AWS re:Invent 2025 - Building Secure-by-Design Environments with AWS Capabilities (SEC208)
Shifting from Reactive to Preventative Security
The "remediation treadmill" - security teams constantly playing catch-up, remediating issues after they are detected
Reactive, detective controls are expensive and leave organizations at risk while issues are being addressed
Shifting to a preventative, "secure-by-design" approach to proactively enforce security controls
AWS Native Security Capabilities
Service Control Policies (SCPs) - Boundary on maximum permissions for IAM principals
Resource Control Policies (RCPs) - Control access to resources, regardless of who is accessing
Declarative Policies - Define and enforce configuration of AWS resources and services
Examples: Deny creation of unencrypted EBS volumes, EFS file systems
Data Perimeters - Define security perimeters around identities, resources, and networks
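As an added illustration of the "deny creation of unencrypted EBS volumes" control named above (this is not a policy shown in the talk), here is a Service Control Policy expressing it as an explicit Deny. It uses the ec2:Encrypted condition key on the volume resource; the statement Sid and the choice of applying it to both CreateVolume and RunInstances (which can create volumes via block device mappings) are the editor's, and an SCP only bounds permissions, it never grants them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedEbsVolumeCreation",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    }
  ]
}
```

Before attaching such a policy at an OU or root, run it through the simulation step the talk describes so that existing pipelines that rely on unencrypted volumes surface as exceptions rather than as outages.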
Complexity of Secure-by-Design Implementation
Balancing different policy types (SCPs, RCPs, etc.) to achieve desired security controls
Ensuring policies don't disrupt business workflows while enforcing security
Extending secure-by-design approach beyond AWS to other cloud providers
Simplifying Secure-by-Design with Native
Native's platform automates the secure-by-design lifecycle:
Discovery - Understand current state and security outcomes
Planning - Define desired security controls and enforcement
Simulation - Test impact on resources before implementation
Implementation - Translate policies across cloud providers
Operationalization - Manage exceptions, drift, and policy updates
Provides a unified governance approach across cloud providers
Adaptive coverage as cloud providers launch new capabilities
Key Takeaways
Shifting from reactive to preventative security through "secure-by-design" is critical
AWS provides powerful native security capabilities to enforce controls at the source
Implementing secure-by-design is complex, requiring careful policy management
Native's platform simplifies the entire secure-by-design lifecycle across cloud providers