¶ AWS Security
Yeah , I mean we've gone through so much . Everything is just going on . That happens to be an Amazon Fire TV stick that just all of a sudden decided , hey , I'm going to turn on Nice .
Yeah , I'm sorry about that . That's the AI . That's the AI . It's coming . That's going to be our cold open for the episode , for sure . Yeah , Welcome to the Cables to Clouds podcast . Your one-stop shop for all things hybrid and multi-cloud networking .
Now here are your hosts Tim , chris and Alex .
Hello and welcome back to another episode of Cables to Clouds . Your one-stop shop for ? Oh , what does Sophie say ? Your one-stop shop for ? Oh , what does Sophie say ? Your one-stop shop for cloud news ?
I can't remember our own hybrid multi-cloud network .
That's it . We should get Sophie on here to do it live for us one of these times , okay , so , yeah . So my name is Tim McConaughey . I'll be your host this week at Juan Golbez on Twitter .
With me , as always , are my co-hosts Alex Perkins at Bumps in the Wire and Chris Miles at BGP Main , and with us we have a special guest tonight , a senior developer advocate from AWS , brandon Carroll . Thanks for joining us , and you want to go ahead and introduce yourself ?
Yeah , thanks , Tim . It's nice to be here with all three of you , Alex and Chris . Yeah , at Brandon Carroll is my handle on Twitter . And yeah , like you mentioned it , developer advocate at AWS and doing the security stuff .
Awesome . Actually , tell us a little bit about that . The developer security like senior developer advocate for security . What does that look like ?
Yeah . So it's kind of an interesting role right , because you get the opportunity to work with the community and to take a lot of feedback from the community to the service teams to help improve the products and to help reduce some of the friction .
At the same time , you get to take these really cool technologies that we're coming out with and create videos and educational content on it and teach people how to use it . And that's , I mean , that's always been a passion of mine being able to teach people how to , how to make sense of stuff that could be very complex .
So , yeah , it's kind of like a two-way role . There's some inbound stuff and some outbound stuff I get to do .
Yeah , I love it . How did you get started with that ?
Yeah , so my whole background has been Cisco . I'm an on-prem guy , yeah , so security focused .
And for a while , well , I was an instructor for a long time Cisco instructor and did training videos and that whole thing , and then at some point I started going to things like tech field days and I was blogging I mean , this was back in the days of , like you know , eattherealmindcom and you know , 2012 , maybe something like that and I was blogging and went
independent for a while pretty good chunk of time and then one of the people that I met at a field day from Riverbed had a role that they were looking for , for an evangelist position , and I didn't really realize that what I was already doing was being an evangelist across a wide range of topics .
And so we talked and I joined Riverbed and then , from Riverbed , I went to AWS In a similar role .
Okay , awesome , riverbed , and then from Riverbed I went to AWS so in a similar role , yeah , okay , awesome . Well , uh , the reason we brought Brandon here uh tonight , uh today , is to kind of talk about security in AWS and kind of how AWS approaches security and and how people that use AWS maybe should approach security .
So , yeah , tell us , tell us a little bit about kind of the differences there . Uh , you said you're an on-prem guy , so how does how does it differ ? Maybe just differences there . You said you're an on-prem guy , so how does it differ ? Maybe just start there .
Well , I mean , you know what it's like to go into a data center , and not so much maybe anymore , but to be able to walk in and to connect the console cable to something . That's what I grew up doing , and doing that having full control over everything and you know just being able to handle everything .
When you're setting up firewalls , you know you're you get people to rack and stack it for you , maybe , but then you're doing VLANs and you're directing traffic and you're you know you're doing everything
¶ Navigating Cloud Shared Responsibility and Abstraction
. So I think one of the big differences like when I started in in the AWS space and cloud was really wrapping my head around what AWS calls a shared responsibility model and really it's just like this delineation between what AWS or any cloud provider really handles and what the customer is responsible for .
And that was a bit different for me , because all of a sudden there's this whole layer of stuff that I don't have access to anymore . I can't touch , I can't draw it out on a napkin , I don't know how it's all connected , none of that . So that was probably the first differentiation . I think that that struck me .
