AWS re:Invent 2022 - A day in the life of a billion requests (SEC404)

  • Published: 30 Nov 2022
  • Every day, sites around the world authenticate their callers. That is, they verify cryptographically that the requests are actually coming from who they claim to come from. In this session, learn about unique AWS requirements for scale and security that have led to some interesting and innovative solutions to this need. How did solutions evolve as AWS scaled multiple orders of magnitude and spread into many AWS Regions around the globe? Hear about some of the recent enhancements that have been launched to support new AWS features, and walk through some of the mechanisms that help ensure that AWS systems operate with minimal privileges.
    Learn more about AWS re:Invent at go.aws/3ikK4dD.
    Subscribe:
    More AWS videos bit.ly/2O3zS75
    More AWS events videos bit.ly/316g9t4
    ABOUT AWS
    Amazon Web Services (AWS) hosts events, both online and in-person, bringing the cloud computing community together to connect, collaborate, and learn from AWS experts.
    AWS is the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. Millions of customers, including the fastest-growing startups, largest enterprises, and leading government agencies, are using AWS to lower costs, become more agile, and innovate faster.
    #reInvent2022 #AWSreInvent2022 #AWSEvents
  • Science

Comments • 25

  • @andreistefanie
    @andreistefanie 1 year ago +17

    I've always considered SigV4 a complex burden, but now I consider it a masterpiece. One of the best talks I've ever listened to.

  • @AvinTheBest
    @AvinTheBest 1 year ago +16

    Fantastic talk! You can tell that Eric is an expert at his job in the comfortable and proud way he speaks of his work.

  • @Qwerty20238aw
    @Qwerty20238aw 1 year ago +4

    Any presentation with Eric is a must watch!

  • @flying-eagle-method
    @flying-eagle-method 1 year ago +7

    I didn't know Jim Gaffigan worked for AWS. Great talk

    • @Tieno
      @Tieno 1 year ago

      underappreciated comment. Here, have my appreciation!

    • @hello_its_me.
      @hello_its_me. 1 month ago

      don't quit your day job, if you have one!

  • @mfe_
    @mfe_ 1 year ago

    Pure gold! Again.

  • @larryludden
    @larryludden 1 year ago +1

    Such a great talk. Great to hear the passion and satisfaction. Sounds like a good place to work.

    • @awssupport
      @awssupport 1 year ago

      Glad you enjoyed it, Larry! 😁 ^LD

  • @rajendrahr8364
    @rajendrahr8364 1 year ago

    Excellent talk!

  • @whereismymind6696
    @whereismymind6696 1 year ago

    Second time watching this, thanks

  • @Alberto_Cavalcante
    @Alberto_Cavalcante 1 year ago

    Excellent

  • @freerockneverdrop1236
    @freerockneverdrop1236 1 year ago

    Complex made so simple!

  • @ninepoints5932
    @ninepoints5932 1 year ago +1

    One thing that wasn't explained was why the HMAC derivation chain needed to be a full chain at all, as opposed to concatenating a nonce + encoded representation of the region + timestamp + service all in a single HMAC. The talk as presented suggests that the resulting digest is cached in one place (one S3 region in the example) which would have meant that all intermediate digests are effectively thrown away on both the server and the client as I understand it.

    • @ebrandwine
      @ebrandwine 1 year ago +10

      In the Hong Kong example, I showed how stopping the derivation at region and propagating that key was valuable. We haven't needed the ability to stop derivation at each point, but it gives us flexibility for future tiers or hierarchy in our services. And HMAC is CHEAP, there's no real gain to doing it all in a single derivation step.
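
The derivation chain discussed in this exchange, as an added example that is not code from the talk or from AWS: it keeps the intermediate region key so that a regional endpoint can finish the derivation without ever holding the long-term secret. The secret and the string-to-sign are constructed values; ap-east-1 is used as the Hong Kong Region.

```python
# Added example (not from the talk or AWS's own code): the SigV4 signing-key
# derivation chain, keeping the intermediate region key so a regional endpoint
# can finish the derivation without ever holding the long-term secret.
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    """HMAC-SHA256 over a UTF-8 message, the primitive used at every chain step."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_region_key(secret: str, date: str, region: str) -> bytes:
    """Steps 1-2: kSecret -> kDate -> kRegion.

    This is the only step that touches the long-term secret. The result can be
    propagated to a Region because it is useless for any other date or Region.
    """
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)   # date is YYYYMMDD
    return _hmac(k_date, region)


def finish_signing_key(k_region: bytes, service: str) -> bytes:
    """Steps 3-4: kRegion -> kService -> kSigning, done by the region-key holder."""
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """The full chain in one place; equals the two-stage path above."""
    return finish_signing_key(derive_region_key(secret, date, region), service)


def sign(signing_key: bytes, string_to_sign: str) -> str:
    """Last SigV4 step: hex HMAC of the string-to-sign under the signing key."""
    return _hmac(signing_key, string_to_sign).hex()


if __name__ == "__main__":
    secret = "EXAMPLE-SECRET-KEY-NOT-REAL"          # constructed, not a real credential
    # Central derivation stops at the region key and ships it to ap-east-1 (Hong Kong).
    k_region = derive_region_key(secret, "20221130", "ap-east-1")
    # The regional endpoint finishes the chain for S3 on its own.
    k_signing = finish_signing_key(k_region, "s3")
    assert k_signing == derive_signing_key(secret, "20221130", "ap-east-1", "s3")
    print(sign(k_signing, "constructed-string-to-sign"))
```

Because each step is keyed by the previous output, a leaked region key exposes at most that date and Region, which is the point of propagating it rather than the secret.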

  • @LPRise
    @LPRise 1 year ago +2

    Incredible talk! Would love to get the same insights into the authorization part!

    • @awssupport
      @awssupport 1 year ago

      Super glad to hear this! If you could please provide a bit more detail around the insights you're interested in, I will be happy to pass this along for you. 😁 ^ES

  • @zhiliu4489
    @zhiliu4489 1 year ago +1

    Thanks for the talk. Maybe a silly question, the speaker mentioned at 45:06 that ARS has the mirror of the keys STS has, what are those keys? Are they the public/private key pair used to encrypt the token? How long do those keys live?

    • @ebrandwine
      @ebrandwine 1 year ago +5

      Two keypairs, one for signing/validation, one for encryption/decryption. They're rotated very frequently so there are multiple active keys at any given time (it's complicated) but it is this key rotation that sets the max session lifespan at 36 hours. Even if you could trick us into issuing a session that lasted longer than that, nobody would be able to validate it after about 36 hours because the keys would be expired.
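
The rotation bound described in the reply above, as an added toy model that is not STS or ARS code: validation keys live for a fixed window, so a session whose signing key has rotated out cannot be validated no matter what expiry the session claims. The 12-hour rotation cadence, the integer key ids, the HMAC-based token layout and the constructed key material are all assumptions.

```python
# Added example, not STS or ARS code: a toy session validator showing how key
# rotation alone bounds session lifetime. Every validation key lives for a fixed
# window; a token whose key has rotated out fails no matter what expiry the
# token itself claims. Times are whole hours to keep the arithmetic readable.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

KEY_LIFETIME_H = 36   # assumed: a key validates for 36h, the bound quoted in the thread
ROTATE_EVERY_H = 12   # assumed: a new key every 12h, so about three are live at once


@dataclass(frozen=True)
class RotatingKey:
    kid: int
    secret: bytes
    valid_from: int   # hour at which this key came into service

    def live_at(self, now_h: int) -> bool:
        return self.valid_from <= now_h < self.valid_from + KEY_LIFETIME_H


def keyring_at(now_h: int) -> List[RotatingKey]:
    """Every key still inside its lifetime at now_h (constructed secrets)."""
    keys = [RotatingKey(kid, b"constructed-key-%d" % kid, kid * ROTATE_EVERY_H)
            for kid in range(now_h // ROTATE_EVERY_H + 1)]
    return [k for k in keys if k.live_at(now_h)]


def _mac(key: RotatingKey, expiry_h: int) -> str:
    return hmac.new(key.secret, str(expiry_h).encode(), hashlib.sha256).hexdigest()


def issue(now_h: int, claimed_expiry_h: int) -> Tuple[int, int, str]:
    """Sign a session with the newest live key: (kid, claimed expiry, mac)."""
    key = max(keyring_at(now_h), key=lambda k: k.valid_from)
    return key.kid, claimed_expiry_h, _mac(key, claimed_expiry_h)


def validate(token: Tuple[int, int, str], now_h: int) -> bool:
    """Accept only if the signing key is still live and the MAC and expiry check out."""
    kid, expiry_h, mac = token
    live = {k.kid: k for k in keyring_at(now_h)}
    if kid not in live:   # key rotated out: nobody can validate this token any more
        return False
    return hmac.compare_digest(mac, _mac(live[kid], expiry_h)) and now_h < expiry_h
```

A session issued at hour 0 claiming a 72-hour expiry validates at hour 30 but not at hour 40, because key 0 left the keyring at hour 36.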

    • @zhiliu4489
      @zhiliu4489 1 year ago

      Thank you for clarification.

  • @matthewmerchant1495
    @matthewmerchant1495 1 year ago +1

    Great talk!

    • @awssupport
      @awssupport 1 year ago

      We're so happy you think so, Matthew! 😄 ^LD

  • @jamessaull
    @jamessaull 1 year ago +4

    Such an Eric and AWS Security thing to do: ruclips.net/video/tPr1AgGkvc4/видео.html Take a quick moment to remind people of something important, not mock them or make them uncomfortable, and offer them a simple no-cost solution to better security. Great presentation.

    • @andreistefanie
      @andreistefanie 1 year ago +2

      Nice of you to point it out. It's highly important.
      You can also specify timestamps in YT comments by simply typing them such as 18:58 (YT automatically linked it to the moment in the video)

  • @alexsmart2612
    @alexsmart2612 1 year ago +1

    This man over here singing a god damned ballad in love for IAM.