AI on Lockdown: AWS Re:Inforce 2025 Delivers Cloud Security Upgrades
AWS used its annual security-focused event to introduce a lineup of managed services and tooling updates designed to meet the growing threat landscape facing organizations building and operating AI in the cloud.
Held June 10-12 in Philadelphia, AWS re:Inforce 2025 brought together security professionals, developers, and enterprise customers for Amazon Web Services' annual cloud security conference. The event featured a series of announcements across threat detection, identity management, data protection, and workload security, with a notable emphasis on supporting AI-driven cloud environments.
Here's a roundup of the key announcements from the event:
GuardDuty Expands Extended Threat Detection Coverage to Amazon EKS Clusters
AWS announced expanded support for Amazon Elastic Kubernetes Service (Amazon EKS) within Amazon GuardDuty's Extended Threat Detection. The new capability enhances runtime security for Kubernetes environments by automatically detecting multistage attacks that may otherwise evade traditional tools.
According to AWS, the service "provides comprehensive security monitoring across your Kubernetes environment" and can "detect sophisticated multistage attacks by correlating events across different data sources, identifying attack sequences that traditional monitoring might miss." These attack sequences may include container exploitation, privilege escalation, or unauthorized access to Kubernetes secrets and AWS resources.
GuardDuty Summary (source: AWS).
The detection engine correlates activity across:
- Amazon EKS audit logs
- Runtime behaviors within containers
- Malware execution events
- AWS API activity
To enable detection, customers can turn on one or both of the following features:
- EKS Protection -- Monitors audit logs for control plane activity
- Runtime Monitoring -- Observes container process behavior from inside the cluster
"Together, they create a complete view of your EKS clusters, enabling GuardDuty to detect complex attack patterns," AWS said.
Each finding includes context such as the timeline of events, affected resources, actor identities, and mapped MITRE ATT&CK techniques. GuardDuty also provides a visual dashboard and detailed resource lists to help teams triage incidents and prioritize remediation.
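Extended Threat Detection for EKS only has a complete picture when both inputs above are switched on. The following Python example, added here and not AWS code, reads a detector's feature list in the shape returned by the GuardDuty GetDetector API, reports which of EKS_AUDIT_LOGS and RUNTIME_MONITORING (with its EKS_ADDON_MANAGEMENT agent setting) is still off, and builds the matching UpdateDetector features payload; the sample detector is constructed for the example.

```python
"""Coverage check for GuardDuty EKS Extended Threat Detection inputs.

Feature names follow the GuardDuty DetectorFeature API; the sample detector
below is constructed for this example, not a real API response.
"""

# The two sources GuardDuty correlates for EKS clusters.
REQUIRED_FEATURES = ("EKS_AUDIT_LOGS", "RUNTIME_MONITORING")
# Runtime Monitoring only observes container processes once its agent runs;
# EKS_ADDON_MANAGEMENT lets GuardDuty deploy that agent as an EKS add-on.
REQUIRED_ADDITIONAL = {"RUNTIME_MONITORING": "EKS_ADDON_MANAGEMENT"}

# Constructed sample shaped like get_detector()["Features"]: audit logs on,
# Runtime Monitoring on, but agent management left disabled.
SAMPLE_FEATURES = [
    {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
    {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
    {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
     "AdditionalConfiguration": [
         {"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}]},
]


def eks_coverage_gaps(features):
    """Return feature / additional-configuration names that are missing or
    disabled for EKS Extended Threat Detection, in a stable order."""
    by_name = {f["Name"]: f for f in features}
    gaps = []
    for name in REQUIRED_FEATURES:
        feature = by_name.get(name, {})          # absent feature == disabled
        if feature.get("Status") != "ENABLED":
            gaps.append(name)
        extra = REQUIRED_ADDITIONAL.get(name)
        if extra:
            configs = {c["Name"]: c.get("Status")
                       for c in feature.get("AdditionalConfiguration", [])}
            if configs.get(extra) != "ENABLED":
                gaps.append(extra)
    return gaps


def enable_payload(gaps):
    """Build the Features argument for update_detector() that enables
    everything reported by eks_coverage_gaps(); empty when nothing is missing."""
    payload = []
    for name in REQUIRED_FEATURES:
        extra = REQUIRED_ADDITIONAL.get(name)
        if name in gaps or (extra and extra in gaps):
            entry = {"Name": name, "Status": "ENABLED"}
            if extra:
                entry["AdditionalConfiguration"] = [{"Name": extra, "Status": "ENABLED"}]
            payload.append(entry)
    return payload
```

Pass the returned payload as `Features=` to `update_detector` (boto3) for each detector, or run the gap check alone as a scheduled coverage audit.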
AWS Security Hub Adds Unified Risk Prioritization Dashboard
AWS introduced a major preview release of an enhanced AWS Security Hub at re:Inforce 2025, designed to give organizations a centralized, risk-driven view of their AWS security posture. The new version adds deeper integration with other AWS security tools, correlates findings automatically, and provides a redesigned summary dashboard for streamlined triage and prioritization.
AWS Security Hub (source: AWS).
AWS described the revamped hub as offering "additional correlation, contextualization, and visualization capabilities" to help customers "prioritize critical security issues, respond at scale to reduce risks, improve team productivity, and better protect your cloud environment."
The unified dashboard aggregates findings from services such as:
- Amazon GuardDuty
- Amazon Inspector
- AWS Security Hub CSPM (Cloud Security Posture Management)
- Amazon Macie
The new interface organizes findings into five key areas:
- Exposure -- Highlights misconfigurations or vulnerabilities that could expose resources to attack
- Threats -- Displays threat intelligence findings from GuardDuty
- Vulnerabilities -- Surfaces software flaws and exposures via Amazon Inspector
- Posture management -- Flags compliance issues and best-practice violations
- Sensitive data -- Identifies findings from Amazon Macie around exposed or mismanaged data
One standout feature is the new Exposure summary widget, which "helps you identify and prioritize security exposures by analyzing resource relationships and signals" from the connected services. Findings include attack path visualizations that map relationships between components such as VPCs, security groups, IAM permissions, and more.
The update also introduces a Security coverage widget that helps customers identify gaps in security controls across accounts and services. The Resources view shows an inventory of covered assets and lets teams filter by severity, type, or finding count for fast triage.
Security Hub is now built using the Open Cybersecurity Schema Framework (OCSF), which AWS says enables "seamless data exchange across your security capabilities with normalized data formats."
The new version is available in preview at no additional cost in more than 20 AWS Regions globally, with customers only incurring charges for underlying services like GuardDuty, Inspector, Macie, and CSPM.
Amazon Threat Intelligence Powers New Active Threat Defense in AWS Network Firewall
AWS unveiled a new managed rule group for AWS Network Firewall called active threat defense, designed to automatically block communications with known malicious infrastructure. Powered by AWS's internal threat intelligence system MadPot, the feature detects and mitigates live threats such as botnet traffic, malware staging hosts, and crypto mining pools.
According to AWS, the feature "uses the Amazon threat intelligence system MadPot, which continuously tracks attack infrastructure, including malware hosting URLs, botnet command and control servers, and crypto mining pools, identifying indicators of compromise (IOCs) for active threats."
The rule group, named AttackInfrastructure, is deployed within firewall policies and continuously updated with fresh threat indicators. When active, it blocks both inbound and outbound traffic associated with IOCs using high-fidelity signatures verified by AWS researchers.
Categories of threat indicators covered include:
- Command-and-control (C2) servers
- Malware staging hosts
- Sinkholes
- Out-of-band testing (OAST) infrastructure
- Crypto mining pools
The system supports multiple protocols including TCP, UDP, DNS, HTTPS, and HTTP, and integrates with Amazon GuardDuty by tagging findings with the "Amazon Active Threat Defense" label for visibility and correlation.
Key benefits highlighted by AWS:
- Threat prevention: "Automatically blocks malicious traffic using Amazon threat intelligence to identify and prevent active threats targeting workloads in AWS"
- Rapid protection: Updates rules based on new threats for immediate response
- Streamlined operations: Seamless integration with GuardDuty for alert visibility
- Collective defense: Deep threat inspection (DTI) enables shared intelligence among AWS users
To deploy the rule group, users can enable it through the AWS Management Console, CLI, or SDK, then attach it to their Network Firewall policy. The capability is supported in all AWS Regions, including AWS GovCloud and China Regions.
AWS recommends using the TLS inspection feature for HTTPS traffic to maximize threat visibility. "TLS inspection enables active threat defense to analyze the actual content of encrypted connections, allowing it to identify and block malicious URLs that might otherwise pass undetected."
Customers are also advised to review rule capacity limits and manage false positives by tuning alert settings in firewall policies. Pricing details are available on the AWS Network Firewall pricing page.
And Much More
While those are the key highlights of the event, other news included:
- MFA Now Enforced for Root Users: AWS Identity and Access Management (IAM) now requires multi-factor authentication (MFA) for the root user of all AWS accounts, including standalone accounts and those in organizations.
- Exportable SSL/TLS Certificates from AWS Certificate Manager: AWS Certificate Manager introduced support for exportable public certificates, allowing customers to use these SSL/TLS assets outside AWS environments.
- New CloudFront Console Experience: Amazon CloudFront launched a redesigned console interface focused on simplifying web application delivery and enhancing security configuration.
- Improved Security for Express APIs Using Verified Permissions: Amazon Verified Permissions can now be used to secure Express.js APIs within minutes, with built-in policy templates and scalable access control.
- Amazon Inspector Adds Code-Level Vulnerability Detection: A preview of new code security features in Amazon Inspector enables scanning application code for vulnerabilities, shifting security left in the development lifecycle.
- AWS Backup Introduces Multi-Party Approval for Air-Gapped Vaults: AWS Backup now supports multi-party approval workflows for changes to logically air-gapped vaults, enhancing protection against insider threats and unauthorized actions.
- AWS WAF Simplifies Web App Security: AWS Web Application Firewall (WAF) added configuration profiles and automated protections that reduce complexity for developers and improve security coverage by default.
- AWS MSSP Competency Updated for Turnkey Security Solutions: Enhancements to the AWS Managed Security Service Provider (MSSP) Competency streamline delivery of managed security services, including threat monitoring and incident response.
About the Author
David Ramel is an editor and writer at Converge 360.