Do you think it was that off-putting at first , right To like , cause you have so much access before and then now suddenly it's like right , like you don't have access and you have to just kind of trust that things are taken care of . I know a lot of network engineers , I think , have some kind of issue with control right .
Yeah for sure , right ? Yeah , I think I guess it depends on how you look at it . I don't know if I'd say it was off-putting . It was initially a friction for me because I couldn't get to the depth that I had before and I had to trust as an individual .
I think from a business perspective it's probably not off-putting right , because the business now has someone else that's taking responsibility for a whole layer that they otherwise had to provide for . So , you know , I guess it depends on how you look at it .
For me it was a challenge to get used to what I could see , and I think stemming from that , from understanding the shared responsibility model , was then figuring out the layers of abstraction between things . Right , log in .
Well , I guess , depending on how you do it , if you're going to go into the AWS console , you know everything's GUI driven and a lot of the examples that I started out with it was , you know , here's our documentation and I'm telling you how to do it in the GUI and in the console .
A lot of the stuff I did I was doing it from the command line or , you know , even getting to a point where I wanted to do a terraformer or some kind of IAC you know , and you can definitely do that stuff with cloud and you will , but I think in your initial transition that's probably not exactly what you're looking at , because you're just trying to wrap
your head around .
How do I make this stuff work ? Yeah , I think it's . It's almost a level of exposure , right , because the you know I'm there , there's .
It probably differs between engineers across the board , right , but some of them want the utmost exposure , even when they're paying for a premium service like a , like an AWS service , right , maybe they want the utmost exposure so that they know when to point the finger and they actually will be able to come to AWS and say , hey look , I found this thing , you
guys need to fix this , whereas others are probably like , hey , shit's not working , start fixing it , look into it , figure it out , right . So I think it's a difficult balance to have , I think as far as what level of control or exposure you give to the people using the resource right .
The network engineer . Speaking as a network engineer , the hardest part I had with cloud and I think a lot of network engineers have this problem with cloud is the idea that there is that layer of abstraction . We understand abstraction but as network engineers there's two things right .
One is that we have lived at the infrastructure , the level , the layer , one layer , for so long and not only just live there but been responsible for it . Right , when there's a problem , all fingers point at you and there's a little trauma , a little trauma built into that .
So when you're asking someone who lives at the infrastructure layer to let it go and just kind of hand over the keys to and just trust that it's all , it's all going to be good there's there's a struggle there for sure . Yeah .
And you know , I think that another thing that maybe it's because of the abstraction , but I was a Cisco instructor for a really long time , teaching CCNA , CCNP , CCSP , their security classes , all that stuff .
When I learned and when we went through stuff , you had to learn how TCPIP worked , you had to learn the OSI model , you had to learn what a frame looked like and all of that right how VLANs worked . You had to learn all of these concepts that are really kind of down in the weeds .
And then for me to go to cloud and then start even taking some of the training where you're learning some of the security concepts or you're learning some of the routing concepts , that degree of depth is not there . So it always was sort of a question mark for me , like , well , what is happening here ?
You piece it together after you get some exposure , but it takes some time , and so I think that it really is . If you're going from on-prem and you're doing security stuff and you're used to putting in a firewall and then to go and to put AWS network firewall in . It's different . It's still a firewall , you know .
It still has the same kind of stuff happening . But you have to think a little differently as you start to build that into your existing infrastructure .
For sure , but you know yeah , the , the um , the , if nothing else , like the , even the service insertion , right , and we talked about this . How do we talk about this ? Like a year ago with steve mcnutt , right , we were talking about how service insertion was this big deal on .
You know , on-prem , you can put things in line , right , or you can put them , you can hang them off a switch and , you know , through vlan manipulation , insert it into the service . There's none of that in the cloud . In the cloud it's .
It's this very clunky kind of you know , comparatively , uh , kind of clunky kind of service insertion where we're manipulating route tables and and and all of this to make it happen and and it's the same output or it's the same outcome , if you will , right , but it's . It's definitely a different experience , for sure .
Yeah , yeah . And I think for me I'll just take the network firewall example . Doing an inline firewall is pretty simple , whether it's layer two , layer three , firewall Right . You manipulate some VLANs , you've got your cables , you know they're connected , that's great .
