AWS Weekly Brief By Laroy Shtotland


Week 48 · 2 min read

November 24 – December 1, 2025

  • IAM
  • CloudWatch
  • S3
  • EC2
  • KMS
  • WAF

The week's headline is a set of upgraded SLAs across core AWS services, raising the reliability baseline for high-stakes deployments. RDS and ElastiCache now carry a 99.99% Multi-AZ availability commitment in us-east-1 and eu-west-1, DynamoDB on-demand reaches 99.999% in ap-southeast-2, and S3 One Zone-IA is rated for 11 nines of durability, with default KMS encryption and Object Lock tamper protection available on the bucket. These are availability and durability commitments rather than zero-trust controls, but they change the redundancy review in compliance pipelines and narrow the exposure in finance and healthcare, where an outage triggers audits as well as disruption.
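The two S3 settings named above are worth pinning down as configuration rather than prose. The block below is an added example, not code from the brief or from AWS: it holds the argument shapes for default SSE-KMS encryption and an Object Lock default retention rule, builds a bucket policy that explicitly denies uploads that are not SSE-KMS with the intended key, and includes a small evaluator for that policy's Deny conditions so the behaviour can be checked offline. The bucket name and KMS key ARN are placeholders, and the evaluator models only `StringNotEquals` plus the IAM rule that a negated operator also matches when the key is absent from the request context.

```python
"""Added example: S3 default encryption, Object Lock and a deny-unencrypted
bucket policy, with an offline evaluator for the policy's Deny conditions.
Bucket name and key ARN are placeholders."""
import json

BUCKET = "example-records"                                         # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/example-key"  # placeholder

# Argument shape for boto3 put_bucket_encryption(ServerSideEncryptionConfiguration=...).
DEFAULT_ENCRYPTION = {
    "Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": KMS_KEY_ARN,
        },
        "BucketKeyEnabled": True,   # fewer KMS calls, same key boundary
    }]
}

# Argument shape for boto3 put_object_lock_configuration(ObjectLockConfiguration=...).
# Object Lock must already be enabled on the bucket (set at creation time);
# COMPLIANCE mode cannot be shortened or removed, even by the root user.
OBJECT_LOCK = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}},
}


def build_policy(bucket: str, key_arn: str) -> dict:
    """Bucket policy: refuse any PutObject that is not SSE-KMS with our key."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # upload did not ask for SSE-KMS (or sent no encryption header at all)
                "Sid": "DenyNonKmsUpload",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # upload used SSE-KMS but with a key other than ours
                "Sid": "DenyWrongKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
        ],
    }


def evaluate_put(policy: dict, context: dict):
    """Return the Sid of the first Deny statement whose condition matches the
    request context (condition-key -> value), or None when no explicit deny
    applies.  Only StringNotEquals is modelled; a negated operator matches
    when the key is missing, which is why a header-less upload is denied.
    Identity-based Allow statements are out of scope for this check."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for op, pairs in stmt["Condition"].items():
            if op != "StringNotEquals":
                raise ValueError(f"unsupported operator {op}")
            if any(context.get(key) != value for key, value in pairs.items()):
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    for ctx in ({},
                {"s3:x-amz-server-side-encryption": "AES256"},
                {"s3:x-amz-server-side-encryption": "aws:kms"},
                {"s3:x-amz-server-side-encryption": "aws:kms",
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}):
        print(ctx, "->", evaluate_put(policy, ctx))
```

The two Deny statements are deliberately separate so that a denied upload tells you which rule it tripped; with a single combined condition every failure looks the same in CloudTrail.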

  • Application Load Balancers gain URL and host header rewrites: regex-based transformations of the path, query string and headers at the listener or target level, for multi-app routing on one ALB. Available from the console, CLI and API, it trims rule complexity without a latency penalty, but a rewrite rule deserves the same review as a routing rule. An under-anchored pattern can forward a request to a target group that was never meant to serve it, and WAF rules written against the original path may not describe the request the target actually receives, so pair rewrites with WAF and test them against hostile paths before treating the ALB as a secure gateway for containerized apps.
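To make the misrouting point concrete, here is an added example (a Python simulation, not ALB code or its API) of regex path rewriting with a weak rule beside a hardened one. The rule fields, target group names and request paths are constructed; the simulation percent-decodes before matching, as a backend would, so that an encoded `..` segment is judged in its decoded form.

```python
"""Added example: simulated regex path rewrites, showing why a rewrite
pattern must be anchored and its capture group constrained before the
rewritten request is forwarded.  Rules, targets and paths are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class RewriteRule:
    pattern: str      # regex applied to the request path
    replacement: str  # replacement string; \1 refers to the first capture group
    target: str       # target group that receives the rewritten request


def route(path: str, rules: list[RewriteRule]) -> tuple[str, str]:
    """Return (target, forwarded_path) for the first rule that matches.

    re.search is used on purpose: it is what an unanchored pattern means in
    practice, a hit anywhere in the path.  Decoding happens first so that
    '%2e%2e' and '..' are treated alike."""
    decoded = unquote(path)
    for rule in rules:
        if re.search(rule.pattern, decoded):
            forwarded = re.sub(rule.pattern, rule.replacement, decoded, count=1)
            return rule.target, forwarded
    return "default", decoded


# Weak: unanchored, and the capture group accepts anything, '..' included.
# "/admin/v1/users" matches mid-path and lands on v1-tg as "/admin/users";
# "/v1/../admin" is forwarded as "/../admin" for the target to normalise.
WEAK = [RewriteRule(r"/v1/(.*)", r"/\1", "v1-tg")]

# Hardened: anchored at both ends, capture group limited to path-safe
# characters (no '.', no '%', no whitespace), so traversal segments cannot
# survive the rewrite and paths outside /v1/ fall through to the default.
HARDENED = [RewriteRule(r"^/v1/([A-Za-z0-9_/-]+)$", r"/\1", "v1-tg")]


if __name__ == "__main__":
    for probe in ("/v1/users/42", "/admin/v1/users", "/v1/%2e%2e/admin"):
        print(f"{probe:22} weak={route(probe, WEAK)}  hardened={route(probe, HARDENED)}")
```

The hardened character class is deliberately narrow; if a service needs dots in its paths (file extensions, versions), allow them explicitly and reject `..` as a separate step rather than widening the class to `.*`.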

  • CloudWatch adds interactive incident reporting: timelines, task assignments and incident metadata in the console for faster collaboration. Wired to SNS alerts and Lambda scripts, it brings logs, metrics and traces into one dashboard and cuts mean time to acknowledge for on-call teams. In hybrid environments that turns observability into a way of catching issues early rather than reconstructing them afterwards from siloed incident hunts.

  • SageMaker strengthens data governance with custom subscription workflows that create access policies with alerts and RBAC for secure dataset sharing. Connected to EventBridge triggers, Lake Formation permissions and Model Registry lineage, it mandates encryption and CloudTrail logging for full traceability. ABAC tags scope access for GDPR and HIPAA data, and the lineage record in AI workflows reduces shadow access in collaborative teams while keeping model use auditable.
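The ABAC mechanism behind that is a policy whose conditions compare a resource's tags with the caller's principal tags. The block below is an added example, not SageMaker's own policy or evaluator: it defines one such Allow statement on SageMaker describe actions and a small evaluator that applies the `StringEquals` / `aws:ResourceTag` semantics to sample tag sets, including the case where either side is missing a tag. The tag names (`project`, `classification`, `clearance`) and the sample principals are constructed; explicit denies, resource ARN matching and other condition operators are outside this demo.

```python
"""Added example: an attribute-based dataset access policy and an offline
evaluator for its StringEquals/aws:ResourceTag conditions.  Tag names,
actions and sample principals are constructed for illustration."""
import re

DATASET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyWithMatchingTags",
        "Effect": "Allow",
        "Action": ["sagemaker:DescribeFeatureGroup", "sagemaker:DescribeModel"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            # both conditions must hold: same project AND classification
            # no higher than the principal's clearance tag
            "aws:ResourceTag/project": "${aws:PrincipalTag/project}",
            "aws:ResourceTag/classification": "${aws:PrincipalTag/clearance}",
        }},
    }],
}

PRINCIPAL_VAR = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")
RESOURCE_TAG_PREFIX = "aws:ResourceTag/"


def resolve(value: str, principal_tags: dict):
    """Expand a ${aws:PrincipalTag/x} policy variable against the caller's
    tags; None when the caller has no such tag, which can never compare equal."""
    match = PRINCIPAL_VAR.match(value)
    return principal_tags.get(match.group(1)) if match else value


def is_allowed(policy: dict, action: str, principal_tags: dict, resource_tags: dict) -> bool:
    """True if some Allow statement covers the action and every StringEquals
    condition on aws:ResourceTag/* holds for the given tag sets."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        satisfied = True
        for key, wanted in conditions.items():
            if not key.startswith(RESOURCE_TAG_PREFIX):
                raise ValueError(f"unsupported condition key {key}")
            expected = resolve(wanted, principal_tags)
            actual = resource_tags.get(key[len(RESOURCE_TAG_PREFIX):])
            # A tag missing on either side is "no match": IAM never treats
            # an absent value as equal to anything.
            if expected is None or actual is None or actual != expected:
                satisfied = False
                break
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    analyst = {"project": "claims", "clearance": "phi"}
    for res in ({"project": "claims", "classification": "phi"},
                {"project": "billing", "classification": "phi"},
                {"project": "claims"}):
        print(res, "->", is_allowed(DATASET_POLICY, "sagemaker:DescribeModel", analyst, res))
```

Because the policy never names a dataset, onboarding a new dataset or a new team member is a tagging operation rather than a policy change; the thing to protect is therefore the right to set those tags, which belongs in a separate, tightly scoped policy.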

  • CloudFormation StackSets improve multi-account oversight by routing logs through Lambda templates and IAM roles to a central CloudWatch log group. With account-wide queries and alarms for drift detection, and S3 for retention, it streamlines SOC 2 and PCI audits. Scattered deployments become one place to catch configuration errors, which also gives forensics a single timeline across enterprise-scale operations.
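One drift check that the central log group makes possible is "who changed infrastructure outside CloudFormation?". The block below is an added example, not from the brief or from AWS: it runs that detection over a few constructed, abbreviated CloudTrail records of the kind a trail delivers to a log group, flagging mutating calls on watched services whose `userIdentity` does not carry the `invokedBy` marker of a CloudFormation-originated call. The `invokedBy` value and the one-record-per-log-event layout are assumptions drawn from CloudTrail's record format and should be checked against your own trail; the accounts, principals and timestamps are made up.

```python
"""Added example: drift detection over CloudTrail records in a central
log group.  A finding is a mutating call on a watched service that was not
made via CloudFormation.  Records are constructed; the CFN_INVOKER marker is
an assumption to verify against real records."""
import json

WATCHED_SOURCES = {"ec2.amazonaws.com", "s3.amazonaws.com", "iam.amazonaws.com"}
CFN_INVOKER = "cloudformation.amazonaws.com"   # assumption: userIdentity.invokedBy for CFN-made calls

# Constructed, abbreviated CloudTrail records (real ones carry many more fields).
SAMPLE_RECORDS = [
    {"eventTime": "2025-11-26T09:12:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2025-11-26T09:13:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False,
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deployer",
                      "invokedBy": CFN_INVOKER}},
    {"eventTime": "2025-11-26T09:14:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "recipientAccountId": "444455556666",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::444455556666:assumed-role/Ops/bob"}},
    {"eventTime": "2025-11-26T09:15:31Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False,
     "recipientAccountId": "444455556666",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::444455556666:assumed-role/Ops/bob"}},
]
# The same records as they would sit in the log group: one JSON document per log event.
SAMPLE_LOG_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]


def is_drift(record: dict) -> bool:
    """Mutating call on a watched service, not invoked by CloudFormation."""
    if record.get("eventSource") not in WATCHED_SOURCES:
        return False
    # Fail closed: a record without readOnly is treated as a mutation.
    if record.get("readOnly", False):
        return False
    return record.get("userIdentity", {}).get("invokedBy") != CFN_INVOKER


def find_drift(records: list[dict]) -> list[dict]:
    """Flatten each flagged record into the fields an alarm or ticket needs."""
    return [{
        "account": r.get("recipientAccountId", "?"),
        "time": r.get("eventTime", "?"),
        "event": r["eventName"],
        "principal": r.get("userIdentity", {}).get("arn", "?"),
    } for r in records if is_drift(r)]


def from_log_lines(lines: list[str]) -> list[dict]:
    """Parse one JSON record per line, skipping blanks."""
    return [json.loads(line) for line in lines if line.strip()]


if __name__ == "__main__":
    for finding in find_drift(from_log_lines(SAMPLE_LOG_LINES)):
        print(finding)
```

The interesting records are the ones this logic does not flag: the `PutBucketPolicy` made through CloudFormation is expected change, and the point of the check is to separate it from an equally privileged human doing the same thing by hand.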

  • Lambda raises the asynchronous invocation payload limit to 1 MB from 256 KB and applies a 99.999% SLA to provisioned concurrency in all regions. Larger event bodies still arrive over TLS, which suits security log analysis, but watch the concurrency quota and the asynchronous queue metrics (AsyncEventsReceived, AsyncEventAge, AsyncEventsDropped) during spikes; an event dropped after its retries is a silent gap in the pipeline unless a dead-letter queue or failure destination is configured.
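A larger limit still is a limit, and an `Event` invoke that exceeds it fails at the call site rather than in the queue. The block below is an added example, not Lambda's own code: it checks a serialized event against the limit with some headroom and, when it is too big, stores the body and sends a claim-check pointer instead, with the consumer-side dereference alongside. The 1 MB figure is the one quoted in the brief, taken here as 1 MiB (an assumption); the `store` and `load` callbacks stand in for S3 put/get so that the example runs offline, and the bucket name is a placeholder.

```python
"""Added example: keep asynchronous Lambda invokes under the payload limit
by falling back to a claim-check pointer for oversized events.  The limit
value is an assumption (1 MB read as 1 MiB); store/load stand in for S3."""
import hashlib
import json

ASYNC_PAYLOAD_LIMIT = 1 * 1024 * 1024   # assumption: the brief's "1 MB" as 1 MiB
HEADROOM = 0.9                          # switch to a pointer before the hard limit, not at it


def prepare_async_event(event: dict, store, bucket: str = "example-claim-check"):
    """Return (payload_bytes, mode) for lambda.invoke(InvocationType='Event').

    mode is 'inline' when the event fits, or 'pointer' when the body was
    handed to store(key, bytes) and replaced by a small reference."""
    body = json.dumps(event, separators=(",", ":")).encode()
    if len(body) <= ASYNC_PAYLOAD_LIMIT * HEADROOM:
        return body, "inline"
    digest = hashlib.sha256(body).hexdigest()
    key = f"events/{digest}.json"          # content-addressed: retries are idempotent
    store(key, body)
    pointer = {"claim_check": {"bucket": bucket, "key": key,
                               "size": len(body), "sha256": digest}}
    return json.dumps(pointer).encode(), "pointer"


def resolve_async_event(payload: bytes, load) -> dict:
    """Consumer side: dereference a pointer via load(key) -> bytes, verifying
    size and digest so a swapped object is rejected; inline events pass through."""
    event = json.loads(payload)
    ref = event.get("claim_check")
    if ref is None:
        return event
    body = load(ref["key"])
    if len(body) != ref["size"] or hashlib.sha256(body).hexdigest() != ref["sha256"]:
        raise ValueError("claim-check body does not match its reference")
    return json.loads(body)


def headroom_used(event: dict) -> float:
    """Fraction of the async limit an event consumes; useful as a custom metric
    alongside AsyncEventsDropped so growth is visible before invokes fail."""
    return len(json.dumps(event, separators=(",", ":")).encode()) / ASYNC_PAYLOAD_LIMIT


if __name__ == "__main__":
    blob_store = {}   # in-memory stand-in for S3
    big = {"source": "waf", "log": "x" * (2 * 1024 * 1024)}
    payload, mode = prepare_async_event(big, blob_store.__setitem__)
    print(mode, len(payload), "bytes on the wire;", len(blob_store), "object stored")
    print("round-trip ok:", resolve_async_event(payload, blob_store.__getitem__) == big)
```

The digest in the pointer is what makes the pattern safe to use for security logs: the consumer trusts the stored body only if it matches what the producer referenced, so a writable bucket does not become a way to inject events.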

  • Meanwhile, EC2 Capacity Manager applies ML forecasting to CPU, memory and network demand, feeding Auto Scaling and Systems Manager patching under IAM and KMS safeguards. It avoids overprovisioning and surfaces security weaknesses in real time as capacity changes, so scanning rides along with growth instead of trailing it, for fleets that are both resilient and cost-effective.