
AWS re:Invent 2022 - A day in the life of a billion requests (SEC404) 

AWS Events

Every day, sites around the world authenticate their callers. That is, they verify cryptographically that the requests are actually coming from who they claim to come from. In this session, learn about unique AWS requirements for scale and security that have led to some interesting and innovative solutions to this need. How did solutions evolve as AWS scaled multiple orders of magnitude and spread into many AWS Regions around the globe? Hear about some of the recent enhancements that have been launched to support new AWS features, and walk through some of the mechanisms that help ensure that AWS systems operate with minimal privileges.
Learn more about AWS re:Invent at go.aws/3ikK4dD.

Published: 5 Oct 2024

Comments: 25
@andreistefanie 1 year ago
I've always considered SigV4 a complex burden, but now I consider it a masterpiece. One of the best talks I've ever listened to.
@AvinTheBest 1 year ago
Fantastic talk! You can tell that Eric is an expert at his job in the comfortable and proud way he speaks of his work.
@Qwerty20238aw 1 year ago
Any presentation with Eric is a must watch!
@flying-eagle-method 1 year ago
I didn't know Jim Gaffigan worked for AWS. Great talk
@Tieno 1 year ago
underappreciated comment. Here, have my appreciation!
@hello_its_me. 4 months ago
don't quit your day job, if you have one!
@LPRise 1 year ago
Incredible talk! Would love to get the same insights into the authorization part!
@awssupport 1 year ago
Super glad to hear this! If you could please provide a bit more detail around the insights you're interested in, I will be happy to pass this along for you. 😁 ^ES
@larryludden 1 year ago
Such a great talk. Great to hear the passion and satisfaction. Sounds like a good place to work.
@awssupport 1 year ago
Glad you enjoyed it, Larry! 😁 ^LD
@ninepoints5932 1 year ago
One thing that wasn't explained was why the HMAC derivation chain needed to be a full chain at all, as opposed to concatenating a nonce + encoded representation of the region + timestamp + service all in a single HMAC. The talk as presented suggests that the resulting digest is cached in one place (one S3 region in the example) which would have meant that all intermediate digests are effectively thrown away on both the server and the client as I understand it.
@ebrandwine 1 year ago
In the Hong Kong example, I showed how stopping the derivation at region and propagating that key was valuable. We haven't needed the ability to stop derivation at each point, but it gives us flexibility for future tiers or hierarchy in our services. And HMAC is CHEAP, there's no real gain to doing it all in a single derivation step.
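An added illustration of the derivation chain discussed in the two comments above (not part of the thread and not AWS code): it follows the publicly documented SigV4 signing-key derivation and shows what propagating only a region-level key allows a verifier to do. The function names, the secret, the dates, the string to sign and the use of `ap-east-1` to stand in for the Hong Kong example are all constructed for this sketch.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def region_key(secret: str, date: str, region: str) -> bytes:
    """First links of the chain: secret -> date key -> region key."""
    return _mac(_mac(("AWS4" + secret).encode(), date), region)

def signing_key_from_region(k_region: bytes, service: str) -> bytes:
    """Remaining links: region key -> service key -> signing key."""
    return _mac(_mac(k_region, service), "aws4_request")

def sign(secret, date, region, service, string_to_sign) -> str:
    """Client side: run the whole chain, then MAC the string to sign."""
    key = signing_key_from_region(region_key(secret, date, region), service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def regional_verify(k_region, service, string_to_sign, signature) -> bool:
    """Verifier that was handed only one region's key for one day."""
    key = signing_key_from_region(k_region, service)
    expected = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

# Constructed sample values, not real credentials or a real request.
SECRET = "constructed-example-secret"
DATE = "20221130"
MSG = "constructed string to sign"

def demo() -> dict:
    hk = region_key(SECRET, DATE, "ap-east-1")  # the only key propagated
    return {
        # Any service in the same region and day can be verified...
        "same_region_s3": regional_verify(
            hk, "s3", MSG, sign(SECRET, DATE, "ap-east-1", "s3", MSG)),
        "same_region_sts": regional_verify(
            hk, "sts", MSG, sign(SECRET, DATE, "ap-east-1", "sts", MSG)),
        # ...but the key is useless for another region or another day.
        "other_region": regional_verify(
            hk, "s3", MSG, sign(SECRET, DATE, "us-east-1", "s3", MSG)),
        "next_day": regional_verify(
            hk, "s3", MSG, sign(SECRET, "20221201", "ap-east-1", "s3", MSG)),
    }

if __name__ == "__main__":
    print(demo())
```

With a single HMAC over the concatenated scope there would be no intermediate value to hand to a regional verifier; it would need the long-term secret itself.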
@zhiliu4489 1 year ago
Thanks for the talk. Maybe a silly question, the speaker mentioned at 45:06 that ARS has the mirror of the keys STS has, what are those keys? Are they the public/private key pair used to encrypt the token? How long do those keys live?
@ebrandwine 1 year ago
Two keypairs, one for signing/validation, one for encryption/decryption. They're rotated very frequently so there are multiple active keys at any given time (it's complicated) but it is this key rotation that sets the max session lifespan at 36 hours. Even if you could trick us into issuing a session that lasted longer than that, nobody would be able to validate it after about 36 hours because the keys would be expired.
@zhiliu4489 1 year ago
Thank you for clarification.
@mfe_ 1 year ago
Pure gold! Again.
@UntrustedProcess 1 year ago
Great talk!
@awssupport 1 year ago
We're so happy you think so, Matthew! 😄 ^LD
@freerockneverdrop1236 1 year ago
Complex made so simple!
@rajendrahr8364 1 year ago
Excellent talk!
@whereismymind6696 1 year ago
Second time watching this, thanks
@Alberto_Cavalcante 1 year ago
Excellent
@jamessaull 1 year ago
Such an Eric and AWS Security thing to do: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-tPr1AgGkvc4.html Take a quick moment, to remind people of something important, not mock them or make them uncomfortable and offer them a simple no-cost solution to better security. Great presentation.
@andreistefanie 1 year ago
Nice of you to point it out. It's highly important. You can also specify timestamps in YT comments by simply typing them such as 18:58 (YT automatically linked it to the moment in the video)
@alexsmart2612 1 year ago
This man over here singing a god damned ballad in love for IAM.