Leveraging AWS AI for Enhanced Security: Insights from AWS Re:Invent 2023

Author
Amruta Telang

March 5, 2026

Read

Key Takeaways

  • Amazon Web Services re:Invent 2025 pushed security toward continuous, near-real-time risk understanding, with security posture management becoming generally available and adding near-real-time risk analytics.
  • GenAI is becoming operational through security agents that shift expertise earlier in the lifecycle and reduce human bottlenecks.
  • The differentiator is not “more tools,” but integration and closure in normalizing telemetry, prioritizing by business risk, and routing work into remediation and compliance evidence loops.

Amazon Web Services has been laying the groundwork for AI-driven security operations for years through managed detection, posture management, and compliance tooling. 

What shifted at Amazon Web Services re:Invent 2025 is that artificial intelligence moved closer to the point of security decision-making:

  • Near-real-time risk analytics in posture management.
  • Broader, correlated threat-detection coverage for common compute and container surfaces. 
  • A security-focused agent designed to scale application security expertise from design to deployment.

We will break down what those changes mean in practice and how a security team can integrate them into a measurable operating model across cloud, IoT, and operational technology environments.

AWS AI security features unveiled at AWS re:Invent 2025

Below are some of the security launches and upgrades at the latest AWS re:Invent:

AI security agents

AWS Security Agent (preview)

AWS AI security

AWS Security Agent lists enabled security rules for design reviews

Amazon Web Services previewed its Security Agent, an artificial intelligence agent for proactive application security from design through deployment.

It uses generative AI to perform design-time security reviews and automated penetration testing workflows against your applications. The intent is to scale application security expertise without forcing every review through a specialist bottleneck.

AWS also previewed agent-based security workflows focused on shifting security expertise earlier in the application lifecycle. 

AWS positioned these capabilities as early-stage, directional previews, illustrating how security analysis and validation could be embedded more deeply into development and delivery workflows, rather than as a fully formed standalone security product.

Amazon Web Services security incident response

AWS security incident response added agentic, investigation support to assist incident response teams by collecting and correlating relevant evidence across the environment. This was done to reduce investigation time while keeping analysis and decisions in human hands.

re:Invent 2025 also introduced a clearer commercial model for this capability, including metered pricing and a free tier. Updates like this are useful because incident response services tend to expand cost as data sources and investigation scope grow.

Amazon Bedrock AgentCore identity

AWS AI security

AgentCore runs agents with secure identity and tool access

AWS highlighted early agent identity and permission-scoping capabilities in Amazon Bedrock AgentCore, designed to ensure AI agents act within clearly defined access boundaries aligned to existing identity and access management policies.

Machine learning and automation-driven threat detection

Amazon GuardDuty Extended Threat Detection

AWS AI security

GuardDuty ETD correlates multiple signals into a single, high-confidence attack sequence

Amazon GuardDuty Extended Threat Detection added support for Amazon Elastic Compute Cloud and Amazon Elastic Container Service, focusing on detecting multi-stage attacks by correlating signals (such as runtime activity, network signals, and audit events) into higher-confidence attack sequences. 

Amazon GuardDuty Malware Protection 

AWS AI security

GuardDuty malware protection scans new S3 uploads and reports findings automatically

AWS introduced GuardDuty Malware Protection scanning for backups (including scans of new backups and on-demand scanning of existing backups), with an emphasis on helping teams identify the last known clean backup before restoration.

Amazon Web Services Security Hub

AWS AI security

AWS Security Hub findings trigger automated remediation workflows through CloudWatch and Systems Manager

AWS Security Hub became generally available with near-real-time risk analytics and correlation across signals from services such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, and CSPM findings.

At re:Invent AWS effectively introduced a new generation of the platform with the original experience repositioned as Security Hub CSPM. 

While the service continues to aggregate findings from multiple AWS security services, it still depends on AWS Config recorders for posture evaluation. 

Amazon Inspector

AWS AI security

Inspector dashboard shows Lambda vulnerability coverage and critical findings

At re:Invent 2025, AWS reinforced Amazon Inspector’s role as a continuous exposure detection service. 

It expanded its enterprise operating model through organization-level management using AWS organizations policies.

