both today and in the future. Session Byron Cook
FND215 - Best practices for choosing identity solutions for applications + workloads Identity requirements for consumer-facing applications differ significantly from those for workforce applications and cloud resources. Learn the best practices for choosing the right identity platform on AWS for your consumer-facing applications and for centrally managing access to all your business applications and AWS resources. Come learn about the proper use cases for implementing single sign-on (SSO) and Amazon Cognito, security best practices, and configuration guidance. Session Karen Haberkorn
FND216 - Threat detection on AWS: An introduction to Amazon GuardDuty Amazon GuardDuty is a threat detection system that is reimagined and purpose-built for the cloud. Once enabled, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real-time and at scale. You do not have to deploy or manage any additional security software, sensors, or network appliances. Threat intelligence is pre-integrated into the service and is continuously updated and maintained. This session introduces you to GuardDuty, walks you through the detection of an event, and discusses the various ways you can react and remediate. Session Ryan Holland
FND217 - It’s in my backlog: The truth behind DevSecOps The term DevSecOps has often been confused with securing DevOps, with security operations, or with using a secure development lifecycle in agile development. When you build security into DevOps and even into agile development, when do practices such as threat modeling, static application security testing, and dynamic application security testing occur? This session explains how sound architecture and implementation is key to providing DevSecOps capability with AWS. A core concept is that cybersecurity requirements are foundational and cannot be placed on a backlog indefinitely while development and operations are actively worked on. Session Shawn Harris Randall Brooks
FND218 - How to act on your security and compliance alerts with AWS Security Hub Learn about AWS Security Hub and how it gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. See how Security Hub aggregates, prioritizes, and helps you act on your alerts from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. Session Scott Ward Ely Kahn Rob Morris Jason Fuller
FND219 - Capital One case study: Addressing compliance and security within AWS Capital One is a leading global financial institution that has reimagined banking. Attend this session to learn how the company is governing and securing mission-critical infrastructure, its AWS environment, and its users and customers by building an integrated identity governance program that secures the organization and enables its workforce. Capital One shares its successes and lessons learned while building its identity strategy, and it covers what the company recommends that you consider when building or expanding your identity program. Learn how Capital One secures the wallet that it refers to when asking, “What’s in your wallet?” Session Jing Zhu Kevin Bumgarner
FND220-R - [REPEAT] Best practices for proactive security testing One of the core tenets of DevSecOps and the world of application security is to build security right from design and test as early as possible. This reduces the cost of remediating vulnerabilities in production. In this session, we walk you through how to build a threat model and drive security implementation and proactive security testing including attacker scenarios for penetration testing/red teaming exercises. Builders Session Reef Dsouza
FND220-R1 - [REPEAT 1] Best practices for proactive security testing One of the core tenets of DevSecOps and the world of application security is to build security right from design and test as early as possible. This reduces the cost of remediating vulnerabilities in production. In this session, we walk you through how to build a threat model and drive security implementation and proactive security testing including attacker scenarios for penetration testing/red teaming exercises. Builders Session Kevin Higgins
FND221-R - [REPEAT] Implement access control to data in AWS services using KMS AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. In this builders session, we demonstrate how to create key policies to limit access to encrypted data. Learn how to create encryption keys in AWS KMS and how to implement key policies using conditions. We also show you how to use Amazon CloudWatch to alarm on your encryption key usage. Builders Session Raj Copparapu
FND221-R1 - [REPEAT 1] Implement access control to data in AWS services using KMS AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. In this builders session, we demonstrate how to create key policies to limit access to encrypted data. Learn how to create encryption keys in AWS KMS and how to implement key policies using conditions. We also show you how to use Amazon CloudWatch to alarm on your encryption key usage. Builders Session Raj Copparapu
FND222-R - [REPEAT] Modernizing security architecture for the cloud This session shows security professionals how to move to the cloud in a way that is similar to traditional security architecture, with demilitarized zones, inbound and outbound proxies, and more. We show architecture patterns on AWS that can help you migrate to AWS products and services. This is important for those with traditional backgrounds who are uncomfortable with how to meet security policies on AWS. Leave with an understanding of security architecture patterns that you can use to design a secure AWS environment at your company. Services covered include Amazon VPC, AWS PrivateLink, AWS WAF, CloudFront, Elastic Load Balancing, Amazon EC2, and GuardDuty. Builders Session Stephen Quigg
FND222-R1 - [REPEAT 1] Modernizing security architecture for the cloud This session shows security professionals how to move to the cloud in a way that is similar to traditional security architecture, with demilitarized zones, inbound and outbound proxies, and more. We show architecture patterns on AWS that can help you migrate to AWS products and services. This is important for those with traditional backgrounds who are uncomfortable with how to meet security policies on AWS. Leave with an understanding of security architecture patterns that you can use to design a secure AWS environment at your company. Services covered include Amazon VPC, AWS PrivateLink, AWS WAF, CloudFront, Elastic Load Balancing, Amazon EC2, and GuardDuty. Builders Session Stephen Quigg
FND223-R - [REPEAT] Security cartography: Assembling the building blocks needed for cloud security In this chalk talk, we describe the key building blocks of a comprehensive cloud security strategy. We also walk you through the process of building a security baseline using the AWS Cloud Adoption Framework Security Perspective, security cartography techniques, and the Center for Internet Security (CIS) framework. Attending this chalk talk helps you build the confidence and security capabilities necessary to move increasingly sensitive workloads to AWS. Chalk Talk Steven Laino
FND223-R1 - [REPEAT 1] Security cartography: Assembling the building blocks needed for cloud security In this chalk talk, we describe the key building blocks of a comprehensive cloud security strategy. We also walk you through the process of building a security baseline using the AWS Cloud Adoption Framework Security Perspective, security cartography techniques, and the Center for Internet Security (CIS) framework. Attending this chalk talk helps you build the confidence and security capabilities necessary to move increasingly sensitive workloads to AWS. Chalk Talk Steven Laino
FND224 - Building a security knowledge management platform for AWS Learn about how AWS security built a security knowledge management platform to distribute guidance at the scale of the AWS organization using Amazon API Gateway, AWS Lambda, Amazon RDS, and Amazon S3. This platform defines the AWS security bar and empowers AWS with the knowledge that is needed to build secure products and protect customer data. In this session, we look at how the content is consumed by tools and how it powers automated threat modeling for security reviews. Session Esha Pendharkar
FND301-R - [REPEAT] Build end-to-end IT lifecycle management on AWS In this workshop, cloud architects, Cloud Center of Excellence (CCOE) team members, and IT managers learn how to launch and operate governed cloud workloads on AWS by leveraging AWS management tools. They extend a sample catalog containing Amazon EC2, Amazon S3, and so on, and enable catalog users to only manage the resources they create. They then perform the IT service management process integration using ServiceNow as an example solution. For this hands-on session, you are required to bring your own laptop and an AWS account. Workshop Sagar Khasnis MaSonya Scott
FND301-R1 - [REPEAT 1] Build end-to-end IT lifecycle management on AWS In this workshop, cloud architects, Cloud Center of Excellence (CCOE) team members, and IT managers learn how to launch and operate governed cloud workloads on AWS by leveraging AWS management tools. They extend a sample catalog containing Amazon EC2, Amazon S3, and so on, and enable catalog users to only manage the resources they create. They then perform the IT service management process integration using ServiceNow as an example solution. This hands-on session requires each participant to bring a laptop to the workshop. Workshop MaSonya Scott Sagar Khasnis
FND302 - Data encryption and certificate management concepts in AWS In this hands-on workshop, we use the AWS Cloud9 IDE to learn about data encryption services, such as AWS Key Management Service (KMS) and AWS Certificate Manager (ACM). We also explore various aspects of AWS KMS and AWS ACM private certificate authority. Workshop Ram Ramani
FND304-R - [REPEAT] Implementing authentication for your serverless workloads Serverless applications can reduce operational overhead, allowing you to focus on the innovation and security of your application. One way to add security to Amazon S3 is with Amazon S3 Block Public Access and CloudFront origin access identities. Amazon Cognito can provide additional security with user sign-up, sign-in, and access control. In this talk, we show and discuss the advantages of using CloudFront, Amazon S3, Amazon Cognito, and IAM to create a secure, serverless application. If you want to learn more about S3 security and about integrating identity into your application with Amazon Cognito, this talk is for you. Chalk Talk James Meyer
FND304-R1 - [REPEAT 1] Implementing authentication for your serverless workloads Serverless applications can reduce operational overhead, allowing you to focus on the innovation and security of your application. One way to add security to Amazon S3 is with Amazon S3 Block Public Access and CloudFront origin access identities. Amazon Cognito can provide additional security with user sign-up, sign-in, and access control. In this talk, we show and discuss the advantages of using CloudFront, Amazon S3, Amazon Cognito, and IAM to create a secure, serverless application. If you want to learn more about S3 security and about integrating identity into your application with Amazon Cognito, this talk is for you. Chalk Talk James Meyer
FND305-R - [REPEAT] Supercharging your workload defenses with AWS WAF, Amazon Inspector, and AWS Systems Manager Your mission in this builder session is to use AWS WAF, Amazon Inspector, and AWS Systems Manager to build an effective set of controls around your AWS workloads. Learn to use AWS WAF to mitigate common attack vectors against web applications such as SQL injection and cross-site scripting. Additionally, learn how to use Amazon Inspector and Systems Manager to automate security assessments and operational tasks, such as patching and configuration management, across your Amazon EC2 fleet. You need a laptop, an active AWS account, an AWS IAM administrator, and familiarity with core AWS services. Builders Session Jeff Levine
FND305-R1 - [REPEAT 1] Supercharging your workload defenses with AWS WAF, Amazon Inspector, and AWS Systems Manager Your mission in this builder session is to use AWS WAF, Amazon Inspector, and AWS Systems Manager to build an effective set of controls around your AWS workloads. Learn to use AWS WAF to mitigate common attack vectors against web applications such as SQL injection and cross-site scripting. Additionally, learn how to use Amazon Inspector and Systems Manager to automate security assessments and operational tasks, such as patching and configuration management, across your Amazon EC2 fleet. You need a laptop, an active AWS account, an AWS IAM administrator, and familiarity with core AWS services. Builders Session Cameron Worrell
FND306-R - [REPEAT] How to secure your Active Directory deployment on AWS Many enterprises use Active Directory for authentication, server and workstation management, group policy management, and more. It’s also one of the first applications to be deployed on AWS by those building or migrating Windows applications at scale. There are two primary models for running Active Directory on AWS: AWS Managed Microsoft AD and self-managed Active Directory on Amazon EC2. We discuss best practices for securing Active Directory deployment on AWS and the shared responsibility model for running AWS Managed Microsoft AD. We also examine a reference architecture that follows these best practices. Services include AWS Managed Microsoft AD, Amazon EC2, Amazon EBS, Amazon VPC, and AWS KMS. Session Vinod Madabushi
FND306-R1 - [REPEAT 1] How to secure your Active Directory deployment on AWS Many enterprises use Active Directory for authentication, server and workstation management, group policy management, and more. It’s also one of the first applications to be deployed on AWS by those building or migrating Windows applications at scale. There are two primary models for running Active Directory on AWS: AWS Managed Microsoft AD and self-managed Active Directory on Amazon EC2. We discuss best practices for securing Active Directory deployment on AWS and the shared responsibility model for running AWS Managed Microsoft AD. We also examine a reference architecture that follows these best practices. Services include AWS Managed Microsoft AD, Amazon EC2, Amazon EBS, Amazon VPC, and AWS KMS. Session Vinod Madabushi
FND307-R - [REPEAT] Securing your workloads in the cloud: Best practices using AWS Well-Architected Framework Security best practices help you secure your workloads in the cloud to meet organizational, legal, and compliance requirements. This chalk talk guides you through core security best practices aligned with the AWS Well-Architected Framework. This session discusses how to secure an Amazon EC2-based web application covering identity and access management, detective controls, infrastructure protection, data protection, and incident response. Chalk Talk Ben Potter
