AWS re:Invent 2025 — What We’re Watching
AWS re:Invent runs next week, December 2–6, 2025, in Las Vegas.
In the weeks of pre-re:Invent announcements leading up to the event, staying up to speed is a challenge. With the constant stream of AWS news, even those of us embedded in the ecosystem struggle to keep up.
To stay on top of announcements year-round, check out aws-news.com. It has become the de facto place to track what’s new across AWS.
In this article, we’re sharing 10 announcements across Governance, Risk, Compliance, Security, Organisation Management, and AI that matter for building resilient, well-governed, secure systems, as well as responsible AI systems.
These were chosen because we believe they will have a meaningful impact for our customers and the broader ecosystem.
Creating this post also helps us research each announcement and unpack its implications for the products we build and the teams we work with.
If there are any inaccuracies at the time of writing, please reach out and we’ll update the reference article.
Table of contents
- AWS IAM Temporary Delegation
- Amazon CloudWatch Logs Centralisation
- AWS IAM Outbound Identity Federation
- Amazon Bedrock Guardrails for Code Security
- AWS Secrets Manager Managed External Secrets
- AWS Organizations Direct Account Transfer
- CloudTrail Aggregated Events
- Amazon Inspector Organization-Wide Management
- AWS PrivateLink Cross-Region Connectivity for AWS Services
- AWS WAF Web Bot Auth Support
- What’s Next
1. AWS IAM Temporary Delegation
The announcement
AWS introduces IAM temporary delegation, allowing SaaS partners to automate customer onboarding by requesting time-limited, scoped permissions to deploy resources in customer AWS accounts. Customers review and approve the request in the AWS console, and access automatically expires.
Who it’s for & real-world scenario
For SaaS and security vendors that need to deploy infrastructure during customer onboarding.
Scenario: Your SIEM platform needs to configure data sources across a customer’s AWS account. Instead of asking for a long-lived IAM role, the customer approves a short-lived delegation in their console. You get scoped access for 30 minutes, complete setup, and access expires automatically. Vendors such as CrowdStrike, HashiCorp, and Databricks are already using this.
Availability
Available now for AWS ISV Accelerate Program partners. Broader GA expected.
Pricing
Free, built into AWS IAM.
2. Amazon CloudWatch Logs Centralisation
The announcement
CloudWatch now supports cross-account and cross-region log centralisation, allowing log data from multiple AWS accounts and regions to be copied into a single destination account.
Who it’s for & real-world scenario
For organisations managing logs across multiple accounts and regions that want centralised visibility without custom pipelines. Rules can be scoped across your organisation or to selected OUs. Logs are enriched with account and region metadata. Note that only new log data is centralised.
Availability
Available in 17 regions globally.
Pricing
First copy is free. Additional copies cost $0.05/GB. Standard storage pricing applies.
3. AWS IAM Outbound Identity Federation
The announcement
AWS IAM now supports outbound identity federation, enabling AWS workloads to authenticate with external services using short-lived JWTs instead of long-term credentials.
Who it’s for & real-world scenario
For teams accessing third-party SaaS or cloud platforms from AWS. A Lambda function can authenticate to an external service using a signed JWT rather than stored secrets.
Availability
Generally available across all AWS commercial, GovCloud, and China regions.
Pricing
No additional cost.
4. Amazon Bedrock Guardrails for Code Security
The announcement
Bedrock Guardrails now extend to code generation, detecting malicious injections, prompt leakage, and PII in code across 12 programming languages.
Who it’s for & real-world scenario
For teams building AI-powered coding tools. Guardrails prevent sensitive data from being introduced into generated code.
Availability
Generally available where Bedrock Guardrails is supported.
Pricing
Included in standard Guardrails pricing.
5. AWS Secrets Manager Managed External Secrets
The announcement
Secrets Manager now supports managed rotation for third-party SaaS credentials without custom Lambda functions.
Who it’s for & real-world scenario
For organisations integrating SaaS platforms like Salesforce or Snowflake that require regular credential rotation.
Availability
Generally available for supported SaaS providers.
Pricing
Standard Secrets Manager pricing applies.
6. AWS Organizations Direct Account Transfer
The announcement
AWS Organizations now supports direct account transfers between organisations without accounts becoming standalone.
Who it’s for & real-world scenario
For enterprises handling M&A or internal restructures. Accounts retain governance and billing throughout the transfer.
Availability
Generally available.
Pricing
No additional cost.
7. CloudTrail Aggregated Events
The announcement
CloudTrail introduces aggregated data events, summarising high-volume API activity into five-minute windows.
Who it’s for & real-world scenario
For security and compliance teams managing high-volume environments who need trend visibility without processing millions of events.
Availability
Available in all CloudTrail regions.
Pricing
Charged per data event analysed.
8. Amazon Inspector Organization-Wide Management
The announcement
Amazon Inspector now supports organisation-wide enablement and configuration using AWS Organizations policies.
Who it’s for & real-world scenario
For large organisations needing consistent vulnerability scanning across many AWS accounts.
Availability
Generally available across commercial, China, and GovCloud regions.
Pricing
Included in standard Inspector pricing.
9. AWS PrivateLink Cross-Region Connectivity for AWS Services
The announcement
PrivateLink now supports cross-region connectivity to AWS-managed services.
Who it’s for & real-world scenario
For organisations with strict data residency requirements that need private cross-region access without public internet exposure.
Availability
Generally available in commercial regions.
Pricing
Standard PrivateLink and inter-region data transfer pricing applies.
10. AWS WAF Web Bot Auth Support
The announcement
AWS WAF now supports Web Bot Auth, enabling verification of legitimate AI agents and automated tools.
Who it’s for & real-world scenario
For teams running public applications that want to allow verified bots while blocking malicious automation.
Availability
Available for AWS WAF-protected applications.
Pricing
No additional charge beyond standard WAF pricing.
What’s Next
These announcements represent only a fraction of what’s coming at re:Invent. Whether you’re building infrastructure, improving security, preparing for compliance, or exploring AI, there’s something here that likely impacts your roadmap.
For a complete list of announcements, visit aws-news.com.
If we’ve missed something important, reach out and we’ll update this reference.