AWS re:Invent 2022 - A day in the life of a billion requests (SEC404)

Рет қаралды 31,439

Жыл бұрын

Every day, sites around the world authenticate their callers. That is, they verify cryptographically that the requests are actually coming from who they claim to come from. In this session, learn about unique AWS requirements for scale and security that have led to some interesting and innovative solutions to this need. How did solutions evolve as AWS scaled multiple orders of magnitude and spread into many AWS Regions around the globe? Hear about some of the recent enhancements that have been launched to support new AWS features, and walk through some of the mechanisms that help ensure that AWS systems operate with minimal privileges.
Learn more about AWS re:Invent at go.aws/3ikK4dD.
Subscribe:
More AWS videos bit.ly/2O3zS75
More AWS events videos bit.ly/316g9t4
ABOUT AWS
Amazon Web Services (AWS) hosts events, both online and in-person, bringing the cloud computing community together to connect, collaborate, and learn from AWS experts.
AWS is the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. Millions of customers-including the fastest-growing startups, largest enterprises, and leading government agencies-are using AWS to lower costs, become more agile, and innovate faster.
#reInvent2022 #AWSreInvent2022 #AWSEvents

Пікірлер: 25

@andreistefanie Жыл бұрын

I've always considered SigV4 a complex burden, but now I consider it a masterpiece. One of the best talks I've ever listened to.

@AvinTheBest Жыл бұрын

Fantastic talk! You can tell that Eric is an expert at his job in the comfortable and proud way he speaks of his work.

@Qwerty20238aw Жыл бұрын

Any presentation with Eric is a must watch!

@flying-eagle-method Жыл бұрын

I didn't know Jim Gaffigan worked for AWS. Great talk

@Tieno Жыл бұрын

underappreciated comment. Here, have my appreciation!

@hello_its_me. Ай бұрын

don't quit your day job, if you have one!

@mfe_ Жыл бұрын

Pure gold! Again.

@larryludden Жыл бұрын

Such a great talk. Great to hear the passion and satisfaction. Sounds like a good place to work.

@awssupport Жыл бұрын

Glad you enjoyed it, Larry! 😁 ^LD

@rajendrahr8364 Жыл бұрын

Excellent talk !

@whereismymind6696 Жыл бұрын

Second time watching this, thanks

@Alberto_Cavalcante Жыл бұрын

Excellent

@freerockneverdrop1236 Жыл бұрын

Complex made so simple!

@ninepoints5932 Жыл бұрын

One thing that wasn't explained was why the HMAC derivation chain needed to be a full chain at all, as opposed to concatenating a nonce + encoded representation of the region + timestamp + service all in a single HMAC. The talk as presented suggests that the resulting digest is cached in one place (one S3 region in the example) which would have meant that all intermediate digests are effectively thrown away on both the server and the client as I understand it.

@ebrandwine Жыл бұрын

In the Hong Kong example, I showed how stopping the derivation at region and propagating that key was valuable. We haven't needed the ability to stop derivation at each point, but it gives us flexibility for future tiers or hierarchy in our services. And HMAC is CHEAP, there's no real gain to doing it all in a single derivation step.

@LPRise Жыл бұрын

Incredible talk! Would love to get the same insights into the autorization part!

@awssupport Жыл бұрын

Super glad to hear this! If you could please provide a bit more detail around the insights you're interested in, I will be happy to pass this along for you. 😁 ^ES

@zhiliu4489 Жыл бұрын

Thanks for the talk. Maybe a silly question, the speaker mentioned at 45:06 that ARS has the mirror of the keys STS has, what are those keys? Are they the public/private key pair used to encrypt the token? How long do those keys live?

@ebrandwine Жыл бұрын

Two keypairs, one for signing/validation, one for encryption/decryption. They're rotated very frequently so there are multiple active keys at any given time (it's complicated) but it is this key rotation that sets the max session lifespan at 36 hours. Even if you could trick us into issuing a session that lasted longer than that, nobody would be able to validate it after about 36 hours because the keys would be expired.

@zhiliu4489 Жыл бұрын

Thank you for clarification.

@matthewmerchant1495 Жыл бұрын

Great talk!

@awssupport Жыл бұрын

We're so happy you think so, Matthew! 😄 ^LD

@jamessaull Жыл бұрын

Such an Eric and AWS Security thing to do: kzfaq.info/get/bejne/qraiZKSYrNHak2g.html Take a quick moment, to remind people of something important, not mock them or make them uncomfortable and offer them a simple no-cost solution to better security. Great presentation.

@andreistefanie Жыл бұрын

Nice of you to point it out. It's highly important. You can also specify timestamps in YT comments by simply typing them such as 18:58 (YT automatically linked it to the moment in the video)