🦄 Making great presentations more accessible.
This project aims to enhance multilingual accessibility and discoverability while maintaining the integrity of the original content. Detailed transcriptions and keyframes preserve the nuances and technical insights that make each session compelling.
Overview
📖 AWS re:Invent 2025 - Innovations in Infrastructure Protection to strengthen your network (SEC310)
In this video, Sofia Aluma-Santos and Saleem Muhammad present AWS network and application protection innovations at re:Invent. They introduce AWS Shield Network Security Director (in preview) for network topology visibility and security findings, new WAF dashboard experiences with reduced CloudWatch pricing, and Network Firewall traffic insights. Key announcements include WAF starter packs with recommended configurations, CloudFront plus security bundled pricing, Layer 7 anti-DDoS managed rules, and AI agent authentication. For network protection, they unveil a fully managed explicit egress proxy as a new Network Firewall resource type, flexible cost allocation for centralized deployments via Transit Gateway native attachment, the Active Threat Defense managed rule group powered by MadPot threat intelligence with 10-minute updates, and Partner Managed Rule Groups from seven vendors, namely Check Point, Fortinet, Infoblox, Lumen, Rapid7, ThreatSTOP, and Trend Micro, for automated threat protection.
; This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.
Main Part
Introduction: Working Backwards from Customer Challenges in Network Security
Good morning, everyone. Welcome, or welcome back if you've attended re:Invent before. We are so excited you've joined us here this morning. We've been busy building and innovating, working backwards from the conversations and challenges that you've shared with us over the last 12 months. We're excited to share everything that's new in the world of network security to help you protect your infrastructure. My name is Sofia Aluma-Santos. I lead go-to-market for our network and application protection services inside our security organization, and I'm joined here by my colleague Saleem Muhammad.
Hi, good morning. My name is Saleem Muhammad, and I lead product management for network and application protection at AWS. We're glad to have you here. Awesome. Saleem will join us in a bit to walk through some of the new innovations in network protection, but for now, I'll get started. Thank you, Saleem.
We've been working backwards from the conversations we've mentioned. Part of our role is traveling around to different geographies where you are all located and sharing with you. Working backwards from your perspective and your challenges as network security operators, we are assuming that if you're here, you are fairly familiar with networking, network security, networking on the cloud, and some of our security services on AWS. You're here to learn more about what's new to make your days easier in network security and NetSecOps, and how we can protect your infrastructure in a more streamlined way.
First, we'll work backwards from some of the challenges that we use as our North Star and guiding principles to ensure and guide our roadmap and our security service innovations. We'll also do a quick primer and overview of the services that are in scope for discussion in the network and application protection portfolio. Then we'll jump into everything that's new.
As we talk through the teams in network security, you all share different challenges and different pain points that you have to balance when setting out your strategy. The first is that we all know you are not operating on a single architecture type, a single deployment, or a single cloud. You have to manage a varying degree of complexity in your architecture decisions. We understand that folks might be operating across cloud or have to support hybrid connectivity. So you rely on us to ensure that we match the support and functionality to make sure you're connected in the way that you need to be.
Second, you need to be able to scale and perform and ensure that you're able to ramp up and down as you need to. You look to us to ensure that we give you the visibility and the ability to do so. Many of these security decisions are also driven by compliance and data sovereignty regulations and security frameworks that you must adhere to. We work backwards from these requirements to ensure that you're given the ability to prove compliance and meet those standards. We take all of that into mind when we're building a lot of our new functionality to ensure we give you the visibility and the ability to prove that you're matching those compliance and security frameworks.
All of these decisions, you've told us, take a toll. All of this puts a cognitive load on your teams. You've told us that every time we see a new service or a new functionality, we have to map this back. We have to understand how this meets our needs and how this relates to everything we've already deployed. Help us ensure that this is intuitive and easy to spin up. This is definitely something we've kept in mind, and it's on us to ensure that things are easier to start and easier to ramp up and onboard. We're thinking about things like interoperability, integration, and native attachments. We're abstracting away things that are manual so you can spend less time in that cognitive load and more time doing things that are your comparative advantage for your business.
Visibility is a key aspect to everything you've deployed. You've set your rules, your policies, your configurations. How do you know they're working optimally to meet your use cases? We're making sure that across the board we're delivering that visibility.
