Corey Quinn

@QuinnyPig

80 Tweets 8 reads Aug 24, 2021
And the @awscloud re:Inforce livestream is up. SPONSORED BY PALO ALTO NETWORKS.
(No not this thread, because they lack imagination; the actual keynote livestream. It's *way* more expensive.)
The EC2 15th birthday, some Twitch shows, re:Inforce, and the Americas Online Summit are all video options you can watch today, at largely the same times. Brought to you by @awscloud.
Amusingly, this is about how well the EC2 Instance Scheduler works, too.
I think I'm the only person watching this, because when it comes to cloud security, @awscloud and I are apparently the only ones who give a shit.
For Amazonian color commentary, I'm corey@duckbillgroup.com on Chime. Not even slightly kidding.
Now let's see what this livestream has to say!
And we start with @aselipsky.
"Honestly I'm still new and was looking for the bathroom. Sure, I'll stop and chat with the camera."
"If security doesn't work, we don't have a business." It's nice to hear @aselipsky state it so directly. It's true.
"Please don't hesitate to tell us what you and your business need."
Suddenly @aselipsky realized that I'm watching this, and that he's just invited the vampire inside the house.
Next we have @StephenSchmidt. We can tell he's the CISO because of the dress code.
He now mentions all of the diamond sponsors by name.
I can't believe I wasn't invited to give a rebuttal.
Fortunately we all know what we're doing in cloud, right?
"Do you have the right demarcation between your work life and your home life?" asks @StephenSchmidt, briefly forgetting for which company he works.
Now starts drifting in what might be a FUD direction. If so I'm disappointed; there's a better story than that.
I dunno, I've seen similar levels of verbiage in the AWS console from time to time...
Talking about GuardDuty now.
My hot take: it should be free. Otherwise it just feels like a cash grab, and doesn't compare super well to third party offerings.
"There are some things you can only get with your provider's telemetry." Yeah, so why are you charging me for that?
You absolutely don't want security to be an investment decision, but of course there's an entire industry dedicated to ensuring it is and remains so.
And there's Machine Learning®; drink!
Meanwhile over in my tiny shitposting account (seriously; it's got the coveted "shitposting" @awscloud account alias)
Lists a bunch of SecurityHub supported security services you should be using and also Amazon Macie.
Now @StephenSchmidt is at the "car analogy" portion. "You don't want your airbag to deploy after the accident when it's safe, you want it to fire when it can help you during a crash."
Toyota files a protest.
CloudTrail, GuardDuty, Flow Logs, Security Hub. Which does which?
I point out that @StephenSchmidt used the phrase "deploy with a single click" a few minutes ago.
Telling the story about someone who needed access so they were deployed with admin perms so things wouldn't get in the way, as if this were a bizarre thing that no one sensible would ever do.
Buddy, I've got Lambda functions, EC2 instances, and a CodeBuild role like that.
Talks about the insights this thing has, like open S3 buckets. Yes, because screaming that a static webpage is world readable is how you Earn Trust as a service.
A bunch of vendors are eagerly awaiting ransomware that targets S3 buckets.
"If you pay us, you get access to your data again. If you don't, you can't."
@StephenSchmidt describing the ransomware / cloud billing model.
Good practices here. I'll add one more: a legitimate multi-cloud use case is "rehydrate the business" backup with segregated access.
"I also want to mention CloudEndure, because we didn't spend $200m to acquire it for me to *NOT* talk about it, y'know?"
Ooh, new service. Backups are great, but can you demonstrate that they're backing things up?
I like this very much, because nobody cares about backups. They care about restores.
More info on this is available at aws.amazon.com
"We expect cyber insurers to require this level of rigor." Ah, there's the stick!
"Now let's talk about IAM."
Oh god no
"What if your commonly used password gets leaked?"
We've tried for decades to get people to use different passwords and it hasn't worked. I wonder if "passwords must include one slur" would make people treat them more seriously, because nobody wants THAT to leak!
Holy hell @StephenSchmidt just pointed out that IAM is free. I'm trying to imagine a billing model for it and just blacked out for a second.
Hell yes he just referenced "Des Moines, Iowa" as an example of a faraway place. I did a project there once. He is correct.
Talks about "wondering if someone who's left the company holds a grudge."
An @awscloud database service team salivates about how much money they'd make keeping a list of various parties who hold grudges. TO THE PR FAQ GENERATOR!
(If you want a serious, less shitposty version of this, @marknca is absolutely worth following.)
Now @StephenSchmidt talks about a new vertical. Meanwhile it's so early that many of us are still horizontal. Read the room!
