Highlights from AWS re:Inforce 2019

This week I had the pleasure of attending the first ever edition of AWS re:Inforce. In this post I'll try to summarize my impressions of the event, plus include comments and references to the main points of attention and associated documentation and related session videos.

The Big News

VPC Traffic Mirroring, was, in my opinion, the most market-relevant announcement at the conference.

This holds the promise of allowing several security product categories to be first-class citizens in AWS for the first time. After all, AWS has full control into what integration points they allow for traditional security vendors. They are slowly adding integration points, from early days as firewalls using Marketplace AMIs to act as NAT instances to something more explicit like WAF Managed Rules. Though not explicitly associated with partners, this is still a big deal for many of them.

Impacted product categories include Network Detection and Response, Network IDS, Network DLP and Network Forensics players. There have been a few announcements of support from vendors already, and be sure to expect more.

As far as the customer base goes, this will mostly benefit mixed environment companies. Imagine you are a large, mature organization that has a large Bro / Zeek deployment, trained personnel and lots of bespoke analytics content built on top of it. Being able to extend it to your AWS environment and leverage your existing investments is a no-brainer. I fully expect that the main driver behind AWS developing this functionality was from large representative customers in this situation.

As usual this is a first release and will be surely improved upon by AWS. Major caveats I noticed so far:

  • Despite the name, collection must be set up one ENI at a time. No way to set this up across the entire VPC as you would with Flow Logs.

  • The replicated traffic generated by each instance will count against the overall bandwidth available to the instance, so do your capacity planning before deploying this in production.

Other Noteworthy Announcements

Out of the other many new features and announcements, these were the ones that caught my attention:

  • Security Hub is now GA. Security Hub's main advantage is providing a single dashboard, event format and 3rd party integration point for your AWS security, including native services like Macie and Guard Duty. The main limitation at this point is that even though it has cross-account support, it is a per-region service. So large organizations will still have multiple "panes of glass". Hope to see AWS work on that in the future.
  • Control Tower is now GA. Essentially AWS is taking the lessons learned from Landing Zone, which is a professional-services-only offer, and working towards allowing self-service automation of multi-account management as a native service. At this point it still is very much an MVP with several limitations, but should soon evolve into something invaluable so pay attention to future announcements from this team. The most relevant current limitations are:

    • Will only work on new environments and has no way to incorporate an existing Organizations hierarchy;

    • Does not allow you to create your own service control policies or "guard rails" as they call them in Control Tower lingo;

    • Does not allow you to customize provided guard rails except for per-account On/Off status;

    • Does not have its own API, seems at this point to be basically a UI layer on top of existing services.

  • Opt-in to Default Encryption for EBS Volumes which should make meeting compliance requirements by default a lot easier on larger organizations. Does not handle existing unencrypted EBS volumes, but then again it's simple enough to find those with Config. This is a per-region setting, but can be automated through API calls. Most importantly, it only seems to work with Nitro instances:

Keynote Highlights

During the keynote, Stephen E. Schmidt (AWS VP and CISO) was the ranking executive and led the announcements. By the way don't miss out on the hilarious Corey Quinn's live-tweet thread, and you can also take a look at non-threaded posts from Fernando Montenegro and I.

During the keynote two moments caught my attention. The first was when Schmidt jabbed Azure and other competitors for the comparatively bad track record on availability and regional redundancy:

The other one was having a representative from Capital One go on stage to claim they will be entirely cloud-based by 2020. This is a major indication (if you still needed any) of the penetration that cloud adoption is having even on compliance-heavy industries.

Venue and Overall Impressions

The event was held at the Boston Convention and Exhibition Center on June 25th and 26th. This was my first contact with this venue, but I found it perfectly accommodated an event of this size. I did, however, find a telling lack of available lodging with some astronomical hotel rates and a severe shortage of close-by AirBnb offers even registering about one month in advance.

Overall, I fully support AWS' wonderful idea to start separate focused conferences. I attended re:Invent last year in Las Vegas and it was quite simply too big to be enjoyable. I had a much better time at re:Inforce and was pleasantly surprised to actually make it to a few sessions as a walk-in without needing to queue a full hour in advance.

The show floor had a decent size, but a portion of the size of a single of the original rooms of the RSA Conference Expo in Moscone West or East. Still, it was a single large room containing both the sponsor booths, the AWS Developer Lounge, CTF, Breakout Session spaces and tables used for lunch, a break from it all or impromptu meetings. Again a very pleasant, spacious experience.

There were areas with supported charities, plus a couple of really nice touches I wish more conference organizers learn from. First, swag donation collectors:

Additionally, this is a good way to make the conference more inclusive:

In summary, my overall impression is that this was absolutely worth the time and money and I fully intend to attend re:Inforce again next year.


Here are a few other resources if you want to learn more about what went on at re:Inforce:

Thank you to David Severski for helping review an early draft of this document and providing valuable feedback.

Go Top