At AWS re:Inforce 2025, which wrapped up yesterday, AWS unveiled a powerful lineup of new security features and enhancements aimed at helping organizations better protect their cloud environments while simplifying day-to-day operations. From advanced multi-stage threat detection in Amazon EKS to exportable SSL/TLS certificates in AWS Certificate Manager, the announcements signal a continued push toward frictionless, scalable, and proactive cloud security.
Whether you’re a DevSecOps engineer, a cloud architect, or part of a growing startup, these updates are designed to help you shift security left, harden critical workloads, and gain unified visibility across your infrastructure. In this post, we’ll explore the most impactful security announcements from re:Inforce 2025 and how they can elevate your AWS security strategy going forward. Here they are:
Amazon Inspector Expands to Code Security, Enabling Early Vulnerability Detection Across Source and IaC
Amazon Inspector has officially launched its code security capabilities, now generally available, to help organizations shift vulnerability detection left, catching security issues earlier in the software development lifecycle. This new feature extends Inspector’s protection beyond runtime compute environments by scanning application source code, open-source dependencies, and Infrastructure as Code (IaC) templates for vulnerabilities and misconfigurations before they reach production.
With this expansion, developers and security teams can now integrate Amazon Inspector directly into their CI/CD pipelines or development workflows to:
- Automatically detect known vulnerabilities (CVEs) in source code dependencies
- Identify security misconfigurations in IaC templates (e.g., Terraform or AWS CloudFormation)
- Prioritize findings based on context, such as exploitability, severity, and environment
- Receive near real-time feedback, enabling quicker remediation without slowing down development cycles
Amazon Inspector’s code security also integrates with AWS Security Hub, AWS CodePipeline, and other developer tools to streamline DevSecOps practices and reduce time to resolution.
Key Benefits:
- Shift security left: Identify and fix issues during development, not after deployment
- Broadened coverage: Protects both application logic and the infrastructure that supports it
- Reduced risk in production: Proactive scanning minimizes the chance of deploying vulnerable code
- Developer-friendly tooling: Easily integrates with existing source control and CI/CD environments
By combining static code analysis with Inspector’s existing runtime protection, AWS empowers teams to build more secure applications from day one, accelerating delivery without compromising on security.
Amazon GuardDuty Enhances Threat Detection for Amazon EKS with Multi-Stage Attack Correlation
Amazon GuardDuty has expanded its Extended Threat Detection capabilities to now include Amazon Elastic Kubernetes Service (EKS) clusters, delivering advanced protection for containerized workloads. This enhancement enables GuardDuty to detect and correlate complex, multi-stage attacks by analyzing signals across multiple layers of the EKS environment, including Kubernetes audit logs, container runtime behaviors, and AWS API activity.
With this deeper integration, GuardDuty can automatically identify critical attack chains—such as privilege escalation, lateral movement, and exfiltration—within your Kubernetes environment, surfacing them as high-severity findings. These are often difficult to detect when monitoring signals in isolation.
Key Features and Benefits:
- Multi-source correlation: GuardDuty connects disparate signals—like suspicious pod activity, unusual API calls, and malicious container behavior—to build a full picture of ongoing threats.
- Automatic threat identification: The system uses machine learning to highlight “AttackSequence:EKS/CompromisedCluster” findings, pinpointing coordinated activity across layers.
- Actionable insights: Each finding includes detailed metadata, including compromised resources, IAM roles involved, attacker behavior, and MITRE ATT&CK mappings to aid fast investigation and remediation.
- Agentless and easy to enable: No need to install additional agents or reconfigure workloads. You can enable EKS protection directly from the GuardDuty console in just a few clicks.
- Support for organization-wide rollout: Security administrators can enable EKS threat detection across all accounts in an AWS Organization for consistent security at scale.
- Zero additional cost: This feature is included in the standard GuardDuty pricing—no extra fees for using EKS Extended Threat Detection.
This launch significantly strengthens Kubernetes workload security by helping teams detect and respond to advanced threats early, reducing the likelihood of breaches and business disruption. By combining container runtime visibility with control plane and API activity, GuardDuty provides a unified threat view across your containerized environments.
AWS IAM Access Analyzer Introduces Unified Access Insights for Critical Resources
AWS Identity and Access Management (IAM) Access Analyzer has introduced a significant new capability that enhances visibility into internal access to sensitive AWS resources across your entire organization. This new feature enables security teams, compliance officers, and cloud administrators to identify which IAM principals—users, roles, and services—have access to critical resources, such as:
- Amazon S3 buckets
- Amazon DynamoDB tables
- Amazon RDS snapshots
- And other resource types
The standout element of this feature is the use of automated reasoning technology, a form of mathematical logic that evaluates permissions with high precision. Instead of requiring teams to manually inspect and correlate various IAM, resource-based, SCP, and session policies, Access Analyzer automatically reasons through all applicable policies and generates accurate, actionable findings.
The results are displayed through a unified and intuitive dashboard within the IAM Access Analyzer console. This provides a centralized view of which principals—whether from the same account or across multiple AWS accounts within an organization—can access specified resources and under what conditions.
Key Benefits:
- Policy-aware access analysis: Understand effective access resulting from combinations of identity policies, resource policies, service control policies (SCPs), and session context (like permissions boundaries or session tags).
- Organization-wide visibility: Gain insights across the entire AWS Organization, not just individual accounts.
- Risk reduction: Proactively detect and mitigate overly permissive or unintended access before it becomes a security incident.
- Compliance support: Helps meet security audit requirements by demonstrating least privilege access and controlled internal resource exposure.
- Ease of use: Navigate and act on findings easily through a user-friendly interface, enabling faster remediation of access risks.
This capability is especially valuable in large-scale cloud environments, where hundreds of IAM roles and complex multi-account architectures make it difficult to understand the full picture of who can access what. With this release, AWS empowers teams to more confidently apply the principle of least privilege while streamlining security operations.
AWS Strengthens Account Security with Advanced MFA Enforcement
AWS has rolled out a major security enhancement with stricter Multi-Factor Authentication (MFA) enforcement, designed to safeguard accounts against unauthorized access. This update mandates MFA for root users across all AWS account types, including AWS Organizations, AWS GovCloud (US), and China regions, significantly improving the security posture for all customers.
This move is backed by strong evidence: enabling MFA helps prevent over 99% of password-related attacks, such as phishing, credential stuffing, and brute force attempts. By requiring an additional layer of authentication beyond just usernames and passwords, AWS ensures that even if credentials are compromised, access to the account remains protected.
Customers can now choose from a broad range of supported IAM MFA methods, including:
- FIDO2 security keys (such as YubiKeys or biometric devices)
- FIDO2 passkeys, which enable a more user-friendly and phishing-resistant authentication flow
- Time-based One-Time Password (TOTP) apps like Google Authenticator and Authy
- Virtual MFA devices on mobile apps
In addition to improving security, AWS is also expanding usability. Each IAM user or root user can now register up to 8 MFA devices, offering flexibility and redundancy, especially helpful for users who switch devices frequently or work across multiple machines.
Key highlights of this MFA enhancement include:
- Mandatory MFA for root accounts, reinforcing the security of the most privileged AWS identity
- Expanded regional support, including compliance-driven regions like GovCloud and AWS China
- Support for modern and secure FIDO2 authentication standards
- Improved administrative flexibility with multiple registered devices per user
This initiative is part of AWS’s ongoing effort to make security best practices the default behavior, encouraging customers to adopt stronger identity protection mechanisms with minimal friction.
Organizations are encouraged to audit their accounts, ensure MFA is enabled for all high-privilege users, and take advantage of the new features for broader security coverage.
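One concrete way to run the audit suggested above is to read the IAM credential report and list every principal that can sign in to the console without an MFA device. The script below is an added example, not AWS code or part of the original post; it uses a constructed report (a subset of the real report's columns) so it runs offline, and the optional boto3 fetch assumes AWS credentials are already configured.

```python
"""Audit an IAM credential report for principals that can sign in without MFA."""
import csv
import io

# Constructed sample in the layout of an IAM credential report (a subset of its
# columns). Account id and user names are placeholders, not real identities.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2025-06-01T00:00:00+00:00,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2025-06-10T00:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-05-06T00:00:00+00:00,true,2025-06-11T00:00:00+00:00,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-07-08T00:00:00+00:00,false,no_information,false,true
"""


def parse_credential_report(csv_text):
    """Parse the credential-report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def can_sign_in(row):
    """Root always has a console password (the report says 'not_supported' for
    it); an IAM user can sign in only when password_enabled is 'true'."""
    return row["user"] == "<root_account>" or row["password_enabled"] == "true"


def find_mfa_gaps(rows):
    """Return principals that can sign in to the console but have no MFA device.
    Root is listed first because it is the identity the new enforcement targets."""
    gaps = [r["user"] for r in rows if can_sign_in(r) and r["mfa_active"] != "true"]
    return sorted(gaps, key=lambda u: (u != "<root_account>", u))


def access_key_only_users(rows):
    """Users with an active access key but no console password. MFA does not
    protect these long-lived API credentials, so review them separately."""
    return [r["user"] for r in rows
            if r["user"] != "<root_account>"
            and r["password_enabled"] != "true"
            and r["access_key_1_active"] == "true"]


def fetch_live_report():
    """Pull the real report with boto3 (assumes credentials are configured).
    boto3 returns the Content blob as the CSV bytes, already base64-decoded."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    rows = parse_credential_report(SAMPLE_REPORT)
    print("Console sign-in without MFA:", find_mfa_gaps(rows))
    print("Access-key-only users:", access_key_only_users(rows))
```

Swap `SAMPLE_REPORT` for `fetch_live_report()` to run it against a real account; the `iam:GenerateCredentialReport` and `iam:GetCredentialReport` permissions are required.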
AWS Network Firewall Adds Managed Rule Group for Real-Time Threat Protection
AWS has introduced a new managed rule group for AWS Network Firewall, designed to provide organizations with real-time protection against active and evolving threats. This powerful capability is backed by Amazon’s internal threat intelligence system, MadPot, which continuously gathers and analyzes data from a globally distributed sensor network that emulates vulnerable systems to attract malicious activity.
The new managed rule group automatically integrates threat intelligence findings from MadPot, offering protection against a wide range of active threats, including:
- Malware-hosting domains and URLs
- Botnet command-and-control (C2) servers
- Cryptocurrency mining pools
- Other malicious infrastructure associated with known attack campaigns
By tracking these malicious entities, the rule group identifies indicators of compromise (IOCs) in near real-time and allows Network Firewall to take immediate action, either by blocking, alerting, or inspecting suspicious traffic.
This managed rule group is continuously updated, ensuring your firewall policies reflect the latest threat landscape without manual intervention. As a result, security teams can significantly reduce the window of exposure and stay ahead of emerging threats without the need to manually curate threat feeds or build custom detection rules.
Key benefits include:
- Simplified threat protection using fully managed, intelligence-driven rule groups
- Automated mitigation of threats without needing to rely on third-party feeds or tools
- Native AWS integration, making deployment seamless for existing VPC-based workloads
- Improved security posture across both inbound and outbound traffic patterns
This feature is particularly useful for highly regulated environments, such as finance, healthcare, and government workloads, where early threat detection and response are critical.
By embedding Amazon’s threat detection capabilities into the firewall, AWS enables customers to protect their infrastructure with the same intelligence Amazon uses internally, further strengthening the overall cloud security posture.
AWS Certificate Manager Now Supports Exportable Public SSL/TLS Certificates
AWS Certificate Manager (ACM) has introduced support for exportable public SSL/TLS certificates, marking a significant step forward in certificate management flexibility. Previously, public certificates issued by ACM were tightly scoped for use within specific AWS services like Elastic Load Balancing (ELB), CloudFront, and API Gateway. Now, with this enhancement, customers can request and export publicly trusted certificates to use not only within AWS but also across hybrid and multicloud environments, or even on-premises infrastructure.
This new capability is especially valuable for organizations managing complex or distributed architectures that span multiple clouds or on-premise systems. With exportable certificates, security teams can standardize their TLS/SSL configurations across all environments using ACM as the single source of issuance, ensuring consistent security policies and compliance.
The export process is straightforward and secure. Once a certificate is issued through ACM, it can be downloaded in PEM-encoded format, including the certificate, certificate chain, and encrypted private key. You can then use standard OpenSSL tools or AWS SDKs to integrate these certificates into web servers, devices, or third-party platforms.
Additionally, AWS maintains strong compliance with industry standards for public certificates, ensuring that exported ACM certificates are recognized by major browsers and operating systems. You also benefit from ACM’s automation features such as managed renewals and lifecycle tracking—even if the certificate is used outside of AWS.
With this release, AWS Certificate Manager becomes a more versatile tool for DevOps, security engineers, and platform teams looking to unify certificate provisioning across complex infrastructures—all while maintaining a secure and scalable public key infrastructure (PKI).
AWS WAF Unveils Streamlined Console with Pre-Configured Protection Packs
AWS Web Application Firewall (WAF) has introduced a streamlined console experience that dramatically simplifies the process of securing web applications, reducing configuration time by up to 80%. This enhancement is aimed at helping both beginner and experienced security teams deploy comprehensive, best-practice protections without having to build rules from scratch.
At the core of this update are pre-configured protection packs, which bundle curated rule groups optimized for common application types such as:
- Public-facing websites
- APIs
- Content delivery platforms
- E-commerce applications
These protection packs are designed by AWS security experts and reflect the most common attack vectors, such as SQL injection, cross-site scripting (XSS), bot abuse, and application layer DDoS.
Key Benefits:
- Accelerated Setup: Quickly deploy robust security without deep WAF expertise.
- Tailored Protection: Choose protection packs that align with the architecture and risk profile of your specific application type.
- Customizable Controls: While protection packs provide a strong default, users can still fine-tune individual rules and thresholds to meet unique needs.
- Consolidated Security Metrics: The new interface provides centralized visibility into traffic trends, threat detections, and mitigation activity—all from a single dashboard.
- Improved Usability: The intuitive design ensures that teams of any skill level can easily configure, monitor, and manage WAF protections.
This release reflects AWS’s continued push to make enterprise-grade security accessible and operationally efficient, even for teams without deep security backgrounds. By combining automation with best-practice defaults, AWS WAF enables organizations to rapidly strengthen application security while maintaining agility in deployment.
Amazon CloudFront Launches Simplified Console to Streamline Web Application Delivery and Security
Amazon CloudFront has introduced a revamped, user-friendly console interface that makes delivering and securing web applications faster and easier than ever. This new experience is designed to help developers and DevOps teams quickly set up secure, high-performance content delivery networks (CDNs) with minimal manual configuration.
With just a few clicks, users can now automate critical setup processes, including:
- TLS certificate provisioning via AWS Certificate Manager (ACM)
- DNS configuration using Amazon Route 53
- Security integration through AWS WAF with enhanced pre-configured Rule Packs
By combining CloudFront’s performance optimization capabilities with built-in application-layer security, this interface reduces the time, effort, and expertise needed to launch and secure modern web applications. Users can benefit from automatic best-practice configurations, helping protect against common threats like SQL injection, cross-site scripting (XSS), and bot traffic—without diving deep into manual WAF rule customization.
Key Benefits:
- Faster deployment: Easily configure secure content delivery with guided workflows
- Integrated security: Seamless AWS WAF setup with curated Rule Packs for immediate protection
- Reduced complexity: No need to separately manage DNS, TLS, and firewall settings
- Developer-friendly: Designed for simplicity while retaining customization options
This simplified console reflects AWS’s continued commitment to improving usability and making powerful cloud services more accessible, even for teams with limited cloud or networking expertise. Whether you’re launching a static website, streaming media, or running dynamic APIs, this new interface makes CloudFront setup easier, more secure, and faster to production.
Conclusion
AWS continues to raise the bar for cloud security, usability, and observability with a wave of powerful new enhancements across its services. From GuardDuty’s extended threat detection for Amazon EKS to Amazon Inspector’s proactive code scanning, and from exportable SSL/TLS certificates in ACM to a streamlined AWS WAF and CloudFront console experience, these updates reflect a clear focus on simplifying security while increasing its depth and coverage. By integrating advanced automation, machine learning, and threat intelligence, AWS is helping organizations shift left, respond faster, and secure their applications at every layer—whether in a single cloud, hybrid, or multicloud environment.