In this fast-paced, high-changing world, especially in the era of AI, we need to understand what new threats are evolving in this landscape. We understand that, and given our unique perspective with a global infrastructure, we're able to see the insights across our traffic patterns and make sure we're protecting our local infrastructure, our AWS underlying infrastructure, and increasingly we're giving you a lot of that threat intelligence to use in your own solutions. We'll walk through that as well.
AWS Network and Application Protection Portfolio: A Layered Defense-in-Depth Approach
We know there is no such thing as a silver bullet to security. Everything is a layered defense-in-depth strategy, and we understand that it takes many pieces that you must tackle to ensure that you're layering for defense in depth. What we're here to talk about today is things inside of the network and application protection space, and you can see those services here in the middle of the display. We understand that sometimes it could be challenging to understand how these things work together, so let's walk through that.
When you think about a typical web application architecture and how you're organizing and protecting your traffic as it comes into your network, you definitely want to start with setting up a WAF, a web application firewall, and AWS Shield Advanced or an anti-DDoS solution to ensure that you're protecting from threats coming into your network. As the traffic is coming in, you move into the idea of segmenting, organizing, and inspecting that traffic inside of the VPCs. You can then leverage a service like our AWS Network Firewall, which is our cloud-managed, native, next-generation firewall on AWS to do things like organizing east-west traffic and inspecting east-west traffic inside of your VPCs.
We have a lot of customers that jointly use AWS WAF with Network Firewall for ingress inspection and ingress use cases, but by and large, the biggest use cases we see for Network Firewall are organizing and setting up robust egress or outbound controls. It is definitely a two-part solution. We want to ensure that folks know to use Network Firewall along with Route 53 Resolver DNS Firewall for that DNS path as well. Organizing this at scale means you have WAF policies, security groups, and network access control lists to think about, as well as DNS firewall policies and network firewall policies. How do you make sure that you're able to deploy this from a central location? That is where services like Firewall Manager come into play, where you're able to organize these, set these up, configure these, and get central visibility from one place. AWS Shield Network Security Director, which I'll walk through in a bit, is also meant to give you extra visibility inside of your network resources.
If you're more of a visual person, as you're moving your traffic through your typical web application architecture, you'll get WAF and Shield to protect on that ingress path, the Network Firewall and the DNS Firewall to protect both paths on that egress, and then Firewall Manager and Shield Network Security Director for that cross-management and visibility use case. This is also the team that ensures and manages our AWS underlying global backbone. We manage and deploy across our global presence and we're making an additional commitment to ensure that you are matching the connectivity, the performance, and the throughput that you need to meet your use cases. With that global presence comes an immense scale of protection.
This allows us to analyze exabytes of data on a minute basis across our global infrastructure. We mitigate thousands of DDoS attacks on a daily basis. All of this data feeds back into our threat research, which we can analyze and learn from.
When we think about working backwards from threats, we know that threat actors have threat targets and leave behind threat artifacts or indicators of compromise. We can take these indicators, analyze them, and build threat intelligence that we then use to mitigate further attacks. However, here at Amazon, our threat research and threat intelligence teams prefer to take a more proactive approach through deceptive technology. We disclosed this project a couple of years ago. If you've heard of MadPot, it's one of our threat research projects inside of Amazon. This is essentially a set of decoys that we've deployed across our infrastructure. We have tens of thousands of decoys deployed across our global infrastructure. These are vulnerable services with different variations of vulnerabilities, and we can observe the reconnaissance activity and types of traffic we see, gaining insights that we learn from and integrate into our existing services like Shield and GuardDuty.
Enhanced Network Visibility: AWS Shield Network Security Director and New Dashboard Experiences
Now I want to share everything that's new in network visibility. We've made a commitment to provide greater visibility across your network stack because customers have told us they need it. Many of you manage central security teams but face challenges with complex architectures, complex business organizations, and inherited legacy systems with different security teams accustomed to doing things differently. Your central guardrails can only go so far, and you have to grant exceptions to these teams. How do you know what these teams have actually deployed? Additionally, you want to give your development teams and application teams a certain degree of autonomy so they can work fast and build fast, but then you need to know if they've deployed correctly, if things are configured properly, and what even exists out there.
