The AWS Identity and Organizations teams launched some big improvements to IAM in 2025. Read on for a quick introduction to the six changes we think will do the most to help you secure your AWS organization and identities:

  • Enforce MFA for root users across all account types
  • Centralized root access management
  • The aws login command in the AWS CLI
  • IAM Outbound Identity Federation
  • Full IAM policy language support in SCPs
  • New policy condition keys for VPCs

Each summary links to the launch's press release (PR) and documentation (docs) so you can get started.

AWS launched 19 years ago, but they’re still making important improvements in how people authenticate to the root user and to IAM principals both in and outside of AWS.

Enforce MFA for root users across all account types

AWS now enforces multi-factor authentication of root users across all account types: standalone, management, and member (PR | docs).

Enforcing MFA on the root user raises the security baseline of every AWS account that can still be signed into as root, and reduces the likelihood of a full account or organization takeover. AWS reports that root user MFA blocks more than 99% of password-related attacks, and it costs nothing extra.

Centralized root access management

You can now easily manage root credentials and perform highly privileged actions from a central account (PR | docs).

Once root management is centralized, you can remove the root user password, access keys, signing certificates, and MFA devices from member accounts, and perform the remaining root-only tasks through short-lived root sessions from the management account (or a delegated administrator). This removes most of the toil of safeguarding root credentials, which matters in enterprises with hundreds or thousands of accounts: root access is still the only way to recover from certain lockouts, such as an S3 bucket policy or SQS queue policy that denies access to every principal.

aws login command in the AWS CLI

The new aws login command in the AWS CLI lets users start building immediately after signing up for AWS, without creating and managing long-term access keys (PR | docs). For anything beyond a single developer, though, IAM Identity Center is still the better choice.

The login flow authenticates the user in the browser as the root user, an IAM user, or an IAM role reachable through federated sign-in, and returns short-term STS credentials to the CLI. You enable it by granting signin:AuthorizeOAuth2Access and signin:CreateOAuth2Token to the IAM principals that should be able to use it.

IAM Outbound Identity Federation (STS -> JWT)

Now for a twist: authenticate to the “external” world with an AWS IAM principal. You can now use short-lived JSON Web Tokens (JWTs) to authenticate your AWS workloads to non-AWS services without storing long-term credentials, and without building your own solution on top of STS identity documents (PR | docs).

An application that already holds STS credentials can now ask AWS to issue it a JWT and present that token to other clouds (Azure, GCP), SaaS applications, and even your own services, which verify it the way they would any OIDC identity token. All of this without having to manage and protect long-term credentials.
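The part you build yourself is the receiving side: a service outside AWS must verify the token's signature against the issuer's published keys and then check the claims before mapping the token to a local identity. The Python below is an added example, not AWS code and not from the original post, of that relying-party check. It uses only the standard library: the token is constructed locally and signed with an HMAC so the example runs offline, and the issuer URL, the audience, and the assumption that the sub claim carries the caller's role ARN are placeholders. A real STS-issued token is signed asymmetrically, so in production the verify_signature callback would be a JWKS-backed verifier that checks the key ID and algorithm against the issuer's published keys.

```python
"""Relying-party validation of an inbound workload JWT (added example, not AWS code).
Signature verification is delegated to a callback so the same check works with
a JWKS-backed verifier in production; the HMAC verifier and demo key below exist
only so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time

# Placeholder values: a real deployment takes the issuer from the token's OIDC
# discovery document and the audience from its own registration with the issuer.
EXPECTED_ISS = "https://sts.example.invalid/111122223333"
EXPECTED_AUD = "https://api.partner.example"
# Assumption for this example: the sub claim carries the caller's role ARN.
ALLOWED_SUBJECTS = {"arn:aws:iam::111122223333:role/ci-deployer": "deployer"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_workload_token(token, verify_signature, now=None,
                          expected_iss=EXPECTED_ISS, expected_aud=EXPECTED_AUD):
    """Return the local principal name for a valid token; raise ValueError otherwise.
    verify_signature(header, signing_input, signature) -> bool is supplied by the caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token")          # never accept alg=none
    if not verify_signature(header, f"{h}.{p}".encode(), _b64url_decode(s)):
        raise ValueError("bad signature")           # verify before trusting any claim
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this audience")
    now = time.time() if now is None else now
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")   # short-lived by design
    subject = claims.get("sub")
    if subject not in ALLOWED_SUBJECTS:
        raise ValueError("unknown principal")
    return ALLOWED_SUBJECTS[subject]


# --- Offline stand-in for the issuer: HS256 with a shared demo key. ---
DEMO_KEY = b"demo-key-for-the-offline-example-only"


def hmac_verifier(header, signing_input, signature):
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return header.get("alg") == "HS256" and hmac.compare_digest(expected, signature)


def make_demo_token(claims, alg="HS256"):
    """Mint a constructed token; alg='none' yields an unsigned token for the negative case."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def demo_claims(**overrides):
    """Constructed claim set with a five-minute validity window."""
    claims = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "nbf": 1_700_000_000,
              "exp": 1_700_000_300, "sub": "arn:aws:iam::111122223333:role/ci-deployer"}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    token = make_demo_token(demo_claims())
    print(verify_workload_token(token, hmac_verifier, now=1_700_000_100))
```

The order of checks is deliberate: the signature is verified before any claim is read, so a forged or tampered payload is never parsed into a decision, and the audience check stops a token minted for one partner from being replayed against another.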

Full IAM policy language support in SCPs

Service control policies (SCPs) now support the full AWS IAM policy language (PR).

These changes allow you to govern your organization with more specific and concise policies. (The word ‘specific’ appears 8 times in the press release.)

Allow statements can now use:

  • Conditions to allow actions based on request context such as aws:RequestedRegion
  • Individual resource ARNs in the Resource and NotResource elements
  • The NotAction element to allow all actions except those explicitly listed

Both Allow and Deny statements can now use:

  • Wildcards at the beginning or middle of Action element strings (previously only allowed at the end)
  • The NotResource element to apply a statement to all resources except those explicitly listed

New IAM policy condition keys for VPCs

AWS introduced three new global IAM policy condition keys that help you define a network perimeter for your organization. They apply to requests that arrive through a VPC endpoint (for example, to S3 or KMS), not to requests sent to the public AWS API endpoints (PR | docs | examples).

Restricting access to a VPC endpoint used to mean maintaining lists of source VPCs or VPC endpoints allowed to reach the target, which was hard to scale across many networks.

The new condition keys enable you to control access to your VPCs based on whether the connection originated from:

AWS also recently introduced aws:SourceVpcArn (PR), which carries the ARN of the VPC that the VPC endpoint is attached to, so you can verify that a request travelled through a specific VPC and enforce controls on private access to your resources in both same-region and cross-region scenarios.
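To see how the new SCP elements and the VPC condition keys behave together, here is an added example in Python (not AWS's policy engine and not from the original post): a minimal offline evaluator that models the documented semantics of Allow/Deny, Action/NotAction, Resource/NotResource, wildcards anywhere in Action strings, and StringEquals/StringNotEquals/StringLike conditions, including the rule that a negated operator matches when the key is absent from the request context. The SCP and bucket policy are constructed; the account ID, organization ID, VPC ARN, role names and bucket names are placeholders, and aws:VpceOrgID is one of the VPC endpoint keys named in the AWS documentation. Principal elements are ignored because the evaluator only models the action, resource and condition match.

```python
"""Minimal offline evaluator for the SCP and VPC condition-key features above.
Added example: models Effect, Action/NotAction, Resource/NotResource, wildcards
anywhere in Action strings, and StringEquals/StringNotEquals/StringLike, with an
explicit Deny beating Allow and implicit deny by default. Nothing else."""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(stmt, action):
    # Action names match case-insensitively; '*' and '?' may appear anywhere.
    pats = _as_list(stmt.get("Action", stmt.get("NotAction")))
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit if "Action" in stmt else not hit


def _resource_matches(stmt, resource):
    pats = _as_list(stmt.get("Resource", stmt.get("NotResource")))
    hit = any(fnmatch.fnmatchcase(resource, p) for p in pats)
    return hit if "Resource" in stmt else not hit


def _condition_matches(stmt, context):
    # Keys inside one Condition block are ANDed; the values of one key are ORed.
    for operator, keys in stmt.get("Condition", {}).items():
        negated = operator.startswith("StringNot")
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                # Missing key: positive operators fail, negated operators succeed.
                if negated:
                    continue
                return False
            if operator.endswith("Like"):
                hit = any(fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted))
            else:
                hit = actual in _as_list(wanted)
            if hit == negated:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt, action) and _resource_matches(stmt, resource)
                and _condition_matches(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed SCP exercising the newly supported elements (placeholder identifiers).
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*",   # Allow with a Condition
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    {"Effect": "Deny", "Action": "*:Delete*", "Resource": "*",   # leading wildcard
     "Condition": {"StringNotEquals": {
         "aws:PrincipalArn": "arn:aws:iam::111122223333:role/BreakGlass"}}},
    {"Effect": "Deny", "Action": "s3:*",   # NotResource: every bucket outside corp-*
     "NotResource": ["arn:aws:s3:::corp-*", "arn:aws:s3:::corp-*/*"]},
]}

VPC_ARN = "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0abc1234"
DATA = ["arn:aws:s3:::corp-data", "arn:aws:s3:::corp-data/*"]

# Constructed bucket policy: a network perimeter built from the VPC condition keys.
# One Deny per key on purpose: keys in a single Condition block are ANDed, so one
# combined StringNotEquals would only deny when *both* keys mismatch.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::corp-data/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": DATA,
     "Condition": {"StringNotEquals": {"aws:SourceVpcArn": VPC_ARN}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": DATA,
     "Condition": {"StringNotEquals": {"aws:VpceOrgID": "o-exampleorgid"}}},
]}

if __name__ == "__main__":
    # A request over the public S3 endpoint carries neither key, so both Denys fire.
    print(evaluate(BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::corp-data/x", {}))
    print(evaluate(BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::corp-data/x",
                   {"aws:SourceVpcArn": VPC_ARN, "aws:VpceOrgID": "o-exampleorgid"}))
```

The two behaviours worth noticing are the ones that bite in production: a request that never traverses a VPC endpoint has no aws:SourceVpcArn or aws:VpceOrgID in its context, and a StringNotEquals deny therefore fires on it, which is exactly what a perimeter wants; and splitting the keys into separate Deny statements is what makes the perimeter require both conditions rather than either one.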

Honorable Mention

Here are some other identity and IAM launches you might want to check out:

  • AgentCore Identity for AI agents (docs)
  • Attribute-based access control for S3 (PR | docs)
  • Transfer accounts to a different organization directly (PR)
  • IAM Policy Autopilot: generate IAM policies from code (PR)
  • Streamline integration with partner products using IAM delegation (PR)

That’s a wrap

2025 brought meaningful improvements across three key areas: stronger root user security, simplified authentication workflows, and more expressive and scalable policy controls.

Mandatory MFA and centralized root access management reduce account takeover risk, while the aws login command and IAM Outbound Identity Federation make it easier to authenticate without long-term secrets. Full IAM policy language in SCPs and new VPC condition keys round things out by giving security teams finer-grained control across their organization.

Together, these launches reflect AWS’s efforts to simplify secure, scalable delivery and operations.