AWS re:Inforce was held in Philadelphia this year and serves as the smaller, security-focused counterpart to AWS re:Invent. Before we dive in, it's worth noting that AWS consistently releases products and features focused on improving customer experience, which our own research shows drives growth and competitive advantage. Through that framing, the announcements were heavy on identity, cloud, application, and perimeter security.
One big announcement (and a well-deserved victory lap for AWS): It officially announced 100% multifactor authentication enforcement for root users across all types of AWS accounts, an impressive and industry-leading achievement.
AWS also announced a string of other security-related enhancements, including cloud and identity security-related announcements:
- AWS Security Hub unifies. AWS is finally delivering a single place to manage threats across AWS from GuardDuty, IAM, Shield, etc. It's a win for consolidation and simplification, but the real test will be whether or not it actually reduces alert fatigue or just centralizes it. It's worth noting that Google also announced Google Unified Security at its April 2025 Google Cloud Next event. AWS Security Hub offers largely AWS endpoint cloud security posture management and cloud infrastructure entitlement management, but its multicloud coverage is behind Google's and Microsoft's comparable offerings.
- Amazon GuardDuty Extended Threat Detection extends (again). AWS announced Extended Threat Detection in December last year. It uses timeline views and attack sequence mapping for detection across applications, workloads, and data. Now that capability is expanded into container environments. Forrester expects AWS to continue productizing, unifying, and consolidating its cloud security capabilities and products.
- AWS Certificate Manager (ACM) allows the export of public certs. One of the biggest rounds of applause during the keynote was a new feature that allows the export of ACM-issued public certificates for use outside AWS. While not flashy, it's a practical move to support hybrid and multicloud environments, providing centralized visibility and control over TLS certificates at a time when certificate lifecycle automation is becoming more critical to operational resiliency.
- IAM Access Analyzer introduces internal access verification. The new feature lets security teams verify the roles and users that have access to AWS resources. A resource-centric dashboard view allows users to evaluate all possible access to a specific resource and confirm that the access is appropriately restricted and meets least-privilege requirements.
Perimeter and application security-related announcements included:
- Amazon Inspector code security expands to the develop stage of the software development lifecycle. This builds on its scanning capabilities for Elastic Compute Cloud, container images in Elastic Container Registry, and AWS Lambda to scan GitHub and GitLab code repositories. Amazon Inspector is delivering static application security testing, software composition analysis (SCA) for open-source dependencies, and infrastructure-as-code scanning feedback early in the software development lifecycle. Simple configuration allows scanning based on events, on a schedule, or on demand in a GitHub or GitLab environment using Inspector. This provides security teams with visibility into security findings before the code is deployed to production. For developers, pull request (PR) scanning delivers security feedback directly within their workflow. A link from the PR allows the developer to access the Inspector console to view code fix suggestions, remediation actions, and, for SCA findings, the closest package version where the vulnerability is resolved.
- AWS WAF has a new console experience. AWS Web Application Firewall (WAF) is a popular option for customers deploying applications in AWS, but we often hear customer complaints about ease of use. AWS's announcement that the WAF console got an overhaul to simplify the user experience is a step in the right direction. In addition, WAF and Shield customers are getting application-layer distributed denial of service (DDoS) protection built in, a common feature in other WAF platforms. AWS CloudFront also got a new, simplified onboarding experience.
- AWS Network Firewall now includes active threat defense. This new capability has a managed rule group that continuously updates based on threats observed across the AWS infrastructure and gives details on indicators of compromise such as names and types. These details are also included in a dedicated threat list for Amazon GuardDuty customers.
- In preview: AWS Shield adds network security director. Network security director takes AWS Shield beyond DDoS protection to help customers visualize network resources and evaluate their configuration against AWS best practices. Misconfigurations are prioritized by the severity level. Network security director promises to simplify security configurations by helping customers understand the topological relationship of AWS workloads to each other and the internet. It also provides a holistic view of security controls such as Virtual Private Cloud (VPC) security groups, VPC network access control lists, and AWS WAF, which can often have conflicting configurations or unexpected interactions.
In a world overtaken by generative AI agent announcements, they were conspicuously absent at re:Inforce. Announcements related to securing genAI were equally missing from the keynote. That said, automated reasoning was high on the list of topics mentioned regarding establishing guardrails for factual generative AI outputs. Forrester expects (hopes) that there will be bigger announcements later in the year at Amazon re:Invent related to genAI.
If you have more questions about the announcements out of AWS re:Inforce, book an inquiry or guidance session with me or one of my colleagues.