Meetup Recap: AWS Cloud Security — Machine Learning & the Path to the Cloud

Victoria Guido
5 min read · Nov 10, 2019

[Image: bits and code making up a human face]

The AWS Cloud Security meetup is an interest group on building secure applications in AWS. Maybe you really wanted to go to July’s event, all about Machine Learning & the Path to the Cloud, but you got rained out. I’m here for you with the recap.

First of all, I was super excited to see *5* other women at the meetup!! Familiar faces from Women Who Code DC and DevOps DC.

The organizers want you to know that if you’re ever waitlisted on Meetup, come anyway, because there is usually space. It might be tight or there might not be enough snacks, but you can take a chance.

The first talk, on Machine Learning in Cloud Security, was from Banjo Obayomi. Banjo is a great speaker; here’s a gif of him engaging with the audience.

Here’s a summary of his talk:

Let’s quickly review the AWS shared security model:

  • what is the customer’s responsibility?
  • what is AWS security’s responsibility?

What does cloud security really mean? At a high level it is protection of data, infrastructure, and so on. There is a lot to secure. Take network security: you can lock some of it down, but things can slip through, and then your entire system is compromised. Inventory and configuration produce a high volume of data and information that would require manual review. Add data security, whether it’s S3 buckets, secrets, or access control, and at scale it becomes difficult to manage and secure all of these systems at once.

What is machine learning? It’s a type of data analysis that produces a model which learns how to make its own decisions.

Quick overview of the machine learning pipeline: get data, clean it, prepare it, train a model, evaluate the model, deploy it to production, then monitor it, collect new data and evaluate again.

What kind of decisions can machine learning help us make regarding security in the cloud?

Machine learning is supposed to automate, make things easier, and result in less manual processing.

Introducing Amazon Macie, the machine learning powered security service to discover, classify, and protect sensitive data. The idea is to use ML to understand the access patterns of historical data: if data is being accessed in an irregular pattern, we can set up an alert. Or if you upload an RSA token, it could catch it and give you an alert. If you have to be HIPAA compliant, you could automatically detect violations.

Going into the Macie demo, Banjo showed the classification of data by content type. It shows a score based on risk level, derived from examples of what has happened in the past. It works on binary files, .exe files, all types of files. You set up the tool to point at your account, and it gives you an estimate of how much it will cost; you can also link it to multiple accounts in a parent-child relationship.

He showed a bucket that had global read rights. Sometimes people set that up by accident and organizations don’t notice for days; with Macie you could find it in a couple of hours. It also makes it easier for a non-technical person to see what’s happening and help resolve it.
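The accidental global-read bucket from the demo is also something you can check for directly. Below is an added example (my own code, not Macie’s and not from the talk) that flags world-readable S3 buckets from their ACL grants and bucket policy; the grant and policy inputs are constructed samples in the shape boto3’s get_bucket_acl() and get_bucket_policy() return, and the check does not look at Public Access Block settings, which can override both.

```python
import json

# Predefined-group URIs that make an ACL grant public to everyone / any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_acl_grants(grants):
    """ACL grants (shape of get_bucket_acl()['Grants']) that give read to a global group."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in READ_PERMISSIONS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def public_policy_statements(policy):
    """Allow statements (parsed bucket policy) with an anonymous principal and a read action."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") == "Allow" and anyone and actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def is_world_readable(grants, policy):
    return bool(public_acl_grants(grants) or public_policy_statements(policy))


# Constructed sample inputs: an ACL that grants READ to AllUsers, and a policy
# allowing anonymous GetObject on every object in the bucket.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
SAMPLE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", '
                          '"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", '
                          '"Resource": "arn:aws:s3:::example-bucket/*"}]}')
```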

Questions from the audience:

  • The cost model: is it on a per-execution basis? Answer: it’s a one-time fee to classify the data, and from there it’s on a rolling average of how much data gets uploaded. The API monitoring is free: as long as you turn on Macie, you get that analysis.
  • Is it limited to S3 and standard data fields? Yes, it’s limited to S3, CloudTrail, and CloudWatch.
  • Does it run on a schedule? As soon as you upload data it begins to classify it, but it takes time. Uploading an RSA token, it took 2 hours to classify it.
  • For the compliance people out there: is this a substitute for a pen test? The tool can help check the boxes that you have controls, but it is not pen testing.

End of talk 1

---

Carl Belso from Sony

First, the history of computing, starting with the Harvard Mark computer in the 1940s, all switches and gears. Shoutout to Lovelace, then ENIAC, the transistor, the integrated circuit, and the first CPU. CPUs got faster and faster.

Moore’s Law: the number of transistors in a dense integrated circuit doubles approximately every two years. They are now extremely dense.

Clock speeds have peaked because of electrical limits, but we’ve increased the number of logical cores per chip, so processing is still getting faster.

Then virtualization: now the OS is abstracted from the underlying hardware. Then serverless, and on to the cloud and AWS!

Security in AWS is like love — it’s complicated.

There are no firewalls; there are security groups. Auditors want an inventory of EC2 groups, so my question is, as of what time? There’s no firmware patching, no centralized firewall, no computer room door or racks; security monitoring changes.

Here’s a mapping of traditional data centers vs the cloud:

One key tool for security in AWS is PrivateLink, which allows you to establish a front end, a VPC, and endpoints to direct services. We run all our services through two regions and it cut our project’s cost in half. You always have to route traffic around between regions. Our original stance was that we were going to do everything independent of region, but when you start building the old transit VPC and Cisco VPC, it was a bear to maintain. PrivateLink made it a lot easier.

On getting AWS certified:

Working in AWS for a living, it seems all I do now is learn about new AWS services.

Recommended: A Cloud Guru, reading white papers, and following the recommended paths. The exam is 170 minutes, so you don’t have a lot of time; don’t drink too much water beforehand. And the exams are hard. Whizlabs and Cloud Academy have good practice tests. Also Linux Academy.

The exam questions are in paragraph form, with paragraph answers. And there are multiple right answers, but you need to pick the one with the lowest cost or some other trick in the question.

I used to be anti-cert, but these certs actually make you study pretty deeply, and you realize that maybe you weren’t doing it the right way or the best way.

---

That’s all folks! Hopefully next time I can get a meetup recap out in less than 3 months of attending 😆
