Amazon Web Services (AWS) has taken a significant step toward enhancing security by mandating multi-factor authentication (MFA) for all privileged accounts starting from April 2024. This move aims to mitigate the risks associated with account hijacking, reinforcing the importance of default security measures.
Steve Schmidt, Chief Security Officer (CSO) at AWS, stated, “By the end of this year, privileged account users who have yet to enable MFA will receive notifications regarding this security change. Early next year, they will be required to activate MFA as a mandatory procedure to maintain access.”
Standalone AWS accounts will also need to adopt this mandatory MFA procedure by the end of the upcoming year. AWS is committed to minimizing cyber risks associated with stolen account credentials, which can be exploited for malicious purposes.
This initiative traces its origins back to 2021 when AWS allowed organizations in the United States to register up to 8 MFA devices per root user. The company now seeks to make MFA usage compulsory, encouraging users to leverage MFA as a defense against phishing attempts.
In a separate development, Israeli cybersecurity firm Oligo has issued a red alert regarding an open-source tool that companies use to scale up their AI models, part of the AWS TorchServe project, which is developed in collaboration with Meta.
Oligo researchers have raised concerns about a ShellTorch vulnerability in the PyTorch library, a high-resource, large-scale machine learning framework. They emphasized that this vulnerability could enable attackers to upload malicious models to the server. Meta, in response, promptly issued a patch for this issue in August of this year, aligning with the security community’s recommendations.