AWS re:Inforce is the security-focused offshoot of AWS re:Invent. AWS shows its dominance of the cloud provider market with its ability to draw substantial crowds for both in-person events.

Amazon uses the event to announce new security services and to provide training through its many workshops. This year, the focus was on the future, with many references to how AWS is preparing for a world of AI/ML and post-quantum computing. I felt safer hearing the measures they are taking to secure things at a fundamental hardware layer, even if we cannot be sure of coming threats.

Keynote

The keynote highlighted the importance of cloud security in AWS’s shared responsibility model, which covers both the security of the infrastructure AWS operates and the organizational practices customers apply on top of it. AWS is leveraging new hardware and software, such as the Nitro System and Firecracker, to increase infrastructure security. AWS is also addressing future threats with post-quantum cryptography.

AWS encourages organizations to prioritize security in the cloud, emphasizing that anything you can configure is your responsibility. AWS announced new solutions and initiatives to support this goal, such as SBOM tracking, code scanning for AWS Lambda functions, and finding clustering in Amazon Detective. They are exploring how generative AI can prevent security issues in code and detect malicious intent. Amazon uses ML to surface anomalous security events; clustering related events together makes finding and addressing potential threats easier.

Delta shared its approach to building security into the DevOps process from the start, using a Cloud Center of Excellence and company awareness programs. The company has a “Safety First, Always” motto for its aircraft, which it adopted for its cloud security approach as well.

Overall, the keynote offered valuable insights into AWS’s approach to cloud security and the company’s commitment to providing cutting-edge solutions that help keep customers safe. They want to ensure customers can trust their cloud infrastructure, so they focused on showing their innovations to stay ahead of emerging threats.

AWS re:Inforce 2023 – Keynote with CJ Moses


Standout Session

Exposure Management: Comprehensive visibility into your attack surface

This talk on Exposure Management by Sambit Misra of IBM Security was one of my favorites but, sadly, was not recorded. It covered building a cloud operations framework to better understand your organizational attack surface. It highlighted how businesses can use centralized observability for faster resolution, consistent security policy enforcement, and anomaly detection. By automating data collection, analysis, detection, and remediation tasks across environments, Exposure Management helps organizations identify and reduce risk through exposure assessment.

Many organizations have significant blind spots in their attack surface. The talk cited figures to make the point: a lot of effort goes into fixing vulnerabilities, yet they accounted for only about 3% of breaches last year, while 7 in 10 organizations were compromised through an unknown or unmanaged asset in the past year. On average, 30% of an organization’s assets are unknown or unmanaged, largely because of rapid transformation. These gaps leave organizations exposed to risks they cannot see.

Shifting left brings a lot of value as developers adopt secure practices earlier in the pipeline, but it is equally important to “verify right”: confirm that the controls you think you have actually work in production. While organizations continue to adopt a bevy of tools, breach simulations show that organizations have up to a 50% gap in their security controls. If controls are not verified in production, the organization is carrying risk it believes it has already covered.

Organizations should identify and reduce risk through exposure assessment. To do so, start with a cyber asset inventory. That inventory can then drive your attack surface management (ASM), vulnerability management, cloud security posture management (CSPM), and breach and attack simulations (BAS). Next, bring in threat intelligence and automate validation to drive your remediation workflows and the defensive techniques protecting your crown jewel targets.
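To make the first step of that sequence concrete, here is an added example (not code from the talk or from Paladin Cloud) that reconciles a managed asset inventory against what discovery actually finds, flags the unmanaged assets, and ranks every asset by an illustrative exposure score built from ASM, vulnerability and CSPM findings plus a crown jewel flag. The asset records and field names (asset_id, internet_facing, critical_cves, misconfigs, crown_jewel) are constructed for this example, and the score weights are arbitrary stand-ins for whatever risk model your organization uses.

```python
"""Exposure assessment starting point: reconcile the managed asset inventory
against discovered assets, then rank exposures for remediation.

Added illustration, not code from the talk or from Paladin Cloud. The asset
records are constructed sample data and the field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredAsset:
    asset_id: str               # e.g. an instance, database or bucket identifier
    internet_facing: bool       # reachable from the public internet (ASM finding)
    critical_cves: int          # open critical findings (vulnerability management)
    misconfigs: tuple = ()      # CSPM findings, e.g. ("public-read",)
    crown_jewel: bool = False   # holds data the business cannot afford to lose


# Constructed sample data: what the CMDB says is managed, and by whom ...
MANAGED_INVENTORY = {
    "i-web-01": "team-web",
    "i-api-01": "team-api",
    "db-customers": "team-data",
}

# ... and what discovery across the accounts actually found.
DISCOVERED = [
    DiscoveredAsset("i-web-01", True, 1, (), False),
    DiscoveredAsset("i-api-01", True, 0, ("imdsv1-enabled",), False),
    DiscoveredAsset("db-customers", False, 0, (), True),
    DiscoveredAsset("s3-exports-tmp", True, 0, ("public-read",), True),        # absent from CMDB
    DiscoveredAsset("i-jenkins-old", True, 3, ("ssh-open-to-world",), False),  # absent from CMDB
]


def find_unmanaged(discovered, inventory):
    """Assets present in the environment but missing from the inventory."""
    return [a for a in discovered if a.asset_id not in inventory]


def unmanaged_ratio(discovered, inventory):
    """Share of discovered assets that nobody owns (the '30% unknown' figure)."""
    if not discovered:
        return 0.0
    return len(find_unmanaged(discovered, inventory)) / len(discovered)


def exposure_score(asset, inventory):
    """Additive illustrative score; the weights are assumptions, not from the talk."""
    score = 0
    if asset.asset_id not in inventory:
        score += 5                     # no owner means nobody will remediate it
    if asset.internet_facing:
        score += 3
    score += 2 * asset.critical_cves
    score += 2 * len(asset.misconfigs)
    if asset.crown_jewel:
        score *= 2                     # crown jewels go to the top of the queue
    return score


def prioritize(discovered, inventory):
    """Return (asset_id, score) pairs, highest exposure first, ties by name."""
    ranked = [(a.asset_id, exposure_score(a, inventory)) for a in discovered]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    unmanaged = [a.asset_id for a in find_unmanaged(DISCOVERED, MANAGED_INVENTORY)]
    print(f"unmanaged assets: {unmanaged}")
    print(f"unmanaged ratio: {unmanaged_ratio(DISCOVERED, MANAGED_INVENTORY):.0%}")
    for asset_id, score in prioritize(DISCOVERED, MANAGED_INVENTORY):
        print(f"{score:3d}  {asset_id}")
```

The two assets the CMDB does not know about land at the top of the queue, which is the point of starting from inventory: an internet-facing bucket with a public-read misconfiguration and no owner is exactly the kind of exposure that never reaches a vulnerability scanner’s ticket queue.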

A slide showing how to identify and reduce risk through exposure management.


Overall, Exposure Management is a cloud operations framework that provides comprehensive visibility into an organization’s attack surface, enabling it to take a risk-based approach to improve its security posture. By identifying and reducing risk through exposure assessment, integrating threat intelligence, and verifying security controls, Exposure Management helps organizations prioritize and take action while managing complex distributed environments that are continuously changing.

Exposure Management with Paladin Cloud

If you want to implement Exposure Management, our holistic approach to security can cover much of the process. Paladin Cloud identifies and visualizes your cyber assets and security controls. Our CSPM module monitors your multi and hybrid cloud environments for vulnerabilities, misconfigurations, and security risks. Combining these findings with threat intelligence can rapidly scale up an exposure management practice.

Key Takeaways

Organizations and industries are still at very different security maturity levels.

In one session where attendees shared their SLAs for remediating the most critical security issues, answers ranged from 30 days to 30 minutes. The same variance showed up in enforcing mandatory tags, adopting the AWS Well-Architected Framework, and much more.

Machine learning (ML) feels like magic

In the session Developing new findings using machine learning in Amazon GuardDuty, the team shared how ML reduced benign (false-positive) findings by 88% and increased highly suspicious findings by 1200%. It did so by encoding network activity as a feature vector and checking whether that vector fell inside the learned region of normal behavior; activity that lands outside the region becomes a finding. This session was recorded, so I recommend checking it out if this interests you.
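The “vector, then is it inside the normal region?” idea is easy to see on a toy scale. The following is an added example, not GuardDuty’s model or code and not a reproduction of the 88% / 1200% figures: it summarizes per-host network activity into a four-feature vector (distinct destination ports, kilobytes out, unique external IPs, failed connections), fits a per-feature mean and standard deviation on a constructed baseline, and treats the Euclidean distance in z-score space as the “how far from normal” measure. It also includes a hand-written threshold rule of the kind such models replace, so you can see where the benign findings come from. The flow summaries, feature names and the distance threshold are all assumptions for this example; standard library only.

```python
"""Toy 'is this vector inside the region of normal?' anomaly check.

Added illustration of the idea described in the GuardDuty ML session; this is
not GuardDuty's model. All flow summaries are constructed sample data and the
feature choice, z-score region and threshold are assumptions for the example.
"""
import math

# Constructed baseline of per-host, per-window summaries:
# (distinct destination ports, KB out, unique external IPs, failed connections)
BASELINE = [
    (3, 120.0, 4, 0),
    (4, 150.0, 5, 1),
    (2, 90.0, 3, 0),
    (3, 110.0, 4, 0),
    (5, 160.0, 6, 1),
    (3, 130.0, 4, 0),
    (4, 140.0, 5, 1),
    (2, 100.0, 3, 0),
]

# Constructed new observations to score against that baseline.
OBSERVATIONS = {
    "quiet-host": (3, 125.0, 4, 0),
    "busy-but-normal": (4, 145.0, 5, 1),
    "port-scan": (800, 130.0, 4, 600),   # many ports, many refused connections
    "exfil": (3, 9000.0, 1, 0),          # huge outbound volume to one destination
}


def fit_region(vectors):
    """Per-feature mean and (population) standard deviation describing 'normal'."""
    n = len(vectors)
    dims = len(vectors[0])
    means = [sum(v[i] for v in vectors) / n for i in range(dims)]
    stds = []
    for i in range(dims):
        var = sum((v[i] - means[i]) ** 2 for v in vectors) / n
        stds.append(math.sqrt(var) or 1.0)   # constant feature: avoid divide-by-zero
    return means, stds


def distance(vector, means, stds):
    """Euclidean distance in z-score space: how many 'normal' steps away we are."""
    return math.sqrt(sum(((x - m) / s) ** 2 for x, m, s in zip(vector, means, stds)))


def is_anomalous(vector, means, stds, threshold=4.0):
    """Outside the region of normal when the distance exceeds the threshold."""
    return distance(vector, means, stds) > threshold


def naive_rule(vector):
    """Hand-written rule of the kind ML is meant to replace:
    any failed connection, or more than 140 KB out, is a finding."""
    _ports, kb_out, _ext_ips, failed = vector
    return failed > 0 or kb_out > 140


def score_all(observations, baseline, threshold=4.0):
    """Map each observation name to (region_flag, naive_flag)."""
    means, stds = fit_region(baseline)
    return {
        name: (is_anomalous(v, means, stds, threshold), naive_rule(v))
        for name, v in observations.items()
    }


def benign_findings(baseline, threshold=4.0):
    """How many baseline (known-benign) windows each approach would flag."""
    means, stds = fit_region(baseline)
    naive_count = sum(naive_rule(v) for v in baseline)
    region_count = sum(is_anomalous(v, means, stds, threshold) for v in baseline)
    return naive_count, region_count


if __name__ == "__main__":
    means, stds = fit_region(BASELINE)
    for name, vector in OBSERVATIONS.items():
        print(f"{name:16s} distance={distance(vector, means, stds):9.2f} "
              f"region={is_anomalous(vector, means, stds)!s:5s} naive={naive_rule(vector)}")
    print("benign findings (naive, region):", benign_findings(BASELINE))
```

The busy-but-normal host is the instructive case: the threshold rule fires on it because it had one failed connection and slightly above-average volume, while the region check sees it as an ordinary point among its peers. Real detectors use far richer features and models, but the mechanism for cutting benign findings is the same: judge activity against what normal looks like for that environment, not against a fixed line.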

AWS re:Inforce 2023 – Developing new findings using machine learning in Amazon GuardDuty (TDR310)


Open source is important to the world

This line from Security in the Open was followed by “It’s the underpinning of everything we do on the web.” Since open source is so important to the web, it’s no surprise that open source security is also essential to the web. Here AWS shared its three pillars for increasing open source security:

1. Work upstream
2. Release security libraries & tools as open source
3. Provide financial support

The session shared specifics on how AWS works toward each of these, for example, donating to fund developers to work full-time on projects under the OpenSSF. They challenged the audience to consider how to work upstream, share our code, and support the OSS projects we care about.

AWS re:Inforce 2023 – Security in the Open: OSS and AWS (SEC201-L)

Here at Paladin Cloud, open source is at the center of everything we do. Our core product is always free and open source to use. It also gives visibility into our security practices so organizations know how we handle their data.

Threats evolve but don’t go away

Misconfigurations, vulnerabilities, malware, and identity management remain top organizational concerns, with ransomware one of the most feared outcomes. Every year, thousands of organizations learn from the FBI, for the first time, that they were breached and their data was found exposed. The reason security conferences and tooling continue to grow despite challenging economic conditions is that breaches prove far more costly.

Conclusion

Some of the best learnings I had at re:Inforce weren’t from a session but over lunch or breakfast with fellow practitioners. The session speakers were knowledgeable, but AWS had tight control over who spoke, and there was a prevailing sentiment of wishing for more speaking slots for customers.

The AWS keynote made me feel they had things under control as they talked about tackling challenges at a scale I couldn’t even grasp, like the 350 billion WAF rules they process daily. I was impressed as they shared the new cryptographic algorithms built to thwart large-scale quantum computers that don’t even exist yet but, hypothetically, may exist in the future. And then, a few sessions later, the AWS us-east-1 Lambda outage hit, causing my, and everyone else’s, workshops to fail. It was a vivid reminder that nothing is 100% reliable and why redundancy and defense in depth are our profession’s watchwords.

Still, I would put this event in the success column as I learned a ton and met some fantastic people. I’d encourage you to check out the sessions on demand.
