At AWS re:Inforce 2025, Amazon continued pounding a consistent message: The state of security is not broken, but it does require rigorous, built-in practices and a security-first cultural mentality. The implication is that security can’t come later with bolted-on features. With the debut of Amy Herzog as AWS CISO, the company reinforced its “secure by design” mantra and emphasized first principles that trace back to the original 2019 re:Inforce stage. The tone this year was similar in terms of making attendees aware of best practices. Less declarative is the undercurrent that AWS provides a lot of security capabilities “for free” and unlike some of its competitors doesn’t view security as a massive revenue stream (e.g. Microsoft’s approach), but as a foundational enabler of scalable innovation.
In our view, that approach is admirable, but it also leaves room for improvement. Amazon’s security messaging, while holistic and rooted in customer obsession, still leans heavily on shared responsibility without fully shielding developers and CISOs from complexity. While AWS highlighted several innovations that will attack this problem, more time is needed to evaluate the impact it will have on simplifying cloud customers’ security challenges. Moreover, AWS is releasing services that inch closer to what traditional security vendors would call their turf, raising questions about where AWS draws the line between enabling and competing with its ecosystem. Nonetheless, re:Iforce remains one of the industry’s most important events, with no shortage of new tools and world class techniques to secure infrastructure, data and applications.
The Scope of the AWS Security Challenge
There’s little doubt about the scale of the security challenge AWS faces daily. The above slide puts any doubt to rest. The sheer volume of threats, data, and decisions processed across the AWS global backbone is staggering and it highlights why AWS views security not as a product line, but as a distributed architectural imperative. So it’s only fair that when we call out that AWS’ security is still too complex, we acknowledge that the challenge is immense.
AWS shared the following about its scale and scope:
- Exabytes of data analyzed every 60 seconds
- 100+ billion AWS managed rules requests processed per day
- Thousands of DDoS attacks mitigated daily
- 550+ points of presence and 13 regional edge caches in 100+ cities across 50 countries
Think of AWS security, not just as infrastructure, but an active, adaptive global nervous system for cyber defense.
This underscores the paradox AWS must continuously balance – i.e. scale enables innovation, but also widens the attack surface. At 1.2 billion API calls per second, every misconfiguration is a potential breach vector. At exabyte scale telemetry, finding signal in the noise requires more than logging and alerts, it demands AI-assisted pattern recognition and automation.
The real takeaway here is architectural. AWS has positioned itself not just as a hyperscaler (it actually doesn’t use that term – we do), but as a first line of cybersecurity defense platform with global enforcement points. That distinction has meaning in our view. Unlike many security vendors who inspect traffic passively or reactively, AWS is architected to actively enforce policy at the edge, in the control plane, and inside customer VPCs.
Yet this also stresses the responsibility AWS undertakes. While the firm manages and mitigates billions of threats on behalf of customers, the shared responsibility model means every customer must still secure their own apps, data, identities, and runtime configurations. That burden grows with scale and for many enterprises, remains a major pain point.
While AWS is trying to address this complexity, these impressive numbers and the narrative at re:Inforce didn’t provide meaningful insight into how adversaries are scaling their own operations using generative AI and automation. The defensive stats are powerful, but without visibility into the offensive playbook, CISOs continue to fly with major blindspots. A missing piece re:Inforce in our view is AWS taking a leadership role in providing more transparency into the threat landscape, not just the mitigations.
Fun Facts and Jaw-Dropping Metrics from re:Inforce 2025
If there’s one thing AWS made clear at re:Inforce 2025, it’s the mind-bending scale of its security operations. The company shared a firehose of statistics that reflect the scope of its global cybersecurity challenge and an operation that not only defends its own infrastructure but underpins millions of customer environments.
Among the highlights:
- 943.6 million encryption attempts were blocked by AWS between December 2024 and April 2025.
- AWS processes 1.2 billion API calls per second – each one triggering fine-grained permission checks.
- 360 trillion telemetry traces are analyzed daily to detect anomalies and threats.
