Gen AI: Double-edged
sword in AWS’s security arsenal

As generative AI reshapes the technological landscape, it presents both opportunities and risks. For Amazon Web Services (AWS), the challenge is twofold: leveraging AI to fortify security operations while defending against adversaries who weaponise the same technology.

“Malicious actors are using generative AI, and so are we,” says CJ Moses, Chief Information Security Officer of Amazon Web Services (AWS), in an exclusive interview on the eve of the AWS re:Invent conference in Las Vegas next week.

“Velocity matters,” he declares. “In other words, speed must include direction to truly be effective.

“Generative AI can also help security teams prioritise findings and automate incident response. This approach frees security teams to focus their energy on more strategic business initiatives and higher value tasks. Generative AI-powered tools can detect anomalous behaviour within a customer’s account and help to more accurately isolate and alert highly suspicious user behaviour. 

“Security teams can also more effectively identify phishing emails with generative AI, e.g., via variable word examinations in the phishing emails that come in. Generative AI coding tools can also help developers scan code for hard-to-find vulnerabilities and suggest more secure options.”

This focus on velocity, both in responding to threats and in advancing defensive measures, is more crucial than ever as generative AI reshapes the technology ecosystem. For AWS, the rise of AI-powered tools represents a double-edged sword: a powerful ally in combating cyber threats and a new frontier for adversaries to exploit.  

The same technology that powers innovation and efficiency can also enable more sophisticated phishing campaigns, exploit vulnerabilities, and target unsuspecting users. For AWS, the challenge is to leverage AI to stay several steps ahead of adversaries, ensuring the safety of its customers while helping to secure the broader internet.

“With our scale comes broad responsibility, and we leverage our global resources to proactively combat malicious activities, creating a safer environment for all of our customers around the world,” says Moses. “We have instrumented our network, the telemetry and threat intelligence we use, and the analytics and enforcement we’ve built to provide active defence to our customers. 

“Actions we take to improve security have a multiplier effect that helps improve security across the entire internet. Whenever possible, AWS Security and its systems disrupt threats where that action will be most impactful.

“Using our active defence capabilities, we make it more difficult and expensive for cyberattacks to be carried out against our network, our infrastructure, and our customers. We also help make the internet as a whole a safer place by working with other responsible providers to take action against threat actors operating within their infrastructure. We work closely with the security community and collaborating businesses around the world to isolate and take down threat actors.”

Moses leaves no room for doubt about what matters to him in this arena: “While we’re talking about making the whole internet safer, I’ve got to do my foot stomp here on the use of multi-factor authentication (MFA). MFA is one of the simplest and most effective ways to help prevent unauthorized individuals from gaining access to systems or data. 

“In fact, we found that enabling MFA prevents greater than 99% of password-related attacks. I’m glad to say that between April and October 2024, more than 750,000 AWS root users enabled MFA.”

AWS also amplifies its security efforts through practicing “secure by design and default”.

This, says Moses, allows it to build secure products with a multi-layered strategy that meaningfully improves technical and business outcomes.

“Secure by default indicates the default settings of a product are secure out-of-the-box and resilient against common exploitation techniques, without the need for additional security configuration. Secure by design is a developer-centric approach that goes beyond implementing standard security measures to evaluate and address risks and vulnerabilities at every stage of the development life cycle, from design to deployment and maintenance rather than reacting to them later. 

“As the threat landscape continues to evolve, secure by design and default concepts are gaining importance in the effort to mitigate vulnerabilities early, minimise risks, and recognise security as a core business requirement.”

Inside Active Defence: A Step Beyond Traditional Security

At the core of AWS’s security strategy is what Moses calls “active defence.” Unlike traditional security measures that primarily involve passive monitoring and reacting to threats, active defence is about taking the fight to the adversaries.  

“Active defence refers to our proactive security measures and techniques implemented within AWS environments to detect, respond to, and mitigate potential security threats in real time. It involves actively monitoring, analysing, and blocking malicious activities.”  

AWS employs a suite of internal tools, including MadPot, Mithra, and Sonaris, to bolster its active defence capabilities. These tools are designed to cast a defensive net around AWS’s infrastructure and its customers, intercepting threats before they can cause harm.  

“When we act, the ripple effects improve security across the internet as a whole.”  

While AI is central to AWS’s strategy, Moses is clear that it doesn’t replace the human element in cybersecurity. Instead, it enhances the capabilities of security professionals, allowing them to focus on more complex and high-value tasks.  

“Generative AI doesn’t eliminate the need for human oversight—it amplifies the effectiveness of security teams. It allows us to be faster, more accurate, and more strategic in our approach. But at the end of the day, humans are still essential to interpreting results, making decisions, and adapting to new challenges.”  

Moses’s view of cybersecurity is not confined to AWS alone. He emphasises the importance of collaboration across the tech industry to tackle shared threats.  

“When it comes to security, my focus is always on outpacing the adversaries, the malicious actors who seek to do harm. But that doesn’t mean we don’t collaborate with our competitors. In fact, we often work together to share information about emerging threats and take collective action against bad actors.”  

This spirit of cooperation extends to AWS’s efforts to disrupt sophisticated cyber operations. For instance, AWS recently worked to take down internet domains abused by APT29, a group linked to Russia’s Foreign Intelligence Service.  

“APT29 was attempting to phish thousands of people, including government agencies, enterprises, and militaries. When we learned of the activity, we immediately seized the domains they were using to impersonate AWS, disrupting their campaign. This kind of collaboration is critical in the fight against cybercrime.”  

For AWS, the stakes couldn’t be higher. As generative AI reshapes the technological landscape, the company’s ability to harness this powerful tool while countering its misuse will determine not only its own success but also the safety of the broader internet.  

This balance between velocity and direction — aided by AI but guided by human ingenuity — will define the next chapter of cybersecurity.