codewave.asia - Blog by Ankit Mehta

AWS re:Invent 2025

Tue, 02 Dec 2025 10:29:36 +0700

All Major Announcements

AWS re:Invent 2025 has arrived, and it's shaping up to be one of the most transformative cloud conferences in Amazon Web Services history. Running from December 1-5 at various venues across the Las Vegas Strip, including the Venetian and Caesars Forum, this year's conference brings together tens of thousands of developers, cloud architects, business leaders, and tech enthusiasts from around the globe.

The theme dominating this year's event is unmistakably Agentic AI – autonomous AI systems that can reason, make decisions, and take action independently. With over 2,300 specialized learning sessions, five major keynotes, and groundbreaking product announcements, AWS is making a bold statement about the future of cloud computing and artificial intelligence.

This comprehensive guide covers all the major announcements and innovations unveiled at re:Invent 2025, organized by category to help you understand how these developments can transform your business.

Agentic AI: The Revolution is Here

The central theme of re:Invent 2025 is Agentic AI, representing a fundamental shift from AI that merely responds to prompts to AI that can autonomously plan, execute, and complete complex multi-step tasks. AWS CEO Matt Garman emphasized during his keynote that this technology could unlock billions in productivity gains across industries ranging from healthcare to finance.

Amazon Bedrock AgentCore

Amazon Bedrock AgentCore has emerged as the cornerstone of AWS's agentic AI strategy. This comprehensive platform includes seven core services designed to help enterprises deploy and operate secure AI agents at scale:

AgentCore Runtime: Managed compute environment for running AI agents with consumption-based pricing
AgentCore Gateway: Integration layer that transforms existing APIs, Lambda functions, and services into agent-compatible tools
AgentCore Browser: Enables AI agents to interact with web interfaces programmatically
AgentCore Code Interpreter: Allows agents to write and execute code for complex problem-solving
AgentCore Memory: Short-term and long-term memory management for context-aware interactions
AgentCore Observability: Real-time monitoring and debugging with OpenTelemetry compatibility
Model Context Protocol (MCP) Support: Integration with services like Amazon EKS for context-aware Kubernetes workflows and secure agent-to-agent communication

AWS Transform with Agentic AI

AWS Transform has received significant agentic AI enhancements that help companies modernize any code and application, including custom programming languages specific to their organization. Key capabilities include:

Full-stack Windows modernization across .NET apps, SQL Server, UI frameworks, and deployment layers
Up to 70% reduction in maintenance and licensing costs
Air Canada has already used the service to modernize thousands of Lambda functions in just days, achieving an 80% reduction in time and cost

Amazon Connect Agentic Self-Service

Amazon Connect, AWS's cloud contact center service that recently crossed $1 billion in annual revenue, is receiving a major agentic AI upgrade. The new capabilities enable AI agents to understand, reason, and act across both voice and messaging channels.

Using advanced speech models, these agents can now speak with natural pacing and tone, collaborating with human agents rather than replacing them. The system listens to calls in real-time and actively helps human representatives by preparing documents or suggesting next steps.

Real-world impact: Lyft has achieved an 87% reduction in average resolution time for customer and driver support requests, with more than half resolved in less than three minutes.

AI Models and Services

Amazon Bedrock Enhancements

Amazon Bedrock continues to evolve as AWS's premier managed service for building and scaling generative AI applications. Key announcements include:

New Service Tiers: Priority, Standard, and Flex tiers allow organizations to optimize AI workload costs by matching performance requirements with pricing
Marengo 3.0 on Bedrock: TwelveLabs' video foundation model that understands full scenes, turning previously unusable video archives into searchable, structured insight. AWS is the first cloud provider to offer this model
Amazon Nova Multimodal Embeddings: Industry's first embedding model supporting text, documents, images, video, and audio through a single unified model
Claude Sonnet 4.5: Anthropic's latest model with advanced coding capabilities and agentic AI features now available in Bedrock
Amazon Nova Web Grounding: Built-in tool for Nova models that automatically retrieves and grounds responses with web content

Amazon SageMaker AI Updates

Amazon SageMaker AI continues to receive significant enhancements:

One-click onboarding with notebooks featuring built-in AI agents in Amazon SageMaker Unified Studio
New business metadata features in Amazon SageMaker Catalog to improve discoverability
Deepgram integration for streaming speech-to-text, text-to-speech, and voice agent capabilities with sub-second latency
Simplified developer access with 'aws login' command

Amazon CloudWatch AI Observability

Amazon CloudWatch now offers comprehensive observability for generative AI applications and agents, providing built-in insights into latency, token usage, and errors across your AI stack. This capability works seamlessly with Amazon Bedrock AgentCore and is compatible with open-source agentic frameworks like LangChain, LangGraph, and CrewAI.