This is where AWS Shield Network Security Director comes into play. We announced this a couple of months ago, and it's currently in preview, so you can try it out at no cost. This service solves exactly those use cases. The primary capability is giving you visibility into your network. It will first scan your network resources and give you a topology view of what exists. It provides various findings with different severity levels that you can triage based on AWS best practices, and we set recommendations based on those best practices. If you have any questions, there's an integration with Amazon Q Developer where you can ask questions about your network in natural language, making it really easy to get started.
Essentially, you start a network analysis, which initiates a scan. You choose the accounts you want to scan, and it shows you first that topology view. It shows you what is connected to what and what the relationships are. You can basically double-click and drill into each piece to see those findings and recommendations. It's important to note that unlike similar topology maps, you will see everything in the map regardless of whether there is a finding associated with it or whether there's a type of vulnerability or risk. The key thing is visibility, so you'll be able to see everything, even if it doesn't have any findings associated with it.
You'll also be able to drill into the type of findings in different ways. We have different widgets and dashboards where you can drill into different types of resource types, filter by those types, and filter by different severity levels. Additionally, this is where the Amazon Q piece comes in. If you choose to—and this is not a requirement of the service—you can ask specific questions based on your use case to get drilled into everything that is in your network posture.
We've also added new additional visibility across the rest of our firewalls as well, the first of which is on AWS WAF. We understood that you needed additional visibility into understanding whether your WAF policies and rules were working as you expected them to. This new dashboard experience gives you that additional visibility. For instance, if you have teams that have set all of your WAF policies to alert mode and you are expecting them to be blocking, you'll be able to easily see what percentage of your WAF estate is set on alert or block for easy triage to understand why it might not be behaving or why it is behaving the way that you expected.
Additionally, you'll be able to see things like where you're seeing traffic hitting your WAF and hitting your network. You might operate in a different, specific region or specific geography, so you should not expect to see traffic in different geos. Now you'll be able to easily see those in this dashboard experience as well. In tandem with that, we've reduced the price on the CloudWatch logs for this new dashboard experience. This now gives you essentially a more predictable cost structure for that.
Moving on to Network Firewall, previously we had an open-sourced dashboard that you could spin up and get traffic insights for Network Firewall. We have now announced a new native console dashboard experience on Network Firewall where you'll be able to see traffic insights, things like top talkers and different ways to help you optimize your traffic. For instance, things like recommendations for a PrivateLink endpoint. We have customers that may not need to scan all their traffic through Network Firewall. This new dashboard experience essentially bubbles up things that are great PrivateLink candidates where you can route your traffic through that trusted PrivateLink destination and be on your way.
Application and Edge Protection Innovations: Simplified WAF Onboarding and Layer 7 DDoS Defense
Moving on to everything that's new in the world of application and edge protection, we've touched on WAF and I mentioned we're trying to make it as easy as possible for you to get started and spin up on your WAF Web ACLs. We have revamped the creation of the Web ACL experience. Previously it was a very DIY type of experience. Now we've radically made it easier by giving you protection packs and starter packs where we recommend rule types for you to get started. Additionally, just this week we launched a CloudFront plus security bundled flat rate pricing. This includes CloudFront, WAF, DDoS, and Route 53 DNS protections in a simplified flat rate price. This is aimed at our founder persona where folks are asking us to give them predictability in their pricing to make sure that they're able to be protected and be on their way.
So new to getting started on WAF, you'll now be able to tell the experience what application, what type of application you're trying to build. Based on that type of application, whether it's like an e-commerce or a banking application, we will essentially recommend different rules to get you started based on that type of application. Previously, protection packs allowed only a DIY type of experience.
Now with this new starter pack, you'll be able to leverage these new recommended configuration packs to get you started more easily.
Also new to WAF is a new Layer 7 anti-DDoS protection managed rule. I know we mentioned that Shield Advanced is our anti-DDoS service. We have now brought DDoS protections in as a managed rule onto WAF. If you're a Shield Advanced customer, this is included in that subscription. These work in tandem, but this now essentially gives customers additional configuration and tunability, and visibility. We were hearing from many customers that they wanted greater visibility into how these DDoS protections were working. With this managed rule, we're able to extend greater configuration, greater tunability, and greater visibility in that Layer 7 type of protection.
