AWS re:Invent 2025 - Infrastructure protection at scale with AWS Security, ft. Block, Inc. (SEC224)

Infrastructure Protection at Scale with AWS Security

Platform Engineering: The Foundation for Scalable Security

  • Platform engineering is a rapidly growing practice, with 80% of organizations expected to have platform engineering teams by 2026.
  • Key benefits of platform engineering:
    • Reduces cognitive overload for developers by providing reusable architectural components
    • Increases developer velocity and productivity by offering self-service capabilities
    • Ensures architectural consistency and standardized infrastructure components
    • Centralizes expertise in areas like networking, security, and infrastructure

Evolving AWS Infrastructure: From Single to Multi-Account Architectures

  • Single AWS account architecture provides simplicity but has limitations around scaling, workload isolation, and resource constraints.
  • Multi-account architectures offer benefits like workload isolation, distributed ownership, and better management of account-level limits.
  • Key decisions in the multi-account journey:
    • Account vending and baseline security configurations
    • Access patterns and preferred interfaces (console, IaC, CLI)
    • Virtual private cloud (VPC) network topology and traffic management
    • Data perimeter strategy and hierarchical account structures

AWS Infrastructure Security Services

Ingress Security

  • Web Application Firewall (WAF) provides layered security against attacks like DDoS, bots, and web application exploits.
  • New WAF console experience reduces configuration time by 80% through pre-configured protection rules.
  • Managed rules like the new AWS Managed Rule for anti-DDoS provide expert-curated protection.

Egress Security

  • AWS Network Firewall is a fully managed, cloud-native firewall service for VPC traffic.
    • Offers stateful inspection, protocol detection, and IPS capabilities.
    • Commonly used for egress filtering, VPC-to-VPC isolation, and preventing data exfiltration.
    • Supports centralized and distributed deployment models, with a new multi-VPC endpoint feature for cost optimization.
  • AWS Active Threat Defense leverages AWS's global threat intelligence to automatically create Network Firewall rules against active attacks.
  • New Partner Managed Rules feature allows integrating third-party threat intelligence directly into Network Firewall.

Block's Journey: Building a Unified Infrastructure Security Platform

Challenges Faced

  • Dynamic threat landscape across diverse business units and cloud migration
  • Fragmented infrastructure and security tooling
  • Scalability issues with manual changes and lack of observability
  • Compliance requirements for PCI, SOX, and other standards

Key Initiatives

  1. Consolidated ingress traffic through a dual-homed CDN and layer 7 ingress gateway
  2. Standardized egress traffic patterns using layer 7 egress gateways and DNS firewalls
  3. Implemented centralized inspection VPCs for inter-business and inter-environment traffic
  4. Leveraged transit gateways and VPC peering for reliable multi-region connectivity
  5. Built a service mesh-based policy framework to automate security controls
  6. Unified the platform through "cookie-cutter" environments and self-service capabilities

Benefits and Future Direction

  • Reduced cognitive load and increased developer velocity through self-service and automated security
  • Improved security posture and compliance through consistent policy enforcement
  • Ongoing efforts to further unify the platform and eliminate manual infrastructure management

Key Takeaways

  • Platform engineering is a critical foundation for scalable security in the cloud.
  • AWS provides a comprehensive suite of infrastructure security services to protect ingress, egress, and inter-VPC traffic.
  • Block's journey demonstrates the value of a unified, platform-centric approach to infrastructure security.
  • Centralized expertise, automation, and self-service capabilities are key to enabling secure, high-velocity cloud adoption.
