🏇 Starting in a few minutes: "Building for the future with @AWSIdentity Services" with Karen Haberkorn, Director of Product Management for AWS Identity 💫 I'll be tweeting the highlights. @AWSIdentity @AWSSecurityInfo #reInforce 
1/ Building for the future with @AWSIdentity Services: Karen notes our exceptional year - not just for humans, but also for companies, who have shifted to accommodate remote work; a shift to remote identities and their access controls. @AWSIdentity @AWSSecurityInfo #reInforce
3/ "ZT is a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets that do not solely or fundamentally depend on traditional network controls or network perimeters." @AWSIdentity @AWSSecurityInfo #reInforce
5/ Karen: We know we have to securely manage identities, resources, and permissions to move towards ZT.
6/ AWS provides the foundation for this through scale (400M requests per second for #AWSIAM!) and with a breadth of functionality - attribute-based access control, access analysis, integration with AWS services & partners. @AWSIdentity @AWSSecurityInfo #reInforce
7/ Now Karen is moving on to how we can use AWS to help create this identity & access management foundation.
8/ Organizing your AWS environment: use your AWS account as a security boundary for your apps. Structure your accounts with AWS Organizations. Check out AWS Control Tower. All this to help you govern centrally! @AWSIdentity @AWSSecurityInfo #reInforce
9/ There's a white paper on organizing your AWS environment: docs.aws.amazon.com/whitepapers/la… @AWSIdentity @AWSSecurityInfo #reInforce
10/ Centralizing identity management: "Come as you are" - not just a Nirvana song, it's also AWS's identity philosophy. @AWSIdentity @AWSSecurityInfo #reInforce
11/ AWS will let you use the identities you already have whether they're on-prem, in AWS, or with an AWS partner. That's what #AWSSSO is about. @AWSIdentity @AWSSecurityInfo #reInforce
12/ 📝Reminder from Karen: You can use #AWSSSO along with what you use already. Integrate it with your existing IdP. Or use it with the your existing way you're accessing AWS. Many options to get started - your choice! @AWSIdentity @AWSSecurityInfo #reInforce
13/ Establishing a data perimeter: What's this? It's a "set of preventative guardrails that ensures that access to trusted resources is restricted to trusted identities from expected network locations". @AWSIdentity @AWSSecurityInfo #reInforce
14/ How do you put one together? With these components: service control policies, VPC endpoint policies, and resource-based policies. And more to come! [I'm guessing that this means more goodies in the future for us!] @AWSIdentity @AWSSecurityInfo #reInforce
15/ The last foundational component - the Journey to Least Privilege. @AWSIdentity @AWSSecurityInfo #reInforce
16/ SET permissions by using Access Analyzer to generate policies from your access activity. And you can do this through your org's CloudTrail logs! And validate your policies with the new policy validation feature.
https://twitter.com/bjohnso5y/status/1428788874478690304@AWSIdentity #reInforce
17/ VERIFY your proposed permissions with AA's policy preview. And this integrates with Security Hub. aws.amazon.com/about-aws/what… @AWSIdentity @AWSSecurityInfo #reInforce
18/ Finally, REFINE your permissions with the action last accessed feature, which tells you what AWS services were last used so that you can pare down your policies. And we'll more investment & automation to come in this area. @AWSIdentity @AWSSecurityInfo #reInforce
19/ Now @bjohnso5y, Sr. SDM @AWSIdentity and Jesse Fuchs, Sr. Security Solutions Architect join the convo with Karen about identity and access!
20/ Many companies had to change due to the past year. AWS has seen this reflected in customers' AWS Cognito usage. Another customer pivoted to implementing a new mobile drink dispenser solution.
21/ Data perimeters: Jesse sees customers implementing more ZT-relevant services & protocols - higher usage of OAuth, API Gateway. Brigid: we're seeing a blend of identity centric, network centric controls as holistic data perimeters. @AWSIdentity @AWSSecurityInfo #reInforce
22/ The least-privilege journey - Brigid's been in the permissions space for years! It was common for central security teams to create IAM policies. Then they needed to delegate policy creation to developers for more agility. Customers realize this is a process.
23/ AWS is moving towards having policy creation and validation earlier in the development cycle to help the dev process. IAM's policy validation feature now has 100's of checks, and customers are putting this in their dev pipelines! @AWSIdentity @AWSSecurityInfo #reInforce
24/ @bjohnso5y welcomes your suggestions for new additional policy validation checks! (this is your opportunity to ping her, go for it!). @AWSIdentity @AWSSecurityInfo #reInforce
25/ AWS will keep on iterating for all these validation and last access checks. Example, last week IAM Access Analyzer now can point to your Organization's trail - a central log aggregated from all your org's accounts. @AWSIdentity @AWSSecurityInfo #reInforce
26/ #AWSSSO allows you to update your permission sets centrally, propagating policies to all targeted accounts. #AWSIAM has role last used info to help you know if you need those extra roles in your accounts. All this helps you organize your perms in AWS. @AWSIdentity #reInforce
27/ Tips for our customers? Continually get educated on the different policy types! docs.aws.amazon.com/IAM/latest/Use… @AWSIdentity @AWSSecurityInfo #reInforce
28/ Tip #2: Make trimming down permissions part of your culture, and do this with automation! @AWSIdentity @AWSSecurityInfo #reInforce
29/ That's a wrap for the Building for the future with @AWSIdentity Services! Thanks for checking in to this tweet thread.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
