AWS re:Inforce: ‘Security is at the Foundation of Cloud Innovation’

AWS is holding its annual cybersecurity event in Philadelphia; security is an area the company considers critical to further innovation and agility in the cloud.
The US city of Philadelphia is hosting a new edition of the AWS re:Inforce conference this week, where the leading public cloud provider is highlighting its commitment to security and its importance as a basis for providing its customers with the rest of its cloud services with efficiency and agility.
This conference was born in 2019 as a ‘spin-off’ of AWS re:Invent, the company’s main conference, in order to give more prominence to cybersecurity, which is intrinsic to every hyperscale service in one way or another.
Amy Herzog, recently appointed CISO of AWS, stressed during the opening keynote of the event that in today’s digital environment, innovation and security are not opposites, but inseparable allies: ‘AWS’ main goal is to gain and maintain the trust of its customers, from startups to national governments, by providing the most secure environment possible’.
Thousands of professionals are finding here practical skills and strategies to foster secure cloud innovation through the latest tools provided by both AWS and its partners.
This year another key player in the technology sector joins the conversation: generative AI, whose adoption and maturity are accelerating, but which also needs to be secured to prevent data leaks and breaches from potential attacks.
During the first day, AWS provided details on key areas where a solid security foundation must be applied: identity and access management, data and network security, monitoring and migration/modernisation to the cloud.
Identity and access management
In modern systems, identity and access management is not just a part of security, it is fundamental to all operations, as Herzog explained. Identity is synonymous with trust, ensuring that you know who a user is and therefore what they can access.
AWS Identity and Access Management (IAM) is designed to address the complex needs of authentication and authorisation in the cloud on a massive scale, handling approximately 1.2 billion API calls per second worldwide. In other words, the AWS architecture is capable of allowing or denying that many calls without impacting overall service performance.

To achieve this, the provider says it has developed a unique and powerful policy language that enables granular access control to all resources, from the launch of an EC2 instance to the use of models in Amazon Bedrock.
One of the key tools in this area is IAM Access Analyzer. Previously, permissions configuration was an upfront and complex task, but AWS recognised that it is an ongoing process that evolves with the needs of the business. Access Analyzer proactively scans resource policies for unintended exposures, identifies recently unused roles, users and permissions, and can automatically create IAM policies based on AWS CloudTrail logs.
AWS has announced the general availability of Internal Access Findings, a new capability of Access Analyzer. Powered by automated reasoning, this feature allows you to see exactly who within the company has access to important AWS resources. The tool analyses various types of policies (identity, resource, service control policies) and identifies which AWS roles and users have access to specific resources. All access information is consolidated into a single dashboard, making it easy to detect and correct security issues. On top of that, the system automatically checks access permissions every day, notifying you when someone new gains access to something critical.
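The two Access Analyzer capabilities described above, finding unused permissions and generating a policy from CloudTrail activity, can be illustrated with a small offline model. The following is an added example, not AWS code and not how Access Analyzer is implemented: it takes a constructed identity policy and constructed CloudTrail records, maps each record to an IAM action name using the usual `service:EventName` convention (an assumption that holds for most but not all services), and reports which granted action patterns were never exercised, which observed actions the policy does not grant, and a least-privilege policy built only from observed actions. It deliberately ignores `Resource`, `Condition` and `Deny` statements, which a real review must account for.

```python
"""Added example (not AWS code): unused-permission review and least-privilege
policy generation from CloudTrail activity, using constructed sample data."""
import fnmatch
from collections import defaultdict

# Constructed identity-based policy attached to a role (sample, not a real account).
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed CloudTrail records for the same role over the review window.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-06-16T10:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2025-06-16T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2025-06-16T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventTime": "2025-06-16T10:09:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventTime": "2025-06-16T10:30:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"},
]


def event_to_action(event):
    """Map a CloudTrail record to an IAM action name.

    Assumption: the action is `<service prefix>:<eventName>`, e.g.
    s3.amazonaws.com / GetObject -> s3:GetObject. Some services deviate from
    this convention, so a production tool needs a per-service mapping table.
    """
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def _actions(statement):
    """Normalise the Action element, which may be a string or a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def observed_actions(events):
    """Distinct actions seen in the log, sorted for stable output."""
    return sorted({event_to_action(e) for e in events})


def unused_permissions(policy, events):
    """Granted action patterns (Allow statements only) that no logged action matched."""
    used = observed_actions(events)
    unused = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _actions(stmt):
            if not any(_matches(pattern, a) for a in used):
                unused.append(pattern)
    return unused


def ungranted_actions(policy, events):
    """Logged actions this policy does not allow (granted elsewhere, or worth a look)."""
    patterns = [p for s in policy["Statement"]
                if s.get("Effect") == "Allow" for p in _actions(s)]
    return [a for a in observed_actions(events)
            if not any(_matches(p, a) for p in patterns)]


def generate_least_privilege_policy(events, resource="*"):
    """Build an Allow-only policy listing exactly the actions observed, one
    statement per service. The Resource is left for the reviewer to scope down."""
    by_service = defaultdict(list)
    for action in observed_actions(events):
        by_service[action.split(":")[0]].append(action)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}
                          for _, actions in sorted(by_service.items())]}


if __name__ == "__main__":
    print("unused:", unused_permissions(GRANTED_POLICY, CLOUDTRAIL_EVENTS))
    print("not granted here:", ungranted_actions(GRANTED_POLICY, CLOUDTRAIL_EVENTS))
    print("least privilege:", generate_least_privilege_policy(CLOUDTRAIL_EVENTS))
```

Run stand-alone, the script reports `s3:DeleteObject` and the whole `iam:*` grant as unused, flags `sts:AssumeRole` as used but not granted by this policy, and emits a policy with only the three services actually seen. The wildcard matching is what makes `ec2:Describe*` count as used once a single `DescribeInstances` call appears, which is also why a broad grant can look “used” while still being far wider than needed.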
The AWS CISO emphasised the need to eliminate credentials in the long term, as they create a persistent security risk. While credential rotation is a short-term measure, the long-term strategy is to replace them with temporary, lower-privilege credentials. Tools such as IAM Instance Profiles, identity federation, IAM Roles (which provide temporary credentials without the need for rotation) and IAM Anywhere (for hybrid and multi-cloud workloads) facilitate this transition.
To conclude the section on IAM, the company announced that it has become the first cloud provider to require MFA (Multi-Factor Authentication) for management and standalone accounts with root access. ‘We have achieved 100% MFA compliance for root users across all types of AWS accounts. In addition, we have made it easier to use strong MFA by supporting FIDO2 passkeys and by supporting up to eight MFA devices per root or IAM user to avoid issues with lost tokens.’
Data and network security: in-depth protection and scalability
While IAM controls access, data security requires additional layers of protection and control. In a world of changing dynamics and evolving policies, control over data location has become crucial. ‘AWS offers the most advanced set of controls and sovereignty features in the cloud, including control over data location, verifiable control over who can access it, sovereign and resilient options, and the ability to encrypt everything everywhere,’ Herzog emphasised, explaining that data encryption, which was previously costly and complex, is now free on AWS.
AWS does not rely on a single layer of protection, but on defence in depth. Traffic on the AWS network is ubiquitously encrypted at the physical link, and traffic in VPCs (Virtual Private Clouds) is transparently encrypted, often resulting in three or more layers of encryption as it moves through the network, all while maintaining extremely high network performance.

Digital certificate management is another key challenge. AWS Certificate Manager (ACM) simplifies the provisioning, management and deployment of TLS certificates.
This is where another of the announced new features comes into play: ACM’s Exportable Public Certificates. It is now possible to request public certificates issued by ACM and their private keys for use both inside and outside AWS. When requesting a public certificate through ACM, you have the option to designate it as exportable, allowing you to download the certificate and private key for use wherever you want. This provides the value of centralised certificate management, managed renewals and automatic rotation notifications, all at a lower price than other commercial certification authorities, according to AWS.
In terms of network protection, AWS Shield has been the defence against DDoS events. However, ‘identifying resources that require protection can be complex,’ the executive continued, which led to another new feature (this time in preview): AWS Shield Network Security Director. This is ‘a service that extends protection from DDoS defence to comprehensive network security management.’
The new AWS Shield interface offers an intuitive dashboard that classifies issues by severity, along with step-by-step instructions for remediating them quickly. In addition, customers can now use Amazon Q, AWS’s generative AI assistant for professional environments, to get guidance through natural conversations, simplifying navigation through complex security configurations.
For its part, AWS Web Application Firewall (WAF) blocks attempts to exploit applications, allowing the creation of precise security rules to filter malicious traffic, such as SQL injection or cross-site scripting attempts, or to block access from specific geographic locations.
What is new about this service is a simplified console experience that turns application and API security configuration into an onboarding wizard that ‘can reduce the steps required for initial application security configuration by 80%, allowing security teams to protect their applications in minutes rather than hours.’
The importance of proactive monitoring
Monitoring is critical to security, but the challenge lies in knowing what to monitor and how to do it effectively. Often, ‘security gravitates toward detecting what is easy to identify,’ which Herzog compared to the ‘streetlight effect’ in cybersecurity: you look where the light is brightest, not necessarily where the greatest threat is.
‘AWS inspects more than 36 billion telemetry events on average every day for signs of reconnaissance, unauthorised access, lateral movement or other attack techniques,’ she said.
This area covers tools such as Amazon CloudWatch, AWS CloudTrail and Amazon Security Lake, which provide visibility into resource security and API usage. Amazon GuardDuty, meanwhile, uses AI to minimise false positives and enable reliable automation.
AWS has provided more details about Amazon GuardDuty Extended Threat Detection (XTD), which uses AI and ML to automatically correlate security signals across AWS services and detect critical and more sophisticated threats.
GuardDuty XTD has gained enhanced capabilities such as advanced behaviour analysis, greater accuracy with fewer false positives, and new coverage for EKS (Elastic Kubernetes Service) clusters.
Finally, AWS has announced a preview of the enhanced AWS Security Hub. This is a unified cloud security solution that combines signals from all AWS security services and transforms them into actionable information, helping to prioritise critical security issues and respond at scale. The new capabilities correlate and enrich broad and deep security signals to detect and prioritise active risks.
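The common thread of GuardDuty Extended Threat Detection and the enhanced Security Hub, as described above, is correlating individual signals into a single prioritised finding rather than triaging them one by one. The following is an added example, not AWS code and not the actual GuardDuty or Security Hub logic: it takes constructed signals from several sources, groups those that concern the same entity and fall within a time window, labels each group with the sequence of tactics observed (the quote above mentions reconnaissance, unauthorised access and lateral movement), and scores it with a simple heuristic (highest single severity plus one per additional distinct tactic, capped at 10) so that a multi-stage sequence outranks an isolated high-severity alert. Field names, tactic labels, severities and the scoring rule are all assumptions made for the example.

```python
"""Added example (not AWS code): correlate per-service security signals into
prioritised multi-stage findings, using constructed sample data."""
from datetime import datetime, timedelta

# Constructed signals of the kind an aggregator receives from several services.
# 'entity' is the principal or resource the signal is about (sample values).
SIGNALS = [
    {"time": "2025-06-16T09:00:00Z", "source": "GuardDuty", "entity": "role/app-worker",
     "tactic": "Discovery", "severity": 3},
    {"time": "2025-06-16T09:05:00Z", "source": "CloudTrail", "entity": "role/app-worker",
     "tactic": "CredentialAccess", "severity": 4},
    {"time": "2025-06-16T09:20:00Z", "source": "GuardDuty", "entity": "role/app-worker",
     "tactic": "LateralMovement", "severity": 6},
    {"time": "2025-06-16T09:40:00Z", "source": "CloudTrail", "entity": "role/app-worker",
     "tactic": "Exfiltration", "severity": 7},
    {"time": "2025-06-16T11:00:00Z", "source": "Inspector", "entity": "instance/i-0example",
     "tactic": "Vulnerability", "severity": 5},
    # Same principal a day earlier: too far from the later activity to belong to it.
    {"time": "2025-06-15T02:00:00Z", "source": "GuardDuty", "entity": "role/app-worker",
     "tactic": "Discovery", "severity": 3},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _score(cluster):
    """Heuristic (assumed for the example): max severity + 1 per extra distinct tactic, capped at 10."""
    tactics = list(dict.fromkeys(s["tactic"] for s in cluster))
    return min(10, max(s["severity"] for s in cluster) + len(tactics) - 1)


def _finding(cluster):
    tactics = list(dict.fromkeys(s["tactic"] for s in cluster))
    return {
        "entity": cluster[0]["entity"],
        "first_seen": cluster[0]["time"],
        "last_seen": cluster[-1]["time"],
        "tactics": tactics,
        "sources": sorted({s["source"] for s in cluster}),
        "signal_count": len(cluster),
        "correlated": len(tactics) >= 2,
        "score": _score(cluster),
    }


def correlate(signals, window=timedelta(hours=2)):
    """Group signals per entity; a new group starts whenever the gap since the
    previous signal for that entity exceeds `window`. Returns one finding per group."""
    by_entity = {}
    for signal in sorted(signals, key=lambda s: _parse_time(s["time"])):
        by_entity.setdefault(signal["entity"], []).append(signal)

    findings = []
    for entity_signals in by_entity.values():
        cluster = [entity_signals[0]]
        for signal in entity_signals[1:]:
            gap = _parse_time(signal["time"]) - _parse_time(cluster[-1]["time"])
            if gap <= window:
                cluster.append(signal)
            else:
                findings.append(_finding(cluster))
                cluster = [signal]
        findings.append(_finding(cluster))
    return findings


def prioritise(findings):
    """Highest score first; ties broken by number of signals, then by most recent activity."""
    return sorted(findings,
                  key=lambda f: (f["score"], f["signal_count"], f["last_seen"]),
                  reverse=True)


if __name__ == "__main__":
    for f in prioritise(correlate(SIGNALS)):
        print(f["score"], f["entity"], "->".join(f["tactics"]), f["sources"])
```

On the constructed data the four-stage sequence on `role/app-worker` scores 10 and lands at the top of the queue, the unpatched instance scores 5, and the isolated discovery signal from the previous day scores 3 as a separate, uncorrelated finding. The window-based grouping is the simplest form of the correlation the article describes; a real system also keys on related resources (a role and the instance that assumed it) rather than on an exact entity string.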
Migration and modernisation, the path to greater security
Migrating to the cloud represents a transformative change in security management, offering a shared responsibility model where AWS takes care of securing the infrastructure, allowing customers to focus on the security of their own resources. ‘Unlike on-premises environments, where organisations bear the full burden of security, AWS customers inherit world-class physical security, and AWS services integrate security directly into their design,’ Herzog said.
The ultimate goal should be modernisation, which involves moving solutions higher up the technology stack and leveraging more managed services such as Lambda, S3 or KMS. This not only increases security, but also reduces reliance on manual configuration (prone to human error), as the infrastructure for these services is patched and managed by AWS.
Meanwhile, regular patching plays a critical role as a first line of defence against vulnerabilities. AWS promotes a mindset where these updates are integrated into security and operations practices, using automated continuous delivery through CI/CD pipelines.
AWS provides several tools to facilitate patching across the technology stack:
* AWS Systems Manager: Patching at the operating system level.
* Amazon ECR Scanning: Automatically scans container images for vulnerabilities and provides possible solutions.
* AWS CodeArtifact: Helps maintain private repositories of patched and verified dependencies.
* Amazon Inspector: Automatically assesses applications for vulnerabilities and deviations from best practices, integrating directly with Security Hub to provide recommendations prioritised by risk level.
Herzog concluded her presentation by explaining that ‘migration and modernisation, while complex, offer transformative benefits in scalability, resilience and security, and AWS partners are very important in helping customers address these challenges’.
Over the next few days, we will continue to report on everything that happened at AWS re:Inforce 2025.