Posted on | Leave a comment

Introducing AWS Security Hub for risk prioritization and response at scale (Preview)

AWS announces an enhanced AWS Security Hub to prioritize your critical security issues and help respond at scale to reduce security risks, improve your team’s productivity, and protect your cloud environment. It detects critical issues by correlating and enriching security signals, for example, from threat detection and vulnerability management. This enables you to quickly surface and prioritize active risks in your cloud environment. The unified solution provides more comprehensive visibility into your security posture while reducing the complexity of manually piecing together information from multiple security tools.

Security Hub transforms correlated security signals into actionable insights through intuitive visualizations and contextual analytics, helping you identify critical patterns and trends and centralize security operations in your environment. For example, it detects and correlates scenarios where publicly exposed resources with highly exploitable vulnerabilities have access to storage with sensitive data. These insights provide enhanced risk context so you can make more informed decisions and take immediate action on security issues. Enhanced capabilities include exposure findings, security-focused asset inventory, attack path visualization, and automated response workflows with ticketing system integration. This centralized management enables streamlined remediation at scale while helping you minimize potential operational disruptions. 
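The "publicly exposed, highly exploitable, can reach sensitive data" correlation described above, shown as an added illustration of the logic rather than Security Hub's own implementation or any AWS code. The three signal sets (exposure, vulnerabilities, data access), their field names, the resource ids, the placeholder vulnerability ids and the scoring are all constructed for this example; the point is that a risk only becomes a prioritized path when every link in the chain is present.

```javascript
// Added, illustrative correlation logic (not Security Hub's own): combine three
// normalized signal sets to find "exposed + exploitable + reaches sensitive data"
// paths and rank them. Every record below is constructed for this example.

const RESOURCES = [ // exposure findings: which compute is reachable from the Internet
  { id: 'i-0a1', internetExposed: true,  role: 'WebRole' },
  { id: 'i-0b2', internetExposed: false, role: 'BatchRole' },
  { id: 'i-0c3', internetExposed: true,  role: 'WebRole' },
];
const VULNERABILITIES = [ // vulnerability findings per resource (placeholder ids)
  { resourceId: 'i-0a1', vulnId: 'VULN-PLACEHOLDER-1', cvss: 9.8, exploitAvailable: true },
  { resourceId: 'i-0b2', vulnId: 'VULN-PLACEHOLDER-2', cvss: 9.8, exploitAvailable: true },
  { resourceId: 'i-0c3', vulnId: 'VULN-PLACEHOLDER-3', cvss: 5.3, exploitAvailable: false },
];
const DATA_ACCESS = [ // which instance roles can read which buckets, plus classification
  { role: 'WebRole',   bucket: 'customer-records', sensitive: true },
  { role: 'BatchRole', bucket: 'customer-records', sensitive: true },
  { role: 'WebRole',   bucket: 'public-assets',    sensitive: false },
];

// A vulnerability counts as highly exploitable when it is severe and weaponized.
function isHighlyExploitable(v) {
  return v.cvss >= 7.0 && v.exploitAvailable === true;
}

// Returns attack paths ordered by score (highest first). A path exists only when
// all three conditions hold; any missing condition breaks the chain, so a
// critical vulnerability on an internal-only host yields no path here.
function correlateAttackPaths(resources, vulns, access) {
  const paths = [];
  for (const r of resources) {
    if (!r.internetExposed) continue;
    const exploitable = vulns.filter((v) => v.resourceId === r.id && isHighlyExploitable(v));
    if (exploitable.length === 0) continue;
    const sensitiveBuckets = access.filter((a) => a.role === r.role && a.sensitive);
    for (const v of exploitable) {
      for (const a of sensitiveBuckets) {
        paths.push({ resourceId: r.id, vulnId: v.vulnId, via: r.role,
                     bucket: a.bucket, score: v.cvss * 10 });
      }
    }
  }
  return paths.sort((x, y) => y.score - x.score);
}

// Per-resource triage tier: how many of the three conditions are met.
function riskTier(resource, vulns, access) {
  const met = [
    resource.internetExposed === true,
    vulns.some((v) => v.resourceId === resource.id && isHighlyExploitable(v)),
    access.some((a) => a.role === resource.role && a.sensitive),
  ].filter(Boolean).length;
  return ['low', 'medium', 'high', 'critical'][met];
}

// Example run: only i-0a1 produces a full path; i-0b2 has the same vulnerability
// but is not exposed, i-0c3 is exposed but its vulnerability is not exploitable.
for (const p of correlateAttackPaths(RESOURCES, VULNERABILITIES, DATA_ACCESS)) {
  console.log(`${p.resourceId} -> ${p.vulnId} -> ${p.via} -> ${p.bucket} (score ${p.score})`);
}
```

The same shape works over real finding exports once each source is normalized to these three questions (is it reachable, is it exploitable, what can its identity read); the tier function is what you would use to order the queue when no full path exists yet.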

For more information about AWS Regions where Security Hub is available, see the AWS Region table. You can enable Security Hub for individual accounts or across your entire AWS Organization with centralized deployment and management. The service integrates with existing AWS security capabilities including Amazon GuardDuty, Amazon Inspector, AWS Security Hub CSPM, and Amazon Macie, providing more comprehensive security posture without additional operational overhead.  

To learn more about the enhanced Security Hub and join the Preview, visit the AWS Security Hub console or the AWS Security Hub product page.

AWS Shield introduces network security director (preview)

Today, AWS Shield announces the preview of network security director, a new capability that provides visibility into the AWS resources in your network, identifies missing or misconfigured network security services, and recommends remediation steps. As threats continue to evolve, AWS Shield has expanded its capabilities beyond DDoS protection to help you easily identify resources requiring network and application protection and correctly secure them.

With network security director, AWS Shield helps you simplify network security management in three ways. First, it provides visibility into your network topology, which shows you the resources in your account and how they are connected to each other and the Internet. It discovers enabled AWS network security services, such as AWS WAF, VPC security groups, and VPC network access control lists (NACLs), and determines how well they are configured relative to AWS best practices and threat intelligence. Second, AWS Shield helps you quickly identify which missing or misconfigured firewalls require your immediate attention by showing you network security findings on your resources, prioritized by severity level.

Lastly, for each finding, you can view actionable remediation recommendations to correctly implement or update the configuration of the network security services you use.

Easily get answers, in natural language, to questions about your network security configurations from AWS Shield network security director within Amazon Q Developer in the AWS Management Console and chat applications. For example, you can ask “Are any of my Internet-facing resources vulnerable to DDoS?”, and Amazon Q shows relevant network security findings on specific resources with recommended remediation steps. This capability is available during preview at no additional cost in select AWS Regions: US East (N. Virginia) and Europe (Stockholm). Amazon Q Developer’s capability to analyze network security configurations is available in preview in US East (N. Virginia).

To learn more, visit the overview page.

Introducing the reimagined AWS MSSP Competency

Introducing the updated AWS MSSP Competency (previously AWS Level 1 MSSP Competency) for partners with turn-key security solutions that transform how organizations approach cloud security. The update includes new categories to validate Partners’ security expertise in specific domains including Infrastructure Security, Workload Security, Application Security, Data Protection, Identity & Access Management, Incident Response, and Cyber Recovery. These categories validate service partners’ capabilities to deliver comprehensive security outcomes leveraging native AWS services and best-of-breed security tools.

Partners must meet core MSSP requirements and demonstrate expertise in at least one category through technical validation. Additionally, MSSP Competency Partners have the option to showcase how they integrate validated AWS Security Competency ISV solutions into their managed security services. This visibility helps AWS customers identify which MSSP Competency Partners can effectively manage their existing third-party security tools as part of a comprehensive security solution.

To learn more about AWS-validated fully managed security solutions, visit the AWS MSSP Competency page and contact a partner to evaluate your security needs.

AWS Network Firewall launches support for active threat defense

AWS Network Firewall now offers active threat defense, a new security feature that helps you protect your Amazon Virtual Private Cloud (VPC) workloads against threat activities observed across AWS global infrastructure using Amazon threat intelligence.

AWS Network Firewall with active threat defense provides automated, intelligence-driven protection against dynamic, ongoing threat activities observed across AWS infrastructure. Once enabled, you can configure the managed rule group in your firewall policy to automatically block suspicious traffic, such as command-and-control (C2) communication, embedded URLs, and malicious domains. The feature provides protection by continuously updating rules based on current threat activity. AWS Network Firewall offers improved visibility for the active threat defense rule group, allowing you to see the indicator groups, types, and threat names you’re protected against. If you are also an Amazon GuardDuty customer, related threat intelligence findings are marked with the threat list name “Amazon Active Threat Defense” going forward. These active threats can be automatically blocked by using the active threat defense managed rule group on AWS Network Firewall.

To get started with AWS Network Firewall with active threat defense, visit the AWS Network Firewall console or refer to our documentation. This feature is supported in all AWS Regions where AWS Network Firewall is available today, including the AWS GovCloud (US) Regions and China Regions. For more information about AWS Network Firewall and its features, please visit the AWS Network Firewall product page.

AWS Backup launches Multi-party approval support for logically air-gapped vaults

AWS Backup announces support for Multi-party approval in AWS Organizations for logically air-gapped vaults to enhance data recovery. This new AWS Backup feature enables customers to authorize access to backups for approved accounts in logically air-gapped vaults, even when the owning account becomes inaccessible due to inadvertent or malicious events.

Multi-party approval is a new governance capability that requires multiple authorized individuals to approve critical operations before execution on AWS resources. This distributed decision-making process adds an enhanced security layer by preventing any single person from making unilateral changes. The capability is now being launched as an integration with AWS Backup, allowing customers to create and associate approval teams with both new and existing logically air-gapped vaults to strengthen recovery protection.

When used with logically air-gapped vaults, customers can provision clean recovery accounts and authorize backup sharing through their approval teams. Team members manage sharing requests through the AWS IAM Identity Center enabled Approval portal, providing an AWS-native secure method to access backups from compromised AWS accounts. Customers incur no additional cost for integrating and using Multi-party approval teams with AWS Backup logically air-gapped vaults.

AWS Backup support for Multi-party approval is available in all Regions where logically air-gapped vaults are currently supported. For more information about implementing this data recovery strategy, visit the AWS Backup product page, AWS Backup documentation, Multi-party approval documentation and news blog.
Express.js developers can now add authorization in minutes with Amazon Verified Permissions

Today, AWS announces the release of @verifiedpermissions/authorization-clients-js, an open source package that enables developers to implement authorization in their Express.js web application APIs in minutes. This simplifies development and improves application security by significantly reducing the custom authorization code compared to traditional approaches where authorization logic was embedded into the application.

With this package, developers of Express.js applications can move authorization logic to Cedar policies which are managed outside code. For example, a pet store application can restrict API access based on user roles, allowing administrators full access while limiting customers to view-only operations, all without embedding complex authorization logic in application code. As your application evolves, you can easily extend these permissions, such as allowing employees to create and update pets but not delete them, by simply adding a new policy without modifying a single line of application code.

Amazon Verified Permissions is a scalable permissions management and fine-grained authorization service for the applications that you build. The integration follows a straightforward workflow: developers generate a Cedar schema for their Express.js application, create authorization policies defining access rules, and add a middleware component to their Express application. When users make API requests, the middleware automatically validates authorization with Verified Permissions before processing continues.
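The workflow just described (Cedar policies kept outside the code, a middleware that checks every request), as an added example written for this post. It is not the announced @verifiedpermissions/authorization-clients-js package and not AWS code: the `PetStore::` entity and action names, the route table, and a `req.user` object set by an earlier authentication step are all assumptions; `verifiedPermissionsDecider` shows the standard Verified Permissions `IsAuthorized` call as one way to obtain a decision, and `localDecider` is an offline stand-in that mirrors the three policies so the middleware can be exercised without network access.

```javascript
// Added example (not the announced @verifiedpermissions/authorization-clients-js
// package, nor AWS code): an Express-compatible middleware that turns each API
// request into a Cedar (principal, action, resource) question and lets a policy
// decider answer it before the route handler runs. "PetStore::" names are assumed.
// Cedar policies for the hypothetical pet store. They live in Verified Permissions,
// not in application code: admins do everything, customers read only, employees
// create and update pets but never delete them.
const CEDAR_POLICIES = `
permit(principal in PetStore::Role::"admin", action, resource);

permit(
  principal in PetStore::Role::"customer",
  action in [PetStore::Action::"ListPets", PetStore::Action::"GetPet"],
  resource
);

permit(
  principal in PetStore::Role::"employee",
  action in [PetStore::Action::"ListPets", PetStore::Action::"GetPet",
             PetStore::Action::"CreatePet", PetStore::Action::"UpdatePet"],
  resource
);
`;
// Route table: which Cedar action an HTTP method + path means. Unlisted routes are denied.
const ROUTE_ACTIONS = [
  { method: 'GET',    pattern: /^\/pets$/,          actionId: 'ListPets' },
  { method: 'GET',    pattern: /^\/pets\/([^/]+)$/, actionId: 'GetPet' },
  { method: 'POST',   pattern: /^\/pets$/,          actionId: 'CreatePet' },
  { method: 'PUT',    pattern: /^\/pets\/([^/]+)$/, actionId: 'UpdatePet' },
  { method: 'DELETE', pattern: /^\/pets\/([^/]+)$/, actionId: 'DeletePet' },
];
function mapRequest(req) {
  for (const route of ROUTE_ACTIONS) {
    const m = req.method === route.method ? route.pattern.exec(req.path) : null;
    if (!m) continue;
    return {
      action: { actionType: 'PetStore::Action', actionId: route.actionId },
      resource: m[1] ? { entityType: 'PetStore::Pet', entityId: m[1] }
                     : { entityType: 'PetStore::Application', entityId: 'PetStore' },
    };
  }
  return null;
}
// Middleware factory. `decide` gets { principal, roles, action, resource } and resolves
// to 'ALLOW' or 'DENY'. req.user ({ id, roles }) is assumed to be set by prior auth.
function cedarAuthorization(decide) {
  return async function authorize(req, res, next) {
    const mapped = mapRequest(req);
    if (!mapped || !req.user) return res.status(403).json({ error: 'forbidden' });
    try {
      const decision = await decide({
        principal: { entityType: 'PetStore::User', entityId: req.user.id },
        roles: req.user.roles || [],
        action: mapped.action,
        resource: mapped.resource,
      });
      if (decision !== 'ALLOW') return res.status(403).json({ error: 'forbidden' });
      return next();
    } catch (err) {
      // Fail closed: an unreachable policy service must never grant access.
      return res.status(500).json({ error: 'authorization unavailable' });
    }
  };
}
// Production decider (assumed SDK usage): asks the Verified Permissions IsAuthorized API,
// passing the user's roles as parent entities so `principal in Role::"x"` matches.
// Required lazily so this file still runs offline without the SDK installed.
function verifiedPermissionsDecider(policyStoreId) {
  const { VerifiedPermissionsClient, IsAuthorizedCommand } =
    require('@aws-sdk/client-verifiedpermissions');
  const client = new VerifiedPermissionsClient({});
  return async ({ principal, roles, action, resource }) => {
    const out = await client.send(new IsAuthorizedCommand({
      policyStoreId, principal, action, resource,
      entities: { entityList: [{ identifier: principal,
        parents: roles.map((r) => ({ entityType: 'PetStore::Role', entityId: r })) }] },
    }));
    return out.decision;
  };
}
// Offline stand-in that mirrors CEDAR_POLICIES (constructed for this example).
const ROLE_ACTIONS = {
  admin: null, // null = every action
  customer: new Set(['ListPets', 'GetPet']),
  employee: new Set(['ListPets', 'GetPet', 'CreatePet', 'UpdatePet']),
};
async function localDecider({ roles, action }) {
  for (const role of roles) {
    if (!Object.prototype.hasOwnProperty.call(ROLE_ACTIONS, role)) continue;
    const allowed = ROLE_ACTIONS[role];
    if (allowed === null || allowed.has(action.actionId)) return 'ALLOW';
  }
  return 'DENY';
}
// Drives the middleware with a fake req/res and reports what a client would see.
async function simulate(decide, method, path, user) {
  const result = { status: 200, calledNext: false };
  const res = { status(c) { result.status = c; return this; }, json() { return this; } };
  await cedarAuthorization(decide)({ method, path, user }, res, () => { result.calledNext = true; });
  return result;
}
// Real app: app.use('/pets', cedarAuthorization(verifiedPermissionsDecider('<POLICY_STORE_ID>')));
```

Two design points worth keeping when you wire this to the real package or service: unmapped routes and missing identities are denied before any policy is consulted, and a decider failure returns 500 rather than falling through to the handler. Adding the "employees may create and update but not delete" rule is a policy change only; the route table and middleware stay as they are.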

The @verifiedpermissions/authorization-clients-js package is available on GitHub under the Apache 2.0 license and distributed through NPM. This integration is available in all AWS Regions where Amazon Verified Permissions is supported, with no additional charges beyond standard Verified Permissions pricing. To get started, follow the ExpressJS blog or visit the Verified Permissions GitHub repo.

AWS Certificate Manager introduces public certificates you can use anywhere

AWS Certificate Manager (ACM) announces exportable public certificates that you can use on any workload that requires a public TLS certificate, whether within AWS or outside. With this release, you can issue public certificates that you can export and access the certificate’s private key to securely terminate TLS traffic on any compute workload. This includes EC2 instances, containers, or on-premises hosts.

ACM customers can now affordably issue, manage, and automate public certificates for use with your AWS, hybrid, or multicloud workloads. Previously, ACM-issued public certificates could only be used with integrated AWS services, such as Amazon CloudFront. Now, during certificate request, you can mark the certificate as exportable for use outside of integrated services as well. You can procure these certificates within seconds once you complete the required domain validation to prove that you are authorized to receive the certificate.

The exportable public certificates are valid for 395 days and cost $15 per FQDN and $149 per wildcard name. You don’t need to sign up for bulk issuance contracts, and you only pay once for the lifetime of the certificate. Network and security administrators can monitor and automate the use of these certificates through ACM’s certificate lifecycle CloudWatch events.

Security is top priority within AWS and your end users cannot export public certificates that were issued prior to this launch. AWS administrators can set IAM policies to authorize roles and users who can request exportable public certificates. The feature is available in all regions where ACM is available including the AWS GovCloud (US) and China Regions. Learn more about this feature here.
IAM Access Analyzer now identifies who in your AWS organization can access your AWS resources

AWS Identity and Access Management (IAM) Access Analyzer now identifies who within your AWS organization has access to your Amazon S3, Amazon DynamoDB, or Amazon Relational Database Service (RDS) resources. It uses automated reasoning to evaluate all identity policies, resource policies, service control policies (SCPs), and resource control policies (RCPs) to surface all IAM users and roles that have access to your selected critical resources.

After the new internal access analyzer is enabled in the IAM console, the analyzer monitors your selected resources daily, and surfaces findings in a unified dashboard. The updated dashboard combines internal and external access findings to provide a 360-degree view of all access granted to your critical resources. Security teams can respond to new findings in two ways: taking immediate action to fix unintended access, or setting up automated notifications through Amazon EventBridge to engage development teams for remediation.

Internal access findings provide security teams the visibility to strengthen access controls on their critical resources and help compliance teams demonstrate access control audit requirements. Internal access findings are available in all AWS commercial Regions. To learn more about IAM Access Analyzer internal access findings:

Read the AWS news blog post
Review the pricing page
Visit the IAM Access Analyzer documentation   

AWS WAF reduces web application security configuration steps and provides expert-level protection

Today, AWS announces general availability of the AWS WAF simplified console experience that reduces web application security configuration steps by up to 80% and provides expert-level protection to help you optimize application security. AWS WAF helps protect web applications and APIs against common web exploits and bots that could affect availability, compromise security, or consume excessive resources. Security teams can now implement comprehensive protection for applications within minutes through pre-configured protection packs that incorporate AWS security expertise and are continuously updated to address emerging threats. These templates provide extensive security coverage including protection against common web vulnerabilities, malicious bot traffic, application layer DDoS events, and API-specific threats, all customized to your application type.

With the new console experience, select the application type, such as E-commerce platforms or transaction processing applications, to automatically apply expert-curated protection rules optimized for the specific use case. The unified dashboard provides consolidated security metrics, threat detection, and rule performance data, enabling security teams to quickly identify and respond to potential threats while maintaining full security control. Key security controls, including rate limiting, geographic restrictions, and IP reputation filtering, can be customized through an intuitive single-page interface that reduces configuration time.

The new AWS WAF console experience is available in all AWS Regions, including the AWS GovCloud (US) Regions and the China Regions.

To learn more about the new AWS WAF console experience, see the following resources:

Features page
Getting Started with AWS WAF
Launch Blog  

AWS IAM now enforces MFA for root users across all account types

Today AWS Identity and Access Management (IAM) announced comprehensive multi-factor authentication (MFA) requirements for root users across all account types, with the expansion to member accounts. The new MFA enforcement marks a significant milestone in our ongoing commitment to secure-by-design principles, setting a high bar for our customers’ default security posture and building upon our previous security enhancements. Our security journey began with requiring MFA for AWS Organizations management account root users in May 2024, followed by expanding MFA requirements to standalone account root users in June 2024, and introducing centralized root access management for AWS Organizations in November 2024.

IAM helps you securely manage identities and control access to AWS services and resources. MFA is a security best practice in IAM that requires a second authentication factor in addition to the user name and password sign-in credentials. MFA is available at no additional cost and prevents over 99% of password-related attacks. You can use a range of supported IAM MFA methods, including FIDO-certified security keys, to harden access to your AWS accounts. AWS supports FIDO2 passkeys for a user-friendly MFA implementation and allows customers to register up to 8 MFA devices per root and IAM user. For AWS Organizations customers, we recommend centralizing account access management through the management account and removing root user credentials from member accounts, which represents an even stronger security posture.

To learn more:

Root user MFA guide
Centralized root access