AWS re:Invent 2025 Security Recap: Key Announcements for IAM and Cloud Security
AWS re:Invent 2025 brought a wave of security announcements aimed at making cloud security more automated, more intelligent, and more deeply integrated across the AWS service portfolio. For teams managing IAM at scale, several of these launches directly address long-standing pain points. Here is a breakdown of the most significant security announcements and what they mean for practitioners.
IAM Access Analyzer Enhancements
Expanded Unused Access Analysis
IAM Access Analyzer received a major upgrade to its unused access findings. The service now tracks unused permissions at the individual action level rather than just flagging entire policies. This means you can see that a role has used s3:GetObject and s3:PutObject but never used s3:DeleteObject or s3:PutBucketPolicy, allowing you to craft tighter replacement policies with confidence.
```bash
# List unused access findings with the new action-level granularity
aws accessanalyzer list-findings-v2 \
  --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/my-analyzer \
  --filter '{
    "findingType": {"eq": ["UnusedPermission"]},
    "status": {"eq": ["ACTIVE"]},
    "resource": {"contains": ["arn:aws:iam::123456789012:role/ApplicationRole"]}
  }' \
  --query 'findings[].{
    Resource: resource,
    UnusedActions: findingDetails.unusedActions,
    LastAccessed: findingDetails.lastAccessed
  }'
```
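Once a finding tells you which actions a role never used, the remaining work is mechanical: subtract them from the role's policy. The script below is an added example written for this post, not code from AWS or from Access Analyzer. The policy document and the finding are constructed samples, and the finding's field names follow the `--query` output above rather than a documented API shape. It also handles the case the finding alone cannot fix: a wildcard action such as `logs:*` cannot be narrowed by subtraction, so it is flagged for review instead of being rewritten.

```python
"""Craft a tighter replacement policy from action-level unused-access findings."""
import json
from fnmatch import fnmatchcase

# Constructed sample: the role's current policy (hypothetical).
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Objects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Sid": "Bucket", "Effect": "Allow",
         "Action": "s3:PutBucketPolicy",
         "Resource": "arn:aws:s3:::app-bucket"},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": "logs:*",
         "Resource": "*"},
    ],
}

# Constructed sample finding for the role (field names assumed from the query above).
FINDING = {
    "Resource": "arn:aws:iam::123456789012:role/ApplicationRole",
    "UnusedActions": ["s3:DeleteObject", "s3:PutBucketPolicy", "logs:DeleteLogGroup"],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def prune_unused_actions(policy, unused_actions):
    """Return (tightened_policy, needs_review).

    Unused actions are dropped from Allow statements; a statement left with no
    actions is removed. Deny statements are copied untouched, because removing
    a Deny widens access. A wildcard action that covers an unused action is
    kept as-is and reported in needs_review: the right fix is to enumerate the
    actions that were actually used, which a subtraction cannot do.
    """
    unused = set(unused_actions)
    tightened = {"Version": policy.get("Version", "2012-10-17"), "Statement": []}
    needs_review = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            tightened["Statement"].append(stmt)
            continue
        keep = []
        for action in _as_list(stmt["Action"]):
            if "*" in action or "?" in action:
                if any(fnmatchcase(u, action) for u in unused):
                    needs_review.append((stmt.get("Sid"), action))
                keep.append(action)
            elif action not in unused:
                keep.append(action)
        if keep:
            new_stmt = dict(stmt)  # shallow copy so the input policy is not mutated
            new_stmt["Action"] = keep
            tightened["Statement"].append(new_stmt)
    return tightened, needs_review


if __name__ == "__main__":
    policy, review = prune_unused_actions(CURRENT_POLICY, FINDING["UnusedActions"])
    print(json.dumps(policy, indent=2))
    for sid, action in review:
        print(f"review {sid}: wildcard {action} covers an unused action; enumerate used actions instead")
```

Run it and the `Bucket` statement disappears entirely, `Objects` loses `s3:DeleteObject`, and `Logs` is left alone but reported for review. Deploying the tightened document as a new policy version (rather than editing in place) keeps a rollback path if the finding's observation window missed a rare code path.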
Custom Policy Validation Rules
Access Analyzer now supports custom policy validation rules that you define in JSON. This lets you enforce organization-specific guardrails beyond what AWS managed rules cover. For example, you can require that all policies include a Condition block, prohibit specific actions like iam:CreateUser, or mandate that resource ARNs never use wildcards.
```json
{
  "CustomPolicyChecks": [
    {
      "checkId": "no-wildcard-resources",
      "description": "Policies must not use wildcard resource ARNs for write actions",
      "severity": "ERROR",
      "rule": {
        "effect": "Allow",
        "actions": ["s3:Put*", "s3:Delete*", "dynamodb:Put*", "dynamodb:Delete*"],
        "resources": ["*"]
      },
      "expectedResult": "FAIL"
    },
    {
      "checkId": "require-mfa-for-sensitive",
      "description": "Sensitive actions must require MFA",
      "severity": "WARNING",
      "rule": {
        "effect": "Allow",
        "actions": ["iam:*", "kms:*", "organizations:*"],
        "conditions": {
          "required": ["aws:MultiFactorAuthPresent"]
        }
      },
      "expectedResult": "PASS"
    }
  ]
}
```
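To make the semantics of those two rules concrete, here is an added example of how a checker could apply them to a policy document. It is written for this post and is not Access Analyzer's implementation; the page only shows the rule JSON, so the evaluation semantics (what `expectedResult: FAIL` versus `PASS` means, and that a rule resource of `*` matches any wildcard ARN) are assumptions, and the policy under review is a constructed sample.

```python
"""Evaluate an IAM policy document against custom checks in the page's shape."""
from fnmatch import fnmatchcase

# The two checks from the page, as Python data (descriptions omitted).
CHECKS = [
    {"checkId": "no-wildcard-resources", "severity": "ERROR",
     "rule": {"effect": "Allow",
              "actions": ["s3:Put*", "s3:Delete*", "dynamodb:Put*", "dynamodb:Delete*"],
              "resources": ["*"]},
     "expectedResult": "FAIL"},
    {"checkId": "require-mfa-for-sensitive", "severity": "WARNING",
     "rule": {"effect": "Allow",
              "actions": ["iam:*", "kms:*", "organizations:*"],
              "conditions": {"required": ["aws:MultiFactorAuthPresent"]}},
     "expectedResult": "PASS"},
]

# Constructed sample policy under review (hypothetical).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UploadAnywhere", "Effect": "Allow",
         "Action": "s3:PutObject", "Resource": "*"},
        {"Sid": "ReadAnywhere", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "*"},
        {"Sid": "UsersWithMfa", "Effect": "Allow",
         "Action": "iam:CreateUser", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DecryptNoMfa", "Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/example-key-id"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _actions_overlap(statement_actions, rule_actions):
    """Either side may carry wildcards: s3:* overlaps s3:Put*, and vice versa."""
    return any(fnmatchcase(a, p) or fnmatchcase(p, a)
               for a in statement_actions for p in rule_actions)


def _in_scope(stmt, rule):
    """A statement is in scope when its effect and at least one action match."""
    return (stmt.get("Effect") == rule["effect"]
            and _actions_overlap(_as_list(stmt.get("Action", [])), rule["actions"]))


def _matches_clauses(stmt, rule):
    """True when the statement exhibits every extra clause the rule lists."""
    if "resources" in rule:
        resources = _as_list(stmt.get("Resource", []))
        # Assumption: a rule entry of "*" means any resource ARN containing a wildcard.
        if not any(r == entry or (entry == "*" and "*" in r)
                   for r in resources for entry in rule["resources"]):
            return False
    if "conditions" in rule:
        present = set()
        for operator_block in stmt.get("Condition", {}).values():
            present.update(operator_block.keys())
        if not set(rule["conditions"].get("required", [])) <= present:
            return False
    return True


def evaluate_policy(policy, checks):
    """Return one finding per (check, statement) violation, in check order.

    expectedResult FAIL: the rule describes a forbidden pattern, so a full
    match is a violation. expectedResult PASS: the rule describes what every
    in-scope statement must look like, so an in-scope statement that does
    not match is a violation.
    """
    findings = []
    for check in checks:
        rule = check["rule"]
        for stmt in policy["Statement"]:
            if not _in_scope(stmt, rule):
                continue
            matched = _matches_clauses(stmt, rule)
            violated = matched if check["expectedResult"] == "FAIL" else not matched
            if violated:
                findings.append({"checkId": check["checkId"],
                                 "severity": check["severity"],
                                 "sid": stmt.get("Sid")})
    return findings


if __name__ == "__main__":
    for f in evaluate_policy(POLICY, CHECKS):
        print(f"{f['severity']}: {f['checkId']} violated by statement {f['sid']}")
```

Against the sample policy, `UploadAnywhere` trips the wildcard-resource check while `ReadAnywhere` does not (reads are outside the rule's action list), and `DecryptNoMfa` trips the MFA check while `UsersWithMfa` passes. Whatever checker you use, run it in CI on policy documents before they reach `put-role-policy`, where a failing ERROR should block the merge.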
Security Hub Improvements
Consolidated Cross-Account Dashboards
Security Hub now offers a unified dashboard that aggregates findings across all accounts in an AWS Organization without requiring manual administrator account delegation for each region. The new consolidated view provides executive-level risk scoring that weights findings by severity, account criticality, and time-to-remediation.
The most practical improvement is the automated remediation pipeline integration. Security Hub findings can now trigger Step Functions workflows directly, removing the need for custom EventBridge-to-Lambda glue code. Teams can define remediation workflows that include approval gates, Slack notifications, and Jira ticket creation as native steps.
Enhanced Compliance Standards
Two new compliance standards were introduced: a cloud-native application security benchmark and an AI/ML workload security framework. Both standards include automated checks that evaluate IAM permissions, network configurations, and data handling practices specific to containerized and machine learning workloads.
GuardDuty Enhancements
AI-Powered Anomaly Detection
GuardDuty now uses foundation models to detect behavioral anomalies that rule-based systems miss. The service learns the normal API call patterns for each IAM principal in your account and generates findings when behavior deviates significantly. This catches scenarios like a developer role suddenly making organizations:DescribeAccount calls or a Lambda execution role accessing DynamoDB tables it has never touched before.
```bash
# Enable the new enhanced threat detection features
aws guardduty update-detector \
  --detector-id abcdef1234567890 \
  --features '[
    {
      "Name": "AI_ANOMALY_DETECTION",
      "Status": "ENABLED"
    },
    {
      "Name": "RUNTIME_MONITORING",
      "Status": "ENABLED",
      "AdditionalConfiguration": [
        {
          "Name": "ECS_FARGATE_AGENT_MANAGEMENT",
          "Status": "ENABLED"
        },
        {
          "Name": "EKS_ADDON_MANAGEMENT",
          "Status": "ENABLED"
        }
      ]
    }
  ]'
```
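The behavioral signal described above, in its simplest form, is a per-principal baseline of which API calls a role has made and a check for calls that fall outside it. The script below is an added example written for this post, not GuardDuty's model or any AWS code: it builds a set-membership baseline from CloudTrail-shaped records and labels deviations by how far they stray (new service, new action, or new resource). The events are constructed samples; the field names (`eventSource`, `eventName`, `userIdentity.sessionContext.sessionIssuer.arn`, `requestParameters`) follow CloudTrail's record format.

```python
"""Per-principal API baseline and deviation detection over CloudTrail-shaped events."""
from collections import defaultdict


def principal_of(event):
    """Key on the role, not the session: an assumed-role record carries the
    issuing role under sessionContext.sessionIssuer."""
    identity = event["userIdentity"]
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity["arn"]


def resource_of(event):
    """Resource-level key so a new DynamoDB table or S3 bucket stands out."""
    params = event.get("requestParameters") or {}
    return params.get("tableName") or params.get("bucketName") or ""


def learn_baseline(events):
    """Map principal -> set of (eventSource, eventName, resource) observed."""
    baseline = defaultdict(set)
    for e in events:
        baseline[principal_of(e)].add((e["eventSource"], e["eventName"], resource_of(e)))
    return baseline


def detect_deviations(events, baseline):
    """Return events outside the baseline, each labelled with how it deviates."""
    deviations = []
    for e in events:
        principal = principal_of(e)
        key = (e["eventSource"], e["eventName"], resource_of(e))
        seen = baseline.get(principal)
        if seen is None:
            reason = "never-seen principal"
        elif key in seen:
            continue
        elif key[0] not in {s for s, _, _ in seen}:
            reason = "first call to service"
        elif key[:2] not in {(s, n) for s, n, _ in seen}:
            reason = "first use of action"
        else:
            reason = "first access to resource"
        deviations.append({"principal": principal, "eventSource": key[0],
                           "eventName": key[1], "resource": key[2], "reason": reason})
    return deviations


def _event(role_arn, source, name, **params):
    """Build a minimal CloudTrail-shaped record for an assumed-role session (constructed)."""
    session = role_arn.replace(":iam::", ":sts::").replace(":role/", ":assumed-role/") + "/session"
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole", "arn": session,
                             "sessionContext": {"sessionIssuer": {"arn": role_arn}}},
            "requestParameters": params or None}


# Constructed sample roles and history (hypothetical account and names).
DEV = "arn:aws:iam::123456789012:role/DeveloperRole"
LAMBDA = "arn:aws:iam::123456789012:role/OrderServiceRole"
BASELINE_EVENTS = [
    _event(DEV, "ec2.amazonaws.com", "DescribeInstances"),
    _event(DEV, "s3.amazonaws.com", "GetObject", bucketName="app-bucket"),
    _event(LAMBDA, "dynamodb.amazonaws.com", "GetItem", tableName="Orders"),
    _event(LAMBDA, "dynamodb.amazonaws.com", "PutItem", tableName="Orders"),
]
NEW_EVENTS = [
    _event(LAMBDA, "dynamodb.amazonaws.com", "GetItem", tableName="Orders"),      # within baseline
    _event(DEV, "organizations.amazonaws.com", "DescribeAccount"),              # new service
    _event(LAMBDA, "dynamodb.amazonaws.com", "GetItem", tableName="Customers"),  # new table
    _event(LAMBDA, "dynamodb.amazonaws.com", "DeleteTable", tableName="Orders"), # new action
]

if __name__ == "__main__":
    for d in detect_deviations(NEW_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print(f"{d['reason']}: {d['principal'].rsplit('/', 1)[-1]} "
              f"{d['eventSource']} {d['eventName']} {d['resource']}")
```

A pure set baseline has no notion of frequency or time, so it will flag any rare but legitimate call after the learning window; that is the gap between this illustration and a learned model, and why findings from a behavioral detector still need triage against change tickets and deployment history before they become incidents.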
Runtime Threat Detection Expansion
GuardDuty Runtime Monitoring expanded beyond EKS to cover ECS on Fargate and standalone EC2 instances. The runtime agent detects process-level threats like reverse shells, privilege escalation attempts, and cryptomining binaries without requiring you to manage separate endpoint detection agents.
New Encryption and Data Sovereignty Features
Regional Key Governance
KMS introduced regional key governance policies that prevent keys from being replicated to regions outside an approved list. For organizations subject to data residency requirements in the EU, APAC, or other jurisdictions, this provides a technical enforcement mechanism that was previously only available through SCPs with limited granularity.
CloudHSM Cluster Improvements
CloudHSM clusters now support automatic failover across Availability Zones with sub-second recovery, making hardware-backed key management viable for latency-sensitive workloads that previously had to accept the availability tradeoff.
Identity Governance Updates
Temporary Elevated Access
AWS launched a native temporary elevated access service that integrates with IAM Identity Center. Teams can request time-bound access to privileged roles through an approval workflow, with all elevated sessions automatically logged and revoked when the window expires. This replaces the custom break-glass solutions many organizations have built on top of AssumeRole with session tags.
Service Control Policy Enhancements
SCPs now support condition keys for tagging, allowing organizations to enforce that resources can only be created or modified if they carry specific tags. Combined with the new tag-based access control improvements, this makes attribute-based access control practical at the organizational level.
What These Announcements Mean for Practitioners
The common thread across this year's security announcements is automation and intelligence. AWS is pushing hard to reduce the manual work involved in security operations, from unused permission cleanup to incident remediation to compliance reporting.
For IAM specifically, the direction is clear: AWS wants every organization to achieve least privilege, and it is building the tooling to make that achievable at scale. The action-level unused access analysis and custom policy validation rules are the most impactful features for teams that manage hundreds of roles across dozens of accounts.
Securing Your Environment After re:Invent with AccessLens
The new capabilities announced at re:Invent 2025 generate more data about your IAM posture than ever before. Access Analyzer findings, Security Hub scores, and GuardDuty behavioral baselines all contribute valuable signals. But turning that data into actionable security improvements requires a unified view across all your accounts and services.
AccessLens complements these new AWS features by providing:
- Unified IAM visibility that correlates Access Analyzer findings with cross-account trust relationships and effective permissions in a single dashboard
- Risk-prioritized remediation that ranks IAM issues by actual exploitability, not just severity labels
- Trust relationship mapping that visualizes the cross-account access paths GuardDuty's anomaly detection monitors
- Continuous posture monitoring that tracks whether your IAM configurations drift after you apply fixes from Security Hub recommendations
The AWS security toolbox is deeper than ever. AccessLens helps you use it effectively by providing the IAM-focused analysis layer that ties everything together.
See your IAM posture clearly with AccessLens and turn re:Invent's new security features into measurable risk reduction.