At its re:Inforce 2025 conference in Philadelphia, Amazon Web Services announced a wave of major security upgrades across its cloud platform. The updates focus on providing deeper threat visibility, simplifying defenses, and adding crucial context to security alerts. The company also hit a major milestone by enforcing multi-factor authentication for 100% of its high-risk accounts, signaling a more aggressive stance on foundational security practices for all users.
MFA Enforcement Becomes the New Standard
AWS has moved from strongly recommending to mandating multi-factor authentication (MFA) for its most privileged accounts. During her keynote, AWS Chief Information Security Officer Amy Herzog announced the full enforcement of MFA for all management and root-level accounts, a goal the company has been working toward for years.
“It’s the single best thing you can do to lock down your account,” Herzog stated, emphasizing the critical role of MFA in preventing unauthorized access. The requirement blunts the most common account-takeover paths: stolen, phished or reused passwords. One caveat a practitioner should keep in mind is that sign-in MFA covers the console and root login only; long-lived IAM access keys are exercised through the API with no MFA prompt unless an IAM policy condition such as aws:MultiFactorAuthPresent requires it, so keys still need their own controls.
To further support this push, AWS also supports FIDO2 passkeys and security keys as MFA devices for root and IAM users. A passkey is a phishing-resistant credential bound to the console’s origin, which a one-time code is not, and a synced passkey removes the dependence on a single hardware token. This policy change is expected to influence other cloud providers to strengthen their own account security requirements.
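The quickest way to see where an account stands against this requirement is the IAM credential report, which lists every IAM user plus the root user with their password and MFA status. The script below is an added example, not AWS code: it parses a constructed report that uses a subset of the real report's columns (the real `aws iam get-credential-report` output is base64-encoded and carries more columns), flags console-capable principals without MFA, and separately flags the access-key cases that console MFA does not cover.

```python
"""Find console-capable principals without MFA in an IAM credential report.

Added example, not AWS code. SAMPLE_REPORT is constructed with a subset of
the columns `aws iam get-credential-report` returns; the logic only needs
the columns shown.
"""
import csv
import io

ROOT = "<root_account>"  # the literal user name the report uses for the root user

# Constructed sample report. Root's password_enabled is reported as
# "not_supported" in real reports, so root has to be handled separately.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,false
"""


def parse_report(csv_text):
    """Parse the decoded CSV body of a credential report into row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _true(value):
    return value.strip().lower() == "true"


def principals_without_mfa(rows):
    """Principals that can sign in with a password but have no MFA device.

    Root is reported whenever its MFA flag is off; IAM users are reported
    only if a console password is enabled, because a user with keys alone
    never sees the MFA prompt anyway.
    """
    findings = []
    for row in rows:
        if _true(row["mfa_active"]):
            continue
        if row["user"] == ROOT or _true(row["password_enabled"]):
            findings.append(row["user"])
    return findings


def root_has_active_access_keys(rows):
    """Root access keys bypass console MFA entirely and should not exist."""
    for row in rows:
        if row["user"] == ROOT:
            return _true(row["access_key_1_active"]) or _true(row["access_key_2_active"])
    return False


def keys_without_mfa(rows):
    """IAM users holding active access keys with no MFA device.

    Console MFA does not protect these; the usual fix is a policy that
    denies actions unless aws:MultiFactorAuthPresent is true, or replacing
    long-lived keys with role assumption.
    """
    return [row["user"] for row in rows
            if row["user"] != ROOT and not _true(row["mfa_active"])
            and (_true(row["access_key_1_active"]) or _true(row["access_key_2_active"]))]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("no MFA on console login:", principals_without_mfa(rows))
    print("root has access keys:", root_has_active_access_keys(rows))
    print("active keys, no MFA:", keys_without_mfa(rows))
```

Against a real account, decode the report body from `get-credential-report` and feed it to `parse_report`; the three functions then give a root finding, a console finding and a key finding that map to different remediations (delete root keys, enrol a device, add an MFA condition or move to roles).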
IAM Gains Deeper Insights to Reduce Blind Spots
Managing who has access to what is a constant challenge in large cloud environments. To address this, AWS introduced “internal access findings” to IAM Access Analyzer. Where the existing external findings show which outside principals can reach a resource, internal access findings show which principals inside the organization can, and which of those permissions are broader than they need to be. The analysis uses automated reasoning: a formal, proof-based evaluation of what a set of policies actually permits, rather than pattern matching on policy text.
The tool performs daily checks on permissions, alerting security teams to any sudden or risky changes in access to sensitive resources. Hart Rossman, who leads global security services at AWS, described it as “having a mathematician in your pocket.” The goal is to make identity the starting point for any security investigation.
- It provides daily analysis of permissions to prevent unnoticed privilege creep over time.
- It sends alerts for new or risky permissions, reducing the manual policy review teams otherwise do by hand.
- It offers a unified dashboard to monitor both internal and external access in one place.
This consolidated view gives security teams the context they need without having to switch between different tools or rely on custom scripts.
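To make the question concrete, the following added example (not Access Analyzer's engine, which reasons over the full policy language) answers “which principals can reach this resource?” over a constructed set of identity policies, and then diffs two daily snapshots to surface newly granted access. It implements two IAM evaluation rules, an explicit Deny always wins and otherwise some Allow must match, with `*` and `?` wildcards; Conditions, NotAction/NotResource, resource-based policies, permission boundaries and SCPs are deliberately left out. All principal names, policies and ARNs are constructed.

```python
"""Which principals can reach a sensitive resource, and what changed since yesterday?

Added example, not Access Analyzer's engine. It applies two IAM evaluation
rules to identity-based policies: an explicit Deny always wins, and
otherwise at least one Allow must match. Conditions, NotAction/NotResource,
resource-based policies, permission boundaries and SCPs are out of scope.
All policies and principal names below are constructed.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are matched case-insensitively; resource ARNs are not.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_matches(a, action, case_insensitive=True) for a in actions)
            and any(_matches(r, resource) for r in resources))


def is_allowed(policy_docs, action, resource):
    """Evaluate one principal's identity policies for a single request."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides any allow
            allowed = True
    return allowed


def principals_with_access(principals, action, resource):
    """Sorted names of principals whose policies allow action on resource."""
    return sorted(name for name, docs in principals.items()
                  if is_allowed(docs, action, resource))


def newly_granted(previous, current, action, resource):
    """Principals that can reach the resource now but could not in the
    previous snapshot: the new access a daily check should raise."""
    return sorted(set(principals_with_access(current, action, resource))
                  - set(principals_with_access(previous, action, resource)))


# Constructed snapshot of identity policies in one account.
PRINCIPALS = {
    "role/payroll-batch": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::payroll-exports/*"}]}],
    "role/web-app": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::static-assets/*"}]}],
    "user/contractor": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::payroll-exports/*"}]}],
    "role/admin-breakglass": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
}

# Same account a day later: someone removed the contractor's Deny statement.
PRINCIPALS_NEXT_DAY = {
    **PRINCIPALS,
    "user/contractor": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
}

SENSITIVE_OBJECT = "arn:aws:s3:::payroll-exports/2025/q2.csv"

if __name__ == "__main__":
    print(principals_with_access(PRINCIPALS, "s3:GetObject", SENSITIVE_OBJECT))
    print(newly_granted(PRINCIPALS, PRINCIPALS_NEXT_DAY, "s3:GetObject", SENSITIVE_OBJECT))
```

The contractor case is the one worth noticing: a broad `s3:*` on `*` is neutralised only by the explicit Deny, so deleting that one statement silently grants payroll access, which is exactly the kind of day-over-day change the diff is meant to catch.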
Security Hub is Now a Smarter, Context-Aware Hub
AWS Security Hub received a major overhaul, transforming it from a simple alert dashboard into a more intelligent analysis tool. The new preview version introduces features that add layers of context, something many security teams previously had to build themselves.
New summary views for exposure, security, and resources help teams quickly understand their security posture. The “resources summary” inventories all cloud assets, highlights vulnerabilities, and prioritizes risks. The primary goal, according to Rod Wallace from AWS’s vulnerability management team, is to reduce alert fatigue so that security professionals can focus on “solving problems, not buried under tier-1 tasks.” These enhancements are designed to significantly decrease the time it takes for teams to respond to incidents.
GuardDuty and Shield Expand Protection into New Areas
Recognizing the security challenges of containerized environments, AWS has expanded GuardDuty’s capabilities to provide deeper threat detection for Amazon EKS clusters. It now correlates runtime behavior, Kubernetes audit logs, and AWS API calls to identify complex, multi-stage attacks that no single data source would reveal on its own. This update allows GuardDuty to surface sequences such as lateral movement and privilege escalation within container clusters rather than isolated low-severity events. The runtime signals depend on GuardDuty Runtime Monitoring being enabled for the cluster; without it, only the audit-log and API side of the correlation is available.
| Feature | What It Does |
|---|---|
| EKS Threat Detection | Detects lateral movement and privilege escalation in container clusters |
| Data Correlation | Links runtime, audit, and API activity |
| Automatic Alerting | Flags anomalies without manual tuning |
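The value of correlation is easier to see on a concrete sequence. The following added example is illustrative logic, not GuardDuty's detection code: it reads Kubernetes audit events in the audit.k8s.io/v1 shape that EKS ships (constructed here, with fields the rule does not use left out) and raises a finding only when the same principal first creates a privileged or host-namespace pod and then execs into it within a window. Each step alone is routine cluster activity; together they are the standard setup for a container escape.

```python
"""Correlate Kubernetes audit events into a multi-stage finding.

Added example and illustrative only; this is not GuardDuty's detection
logic. AUDIT_LOG is constructed in the audit.k8s.io/v1 event shape with
unused fields omitted. Rule: a principal creates a privileged (or
host-namespace) pod and then execs into it within `window`.
"""
import json
from datetime import datetime, timedelta

# Constructed audit log (JSON lines), deliberately out of time order.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "requestReceivedTimestamp": "2025-06-17T14:05:02.118Z",
     "user": {"username": "system:serviceaccount:default:webapp"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "default", "name": "dbg"},
     "responseStatus": {"code": 101}},
    {"verb": "create", "requestReceivedTimestamp": "2025-06-17T14:03:11.000Z",
     "user": {"username": "system:serviceaccount:default:webapp"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "dbg"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "sh", "image": "alpine", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 201}},
    {"verb": "create", "requestReceivedTimestamp": "2025-06-17T14:03:40.500Z",
     "user": {"username": "system:serviceaccount:default:webapp"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "worker"},
     "requestObject": {"spec": {"containers": [{"name": "app", "image": "app:1.2"}]}},
     "responseStatus": {"code": 201}},
    {"verb": "create", "requestReceivedTimestamp": "2025-06-17T14:06:00.000Z",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "default", "name": "worker"},
     "responseStatus": {"code": 101}},
    {"verb": "create", "requestReceivedTimestamp": "2025-06-17T14:07:30.000Z",
     "user": {"username": "system:serviceaccount:dev:ci"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "pwn"},
     "requestObject": {"spec": {"containers": [
         {"name": "x", "image": "alpine", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 403}},
])


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(event):
    return datetime.strptime(event["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")


def pod_is_privileged(pod):
    """True if the pod shares a host namespace or runs a privileged container."""
    spec = pod.get("spec", {})
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    return any(c.get("securityContext", {}).get("privileged")
               for c in spec.get("containers", []) + spec.get("initContainers", []))


def find_privileged_exec_chains(events, window=timedelta(minutes=15)):
    """One finding per (principal, pod) created privileged and then exec'd
    into by the same principal within `window`."""
    staged = {}   # (user, namespace, pod) -> creation time
    findings = []
    for ev in sorted(events, key=_when):
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        key = (ev["user"]["username"], ref.get("namespace"), ref.get("name"))
        if ref.get("subresource") is None:
            # Stage 1: only successful creations count; a 403 is just an attempt.
            if ev.get("responseStatus", {}).get("code") == 201 \
                    and pod_is_privileged(ev.get("requestObject", {})):
                staged[key] = _when(ev)
        elif ref["subresource"] == "exec":
            # Stage 2: exec by the same principal into a pod staged above.
            created = staged.get(key)
            if created is not None and _when(ev) - created <= window:
                findings.append({"principal": key[0], "namespace": key[1], "pod": key[2],
                                 "seconds_between": (_when(ev) - created).total_seconds()})
    return findings


if __name__ == "__main__":
    for f in find_privileged_exec_chains(parse_events(AUDIT_LOG)):
        print(f)
```

Note what the rule ignores on purpose: the ordinary pod plus exec by `alice`, and the privileged pod the `ci` service account was denied (403). Sorting by timestamp before correlating matters because audit events from a multi-node control plane do not arrive in order.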
Additionally, AWS Shield introduced a new preview feature called “network security director.” This tool helps organizations identify DDoS vulnerabilities, misconfigured network connections, and unprotected endpoints. It not only flags these issues but also ranks them by risk and provides specific suggestions for how to fix them, moving beyond vague alerts to offer actionable guidance.