AWS re:Invent 2025 - Building and validating cloud controls with generative AI (COP350)

Building and Validating Cloud Controls with Generative AI

Challenges in Cloud Governance

  • Businesses expect rapid innovation and cloud resource deployment, but governance and compliance processes often move at a slower pace
  • Deploying and reviewing controls can take significant time, creating a tension between speed and assurance
  • The opportunity is to find ways to accelerate governance without losing the critical assurance it provides

Leveraging Generative AI for Governance

  • Generative AI can help shift governance from a gatekeeper to an enabler:
    • Automatically generate compliance checks and custom config rules based on natural language descriptions
    • Correlate findings from various sources like Config, CloudTrail, and Security Hub to identify gaps and suggest remediations
  • This can help remove friction from building and deploying controls, enabling faster, safer, and smarter governance
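As an added example (not code from the talk or from AWS), this is the shape of a custom Config rule that an assistant would generate from a description such as "every S3 bucket must block all public access", split so the verdict logic can be validated offline before deployment. The PublicAccessBlockConfiguration field names follow Config's S3 bucket configuration item, the rule is assumed to be change-triggered, and the two sample items are constructed.

```python
"""Custom AWS Config rule: every S3 bucket must block all public access."""
import json

RESOURCE_TYPE = "AWS::S3::Bucket"
REQUIRED_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                  "blockPublicPolicy", "restrictPublicBuckets")


def evaluate(item):
    """Return (compliance_type, annotation) for one configuration item."""
    # Deleted resources must be reported NOT_APPLICABLE so Config clears the
    # old evaluation instead of leaving a stale NON_COMPLIANT finding.
    if item.get("configurationItemStatus") in ("ResourceDeleted",
                                                "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    if item.get("resourceType") != RESOURCE_TYPE:
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    supp = item.get("supplementaryConfiguration") or {}
    pab = supp.get("PublicAccessBlockConfiguration")
    if not pab:  # absence of the control is a failure, not an unknown
        return "NON_COMPLIANT", "No PublicAccessBlockConfiguration present"
    missing = [f for f in REQUIRED_FLAGS if not pab.get(f)]
    if missing:
        return "NON_COMPLIANT", "Flags not enabled: " + ", ".join(missing)
    return "COMPLIANT", "All four public access block settings are enabled"


def build_evaluation(item):
    """Shape one verdict the way the PutEvaluations API expects it."""
    compliance, note = evaluate(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Annotation is limited to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config invokes on a configuration change."""
    import boto3  # imported here so evaluate() stays testable without the SDK
    item = json.loads(event["invokingEvent"])["configurationItem"]
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(item)], ResultToken=event["resultToken"])


# Constructed sample items (not real Config output) for offline validation.
SAMPLE_GOOD = {"resourceType": RESOURCE_TYPE, "resourceId": "example-bucket",
               "configurationItemStatus": "OK",
               "configurationItemCaptureTime": "2025-12-01T00:00:00.000Z",
               "supplementaryConfiguration": {"PublicAccessBlockConfiguration":
                   {f: True for f in REQUIRED_FLAGS}}}
SAMPLE_BAD = dict(SAMPLE_GOOD, supplementaryConfiguration={
    "PublicAccessBlockConfiguration": {"blockPublicAcls": True,
                                       "ignorePublicAcls": True}})
```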

Neeta's Governance Challenges

  • Maintaining consistent controls across a growing number of AWS accounts
  • Governance is mostly reactive, with limited ability to proactively prevent non-compliant actions
  • Applying account customizations through Control Tower is time-consuming and resource-intensive

Foundational AWS Governance Services

  1. AWS CloudTrail: Captures and stores event logs for API calls and account activity
  2. AWS Config Data Events Insights: Provides aggregated insights into high-volume data events like S3 object creations
  3. AWS Config: Tracks configuration history and enables compliance evaluations against desired states
  4. AWS Config Service-Linked Recorder: Allows AWS services to take actions based on Config data
  5. AWS Security Hub: Provides a unified security and compliance view, now integrating with AWS Config

Evolving AWS Governance Capabilities

  • Expanded service coverage, with over 50 new managed Config rules and 50+ services now integrated
  • Control Tower enhancements:
    • Comprehensive Control Catalog for easy deployment of controls
    • Account Enrollment to simplify migrating accounts into Control Tower
    • Service-Linked Config Rules to ensure controls are protected

Leveraging Generative AI for Governance Automation

  • Using a conversational AI assistant (like the one powered by AWS Comprehend) integrated with AWS CLI and APIs
  • Enables natural language interactions to:
    • Automatically generate and deploy config rules and CloudFormation templates
    • Troubleshoot and remediate deployment issues
    • Query compliance status and investigate non-compliant resources

Implementing Shift-Left Controls

  • Deploying preventive controls through Service Control Policies (SCPs) to block non-compliant actions
  • Implementing proactive controls using CloudFormation Guard Hooks to validate templates before deployment
  • Automating the deployment of these controls through the Control Tower customization pipeline

Automating AWS Account Provisioning and Patching

  • Using the agent to provision new AWS accounts through Control Tower's Service Catalog integration
  • Deploying a patching solution aligned with the AWS Security Reference Architecture (SRA), including maintenance windows and baseline configurations, on the new account

Key Takeaways

  • Generative AI can significantly accelerate the implementation and validation of cloud governance controls
  • Adopting a "shift-left" approach to controls can help catch issues earlier in the development lifecycle
  • Automating account provisioning and applying consistent security configurations can improve overall cloud hygiene
  • Starting small, building trust, and scaling fast are key to successfully leveraging these capabilities
