AWS Weekly Brief By Laroy Shtotland


Week 21

May 18 – May 25, 2026

  • Security Hub
  • Security Agent
  • Secrets Manager
  • Transfer Family
  • Transform
  • IAM

AWS Security Hub now uncovers identity risks from unused access. It automatically detects unused IAM permissions, roles, and credentials across your organization by evaluating 90 days of actual activity through a service-linked IAM Access Analyzer. Central security teams gain unified visibility in a single console, correlating these findings with exposure context to prioritize remediation and generate least-privilege policies on demand.

AWS Security Agent adds verification scripts for pentest findings. These scripts automate validation of penetration test results directly inside the agent workflow. Security operations teams reduce manual effort and accelerate remediation cycles while maintaining consistent verification standards across environments.

AWS Secrets Manager Agent introduces pre-fetching and IAM role assumption. Pre-fetching lets you cache secrets at startup via tags or lists and uses BatchGetSecretValue to eliminate sequential calls, cutting startup latency for microservices that load 20 secrets at once. IAM role assumption supports cross-account retrieval by passing role ARNs, tightening access controls without custom code. These changes strengthen secret management security and operational efficiency in multi-account setups.
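The pre-fetch pattern above, as an added example (not the Secrets Manager Agent's own code): a startup loader that fetches a list of secrets in batches of 20 through BatchGetSecretValue and surfaces per-secret errors instead of dropping them. It assumes only boto3's `batch_get_secret_value(SecretIdList=..., NextToken=...)` call shape; the in-memory client and the secret names are constructed so it runs offline.

```python
"""Batch pre-fetch of secrets with BatchGetSecretValue (added example, not
the Secrets Manager Agent's own code). The client only needs boto3's
batch_get_secret_value(SecretIdList=..., NextToken=...) signature, so a
constructed in-memory fake stands in for a real Secrets Manager client."""

BATCH_LIMIT = 20  # SecretIdList accepts at most 20 identifiers per call


def prefetch_secrets(client, secret_ids):
    """Fetch all secret_ids with ceil(n/20) batch calls instead of n sequential
    GetSecretValue calls. Returns ({name: secret_string}, [(id, error_code)]).
    Partial failures arrive in the response's Errors list; they are returned
    rather than swallowed, so a service never starts with a silently missing
    secret."""
    cache, errors = {}, []
    for start in range(0, len(secret_ids), BATCH_LIMIT):
        batch = list(secret_ids[start:start + BATCH_LIMIT])
        kwargs = {"SecretIdList": batch}
        while True:  # follow NextToken until this batch is fully paged
            resp = client.batch_get_secret_value(**kwargs)
            for sv in resp.get("SecretValues", []):
                cache[sv["Name"]] = sv["SecretString"]
            for err in resp.get("Errors", []):
                errors.append((err["SecretId"], err["ErrorCode"]))
            if not resp.get("NextToken"):
                break
            kwargs["NextToken"] = resp["NextToken"]
    return cache, errors


class FakeSecretsClient:
    """Constructed stand-in: serves secrets from memory and counts API calls."""

    def __init__(self, store):
        self.store, self.calls = store, 0

    def batch_get_secret_value(self, SecretIdList, NextToken=None):
        self.calls += 1
        if len(SecretIdList) > BATCH_LIMIT:
            raise ValueError("batch exceeds the 20-identifier service limit")
        found = [{"Name": s, "SecretString": self.store[s]}
                 for s in SecretIdList if s in self.store]
        missing = [{"SecretId": s, "ErrorCode": "ResourceNotFoundException",
                    "Message": "not found"}
                   for s in SecretIdList if s not in self.store]
        return {"SecretValues": found, "Errors": missing}


if __name__ == "__main__":
    store = {f"svc/secret-{i}": f"value-{i}" for i in range(25)}  # constructed
    client = FakeSecretsClient(store)
    cache, errors = prefetch_secrets(client, list(store) + ["svc/missing"])
    print(len(cache), "secrets in", client.calls, "calls; errors:", errors)
```

With 26 identifiers the loader makes two calls (20 + 6) where sequential retrieval would make 26, and the one unknown name is reported as an error instead of disappearing from the cache.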

AWS Secrets Manager adds managed external secrets support for Datadog vended keys and Snowflake Programmatic Access Tokens. It now automates rotation of Datadog API keys, application keys, and admin credentials, as well as Snowflake PATs, with native authentication and a configurable grace period for zero-downtime transitions. Teams centralize third-party credential lifecycle management, lowering the risk of static secrets, alongside the existing integrations for BigID, Confluent Cloud, MongoDB Atlas, and Salesforce.

AWS Transfer Family web apps now support federated permissions with IAM Identity Center across AWS Regions. This enables consistent access control using your existing identity providers without maintaining separate IAM policies per region. Security teams simplify governance for SFTP and web-based file transfers while enforcing least-privilege access at scale.

AWS Transform now modernizes networks during migrations. The new modernization engine accepts configuration files in any source format and instantly recommends optimizations for naming, sizing, security groups, CIDR allocations, and conflict resolution before provisioning. It flags unrestricted rules, consolidates fragmented constructs, and splits mixed-workload VPCs while preserving full customer control over final designs. Migration projects that once required days of manual review now accelerate with actionable guidance that improves security and cost posture.