Week 1 · 2 min read
December 29, 2025 – January 5, 2026
Automated certificate lifecycle management has arrived in AWS Certificate Manager for Kubernetes environments via ACK controllers. This streamlines requesting, exporting, and renewing both public and private certificates directly as Kubernetes resources, eliminating manual secret handling and raising the bar for TLS security in pods, ingress controllers, and service meshes.
Amazon ECR Public expands secure container options by adding Chainguard's hardened, minimal images to its gallery at no extra cost. With near-zero CVEs, built-in SBOMs, signatures, and non-root defaults, these images suggest a practical path toward reducing attack surfaces in ECS, EKS, and hybrid deployments without sacrificing choice or performance.
Cost allocation gains precision through two complementary updates: account tags in AWS Organizations now serve directly as cost allocation tags across tools like Cost Explorer and Budgets, while user attributes from IAM Identity Center, such as department or cost center, can tag per-user charges for services like Amazon Q and QuickSight.
Amazon OpenSearch Service introduces writable warm tiers on Optimized Instances, layering durable S3 storage beneath local caches to support ongoing indexing on less-active data. This multi-tier approach balances cost and performance for large-scale analytics while enabling seamless data rotation policies.
AWS IoT Core now batches messages in HTTP rule actions, bundling telemetry before downstream routing to cut overhead in high-volume device fleets.
Amazon ECS Managed Instances extend to EC2 Spot capacity, letting fault-tolerant container workloads tap steep discounts while AWS handles scaling and placement.
AWS Verified Access now natively integrates with AWS WAF. This allows you to apply web application firewall rules (like geo-blocking or SQL injection protection) directly to the secure "VPN-less" entry points for your internal applications.
Fargate now respects the STOPSIGNAL instruction in your Dockerfile (e.g., SIGQUIT or SIGINT). This fixes a long-standing frustration where Fargate would only send SIGTERM, often causing "dirty" shutdowns for specialized applications like Nginx or older legacy apps.
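Because the stop signal is now whatever the image declares, the practical check is to confirm what a given Dockerfile actually declares. The script below is an added example, not code from the newsletter or from AWS: it resolves the effective stop signal from Dockerfile text the way Docker does (last STOPSIGNAL wins, comments ignored, SIGTERM when none is set) and normalises numeric or bare signal names. The sample Dockerfile is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: resolve the stop signal a container will receive at stop time.
# Assumes a POSIX sh with grep, awk, sed, tail and kill available.

# Constructed sample Dockerfile text. Note the commented-out STOPSIGNAL (must be
# ignored) and two live STOPSIGNAL lines (the last one wins, as in Docker).
SAMPLE_DOCKERFILE='FROM nginx:1.27
# STOPSIGNAL SIGKILL   <- a comment, not an instruction
STOPSIGNAL SIGTERM
COPY entrypoint.sh /entrypoint.sh
STOPSIGNAL SIGQUIT
ENTRYPOINT ["/entrypoint.sh"]'

# effective_stop_signal: read Dockerfile text on stdin, print the signal name
# (SIG-prefixed) that the runtime will deliver on stop. Defaults to SIGTERM.
effective_stop_signal() {
  sig=$(grep -i '^[[:space:]]*STOPSIGNAL[[:space:]]' | tail -n 1 | awk '{print $2}')
  if [ -z "$sig" ]; then
    echo SIGTERM
    return
  fi
  case "$sig" in
    [0-9]*) echo "SIG$(kill -l "$sig")" ;;   # numeric, e.g. "3" -> SIGQUIT
    [Ss][Ii][Gg]*) echo "$sig" | tr '[:lower:]' '[:upper:]' ;;  # already prefixed
    *)      echo "SIG$sig" | tr '[:lower:]' '[:upper:]' ;;      # bare name, e.g. "QUIT"
  esac
}

# stop_signal_matches: exit 0 when the Dockerfile's stop signal equals the
# graceful signal the application expects (e.g. SIGQUIT for an Nginx drain).
stop_signal_matches() {
  expected=$1
  actual=$(effective_stop_signal)
  [ "$actual" = "$expected" ]
}

# Stand-alone usage: report the resolved signal for the sample Dockerfile.
printf '%s\n' "$SAMPLE_DOCKERFILE" | effective_stop_signal
```

Run it as `effective_stop_signal < Dockerfile` in a pipeline, or `stop_signal_matches SIGQUIT < Dockerfile` as a CI gate before an image is promoted, so that a missing or overridden STOPSIGNAL is caught before the task definition ever reaches Fargate.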