Compute and Infrastructure

Custom Silicon: Trainium and Project Rainier

AWS continues to invest heavily in custom AI silicon. Trainium2 is now fully subscribed and has become a multi-billion dollar business growing 150% quarter-over-quarter. Key developments include:

Project Rainier: One of the world's largest AI compute clusters, now operational with nearly half a million Trainium2 chips, with plans to scale to over one million chips by end of 2025
Trainium3 Preview: Next-generation AI chip expected in late 2025, featuring 40% better performance and energy efficiency, built on a cutting-edge 3nm process
Trn2 UltraServers: Capable of scaling up to 83.2 peak petaflops, designed for training AI models with over a trillion parameters
Anthropic Partnership: Deep collaboration with Anthropic, which has chosen AWS as its primary cloud provider for training its Claude models

AWS Lambda Managed Instances

A significant serverless innovation, AWS Lambda Managed Instances allows customers to run Lambda functions on EC2 compute while maintaining serverless simplicity. This enables access to specialized hardware and cost optimizations through EC2 pricing models, with AWS handling all infrastructure management.

Amazon EKS Capabilities

New Amazon EKS capabilities for workload orchestration and cloud resource management streamline Kubernetes development with fully managed platform capabilities. Key features include:

New Provisioned Control Plane for enhanced performance
Fully managed MCP servers (preview)
Enhanced AI-powered troubleshooting in the console
Support for ultra-scale clusters of up to 100,000 nodes

New EC2 Instance Types

AWS announced the EC2 P6-B300 instances for accelerating large-scale AI applications, along with new instance types featuring Intel Xeon Scalable (Granite Rapids), AMD EPYC (Turin), and AWS Graviton processors.

Networking and Multicloud

AWS Interconnect - Multicloud with Google Cloud

In a groundbreaking move, AWS and Google Cloud have jointly engineered a multicloud networking solution that enables customers to establish private, high-bandwidth connectivity between the two cloud providers. This represents a significant evolution in cloud competition and collaboration.

Key features of AWS Interconnect - multicloud:

Fully managed, cloud-to-cloud experience provisioned quickly through the AWS Management Console or API
Pre-built capacity pools allowing organizations to create connections and adjust bandwidth as needed
Built-in resiliency and streamlined support
Open API package published on GitHub for other service providers to adopt

Amazon Route 53 Global Resolver

Now in preview, Amazon Route 53 Global Resolver provides secure anycast DNS resolution, simplifying hybrid DNS management with a unified service that resolves public and private domains globally while reducing operational overhead and maintaining consistent security controls.

Security and Developer Tools

IAM Policy Autopilot

AWS has released IAM Policy Autopilot, a new open-source MCP server that analyzes code to generate valid IAM policies. This tool provides AI coding assistants with up-to-date AWS service knowledge and reliable permission recommendations, significantly speeding up AWS development.

AWS Clean Rooms Privacy Enhancement

AWS Clean Rooms now supports privacy-enhancing synthetic dataset generation for ML model training. Organizations can train ML models on sensitive collaborative data by generating synthetic datasets that preserve statistical patterns while protecting individual privacy through configurable noise levels and protection against re-identification.

Kiro: Generally Available

Kiro, the first AI coding tool built around spec-driven development, is now generally available. Since its preview release, over 250,000 developers have embraced the tool. The GA launch introduces:

Property-based testing for spec correctness
New checkpointing capabilities
Kiro CLI bringing agents to your terminal
Enhanced agentic workflows for structured development

Strategic Partnerships

Visa Intelligent Commerce

Visa and AWS announced a major collaboration to enable AI agents to securely complete multi-step transactions, from shopping to price tracking to payments. The companies will publish open blueprints on the Amazon Bedrock AgentCore repository for retail shopping, travel booking, and payment reconciliation.