With AWS Network Firewall , you build your firewall out , but you have to put a firewall endpoint in the VPC and then route traffic through that endpoint to get it inspected . Right For me , being an on-prem person , the way I wrap my head around that is . I started thinking of , like the old IDS , ips and how you'd have it hanging out on a leg .
Yes , yes .
Right , and so that physical connection to the switch or whatever , or to the IDS IPS , that was like that end point . It was like I'm connecting a cable to this end point that's just hanging out here and that's how I'm going to route that traffic in and out of my IDS IPS , and so that's how I kind of visualized it as I was figuring out network firewalls .
But it's not traditional . I don't think it's traditional by any means if you go back to standard networking and whatnot .
Also , I think on-prem you're much closer , you're more in the weeds , obviously of . You're more in the weeds , like obviously you're way more in the weeds .
So you don't have that ability to kind of step back and even most of the time an old firewall I wouldn't even know what , you know what is the traffic is doing going between over the firewall and then when you get into the cloud , you know , and then you're placing something into that path instead .
So it's like a completely different view , like you kind of have to take a step back and get that 10,000 foot view . So yeah , I think that's a huge like it's a big mind shift to do that for a lot of people .
Yeah , because you're looking at specific workloads . Right , you're filtering traffic to and from specific workloads that are being accessed in the cloud . I mean , even if you were to go back to you know , setting up a firewall at the perimeter of your organization and you've got your entire workforce that's .
You know that that's your NAT gateway and it's it's doing firewall services and stateful packet filtering for your workforce . That's . It's not the same in the cloud , because the workforce is still out there somewhere else . Right , traffic's coming a different direction . It's more refined in the workloads that you're looking at .
So you do have to step back and look at it from a different lens .
Yeah , like , actually I like that because I was going to ask you know , I like actually I like that because I was going to ask .
You know , one of the biggest things that I hear all the time from people going from on-prem to the cloud is especially security focused is how porous the perimeter became , right , like we had the on-prem , the very hedgehog type of formation right , where you've got the security at the perimeter .
Usually the business isn't paying tons of money so you can put security all the way through a strata of your network right . You just have it right there at the end personally as a hedgehog , and then if anybody can get in , you know lateral movement is a lot easier , right , and in the cloud it's much more porous .
You're like right , all your workloads , basically , are just sitting next to the internet pretty much all the time , right .
Yeah , well then that gets into the whole VPC discussion , right On where you know , in your VPC . Is it private subnets ? Is it public subnets ? Is there a ALB Like yeah , and then that gets into all the different routing , where it's all sitting there and it's all right next to the internet .
But is it still going like from a private VPC to a private subnet to a public subnet and then out in IGW , or is it in a public subnet and going right out of an IGW ?
Is it a you know ?
multi-tier architecture and there is stuff that's kind of way down the road versus sitting right there on the edge .
It's a bit of a sorry , a bit of a curveball question , but so , in your role as a , as a developer advocate with AWS specifically around security , when you're talking to the community and specifically you know security professionals around what offerings AWS has within the cloud , what would you say is like the biggest thing that they I will say that they're excited
to hear about or they're delighted to hear about , and things that are easier versus things that they kind of need .
That mindset shift and it's probably a lot larger developer audience than infrastructure folks networking people about and interested in is probably more towards the application security and you know what's going to provide them the ability to secure applications really quick and maybe not have to have all of that infrastructure concern versus , you know , the smaller community
to AWS , I think . I mean I don't know numbers or anything offhand , but of networking people that are using . AWS and managing the infrastructure for an organization . I don't know .
I think it's kind of mixed right , because there's a lot of partner offerings that are being run on AWS because they're more traditional on-prem offerings , but I think probably there's a lot of desire for the easier implementations that are going to give you the ability to move more quickly . I think that's really like cloud's message right .
It's like move quick , build now , and then that just goes right back to that shared responsibility model where it's like okay , we've got this covered , and then you focus on this and it'll be secured .
¶ Cloud Security and Compliance Overview
Actually this is a good question . So developers , obviously , I mean we know cloud in general is mostly consumed traditionally , mostly consumed by developers , right ? And as more of the crown jewel , type of applications , or specifically the applications and the workloads that are covered by some form of governance and compliance , move into the cloud .