FND307-R1 - [REPEAT 1] Securing your workloads in the cloud: Best practices using AWS Well-Architected Framework Security best practices help you secure your workloads in the cloud to meet organizational, legal, and compliance requirements. This chalk talk guides you through core security best practices aligned with the AWS Well-Architected Framework. This session discusses how to secure an Amazon EC2-based web application covering identity and access management, detective controls, infrastructure protection, data protection, and incident response. Chalk Talk Ben Potter
FND307-R2 - [REPEAT 2] Securing your workloads in the cloud: Best practices using AWS Well-Architected Framework Security best practices help you secure your workloads in the cloud to meet organizational, legal, and compliance requirements. This chalk talk guides you through core security best practices aligned with the AWS Well-Architected Framework. This session discusses how to secure an Amazon EC2-based web application covering identity and access management, detective controls, infrastructure protection, data protection, and incident response. Chalk Talk Ben Potter
FND308-R - [REPEAT] Managing InfoSec risk during cloud adoption: The executive view Most enterprises have developed bodies of knowledge about risk governance for on-premise data centers. This knowledge influences information security risk management through objectives, priorities, standards, metrics, processes, and roles. The cloud journey offers new perspectives and opportunities for automation and continuous risk mitigation. Customers recognizing the need for change and implementing proactive, top-down approaches find it easier to manage risk. This session covers methods used in advanced stages of cloud adoption and patterns for risk governance that enterprise customers can use. It touches on the AWS security services portfolio and how some customers use these for maturing risk governance. Builders Session Pablo Salazar
FND308-R1 - [REPEAT 1] Managing InfoSec risk during cloud adoption: The executive view Most enterprises have developed bodies of knowledge about risk governance for on-premise data centers. This knowledge influences information security risk management through objectives, priorities, standards, metrics, processes, and roles. The cloud journey offers new perspectives and opportunities for automation and continuous risk mitigation. Customers recognizing the need for change and implementing proactive, top-down approaches find it easier to manage risk. This session covers methods used in advanced stages of cloud adoption and patterns for risk governance that enterprise customers can use. It touches on the AWS security services portfolio and how some customers use these for maturing risk governance. Builders Session Dave Mcdermitt
FND309 - Policy as code: Automating security management processes with AWS IAM and AWS CloudFormation Security is a critical element for highly regulated industries like healthcare. Infrastructure as code provides several options to automate security controls, whether it is implementing rules and guardrails or managing changes to policies in an automated yet auditable way. Learn how 3M implemented a process to automate creation, permission changes, and exception management with IAM policies and AWS CloudFormation, fostering efficient collaborations between security stakeholders across teams. Chalk Talk Dan Blanco Luis Colon James Martin
FND310-R - [REPEAT] How encryption works in AWS: What assurances do you have that unauthorized users won’t access your data? Customers who want their data encrypted on AWS increasingly take advantage of AWS services that allow them to encrypt data and manage access to the encryption keys. This session discusses how your data is encrypted in transit and at rest in AWS services like Amazon EC2, Amazon S3, and Elastic Load Balancing. Learn about the AWS key management options available, such as AWS KMS, CloudHSM, and ACM. The session also covers some of the security controls that AWS uses to minimize risk of compromise by unauthorized users as it works to keep your data safe. Session Ken Beer
FND310-R1 - [REPEAT 1] How encryption works in AWS: What assurances do you have that unauthorized users won’t access your data? Customers who want their data encrypted on AWS increasingly take advantage of AWS services that allow them to encrypt data and manage access to the encryption keys. This session discusses how your data is encrypted in transit and at rest in AWS services like Amazon EC2, Amazon S3, and Elastic Load Balancing. Learn about the AWS key management options available, such as AWS KMS, CloudHSM, and ACM. The session also covers some of the security controls that AWS uses to minimize risk of compromise by unauthorized users as it works to keep your data safe. Session Ken Beer
FND311 - Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service Catalog and Control Tower Security is a growing concern. Misconfigurations and inconsistent deployments provide opportunities for attackers to find vulnerabilities. This underscores the need to enforce policies as more and more production workloads move to the cloud. In this session, we focus on how customers are using Service Catalog as a layered defense-in-depth mechanism to mitigate misconfigurations and variability in workload deployments. In addition, we discuss how Control Tower provides guardrails for policy enforcement. These help customers like World Bank enforce security and manage compliance. Session Darren House Kaushik Mohanty Yu Gao
FND312 - Harnessing diversity to solve a people problem Gender diversity is a challenge facing many organizations as they try to offer solutions that work for everyone. Women currently make up less than 24 percent of the Information Security workforce and less than 7 percent of CEOs in Fortune 500 companies. Decades of research prove that inclusive, diverse teams lead to more innovation, better solutions, and improved outcomes for organizations and customers. In this session, Jenny Brinkley (AWS), Teri Radichel (2nd Sight Lab), Patricia Smith (Cox Automotive), Fiona Williams (Deloitte), and Avni Rambhia (AWS) discuss how they’ve used diversity to produce superior outcomes and offer steps that you can take to replicate their successes. Session Michael Wasielewski Avni Rambhia Jenny Brinkley Teri Radichel Fiona Williams Patricia Smith
FND313-L - Leadership session: Foundational security Senior Principal Security Engineer Don "Beetle" Bailey and Corey Quinn from the highly acclaimed "Last Week in AWS" newsletter present best practices, features, and security updates you may have missed in the AWS Cloud. With more than 1,000 service updates per year being released, having expert distillation of what's relevant to your environment can accelerate your adoption of the cloud. As techniques for operationalizing cloud security, compliance, and identity remain a critical business need, this leadership session considers a strategic path forward for all levels of enterprises and users, from beginner to advanced. Session Rohit Gupta Donald (Beetle) Bailey Fitz (Philip Fizsimons) Corey Quinn
FND314 - Managing and governing multi-account AWS environments using AWS Organizations As you continue to grow your footprint on AWS, centralized tools and features are required to help govern multiple AWS accounts for account management, security and access control, and resource sharing. This session discusses how you can use AWS Organizations to manage and govern multi-account environments on AWS with security and compliance in mind. This session covers AWS Organizations, IAM, AWS Config, AWS Firewall Manager, CloudTrail, CloudWatch Events, Directory Service, License Manager, Resource Access Manager, and Single Sign-On. Session Raymond Ma
FND315 - Porting a traditional workstation with age-old methodology to the cloud Moving a workstation to the cloud doesn’t need to come with all the baggage of the past. This session covers the process of porting a traditional, standalone workstation with age-old methodology to the cloud and shows you some of the capabilities that are possible in the new world. Attendees also learn best practices for conducting Digital Forensics and Incident Response (DFIR) in a bespoke manner that is made possible by absolute visibility. Services covered in this session include AWS Management Console, AWS CLI, Amazon VPC, Amazon EC2, security groups, and Amazon S3. Builders Session Ryan Washington
FND316 - Secure Amazon SageMaker notebooks and training jobs In this session, cloud architects, Cloud Center of Excellence (CCoE) team members, and IT managers learn how to configure, govern, and monitor Amazon SageMaker managed Jupyter notebooks and training jobs with a focus on security. Attendees are provided AWS CloudFormation scripts to create an infrastructure resource such as a VPC, subnets, Amazon S3 endpoints, a NAT gateway, or VPC flow logs. They then configure and launch Amazon SageMaker managed notebooks and training jobs. Finally, they perform tests to validate security objectives and monitor traffic on notebook and training instances. Builders Session Vikrant Kahlir
FND317-R - [REPEAT] How to audit and remediate resource misconfigurations using AWS management tools In this session, you learn about native AWS tools that can help with inventory management and configuration compliance management. Learn how to use management and governance tools such as AWS Config to query the configuration state of your resources, identify resources that are noncompliant with your policies, and remediate those resources using AWS Systems Manager (SSM) automation documents. Builders Session Eryn Sawyer
FND317-R1 - [REPEAT 1] How to audit and remediate resource misconfigurations using AWS management tools In this session, you learn about native AWS tools that can help with inventory management and configuration compliance management. Learn how to use management and governance tools such as AWS Config to query the configuration state of your resources, identify resources that are noncompliant with your policies, and remediate those resources using AWS Systems Manager (SSM) automation documents. Builders Session Eryn Sawyer
FND318-R - [REPEAT] Simplify and secure your overall network architecture at scale For this session, please familiarize yourself with AWS Transit Gateway and how transit gateways work by referring to material on the public AWS Documentation site. In this session, we introduce AWS Transit Gateway and its functionalities, such as routing domains, attachments, and propagation. We offer a hands-on lab for developing an architecture that provides isolation between environments like production, development, and testing. We also discuss and design an outbound virtual private cloud for centralized internet access, outbound URL filtering, and data loss prevention scenarios. We conclude by demonstrating the integration of AWS Direct Connect with AWS Transit Gateway. Builders Session Bhavin Desai
FND318-R1 - [REPEAT 1] Simplify and secure your overall network architecture at scale For this session, please familiarize yourself with AWS Transit Gateway and how transit gateways work by referring to material on the public AWS Documentation site. In this session, we introduce AWS Transit Gateway and its functionalities, such as routing domains, attachments, and propagation. We offer a hands-on lab for developing an architecture that provides isolation between environments like production, development, and testing. We also discuss and design an outbound virtual private cloud for centralized internet access, outbound URL filtering, and data loss prevention scenarios. We conclude by demonstrating the integration of AWS Direct Connect with AWS Transit Gateway. Builders Session Bhavin Desai
FND318-R2 - [REPEAT 2] Simplify and secure your overall network architecture at scale For this session, please familiarize yourself with AWS Transit Gateway and how transit gateways work by referring to material on the public AWS Documentation site. In this session, we introduce AWS Transit Gateway and its functionalities, such as routing domains, attachments, and propagation. We offer a hands-on lab for developing an architecture that provides isolation between environments like production, development, and testing. We also discuss and design an outbound virtual private cloud for centralized internet access, outbound URL filtering, and data loss prevention scenarios. We conclude by demonstrating the integration of AWS Direct Connect with AWS Transit Gateway. Builders Session Bhavin Desai
FND319-R - [REPEAT] Supercharge Amazon GuardDuty with partners: Operationalizing threat detection and response at scale Amazon GuardDuty can detect a variety of threats related to your AWS account and workloads. However, detection is only the first step! By combining high-fidelity GuardDuty findings with partner products, you can quickly identify, respond to, remediate, and prevent security incidents. In this session, we highlight many of the partner solutions that integrate with GuardDuty and show how they help with identification, response, remediation, and prevention, enabling you to supercharge and centralize your cloud security operations. Builders Session Patrick McDowell
FND319-R1 - [REPEAT 1] Supercharge Amazon GuardDuty with partners: Operationalizing threat detection and response at scale Amazon GuardDuty can detect a variety of threats related to your AWS account and workloads. However, detection is only the first step! By combining high-fidelity GuardDuty findings with partner products, you can quickly identify, respond to, remediate, and prevent security incidents. In this session, we highlight many of the partner solutions that integrate with GuardDuty and show how they help with identification, response, remediation, and prevention, enabling you to supercharge and centralize your cloud security operations. Builders Session Scott Ward
FND320 - Root CA hierarchies for AWS Certificate Manager (ACM) Private CA AWS recently announced root certificate authority (CA) hierarchies for AWS Certificate Manager (ACM) Private CA. CA administrators can now quickly and easily create a complete CA hierarchy, including root and subordinate CAs, with no need for external CAs. In this presentation, we provide an overview of ACM Private CA and discuss some common use cases, such as issuing private certificates in order to identify devices. You learn how to create a two-level CA hierarchy and use it to issue private certificates. You also learn security best practices for creating and managing a CA hierarchy, and you have a chance to ask questions. Session Todd Cignetti Ram Ramani
FND321 - Keeping edge computing secure Edge computing is one of the most important enablers of the future. It saves lives, democratizes resources, and reduces costs in scenarios where near real-time action is required. This session covers how to keep edge computing secure. We dive deep into how AWS IoT Greengrass authenticates and encrypts device data for local and cloud communications so that data is never exchanged without proven identity. You can leverage hardware-secured, end-to-end encryption for messages exchanged between devices, an AWS IoT Greengrass core, and the AWS Cloud, and for messages between an AWS IoT Greengrass core and other local devices using the AWS IoT device SDK. Builders Session Indraneel Mitra