Partners reviewing blueprint designs include Expedia Group, Intuit, lastminute.com, and Eurostars Hotel Company. The collaboration envisions use cases like instructing an AI agent to "Buy me basketball game tickets if the price drops below $150."

BlackRock Aladdin on AWS

BlackRock confirmed that Aladdin, its industry-recognized investment management technology platform, will run on AWS infrastructure for US enterprise clients starting in the second half of 2026. This gives financial institutions greater flexibility in deploying risk modeling, analytics, and investment decision-making tools.

Other Key Partnerships

Nissan: Deploying its Nissan Scalable Open Software Platform on AWS, achieving 75% faster testing with over 5,000 developers collaborating globally
Deepgram: Integrating enterprise speech AI into SageMaker, Amazon Connect, and Amazon Lex
Trane Technologies: Using AI to achieve nearly 15% energy reductions at Amazon Grocery fulfillment sites
S&P Global: Using MCP integrations to enable clients to query complex financial data using AI agents
CrowdStrike: Enhanced Falcon Next-Gen SIEM tool offered via AWS Marketplace with simplified deployment
OpenAI: Multi-year strategic partnership with a $38 billion, 7-year commitment to run and scale workloads on AWS

Infrastructure Investments

AWS is making massive infrastructure investments to support AI workloads:

$15 Billion Indiana Investment: Building new data center campuses in Northern Indiana to advance AI innovation
$50 Billion Government Infrastructure: Expanding AI and supercomputing infrastructure for US government agencies, providing access to Amazon SageMaker AI, Amazon Bedrock, and Amazon Nova
Fastnet Transatlantic Cable: Dedicated high-capacity cable connecting the US and Ireland
Power Expansion: Added over 3.8 gigawatts of power in the past 12 months, with plans to double capacity by 2027
Custom Liquid Cooling: Designed a completely custom liquid cooling system in just 11 months to support denser, more powerful AI chips

Customer Success Stories

Real-world deployments demonstrate the transformative potential of AWS's new capabilities:

Lyft: 87% reduction in support resolution time using Claude-powered intent agents
Zepz: 30% contact deflection while processing $16 billion in transactions
TUI Group: Migrated 10,000 agents across 12 European markets, cutting operating costs by 10%
UC San Diego Health: Integrated Epic EHR for self-service patient authentication
Air Canada: Modernized thousands of Lambda functions in days with 80% time and cost reduction

Additional Announcements

AWS Partner Central in Console

AWS Partner Central is now available directly in the AWS Management Console, allowing partners to manage solutions, opportunities, and marketplace listings in one unified interface with enterprise-grade security.

Amazon Quick Suite

Amazon Quick Suite is a new agentic AI application designed to cut through fragmented information, siloed applications, and repetitive tasks. S&P Global clients can now query complex financial and energy data using AI agents embedded inside Quick Suite.

AWS Marketplace Updates

AWS Marketplace is adding AI-powered search and flexible pricing models to help customers piece together AI solutions from multiple vendors, making it easier to build comprehensive AI stacks.

Agentic AI Competency Program

AWS has launched a new "Agentic AI" competency program for partners, designed to recognize firms building autonomous systems rather than simple chatbots.

Key Takeaways for 2025 and Beyond

Agentic AI is Production-Ready: Companies are already deploying AI agents that reason, decide, and act autonomously, with measurable ROI across industries
Custom Silicon is Strategic: Trainium is becoming central to AWS's AI strategy, with Trainium3 promising even better price-performance ratios
Multicloud is Embraced: The AWS-Google Cloud partnership signals that interoperability is becoming a competitive advantage, not a weakness
Enterprise AI is Mainstream: With companies like BlackRock, Visa, and Nissan making major commitments, enterprise AI adoption is accelerating
Developer Experience Matters: Tools like Kiro, IAM Policy Autopilot, and enhanced observability show AWS's commitment to making AI development accessible

The Silent Majority of Risk: Why Non-Human Identity Governance is Your Organization's Biggest Security Blind Spot

Sun, 30 Nov 2025 07:48:45 +0700

We've all heard the phrase: "Identity is the new perimeter."

