As Amazon marks two decades of its AWS cloud platform this year, the world’s largest cloud provider finds itself grappling with two massive cybersecurity challenges on the horizon — artificial intelligence and quantum computing.
How AWS plans to tackle these emerging risks to protect the systems relied upon by millions of business customers is still a work in progress. However, top AWS executives are confident that critical choices and technological breakthroughs made over the company’s 20-year history have prepared it well for these challenges.
Here’s an exploration of three pivotal AWS innovations and how they relate to the threats the company and its clients face today and in the coming years.
Nitro and infrastructure with zero human access
When Amazon launched Virtual Private Cloud (VPC), its networking backbone for AWS, back in 2009, it was built entirely in software.
“Today, VPC is driven by dedicated hardware,” explains Eric Brandwine, who joined AWS more than 18 years ago to lead that initiative and currently serves as vice president and distinguished engineer for Amazon’s security division.
The game-changer arrived in 2017 with the debut of Nitro, a purpose-built hardware layer handling networking, security, and the hypervisor responsible for strict isolation between customer instances. To make this technological leap possible, Amazon acquired a chip design company for over $350 million in 2015.
“Off-the-shelf hypervisors are well-proven and reliable, but they weren’t engineered for cloud-scale multi-tenancy like ours,” Brandwine explains to CSO.
Nitro also allows Amazon to run AWS without any staff ever having physical or remote access to customer infrastructure. “With Nitro, there’s a complete absence of human access to the system,” he notes. “This is a big part of why we can confidently offer bare-metal instance hosting.”
When hardware maintenance becomes necessary, all customer data is wiped from a machine before any personnel can interact with it.
“And this process has been independently verified by outside parties,” he points out, referencing a 2023 architecture audit by security firm NCC Group that examined Amazon’s security claims.
These days, Nitro underpins the trust layer for safeguarding quantum-safe encryption keys, verifying the identities of AI agents, shielding AWS infrastructure against rogue actors, and delivering the confidential computing backbone for running AI workloads.
Symmetric cryptography and quantum resilience
In the early 2010s, most hardware security modules depended on asymmetric cryptography to protect encryption keys. Asymmetric encryption, the approach commonly used to secure internet communication, relies on a key pair: a public key anyone can use to encrypt or verify, and a private key held by one party to decrypt or sign. It is the natural fit when parties that have never shared a secret need to communicate.
Amazon opted for symmetric encryption instead, where a single key handles both encryption and decryption, because it delivers superior speed and efficiency.
“About 15 years ago, we made a deliberate choice to use symmetric cryptography for authenticating customers communicating with our services,” says Ken Beer, director of AWS cryptography. “And when I helped build the Key Management Service back in 2013, we committed to symmetric cryptography as the backbone for protecting all customer keys.”
Currently, more than 99.9% of all data-at-rest encryption on AWS involves no asymmetric cryptography anywhere within the key hierarchy securing it, according to Beer.
That decision has proven remarkably advantageous.
Here’s why: Quantum computers are widely expected to eventually break today’s asymmetric algorithms (RSA, Diffie-Hellman and elliptic-curve schemes) with Shor’s algorithm, whereas symmetric ciphers are far less affected: Grover’s algorithm at most halves the effective key length, which is why AES-256 is the conservative choice and needs no replacement. And given how rapidly quantum computing has accelerated lately, both Google and Cloudflare have already pulled forward their preparedness timelines.
Organizations everywhere are now racing against time to transition to quantum-safe algorithms — unless they’re already using symmetric methods.
“We don’t need to change anything, and we’re very glad we don’t,” Beer remarks. Regarding the vast quantities of data stored on Amazon’s servers, the company avoids the costly and complex process of decrypting and re-encrypting everything with quantum-resistant algorithms. It’s already quantum-resistant.
That doesn’t mean Amazon has eliminated asymmetric encryption entirely. Communications with external parties or over the public internet still depend on it.
AWS aims to finalize its post-quantum authentication for public certificates by 2028–2029. The holdup stems from the global community still needing to converge on shared standards.
“It’s going to require alignment among five or ten major vendors,” Beer notes. “Once we settle on a method for validating digital signatures, companies across different layers of the technology stack will begin implementation.”
Amazon has participated in the CA/Browser Forum — the industry consortium defining public key infrastructure rules for the internet — for well over a decade, according to Beer. “We’re confident we can push the industry forward by 2029.”
AWS clients who offload their cryptographic operations to AWS receive post-quantum protection automatically at no extra cost. Those running their own asymmetric cryptography, however, face a significant undertaking.
“There may be cryptography deeply embedded in people’s applications,” Beer cautions. “Can they locate it? Can they update it? Do they need to contact a vendor they haven’t spoken with in years — or one that’s gone out of business entirely?” These are the kinds of questions enterprise customers need to be raising.
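The questions Beer raises amount to building a cryptographic inventory. The script below is an added example, not AWS tooling or anything from the article: it walks a source tree, matches well-known indicators of asymmetric primitives (RSA, elliptic-curve and Diffie-Hellman material, which Shor's algorithm breaks) as well as symmetric ciphers and hashes (which only need larger parameters), and reports where each appears. The pattern list, the directory layout and the sample files are constructed for the demo; a real inventory would extend the patterns with the libraries and key formats actually in use.

```python
"""Inventory cryptographic usage in a source tree and flag what a quantum computer breaks."""
import os
import re
import tempfile
from collections import Counter

# (category, algorithm label, pattern). Asymmetric primitives fall to Shor's
# algorithm; symmetric ciphers and hashes need at most larger parameters under Grover.
# The indicator list is constructed for this example and is not exhaustive.
SIGNATURES = [
    ("quantum-vulnerable", "RSA",
     re.compile(r"BEGIN RSA (?:PRIVATE|PUBLIC) KEY|\bssh-rsa\b|\bRSA\b|"
                r"\brsa\.(?:generate_private_key|newkeys)\b")),
    ("quantum-vulnerable", "ECC",
     re.compile(r"BEGIN EC PRIVATE KEY|\bECDHE?\b|\bECDSA\b|\bssh-ed25519\b|ecdsa-sha2-nistp\d+|"
                r"\bEd25519\b|\bX25519\b|\bsecp\d+[kr]1\b|\bprime256v1\b")),
    ("quantum-vulnerable", "DH",
     re.compile(r"BEGIN DH PARAMETERS|\bDiffie-?Hellman\b|\bDHE?\b")),
    ("symmetric-or-hash", "AES/ChaCha/HMAC/SHA-2",
     re.compile(r"\bAES-?(?:128|192|256)?\b|\bChaCha20\b|\bHMAC\b|\bSHA-?(?:256|384|512)\b")),
    ("post-quantum", "ML-KEM/ML-DSA",
     re.compile(r"\bML-KEM\b|\bML-DSA\b|\bKyber\b|\bDilithium\b|\bX25519MLKEM768\b")),
]
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def scan_file(path, rel):
    """Return one finding per pattern match per line of a text file."""
    findings = []
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except (UnicodeDecodeError, OSError):
        return findings  # binary or unreadable: out of scope for a text scan
    for no, line in enumerate(lines, 1):
        for category, label, pat in SIGNATURES:
            for m in pat.finditer(line):
                findings.append({"file": rel, "line": no, "category": category,
                                 "algorithm": label, "match": m.group(0)})
    return findings


def inventory(root):
    """Walk root (skipping vendored and VCS dirs) and collect findings in a stable order."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            findings.extend(scan_file(full, os.path.relpath(full, root)))
    return findings


def summarize(findings):
    """Count findings per migration category."""
    return dict(Counter(f["category"] for f in findings))


# Constructed sample tree standing in for a real checkout.
SAMPLE_TREE = {
    "deploy/nginx.conf": "ssl_protocols TLSv1.3;\nssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;\n",
    "app/signer.py": ("from cryptography.hazmat.primitives.asymmetric import rsa\n"
                      "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"),
    "app/storage.py": "CIPHER = 'AES-256-GCM'\nMAC = 'HMAC-SHA256'\n",
    "keys/deploy.pub": "ssh-rsa AAAAB3NzaC1yc2E deploy@example\n",
    "keys/new.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 deploy@example\n",
}


def demo():
    """Materialise the sample tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_TREE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return inventory(root)


if __name__ == "__main__":
    results = demo()
    print(summarize(results))
    for f in results:
        print(f"{f['file']}:{f['line']} {f['category']:18} {f['algorithm']:22} {f['match']}")
```

Run it against a real checkout with `inventory(path)`. Pattern matching finds identifiers and PEM/SSH headers, but not an algorithm chosen by a library default or compiled into a vendor binary, which is exactly the buried cryptography Beer warns about; those cases need the vendor's own disclosure.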
S3 security controls and the shared responsibility model
There have been no known cases of AWS Nitro or its encryption infrastructure being breached, and reviews by NCC Group and other analysts have found these systems to work as AWS claims.
Yet leaks of data stored on AWS regularly make headlines. The root cause is usually on the customer side: misconfigured S3 buckets, exposed credentials, keys embedded directly in code, and a host of other configuration errors.
According to security firm UpGuard, AWS S3’s security model has “design-level flaws,” with thousands of breaches detected by the firm over recent years.
“Since the very first day S3 launched, buckets have been locked down by default,” Brandwine responds.
UpGuard acknowledges this is technically true, but argues that AWS makes it far too easy to misconfigure a bucket unintentionally.
Brandwine concedes there’s a real issue. “When one customer has a bad experience in the cloud, that’s on them,” he says. “But when lots of customers keep having bad experiences, we need to step in and address it.”
Consider a company that uses an S3 bucket to host content, then deletes the bucket but still has web pages, services, or tools pointing to it. Because bucket names are globally unique and a deleted name becomes available to any AWS account, an attacker can recreate the bucket under the old name and serve whatever they like to everything that still references it.
This is customer error: anyone deleting a bucket should also remove every reference to it. But it happens repeatedly, and at scale.
“So we created something we call active defense,” Brandwine says.
When Amazon detects attackers trying to use dictionary attacks to guess bucket names, “we deliberately mislead them with a ‘Bucket not found’ response,” he explains. “This renders mass scanning useless and has effectively put an end to
Attackers had also been using S3 bucket dictionary attacks to try to gain access to systems.
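One way to check a site or codebase for the abandoned-bucket problem, and to see why the "Bucket not found" response matters to scanners, is the script below. It is an added example, not code from AWS or from the article: it pulls bucket names out of the S3 URL forms (virtual-hosted, path-style and `s3://`), then asks a probe function for the HTTP status of each bucket endpoint. An existing bucket answers 200 or 403 (or a redirect to its region), while a missing one historically answered 404, which is the same oracle a dictionary scanner uses to tell real names from guesses. Since AWS now returns that response to suspected scanners as well, a 404 here is treated only as a lead; the conclusive check is whether creating a bucket with that name succeeds in your own account. The sample references and canned statuses are constructed; `probe_http` does a live HEAD and is not exercised by the demo.

```python
"""Find S3 bucket references in text and flag the ones that may be dangling."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

URL_RE = re.compile(r"""(?:https?|s3)://[^\s"'<>()]+""")
# Virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com
# and the older <bucket>.s3-<region>.amazonaws.com. A bucket name may itself contain dots.
VHOST_RE = re.compile(r"^(?P<bucket>.+?)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def bucket_from_url(url):
    """Return the bucket name an S3 URL refers to, or None if it is not an S3 URL."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if parts.scheme == "s3":
        return host or None
    if parts.scheme not in ("http", "https"):
        return None
    m = VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if PATH_RE.match(host):
        segments = [s for s in parts.path.split("/") if s]
        return segments[0] if segments else None
    return None  # some other host that merely mentions an S3 name in its path


def extract_buckets(text):
    """All distinct bucket names referenced in text, in first-seen order."""
    seen = []
    for url in URL_RE.findall(text):
        bucket = bucket_from_url(url)
        if bucket and bucket not in seen:
            seen.append(bucket)
    return seen


def probe_http(bucket, timeout=5):
    """Live probe: HEAD the bucket's virtual-hosted endpoint and return the HTTP status.
    Names containing dots fail TLS validation on this endpoint; use path style for those."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(buckets, probe):
    """Map each bucket to a status using probe(bucket) -> HTTP status code."""
    report = {}
    for bucket in buckets:
        code = probe(bucket)
        if code == 404:
            # Reported as nonexistent: claimable by anyone, or a decoy answer to a scanner.
            # Confirm by attempting CreateBucket in your own account before acting on it.
            report[bucket] = "possibly-dangling"
        elif code in (200, 301, 307, 403):
            report[bucket] = "exists"  # taken: by you, or already by somebody else
        else:
            report[bucket] = "unknown"
    return report


# Constructed sample: a page and a config that still reference buckets.
SAMPLE_REFERENCES = """
<script src="https://assets-acme-prod.s3.amazonaws.com/app.js"></script>
<img src="https://s3.us-east-1.amazonaws.com/acme-marketing-images/hero.png">
<link href="https://acme-legacy-cdn.s3.eu-west-1.amazonaws.com/site.css">
https://example.com/not-s3/acme-fake.s3.amazonaws.com
s3://acme-data-exports/2024/
"""

# Constructed statuses standing in for live responses from the S3 endpoint.
FAKE_STATUS = {"assets-acme-prod": 403, "acme-marketing-images": 200,
               "acme-legacy-cdn": 404, "acme-data-exports": 403}


def demo():
    """Extract the sample references and classify them with the canned probe."""
    return classify(extract_buckets(SAMPLE_REFERENCES), lambda b: FAKE_STATUS.get(b, 404))


if __name__ == "__main__":
    for bucket, status in demo().items():
        print(f"{status:18} {bucket}")
```

For a live run, pass `probe_http` to `classify` instead of the canned lookup. The defensive fix is the one the article gives: either keep ownership of the bucket name after decommissioning it, or remove every reference before deleting.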
AWS’s infrastructure is complex, and there are plenty of ways for corporate customers to misconfigure a policy inadvertently. Nor is the problem limited to customers.
Amazon’s own staff can slip up too. According to researchers at Wiz, AWS engineers neglected to correctly configure Amazon’s own internal systems in the CodeBreach incident.
Malicious actors have consistently exploited configuration errors, weak or leaked credentials, and related customer-side weaknesses. With AI now in the mix, the danger has escalated significantly.
“AI isn’t altering how cybercriminals behave,” explains Gee Rittenhouse, Vice President of Security Services at Amazon. “It shifts just how quickly and how extensively they operate. We continue to observe the same major attack avenues—things like phishing and credential theft—but the execution happens at a much faster pace.”
Amazon itself is utilizing this same technology, according to him.
At the close of March, AWS rolled out its AWS Security Agent for on-demand penetration testing, along with the AWS DevOps agent, which resolves incidents autonomously.
“We now have AI-powered attack agents competing with defensive agents; tasks that used to require several weeks can now be handled in just a few hours,” he notes.
Still, AI represents yet another significant upcoming threat for Amazon. The AI agents companies are constructing and running on AWS could evolve into the next major security vulnerability—essentially a reincarnation of poorly secured S3 storage buckets.
Is Amazon able to leverage its achievements in fortifying its own systems while drawing on years of experience from S3 bucket breaches to establish a robust security foundation for AI agents?
Rittenhouse expresses confidence that it can. And a significant part of the solution involves the layer of agent authentication and access rights.
“We recently unveiled a new form of authentication, the OAuth 2 token exchange,” he states. “It’s integrated into Amazon Bedrock AgentCore Identity, and its main job is to track which user the AI agent is representing and which resources it is attempting to reach.”
“Before the agent performs any action, it checks at the infrastructure level whether the agent is permitted to proceed,” Rittenhouse explains. “If the answer is no, it simply won’t be allowed—no matter the instructions given, regardless of a hallucination or a potential takeover. Our infrastructure will block it entirely.”
“That is where our real strength lies,” he concludes. “We enforce controls all the way down through the infrastructure level.”
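As an added illustration of the pattern Rittenhouse describes, not AWS’s or AgentCore’s own code: RFC 8693 token exchange turns a user’s token and an agent’s own credential into a single short-lived token whose `act` claim records which agent is acting for which user, and the gate then decides every tool call from that verified token plus a policy, never from the model’s text. The HS256 signing, the policy table, the agent registry and the tool calls are all constructed for the example; a real deployment would use the issuer’s keys and an external policy engine.

```python
"""Delegated-authority gate for an AI agent's tool calls (RFC 8693-style token exchange)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example. The token issuer holds it; the agent never does.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Constructed policy: what each human user may do, by action and resource prefix.
# An agent acting for a user can never exceed what the user could do directly.
POLICY = {"alice": {"s3:GetObject": ["reports/"], "s3:PutObject": ["scratch/"]}}
REGISTERED_AGENTS = {"agent-42"}  # constructed agent registry


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims):
    """Mint an HS256 JWT (header.payload.signature) carrying the given claims."""
    header = _b64u(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(mac)}"


def verify(token, now=None):
    """Return the claims if the signature checks out and the token is unexpired; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def exchange(subject_token, actor_token, scope, ttl=300):
    """Token exchange: the user's token (subject) plus the agent's own token (actor) become
    one short-lived token saying 'this agent acts for this user, within scope'. RFC 8693
    records the delegation in the 'act' claim, mirrored here."""
    user = verify(subject_token)
    agent = verify(actor_token)
    if "agent" not in agent.get("roles", []):
        raise PermissionError("actor token is not an agent credential")
    now = int(time.time())
    return sign({"sub": user["sub"], "act": {"sub": agent["sub"]}, "scope": scope,
                 "aud": "tools", "iat": now, "exp": now + ttl})


def authorize(token, action, resource):
    """Infrastructure-side check run before every tool call. The decision depends only on
    the verified token and the policy, never on what the model said it wanted."""
    try:
        claims = verify(token)
    except ValueError as err:
        return False, f"deny: {err}"
    if claims.get("aud") != "tools":
        return False, "deny: token not issued for tool access"
    actor = claims.get("act", {}).get("sub")
    if actor not in REGISTERED_AGENTS:
        return False, "deny: unknown or missing agent identity"
    if action not in claims.get("scope", []):
        return False, "deny: action outside delegated scope"
    prefixes = POLICY.get(claims["sub"], {}).get(action, [])
    if not any(resource.startswith(p) for p in prefixes):
        return False, f"deny: {claims['sub']} may not {action} on {resource}"
    return True, f"allow: {actor} acting for {claims['sub']}"


def demo():
    """Constructed run: three tool calls an agent might emit, two of them the kind a
    hijacked or hallucinating model would ask for."""
    now = int(time.time())
    user_token = sign({"sub": "alice", "roles": ["user"], "exp": now + 3600})
    agent_token = sign({"sub": "agent-42", "roles": ["agent"], "exp": now + 3600})
    delegated = exchange(user_token, agent_token, scope=["s3:GetObject"])
    calls = [("s3:GetObject", "reports/q1.csv"),     # within policy and scope
             ("s3:GetObject", "payroll/all.csv"),    # alice has no right to this prefix
             ("s3:DeleteObject", "reports/q1.csv")]  # not in the delegated scope
    return [authorize(delegated, action, res) for action, res in calls]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of the structure is that prompt injection has nothing to attack: the model can ask for any action it likes, but the scope and the `act` claim were fixed at exchange time by the issuer, and a tampered or expired token fails signature or expiry checks before the policy is even consulted.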