FND322 - How I learned to stop worrying and love the cloud In this session, learn how AWS and Barclays worked together to make the move to the cloud. From hesitancies and concerns to the features, added controls, and compliance affirmations that allayed them, this is a true customer story of a cloud migration journey. Session Ken Beer Oliver Newbury
FND323-R - [REPEAT] Best practices for preventing data exposure In this session, learn how to configure AWS Config, Amazon CloudWatch Events, and AWS Lambda to prevent unauthorized exposure of enterprise data. This session also provides best practices for preventing misconfiguration of resources, including Amazon S3 and other services. Builders Session Aaron Lima
FND323-R1 - [REPEAT 1] Best practices for preventing data exposure In this session, learn how to configure AWS Config, Amazon CloudWatch Events, and AWS Lambda to prevent unauthorized exposure of enterprise data. This session also provides best practices for preventing misconfiguration of resources, including Amazon S3 and other services. Builders Session Aaron Lima
FND324 - Secure interactive access to instances using Session Manager AWS Systems Manager Session Manager increases the security posture for instance access with a browser-based, AWS CLI interactive shell experience that requires customer key encryption using AWS KMS and requires no open inbound ports or access or jump servers. Session Manager IAM access control, CloudTrail-audited sessions, and session outputs logged to Amazon S3 or CloudWatch Logs make it easy for IT professionals to control and secure access to instances in operational scenarios while complying with corporate policies and security best practices. Learn how Session Manager works for Linux or Windows instances in the cloud or on premises, and help drive our road map. Builders Session Eric Westfall
FND325-R - [REPEAT] Securing your .NET container secrets As customers move .NET workloads to the cloud, many start to consider containerizing their applications because of the agility and cost savings that containers provide. Combine those compelling drivers with the multi-OS capabilities that come with .NET Core, and customers have an exciting reason to migrate their applications. A primary question is how they can safely store secrets and configuration values that are sensitive to their organizations in containerized workloads. In this builders session, learn how to safely containerize an ASP.NET Core application while leveraging services like ASP.NET Core AWS Secrets Manager and AWS Fargate. Builders Session Carmen Puccio
FND325-R1 - [REPEAT 1] Securing your .NET container secrets As customers move .NET workloads to the cloud, many start to consider containerizing their applications because of the agility and cost savings that containers provide. Combine those compelling drivers with the multi-OS capabilities that come with .NET Core, and customers have an exciting reason to migrate their applications. A primary question is how they can safely store secrets and configuration values that are sensitive to their organizations in containerized workloads. In this builders session, learn how to safely containerize an ASP.NET Core application while leveraging services like ASP.NET Core AWS Secrets Manager and AWS Fargate. Builders Session Carmen Puccio
FND326-S - Data-driven storytelling and security stakeholder engagement Storytelling is a powerful tool for cybersecurity leaders aiming to improve communication with IT and non-IT stakeholders alike; the most trusted advisors are effective storytellers. With the right data—like the recently released 2019 Verizon Data Breach Investigations Report—CISOs and their teams can tell meaningful and relevant stories that help organizations strengthen their security cultures and empower executives to make better decisions about resource allocation and risk tolerance. Session David Grady
FND327 - A security-first approach to delivering end-user computing services Enterprise customers in regulated industries often struggle to meet security and data sovereignty requirements for desktop applications and mobile workers. End-user devices present the challenge of risky endpoints, making critical data vulnerable to attack, loss, or theft. With AWS, you can improve security and compliance by centrally managing endpoints within your VPC without the cost and complexity of on-premises solutions. AWS makes data delivered on end-user devices ephemeral so that employees can access internal applications from personal devices without a local trusted network. Learn how AWS improves security and reduces cost by moving data to the cloud while providing secure, fast access to desktop applications and data. Session Nathan Thomas Ron Bledsoe
FND328-R - [REPEAT] View and manage your AWS service quotas through Service Quotas Learn how you can view and manage your service quotas using a new AWS service, Service Quotas. In this session, we demonstrate this service’s functionality, both through the console and the application programming interface/command line interface (API/CLI). You learn how to view service quota details, raise and track quota increase requests, proactively monitor quotas by setting up Amazon CloudWatch alarms, and define and use organization-level templates for quota increase requests for new accounts created through AWS Organizations. Builders Session Caitlyn Shim
FND328-R1 - [REPEAT 1] View and manage your AWS service quotas through Service Quotas Learn how you can view and manage your service quotas using a new AWS service, Service Quotas. In this session, we demonstrate this service’s functionality, both through the console and the application programming interface/command line interface (API/CLI). You learn how to view service quota details, raise and track quota increase requests, proactively monitor quotas by setting up Amazon CloudWatch alarms, and define and use organization-level templates for quota increase requests for new accounts created through AWS Organizations. Builders Session Caitlyn Shim
FND328-R2 - [REPEAT 2] View and manage your AWS service quotas through Service Quotas Learn how you can view and manage your service quotas using a new AWS service, Service Quotas. In this session, we demonstrate this service’s functionality, both through the console and the application programming interface/command line interface (API/CLI). You learn how to view service quota details, raise and track quota increase requests, proactively monitor quotas by setting up Amazon CloudWatch alarms, and define and use organization-level templates for quota increase requests for new accounts created through AWS Organizations. Builders Session Caitlyn Shim
FND330 - Securing the edge with AWS IoT services Edge computing is one of the most important enablers of the future. It saves lives, democratizes resources, and reduces costs in scenarios where near real-time action is required. This session covers how to keep edge computing secure. We dive deep into how AWS IoT Greengrass authenticates and encrypts device data for local and cloud communications so that data is never exchanged without proven identity. You can leverage hardware-secured, end-to-end encryption for messages exchanged between devices, an AWS IoT Greengrass core, and the AWS Cloud, and for messages between an AWS IoT Greengrass core and other local devices using the AWS IoT device SDK. Session Indraneel Mitra Scott Allison
GRC201 - Design for compliance: Practical patterns for meeting your IT compliance requirements AWS offers a wide variety of services and features that help regulated firms meet IT governance requirements and operate in an agile manner. This session is a guided tour of emerging patterns and solutions that help address common IT governance concerns such as zero-trust architecture, immutable production, and controlled change management. Session Kurt Gray
GRC202 - Cloud control fitness Security and compliance are moving from obligation to advantage. Realizing this advantage requires taking a risk-based approach to your cloud control environment and identifying where AWS does the heavy lifting for you. This approach involves using AWS world-class services to create robust directive, preventative, reactive, and responsive controls, and demonstrating the effectiveness of all of them. In this session, you learn how to evaluate your cloud control environment to ensure that it is considering the risks that are relevant for your workloads, giving you a clear path of what needs to be done to confidently move workloads into AWS. Session Brian Wagner Kristen Haught
GRC203-R - [REPEAT] Aligning to the NIST Cybersecurity Framework in the AWS Cloud The NIST Cybersecurity Framework (CSF) is recognized as the de facto guide for best practices in cybersecurity and risk-management for organizations of any size and in any sector or location. In this session, learn how to implement AWS services to align to the 108 outcome-based security activities in the NIST CSF. We discuss the AWS whitepaper and customer workbook, which cover the many AWS services customers can use to align to the NIST CSF, including IAM, AWS CloudTrail, Amazon CloudWatch, Amazon GuardDuty, Amazon Macie, Amazon EC2, Amazon Cognito, AWS SSO, VPC Flow Logs. Session Min Hyun Michael South
GRC203-R1 - [REPEAT 1] Aligning to the NIST Cybersecurity Framework in the AWS Cloud The NIST Cybersecurity Framework (CSF) is recognized as the de facto guide for best practices in cybersecurity and risk-management for organizations of any size and in any sector or location. In this session, learn how to implement AWS services to align to the 108 outcome-based security activities in the NIST CSF. We discuss the AWS whitepaper and customer workbook, which cover the many AWS services customers can use to align to the NIST CSF, including IAM, AWS CloudTrail, Amazon CloudWatch, Amazon GuardDuty, Amazon Macie, Amazon EC2, Amazon Cognito, AWS SSO, VPC Flow Logs. Session Michael South Min Hyun
GRC204 - Unify security, compliance, and finance teams with governance at scale Cloud users typically feel that security, compliance, and finance teams throttle speed and innovation. However, the concerns of security misconfigurations and cloud budget overruns are real threats to the enterprise as adoption scales. Organizations struggle with finding the right balance to empower these teams while giving end-users the autonomy required. The governance at scale framework provides visibility, control, autonomy, and confidence to move enterprises to the cloud. It was built on a decade of lessons learned from the largest customers, including AWS itself. This session shares stories of customer successes using this framework and the impacts to their cloud journeys. Session Brett Miller Doug Vanderpool Brian Price
GRC205 - Implement identity guardrails using permissions boundaries Would you like to enforce the principle of least privilege while allowing your teams the freedom to create and manage their own IAM entities? Using permissions boundaries, you can define the maximum permissions that an identity-based policy can grant to an IAM entity. Join us in this session to learn how to implement permissions guardrails and enforce them on your AWS accounts. Builders Session Mahmoud Matouk
GRC206 - Technology as a means for compliance For regulated data types, such as personally identifiable information, customers often ask the same questions. This session addresses questions on topics that range from deletion of data to third-party assurance reports, and it connects you with the corresponding risk discussions and the applicable AWS technology or supporting language from AWS documentation. Learn how to speed up your risk assessment by equipping yourself with facts and knowledge that will help you make informed decisions about your AWS journey. Session Bertram Dorn
GRC207 - Securing your block storage on AWS Want to simplify the process of meeting compliance goals in a world of increasing data regulation? AWS customers run mission-critical workloads—SQL and NoSQL databases, business applications, data analytics, log analysis—on Amazon EC2, backed by Amazon EBS and EC2 instance storage. Securing data content and storage access is critical to maintaining uptime and meeting compliance needs. In this session, we discuss data security and review the security capabilities of Amazon EBS and EC2 instance storage. Learn how you can benefit from new Amazon EBS features such as encryption by default, launch of encrypted instances from unencrypted AMIs, and simplified sharing of encrypted AMIs. Session Ashish Palekar
GRC208 - Everything you wanted to know about compliance but were afraid to ask This session is for those who are new to cloud security at AWS. We discuss common compliance programs, such as PCI DSS, any ISO, SOC, FedRAMP, and so on. We also cover which industries care about them and how we support them in the context of the AWS Shared Responsibility Model. In addition, we describe why these compliance programs are important to understand at a basic level. Our goal is to help you feel comfortable in describing certain compliance programs when a customer asks you about them. Session Scott Paddock
GRC301 - New ways to automate compliance verification on AWS using provable security The traditional audit methodology of manually sampling, interviewing, and observing provides limited insight into the adherence of a customer’s cloud environment to common regulatory frameworks. The auditor and customer’s challenge is to generate and evaluate evidence of an entire system’s compliance with specific controls, which becomes increasingly difficult with larger code bases. The AWS Provable Security initiative applies automated reasoning technology to automatically prove that a customer’s cloud environment meets certain regulatory standards. In this session, Chad Woolf, AWS VP of Security Assurance, and Byron Cook, director of the AWS Automated Reasoning Group, sit down with a representative from Coalfire, assessor of AWS, to discuss how the Provable Security initiative is creating new, higher-assurance models for auditors and customers. Session Byron Cook Chad Woolf Tom McAndrew
GRC302 - Audibility in Kubernetes with Amazon EKS Amazon Elastic Container Service for Kubernetes (Amazon EKS) is an AWS service offering a managed Kubernetes control plane for customers to orchestrate their containerized applications on Amazon EC2. In this chalk talk, Micah Hausler, AWS system development engineer, explains how customers can ensure the integrity and auditability of their applications on Amazon EKS. He demonstrates the exploitation of a misconfigured web application container, and he conducts a forensic analysis of what happened in the system. Workshop Micah Hausler
GRC304 - Security at the speed of cloud: How to think about it & how you can do it now In this session, we explain how customers can enable business agility by evolving their governance approach to run at the speed of cloud. Learn how to think about security in the AWS Cloud, and receive prescriptive guidance on implementing technology to support your business. Hear about what good looks like, and learn how you can apply this approach in your organization today. Session Raisa Hashem Paul Hawkins