But here's the uncomfortable truth most security teams are missing — the perimeter isn't being breached by compromised employee credentials or phishing attacks. It's being breached by the identities you don't even know exist: Non-Human Identities (NHIs). ( APIs. Service accounts. Machine credentials. Bot tokens. IoT device certificates. Container orchestration keys. )

These digital identities power every modern enterprise. They enable automation, orchestration, and the seamless integration that businesses depend on. But they've also become the fastest-growing attack vector in cybersecurity — and most organizations have zero governance over them.

The numbers are staggering: 70% of security breaches now involve Non-Human Identities.

What Are Non-Human Identities?

Non-Human Identities (NHIs) are digital credentials that allow machines, applications, and automated processes to authenticate and communicate with each other. Unlike human users who log in with usernames and passwords, NHIs operate silently in the background, enabling critical business functions.

Common types of NHIs include:

API Keys: Credentials that allow applications to access external services
Service Accounts: Automated accounts used by applications to perform tasks
Machine Certificates: Digital certificates for server-to-server authentication
Bot Credentials: Authentication tokens for automated processes and RPA
IoT Device Tokens: Credentials embedded in connected devices
Container Secrets: Authentication data used in Kubernetes and Docker environments
CI/CD Pipeline Tokens: Credentials used in automated deployment processes

The Scale of the Problem

Here's what makes NHI security so challenging:

1. NHIs Outnumber Human Users 10:1

In a typical enterprise environment, Non-Human Identities outnumber human users by a factor of ten or more. A company with 1,000 employees might have 10,000+ machine identities operating across their infrastructure.

Traditional Identity and Access Management (IAM) solutions were never designed to handle this scale.

2. NHIs Have Elevated Privileges

Unlike human users who typically have role-based access, many service accounts and API keys are provisioned with broad, standing privileges. A single compromised service account often has more access than any individual employee — making it the perfect target for attackers seeking lateral movement.

3. NHIs Are Rarely Rotated or Monitored

Human passwords have rotation policies. Human access is reviewed periodically. But NHIs? They're often created once and forgotten.

Our research shows the average NHI credential age exceeds 3 years without rotation. Some organizations have service accounts that haven't been updated in over a decade.

4. NHIs Are Increasingly Targeted by Attackers

Sophisticated threat actors have recognized this vulnerability. Recent attack patterns show a deliberate shift toward targeting machine identities for:

Persistence: NHIs provide long-term access without triggering user-based security alerts
Privilege Escalation: Service accounts often have admin-level access
Lateral Movement: Machine-to-machine trust relationships create pathways across the network
Data Exfiltration: API keys can provide direct access to sensitive data stores

Real-World Impact: The Cost of NHI Compromise

The consequences of NHI security failures are severe and increasingly common.

Case Study: The Moneyview Breach (October 2025)

On October 27, 2025, Dubai-based attackers exploited compromised API keys to extract approximately $5.8 million USD from Moneyview — a leading Indian fintech platform — in just three hours.

The attack vector? A single Non-Human Identity with access to critical financial systems. No phishing required. No social engineering. Just one ungoverned machine credential.

This isn't an isolated incident. Major breaches at companies across healthcare, finance, and technology sectors have traced back to compromised service accounts and API keys.

The Compliance Dimension

NHI governance isn't just a security concern — it's increasingly a compliance requirement.

ISO 27001

The updated ISO 27001 framework now explicitly addresses machine identity management as part of access control requirements. Organizations pursuing or maintaining certification must demonstrate governance over all identity types.

SOC 2

SOC 2 Type II audits are beginning to include questions about service account lifecycle management, API key rotation policies, and machine identity inventory.

Industry-Specific Regulations

Financial services (PCI-DSS), healthcare (HIPAA), and government contractors (FedRAMP) all have evolving requirements around identity governance that extend to Non-Human Identities.

The compliance gap is real: Organizations that fail to govern NHIs are increasingly finding themselves flagged during audits.

