AWS Weekly Brief By Laroy Shtotland


Week 50

December 8 – December 15, 2025

  • IAM
  • CloudWatch
  • S3
  • EC2
  • OpenSearch

IAM Policy Autopilot launches as an open-source MCP server that analyzes application code to generate valid IAM policies, speeding least-privilege setups by mapping SDK calls to the permissions they require. Integrated with AI assistants like Kiro or Claude, it produces a refinement-ready starting point that sits alongside IAM Access Analyzer for compliance checks. This points to wider DevSecOps adoption, with human review of the generated policies still key to keeping them aligned with actual security requirements.
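To make the "SDK call to permission" idea concrete, here is an added illustration (not IAM Policy Autopilot's code, and not how that tool works internally) of the general approach: walk a Python source file's AST, find the boto3 clients it creates, look up each method call in a hand-written mapping table, and emit a policy document plus a list of calls the table did not cover. The mapping table, the sample Lambda handler, and the `derive_policy` function are all constructed for this example; the `Resource` defaults to `*` precisely so a reviewer has an obvious field to narrow.

```python
"""Derive a starting-point IAM policy from the boto3 calls found in source code.

Added example of the SDK-call-to-permission approach; NOT the IAM Policy
Autopilot implementation. The mapping table is a small hand-written subset.
"""
import ast
import json

# Constructed subset of (boto3 service, method) -> IAM action. A real tool
# would carry the full SDK surface; anything missing here is reported as unmapped.
SDK_TO_IAM = {
    ("s3", "get_object"): "s3:GetObject",
    ("s3", "put_object"): "s3:PutObject",
    ("s3", "list_objects_v2"): "s3:ListBucket",
    ("dynamodb", "get_item"): "dynamodb:GetItem",
    ("dynamodb", "put_item"): "dynamodb:PutItem",
    ("sqs", "send_message"): "sqs:SendMessage",
}


class _CallFinder(ast.NodeVisitor):
    """Track `name = boto3.client("svc")` bindings, then resolve `name.method(...)` calls."""

    def __init__(self):
        self.clients = {}      # variable name -> boto3 service name
        self.actions = set()   # IAM actions the code needs
        self.unmapped = set()  # calls with no entry in SDK_TO_IAM (need manual review)

    def visit_Assign(self, node):
        call = node.value
        if (isinstance(call, ast.Call)
                and isinstance(call.func, ast.Attribute)
                and isinstance(call.func.value, ast.Name)
                and call.func.value.id == "boto3"
                and call.func.attr in ("client", "resource")
                and call.args and isinstance(call.args[0], ast.Constant)):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.clients[target.id] = call.args[0].value
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            service = self.clients.get(func.value.id)
            if service is not None:
                action = SDK_TO_IAM.get((service, func.attr))
                if action:
                    self.actions.add(action)
                else:
                    self.unmapped.add(f"{service}.{func.attr}")
        self.generic_visit(node)


def derive_policy(source: str, resource: str = "*"):
    """Return (policy_document, unmapped_calls) for the given Python source.

    `resource` defaults to "*" on purpose: it is the field a reviewer must
    narrow to concrete ARNs before the policy is least-privilege.
    """
    finder = _CallFinder()
    finder.visit(ast.parse(source))
    by_service = {}
    for action in sorted(finder.actions):
        by_service.setdefault(action.split(":")[0], []).append(action)
    statements = [
        {"Sid": f"{svc.capitalize()}Access", "Effect": "Allow",
         "Action": actions, "Resource": resource}
        for svc, actions in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}, sorted(finder.unmapped)


# Constructed sample handler: reads from S3, writes to DynamoDB, and makes one
# call (delete_object) that the mapping table does not know about.
SAMPLE_SOURCE = '''
import boto3
s3 = boto3.client("s3")
table = boto3.client("dynamodb")

def handler(event, context):
    body = s3.get_object(Bucket="example-bucket", Key=event["key"])["Body"].read()
    table.put_item(TableName="example-table", Item={"pk": {"S": event["key"]}})
    s3.delete_object(Bucket="example-bucket", Key=event["key"])
'''

if __name__ == "__main__":
    policy, unmapped = derive_policy(SAMPLE_SOURCE)
    print(json.dumps(policy, indent=2))
    print("Unmapped calls needing manual review:", unmapped)
```

The two outputs matter equally: the policy is the draft to refine, and the unmapped list is the gap report. A generator that silently dropped `delete_object` would yield a policy that fails at runtime, while one that silently widened to `s3:*` would defeat the least-privilege goal; surfacing the gap for review is the safer design.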

The AWS MCP Server preview unifies API and knowledge access in a managed interface, letting AI agents handle multi-step tasks across 15,000+ AWS APIs using SOPs for workflows like EC2 provisioning or Lambda troubleshooting. With IAM authentication and CloudTrail logging, it offers controlled execution at no extra cost beyond services—now in US East (N. Virginia). This hints at streamlined audits for regulated sectors.

Extending the MCP ecosystem, the IaC MCP Server delivers AI assistance for CDK and CloudFormation via nine tools: documentation search, local validation, compliance checks, and CloudTrail-backed troubleshooting. Running locally with minimal IAM, it guides secure setups like S3 encryption validation. As an open-source, JSON-configurable tool, it reduces provisioning errors, freeing architects for high-level design.

OpenSearch Service’s Agentic Search redefines querying with agent-driven natural language, automating DSL generation and intent handling via conversational or flow agents. Available in version 3.3+ across commercial regions, it uses LLMs for broad analytics access, expanding enterprise search where skills vary. External MCP ties for custom templates bolster hybrid AI, though agent transparency demands monitoring.

Network Firewall Proxy preview enables centralized egress controls to block data exfiltration and malware via TLS inspection and HTTP header filtering. This explicit-mode setup simplifies outbound traffic management with logs to S3 or CloudWatch, marking a shift toward granular protection in hybrid environments.

AWS Transform custom arrives as an AI agent crushing technical debt, blending pre-built Java/Node.js/Python upgrades with custom patterns from natural language or samples. It handles migrations like Angular to React or CDK to Terraform across repos via CLI/web, slashing execution time by up to 80%. This CI/CD-integrated capability drives scalable refactoring, letting teams chase innovation over upkeep.

Finally, Lambda Managed Instances fuse serverless simplicity with EC2 options, running functions on managed instances for specialized hardware or Savings Plans/Reserved Instance pricing. AWS manages lifecycle, patching, and multi-concurrency scaling in capacity providers, eliminating cold starts at a 15% surcharge on EC2 rates. Available in select regions for key runtimes, it suits steady workloads, sparking debate over which workloads gain from a hybrid shift.