AWS re:Inforce 2025 — Light On Generative AI, Heavy On User Experience Enhancements
AWS re:Inforce was held in Philadelphia this year and serves as the smaller, security-focused counterpart to AWS re:Invent. Before we dive in, it’s worth noting that AWS security consistently releases products and features that serve one purpose: improving customer experience to ultimately raise customer cloud spend. Through that framing, the announcements were heavy on identity, cloud, application, and perimeter security.
One big announcement (and a well-deserved victory lap for AWS): It officially announced 100% multifactor authentication enforcement for root users across all types of AWS accounts, an impressive and industry-leading achievement.
AWS also announced a string of other security-related enhancements, including cloud and identity security-related announcements:
- AWS Security Hub unifies. AWS is finally delivering a single place to manage threats across AWS from GuardDuty, IAM, Shield, etc. This is a win for consolidation and simplification, but the real test will be whether it actually reduces alert fatigue or just centralizes it. It’s worth noting that Google also announced Google Unified Security at its April 2025 Google Cloud Next event. AWS Security Hub offers largely AWS-native cloud security posture management and cloud infrastructure entitlement management, but its multicloud coverage is behind Google’s and Microsoft’s similar offerings.
- Amazon GuardDuty Extended Threat Detection extends (again). AWS announced Extended Threat Detection in December last year. It uses timeline views and attack sequence mapping for detection across applications, workloads, and data. Now that capability is expanded into container environments. Forrester expects AWS to continue productizing, unifying, and consolidating its cloud security capabilities and products.
- AWS Certificate Manager (ACM) enables the export of public certs. One of the biggest rounds of applause during the keynote was a new feature that enables the export of ACM-issued public certificates for use outside AWS. While not flashy, it’s a practical move to support hybrid and multicloud environments, providing centralized visibility and control over TLS certificates at a time when certificate lifecycle automation is becoming more critical to operational resiliency.
- IAM Access Analyzer introduces internal access verification. The new feature lets security teams verify the roles and users that have access to AWS resources. A resource-centric dashboard view allows users to evaluate all possible access to a selected resource and confirm that the access is appropriately restricted and meets least-privilege requirements.
Perimeter and application security-related announcements included:
- Amazon Inspector code security expands to the development stage of the software development lifecycle. This builds on its existing scanning capabilities for Elastic Compute Cloud, container images in Elastic Container Registry, and AWS Lambda by adding scanning of GitHub and GitLab code repositories. Amazon Inspector delivers static application security testing (SAST), software composition analysis (SCA) for open-source dependencies, and infrastructure-as-code scanning feedback early in the software development lifecycle. Simple configuration enables scanning based on events, on a schedule, or on demand in a GitHub or GitLab environment. This gives security teams visibility into security findings before the code is deployed to production. For developers, pull request (PR) scanning delivers security feedback directly within their workflow. A link from the PR takes the developer to the Inspector console to view code fix suggestions, remediation actions, and — for SCA findings — the closest package version in which the vulnerability is resolved.
- AWS WAF has a new console experience. AWS Web Application Firewall (WAF) is a popular option for customers deploying applications in AWS, but we often hear customer complaints about ease of use. AWS’s announcement that the WAF console got an overhaul to simplify the user experience is a step in the right direction. In addition, WAF and Shield customers are getting application-layer distributed denial of service (DDoS) protection built in, a common feature in other WAF platforms. AWS CloudFront also got a new, simplified onboarding experience.
- AWS Network Firewall now includes active threat defense. This new capability has a managed rule group that continuously updates based on threats observed across the AWS infrastructure and gives details on indicators of compromise such as names and types. These details are also included in a dedicated threat list for Amazon GuardDuty customers.
- In preview: AWS Shield adds network security director. Network security director takes AWS Shield beyond DDoS protection to help customers visualize network resources and evaluate their configuration against AWS best practices. Misconfigurations are prioritized by the severity level. Network security director promises to simplify security configurations by helping customers understand the topological relationship of AWS workloads to each other and the internet. It also provides a holistic view of security controls such as Virtual Private Cloud (VPC) security groups, VPC network access control lists, and AWS WAF, which can sometimes have conflicting configurations or unexpected interactions.
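The "unexpected interactions" between a security group and a network ACL mentioned above come down to one difference: security groups are stateful (return traffic is implied), while NACLs are stateless and evaluated rule by rule. The following is an added illustration, not AWS code and not from the original post; it models a constructed VPC configuration in which the security group allows HTTPS but the outbound NACL forgets the ephemeral-port return range, so the connection still fails.

```python
"""Toy model of how a stateful security group and a stateless network ACL
combine to decide whether an inbound TCP connection succeeds. Constructed
example; CIDR matching is deliberately omitted to keep the logic focused."""
from dataclasses import dataclass


@dataclass
class NaclRule:
    number: int       # NACLs are evaluated in ascending rule-number order
    action: str       # "allow" or "deny"
    port_from: int
    port_to: int


def nacl_permits(rules, port):
    """First matching rule wins; no match falls through to the implicit deny (rule *)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False


def connection_allowed(sg_inbound_ports, nacl_inbound, nacl_outbound,
                       dst_port, ephemeral_port=49152):
    """Return (allowed, reason) for a client connecting to dst_port.

    Security group: stateful, so only an inbound rule is needed.
    NACL: stateless, so the inbound request AND the outbound reply (sent from
    dst_port back to the client's ephemeral port) must each pass a rule."""
    if dst_port not in sg_inbound_ports:
        return False, "security group has no inbound rule for the port"
    if not nacl_permits(nacl_inbound, dst_port):
        return False, "inbound NACL denies the request"
    if not nacl_permits(nacl_outbound, ephemeral_port):
        return False, "outbound NACL denies the ephemeral-port return traffic"
    return True, "allowed"


# Constructed configuration: SG and inbound NACL both allow 443, but the
# outbound NACL only allows 443 and never the 1024-65535 ephemeral range.
SG_INBOUND = {443}
NACL_IN = [NaclRule(100, "allow", 443, 443)]
NACL_OUT_BROKEN = [NaclRule(100, "allow", 443, 443)]
NACL_OUT_FIXED = [NaclRule(100, "allow", 443, 443),
                  NaclRule(110, "allow", 1024, 65535)]


def evaluate_both():
    """Evaluate the broken and the corrected outbound NACL side by side."""
    broken = connection_allowed(SG_INBOUND, NACL_IN, NACL_OUT_BROKEN, 443)
    fixed = connection_allowed(SG_INBOUND, NACL_IN, NACL_OUT_FIXED, 443)
    return broken, fixed
```

Running `evaluate_both()` shows the same security group producing a failed connection under the first NACL and a successful one under the second, which is exactly the kind of cross-control interaction a topology-aware view is meant to surface.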
In a world overtaken by generative AI agent announcements, they were conspicuously absent at re:Inforce. Announcements related to securing genAI were similarly missing from the keynote. That said, automated reasoning was high on the list of topics mentioned regarding establishing guardrails for factual generative AI outputs. Forrester expects (hopes) that there will be bigger announcements later in the year at Amazon re:Invent related to genAI.
If you have more questions about the announcements out of AWS re:Inforce, book an inquiry or guidance session with me or one of my colleagues.