AWS re:Invent 2025 - Protecting Your Infrastructure with Amazon Threat Intelligence (SEC311)

Protecting Your Infrastructure with Amazon Threat Intelligence

AWS's Unique Visibility and Scale

  • AWS interacts with 60% of the entire internet daily, equating to 2.6 billion out of 4 billion IPv4 addresses
  • This global visibility comes from AWS's networking stack, which sees 4.8 billion network flow records and 34 million DNS requests per second
  • AWS also has visibility into 100 million API requests per second and 1 billion host telemetry events per second
  • This massive scale allows AWS to collect and analyze over 6 billion security telemetry events per second

AWS's Threat Intelligence Capabilities

  • AWS operates a data platform built to handle this volume of data, with the ability to:
    • Perform real-time stream filtering and threat detection
    • Store and optimize data for historical querying and investigation
    • Selectively summarize data for long-term retention
  • AWS's threat intelligence comes from multiple sources:
    • Deception technologies like honeypots that elicit malicious behavior
    • Human analysts tracking specific threat actors and campaigns
    • Automated detection and analysis of the security telemetry data

AWS-Wide Protections

  • AWS can apply mitigations at scale, such as:
    • Blocking malicious IPs at the networking layer
    • Selectively throttling abusive API usage
    • Isolating abusive EC2 instances from the network
  • AWS also notifies customers of threats through email and integrations with services like GuardDuty

Customer-Level Protections

  • Customers can leverage AWS's threat intelligence through services like:
    • AWS Network Firewall, which includes managed rules for active threat defense
    • AWS WAF, which has managed rule groups for IP reputations, anonymous IPs, and known bad inputs
    • AWS Inspector, which incorporates AWS's vulnerability intelligence to prioritize remediation
  • AWS GuardDuty can ingest AWS's global threat intelligence to enhance its local detection capabilities

Protecting Against Network Reconnaissance

  • AWS detects broad network scanning and probing using traffic analysis and behavioral monitoring
  • Malicious scans are blocked at the networking layer, and the associated IPs are added to a threat intelligence feed
  • Customers can leverage this threat intelligence through Network Firewall and GuardDuty

Mitigating Compromised Credentials

  • Compromised credentials, especially long-lived AWS API keys, are a major source of security incidents
  • AWS detects attempts to validate large numbers of stolen credentials across accounts
  • AWS can apply a "compromised key quarantine" policy to disable high-risk functionality for affected credentials
  • Customers should enable GuardDuty and configure services like WAF's account takeover prevention rules
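
An added example, not material from the talk: one way to find the long-lived API keys called out above is to scan the IAM credential report for active access keys that have not been rotated recently. The sample report is constructed (made-up users and dates, trimmed to the columns used), and the 90-day threshold and the function names are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report's CSV layout,
# trimmed to the columns this check reads. Users and dates are made up.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2023-02-01T00:00:00+00:00,2025-11-30T08:15:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2025-10-20T00:00:00+00:00,2025-11-29T17:40:00+00:00,true,2024-01-05T00:00:00+00:00,N/A
bob,arn:aws:iam::111122223333:user/bob,false,2022-06-01T00:00:00+00:00,N/A,false,N/A,N/A
"""

def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def long_lived_keys(report_csv, now, max_age_days=90):
    """Return findings for active access keys older than max_age_days, oldest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):  # each IAM user can hold two access keys
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys cannot authenticate
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
                findings.append({
                    "user": row["user"],
                    "key_slot": int(slot),
                    "age_days": age,
                    # active but never used: a candidate for deletion, not rotation
                    "never_used": last_used is None,
                })
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives stable output.
    for finding in long_lived_keys(SAMPLE_REPORT, datetime(2025, 12, 1, tzinfo=timezone.utc)):
        print(finding)
```

In an account, the same function can be fed the CSV returned by `aws iam get-credential-report` after base64-decoding its `Content` field.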

Defending Against Malware

  • AWS analyzes malware samples collected from honeypots and network traffic patterns
  • Malware command-and-control infrastructure is identified and blocked at scale
  • Customers can leverage services like Route 53 DNS Firewall, GuardDuty runtime monitoring, and S3 malware protection

Key Takeaways

  • AWS's global visibility and scale allow it to collect and analyze vast amounts of security telemetry
  • AWS leverages this data to proactively detect, mitigate, and share threat intelligence with customers
  • Customers can take advantage of AWS's threat intelligence by configuring native security services like Network Firewall, WAF, and GuardDuty
  • Adopting these services can significantly enhance an organization's security posture against common threats like reconnaissance, credential compromise, and malware
