More security, less manual work: AWS brings AI security
Security Hub, Shield and GuardDuty XTD receive new functions: AWS wants to speed up important security measures with a specially trained AI.
- Simon Lehmeyer
As part of its re:Inforce 2025 security conference, AWS has updated three of its security services: Security Hub, Shield and GuardDuty XTD. In the future, they will no longer just issue isolated individual notifications, but will use AI-supported correlation and prioritization to help detect critical threats more quickly and resolve them more efficiently. The new functions in Security Hub and Shield have been available as a public preview since June 17, 2025; the EKS extension of GuardDuty XTD has been generally available since then.
Security Hub with prioritization logic
A comprehensive extension of the AWS Security Hub is intended to enable security teams to assess risks more efficiently. A flood of isolated alerts often overwhelms the people responsible for security, which is why the newly introduced preview version correlates security alerts from multiple sources and automatically highlights particularly critical threats. This is intended to speed up response and remediation.
Until now, the AWS Security Hub has only been used to bring together security alerts and compliance information from various AWS services in one central location. Amazon has now introduced an extended preview version that offers additional functions: security alerts are correlated by a specially trained AI in the AWS backend so that the connections between them become visible and critical security incidents are easier to detect. This new correlation layer integrates security services such as Amazon GuardDuty, Amazon Inspector, AWS Cloud Security Posture Management (CSPM) and Amazon Macie more closely and allows their information to be viewed in a centralized user interface. Also new is a revised dashboard that categorizes security messages more clearly and makes it easier to prioritize risks.
AWS Shield warns proactively and at an early stage
The preview version of AWS Shield performs automated analyses of network configurations and associated resources. This is intended to help companies identify and eliminate security risks at an early stage and make the necessary adjustments to meet compliance requirements.
Many security teams often lack a complete overview of resources, connections, and active protection measures in their AWS environment. Evaluating the network configuration against best practices and selecting appropriate protection measures often requires significant manual effort and specialized knowledge.
The new Network Security Director in AWS Shield is designed to automate this process via three central functions. First, the service identifies AWS resources, their connections and existing security configurations. Second, based on this analysis, the resources are classified according to their sensitivity and vulnerabilities in the configuration are categorized according to criticality. Third, drawing on this classification and on best-practice guidelines, AWS Shield provides specific recommendations for action to secure the identified vulnerabilities. These include step-by-step instructions for implementing AWS security services such as AWS WAF, Amazon VPC security groups or Network Access Control Lists (ACLs) in the cloud environment.
This approach is designed to detect misconfigurations in network security at an early stage and better defend against known threats such as SQL injection and DDoS attacks. The service thus addresses central use cases such as the protection of publicly accessible applications as well as the control of access rights to network resources.
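The three steps described above (inventory, classification by sensitivity and criticality, recommendation) can be illustrated with a small posture check. The following is an added example written for this article, not code from AWS or from the Network Security Director: it walks security group rules in the shape that boto3's `ec2.describe_security_groups()` returns, flags rules open to the whole internet, grades them by the exposed service and by a `Sensitivity` tag (the tag, the sample groups and the recommendation texts are constructed assumptions, not AWS fields), and sorts the result by criticality.

```python
"""Added example, not AWS code: a minimal network posture check over security
group rules in the shape returned by boto3's ec2.describe_security_groups().
The sample groups, the Sensitivity tag and the recommendation texts are constructed."""
import ipaddress

# Services whose exposure to the whole internet is almost never intended.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

# Constructed inventory. Sensitivity is assumed to come from a tag the team maintains.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-alb",
     "Tags": [{"Key": "Sensitivity", "Value": "public"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
    {"GroupId": "sg-db", "GroupName": "orders-db",
     "Tags": [{"Key": "Sensitivity", "Value": "restricted"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
    {"GroupId": "sg-int", "GroupName": "internal-api",
     "Tags": [{"Key": "Sensitivity", "Value": "internal"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
     ]},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a source that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ports_in(perm):
    """Port range covered by one rule; IpProtocol -1 means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def sensitivity(group):
    tags = {t["Key"]: t["Value"] for t in group.get("Tags", [])}
    return tags.get("Sensitivity", "internal")


def recommend(crit, admin_ports):
    if crit == "INFO":
        return "Keep 80/443 open but front the resource with AWS WAF."
    if admin_ports:
        return "Remove the 0.0.0.0/0 source; allow only a bastion or VPN CIDR, or use SSM Session Manager."
    return "Restrict the source CIDR to the VPC or trusted ranges and add a subnet NACL as a second layer."


def evaluate_group(group):
    """Findings for one security group, graded by what is exposed and how sensitive the resource is."""
    findings = []
    sens = sensitivity(group)
    for perm in group["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            if not is_world_open(rng["CidrIp"]):
                continue  # only internet-wide sources are graded here
            ports = ports_in(perm)
            exposed_admin = [p for p in ADMIN_PORTS if p in ports]
            if perm.get("IpProtocol") == "-1":
                crit, detail = "CRITICAL", "all protocols and ports"
            elif exposed_admin:
                # An admin/database port open to the world on a restricted resource is critical.
                crit = "CRITICAL" if sens == "restricted" else "HIGH"
                detail = ", ".join(f"{ADMIN_PORTS[p]} ({p})" for p in exposed_admin)
            elif sens == "public" and set(ports) <= {80, 443}:
                crit, detail = "INFO", "HTTP/HTTPS on a public-facing resource"
            else:
                crit, detail = "MEDIUM", f"tcp {perm['FromPort']}-{perm['ToPort']}"
            findings.append({"group": group["GroupId"], "sensitivity": sens, "criticality": crit,
                             "exposed": detail, "recommendation": recommend(crit, exposed_admin)})
    return findings


def prioritized_findings(groups=SAMPLE_GROUPS):
    """All findings across groups, most critical first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}
    out = [f for g in groups for f in evaluate_group(g)]
    return sorted(out, key=lambda f: order[f["criticality"]])


if __name__ == "__main__":
    for f in prioritized_findings():
        print(f"{f['criticality']:8} {f['group']:8} {f['exposed']:35} -> {f['recommendation']}")
```

On the constructed inventory, the world-open PostgreSQL port on the restricted database group ranks first, the SSH rule on the public web group second, and HTTPS on the public-facing group is only noted with a WAF recommendation; the internal API, reachable only from the VPC range, produces no finding.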
GuardDuty: Targeting container threats
With GuardDuty XTD, AWS wants to answer the question of how complex attack chains in Kubernetes clusters can be detected. It is aimed specifically at teams that operate containerized applications with Amazon Elastic Kubernetes Service (EKS).
While GuardDuty previously analyzed primarily VPC flow logs, CloudTrail events and DNS activity, it now also includes EKS audit logs, runtime information and anomalies in container deployments. The service consolidates individual signs of compromise, such as the deployment of privileged containers, reverse shells or crypto-mining, into a single threat chain. In an internal test phase, over 13,000 realistic attack patterns were detected across millions of monitored AWS accounts.
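Both the Security Hub correlation layer described earlier and the GuardDuty XTD threat chain come down to the same step: alerts that arrive separately are grouped by the resource they concern and ordered in time, and a group that several independent sources corroborate is ranked above an isolated alert. The following is an added example written for this article, not AWS's own correlation logic: the findings are constructed and only loosely follow the field names of the AWS Security Finding Format (ASFF); the scoring rule is an assumption chosen to show the effect, not the weighting AWS uses.

```python
"""Added example, not AWS Security Hub or GuardDuty code: group findings from several
sources by the resource they touch, boost groups corroborated by more than one source,
and order each resulting chain by time. Findings are constructed and only loosely
follow ASFF field names (Id, ProductName, Severity.Label, Resources[].Id, UpdatedAt)."""
from collections import defaultdict
from datetime import datetime

CLUSTER = "arn:aws:eks:eu-central-1:111122223333:cluster/prod"  # constructed ARN

SAMPLE_FINDINGS = [
    {"Id": "f1", "ProductName": "Inspector", "UpdatedAt": "2025-06-17T08:00:00Z",
     "Severity": {"Label": "HIGH"}, "Title": "Vulnerable package on EKS node (constructed)",
     "Resources": [{"Type": "AwsEksCluster", "Id": CLUSTER}]},
    {"Id": "f2", "ProductName": "GuardDuty", "UpdatedAt": "2025-06-17T08:10:00Z",
     "Severity": {"Label": "MEDIUM"}, "Title": "Privileged container launched",
     "Resources": [{"Type": "AwsEksCluster", "Id": CLUSTER}]},
    {"Id": "f3", "ProductName": "GuardDuty", "UpdatedAt": "2025-06-17T08:12:00Z",
     "Severity": {"Label": "HIGH"}, "Title": "Reverse shell from container",
     "Resources": [{"Type": "AwsEksCluster", "Id": CLUSTER}]},
    {"Id": "f4", "ProductName": "GuardDuty", "UpdatedAt": "2025-06-17T08:15:00Z",
     "Severity": {"Label": "HIGH"}, "Title": "Crypto-mining domain queried",
     "Resources": [{"Type": "AwsEksCluster", "Id": CLUSTER}]},
    {"Id": "f5", "ProductName": "Macie", "UpdatedAt": "2025-06-17T07:00:00Z",
     "Severity": {"Label": "HIGH"}, "Title": "Sensitive data in bucket",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::reports-archive"}]},
    {"Id": "f6", "ProductName": "Security Hub CSPM", "UpdatedAt": "2025-06-17T06:00:00Z",
     "Severity": {"Label": "LOW"}, "Title": "CloudTrail log validation disabled",
     "Resources": [{"Type": "AwsCloudTrailTrail",
                    "Id": "arn:aws:cloudtrail:eu-central-1:111122223333:trail/main"}]},
]

# ASFF severity labels mapped onto a 0-10 scale (mapping is an assumption for this example).
SEVERITY_SCORE = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 4, "HIGH": 7, "CRITICAL": 9}


def _ts(finding):
    return datetime.fromisoformat(finding["UpdatedAt"].replace("Z", "+00:00"))


def correlate(findings):
    """One incident per affected resource, highest priority first.

    Priority = worst single severity, plus a small bonus per additional finding and a
    larger bonus per additional independent source, capped at 10. Corroboration from
    different products is what turns isolated alerts into a chain worth handling first."""
    by_resource = defaultdict(list)
    for f in findings:
        for r in f["Resources"]:
            by_resource[r["Id"]].append(f)

    incidents = []
    for rid, group in by_resource.items():
        group.sort(key=_ts)  # chain reads in the order the signals appeared
        sources = {f["ProductName"] for f in group}
        base = max(SEVERITY_SCORE[f["Severity"]["Label"]] for f in group)
        score = min(10.0, base + 0.5 * (len(group) - 1) + 1.0 * (len(sources) - 1))
        incidents.append({
            "resource": rid,
            "score": round(score, 1),
            "sources": sorted(sources),
            "chain": [f"{f['UpdatedAt']} {f['ProductName']}: {f['Title']}" for f in group],
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_FINDINGS):
        print(f"[{inc['score']:>4}] {inc['resource']}  sources={inc['sources']}")
        for step in inc["chain"]:
            print("        ", step)
```

On the constructed input, the four findings on the EKS cluster, two products and four signals, outrank the single Macie finding even though both share the same HIGH label, and the chain for the cluster reads in order from the vulnerable node to the privileged container, the reverse shell and the mining lookup. The same grouping logic works unchanged on findings for any resource type, since it keys only on the resource identifier.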
In an interview with iX, Robert Kennedy, VP Security Services at AWS, explained that the underlying AI is active in all three services. It has been specially trained based on customer data and internal AWS telemetry and is already being used productively in the public preview – with consistently positive feedback on its precision and reliability.
Readers can find an overview of the announcements from re:Inforce on the AWS blog.
(dahe)