Aws tpm


Using a Trusted Platform Module for endpoint device security in AWS IoT Greengrass

Co-authored by Aniruddh Chitre, AWS Solutions Architect

This post demonstrates how AWS IoT Greengrass can be integrated with a Trusted Platform Module (TPM) to provide hardware-based endpoint device security. This integration ensures the private key used to establish device identity can be securely stored in tamper-proof hardware devices to prevent it from being taken out of the devices for impersonation and other malicious activities.

With the ever-increasing adoption of IoT in various industries, managing the security of device fleets is a priority for any successful implementation. Industrial IoT also has to contend with devices deployed in remote, unmanned areas that cannot be easily secured. A compromised device can have ripple effects across the complete IoT solution ecosystem (equipment, devices, applications and network) with potentially damaging consequences for consumers and organizations.

In normal IT scenarios, software countermeasures such as anti-virus software are taken for granted as the means of securing the system. These programs are active only after the boot sequence completes, the OS takes control of the system, and the antivirus program is launched.

However, in IoT, another type of attack vector, commonly called bootkit or bootloader rootkit, can infect the master boot record. These bootkits subvert the normal booting process and allow for malicious programs to be executed before loading of the operating system. The bootkits escape detection by standard OS processes as they reside outside of the file system.

To handle these scenarios, the Trusted Computing Group (TCG) has developed the Trusted Computing paradigm to protect computing infrastructure and billions of IoT devices. The TCG has created the specifications of a TPM that enforces specific behaviors and protects systems from unauthorized changes and attacks, such as malware and bootkits.

What is a TPM?

A TPM is a cryptographic processor present on most commercial PCs and servers. Ubiquitous in nature, it can be used for a wide variety of use cases, such as storing keys for VPN access and encryption keys for hard disks, or preventing dictionary attacks to retrieve private keys.

While a typical TPM provides several cryptographic capabilities, three key features are relevant for this post:

  • Establishing a root of trust
  • Secure boot
  • Device identification

Establishing a root of trust

A TPM can prevent a bootkit attack by providing a trusted sequence of boot operations. The following questions often arise in a running system:

  • Is the operating system that is running appropriately secure?
  • Is the firmware booting the OS appropriately secure?
  • Is the underlying hardware appropriately secure?

Each layer has to trust the layer below, as illustrated in the following diagram.

Chain of trust in a device starting from Applications and flowing down through Operating System, Hypervisor, Firmware and finally ending at the Hardware which forms the root of trust.

At the root of this chain is the hardware, which has to be inherently trusted and forms the base on which the chain of trust has been established. In more technical terms, a root of trust is all of the following:

  • Set of functions in a trusted computing module that is always trusted by the firmware/OS
  • Prerequisite for secure boot process
  • Component that helps in detection of bootkits

Secure boot

A secured boot builds on the underlying notion of a root of trust to protect the boot process from being compromised on the device. This whole process by which the trustworthiness of a device is established right from the chip is called a “Secure Boot”. In case a chain of trust is broken, the boot process is aborted and the device attempts to go back to its last known good state.

An extension of the secure boot process is measured boot, in which the device does not halt the boot process. Instead, it records the identity of each component that participates in the boot process so that these component identities can be verified later against a list of approved component identities for that device.

These two processes are illustrated in the following diagram.

The sequence of boot operations on a device reset. The Boot ROM initiates the boot from a trusted location and each subsequent image that forms part of the boot sequence is evaluated before execution till it enters normal device operation.

A typical sequence of a measured boot is as follows:

  • The boot ROM acts as the root of trust.
  • Upon a device reset, each image that forms part of the boot sequence is validated (measured) before execution.
  • The measurements are stored in a TPM.
  • Each measurement serves as the proxy for the root of trust for the subsequent step in the boot sequence.
  • Normally, only critical and security-sensitive processes and configuration files are considered for the measurement.
  • After the security-sensitive processes are completed, the device enters the unmeasured boot stage before entering normal system operation state.
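To make the "measurements are stored in a TPM" step concrete, here is an added example (not from the original post) in Python that simulates how a measured boot accumulates component digests into a PCR with the TPM's extend operation and how a verifier later replays the event log against an approved list. The boot images are constructed stand-ins, and a SHA-256 PCR bank is assumed.

```python
import hashlib

# Constructed sample boot chain: component name -> bytes of its image. These are
# stand-ins for real boot ROM / bootloader / kernel images, not real firmware.
BOOT_CHAIN = [
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image 5.4"),
    ("initrd", b"constructed initrd image"),
]

# Assumption: a SHA-256 PCR bank; TPM 2.0 PCRs read as all zeros after reset.
PCR_INITIAL = bytes(32)


def measure(image: bytes) -> bytes:
    """The measurement of a boot component is the SHA-256 digest of its image."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || digest).

    The PCR can only be extended, never written, so the final value depends on
    every measurement and on their order."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(chain):
    """Run the chain: each stage measures the next image before handing over
    control. Returns (final PCR value, event log). The TPM keeps only the
    extended PCR; the event log keeps the per-component digests so a verifier
    can replay the chain later."""
    pcr = PCR_INITIAL
    log = []
    for name, image in chain:
        digest = measure(image)
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR value an event log claims to describe."""
    pcr = PCR_INITIAL
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify_boot(pcr: bytes, log, approved: dict):
    """Verifier side (for example an attestation service that received a PCR
    quote and the event log): the log must replay to the quoted PCR, and every
    component digest must be on the approved list for this device."""
    if replay_log(log) != pcr:
        return False, "event log does not match PCR value"
    for name, digest_hex in log:
        if approved.get(name) != digest_hex:
            return False, f"unapproved measurement for {name}"
    return True, "ok"


if __name__ == "__main__":
    final_pcr, event_log = measured_boot(BOOT_CHAIN)
    approved_list = {name: measure(img).hex() for name, img in BOOT_CHAIN}
    print("PCR:", final_pcr.hex())
    print(verify_boot(final_pcr, event_log, approved_list))
```

A modified bootloader changes its digest and therefore every later PCR value, and a forged log that lists the approved digests no longer replays to the quoted PCR, which is what lets the verifier detect either kind of tampering.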

Device identification

In IoT solution deployments, it is important to check the identity of the device that is communicating with the messaging gateway. The usual method is to generate key pairs for the devices, which are then used to authenticate and encrypt the traffic. However, key pairs residing on the disk are susceptible to tampering.

The TPM steps in here by storing the keys in tamper-resistant hardware. The keys are generated inside the TPM itself and are thereby protected from being retrieved by external programs. In fact, even without harnessing the capabilities of a hardware root of trust and secure boot, the TPM is also valuable just as a hardware key store. The private keys are protected by the hardware and offer far better protection than a software key.

The rest of this post focuses on how to integrate and use features of TPMs to protect the edge gateways running AWS IoT Greengrass. This integration uses the PKCS#11 protocol as the interface to the TPM.


What is AWS IoT Greengrass?

AWS IoT Greengrass is software that extends cloud capabilities to local devices. Specifically, AWS IoT Greengrass provides cloud-based management of application logic that runs on devices. This enables devices to collect and analyze data closer to the source of information, react autonomously to local events, and communicate securely with each other on local networks. AWS IoT Greengrass developers can use AWS Lambda functions and pre-built connectors to create serverless applications that are deployed to devices for local execution.

The following diagram shows the basic architecture of AWS IoT Greengrass.

Basic Architecture of AWS IoT Greengrass

Using AWS IoT Greengrass, devices securely communicate on a local network and exchange messages with each other without having to connect to the cloud. Locally deployed AWS Lambda functions and connectors are triggered by local events, messages from the cloud, or other sources. If connectivity is lost, AWS IoT Greengrass provides a local pub/sub message manager that can intelligently buffer messages to preserve inbound and outbound messages to the cloud.

An AWS IoT Greengrass core is an AWS IoT thing (device). Like other AWS IoT devices, a core exists in the registry, has a device shadow, and uses a device certificate to authenticate with AWS IoT. The core device runs the AWS IoT Greengrass core software, which enables it to manage local processes for Greengrass groups, such as communication, shadow sync, and token exchange.

During the registration of the AWS IoT Greengrass core, the keys and the certificates generated are stored in the local drives of the devices by default and are easily accessible. The following sections provide a deep dive into how the keys can be securely stored in tamper-proof hardware provided by the TPM.

Securing AWS IoT Greengrass with Infineon OPTIGA TPM

We will look at the steps required to secure AWS IoT Greengrass with the Infineon OPTIGA TPM products.

This integration requires the following components:

  • A Raspberry Pi 3B+ running Raspbian Stretch.
  • AWS IoT Greengrass v1.7+.
  • Infineon OPTIGA TPM. This blog uses the Infineon OPTIGA SLB 9670. The other supported OPTIGA TPMs, the OPTIGA SLI 9670 and OPTIGA SLM 9670, can also be used, for automotive and industrial applications respectively.

Setting up AWS IoT Greengrass on Raspberry Pi 3B+

Because the AWS IoT Greengrass core is an AWS IoT device, it has to be registered with AWS IoT Core and comply with all security restrictions. It should have the following:

  • A private key and public key pair.
  • A certificate signed by a certificate authority (CA).

For more information, see the following documentation:

As part of the setup, the keys and certificate are stored in the folder . After the device is registered with AWS IoT, you must take additional steps to ensure that the device keys are secured.

From v1.7.0, AWS IoT Greengrass supports the use of Hardware Security Modules (HSMs) through the PKCS#11 interface for secured storage and offloading of the private keys. This prevents the keys from being exposed or duplicated in software. The private keys can be securely stored on hardware modules such as HSMs, Trusted Platform Modules (TPMs) or other cryptographic elements.

AWS has partnered with TPM manufacturers to protect the private keys inside a TPM. One of these manufacturers is Infineon Technologies, which provides a hardware TPM-based security solution with its OPTIGA TPM products, usable on embedded PCs, mobile and other IoT devices. All the OPTIGA TPM products comply with the Trusted Computing Group (TCG) standards.

The rest of the blog provides a step-by-step guide demonstrating how to use an Infineon OPTIGA TPM as an HSM for AWS IoT Greengrass on a Raspberry Pi 3 Linux environment. It can be performed with one of the following Infineon Iridium OPTIGA TPM SPI Boards:

  • OPTIGA TPM SLB 9670 TPM2.0
  • OPTIGA TPM SLI 9670 TPM2.0
  • OPTIGA TPM SLM 9670 TPM2.0

This example uses the OPTIGA TPM SLB 9670 TPM2.0 for the AWS IoT Greengrass HSM integration.

Prerequisites for setting up the TPM on the Raspberry Pi

The Infineon OPTIGA TPM uses the SPI interface to connect to the Pi on the GPIO pins. Once the OPTIGA™ TPM is plugged into the Pi, it should look as follows:

Setting up the TPM on Raspberry PI

Go through the following steps to validate the initial setup of the TPM and to check if the Raspberry Pi is able to recognize the TPM on reboot. For more information, see Preparation and Hardware Setup.

  • Reboot your Raspberry Pi and check that is available. Update your system with the following command:
  • Install latest kernel using the following command:
  • Edit and add the following line:
  • (This value for the dtoverlay parameter applies to the SLB 9670, SLI 9670 and SLM 9670.)
  • Restart your Raspberry Pi and check if the TPM is recognized on reboot using . The output should resemble the following:

Quick check to verify if TPM is recognized.

A detailed verification can also be done by running a small utility, , provided by Infineon Technologies AG and available on GitHub. All of the following setup packages are created and built under the directory.

The output of the preceding command should resemble the following:

Detailed verification of TPM by listing its properties

This output confirms that the TPM is working correctly. Understanding the different properties of the TPM is not required for the rest of the integration.

Integrating AWS IoT Greengrass with Infineon OPTIGA TPM

For a TPM to function, it requires a complete software stack including drivers, resource managers, and other tools. Each of these components is available from GitHub (see links in the following sections) and has been built to the specifications laid out by the Trusted Computing Group (TCG). These software components include:

  • TPM TSS Library: This library implements the TCG’s TPM2 Software Stack (tpm2-tss) specification. It comprises various software components that implement the low-level and high-level APIs, transmission of commands to the TPM, and the marshalling and un-marshalling of all the data structures defined by the TPM2 specification.
  • TPM PKCS#11: The PKCS#11 is a public key cryptography standard that defines a standard method to access cryptographic services from tokens or devices such as HSMs or smart cards. In this example, the Infineon TPM serves as the HSM.
  • TPM2 Access Broker and Resource Manager: These are system daemon processes that implement the TPM2 Access Broker (TAB) and Resource Manager (RM) spec from the TCG.

Though all the above APIs are required for the proper functioning and use of TPM operations, AWS IoT Greengrass uses only the PKCS#11 APIs for storing and retrieving the primary keys.

Installation preconditions

Before installing the software stack and tools, ensure that the Raspberry Pi has all the packages required to build the TPM libraries. This includes upgrading the SSL and PKCS#11 packages, as the default packages in the Raspberry Pi are outdated.

The preceding steps build the basic dependencies to update the Raspberry Pi with the required libraries for compiling the source code in the subsequent steps.

Download the TPM2 software repositories

Download the following repositories:


    Install a recent version of libp11

    Unfortunately, the version of the PKCS#11 engine for OpenSSL provided on Raspbian Stretch is too old (0.4.4) and not compatible with this software. Install it manually from the repositories. Compile and install the correct version:

    Download the autoconf-archive and deploy to the projects

    The version of autoconf-archive provided on Raspbian Stretch is not compatible with the TPM software stack. Download it manually and copy it to the respective repositories.

    Install the TPM2 Software Stack library

    Install the tpm2-tss library.

    Install the TPM2 Access Broker and Resource Manager (tpm2-abrmd)

    Install the TPM2 Access Broker and Resource Manager.

    Install the TPM2 Tools (tpm2-tools)

    Install the TPM2 Tools.

    Install adaptation of PKCS#11 for TPM2 (tpm2-pkcs11)

    Install the adaptation of PKCS#11 for TPM2.

    Using the PKCS11 Provider for AWS IoT Greengrass hardware security.

    In this section, you create a keystore in which you create the keys and refer to the same in the AWS IoT Greengrass configuration.

    Initializing the keystore and token

    The keystore is created under . The location should be readable and writable by the logged-in user.

    Initializing the keystore

    Use the following command:

    The details of the options used in this command are:

    Initializing the token

    Use the following command:

    The details of the options used in this command are:

    Adding a key

    Use the following command:

    The details of the options used in this command are:

    Finding the PKCS#11 URL

    AWS IoT Greengrass and other tools use a PKCS#11 URL to find the token and key object. This URL can be determined using :

    This yields a result similar to the following:

    A screenshot of the same in this setup looks similar to the following:

    Listing of token URLs associated with the Token & Key

    The URL for the private key can then be determined using the following command:

    This yields a result similar to the following:

    The result is shown in the following screenshot:

    Listing of private keys contained in the TPM

    The URL can be trimmed of certain components, as long as it remains unique, such as in the following example:

    This setup uses the complete URL, as follows:

    The PIN can be appended to the URL:

    This is the URL to use for the AWS IoT Greengrass configuration.

    Generate a certificate signing request

    Use the following command to generate a certificate signing request:

    Answer the questions that OpenSSL asks you for the certificate signing request. This information is incorporated into the certificate.

    After you have completed the request, log in to AWS and navigate to the AWS IoT console. On the left navigation pane, under Security, choose Certificates, Create.

    AWS IoT Console. First step to creating a Certificate to be associated with the AWS IoT Greengrass core.

    Choose Create with CSR and select the CSR file that you created using OpenSSL (for example, ).

    Creating the certificate using the CSR

    Download the and the resulting , where stands for a unique ID, and copy both to .

    Before closing the window, activate the certificate and attach it to an object or policy in the dialog on the AWS IoT security page.

    Configure and run AWS IoT Greengrass with HSI

    To enable and use the TPM as HSI, enable it in the AWS IoT Greengrass config. Edit and replace the configuration with the content based on your OpenSSL configuration and location of the keys. A complete example of the AWS IoT Greengrass configuration with the setup completed in the preceding sections resembles the following:

    Adjust the , , and accordingly. After this, you can start your AWS IoT Greengrass daemon using the following commands:


    This post demonstrated how a TPM helps improve endpoint device security by providing a secured location for the storage of device primary keys. We hope this post was useful. Feel free to let us know your thoughts and feedback in the comments.


    AWS IoT Greengrass Hardware Security Integration: Provide hardware-based endpoint device security with Infineon's OPTIGA™ TPM SLx 9670


    This document contains step-by-step instructions on how to set up the Open Source TPM Software Stack 2.0 (TSS 2.0) in combination with the tpm2-pkcs11 provider and related software on a Raspberry Pi® 3 Linux environment to use the Trusted Platform Module OPTIGA™ TPM SLx 9670 TPM2.0 from Infineon Technologies as a Hardware Security Module (HSM) for AWS IoT Greengrass using the PKCS#11 Hardware Security Integration (HSI).

    The OPTIGA™ TPM SLx 9670 TPM2.0 product family with SPI interface consists of 3 different products:

    • OPTIGA™ TPM SLB 9670, standard security applications
    • OPTIGA™ TPM SLI 9670, automotive security applications
    • OPTIGA™ TPM SLM 9670, industrial security applications

    We use "OPTIGA™ TPM SLx TPM2.0" to refer to all three of the above variants of the OPTIGA™ TPM2.0 product family with SPI interface.

    The described steps to use an OPTIGA™ TPM as a Hardware Security Module for AWS IoT Greengrass on a Raspberry Pi® 3 Linux environment can be performed with one of the Infineon Iridium SLx 9670 TPM2.0 SPI Boards listed in the table below:

    Supported TPM                | Order Type               | Order number | FW Version
    OPTIGA™ TPM SLB 9670 TPM2.0  | IRIDIUM 9670 TPM2.0      | SP001596592  | 7.85
    OPTIGA™ TPM SLI 9670 TPM2.0  | IRIDIUM SLI 9670 TPM2.0  | SP004232000  | 13.11
    OPTIGA™ TPM SLM 9670 TPM2.0  | IRIDIUM SLM 9670 TPM2.0  | SP004232004  | 13.11

    The three Infineon Iridium Boards are referred to in the following as "Infineon Iridium SLx 9670 TPM2.0 SPI Board".

    The Software has been tested with Infineon TPMs implementing TCG Revision 1.38 or higher.

    Iridium Boards with OPTIGA™ TPM SLB 9670 might have a lower firmware (7.40 or 7.63) and may need to be upgraded first. Iridium Boards with OPTIGA™ TPM SLI 9670 and OPTIGA™ TPM SLM 9670 should have FW 13.11.

    Please refer to eltt2 section below on how to check the version of your TPM.

    Intended Audience

    This document is intended for customers who want to increase the security level of their AWS IoT Greengrass deployments using an OPTIGA™ TPM SLx 9670 TPM2.0 from Infineon as a Hardware Security Module, leveraging the capabilities of the AWS Greengrass Hardware Security Integration (HSI) via the tpm2-pkcs11 provider library.

    Getting Started with AWS IoT Greengrass

    In case you are not yet familiar with AWS IoT Greengrass please have a look at:

    For more details on AWS IoT Greengrass HSI please refer to

    It is strongly recommended to follow the AWS IoT Greengrass tutorial before using this guide to support the use of OPTIGA™ TPM with HSI.

    Quality and Limitations:

    The PKCS11 Library (tpm2-pkcs11) and the underlying TPM2 Software Stack (tpm2-tss) are part of the Open Source Project which is supported, developed and sponsored by Infineon and many others.

    The software:

    • is only tested to a limited extent and might not work as expected.
    • is provided as-is, without any warranty and liability.
    • provides the required functionality for Greengrass Device Tester 1.3.1 and IoT Greengrass 1.8.x, 1.9.x, 1.10.x
    • has NOT been tested for any additional functionality.

    Only RSA 2K Keys and ECC_NIST_P256 keys are supported.

    Preparation and Hardware Setup

    • Download latest Raspbian (2020-02-13, Buster) and flash onto SD Card.

    • Plug in the OPTIGA™ TPM SLx 9670 Iridium Board on the Raspberry Pi header.

      • The chips must be facing the outside of the Raspberry Pi.
      • Pin 1 of the Iridium must align with Pin 1 of the Raspberry Pi.
      • Pin 1 is also marked by a rectangular solder pad on the Iridium board.
    • Plug in the SD card, monitor, keyboard and mouse into the Raspberry Pi and power it up.

    • Follow basic Raspberry Pi Setup instructions, especially Wifi and User Password.

    • Use 'raspi-setup' to enable SSH and SPI.

    • Update your system with .

    • Install latest kernel via .

    • Edit /boot/config.txt and add the following line:

      (this tpm-slb9670 overlay applies to SLB 9670, SLI 9670 and SLM 9670).

    • Reboot your Raspberry Pi and check that /dev/tpm0 is available.

    • Follow the AWS IoT Greengrass Tutorial to setup everything correctly.

    Check TPM Functionality with eltt2

    eltt2 is a small test utility provided by Infineon Technologies AG and is available on github:

    The output should look similar to this:

    This means your OPTIGA™ TPM works as expected. It also shows the Firmware Version of the TPM.

    Install TPM Software Stack and Tools

    Install preconditions

    Download Repositories

    Install tpm2-tss

    Install tpm2-abrmd

    Install tpm2-tools

    Install tpm2-pkcs11

    Using the PKCS11 Provider for Greengrass HSI.

    In this example, the keystore is created under /opt/tpm2-pkcs11. It is assumed that the location is readable and writable by the user. It is advisable to set the location using the environment variable

    Initializing Keystore and Token

    Init Keystore

    The used options are:

    --path PATH    The location of the store directory.

    Init Token

    The used options are:

    Add a key:

    The used options are

    Find out the P11/PKCS#11 URL

    Greengrass and other tools use a pkcs11 url to find the token/key object. This URL can be determined using :

    This will yield a result similar to:

    The URL for the private key can then be determined using:

    If you receive error messages like

    they can be safely ignored. The TPM2_TestParms command is used to determine whether something (e.g. an algorithm) is supported by the TPM, and it returns the same error code as the original TPM command would when called with the same arguments, e.g. unsupported algorithm. Future versions of tpm2-tss will suppress these false-positive error messages.

    The URL can be trimmed of certain components, as long as it remains unique, e.g.

    The Pin can be appended to the URL:

    This will be the URL we will use for the Greengrass configuration.

    Generate a Certificate Signing Request

    Please answer the questions OpenSSL asks you for the Certificate Signing Request; this information will be incorporated into the certificate.

    Once completed, login to AWS and navigate to the AWS IoT Section.

    Under the tab on the left menu, create a new certificate (Right upper corner ).

    In the menu choose and select the file you created using openssl (e.g. ).

    Download the and the resulting , where xxxxxx stands for a unique id, and copy both to

    Before closing the window, please be sure to activate the certificate and attach it to an object/policy in the dialogue on the AWS Greengrass Security Page.

    Configure and run Greengrass with HSI

    To enable and use the TPM as HSI, we need to enable it in the greengrass config. For this we need to edit and replace the configuration with the following content:

    {
      "crypto": {
        "caPath": "file:///greengrass/certs/",
        "PKCS11": {
          "OpenSSLEngine": "/usr/lib/arm-linux-gnueabihf/engines-1.1/",
          "P11Provider": "/usr/lib/arm-linux-gnueabihf/pkcs11/",
          "SlotLabel": "greengrass",
          "SlotUserPin": "123456"
        },
        "principals": {
          "IoTCertificate": {
            "certificatePath": "file:///greengrass/certs/_xxxxxx_-certificate.pem.crt",
            "privateKeyPath": "pkcs11:model=SLM9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456"
          },
          "MQTTServerCertificate": {
            "certificatePath": "file:///greengrass/certs/_xxxxxx_-certificate.pem.crt",
            "privateKeyPath": "pkcs11:model=SLM9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456"
          }
        }
      },
      "coreThing": {
        "thingArn": "arn:aws:iot:eu-central-1:ZZZZZZZZZZZZZZZ:thing/Greengrass-Test_Core",
        "iotHost": "",
        "ggHost": "",
        "keepAlive": 600
      },
      "runtime": {
        "cgroup": {
          "useSystemd": "yes"
        }
      },
      "managedRespawn": false
    }
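    As an added example (not part of the Infineon guide, the AWS post or the tpm2-pkcs11 project), the following Python resolves a PKCS#11 URL of the form used in the configuration above against a constructed object listing, to confirm that a trimmed URL still identifies exactly one object as the "Find out the P11/PKCS#11 URL" section requires, and then checks the crypto section of a Greengrass config so that every principal's private key is held by the TPM. The object attributes, the file paths in the sample config and the rule that the URL's token must equal SlotLabel are assumptions modelled on this guide's setup.

```python
import json
from urllib.parse import unquote

# Constructed listing of the objects a token exposes, in the attribute form a
# PKCS#11 URL names them (assumption: what a listing of this guide's token
# "greengrass" holding the key "greenkey" on an SLM9670 would contain).
OBJECTS = [
    {"model": "SLM9670", "manufacturer": "Infineon", "token": "greengrass",
     "object": "greenkey", "type": "private"},
    {"model": "SLM9670", "manufacturer": "Infineon", "token": "greengrass",
     "object": "greenkey", "type": "public"},
    {"model": "SLM9670", "manufacturer": "Infineon", "token": "greengrass",
     "object": "greenkey", "type": "cert"},
]

# Constructed crypto section modelled on the guide's config.json. The second
# principal deliberately keeps its key in a file so the check has something
# to flag; the file names are placeholders, not real paths from this guide.
SAMPLE_CONFIG = {
    "crypto": {
        "caPath": "file:///greengrass/certs/",
        "PKCS11": {"SlotLabel": "greengrass", "SlotUserPin": "123456"},
        "principals": {
            "IoTCertificate": {
                "certificatePath": "file:///greengrass/certs/_xxxxxx_-certificate.pem.crt",
                "privateKeyPath": "pkcs11:model=SLM9670;manufacturer=Infineon;"
                                  "token=greengrass;object=greenkey;type=private;"
                                  "pin-value=123456",
            },
            "MQTTServerCertificate": {
                "certificatePath": "file:///greengrass/certs/_xxxxxx_-certificate.pem.crt",
                "privateKeyPath": "file:///greengrass/certs/_xxxxxx_-private.pem.key",
            },
        },
    }
}

PIN_ATTRS = {"pin-value", "pin-source"}


def parse_pkcs11_url(url: str) -> dict:
    """Split a pkcs11: URL into its attributes, percent-decoding values.

    RFC 7512 places pin-value in the query part after '?', while this guide
    appends it as a ';'-separated path attribute; both spellings are accepted."""
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URL")
    path, _, query = url[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";") + query.split("&"):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = unquote(value)
    return attrs


def matches(attrs: dict, obj: dict) -> bool:
    """RFC 7512 matching: every attribute the URL names must equal the
    object's; attributes the URL omits act as wildcards."""
    return all(obj.get(k) == v for k, v in attrs.items() if k not in PIN_ATTRS)


def resolve(url: str, objects: list) -> dict:
    """Return the one object a URL identifies, or raise when the URL has been
    trimmed so far that it is ambiguous (or matches nothing)."""
    attrs = parse_pkcs11_url(url)
    hits = [o for o in objects if matches(attrs, o)]
    if len(hits) != 1:
        raise LookupError(f"URL matches {len(hits)} objects, expected exactly 1")
    return hits[0]


def with_pin(url: str, pin: str) -> str:
    """Append the user PIN the way the guide does (';pin-value=...')."""
    return url + ";pin-value=" + pin


def check_crypto_config(config: dict) -> list:
    """Sanity checks on the 'crypto' section of config.json for HSI: each
    principal's private key must be a pkcs11: URL rather than a file:// path,
    must select the private object, and must name the token that SlotLabel
    names (assumption: the guide uses the same label for both)."""
    problems = []
    crypto = config.get("crypto", {})
    slot = crypto.get("PKCS11", {}).get("SlotLabel")
    for name, principal in crypto.get("principals", {}).items():
        key = principal.get("privateKeyPath", "")
        if not key.startswith("pkcs11:"):
            problems.append(f"{name}: private key is not held by the TPM ({key})")
            continue
        attrs = parse_pkcs11_url(key)
        if attrs.get("type") != "private":
            problems.append(f"{name}: URL does not select the private object")
        if attrs.get("token") != slot:
            problems.append(f"{name}: token {attrs.get('token')!r} differs from SlotLabel {slot!r}")
    return problems


if __name__ == "__main__":
    print(resolve("pkcs11:token=greengrass;object=greenkey;type=private", OBJECTS))
    print(json.dumps(check_crypto_config(SAMPLE_CONFIG), indent=2))
```

    Because the PIN ends up inside config.json, the file's permissions are what protect it, so keep the file readable only by the user the Greengrass daemon runs as.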

    Please adjust the , , and accordingly. For more Information please have a look at

    After this you can start your greengrass daemon as usual:


    Greengrass is not starting

    Please validate that your environment is prepared for Greengrass (especially that memory cgroups are on) by following the regular Greengrass tutorials without HSI.

    Please also validate that the permissions and user groups are set up correctly.

    /dev/tpm0 is not showing up

    Please make sure that you are running the latest kernel from , that the SPI support is turned on using and that the overlay is enabled in

    Please also ensure that the Iridium board is plugged in correctly.

    Debug PKCS11 Provider

    In order to enable more verbose logging an environment variable can be set:

    Also the pkcs11-spy from libp11 can be used to get a deeper understanding of the PKCS#11 calls.

    Problems during the installation / execution

    The setup has been tested on a Raspberry Pi 3B+ with Raspbian Buster (2020-02-13); please re-test on this exact platform first. Older Raspbian versions might not work.

    Esys_TestParms_Finish() Received TPM Error

    If you receive error messages like

    they can be safely ignored. The TPM2_TestParms command is used to determine whether something (e.g. an algorithm) is supported by the TPM, and it returns the same error code as the original TPM command would when called with the same arguments, e.g. unsupported algorithm. Future versions of tpm2-tss will suppress these false-positive error messages.


    All referenced product or service names and trademarks are the property of their respective owners.

    Important Notice

    The information contained in this application note is given as a hint for the implementation of the product only and shall in no event be regarded as a description or warranty of a certain functionality, condition or quality of the product. Before implementation of the product, the recipient of this application note must verify any function and other technical information given herein in the real application. Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind (including without limitation warranties of non-infringement of intellectual property rights of any third party) with respect to any and all information given in this application note.

    The data contained in this document is exclusively intended for technically trained staff. It is the responsibility of customer’s technical departments to evaluate the suitability of the product for the intended application and the completeness of the product information given in this document with respect to such application.

    For further information on the product, technology, delivery terms and conditions and prices please contact your nearest Infineon Technologies office (


    Due to technical requirements products may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies office.

    Except as otherwise explicitly approved by Infineon Technologies in a written document signed by authorized representatives of Infineon Technologies, Infineon Technologies’ products may not be used in any applications where a failure of the product or any consequences of the use thereof can reasonably be expected to result in personal injury.


    AWS Jobs – Recruiting, Product Management, TPM

    I have another triple dose of videos for you today. Continuing with our AWS Jobs video series, I interviewed an Amazon Recruiter, a Product Manager, and a TPM (Technical Program Manager).

    You can learn more about all of these jobs (and many others) on the AWS Careers page. We have open positions in North and South America, Europe, Africa, and the Asia-Pacific parts of the world.

    If you would like to apply for any of the jobs, please use the email address associated with the job family. Also, please take a moment to fill out the survey using the link after the video.

    You may be wondering about the barking dog in the opener to each episode. is a dog-friendly company and dogs are permitted on-premises at many of our locations. You may be interested in the story of Rufus, the first company dog.

    Amazon Recruiter
    I spoke with Garrett Gentry to learn about what it is like to be an Amazon Recruiter:

    To apply for a position as an Amazon Recruiter, send your resume to [email protected] Don’t forget to complete our survey.

    Product Manager
    I interviewed Derek Lyon to learn about what he does as a Product Manager:

    To apply for a position as a Product Manager, send your resume to [email protected] Don’t forget to complete our survey.

    I talked to Parmita Mehta to learn about her job as a TPM:

    To apply for a position as a TPM, send your resume to [email protected] Don’t forget to complete our survey.

    Stay Tuned
    If none of these jobs are a good match for your skills and interests, check out the AWS Careers Page and find one that does! You should also come back again for the third installment in the AWS Video Recruiting series.

    — Jeff;


    Modified 10/28/2020 – In an effort to ensure a great experience, expired links in this post have been updated or removed from the original post.


    Do you love working with development teams to drive global security impact? The AWS Commerce Platform (CP) provides the back and front-end services that enable AWS customers to purchase AWS services and understand and manage their infrastructure costs. Our teams tackle some of the hardest scalability, performance, and distributed computing challenges in the world. We process trillions of events per month using stream processing techniques (Kinesis), process billions of line items via map reduce (EMR), and manage artifacts through the latest in database technologies (DynamoDB and Aurora). The AWS CP Security Team is responsible for driving innovative enhancements that raise the bar for how internal and external customers interact with cost and billing resources, systems, and data. At AWS' scale, we must invent new security tools and processes to enable system administrators and developers to build rapidly, while maintaining least privileged access. We are looking for a passionate, innovative, results-oriented individual to manage and execute various programs to improve AWS CP's overall security posture.

    As an AWS CP Security Technical Program Manager (TPM), you will define, scope, and manage the delivery of security projects and products from start to finish. Responsibilities include collecting business and system requirements from customers across Amazon, authoring specifications, driving project schedules from design to release, and managing the production launch. You will lead and coordinate design and implementation efforts between internal teams and partners to develop optimal solutions. You will be expected to make appropriate trade-offs to optimize release schedules, and to clearly communicate goals, roles, responsibilities, and desired outcomes to internal cross-functional teams, whether local or remote.

    Successful candidates love working directly with software developers and security engineers to understand their needs, and designing security systems and solutions that enable developers to operate more quickly. You are passionate about the security of the cloud and you want to solve real business problems. We are looking for leaders who like to solve problems and remove obstacles. We have a team culture that encourages innovation, and we expect team members and management alike to take a high degree of ownership for their program vision and the execution of their ideas. You will have the opportunity to engage with systems that are at the cutting edge of technology. You will work directly with AWS service teams, infrastructure teams, and administrative teams to identify opportunities to improve AWS’ security posture. You will design and build tooling, drive process improvements, and work with service owners and cutting-edge technology to develop innovative solutions to complex technical challenges. You can prioritize well, communicate clearly, and have a consistent track record of delivery. You are proactive in removing roadblocks and can handle multiple competing priorities in a fast-paced environment. You will be a positive influence across diverse teams, able to rally support for your initiatives and to help deeply technical teams create simple solutions that meet your program goals. You are able to handle business escalations with a data-driven approach that builds trust with engineers, senior leaders, and executives.

    Successful candidates will have demonstrated experience leading large, ambiguous projects, and will have a well-rounded technical background in current technologies. You must be able to thrive and succeed in an entrepreneurial environment, and not be hindered by ambiguity or competing priorities. This means you are not only able to develop and drive high-level strategic initiatives, but can also roll up your sleeves, dig in, and get the job done. As a TPM, you will anticipate bottlenecks, manage escalations, make trade-offs, and balance business needs against technical constraints. You are expected to take large, complex projects, break them down into manageable pieces, develop functional specifications, and deliver them successfully and on time. Maturity, high judgment, negotiation skills, the ability to influence, analytical talent, and leadership are essential to success in this role.

    Our team also puts a high value on work-life balance. Striking a healthy balance between your personal and professional life is crucial to your happiness and success here, which is why we aren’t focused on how many hours you spend at work or online. Instead, we’re happy to offer a flexible schedule so you can have a more productive and well-balanced life—both in and outside of work.

    We have a formal mentor search application that lets you find a mentor that works best for you based on location, job family, job level etc. Your manager can also help you find a mentor or two, because two is better than one. In addition to formal mentors, we work and train together so that we are always learning from one another, and we celebrate and support the career progression of our team members.

    Here at AWS, we embrace our differences. We are committed to furthering our culture of inclusion. We have ten employee-led affinity groups, reaching 40,000 employees in over 190 chapters globally. We have innovative benefit offerings, and we host annual and ongoing learning experiences, including our Conversations on Race and Ethnicity (CORE) and AmazeCon (gender diversity) conferences. Amazon’s culture of inclusion is reinforced within our 14 Leadership Principles, which remind team members to seek diverse perspectives, learn and be curious, and earn trust.

    This role is available for hire in the following locations: Arlington, VA; Herndon, VA; Tempe, AZ; and Seattle, WA.


    · 10+ years as a Software Technical Program Manager (TPM)
    · Experience leading security product and services teams to address complex security challenges at scale
    · Innate sense of ownership combined with collaborative approach to overcoming challenges and influencing organizational change
    · Demonstrated ability to deliver in scope and on time
    · Ability to communicate effectively, orally and in writing, with both technical and non-technical stakeholders
    · Experience with business applications such as Word, Excel and Project
    · Experience with program and project management software and techniques

    Amazon is committed to a diverse and inclusive workplace. Amazon is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status. For individuals with disabilities who would like to request an accommodation, visit




    AWS Support is a self-standing business (P&L) within AWS and continues to be one of AWS’s fastest and most innovative businesses. Kumo is AWS Support’s product and engineering arm. Kumo builds the technology that enables AWS Support to scale across 200+ (and growing) AWS services and 1000s of AWS features launched annually. Kumo’s technology platforms and products are leveraged by over 8,000 support/ITS engineers, technical account managers, and support associates, as well as 2,700 Solution Architects and service team SDEs.

    Security is our highest priority within Kumo. Kumo is investing in preventive, detective, and corrective security controls to cover an ever-increasing surface area. We are looking for a security-focused Principal Technical Program Manager. This is a builder role that requires: 1) deep analytical and problem-solving skills as we encounter new use cases and constraints; 2) working with software engineering teams to build scalable technical security controls; and 3) building processes and mechanisms to support adoption of that technology. The role has constant exposure to executive leadership and requires excellent written and verbal communication.


    · 8+ years technical product or program management or technical leadership experience
    · 2+ years of project delivery experience working with internal and/or external customers to launch security related programs, products or services (within the last 8 years)
    · 5+ years of experience working across multiple engineering and operational teams to build and successfully deliver on business outcomes (e.g., increased security, operational savings, etc.)
    · 5+ years of experience on and/or knowledge of computer security – threats, controls, best practices
    · 5+ years of experience working in roles requiring communication with a wide audience, from executives to individual contributors


    · Master’s degree in Computer Science, Engineering, or Information Security, or an MBA
    · Knowledge and prior use of AWS services
    · IS Security Certifications

    Amazon is committed to a diverse and inclusive workplace. Amazon is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status. For individuals with disabilities who would like to request an accommodation, please visit
