As the chief information security officer (CISO) of Amazon Web Services (AWS), Chris Betz ensures that the cloud infrastructure operated by AWS is as safe and secure as possible for everyone. That means keeping AWS customer data secure, while also securing the data of the customers of companies that use AWS. So how does Betz (a former AWS customer himself) approach that massive, and massively important, job?
We spoke to Betz just ahead of AWS re:Inforce, the company’s annual cloud security conference, where attendees collaborate with experts, partners, and builders who are driving the future of security in the generative AI era. Here, in his own words, are seven reasons why security has been a company-wide priority since Day 1 and will always be Amazon’s top priority.
1. Good security is the key to experimenting with new technologies, including generative AI
Generative AI can transform virtually every customer experience through powerful tools that are accessible to everyone. However, without clear governance, generative AI is raising security and privacy concerns. As a result, it’s not uncommon for employees at organizations keen on generative AI to see security as a gatekeeper—or the “Department of No.” That is not only wrongheaded, but bad for business. At AWS, we’ve always believed that security is a business enabler. Security reduces risk, reinforces resilience, and empowers customers to innovate faster and with confidence—especially in the rapidly evolving era of generative AI.
We want to get our customers’ security teams to the place where they are seen as the “Department of Yes,” and where they work with employees to support their business objectives, understand risks, and help them put the necessary mitigations in place.
2. Security is everyone’s job—from the CEO to the developer
A recent report from a U.S. government advisory board makes clear that a deficient security culture can be a root cause for avoidable errors that allow intrusions to succeed and remain undetected. At AWS, we made an intentional choice for the security team to report directly to the CEO. The goal was to build security into the structural fabric of AWS. Security starts at the top, but it’s just as important that responsibility flows from the bottom up. Security is not just the security team’s job—it’s a distributed responsibility.
Every product team is responsible for the security of the service or capability that they deliver. Security is built into every product road map, engineering plan, and weekly stand-up meeting, just as much as capabilities, performance, and cost are. The best security is not something that can be “bolted on” at the end of a process or on the outside of a system; rather, security is integral and foundational.
3. A secure approach to generative AI means putting customers in control of their data
The biggest concern I hear from customers as they explore how to adopt generative AI is how to protect their data as well as the data of their end-customers. From day one, AWS AI infrastructure and services have had built-in security and privacy features to give customers control over their data. Our AWS Nitro System plays a key role here. Nitro’s specialized hardware and associated firmware enforce restrictions so that nobody, including anyone at AWS, can gain logical access the underlying infrastructure, workloads, or data running on customers’ Amazon Elastic Compute Cloud (Amazon EC2) virtual servers.
When it comes to securely building generative AI applications, our Amazon Bedrock service gives customers full control over the data they use to customize the foundation models behind their applications. With Bedrock, their data is encrypted in transit and at rest, ensuring that their data remains private and confidential.
4. Generative AI has the power to boost customer security
The same power and ease-of-use that is making generative AI extremely attractive to customers also makes it an indispensable tool to IT and security administrators to help them identify and resolve issues more effectively. At this year’s re:Inforce we announced two new generative AI-powered security features:
A new natural language query generation capability enables security administrators to easily and quickly analyze activity events in AWS CloudTrail Lake, a service that lets organizations store and query events for security investigations. Now security administrators can ask questions, such as “How many errors were logged during the past week for each service and what caused each error?,” and CloudTrail will generate a query.
AWS Audit Manager customers can now access a prebuilt framework to understand how their generative AI implementation on Amazon SageMaker matches AWS recommended best practices. SageMaker customers can now start auditing their generative AI usage and automating evidence collection, providing a consistent approach for tracking AI model usage and permissions, flagging sensitive data, and alerting any issues.
5. The best security defense is a good offense
Every day across AWS infrastructure, we scan for, detect, and thwart cyberattacks. With the largest public network footprint of any cloud provider, AWS has unparalleled insight into certain activities on the internet, in real time. Last fall we shared details about MadPot, our globally distributed network of threat sensors (aka honeypots) that help our teams understand attackers’ tactics and techniques. Any time an attacker tries to target one of our threat sensors, we use that threat intelligence to help protect customers.
Additionally, at re:Inforce this year, for the first time we publicly discussed Sonaris, an internal tool we use to analyze network traffic to identify and stop malicious attempts to connect to a large number of customer accounts to find vulnerabilities. Between May 2023 and April 2024, Sonaris denied over 24 billion attempts to scan customer data stored in Amazon Simple Storage Service (Amazon S3) and prevented nearly 2.6 trillion attempts to discover vulnerable services running on customers’ Amazon EC2 virtual servers. This is a staggering amount of work that happens behind the scenes to ensure that a customer’s business continues uninterrupted.
6. Good security includes getting the basics right
While passwords help protect digital assets, they are not enough. Multifactor authentication (MFA), which requires users to provide more than just a password to access a website or application, acts as an additional layer of security. It’s been around for more than 20 years but still isn’t universally adopted.
To help AWS customers safeguard their accounts, earlier this year we started a new program that will enforce MFA for root user accounts of AWS Organizations—a tool to manage AWS environments with multiple accounts—to further reduce the risk of account takeover, offering customers a free MFA security key. To make MFA even easier to adopt, at re:Inforce this year we announced that AWS Identity and Access Management (IAM)—a tool used to securely manage identities and access to AWS services and resources—now supports passkeys as a second authentication method. Passkeys use public key cryptography, which enables strong, phishing-resistant authentication that is more secure than passwords.
7. Security requires constant commitment to innovate
Every day, the world’s fastest-growing startups, largest enterprises, and most trusted governmental organizations use AWS to run their technology infrastructure. They choose us because security has been our top priority from day one. We designed AWS to be the most secure way for our customers to run their workloads, and we’ve built our internal culture around security as a business imperative. We continue to innovate on behalf of our customers so they can move quickly, securely, and with confidence to enable their businesses, and our track record in the area of cloud security is second to none. Cybersecurity challenges will continue to evolve, and while we’re proud of our achievements to date, we’re committed to constant improvement as we innovate and advance our technologies and our culture of security.