
What role does Amazon Web Services' unique security culture play?


BEIJING – April 25, 2024 Our customers choose Amazon Web Services to run their critical applications and most sensitive data. Every day, the world's fastest-growing startups, the largest enterprises, and the most trusted government agencies choose Amazon Web Services as their technology infrastructure platform. They choose Amazon Web Services because it was created with security as a top priority. We fundamentally designed Amazon Web Services to be the most secure platform for our customers to run their workloads, and we built a culture of security within the company as a necessity for running our business.


While technical security measures are important, organizations are made up of people. A recent report by the Cyber Safety Review Board (CSRB) makes it clear that a flawed security culture can be the root cause of avoidable errors that lead to intrusions, or that allow intrusions to go undetected for long periods of time.

Security is our top priority

Our security culture starts at the top and continues through every aspect of the company. Eight years ago, we decided to have the security team report directly to the CEO. This structure redefined how we embed security into our culture and, through the engagement and visibility of senior leadership, lets everyone in the company know that security is our highest priority. We empower our service teams to take full responsibility for the security of their services, and we scale security best practices and programs to give our customers the confidence to innovate on Amazon Web Services.

We believe there are four key principles for building a strong security culture:

  1. Embedding security into our organizational structure

At Amazon Web Services, we consider security to be a core function of our business, closely aligned with our mission goals. This is not merely a good intention; it is embedded directly in our organizational structure. At Amazon, we deliberately have all of our security teams report directly to the CEO, while also working closely with the business. The goal is to build security into the framework within which we make decisions. Each week, the AWS leadership team, led by our CEO, meets with the security team to discuss security issues, to ensure that we are making the right choices on tactical and strategic security matters, and to correct course where necessary. Our internal operational metrics report connects our security culture to its impact on our customers, links data to business outcomes, and provides opportunities for leadership engagement and questioning. Support for security at the highest executive level helps make security a business enabler that enhances the customer experience, rather than a hindrance.

  2. Security is everyone's job

The AWS security culture is built on a strong accountability model. Ownership is one of Amazon's "Leadership Principles." All employees receive regular security training to continuously reinforce the concept that "security is everyone's job." Each service and product team is solely responsible for the security of the service or feature it delivers. Security is built into each product's roadmap, engineering plan, and weekly meetings, just like functionality, performance, cost, and the other core responsibilities of the build team. Optimal security is not "bolted on" at the end of the process or outside the system; it is built into the fundamentals.

Amazon Web Services' business leadership prioritizes building products and services that are designed with security in mind. At the same time, they strive to create an environment that encourages employees to identify and report potential security incidents, even if they are unsure whether there is an actual problem. Escalation is part of how we operate at Amazon Web Services, and we provide a "safe reporting environment" for everyone. We encourage teams and employees to report and escalate any possible security issue or vulnerability to the security team as a high-priority ticket. We would rather hear about a possible security breach and investigate it, regardless of whether it turns out to be real. Our employees know that even if the final report turns out to be a false alarm, the company welcomes it.

  3. Distributing security expertise and ownership within Amazon Web Services

Our security team provides a number of critical capabilities and services that support and enable our engineering and service teams to discharge their security responsibilities effectively. We provide training, consulting, threat modeling tools, automated code scanning frameworks and tools, design reviews, penetration testing, automated API testing frameworks, and finally a security review of each new service or feature before release. The security reviewer has the authority to approve or block each release. If a service or feature does not pass the security review on its first attempt, we dig into why, so that we can improve the process and identify issues earlier in development. Releasing something that is not ready is a serious failure for us; we maintain high security standards and always strive to meet the expectations of our customers.

One important mechanism we have developed over the years to decentralize security ownership is the Security Guardians program. The program trains, develops, and empowers service team developers in each two-pizza team to become security ambassadors or champions within their product team. At a high level, a Guardian is the "security conscience" of every team. Guardians ensure that security considerations are incorporated earlier and more often in their products, helping their colleagues build and release faster, while working closely with the central security teams to help ensure that Amazon Web Services maintains high security standards at all times. Security Guardians feel empowered as members of a cross-organization community and play a key role both within their team and across the company.

  4. Innovating to scale security

Another way we scale security culture at Amazon Web Services is through innovation. The tools and processes we build help all of us work as efficiently and stay as focused as possible. We use artificial intelligence (AI) to accelerate our security software development process, and new generative AI-based capabilities in Amazon Inspector, Amazon Detective, Amazon Config, and Amazon CodeWhisperer complement human skills by helping people make better security decisions and draw on broader knowledge. This model, which combines sophisticated tools with skilled engineers, is highly effective, because it leaves people free to make the nuanced decisions that effective security requires.

For large organizations, it can take years to evaluate every configuration and prove that a system is secure, and even then the system is constantly changing. Our automated reasoning tools use mathematical logic to answer critical questions about infrastructure and detect misconfigurations that could lead to data breaches. Provable security provides a higher level of assurance, both on and off the cloud. We apply automated reasoning in key service areas such as storage, networking, virtualization, identity, and encryption. Amazon's scientists and engineers also use automated reasoning to prove the correctness of critical internal systems. We process more than 1 billion mathematical queries every day to power Amazon Identity and Access Management Access Analyzer, Amazon Simple Storage Service (Amazon S3) Block Public Access, and other security products. Amazon Web Services is the first and only cloud provider to use automated reasoning at this scale.

Advancing the future of cloud security

At Amazon Web Services, we take our culture of security very seriously. We work backwards from our customers' perspective to continuously raise the standard of our security tools and capabilities. For example, Amazon Web Services supports encrypting everything. Amazon Key Management Service (Amazon KMS) is the first and only highly scalable, cloud-native key management system that is also FIPS 140-2 Level 3 certified. No one has access to a customer's plaintext keys, not even the most privileged administrators within Amazon Web Services. With the Amazon Nitro System, the foundation of our compute service Amazon Elastic Compute Cloud (Amazon EC2), we maximize the security of our customers' workloads, an industry-first innovation that is still unique today. The Nitro System provides industry-leading privacy and isolation for all computing needs, including the latest GPU-based generative AI workloads. No one, including the most privileged administrators within Amazon Web Services, has access to customers' workloads or data on Nitro-based EC2 instances.

We will continue to innovate for our customers so they can do business quickly, securely, and with confidence. When it comes to cloud security, we are always leading the way. Even so, cybersecurity challenges are constantly evolving, and while we are proud of what we have achieved so far, we will keep improving security through continuous innovation, better technology, and a stronger security culture.

By Chris Betz, Chief Information Security Officer, Amazon Web Services