GRC305-R - [REPEAT] Your first compliance-as-code Auditors and security staff can improve their security capabilities by learning how to code. In this workshop, they have the opportunity to start coding for security using AWS CLI, Amazon CloudWatch metrics, Python boto3 (one-liner or AWS Lambda), AWS Config rules, and so on. Throughout the workshop, participants try to solve several security and audit activity issues using AWS services. To join, participants should have a Python 3.x environment on their laptop. While it’s important to know AWS security fundamentals and have some experience applying them, coding experience isn’t necessary. Workshop Shogo Matsumoto
GRC305-R1 - [REPEAT 1] Your first compliance-as-code Auditors and security staff can improve their security capabilities by learning how to code. In this workshop, they have the opportunity to start coding for security using AWS CLI, Amazon CloudWatch metrics, Python boto3 (one-liner or AWS Lambda), AWS Config rules, and so on. Throughout the workshop, participants try to solve several security and audit activity issues using AWS services. To join, participants should have a Python 3.x environment on their laptop. While it’s important to know AWS security fundamentals and have some experience applying them, coding experience isn’t necessary. Workshop Shogo Matsumoto
GRC306 - Architect proper segmentation for PCI DSS workloads on AWS In this session, we discuss how to successfully architect for proper segmentation involving PCI DSS workloads running on AWS. We show you how the segmentation strategies and controls are different from those designed in a traditional on-premises environment, keeping in mind the unique characteristic of the AWS platform. Session Avik Mukherjee Aditya Patel
GRC307 - Build a PCI SAQ A-EP-compliant serverless service to manage credit card payments OLX, the world's leading online classifieds service platform, operates a network of online trading platforms, with over 300M monthly users in over 45 countries. In this session, learn how we built a serverless PCI SAQ A-EP-compliant credit card payment service. Understand how regulation changes affected the solution and the importance of defining the right PCI scope on AWS. Also learn which AWS artifacts are critical and which AWS services can help meet compliance requirements. Session Joaquin Rinaudo
GRC308 - Compliance-level capabilities of RDS & Aurora database engines: Deep dive Amazon RDS and Amazon Aurora make it easy to set up, operate, and scale a relational database in the cloud. In this chalk talk, learn about the specific capabilities that Amazon RDS and Aurora provide that help you satisfy many of the available compliance levels, such as PCI, HIPAA BAA, and FedRAMP. We cover the new capabilities in access management, auditing, and security that have enabled the Amazon RDS and Aurora database engines to meet the various compliance levels. We also cover how to configure and create the Amazon RDS and Aurora instances that satisfy these compliance levels, and we discuss any performance impacts to be aware of when enabling these compliance features. Chalk Talk Josh Joy Timothy Winston
GRC310 - Pop the hood: Using AWS resources to attest to security of the cloud Customers must regularly attest to the security and compliance of AWS services in order to confidently operate within the cloud. To support customers with this task, AWS provides a number of resources to define our 13 control domains, differentiate between customer and AWS responsibilities, and demonstrate the mapping of an organization’s attestation needs to an AWS audit framework. During this session, customers familiarize themselves with our compliance reports (e.g., FedRAMP, SOC, ISO, PCI, etc.), dive deep on AWS compliance tools, and discuss mechanisms for leveraging the knowledge of AWS security subject matter experts. Session Kate Wildman Brian Wagner
GRC311 - Customer audits of AWS - at an AWS Audit Symposium This builder session gives a small group of strategic financial services customers a deeper study into the AWS control environment as they explore how to use an AWS Audit Symposium to complete their institution's audit of AWS. Participants get an intimate look into the AWS control framework and are given access to the AWS Audit portal to explore the populations of evidence made available to customers for review at an AWS Audit Symposium. AWS customer audit experts discuss frequently audited controls, how customers can audit AWS data centers at an AWS Audit Symposium, and explore how customers can prepare their third-party due diligence frameworks to get ready to audit AWS directly. This information enables customers to meet their regulatory needs, gain assurance of AWS support of their contractual commitments, and gain exclusive access to AWS confidential information. Builders Session Kate Wildman
GRC313-R - [REPEAT] Using AWS Control Tower to govern multi-account AWS environments at scale AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard. Session Chandar Venkataraman
GRC313-R1 - [REPEAT 1] Using AWS Control Tower to govern multi-account AWS environments at scale AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard. Session Chandar Venkataraman
GRC315-R - [REPEAT] How to create a CIO dashboard of key security metrics using AWS Join this builder session, and learn how to create a CIO dashboard on AWS and provide executives and operations on-demand visibility of their security state. We show you how to build this using AWS Systems Manager, Amazon Inspector, AWS Config, Amazon GuardDuty, AWS Lambda, Amazon S3, and Amazon QuickSight to create automation and update the dashboard that displays key CIO metrics. Builders Session Darren House
GRC315-R1 - [REPEAT 1] How to create a CIO dashboard of key security metrics using AWS Join this builder session, and learn how to create a CIO dashboard on AWS and provide executives and operations on-demand visibility of their security state. We show you how to build this using AWS Systems Manager, Amazon Inspector, AWS Config, Amazon GuardDuty, AWS Lambda, Amazon S3, and Amazon QuickSight to create automation and update the dashboard that displays key CIO metrics. Builders Session Darren House
GRC315-R2 - [REPEAT 2] How to create a CIO dashboard of key security metrics using AWS Join this builder session, and learn how to create a CIO dashboard on AWS and provide executives and operations on-demand visibility of their security state. We show you how to build this using AWS Systems Manager, Amazon Inspector, AWS Config, Amazon GuardDuty, AWS Lambda, Amazon S3, and Amazon QuickSight to create automation and update the dashboard that displays key CIO metrics. Builders Session Darren House
GRC315-R3 - [REPEAT 3] How to create a CIO dashboard of key security metrics using AWS Join this builder session, and learn how to create a CIO dashboard on AWS and provide executives and operations on-demand visibility of their security state. We show you how to build this using AWS Systems Manager, Amazon Inspector, AWS Config, Amazon GuardDuty, AWS Lambda, Amazon S3, and Amazon QuickSight to create automation and update the dashboard that displays key CIO metrics. Builders Session Darren House
GRC316 - Continuous compliance with AWS management tools In today’s world, security threats arise daily, and it’s challenging to become and stay compliant with the requirements of all the various compliance frameworks. To react quickly, the most successful teams apply continuous automation, not only to provision and maintain their infrastructure, but also to constantly detect security vulnerabilities. In this session, learn how to achieve this level of automation and compliance using AWS management tools. Discover how to organize your applications using AWS Resource Groups, apply the Chef InSpec framework to use ready-made CIS profiles, and implement dynamic compliance checking using AWS Config rules. Session Rahul Gulati
GRC317 - Balancing cloud innovation and security In an accreditation system, it’s critical to balance the needs for cloud service provider (CSP) security assurance and ensuring an efficient path towards cloud adoption and use. In this session, we share best practices from observing and learning from our participation in a number of government CSP accreditation programs. Information from this session benefits decision makers and cloud users in gaining a broad knowledge of the global CSP accreditation systems that are in operation today. Attendees also gain a deeper understanding of their respective strengths and opportunities for excellence, in addition to how to apply them in their own cloud journey. Session Meng Chow Kang
GRC318-R - [REPEAT] Fear no auditor: Leveraging a DevOps approach to compliance and assessment When the same CI/CD approach that propelled the Cloud Adoption Framework is applied to compliance, it informs the selection and implementation of solutions, and it virtually eliminates the risk of discovering compliance gaps during assessments. This approach also continues to improve compliance, and it reduces assessment efforts during the on-going development and operations of applications. In this builder session, attendees learn how to leverage AWS compliance, customer experiences, AWS Professional Services consultants, and AWS Security Assurance Services team’s Qualified Security Assessors (QSA) to build applications that are compliant with Payment Card Industry Data Security Standard (PCI DSS) at all times. They also learn how to be ready to demonstrate this compliance to assessors. Builders Session Timothy Winston
GRC318-R1 - [REPEAT 1] Fear no auditor: Leveraging a DevOps approach to compliance and assessment When the same CI/CD approach that propelled the Cloud Adoption Framework is applied to compliance, it informs the selection and implementation of solutions, and it virtually eliminates the risk of discovering compliance gaps during assessments. This approach also continues to improve compliance, and it reduces assessment efforts during the on-going development and operations of applications. In this builder session, attendees learn how to leverage AWS compliance, customer experiences, AWS Professional Services consultants, and AWS Security Assurance Services team’s Qualified Security Assessors (QSA) to build applications that are compliant with Payment Card Industry Data Security Standard (PCI DSS) at all times. They also learn how to be ready to demonstrate this compliance to assessors. Builders Session Timothy Winston
GRC319 - Untangling audits using graph databases The security assurance automation team at AWS built a service that aggregates data on various internal AWS resources and enables them to discover insightful relationships among these resources. This service was built using the AWS graph database service, Amazon Neptune. It is being used to generate audit populations and proactively identify security and compliance risks. This chalk talk dives deep into potential compliance challenges that could be addressed using a graph database solution. Chalk Talk Paras Malhotra Adam Irr
GRC320-R - [REPEAT] Build an enterprise compliance management & remediation system on AWS In this builder session, we show you how to build a fleet-wide, cross-account/cross-region, hybrid-cloud enterprise compliance management and remediation system using AWS Systems Manager and Amazon CloudWatch. In addition, we provide compliance stakeholders visibility into the performance of the compliance system by using Amazon QuickSight and Amazon Athena for reporting. Builders Session Rodney Bozo
GRC320-R1 - [REPEAT 1] Build an enterprise compliance management & remediation system on AWS In this builder session, we show you how to build a fleet-wide, cross-account/cross-region, hybrid-cloud enterprise compliance management and remediation system using AWS Systems Manager and Amazon CloudWatch. In addition, we provide compliance stakeholders visibility into the performance of the compliance system by using Amazon QuickSight and Amazon Athena for reporting. Builders Session Siavash Irani
GRC320-R2 - [REPEAT 2] Build an enterprise compliance management & remediation system on AWS In this builder session, we show you how to build a fleet-wide, cross-account/cross-region, hybrid-cloud enterprise compliance management and remediation system using AWS Systems Manager and Amazon CloudWatch. In addition, we provide compliance stakeholders visibility into the performance of the compliance system by using Amazon QuickSight and Amazon Athena for reporting. Builders Session Rodney Bozo
GRC323 - Cloud auditing workshop Auditing in the cloud is different from auditing in on-premises environments. In this workshop, we discuss those differences and share best practices for auditing in the cloud. We provide a cloud- and customer-agnostic foundation for cloud security auditing. In addition to covering necessary building blocks of cloud security, we cover cloud-specific considerations and guidelines that auditors should keep in mind when verifying security controls. Join us, and learn the cloud considerations for auditing from the experts. Workshop Scott Paddock Marianne Brockhaus
GRC324-R - [REPEAT] Use AWS Config rules to satisfy your compliance needs In this session, we show you how to satisfy your compliance department using AWS Config rules. We walk you through enabling Config in a multiaccount environment, mapping your compliance requirements to AWS-managed Config rules to demonstrate continuous compliance, and building and deploying your own AWS Config rules. Learn the basics of AWS Config, Config rules, and the central aggregation of AWS Config information in a single pane of glass. Chalk Talk Koen van Blijderveen Sergiu Radulea
GRC324-R1 - [REPEAT 1] Use AWS Config rules to satisfy your compliance needs In this session, we show you how to satisfy your compliance department using AWS Config rules. We walk you through enabling Config in a multiaccount environment, mapping your compliance requirements to AWS-managed Config rules to demonstrate continuous compliance, and building and deploying your own AWS Config rules. Learn the basics of AWS Config, Config rules, and the central aggregation of AWS Config information in a single pane of glass. Chalk Talk Koen van Blijderveen Sergiu Radulea
GRC325 - Establishing AWS as a trusted partner Customers trust AWS with mission-critical workloads because AWS is designed and built to deliver the most flexible, reliable, scalable, and secure cloud computing environment available today. AWS works to earn that trust by offering transparency, demonstrating consistency, and providing best practices to keep themselves secure. As customers adopt AWS, they traverse several trust-building milestones with due-diligence activities, such as assurance report and AWS Well-Architected Tool reviews and deep dives with AWS subject matter experts. This session addresses these milestones at common AWS adoption stages with examples, questions that customers often ask, and suggestions for how to get started. Session Chris Pennisi
