AWS makes strong case for its security advantages at re:Inforce

Taking aim at competitors

Over the past few years, Microsoft and Google have been aggressively competing with AWS in technology maturity, security and cloud capabilities. In terms of customer workloads, AWS continues to be the largest cloud provider, however Microsoft and Google have steadily shrunk AWS' massive lead and are no longer distant laggards.

However, Microsoft has been plagued by a string of security incidents involving Azure as well as other services. In April 2024, the U.S. Department of Homeland Security's Cyber Safety Review Board said Microsoft's security culture is "inadequate and requires an overhaul." Meanwhile, Google Cloud released a number of new security capabilities and services earlier this year from its 2022 acquisition of Mandiant.

From a timing perspective, AWS re:Inforce provided the perfect opportunity for the company to make a strong case for its security advantages over competitors.

AWS CISO Chris Betz kicked off the conference keynote with the message that security is and has always been foundational to Amazon Web Services. He further elaborated that not all cloud providers are the same, especially when it comes to security. He stressed that AWS infrastructure is secure by design and is based on a robust security culture that it has built over a long period of time.

Betz's message was not new; in fact, this was the same message delivered in the inaugural re:Inforce conference keynote in 2019. However, this year, Betz's message spoke volumes, contrasted against Microsoft's track record of security fumbles and Google's brand-new security capabilities.

AWS made the case that it has been taking security more seriously than its cloud rivals starting with two big announcements to underscore AWS' cybersecurity differentiators.

1. Security features start at the silicon level

Last year, AWS announced its more efficient fourth-generation Graviton4 processor that includes full encryption of all high-speed physical interfaces to protect against hardware-based attacks. In the keynote, Betz elaborated on Graviton4's previously undisclosed embedded security capabilities, which support pointer authentication and branch target identification that work to defend against return-oriented programming and jumper-oriented programming attacks.

Betz also revealed Graviton4 defends against speculative execution vulnerabilities by eliminating simultaneous multithreading. In conjunction with embedded security at the silicon level, the AWS operating system, Amazon Linux 2023, also supports pointer authentication and branch target identification to protect all software packages compiled for the operating system. AWS' approach to security starting at the silicon level to the operating system is a powerful and unique differentiator compared to other cloud providers.

2. Sonaris cloud security

Betz also introduced Sonaris, an internal tool AWS uses to detect and defend against unauthorized and malicious external scanning or attempted connections to AWS infrastructure.

Once unauthorized traffic is detected, Sonaris provides contextualized mitigation recommendations that provide an alert or trigger an automated response to services such as AWS Web Application Firewall, Shield, Virtual Private Cloud and Simple Storage Service (S3) to preemptively block malicious access to customer resources and data hosted on AWS.

Sonaris also detects and alerts if customer accounts are accessed by unauthorized users using compromised identity and access management (IAM) access keys. As a proof point of the tool's efficacy, Betz highlighted that Sonaris denied 24 billion attempts to enumerate S3 buckets and 2.6 trillion attempts to discover vulnerable services on Elastic Cloud Compute in the past 12 months. While AWS' cloud rivals have distributed denial-of-service protection capabilities, those capabilities do not provide the same level of security as Sonaris.

The effectiveness of Sonaris is welcome news, since research from TechTarget's Enterprise Strategy Group has shown that over three-quarters (76%) of organizations surveyed experienced some type of cyberattack in which the attack itself started through an exploit of an unknown, unmanaged or poorly managed internet-facing asset.

Here is a rundown of other highlights from the conference in case you missed them:

• AWS Private CA Connector for SCEP. Currently in preview, this release will enable customers to use AWS private certificate authority (CA) with popular mobile device management tools to reduce the time and expense of self-managing public key infrastructure using a managed private CA along with a managed Simple Certificate Enrollment Protocol service.
• MFA enforcement. Beginning in early 2024, AWS began enforcing MFA, starting with the management account root user for AWS Organizations to prevent credential attacks and reduce the risk of account takeover.
• Passkeys as multifactor authenticators in AWS IAM. This feature provides customers the ability to use authenticators on their mobile phones and laptops to add phishing-resistant credentials to their AWS sign-ins.
• IAM Access Analyzer unused access findings recommendation. Currently in preview, this entitlement feature enables security teams to centrally view unused access across an organization. This service provides prescriptive guidance and policy recommendations to refine unused access. AWS offers this service at no additional cost.
• Amazon GuardDuty Malware Protection for S3. An extension of Amazon GuardDuty, Malware Protection detects malicious file uploads to any S3 bucket across an organization. The feature automatically scans files for malware as they are uploaded to S3, with the option to isolate or eliminate any malware found.
• Generative AI-powered query generation AWS CloudTrail Lake. This new generative AI feature, currently in preview, enables customers to more easily analyze AWS activities in CloudTrail Lake using natural language without requiring complex SQL statements.
• AWS Audit Manager extends generative AI best practices framework to Amazon SageMaker. This is a version 2 update to the AWS Audit Manager generative AI best practice framework on AWS Audit Manager. In version 1, the standard controls included were preconfigured to work with Amazon Bedrock and now, with this new version, Amazon SageMaker is also included as a data source for control and visibility of generative AI workloads on both Amazon Bedrock and Amazon SageMaker.

David Vance is a senior analyst covering risk and vulnerability management for TechTarget's Enterprise Strategy Group. He has more than 25 years of IT and cybersecurity experience helping clients be more successful in the market.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.