AWS Security | 8 min read

    Key AWS Security Updates in 2025 - Complete Timeline

    Tarek Cheikh

    Founder & AWS Cloud Architect

    2025 was a landmark year for AWS security. From SCPs finally getting full IAM language support to post-quantum cryptography going production-ready, here is every major change and what it means for your architecture.

    Timeline of Key Changes

    June 2025 - re:Inforce: Inspector Expands Beyond CVEs

    Amazon Inspector expanded from a pure vulnerability scanner into a full application security platform. The new capabilities include:

    • SAST (Static Application Security Testing) - source code scanning for security vulnerabilities
    • SCA (Software Composition Analysis) - dependency analysis for known vulnerabilities
    • IaC scanning - security checks for Terraform and CloudFormation templates

    What to do: If you use Inspector, enable all scan types. You are now getting SAST, SCA, and IaC scanning at no additional cost. Inspector is no longer just a CVE scanner - it is a full AppSec tool.

    September 2025 - SCPs Get Full IAM Policy Language

    This is the biggest access control improvement in years. Service Control Policies now support:

    • Conditions in Allow statements - previously only Deny supported conditions
    • Individual resource ARNs in Deny - target specific resources instead of blanket denials
    • Wildcards in Action strings - more flexible pattern matching
    • NotResource element - deny everything except specific resources

You can now write SCPs like "Deny s3:DeleteBucket only for production buckets" or "Allow ec2:RunInstances only when tagged with CostCenter." Neither was possible before.

    What to do: Review and upgrade your SCPs. The full IAM language enables surgical precision - rewrite broad guardrails with specific conditions and resource targeting.
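As an added example (not code from the article, and not AWS-published), here is an SCP that uses three of the new elements just listed (a Condition on an Allow, a specific ARN pattern in a Deny, and NotResource), together with a deliberately simplified evaluator so you can check offline which requests the guardrails block. The evaluator only implements what this policy needs (Action/NotAction, Resource/NotResource, the Null and StringEquals operators) and is an approximation of SCP semantics, not AWS's policy engine; the account ID 111122223333 and the key ID are placeholders.

```python
# Added example: an SCP written with the September 2025 SCP language additions,
# plus a simplified offline evaluator. Not the article's code and not AWS's
# evaluation engine; covers only the elements this policy uses.
import fnmatch
import json

# Placeholder ARN (111122223333 is the AWS documentation example account).
BREAK_GLASS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-BREAK-GLASS-KEY-ID"

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Allowlist using a wildcard inside an Action string (ec2:Describe*).
            "Sid": "AllowlistedServices",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "s3:*", "kms:*"],
            "Resource": "*",
        },
        {   # Condition on an Allow: RunInstances only when the request tags CostCenter.
            "Sid": "RunInstancesOnlyWithCostCenter",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {"Null": {"aws:RequestTag/CostCenter": "false"}},
        },
        {   # Deny scoped to specific resource ARNs instead of a blanket "*".
            "Sid": "ProtectProductionBuckets",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::prod-*",
        },
        {   # NotResource: deny key deletion everywhere except one break-glass key.
            "Sid": "OnlyBreakGlassKeyMayBeScheduledForDeletion",
            "Effect": "Deny",
            "Action": "kms:ScheduleKeyDeletion",
            "NotResource": BREAK_GLASS_KEY_ARN,
        },
    ],
}


def _matches(patterns, value, case_insensitive=False):
    """IAM-style glob match ('*' and '?') of value against one pattern or a list."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    if case_insensitive:  # IAM action names are matched case-insensitively
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_met(condition, context):
    """Evaluate the Null and StringEquals operators against the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" requires the key to be absent, "false" requires it to be present.
                if present == (expected == "true"):
                    return False
            elif operator == "StringEquals":
                allowed = [expected] if isinstance(expected, str) else expected
                if not present or context[key] not in allowed:
                    return False
            else:
                raise ValueError(f"operator not supported by this simplified evaluator: {operator}")
    return True


def _applies(stmt, action, resource, context):
    """True when the statement's Action/Resource/Condition elements cover the request."""
    if "Action" in stmt and not _matches(stmt["Action"], action, case_insensitive=True):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action, case_insensitive=True):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], resource):
        return False
    return _condition_met(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.
    An SCP never grants access on its own: 'allow' means the SCP does not block it."""
    context = context or {}
    applicable = [s for s in policy["Statement"] if _applies(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "explicit_deny"  # an explicit deny always wins
    if any(s["Effect"] == "Allow" for s in applicable):
        return "allow"
    return "implicit_deny"


def broad_deny_statements(policy):
    """Sids of Deny statements that still use Resource '*' with no Condition:
    the blanket guardrails worth rewriting with resource and condition targeting."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and s.get("Resource") == "*" and "Condition" not in s]


def scp_json():
    """Policy document for: aws organizations create-policy
    --type SERVICE_CONTROL_POLICY --content file://scp.json"""
    return json.dumps(SCP, indent=2)
```

Because the first statement is an allowlist rather than the default FullAWSAccess `"Action": "*"`, RunInstances without a CostCenter tag falls through to an implicit deny; that only holds if FullAWSAccess is detached from the OU, so check attached policies before relying on it. The evaluator simplifies the real engine (it ignores resource-level permission rules and the identity policy that must also allow the call), so treat its output as a sanity check on the SCP's shape, not as an authorization test.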

    October 2025 - Security Hub Supports CIS v5.0

    AWS Security Hub CSPM now supports the CIS AWS Foundations Benchmark v5.0 with 40 automated controls. This is the latest compliance standard for evaluating your AWS security posture.

    November 2025 - AWS Security Specialty Exam Updated to SCS-C03

    The AWS Security Specialty certification exam was updated to SCS-C03 with restructured domains:

    • Detection (16%) - now a separate domain
    • Incident Response (14%) - now a separate domain
    • Security Foundations & Governance (14%) - brand new domain

    The previous version (SCS-C02) expired December 1, 2025. If you are studying for the exam, target SCS-C03.

    re:Invent 2025 - GuardDuty Extended Threat Detection for EC2/ECS

    Extended Threat Detection (originally launched at re:Invent 2024) was expanded to add EC2 and ECS attack sequence findings. Instead of 15 separate findings, GuardDuty now correlates events into a single attack timeline:

    credential compromise → lateral movement → privilege escalation → data exfiltration

    This is ML-based correlation that detects multi-stage attacks across your compute workloads.

    re:Invent 2025 - Security Hub Gets Historical Trends

    Security Hub now supports up to 1 year of historical trend data with period-over-period analysis, severity filtering, and cross-region aggregation. It has evolved from a finding aggregator into a proper cloud security posture management (CSPM) tool.

    re:Invent 2025 - Post-Quantum Cryptography Goes Production

    AWS implemented NIST-standardized post-quantum algorithms (ML-KEM, ML-DSA) across multiple services:

    • KMS - post-quantum key types for long-lived data encryption
    • CloudFront - post-quantum TLS for data in transit
    • ACM Private CA - post-quantum certificate issuance
    • Secrets Manager - post-quantum protection for stored secrets

    What to do: Start with CloudFront post-quantum TLS for zero-effort protection against harvest-now-decrypt-later attacks. For long-lived encrypted data, evaluate KMS post-quantum key types.

    re:Invent 2025 - New Tools

    • AWS Security Agent (preview) - automated application security reviews and context-aware pentesting, signaling AWS moving security earlier in the development lifecycle
    • IAM Policy Autopilot - open-source MCP server that helps AI coding assistants generate least-privilege IAM policies by analyzing application code

    re:Invent 2025 - Graviton5 (M9g)

    Graviton5 processors launched with M9g instances: 192 cores per chip and 25% higher performance. Not a security update per se, but relevant for compute-intensive security workloads (log analysis, ML-based detection).

    December 2025 - CDKTF Deprecated

    HashiCorp deprecated CDKTF (CDK for Terraform). Existing projects continue to work but receive no updates or security patches.

    What to do: If you use CDKTF, start migration planning now. Your options are native Terraform HCL or AWS CDK. No security patches means accumulating risk over time.

    CIS AWS Foundations Benchmark v6.0

    CIS released the AWS Foundations Benchmark v6.0 - the latest compliance standard for AWS security posture. Check Security Hub for support status.

    Key Takeaways

    • SCPs got full IAM language (Sept 2025) - the biggest access control improvement in years. Review and upgrade your organization guardrails.
    • GuardDuty Extended Threat Detection now detects multi-stage attack sequences across EC2 and ECS workloads.
    • Inspector is a full AppSec platform - SAST, SCA, and IaC scanning on top of CVE detection.
    • Post-quantum cryptography is production-ready in KMS, CloudFront, Private CA, and Secrets Manager.
    • CDKTF deprecated - migrate to CDK or native Terraform before the security debt grows.
    • CIS v6.0 and SCS-C03 are the new standards for compliance and certification.


    Go Deeper: The State of AWS Security 2026

    This article is just the start. Get the full picture with our free whitepaper - 8 chapters covering IAM, S3, VPC, monitoring, agentic AI security, compliance, and a prioritized action plan with 50+ CLI commands.
