Week 20 · 2 min read
May 11 – May 18, 2026
AWS Organizations now supports higher quotas for service control policies. The maximum number of SCPs per node increased from 5 to 10. Individual SCP size limits doubled to 10,240 characters. Enterprises can now attach more policies with finer-grained conditions to enforce comprehensive security and compliance controls across complex hierarchies.
Amazon CloudFront announces passthrough mode for mutual TLS viewer authentication. CloudFront forwards the full client certificate chain directly to the origin without validating it at the edge. Teams with established origin-side mTLS processes can put the global edge network in front of them while preserving their existing authentication logic. CloudFront also announces OCSP revocation checking for mutual TLS viewer authentication. Real-time checks query the certificate authority during connection establishment, with responses cached for up to 30 minutes. The OCSP result is exposed to connection functions for custom logic such as grace periods or IP exceptions. Regulated industries gain stronger zero-trust enforcement without relying on outdated static revocation lists. Additionally, the Premium flat-rate plan now supports configurable usage allowances. Customers select monthly levels from 500 million to 6 billion requests and 50 TB to 600 TB directly in the console. The flat rate includes content delivery, WAF, DDoS protection, bot management, Route 53 DNS, CloudWatch logs, serverless compute, and S3 credits with no overages. Enterprises with predictable high-volume traffic lock in costs without sales negotiations.
AWS WAF introduces dynamic label interpolation for custom request and response handling. The namespace syntax forwards entire label groups in headers or embeds them in bodies with a single rule. Multiple matches resolve automatically to comma-separated values, while synthetic labels inject the client IP, the WAF request ID, and JA3 and JA4 fingerprints. This approach simplifies adaptive security rules for applications that need real-time signals, such as reputation-based MFA.
AWS Security Agent now supports full repository code reviews. The agent performs deep, context-aware analysis of entire codebases to identify systemic vulnerabilities beyond pattern matching. It reasons about architecture, trust boundaries, and data flows, then delivers line-level remediation tied to exact files. Security and development teams accelerate vulnerability discovery and remediation at enterprise scale.
AWS Transform adds containerization capability during migrations. The service analyzes source code from GitHub, Bitbucket, GitLab, or zip files to generate Dockerfiles, secure container images with CVE scanning, Terraform IaC, and Helm charts. Private dependencies resolve through CodeArtifact, and both monorepo and multi-repo structures are supported. Migration teams assign applications to rehost or replatform paths in the same workflow to accelerate modernization to ECS or EKS.