Amazon Web Services announces sweeping security upgrades across key services at re:Inforce 2025, including full MFA enforcement and smarter threat detection tools.
Amazon Web Services is sending a loud and clear message from Philadelphia this week: security is no longer optional. At its annual re:Inforce conference, AWS rolled out a host of new security tools and updates designed to help customers detect threats faster, understand risks better, and tighten control over who can access what.
Among the headline moments? AWS now enforces multi-factor authentication (MFA) for 100% of its management and root accounts — a milestone years in the making.
Full MFA Enforcement Hits 100% Across Root and Management Accounts
Let’s start with the news that turned heads first.
In her opening keynote, AWS CISO Amy Herzog confirmed the company has hit full enforcement of multi-factor authentication across all management and root-level accounts. That’s a major moment, considering how long AWS has been nudging, urging, and eventually requiring users to turn MFA on.
“MFA is the single best security practice you can implement to protect your accounts — period,” Herzog told the crowd. And she’s not wrong.
This move comes after several waves of changes that slowly pushed MFA adoption across AWS’s ecosystem. The big shift this year? Support for FIDO2 passkeys, offering customers a phishing-resistant, user-friendly option for identity protection.
Security leaders have long argued that MFA is the most straightforward defense against compromised credentials — and now AWS is putting its foot down.
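One way a customer can verify the same thing on their own side is to read the IAM credential report, which lists every user (and the root account, shown as `<root_account>`) with a `mfa_active` column. The check below is an added example, not AWS's own tooling; it runs against a constructed report sample with a subset of the real report's columns, and in a live account you would feed it the CSV returned by the IAM `get_credential_report` API instead.

```python
import csv
import io

# Constructed sample laid out like an IAM credential report. The real report has
# more columns (password_last_used, access_key_1_last_rotated, ...); only the
# ones this check reads are included. Root reports password_enabled as
# "not_supported", as the real report does.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,false,false
alice,arn:aws:iam::111111111111:user/alice,2021-03-04T00:00:00+00:00,true,true,true
bob,arn:aws:iam::111111111111:user/bob,2022-05-06T00:00:00+00:00,true,false,false
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-07-08T00:00:00+00:00,false,false,true
"""


def find_mfa_gaps(report_csv):
    """Return (user, reason) pairs for the root account and any console-enabled
    user that has no MFA device attached. Access-key-only users are skipped:
    they have no console login to protect with MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_login = row["password_enabled"].lower() == "true"
        mfa = row["mfa_active"].lower() == "true"
        if row["user"] == "<root_account>":
            if not mfa:
                findings.append((row["user"], "root account without MFA"))
        elif console_login and not mfa:
            findings.append((row["user"], "console user without MFA"))
    return findings


def fetch_live_report(iam_client):
    """Pull the credential report from a real account (assumes a boto3 IAM
    client; generate_credential_report must complete before the report exists).
    Not exercised offline."""
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        pass
    return iam_client.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for user, reason in find_mfa_gaps(SAMPLE_REPORT):
        print(f"{user}: {reason}")
```

Against the constructed sample this reports the root account and `bob`; `ci-deploy` is not flagged because it has no console password, which is the usual shape of a service user.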
IAM Access Analyzer Gets Smarter with Internal Findings
Identity and Access Management (IAM) is usually where security headaches begin. Too much access, unclear privileges, and fuzzy policy logic — it’s a recipe for problems. That’s why AWS expanding IAM Access Analyzer makes sense.
A new feature called internal access findings now gives customers deeper visibility into who can access what inside their environment. This goes beyond just spotting external risks. It’s about fixing internal over-permissioning, one of the quietest yet most dangerous problems in cloud security.
The tool analyzes CloudTrail logs, checks policy rules automatically every day, and flags changes or new permissions that could pose risk.
Here’s why it matters:
- It reduces over-permissioning risks without requiring customers to sift through thousands of policies manually.
- It lets companies verify — in plain sight — if their most critical resources are overexposed.
- It centralizes all access monitoring in a single dashboard.
“A mathematician in your pocket,” is how Hart Rossman, AWS’s VP of global security services, described the underlying logic behind it. Slightly poetic, but not wrong.
Organizations need this kind of lens into their infrastructure — especially during incident response.
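To make the over-permissioning problem concrete, here is an added example (not Access Analyzer's logic, which AWS does not publish) that scans an IAM policy document for the patterns a reviewer would flag first: `Action: "*"` on `Resource: "*"`, a service-wide wildcard such as `ec2:*` on every resource with no `Condition`, and identity-management permissions granted on every resource. The policy document is constructed for the example.

```python
import json

# Constructed policy document with a mix of sound and over-broad statements.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyS3", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "EC2Wide", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Sid": "EC2Regional", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
        {"Sid": "IamWide", "Effect": "Allow",
         "Action": ["iam:PassRole", "iam:CreateAccessKey"], "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows Action/Resource/Statement as a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def risky_statements(policy):
    """Return (Sid, reason) pairs for Allow statements that are broader than a
    least-privilege reviewer would normally accept. Deny statements are ignored."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "Allow with NotAction grants every action not listed"))
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))
        any_resource = "*" in resources
        service_wide = [a for a in actions if a.endswith(":*")]
        identity_actions = [a for a in actions if a.lower().startswith(("iam:", "sts:"))]
        if "*" in actions and any_resource:
            findings.append((sid, "full administrative access (Action * on Resource *)"))
        elif service_wide and any_resource and not conditioned:
            findings.append((sid, "unconditional service-wide access: " + ", ".join(service_wide)))
        elif identity_actions and any_resource:
            findings.append((sid, "identity permissions on every resource: " + ", ".join(identity_actions)))
    return findings


if __name__ == "__main__":
    for sid, reason in risky_statements(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

`EC2Regional` is deliberately not flagged: the same `ec2:*` grant scoped by a region condition is a much narrower thing, which is why a check like this has to read `Condition` and not just the action list. Running it daily against the account's customer-managed policies, as a rough stand-in for what the page describes, turns policy drift into a diff rather than a surprise.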
AWS Security Hub Grows Up with Richer Signal Correlation
Security signals are great, until they aren’t.
Every major enterprise is drowning in alerts from dozens of sources — VMs, APIs, endpoints, containers, user behavior. AWS Security Hub has always tried to wrangle that mess. But now, it’s growing smarter.
In preview now is a beefed-up version of Security Hub. It includes new features that try to do the hard part for you: surfacing what really matters.
Let’s break down the major additions:
- Exposure Summary: Automatically scans signals and highlights weak spots in your cloud footprint.
- Security Summary: Pinpoints posture gaps by correlating findings across tools like Amazon Inspector.
- Resource Summary: Builds an inventory of all assets and shows how serious each one’s issues are.
Rod Wallace from AWS put it bluntly: “Analytics is cool, but that’s not solving the issue.” It’s about prioritization — knowing which fire to put out first.
Here’s a quick snapshot of the three summary views:
| Feature | Function | Impact |
|---|---|---|
| Exposure Summary | Highlights security weaknesses | Faster identification of threats |
| Security Summary | Correlates vulnerabilities and policy gaps | Holistic understanding of security posture |
| Resource Summary | Inventory of assets and linked security issues | Clear visualization of risks per resource |
GuardDuty and Shield Step Into Container and Network Security
Containers are tricky. They’re lightweight, flexible, and often vulnerable if misconfigured. This year, AWS upgraded GuardDuty to keep an eye on EKS clusters, the backbone of many Kubernetes workloads.
GuardDuty now automatically correlates logs and behavior across:
- EKS audit logs
- Runtime container activity
- AWS API calls
Why’s this important? Multi-stage container attacks often slip through undetected. GuardDuty’s expanded scope helps catch lateral movement, privilege escalations, and other shady business that unfolds deep within EKS.
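The value of pulling those three sources together is that a single event in any one of them looks ordinary, while the same identity touching all three within a few minutes does not. The sketch below is an added example of that correlation idea, not GuardDuty's detection logic; it assumes the EKS audit, runtime and CloudTrail records have already been normalised to a common `identity` field and `ts` timestamp, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified events. Real EKS audit entries, runtime findings and
# CloudTrail records have different schemas; here each is reduced to
# source / identity / timestamp / detail.
EVENTS = [
    {"source": "eks_audit", "identity": "system:serviceaccount:default:web",
     "ts": "2025-06-17T10:00:05Z", "detail": "list secrets in namespace default"},
    {"source": "runtime", "identity": "system:serviceaccount:default:web",
     "ts": "2025-06-17T10:02:30Z", "detail": "unexpected network tool spawned in pod web-7f"},
    {"source": "cloudtrail", "identity": "system:serviceaccount:default:web",
     "ts": "2025-06-17T10:04:10Z", "detail": "sts:GetCallerIdentity from pod credentials"},
    {"source": "cloudtrail", "identity": "deploy-bot",
     "ts": "2025-06-17T09:00:00Z", "detail": "ecr:GetAuthorizationToken"},
    {"source": "runtime", "identity": "system:serviceaccount:default:web",
     "ts": "2025-06-17T12:30:00Z", "detail": "routine health check process"},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Group events by identity and report identities that appear in at least
    `min_sources` distinct sources inside any `window`-long stretch.
    Returns (identity, sorted source names) pairs."""
    by_identity = defaultdict(list)
    for event in events:
        by_identity[event["identity"]].append(event)

    chains = []
    for identity, evs in by_identity.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        best = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while _parse_ts(evs[end]["ts"]) - _parse_ts(evs[start]["ts"]) > window:
                start += 1
            sources = {e["source"] for e in evs[start:end + 1]}
            if len(sources) > len(best):
                best = sources
        if len(best) >= min_sources:
            chains.append((identity, sorted(best)))
    return chains


if __name__ == "__main__":
    for identity, sources in correlate(EVENTS):
        print(f"{identity}: activity across {', '.join(sources)}")
```

The 12:30 runtime event for the same service account is outside every ten-minute window and so does not inflate the chain; the window is what keeps an identity's normal background activity from being stitched into an incident.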
Meanwhile, AWS Shield got a new feature in preview: the network security director. Think of it as a map — but smarter. It scans configurations, finds weak links, and points out what needs fixing to fend off DDoS and network-based threats.
Rob Kennedy, AWS VP of network services, summed up what customers keep telling them: “I have large environments… and it’s hard to know if everything is configured properly.”
That’s what keeps people up at night.
Why All of This Matters
AWS isn’t reinventing the wheel here — but it’s tightening every bolt.
Taken together, these announcements reflect an increasingly clear mission: automate more, guess less, fix faster. Every feature aims to give customers better visibility, fewer false positives, and more time to focus on the hard problems.
Security has always been shared responsibility in the cloud. But AWS is making it clear it wants to take on a little more of the burden — and frankly, a lot of customers probably welcome the help.