Week 12
March 16 – March 23, 2026
AWS Security Agent added two practical improvements. It now integrates with Service Quotas, giving teams a centralized view of applied limits and utilization across services, while eligible quota increase requests, including penetration testing action hours and concurrent jobs, can be approved directly in the console. It also now supports downloadable penetration testing reports in customizable PDF format. Users can filter by risk level, confidence level, finding status, risk type, and task status to generate executive summaries covering security posture, scope, methodology, techniques, tasks, and detailed findings. Together, these updates reduce friction in on-demand testing and help avoid quota bottlenecks during scaling.
Amazon Inspector now extends agentless EC2 scanning to Windows instances and introduces KB-based findings. It detects vulnerabilities across software such as WordPress, Apache HTTP Server, Python, and Ruby gems, while Windows patch findings are consolidated into single KB entries showing the highest CVSS, EPSS, exploit availability, and Microsoft references. That means less noise, clearer prioritization, and simpler remediation without configuration changes.
Amazon CloudWatch continues to expand central observability. It now supports organization-wide enablement of EC2 detailed monitoring through CloudWatch Ingestion rules that can be applied automatically to existing and new instances across an organization or scoped by account and tags such as env:production. CloudWatch Logs also now supports ingestion through HTTP-based protocols, with endpoints accepting HLC for JSON events, ND-JSON bulk payloads, structured JSON arrays, and OTEL logs. Authentication uses bearer tokens and API keys with configurable expiration from one to 365 days. This makes it easier to onboard packaged software and legacy systems that lack native SDK support while improving governance through service control policies.
The AWS MCP Server preview adds better operational visibility with CloudWatch metric publication and semantic search. Invocation counts, success rates, client errors, server errors, and throttling are published under the AWS-MCP namespace at no additional cost, while the documentation search tool can return relevant Agent SOPs using natural language similarity. This gives teams a clearer view of agent behavior, permission issues, and error conditions that were previously hard to observe.
AWS Lambda now exposes Availability Zone metadata through a dedicated endpoint. Applications can query the AZ ID directly and use it for same-zone routing to dependencies such as ElastiCache or RDS. That can reduce latency and improve the precision of AZ-specific resilience and fault-injection testing.