AWS Weekly Brief By Laroy Shtotland

Week 18 · 2 min read

April 27 – May 4, 2026

  • KMS
  • EventBridge
  • CloudTrail
  • IAM
  • VPC
  • OpenSearch

AWS KMS now records the last usage timestamp for KMS keys. Idle keys can be identified, reviewed against dependency data, and moved through rotation, disablement, or deletion workflows with less guesswork. This also improves evidence for key hygiene, exception handling, and periodic access reviews for regulated environments.

Amazon EventBridge now supports data plane logging to AWS CloudTrail. Event delivery, processing, and transformation activity can be captured at the data plane level, which reduces blind spots in event-driven systems where control plane logging alone does not explain what happened during routing or processing. For incident response, this gives a clearer audit trail across distributed event flows: it improves traceability of event handling behavior rather than only of configuration changes.

IAM Roles Anywhere now enforces VPC endpoint policies for the CreateSession API. That is a meaningful control point for hybrid workloads using X.509 certificates to obtain temporary AWS credentials. Organizations can apply endpoint-level restrictions to session creation and reduce exposure from unapproved network paths. This is especially relevant where non-AWS workloads, on-premises systems, or private connectivity models are part of the credential issuance path.
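As an added illustration (not from the brief or from AWS documentation) of the endpoint-level restriction described above, the VPC endpoint policy below allows CreateSession through the endpoint only for one approved trust anchor and profile; everything else is implicitly denied because endpoint policies are allow-lists. The region, account ID and resource IDs are placeholders, and the assumption that trust-anchor and profile ARNs are the resource types scoped by this action should be checked against the current IAM service authorization reference before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateSessionForApprovedTrustAnchorAndProfileOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "rolesanywhere:CreateSession",
      "Resource": [
        "arn:aws:rolesanywhere:REGION-PLACEHOLDER:111122223333:trust-anchor/TRUST-ANCHOR-ID-PLACEHOLDER",
        "arn:aws:rolesanywhere:REGION-PLACEHOLDER:111122223333:profile/PROFILE-ID-PLACEHOLDER"
      ]
    }
  ]
}
```

The endpoint policy is an additional gate: the profile's session policy and each role's trust policy still apply, so a session is issued only when all three agree.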

Amazon OpenSearch now supports JWKS URL configuration for JWT authentication. OpenSearch domains can retrieve JSON Web Key Sets from an external identity provider instead of depending on manually uploaded static signing keys. That reduces operational friction around JWT key rotation and lowers the risk of stale validation material remaining in use. For environments with centralized identity providers and frequent signing key changes, this makes OpenSearch authentication easier to align with existing identity operations.

Amazon EKS now supports one-click cluster access through CloudShell. Operators can connect to EKS clusters from the AWS Management Console without setting up local kubeconfig files or installing kubectl on a workstation first. That reduces endpoint variance during troubleshooting and keeps access aligned with existing IAM authorization paths. It is not a substitute for strong cluster RBAC, but it does remove some of the local tooling drift that often complicates operational access.

AWS Payment Cryptography added three capabilities for payment environments where key custody, dual control, segregation of duties, and auditable approval paths matter: multi-party approval integration for sensitive operations, cross-account key sharing, and paper-based key exchange. Multi-party approval helps enforce consensus before high-impact cryptographic operations proceed. Cross-account key sharing supports controlled use of payment keys across account boundaries without duplicating key material unnecessarily. Paper-based key exchange addresses cases where offline or formally witnessed key transfer remains part of an approved operating model.