AWS re:Invent 2025 - GenAI-Powered Contextual Security Analysis & Remediation (ISV315)

Summary of AWS re:Invent 2025 - GenAI-Powered Contextual Security Analysis & Remediation (ISV315)

Key Requirements for Multi-Tenant Security Monitoring

• Robust Data Ingestion at Scale: The solution must be able to ingest and process millions of security telemetry events per day from multiple tenants.
• Tenant Context Awareness: Security events must be analyzed in the context of each tenant's security posture and compliance requirements.
• Resource Relationship Mapping: Understanding the interconnections between resources within and across tenant environments is crucial for impact analysis.
• Differentiated Threat Propagation Analysis: The solution needs to determine if a security issue in one tenant can propagate to the broader multi-tenant environment.

Solution Architecture

• Data Plane: Leverages native AWS security services (Security Hub, GuardDuty, Inspector) and the Open Cybersecurity Schema Framework (OCSF) to ingest and process security telemetry data.
• Resource Relationship Mapping: Uses AWS Config Aggregator and Neptune graph database to capture the relationships between resources within and across tenant environments.
• Security Assist Chatbot: Provides a natural language interface for security analysts to query the system and get contextual insights and remediation recommendations.

Key Components

1. Agent Core Runtime: Provides the underlying infrastructure for the Security Assist chatbot, handling tasks like observability, memory management, and integration with backend tools.
2. Strands Agent Framework: Powers the natural language processing and reasoning capabilities of the Security Assist chatbot.
3. Backend Tools: Includes components for querying the OpenSearch data store, accessing tenant information, and providing remediation recommendations.
4. Agent Memory: Maintains context and history of previous interactions to enable more coherent and relevant responses.

Prompt Engineering and Performance Optimization

• Careful design of the system prompt and role-based prompting to improve response accuracy and speed.
• Leveraging Agent Core's observability features to identify and address performance bottlenecks, such as excessive chattiness between the agent and backend services.
• Configuring secure network connectivity (VPC) between the agent and backend services to avoid internet-based latency.

Business Impact and Use Cases

• Reduces "alert fatigue" by prioritizing the most critical security findings and providing contextual insights to security analysts.
• Enables faster threat detection and response by automating the analysis of security telemetry data across a multi-tenant environment.
• Facilitates proactive security posture management by identifying potential attack vectors and propagation paths.
• Supports cost optimization efforts by integrating with billing and cost management tools.
• Provides a foundation for building advanced security automation and remediation capabilities in a multi-tenant SaaS environment.

Example Interactions

1. Tenant Security Posture Overview: "How is the security posture of the multi-tenant system? Anything that needs immediate attention?"
2. Tenant Vulnerability to DoS Attacks: "Is my tenant vulnerable to any kind of DoS attacks?"
3. Cost Optimization Recommendations: "Will savings plan help optimize the cost for my tenant two workload?"

The Security Assist chatbot is able to provide concise, actionable insights in response to these queries, highlighting critical security findings, potential attack vectors, and cost optimization opportunities across the multi-tenant environment.