GRC326-L - Leadership session: Governance, risk, and compliance Vice President of Security Chad Woolf, Director of Global Security Practice Hart Rossman, and Security Engineer Rima Tanash explain how governance functionality can help ensure consistency in your compliance program. Some specific services covered are Amazon GuardDuty, AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon Macie, and AWS Security Hub. The speakers also discuss how customers leverage these services in conjunction with each other. Additional attention is paid to the concept of "elevated assurance," including how it may transform the audit industry going forward. Finally, the speakers discuss how AWS secures its own environment, as well as talk about the control frameworks of specific compliance regulations. Session Rima Tanash Hart Rossman Chad Woolf Jason Kao
GRC327-R - [REPEAT] Up and running with multi-account security guardrails In this session, we provide a crash course on building security guardrails for AWS Landing Zone, as well as templates that you can use in your own environment. We show you how to integrate continuous auditing into the account creation process, and we highlight the immutability and auditability of controls that are deployed by AWS Landing Zone. Topics also include an overview of the security guardrails concept in AWS Landing Zone, best practices for development, and code accelerators to help reduce the time from idea to first detection. Workshop Andy Wickersham Eric Rose
GRC327-R1 - [REPEAT 1] Up and running with multi-account security guardrails In this session, we provide a crash course on building security guardrails for AWS Landing Zone, as well as templates that you can use in your own environment. We show you how to integrate continuous auditing into the account creation process, and we highlight the immutability and auditability of controls that are deployed by AWS Landing Zone. Topics also include an overview of the security guardrails concept in AWS Landing Zone, best practices for development, and code accelerators to help reduce the time from idea to first detection. Workshop Eric Rose Andy Wickersham
GRC328 - Account automation and temporary AWS credential service Riot Games struggled with providing new AWS accounts and API access that met its security requirements, so it built an account provisioning service to ensure that all accounts are created consistently with the required security controls. Riot also built a credential service where developers can grab temporary API keys with one command. This works wherever the developers work, and the credentials automatically expire each day. Riot now provisions new accounts with security guardrails within an hour, and the number of permanent AWS API keys is reduced by 70 percent. Learn how to build similar services using AWS Organizations, AWS Step Functions, AWS Lambda, Amazon CloudFront, and Amazon API Gateway. Session Reza Nikoopour William Green
GRC330-R - [REPEAT] Compliance automation: Set it up fast, then code it your way In this workshop, learn how to detect common resource misconfigurations using AWS Security Hub; how to extend coverage by deploying additional sets of existing rules or your own custom AWS Config rules using our Rule Development Kit (written in Python); and how to automatically remediate compliance violations when they are detected. Python basic skills and a basic understanding of boto3 are required for the coding portion of this workshop. Workshop Jonathan Rault Raisa Hashem
GRC330-R1 - [REPEAT 1] Compliance automation: Set it up fast, then code it your way In this workshop, learn how to detect common resource misconfigurations using AWS Security Hub; how to extend coverage by deploying additional sets of existing rules or your own custom AWS Config rules using our Rule Development Kit (written in Python); and how to automatically remediate compliance violations when they are detected. Python basic skills and a basic understanding of boto3 are required for the coding portion of this workshop. Workshop Jonathan Rault Raisa Hashem
GRC332-R - [REPEAT] Building your DevSecOps tool chain Organizations don’t need to move slowly to move cautiously. AWS offers a suite of tools that make adding automated security and compliance into the DevOps process easy. Use AWS Config to automate compliance (such as Amazon S3 bucket and Amazon EBS volume encryption, security group and subnet security, and AWS IAM role access), and use Amazon GuardDuty to monitor overall security status. We also go over how GuardDuty collects and displays both potential and actual security incidents, and how to make that part of your organization’s DevSecOps process. Builders Session Robert Sosinski
GRC332-R1 - [REPEAT 1] Building your DevSecOps tool chain Organizations don’t need to move slowly to move cautiously. AWS offers a suite of tools that make adding automated security and compliance into the DevOps process easy. Use AWS Config to automate compliance (such as Amazon S3 bucket and Amazon EBS volume encryption, security group and subnet security, and AWS IAM role access), and use Amazon GuardDuty to monitor overall security status. We also go over how GuardDuty collects and displays both potential and actual security incidents, and how to make that part of your organization’s DevSecOps process. Builders Session Robert Sosinski
GRC332-R2 - [REPEAT 2] Building your DevSecOps tool chain Organizations don’t need to move slowly to move cautiously. AWS offers a suite of tools that make adding automated security and compliance into the DevOps process easy. Use AWS Config to automate compliance (such as Amazon S3 bucket and Amazon EBS volume encryption, security group and subnet security, and AWS IAM role access), and use Amazon GuardDuty to monitor overall security status. We also go over how GuardDuty collects and displays both potential and actual security incidents, and how to make that part of your organization’s DevSecOps process. Builders Session Robert Sosinski
GRC333 - Security in the cloud means more than you might think For public sector customers, ensuring compliance and security is vital. AWS provides these organizations with a broad set of cloud-based services to build world-class solutions. In this session, we go over native logging tools in AWS, such as AWS CloudTrail, Amazon CloudWatch Alarms, Amazon CloudWatch Logs, and Amazon GuardDuty. We also cover automated remediation of compliance events, alerting tools, and other methods of implementing compliance. Builders Session Rob Nolen
GRC334 - Build an effective security compliance program that continuously evaluates and remediates your security posture In this session learn how to build a solution that will continuously evaluate your AWS resources for security compliance using AWS Config Rules, Amazon CloudWatch Events, and AWS Lambda. You will also learn how to improve your security posture by correcting or eliminating non-compliant resources. Builders Session Rodney Bozo
GRC335 - Enhancing data lake security with Amazon S3 tools At AWS, security is a top priority, and Amazon S3 is designed primarily to protect our customers’ data. In this session, hear about different management tools you can use to restrict access to sensitive objects stored in your data lake. Learn how to configure finely tuned access policies with resource-based policies and how to define user access policies with AWS IAM. Also learn how to use Amazon S3 Block Public Access, a feature that helps S3 customers enforce a “no public access” policy for an individual bucket, a group of buckets, or an entire account. We also review different encryption options available to S3 data lake customers. Builders Session Nur Sheikhassan
GRC336-R - [REPEAT] Deep Dive on Security in Amazon S3 At AWS, security is our top priority and Amazon S3 provides some of the most advanced data security features available in the cloud today to help you mitigate security risks. In this chalk talk, learn directly from the AWS engineering team that builds and maintains Amazon S3 security functionality, like encryption, block public access, and much more. Bring your feedback, questions, and expertise to discuss innovative ways to ensure that your data is available only to the users and applications that need it. Chalk Talk Felix Davis Sam Parmett
GRC336-R1 - [REPEAT 1] Deep Dive on Security in Amazon S3 At AWS, security is our top priority and Amazon S3 provides some of the most advanced data security features available in the cloud today to help you mitigate security risks. In this chalk talk, learn directly from the AWS engineering team that builds and maintains Amazon S3 security functionality, like encryption, block public access, and much more. Bring your feedback, questions, and expertise to discuss innovative ways to ensure that your data is available only to the users and applications that need it. Chalk Talk Felix Davis Bryant Cutler
GRC337-R - [REPEAT] Secure your data lake on AWS like a bank In this session, we discuss key considerations that customers in the financial services industry (FSI) must focus on as they build out their data lakes on AWS. We dive deep on topics such as selecting the right service based on compliance requirements; authentication and authorization; data governance; data protection requirements, including encryption at rest and in transit; and network protection. We also review proven patterns based on actual FSI data lakes deployed on AWS. Chalk Talk Ilya Epshteyn Songzhi Liu
GRC337-R1 - [REPEAT 1] Secure your data lake on AWS like a bank In this session, we discuss key considerations that customers in the financial services industry (FSI) must focus on as they build out their data lakes on AWS. We dive deep on topics such as selecting the right service based on compliance requirements; authentication and authorization; data governance; data protection requirements, including encryption at rest and in transit; and network protection. We also review proven patterns based on actual FSI data lakes deployed on AWS. Chalk Talk Songzhi Liu Ilya Epshteyn
GRC338 - Continuous compliance: Automating compliance concerns using AWS services Moving to the cloud in a compliant way can be time-consuming, and ensuring compliance over time can be complicated and difficult. With services such as AWS Config, AWS CloudTrail, Amazon CloudWatch, AWS CloudFormation, and Amazon GuardDuty, it's possible to create a centralized view of compliance across multiple accounts—both existing and new. This view is deployed in an automated fashion and is visible as a one-stop dashboard for compliance across an organization. You walk away from this session knowing how to use compliance as code to make your journeys to and in the AWS Cloud easier, with concrete use cases and supporting examples. Builders Session Andrew Langhorn
GRC339 - How FINRA achieves DevOps agility while securing its AWS environments In this presentation, FINRA discusses different aspects of its holistic security strategy. Topics covered include how to leverage AWS native security solutions, how to use logs that tie IP and identity together for network access, how to implement a software-defined perimeter model to augment network-layer security controls, and how FINRA sped up DevOps through a unified and frictionless access strategy. Session Stephen Mele Daniel Koo Jason Garbis
GRC340-R - [REPEAT] Container runtime security and automation The scanning of both container behavior and container vulnerability is important to any modern application environment. In this session, learn how to leverage Amazon EKS and AWS Lambda, along with CNCF Sandbox project Falco, to automate rules and conditions for container security. Builders Session Tres Vance
GRC340-R1 - [REPEAT 1] Container runtime security and automation The scanning of both container behavior and container vulnerability is important to any modern application environment. In this session, learn how to leverage Amazon EKS and AWS Lambda, along with CNCF Sandbox project Falco, to automate rules and conditions for container security. Builders Session Tres Vance
GRC341-R - [REPEAT] Continuous server hardening Many organizations still have static application environments with servers that run for months. Over time, these instances can drift from the desired configuration, increasing the risk to organizations of a breach. In this session, we demonstrate how organizations can use Ansible to harden their servers in accordance with CIS Benchmarks, using AWS Systems Manager and AWS Developer Tools. Learn how easy it is to manage secure server configurations as code using DevOps practices such as CI/CD. Builders Session Luis Tapia
GRC341-R1 - [REPEAT 1] Continuous server hardening Many organizations still have static application environments with servers that run for months. Over time, these instances can drift from the desired configuration, increasing the risk to organizations of a breach. In this session, we demonstrate how organizations can use Ansible to harden their servers in accordance with CIS Benchmarks, using AWS Systems Manager and AWS Developer Tools. Learn how easy it is to manage secure server configurations as code using DevOps practices such as CI/CD. Builders Session Luis Tapia
GRC342 - Scalable encryption: A key to public sector compliance This session dissects two public sector regulations (FERPA and CJIS) to demonstrate how you can use encryption when building on AWS to comply with regulatory requirements and enforce the principle of least privilege. Specifically, we cover how the AWS shared responsibility model offers an opportunity for you to keep regulated data private while taking advantage of the security, scalability, reliability, and innovation of the AWS Cloud. Session Patrick Woods
GRC343 - Presenting Radar: Validation and remediation of AWS cloud resources Liberty Mutual is opinionated about how application teams deliver and deploy code into AWS. Applications must be able to secure all data types, meet security standards, and deploy via automation. Radar is an event-driven, rules-based service for validating and remediating AWS cloud resources, and it ensures that security standards are enforced. In this session, learn about Radar, which is built on AWS and designed to ensure compliance across hundreds of AWS accounts in 14 regions while providing flexibility for rule variation. Whether risks are prevented during continuous integration or detected upon deployment and remediated, the goal is the same: all policy is enforced at the earliest moment of risk. Session Jai Schniepp Jason Mahosky
GRC344 - AWS GovCloud (US): A path to high compliance in the cloud AWS GovCloud (US) is an offering of isolated AWS infrastructure and services that address stringent US regulatory and compliance requirements. Government agencies and private sector enterprises in regulated industries leverage AWS GovCloud to run mission-critical and sensitive workloads on the cloud. This session details AWS GovCloud and the use cases and workloads that are fit for it, including how it can help address ITAR, FedRAMP, DOD SRG, CJIS, DFARS, and other requirements. We cover the Authority to Operate on AWS program and how it helps speed up the time to compliance for workloads in AWS GovCloud. Come learn about AWS GovCloud and the benefits of automating security and compliance. Session Keith Brooks Tim Sandage