Lastly, new to WAF, we've added the ability to authenticate AI agents in this age of AI. We are now leveraging cryptographic signatures on HTTP for verification, and this will automatically verify against the category of AI bots as well. Now I'll hand it off to Saleem, who will walk us through everything that's new in the world of network protection.
Network Protection Services: DNS Firewall, AWS Network Firewall, and the New Explicit Egress Proxy
Thank you, Sofia. Sofia just provided an overview of the Network and Application Protection portfolio. She shared some enhancements in the space of threat intelligence and visibility, and finally, she talked about some innovations in the application protection space. Now I'm going to focus on network protection.
When it comes to network protection, you generally face three unique challenges. First is that cyber threats are constantly changing and becoming more sophisticated, which means that staying ahead of these threats requires that you continue to adapt your defenses. That takes us to challenge number two, which is that your teams are already spread too thin, and finding the right skill set can be challenging. This actually results in additional time it may take for you to detect threats, analyze data, and take remediation action. This challenge is also connected to challenge number three, which is that you need insights and visibility into how your applications are talking to each other and outside of your environment, so that you can identify threats quickly and take remediation actions.
All of this makes network protection critical and complex. Today I'll talk about a couple of AWS services that can help in this space. The first one is Amazon Route 53 Resolver DNS Firewall, and the second is AWS Network Firewall.
Amazon Route 53 Resolver DNS Firewall is a fully managed service that helps you block DNS queries to malicious domains and allows DNS resolution to trusted domains. It is a fully managed service that you can deploy centrally to provide coverage across multiple VPCs. You can write policy either by creating your own custom domain lists or using one of the Amazon-provided managed domain lists. The service provides full logging capability so that you can meet compliance or perform your own auditing. It also provides advanced DNS security functionalities, for example, protection against DGA attacks or DNS tunneling.
The second service is AWS Network Firewall, our cloud-native next-generation firewall, which offers stateful inspection. It provides IDS and IPS capabilities as well as TLS decryption, so you can decrypt the packet, do deep packet inspection, and then re-encrypt and send it to the destination. This is a fully managed, highly available, and auto-scaling capability, which essentially means that as your traffic increases, we'll automatically add additional capacity to your firewalls all the way to 100 gigabits per second. The service also supports full logging capability. There are two types of logs: flow logs as well as alert logs. You can write the rules in alert mode so you can get visibility, allow, or block based on the actions that you take.
There are three ways to deploy this firewall. One is to provide protection for ingress traffic, meaning any threats coming from the internet into your VPCs. You can also deploy it for east-west protection across VPCs and regions. The third, which is the most common deployment option that customers take, is egress protection to protect any traffic going from your VPCs out to the internet. Because this is one of the most common deployment options that customers take, let's take a deeper dive into it.
When looking at egress protection, there are multiple choices available to you. Some choices are free of charge, for example, stateful security groups or stateless network ACLs. We already talked about DNS firewall to provide you protection at the DNS layer. Then you have some choices by using middle boxes such as third party firewalls or AWS Network Firewall. In some cases, there are customers who require an explicit proxy. So far their choice had been to use one of the third party explicit proxies and manage it themselves, but very recently we made available a new service. It's a fully managed explicit egress proxy that is offered as a new resource type under AWS Network Firewall.
The existing firewall operates as a transparent appliance, but this new resource type offers explicit egress function as well. You can deploy the egress proxy on your NAT gateway, which makes it very simple because a lot of traffic takes the egress path, and NAT gateway is generally part of that flow. The way it works is when traffic comes into the proxy, you can create pre-DNS filtering. Essentially it looks at the domains and filters out any communication going to malicious or unallowed domains. After that, the proxy performs DNS resolution.
Once DNS resolution is done, you can do another filtering based on post-DNS information. If the traffic is authorized, it goes to the destination, and when the response comes back from the server, you can do another analysis based on the response coming back from the servers and using the header attributes in the response. The service also supports TLS decryption, so you can definitely use that. It supports logging capability just like the existing firewall resource type, so you can meet compliance and auditing requirements. You can use this to perform the same functions that other firewalls provide, basically to protect against data exfiltration or attacks based on malware.
