AWS re:Inforce will be held on August 24 and 25 in Houston, Texas. AWS re:Inforce offers you an opportunity to learn how to prioritize your security posture and investments. Given recent headlines about ransomware, misconfigurations, and unintended privacy consequences, this is your chance to learn the tactical and strategic lessons that will help keep your workloads secure and protected.

The re:Inforce sessions are offered for all backgrounds, from business to technical. In these sessions, you’ll connect with and learn from AWS experts, customers, and partners who share actionable insights that you can apply in your everyday work. Sessions will be available from intermediate (200) through expert (400) levels, so you can grow your skills, no matter where you are in your career.

There are learning opportunities in over 100 sessions across five tracks:

  • Data Protection and Privacy
  • Governance, Risk and Compliance
  • Identity and Access Management
  • Network and Infrastructure Security
  • Threat Detection and Incident Response

In this blog post, I will share session details from the Governance, Risk and Compliance track.

AWS re:Inforce Governance, Risk and Compliance

Breakout sessions

Breakout sessions are lecture-style presentations that are delivered by AWS experts, builders, customers, and partners. Breakout sessions typically include 10–15 minutes of Q&A at the end.

Level 200 – Intermediate

  • GRC202: How financial services customers turbocharge the risk management process

Fidelity Investments discusses repeatable methods they put in place to turbocharge the risk management cycle using AWS services for management and governance, security, identity, and compliance. The discussion includes considerations based on collective experiences with financial institutions using AWS to meet their regulatory expectations. The session walks through the cultural, procedural, and technical requirements financial services organizations can use to build a robust and highly iterative risk management cycle that enables them to identify, evaluate, and mitigate risks derived from a rapidly evolving threat landscape.

  • GRC203: Cloud Audit Academy: AWS-specific preview

Today, control framework language caters to on-premises environments, and security IT auditing techniques have not been reshaped for the cloud. The AWS-specific Cloud Audit Academy provides auditors with the education and tools to audit for security on AWS using a risk-based approach. In this session, experience a condensed sample domain from our four-day workshop.

  • GRC204: Continuous cloud compliance and audit adoption with AWS Audit Manager

AWS Audit Manager is a new service that helps you continuously audit AWS usage to simplify assessing risk and compliance with regulations and open standards. In this session, learn how to implement a continuous cloud compliance and audit approach, how Audit Manager integrates with AWS services, and how it fits into your existing compliance and audit control structure. Transform your cloud audit process from a periodic, time-consuming, and manual process that can take weeks to complete into a near-real-time, continuous, audit-ready program. Automatically collect evidence to demonstrate compliance for standards like PCI DSS, HITRUST, GxP, SOC2, and more.

  • GRC205: AWS Well-Architected Management and Governance Lens

Learn how the new AWS Well-Architected Management and Governance Lens helps enterprise customers innovate faster and maintain control over costs, compliance, and security. With this lens, users can achieve visibility and operations at scale across resources, data, and applications in a dynamic cloud environment.

  • GRC201: How Western Union modernizes apps at scale with security and controls

In this session, learn how Western Union migrated and modernized more than 750 applications in a secure and compliant manner using AWS management and governance services. Western Union discusses how they secure, govern, and standardize using a DevOps pipeline, how they modernize mainframe applications to microservices, and how they achieve scale at cloud speed.

Level 300 – Advanced

  • GRC301: Apply security guardrails for application code with Amazon CodeGuru

How can you bring the power of machine learning to the CI pipeline to implement security guardrails and ensure high quality code is delivered? With Amazon CodeGuru, you can detect issues in the OWASP top-10 vulnerabilities list and ensure best practices are followed. CodeGuru natively integrates with AWS partners such as GitHub and GitLab and open-source software such as Jenkins. This session provides an overview of Amazon CodeGuru and how developers can use it to maintain a high bar for code quality.

  • GRC302: Automate AWS Config conformance pack deployment with AWS CodePipeline

AWS Config rules are often used to detect compliance issues and enforce automated remediation on AWS resources. In this session, you’ll see how to build, test, and deploy these rules at scale across multiple AWS accounts in a repeatable, secure, and automated way. This session presents a sample implementation that uses AWS Config conformance packs, AWS Developer Tools, the Rule Development Kit (RDK) and RDKLib to create a simple pipeline that can package AWS Config rules as organization conformance packs and deploy them across an organization.

  • GRC303: Building secure machine learning (ML) environments

Learn how to build secure and compliant machine learning and data science environments using AWS Control Tower, AWS Service Catalog, AWS Organizations, AWS Config, and other services. Also, learn how to set up your organizational unit (OU) structure for ML workloads and enable ML-specific guardrails. Leave the session with information to help you provision ML environments automatically on demand.

