Security in focus and AWS User Group Oslo 10 years anniversary!


Details
This meeting will take place exactly (on the day) 10 years after our first meeting! 🥳 - Do not miss out on this opportunity to be able to say that you attended the anniversary meetup!
We will have a quick look back, and also have a raffle with some swag and AWS-vouchers for the lucky winners 🤩
Also this time we have two very interesting presentations related to security! Approx. 45 minutes duration for each presenter.
Agenda:
16:30 - Doors open. Food and networking
17:00 - Welcome, main news, and a quick look back at the last 10 years
17:15 - Main presentations start (2 x 45 min)
Two very interesting talks about security this evening:
Service-To-Service Authentication And Authorization Using AWS SigV4 with Sebastian Anton (DevOps Engineer, NEP Norway)
Sensible Security for AWS Workloads with Nick Jones (Global Head of Research at WithSecure Consulting)
---------------------------------------------------------------------------------
Service-To-Service Authentication And Authorization Using AWS SigV4 with Sebastian Anton (DevOps Engineer, NEP Norway)
Service-to-service authentication and authorization are critical aspects of modern distributed systems, ensuring that different services within an architecture can securely communicate with each other.
There are multiple ways of implementing service-to-service auth, each coming with its own challenges regarding security, performance, and reliability, including:
- How to store and distribute credentials in a secure way and also rotate them.
- Managing issuance, expiration and renewal of tokens, as well as validating them and checking for tampering.
- With mTLS, handling complex certificate management.
- Single point of failure/performance bottleneck in case of a central IAM service.
About AWS SigV4:
AWS Signature Version 4 (SigV4) is basically AWS' implementation of hash-based message authentication code (HMAC) over HTTP.
It is widely used for AWS' APIs and therefore the AWS SDKs and also the AWS CLI use this method for signing their requests.
In this session, I want to show how we could make use of the AWS SigV4 implementation for our own services using API Gateway resource policies and signing our service-to-service requests using AWS SigV4.
For demonstration I will go through these steps:
- Deploying a service with an API Gateway in front
- Configuring the API Gateway resource policy for authentication/authorization
- Setting up request signing in the caller service
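To make "HMAC over HTTP" concrete, here is an added example (not the presenter's code or anything from the talk) that builds a SigV4 `Authorization` header with the Python standard library and shows a receiver rejecting a tampered request. The credentials, host, path and region are constructed placeholders, and `verify()` is a simplified stand-in for the check that API Gateway with IAM authorization performs on its side.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGO = "AWS4-HMAC-SHA256"

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # Derivation chain: the long-term secret never signs a request directly;
    # the derived key is scoped to one day, one region and one service.
    key = _mac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _mac(key, part)
    return key

def authorization(access_key, secret, region, service, amz_date,
                  method, path, query, headers, body: bytes) -> str:
    # Canonical request: method, path, sorted query, sorted headers, body hash.
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in hdrs)
    canonical = "\n".join([
        method,
        quote(path, safe="/~"),  # path as sent on the wire, encoded once more
        "&".join(f"{k}={v}" for k, v in sorted(
            (quote(k, safe=""), quote(v, safe="")) for k, v in query.items())),
        "".join(f"{k}:{v}\n" for k, v in hdrs),
        signed,
        hashlib.sha256(body).hexdigest(),
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(
        [ALGO, amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    sig = _mac(signing_key(secret, amz_date[:8], region, service), to_sign).hex()
    return f"{ALGO} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"

def verify(received_auth: str, *request) -> bool:
    # Receiver side: recompute from the request as received, compare in constant time.
    return hmac.compare_digest(received_auth, authorization(*request))

# Constructed sample request and placeholder credentials (not real).
REQ = ["AKIAEXAMPLEKEYID0000", "constructed-secret", "eu-north-1", "execute-api",
       "20240101T120000Z", "POST", "/prod/orders", {"dryRun": "true"},
       {"Host": "api.example.com", "X-Amz-Date": "20240101T120000Z"}, b'{"id": 1}']
AUTH = authorization(*REQ)
```

Because the body hash, path, query and signed headers all feed the signature, changing any of them in transit makes `verify()` return `False`; a real receiver would also reject requests whose `X-Amz-Date` is outside its accepted time window.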
---------------------------------------------------------------------------------
Sensible Security for AWS Workloads with Nick Jones (Global Head of Research at WithSecure Consulting)
We've all read the Well Architected Framework and followed best practices to build security into our workloads, but of all the controls and recommendations, which ones make the difference? Using real-world cloud breach data and his ten years of cybersecurity experience, Nick will talk through the most common attack scenarios against AWS workloads and associated supporting infrastructure, and the key security controls to have in place. Attendees will come away with a better understanding of the real security threats to their projects, and guidance on which controls to prioritise, why they matter, and how to balance them against engineering effort. He'll also offer up some advice on how to prioritise security work and how best to engage with external security partners, to help the audience understand how to get the best value out of limited security budgets.
Nick is the Global Head of Research at WithSecure Consulting, where he focuses on AWS security and attack detection in advanced, cloud-native organisations. He has been delivering offensive security testing, consultancy and support to a world-wide client base (including some of the world's largest financial organisations) for over a decade, and led WithSecure Consulting's cloud security team for half of that time. Nick has previously spoken at a number of conferences and events including fwd:cloudsec, DEF CON Cloud Village, Disobey, T2, and several AWS User Groups and Community Days. Nick is also an AWS Community Builder.
---------------------------------------------------------------------------------
LOCATION: Ardoq office at Grensen 9B
SPONSOR:
Venue and food sponsored by
Ardoq - https://www.ardoq.com
THANK YOU!!! 🙏
