AWS Open Source Security

Committed to raising standards for the broader community

At AWS, security is our top priority. We work hard to make AWS the best place for customers to build and run open source software in the cloud. We are committed to raising the bar for open source security by developing key security-related technologies in collaboration with the community and by contributing code, resources, and talent to open source software.

We actively participate in open source foundations, trade associations, standard bodies, and regulatory organizations, with a goal of improving software supply chain security to benefit our customers and improve security posture across the industry.

AWS re:Inforce 2023 - Security in the Open (58:43)

Security frameworks and tools as open source

We work upstream and release security frameworks and tools as open source to improve security posture across the industry.

OCSF

We co-founded, alongside 17 partner organizations, the Open Cybersecurity Schema Framework (OCSF) project to make it easier for security professionals to ingest and correlate telemetry data from different sources. OCSF has gained recognition as the standard for seamless tool communication, enabling interoperability across the open source security community.

Rust

AWS uses Rust, a memory-safe language, as the language of choice for multiple services, including Amazon S3, Amazon Route 53, and Amazon EC2. We contribute dedicated security and software engineering expertise to help organizations like the Rust Foundation improve their security posture, which benefits everyone who consumes their software.

Kubernetes

We participate in the Kubernetes Security Response Committee to improve long-term sustainability and advise on security best practices. We have committed cloud credits to the Cloud Native Computing Foundation to run the Kubernetes project, which helps provide the community with more testing and better tools, leading to fewer bugs in project releases.

OpenJDK

We contribute to the OpenJDK project, including bug fixes that are hard to reproduce because they only occur when running at scale. Our commitment extends through Amazon Corretto, a no-cost, multiplatform, production-ready open source distribution of OpenJDK, which comes with long-term support including performance enhancements and security fixes.

Supporting the advancement of open source security communities

We provide financial support, engineering staffing, and software development resources, including coding and testing, to advance open source security communities.

Shared learnings

We share AWS learnings and practices on consuming open source securely that you can leverage in your organization.

Consider adopting Powertools for AWS Lambda (Python), a developer toolkit to implement serverless best practices and increase developer velocity.

Learn about our approach to the Apache Log4j (Log4Shell) vulnerability and our guidance to help customers respond.

Learn more about the security practices we use in our GitHub repositories, such as the recent security audit completed by the OpenSearch team at AWS.

Some of the most popular open source developer tools, platforms, databases, and services on AWS are based on leading open source projects. Amazon-led projects of note include:

Snapchange

Snapchange started as an experiment by the Find and Fix (F2) open source security research team to explore the potential of using KVM to enable snapshot fuzzing. It is one of a number of tools and techniques the F2 team uses in its research to enable a secure and trustworthy open source supply chain for AWS and its customers.

Cedar

Define permissions as easy-to-understand policies with Cedar, an open source language for access control built using automated reasoning and differential testing.

Bottlerocket

AWS launched Bottlerocket, a Rust-oriented Linux distribution for running containers, and the Amazon EC2 team uses Rust as the language of choice for new AWS Nitro System components.

Kani Rust Verifier Project

Kani is an open source project maintained by AWS that helps verify unsafe code blocks in Rust, which may contain memory-safety issues that lead to security concerns.

Firecracker

Written in Rust, Firecracker provides the open source virtualization technology that powers AWS Lambda and other serverless offerings.


Explore more than 1,200 Amazon-led open source projects on GitHub.
