Another year, another AWS re:Invent has come and gone. I’ve been following the announcements closely, and there are some genuinely interesting developments worth discussing.
The Big Picture
This year’s re:Invent felt a bit different. The pre:Invent announcements started later than usual (mid-November instead of early October), and the keynote felt more focused on GenAI than infrastructure improvements. That said, there are still plenty of practical enhancements that can make our lives easier.
Security Features That Matter
AWS Security Agent (Preview)
This one caught my attention. AWS is introducing an AI-powered security agent that can perform automated security reviews and penetration testing. While I’m always a bit skeptical of “AI solves everything” claims, this could be useful for teams that need security validation but don’t want to go through the vendor procurement process. I’m curious to see how it performs in real-world scenarios.
IAM & Access Management Improvements
IAM Identity Federation for External Services with JWTs - Finally! AWS is acknowledging that we live in a multi-cloud world. This feature allows you to use IAM to access other cloud providers without managing long-lived tokens. This is particularly interesting for the upcoming European Sovereign Cloud launch.
IAM Policy Autopilot - Generate IAM policies from your code. This could help with least-privilege implementations, though I’ll be watching closely to make sure it doesn’t hallucinate actions like vpc:AuthorizedSecurityGroupIngress (the real action is ec2:AuthorizeSecurityGroupIngress, and yes, that’s a real concern).
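As an added example (not from the original post or from AWS), here is the kind of pre-commit sanity check I would put in front of any generated policy: parse the document, reject service prefixes and action names that are not in a known list, and flag wildcards. The KNOWN_ACTIONS table and the GENERATED_POLICY document are constructed for the demo; a real check would load the full action list from the IAM Service Authorization Reference, and the names here are assumptions, not anything Policy Autopilot emits.

```python
import json
import re

# Constructed allowlist for the demo. A real check would load the full action
# list from the IAM Service Authorization Reference rather than hand-pick it.
KNOWN_ACTIONS = {
    "ec2": {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress", "DescribeSecurityGroups"},
    "s3": {"GetObject", "PutObject", "ListBucket"},
    "logs": {"CreateLogGroup", "CreateLogStream", "PutLogEvents"},
}

ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*]+)$")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy, known=KNOWN_ACTIONS):
    """Return (statement_index, token, problem) findings for Allow statements.

    Only "Action" and "Resource" are inspected; NotAction/NotResource are
    deliberately out of scope for this demo.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((i, action, "wildcard action"))
                continue
            match = ACTION_RE.match(action)
            if not match:
                findings.append((i, action, "malformed action"))
                continue
            service, name = match.groups()
            if service not in known:
                findings.append((i, action, f"unknown service prefix '{service}'"))
            elif "*" in name:
                findings.append((i, action, "wildcard in action name"))
            elif name not in known[service]:
                findings.append((i, action, f"unknown action for service '{service}'"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, resource, "wildcard resource"))
    return findings


# Constructed sample of what a policy generator might emit: one real action,
# one plausible-looking but nonexistent one, and a wildcard resource.
GENERATED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:AuthorizeSecurityGroupIngress", "vpc:AuthorizedSecurityGroupIngress"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

if __name__ == "__main__":
    for index, token, problem in lint_policy(GENERATED_POLICY):
        print(f"statement[{index}] {token}: {problem}")
```

Run against the sample, this reports the made-up vpc: action and the wildcard resource and lets the valid ec2: and s3: statements through. For the full action list, IAM Access Analyzer’s policy validation (the validate-policy API) already reports nonexistent actions as errors, so the same check can be done without maintaining your own table; the point is to run it in the pipeline before the generated policy is attached.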
Console Credentials for AWS CLI/SDK - A new aws login command that uses your console session for CLI authentication. It’s better than long-lived credentials, but enterprises should still be using Identity Center for proper SSO.
S3 Security Enhancements
S3 Block Public Access Organization-Level Enforcement - This is implemented via an AWS Organizations management policy, similar to Security Hub policies. The interesting part is that unlike SCPs, where an explicit Deny anywhere in the hierarchy wins, inheritance here works by override: you can set "@@assign": "all" at the root OU and override it with "@@assign": "none" on specific accounts (unless the parent policy blocks child changes with "@@operators_allowed_for_child_policies": ["@@none"]). It’s not perfect (you can’t fine-tune individual BPA controls), but it helps with legacy bucket management.
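To make the difference in evaluation semantics concrete, here is an added example (mine, not from the post or from AWS) that models how management-policy inheritance resolves @@assign down an OU tree, alongside a one-line SCP-style decision for contrast. The organization tree, the account IDs, and the "s3"/"block_public_access" key names are assumptions made for illustration; only the @@assign and @@operators_allowed_for_child_policies operators are the real inheritance operators.

```python
import copy

# Hypothetical organization for the demo; IDs and names are made up.
TREE = {
    "r-root": None,
    "ou-workloads": "r-root",
    "ou-legacy": "r-root",
    "111111111111": "ou-workloads",
    "222222222222": "ou-legacy",
}

# Policies attached per target. The "s3"/"block_public_access" key names are an
# assumption for illustration; the @@ inheritance operators are the real ones.
POLICIES = {
    "r-root": {"s3": {"block_public_access": {"@@assign": "all"}}},
    "222222222222": {"s3": {"block_public_access": {"@@assign": "none"}}},
}

OPERATORS = {"@@assign", "@@append", "@@remove", "@@operators_allowed_for_child_policies"}


def _chain(target, tree):
    """Targets from the root down to `target`, root first."""
    path = []
    while target is not None:
        path.append(target)
        target = tree[target]
    return path[::-1]


def _merge(effective, policy, locked, path=()):
    """Apply one policy on top of the settings inherited so far."""
    for key, value in policy.items():
        if key in OPERATORS or not isinstance(value, dict):
            continue
        node = path + (key,)
        if node in locked:
            continue  # an ancestor disallowed child policies from changing this node
        if "@@assign" in value:
            effective[key] = value["@@assign"]  # the child value replaces the inherited one
        else:
            if not isinstance(effective.get(key), dict):
                effective[key] = {}
            _merge(effective[key], value, locked, node)
        if value.get("@@operators_allowed_for_child_policies") == ["@@none"]:
            locked.add(node)


def effective_policy(target, policies=POLICIES, tree=TREE):
    effective, locked = {}, set()
    for node in _chain(target, tree):
        if node in policies:
            _merge(effective, copy.deepcopy(policies[node]), locked)
    return effective


def scp_decision(statements):
    """SCP semantics for contrast: an explicit Deny anywhere in the chain wins,
    no matter how far down the tree an Allow sits."""
    effects = {s.get("Effect") for s in statements}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


if __name__ == "__main__":
    for account in ("111111111111", "222222222222"):
        print(account, effective_policy(account))
```

The account under ou-workloads inherits "all" from the root, while the account under ou-legacy ends up with "none" because its own @@assign replaces the inherited value. The caveat for anyone using this to enforce BPA rather than merely default it: add "@@operators_allowed_for_child_policies": ["@@none"] at the root, which makes the resolver ignore the account-level override, otherwise any account administrator with permission to attach policies can switch BPA off for themselves.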
S3 Attribute-Based Access Control - This was a major gap in Resource Control Policies (RCPs). Now you can write RCPs that restrict access based on tags on the bucket itself (RCPs, like SCPs, can only narrow permissions, never grant them). This opens up new possibilities for governance.
S3 Bucket-Level Encryption Standardization - Here’s something important: AWS is disabling SSE-C (server-side encryption with customer-provided keys) for all new buckets starting in April 2026. SSE-C is a legacy capability from the pre-KMS days that ransomware groups have been known to exploit. Unless you have a very specific use case, you probably don’t need it.
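Until April 2026 (and for existing buckets after it), SSE-C stays something to watch for. As an added example that is not from the original post, here is a small detection that scans S3 data events from CloudTrail for object writes using customer-provided keys and flags a burst of them from one principal against one bucket, the shape of an attacker re-encrypting data with a key only they hold. The records are constructed for the demo; the SSEApplied value "SSE_C" and the presence of the x-amz-server-side-encryption-customer-algorithm request parameter are assumptions about the event format that you should confirm against your own trail, and this only works at all if data events are enabled for the bucket.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# S3 data-event names that write an object. Multipart uploads can carry SSE-C too.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "CompleteMultipartUpload"}
# Assumed value of additionalEventData.SSEApplied for customer-provided keys;
# confirm against records from your own trail before relying on it.
SSE_C_MARKER = "SSE_C"
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def parse_events(lines):
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def uses_sse_c(event):
    applied = (event.get("additionalEventData") or {}).get("SSEApplied")
    header = (event.get("requestParameters") or {}).get(SSE_C_HEADER)
    return applied == SSE_C_MARKER or header is not None


def principal_of(event):
    identity = event.get("userIdentity") or {}
    return identity.get("arn") or identity.get("principalId") or "unknown"


def detect_sse_c_writes(events, threshold=3, window=timedelta(minutes=10)):
    """One finding per (principal, bucket) that wrote objects with SSE-C.
    'bulk' is set when at least `threshold` such writes fall inside `window`."""
    writes = defaultdict(list)
    for event in events:
        if event.get("eventName") in WRITE_EVENTS and uses_sse_c(event):
            bucket = (event.get("requestParameters") or {}).get("bucketName", "?")
            when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            writes[(principal_of(event), bucket)].append(when)
    findings = []
    for (principal, bucket), times in writes.items():
        times.sort()
        bulk = False
        for start in range(len(times)):  # sliding window over sorted timestamps
            end = start
            while end + 1 < len(times) and times[end + 1] - times[start] <= window:
                end += 1
            if end - start + 1 >= threshold:
                bulk = True
                break
        findings.append({"principal": principal, "bucket": bucket, "count": len(times), "bulk": bulk})
    return findings


# Constructed sample records (not real trail output): three SSE-C CopyObject
# calls in two minutes, one SSE-KMS PutObject, and one SSE-C read.
SAMPLE_RECORDS = """
{"eventTime":"2025-12-03T10:15:00Z","eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/backup-svc"},"requestParameters":{"bucketName":"example-data","key":"a.parquet","x-amz-server-side-encryption-customer-algorithm":"AES256"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-12-03T10:15:40Z","eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/backup-svc"},"requestParameters":{"bucketName":"example-data","key":"b.parquet","x-amz-server-side-encryption-customer-algorithm":"AES256"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-12-03T10:16:55Z","eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/backup-svc"},"requestParameters":{"bucketName":"example-data","key":"c.parquet","x-amz-server-side-encryption-customer-algorithm":"AES256"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-12-03T10:17:10Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111111111111:role/etl"},"requestParameters":{"bucketName":"example-data","key":"d.parquet"},"additionalEventData":{"SSEApplied":"SSE_KMS"}}
{"eventTime":"2025-12-03T10:18:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/backup-svc"},"requestParameters":{"bucketName":"example-data","key":"a.parquet","x-amz-server-side-encryption-customer-algorithm":"AES256"},"additionalEventData":{"SSEApplied":"SSE_C"}}
"""

if __name__ == "__main__":
    for finding in detect_sse_c_writes(parse_events(SAMPLE_RECORDS.splitlines())):
        print(finding)
```

On the sample this yields a single finding for backup-svc against example-data with three writes and bulk set; the KMS write and the SSE-C read are ignored. If your policy is that nobody uses SSE-C, drop the threshold to 1 and treat every hit as an incident; the same condition can be enforced up front with a bucket policy that denies PutObject when the customer-algorithm condition key is present.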
Threat Detection & Response
Security Incident Response - Now available with metered pricing and a free tier. The agentic AI-powered investigation feature is interesting, though I can’t help but wonder if this is AWS’s way of reducing human security analysts. Time will tell if it’s effective.
GuardDuty Extended Threat Detection - Now supports EC2 and ECS. These extended detections alert as Critical (severity 9+), which helps cut through the noise that GuardDuty is known for.
Security Hub 2.0 - This is a significant update. The original Security Hub is now called “Security Hub CSPM,” and there’s a new “Security Hub” that focuses on near real-time risk analytics. It’s AWS’s response to Google’s security offerings, but it still requires running AWS Config Recorders, which haven’t been upgraded to support modern organizational management. I’m reserving judgment until I can test it.
CloudTrail Updates
Two new features, though they don’t address the major pain points:
CloudTrail Data Event Aggregation - You still need expensive data events enabled to use this. It adds a 30% cost on top of data event costs, and most use cases could be solved with an Athena query. Disappointing.
Simplified CloudTrail Events in CloudWatch - A new method for pushing CloudTrail events into CloudWatch that doesn’t require creating a CloudTrail. The pricing model is different ($0.75/GB instead of per-event), but I’m not convinced this makes data events any less expensive.
Cloud Governance & Cost Management
AWS Organizations Billing Delegation - This is huge for companies buying AWS through resellers. Previously, the reseller had to control the Organization’s Management Account for billing. Now customers can get all the security benefits of AWS Organizations while the reseller handles billing separately.
CloudFront Flat Rate Pricing Plans - Single flat rate for CDN, WAF, DDoS protection, and logging. Read the fine print on what happens when you exceed your performance allocation, but this should drive adoption of basic edge security controls.
CloudFormation StackSets Improvements - Deployment ordering and enhanced configuration drift detection. StackSets have always been tools for invariants, but they’ve struggled with complexity. These updates might help, though I’ll believe it when I see it at scale.
Tag Validation in CloudFormation, Terraform, and Pulumi - This could be a game-changer. You can now validate and enforce required tags before deployment, aborting Terraform plans before they mess up production. I’ve struggled with Tag Policies and SCPs breaking pipelines, so this might finally solve that problem.
Serverless & Compute
Lambda Tenant Isolation Mode - Route invocations to specific execution environments using tenant identifiers. This is useful for multi-tenant applications where you need strict isolation.
Lambda Managed Instances - Run Lambda functions on your EC2 instances while maintaining Lambda’s operational simplicity. It’s like reverse Fargate. The irony of making serverless better by adding servers isn’t lost on me.
Step Functions Local Testing - New TestState API for local testing. Step Functions have been painful to author due to unclear docs and lack of examples, so this should help.
API Gateway MCP Proxy Support - Transform REST APIs into Model Context Protocol (MCP)-compatible endpoints, making them accessible to AI agents. This is part of AWS’s broader GenAI push.
GenAI & Bedrock
AWS continues to invest heavily in Bedrock, which seems like the right call in the GenAI space:
- Bedrock Reserved Service Tier - For predictable workloads
- OpenAI Responses API Support - Compatibility improvements
- 18 New Open Weight Models - Largest expansion to date
- Bedrock AgentCore Updates - Policy and Evaluations in preview
- AWS AI Factories - The Outposts team finding a way to meet GenAI OKRs
There’s also some confusion with MCP servers - AWS announced the AWS API MCP Server in Marketplace, then announced a deprecation and consolidation into a new AWS MCP Server in preview. It makes you wonder if AWS knows what it’s doing in the GenAI space.
Networking & Infrastructure
AWS Interconnect - multicloud (Preview) - A new service announced the night before re:Invent with minimal fanfare. It’s in preview with GCP support now and Azure coming in 2026. Pricing is TBD, and preview connections will be removed at GA, so be warned.
Network Firewall Active Threat Defense as Default - Making threat defense opt-out instead of opt-in is the right security move.
AWS STS IPv6 Support - I was experimenting with IPv6 Egress Only Gateways and was surprised by AWS’s lack of IPv6 service support. IPv6 RFCs were written at the start of my career, and I expect I’ll retire before it’s widely supported. But hey, progress is progress.
The Random Stuff
S3 Maximum Object Size Increased to 50 TB - I’m sure there’s someone out there who needs this. For the rest of us, if you’re creating 50TB objects, you might want to rethink your architecture.
CloudWatch Unified Management - New unified management and analytics for operational, security, and compliance data. Most organizations I know use SIEMs or data aggregation tools, so I’m not sure what pain point this solves.
AWS DevOps Agent (Preview) - An “agentic AI” for operational excellence. After building loyalty with DevOps professionals for 15 years, AWS is now offering to replace you with AI. I wonder how this will handle the next us-east-1 outage. “We recommend migrating this workload to OCI” indeed.
Final Thoughts
This year’s re:Invent felt more incremental than revolutionary. The GenAI focus is understandable but sometimes feels like it’s coming at the expense of core infrastructure improvements. That said, there are some genuinely useful features here, especially around security and governance.
The S3 security improvements are particularly welcome, and the Organizations billing delegation is a big win for reseller customers. I’m cautiously optimistic about Security Hub 2.0, though I’ll need to see it in action before I’m convinced.
What are your thoughts on this year’s announcements? Are there any features you’re particularly excited about or disappointed by? Let me know in the comments or reach out on social media.
Note: This recap is based on publicly available AWS announcements. Some features are in preview and may change before general availability. Always check the official AWS documentation for the latest information.