This week, we’re at re:Invent 2025 announcing new capabilities and highlighting some of the impactful work we’ve done in partnership with AWS this year. Together, we’re helping customers handle the growing demands of AI-driven workloads with simpler automation, stronger guardrails, and faster, more efficient operations. Let’s look at some of the key announcements and developments.
»Pre-written Sentinel policies for AWS PCI DSS
Many organizations face slow, costly compliance cycles that delay releases and complicate cloud adoption. Platform teams that use Terraform, particularly in highly regulated industries, are adopting policy as code in their infrastructure workflows to enforce security guardrails across the organization in a standardized, low-friction way.
Writing policies from scratch is time-consuming, however. To address this, HashiCorp and AWS have worked together on a set of pre-written Sentinel policies for industry standards such as CIS and NIST that serve as a starting point for organizations adopting policy as code.
Building on this, we are announcing a new set of policies for the Payment Card Industry Data Security Standard (PCI DSS). These policy sets translate PCI DSS requirements into ready-to-use, enforceable guardrails in Terraform, allowing customers to:
- Automatically enforce PCI DSS controls across their AWS environments
- Reduce manual audit preparation, since the policy code itself documents which controls are enforced
- Ensure infrastructure changes align with governance standards before they reach production
Because the policy sets are maintained and validated by HashiCorp and AWS, organizations can accelerate audit readiness with greater confidence and less operational overhead. Like the CIS and NIST sets, these policies are a validated starting point: they let teams build securely from the start and spare them writing and maintaining most custom policy code.
Learn more about the library of pre-built policies covering security, compliance, and operational efficiency, co-developed by HashiCorp and AWS.
»AWS Secrets Manager correlation and S3 scanning in HCP Vault Radar
Today, we’re announcing an update to HCP Vault Radar that delivers stronger, more automated protection against secret sprawl across AWS environments. AWS Secrets Manager correlation in HCP Vault Radar is now generally available (GA), and Amazon S3 scanning is available as a public beta.
Vault Radar gives customers deeper visibility into where their sensitive credentials are, and whether they are properly secured. Today’s expanded capabilities are critical as organizations scale their cloud footprint and rely more heavily on automation and distributed development workflows.
AWS Secrets Manager correlation enables Vault Radar to automatically detect when Secrets Manager values are duplicated or exposed, even when they surface outside AWS-native services. By identifying the presence of these secrets in Git repositories, CI/CD pipelines, logs, chats, wikis, or container images, teams can quickly distinguish between legitimate use and unintended leakage, improving the accuracy of alert severity and speeding remediation.
The addition of S3 scanning extends visibility into one of the most common — and often overlooked — sources of accidental exposure. Vault Radar can now inspect S3 buckets, including large or legacy datasets, to uncover plaintext secrets that may have accumulated over time in data lakes, log archives, and AI training assets.
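As an added illustration of the correlation idea in the two paragraphs above (this is not Vault Radar's code and makes no claim about how Radar works internally), the Python below shows how a generic secret scanner's hits can be attributed to a specific managed secret: a scanner finds token-like strings in artifacts, compares them against keyed fingerprints of the known Secrets Manager values, and sets severity by what a hit correlates to. A plaintext match to a managed value is a confirmed exposure; a reference by ARN is legitimate use; a random-looking token that matches nothing is an unverified candidate. The HMAC fingerprint design, the key, every ARN and value, and the sample artifacts (a diff hunk, a CI log line, a wiki page and two S3 object bodies) are all constructed for this example.

```python
"""Correlating generic secret-scanner hits with a known Secrets Manager inventory.

Added illustration of the correlation idea; not HCP Vault Radar code and no claim
about Radar's internals. Assumed design: the scanner is handed keyed fingerprints
(HMAC-SHA256) of the managed secret values rather than the plaintext, so a match
attributes a hit to a Secrets Manager ARN without the scanner ever carrying the
secret itself. All ARNs, values and artifacts below are constructed sample data.
"""
import hashlib
import hmac
import math
import re
from collections import Counter

# Constructed Secrets Manager inventory: ARN -> current secret value (all fake).
KNOWN_SECRETS = {
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/payments/db-AbCdEf":
        "pg_PaymentsDb_9f8e7d6c5b4a3f2e1d0c",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api/stripe-GhIjKl":
        "sk_live_Q7rT2mN8vK4pL9xB3wJ6",
}

# Assumed: a per-deployment key so short secrets cannot be brute-forced from fingerprints.
FINGERPRINT_KEY = b"replace-with-a-kms-backed-random-key"

ARN_RE = re.compile(r"arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+")
CANDIDATE_RE = re.compile(r"[A-Za-z0-9_\-]{16,}")  # token-like runs worth fingerprinting
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking tokens score well above this


def fingerprint(value: str) -> str:
    """Keyed hash of a secret value; only this, never the plaintext, reaches the scanner."""
    return hmac.new(FINGERPRINT_KEY, value.encode(), hashlib.sha256).hexdigest()


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_index(secrets: dict) -> dict:
    """fingerprint -> ARN, built where the plaintext is available (inside the account)."""
    return {fingerprint(value): arn for arn, value in secrets.items()}


def scan(location: str, text: str, index: dict) -> list:
    """Return findings for one artifact, with severity set by what each hit correlates to."""
    findings = []
    for m in ARN_RE.finditer(text):
        # Referencing the secret by ARN is how code is supposed to use it: legitimate, not a leak.
        findings.append({"location": location, "kind": "arn-reference",
                         "arn": m.group(0), "severity": "info"})
    for m in CANDIDATE_RE.finditer(text):
        token = m.group(0)
        arn = index.get(fingerprint(token))
        if arn is not None:
            # Plaintext of a live managed secret outside Secrets Manager: confirmed exposure.
            findings.append({"location": location, "kind": "managed-secret-exposed",
                             "arn": arn, "severity": "critical"})
        elif shannon_entropy(token) > ENTROPY_THRESHOLD:
            # Looks like a credential but matches nothing we manage: still worth triage.
            findings.append({"location": location, "kind": "unverified-candidate",
                             "arn": None, "severity": "medium"})
    return findings


def correlate(artifacts: dict, secrets: dict) -> list:
    """Scan every artifact and attribute hits to managed secrets where possible."""
    index = build_index(secrets)
    findings = []
    for location, text in artifacts.items():
        findings.extend(scan(location, text, index))
    return findings


# Constructed artifacts standing in for a git diff, a CI log, a wiki page and S3 objects.
SAMPLE_ARTIFACTS = {
    "git:payments-api:diff": '+DB_PASSWORD = "pg_PaymentsDb_9f8e7d6c5b4a3f2e1d0c"  # TODO remove\n',
    "ci:build-4711.log": "export STRIPE_KEY=sk_live_Q7rT2mN8vK4pL9xB3wJ6\n",
    "wiki:runbook/payments": ("Read the DB credential from "
                              "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/payments/db-AbCdEf"
                              " at start-up.\n"),
    "s3://data-lake-archive/app-2021.log": "session=xK9pQ2mT7vB4nR8wL3sJ user=alice\n",
    "s3://data-lake-archive/padding.txt": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx\n",
}

if __name__ == "__main__":
    for f in correlate(SAMPLE_ARTIFACTS, KNOWN_SECRETS):
        print(f"{f['severity']:8} {f['kind']:24} {f['location']:40} {f['arn'] or '-'}")
```

Run as a script it prints one line per finding: the diff hunk and the CI log each yield a critical finding tied to a specific ARN, the runbook yields only an informational ARN reference, the archived log yields a medium unverified candidate, and the low-entropy padding file yields nothing. The keyed fingerprint matters in practice: an unkeyed hash of a short password could be brute-forced by anyone who obtains the fingerprint list.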
»AWS PrivateLink support in HCP Vault Dedicated
HCP Vault Dedicated now supports AWS PrivateLink to help customers get a fully managed Vault deployment with private, internal-only connectivity. This allows applications to access secrets securely and efficiently, without managing underlying infrastructure or exposing sensitive traffic to the public internet.
Combined with the Vault Radar updates, this enhancement to HCP Vault Dedicated gives customers a unified, automated approach to discovering, securing, and privately accessing sensitive information. These capabilities strengthen least-privilege access, reduce operational overhead, and support a more resilient, identity-centric security posture.
»AWS IAM temporary delegation support in HCP Terraform
Just before re:Invent, AWS announced IAM temporary delegation, a new capability that gives partners short-lived, customer-approved IAM access to automate onboarding and configuration of AWS services. As a launch partner, HashiCorp has integrated this capability into HCP Terraform’s dynamic provider credentials, enabling automated setup of IAM roles, permissions boundaries, and provider authentication with no manual steps required. This integration simplifies onboarding of AWS services, reduces configuration errors, and accelerates time-to-value while maintaining strict least-privilege security.
»Terraform delivers launch-day support for new AWS services
The Terraform AWS provider is the integration that allows teams to define, provision, and manage AWS resources using Terraform’s declarative configuration language. Developers consistently want to adopt new AWS services as soon as they launch, and through close collaboration with AWS service teams, we are excited to announce launch-day support for a wide range of newly released AWS capabilities in the Terraform AWS provider.
These updates span key services across S3, ECS, Bedrock, and more. Newly supported features include:
- Required Tags in AWS Organizations Tag Policies
- AWS Lambda Managed Instances and Lambda Durable Functions
- VPC Encryption Controls
- New S3 features, including server-side encryption configurations, S3 Vectors, S3 Tables replication, and attribute-based access control (ABAC) for general purpose buckets, S3 Tables tags, and S3 Vectors
- ECS Express Gateway Service and ECS Linear and Canary Deployments
- DynamoDB Global Table multi-account
- CloudWatch Network Flow Monitor
- Amazon Bedrock AgentCore GA
- EKS Capabilities
Required Tags in AWS Organizations Tag Policies is a particularly impactful update for Terraform users. Consistent tagging is one of the simplest ways to improve cost allocation, ownership, and governance, but it’s also one of the hardest standards to enforce at scale.
AWS’s recent launch of Reporting for Required Tags in AWS Organizations Tag Policies, with HashiCorp as a launch partner, brings those guardrails directly into Terraform IaC workflows. Platform teams can define mandatory tags such as Environment, Owner, and Application once at the organization level and have every IaC change validated against those tag policies before resources are created or modified — using the new ListRequiredTags API behind the scenes. That means a single, centralized definition of tagging rules applies consistently across tools and accounts, without relying on manual review or ad hoc scripts.
In the Terraform AWS provider and HCP Terraform, this capability shows up as Tag Policy Compliance, allowing teams to treat organizational tag policies as a first-class part of their plans and applies. By configuring the provider (or an environment variable) to treat violations as errors or warnings, organizations can choose whether to hard-enforce required tags or start with softer, diagnostic-only guardrails while teams adapt. Validation occurs before new resources are created or tags are changed, but won’t block unrelated updates to existing resources, minimizing friction while still driving better hygiene over time.
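To make the behaviour described in the two paragraphs above concrete, here is an added Python model of the compliance check (illustration only, not the Terraform AWS provider's code). It encodes the three documented points: validation runs when a resource is created or its tags change, an update that leaves tags untouched is not blocked, and violations are treated as errors or warnings depending on the configured mode. The plan structure is an assumed, simplified subset of `terraform show -json` resource_changes, and `REQUIRED_TAGS` stands in for what the organization's tag policies would return via the ListRequiredTags API; all resources and tags in the sample plan are constructed.

```python
"""Model of the tag-policy compliance behaviour described above.

Added illustration, not the Terraform AWS provider's code. The plan structure is
an assumed, simplified subset of `terraform show -json` resource_changes, and
REQUIRED_TAGS stands in for what the organization's tag policies (ListRequiredTags)
would return. Only the presence of required tag keys is modelled.
"""
from dataclasses import dataclass, field

# Constructed org-level policy: "*" applies to every taggable resource type,
# per-type entries add to it. Tag keys are case-sensitive, as in AWS.
REQUIRED_TAGS = {
    "*": ["Environment", "Owner"],
    "aws_instance": ["Application"],
}


@dataclass
class Violation:
    address: str   # Terraform resource address, e.g. aws_instance.web
    missing: list  # required tag keys absent from the planned tags


@dataclass
class Result:
    mode: str                                  # "error" or "warn"
    violations: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        """Only error mode turns violations into a failed plan."""
        return self.mode == "error" and bool(self.violations)


def required_for(resource_type: str, policy: dict) -> set:
    return set(policy.get("*", [])) | set(policy.get(resource_type, []))


def tags_of(state) -> dict:
    """Tags from a before/after state; None (not yet created, or destroyed) has none."""
    return dict((state or {}).get("tags") or {})


def needs_validation(rc: dict) -> bool:
    """Create always validates; update only if tags differ; delete and no-op never do."""
    change = rc["change"]
    if "create" in change["actions"]:
        return True
    if "update" in change["actions"]:
        return tags_of(change["before"]) != tags_of(change["after"])
    return False


def check_plan(resource_changes: list, policy: dict, mode: str = "error") -> Result:
    """Evaluate every planned change against the required-tag policy."""
    if mode not in ("error", "warn"):
        raise ValueError("mode must be 'error' or 'warn'")
    result = Result(mode=mode)
    for rc in resource_changes:
        if not needs_validation(rc):
            continue  # unrelated update, delete or no-op: never blocked
        present = set(tags_of(rc["change"]["after"]))
        missing = sorted(required_for(rc["type"], policy) - present)
        if missing:
            result.violations.append(Violation(rc["address"], missing))
    return result


# Constructed plan: a new instance missing Application, a bucket whose only change is
# versioning (tags untouched), a bucket whose tags change but still lack Owner, a delete.
SAMPLE_PLAN = [
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["create"], "before": None,
                "after": {"tags": {"Environment": "prod", "Owner": "payments"}}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["update"],
                "before": {"tags": {"Environment": "prod", "Owner": "sre"}, "versioning": False},
                "after": {"tags": {"Environment": "prod", "Owner": "sre"}, "versioning": True}}},
    {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
     "change": {"actions": ["update"],
                "before": {"tags": {"Environment": "prod"}},
                "after": {"tags": {"Environment": "prod", "CostCenter": "42"}}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "before": {"tags": {}}, "after": None}},
]

if __name__ == "__main__":
    for mode in ("warn", "error"):
        r = check_plan(SAMPLE_PLAN, REQUIRED_TAGS, mode)
        for v in r.violations:
            print(f"[{mode}] {v.address}: missing required tags {v.missing}")
        print(f"[{mode}] plan blocked: {r.blocked}")
```

Both modes report the same two violations (the new instance and the bucket whose tags are being edited); only error mode marks the plan as blocked. The bucket whose sole change is enabling versioning is skipped even though it would fail a fresh check, which is the "won't block unrelated updates" behaviour the paragraph above describes, and the reason warn mode is a sensible first step while legacy resources are brought up to standard.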
Combined, AWS Organizations tag policies and Terraform’s built-in compliance checks give customers a way to standardize tagging at scale, improve cost and security visibility, and keep rapidly expanding, AI-driven cloud estates governed without adding policy boilerplate or operational overhead.
To learn more, check out the Terraform user guide on how to enforce with AWS Organizations Tag Policies.
»Automating Day 2 operations with Terraform actions
Today we’re announcing the general availability of Terraform actions, which introduce a way to codify and automate Day 2 infrastructure operations by triggering operations in external systems from within a Terraform run. Several new actions have been built directly into the AWS provider, offering preset operations that can be invoked before or after a resource's lifecycle events.
In AWS environments managed by Terraform, a number of Day 2 tasks emerge that often require teams to switch to the AWS console. Some examples include manually invoking Lambda functions, creating invalidation requests for CloudFront’s cache, or sending alerts and notifications via SNS. With actions, Terraform users are able to accomplish all of these tasks and more, without leaving Terraform workflows.
Learn how Terraform actions built for the AWS provider can trigger dynamic automation workflows in your environment, all with just one Terraform apply.
»Accelerating, securing, and optimizing infrastructure with AWS
Together, these updates reflect a shared commitment from HashiCorp, an IBM company, and AWS to simplify and secure cloud operations for modern, AI-driven environments. Organizations are under pressure to move faster while meeting stricter compliance requirements, managing growing secret sprawl, onboarding teams without friction, and adopting new AWS services the moment they launch.
By delivering pre-built compliance guardrails, expanded secrets visibility and protection from secrets sprawl, automated onboarding through temporary delegation, launch-day Terraform support, and new capabilities that streamline Day 2 automation, HashiCorp is helping customers reduce operational overhead, strengthen identity-centric security, and accelerate time-to-value — all while maintaining a consistent and governed cloud operating model.
To learn more, explore HashiCorp and AWS webinars and workshops.