You know you have HIPAA and PCI and all this other stuff , even though the app owners want to focus on app security . You know those compliance frameworks often say , basically that's not good enough , right ?
So do you , as a developer advocate , I mean , do you only talk to developers or is this something where you see , do you see other people come in with similar security concerns , but from a different lens ?
Yeah , I mean developers aren't the whole mix , they're just kind of the large army , right . So there is definitely other angles , especially when you get into , like , the compliance stuff .
You know you've got a lot of teams that deal specifically with compliance especially when you get into , like government and you know some of the public sector stuff and AWS does have offerings that are around that you know that that are going to give you more of a compliance lens .
What .
I think is really interesting about cloud offerings is how tightly integrated they are . This was always like my biggest issue . Doing the on-prem stuff is like why can't I have this talk to this and just share that information ? You know why can't ? Why can't they just be on the same page ? They're made by the same manufacturer , you know .
But if , if they could just talk and if I could just extract easily information that this one has and this one has and put it together , I mean , that was always the dream , right , and I don't want to say the single pane of glass word , but I mean like that's what a you know that's what a lot of us wanted back then , like we were , we were working in
these different things and the and the images were different . Right , it wasn't the same base OS and um and a lot of yeah , it was clunky , um , and sometimes they still is right . I mean , that's just that's what we live in , that's the world we live in .
But what I do think is fascinating about these things in cloud is how they can provide a lens , using the data between services , but presenting it to you in a way that's more relevant to what you're looking for .
So , if you do deal with like compliance and that's something that you work with , you can use something like AWS Config right and deploy these compliance packs and have it scanning your resources for compliance-related issues and reporting that to you . But maybe I'm more of a NOC person and I want like an overall dashboard .
Well , now I can look at Security Hub and I can see information from Config , but I can also see information from GuardDuty , my IDS , the IDS one yeah . Yeah . So that's what I think is neat is there are there are these services that help you see it through those different lenses that are more specific to the , to the role that you might be operating in .
So , and maybe none of those are developer roles , like I don't know a lot of developers that are sitting there staring at security hub all day going .
What's going on with my environment ? So , yeah , well , this is all like that new , you know , like API currency term , where you know everything , can just talk to everything , like you said you can .
It's as simple as you can write a plugin and then you have this tool that already knows how to tie into all these different services and now just talk to them directly . Right , exactly , now that plugin can just do it easily because there's easily accessible and easily consumable APIs across all the services .
So , I agree , I think that's a huge benefit of the cloud over on-prem , even though it's slowly , slowly , kind of getting better . But you have to build a lot of it yourself . Yeah , you do .
What's funny about that is , of course , cloud was built that way , right . That's why it works right .
Cloud was built first API , first right .
Cloud was built first , api first , and it was that initial agility of having a greenfield to build it that way . And NetConf and all of that , and they've been , you know , mildly successful with some of it , not to call out Cisco every provider , every traditional provider struggling with this .
Yeah .
Yeah , so it's a challenge . Yeah , I mean think of . I mean , the house I live in was built in the eighties . There's all kinds of stuff I got to go in and retrofit and change right and there's like there's all kinds of cool stuff that you could put into a house now , but it's not that easy to just go .
Oh well , I'm going to just replace these doors with these doors and it's going to be current and up to it . It's not like there's a lot of work behind it . So if something like a house has that much work , think about all the technical stuff behind your infrastructure and the things that you have to change if you're trying to be more modern with it .
I mean .
I mean standards evolve right , and if they're in hardware , it's a lot harder to evolve a standard that's baked into a piece of hardware than it is something in .
Yeah , and you reach limitations with the hardware that was implemented at certain times and points in time , Right oh yeah , you know absolutely .
Yeah , that's true . I mean there's a reason and also I mean there's the technical debt , if you will , where and I use this , I use this one all the time you know , igmp V3 has been out for like 20 , 24 years now or something . It's been , it's been a standard for 24 years and yet the default on all Cisco devices is still IGMPv2 .