Talks about auditing access. "Jenny has access to WHAT?! And she left WHEN?!"
Get it together, Jenny! Don't go to prison for this; it's not worth it!
And almost without realizing it, @ajassy has stepped from the stages of re:Invent into the pages of history. He's now a mythic figure that gets quoted instead of invited.
"We should be making security easy for you." YES YES YES.
Now talking about the software supply chain. Oops. There has been damned close to malware in the AWS Marketplace previously.
Not kidding. There's a non-zero chance that my shitpost actually inspired it.
Fascinating observation: AWS used to talk about "the cloud." Now @StephenSchmidt is talking about "our cloud."
Now the HBO Max CISO is here to talk about what they're doing. The HBO Max Apple TV app team was very much not invited.
Fascinating; he talks only about "HBO Max" as if it were the company. It's like he wants to be very clear that he doesn't speak for HBO.
How they do detection:
And remediation. There's Cloud Custodian!
Sidebar: This is why I do "Cost Optimization," not "Cost Reduction." You'd save money by turning all of this stuff off but you absolutely shouldn't do it.
"Everyone here is an automation away from updating their résumé." Now that's a bold thing for a tech leader to say. I approve!
"Click, innovate, change." HBO Max has a bright future in cloud marketing.
"Anything worth doing is on the other side of hard." My god, this guy's a walking quotation source. I just want to make him wear a wire for an afternoon and come up with my next sixty blog posts.
And he ends with a video. It's a bunch of clips from HBO movies. Good use of back catalog assets there.
And back to @StephenSchmidt who awkwardly segues with a reference to some HBO Max show I've never heard of.
...and now @StephenSchmidt wanders into the fantasy land of "Confidential Computing." Ugh.
Look, either you trust your provider or you don't and shouldn't use them.
And he pivots to "not trusting your own staff," which is a super key differentiator. I may not want my admins to have access to my app data / secrets. That wasn't really possible back in my admin days; we solved for it by heavy auditing and "you're fired if you read that data."
Ooh, an update: a service you don't use now integrates with a service you don't understand.
Highlights a feature that went GA a decade ago.
Now talks about the Well Architected Tool. It's not really any of those three things.
Not even slightly kidding.
Apparently the @awscloud internal culture is shifting to Hunger Games inspired approaches.
Now @StephenSchmidt demonstrates how cutting edge the team is. It used to be you weren't allowed to sponsor @RSAConference without the word "Firewall" in your product. These days it's "Zero Trust" and he's talking about it now.
Hahahah now he references that 'Zero Trust' is a marketing term that means nothing. Okay, I admit it. I like @StephenSchmidt.
AWS has increased its data privacy commitments. Ooh. They weren't weaksauce before. I'll have to dig into this.
Whoa whoa whoa. @StephenSchmidt just said "that's a mouthful, thanks lawyers."
YOU WORK AT AWS! You get to cast exactly ZERO shade about crappy terms of art / names!
Right?! There's a *reason* I know basically "what's your email address" and nothing else about @LastWeekinAWS subscribers.
(I'm told that the HBO Max CISO is @BrianL1775 and oh no he follows me)
I see @werner's t-shirt has been turned into an Enterprise Slide.
"We acquired Wickr earlier this year. Please do not call me 'The Wickr Man.'" --@StephenSchmidt, if I wrote his slides for him
"No one accidentally starts learning about compliance." Oh you absolutely do if you screw it up. See: every Bitcoin exchange ever.
I adore @AnnaKendrick47 as much as anyone, but this metaphor was tortured so much that Amnesty International is getting involved.
Now launching some new re:inCompetency partners. All of them are "bring money" tier.
Now it's "words from our sponsors." They're not *my* sponsors (and my twitter feed is never sponsored), so I won't be repeating their messages here. They (and you!) can contact sponsorships at lastweekinaws.com if they want to talk about fun messaging options!
Or, y'know. Just ask @CarolineVCarter because she's awesome at this.
Brand awareness is very much a marketing thing, but who the hell is going to say "I saw your logo on this slide and it resonated with me?"
Internal program at @awscloud. People who sit outside of the security org, but enforce security practices in their own org.
Interesting. More details to come at re:Invent.
They also have a Cloud Audit Academy. I legitimately want to go through this someday.
Ooh, it counts as continuing education credits. If you need those, you know.
What the hell, @StephenSchmidt forgot to include my Twitter account on the slide!
And that ends the (surprisingly fun!) keynote. Thanks for following along with my Twitter nonsense. As always, lastweekinaws.com is where my newsletter signup lives if you'd like to get this kind of nonsense in your inbox weekly.