This matters because it pushes Inspector closer to an organization-wide, governed default posture. Which is similar in concept to how other organization-level policies are increasingly used to enforce security baselines across accounts.

Amazon Macie

AWS AI security

Workflow demonstrating Amazon Macie detecting sensitive data and automating S3 handling actions

Amazon Macie remains the sensitive data discovery and classification layer, and re:Invent 2025 reinforced its role as an input to risk correlation. 

The practical shift is prioritization: macie findings become most actionable when they are correlated with identity access paths, network exposure, and vulnerability context.

AWS CloudTrail 

AWS AI security

CloudTrail architecture shows active records of API activity and feeds audit logs into security and analytics systems

re:Invent 2025 included two CloudTrail changes that affect security monitoring patterns:

  • CloudTrail data event aggregation for security monitoring, which still depends on data events being enabled
  • Simplified enablement of CloudTrail events in Amazon Cloudwatch, which changes the cost model toward a per-gigabyte approach and reduces setup friction for getting events into an operational analytics plane

This means that AWS is expanding routes for CloudTrail telemetry into analytics and monitoring workflows, but teams still need to model cost and data volume carefully.

Amazon CloudWatch

AWS AI security

CloudWatch dashboard shows service health, alarms, and real-time metrics across AWS resources

Amazon Cloudwatch introduced unified data management and analytics for operations, security, and compliance data.

AWS seems to position CloudWatch as a normalization and analytics layer that can reduce fragmentation between operational telemetry and security telemetry. This would support standardized formats aligned with open cybersecurity schema framework patterns.

AWS Security Lake

AWS AI security

Security Lake centralizes and normalizes security data for analysis

AWS Security Lake remains the security data foundation for unifying signals across services and accounts.

re:Invent 2025 reinforced the normalization direction, including alignment with open cybersecurity schema framework patterns, to make cross-service analytics and investigation workflows more consistent.

Amazon Network Firewall

AWS firewall

AWS Network Firewall acting as an inline traffic control layer inside a protected VPC.

AWS Network Firewall is a fully managed service designed to simplify the rollout of core network security controls across Amazon VPC. 

It now includes upgraded built-in rule sets that improve inspection of fragmented traffic, including TLS client hello messages and HTTP requests spread across multiple packets. 

These enhancements allow the firewall to more accurately evaluate evasive or segmented traffic patterns without requiring custom rule authoring, strengthening baseline protection for cloud networks

AWS Virtual Private Cloud Encryption

AWS AI security

Multiple VPCs connected through an AWS Transit Gateway with encryption enforcement

AWS Virtual Private Cloud Encryption controls were introduced with a monitor mode that adds encryption context into virtual private cloud flow logs. It also includes an enforce mode that prevents attaching network interfaces to non-encrypted-in-transit resources.

Amazon Elastic Block Store

AWS AI security

Amazon EBS protecting SAP workloads through snapshots and backups

re:Invent 2025 added recycle bin support for Amazon Elastic Block Store volumes, enabling fast recovery from accidental deletion and improving resilience during destructive events. 

Amazon EBS now allows up to four volume changes per disk within a rolling 24-hour period. This update makes it possible to resize capacity, switch volume types, or tune performance characteristics more flexibly. 

As soon as one change finishes, another can be initiated, provided the total number of modifications stays within the four-change limit for the day.

AWS Secrets Manager

AWS AI security

AWS Secrets Manager securely sharing database credentials across accounts

AWS Secrets Manager added managed external secrets support for select third-party systems (Salesforce, BigID, and Snowflake secrets), enabling rotation and centralized control without manual secret handling. 

This strengthens credential governance in hybrid and multi-system environments where secret rotation and auditing are usually inconsistent.

Amazon OpenSearch Serverless

AWS AI security

Amazon OpenSearch Serverless separating indexing and search workloads

At re:Invent 2025, AWS added audit logging for Amazon OpenSearch Serverless data plane API activity through AWS CloudTrail data events.

This enhancement enables detailed tracking of user actions on OpenSearch Serverless collections, including authorization attempts, index modifications, and search queries. 

Customers can configure CloudTrail to capture OpenSearch Serverless data events using read-only or write-only filters, or apply advanced event selectors for more granular control.

The practical note is that this is a high-assurance auditing path, but it can be expensive, so it should be enabled with a clear use case and scoped to required coverage.