The Three Phases of an NHI Breach

Understanding how attackers exploit Non-Human Identities is crucial for defense. Most NHI breaches follow a predictable pattern:

Phase 1: Discovery

Attackers scan for exposed credentials through:

Public code repositories (GitHub, GitLab, Bitbucket)
Misconfigured cloud storage (S3 buckets, Azure blobs)
Leaked configuration files
Dark web credential markets
Social engineering of DevOps teams

Phase 2: Exploitation

Once credentials are obtained, attackers:

Test API keys for valid access
Map the scope of service account permissions
Identify high-value targets accessible through the credential
Establish persistence mechanisms

Phase 3: Lateral Movement and Exfiltration

With a foothold established, attackers:

Leverage machine-to-machine trust relationships
Pivot to additional systems using the compromised identity's access
Extract sensitive data
Deploy ransomware or establish long-term presence

Building an NHI Governance Framework

Addressing NHI security requires a comprehensive governance approach. Here's the framework we recommend:

1. Discovery and Inventory

You can't secure what you don't know exists. The first step is comprehensive discovery:

Scan all repositories for embedded credentials
Inventory service accounts across cloud and on-premise systems
Map API integrations and their associated keys
Identify IoT devices and their authentication mechanisms
Catalog CI/CD pipeline credentials

2. Classification and Risk Assessment

Not all NHIs carry equal risk. Classify based on:

Access level: What systems and data can this identity access?
Business criticality: What processes depend on this identity?
Exposure risk: Is this credential at risk of exposure?
Compliance impact: Does this identity touch regulated data?

3. Policy Implementation

Establish clear policies for NHI lifecycle management:

Provisioning: Least-privilege access by default
Rotation: Automated credential rotation schedules
Monitoring: Real-time alerting on anomalous NHI behavior
Deprovisioning: Clear processes for retiring unused credentials

4. Continuous Monitoring and Audit

NHI governance isn't a one-time project:

Implement continuous monitoring for credential misuse
Regular access reviews for service accounts
Automated alerting for policy violations
Periodic audits against compliance frameworks

Why Traditional IAM Falls Short

If your organization has invested in Identity and Access Management solutions, you might wonder why NHI security requires special attention.

The reality is that traditional IAM was designed for human users:

Authentication flows assume interactive login
Access reviews are built around human managers
Lifecycle management follows HR processes (onboarding, role changes, offboarding)
Risk scoring is based on human behavior patterns

NHIs don't fit these models. They don't have managers. They don't change roles. They don't exhibit "normal" behavior patterns. They need purpose-built governance.

Taking Action: Your Next Steps

Addressing NHI security can seem overwhelming, but progress is possible with a structured approach:

Immediate Actions (This Week)

Audit your public repositories for exposed credentials
Inventory service accounts with admin-level privileges
Identify API keys that haven't been rotated in 12+ months

Short-Term Initiatives (This Quarter)

Implement secrets management for new projects
Establish rotation policies for critical credentials
Deploy monitoring for service account activity

Strategic Program (This Year)

Build comprehensive NHI inventory across all systems
Implement governance framework with clear policies
Integrate NHI security into compliance programs

Learn More: Join Our Free Webinar

Want to dive deeper into Non-Human Identity governance?

Codewave and StackGuard are hosting a free educational webinar:

The Silent Majority of Risk: Mastering Non-Human Identity Governance

Date: 10 December 2025 (Wednesday)

Time: 2:00 PM ICT | 3:00 PM SGT

Duration: 45 minutes (35-minute deep-dive + Live Q&A)

Cost: FREE

What You'll Learn:

The NHI threat landscape with real-world data
Compliance implications for ISO27001, SOC2, and industry frameworks
The three phases of an NHI breach and how to defend against each
A practical governance framework you can implement immediately

Featured Speakers:

Kapil Jain, CEO — StackGuard
Ankit Mehta, CEO — Codewave

🎁 Bonus: Attendees get a chance to win an Amazon Gift Card!

