Week 5 · 2 min read
January 26 – February 2, 2026
AWS Network Firewall now supports web category-based filtering, including visibility into GenAI-related traffic. This is an explicit acknowledgement that uncontrolled AI access is becoming a governance problem. For regulated environments, this finally provides a native mechanism to distinguish “innovation” traffic from “policy violation” traffic, without relying entirely on proxy-layer workarounds.
File integrity monitoring now bridges AWS Systems Manager and Amazon Security Lake. Unauthorized changes on EC2 instances are captured as OCSF-formatted findings, pushing host-level drift directly into a centralized lake. This reduces the gap between configuration management and compliance evidence, and signals AWS’s continued push toward audit-by-default rather than audit-by-screenshot.
Amazon S3 gained the ability to change the server-side encryption type of stored objects in place, without copying or rewriting the data. Practically, this removes one of the long-standing excuses for delaying SSE-KMS adoption or key rotation: until now, changing an object's encryption type meant a copy operation, which for large buckets meant a migration project. In audit-heavy environments this matters: encryption posture can now evolve without operational disruption or the risk that comes with moving data.
IAM Identity Center now supports IPv6 through dual-stack endpoints. This is a small but important step for organizations modernizing network architectures: it removes one more dependency on NAT for IPv6-only clients and makes it easier to meet IPv6 adoption requirements without carving out exceptions for the identity plane.
On sovereignty, AWS doubled down. The Digital Sovereignty Well-Architected Lens, combined with explicit sovereign failover designs for the European Sovereign Cloud, reframes resilience as a regulatory requirement, not just an availability goal. The emphasis on isolated partitions and auditable portability reflects a shift from “trust AWS” to “prove you can exit or isolate when required.”
For AI workloads, SageMaker Unified Studio now supports AWS PrivateLink, keeping model development traffic off the public internet. When paired with cross-region PrivateLink monitoring via CloudWatch Network Synthetic Monitor, this creates a more observable and defensible posture for privacy-sensitive ML pipelines.
Containers also saw a practical improvement: Amazon ECS now publishes container health status as a CloudWatch metric. Health checks previously had to be observed per task; exposing them as a metric means alarms can be set on unhealthy states across tasks and clusters, moving teams closer to proactive reliability instead of reactive debugging.
Finally, the innovation sandbox on AWS adds real-time analytics dashboards for events like hackathons, with automated account provisioning and guardrails. This suggests AWS is treating experimentation itself as a governed workload, not an exception.