Future-Proofing Your AWS Security: Expert Insights from Re:Inforce 2025
Posted by: Michael Erker
Additional authors: Chris Romero, Elizabeth Sims, AJ Thut, Keegan Justis, Mukhtar Kabir
Cloud threats don’t stand still, and neither do we. Staying ahead of cloud security risks means knowing what’s next. That’s why GuidePoint Security attended AWS re:Inforce 2025, an annual conference focused on emerging cloud security challenges.
The GuidePoint Security AWS Cloud team had the opportunity to engage with industry leaders, gather valuable insights, and deepen our expertise to better support our customers. Now we’re reporting back so you can learn the latest threats to your AWS environment and innovative solutions to address them.
In today’s blog post, we will share key takeaways from the event, including new feature announcements for AWS-native security tooling and innovative ways AWS is integrating AI into tooling and customer experience. We believe these insights will play a pivotal role in shaping the future of our customers’ cloud security architecture and operations.
Notable Announcements
Security Hub – Enhanced (Preview)
What was announced? Toxic combinations have come to AWS. Security Hub as we knew it has been rebranded Security Hub CSPM and is now a sub-component of the “new” Security Hub. AWS is introducing a new finding type, Exposure Findings, that ranks issues by risk so customers can focus on the remediations with the most impact. With the GA release (date TBA), AWS will also streamline onboarding and management of the underlying services (GuardDuty, AWS Config, Macie, Inspector), which should make the whole suite noticeably easier to stand up and operate.
Why is this important? Security Hub now operates in the CNAPP space and provides a lot of value for folks who do not yet have a CNAPP. Exposure Findings will help significantly in remediation prioritization efforts.
What else? While Security Hub has made strides, a couple of security services are not yet integrated, namely IAM Access Analyzer and the new Shield Network Security Director (though some of the latter’s functionality is replicated via Attack Paths). Customers may still find value in the leading third-party CNAPP platforms, which offer more flexibility, graph query capabilities, and multi-cloud support, and which are folding additional tool categories such as ASPM and SSPM into their platforms.
GuardDuty – Extended Threat Detection for EKS
What was announced? AWS has added EKS support for GuardDuty Extended Threat Detection, which was introduced at re:Invent 2024. This brings to EKS a new critical-severity finding type that correlates security events across EKS audit logs, runtime process behavior, and AWS API activity to identify multi-stage malicious activity.
Why is this important? This functionality improves visibility into EKS Clusters, and helps to surface sophisticated attack chains targeting containerized applications.
What else? To enable this functionality, customers turn on the GuardDuty protection plan labeled “EKS Protection”. In addition to increased visibility and correlation within EKS clusters, each attack-sequence finding delivers a breakdown of the affected resources, a timeline of the activity, and the indicators GuardDuty used to evaluate the sequence.
AWS Cloud WAN – Security Group Referencing and Improved DNS support
What was announced? AWS released to GA two significant features for Cloud WAN connected VPCs.
- Security Group referencing implements a long-requested feature: ingress and egress Security Group rules can now name a Security Group that resides in another Cloud WAN-connected VPC as the source or destination.
- Enhanced DNS resolution allows public DNS names to resolve to private IP addresses across connected VPCs.
Why is this important? Referencing Security Groups instead of CIDR ranges has been a best practice for many years, but it could not be applied across the VPCs and accounts attached to a Cloud WAN core network, which greatly limited its usefulness. Enhanced DNS resolution complements it by letting workloads reach those cross-VPC resources by name rather than by private IP.
What else? Both features are available to all VPCs attached to the same Core Network Edge; they do not extend to VPCs in other Regions or to VPCs attached to a different Core Network Edge.
IAM Access Analyzer – Internal Access Findings
What was announced? IAM Access Analyzer now reports on what IAM Principals have access to (supported) resources.
