How we trained our employees for AWS Security

Welcome

The nature of the life insurance industry requires tight information security. Haven Life handles sensitive data, and we are regularly looking for ways to improve the security skills of our employees at all technical levels.

Last March our InfoSec and Infrastructure teams coordinated with Amazon to run an AWS Security Jam session: a super fun, interactive, hands-on-keyboard event that lets individuals with different skill levels work in teams and respond to a set of simulated security incidents within workloads running on AWS.

Setting the Stage

Participants broke into teams to compete to solve each scenario

We offered this to employees of all technical abilities, from people who use AWS only tangentially to experienced developers who use it daily. We set it up as a team competition in which teams earned points by completing challenges across common AWS use cases and operational tasks. Eight teams of five were put together to inspire team building and let folks meet new people. Each person from our cloud operations team (the infrastructure team that manages our AWS systems) joined a team as a subject matter expert, providing quick and helpful guidance. Amazon provided their in-house coaches as well, who led the session through the ten challenges.

Game Challenge Details

The AWS Security Jam consisted of ten challenges ranging from easy to hard. They focused on several security concepts, including data protection, where participants learned hands-on how to secure S3 buckets, how to create monitoring for abnormal behavior using the CloudWatch and Config services, and how to implement access controls by configuring the Identity and Access Management (IAM) service. For the highly motivated there were even options to practice writing Lambda functions.

The teams were able to choose how they wanted to tackle the challenges: for example, they could divide and conquer, they could each do their own thing, or they could use any strategy in between.

Each challenge contained hints in case a team got stuck, and teams could also lean on the Haven Life or AWS coaches. There was no particular order for solving the challenges; attendees could pick and choose whichever they felt like solving first.

Making Learning Even More Fun

And yes, of course, no hackathon is complete without pizza, beer, wine, and prizes!

The prizes incentivized the competition with awards that aligned with our company’s mottos:

  • Just F*ing Do It: The team with the most points and challenges.
  • Obsessively Learn and Look for Better Ways: The team who completed the most challenges without using hints.
  • Set Big Hairy Goals: The team that was the most ambitious.
  • We Matter to Each other: The team that worked best with each other, teaching each other along the way and supporting one another (team name will be part of judging criteria).

The Winners

The Just F*ing Do It prize was dedicated to the team with the most points and the most completed challenges, because not all challenges were created equal. This category came down to the very last minute of the competition: in that last moment two teams tied on points and challenges, and hoodie sweaters were given out to the winners. The Obsessively Learn and Look for Better Ways prize was water bottles for the team who completed the most challenges without using any hints. The Set Big Hairy Goals prize was trophies for finishing the hardest challenges. The final prize, We Matter to Each other, was a swag bag for the team that supported each other the best, which included having the cleverest name.

The feedback was overwhelmingly positive, with comments like:

“This is a great opportunity to learn about cloud platform” - QA

“Thank you for the wine” - developer

“To get to play around in the environment was a lot of fun” - project manager

“Wow, I didn’t realize how much the infrastructure team does” - developer

“There are some very cool security tools out there, let’s do more” - infrastructure

Overall the event was successful. There was a great deal of team building and learning, but it was successful because of the energy the teams brought to the table. There are always ways to improve, and for the next AWS Security Jam we would recommend an all-day event, more time to walk through a practice round or two, special tracks defined by roles, more specific content, preparation tutorials for that content, and definitely more pizza!
