Amazon Web Services (AWS) said it will require multi-factor authentication (MFA) for all privileged accounts starting mid-2024, in a bid to improve default security and reduce the risk of account hijacking.
From that time, any customer signing into the AWS Management Console with the root user of an AWS Organizations management account will be required to use MFA to proceed, chief security officer Steve Schmidt said in a blog post.
“Customers who must enable MFA will be notified of the upcoming change through multiple channels, including a prompt when they sign into the console,” he added.
“We will expand this program throughout 2024 to additional scenarios such as standalone accounts (those outside an organization in AWS Organizations) as we release features that make MFA even easier to adopt and manage at scale.”
The move follows previous AWS efforts to improve take-up of MFA. The firm began offering a free security key to account owners in the US from fall 2021, and a year later enabled organizations to register up to eight MFA devices per account root user or per IAM user in AWS.
“We recommend that everyone adopts some form of MFA, and additionally encourage customers to consider choosing forms of MFA that are phishing-resistant, such as security keys,” Schmidt concluded.
“While the requirement to enable MFA for root users of AWS Organizations management accounts is coming in 2024, we strongly encourage our customers to get started today by enabling MFA not only for their root users, but for all user types in their environments.”
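One way to act on that recommendation today is to audit which console-capable identities (the root user and any IAM user with a password) still lack MFA. The helper below is an added example, not code from AWS or this article; the credential report is a constructed sample using the same column layout as `aws iam get-credential-report`, and the account ID 111122223333 is a placeholder.

```shell
#!/bin/sh
# Constructed sample of an IAM credential report (the CSV you get after
# base64-decoding the Content field of `aws iam get-credential-report`).
# Values are hypothetical; the root row reports "not_supported" for
# password_enabled, which is why root is handled separately below.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-10T09:00:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-01-09T08:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-05-06T00:00:00+00:00,true,no_information,2022-05-06T00:00:00+00:00,N/A,false,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-07-08T00:00:00+00:00,false,no_information,not_supported,N/A,false,true'

# Read a credential report CSV on stdin and print one line per identity that
# can sign in to the console (root, or an IAM user with a password) but whose
# mfa_active column is not "true". Columns are located by header name so the
# function keeps working if AWS appends new columns to the report.
users_without_mfa() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        {
            user = $col["user"]
            pw   = $col["password_enabled"]
            mfa  = $col["mfa_active"]
            if ((user == "<root_account>" || pw == "true") && mfa != "true") print user
        }'
}

# Against a real account (needs iam:GenerateCredentialReport and
# iam:GetCredentialReport; the report may take a moment to become ready):
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d | users_without_mfa
# Quick root-only check (prints 1 when the root user has MFA enabled):
#   aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'

# Offline demonstration on the constructed sample: prints <root_account> and bob.
printf '%s\n' "$SAMPLE_REPORT" | users_without_mfa
```

Access-key-only users such as deploy-bot are deliberately skipped, since MFA on the console login does not apply to them; they are a separate rotation and least-privilege concern.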
MFA is a critical step to mitigate the risk posed by phishing attacks on employees. An IBM X-Force study last month revealed that the top initial access vector for cloud compromise between June 2022 and June 2023 was the use of valid credentials by threat actors.
This happened in nearly two-fifths (36%) of real-world cloud incidents investigated by the security vendor, with credentials either discovered during an attack or stolen or phished before the account was targeted.