Tuesday, June 24, 2025

AWS Doubles Down on Cloud Security With Major Upgrades Across Key Services

Amazon Web Services rolled out sweeping security updates at re:Inforce 2025, spotlighting a push for deeper threat visibility, simplified defenses, and sharper context around internal access.

AWS came to Philadelphia this week with a clear message: cloud security isn’t optional—it’s foundational. The tech giant introduced major enhancements across AWS Security Hub, GuardDuty, Shield, and IAM tools. And it hit a major milestone: 100% multi-factor authentication enforcement for high-risk accounts.

MFA Takes Center Stage in AWS’s Security Strategy

For years, AWS has been nudging users toward better account security. This week, it stopped nudging and planted the flag.

Amy Herzog, AWS’s Chief Information Security Officer, took the stage to declare a goal long in the making—full enforcement of MFA for all management and root-level accounts. The company also added support for FIDO2 passkeys, making passwordless access a real option.

“It’s the single best thing you can do to lock down your account,” Herzog told a packed audience. Short, firm, no fluff.

For AWS, the milestone isn’t just symbolic. MFA adoption helps defend against everything from credential theft to insider attacks. This could also put pressure on other cloud providers to catch up—or risk falling behind on user trust.


IAM Gets Sharper: New Insights, Fewer Blind Spots

Identity has always been tricky, especially in sprawling cloud environments. AWS wants to make it easier to know exactly who can access what.

A new feature called “internal access findings” was added to IAM Access Analyzer. It builds on years of access policy data and uses something AWS likes to call “automated reasoning” to highlight where permissions are too loose—or dangerous.

The tool checks access permissions daily and alerts teams when someone suddenly gets access to sensitive resources.

In Hart Rossman’s words—it’s like “having a mathematician in your pocket.” He leads global security services at AWS and believes identity should be the first stop during any incident investigation.

He’s not wrong.

  • Daily analysis of permissions to prevent unnoticed privilege creep

  • Alerts for new or risky permissions without manual deep dives

  • Unified dashboard to monitor internal and external access together

That last one is huge. Instead of switching tools or building custom scripts, security teams get a clean, contextual view in one place.

Security Hub Gets a Major Overhaul

AWS Security Hub is no longer just a dashboard with alerts—it’s starting to act like a virtual SOC analyst.

The new preview version of Security Hub adds contextualization layers that many teams have been building manually. Features like “exposure summary” and “security summary” now surface relevant insights without digging through mountains of log data.

The “resources summary” takes inventory of all cloud assets, shows where the vulnerabilities are, and tells you how bad the risk is.

Rod Wallace from AWS’s vulnerability management team said the goal is to cut through alert fatigue. “You want people solving problems, not buried under tier-1 tasks,” he said.

That resonated.

Three different views—exposure, security, and resources—combine to give users a better understanding of what’s at risk and what needs fixing first.

Expect these changes to reduce time-to-response for many security teams, especially in high-noise environments.

GuardDuty and Shield Expand Into Deeper Waters

Containers are great. Securing them? Less so. AWS GuardDuty now digs deeper into Amazon EKS clusters, analyzing runtime behavior, audit logs, and API calls to flag multi-stage threats.

Previously, attackers could pivot inside container environments unnoticed. Now, GuardDuty is hunting in those shadows.

This was one of the more technically dense updates, but also one of the most meaningful for cloud-native security.

Here’s a quick breakdown of GuardDuty’s container coverage additions:

| Feature | What It Does |
| --- | --- |
| EKS Threat Detection | Detects lateral movement & privilege escalation in container clusters |
| Data Correlation | Links runtime, audit, and API activity |
| Automatic Alerting | Flags anomalies without manual tuning |

On the Shield side, AWS added a “network security director” preview feature. It helps organizations spot DDoS vulnerabilities, misconfigured connections, and unprotected endpoints.

Vice President Rob Kennedy explained the demand: “People with big networks often don’t know if everything’s locked down properly. That’s the stuff that keeps them up at night.”

The director tool not only flags issues but ranks them based on risk and even offers specific remediation suggestions. That’s a far cry from vague alerts and long PDFs.

The Real Story? Context Over Chaos

Across the board, AWS is shifting away from just sending alerts. It’s now focusing on helping users understand what those alerts mean, what’s affected, and what to do next.

For big customers, that means less wheel-spinning and more targeted fixes. For small ones, it could mean actually standing a chance against complex threats.

Some security leaders at the event noted a common theme: visibility is useful, but context is critical. Whether through IAM improvements, Security Hub summaries, or GuardDuty’s expanded threat maps, AWS is clearly listening.

The re:Inforce 2025 conference wasn’t about shiny new tools—it was about making existing tools smarter.

Davis Emily
Emily is a versatile and passionate content writer with a talent for storytelling and audience engagement. With a degree in English and expertise in SEO, she has crafted compelling content for various industries, including business, technology, healthcare, and lifestyle, always capturing her unique voice.