Because they can't change it , because the default choice becomes hidden from the CLI . Right , the default choice is hidden from the CLI . So if you change the default , you've now changed the config on all these devices and so it's not that simple . Right , you can blow up somebody's multicast and implementation very , very simply just through an os upgrade .
So it's not . You know , it's the same thing with security and and apis and all of that , but , um , anyway . So so I mean abs has guidance on a lot of the security stuff , right , like they , they have the well architected framework . I think security is one of the security stuff , right , like they have the well-architected framework .
I think security is one of the pillars . You want to talk about that a little ?
bit . Yeah , yeah , it is , and that's , I think , the well-architected framework is going to help somebody who's coming into AWS look at different aspects of best practices when they architect their cloud environment , I should say .
And security , yeah , it's a big pillar of it , just like a Cisco validated design right , you get your CVD and it takes you through all the different ways that you should implement things and there's more specific designs for verticals and things like that , and AWS offers that .
The starting point really is the well-architected framework and then going through that security pillar and then from there you'll jump out to different best practices for things like identity management . And things change there , too . We were talking about how we change .
For a long time you would go into IAM and you would configure users and groups and policies and that's how users would access the cloud environment .
Now Identity .
Center is the way that AWS recommends you do . That it gives you a central place to configure users and groups and permission sets , and the concepts are similar , but things have shifted a little bit . I am still there . Identity Center is the best practice on how you would set up your workforce and your users that way , right so ?
But you'll get to that as you go through the well-architected framework and you start looking at some of those best practices .
I haven't played with a identity center at all . Actually , now that you mention it , have you ever done SSO ? Oh , yeah , of course I mean .
so that's what it is , it's , it's the rebranded , it's SSO it was formally . Yeah , I shouldn't say rebranded , but it was formerly known as SSO and now it's identity center . Yeah , aws , iam identity center .
Did you actually ? This is a great segue . Let's talk about the some of the security services that AWS has Like what are your I mean , what are your favorite security services on there , and just kind of why . I'd love to know what you , why you like the ones you like .
I think I'm super biased . I got , so I got my CCIE and security in 2008 or nine and I know I shouldn't remember that date , but but it's sitting back there , I'll read it later . But again , it was
¶ AWS Security Services and Shared Responsibility
the the . The training process back then was different . Right , it was very clear cut . It was like you had your router switch security , you had your IDS , ips , you had your firewall , perimeter security , you had VPN and that kind of completed the whole security suite at that time .
And so for me coming into cloud and even before AWS , just when I started looking at other cloud providers , I always just gravitated towards what services are there for me are part of the security set of tools that I would normally use , because that's how I was trained to set up security in an infrastructure and it was always firewalls and IDS , IPS and all that
stuff . So I think with AWS my favorite services I like the perimeter protection stuff , AWS network firewall and it was a little different .
It wasn't like I could just take everything from an ASA or Firepower and be like , okay , I can just take everything I know here , and I'm going to start working with network firewall and I can configure anything and it works . It's not the case , even having , like IP tables , knowledge right .
Knowing a little bit about that you can go into network firewall and you can start setting up some simple rules . But if you really want to get to the power , you're going to use Suricata type rules right . So it's a little bit different . So now you got to kind of go down that path of learning about Suricata .
If you look at Suricata , it's a little bit different . So now you got to kind of go down that path of learning about Sircata . If you look at Sircata , it's mostly an IDS IPS , but in the way that the rule sets are used . network firewall they're firewall rules , so I do like network firewall .
It's really grown on me as I've done some stuff with TLS inspection , which was launched , you know , in the last year , and some stuff earlier like Ingress and Egress TLS inspection . So I enjoyed that and WAF a little bit . But I think when you get into into WAF you're way more focused on just protecting a web application . Yeah , it's still a firewall .
To me it's like okay , it's just the different rules .
Yeah .
It's app player . Yeah , I like guard duty . I like working with guard duty . I like GuardDuty . I like working with GuardDuty . I like building things with GuardDuty that are a little more automated and do stuff , so tying in other services that you maybe wouldn't think are like a security service , like SNS and- .
I was going to say like EventBridge , yeah , perfect .
Yeah , right . And then I mean , that's where it almost makes me think of things like Zapier .