  • GRC304: Effective compliance automation with AWS Config

As organizations move to the cloud, it becomes challenging to ensure resource configuration and compliance across the business. In this session, learn how you can use services like AWS Config to automate your compliance management to both help you achieve compliance and gain operational efficiency. Compliance is a fast-moving and dynamic world. Come hear how AWS has removed the complexity by providing managed rules, sample templates, and aggregators to help you scale compliance across your business.

  • GRC305: Securing and governing your AWS environment at any scale

This session introduces best practices you can use to manage the security of your AWS accounts and govern your AWS environment. Whether you are a small startup or a large enterprise, explore approaches appropriate for your scale. This session covers AWS Organizations, AWS Control Tower, AWS Single Sign-On, AWS Security Hub, AWS Config, AWS CloudTrail, and more!

Level 400 – Expert

  • GRC401: Simplify and automate security with compliance as code

Managing compliance for thousands of resources in the cloud doesn’t have to be complicated. The key is to automate and simplify. This session walks you through the concept of compliance as code and demonstrates how to build a DevSecOps pipeline for PCI compliance that allows you to automate, validate, test, and deploy with minimal effort. This CI/CD pipeline for PCI compliance provides full coverage of automated remediations in code for the PCI Compliance conformance pack using custom-built AWS Systems Manager Automation documents. It then incorporates these automated remediations on detected PCI violations by integrating with AWS CodePipeline.

Builders’ sessions

These are small-group sessions led by an AWS expert who guides you as you build the service or product on your own laptop.

Level 200 – Intermediate

  • GRC271-R1/R2: Building custom frameworks with AWS Audit Manager

The AWS Audit Manager framework library is the central place from which you can access and manage frameworks. You can create custom frameworks to organize controls into control sets in a way that suits your unique requirements. In this session, build a customized framework through the AWS Management Console. Learn from customer use cases about how to use automation with the AWS SDK for Python (Boto3) to build custom frameworks at scale.

Level 300 – Advanced

  • GRC371-R1/R2: PCI DSS compliance for serverless cloud applications

Join this session to participate in a lab where you build a serverless payment application implemented with Amazon API Gateway, AWS Lambda, Amazon DynamoDB, and Amazon Cognito. The application is built with all required PCI DSS controls so that it’s ready to assess for PCI DSS compliance.

Chalk talks

Chalk talks are highly interactive sessions with a small audience. Experts lead you through problems and solutions on a digital whiteboard.

Level 200 – Intermediate

  • GRC231-R1/R2: DevSecOps of containers

Learn tips and tricks to help you answer your customers’ questions about vulnerability management for containers at scale and how to automate security deployment throughout a container pipeline.

Level 300 – Advanced

  • GRC331: Using the Customizations for AWS Control Tower solution

Consider why you should use the Customizations for AWS Control Tower solution. Learn about its advantages and best practices for upgrading, maintaining, and using the solution to the fullest.

  • GRC332: Increase visibility into backup compliance and governance with AWS Backup

Learn how to automate the evaluation of compliance policies related to backup across an AWS infrastructure that spans multiple accounts, Regions, and resources. Automatically detect policy violations and receive alerts to remediate issues in a timely manner. Learn how to use built-in dashboards and auditor-ready reports to fulfill regulatory compliance obligations and meet your organizational business continuity goals.

  • GRC333: Mitigating risks with technical security controls

Follow a path from identifying potential cyber risks to implementing technical controls to help mitigate those risks. Referencing standards such as ISO/IEC 27001:2013, NIST, and CSA CCM, we demonstrate how to align your risk frameworks to define which controls can mitigate your risks. We break down information security standards into AWS technical security controls you can implement and talk through how to monitor those controls using AWS Config rules. Learn how to measure the impact of failing technical controls and bridge the gap between your organization’s risk profile and first-line-of-defense IT controls.

  • GRC334: Accelerate migration and automate security with AWS Control Tower

Learn how AWS Control Tower automates multi-account provisioning and guardrails and enables integration of security controls to provide automated governance and security, empowering development teams to move faster. Hear how businesses can gain centralized visibility and management of AWS accounts and a security posture aligned to the AWS Well-Architected Framework while removing roadblocks for application teams. Join this talk to learn how your business can gain immediate value from AWS Control Tower and the AWS CloudFormation public registry by quickly, consistently, and securely provisioning accounts for your organization, allowing your business to scale and innovate at the pace of the cloud.

