
AWS Backup adds OTP to air-gapped vault approvals

2026-05-29 · aws-security

AWS Backup now requires OTP verification for approvers voting on multi-party approval requests tied to logically air-gapped vaults. The update went live on May 27, 2026, and adds an extra trust check before protected vault operations can proceed. For backup and recovery teams, the important shift is that vault access now depends on a second factor in the approval path, not just IAM permissions and workflow membership.


What Happened

AWS added one-time password verification to multi-party approval actions for logically air-gapped vaults. Approvers must enter a six-digit code sent to their registered AWS IAM Identity Center email before their vote is accepted. AWS says the control is enabled automatically for existing and new sessions at no extra cost.

The Cost of Data Loss

Backup systems are only useful if attackers cannot quietly change the restore path or approve unsafe actions. If an account or approver is compromised, the result can be delayed recovery, damaged backup integrity, or a compromised clean-room restore process when the business needs it most.

How Cold Storage Prevents This

Logically air-gapped backups already reduce blast radius by isolating recovery copies. Adding OTP to approval steps makes it harder for an intruder to weaponize a single compromised identity against recovery controls. Teams should treat this as a cue to tighten approval hygiene, test recovery paths, and keep the clean restore workflow separate from day-to-day admin access.
