AWS re:Invent 2025 - Innovation in Identity Security: how we protect the cloud & help you do it too
Summary of AWS re:Invent 2025 - Innovation in Identity Security
Identity Security Evolution at AWS
AWS started with basic username and password authentication for services like SQS and S3.
In 2011, AWS launched IAM, providing primitives like users, groups, and policies.
Soon after, AWS introduced EC2 instance profiles for machine identity.
As customers built more AWS accounts, AWS launched Organizations and Service Control Policies (SCPs) in 2017 to govern multi-account environments.
Over the years, AWS added more capabilities like enterprise guardrails, data perimeter controls, and Access Analyzer for visibility.
Recently, customers have asked to use their AWS identity foundation outside of AWS, leading to new innovations.
Securing the Identity Platform
The Identity Security team works across AWS services to reduce risk and ensure security is built in throughout the service lifecycle.
Key functions include:
Preventing issues at design time with defense-in-depth architectures
Proactively identifying unknown threats through offensive security practices
Driving systemic changes to prevent issues from recurring
Culture is foundational, with mechanisms like the weekly security meeting to align teams, escalate issues, and celebrate security champions.
Ensuring Authorization Correctness and Consistency
Customers want provable correctness of the IAM authorization engine and consistent guardrails across services.
The team built a mathematically proven correct version of the authorization engine, verifying core security properties like "deny by default" and "deny trumps allow".
They also developed a new feature called "Authorization Context" to sample and analyze authorization decisions at scale, identifying inconsistencies like the EC2 copy snapshot issue.
To enforce consistency, they built an internal service that formally verifies the translation of service API data models to authorization inputs, abstracting this complexity away from service teams.
Enabling Security in the Cloud
While AWS is responsible for the security of the cloud, the team focuses on making it easy and straightforward for customers to implement their side of the shared responsibility model.
Key principles include:
Active empathy to deeply understand customer pain points
Consistency and intuitiveness of controls
Providing actionable and prescriptive guidance
Practices include:
Operating a large multi-account AWS environment as a customer
Implementing reference implementations of enterprise controls like data perimeter
Identifying "sharp edges" early by embedding in service teams
Data Perimeter Controls
Data perimeter controls prevent access to resources outside of a customer's trust zone, using a combination of:
Service Control Policies (SCPs) to restrict access to trusted resources
Resource Control Policies to control who can access a customer's resources
VPC Endpoint Policies to prevent data exfiltration
The team maintains a repository of reference data perimeter policies that customers can use as a starting point.
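The two engine properties named above, "deny by default" and "deny trumps allow", are what make a data perimeter policy safe to layer on top of existing permissions: an SCP that contains only Deny statements can narrow access but never widen it. The following added example is not code from the talk, from AWS, or from the reference policy repository; it is a small Python evaluator modelling only that subset of IAM semantics (Allow/Deny, wildcard Action/Resource matching, and the StringEquals, StringNotEquals and StringNotEqualsIfExists condition operators). The organization id, bucket ARN, identity policy and SCP are constructed placeholders; `aws:ResourceOrgID` is a real condition key, and the SCP shape follows the pattern described in the talk, using a literal id where AWS's reference policies use a policy variable.

```python
"""Minimal IAM-style policy evaluator (added illustration, not AWS code).

Implements "deny by default" and "deny trumps allow" and runs a constructed
data perimeter SCP through them. Only a subset of real IAM is modelled.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM accepts a single string or a list in Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """All operator blocks, and all keys within them, must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected_values = _as_list(expected)
            if operator == "StringEquals":
                # A missing key never satisfies a positive operator.
                if actual is None or actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                # Simplification: this toy engine requires the key to be present.
                if actual is None or actual in expected_values:
                    return False
            elif operator == "StringNotEqualsIfExists":
                # IfExists: a missing key satisfies the condition; a present key
                # must differ from every listed value.
                if actual is not None and actual in expected_values:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(statement, request):
    """A statement applies when Action, Resource and Condition all match."""
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    if not any(fnmatchcase(request["action"], p) for p in actions):
        return False
    if not any(fnmatchcase(request["resource"], p) for p in resources):
        return False
    return _condition_matches(statement.get("Condition", {}), request["context"])


def evaluate(policies, request):
    """Return "allow", "explicit_deny" or "implicit_deny" for one request.

    Deny by default: no applicable statement -> implicit_deny.
    Deny trumps allow: one applicable Deny beats any number of Allows, so a
    Deny-only policy (such as the SCP below) can only narrow what is granted.
    """
    decision = "implicit_deny"
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _statement_applies(statement, request):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


ORG_ID = "o-exampleorg12"  # constructed placeholder, not a real organization id

# Constructed identity policy: broad read access to S3 objects.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

# Constructed data perimeter SCP: deny every action on a resource that is not
# owned by the organization. AWS's reference policies use the variable
# "${aws:PrincipalOrgID}" here; a literal id keeps this toy engine variable-free.
PERIMETER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEqualsIfExists": {"aws:ResourceOrgID": ORG_ID}},
    }],
}


def perimeter_decision(action, resource_org_id=None):
    """Decision for `action` on a constructed object owned by `resource_org_id`
    (None means the key is absent from the request context)."""
    context = {} if resource_org_id is None else {"aws:ResourceOrgID": resource_org_id}
    request = {
        "action": action,
        "resource": "arn:aws:s3:::example-bucket/report.csv",  # constructed ARN
        "context": context,
    }
    return evaluate([IDENTITY_POLICY, PERIMETER_SCP], request)


if __name__ == "__main__":
    print(perimeter_decision("s3:GetObject", ORG_ID))         # allow
    print(perimeter_decision("s3:GetObject", "o-otherorg99"))  # explicit_deny
    print(perimeter_decision("s3:PutObject", ORG_ID))          # implicit_deny
```

The four cases worth checking are the ones the perimeter is meant to separate: an in-organization resource with a matching Allow is allowed; the same call against another organization's resource, or against a resource with no organization at all, is explicitly denied by the SCP regardless of the identity policy; and an action no policy grants falls through to the implicit deny. Real IAM adds further layers (resource policies, permissions boundaries, session policies) and more condition operators, which this model omits.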
Validating and Documenting Security Guidance
The team uses an internal "Looking Glass" API testing platform to validate the effectiveness of implemented controls across different service APIs and permutations.
They also document additional service-specific considerations and provide sample policies in a public repository, helping customers implement secure patterns more easily.
Key Launches and Capabilities
AWS IAM Outbound Identity Federation: Allows customers to obtain short-lived, cryptographically verifiable credentials to authenticate and access external services, reducing the need for long-term API keys.
Simplified Developer Access with AWS Login: Provides a web-based, federated login flow to obtain temporary credentials for CLI and SDK access, eliminating the need for long-term access keys.
IAM Temporary Delegation: Enables a guided experience for customers to approve and manage temporary access requests from AWS Marketplace products, with optional approval workflows.
IAM Policy Autopilot: An open-source tool that analyzes customer code, maps API calls to required permissions, and generates starting IAM policies, accelerating secure policy creation.
Key Takeaways
Foster a security-first engineering culture to empower builders and enable security teams to focus on strategic initiatives.
Leverage tools like Access Analyzer to enforce authorization correctness and consistency.
Implement data perimeter controls early to establish a secure foundation for multi-account environments.
Eliminate long-lived credentials wherever possible, using temporary access mechanisms.
Delegate access safely by providing guardrails and approval workflows.
Leverage new capabilities like IAM Outbound Federation, Simplified Developer Access, and IAM Temporary Delegation to enhance security and usability.