Amy Herzog, AWS chief information security officer, delivers the opening keynote of re:Inforce 2025.
Photo: Arthur Goldstuck.

Cybersecurity

AWS re:Inforce 2025: Cloud wide open

The world has committed to the cloud, but cybercriminals have committed to AI, requiring open platforms to be locked down tight, writes ARTHUR GOLDSTUCK.

The cloud is facing its greatest test. The entire business world is all-in, but so are the cybercriminals.

The very openness that makes cloud computing a boon for both businesses and consumers also makes it vulnerable. This means the cloud has never been more essential, or more exposed.

Now, as artificial intelligence accelerates, cybercriminals are building AI-driven toolkits that scan for weaknesses faster than any human team could patch them. This is a direct threat to the pace of innovation that the cloud has enabled.

“Security isn’t just a priority; it’s really a prerequisite for innovation,” said Amy Herzog, the new chief information security officer (CISO) of Amazon Web Services (AWS), the largest cloud provider in the world. Delivering the opening keynote at the company’s annual security conference, AWS re:Inforce 2025, she said: “It’s not the end goal. Security is what gets you to your goals faster, safer, and with more impact.”

That means facing off against AI-enhanced threat actors who adapt, spoof, and scale attacks with machine efficiency. At the same time, organisations are expected to open their systems for integration, collaboration, and innovation.

Amy Herzog, AWS chief information security officer. Photo: Arthur Goldstuck.

“The pace of change is not slowing down,” said Herzog. “Over the next few years, we’re going to see rapid transformation, countless experiments and probably some spectacular failures along the way. Sometimes you can worry that AI feels a little bit like a rebellious intern who might just decide to redesign your entire database schema without you asking. But we can’t properly secure AI or any other technology, without a secure foundation.”

She outlined four prerequisites for this foundation: “Identity and access management, data and network security that actually scales for you, monitoring and incident response that keeps up with the pace of change, and migrating to the cloud and modernising your tech to give you a better security edge.

“These are not barriers. They are enablers. When you have a secure foundation, your teams can experiment, build and shift with confidence. A secure foundation doesn’t slow you down, it speeds you up. It removes friction. It gives the teams confidence to adopt, experiment and innovate faster, because guardrails are already in place.”

The most important of these, identity and access management, known in the industry as IAM, was also central to one of the key product enhancements unveiled during the keynote. Herzog announced new capabilities in AWS IAM Access Analyzer, a tool that helps security teams verify which IAM roles and users have access to critical resources.

Previously, teams had to invest considerable time and resources in manual reviews of IAM policies, or rely on pattern-matching tools, to understand internal access patterns. That was feasible when only a few thousand calls were being made to Application Programming Interfaces (APIs), the mechanisms through which different software components and services communicate and interact with IAM.

“AWS IAM handles 1.2-billion API calls per second worldwide,” said Herzog. “That means 1.2-billion times per second IAM is asked to determine if an API call should be permitted or denied. It’s a little wild.”

The new IAM Access Analyzer uses automated reasoning, a form of AI that deduces conclusions from given information using formal logic, enabling computers to “think” or reason in a structured, provable way rather than by matching patterns.
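To make concrete what such a tool has to reason about, here is an added, simplified model of the IAM decision rule (an explicit Deny beats any Allow; no matching Allow means an implicit deny) that enumerates which principals can reach a given resource. This is illustrative code written for this article, not AWS’s evaluation engine or the Access Analyzer implementation; the principals, policies and ARNs are constructed examples.

```python
import fnmatch
from typing import Dict, List

# Constructed sample identity policies keyed by principal name (not real accounts).
POLICIES: Dict[str, List[dict]] = {
    "role/AppServer": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::payroll-data/*"},
    ],
    "role/Analyst": [
        # Broad allow, narrowed by an explicit deny on writes to payroll data.
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::payroll-data/*"},
    ],
    "user/Intern": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::public-assets"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern: str, value: str) -> bool:
    # IAM-style wildcard match: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(statements: List[dict], action: str, resource: str) -> bool:
    """Apply the IAM ordering: any matching explicit Deny wins; otherwise an Allow is required."""
    allowed = False
    for st in statements:
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False          # explicit deny overrides every allow
        allowed = True
    return allowed                # False here is the implicit deny

def who_can(policies: Dict[str, List[dict]], action: str, resource: str) -> List[str]:
    """Return the sorted list of principals permitted to perform `action` on `resource`."""
    return sorted(p for p, s in policies.items() if is_allowed(s, action, resource))

if __name__ == "__main__":
    print(who_can(POLICIES, "s3:PutObject", "arn:aws:s3:::payroll-data/2025.csv"))
```

Real policies also carry conditions, resource-based and permission-boundary layers, and cross-account trust, which is exactly the combinatorial space that a formal-reasoning tool has to cover exhaustively instead of by sampling.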

“In modern systems, identity and access management aren’t just part of the security story. They’re foundational to everything you do. Identity is about trust. It’s about being confident enough to say we know who you are, and therefore we know what you can access.”

Herzog told Gadget during the conference that the sudden shift in the scale of threats was not a surprise.

“For the most part, this is like other seismic shifts in technology that I’ve lived through from a security perspective. There are cloud environments that are used by lots of different types of people, and I don’t think generative AI is going to be meaningfully different in that perspective.

“Instead, where we need to focus is figuring out how to understand what we want to be true, understand the invariance of the systems that we need to deliver, and that’s specific to the product or system at hand.

“The cloud represents the opportunity to get strong security guarantees in a significantly simpler way with a lot less effort. If you’ve got the time and the manpower and the innovation and the dedication, you can pretty much do what you want. But, generally, it takes less effort to get a higher security bar in a cloud environment like AWS, because we’ve wired it to be that way.”

During the keynote, she drew a parallel between solid security and innovation.

“Customers with mature security practices and the ability to innovate, while maintaining a high security bar, are adopting Gen AI faster. It’s no surprise that large enterprises in finance, healthcare and telecoms are leveraging Gen AI to build innovative solutions. It’s because they already have the right security controls and governance structures, widespread data encryption, strong access management, ubiquitous audit trails.”

Eric Brandwine, AWS vice president. Photo: Arthur Goldstuck.

AWS senior security engineer Eric Brandwine pointed out that attacks using generative AI were not an overnight phenomenon, as “threat actors” were still learning to use it.

“Our adversaries have to figure out how to use this effectively,” he told Gadget. “The first AI-driven attacks that we saw were very obvious. That gave us time to work on our defences. The majority of these AI attacks are just automating things. They are making the kinds of activity accessible to a less sophisticated threat actor.

“So now you’ve got a mid-tier threat actor that can perform operations as if they were a much higher tier threat actor. Well, we already had to worry about those higher tier threat actors. That’s already accounted for in our threat model, so we’re prepared.

“It is absolutely an arms race. We have to keep up. And we are keeping up.”

Tom Scholl, AWS vice president. Photo: Arthur Goldstuck.

Tom Scholl, AWS vice president and distinguished engineer, told Gadget that a fascinating shift was taking place in cybercriminals’ modus operandi as a result of the security barriers they faced.

“We have seen some cases where certain actors try to use Gen AI to build ways to exclude AWS-protected sites. They ask it to tell them, ‘How do I avoid this, because I keep getting caught by something.’ We’ve seen them using a third-party AI system for that purpose.”

One standout initiative was the AWS Nitro System, a security and isolation architecture designed to eliminate administrative access to customer data.

Scholl called it “a fundamental shift in the trust model”. He said: “If we can’t see your data, we can’t leak it.”

* Arthur Goldstuck is founder of World Wide Worx and author of “The Hitchhiker’s Guide to AI”.