Why is this important? This functionality helps ensure least privilege is enforced for access to sensitive or critical data. Helpfully, these findings take applicable Service Control Policies (SCPs) and Resource Control Policies (RCPs) into account, unlike IAM Access Analyzer’s Unused Access findings. The feature is best used to spot changes in effective access, which is especially valuable when permissions are modified indirectly by way of Resource Policies, SCPs, and RCPs.
What else? IAM Access Analyzer Internal Access Findings are limited to a small number of resource types. To get started, an additional analyzer dedicated to internal access must be created.
EKS – AWS Private CA Connector Add-on
What was announced? This new integration allows customers to easily issue certificates from AWS Private CA to their Kubernetes clusters running on EKS.
Why is this important? The Private CA Connector for EKS add-on provides significant benefits for managing private certificates in EKS environments. It accelerates issuing AWS Private CA certificates to EKS clusters, enabling secure TLS termination at various points including load balancers, ingress controllers, and pods, while also securing pod-to-pod communication.
What else? Working in conjunction with cert-manager, it delivers a comprehensive solution for certificate lifecycle management within Kubernetes environments.
ACM – Public Certificate Export
What was announced? ACM Public Certificates can now be exported for use outside of the integrated managed AWS services.
Why is this important? Customers have long wanted the ability to use ACM public certificates for end-to-end encryption, and this release makes it possible. Rotation is still supported, though customers will have to push renewed certificates to their end systems on their own.
What else? One word of caution: a long-standing benefit of ACM has been that private keys were not exportable. That assurance let customers relax some restrictions around certificate creation, for example allowing wildcard certificates, because the risk of key compromise was lower. Ensure you have controls in place governing which certificates can be exported and by whom, and make sure the export call is logged (ACM API activity, including ExportCertificate, is recorded in AWS CloudTrail) so that you can alert on it.
New AWS MSSP Competency Categories
What was announced? AWS announced new AWS MSSP competency categories to help identify partners with validated security expertise. They are: Infrastructure Security, Workload Security, Application Security, Data Protection, Identity & Access Management, Incident Response, and Cyber Recovery.
Why is this important? AWS has structured these new competencies to make it easier for customers to find proven partners to help them achieve comprehensive security outcomes with quality, speed, and cost-effectiveness.
What else? Look for GuidePoint Security to contribute to this space as we continue to grow our AWS Partnership in support of our valued customers.
Other Announcements
- Inspector Code Security (GA release)
- AWS Shield Network Security Director
- WAF Improved Console Experience
- CloudFront Improved Console Experience
- Network Firewall – Active Threat Defense managed rule group
- Network Firewall – Native TGW Integration
- Verified Permissions (GA release)
AWS re:Inforce 2025 – Prevailing Themes
The AI in the room
At re:Inforce 2025, AWS tried to make one thing clear: AI isn’t just hype, it’s here and it’s integrated. Amazon Q was everywhere, woven into demos and sessions across the board. If you haven’t touched Q recently, it’s time for a revisit. Its integration across AWS services is now genuinely useful. Builder sessions had you using Q for writing Config rules, crafting CloudWatch queries, and even interacting directly with your environment via IDE extensions and AWS’ slew of MCP servers. The leap in capability from 2024 to 2025 is striking.
AWS also emphasized securing AI workloads, with sessions focused on best practices for building business applications with Amazon Q, Amazon Bedrock, and Amazon SageMaker AI. These sessions provided guidance on architecting generative AI solutions on AWS in line with the updated Generative AI Lens for the AWS Well-Architected Framework. The power is impressive, but as always, human judgement and diligence remain paramount.
GuidePoint has been developing our own guidance and assessment methodology for securing AI on AWS. Please reach out for more information.
Zero Trust
Zero Trust was another prevailing theme. The event catalog was full of sessions showcasing Zero Trust techniques that leverage services such as VPC Lattice, Verified Access, Verified Permissions, and other security controls for ingress, such as the newly announced CloudFront VPC Origins. VPC Lattice will replace the deprecated AWS App Mesh service, and it shows a lot of promise for controlling service-to-service communication, though it still lacks service discovery. You’ll want to keep your TGW/Cloud WAN architectures for deep packet inspection and centralized logging. We expect Verified Permissions to gain adoption as well, since it offers a managed service for storing and evaluating fine-grained authorization policies for home-grown applications.
