Week 6 · 2 min read
February 2 – February 9, 2026
AWS tightened multi-party approvals in IAM Identity Center by requiring an email-delivered one-time password (OTP) for approval voting. This adds an anti-impersonation control and reduces the risk of approval-flow bypasses: protected operations now require OTP confirmation within a 10-minute window. It strengthens governance for strict approval workflows, adds no cost, and is available across Regions.
AWS STS can now validate selected OIDC token claims from providers like Google, GitHub, CircleCI, and OCI directly in IAM role trust policies. This is a meaningful step forward for least privilege in federated access: role assumption can now be constrained by provider attributes (aud/sub/repo/org/workflow/tenant, etc.) using IAM condition keys, rather than relying on broad “any federated identity” trust. This improves precision in multi-provider federation and reduces over-provisioning risk, while enabling stronger data-perimeter style controls.
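To make the least-privilege point concrete, here is an added example (not AWS code or the page's own) that contrasts a broad "any token from this provider" trust policy with one pinned to claim values. The account ID, repository names and token claims are constructed placeholders; the condition keys are the existing GitHub OIDC keys, and the evaluator only approximates IAM's StringEquals/StringLike matching (wildcards `*` and `?`).

```python
import fnmatch

# Assumed provider name and placeholder account ID (constructed, not from the page).
PROVIDER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"


def make_trust_policy(condition):
    """Build a role trust policy allowing AssumeRoleWithWebIdentity under `condition`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Over-broad trust: any token issued by the provider can assume the role.
BROAD_POLICY = make_trust_policy({})

# Constrained trust: audience must be STS and the subject must be one repo + branch.
STRICT_POLICY = make_trust_policy({
    "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{PROVIDER}:sub": "repo:example-org/example-repo:ref:refs/heads/main"},
})

# Approximation of IAM string operators; IAM StringLike is case-sensitive with * and ?.
MATCHERS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringLike": lambda actual, expected: fnmatch.fnmatchcase(actual, expected),
}


def condition_matches(condition, claims):
    """Every key in every operator block must be present in the token and match."""
    context = {f"{PROVIDER}:{k}": v for k, v in claims.items()}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            allowed = expected if isinstance(expected, list) else [expected]
            if actual is None or not any(MATCHERS[operator](actual, v) for v in allowed):
                return False
    return True


def can_assume(policy, claims):
    """True if any Allow statement's condition is satisfied by the token claims."""
    return any(s["Effect"] == "Allow" and condition_matches(s.get("Condition", {}), claims)
               for s in policy["Statement"])
```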
IAM Identity Center added multi-Region support, replicating configuration across selected Regions to improve access resilience during outages while still managing centrally from a primary Region. It requires a multi-Region KMS key and supports deployments aligned with data residency requirements without additional IAM costs. For global orgs, this is another building block for identity-plane resilience in hybrid and multi-Region strategies.
CloudFront now supports mutual TLS for origins, allowing cryptographic authentication so only authorized distributions can connect to backends like ALBs, NLBs, or on-prem servers. Instead of IP allowlists or custom headers, you can use certificate-based checks through AWS Certificate Manager, which is harder to spoof and typically simpler to standardize. It’s included at no extra charge in Business and Premium plans, and it’s a clean edge-origin trust primitive for hybrid designs.
AWS Network Firewall introduced two pricing improvements: NAT Gateway discounts now apply to secondary endpoints, and Advanced Inspection no longer carries separate charges, making TLS decryption and deep inspection materially cheaper at scale. If cost has stopped you from enabling this broadly, this update may be the difference between inspecting a small subset of traffic versus rolling out inspection consistently across multi-VPC, multi-AZ architectures.
The “Related resources” tab is now generally available in the EC2 and VPC console views, giving a single dependency map for security groups before you change them. Seeing attached instances, ENIs, load balancers, and databases reduces the chance of accidental outages and misconfig-driven blast radius, with no added cost.
Finally, DynamoDB global tables now support replication across multiple AWS accounts. For AWS Organizations and multi-account strategies, this enables fault tolerance while keeping security controls isolated per account, aligning HA/DR with governance boundaries for serverless data planes.