AWS Chief Information Security Officer Amy Herzog said cybersecurity is becoming more about the time to act than time to detect due to the sheer scale of incidents and alerts. Herzog pitched a more active defense approach amid emerging AI use cases.
Speaking at AWS re:Inforce 2025 in Philadelphia, Herzog's message echoed what was heard previously from AWS about security by design. The twist is that AWS is rolling up its various security services into one package that can automate security processes and various chores that eat up response time.
AWS announced an enhanced Security Hub, positioned as a way to give enterprises the ability to be more proactive about security as AI-driven attacks emerge.
AWS Security Hub provides a unified cloud security system that combines threat detection, signals and simplified and prioritized alerts. "Security Hub combines signals from across AWS security services and then transforms them into actionable insights, helping you respond at scale," said Herzog.
In a demo, Herzog walked through how Security Hub can aggregate everything across AWS' various security tools. Security Hub is also designed to alleviate alert fatigue. "It's about time to act more than the time to detect through automated correlation, rich context and actionable insights," said Herzog.
Herzog said that companies with more mature security and compliance frameworks are better suited to adopt generative AI and ultimately agentic AI. One key message: Security is an enabler not a blocker to AI innovation.
AWS also touted how it is using generative AI to perform code patches and automate processes. The upshot here is that AWS is providing multiple security services even as it uses its AWS Marketplace to connect customers to a big ecosystem of vendors. What AWS is doing now is connecting those various security building blocks and automating various security workflows.
The cloud giant also launched a proactive network security analysis tool for AWS Shield and expanded Amazon GuardDuty into container-based environments.
Here's a look at what was announced:
Identity and Access Management (IAM): AWS IAM Access Analyzer internal access findings are now available to show who within an organization has access to S3 buckets and other resources.
"You can use the internal access guidance to see exactly who in your company has access to specific resources and information from one dashboard. You can monitor both internal and external access in one view."
AWS IAM, which handles 1.2 billion API calls per second, is also adding long-term credential management, data protection and access control. The general idea is to move toward having no long-term credentials at all.
Multifactor authentication is also 100% enforced across the AWS security layer.
AWS Certificate Manager with exportable public certificates: Herzog said "we know that management of digital certificates is a challenge," so the company is now allowing ACM-issued public certificates to be exported and used outside AWS as well as inside.
AWS Shield Network Security Director in preview: "Network Security Director starts by performing an analysis of your network, building a topology based on the resources, connections and networking services which have been implemented. It then assesses the network security of your resources and whether they meet network security best practices," said Herzog.
Herzog said the idea is that AWS Shield Network Security Director gives enterprises a built-in network security team with a simplified experience.
AWS Network Firewall Active Threat Defense: Herzog said the cloud provider is aggressive with its defenses. She walked through the AWS systems that defend against emerging threats. One system behind the active threat defenses, called Blackfoot, continuously inspects packets for malicious activity.
"Blackfoot gives us the data plane to stop their activities using Blackfoot, and we've implemented custom packet processing," said Herzog, who said Blackfoot has stopped 2.4 trillion malicious requests over the last six months.
Amazon GuardDuty: Herzog said Amazon GuardDuty is getting enhanced features to find anomalous behaviors, attack sequences and signals. AWS inspects 360 trillion telemetry events per day, and Amazon GuardDuty identified 13,000 high-confidence attack sequences over the last 90 days.