Posts Tagged ‘AWSKeynote’
[AWSReInforce2025] Keynote with Amy Herzog
Lecturer
Amy Herzog serves as Chief Information Security Officer at Amazon Web Services, where she oversees the global security strategy that protects the world’s most comprehensive cloud platform. With extensive experience in enterprise risk management and cloud-native security architecture, she drives innovations that integrate security as an enabler of business velocity.
Abstract
The keynote articulates a vision of security as foundational infrastructure rather than compliance overhead, demonstrating how AWS services—spanning identity, network, detection, and modernization—embed resilience into application architecture. Through customer case studies and product launches, it establishes architectural patterns that allow organizations to scale securely while accelerating innovation, particularly in generative AI environments.
Security as Innovation Enabler
Security must transition from gatekeeper to accelerator. Traditional models impose friction through manual reviews and fragmented tooling, whereas AWS embeds controls at the infrastructure layer, freeing application teams to experiment. This paradigm shift manifests in four domains: identity and access management, network and data protection, monitoring and incident response, and migration with embedded security.
Identity begins with least privilege by default. IAM Access Analyzer now surfaces internal access findings—unused roles, over-privileged policies, cross-account assumptions—enabling continuous refinement. The new exportable public certificates in AWS Certificate Manager eliminate manual renewal ceremonies, integrating seamlessly with on-premises PKI. Multi-factor authentication enforcement moves beyond recommendation to architectural requirement, with contextual policies that adapt to risk signals.
Network and Data Protection at Scale
Network security evolves from perimeter defense to distributed enforcement. AWS Shield introduces Network Security Director, a centralized policy engine that orchestrates WAF, Shield Advanced, and Network Firewall rules across accounts and regions. The simplified WAF console reduces rule creation from hours to minutes through natural language templates. Network Firewall’s active threat defense integrates real-time threat intelligence to block command-and-control traffic at line rate.
Amazon GuardDuty extends coverage to Kubernetes control plane auditing, EKS runtime monitoring, and RDS login activity, correlating signals across layers. The unified Security Hub aggregates findings from 40+ AWS services and partner solutions, applying automated remediation via EventBridge. This convergence transforms disparate alerts into prioritized actions.
Migration and Modernization with Security Embedded
Migration success hinges on security integration from day one. AWS Migration Evaluator now incorporates security posture assessments, identifying unencrypted volumes and public buckets during planning. Patching automation through Systems Manager leverages GuardDuty malware findings to trigger immediate fleet updates. RedShield’s journey from legacy data centers to AWS illustrates how Shield Advanced absorbed 15 Tbps of DDoS traffic during migration cutover, maintaining business continuity.
Comcast’s Noopur Davis details their transformation: consolidating 27 security operation centers into a cloud-native model using Security Hub and centralized logging. This reduced mean time to detect from days to minutes while supporting 300,000+ daily security events.
Generative AI Security Foundation
Generative AI introduces novel risks—prompt injection, training data poisoning, model theft—that require new controls. Amazon Bedrock Guardrails filter inputs and outputs for policy violations, while CodeWhisperer Security Scans detect vulnerabilities in generated code. BMW Group’s In-Console Cloud Assistant, built on Bedrock, demonstrates secure AI at enterprise scale: analyzing 1,300 accounts to optimize resources with one-click remediation, all within a governed environment.
The MSSP Specialization enhancement validates partners’ ability to operationalize these controls at scale, providing customers with pre-vetted security operations expertise.
Architectural Patterns for Resilient Applications
Resilience emerges from defense in depth. Applications should assume breach and design for containment: cell-based architecture with VPC isolation, immutable infrastructure via ECS Fargate, and data encryption using customer-managed keys. The Well-Architected Framework Security Pillar now includes generative AI lenses, guiding prompt engineering and model access controls.
Writer’s deployment of Bedrock with private networking and IAM-bound model access exemplifies this: achieving sub-second latency for 100,000+ daily users while maintaining PCI compliance. Terra and Twine leverage GuardDuty EKS Protection to secure containerized workloads processing sensitive health data.
Conclusion: Security as Strategic Advantage
The convergence of these capabilities—automated identity analysis, intelligent network defense, unified detection, and secure AI primitives—creates a flywheel: reduced operational burden enables faster feature delivery, which generates more telemetry, improving detection efficacy. Security ceases to be a tax on innovation and becomes its catalyst. Organizations that treat security as infrastructure will outpace competitors constrained by legacy approaches, achieving both velocity and vigilance.