Amazon Web Services (AWS) said it will require multi-factor authentication (MFA) for all privileged accounts starting in mid-2024, aiming to improve security by default and reduce the risk of account takeovers.
From that point on, all customers signing in to the AWS Management Console as the root user of an AWS Organizations management account will need to use MFA to proceed, Chief Security Officer Steve Schmidt said in a blog post.
“Customers who need to enable MFA will be notified of the upcoming change through multiple channels, including a prompt when they log in to the console,” he added.
“We will expand this program throughout 2024 to additional scenarios such as standalone accounts (those outside of an organization in AWS Organizations) as we release features that make MFA even easier to adopt and manage at scale.”
This move follows AWS’s earlier efforts to drive MFA adoption. The company began offering a free security key to account owners in the United States in the fall of 2021 and, a year later, allowed up to eight MFA devices to be registered per account root user or per IAM user.
“We recommend that everyone adopt some form of MFA and further encourage customers to consider choosing phishing-resistant forms of MFA, such as security keys,” Schmidt concluded.
“While the requirement to enable multi-factor authentication for root users of AWS Organizations management accounts is coming in 2024, we strongly encourage our customers to get started today by enabling multi-factor authentication not only for their root users, but for all types of users in their environments.”
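A practitioner reading this will want to know which of their identities are still without MFA before the requirement lands. The following check is an added example and is not code from AWS or from the article: it reads an IAM credential report (the CSV that `aws iam generate-credential-report` produces and `aws iam get-credential-report` returns base64-encoded in its `Content` field) and lists the root user and any password-enabled IAM user that has no MFA device. The report text below is constructed for the example; the column names match the real report, but the rows, account ID and user names are made up, and only the columns the check reads are included (the real report has more, which is harmless because rows are read by header name).

```python
import base64
import csv
import io

# Constructed sample shaped like an IAM credential report. Header names are the
# real report's; the account ID, users and values are invented for this example.
# The real report has additional columns (access key rotation dates, certs, ...)
# that this check does not read.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-15T09:12:00+00:00,false,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-03T00:00:00+00:00,true,2024-01-10T08:00:00+00:00,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2021-03-03T00:00:00+00:00,true,no_information,false,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-06T00:00:00+00:00,false,no_information,false,true,false
"""

# The root user appears in the report under this literal user name.
ROOT_USER = "<root_account>"


def decode_report(content_b64):
    """Decode the base64 'Content' field returned by `aws iam get-credential-report`."""
    return base64.b64decode(content_b64).decode("utf-8")


def parse_report(csv_text):
    """Parse credential-report CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def root_mfa_enabled(rows):
    """True if the account's root user has an MFA device registered."""
    for row in rows:
        if row["user"] == ROOT_USER:
            return row["mfa_active"] == "true"
    raise ValueError("credential report has no root user row")


def console_users_without_mfa(rows):
    """IAM users who can sign in with a password but have no MFA device.

    Users without a console password (for example access-key-only service users)
    are skipped: MFA does not apply to their sign-in, so they are not findings
    here, although their long-lived keys deserve a separate review.
    """
    return sorted(
        row["user"]
        for row in rows
        if row["user"] != ROOT_USER
        and row["password_enabled"] == "true"
        and row["mfa_active"] != "true"
    )


def findings(rows):
    """Human-readable list of identities that should have MFA but do not."""
    out = []
    if not root_mfa_enabled(rows):
        out.append("root user has no MFA device")
    for user in console_users_without_mfa(rows):
        out.append(f"console user '{user}' has no MFA device")
    return out


if __name__ == "__main__":
    # Against a live account you would feed decode_report(...) the Content field
    # from `aws iam get-credential-report`; here the constructed sample is used.
    for finding in findings(parse_report(SAMPLE_REPORT)):
        print(finding)
```

Two caveats when using this against a real account: the credential report only covers the root user and IAM users, so identities arriving through IAM Identity Center or a federated identity provider must have MFA enforced at the IdP and will not show up here; and the report records only whether MFA is active, not which kind, so it cannot tell a phishing-resistant security key from a TOTP app.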
MFA is a critical step in mitigating the risks posed by phishing attacks against employees. An IBM X-Force study last month revealed that the primary initial access vector for cloud compromise between June 2022 and June 2023 was the use of valid credentials by malicious actors.
This occurred in almost two-fifths (36%) of real-world cloud incidents investigated by the security vendor, with credentials discovered during an attack or stolen/phished before targeting an account.