GRC345 - An approach to multi-tenancy in Amazon Cognito Building multi-tenant identity solutions using Amazon Cognito could quickly become an operational burden. With hundreds or even thousands of user pools, automation becomes a key player in effective operation of such a solution. Join us in this talk to learn how to use AWS products and services to operate multi-tenant identity solutions in Amazon Cognito with services like AWS CloudFormation, AWS CodePipeline, and AWS Lambda functions. Chalk Talk Mahmoud Matouk
GRC346 - DNS governance in multi-account and hybrid environments In hybrid environments with workloads running between multiple AWS accounts and customer data centers, DNS management becomes a critical and highly distributed piece of the architecture. A centralized DNS approach allows you to focus governance of this critical piece in a protected account with limited privileges, and it improves your ability to audit and monitor DNS components in your environment. In this session, learn how to implement centralized DNS architecture using AWS native services. We use Amazon Route 53 Resolver, conditional forwarding rules, and AWS Resource Access Manager to implement a centralized DNS solution in a multi-account AWS environment. Builders Session Mahmoud Matouk
GRC348 - Enforce whitelist-only policy through conditional forwarding rules DNS whitelisting provides a pathway to reduce the risk of online threats such as viruses, malware, and ransomware, and it allows you to enforce compliance with a DNS protection strategy and the policy of whitelist only. In this session, learn a simple yet effective approach to implementing DNS whitelisting using AWS native services. We use Amazon Route 53 Resolver and conditional forwarding rules to implement DNS whitelisting of allowed domains. Other domain queries are sent to a sinkhole, where the query is logged and later analyzed using Amazon Athena. Builders Session Mahmoud Matouk
GRC349 - How to truly delegate permissions with an effective GRC program A good governance, risk, and compliance (GRC) program establishes the foundation for meeting security and compliance objectives. However, many GRC programs are viewed as bureaucracy getting in the way of exciting cybersecurity and system development. Permissions boundaries address the issue of how to delegate administration to developers while maintaining a strong GRC program. If you have developers that need to create IAM roles and policies for AWS Lambda functions or instances, then you need permissions boundaries. In this session, we demonstrate that with the proper use of permissions boundaries, you can enforce a GRC program and provide flexibility to developers. Builders Session Stephen Alexander
GRC350 - We all want the same things: Meeting controls objectives on AWS This session is for technical practitioners as well as audit and compliance professionals. You learn the range of capabilities and patterns on AWS for implementing and achieving controls objectives. This session focuses on bridging the gap between IT and infosec technical experts and their stakeholders on audit and compliance teams. The purpose is for both groups to learn about the other’s domain and foster closer, more productive working relationships. We all want the same things. Chalk Talk Peter O'Donnell
GRC351 - Protect customer privacy with AWS Come to this session to learn a new approach for reducing risk and costs while increasing productivity, organizational alacrity, and customer experience, resulting in a competitive advantage and assorted revenue growth. We share how a de-identified data lake on AWS can help you comply with General Data Protection Regulation and California Consumer Privacy Act requirements. Session Rohit Pujari Anhad Singh
HOL001-R - [REPEAT] Hands-on Labs Visit Hands-on Labs for the opportunity to practice with AWS in a live sandbox environment. In Hands-on Labs, choose a lab from our catalog (including many security-focused labs) and learn at your own pace as you walk through scenarios step-by-step. Lab topics range in level from introductory to expert and take approximately 30–60 minutes to complete. Registration is not required; walk-ups are welcome! Hands-on Lab
HOL001-R1 - [REPEAT 1] Hands-on Labs Visit Hands-on Labs for the opportunity to practice with AWS in a live sandbox environment. In Hands-on Labs, choose a lab from our catalog (including many security-focused labs) and learn at your own pace as you walk through scenarios step-by-step. Lab topics range in level from introductory to expert and take approximately 30–60 minutes to complete. Registration is not required; walk-ups are welcome! Hands-on Lab
ISL001-R - [REPEAT] AWS International Security Lounge AWS celebrates and honors the diversity of our customer base. The International Security Lounge is open to all re:Inforce attendees. Come meet AWS team members from around the globe, enjoy some refreshments, charge your devices and learn about our security events coming to a region near you! General Activity
ISL001-R1 - [REPEAT 1] AWS International Security Lounge AWS celebrates and honors the diversity of our customer base. The International Security Lounge is open to all re:Inforce attendees. Come meet AWS team members from around the globe, enjoy some refreshments, charge your devices and learn about our security events coming to a region near you! General Activity
JAL001-R - [REPEAT] Jam Lounge Security and incident response is one of the top priorities for organizations that move their workloads to the cloud. Just understanding the types of controls that are available through AWS and our partners is no longer enough. The Jam Lounge provides self-paced challenges that can be completed within the Jam Lounge or during breaks, lunch, and even overnight. The challenges will help you learn new skills and practice current ones against simulated environments. General Activity
JAL001-R1 - [REPEAT 1] Jam Lounge Security and incident response is one of the top priorities for organizations that move their workloads to the cloud. Just understanding the types of controls that are available through AWS and our partners is no longer enough. The Jam Lounge provides self-paced challenges that can be completed within the Jam Lounge or during breaks, lunch, and even overnight. The challenges will help you learn new skills and practice current ones against simulated environments. General Activity
JAL001-R2 - [REPEAT 2] Jam Lounge Security and incident response is one of the top priorities for organizations that move their workloads to the cloud. Just understanding the types of controls that are available through AWS and our partners is no longer enough. The Jam Lounge provides self-paced challenges that can be completed within the Jam Lounge or during breaks, lunch, and even overnight. The challenges will help you learn new skills and practice current ones against simulated environments. General Activity
MEA001 - Breakfast - Tuesday Breakfast will be provided in the Security Learning Hub, Exhibit Level from 7am - 9am. Meal
MEA002 - Lunch - Tuesday Lunch will be provided in the Security Learning Center, Exhibit Level (Buffet) and Wicked Good Market, Level 1 (Grab & Go) 11am - 1pm. Meal
MEA004 - Breakfast - Wednesday Breakfast will be provided in the Security Learning Hub, Exhibit Level from 7am - 9am. Meal
MEA005 - Lunch - Wednesday Lunch will be provided in the Security Learning Center, Exhibit Level (Buffet) and Wicked Good Market, Level 1 (Grab & Go) 11am - 1pm. Meal
NSL001-R - [REPEAT] AWS Network Services Lounge Your AWS network is at the foundation of your security. It plays a critical part in securing your environment by isolating resources, encrypting data, and connecting privately on the AWS global network. Come and join us for a chance to meet and ask questions to AWS networking experts about our latest services, such as AWS Transit Gateway, AWS Client VPN, Amazon Route 53 Resolver, and AWS PrivateLink. Whiteboard architectures and see demonstrations of networking services, including our very latest announcements. General Activity
NSL001-R1 - [REPEAT 1] AWS Network Services Lounge Your AWS network is at the foundation of your security. It plays a critical part in securing your environment by isolating resources, encrypting data, and connecting privately on the AWS global network. Come and join us for a chance to meet and ask questions to AWS networking experts about our latest services, such as AWS Transit Gateway, AWS Client VPN, Amazon Route 53 Resolver, and AWS PrivateLink. Whiteboard architectures and see demonstrations of networking services, including our very latest announcements. General Activity
RCP001 - Reception Closing reception General Activity
SDD201 - Build a dashboard using serverless security analytics In this session, we walk you through a demo of how a security team can build dashboards in minutes without having to gain deep knowledge on analytics. The AWS serverless services we use include AWS WAF logs, AWS Glue, Amazon Athena, and Amazon QuickSight. Session Umesh Ramesh Rohit Rangnekar
SDD202 - Create & customize a Lambda rotation function for AWS Secrets Manager In this chalk talk, we dive deep into creating and customizing an AWS Lambda rotation function for AWS Secrets Manager. We develop an example from scratch to create an AWS Lambda rotation function for Amazon ElastiCache for Redis. We explain how the Lambda rotation function can help automate compliance (automated credential rotation every n days), pitfalls to watch for, and where to add customizations. We also cover how to enable and enforce least privilege and how to enable monitoring and audit trails for the rotation function. Finally, we show you how to test the rotation function. Chalk Talk Josh Joy
SDD203 - Secure access to internal apps using Amazon WorkLink In this chalk talk, we cover how Amazon WorkLink securely isolates content in AWS containers and then uses split rendering technology to deliver a seamless user experience while ensuring that no data is ever stored by web browsers on end-user devices. We dive deep into the security measures that Amazon WorkLink incorporates to ensure granular access control and protection of your critical internal data. Chalk Talk Collin Scott Supriya Kher
SDD204 - Using analytics to set access controls in AWS Administrators need to enable developers to move quickly when building applications on AWS while also controlling access to meet security needs. In this session, we demonstrate how administrators put permissions guardrails in place that enable them to grant broader access for their applications and developers. Then, we demonstrate how administrators can analyze activity to dial in access controls as applications and developers settle into common patterns. Finally, we show how to simulate permissions changes to understand and assess their impact. This session expects that participants are knowledgeable about IAM permission policies and AWS Organizations. Session Ujjwal Pugalia
SDD301 - Lean and clean SecOps using AWS native services cloud "Cloud first" and "cloud native" are the new mindsets for many IT & business teams operating on AWS. In this new world, security functions need to scale for rapidly growing AWS accounts and VPCs in the organization. In this session, we show you how to build a world-class security operations organization with the same "cloud native" mindset using AWS tools. By the end of this session, you will understand how to run a lean and clean SecOps center for a fast-paced organization. The key objective of this session is to transform the security team from "no" to everything, to "know" everything. By knowing everything, you will sleep better. Session Ramesh Adabala
SDD302-R - [REPEAT] Methods for emergency privileged access Customers often want to provide an approved method for emergency privileged access to a secured environment. Use cases include providing remote shell access to instances in a production environment and providing temporary credentials for users to access high-privilege AWS API calls. You may not allow the creation of an internet gateway in nonproduction environments by default, but there are times when there is a need to allow someone to create an internet gateway in response to a legitimate requirement, such as load or stress testing. In this chalk talk, we build automation using AWS native tools, such as AWS Systems Manager Agent, Amazon CloudWatch Events, AWS Lambda, AWS Service Catalog, and IAM. Chalk Talk Nirav Kothari
SDD302-R1 - [REPEAT 1] Methods for emergency privileged access Customers often want to provide an approved method for emergency privileged access to a secured environment. Use cases include providing remote shell access to instances in a production environment and providing temporary credentials for users to access high-privilege AWS API calls. You may not allow the creation of an internet gateway in nonproduction environments by default, but there are times when there is a need to allow someone to create an internet gateway in response to a legitimate requirement, such as load or stress testing. In this chalk talk, we build automation using AWS native tools, such as AWS Systems Manager Agent, Amazon CloudWatch Events, AWS Lambda, AWS Service Catalog, and IAM. Chalk Talk Nirav Kothari
SDD303-R - [REPEAT] Using AWS Firewall Manager and AWS WAF to protect your web applications In this chalk talk, we highlight a specific architecture and demo the solution for how to use both AWS WAF and AWS Firewall Manager—and have both development and security teams work together—in developing AWS WAF rules to ensure the security of a web application. Discover how this solution also helps in building more AWS WAF rules than the existing limits by doubling the number of rules per web ACL by using AWS WAF rule groups within a rule. Chalk Talk Umesh Ramesh Kevin Lee
SDD303-R1 - [REPEAT 1] Using AWS Firewall Manager and AWS WAF to protect your web applications In this chalk talk, we highlight a specific architecture and demo the solution for how to use both AWS WAF and AWS Firewall Manager—and have both development and security teams work together—in developing AWS WAF rules to ensure the security of a web application. Discover how this solution also helps in building more AWS WAF rules than the existing limits by doubling the number of rules per web ACL by using AWS WAF rule groups within a rule. Chalk Talk Kevin Lee Umesh Ramesh
SDD304 - Deep dive into AWS KMS In this session, learn the dos and don'ts of using AWS Key Management Service (KMS). We cover topics such as envelope encryption, encryption context, and permissions. We also dig into common situations that customers encounter, how to get out of them, and how to avoid them. At the end of this presentation, you leave with a working knowledge of how to use the permissions and authorization systems built into AWS KMS and with an understanding of how to appropriately encrypt data using AWS KMS. Chalk Talk Jim Irving Paul Radulovic