AWS CodeCommit Rises from the Dead: What This Tells Us About Customer Voice in Cloud

Mon, 24 Nov 2025 16:11:07 +0700

When AWS quietly deprecated CodeCommit in July 2024, I'll admit - I wasn't surprised. The writing had been on the wall. GitHub and GitLab had already won the developer mindshare battle, and AWS seemed to be cleaning house under new CEO Matt Garman. CodeCommit was slow, feature-poor, and frankly, felt like an afterthought in AWS's sprawling service catalog.

What I didn't expect was this: AWS just brought it back.

Yesterday, AWS announced CodeCommit's return to full general availability. Not just maintaining it for existing customers, but actively investing in it with Git LFS support coming in Q1 2026 and regional expansions planned. This is remarkable, and it says something important about where cloud computing is heading.

Why This Matters

Here's what AWS learned that we've been telling our clients for years: integration depth matters more than feature richness when you're operating at scale.

CodeCommit never had the slickest UI or the most advanced collaboration features. What it had was something far more valuable for enterprise teams - seamless IAM integration, VPC endpoint support, CloudTrail logging, and native connectivity with CodePipeline and CodeBuild. For teams in regulated industries or those running complex AWS-native architectures, that integration isn't just convenient. It's often the difference between a compliant system and a compliance headache.

When we work with clients on cloud migration and DevOps implementations, we see this pattern constantly. The "best" tool on paper often loses to the one that fits naturally into your existing infrastructure. CodeCommit wasn't competing with GitHub on developer experience. It was solving a different problem - giving AWS-centric teams a repository solution that spoke the same security and governance language as the rest of their stack.

The Broader Signal

This reversal tells us something bigger about the current state of cloud services. AWS listened to their customers and reversed course. In an industry where deprecation announcements usually mean "start planning your exit," this is almost unprecedented.

The feedback AWS received was clear: customers in regulated industries couldn't easily replicate CodeCommit's tight AWS integration with third-party providers. When you're dealing with strict compliance requirements, having your source control behind the same IAM policies and VPC configurations as your compute infrastructure isn't a nice-to-have. It's fundamental architecture.

This is exactly the kind of consideration that should drive your DevOps and DevSecOps strategy. At Codewave, we constantly evaluate whether a service's ecosystem fit outweighs its standalone capabilities. Sometimes the answer is yes - use the integrated AWS service. Sometimes it's no - the specialized third-party tool is worth the integration overhead. But you can't make that call without understanding both your compliance requirements and your operational complexity.

What We're Watching

AWS promised Git LFS support - their most requested feature. That's huge for teams managing design assets, ML models, or any workflow involving large binaries. The regional expansion to eu-south-2 and ca-west-1 also signals they're serious about making this globally viable.

But here's what I'm really watching: whether AWS can move fast enough. The deprecation announcement caused real damage. Teams spent time and resources planning migrations. Some completed them. Trust was broken. AWS acknowledged this and apologized, which is commendable. But rebuilding that trust means consistent investment and clear communication going forward.

For Our Clients

If you're currently using CodeCommit - this is good news. The uncertainty is over, and there's now a roadmap.

If you migrated away - don't feel pressured to migrate back. GitHub, GitLab, and Bitbucket are excellent platforms. The right choice depends on your specific architecture, team preferences, and compliance requirements.

If you're evaluating options - CodeCommit is back on the table, especially if you're heavily invested in AWS services and need that deep integration. But have the conversation about whether that integration is truly valuable for your use case or just convenient.

The Real Lesson

The CodeCommit story isn't really about Git repositories. It's about listening to customers and understanding that in enterprise cloud infrastructure, integration patterns matter as much as features. It's about AWS recognizing that even "small" services can be critical to specific customer segments.

For those of us building and migrating cloud architectures, it's a reminder to look beyond surface-level feature comparisons. The best solution is the one that fits your broader ecosystem, compliance requirements, and operational model - not the one with the most GitHub stars.

AWS brought CodeCommit back because customers made it clear they needed an AWS-native repository solution. That's customer feedback working exactly as it should. Now let's see if AWS can turn this resurrection into something worth keeping alive.

Thoughts on AWS's reversal? Have questions about whether CodeCommit makes sense for your architecture? Let's discuss in the comments or reach out directly - we're always happy to talk through cloud strategy decisions.

Let's Connect