  • GRC335: Use AWS Config and partner solutions to aid your HIPAA compliance efforts

Healthcare organizations need to meet regulatory requirements quickly, especially after experiencing the impacts of COVID-19. Many have achieved HIPAA compliance requirements during COVID-19 with the help of AWS Config and AWS Partner solutions. AWS Config, in combination with solutions from AWS Consulting Partners, provides a seamless way to audit, detect, and remediate workloads on AWS to help meet HIPAA requirements. Learn how AWS Config provides building blocks for AWS Consulting Partners to build a compliance as code solution.

  • GRC336: Governance gets better, together

AWS Organizations and AWS Control Tower are both excellent solutions for managing multi-account environments. Learn how you can take full advantage of both services to provide a future-ready design and minimize the heavy lifting to operate a multi-account environment.

Workshops

Workshops are interactive learning sessions where you work in small groups to solve problems using AWS services for security. Bring your laptop and a willingness to learn!

Level 200 – Intermediate

  • GRC251: Use AWS Systems Manager Change Manager for operational changes

AWS Systems Manager Change Manager is used to provide guardrails, approvals, and auditability for operational changes. Change Manager, a capability of AWS Systems Manager, is an enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure. In this session, learn how to streamline operational change workflows through the use of change templates to manage user access and perform changes securely. In addition, learn to incorporate safety best practices such as requiring two-person approvals or automating rollbacks based on Amazon CloudWatch alarms.

  • GRC252: Applying security and governance to DevOps with ITSM connectors

Companies want their development teams to innovate and launch faster, but they need management and governance to achieve security and compliance. AWS has created service management connectors to combine the rapid innovation and delivery of the cloud with IT service management (ITSM) and governance. In this workshop, cloud architects, ITSM leads, and IT managers can learn the process for launching and securing the operation of governed cloud workloads on AWS using the ServiceNow and Jira Service Management platforms together with AWS Service Catalog, AWS Security Hub, and AWS Config.

  • GRC253: Management and Governance Gameday

Join this workshop for an interactive, team-based learning exercise designed to give you a chance to put your AWS skills to the test in a real-world, gamified, and risk-free environment. This is an opportunity to learn in a hands-on, collaborative fashion about AWS Management and Governance best practices, new AWS services, and AWS architecture patterns.

Level 300 – Advanced

  • GRC351: Cloud compliance and assurance

In this workshop, learn how to assess and manage compliance and security drift in the cloud. Dive deep into the three lines of defense to automated compliance management, consistent oversight, regular assessment, and automated evidence gathering and reporting. You also receive guidance on breaking down silos between business owners and operations, security, compliance, and audit teams using services related to cloud compliance and assurance.

  • GRC352: Operating securely in a multi-account environment

Operating multiple AWS accounts under an organization is how many users consume AWS services. In this workshop, learn how to build foundational security monitoring in multi-account environments. Walk through an initial setup of AWS Security Hub for centralized aggregation of findings across your organization created in AWS Organizations. You’ll also learn how to centralize Amazon GuardDuty findings, Amazon Detective functions, AWS Identity and Access Management Access Analyzer findings (if available), AWS Config rule evaluations, and AWS CloudTrail logs into the central security monitoring account (security tools account). Finally, implement a service control policy (SCP) that denies the ability to disable these security controls.

Level 400 – Expert

  • GRC451: Building remediation workflows to simplify compliance

Automation and simplification are critical to managing compliance at scale. Remediation is one of the essential elements of simplifying and managing risk. In this workshop, see how to build a remediation workflow using AWS Config and AWS Systems Manager automation. Learn how this workflow can be deployed at scale and monitored with AWS Security Hub (to oversee the entire organization) and AWS Audit Manager (to easily access evidence of risk management).

In addition to these sessions, we offer leadership sessions through which you can hear directly from AWS leaders as they share the latest advances in AWS security, set the future product direction, and motivate you through compelling success stories.

Conclusion

We hope you can join us in Houston, and we want you to feel safe. The health and safety of our customers, partners, and employees remains our top priority. If you want to learn more about health measures that are being taken at re:Inforce, visit the health measures page on the conference website.

If you’re not yet comfortable attending in person, or if local travel restrictions prevent you from doing so, register to access a livestream of the keynote for free. Selected sessions will be recorded and available to watch after the event. Keep checking the AWS re:Inforce website for updates.

About the author

Harshitha Putta

Harshitha Putta is a Senior Cloud Infrastructure Architect with AWS Professional Services in Seattle, WA. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and hiking.