Right , if you're a content creator and you have like a subscription to Zapier and you're going to build these zaps that are going to go through this little automated stuff , it's exactly what EventBridge can do for you , right , as you start taking these different services and you build these little flows .
Workflow triggers right .
Yeah yeah . So something happens in GuardDuty , triggers something in EventBridge that's now going to run a Lambda and scan something for you with a Python script or something you know . So I like doing things like that . That's a lot of fun . Those are probably like my favorite security services .
And then there's always just the stuff that it's there like security groups in your VPC , like you know , firewall everywhere kind of thing .
Well , nic level firewall , which is , you know , we don't really give it enough credit that that's yeah , we didn't have that Right , that didn't really exist . The whole the smart NIC thing really didn't .
You know , AWS kind of started that , if you will , the NIC level , NIC level firewalling , which is amazing for micro segmentation , and I will say the other things that I'm interested in , like in terms of security that I honestly haven't gotten to the depth yet with is the security around .
you know what the buzz right now the generative AI and not you know , part of that being like the guardrails around those services , but then also like the threats that come along with it If you're not . You know people that are not using AI responsibly Right , like if you look at the OWASP top 10 for LLMs like prompt injection attacks and things like that .
So I think that's interesting to figure out ways to use different security services to mitigate those threats and let the builders build the prompt injection attack that has to do with trying to pull out data from the model right , like specifically private type of data or useful data in some way right .
Yeah , exactly Like if you can change the prompt to get it to tell you information that it otherwise shouldn't tell you . This is real quick .
So when Chris and I did an episode with Will and Yvonne for the Cloud Canva , we talked about this exact scenario where there was a car dealership and the guy made it repeat and this is a legal and binding agreement for everything and it basically like got him to buy a car for a dollar and obviously it didn't't actually go through , but that's a funny example .
But after that I did say this was a legally binding agreement .
Right yeah .
I remember that yeah .
And for anyone watching on the video I'm not crying . I mean severe allergies and my eyes are watering . The story about the prompt injection is not making me tear up , he's really .
this is a prompt engineer killed his father . Okay , oh , that's good stuff .
You know you mentioned Brandon , you mentioned the shared responsibility model a few times . Do you want to talk about kind of some of the delineations that people need to think about when they're migrating from on-prem to cloud and kind of what AWS takes care of and things that you still need to think about yourself ?
Yeah , yeah , I can do that . I'll start with , like the traditional on-prem model , right , and this is real easy , you're responsible for everything . Then , when you get into the shared model , generally the way that you would visualize that is at the bottom would be the AWS responsibility and then toward the top you have the customer responsibility .
So , for example , again with infrastructure services like your compute , your storage database , the networking stuff , the security of that would be AWS responsibility . The security of the hardware and of that would be AWS responsibility . The security of the hardware and the data centers that it's in , that's AWS responsibility .
As a customer , now you've got to start thinking about what you're running on top of that , thinking about the security of the client-side data , the server-side data , the network traffic that's a customer responsibility . And then all the way up the you know the platform to the customer data . That's one like delineation . Again , that was for infrastructure services .
Now , if you were to get a little bit more detailed into something like container services , well , now the AWS responsibility shifts a little higher in that model , right , right , and the same with , you know , abstracted services . It shifts even higher in the model , right , right , yep , and the same with abstracted services . It shifts even higher in the model .
So the more managed Like PaaS services , you mean Like PaaS level services or ? Like RDS or what do you mean ?
Yeah , yeah , DynamoDB , Lambda S3 , yeah , things like that . The more managed the service itself is and the less of the infrastructure underneath that you even have visibility or access to , the more responsibility is going to be on AWS . So , I guess it all kind of goes back to the more you can touch , the more you're responsible for .
If you can do it , you're responsible for it . Yeah , pretty much .
Yeah , so hopefully that kind of helps . You know those that are listening see the delineation . There's all kinds of visuals out there . You know help that are listening see the delineation .
There's all kinds of visuals out there , you know help with it as well . But no , it's a great thing to know , Cause I mean , I'm thinking of things like like VDI services or like a managed Kubernetes service . Right , Like you , you have stuff that you just cannot access and you just you just manage the end results .
