Streamlining Compliance: Leveraging Open-Source Terraform AWS modules [Advanced]

Are you navigating the complexities of compliance frameworks like SOC2, CIS, and HIPAA and seeking a more efficient path? This talk breaks down these frameworks simply and shows you a time-saving trick, making it perfect for anyone wanting to make their organization's compliance journey much easier. I'll start by outlining the basics of these frameworks and highlighting the challenges businesses face in implementing them. As the creator and maintainer of the terraform-aws-modules projects, I'll be excited to share how using these open-source Terraform AWS modules can streamline the compliance process. I'll walk you through real-life examples showing how such solutions significantly reduce the effort and time required for compliance. At the end of the talk, attendees will get actionable insights on using Terraform AWS modules for efficient compliance management.

Build-time to runtime: Automated security testing in your pipeline [Advanced]

Discover how to implement comprehensive security testing throughout your CI/CD pipeline. This session demonstrates how to integrate static analysis with Amazon CodeGuru Reviewer, dependency scanning with Amazon Inspector, and container security with Amazon ECR scanning. Learn to orchestrate security gates using AWS CodePipeline, implement software composition analysis, and automate vulnerability remediation with Amazon Q Developer. Walk away with practical patterns for embedding security testing at every stage of your delivery pipeline while maintaining development velocity.

Securing Large Language Models: Best Practices for Prompt Engineering and Mitigating Prompt Injection Attacks [Beginner]

The rapid adoption of large language models (LLMs) in enterprise IT environments has introduced new challenges in security, responsible AI, and privacy. One critical risk is the vulnerability to prompt injection attacks, where malicious actors manipulate input prompts to influence the LLM's outputs and introduce biases or harmful outcomes. This guide outlines security guardrails for mitigating prompt engineering and prompt injection attacks. The authors present a comprehensive approach to enhancing the prompt-level security of LLM-powered applications, including robust authentication mechanisms, encryption protocols, and optimized prompt designs. These measures aim to significantly improve the reliability and trustworthiness of AI-generated outputs, while maintaining high accuracy for non-malicious queries. The proposed security guardrails are compatible with various model providers and prompt templates, but require additional customization for specific models. By implementing these best practices, organizations can instill higher trust and credibility in the use of generative AI-based solutions, maintain uninterrupted system operations, and enable in-house data scientists and prompt engineers to uphold responsible AI practices.

Simplify Security Events Log Analysis with Amazon Q [Advanced]

Discover how to build security-focused applications with Amazon Q to analyze AWS accounts for compliance and vulnerabilities. Use automation to centralize security logs and events from AWS services, partner solutions, and open-source tools, and analyze using an intuitive chatbot interface. Through practical examples, explore how Generative AI enhances security analysis, delivering a richer experience with queries in natural language.

Securing Large Language Models: Best Practices for Prompt Engineering and Mitigating Prompt Injection Attacks [Beginner]

The rapid adoption of large language models (LLMs) in enterprise IT environments has introduced new challenges in security, responsible AI, and privacy. One critical risk is the vulnerability to prompt injection attacks, where malicious actors manipulate input prompts to influence the LLM's outputs and introduce biases or harmful outcomes. This guide outlines security guardrails for mitigating prompt engineering and prompt injection attacks. The authors present a comprehensive approach to enhancing the prompt-level security of LLM-powered applications, including robust authentication mechanisms, encryption protocols, and optimized prompt designs. These measures aim to significantly improve the reliability and trustworthiness of AI-generated outputs, while maintaining high accuracy for non-malicious queries. The proposed security guardrails are compatible with various model providers and prompt templates, but require additional customization for specific models. By implementing these best practices, organizations can instill higher trust and credibility in the use of generative AI-based solutions, maintain uninterrupted system operations, and enable in-house data scientists and prompt engineers to uphold responsible AI practices.

Everything you didn't want to know about IAM [Beginner]

If you have used AWS, you have seen an error message stating "x is not authorized to perform y". This is a annoying fact. But how do you solve these? In this talk, Peter will walk though how IAM is designed, different types of policies and when they are useful. You will leave with techniques for understanding and debugging those access issues you wish didn't exist.

Simplify Security Events Log Analysis with Amazon Q [Advanced]

Discover how to build security-focused applications with Amazon Q to analyze AWS accounts for compliance and vulnerabilities. Use automation to centralize security logs and events from AWS services, partner solutions, and open-source tools, and analyze using an intuitive chatbot interface. Through practical examples, explore how Generative AI enhances security analysis, delivering a richer experience with queries in natural language.

Securing Generative AI applications using AWS Services [Business Focused]

Securing generative AI applications using AWS services involves implementing robust strategies to protect data, models, and infrastructure. This presentation explores how AWS tools like Identity and Access Management (IAM), AWS Key Management Service (KMS), and Amazon SageMaker enable secure model development, training, and deployment. Topics include safeguarding sensitive data with encryption, ensuring network security through Virtual Private Clouds (VPCs), and mitigating threats using services like AWS Shield and AWS WAF. Best practices for monitoring AI workloads with Amazon CloudWatch and addressing compliance requirements through AWS Audit Manager will also be discussed. Attendees will gain actionable insights to build and maintain secure, scalable, and resilient generative AI applications on AWS.

Creating secure code with Amazon Q Developer [Beginner]

In this session you will learn how to use Amazon Q Developer to create secure code. Write unit tests, optimize code, and scan for vulnerabilities, and discover how Amazon Q Developer suggests remediations that help fix your code instantaneously. Also, learn how you can use Amazon Q Developer security scanning to outperform other publicly benchmarkable tools on detection across popular programming languages.

Threat Modeling a Batch Job System on AWS [Advanced]

I’ve been blogging about building a batch job system on AWS for about two years now as time allows, documented at https://medium.com/cloud-security/automating-cybersecurity-metrics-890dfabb6198. Initially I was “just” going to quickly show how to use batch jobs to run tools to analyze security in AWS accounts. For example, I run Prowler and other proprietary tools on AWS penetration tests and I can run those tools as batch jobs. But it turned into a much bigger endeavor as I considered how to deploy and run those jobs ~ securely ~ in a production environment. In this presentation, I’ll walk through some of the threats, mitigations, and I’ll talk about some unpublished developments.