Supply Chain Attacks
CF: Are supply chain attacks a major threat to AWS?
Ryland: It’s something we have to absolutely work on and be careful about. And for us, that includes hardware supply chain because we actually custom-produce a lot of the equipment that we operate as our cloud platform, also software as well. And the whole ecosystem is now very focused on making sure that our software supply chains remain secure. We’ve made a big investment through the Open Source Security Foundation (OpenSSF), which is a subsidiary or component of the Linux Foundation. We’re on the board of advisors. We’ve committed to spend more than $10 million over the next three years on open source projects to help raise the bar for that part of the supply chain, because there are a lot of small engineering teams out there that build very useful components that are widely used because of their open source nature. And we want to make sure that is also a safe place to go get software. So we’re doing a lot and we’re investing a lot to help other companies improve the security of their software.
We, in turn, use open source software, but we also invest very heavily in the security of the software that we’re developing and then deploying into our services. So there’s a big investment and a big focus on that, trying to get ahead of the problem. SolarWinds was one example where there was a successful supply chain attack. But in general, there hasn’t been too much of a problem relative to other kinds of cyberattacks. But we want to get ahead of that. We know that’s a real concern and a real issue. And we’re doing a lot to make sure that that doesn’t become a big one.