Analysts: Krista Case, Mitch Ashley, Fernando Montenegro
Publication Date: June 23, 2025
What is Covered in this Article:
- AWS re:Inforce 2025 key announcements, including new CISO Amy Herzog and enhanced identity security capabilities
- Code security and perimeter protection improvements through Inspector’s repository scanning and simplified deployment tools
- Threat detection advances with GuardDuty EKS support, Security Hub enhancements, and partner ecosystem evolution
The Event – Major Themes & Vendor Moves: AWS re:Inforce is the key AWS-led event focused on cybersecurity, compared to AWS re:Invent, which is broader (and includes security). The event focuses on practitioners (‘builders’ in AWS parlance) and executives while attracting partners and sponsors. The 2025 edition took place in Philadelphia.
This edition of re:Inforce had a mixture of novelty and continuity. One of the most visible changes has been the appointment of Amy Herzog as CISO for AWS, following her leadership as CISO for Amazon’s Ads & Devices and Specialized Business. In her keynote address, merely weeks into the new role, she emphasized how her previous experience with the specialized business units at Amazon will be additive to the foundational security capabilities that AWS has been building since the beginning.
This speaks to continuity. The company has built a foundation of security primitives in both hardware and software, and continues to enhance security capabilities.
AWS improved identity and access management with the general availability of IAM Access Analyzer’s internal access findings. This capability uses automated reasoning to analyze policies and identify which internal IAM roles and users can access specific resources, providing a unified dashboard for both internal and external access. Additionally, AWS Certificate Manager now supports exportable public certificates, allowing them to be used both inside and outside the AWS environment.
In a notable expansion of its capabilities, AWS announced that Amazon Inspector now scans code repositories in GitHub and GitLab. This “shift left” approach now includes three key scan types: Static Application Security Testing (SAST) for proprietary code vulnerabilities; Software Composition Analysis (SCA) for open-source dependencies; and Infrastructure as Code (IaC) scanning for templates. Findings are delivered into the developer’s workflow as comments on pull requests. Inspector also provides GenAI-assisted code fix recommendations to help developers resolve issues quickly.
Perimeter protection services also received updates. AWS Shield was expanded with a preview of the new Network Security Director capability, which analyzes network topology and configurations and identifies configuration issues against recommended practices. Improvements in ease of use were announced for AWS WAF and Amazon CloudFront. Lastly, AWS Network Firewall was enhanced with active threat protection, leveraging AWS’s global threat intelligence.
Amazon GuardDuty Extended Threat Protection now includes advanced behavioral analytics and new coverage for Amazon EKS audit logs and runtime environments to improve threat detection capabilities. This allows GuardDuty to correlate security signals and aggregate them into critical findings. AWS also previewed an enhanced Security Hub, which unifies signals across AWS security services to help teams prioritize and respond to active risks more effectively.
Lastly, AWS announced enhancements to its MSSP (Managed Security Service Provider) specialization. This update makes it easier for customers to identify and engage with partners with AWS-validated capabilities in specific use cases.
AWS re:Inforce 2025 – Identity, Application Security, and More
Analyst Take – Identity Takes Center Stage: On the main stage, Herzog emphasized how fundamental identity and access management (IAM) is to cybersecurity. Futurum agrees that ensuring that only authorized users have the right access to systems, applications, and data is critical, given the onslaught of identity-based attacks. We note, however, that verifying the identity of a user (whether human or machine), what it is attempting to access, and why it is attempting to access that resource, is no easy feat, especially at speed and scale. This conversation grows especially interesting and pertinent as AI agents enter the equation.
Against this backdrop, verifying the ability of an account or a user to access specific, sensitive application, data, and infrastructure resources becomes critical. As relayed to Futurum in conversations while at re:Inforce, AWS has invested in a team of engineers and mathematicians to develop the engine behind its IAM Access Analyzer, which verifies access controls and ensures that permissions align with least-privilege principles. The result is precise and provable insights into access permissions, alongside the ability to continuously monitor for unintended access within the customer’s AWS environment, at scale. While positioned as a feature enhancement, the capability is in fact more strategic as it reflects AWS’s broader commitment to applying mathematical rigor for provable cloud and identity security.
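To make the question Access Analyzer answers concrete ("which internal roles and users can reach this resource, and does that match least privilege?"), here is an added example, not AWS code and not the automated-reasoning engine the article describes. It is a deliberately simplified evaluator for IAM-style identity policies that keeps the core IAM rules a practitioner relies on: an explicit Deny overrides any Allow, a principal with no matching Allow is implicitly denied, action names match case-insensitively and support `*`/`?` wildcards, and Action/Resource may be a string or a list. Resource-based policies, SCPs, permission boundaries, `NotAction`/`NotResource` and condition keys are left out. The principals, policies and ARNs are constructed sample data.

```javascript
// Added example: simplified IAM-style policy evaluation to enumerate which
// principals can perform an action on a resource. Not AWS's engine; see the
// lead-in for the rules that are modelled and those that are omitted.

// Turn an IAM pattern ("s3:Get*", "arn:aws:s3:::orders-*") into an anchored RegExp.
// Actions are matched case-insensitively (as IAM does); resources case-sensitively.
function matches(pattern, value, ignoreCase = false) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&'); // keep * and ? as wildcards
  const source = '^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(source, ignoreCase ? 'i' : '').test(value);
}

// IAM allows Action/Resource as a single string or an array; normalise to an array.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Does one statement apply to this action + resource pair?
function statementApplies(stmt, action, resource) {
  const actionHit = asList(stmt.Action).some((a) => matches(a, action, true));
  const resourceHit = asList(stmt.Resource).some((r) => matches(r, resource));
  return actionHit && resourceHit;
}

// Evaluate all policies attached to one principal.
// Returns 'deny' (explicit), 'allow', or 'implicit-deny' (nothing matched).
function evaluate(policies, action, resource) {
  let allowed = false;
  for (const policy of policies) {
    for (const stmt of policy.Statement) {
      if (!statementApplies(stmt, action, resource)) continue;
      if (stmt.Effect === 'Deny') return 'deny'; // explicit deny always wins
      if (stmt.Effect === 'Allow') allowed = true;
    }
  }
  return allowed ? 'allow' : 'implicit-deny';
}

// The Access Analyzer-style question: which principals end up with an Allow?
function whoCanAccess(principals, action, resource) {
  return Object.entries(principals)
    .filter(([, policies]) => evaluate(policies, action, resource) === 'allow')
    .map(([name]) => name)
    .sort();
}

// Constructed sample account: three principals with identity policies.
const SAMPLE_PRINCIPALS = {
  'role/OrdersReadOnly': [{
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['s3:GetObject', 's3:ListBucket'],
      Resource: ['arn:aws:s3:::orders-bucket', 'arn:aws:s3:::orders-bucket/*'],
    }],
  }],
  'role/DataPipeline': [{
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: 's3:*', Resource: '*' }, // over-broad, but ...
      { Effect: 'Deny', Action: 's3:DeleteObject', Resource: 'arn:aws:s3:::orders-bucket/*' },
    ],
  }],
  'user/contractor': [{
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: 'ec2:Describe*', Resource: '*' }],
  }],
};

// Stand-alone demo: who can read, and who can delete, an object in orders-bucket?
const ORDER_OBJECT = 'arn:aws:s3:::orders-bucket/invoices.csv';
console.log('s3:GetObject   ->', whoCanAccess(SAMPLE_PRINCIPALS, 's3:GetObject', ORDER_OBJECT));
console.log('s3:DeleteObject->', whoCanAccess(SAMPLE_PRINCIPALS, 's3:DeleteObject', ORDER_OBJECT));
```

Running the file shows the two findings a reviewer cares about: the read is reachable by two roles (one of them only because of an `s3:*` grant on `*`), while the delete is reachable by nobody on this bucket because the pipeline role's explicit Deny wins even against its own wildcard Allow. The real service reasons over every policy type and condition at once; this toy only shows why "who can access X" must consider Deny precedence and wildcards rather than grepping for the resource name.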
Also during her keynote, Herzog announced that AWS is the first cloud provider to mandate MFA for management and standalone accounts with root access. By enforcing MFA at the root level, AWS is addressing one of the most critical areas of risk—high-privilege access—without requiring customer action to enable it. This continues the trajectory from previous re:Inforce events, where AWS emphasized the shared responsibility model (AWS, as the hosting provider, is responsible for the security and resilience of the infrastructure itself, while customers remain responsible for securing their identities and data). The evolution in this story is that AWS is increasingly embedding safeguards that reduce the margin for user error. Where previously AWS emphasized empowering customers with tools and guidance, it now embeds proactive and automated protections.
Code Security Emerges as Key Area
While not a developer-focused conference, this year’s re:Inforce highlighted important aspects of secure software development, securing APIs, and deployed applications.
AWS CISO Amy Herzog demonstrated new capabilities in Amazon Inspector, which performed static application security testing (SAST) on code residing in GitHub or GitLab and identified vulnerabilities within that code. As noted above, Amazon Inspector can now also provide remediation recommendations that can be implemented during development. Inspector uses software composition analysis (SCA) to examine the library components used in software builds, and it analyzes infrastructure as code (IaC) templates for vulnerabilities and misconfigurations in Terraform, AWS CDK, and AWS CloudFormation.
Amazon’s announcements of these code security analysis capabilities aren’t novel to the industry; several other vendors already offer them. What is unique here is AWS’s native implementation within its own product toolset: all of these code analyses and vulnerability remediation options, including recommendations for fixing code, are available in one environment. Amazon is no longer relying solely on others to create secure software, indicating that it is increasingly emphasizing secure code creation on its own. Are other SAST and SCA products in danger of competing with Amazon? Not in the near term. Integrating with GitHub and GitLab means Amazon Q Developer and Amazon Inspector users can work within integrated workflows across both products rather than exiting to third-party security testing and remediation tools. Customers already using Checkmarx, Sonatype, Tenable, and other tools in this space will likely continue to use their existing technology investments.
The newly announced Express.js @verifiedpermissions/authorization-clients-js open-source package for Cedar-based Amazon Verified Permissions addresses a pain point expressed by software developers. By decoupling API authorization logic from application code running within the Node.js web and application framework, developers can more easily and quickly maintain, modify, and update security permissions for APIs as needed. Releasing this authorization client as open source demonstrates that Amazon is still serious about maintaining and supporting Cedar, which it open-sourced in 2023. It should also mean fewer security issues arising from the error-prone, hand-written authorization logic that otherwise accumulates inside Express.js apps.
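What "decoupling authorization logic from application code" looks like in practice, as an added example that is not the @verifiedpermissions package, not Amazon Verified Permissions, and not real Cedar syntax: policies live in one store, a single `isAuthorized()` function makes every decision, and an Express-style middleware applies it so route handlers contain no permission checks. Cedar's decision rule is mirrored (any matching forbid wins; otherwise at least one matching permit is required; otherwise deny), but the policy objects, role names, resource paths and the tiny req/res/next stand-in are all constructed here so the file runs on plain Node without Express installed.

```javascript
// Added example: centralised authorization with an Express-style middleware.
// Hand-rolled policy objects, not Cedar; hypothetical roles and resources.

// Constructed sample policy store. 'when' is an optional context condition.
const POLICIES = [
  { effect: 'permit', principal: 'role:admin',   action: '*',             resource: '*' },
  { effect: 'permit', principal: 'role:analyst', action: 'orders:read',   resource: 'orders/*' },
  { effect: 'permit', principal: 'role:analyst', action: 'orders:export', resource: 'orders/*',
    when: (ctx) => ctx.mfaVerified === true },
  // A forbid applies to everyone, admins included: archived orders are never deleted via the API.
  { effect: 'forbid', principal: '*', action: 'orders:delete', resource: 'orders/archived/*' },
];

// Exact match, '*' for anything, or 'prefix*' for a prefix match.
function glob(pattern, value) {
  if (pattern === '*') return true;
  if (pattern.endsWith('*')) return value.startsWith(pattern.slice(0, -1));
  return pattern === value;
}

function policyMatches(p, { principal, action, resource, context }) {
  return glob(p.principal, principal) && glob(p.action, action) && glob(p.resource, resource)
    && (p.when ? p.when(context) : true);
}

// The one place an authorization decision is made (Cedar-style: forbid > permit > default deny).
function isAuthorized(policies, request) {
  const matching = policies.filter((p) => policyMatches(p, request));
  if (matching.some((p) => p.effect === 'forbid')) return { decision: 'DENY', reason: 'forbid' };
  if (matching.some((p) => p.effect === 'permit')) return { decision: 'ALLOW', reason: 'permit' };
  return { decision: 'DENY', reason: 'no matching permit' };
}

// Middleware factory with Express's (req, res, next) shape. Handlers never see policy logic.
function requirePermission(action, resourceOf) {
  return function authz(req, res, next) {
    const request = {
      principal: `role:${req.user.role}`,
      action,
      resource: resourceOf(req),
      context: { mfaVerified: req.user.mfaVerified === true },
    };
    const result = isAuthorized(POLICIES, request);
    if (result.decision !== 'ALLOW') {
      return res.status(403).json({ error: 'forbidden', reason: result.reason });
    }
    return next();
  };
}

// Route handler with no embedded authorization: it only does its job.
function deleteOrderHandler(req, res) {
  return res.status(200).json({ deleted: req.params.id });
}

// Minimal stand-in for Express's router so the example runs offline.
function runRoute(middlewares, req) {
  const out = { statusCode: 200, body: undefined };
  const res = {
    status(code) { out.statusCode = code; return res; },
    json(body) { out.body = body; return res; },
  };
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return out;
}

// DELETE /orders/:id, declared as [authorization middleware, handler].
const deleteOrderRoute = [
  requirePermission('orders:delete', (req) => `orders/${req.params.id}`),
  deleteOrderHandler,
];

// Stand-alone demo.
console.log(runRoute(deleteOrderRoute, { user: { role: 'admin' },   params: { id: '42' } }));
console.log(runRoute(deleteOrderRoute, { user: { role: 'analyst' }, params: { id: '42' } }));
console.log(runRoute(deleteOrderRoute, { user: { role: 'admin' },   params: { id: 'archived/7' } }));
```

The point of the layout is that changing who may delete archived orders, or adding an MFA condition to exports, is a policy edit in one place, with no handler touched; the `when` clause shows how request context (here an MFA flag) reaches the decision without the handler forwarding it by hand.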
From a deployment perspective, AWS announced enhancements to its web application firewall, which has been redesigned to reduce the security configuration required to deploy applications. The update means fewer configuration steps, facilitated through curated security rules. Applications get automatic layer 7 DDoS protection, along with machine learning models that help establish baselines and detect traffic anomalies, automatically applying rules in cases of suspicious requests. This streamlined deployment step represents progress from a shift-right perspective, reducing the workload, configuration, and opportunity for errors as web application firewalls must be configured to handle new and updated software deployments. Security professionals often say security is improved through small incremental steps; this web application firewall improvement is a perfect example.
Perimeter Security Improvements
The improvements in the perimeter protection services are interesting as they address concerns that we at Futurum often see: the need for improved capabilities against threats and more streamlined, simpler operations.
The new active threat defense capabilities in AWS Network Firewall are a good example of how AWS is using its broader view into the global threat landscape, addressing both of these needs at once. The simplified enablement of this capability – just adding a new rule group to an existing firewall policy – should be well-received by customers. The same can be said about the new console experience for Amazon CloudFront, though we see it as focused on a slightly different set of users. Here, AWS looks to streamline new application deployments, removing what it famously calls “undifferentiated heavy lifting” of security, DNS, and content network configurations.
Lastly, the preview of AWS Shield Network Security Director, which addresses network configuration issues, is an interesting new capability that will likely be useful to those looking to enhance the security of more complex deployments. As we observe more complex network topology choices for enterprise-scale deployments, it is not uncommon to see potential gaps in how teams communicate their needs and insights, which can lead to downstream security issues.
Threat Detection Improvements
More broadly, the announcement of new support for Amazon EKS clusters for Amazon GuardDuty and the enhancements to AWS Security Hub reflect the approach of deriving platform benefits for security.
Amazon GuardDuty has long been a key element for threat detection, and adding support for workloads running on Kubernetes clusters aligns with what was already done for other environments, such as Lambda, EC2, RDS, and others. The correlation of signals between audit logs and runtime behaviours will likely assist with threat detection.
The enhancements to AWS Security Hub run across more correlation, contextualization, and visualization capabilities. The service has been streamlined to support key areas such as Exposure, Threats, Vulnerabilities, Posture Management, and Sensitive Data. The new capabilities around Exposure allow for a more proactive approach to fixing possible security gaps. Attack path visualization can also help practitioners better understand the context for findings, which is vital to prioritizing responses.
Support for Security Partnerships
AWS continues to operate and support a thriving partner ecosystem in terms of technology vendors and those offering services. On that note, the ongoing support of Open Cybersecurity Schema Framework (OCSF) as a core schema for AWS security services is notable, as is the framework’s evolution for security partners, with enhancements to the MSSP Competency program.
What to Watch:
- AWS’ evolving identity security positioning and capabilities: how it extends its strategy of implementing guardrails for customers to conditional, just-in-time access permissions for AI agents, how it manages key partnerships in areas such as identity governance, how it evolves its support of open standards, and how it applies its team of mathematicians and engineers to provable risk and threat assessments.
- Amazon Q Developer, Amazon Inspector, and other Amazon development tools will continue to make progress, increasing their capabilities as development and security testing technologies. While those improvements will continue, there is no indication at this time that Amazon is on a path to seriously leapfrog the major players in this space, such as GitHub, GitLab, and Microsoft.
- Look for similar innovations, such as those introduced by Amazon WAF, that aid in deploying code into production, leveraging automation and AI to reduce errors and decrease deployment time.
- AWS continues to evolve regarding how it works with its partner ecosystem, so it will be essential to watch how the company ties its efforts with third-party technology and services partners. This will be particularly relevant when customers need to coordinate security capabilities across multiple cloud environments from different providers.
You can read the summary of key announcements on AWS’ site.
Disclosure: Futurum is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum as a whole.
Author Information
With a focus on data security, protection, and management, Krista has a particular focus on how these strategies play out in multi-cloud environments. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.
Mitch Ashley is VP and Practice Lead of DevOps and Application Development for The Futurum Group. Mitch has more than 30 years of experience as an entrepreneur, industry analyst, product development, and IT leader, with expertise in software engineering, cybersecurity, DevOps, DevSecOps, cloud, and AI. As an entrepreneur, CTO, CIO, and head of engineering, Mitch led the creation of award-winning cybersecurity products utilized in the private and public sectors, including the U.S. Department of Defense and all military branches. Mitch also led managed PKI services for the broadband, Wi-Fi, IoT, energy management and 5G industries, product certification test labs, an online SaaS (93m transactions annually), the development of video-on-demand and Internet cable services, and a national broadband network.
Mitch shares his experiences as an analyst, keynote and conference speaker, panelist, host, moderator, and expert interviewer discussing CIO/CTO leadership, product and software development, DevOps, DevSecOps, containerization, container orchestration, AI/ML/GenAI, platform engineering, SRE, and cybersecurity. He publishes his research on FuturumGroup.com and TechstrongResearch.com/resources. He hosts multiple award-winning video and podcast series, including DevOps Unbound, CISO Talk, and Techstrong Gang.
Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.
Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.
Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.