SDD305-R - [REPEAT] Building a DevSecOps culture In this chalk talk, we examine how to build a DevSecOps culture, which includes developing foundational practices and scaling functions to instantiate and resiliently operate a DevSecOps model. To achieve this shift, we analyze common success patterns, mechanisms for culture change, and mechanisms to reinforce this culture change. We also discuss the key points for building a DevSecOps culture. Takeaways include a blueprint for building a DevSecOps operating model in your organization, an understanding of the security practitioner’s point of view and how to embrace it to drive innovation, and ways to identify operating characteristics in your organization and use them to drive a strategy for DevSecOps. Chalk Talk Tim Anderson
SDD305-R1 - [REPEAT 1] Building a DevSecOps culture In this chalk talk, we examine how to build a DevSecOps culture, which includes developing foundational practices and scaling functions to instantiate and resiliently operate a DevSecOps model. To achieve this shift, we analyze common success patterns, mechanisms for culture change, and mechanisms to reinforce this culture change. We also discuss the key points for building a DevSecOps culture. Takeaways include a blueprint for building a DevSecOps operating model in your organization, an understanding of the security practitioner’s point of view and how to embrace it to drive innovation, and ways to identify operating characteristics in your organization and use them to drive a strategy for DevSecOps. Chalk Talk Tim Anderson
SDD306 - Securing serverless and container services Most customers are uncertain of how to secure their serverless services because these services deviate from traditional perimeter security. Additionally, many security stakeholders do not have as much insight into serverless architectures as developer communities. In this session, we provide best practices, patterns, and demos on securing serverless services using a combination of secure coding practices with partner code libraries, DevOps principles, code/container version control using code, and a deep understanding of serverless services such as AWS Lambda, AWS Fargate, and Amazon EKS. We aim to provide some baselining mechanisms and patterns to build full serverless and secure service architectures. Session Tomas Clemente Sanchez
SDD307-R - [REPEAT] Protecting your IoT fleet Whether you’re selling millions of IoT devices to customers or deploying thousands to your own factories, protecting your IoT fleet can be difficult. With AWS, you can quickly deploy, manage, and audit your devices' security posture consistently and continuously. In this builder session, learn how to securely deploy a provided IoT sensor with its own certificate, register the device with a simple function, and then audit the device's security posture against best practices. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Megan O'Neil
SDD307-R1 - [REPEAT 1] Protecting your IoT fleet Whether you’re selling millions of IoT devices to customers or deploying thousands to your own factories, protecting your IoT fleet can be difficult. With AWS, you can quickly deploy, manage, and audit your devices' security posture consistently and continuously. In this builder session, learn how to securely deploy a provided IoT sensor with its own certificate, register the device with a simple function, and then audit the device's security posture against best practices. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Hong Pham
SDD307-R2 - [REPEAT 2] Protecting your IoT fleet Whether you’re selling millions of IoT devices to customers or deploying thousands to your own factories, protecting your IoT fleet can be difficult. With AWS, you can quickly deploy, manage, and audit your devices' security posture consistently and continuously. In this builder session, learn how to securely deploy a provided IoT sensor with its own certificate, register the device with a simple function, and then audit the device's security posture against best practices. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Hong Pham
SDD307-R3 - [REPEAT 3] Protecting your IoT fleet Whether you’re selling millions of IoT devices to customers or deploying thousands to your own factories, protecting your IoT fleet can be difficult. With AWS, you can quickly deploy, manage, and audit your devices' security posture consistently and continuously. In this builder session, learn how to securely deploy a provided IoT sensor with its own certificate, register the device with a simple function, and then audit the device's security posture against best practices. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Megan O'Neil
SDD307-R4 - [REPEAT 4] Protecting your IoT fleet Whether you’re selling millions of IoT devices to customers or deploying thousands to your own factories, protecting your IoT fleet can be difficult. With AWS, you can quickly deploy, manage, and audit your devices' security posture consistently and continuously. In this builder session, learn how to securely deploy a provided IoT sensor with its own certificate, register the device with a simple function, and then audit the device's security posture against best practices. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session John Yi
SDD307-R5 - [REPEAT 5] Protecting your IoT fleet Whether you’re selling millions of IoT devices to customers or deploying thousands to your own factories, protecting your IoT fleet can be difficult. With AWS, you can quickly deploy, manage, and audit your devices' security posture consistently and continuously. In this builder session, learn how to securely deploy a provided IoT sensor with its own certificate, register the device with a simple function, and then audit the device's security posture against best practices. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session John Yi
SDD308 - Integrating security testing into your container build pipeline In this workshop, you learn to leverage AWS development tools and open-source projects to integrate automated security testing into a CI/CD pipeline. Learn about a variety of patterns for integrating security testing and security-centric release control into AWS CodePipeline. Additionally, learn how to add feedback loops and fix common security vulnerabilities in your container-based application. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Workshop Aditya Patel Avik Mukherjee
SDD309 - Maturing and scaling your security remediation Leveraging multiple AWS security data sources and partner sources, we demonstrate how you can start slowly and work your way up to full, automated remediation at scale. We also introduce Aero, an AWS Professional Services remediation offering, and we showcase how you can integrate it to help augment your existing playbooks. Chalk Talk Michael Wasielewski Michael St.Onge
SDD310 - DevSecOps: Integrating security into pipelines In this workshop, you practice running an environment with a test and production deployment pipeline. Along the way, we cover topics such as static code analysis, dynamic infrastructure review, and workflow types. You also learn how to update your process in response to security events. We write new AWS Lambda functions and incorporate them into the pipeline, and we consider capabilities such as AWS Systems Manager Parameter Store and AWS Secrets Manager. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Workshop Byron Pogson
SDD311 - Using AWS WAF to protect against bots and scrapers In this workshop, you learn how to deploy AWS WAF in front of your application, how to set up AWS WAF full logging for compliance and monitoring purposes, and how to increase your security posture by creating custom rules using Amazon Elasticsearch Service with Kibana. You also learn how to protect your application against bad bots, web scrapers, and scanners by configuring bad and benign bot signatures and then automating your AWS WAF rules by parsing AWS WAF full logs using an AWS Lambda function. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Workshop Yuri Duchovny Gene Ting
SDD312-R - [REPEAT] Scaling threat detection and response in AWS This workshop provides the opportunity for you to get familiar with AWS security services and learn how to use them to identify and remediate threats in your environment. Learn how to use Amazon GuardDuty, Amazon Macie, Amazon Inspector, and AWS Security Hub to investigate threats during and after an attack, set up a notification and response pipeline, and add additional protections to improve your environment’s security posture. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Workshop Ross Warren
SDD312-R1 - [REPEAT 1] Scaling threat detection and response in AWS This workshop provides the opportunity for you to get familiar with AWS security services and learn how to use them to identify and remediate threats in your environment. Learn how to use Amazon GuardDuty, Amazon Macie, Amazon Inspector, and AWS Security Hub to investigate threats during and after an attack, set up a notification and response pipeline, and add additional protections to improve your environment’s security posture. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Workshop Ross Warren
SDD313-R - [REPEAT] Understanding where and how to use permissions boundaries and service control policies The service control policies (SCPs) in AWS Organizations now support resources and conditions! Learn how you can use a combination of SCPs and permissions boundaries to further secure your environments. We also dive into the tradeoffs of using one or the other to fit certain situations. Chalk Talk Megan O'Neil
SDD313-R1 - [REPEAT 1] Understanding where and how to use permissions boundaries and service control policies The service control policies (SCPs) in AWS Organizations now support resources and conditions! Learn how you can use a combination of SCPs and permissions boundaries to further secure your environments. We also dive into the tradeoffs of using one or the other to fit certain situations. Chalk Talk Megan O'Neil
SDD314 - Enforcing security invariants with AWS Organizations The builder in you wants to move fast in the cloud, taking advantage of the agility, flexibility, and scale that it offers. The security professional in you needs to ensure that—no matter what your team is doing in the cloud—certain security and compliance invariants are guaranteed to hold. This session is for the security builders among you. We show you how to take advantage of the security perimeters offered by AWS Organizations to simply, securely, and definitively assert your security rules at the perimeter. Session Becky Weiss
SDD315 - Securing your Amazon SageMaker model development in a highly regulated environment Amazon SageMaker is a fully managed platform that enables developers and data scientists to quickly and easily build, train, and deploy machine learning models at any scale. In this session, we dive deep into the security configurations of Amazon SageMaker components, including notebooks, distributed and batch training, and hosting endpoints. We also review Vanguard’s implementation of key controls in a highly regulated environment. These include fine-grained access control, end-to-end encryption in transit, encryption at rest with AWS KMS customer-managed customer master keys (CMKs), private connectivity to all Amazon SageMaker APIs, and comprehensive audit trails for resource and data access. Session Ritesh Shah Hung Pham
SDD316 - How Dow Jones uses AWS to create a secure perimeter around its web properties Dow Jones, a world-leading data, media, and intelligence solutions provider with brands like the Wall Street Journal and MarketWatch, has numerous applications that need protection. The company was seeking a protection solution and a way to gain more control over security, and it looked to AWS to secure the cloud right at the edge. This session explores how Dow Jones implemented innovative architecture to meet its software security framework using CloudFront, AWS Shield, AWS WAF, Lambda, and more. Learn how to use AWS services to architect software environments for securing applications. Join Kamal Verma, senior principal engineer at Dow Jones, for a deep dive into their implementation and learnings. Session Kamal Verma
SDD318 - Security best practices the well-architected way As you continually evolve your use of the AWS platform, it’s important to consider ways to improve your security posture and take advantage of new security services and features. In this advanced session, we share architectural patterns for meeting common challenges, service limits and tips, tricks, and ways to continually evaluate your architecture against best practices. Automation and tools are featured throughout, and there will be code giveaways! Be prepared for a technically deep session on AWS security. Session Ben Potter
SDD319 - Ensure the integrity of your code for fast and secure deployments DevOps practices help push applications faster into production through better collaboration and automated testing. During that process, security is often seen as an inhibitor to speed. The challenge for many organizations is delivering applications at a fast pace while embedding security at the speed of DevOps. In this session, learn how products and customers in the AWS Marketplace help make DevSecOps a well-orchestrated methodology for ensuring the speed, stability, and security of your applications. Session Benjamin Andrew
SDD323-R - [REPEAT] Automating remediation of noncompliant configurations This builders session focuses on developing automation to immediately remediate issues and notify security teams of noncompliance to expected baselines through several simple yet powerful implementations of AWS Config and AWS Lambda. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Aaron Franco
SDD323-R1 - [REPEAT 1] Automating remediation of noncompliant configurations This builders session focuses on developing automation to immediately remediate issues and notify security teams of noncompliance to expected baselines through several simple yet powerful implementations of AWS Config and AWS Lambda. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Aaron Franco
SDD323-R2 - [REPEAT 2] Automating remediation of noncompliant configurations This builders session focuses on developing automation to immediately remediate issues and notify security teams of noncompliance to expected baselines through several simple yet powerful implementations of AWS Config and AWS Lambda. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Aaron Franco
SDD323-R3 - [REPEAT 3] Automating remediation of noncompliant configurations This builders session focuses on developing automation to immediately remediate issues and notify security teams of noncompliance to expected baselines through several simple yet powerful implementations of AWS Config and AWS Lambda. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Aaron Franco
SDD323-R4 - [REPEAT 4] Automating remediation of noncompliant configurations This builders session focuses on developing automation to immediately remediate issues and notify security teams of noncompliance to expected baselines through several simple yet powerful implementations of AWS Config and AWS Lambda. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Aaron Franco
