AWS re:Inforce 2019 re:Cap


The inaugural AWS Cloud security conference—AWS re:Inforce—was held in Boston this week. Well over 8,000 attendees descended on the Boston Convention and Exhibition Center for two days jam-packed with security education and cloud content.

This was a very interesting conference because the dynamics of the attendees felt very different from typical AWS events. Usually at an AWS event, security teams are the odd people out, making up a small portion of the attendees. At re:Inforce, the script flipped and it seemed that the majority of attendees were primarily in security roles.

That’s great news for the show and for the community in general. Everyone in attendance and online was eager to learn about AWS Security Services, offers from AWS APN Partners, and what works—and what doesn’t—when it comes to securing cloud deployments.


As with any AWS event, there were a number of announcements that covered new features and functionality. We didn’t get any new services but the size of these features makes up for that. Here’s my quick take on each of the major announcements and how it might be useful for you.

AWS Security Hub Goes GA

AWS Security Hub was first announced as a preview at AWS re:Invent 2018. This tool helps consolidate security information into one place. Data from various AWS Security Services (like Amazon GuardDuty, Amazon Macie, and Amazon Inspector) and from various AWS APN Partners feeds into Security Hub in order to highlight compliance issues and various security findings.

That term is key. A finding isn’t a log entry or an event or even an incident (as defined in infosec). A finding is generated by one of the security tools and is likely to start a security or compliance incident.

The goal of Security Hub is to make security data more visible and actionable. It is not a replacement for a SIEM or a team of analysts. It is a fantastic tool to help highlight security issues with other teams.

Read more from Brandon West over on the AWS Blog.

AWS Control Tower Comes Out Of Preview

This service helps you to create strong, well-architected baselines for new AWS accounts within your organization. Control Tower works with landing zones, a concept first brought to the forefront at AWS re:Invent 2018.

Multi-account strategies are common within larger organizations and there are a number of security benefits to the approach if it is well managed. The challenge is standardizing settings, configuration, and policy across accounts.

This is where AWS Control Tower comes into the picture. Working with AWS Organizations, AWS IAM, AWS Config, AWS CloudTrail, and AWS Service Catalog, you can configure what every new account within your organization should look like. This helps ensure that all of your teams are set up for success.

Read more from Jeff Barr.

VPC Traffic Mirroring

Up until now, you’ve only been able to glimpse at what’s going on with the network traffic in your VPC using AWS native features. The VPC Flow Log functionality provides the basics of source, destination, and size of traffic but actual packet analysis requires a better source of flow data.

VPC Traffic Mirroring does exactly as promised, leveraging the AWS network layer to mirror specific targets, sessions, or filters in order to analyze that traffic in another tool.

This can be helpful in network forensic analysis, troubleshooting, or operational analysis.

Jeff Barr has a walk through of the feature on the AWS Blog.
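To make the gap between flow logs and mirrored packets concrete, here is an added example (not from the original post) that parses VPC Flow Log records in the default version 2 format and summarizes them. The sample records, account ID, and interface IDs are constructed; note that every field is metadata, with no payload to inspect.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (made-up account/ENI IDs, documentation IP range).
SAMPLE = """\
2 123456789012 eni-0aaa1111 10.0.1.15 10.0.2.20 49152 443 6 12 5400 1561400000 1561400060 ACCEPT OK
2 123456789012 eni-0aaa1111 10.0.1.15 10.0.2.20 49153 443 6 8 3100 1561400060 1561400120 ACCEPT OK
2 123456789012 eni-0aaa1111 203.0.113.9 10.0.1.15 40022 22 6 3 180 1561400000 1561400060 REJECT OK
2 123456789012 eni-0bbb2222 - - - - - - - 1561400000 1561400060 - NODATA
"""

NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse(line):
    """Return one record as a dict, or None for NODATA/SKIPDATA windows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # no traffic recorded in this capture window
    for key in NUMERIC:
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Total accepted bytes per (src, dst, dstport) and list rejected attempts."""
    accepted_bytes = defaultdict(int)
    rejected = []
    for line in text.splitlines():
        rec = parse(line) if line.strip() else None
        if rec is None:
            continue
        flow = (rec["srcaddr"], rec["dstaddr"], rec["dstport"])
        if rec["action"] == "REJECT":
            rejected.append(flow)
        else:
            accepted_bytes[flow] += rec["bytes"]
    return dict(accepted_bytes), rejected


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

This answers who talked to whom and how much; what was actually sent over port 443 or attempted on port 22 is only visible in the packets themselves, which is what mirroring hands to your analysis tool.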

AWS Incident Response Whitepaper

Though published a few weeks before the event, AWS is highlighting the new AWS Security Incident Response Whitepaper. This paper helps security teams understand how traditional incident response maps to the AWS Cloud.

It’s a well-written, practical paper that can help teams understand how a process they are familiar with changes in a new environment like the AWS Cloud.

Get an overview from Joshua Du Lac over on the AWS Security Blog.

AWS Marketplace Procurement System Integration

During the AWS re:Inforce keynote, Stephen Schmidt announced a new AWS Marketplace integration for existing procurement systems. At first blush, this seems like an odd feature to call out at a security conference.

But security is always a critical question in any enterprise sales engagement and procurement headaches abound. The AWS Marketplace can address some of those headaches.

This new integration (initially with Coupa and others via cXML) will make it easier for some enterprises to test and acquire new technologies, reducing the barrier to acquire new security tools.

Read more in the AWS Marketplace documentation.

What’s Next

At the end of the keynote, Stephen Schmidt announced that AWS re:Inforce will be held again next year, this time in Houston. That’s fantastic news as it shows that AWS acknowledges that security is a critical pillar of well-built cloud deployments and that the community is strong enough to support events of this size dedicated to the topic.

The breakout sessions from the show were recorded and will be posted to the AWS YouTube channel. The day 1 keynote by AWS CISO Stephen Schmidt has already been posted, so you can start catching up now.

I did a takeover on the Trend Micro LinkedIn page and went live twice during the show. Check that out for a bit of an insider’s view and—as always—ping me on Twitter, where I’m @marknca, to talk more about this and cloud security in general.