- AWS runs tens of thousands of MadPot honeypots at any given time to deceive and study attackers.
- In the last six months alone, AWS blocked 2.4 trillion scanning requests—a staggering reflection of the persistent recon activity in the wild.
- Perhaps most jaw-dropping: 13,000 high-confidence attack sequences were identified by GuardDuty over just 90 days, with fewer than 2 per affected account.
AWS also touted how generative AI is slashing security toil:
- Log analysis productivity is up 50x thanks to AI automation.
- Manual triage time has dropped from 9.5 hours to minutes per log.
Finally, AWS highlighted real-world enterprise examples like BMW, which ingests 197TB of data daily from 23 million connected vehicles using over 1,000 microservices—a vivid demonstration of how security and scale converge in modern, cloud-powered ecosystems.
These numbers aren’t just impressive – they validate AWS’ argument that cloud, when done right, can offer security at a scale and velocity few enterprises could ever build themselves. But they also raise the stakes: when the platform is this big, any lapse has equally massive implications.
The Four Pillars of the AWS Security Model
This graphic from AWS re:Inforce 2025 visually depicts Amazon’s security framework in four core pillars, each representing a foundational layer in their secure-by-design approach. The overarching message – “A secure foundation enables innovation” – reinforces AWS’ long-standing belief that security is not a barrier to agility, but a prerequisite for it. Below we summarize the importance of each pillar:
Identity & Access Management (IAM)
This represents the trust layer – i.e. knowing who you are and what you can access. IAM is the gatekeeper that governs access to every AWS resource via fine-grained, least-privilege policies. AWS’ IAM strategy has evolved significantly, now offering features like IAM Access Analyzer and temporary credentials to reduce risk. Still, the complexity of configuring IAM remains a friction point for many customers. While AWS has made progress automating permission narrowing, the “start broad, refine later” model continues to expose organizations to risk if they don’t actively manage it.
Monitoring & Incident Response
This pillar is AWS’ detection and reaction layer. It includes services like CloudTrail, GuardDuty, and Security Hub, designed to ingest telemetry, identify threats, and enable rapid containment. This area saw some of the most notable announcements at re:Inforce 2025. GuardDuty Extended Threat Detection now provides attack sequence views and container-level insights. Yet this is precisely where AWS may be veering into SIEM territory, potentially unnerving ecosystem players. Monitoring tools are only useful if they integrate well with incident response workflows—an area where AWS still assumes customers will stitch services together themselves or rely on MSSPs.
Data & Network Protection
This pillar is focused on encryption, certificate management, shielding against DDoS and malware, and protecting data in transit and at rest. In our view, AWS is doubling down on pervasive encryption and defense-in-depth. The expansion of AWS Certificate Manager (ACM) to allow use outside AWS is an admission that hybrid and multi-cloud environments are here to stay. Network protection advances – such as the MadPot honeypot framework and Active Threat Defense – show AWS is building out native capabilities that historically lived outside its walled garden.
Migration & Modernization
This pillar reflects AWS’ belief that modernizing into cloud-native services is itself a security control. Automation reduces human error; ephemeral compute reduces attack surfaces. AWS is drawing a direct line from re-architecting legacy workloads to improving security posture. Services like Lambda, Inspector, and Systems Manager are tools to automate patching, scanning, and compliance. Yet modernization journeys remain complex and expensive. AWS in our view could further emphasize the role of professional services and partners in navigating this transformation, despite calling them “critical.” Specifically, we’d like to see more examples of AWS, services partners and marketplace technology vendors solving real world business problems. In our view this would highlight the complexity of customer environments and connect to the myriad tools customers must manage on a daily basis.
The bottom line is that the philosophy shown in the graphic above reinforces that AWS’ security strategy is holistic and deeply integrated into its service fabric. The pillars mirror the NIST framework (Identify, Protect, Detect, Respond, Recover), but are tailored to AWS primitives. While the structure is sound, the ongoing challenge in our opinion remains in usability, especially for resource-constrained teams trying to manage dozens of services. AWS promises that with great security comes great innovation, but the onus is still largely on customers to assemble, configure, and maintain this complex machinery.