Amazon QuickSight

AWS AI security

Automated Amazon QuickSight asset migration across AWS accounts

Amazon Web Services re:Invent 2025 positioned Amazon QuickSight more strongly as an artificial intelligence-supported analytics layer, including question-and-answer experiences and alerting for dashboards. 

For example, Amazon QuickSight added “dashboard question and answer by Amazon Q” and also supports dashboard alerts.

AWS re:Invent 2025 also emphasized security data unification and normalization, including work aligned with Open Cybersecurity Schema Framework patterns in its security analytics direction.

Agent-centric Identity and Access Management

IAM Policy Autopilot (open source)

AWS AI security

IAM Policy Autopilot generates least-privilege policies from application code

AWS announced Identity and Access Management Policy Autopilot – an open-source static analysis tool that analyzes application code locally and generates baseline IAM policies that teams can review and refine as the application evolves.

IAM Outbound Identity Federation

AWS AI security

AWS IAM Outbound Identity Federation issues short-lived tokens to access external services securely

Amazon Web Services launched Outbound Identity Federation in IAM, enabling workloads to exchange Amazon Web Services identities for short-lived JSON Web Tokens to authenticate to external services without long-term credentials.

IAM delegation

AWS AI security

With IAM delegation, admins approve temporary access for partners to set up AWS

AWS added a delegation mechanism that allows third parties to have temporary, controlled access to deploy into your amazon web services accounts.

The security implication is that vendor and partner deployment access can move toward time-bounded, auditable delegation rather than static cross-account roles that linger.

AWS Security Token Service IPV6 

AWS AI security

Security Token Service issues temporary credentials using secure regional endpoints

AWS also announced at the re:Invent 2025 that the Security Token Service now supports IPV6, which matters for organizations pushing for its adoption and attempting to reduce gaps in service-level internet protocol version 6 compatibility across their identity perimeter.

AWS Source Virtual Private Cloud 

AWS AI security

AWS VPC architecture demonstrating subnets across zones connected to internet gateway 

AWS Source VPC added the SourceVpcArn condition key, which strengthens data perimeter style controls for restricting access paths based on source context, supporting tighter regional and boundary governance patterns.

Amazon Simple Storage Service (S3)

AWS AI security

Mapping of Amazon S3 storing files and supporting data processing workflows

re:Invent 2025 announced organization-level enforcement for Amazon Simple Storage Service Block public access through an AWS organizations management policy, similar in spirit to how organization-wide security policies are being used to standardize service posture.

Amazon also introduced S3 attribute-based access control, enabling access decisions based on bucket tags, which closes a major governance gap for policy-driven access control at scale.

re:Invent 2025 also introduced bucket-level controls to standardize encryption types and explicitly disable server-side encryption with customer-provided keys. 

This has resulted in an important forward-looking change; starting in April 2026, AWS will disable server-side encryption with customer-provided keys for all new buckets, and will disable it for existing buckets in accounts that do not contain server-side encryption with customer-provided keys encrypted data. 

Applications that still require it must explicitly enable it after bucket creation through the PutBucketEncryption API.

AWS Management Console Private Access

AWS AI security

Private Console Access through secure AWS network connections

AWS also highlighted the Private Access “sign-in” approach that routes console traffic through virtual private cloud endpoints instead of the public internet, using intelligent routing to preserve performance.

Enhancing security operations with Amazon Web Services Systems Manager

Threat detection does not matter if exposure remains open. AWS Systems Manager addresses this by giving teams a way to standardize and automate operational tasks. 

For patching, the most relevant capability is patch policies, which are designed to help automate patching across managed nodes, including different operating system families.

For security teams operating across multiple accounts and regions, the objective is to reduce the time between patch release and path deployed, without requiring a manual campaign every time.

An AWS Systems Manager patch operating model typically includes:

  • Defining patch baselines and approval rules
  • Scheduling scanning and installation windows by environment tier,
  • Enforcing consistency through centralized governance (for example, multi-account and multi-region management patterns)

Integrating Amazon Web Services security with Network Intelligence solutions

Amazon Web Services provides powerful primitives across detection, posture, governance, and operations. The integration challenge is operational:

  • How do you normalize signals across accounts, regions, and service domains?
  • How do you correlate findings to business risk and asset criticality?
  • How do you route work to the right owners with a measurable closure time?
  • How do you preserve evidence for governance, risk management, and compliance without duplicating labor?

