Week 4 · 2 min read
January 19 – January 26, 2026
AWS now includes the ARN of the specific policy responsible for an access denied error, across both IAM and Organizations policy evaluation: identity-based policies, permission boundaries, session policies, SCPs, and Resource Control Policies. For teams operating multi-account environments with layered guardrails, this is a meaningful improvement. "Explicit deny" errors have historically required CloudTrail analysis or policy simulation to trace back to the policy that caused them; surfacing the deny source directly in the error materially shortens investigation time and reduces operational noise for security and platform teams.
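A small triage helper, added here as an example and not part of the original post or any AWS tooling: it pulls the denying policy ARN out of an access denied message, classifies it as an IAM policy, SCP or RCP from the ARN format alone, and tallies CloudTrail-style records by that source so the noisiest guardrail surfaces first. The ARN formats are AWS's; the wording that surrounds them in the message, the account and organization IDs, and the sample records are all constructed for this example.

```python
import re
from collections import Counter

# ARN shapes that can carry an explicit deny: IAM managed policies (used as
# identity-based policies and permission boundaries) and Organizations policies
# (SCPs and RCPs). The ARN formats are AWS's; how the new error message embeds
# them is an assumption of this example.
POLICY_ARN = re.compile(
    r"arn:aws[a-z-]*:(?:iam|organizations)::(?:\d{12}|aws):policy/\S+"
)


def policy_kind(arn: str) -> str:
    """Map a policy ARN to the evaluation layer it belongs to."""
    if ":organizations::" in arn:
        if "/service_control_policy/" in arn:
            return "scp"
        if "/resource_control_policy/" in arn:
            return "rcp"
        return "organizations-policy"
    # An IAM managed policy: identity-based policy or permission boundary.
    # The ARN alone does not say which role it played in the evaluation.
    return "iam-policy"


def deny_source(error_message: str):
    """Return (arn, kind) for the policy named in a deny message, or None."""
    m = POLICY_ARN.search(error_message)
    if not m:
        return None
    arn = m.group(0).rstrip(".,;")
    return arn, policy_kind(arn)


def denies_by_policy(events):
    """Tally access-denied records by the policy that produced the deny."""
    counts = Counter()
    for ev in events:
        if ev.get("errorCode") not in ("AccessDenied", "Client.UnauthorizedOperation"):
            continue
        src = deny_source(ev.get("errorMessage", ""))
        counts[src or ("unknown", "unknown")] += 1
    return counts


# Constructed CloudTrail-style records (not real log output). Account and
# organization IDs are placeholders.
SCP_ARN = ("arn:aws:organizations::999999999999:policy/o-abc123/"
           "service_control_policy/p-denyregion")
RCP_ARN = ("arn:aws:organizations::999999999999:policy/o-abc123/"
           "resource_control_policy/p-orgonly")
BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/DeveloperBoundary"
PRINCIPAL = "arn:aws:sts::111122223333:assumed-role/Dev/alice"

SAMPLE_EVENTS = [
    {"errorCode": "AccessDenied",
     "errorMessage": f"User: {PRINCIPAL} is not authorized to perform: ec2:RunInstances "
                     f"on resource: * with an explicit deny in a service control policy {SCP_ARN}"},
    {"errorCode": "AccessDenied",
     "errorMessage": f"User: {PRINCIPAL} is not authorized to perform: ec2:RunInstances "
                     f"on resource: * with an explicit deny in a service control policy {SCP_ARN}"},
    {"errorCode": "AccessDenied",
     "errorMessage": f"User: {PRINCIPAL} is not authorized to perform: logs:PutLogEvents "
                     f"on resource: arn:aws:logs:us-east-1:111122223333:log-group:/app:* "
                     f"with an explicit deny in a resource control policy {RCP_ARN}."},
    {"errorCode": "AccessDenied",
     "errorMessage": f"User: {PRINCIPAL} is not authorized to perform: iam:CreateUser "
                     f"on resource: arn:aws:iam::111122223333:user/bob with an explicit "
                     f"deny in a permissions boundary {BOUNDARY_ARN}"},
    # Older-style message with no policy ARN: still needs the CloudTrail digging.
    {"errorCode": "AccessDenied",
     "errorMessage": f"User: {PRINCIPAL} is not authorized to perform: s3:GetObject "
                     f"on resource: arn:aws:s3:::data/x with an explicit deny"},
    # Not an authorization failure; ignored by the tally.
    {"errorCode": "NoSuchBucket", "errorMessage": "The specified bucket does not exist"},
]


def triage(events=SAMPLE_EVENTS):
    """Return (kind, arn, count) rows, most frequent deny source first."""
    return [(kind, arn, n) for (arn, kind), n in denies_by_policy(events).most_common()]


if __name__ == "__main__":
    for kind, arn, n in triage():
        print(f"{n:3d}  {kind:<20}  {arn}")
```

Records whose message carries no policy ARN land in an "unknown" bucket; that bucket is the residue that still needs manual CloudTrail or policy-simulator work, so its size is a useful measure of how much the new error detail has actually bought you.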
Resource Control Policies expanding to Amazon Cognito and CloudWatch Logs is another step in data perimeter maturity. Identity services and logging pipelines are easy to overlook as external access paths, yet they are common misconfiguration and exfiltration vectors. Extending RCP enforcement to them allows consistent, organization-level controls instead of service-by-service compensating mechanisms, and it reinforces a clear direction: AWS expects data perimeter enforcement to live at the org boundary rather than be rebuilt repeatedly at the workload layer.
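To make the org-boundary point concrete, here is an RCP of the kind that would now cover CloudWatch Logs and Cognito, with a small lint that checks for the two exceptions a data-perimeter deny needs: one for the organization's own identities and one for AWS service principals, without which services can no longer deliver logs on your behalf. This is an example written for this post, not AWS sample code or a policy published with the announcement; the organization ID is a placeholder and the `logs:*` and `cognito-idp:*` action prefixes are assumed to be the ones RCPs accept for these services.

```python
import copy
import json

ORG_ID = "o-exampleorg"  # placeholder organization ID, not a real one

# Example RCP: deny use of CloudWatch Logs and Cognito user-pool resources in
# the organization's accounts by any principal outside the organization. Two
# exceptions keep legitimate traffic working: identities inside the org
# (aws:PrincipalOrgID) and AWS service principals (aws:PrincipalIsAWSService).
# The action prefixes are assumptions of this example.
RCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceOrgIdentitiesOnLogsAndCognito",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["logs:*", "cognito-idp:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
                "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
            },
        }
    ],
}


def lint_rcp(policy: dict) -> list:
    """Return findings for Deny statements that lack the perimeter exceptions."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy: Version must be 2012-10-17")
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        sid = st.get("Sid", "<no Sid>")
        if st.get("Principal") != "*":
            findings.append(f'{sid}: RCP statements must use Principal "*"')
        cond = st.get("Condition", {})
        # Without this exception the org's own principals are denied too.
        org = cond.get("StringNotEqualsIfExists", {}).get("aws:PrincipalOrgID")
        if not org:
            findings.append(f"{sid}: missing aws:PrincipalOrgID exception; "
                            "the organization's own principals would be denied")
        # Without this one, service-to-service calls such as log delivery break.
        svc = cond.get("BoolIfExists", {}).get("aws:PrincipalIsAWSService")
        if svc != "false":
            findings.append(f"{sid}: missing aws:PrincipalIsAWSService exception; "
                            "AWS services acting on your behalf would be denied")
    return findings


def weakened(policy: dict) -> dict:
    """The same policy with the AWS-service exception dropped: a common mistake."""
    weak = copy.deepcopy(policy)
    for st in weak["Statement"]:
        st.get("Condition", {}).pop("BoolIfExists", None)
    return weak


if __name__ == "__main__":
    print(json.dumps(RCP, indent=2))
    print("findings (as written):", lint_rcp(RCP))
    print("findings (weakened):  ", lint_rcp(weakened(RCP)))
```

The lint keys on the exact operators the example uses, so an equivalent statement written with different condition operators is reported as needing review rather than silently accepted; for a guardrail check that errs the right way. Run it in CI against the policy files before they are attached at the organization root, where a missing exception affects every account at once.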
The Instance Scheduler improvements focus on resilience rather than new features: event-driven orchestration, retries on EC2 InsufficientInstanceCapacity errors, and reduced operational overhead make it more viable in large, distributed environments. This matters because cost controls usually fail because the automation is brittle, not because the intent is missing. These updates make scheduler-based optimization more reliable, especially for bursty or AI-adjacent workloads where capacity constraints are increasingly common.
Amazon ECR’s cross-repository layer sharing via blob mounting addresses a real inefficiency in container-heavy organizations. Reusing common layers reduces redundant uploads and storage while improving push performance. It also increases the importance of registry governance, as shared base images become implicit dependencies across teams. This is a net positive, but only if ownership and lifecycle management are explicit.
Finally, the AWS Transfer Family Terraform module now supports web apps, enabling branded S3 file transfer portals with federated authentication. Integration with IAM Identity Center and S3 Access Grants closes a gap between secure storage and usable enterprise file exchange, while keeping deployments fully infrastructure-as-code.