AWS re:Invent 2025 - Protecting Your Infrastructure with Amazon Threat Intelligence (SEC311)
Source: Dev.to
Overview
In this session, the presenters explain how AWS leverages massive‑scale threat intelligence to protect customer workloads. Key points include:
- AWS sees roughly 60 % of the global internet each day (≈ 2.6 billion IPv4 addresses).
- The platform processes 6 billion security telemetry events per second from sources such as VPC Flow Logs, DNS queries, API logs, and the MadPot honeypot fleet.
- Threat intelligence is integrated into native AWS security services, allowing customers to benefit from global visibility without operational overhead.
AWS Scale and Visibility
Global Internet Visibility
- Internet coverage: AWS interacts with about 2.6 billion of the 4 billion IPv4 addresses daily.
- Network flow data: ~4.8 billion flows per second are observed at the networking stack.
- DNS telemetry: ~34 million DNS requests per second provide insight into domain resolutions.
- API activity: ~100 million AWS API requests per second give visibility into service usage and authentication events.
- Host telemetry: ~1 billion host‑level events per second (process starts/stops, etc.) are collected from Amazon‑owned hosts.
Data Sources
| Source | Approx. Volume | What It Reveals |
|---|---|---|
| VPC Flow Logs / Network Flow | 4.8 B flows/s | IP‑to‑IP, port, protocol, and internal mapping to accounts/instances |
| DNS Queries | 34 M req/s | Domains accessed, resolved IPs, potential malicious domains |
| AWS API Logs | 100 M req/s | Service calls, credential usage, anomalous API patterns |
| MadPot Honeypots & Dark‑Space Monitoring | — | Elicits malicious traffic, identifies active threat actors |
| Host Telemetry Agents | 1 B events/s | Process activity, system calls, potential malware execution |
Threat Categories
- Network Reconnaissance – AWS blocks ≈ 20 000 malicious IPs per minute based on reconnaissance patterns.
- Compromised Credentials – Account takeover attempts using stolen or leaked credentials make up ≈ 2/3 of security incidents.
- Malware Detection – Continuous analysis of host telemetry and network traffic surfaces malicious binaries and command‑and‑control communications.
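The table of data sources and the three threat categories above describe, in effect, one pipeline: an indicator set (known-bad IPs and domains) applied to flow, DNS and API telemetry, plus a behavioural rule for reconnaissance. The script below is an added example written for this summary; it is not code from the SEC311 session or from any AWS service, and the finding labels are our own, not GuardDuty finding types. It assumes the default 14-field VPC Flow Log record layout, the `query_name`/`srcaddr`/`srcids` fields of Route 53 Resolver query logs and the `sourceIPAddress`/`userIdentity.accessKeyId` fields of CloudTrail records; the indicator set, the port-scan threshold and every log line are constructed sample data. It goes slightly beyond the text by running all three telemetry types through the same indicator check so the outputs can be compared side by side.

```python
"""Apply a threat-intel indicator set to flow, DNS and API telemetry.

Added example for the SEC311 summary; not AWS or session code. All
indicators and log lines are constructed, using documentation IP ranges
and .invalid domains so nothing here points at real infrastructure.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed indicator set standing in for a curated intel feed.
MALICIOUS_IPS: Set[str] = {"198.51.100.7", "203.0.113.250"}
MALICIOUS_DOMAINS: Set[str] = {"c2.example.invalid", "dropper.example.invalid"}

# Assumption for this example: one external source touching this many
# distinct destination ports on a single host in the window is a port scan.
SCAN_PORT_THRESHOLD = 10


@dataclass(frozen=True)
class Finding:
    category: str  # "Category:Detail" label; naming is ours, not GuardDuty's
    subject: str   # the internal host, instance or access key concerned
    detail: str


def parse_flow_log(lines: Iterable[str]) -> Iterable[dict]:
    """Parse VPC Flow Log records in the default (version 2) 14-field format."""
    for line in lines:
        f = line.split()
        # Skip headers and NODATA/SKIPDATA rows, whose address/port fields are "-".
        if len(f) != 14 or f[0] != "2" or f[13] != "OK":
            continue
        yield {"src": f[3], "dst": f[4], "dstport": int(f[6]), "action": f[12]}


def flow_findings(lines: Iterable[str]) -> List[Finding]:
    """Known-bad peers (one finding per src/dst pair) and port-scan detection."""
    findings: List[Finding] = []
    ports_seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    reported: Set[Tuple[str, str]] = set()
    for r in parse_flow_log(lines):
        pair = (r["src"], r["dst"])
        ports_seen[pair].add(r["dstport"])
        bad = next((ip for ip in pair if ip in MALICIOUS_IPS), None)
        if bad and pair not in reported:
            reported.add(pair)
            victim = pair[1] if bad == pair[0] else pair[0]
            findings.append(Finding("Intel:KnownBadIP", victim,
                                    f"{r['action']} traffic with {bad}"))
    # Reconnaissance: distinct destination ports per (source, target) pair.
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(Finding("Recon:PortScan", dst,
                                    f"{src} probed {len(ports)} distinct ports"))
    return findings


def dns_findings(lines: Iterable[str]) -> List[Finding]:
    """Flag resolutions of indicator domains; Resolver logs use a trailing dot."""
    findings: List[Finding] = []
    for line in lines:
        rec = json.loads(line)
        domain = rec["query_name"].rstrip(".").lower()
        if domain in MALICIOUS_DOMAINS:
            subject = rec.get("srcids", {}).get("instance") or rec["srcaddr"]
            findings.append(Finding("Malware:C2Domain", subject, f"resolved {domain}"))
    return findings


def api_findings(lines: Iterable[str]) -> List[Finding]:
    """Flag API calls whose source IP is a known-bad address (credential misuse)."""
    findings: List[Finding] = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("sourceIPAddress") in MALICIOUS_IPS:
            key = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
            findings.append(Finding("CredentialCompromise:KnownBadSourceIP", key,
                                    f"{rec['eventName']} from {rec['sourceIPAddress']}"))
    return findings


def analyze(flow: Iterable[str], dns: Iterable[str], api: Iterable[str]) -> List[Finding]:
    return flow_findings(flow) + dns_findings(dns) + api_findings(api)


# --- constructed sample telemetry -------------------------------------------
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 5432, 8080]
FLOW_LOG_SAMPLE = [
    f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51000 {p} 6 1 40 "
    f"1700000000 1700000060 REJECT OK" for p in SCAN_PORTS
] + [
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 192.0.2.10 44321 443 6 20 4800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e5f6a7b 10.0.1.30 203.0.113.250 39211 443 6 15 1900 1700000000 1700000060 ACCEPT OK",
]
DNS_LOG_SAMPLE = [
    '{"query_name":"c2.example.invalid.","query_type":"A","srcaddr":"10.0.1.30","srcids":{"instance":"i-0abc123def456"}}',
    '{"query_name":"updates.example.com.","query_type":"A","srcaddr":"10.0.1.20","srcids":{"instance":"i-0111222333444"}}',
]
API_LOG_SAMPLE = [
    '{"eventName":"ListBuckets","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}',
    '{"eventName":"DescribeInstances","sourceIPAddress":"10.0.1.20","userIdentity":{"accessKeyId":"ASIAEXAMPLE0000002"}}',
]

if __name__ == "__main__":
    for f in analyze(FLOW_LOG_SAMPLE, DNS_LOG_SAMPLE, API_LOG_SAMPLE):
        print(f"{f.category:40} {f.subject:20} {f.detail}")
```

On the sample data this yields five findings: the scanned host and the beaconing host each get an `Intel:KnownBadIP` finding, the scanned host additionally gets `Recon:PortScan`, the instance resolving the C2 domain gets `Malware:C2Domain`, and the access key used from the known-bad address gets `CredentialCompromise:KnownBadSourceIP`. Deduplicating per source/destination pair matters in practice: the 12 scan records would otherwise produce 12 identical intel hits and bury the single reconnaissance finding that carries the real signal.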
Integration with Native AWS Security Services
AWS threat intelligence feeds directly into several managed services, enabling customers to apply global insights locally:
- Amazon GuardDuty – Detects anomalous activity using threat‑intel feeds (e.g., known malicious IPs, credential compromise).
- AWS WAF & AWS Network Firewall – Managed rule groups such as Active Threat Defense and Account Takeover Prevention block malicious web traffic.
- Amazon Route 53 DNS Firewall – Blocks resolution of known malicious domains.
- Amazon Inspector – Uses intel to prioritize vulnerability findings related to active threats.
These services add no operational overhead of their own: customers enable the relevant service (for example, GuardDuty findings) or attach the managed rule group, and the threat intelligence is applied for them.
Takeaways
- Leverage AWS’s global visibility: Even without deep security expertise, customers can protect workloads by enabling native services that consume AWS threat intelligence.
- Focus on high‑impact threats: Prioritize defenses against network reconnaissance, credential compromise, and malware—areas where AWS sees the most activity.
- Use managed rule groups: Activate pre‑built protections (e.g., Active Threat Defense) to get immediate coverage.
- Continuous improvement: AWS keeps refining its intel pipelines, so tracking service enhancements keeps protection current.