AWS kicks off cloud race to mandate MFA by default
AWS said most-privileged users, and eventually more account types, will be required to use multifactor authentication beginning in mid-2024. The move makes the cloud giant the first of the three major hyperscalers to commit to MFA baseline controls by default.
“AWS is further strengthening the default security posture of our customers' environments by requiring the use of MFA, beginning with the most privileged users in their accounts,” Amazon CSO Steve Schmidt said in a blog post.
“Beginning in mid-2024, customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed,” Schmidt said. Root users have complete access to all AWS services and resources in the account.
AWS, Microsoft and Google allow administrators to set MFA as a requirement for specific users, but the authentication mechanism which is already widely considered a basic cybersecurity control has not previously been required by default. All three hyperscalers highly encourage customers to use MFA.
Federal cyber authorities are pushing to shift the responsibility for security in technology products and services to manufacturers and vendors. Cloud providers are central to that effort to ensure products are secure by design and default.
An MFA mandate for for all privileged users is one of the secure-by-default tactics recommended by cyber authorities in the U.S. and six other nations.
“Whether or not to require MFA to access cloud resources gets at the heart of the security challenges in the shared responsibility model for the public cloud,” Lee Sustar, principal analyst at Forrester, said via email.
MFA use has been viewed as a customer decision, but the company’s commitment to impose a mandate shows “AWS has decided that it is in the best interest of both themselves and their customers to make MFA a core part of cloud security,” Sustar said.
AWS’ closest cloud competitors are reacting to the news in different ways, as the largest cloud providers race to improve default security controls.
Google said it will mandate MFA for some accounts before the end of this year, a commitment that puts it ahead of AWS’ plans.
"Starting later this year, in a phased approach, select administrator accounts of our resellers and largest enterprise customers will be required to add [two-step verification] to their accounts to strengthen their security,” a Google spokesperson told Cybersecurity Dive.
“We're constantly evaluating the security of our customers and users and will continue to adjust our policies based on the level of risk,” the spokesperson said.
Google required consumers to use two-factor authentication starting in late 2021, but this marks the first such mandate for enterprise cloud customers.
Microsoft isn’t changing course yet. “Microsoft does not require MFA for commercial customers,” a company spokesperson told Cybersecurity Dive.
“However, in the last two years, we began enabling security defaults for all new Azure AD customers (including customers of the Azure AD free tier), and recently began enforcing security defaults to customers who haven’t enabled MFA or rolled out their conditional access policies yet,” the Microsoft spokesperson said.
Mark Ryland, director of Amazon Security, said the cloud provider is announcing this move now to provide customers adequate time and resources to enable MFA.
“Customers have been able to use MFA for their root users in AWS for a long time. However, historically the use of MFA has been optional,” Ryland said. “What is changing is that we will be gradually enforcing the use of MFA for AWS Console access, starting with the most privileged users.”
While a steady pace of phishing attacks against identity-based authentication shows the extent to which MFA defenses can crumble, even under unsophisticated tactics, AWS supports many forms of MFA, not just the phishing-resistant variants.
“While we strongly recommend phishing-resistant forms of MFA like security keys, any form of MFA is better than no MFA at all, and we encourage everyone who is currently using password-only authentication to adopt some form of MFA,” Ryland said.
AWS said it will expand this mandate throughout 2024 to additional scenarios such as standalone accounts.
“We at CISA are excited by AWS’ announcement strengthening the default security posture of their customers by beginning to require them to use MFA. MFA is an important security feature that we encourage all users to implement to practice better cyber hygiene,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said via email.
“CISA is also working with technology manufacturers to encourage them to develop products that are secure by design, shifting the burden from the user to the companies and manufacturers who are best equipped to understand and safeguard risks. This is an example of a company doing just that,” Goldstein said.