How AWS is protecting customers from cyber threats

Amazon Web Services (AWS) has been honing its multi-layered threat intelligence capabilities to protect its customers from the growing number of cyber attacks for a while now, but it’s only in recent years that the cloud giant has lifted the veil on its security operations.

“Our model for threat intelligence has been to avoid customer involvement as much as possible,” said CJ Moses, chief information security officer and vice-president of security engineering at Amazon. “We handle the threats so customers don’t have to.”

At the heart of AWS’s threat intelligence capabilities is MadPot, a network of distributed honeypots spread across the Amazon EC2 compute environment. These honeypots, intentionally vulnerable and mirroring various instance types, act as decoys, attracting and analysing malicious activities.

“On average, we see about three-quarters of a billion hits a day,” Moses said, noting the sheer volume of threat activities that AWS sees from its honeypots. The data about the activities is then fed into Sonaris, a system that automatically blocks and mitigates high-confidence threats, ensuring customer workloads remain unscathed.

AWS also uses Mithra, a neural network-powered graph database, to analyse domain activity and identify hundreds of thousands of derogatory or nefarious domains each day. This enables AWS to proactively block malicious domains, disrupting phishing attacks and malware distribution before they reach customers.

All of that work has to be automated and done in as real time as possible, given the dynamic nature of AWS’s infrastructure, where 23% of IP addresses are changed in a three-minute period, rendering traditional IP-based threat intelligence ineffective. “The reliance on third-party threat intelligence doesn’t work for us,” said Moses.

Moreover, the speed at which threat actors operate – a new MadPot sensor with a new vulnerability will be scanned within 90 seconds and attacked within three minutes – requires AWS to be much more responsive given the scale of its operations. “The meaningful metric for us is mean time to defence,” Moses said. “We need to be faster than the attackers, so it has to be within minutes, even seconds in some cases, to be effective.”

While automated systems form the backbone of AWS’s security, human expertise is still crucial. Specialised threat engineers, often recruited from the intelligence community, use the insights generated by these systems to hunt for sophisticated threats and uncover emerging attack patterns. “You’re never going to replace smart humans who can look at the things that generative AI may call out as aberrations,” said Moses.

AWS’s security capabilities are increasingly drawing customers that are concerned about cyber threats, particularly those that are growing rapidly but lack security expertise. Moses advised businesses to focus on bespoke threat intelligence relevant to their industry while relying on AWS to handle the broader threat landscape.

For larger enterprises that need more assistance to mitigate cyber threats, AWS has introduced a new incident response service that takes and summarises security alerts from different security tools, including Amazon GuardDuty, to automatically triage and respond to security incidents.

Announced at AWS re:Invent 2024, the service, available at different tiers with prices starting from $7,000 per month, also provides access to a global incident response team that helps customers respond to high-priority threats in a contracted service level agreement.

“Over time, we noticed that we were helping more customers respond to security incidents on the customer side of responsibility,” said Phil Rodrigues, AWS’s global head of customer security outcomes, referring to the company’s shared responsibility model. “It made a lot of sense to ask us for help because it’s our platform, and that led us to launch this service, which is a combination of both technology and AWS experts at the same time.”