Future-Proof Your AWS Environments with GuidePoint
GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. We act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions.
Need help future-proofing your AWS environment? We can help validate your existing workloads and security services, ensuring you’re secure and aligned with the latest best practices.
Michael Erker
Practice Lead,
GuidePoint Security
Michael Erker is a seasoned cybersecurity leader with over 15 years of experience specializing in cloud security architecture and enterprise risk management. He has led security initiatives across regulated industries, helping organizations align modern security strategies with business and technology goals. As Practice Lead for GuidePoint’s AWS Cloud Security Practice, Michael oversees a team of exceptionally skilled cloud security professionals and helps GuidePoint’s customers to secure and optimize their cloud workloads.
Known for bridging technical depth with strategic insight, Michael helps organizations mature their security posture while enabling innovation and operational agility in complex environments. Embracing the shift towards identity as the new control plane, Michael believes security is increasingly in the position to empower secure access to technology stacks from creator to consumer. Michael revels in driving the transformation of Security from the “House of No” into the “House of Enablement.”
Chris Romero
Cloud Security Architect,
GuidePoint Security
Chris Romero is a Cloud Security Architect with a background in Networking and Defensive Cyber Operations. He has been with GuidePoint for 18 months performing advisory and engineering roles for an array of customers.
Elizabeth Sims
Senior Cloud Security Architect,
GuidePoint Security
Elizabeth M. Sims, Cloud Security Architect, served as a Cyber Warfare Operations Officer in the U.S. Air Force before transitioning to the private sector. She has led sophisticated cyber operations and built secure AWS cloud infrastructures, leveraging her Master of Science in Information Technology – Information Security and Assurance from Carnegie Mellon University and her Bachelor of Science in Computer Networks and Cybersecurity from the University of Maryland Global Campus. Elizabeth holds numerous certifications, including CISSP, CCSP, and ten AWS certifications, demonstrating her extensive expertise across cloud and cybersecurity disciplines.
Her professional experience spans architecting secure cloud solutions, developing training courses to advance cloud capabilities for military units, and advising on secure software development frameworks for Fortune 500 companies. She is also a recognized speaker and contributor within the AWS community, actively promoting best practices that strengthen cloud security and bolster cyber resiliency in mission-critical environments.
AJ Thut
Cloud Automation Engineer,
GuidePoint Security
AJ Thut is a Cloud Automation Engineer who specializes in building and securing cloud infrastructures through innovative automation solutions. With expertise in Infrastructure as Code (IaC) and policy as code frameworks across multiple cloud platforms, AJ excels at creating event-driven security solutions that seamlessly integrate with DevSecOps practices. His versatile programming skills and experience with APIs, configuration management, and deployment tools enable him to design cloud-agnostic systems that maintain the highest security standards while improving operational efficiency.
Keegan Justis
Keegan Justis is a seasoned professional renowned for his expertise in cloud native services and DevSecOps practices tailored for AI-focused SaaS startups. Keegan excels in designing resilient cloud infrastructures that support the demands of AI applications while maintaining rigorous security standards. Beyond technology, Keegan enjoys reading, staying active with workouts, and cherishing time with his wife.
Mukhtar Kabir
Senior Cloud Security Consultant,
GuidePoint Security
Mukhtar Kabir is a Senior Cloud Security Consultant at GuidePoint Security. He holds a Bachelor of Science degree in Computer Networks and Security from the University of Maryland Global Campus. He is a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP). Here at GuidePoint, he helps organizations address their cloud security challenges by designing and recommending secure, scalable solutions that adhere to industry security best practices. Mukhtar holds all professional-level AWS certifications and is also AWS Security Specialty certified. He occasionally speaks at major industry conferences, sharing insights on cloud security and best practices. In his words, “I enjoy making complex security concepts easy to understand.”