What’s New from AWS Security at re:Inforce 2025
Despite our concerns, re:Inforce showcased several notable innovations aimed at simplifying customer security processes. The table below summarizes some of the highlights and our takeaways:
| Feature/Service | Description | Implication |
| GuardDuty Extended Threat Detection Dashboard (Enhancements) | Adds container-level threat detection, aggregates attack sequences into timeline views with remediation paths | Feels like a lightweight SIEM for SMBs – raises the question – is this AWS making a land grab into security ops territory? (Credit Jackie McGuire for this observation)* |
| AWS Network Firewall – Active Threat Defense | Automated threat detection and response based on IP analysis via “MadPot” deception framework | Significantly reduces dwell time; AWS claims tens of thousands of traps running globally |
| AWS Certificate Manager (ACM) Export Capability | Allows use of ACM-issued public certificates outside AWS, including on-prem and multi-cloud | A big move acknowledging data gravity and hybrid realities – cloud may not be the center of all future workloads (credit Jackie McGuire) |
| Security Hub (Preview Enhancements) (demo) | Signals from multiple AWS services synthesized into prioritized, actionable findings | Moves toward a unified threat posture dashboard – again potentially displacing partner solutions |
| Simplified WAF Console Experience | Pre-configured protection sets and curated rules reduce setup time by 80% | Improved accessibility, but developers manage granular security controls |
| Amazon CloudFront Onboarding Improvements | Developers can now configure WAF and DNS settings in one flow | Another quality-of-life improvement aimed at reducing friction in secure deployment |
| Passkey Support for MFA | Passwordless authentication in alignment with FIDO standards | Industry best practice, but feels overdue |
*Note: Commentary from Gee Rittenhouse indicates that AWS expects Cloud Security teams will be using Security Hub for cloud security issues, while other teams will continue to use SIEM for non-cloud security. AWS also emphasized that they can still send data to the SIEM, but the Security Hub buildout was a result of customer feedback – AWS’ standard answer to the ecosystem overlap question.
Customer Example: Comcast CISO Noopur Davis – A View from the Front Lines of Scale
One of the standout moments of the AWS re:Inforce 2025 keynote came from Comcast Global CISO Noopur Davis, who offered a clear, practitioner’s view of what it means to secure a massive enterprise at scale. Her remarks were a grounding contrast to AWS’ narrative of abstract principles and service capabilities. Davis brought forward an operator’s mindset – i.e. one focused on design discipline, measurable effectiveness, and zero-trust rigor.
Comcast’s approach is built around three “North Stars” that, in our view, form a pragmatic security blueprint for any large enterprise:
- Design security and privacy into every service from the start
This echoes AWS’ “secure by design” posture but makes the bar unambiguous – i.e. security must be intentional, not incidental. Comcast’s product teams integrate security from the first sprint, which is easier said than done at their scale. - Use data to measure and improve security effectiveness
Comcast isn’t just logging and monitoring, rather they’re applying AI and data science to continuously refine security outcomes. This includes developing internal tools like AI workbenches that help threat modeling, detect anomalies, and streamline developer workflows. - Operate under zero trust principles
With identity and context at the core, Comcast leans heavily on AWS capabilities like microsegmentation to understand east-west traffic and tenant behavior, which is core to the zero trust vision.
Davis’ commentary on AI was particularly relevant. She highlighted how generative AI is already improving Comcast’s cyber capabilities:
- In less than two years, 20% of the threat models used by Comcast are now generated through AI.
- Their teams use AI-powered tools to summarize threat models, generate schemas, and even write secure code.
- GRC (governance, risk, and compliance) was called out as the “ripest ground” for generative AI automation—arguably the most quotable and prescient insight from the session.
What stood out to us is how Comcast isn’t just adopting Gen AI, rather they’re integrating it across the value chain. From their dev wiki bots to a six-stage AI pipeline that automates everything from ingestion to deployment, the company is betting on AI to make its security operation faster, smarter, and more efficient.
