AWS re:Invent 2025 - Meta's insights on implementing AWS security controls at scale (SEC308)

Securing Cloud Infrastructure at Hyperscale: Lessons from Meta

Scaling Cloud Security Principles

  • Security at scale is defined by the convergence of ephemeral workloads, distributed systems, and automation
  • Security must be embedded into the entire process - from design to deployment to runtime
  • Security is no longer a gatekeeper, but rather woven into the fabric of cloud deployments
  • Resiliency is key, focusing on the ability to withstand and recover from security events
  • A blameless, iterative incident analysis culture enables continuous security improvements

Identity and Access Management at Scale

  • Leveraging federated identity providers and single sign-on for human users
  • Applying organization-wide security policies that cascade down to the account and resource level
  • Using declarative policies to prevent non-compliant actions and provide helpful error messages
  • Implementing a tiered approach for service approvals, with isolated sandbox environments

Secure Networking at Hyperscale

  • Adopting zero-trust access principles, leveraging identity and security features for authorization
  • Inspecting both egress and ingress network traffic to mitigate threats such as data exfiltration and exploitation of exposed vulnerabilities
  • Implementing identity-aware service authorization to enable secure connectivity between applications

Data Governance and Resource Security

  • Understanding the data landscape and applying appropriate security controls based on data sensitivity
  • Optimizing the management of KMS keys, including bringing your own key material
  • Implementing defense-in-depth through infrastructure-as-code validation at multiple stages
  • Embracing immutable infrastructure to transform infrastructure vulnerabilities into reliable security boundaries
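The "validation at multiple stages" bullet is easiest to see as policy-as-code that the same template passes through more than once, with the gate tightening as the change gets closer to production. The following is an added example, not code from the talk or from Meta: a small validator for a CloudFormation-style template that flags a bucket without public-access blocking or KMS default encryption, an unencrypted EBS volume, and a security group open to any address. The resource names, the key alias and the severity thresholds are constructed for the demo.

```python
"""Policy-as-code checks applied to an infrastructure-as-code template.

Added example: a minimal validator for a CloudFormation-style template.
Resource names, the KMS key alias and the stage thresholds are constructed.
The same validate_template() can be run a third time against exported live
configuration to catch drift after deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str  # "HIGH" or "MEDIUM"
    message: str


# Gates tighten as the change moves toward production (assumed thresholds):
# a pre-commit hook blocks only HIGH, the deploy pipeline blocks everything.
BLOCKING_SEVERITIES = {
    "pre-commit": {"HIGH"},
    "pre-deploy": {"HIGH", "MEDIUM"},
}


def _open_to_world(rule: dict) -> bool:
    return rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"


def check_resource(name: str, res: dict) -> list:
    rtype = res.get("Type", "")
    props = res.get("Properties", {})
    findings = []
    if rtype == "AWS::S3::Bucket":
        pab = props.get("PublicAccessBlockConfiguration", {})
        flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
        if not all(pab.get(flag) is True for flag in flags):
            findings.append(Finding(name, "S3_PUBLIC_ACCESS_BLOCK", "HIGH",
                                    "all four PublicAccessBlockConfiguration flags must be true"))
        rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        if not any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "aws:kms"
                   for r in rules):
            findings.append(Finding(name, "S3_KMS_ENCRYPTION", "MEDIUM",
                                    "default encryption must use a KMS key (SSEAlgorithm aws:kms)"))
    elif rtype == "AWS::EC2::Volume":
        if props.get("Encrypted") is not True:
            findings.append(Finding(name, "EBS_UNENCRYPTED", "HIGH", "Encrypted must be true"))
    elif rtype == "AWS::EC2::SecurityGroup":
        for rule in props.get("SecurityGroupIngress", []):
            if _open_to_world(rule):
                findings.append(Finding(name, "SG_OPEN_INGRESS", "HIGH",
                                        f"ports {rule.get('FromPort')}-{rule.get('ToPort')} open to any address"))
    return findings


def validate_template(template: dict) -> list:
    """Run every resource check and return the combined findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        findings.extend(check_resource(name, res))
    return findings


def gate_passes(findings, stage: str) -> bool:
    """True when no finding reaches this stage's blocking severity."""
    return not any(f.severity in BLOCKING_SEVERITIES[stage] for f in findings)


# Constructed sample template: one compliant bucket and three violations.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                               "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": "alias/example-logs-key"}}]}}},
        "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "constructed",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": False}},
    }
}

if __name__ == "__main__":
    found = validate_template(SAMPLE_TEMPLATE)
    for f in found:
        print(f"{f.severity:6} {f.resource:14} {f.rule}: {f.message}")
    print("pre-commit gate passes:", gate_passes(found, "pre-commit"))
    print("pre-deploy gate passes:", gate_passes(found, "pre-deploy"))
```

Running the file prints four findings (none against LogsBucket) and both gates fail because three of them are HIGH; the point of the stage table is that a MEDIUM-only change is allowed through a developer's pre-commit hook but still stopped at deploy time.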

Defining Data Perimeters for Secure Cloud Operations

  • Establishing trusted identities, resources, and networks to control access and data movement
  • Applying identity, network, and resource perimeter conditions to mitigate unauthorized access and data exfiltration
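The three perimeters above, together with the earlier point about declarative policies that block non-compliant actions and explain why, can be shown with a guardrail written as Deny statements on the identity, resource and network condition keys and a small evaluator that reports which statement fired. This is an added example, not Meta's policy or the real IAM engine: it models only the condition-matching subset of policy evaluation (no Allow statements, no action or resource wildcards), and the organization id and VPC id are constructed.

```python
"""Evaluate a data-perimeter guardrail against a request context.

Added example. A simplified evaluator for SCP-style Deny statements built on
the identity (aws:PrincipalOrgID), resource (aws:ResourceOrgID) and network
(aws:SourceVpc, aws:ViaAWSService) condition keys. Only condition matching is
modelled; the organization id and VPC id are constructed placeholders.
"""

ORG_ID = "o-exampleorg123"                 # constructed organization id
TRUSTED_VPCS = ["vpc-0123456789abcdef0"]   # constructed VPC id

PERIMETER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # identity perimeter: only principals that belong to our organization
            "Sid": "IdentityPerimeter", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": ORG_ID}},
        },
        {   # resource perimeter: only resources owned by our organization
            "Sid": "ResourcePerimeter", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"StringNotEqualsIfExists": {"aws:ResourceOrgID": ORG_ID}},
        },
        {   # network perimeter: only calls from trusted VPCs, unless an AWS service calls on our behalf
            "Sid": "NetworkPerimeter", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {"aws:SourceVpc": TRUSTED_VPCS},
                "BoolIfExists": {"aws:ViaAWSService": "false"},
            },
        },
    ],
}


def _condition_true(operator: str, key: str, expected, ctx: dict) -> bool:
    """One condition key under one operator; IfExists variants are true when the key is absent."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in ctx:
        return if_exists
    actual = ctx[key]
    allowed = expected if isinstance(expected, list) else [expected]
    if base == "StringEquals":
        return actual in allowed
    if base == "StringNotEquals":
        return actual not in allowed
    if base == "Bool":
        return str(actual).lower() == str(allowed[0]).lower()
    raise ValueError(f"unsupported condition operator {operator}")


def evaluate(policy: dict, ctx: dict):
    """Return (allowed, reason). A Deny statement applies when all of its conditions are true."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conds = stmt.get("Condition", {})
        matched = all(_condition_true(op, key, value, ctx)
                      for op, pairs in conds.items() for key, value in pairs.items())
        if matched:
            seen = {key: ctx.get(key, "<absent>") for pairs in conds.values() for key in pairs}
            detail = ", ".join(f"{k}={v}" for k, v in seen.items())
            return False, f"Denied by '{stmt['Sid']}': {detail}"
    return True, "Allowed: request stays inside the identity, resource and network perimeters"


if __name__ == "__main__":
    # Constructed request contexts: one inside all perimeters, one from the public internet.
    inside = {"aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": ORG_ID,
              "aws:SourceVpc": "vpc-0123456789abcdef0"}
    from_internet = {"aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": ORG_ID}
    for name, ctx in (("inside", inside), ("from_internet", from_internet)):
        print(name, "->", evaluate(PERIMETER_POLICY, ctx))
```

The deny reason names the statement and echoes the condition values it saw, which is the "helpful error message" a developer needs to tell an identity problem from a network-path problem. Note how the network statement relies on the IfExists semantics: a request with no aws:SourceVpc and no aws:ViaAWSService key (a call from the internet) matches both conditions and is denied, while a service-originated call that carries aws:ViaAWSService=true passes.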

Meta's Approach to Secure Cloud Expansion

  • Leveraging a centralized identity and authentication system to grant least-privileged access
  • Using machine attestation and short-lived credentials to reduce the blast radius of compromised credentials
  • Implementing a credential vending service (ORHD) to abstract away cloud-specific credential retrieval
  • Leveraging IPv6 infrastructure to enable one-workload-per-account VPC isolation
  • Deploying sophisticated network security controls, including AWS Network Firewall for ingress and egress inspection
  • Integrating with Meta's privacy-aware architecture to enforce data lineage and purpose-limitation policies
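The attestation and short-lived-credential bullets describe a two-step exchange: a machine proves what it is and what it runs, then a vending service hands it a credential that is scoped to that workload and expires quickly, so a stolen credential is useful for minutes and only for one role. The following is an added example of that generic flow; it is not Meta's ORHD service and nothing about ORHD's internals is taken from the page. Keys, machine ids, the account id and role ARN are constructed, and HMAC tokens stand in for what a real deployment would do with asymmetric attestation evidence and AWS STS.

```python
"""Attested machine identity exchanged for a short-lived, workload-scoped credential.

Added example of the generic flow (attestation, then credential vending).
Not Meta's ORHD. Keys, machine ids, account id and role ARN are constructed;
HMAC tokens stand in for real attestation evidence and STS credentials.
"""
import base64
import hashlib
import hmac
import json
import secrets

ATTESTATION_KEY = b"constructed-attestation-service-key"   # placeholder secret
VENDING_KEY = b"constructed-credential-vending-key"        # placeholder secret
ATTESTATION_TTL = 300   # seconds an attestation token stays usable
CREDENTIAL_TTL = 900    # seconds a vended credential stays valid

# Which cloud role each workload may obtain (constructed mapping).
WORKLOAD_ROLES = {
    "ml-trainer": "arn:aws:iam::111122223333:role/example-ml-trainer",
}


def _sign(key: bytes, claims: dict) -> str:
    """Serialize claims canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(body).decode()}.{base64.urlsafe_b64encode(tag).decode()}"


def _verify(key: bytes, token: str):
    """Return the claims if the tag verifies, otherwise None."""
    try:
        b64body, b64tag = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64body)
        tag = base64.urlsafe_b64decode(b64tag)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return json.loads(body)


def attest_machine(machine_id: str, workload: str, now: int) -> str:
    """Attestation service: vouch that machine_id passed its checks and runs workload."""
    return _sign(ATTESTATION_KEY, {"machine_id": machine_id, "workload": workload,
                                   "nonce": secrets.token_hex(8), "exp": now + ATTESTATION_TTL})


def vend_credential(attestation: str, requested_workload: str, now: int) -> str:
    """Vending service: exchange a valid attestation for a short-lived, role-scoped credential."""
    claims = _verify(ATTESTATION_KEY, attestation)
    if claims is None:
        raise PermissionError("attestation rejected: bad signature")
    if claims["exp"] <= now:
        raise PermissionError("attestation rejected: expired")
    if claims["workload"] != requested_workload:
        raise PermissionError("attestation rejected: workload mismatch")
    role = WORKLOAD_ROLES.get(requested_workload)
    if role is None:
        raise PermissionError(f"no role mapped for workload {requested_workload}")
    return _sign(VENDING_KEY, {"role": role, "machine_id": claims["machine_id"],
                               "iat": now, "exp": now + CREDENTIAL_TTL})


def credential_claims(credential: str, now: int):
    """Resource side: accept the credential only while it is untampered and unexpired."""
    claims = _verify(VENDING_KEY, credential)
    if claims is None or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    now = 1_700_000_000
    token = attest_machine("host-a1", "ml-trainer", now)
    cred = vend_credential(token, "ml-trainer", now)
    print("valid now:", credential_claims(cred, now + 60) is not None)
    print("valid after TTL:", credential_claims(cred, now + CREDENTIAL_TTL) is not None)
```

The blast-radius argument is visible in the checks: the vending service refuses an expired or tampered attestation and a workload the machine was not attested for, and the credential it issues carries the machine id, a single role and a 15-minute expiry, so rotation happens by letting it lapse rather than by revoking a long-lived secret.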

Securing AI Workloads in the Cloud

  • Addressing the unique challenges of AI clusters, including GPU scarcity and large data transfer volumes
  • Deploying dedicated GPU and storage VPCs, with high-bandwidth AWS Direct Connect links for data transfer
  • Implementing sophisticated internet ingress and egress controls using AWS Network Firewall
  • Leveraging Meta's privacy-aware infrastructure to enforce data usage policies based on context and lineage

Closing the Loop: Threat Detection and Incident Response

  • Streaming VPC flow logs and S3 data events to internal monitoring and threat detection systems
  • Automating remediation and isolation to respond quickly to security incidents
  • Fostering a culture of blameless incident analysis to continuously improve the security posture
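The first two bullets above, streaming VPC flow logs and S3 data events into detection and then automating isolation, are concrete enough to demonstrate end to end. The following is an added example, not Meta's detection logic: it parses default-format VPC flow log records, flags an internal source that pushed more than an assumed threshold of bytes to external addresses, flags S3 data-event records that reached a sensitive bucket without the expected VPC endpoint, and turns the alerts into a remediation plan. All log lines, addresses, ENI ids, the endpoint id, bucket and principal names are constructed, and the responder returns actions for review rather than calling the cloud API.

```python
"""Detection over VPC flow logs and S3 data events, with a remediation plan.

Added example. Sample records are constructed (documentation addresses,
example ENI, endpoint, bucket and principal names); the byte threshold and
the expected VPC endpoint id are assumptions for the demo.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_BYTES_THRESHOLD = 100 * 1024 * 1024        # assumption: 100 MiB to external hosts
EXPECTED_S3_ENDPOINT = "vpce-0f00ba5e12345678a"   # constructed VPC endpoint id
SENSITIVE_BUCKETS = {"example-training-data"}     # constructed bucket name

# Default VPC flow log record format (version 2); constructed records.
FLOW_LOG_LINES = """\
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 44321 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.77 51000 443 6 9000 52428800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.77 51001 443 6 9100 62914560 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0d9e8f7a6b5c43210 10.0.3.9 198.51.100.5 40000 22 6 12 900 1700000000 1700000060 REJECT OK
"""
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
               "packets bytes start end action log_status").split()

# Simplified CloudTrail-style S3 data events; constructed.
S3_DATA_EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/example-ml-trainer/i-0abc"},
     "vpcEndpointId": "vpce-0f00ba5e12345678a",
     "requestParameters": {"bucketName": "example-training-data"}},
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-contractor"},
     "requestParameters": {"bucketName": "example-training-data"}},
]


def parse_flow_logs(text: str) -> list:
    """Turn default-format flow log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def is_internal(addr: str) -> bool:
    # Explicit RFC 1918 check; ipaddress.is_private would also match documentation ranges.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_bulk_egress(records: list) -> list:
    """Sum accepted bytes from each internal source to external destinations."""
    totals = defaultdict(int)
    enis = {}
    for r in records:
        if r["action"] == "ACCEPT" and is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"]):
            totals[r["srcaddr"]] += r["bytes"]
            enis[r["srcaddr"]] = r["interface_id"]
    return [{"type": "bulk_egress", "src": src, "eni": enis[src], "bytes": total}
            for src, total in totals.items() if total > EGRESS_BYTES_THRESHOLD]


def detect_s3_off_path(events: list) -> list:
    """Flag data access to a sensitive bucket that did not come through the expected VPC endpoint."""
    alerts = []
    for e in events:
        bucket = e.get("requestParameters", {}).get("bucketName")
        if e.get("eventName") not in {"GetObject", "PutObject"} or bucket not in SENSITIVE_BUCKETS:
            continue
        if e.get("vpcEndpointId") != EXPECTED_S3_ENDPOINT:
            alerts.append({"type": "s3_off_path", "principal": e["userIdentity"]["arn"],
                           "bucket": bucket, "source_ip": e.get("sourceIPAddress")})
    return alerts


def plan_remediation(alerts: list) -> list:
    """Map alerts to isolation actions; a live responder would execute these through the cloud API."""
    actions = []
    for a in alerts:
        if a["type"] == "bulk_egress":
            actions.append(("quarantine_eni", a["eni"]))
        elif a["type"] == "s3_off_path":
            actions.append(("revoke_principal_sessions", a["principal"]))
    return actions


if __name__ == "__main__":
    alerts = detect_bulk_egress(parse_flow_logs(FLOW_LOG_LINES)) + detect_s3_off_path(S3_DATA_EVENTS)
    for a in alerts:
        print(a)
    print(plan_remediation(alerts))
```

On the constructed input the flow-log rule fires once (10.0.1.25 moved about 110 MiB to 203.0.113.77 across two records, while the rejected SSH attempt from 10.0.3.9 is ignored) and the S3 rule fires once for the access that bypassed the VPC endpoint; the plan pairs each with a reversible isolation step, which is what makes automated response safe enough to run without a human in the loop.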

Key Takeaways

  • Securing cloud infrastructure at hyperscale requires a fundamental rethinking of security principles
  • Automation, security-by-design, and a federated approach are essential to manage the scale and complexity
  • Resiliency, incident response, and a learning culture are critical to withstand and recover from security events
  • Meta's real-world experiences demonstrate the practical application of these principles at an unprecedented scale
