As 2025 winds down, I’ve been reflecting on some of my favorite AWS announcements this year.


AWS Management Console now supports simultaneous sign-in for multiple AWS accounts


When I shared this with the team, I wrote, "This is probably the most important AWS announcement of our time". Frankly, I’m shocked it wasn't a re:Invent announcement in 2024. This has been one of the most frequent feature requests from anyone I know who works with the AWS Management Console.

Now, is it perfect? No. I mean, you're still limited to 5 accounts, and there are still some quirks: some services can only be loaded on one account at a time. Inspector is the one that comes to mind as the most annoying. But even then, it's not that much of a hassle.

This also spares you from all kinds of weird workarounds, like having multiple private windows open, each with its own AWS Management Console, which was probably the source of at least one incident in my career. Another is installing a sketchy browser extension, which, given all the supply chain attacks lately, is probably pretty risky to do in 2026.


Amazon S3 Block Public Access now supports organization-level enforcement


Here's a really great feature update. Block Public Access was already a great release when it was added in 2018, and it was then made the default setting in 2023.

I'm hoping to see more organization-level security controls added, similar to this one. Maybe MFA delete, or possibly a similar control for RDS that prevents public RDS instances by default across the organization. You can do these types of things with SCPs and RCPs, but a single switch reduces complexity by a lot and makes it more likely to be adopted.


AWS Organizations supports full IAM policy language for service control policies (SCPs)


Speaking of service control policies, it's hard to think that before September SCPs were essentially just fancy permissions booleans. I don't hear about many companies using SCPs, and I like to think the reason was the limitation of the language before this update.

Now, I can author a single SCP that globally blocks SageMaker while using IAM‑style conditions to exempt my ML OU and my data-scientist roles, rather than relying solely on OU placement and multiple per‑account/role policies.

The more granular permissions and other capabilities, due to the full language support, lower the barrier to entry and make SCPs more appealing.
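The single SCP described above, sketched as an added example (not from the AWS announcement or any real organization). The organization, root and OU ids and the role-name pattern are placeholders, and "exempt" is read here as: in the ML OU or using a data-scientist role. The small evaluator models only this one statement so the exemption logic can be checked before the policy is attached.

```python
import json
from fnmatch import fnmatchcase

# Placeholders (assumptions, not from the post): organization, root and OU ids,
# and the naming pattern used for data-scientist roles.
ML_OU_PATH = "o-exampleorgid/r-exam/ou-exam-mlexample/*"
DS_ROLE_ARN = "arn:aws:iam::*:role/data-scientist-*"

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySageMakerOutsideMLOUAndDSRoles",
        "Effect": "Deny",
        "Action": "sagemaker:*",
        "Resource": "*",
        # Both condition operators must match for the Deny to apply, so a
        # principal is exempt if it is in the ML OU OR uses a data-scientist role.
        "Condition": {
            "ForAllValues:StringNotLike": {"aws:PrincipalOrgPaths": [ML_OU_PATH]},
            "ArnNotLike": {"aws:PrincipalArn": [DS_ROLE_ARN]},
        },
    }],
}

def policy_json():
    """Serialized policy document, as it would be pasted into an SCP."""
    return json.dumps(SCP, indent=2)

def scp_denies(action, principal_arn, org_paths):
    """Model of this one statement only, not the full IAM evaluation engine."""
    stmt = SCP["Statement"][0]
    cond = stmt["Condition"]
    # IAM action names are case-insensitive.
    if not fnmatchcase(action.lower(), stmt["Action"].lower()):
        return False
    ou_patterns = cond["ForAllValues:StringNotLike"]["aws:PrincipalOrgPaths"]
    # ForAllValues: every path in the request must fail to match every pattern.
    outside_ml_ou = all(
        not any(fnmatchcase(path, pat) for pat in ou_patterns)
        for path in org_paths
    )
    arn_patterns = cond["ArnNotLike"]["aws:PrincipalArn"]
    not_ds_role = not any(fnmatchcase(principal_arn, pat) for pat in arn_patterns)
    return outside_ml_ou and not_ds_role
```

To require both the ML OU and a data-scientist role instead, split the two conditions into two separate Deny statements.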


AWS Certificate Manager introduces public certificates you can use anywhere


This announcement removes one thing that I always praised Azure over AWS for. Azure Key Vault could do this at least as far back as 2019, which is when I first encountered the capability. This is a full year after I ran into the limitation of not being able to export ACM certs.

I never understood why it took so long for AWS to catch up here. I've heard various excuses, primarily that it prevents people from migrating, but I never bought that. If I wanted to migrate away from AWS, I'd probably have enough money to just buy another cert somewhere else and notify my customers that my cert is changing too, since surely they would already be notified of me moving cloud providers.


AWS Secrets Manager announces managed external secrets


This is definitely a niche feature, but it's one that makes a big difference. Most SaaS companies use Snowflake and Salesforce [Citation-needed]. The fact that you can now rotate those secrets using a native AWS service is a huge deal, especially given all the Salesforce activity lately.


AWS Client VPN is now supporting MacOS Tahoe


This is one that still makes me laugh. It's not necessarily a major announcement or even one that I felt warranted an announcement. The date here is October 10, 2025, a full 25 days after Tahoe was released. As a daily user of the Client VPN service and someone who typically updates MacOS versions on day 1 in order to avoid the IT compliance hammer, I hadn't noticed any oddness or issues beyond the usual. Put another way, Tunnelblick and Viscosity are still miles better and I wish AWS Client VPN supported either of them. 🤷


2025 was a strong year for AWS. I’ve left out several great launches: the MCP servers, the Security Hub redesign, and AgentCore among them. With 2026 around the corner, I’m excited to see what’s next.