This is where an integration and managed operations layer is valuable, especially for teams that want to use AI to answer these questions without introducing opaque processing or uncontrolled data movement.

How Network Intelligence (Transilience AI) fits in your AWS environment

Network Intelligence Transilience AI operates as a managed compliance and SecOps layer within a customer’s Amazon Web Services environment and not outside it.

The Transilience’s managed compliance service is designed to deliver outcomes across:

  • Security monitoring and incident creation
  • Vulnerability management and prioritization
  • Standard checks against benchmarks such as CIS
  • Penetration testing coordination
  • Risk analysis and formal risk acceptance
  • Access reviews, network access reviews, and log reviews
  • Audit preparation and evidence support

Leveraging Amazon Web Services partner competencies as a buyer filter

AWS competency programs exist to help customers identify network partners validated in specific domains. 

For example, Amazon Web Services introduced an AI cybersecurity category under the AWS Security Competency to highlight partners focused on securing AI environments and workloads. 

AWS has also expanded the AI Competency with agentic AI categories, validating partners that deliver security solutions using specific AWS AI services while maintaining governance and monitoring commitments.

Implementing GenAI security in IoT and operational technology environments

IoT and operational technology environments intensify every complex security problem:

  • Asset inventories are fragmented and incomplete.
  • Patch cycles are constrained.
  • Connectivity patterns are atypical.
  • Operational impact of false positives can be severe.

Amazon Web Services provides building blocks that help address this, particularly at the device and telemetry layer. 

Internet of Things Device Defender, for example, is designed to audit configurations, monitor device-related security metrics, and detect anomalous behavior, with alerting and integration paths into broader security workflows.

Where GenAI adds value is not in sensing. It adds value in interpretation and throughput, especially when applied to security data aggregation. 

For example, Amazon Security Lake guidance allows environments to apply GenAI to the data lake for threat hunting and incident response workflows.

Two use case success patterns that are worth copying because they are implementation-real:

  1. Routing device security telemetry into centralized security operations: Device-level findings become actionable only when they are visible to the same teams handling broader security incidents. Reference patterns show how device security telemetry can be routed through serverless pipelines into centralized security operations tooling, enabling consistent triage and response.
  2. Unifying device posture with broader security monitoring. Another common pattern integrates device security findings into a central posture and findings aggregation layer. This unifies IoT signals, cloud misconfigurations, and identity findings, enabling consistent prioritization and reporting across environments.

The strategic advantage of AWS AI security in cyber defense

1. Continuous threat exposure management

This is all about shrinking the time between three moments – when exposure appears, when it is understood, and when it is closed.

Amazon Web Services supports this in a practical way by combining:

  • Continuous posture signals across accounts and regions (misconfigurations, missing controls, drift),
  • Threat detection signals from workloads and identities
  • Operational controls that help teams act, such as patch and configuration automation

The benefit of this is faster prioritization and faster closure. Real-time vulnerability detection is only meaningful when it is tied to context (asset criticality, exploitability, internet exposure) and routed into remediation workflows with measurable closure times.

2. Governance, risk management, and compliance 

In practice, governance in AWS environments comes down to four controls:

  • Identity and access boundaries that define what an artificial intelligence capability can see and do
  • Auditability through logging and traceable actions across services
  • Data handling guarantees that prevent sensitive data from being reused or retained outside defined boundaries
  • Policy consistency across accounts, regions, and environments

When these controls exist, security teams can use AI to accelerate analysis and decision support without weakening trust, a prerequisite for secure digital transformation.

Embrace Amazon Web Services AI security with Network Intelligence

Amazon Web Services is making it easier to run security as a continuous system. Network Intelligence’s Transilience AI is useful when teams need help operationalizing that system. 

It runs continuous security and compliance checks within your AWS environment, prioritizes vulnerabilities and risks, supports access and log reviews, and produces audit-ready evidence without pulling data from your account.

If you are ready to test that flow in your organization’s environment, reach out and talk to an expert, let’s evaluate and bolster your security setup.

Author

Related Tags:

FAQs 

Table of Contents
Secure with Network Intelligence
Top