Centralized Deployment Enhancements and Active Threat Defense with MadPot Intelligence
Coming back to the existing firewall resource type, there are two ways generally in which you have been deploying firewalls. One is distributed firewall deployment, which is a form where you deploy a firewall within a VPC and manage it as an individual resource. Then there is another type which is centralized deployment, typically deployed by a centralized cloud infrastructure and cloud security team where they have a transit gateway. With the transit gateway you can create an inspection VPC where you deploy a firewall and route traffic through it. It's a very scalable approach if you have lots of VPCs and you're centrally managing your traffic for either east-west or egress paths.
Very recently, around the re:Inforce time frame, we simplified the centralized inspection process. We made available a native TGW attachment. Within Transit Gateway, you enable native firewall attachment, and we take the responsibility of creating the inspection VPC, creating the firewall, creating the subnet, and creating the route table entries to route traffic through transit gateway and through this inspection VPC and the firewall. All you have to do is point your traffic to the native attachment, and we take care of the rest. Now leveraging the same capability, a couple of weeks ago we enhanced this centralized deployment model even further. This time we're taking simplification on the cost allocation side.
If you are from a centralized cloud infrastructure and cloud security team, what you have been telling us is that you are processing traffic through transit gateway and network firewall centrally and taking on the cost burden for all of that data processing yourself. The more your environments grow, the more application teams that you're servicing, the amount of volume grows, and then it becomes very difficult for you to get visibility into which applications are generating more cost burden for you.
With flexible cost allocation, we are simplifying that entire process. Within Transit Gateway, you create a cost allocation policy. Based on that policy, you can attribute the cost of data processing in TGW and Network Firewall to either the payer account, owner of the source attachment, destination attachment, or the centralized cloud infrastructure team that owns Network Firewall and Transit Gateway. You can create this policy at the attachment level or more granularly at the flow level.
This native attachment is our recommended way of deploying centralized deployment because going forward there will be many more enhancements that will be added to this functionality. Switching gears towards threat intelligence, there are a couple of things I'll talk about in the area of managed rule groups. First is Active Threat Defense, which is an Amazon-provided Managed Rule Group. Earlier, Sofia was talking about MadPot, which is Amazon's own globally deployed infrastructure of honeypots or digital decoys. Our threat researchers actually exposed these digital decoys as vulnerable services to attract interaction from malicious actors.
Through that interaction, we learn about their TTPs and use that threat intelligence to protect AWS infrastructure. You have been asking us to provide the same threat intelligence that we have to protect AWS infrastructure and make it available for you so that you can protect your workloads and VPCs as well. Active Threat Defense is our answer to that. This rule group is generated based on the threat intelligence that is coming directly from MadPot. Once you deploy it on Network Firewall, we will make sure that we keep it updated.
As soon as we detect a threat which is active, we will add it to the rule group. As soon as we realize that one of the threats is not active anymore and it becomes stale, we'll remove the rule that is associated with that. We do it at a ten-minute interval. So every ten minutes, if there is a change in the threat landscape that we have visibility into, we'll make the update. If there is no change, then we'll let it go.
Once you deploy it, there is no need for any manual action. You can deploy the rule group either in alert mode to get visibility or you can deploy it in block mode to get visibility as well as take simultaneous block action on that. This is exactly how it works in your VPCs with firewalls. This firewall can be deployed in a distributed deployment model, basically a firewall in every VPC, or in a centralized deployment model with Transit Gateway. The middle box is in session.
Partner Managed Rule Groups: Integrating Third-Party Threat Intelligence on AWS Network Firewall
Essentially, all of the processing that we take ownership of—our security engineers are detecting the threats, analyzing it, processing it, and making sure that the threats that they have identified are actually real. Once we are sure of that, at that point, we automatically update the rule groups. Now, the second area that I want to talk about is that you have been telling us that when you write firewall rules, you can of course write custom rules. In many cases, you already have existing relationships with some security vendors from which you are procuring threat intelligence and using it either on-premises or in other clouds or in your firewall as well.
The current mode of procuring this third-party threat intelligence and applying it on Network Firewall has been to use custom rules, which is a manual process and adds operational burden on you. You have been asking us to simplify that entire process. Recently, a couple of weeks ago, we announced Partner Managed Rule Groups on Network Firewall. These rule groups are based on partner-generated threat intelligence that is available through the marketplace. The way you deploy this is you go to the AWS Network Firewall console.
