Amazon Web Services has launched numerous security innovations in its first two decades. Three in particular will play key roles in how the hyperscaler responds to some of the most challenging cyber issues yet.
As Amazon celebrates the 20th anniversary of its AWS cloud this year, the world’s biggest cloud computing provider now faces two giant cybersecurity threats — AI and quantum.
How the company will navigate these emerging issues to ensure the security and resilience of systems used by its millions of corporate customers remains an evolving question. But senior executives at AWS believe key decisions and innovations the company has made throughout its 20-year run position it to handle these threats.
Here is a look at three key AWS advances and how they factor into what the company and its customers are dealing with as emerging threats now and in the years ahead.
Nitro and ‘zero humans’ infrastructure
When Amazon released Virtual Private Cloud, its networking layer for AWS, in 2009, it was all software.
“Now VPC is implemented in hardware,” says Eric Brandwine, who first came to AWS more than 18 years ago to work on that project and is now a VP and distinguished engineer for Amazon security.
What changed was 2017’s introduction of Nitro, a hardware foundation for networking, security, and the hypervisor that enforces strong isolation between customer instances. Amazon paid more than $350 million for a fabless semiconductor company in 2015 to make the technology shift possible.
“Commercial hypervisors are a mature and appropriate technology but not designed for cloud scale for the kind of multi-tenancy we have,” Brandwine tells CSO.
Nitro also enables Amazon to operate AWS without employees ever touching customer infrastructure. “With Nitro, there’s no human access to it,” he says. “This is one of the reasons why we’re able to offer bare-metal instances.”
If maintenance is required, all customer content is removed from the machine before employees can get into it.
“And we’ve had third parties take a look at this process,” he adds, including NCC Group, which conducted an architecture review of Amazon’s security claims in 2023.
Today, Nitro is the trust foundation for protecting the company’s quantum-safe encryption keys, securing the identities of AI agents, protecting AWS infrastructure against rogue agents, and providing the confidential computing foundation for AI workloads themselves.
Symmetric cryptography and the quantum threat
Back in the early 2010s, most hardware security modules used asymmetric cryptography to protect security keys. Asymmetric cryptography, the kind used to secure online communications, involves pairs of keys — one to lock, another to unlock. It’s a very useful and convenient approach when dealing with multiple parties.
Amazon chose to use symmetric encryption instead, where the same key is used to both lock and unlock the data, because it’s faster and more efficient.
“One of the things we did 15 years ago is that to authenticate customers who talk to us, we rely on symmetric cryptography,” says Ken Beer, director of AWS cryptography. “And the Key Management Service that I helped launch back in 2013, we also said we would rely on symmetric cryptography to protect all the keys.”
Today, over 99.9% of all the encryption of data at rest involves no asymmetric cryptography anywhere in the chain of keys that secure it, he says.
That turned out to be an extremely fortuitous decision.
The reason? Quantum computers are expected to be able to break today’s asymmetric encryption standards — but symmetric encryption is safe. And quantum computing progress has been moving so quickly of late that both Google and Cloudflare have moved up their timelines.
Companies of all sizes are now up against the clock to update their cryptography to quantum-safe algorithms — unless those algorithms are symmetric.
“We don’t have to change it, and we’re glad we don’t have to change it,” Beer says. As for all the data stored on Amazon’s servers, the company doesn’t have to decrypt and re-encrypt it with quantum-safe methods. It’s already quantum-safe.
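The key chain Beer describes, as an added illustration that is not AWS KMS code: a root key wraps a per-object data key and the data key encrypts the object, with every link AES-256-GCM, so nothing asymmetric appears anywhere in the chain. The record layout, the in-memory root-key map and the root key IDs are assumptions of the example; a real root key would live in an HSM. `Rewrap` shows the second point in the text: moving to a new root key re-wraps only the data key, and the stored ciphertext is never touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added illustration, not AWS KMS code: a two-level key hierarchy in which every link
// is AES-256-GCM, so no asymmetric primitive sits between the root key and the data.
// EnvelopeRecord is what would be stored next to an object (layout assumed here).
type EnvelopeRecord struct {
	RootKeyID      string
	WrappedDataKey []byte // data key sealed under the root key, nonce prepended
	Ciphertext     []byte // object sealed under the data key, nonce prepended
}

// aead builds AES-GCM for a 32-byte key; a missing map entry is a nil key and fails here.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prepends a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or any tampering yields an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// wrap seals dataKey under the named root key, binding it to that ID through the AAD.
func wrap(roots map[string][]byte, rootKeyID string, dataKey, ct []byte) (EnvelopeRecord, error) {
	wrapped, err := seal(roots[rootKeyID], dataKey, []byte("wrapped-data-key:"+rootKeyID))
	if err != nil {
		return EnvelopeRecord{}, fmt.Errorf("wrap under root key %q: %w", rootKeyID, err)
	}
	return EnvelopeRecord{RootKeyID: rootKeyID, WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// unwrap recovers the data key with the root key the record names.
func unwrap(roots map[string][]byte, rec EnvelopeRecord) ([]byte, error) {
	return open(roots[rec.RootKeyID], rec.WrappedDataKey, []byte("wrapped-data-key:"+rec.RootKeyID))
}

// Encrypt makes a fresh 256-bit data key per object, seals the object with it, wraps the key.
func Encrypt(roots map[string][]byte, rootKeyID string, plaintext []byte) (EnvelopeRecord, error) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey) // never returns an error on Go 1.24+
	ct, err := seal(dataKey, plaintext, nil)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return wrap(roots, rootKeyID, dataKey, ct)
}

// Decrypt unwraps the data key, then opens the object.
func Decrypt(roots map[string][]byte, rec EnvelopeRecord) ([]byte, error) {
	dataKey, err := unwrap(roots, rec)
	if err != nil {
		return nil, err
	}
	return open(dataKey, rec.Ciphertext, nil)
}

// Rewrap moves a record to another root key by re-wrapping only the data key; the object
// ciphertext is carried over untouched, so rotating a root key never re-encrypts the data.
func Rewrap(roots map[string][]byte, rec EnvelopeRecord, newRootKeyID string) (EnvelopeRecord, error) {
	dataKey, err := unwrap(roots, rec)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return wrap(roots, newRootKeyID, dataKey, rec.Ciphertext)
}

func main() {
	roots := map[string][]byte{"root-2015": make([]byte, 32), "root-2026": []byte("0123456789abcdef0123456789abcdef")} // constructed keys
	rec, _ := Encrypt(roots, "root-2015", []byte("customer record"))
	moved, _ := Rewrap(roots, rec, "root-2026")
	pt, err := Decrypt(roots, moved)
	fmt.Printf("%s now under %s (err=%v)\n", pt, moved.RootKeyID, err)
}
```

The AAD on the wrapped data key ties it to the root key ID it was wrapped under, so a record cannot be silently re-pointed at another root key without going through `Rewrap`; once a root key is removed from the map, every record still naming it becomes undecryptable, which is the property a key-deletion control relies on.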
That’s not to say that Amazon doesn’t have any asymmetric encryption anywhere. Communications with untrusted counterparties, or over the public Internet, require it.
AWS is targeting 2028 and 2029 to complete its public-certificate post-quantum authentication — there’s a delay there because the world still needs to agree on a common set of standards.
“It’s going to require cooperation between five or ten big vendors,” says Beer. “Once we agree on the method of validating digital signatures, then all the vendors that own different parts of the technology stack will go and implement it.”
Amazon has been a member of the CA/Browser Forum for over a decade, he says, referring to the industry body that sets the rules for how public key infrastructure works on the Internet. “We have confidence that we’ll move the industry by 2029.”
AWS customers who use AWS for their cryptographic heavy lifting get post-quantum protection for free without additional effort. Those who have their own asymmetric cryptography, however, will have to do some serious work.
“There’s potentially a lot of crypto embedded in people’s applications,” Beer says. “Can I find it? Can I change it? Do I have to go talk to some vendor I haven’t talked to in ten years — or that doesn’t exist anymore?” Those are the kinds of questions enterprise customers should be asking.
There have been no public instances of AWS Nitro or encryption infrastructure being compromised. The NCC report, as well as other analyst research, shows that it’s working.
But Amazon data breaches are constantly in the news. The reason? AWS customers are failing to secure their S3 buckets, leaking credentials, hard-coding keys, and making many other mistakes when managing their environments.
According to cybersecurity firm UpGuard, AWS S3 security is “flawed by design,” with thousands of breaches over the past few years detected by the firm.
“From the day that S3 launched, buckets have been secure by default,” counters Brandwine.
That is accurate, UpGuard says — but AWS makes it too easy to accidentally misconfigure buckets, it concludes.
Brandwine admits there’s an issue here. “If a customer has a bad day in the cloud, it’s something that they did,” he says. “But if a bunch of customers have a bad day in the cloud, we need to take a look.”
Say, for example, a company uses an S3 bucket to hold some content and then takes down the bucket — but there are still web pages, or services, or tools that link to it. Attackers can hijack these abandoned buckets and use them for malicious purposes.
This is user error — customers who take down buckets should also take down the links pointing to them. But it happens, and it happens frequently.
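The link hygiene described above, as an added example that is neither AWS nor UpGuard code: it pulls S3 bucket names out of the HTML, scripts and configuration text a site still ships and diffs them against the list of buckets the account actually owns, so a reference that outlived its bucket is found by the owner first. The URL forms covered, the sample assets and the inventory list are constructed for the example; in use, the inventory would be the account's own bucket listing.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Added example, not an AWS tool: find the S3 bucket names a site still
// references in the HTML, scripts and configs it ships, and diff them against
// the buckets the account actually owns. Anything referenced but not owned is
// a link that outlived its bucket and should be removed or the bucket reclaimed.

// bucketName is the S3 name grammar: 3-63 chars of lowercase letters, digits,
// dots and hyphens (upper case is tolerated here and normalised below).
const bucketName = `([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])`

var bucketPatterns = []*regexp.Regexp{
	// virtual-hosted and website endpoints: BUCKET.s3.amazonaws.com,
	// BUCKET.s3.REGION.amazonaws.com, BUCKET.s3-website-REGION.amazonaws.com
	regexp.MustCompile(`(?i)\b` + bucketName + `\.s3(?:[.-][a-z0-9.-]+?)?\.amazonaws\.com\b`),
	// path-style: s3.amazonaws.com/BUCKET, s3.REGION.amazonaws.com/BUCKET; the
	// leading "//" keeps BUCKET.s3.… hosts from being read as path-style
	regexp.MustCompile(`(?i)//s3(?:[.-][a-z0-9.-]+?)?\.amazonaws\.com/` + bucketName),
	// s3://BUCKET/key URIs in configs and scripts
	regexp.MustCompile(`(?i)\bs3://` + bucketName),
}

// BucketRefs returns the distinct bucket names referenced in text, lowercased and sorted.
func BucketRefs(text string) []string {
	seen := map[string]bool{}
	for _, re := range bucketPatterns {
		for _, m := range re.FindAllStringSubmatch(text, -1) {
			seen[strings.ToLower(m[1])] = true
		}
	}
	out := make([]string, 0, len(seen))
	for b := range seen {
		out = append(out, b)
	}
	sort.Strings(out)
	return out
}

// Dangling returns the referenced buckets absent from the account's inventory
// (the names an "aws s3api list-buckets" call would give; supplied by the caller).
func Dangling(refs, owned []string) []string {
	have := map[string]bool{}
	for _, b := range owned {
		have[strings.ToLower(b)] = true
	}
	out := []string{}
	for _, b := range refs {
		if !have[b] {
			out = append(out, b)
		}
	}
	return out
}

// sampleAssets is constructed input standing in for a crawled page and a config file.
const sampleAssets = `
<script src="https://static-assets.example.s3.amazonaws.com/app.js"></script>
<img src="https://s3.us-east-1.amazonaws.com/legacy-images-2019/logo.png">
<a href="http://docs.example.com.s3-website-us-west-2.amazonaws.com/">docs</a>
backup_uri = s3://nightly-dumps/2024/
`

func main() {
	refs := BucketRefs(sampleAssets)
	owned := []string{"static-assets.example", "nightly-dumps"} // constructed inventory
	fmt.Println("referenced:", refs)
	fmt.Println("referenced but not owned:", Dangling(refs, owned))
}
```

Running this against the constructed assets reports `legacy-images-2019` and `docs.example.com` as referenced but not owned; in practice the check belongs in the same job that crawls your own pages and templates, run on every release, so a bucket teardown and the links that point at it are never out of step.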
“So we built a thing called active defense,” says Brandwine.
When Amazon detects someone trying to use a dictionary attack to guess bucket names, “we lie to them and say, ‘Bucket not found,’” he says. “It makes scanning ineffective and has effectively ended dictionary attacks against S3.”
But the AWS infrastructure is complex, and there are many instances in which enterprise customers can easily set up policies incorrectly. And it’s not just customers.
Amazon employees also make mistakes. In CodeBreach, AWS engineers misconfigured AWS’s own systems, according to Wiz researchers.
Attackers have always looked for opportunities to exploit misconfigurations, weak credentials, and similar customer-side problems. Now, with AI, the risks are greater than ever.
“AI isn’t changing what threat actors do,” says Gee Rittenhouse, VP of security services at Amazon. “It changes the speed and scale at which they operate. We still see the primary threat vectors, such as phishing and credential compromise, but the exploits are much faster.”
Amazon is also leveraging this technology, he says.
At the end of March, AWS launched its AWS Security Agent for on-demand penetration testing and its AWS DevOps agent, which autonomously resolves incidents.
“We have attacker agents pitted against defender agents and what used to take a few weeks we’re now able to do in a few hours,” he says.
But there’s another way in which AI is a big emerging threat for Amazon. The AI agents that enterprises are building and deploying on AWS could be the next big breach vector, the new equivalent of unsecured S3 buckets.
Can Amazon take its successes at securing its own infrastructure and combine them with the lessons learned from years of S3 bucket breaches to build a security foundation for AI agents?
Rittenhouse says yes. And a lot of it comes down to the agent authentication layer and access privileges.
“We just released a new authentication, the OAuth 2 token exchange,” he says. It’s part of Amazon Bedrock AgentCore Identity, and it involves keeping track of which user the AI agent is acting on behalf of, and what resources it’s trying to access.
“It evaluates whether the agent can do this before it does it, at the infrastructure layer,” says Rittenhouse. “And if it’s no, it’s not allowed to do it then, regardless of the command, or whether it’s hallucinating, or whether it’s been taken over, our infrastructure does not allow that.”
“That’s the advantage we have,” he adds. “We go all the way from the infrastructure layer.”
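The pre-action check Rittenhouse describes, as an added example that is not Amazon Bedrock AgentCore code: a delegated token names the user, the agent and the scopes the user handed over, and one enforcement point evaluates every tool call against both that delegation and the user's own permissions before anything runs. The token fields, the grant store, the user names and the tool are hypothetical; what carries over is that the decision is made outside the model, so a hallucinated or injected request fails the same way as any other unauthorised one.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example, not Amazon Bedrock AgentCore code: a single enforcement point
// between an agent and the tools it calls. The delegated-token shape, the grant
// store, the user names and the tool are all hypothetical; the design point is
// that the check runs before the call and is keyed on the human the agent acts for.

// DelegatedToken is what a token exchange might hand an agent (hypothetical shape).
type DelegatedToken struct {
	Subject string    // user the agent acts on behalf of
	Actor   string    // the agent's own identity
	Scopes  []string  // actions the user delegated to this agent
	Expires time.Time // delegations are short-lived
}

// Grant is a permission the user holds directly; Resource may end in "*".
type Grant struct{ Action, Resource string }

// userGrants is a constructed stand-in for an IAM-style permission store.
var userGrants = map[string][]Grant{
	"alice": {{"read:tickets", "tickets/*"}, {"write:tickets", "tickets/*"}},
}

// ErrDenied is returned for every refused call so callers can tell a policy
// refusal from a tool failure.
var ErrDenied = errors.New("denied at enforcement point")

func matchResource(pattern, resource string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}

// Authorize decides whether this agent, acting for this user, may perform action
// on resource right now. Both the delegation and the user's own permission must
// hold: an agent can never do more than its user, and never more than it was lent.
func Authorize(tok DelegatedToken, now time.Time, action, resource string) (bool, string) {
	if !now.Before(tok.Expires) {
		return false, "delegated token expired"
	}
	delegated := false
	for _, s := range tok.Scopes {
		if s == action {
			delegated = true
			break
		}
	}
	if !delegated {
		return false, fmt.Sprintf("%s did not delegate %s to %s", tok.Subject, action, tok.Actor)
	}
	for _, g := range userGrants[tok.Subject] {
		if g.Action == action && matchResource(g.Resource, resource) {
			return true, "allowed"
		}
	}
	return false, fmt.Sprintf("%s holds no %s grant on %s", tok.Subject, action, resource)
}

// CallTool is the only path from the agent to a tool. Whatever the model asked
// for, and whatever its reason, the request is evaluated here first.
func CallTool(tok DelegatedToken, now time.Time, action, resource string) (string, error) {
	ok, reason := Authorize(tok, now, action, resource)
	fmt.Printf("audit actor=%s subject=%s action=%s resource=%s decision=%q\n",
		tok.Actor, tok.Subject, action, resource, reason)
	if !ok {
		return "", fmt.Errorf("%w: %s", ErrDenied, reason)
	}
	// Hypothetical tool body; a real one would call the backing service here.
	return fmt.Sprintf("%s on %s done for %s", action, resource, tok.Subject), nil
}

func main() {
	now := time.Now()
	tok := DelegatedToken{Subject: "alice", Actor: "support-agent", Scopes: []string{"read:tickets"}, Expires: now.Add(time.Hour)}
	CallTool(tok, now, "read:tickets", "tickets/1234")  // allowed
	CallTool(tok, now, "write:tickets", "tickets/1234") // alice can, but did not delegate it
	CallTool(tok, now, "read:tickets", "billing/2026")  // outside alice's grant
}
```

The two-sided check is the part worth keeping: the delegation bounds what the agent may ask for, the user's grants bound what the user could ever do, and a request has to pass both. The audit line records the subject as well as the actor, which is what lets an investigation answer "on whose behalf was this agent acting" after the fact.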