Week 15
April 6 – April 13, 2026
Amazon starts rolling out an update disabling server-side encryption with customer-provided keys (SSE-C). Buckets default to SSE-S3 or SSE-KMS instead. New buckets and existing ones without prior SSE-C objects receive the change automatically, while buckets already using SSE-C remain unchanged to prevent disruption. This standardizes encryption management and reduces the misconfiguration surface.
AWS also launches S3 Files, making S3 buckets accessible as file systems. General purpose buckets mount natively on EC2, ECS, EKS and Lambda using NFS v4.1 operations for create, read, update and delete. Automatic synchronization reflects changes in seconds to minutes, while EFS integration provides sub-millisecond latency for active data with intelligent prefetching. Fine-grained loading controls optimize for metadata-only or full access patterns, and IAM, TLS 1.3 and SSE options keep security intact. Shared access without data duplication benefits interactive AI agents and ML training pipelines.
Amazon Verified Permissions now supports policy store aliases, named policies and policy templates. Policy store aliases tie directly to tenant identifiers and eliminate separate mapping tables in multi-tenant deployments. Named policies and templates replace system-generated IDs with meaningful references. These additions reduce administrative overhead and improve governance as authorization logic scales across applications.
AWS Private CA now supports customer-managed RAM permissions for cross-account CA sharing. Administrators select specific read and write operations per consuming account, replacing earlier preset templates. Central PKI teams get the IAM-level scoping they expect everywhere else.
CloudWatch pipelines shipped the controls log engineering teams usually bolt on elsewhere. A keep-original toggle stores raw logs before transformation, processed events get marked for audit trails, and new IAM condition keys restrict pipeline creation by log source name and type. Conditional execution across 21 processors and a Drop Events processor let teams filter or suppress telemetry before ingestion, giving a clean separation between evidentiary retention and cost control in the telemetry path.
AWS ACM delivers native certificate search in the console and through a new API. Users locate certificates by domain name, ARN or validity status to surface items such as those nearing expiration. The feature simplifies discovery across large portfolios. It directly supports stronger certificate governance and compliance monitoring.
Cost Explorer added natural language querying powered by Amazon Q. A convenience layer, but also a new data access surface that needs IAM and query scoping.
Amazon Bedrock now offers Claude Mythos Preview in a gated research preview for allow-listed internet-critical companies and open-source maintainers in US East through direct AWS account team outreach.