AWS Weekly Brief By Laroy Shtotland

Week 14

March 30 – April 6, 2026

  • KMS
  • CloudFront
  • SES
  • Lambda
  • CloudWatch
  • CloudTrail

AWS Security Agent on-demand penetration testing is now generally available. Security teams can trigger tests when a new internet-facing workload goes live, after an architecture change, or after a remediation, instead of waiting for the next manual pentest window. AWS says it tests web applications and APIs against OWASP Top 10 issues and business logic flaws, validates findings through exploitation, and returns reproducible attack paths, impact analysis, and suggested fixes.

AWS Secrets Manager now lets users enter a customer-managed AWS KMS key ARN directly in the console. Previously, console workflows were limited to the pre-populated key list from the current account. For teams that enforce encryption boundaries with specific CMKs, this removes console friction and reduces the chance of secrets being created under the wrong key.

CloudFront now supports SHA-256 for signed URLs and signed cookies. Signed URLs can use the Hash-Algorithm=SHA256 query parameter and signed cookies can use the CloudFront-Hash-Algorithm=SHA256 attribute, while older configurations remain backward compatible on SHA-1.
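To make the SHA-256 option concrete, here is an added Go example (my own code, not from the AWS announcement or this brief) that signs a canned-policy URL with RSA over SHA-256, appends the Hash-Algorithm=SHA256 parameter, and verifies it the way a strict checker should, refusing any URL that drops the tag instead of quietly falling back to SHA-1. It assumes the documented CloudFront canned-policy JSON, its URL-safe base64 alphabet, and a PKCS#1 v1.5 signature, and that the new parameter is simply appended to the query string; the hostname and key-pair id in the test are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// cannedPolicy is CloudFront's canned policy: one resource URL, one expiry epoch.
func cannedPolicy(resource, expires string) []byte {
	return []byte(fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}`, resource, expires))
}
// CloudFront's URL-safe base64 alphabet swaps '+' '=' '/' for '-' '_' '~'.
var cfEnc = strings.NewReplacer("+", "-", "=", "_", "/", "~")
var cfDec = strings.NewReplacer("-", "+", "_", "=", "~", "/")

// SignURL signs the canned policy with RSA PKCS#1 v1.5 over SHA-256 and tags the
// URL with Hash-Algorithm=SHA256 so the verifier knows which digest to check.
func SignURL(key *rsa.PrivateKey, resource, keyPairID string, expires int64) (string, error) {
	d := sha256.Sum256(cannedPolicy(resource, fmt.Sprint(expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s?Expires=%d&Signature=%s&Key-Pair-Id=%s&Hash-Algorithm=SHA256",
		resource, expires, cfEnc.Replace(base64.StdEncoding.EncodeToString(sig)), keyPairID), nil
}

// VerifyURL rebuilds the policy from the URL and checks the signature; a URL
// without the SHA256 tag is rejected rather than accepted under SHA-1.
func VerifyURL(pub *rsa.PublicKey, signed string) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	if q.Get("Hash-Algorithm") != "SHA256" {
		return fmt.Errorf("Hash-Algorithm=SHA256 missing: refusing SHA-1 fallback")
	}
	sig, err := base64.StdEncoding.DecodeString(cfDec.Replace(q.Get("Signature")))
	if err != nil {
		return err
	}
	d := sha256.Sum256(cannedPolicy(u.Scheme+"://"+u.Host+u.Path, q.Get("Expires")))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}
```

Run it against a key pair you generate locally; the verification half is what to mirror in any internal gateway that validates CloudFront-style URLs before the edge does.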

Amazon SES Mail Manager added four concrete capabilities: optional TLS for ingress, certificate-based authentication with mTLS on ingress endpoints, an Invoke Lambda rule action, and a Bounce rule action with RFC-compliant SMTP responses. This gives teams more control at SMTP ingress: allow legacy senders where STARTTLS cannot be enforced, require certificate auth where it can, trigger custom processing directly from rule sets, or reject mail during the SMTP transaction.

CloudWatch had the densest set of useful updates this week. Security Hub CSPM findings can now be ingested into CloudWatch Logs in ASFF and OCSF format through CloudWatch Pipelines, with organization-wide enablement rules for consistent coverage across accounts. Log centralization can now target data sources by name and type, such as CloudTrail, VPC Flow Logs, and EKS audit logs, so teams no longer need to maintain long log group allow-lists. Logs Insights also adds a lookup command that joins query results with CSV reference tables at query time, helping translate internal IPs, GUIDs, or resource IDs into owner or asset context. CloudWatch also now accepts native OpenTelemetry metrics over OTLP and lets teams query them with PromQL.

Amazon OpenSearch Service introduced agentic AI for log analytics. It adds natural-language analysis in the OpenSearch UI, PPL query generation and iteration in Discover, and an investigation agent that can run root cause analysis and return ranked hypotheses with visible reasoning steps and session memory.

Amazon ECS also introduced Managed Daemons for ECS Managed Instances. ECS now places one daemon task per managed instance and guarantees those daemons are running before application tasks are scheduled. That gives security agents, log forwarders, and tracing collectors node coverage without custom bootstrap logic.