SDD323-R5 - [REPEAT 5] Automating remediation of noncompliant configurations This builders session focuses on developing automation to immediately remediate issues and notify security teams of noncompliance to expected baselines through several simple yet powerful implementations of AWS Config and AWS Lambda. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Aaron Franco
SDD324-R - [REPEAT] Setting up a DevSecOps pipeline to automate vulnerability scanning of Docker images A container image is built up from a series of layers. It is incredibly difficult and time-consuming to manually track all of the files, packages, libraries, and so on that are included in an image along with the vulnerabilities that they may possess. This session guides you through setting up automated vulnerability scanning using AWS CodePipeline to scan your container images for known security vulnerabilities and to deploy the container only if the vulnerabilities are within a defined threshold. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Vikrama Adethyaa
SDD324-R1 - [REPEAT 1] Setting up a DevSecOps pipeline to automate vulnerability scanning of Docker images A container image is built up from a series of layers. It is incredibly difficult and time-consuming to manually track all of the files, packages, libraries, and so on that are included in an image along with the vulnerabilities that they may possess. This session guides you through setting up automated vulnerability scanning using AWS CodePipeline to scan your container images for known security vulnerabilities and to deploy the container only if the vulnerabilities are within a defined threshold. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Gururaj Bayari
SDD324-R2 - [REPEAT 2] Setting up a DevSecOps pipeline to automate vulnerability scanning of Docker images A container image is built up from a series of layers. It is incredibly difficult and time-consuming to manually track all of the files, packages, libraries, and so on that are included in an image along with the vulnerabilities that they may possess. This session guides you through setting up automated vulnerability scanning using AWS CodePipeline to scan your container images for known security vulnerabilities and to deploy the container only if the vulnerabilities are within a defined threshold. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Vikrama Adethyaa
SDD324-R3 - [REPEAT 3] Setting up a DevSecOps pipeline to automate vulnerability scanning of Docker images A container image is built up from a series of layers. It is incredibly difficult and time-consuming to manually track all of the files, packages, libraries, and so on that are included in an image along with the vulnerabilities that they may possess. This session guides you through setting up automated vulnerability scanning using AWS CodePipeline to scan your container images for known security vulnerabilities and to deploy the container only if the vulnerabilities are within a defined threshold. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Gururaj Bayari
SDD324-R4 - [REPEAT 4] Setting up a DevSecOps pipeline to automate vulnerability scanning of Docker images A container image is built up from a series of layers. It is incredibly difficult and time-consuming to manually track all of the files, packages, libraries, and so on that are included in an image along with the vulnerabilities that they may possess. This session guides you through setting up automated vulnerability scanning using AWS CodePipeline to scan your container images for known security vulnerabilities and to deploy the container only if the vulnerabilities are within a defined threshold. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Vikrama Adethyaa
SDD324-R5 - [REPEAT 5] Setting up a DevSecOps pipeline to automate vulnerability scanning of Docker images A container image is built up from a series of layers. It is incredibly difficult and time-consuming to manually track all of the files, packages, libraries, and so on that are included in an image along with the vulnerabilities that they may possess. This session guides you through setting up automated vulnerability scanning using AWS CodePipeline to scan your container images for known security vulnerabilities and to deploy the container only if the vulnerabilities are within a defined threshold. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Gururaj Bayari
SDD325 - Bose uses AWS IoT to securely connect millions of devices and improve IT agility As a result of moving to AWS, Bose retired its first data center in 2018, and its second data center is closing later this year. In this session, Bose’s head of security discusses the company’s journey to the cloud and how it moved hundreds of workloads and services to AWS using a shared services model. This included business-critical environments that are in scope for regulatory compliance and SAP applications that are paramount to running the business. On the product side, this session covers how Bose securely connected millions of devices to AWS IoT, which required multiple iterations of security controls, policies, and standards. Session Peter Buonora Satyendra Thakur
SDD326-R - [REPEAT] Security best practices for Amazon EKS This builders session takes you through the process of securing Kubernetes pods running on Amazon Elastic Container Service for Kubernetes (Amazon EKS). We set up a VPC with proper tagging, configure kubectl, and create the required trust, roles, and AWS Identity and Access Management (IAM) policies that are required to apply pod-level security using kube2iam for Amazon EKS. We also apply IAM roles to a namespace in order to restrict pods to a specific IAM role. Builders Session James Meyer
SDD326-R1 - [REPEAT 1] Security best practices for Amazon EKS This builders session takes you through the process of securing Kubernetes pods running on Amazon Elastic Container Service for Kubernetes (Amazon EKS). We set up a VPC with proper tagging, configure kubectl, and create the required trust, roles, and AWS Identity and Access Management (IAM) policies that are required to apply pod-level security using kube2iam for Amazon EKS. We also apply IAM roles to a namespace in order to restrict pods to a specific IAM role. Builders Session James Meyer
SDD326-R2 - [REPEAT 2] Security best practices for Amazon EKS This builders session takes you through the process of securing Kubernetes pods running on Amazon Elastic Container Service for Kubernetes (Amazon EKS). We set up a VPC with proper tagging, configure kubectl, and create the required trust, roles, and AWS Identity and Access Management (IAM) policies that are required to apply pod-level security using kube2iam for Amazon EKS. We also apply IAM roles to a namespace in order to restrict pods to a specific IAM role. Builders Session James Meyer
SDD326-R3 - [REPEAT 3] Security best practices for Amazon EKS This builders session takes you through the process of securing Kubernetes pods running on Amazon Elastic Container Service for Kubernetes (Amazon EKS). We set up a VPC with proper tagging, configure kubectl, and create the required trust, roles, and AWS Identity and Access Management (IAM) policies that are required to apply pod-level security using kube2iam for Amazon EKS. We also apply IAM roles to a namespace in order to restrict pods to a specific IAM role. Builders Session Apoorva Kulkarni
SDD326-R4 - [REPEAT 4] Security best practices for Amazon EKS This builders session takes you through the process of securing Kubernetes pods running on Amazon Elastic Container Service for Kubernetes (Amazon EKS). We set up a VPC with proper tagging, configure kubectl, and create the required trust, roles, and AWS Identity and Access Management (IAM) policies that are required to apply pod-level security using kube2iam for Amazon EKS. We also apply IAM roles to a namespace in order to restrict pods to a specific IAM role. Builders Session James Meyer
SDD326-R5 - [REPEAT 5] Security best practices for Amazon EKS This builders session takes you through the process of securing Kubernetes pods running on Amazon Elastic Container Service for Kubernetes (Amazon EKS). We set up a VPC with proper tagging, configure kubectl, and create the required trust, roles, and AWS Identity and Access Management (IAM) policies that are required to apply pod-level security using kube2iam for Amazon EKS. We also apply IAM roles to a namespace in order to restrict pods to a specific IAM role. Builders Session Apoorva Kulkarni
SDD326-R6 - [REPEAT 6] Security best practices for Amazon EKS This builders session takes you through the process of securing Kubernetes pods running on Amazon Elastic Container Service for Kubernetes (Amazon EKS). We set up a VPC with proper tagging, configure kubectl, and create the required trust, roles, and AWS Identity and Access Management (IAM) policies that are required to apply pod-level security using kube2iam for Amazon EKS. We also apply IAM roles to a namespace in order to restrict pods to a specific IAM role. Builders Session Apoorva Kulkarni
SDD328 - How Pokémon’s SecOps team enables its business Pokémon’s SecOps team built an automated PII datalake pipeline allowing them to categorize data into profiles and manage permissions. We discuss how, using AWS Lambda, Amazon DynamoDB, and Amazon Simple Queue Service (Amazon SQS), they can validate any person in Active Directory, build the approval to the appropriate manager, write to DDB with a TTL, and push the appropriate access controls. This has two benefits: First, Pokémon can reuse this architecture for other permissions-based business processes, meaning a security layer can be added at the beginning. Second, it frees up security engineers to tackle larger, more important challenges. Session Jacob Bornemann
SDD329 - Separation of duties, least privilege, delegation, and CI/CD: IAM strategy for financial services Enhancements to AWS Identity and Access Management (IAM) and related services in the past year have made it safer and easier than ever to grant developers direct access to AWS. In this session, security and DevOps specialists share a new approach to automating IAM in AWS based on recent engagements with Global Financial Services customers. Learn how they've used CI/CD tools and techniques to enforce separation of duties, curtail human review of policy code, and delegate access to IAM while reducing the risk of unintended permissions escalation. Session Fritz Kunstler Alan Garver
SDD330 - Tax returns in the cloud: The journey of Intuit’s data platform With Amazon EC2, Amazon EBS, Amazon S3, AWS KMS, and more, Intuit’s data platform was able to meet the requirements of high availability and rapid infrastructure scaling for 100 percent of the tax year’s seasonal demands. In this session, Intuit answers questions such as: Which portions of a complex system can be forklifted directly? Which need to be reengineered? How can highly sensitive data be migrated and stored securely in AWS? Are operational best practices in AWS different than those on premises? Intuit shares its strategy for establishing sufficient confidence in your business partners and delivering 100 percent product uptime. Session Amit Matety Ben Covi
SDD331 - Evolving perimeters with guardrails, not gates: Improving developer agility In this session, Comcast discusses its AWS cloud governance strategy, focusing on self-service tooling and account management, and explaining how it improved the developer experience by leveraging federated identities, AWS Organizations, and AWS Identity and Access Management permissions boundaries. Session Charlie Hammell David Hocky Christopher Power
SDD333 - Achieving security goals with AWS CloudHSM This talk compares AWS CloudHSM to other AWS cryptography services for common use cases. We dive deep on how to build scalable, reliable workloads with CloudHSM, and we cover configuration of the service for performance, error resilience, and cross-region redundancy. Session Avni Rambhia Stephen Quigg
SDD334-L - Leadership session: Security deep dive In this session, Bill Reid, Senior Manager of Security Solutions Architects, and Bill Shinn, Senior Principal in the Office of the CISO, walk attendees through the ways in which security leadership and security best practices have evolved, with an emphasis on advanced tooling and features. Both speakers have provided frontline support on complex security and compliance questions posed by AWS customers; join them in this master class in cloud strategy and tactics. Session Bill Shinn William Reid
SDD335 - Cloud DevSecOps masterclass: Lessons learned from a multi-year implementation of cloud automation at scale McGraw-Hill discusses how to effectively manage cloud operations for over 80 different agile DevOps teams by leveraging automated guardrails. In this talk, you learn about the challenges of running cloud operations at scale. Join us to learn what guardrails are, how you implement them at scale, and how they work across the entire cloud stack: networking, security, IAM, service whitelisting, OS hardening, and patching. Session Chinmay Tripathi Nathan Wallace
SDD336-R - [REPEAT] How to build secure, cross-account pipelines This builder session shows you how to build secure, cross-account pipelines for deploying applications from a central tools account to development, staging, and production accounts. This session focuses on how to leverage AWS CodePipeline, AWS CodeBuild, AWS CloudFormation, AWS CodeDeploy, AWS KMS, and Amazon S3 to build secure pipelines across multiple AWS accounts. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Sarma Palli
SDD336-R1 - [REPEAT 1] How to build secure, cross-account pipelines This builder session shows you how to build secure, cross-account pipelines for deploying applications from a central tools account to development, staging, and production accounts. This session focuses on how to leverage AWS CodePipeline, AWS CodeBuild, AWS CloudFormation, AWS CodeDeploy, AWS KMS, and Amazon S3 to build secure pipelines across multiple AWS accounts. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Sarma Palli
SDD336-R2 - [REPEAT 2] How to build secure, cross-account pipelines This builder session shows you how to build secure, cross-account pipelines for deploying applications from a central tools account to development, staging, and production accounts. This session focuses on how to leverage AWS CodePipeline, AWS CodeBuild, AWS CloudFormation, AWS CodeDeploy, AWS KMS, and Amazon S3 to build secure pipelines across multiple AWS accounts. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Sarma Palli
SDD336-R3 - [REPEAT 3] How to build secure, cross-account pipelines This builder session shows you how to build secure, cross-account pipelines for deploying applications from a central tools account to development, staging, and production accounts. This session focuses on how to leverage AWS CodePipeline, AWS CodeBuild, AWS CloudFormation, AWS CodeDeploy, AWS KMS, and Amazon S3 to build secure pipelines across multiple AWS accounts. All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services. Builders Session Seetarama Sarma