Within the console, you have stateful managed rule groups. That is where you can learn about all of the partners and their unique managed rule groups that are available to you. You can learn more about what type of rule groups they provide and what type of coverage they provide within the console itself. Once you have selected the rule group that you want to deploy, you hit the subscribe button and we will automatically take care of all of the backend functions and make the rule group available to you.
The step after that is essentially taking that rule group and applying it to your firewall, and you are done. Behind the scenes, partners are taking the responsibility. As soon as they have a change to make on the rule group, they will automatically make the change. You will not be in the process. Essentially, you do not have to take any kind of static action or manual action to get the updated rule groups.
You can deploy it either in alert mode, just like Active Threat Defense, to get visibility into the threat activity, or in block mode, which will give you both the visibility as well as simultaneously block the communication to the malicious infrastructure. There are seven partners that have launched these managed rule groups with us. I will quickly cover their uniqueness, what type of managed rule groups they offer, and how they can benefit your environments.
First is Check Point, a global cybersecurity company that offers a wide range of security solutions. They are a pioneer in stateful firewalls and now offer AI-powered, cloud-delivered security solutions. Their managed rule group for AWS Network Firewall is based on their cloud AI experts that automatically create this rule group and ensure that it is updated so you can get protection in the areas of CVEs and OWASP top 10 vulnerabilities.
The second partner is Fortinet, a well-known cybersecurity company that offers next-generation firewalls. Their managed rule groups are based on the threat research that their FortiGuard Labs provides. It is the same threat research that is available to you as a Fortinet customer across the globe. So if you are using Fortinet, for example, on-premises or in other clouds, you can bring the same threat intelligence and apply it on the AWS side as well. They offer managed IPS rule groups for AWS Network Firewall that help you protect against exploits, vulnerabilities, and C2 attacks.
Infoblox unites networking, security, and cloud to protect you and integrate with their protective DDI platform so that enterprises can get agility and resilience. Their managed rule groups are based on their predictive DNS threat intelligence. At Infoblox's scale, with 70 billion events detected every day or 4 million indicators every month, with 90 percent pre-query detections, you get faster protection with low latency and high impact.
Next up is Lumen, a global communication service provider that integrates products and services in the space of networking and security. Their Defender managed rule group is available on Network Firewall based on the unique threat intelligence that they generate through Black Lotus Labs, their own threat intelligence team that identifies and neutralizes hundreds of emerging threats, leveraging their backbone-level visibility.
Then we have Rapid7, which offers products and services in the space of detection and response. Their products include vulnerability risk management, attack surface management, as well as managed detection and response. The managed rule groups they offer are self-cleaning and expert-vetted and provide coverage in two specific areas. One is advanced persistent threat, where they protect against state-sponsored or sophisticated attacks, and ransomware, which essentially provides you protection against financially motivated attacks.
ThreatSTOP is a cloud-based threat intelligence company that generates their threat intelligence across thousands of sources globally. They convert that into actionable policies that are made available to you in your routers, firewalls, or DNS servers. ThreatSTOP already offers managed rule groups for AWS WAF, and now they are extending their managed rule groups to Network Firewall so you can get network layer protection as well. Their rule groups provide ingress protection as well as egress protection and help you meet compliance with ITAR and OFAC.
Lastly, we have Trend Micro, a well-known cloud-native application protection platform with expertise in protecting your environments in the cloud.
Their managed rule groups are based on their Digital Vaccine program, which customers are already using to protect their cloud environments. The specialization that they offer with their managed rule groups on Network Firewall is to protect you against zero-day attacks. They have a program called the Trend Zero Day Initiative that generates the threat intelligence, and by using this managed rule group you are protected faster from the zero-day vulnerabilities that are out there.
To summarize, we talked about some enhancements in the area of threat intelligence and visibility. We talked about some onboarding enhancements for application protection and network protection. We also talked about a new resource type of explicit proxy within AWS Network Firewall.
Before we leave, I wanted to share that there are some additional sessions available for you to learn more about our firewalls, ingress protection, egress protection, and overall network and application protection. With that said, I hope you found our session to be informative and the journey very exciting. Both Sofia and I will stick around here for a while if you have any questions and would like to share your feedback. We would really appreciate it. With that, thank you so much.
; This article is entirely auto-generated using Amazon Bedrock.