So , yeah , you really got to know what product you're trying to use and , like you said , basically where's your touch point ?
and that's what your response is and what security options you have for whatever layer of what it is that you're managing right .
So , like I'll give you an example , this is an interesting way to I think it's an interesting way to look at it . So let's say that you're storing stuff in S3 , right , so you've got your object storage . It's stuff is in S3 . And for you to access S3 , there's a public endpoint for you to do it .
So you know you can make your calls to S3 from an application that's sitting in your VPC and if you do that then essentially you're kind of leaving your virtual cloud and you're going over that more public endpoint in the AWS network to S3 . Okay , so the traffic in your VPC is your responsibility to secure it .
So how do you secure that traffic when S3 is managed right , but your VPC has a little bit lower level of responsibility ? more responsibility on the customer , and that's where you have to know about other services like PrivateLink right . So he's private link to have an endpoint .
That's basically keeping it private in your vpc , securing that that traffic and you get I mean , and you get secure .
You can apply a security group to the um , the s3 gateway , right , if I'm remembering that correctly , so like yeah , but , and the point is that you have to , like that's your responsibility , to do it right , because you can do it yeah , it goes back to your touch point , right ? no , that's , that's a good , that's very good example .
I think , yeah , I think , wow , that's that we've covered . We've covered a ton to a ton tonight . I hope that our listeners are gonna really , you know , dig in on it because there's there's so much , uh , there's so much to it , any that makes sense that I've got .
I've got one of those two , that's the Alexa , which kind of makes yes , it's now listening to me , yeah , I made the mistake and said the name and now it's like what do you want ? So , anyway , yeah , so , yeah . So we need to probably wrap up pretty soon .
But I'd love to know is there anything else that you think like is really like super important for the listeners to know about the security stuff at AWS there ?
They haven't talked about , yet yeah , I mean , we've gone through so much . Everything is just that happens to be an Amazon fire TV stick that just all of a sudden decided hey , I'm going to turn on .
Nice . Yeah , I'm sorry about that . That's the .
AI , that's the AI . It's coming . That's going to be our cold open for the episode , for sure . Yeah .
Yeah no-transcript in the beginning . You'll start to form those connections and you'll start to be able to see where these things overlap and it'll come to you because it's different . It doesn't have to be scary , it's actually kind of exciting . All kinds of new stuff to learn . I mean , there's always something that's coming out .
You go to a reinforcer or reinvent and there's product announcements of all these really cool things that you can do . And I think the cycle of how quickly the innovation is happening or the features are being developed .
It's something that we'd wait a long time for a new iOS to come out to get a feature in the past and now it's like okay , well , six months later I just heard about it , six months later it's it's out . So I think that's exciting .
Alex . Any final thoughts there ?
No , I think , like you said , man , we covered a lot of stuff . It went by quick , but there's a lot of a lot of security things to think about . I'm glad we got to talk about security . We've been wanting to do something like this for a long time , so this was good . Thanks for coming on . Thanks for having me .
Yeah , I think it's been great . I think it's uh , it's been good to to get this kind of lens on , uh , on security , specifically within AWS , um , which is obviously a huge , a huge pillar for you guys .
Um , sorry , I've been trying to not not be , sniffing and sneezing all into the mic today , but , um , yeah , I think it's been great and uh , I think , um , we said waft a few times and I think we probably needed to delineate that there's a well-architected , well-architected framework and then there's also a web application firewall .
So when , when people are googling those things , make sure you're looking at the right one .
But uh , otherwise , that's , it's been awesome only one of those stops attacks against your website yes all right , well , I Well , I'll go ahead and wrap it up here Again .
¶ Promoting Cables to Clouds Podcast
If you guys like what you heard or see , please subscribe to us . Like us I don't know whatever else people do when they share things on social media with each other and we will see you next time on another episode . Hi everyone , it's Tim and this has been the Cables to Clouds podcast . Thanks for tuning in today .
If you enjoyed our show , please subscribe to us in your favorite podcast catcher , as well as subscribe and turn on notifications for our YouTube channel to be notified of all our new episodes . Follow us on socials at Cables to Clouds . You can also visit our website for all the show notes at cables to cloudscom .
Thanks again for listening and see you next time .