Current events · 2 MIN READ · ETHAN CHEN · JUN 25, 2025 · TAGS: AWS / Event
TL;DR
- Expel recently attended the 2025 AWS re:Inforce conference, where our CEO David Merkel spoke at AWS Security Live
- Attendees staffed our booth and attended sessions to track the trending topics for AWS this year
- Two big takeaways: multi-cloud (and multi-layered) environments require similar defense tactics, and using AI and ML to practice defensive tactics is a great way to introduce more of it into your security strategy
The Expel team recently returned from Philly after attending the 2025 AWS re:Inforce conference. While our CEO, Dave Merkel, was speaking at AWS Security Live, other Expletives were manning our booth and attending as many sessions as possible to uncover the latest practical insights and actionable advice for AWS resources.
Two key takeaways stood out to our team that we wanted to share with our AWS cloud users:
- A multi-cloud or layered cloud environment requires multi-layered containment for incident response, not a one-size-fits-all solution.
- To protect against attackers who change their behavior, you can use AI and ML tools to keep your security strong in a changing threat environment.
Let’s dive into each of these.
Multi-layered containment for multi-layered cloud environments
If you’ve been following along recently with our auto remediation blog series, you’ll know that no matter what defense strategies you’re using, they need to be impactful at various levels. Bad actors are crafty, so it’s critical to make sure you’re defending your environment from the many ways they’ll try to gain and maintain access to your tech.
Regarding containment in AWS, there are three key dimensions for comprehensive containment during an incident response scenario:
- Identity-based containment: preventing access to AWS users and roles at an account level.
- Resource-based containment: preventing access to resources like control policies and EC2 instances and groups.
- Network-based containment: preventing access from a source to a target, for things like firewalls and network access control lists.
This containment strategy is an effective way to protect your AWS instance(s) at every level. It applies to common real-world attacks that attempt to access EC2 instances, containers, and Lambda functions, and to successfully isolating compromised accounts with minimal security disruption.
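To make the three dimensions concrete, here is an added example (not code from Expel or AWS) that turns one constructed incident into a containment request per layer, expressed as parameters for existing boto3 methods without sending anything. The mapping of each dimension to a specific API call, the policy name, and all identifiers are assumptions chosen for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone


def build_containment_plan(incident, now=None):
    """Return one boto3-style request per containment dimension (nothing is sent)."""
    now = now or datetime.now(timezone.utc)
    net = ipaddress.ip_network(incident["source_ip"])  # raises ValueError on bad input
    cidr_key = "Ipv6CidrBlock" if net.version == 6 else "CidrBlock"

    # Identity: deny every action for sessions issued before containment time,
    # so credentials already handed out for the role stop working.
    deny_old_sessions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": now.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }
    return {
        "identity": ("iam.put_role_policy", {
            "RoleName": incident["role_name"],
            "PolicyName": "ir-revoke-older-sessions",  # hypothetical name
            "PolicyDocument": json.dumps(deny_old_sessions)}),
        # Resource: replace the instance's security groups with an isolation group.
        "resource": ("ec2.modify_instance_attribute", {
            "InstanceId": incident["instance_id"],
            "Groups": [incident["quarantine_sg"]]}),
        # Network: low-numbered NACL deny so it is evaluated before allow rules.
        "network": ("ec2.create_network_acl_entry", {
            "NetworkAclId": incident["nacl_id"], "RuleNumber": 1,
            "Protocol": "-1", "RuleAction": "deny", "Egress": False,
            cidr_key: str(net)}),
    }


# Constructed incident: every identifier below is a made-up sample value.
SAMPLE_INCIDENT = {
    "role_name": "app-deploy-role",
    "instance_id": "i-0123456789abcdef0",
    "quarantine_sg": "sg-0123456789abcdef0",
    "nacl_id": "acl-0123456789abcdef0",
    "source_ip": "203.0.113.7",
}

if __name__ == "__main__":
    for layer, (call, params) in build_containment_plan(SAMPLE_INCIDENT).items():
        print(layer, call, json.dumps(params))
```

Reviewing the generated requests before a responder applies them keeps each layer independent, so identity containment can proceed even if the network change needs approval.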
Using AI and ML to maintain a defensive posture in a constantly evolving threat landscape
It’s no secret that conversations about AI and ML are everywhere, especially on the cybersecurity conference circuit. AWS re:Inforce 2025 was no exception, but the key takeaway here was using AI and ML to fight back, much like bad actors are using it to get craftier, quicker.
There were a few key scenarios highlighted across sessions on how AWS AI and ML services can be used defensively, including:
- Active defense: Amazon Bedrock and Amazon SageMaker can be used to mimic attacker behavior based on previous incidents, allowing your org to create adaptive security responses.
- Deception environments: Amazon Bedrock, SageMaker, and Amazon Comprehend can create synthetic environments that mimic the real ones to simulate attacker behavior (and better prepare your teams for the real thing) with ECS and Kubernetes.
- AI-driven responses: Use AI to react in real time to threat actor responses in the synthetic deception environments you created.
- Implementation patterns: Prompt AI models for future active defense strategies, as well as monitoring effectiveness, to keep up with newly implemented tactics.
It was another great year at AWS re:Inforce, and we’ll continue to apply these tactical insights to how we approach protecting and securing our AWS customers. Curious about how we can protect your AWS cloud environment? Check out our AWS Mind Map kit to see how we (and you) can strengthen your cloud security.