Davis also reinforced a theme AWS has long promoted – i.e. the power of partnership. Comcast’s six-year relationship with AWS was framed as a key enabler of its operational success, citing around twenty-four services in use, including CloudWatch, EKS, DynamoDB GuardDuty, KMS, Lambda, Redshift, VPC and more. But the real takeaway here is cultural – Comcast has built a security-first mindset into its development and operations process, and it’s using Gen AI as a force multiplier rather than a bolt-on enhancement.
In our opinion, this kind of grounded leadership provides proofpoints that greatly support AWS’s claims. It showcases how operators are navigating real-world complexity with cloud-native tools and a focus on outcomes.
Positives, Open Questions and Gaps
Security has always been a cornerstone of AWS’ value proposition, and with the debut of CISO Amy Herzog at re:Inforce 2025, Amazon doubled down on its message that security must be embedded, not an afterthought. While the company generally avoids hyperbole and sweeping declarations, this year’s keynote made clear that AWS views security as both a cultural imperative and a technical differentiator. From identity management to encrypted infrastructure to deception-based threat intelligence, AWS continues to operate one of the most comprehensive cloud security platforms in the industry. And yet, beneath the surface of impressive metrics and generative AI breakthroughs, questions remain about the ongoing tension between AWS, its builders and its partner ecosystem. The continued burden placed on developers, CISOs and SecOps teams continues to be in play. As such the question remains, is security truly becoming simpler or just shifting the form it takes.
The Good: AWS Remains a Pillar of Trust in Cloud Security
Our view is that Amazon’s security model remains one of the most mature in the industry. AWS handles 1.2 billion API calls per second, and it evaluates access permissions for every single one, underpinning the importance of identity as the first line of defense. Herzog emphasized least privilege, ephemeral credentials, and identity-based access models as cornerstones of modern security.
The company continues to drive encryption across the OSI stack, with encryption capabilities that are free, pervasive, and performant. Innovations like MadPot and the black-footed penguin nod were a reminder that AWS is quietly operating one of the largest threat intelligence engines in the world. The investment in deception-based security and automated detection showcases a shift toward more proactive, AI-driven protection.
Moreover, AWS’ use of generative AI to streamline threat investigation, log analysis, and incident response represents a leap forward. Reducing incident log triage from 9.5 hours to minutes isn’t just a marginal gain – it’s a signal of a fundamental shift in how security ops can scale in the age of AI.
Open Questions: GuardDuty, Certificate Mobility, Ecosystem Swim Lane
That said, the announcements this year also introduce strategic tensions. The expanded GuardDuty Extended Threat Detection dashboard felt to us like a SIEM-lite experience—aggregated timelines, high-confidence threat sequences, and remediation recommendations. While this will resonate with smaller orgs lacking a mature SOC, it raises the question: is AWS now encroaching on the territory of Splunk, CrowdStrike, or other ecosystem partners?
This isn’t a hypothetical concern. While AWS emphasized MSSP partnerships, it was notably quiet about deep integrations with the broader security stack—EDR, NDR, XDR, SOAR, and beyond. The fear among partners: AWS is slowly building a more complete native security suite that could edge them out of customer accounts.
The announcement allowing digital certificates to be exported for use outside AWS is equally revealing. It’s an open admission that not all workloads will live in the cloud, let alone in AWS. Customers want to bring AI to where the data resides, and many are balking at cloud costs, bringing AI on-premises. AWS’ move here is pragmatic, but it also underlines a central truth – we are entering a hybrid, multi-cloud era, and AWS must adapt.
The Gaps: Simplicity Still Eludes Security Ops
AWS touts “builder culture” and the belief that developers want security built into every service. That’s true, but there’s a lingering problem – i.e. it’s still too hard. Developers and CISOs are expected to understand IAM intricacies, configure WAFs, patch CVEs, rotate credentials, interpret telemetry, and comply with regulatory frameworks, all while shipping code.
