BOSTON -- Amazon executives urged enterprises to embrace multifactor authentication to better protect accounts as cloud attack surfaces continue to expand.
In the keynote session Tuesday during the re:Inforce 2022 conference, Amazon CSO Steve Schmidt and Kurt Kufeld, vice president of AWS platform, discussed calls to action including enabling MFA and blocking public access along with new initiatives, such as offering free security keys, that support those calls. The speakers emphasized how important access control is when it comes to cloud security.
During his time at AWS, Schmidt said one of the most important lessons he learned was to ask, who has access to what and why?
"An overly permissive environment guarantees headaches," Schmidt said during the keynote. "What do your people need to do their job? And need is the operative word here, and it has to be strictly enforced."
This becomes even more important when examining the growing scope of potential attacks. Schmidt said AWS currently tracks quadrillions of events every single month.
Enabling MFA is one of the easiest and best ways to add an extra layer of security for access to the cloud, Kufeld said. For example, if credentials become compromised on GitHub, users will still be protected if MFA is enabled.
He advised enabling it for AWS accounts as well as for use in everyday personal life.
"MFA is a must," Kufeld said during the keynote. "Accounts protected with MFA are significantly more secure than those that are not."
In addition to MFA, Kufeld addressed the importance of blocking public access. Turning on that feature when users don't need public access to an S3 bucket is critical. He went as far as to say that "it will absolutely save your life."
While new buckets and access points don't allow public access by default, Kufeld said users' customers could inadvertently allow it. He recommended restricting access initially since users can add customers and resources where necessary.
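The two calls to action above are easy to audit programmatically. The following helpers are an added example, not code from the keynote or from AWS: one evaluates a bucket's Block Public Access configuration (the dict boto3's s3.get_public_access_block returns, or None when the bucket has none), the other parses an IAM credential report (the CSV from iam.get_credential_report) for users who can sign in without MFA. The sample report is constructed and carries only a subset of the real report's columns.

```python
"""Audit helpers for the re:Inforce calls to action: S3 Block Public
Access on every bucket, MFA on every user who can sign in."""
import csv
import io

# The four flags in PublicAccessBlockConfiguration; all four must be True
# for a bucket to be fully protected from public ACLs and policies.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def bpa_gaps(config):
    """Return the Block Public Access flags that are not enabled.

    `config` is the PublicAccessBlockConfiguration dict for one bucket, or
    None when the bucket has no configuration at all (the API raises
    NoSuchPublicAccessBlockConfiguration, which the caller maps to None).
    """
    if config is None:
        return list(BPA_FLAGS)
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]


def users_without_mfa(credential_report_csv):
    """Parse an IAM credential report and return the users who can sign in
    to the console but have no active MFA device. The root user reports
    password_enabled as 'not_supported' but can always sign in, so it is
    always checked."""
    reader = csv.DictReader(io.StringIO(credential_report_csv))
    missing = []
    for row in reader:
        can_sign_in = (row["user"] == "<root_account>"
                       or row["password_enabled"] == "true")
        if can_sign_in and row["mfa_active"] != "true":
            missing.append(row["user"])
    return missing


# Constructed sample report (fictional account id and users, column subset).
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
ci-bot,arn:aws:iam::111122223333:user/ci-bot,false,false
"""

if __name__ == "__main__":
    print(users_without_mfa(SAMPLE_CREDENTIAL_REPORT))
    print(bpa_gaps({"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}))
```

Run it against the real report and every bucket's configuration and the two lists are exactly the gaps the keynote asked enterprises to close.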
Forrester Research senior analyst Jess Burn said the keynote's calls to action were needed because many organizations still struggle with enabling MFA throughout the organization and blocking public access to their cloud instances. In addition, she said, the broadening attack surface in the cloud has added another layer of urgency for both enterprises and public sector entities.
"Attack surface is expanding because there are so many cloud services -- it's not just instances and infrastructure, but small apps and services. And you won't know if a cloud app has a vulnerability or an access misconfiguration if you don't know you're using it," she said, referring to shadow cloud usage.
New security offerings
To drive the calls to action, AWS expanded the eligibility to receive free MFA security keys, an initiative that it piloted last fall. Now, U.S.-based account users who have spent more than $100 each month over the past three months can use the key to connect to applications including AWS, Dropbox, GitHub and Gmail. In a blog post earlier this month, AWS noted the importance of security keys particularly for companies in the early stages of implementing MFA.
Also announced at re:Inforce 2022 was GuardDuty Malware Protection, which detects suspicious activity on AWS accounts and workloads. The malware scanning is agentless, so software deployment is not required, and because it runs in the AWS service account, there is no disruption to workloads.
AWS also announced that AWS Security Hub, which collects and analyzes security data throughout a customer environment, automatically receives any findings from GuardDuty Malware Protection. The findings can be investigated further through Amazon Detective, a managed threat hunting service.
Security news editor Rob Wright contributed to this report.