Lorcan O'Flynn
ICYMI - pre:Invent announcements 2025

AWS re:Invent runs next week, December 2-6, 2025, in Las Vegas. In the weeks leading up to it, the stream of pre:Invent announcements makes staying up to speed a challenge; even those of us embedded in the AWS ecosystem struggle to keep up.

To stay up to speed on all announcements, check out aws-news.com. It's now the de facto way to stay on top of what's new year-round.

In this article, we're sharing 10 announcements across Governance, Risk, Compliance, Security, Organisation Management and AI that matter for building resilient, well-governed, secure systems, as well as responsible AI systems.

We chose them because we think they'll make a meaningful impact for our customers and the broader ecosystem.

Creating this post helps us research each announcement and dissect its implications for the products we build and the teams we work with.

If there are any inaccuracies at the time of writing, please don't hesitate to reach out, and we'll update the reference article!

Here goes:

Our Picks

  1. AWS IAM Temporary Delegation
  2. Amazon CloudWatch Logs Centralisation
  3. AWS IAM Outbound Identity Federation
  4. Amazon Bedrock Guardrails for Code Security
  5. AWS Secrets Manager Managed External Secrets
  6. AWS Organizations Direct Account Transfer
  7. CloudTrail Aggregated Events
  8. Amazon Inspector Organization-Wide Management
  9. AWS PrivateLink Cross-Region Connectivity for AWS Services
  10. AWS WAF Web Bot Auth Support

#1: AWS IAM Temporary Delegation

The Announcement:
AWS introduces IAM temporary delegation, allowing SaaS partners to automate customer onboarding by requesting time-limited, scoped permissions to deploy resources in customer AWS accounts. Customers review and approve the request in the AWS console; after the time window expires, access automatically ends.

Who's It For & Real-World Scenario:
For SaaS and security vendors who need to deploy infrastructure in customer accounts during onboarding.

Scenario: Your SIEM platform needs to automatically configure data sources across a customer's AWS account. Traditionally, you'd ask the customer to manually create an IAM role with elevated permissions for your product, which stays around indefinitely, creating security debt. With temporary delegation, customers click "approve setup" in their AWS console, you get 30 minutes of scoped access to wire everything up, and the credentials automatically expire. Your customer feels secure (it's time-bound and visible), and you've cut onboarding from hours to minutes. Vendors like CrowdStrike, HashiCorp and Databricks are already using this.

Availability:
Available now for AWS ISV Accelerate Program partners; general availability for the broader AWS ecosystem expected to follow.

Pricing:
Free; this is built into AWS IAM at no additional cost.

Announcement Blog

Relevant Docs


#2: Amazon CloudWatch Logs Centralisation

The Announcement:
Amazon CloudWatch now offers cross-account and cross-region log centralisation, allowing you to copy log data from multiple AWS accounts and regions into a single destination account. It integrates with AWS Organizations, so centralisation rules can be scoped to your entire organisation, specific OUs, or selected accounts.

Who's It For & Real-World Scenario:
For organisations managing logs across multiple AWS accounts and regions that need centralised visibility without building custom pipelines. Previously, aggregating logs from distributed workloads meant managing Kinesis streams, Lambda functions, or third-party tools. Now CloudWatch handles it natively. Scope rules to your organisation, OUs, or specific accounts. Log events are enriched with source metadata (@aws.account and @aws.region) for data lineage. Configure a backup region for resiliency. The result is one centralised view for security investigations, compliance audits, and operational troubleshooting across your entire AWS footprint. Note: centralisation rules only process new log data; existing historical logs are not retroactively copied.

Availability:
Available in 17 regions, including US East/West, Europe, Asia Pacific, Canada, and South America.

Pricing:
First copy of centralised logs is free (no ingestion or cross-region transfer charges). Additional copies are charged at $0.05/GB. Standard CloudWatch Logs pricing applies for storage.

Thanks to Siddharth Bhate - Product @ AWS - for his comment here pointing us to the CloudFormation docs for creating new rules of type AWS::ObservabilityAdmin::OrganizationCentralizationRule.

Announcement


#3: AWS IAM Outbound Identity Federation

The Announcement:
AWS IAM now supports outbound identity federation, allowing AWS workloads to securely authenticate with external services using short-lived JSON Web Tokens (JWTs) instead of storing long-term credentials. IAM principals call the new GetWebIdentityToken STS API (permission: sts:GetWebIdentityToken) to obtain cryptographically signed tokens that external services can verify.

Who's It For & Real-World Scenario:
For teams running AWS workloads that need to access third-party cloud providers, SaaS platforms, or on-premises applications. Previously, accessing external services meant managing API keys, service account credentials, or other long-term secrets. Now your Lambda function processing data can write results to an external cloud provider's storage using a short-lived JWT instead of stored credentials. The external service validates the token signature against AWS's OIDC discovery endpoints. No secrets to rotate, no credentials to leak. Works with any service that supports OIDC/JWT verification.

Availability:
Generally available in all AWS commercial regions, AWS GovCloud (US) regions, and China regions.

Pricing:
No additional cost; included in standard AWS IAM.

Announcement Blog

Relevant Docs
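The verification step described above, the part the external service has to get right, written as an added example that is not part of the announcement or of any AWS library. The relying party takes the JWKS it would fetch from the issuer's OIDC discovery metadata (constructed in memory here), pins the algorithm to RS256, looks up the key by kid, verifies the signature over header.payload, and only then trusts and checks the iss, aud and exp claims. The issuer URL, audience and key id are placeholders, and signRS256 stands in for STS so the block runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of an RFC 7517 JSON Web Key needed for RS256 verification; a list of them is the document served at the issuer's jwks_uri, which OIDC discovery points to.
type jwk struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// claims are the registered JWT claims the relying party must check (aud is a single string here; the JWT spec also allows an array).
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url throughout

// demoKeys generates a throwaway RSA key pair plus the JWKS the issuer would publish for it (constructed in memory; a real verifier fetches the JWKS over HTTPS and caches it).
func demoKeys(kid string) (*rsa.PrivateKey, []jwk, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	e := big.NewInt(int64(key.E)).Bytes()
	return key, []jwk{{Kid: kid, N: b64.EncodeToString(key.N.Bytes()), E: b64.EncodeToString(e)}}, nil
}

// signRS256 mints a JWT; it stands in for the token STS hands the AWS workload.
func signRS256(kid string, key *rsa.PrivateKey, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 is the external service's side: pin the algorithm, select the key by kid, verify the signature over header.payload, and only then check iss, aud and exp.
func verifyRS256(token string, keys []jwk, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("token part %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the verifier, not the token, decides the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable key for kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature invalid")
	}
	var c claims // the payload is trusted only after the signature check above
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by the verifier rather than taken from the token header, and a token whose aud names a different service is refused even when its signature is valid, which is what stops one tenant's token being replayed against another service.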


#4: Amazon Bedrock Guardrails for Code Security

The Announcement:
Amazon Bedrock Guardrails now extends its safety and content filtering capabilities to code generation and analysis. It can detect and prevent malicious code injection, prompt leakage (unintended disclosure of system prompts in AI responses), and PII in code, including variable names, function names, comments, and string literals, across 12 programming languages.

Who's It For & Real-World Scenario:
For teams building AI-powered coding assistants or code generation platforms. Imagine a development platform offering an AI copilot to enterprise customers. A developer asks the AI to "generate a patient intake function using this test SSN: 078-05-1120." Before Bedrock Guardrails code protection, the AI might generate code that hardcodes the SSN in comments or variable names. Now Bedrock Guardrails catches the PII before it reaches the user. It also detects prompt injection attempts and prevents leakage of system prompts.

Availability:
Generally available in all AWS regions where Amazon Bedrock Guardrails is supported.

Pricing:
Included in standard Bedrock Guardrails pricing; no additional cost for code protection features.

Announcement Blog


#5: AWS Secrets Manager Managed External Secrets

The Announcement:
AWS Secrets Manager launches managed external secrets, enabling automatic rotation of third-party SaaS credentials without requiring custom Lambda functions. Choose from SaaS provider–specific rotation strategies, and Secrets Manager handles the entire rotation workflow. Available at launch for Salesforce, BigID, and Snowflake.

Who's It For & Real-World Scenario:
For organisations integrating SaaS platforms that require regular credential rotation for compliance. Previously, rotating credentials for Salesforce, Snowflake, or BigID required building and maintaining custom Lambda functions for each provider. Now Secrets Manager handles the entire rotation workflow automatically - no Lambda functions, no custom code, full audit trail.

SaaS providers interested in joining the managed external secrets program can contact the Secrets Manager team at aws-secrets-mgr-partner-onboarding@amazon.com. Application review typically takes 1-2 weeks. See the partner onboarding guide for details.

Availability:
Generally available for Salesforce, BigID, and Snowflake in all AWS regions where Secrets Manager operates; additional SaaS partners to be added over time.

Pricing:
Standard Secrets Manager pricing applies; no additional charges for managed rotation.

Announcement Post


#6: AWS Organizations Direct Account Transfer

The Announcement:
AWS Organizations now supports direct account transfers between organizations without requiring accounts to first be removed and operated as standalone. Accounts maintain governance, consolidated billing, and compliance controls throughout the transfer process.

Who's It For & Real-World Scenario:
For enterprises managing M&A integrations or organisational restructuring. Previously, transferring accounts between organisations meant removing each account from its organisation, manually reconfiguring payment methods and support plans, then re-inviting. This took weeks and created governance gaps. Now your team sends a direct invite. Accounts accept and immediately inherit your governance controls and consolidated billing, no standalone period, no governance lapse. The same applies to internal reorganisations: move accounts between OUs or consolidate organisations without manual reconfiguration.

Availability:
Generally available in all AWS regions where AWS Organizations operates.

Pricing:
No additional cost; standard AWS Organizations pricing applies.

Announcement


#7: CloudTrail Aggregated Events

The Announcement:
AWS CloudTrail introduces aggregated data events, consolidating high-volume API activity into 5-minute summaries. Security and compliance teams can analyse trends, access patterns, and error rates without processing thousands of individual events per minute.

Who's It For & Real-World Scenario:
For security and compliance teams managing high-volume AWS environments. CloudTrail can capture 5,000+ events per minute from S3 and Lambda alone. Previously, detecting anomalies meant processing millions of raw events daily (costly), sampling (missing incidents), or building custom aggregation pipelines. Now CloudTrail consolidates data events into 5-minute summaries. Security teams see trends instantly: "User X's S3 access jumped from 50 to 5,000 calls" or "Lambda error rate spiked to 15%." Drill into raw events when needed. Compliance teams get audit-ready summaries without wading through millions of log entries.

Availability:
Available for CloudTrail data events across all AWS regions where CloudTrail operates.

Pricing:
Charged per data event analysed to create aggregations (separate fee from standard CloudTrail per-event pricing).

Announcement
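The kind of detection the summaries make cheap, as an added example that is not part of the announcement or of any AWS tooling: the two alerts quoted above ("User X's S3 access jumped from 50 to 5,000" and "Lambda error rate spiked to 15%") are derived from constructed 5-minute summary records. The summary struct is a simplified stand-in, not the real aggregated-event schema; the principal names, thresholds and counts are invented for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// summary is a simplified stand-in for one 5-minute aggregated data-event record.
// The field set is constructed for this example; the real aggregated-event schema
// is the one documented by CloudTrail, not this struct.
type summary struct {
	Principal string // who made the calls
	Source    string // event source, e.g. s3.amazonaws.com
	Window    int    // ordinal of the 5-minute window
	Calls     int    // API calls in the window
	Errors    int    // of which returned an error
}

// finding is one alert: which principal and source, which window, and why.
type finding struct {
	Principal, Source, Reason string
	Window                    int
}

// median of a non-empty int slice, without modifying the caller's data.
func median(xs []int) float64 {
	s := append([]int(nil), xs...)
	sort.Ints(s)
	n := len(s)
	if n%2 == 1 {
		return float64(s[n/2])
	}
	return float64(s[n/2-1]+s[n/2]) / 2
}

// detect replays the summaries in window order, keeps a trailing baseline of call
// counts per (principal, source), and raises a finding when a window's volume exceeds
// spikeFactor times the median of the previous windows (once at least minHistory
// windows are known) or when its error rate exceeds maxErrorRate.
func detect(records []summary, minHistory int, spikeFactor, maxErrorRate float64) []finding {
	ordered := append([]summary(nil), records...)
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].Window < ordered[j].Window })
	history := map[string][]int{}
	var out []finding
	for _, r := range ordered {
		key := r.Principal + "|" + r.Source
		if prev := history[key]; len(prev) >= minHistory {
			if base := median(prev); base > 0 && float64(r.Calls) > spikeFactor*base {
				out = append(out, finding{r.Principal, r.Source,
					fmt.Sprintf("call volume %d vs baseline %.0f", r.Calls, base), r.Window})
			}
		}
		if r.Calls > 0 {
			if rate := float64(r.Errors) / float64(r.Calls); rate > maxErrorRate {
				out = append(out, finding{r.Principal, r.Source,
					fmt.Sprintf("error rate %.0f%% (%d of %d)", rate*100, r.Errors, r.Calls), r.Window})
			}
		}
		history[key] = append(history[key], r.Calls)
	}
	return out
}

// sampleSummaries is constructed input: a user whose S3 volume jumps in window 5,
// a user with steady traffic, and a Lambda execution role whose error rate climbs
// to 15% in window 5.
func sampleSummaries() []summary {
	userCalls := []int{50, 52, 48, 55, 5000}
	lambdaErrors := []int{2, 3, 1, 2, 30}
	var out []summary
	for w := 1; w <= 5; w++ {
		out = append(out,
			summary{"user-x", "s3.amazonaws.com", w, userCalls[w-1], 0},
			summary{"user-y", "s3.amazonaws.com", w, 30 + w, 0},
			summary{"role/order-processor", "lambda.amazonaws.com", w, 200, lambdaErrors[w-1]},
		)
	}
	return out
}

func main() {
	for _, f := range detect(sampleSummaries(), 3, 10, 0.10) {
		fmt.Printf("window %d %s %s: %s\n", f.Window, f.Principal, f.Source, f.Reason)
	}
}
```

A median baseline rather than a mean is deliberate: one earlier spike would otherwise inflate the baseline and hide the next one. The window that trips an alert is the one you then drill into with the raw events, which the summaries do not replace.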


#8: Amazon Inspector Organization-Wide Management

The Announcement:
Amazon Inspector now integrates with AWS Organizations policies, letting you centrally enable, configure, and manage vulnerability scanning (EC2, ECR, Lambda, and code repositories) across your entire organization with a single policy. New accounts automatically inherit the policy when they join OUs with attached Inspector policies.

Who's It For & Real-World Scenario:
For large organisations with dozens or hundreds of AWS accounts across multiple business units that need a uniform security baseline. Imagine running a healthtech company with 40+ AWS accounts: engineering teams spinning up new accounts, acquisitions bringing in legacy accounts, and regional teams with their own AWS infrastructure. Before this, security teams had to manually enable Inspector in each account and track compliance. People get busy, accounts slip through the cracks, and you end up with blind spots. Now? Create one organisation policy specifying "scan EC2, ECR, and Lambda in X,Y,Z regions," attach it to your org root, and Inspector automatically deploys to all covered accounts. New accounts that join? They inherit it instantly. Coverage is automatic; compliance is enforced.

Availability:
Generally available in all AWS commercial regions, China, and AWS GovCloud (US), where Amazon Inspector operates.

Pricing:
No additional cost, included in standard Amazon Inspector pricing.

Announcement Post

Relevant Docs

See below a quick policy example.

{
    "inspector": {
        "enablement": {
            "ec2_scanning": {
                "enable_in_regions": {
                    "@@assign": ["us-east-1", "us-west-2"]
                },
                "disable_in_regions": {
                    "@@assign": ["eu-west-1"]
                }
            }
        }
    }
}

#9: AWS PrivateLink Cross-Region Connectivity for AWS Services

The Announcement:
AWS PrivateLink now supports cross-region connectivity to AWS managed services. You can create VPC endpoints that privately connect to AWS services hosted in other regions, keeping traffic on the AWS backbone without requiring VPC peering, public internet exposure, or inter-region connectivity management.

Who's It For & Real-World Scenario:
For organisations needing private cross-region access to AWS services like S3, ECR, or Data Firehose. Cross-region PrivateLink for third-party endpoint services launched at re:Invent 2024 - this announcement extends that capability to AWS-managed services. Here's a concrete example: A media company operates across Europe with strict data residency requirements - UK viewer data in S3 buckets in London, EU data in Frankfurt. Their content delivery platform in Ireland needs real-time access to the London S3 bucket for personalisation and analytics. Previously, cross-region S3 access meant VPC peering (complex, doesn't scale), data replication (expensive, compliance headache), or public internet (security risk). Now? One VPC interface endpoint in Ireland privately connects to S3 in London. Traffic stays on AWS backbone, controlled by IAM and VPC endpoint policies. The same pattern applies to pulling container images from a central ECR registry or streaming logs to a Data Firehose in another region.

Availability:
Generally available in AWS Commercial partition regions via interface endpoints only. Currently supported services include S3, IAM, ECR, and Data Firehose; more services to follow.

Pricing:
Standard PrivateLink pricing (hourly + per-GB data processing) plus EC2 inter-region data transfer charges for cross-region traffic.

Announcement Blog


#10: AWS WAF Web Bot Auth Support

The Announcement:
AWS WAF now supports Web Bot Auth (WBA), a standardised authentication method for verifying the legitimacy of AI agents and automated tools accessing web applications. Verified bots are automatically allowed while maintaining protection against malicious traffic.

Who's It For & Real-World Scenario:
For teams running public-facing applications protected by AWS WAF who want to allow legitimate AI agents (search crawlers, LLM training bots) while blocking malicious automated traffic. Previously, WAF's Category AI feature indiscriminately blocked unverified bots, creating friction for legitimate tools. WBA builds on IETF draft standards for cryptographic signatures carried in HTTP messages: legitimate crawlers publish their identity credentials in a public key directory, and WAF verifies the signatures and allows the verified requests automatically. Malicious bots without valid credentials remain blocked. Better security posture without blocking the tools you actually want to access your content.

Availability:
Available for applications protected by AWS WAF.

Pricing:
No additional charges for WBA; standard AWS WAF pricing applies.

Announcement


What's Next

These 10 announcements represent just a slice of what's coming in December. Whether you're shipping infrastructure, hardening security, preparing for compliance or exploring AI, there's likely something here that matters to your roadmap.

For a comprehensive list of everything announced, head to aws-news.com.

If we've missed something important, reach out, and we'll update this reference.
