Episode 095: AWS Security in Practice

In this episode I chat with Dylan Shields about his new book AWS Security. Dylan is a software engineer working on Quantum Computing at AWS. Previously, Dylan was the first engineer on the AWS Security Hub team. He has also worked at Google Cloud, focusing on the security and reliability of their serverless data warehouse, BigQuery.

In this episode, we talk about…

  • Dylan breaks down his history in IT and the inspiration behind his book
  • Why IAM and AWS can be intimidating to a lot of people
  • Taking people through policies, JSON Syntax, and API operations
  • Examining the AWS pattern of building IAM roles and handling some of the setups
  • Covering AWS Security and best practices in the book
  • Dylan has worked in other parts of the cloud platform
  • Digging into security certifications and security specialties at AWS
  • Diving into the concepts in the book and applying them to different applications
  • Some of the most common attacks that customers are defending against
  • New integrations to manage DDoS protection and VPC
  • Difficulties of keeping up with AWS innovations

Resources from this episode:

Don’t forget to subscribe to our mailing list at cloudskills.io/subscribe for weekly updates, exclusive training, and advice on how to amplify your career.

Full Transcript:

Mike Pfeiffer:
Hey, what’s up everybody, it’s Mike Pfeiffer and you’re listening to the CloudSkills.fm podcast. All right, everybody, welcome back to another episode of CloudSkills.fm. In today’s episode, I’m talking to Dylan Shields. He’s a software engineer working on quantum computing over at AWS, and he’s also writing a book on AWS security. This is a book from Manning Publications, and if you check out the show notes for this episode, you’ll find a link to a contest you can enter to basically join a giveaway and potentially win a free copy of Dylan’s book, AWS Security from Manning Publications.

Mike Pfeiffer:
So the book and the conversation that we had is all about securely granting access to AWS resources. Basically the things you need to think about, locking down the network, audit logs, all kinds of stuff like that. So, awesome conversation. Let’s go ahead and cut it over to the interview. So I got your book pulled up on manning.com. AWS Security. Appreciate you being on the show, man.

Dylan Shields:
Yeah, thanks for having me.

Mike Pfeiffer:
It would be really cool to know your history in IT, how you got into IT, and eventually into cloud and of course getting pulled into writing this book. Where’d you get started?

Dylan Shields:
Yeah, I actually, out of college, was working at a startup building software for ID card printing. And one of the first projects I was working on there was transitioning that to be a cloud based solution, so running that on AWS. And from there, I met a few people at AWS and actually transitioned over there and started working in security. I was working on a couple of projects in the automated reasoning group. They do provable security type stuff. So one of the projects there that was really interesting was Zelkova, and they do some of the Config rules and Access Analyzer for IAM checks. And this is just… It looks at IAM policies and can tell you exactly what permissions it grants and whether one policy is more permissive than another. So that was really interesting to me.

Dylan Shields:
They had these demos that we could see where it would show two policies that to the human eye looked like they were exactly the same, but it can tell you what was different about them. And I just found that really interesting just because I think IAM is such an important piece of security there that you really want to be doing that right, and it was so easy to show these examples where you can’t really see what the difference is. So from there, I really dove into the IAM docs trying to get a good feel of all the different options and configurations there, and that was the impetus for the first two real chapters in the book on logical access protection in the cloud.

Dylan Shields:
So after working on that project for a bit, I moved over to the product that became AWS Security Hub, and that’s centralizing all of the security information into one place for your AWS environment. So that’s where I started to learn about the different pieces of security on AWS. So looking not just at IAM, but also at network access protection and data protection, S3, all of the different audit logs and stuff like that, and collecting it into one place. So that’s where I got the baseline knowledge for the rest of the book and what I thought someone who was just starting out in AWS and looking at security should know before they get started.

Mike Pfeiffer:
Yeah, it’s definitely a foundational thing that you need to be successful. I always tell people, compute, network security, and storage at least. Get your legs under you.

Dylan Shields:
Yeah, absolutely.

Mike Pfeiffer:
Have you found that a lot of people are intimidated by the IAM stuff, because it can be, to your point, policies and stuff, it gets deep pretty fast, right?

Dylan Shields:
Yeah, it does. And I actually think one of the interesting things I’ve found is that people, they know just enough to make things work, which can be a little dangerous sometimes, where you’re adding a policy and you’re trying to get maybe a Lambda function to connect to S3 and it’s not connecting, so you just start adding permissions or you grant admin permission to this function and you can really easily grant way too many permissions, which is just a huge security vulnerability. Just knowing enough to be dangerous, but not really fully understanding IAM.

Mike Pfeiffer:
Right. Yeah, broadly setting things up, not following the principle of least privilege, things like that. It’s easy to hang yourself, right? Excuse me. One of the things that… We’ve got a lot of people that listen to the show that are Azure focused, but there are so many parallels between AWS IAM and Azure. I mean, under the hood, and I’m pretty sure Google is very similar as well, but ultimately what we’re doing is trying to control, really, the API calls that are taking place on the platform, and that’s really the underpinning of IAM in AWS. Do you take people through that a lot in the book, policies and the JSON syntax? I know this is always kind of confusing for folks.

Dylan Shields:
Yeah, that’s the focus of the second chapter is going through those policies and how the syntax works, and then in the third chapter, it goes through best practices. So restricting down to, like you’re saying, the exact API operations that you want to make and then restricting those down to the specific resources that you’ll be making them on.

Mike Pfeiffer:
It’s been interesting to watch over the last few years how the services have matured. There are so many of those integration points like you were talking about where you’re just being given the option to delegate access from one service to another. And sometimes if you’re not sure what you’re doing, then you get into that situation where maybe you’re opening stuff up. Do you like that pattern that AWS is following where they’ll build IAM roles for you and handle some of that setup, or are you somebody that likes to see things a little bit stricter?

Dylan Shields:
I do like it. If you do everything yourself, you can get down to strict least privilege, which would be better, but I do think it’s a step up from what a lot of people would have done otherwise. I see this a lot. I was talking with someone on a similar line using KMS to encrypt your data in AWS, and there’s a lot of integrations with KMS where you store something in S3 and you just do one click to encrypt the bucket and encrypt all the files in there with a KMS key that AWS will create for you.

Mike Pfeiffer:
Yeah, that’s a great point because it could be a barrier to entry if we don’t have some ways for people to get going. I agree with that. I actually think it’s a good thing to have those shortcuts and stuff. And that also reminded me, just in that conversation of, remember a couple of years ago where the S3 console was still not updated and you never really knew by just looking whether a bucket was public or private, but now it’s yelling at you if it’s in a public bucket. Are you seeing any of that pop up in any other services in AWS? I haven’t been doing a ton of AWS stuff lately, so I was wondering if they’re helping people more understand when they’re opening things up or going against best practices and stuff like that.

Dylan Shields:
S3 is definitely the biggest. I sometimes see it in security groups. I think it’ll let you know when you’re opening up inbound access into your network from all ports. Really the one place where they’re showing you best practices is S3.

Mike Pfeiffer:
Gotcha. That’s really cool. I like that they do that and I’ve noticed they’re doing tons of new AWS security services. Is that stuff you’re covering the book? I know there’s a ton of stuff that has popped up over the last couple of years.

Dylan Shields:
Yeah. Can’t cover all of it just because there are so many, but I tried to put a lot of it in there with GuardDuty, looking at a lot of different network type threats, and then Amazon Macie, which looks at data access, and then collecting that all into Security Hub. And there’s a new service called Detective, which is looking at threat movement and stuff like that. So trying to cover that a little bit in the end of the book.

Mike Pfeiffer:
Yeah, the Security Hub and the Detective stuff is things I haven’t really looked at much lately.

Dylan Shields:
Yeah, those are really new.

Mike Pfeiffer:
Kind of switching gears here a little bit. Have you been working in cloud for a long time? Have you worked any other cloud platforms? Has it been pretty much AWS?

Dylan Shields:
Yeah, so I worked in AWS for a few years. I was there mostly working on Security Hub and then in the automated reasoning group for a while. Then I went over to Google Cloud and I was working on a project called BigQuery, which is their enterprise data warehouse. And I was working on availability and reliability there, which isn’t necessarily security, but I think there’s a lot of parallels between availability and security. The same kinds of things you would look to protect for denial of service attacks and data corruption or data tampering are the same things you are really looking at for availability with backing up all of your data and making sure that you’re not going to go down if a customer sends too much load or something like that. So there’s a lot of parallels there. So I was at GCP for a while, and then recently I came back to AWS and I’ve been working on quantum computing.

Mike Pfeiffer:
Quantum computing is something I would love to get into in an episode. That’s really cool. But I was just looking at your bio while you were talking about that, and I noticed you were the first engineer on the AWS Security Hub team. That’s pretty cool.

Dylan Shields:
Yeah, it was actually kind of funny. I was hired to work on Security Hub, but I was the only one there. So I just was working on different internal security teams until they filled out the team to start working on it.

Mike Pfeiffer:
Nice. I joined AWS in 2013 and I was the first architect on the Quick Start team for about two weeks, and then we got some more people and started building up the team. But that’s what I loved about working at AWS is because even though Amazon is such a huge company, you can get into a team like that where it’s just such a startup feel, right?

Dylan Shields:
Yeah. I do feel all the teams are like that and they’re building out so many new services that it’s easy to jump onto something new.

Mike Pfeiffer:
Right. That’s really cool. So right now the book, the AWS security book that you’re writing for Manning is in an early access program, so people can start reading and maybe circling feedback to you right now, right?

Dylan Shields:
Yeah. So there’s five chapters available online and the sixth one should be up probably by the time this is posted and you can start reading those online and there’s a forum where you can ask me questions or tell me where you think I’m wrong. And then when the book becomes fully available, it’ll all be up there as well as in a physical copy as well.

Mike Pfeiffer:
Nice. Yeah, you probably won’t get a ton of arguing from the community, I wouldn’t suspect. You’re an actual AWS security engineer. But I’d love to ask you… There are a couple other things I want to get back to in the book, but I’m curious about your experience with certifications. I know that there’s a security specialization cert. Is that something that you get into at all over there?

Dylan Shields:
I actually have not. I’ve just been at AWS so long I never tried taking any of the certifications, just working on the internal side.

Mike Pfeiffer:
It’s kind of different when you’re there behind the scenes and we’re all here in the community chasing certs. It’s kind of different for you guys when you’re working there, right?

Dylan Shields:
Yeah, I think it’s a little different. The security specialization I definitely want to look into. I’m hoping to tailor the book a little bit towards what that covers. I would love for the book to be a good reference if you wanted to take that certificate.

Mike Pfeiffer:
I’m glad that they’re doing that, because it’s encouraging the other platforms to do it too. Microsoft now has a security specialty for Azure and stuff like that. But I really love those specializations. Security’s so important. But getting back to the book here, I’m guessing that it’s really just taking you end to end. So you start off with basically an introduction to how IAM works and then I’m assuming it progressively takes you through different architectures, different services, maybe networking and then getting into, I’m sure, data encryption and things like that. Am I understanding the idea here right?

Dylan Shields:
In the first section going through IAM and same thing with networking, so learning how VPCs and all those controls work and then getting into more advanced concepts with networking, and then looking at data access, data encryption, logging and audit trails, and then looking at continuous monitoring and then remediation. That’s stuff that interests me a lot just because that’s what I was working on with Security Hub. And then after that, there’s a second section that goes into actually applying everything learned in the first part of the book to different types of applications. Sometimes I’ve read books where I read a chapter and I’m like, “Oh, that totally makes sense.” And then I go try to apply it and I’m like, “How does this actually fit into my architecture?” So I wanted to go through a couple of different sample applications that would be more realistic just to maybe help people apply it in their own environments.

Mike Pfeiffer:
Yeah, that’s huge. I definitely love that concept of applying what you’re learning. I think that’s massive. It looks like a really awesome outline. Even saw at the end there, securing a mobile application. But I’m curious, I know there’s some… You cover some best practices, common attacks and stuff. What are some of the most common attacks you see in AWS or that customers are defending against?

Dylan Shields:
It depends on the level. So 90% of the attacks are really simple stuff like open S3 buckets, databases, or Elasticsearch clusters that are open to the world. Past that, I think the next biggest one is denial of service. That one’s huge, and there are a lot of unsophisticated denial of service attacks that are really easy to protect against. There are a few services like Shield and Shield Advanced that can do that pretty easily for you. And if you’re using certain services in AWS, they’ll help you out with that, like CloudFront, which is their CDN service. That’ll do a lot of that for you. So putting your application behind something like that, it’s just an easy way to get that security for free.

Mike Pfeiffer:
It seems like there are so many integration points and there are so many managed services where there’s a lot of perimeter security that you may have to think about, and to your point, a lot of the other places that are common is just people making simple mistakes by opening things up too big, or too permissive, I should say. It seems like a really common thing. At the network level we’ve got… You mentioned security groups and then there are NACLs and VPC. Are there any other integrations these days like managed DDoS protection and VPC and stuff like that? I haven’t been keeping up to date with what you guys are up to over there.

Dylan Shields:
So there’s AWS Shield Advanced, which is a super sophisticated DDoS protection tool. It’s a bit expensive, but that’s a really great tool for DDoS protection that integrates well with AWS services. And then there’s also AWS WAF, web app firewall, that’s a good, basic firewall if you’re just looking for something to put in front of a simple application. It’s got a bunch of basic built in rules and in AWS style, you can pick and choose the rules you want and pay for what you use. But then on top of that, AWS marketplace has a ton of different firewalls from third-party vendors that make it really easy to integrate those. So if you have something that you’re using in an on-prem environment that you’re used to, you can easily bring those in.

Mike Pfeiffer:
I remember back when I was there, Trend Micro was a huge marketplace partner building all kinds of security products. I’m sure you guys got a ton of stuff from other vendors out there. But it’s cool to hear that the marketplace is still thriving. So switching gears just a little bit, obviously writing a book is a big deal. What do you think so far? Are you going to do another one? Is there going to be a follow-up to this? I know that’s an early question for you, but I’m just curious. Is there a series coming or what’s your experience so far writing a book?

Dylan Shields:
I’m not sure if there’ll be any more. I haven’t decided yet. It’s harder than I thought. I thought I had all this knowledge down, and then I started writing and I was like, “Wow, some of these things I don’t understand as well as I thought I did,” and had to do a lot of research and talk with a lot of people that work on these services to figure them out. But it’s true that you don’t really know how well you know something until you try to explain it to someone else.

Mike Pfeiffer:
That’s really true, man. I think connecting all those dots is part of the beauty of writing a book, even though it’s insanely hard, but it’s got to be difficult to keep up with the pace of AWS innovation. Has that been a challenge for you, where you have to go back and rewrite stuff?

Dylan Shields:
Not yet, but I’ve definitely seen services launch, especially at re:Invent last year, and then re:Inforce recently where I’ve been like, “Okay, these are two more services that I need to put in.” Luckily they’re in chapters I haven’t written yet, but I’m definitely worried about re:Invent coming up this year and adding a few things that I’m going to have to change in the early chapters.

Mike Pfeiffer:
Right, re:Invent is such a huge annual event where so many new services are announced and changes. It’s got to have you a little bit anxious. I know I would be. I just got done updating just one chapter of a book, and that was… I was complaining about that. Got to shift my perspective a little. At least I’m not doing 12 chapters. But it’s awesome, man. That’s really good work. And speaking of the conferences and stuff, I’m super familiar with re:Invent, have spoken on stage there before, but I haven’t heard of the other one you mentioned. What did you say it was?

Dylan Shields:
Oh, re:Inforce?

Mike Pfeiffer:
Yeah, re:Inforce.

Dylan Shields:
That’s kind of a mini re:Invent for just security products.

Mike Pfeiffer:
Okay. Has that been going on for a couple of years now?

Dylan Shields:
I think they’ve had two so far. Usually in the summer.

Mike Pfeiffer:
Got it. And I guess that’s all online now, right?

Dylan Shields:
Yeah. Everything’s online.

Mike Pfeiffer:
Yep. Did that already happen this year or is it something that we can get into this year? Or is it past?

Dylan Shields:
I think this one already happened just a couple months ago.

Mike Pfeiffer:
Got it. Interesting. Yeah, well this has been awesome, Dylan. As we start to wrap up the show, what else do you want to send people to? Obviously it would be awesome to have people start looking at your book, especially anybody deploying apps on AWS, just to make sure they’re doing it securely, but any other recommendations or places we should send people?

Dylan Shields:
Outside of the book, I think the AWS security white papers are a really great start, and they have some blueprints for how to get started with a secure application and get started in a secure way, and it’s a lot easier if you start from something secure and build your application on top of that, rather than starting with an application and trying to add on security after the fact.

Mike Pfeiffer:
Cool man. Well we’re definitely going to link up some resources in the show notes. We’ll put a link to the book in there. The book is from Manning. It’s called AWS Security. Dylan Shields, thanks so much, man. Appreciate you coming on the show.

Dylan Shields:
Yeah, thank you.
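Editor’s note: the two IAM points made in the conversation above, the over-permissioned Lambda role that comes from “just keep adding permissions until it works” and Zelkova’s comparison of two policies to say which is more permissive, as an added worked example. This is Python written for this page; it is not code from the episode, the book, or AWS. Everything in it is constructed: the two policy documents, the bucket names, the account ID and log group, and the probe sets of actions and ARNs. The comparison is a deliberate simplification that enumerates a finite probe set and ignores Deny statements and Condition blocks; the real analyzers (Zelkova, IAM Access Analyzer) reason over those too.

```python
"""
Lint IAM policy documents for over-broad grants, and compare what two
policies allow over a probe set of actions and ARNs.

Added example for this page; not code from the book, the podcast or AWS.
Policies, bucket names, account ID, log group and probe sets are constructed.
"""
import fnmatch
import json
from typing import Iterable

# Constructed: the "keep adding permissions until the Lambda works" outcome.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"},
    ],
})

# Constructed: the same function's real needs, cut down to the exact API
# operations it calls and the exact resources it calls them on.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-input-bucket/incoming/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:*"},
    ],
})

# Constructed probe sets: the questions we want to ask of each policy.
CANDIDATE_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                     "logs:PutLogEvents", "iam:PassRole"]
CANDIDATE_ARNS = [
    "arn:aws:s3:::example-input-bucket/incoming/report.csv",
    "arn:aws:s3:::other-bucket/secret.txt",
    "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:log-stream:2024",
]


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard matching uses only '*' and '?'. Action names match
    case-insensitively; resource ARNs are matched as written."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def find_overbroad_statements(policy_json: str) -> list[str]:
    """Flag Allow statements that grant a whole service, every action, or every resource."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: Allow with NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: resource '*'")
    return findings


def allowed_pairs(policy_json: str, actions: Iterable[str], arns: Iterable[str]) -> set[tuple[str, str]]:
    """Which (action, ARN) pairs from the probe sets do the Allow statements cover?
    Ignores Deny and Condition, so this over-approximates what IAM would grant."""
    allowed = set()
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for action in actions:
        for arn in arns:
            for stmt in statements:
                if stmt.get("Effect") != "Allow":
                    continue
                action_ok = any(_matches(p, action, True) for p in _as_list(stmt.get("Action")))
                resource_ok = any(_matches(p, arn, False) for p in _as_list(stmt.get("Resource")))
                if action_ok and resource_ok:
                    allowed.add((action, arn))
                    break
    return allowed


def is_at_least_as_permissive(policy_a: str, policy_b: str, actions, arns) -> bool:
    """True if every probe pair that policy_b allows, policy_a allows as well."""
    return allowed_pairs(policy_b, actions, arns) <= allowed_pairs(policy_a, actions, arns)


if __name__ == "__main__":
    for name, doc in [("overbroad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, find_overbroad_statements(doc) or "no findings")
    print("overbroad >= least-privilege:",
          is_at_least_as_permissive(OVERBROAD_POLICY, LEAST_PRIVILEGE_POLICY, CANDIDATE_ACTIONS, CANDIDATE_ARNS))
    print("least-privilege >= overbroad:",
          is_at_least_as_permissive(LEAST_PRIVILEGE_POLICY, OVERBROAD_POLICY, CANDIDATE_ACTIONS, CANDIDATE_ARNS))
```

The linter catches the obvious case (service wildcards and `Resource: "*"`), but the comparison is what catches the policies that “look the same to the human eye”: change `s3:GetObject` to `s3:Get*`, or drop the `/incoming` prefix from the resource ARN, and `allowed_pairs` grows even though the document barely changes. Extend the probe sets with the actions and ARNs that matter in your own account, and treat the result as an over-approximation until Deny statements and Condition keys are accounted for.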

Subscribe to the CloudSkills Weekly Newsletter

Get exclusive access to special trainings, updates on industry trends, and tips on how to advance your career in the tech industry.