AWS Boosts Cloud Defense with New AI-Powered Security Tools at re:Invent 2025

AWS Announces AI-Powered Security Agent, Enhanced GuardDuty, and Upgraded Security Hub at re:Invent 2025

INFORMATIONAL
December 4, 2025
4m read
Cloud Security · Security Operations · Patch Management

Related Entities

Products & Tech

AWS Security Agent · AWS Security Hub · Amazon GuardDuty · IAM Policy Autopilot · Amazon Inspector · EC2 · ECS

Full Report

Executive Summary

At its flagship re:Invent 2025 conference, Amazon Web Services (AWS) announced a slate of new and updated security services designed to leverage AI for more proactive and intelligent cloud defense. The key announcements on December 3, 2025, signal a strategic push by AWS to embed security earlier in the development lifecycle ('shift left') and to automate threat detection and response. Highlights include the preview of AWS Security Agent, a novel tool for context-aware application security testing; the general availability of a significantly upgraded AWS Security Hub for unified Cloud Security Posture Management (CSPM); and new attack sequence detection capabilities in Amazon GuardDuty. These enhancements aim to provide customers with a more holistic and automated approach to securing their cloud environments.


New Product and Feature Details

AWS Security Agent (Preview)

This new service represents a significant step towards proactive, automated application security. Unlike traditional SAST or DAST tools, the AWS Security Agent is designed to be context-aware. It analyzes an application's design documents, source code, and runtime environment to understand its architecture and security requirements. Based on this context, it performs automated security reviews and runs adaptive penetration tests, creating a customized attack plan to find vulnerabilities before deployment. This AI-driven approach aims to provide more relevant findings and reduce the noise often associated with traditional scanning tools.

AWS Security Hub (General Availability)

The upgraded AWS Security Hub is now generally available, serving as the central nervous system for cloud security posture management (CSPM) in AWS. It aggregates findings from a wide range of AWS security services (like Amazon GuardDuty, Amazon Inspector, AWS IAM Access Analyzer) and third-party tools into a single, prioritized view. The new version enhances its ability to correlate related findings, helping security teams to see the bigger picture and focus on the most critical risks in near real-time.

Amazon GuardDuty Extended Threat Detection

Amazon GuardDuty, AWS's managed threat detection service, has been enhanced with two new 'attack sequence' findings. This feature goes beyond single-event alerts to identify a series of related malicious activities that constitute a broader attack campaign. The new sequences specifically improve detection for threats targeting:

  • EC2 instances (virtual machines)
  • ECS tasks (containers)

This helps security teams understand the full scope of an attack rather than just isolated indicators, enabling a more effective response.

IAM Policy Autopilot

AWS also announced IAM Policy Autopilot, an open-source server designed to help AI assistants (like Amazon Q) generate secure and fine-grained AWS Identity and Access Management (IAM) policies. This tool aims to address the common challenge of creating overly permissive IAM roles by using AI to suggest least-privilege policies based on application needs.

Impact Assessment

These announcements reflect a broader industry trend towards AI-driven security and 'shifting left'.

  • For Security Teams: The new tools promise to reduce manual effort and alert fatigue. The correlated findings in Security Hub and attack sequences in GuardDuty can help teams prioritize their work more effectively. The Security Agent could significantly reduce the time spent on manual code reviews and penetration testing.
  • For Developers: Tools like the Security Agent and IAM Policy Autopilot aim to make security more accessible to developers, enabling them to build more secure applications from the start without needing to be deep security experts.
  • For Cloud Security Posture: By providing a more unified and intelligent view of risks, these services can help organizations improve their overall security posture and better comply with regulatory frameworks.

Implementation Guidance

  • Explore AWS Security Agent: Organizations with mature DevOps practices should consider enrolling in the preview for the AWS Security Agent to evaluate its effectiveness in their CI/CD pipelines.
  • Centralize on Security Hub: Teams that are not already using AWS Security Hub should adopt it as their primary CSPM dashboard to unify findings from various sources. This simplifies monitoring and prioritization.
  • Enable New GuardDuty Findings: Ensure that the new attack sequence finding types are enabled in Amazon GuardDuty to benefit from the enhanced threat detection capabilities for EC2 and ECS.
  • Adopt Least Privilege: Use tools like IAM Access Analyzer and the new IAM Policy Autopilot to systematically review and right-size IAM policies, removing excessive permissions that create unnecessary risk.
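The IAM Policy Autopilot section above describes right-sizing overly permissive policies; as an added illustration that is not code from AWS or from this article, the following Python reviews an IAM policy document and flags the patterns a least-privilege review looks for (wildcard actions, `Resource: "*"`, `NotAction` grants). Both policies, the bucket name, table name and account ID are constructed examples.

```python
import json
from typing import Any, Dict, List

# Constructed example: an over-broad policy of the kind a least-privilege review
# should catch (hypothetical resources, not from the article).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:*"], "Resource": "*"},
    ],
})

# Constructed least-privilege rewrite of the same access need: named actions on named ARNs.
TIGHT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow",
         "Action": "dynamodb:GetItem",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"},
    ],
})


def _as_list(value: Any) -> List[Any]:
    # IAM allows a single string or a list for Action / Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def review_policy(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that is broader than least privilege."""
    findings: List[Dict[str, Any]] = []
    for index, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here
        reasons: List[str] = []
        if "NotAction" in stmt:
            reasons.append("NotAction grants every action not listed")
        wild = [a for a in _as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
        if wild:
            reasons.append("wildcard action(s): " + ", ".join(wild))
        if "*" in _as_list(stmt.get("Resource", [])):
            reasons.append("Resource is *")
        if reasons:
            findings.append({"statement": index, "reasons": reasons})
    return findings
```

Run `review_policy` over both constructed policies: the broad one yields one finding per statement, the tightened one yields none.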

Timeline of Events

1. December 3, 2025: AWS announces new security products and enhancements at its re:Invent 2025 conference.
2. December 4, 2025: This article was published.

MITRE ATT&CK Mitigations

Audit (M1047, Enterprise)

Services like AWS Security Hub and Amazon GuardDuty are direct implementations of comprehensive auditing and threat detection.

Exploit Protection

AWS Security Agent is a form of proactive exploit protection, designed to find and fix vulnerabilities before they can be exploited.

Privileged Account Management

Tools like IAM Policy Autopilot are designed to enforce least privilege, a core tenet of privileged account management.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

AWS · Cloud Security · re:Invent · AI Security · CSPM · GuardDuty · Security Hub