Yes, Gen AI will help. AWS demonstrated solid progress, particularly in GRC, incident response, and log triage, but it’s unclear how much impact this will have in the near term as organizations struggle to ingest the firehose of innovation coming at them these days from tech vendors. Moreover, developers still carry too much of the security burden, and the shared responsibility model often results in handoffs that are sometimes ambiguous to users. In our opinion, AWS must continue to make progress to abstract away security complexity without creating new layers of risk.
The Threats that Shall Not be Named
For all the telemetry AWS claims to process – exabytes of data every minute, trillions of signals parsed, thousands of DDoS attacks mitigated daily – the company remains conspicuously quiet on how adversary behavior is evolving. While AWS rightly touts its ability to stop attacks at scale, it rarely shares insights into the tactics, techniques, and procedures (TTPs) threat actors are employing. This opacity is notable. Perhaps by design but curiously absent.
We feel the shared responsibility model demands increased transparency, for customers and ecosystem partners. If customers are responsible for securing identities, applications, and configurations, they deserve greater visibility into the threat landscape. AWS’ reluctance to provide detailed threat intel or forward-looking adversary behavior patterns leaves CISOs flying with limited instrumentation. Whether this is due to internal policy, risk aversion, or competitive dynamics is unclear, but it leaves a critical blind spot for customers trying to make informed security decisions.
Additionally, there was some, but less than expected, focus on securing generative AI itself. AWS emphasized how it’s using GenAI to improve security operations – e.g. accelerating log triage, answering incident questions, and summarizing threats. But it said little about securing the models, pipelines, and data inputs that power GenAI systems. There was some discussion of automating model deployment but not enough on model provenance, training data risks, LLM vulnerabilities, or hallucination mitigation. Given AWS’ experience with 3rd party models and its own Nova models we would like to see more in this regard. In addition, there was no acknowledgment that adversaries are using AI perhaps more aggressively than defenders.
In our opinion, because AWS is a leader in cloud security, we feel it also needs to lead the next phase of AI security, sharing data with customers, partners and even competitors. Going beyond defensive metrics and surfacing offensive intelligence would provide a valuable service to the industry. Customers don’t just want to know that threats were stopped, they want to understand what’s changing, what’s coming, and what they need to do differently. Without this context, security teams are left operating reactively, even in a cloud touted as “secure by design.” While it can be argued customers don’t need this information to do be effective, one could see how partners and the broader industry would benefit from Amazon’s deep expertise.
Note: When asked about Amazon’s “unnaturally cheerful” stance on security and its reluctance to speak to the gory details of adversarial techniques, executives shared that if it doesn’t help customers (and AWS is handling it), it sees no need to elaborate on the threats. As well the company indicated that the broader security industry does a fine job at fueling the fire with scare tactics.
Final Take: AWS Security is Elite, but not a Silver Bullet
Amazon deserves credit for maintaining security as a first principle, not a bolted on monetization layer. Unlike Microsoft’s $20B+ security business, AWS resists the temptation to hardsell/upsell security. Instead, it positions it as a prerequisite for experimentation and scale. That philosophy is baked into the company’s DNA, and Amy Herzog is a strong cultural fit to carry that message forward.
Still, our research suggests AWS will need to answer some tough questions in the coming year:
- How far will AWS go in building native capabilities that overlap with its partner ecosystem?
- Can it make good on the promise of shifting left while at the same time simplifying security for developers and security teams without offloading more risk?
- Will it lead in explaining how adversaries are using Gen AI – and what AWS is doing to counteract those tactics?
- How far will AWS go into on-prem and cross cloud security – i.e. will it help customers deal with this level of increasing complexity or focus solely on AWS itself?
- What about securing agents? As AWS builds its own agents internally, how will agents be secured and will agents be deployed to offload humans to address the skills gap in security?
At re:Inforce 2025, we saw a security posture that’s both powerful and pragmatic. But for AWS to remain the trusted security leader as the Gen AI wave crests, it must not only innovate with AI, but do so with clarity, simplicity, and partnership.
