AWS Weekly Brief By Laroy Shtotland


Week 22 · 2 min read

May 25 – June 1, 2026

  • Interconnect
  • CloudWatch
  • Shield
  • DDoS
  • GuardDuty
  • Inspector

AWS Interconnect multicloud now offers a free 500 Mbps tier for private connectivity to other clouds. Customers move roughly 160 TB per month at no AWS-side cost while retaining full resiliency and CloudWatch Network Synthetic Monitor inclusion. The tier simplifies evaluation, data replication, and hybrid workload testing with immediate cost savings on the AWS portion.

AWS Shield Advanced introduces DDoS attack flow logs. Packet-level details now capture source and destination IPs, ports, protocols, byte counts, and source country during active attacks. Logs are delivered automatically every five minutes to S3, CloudWatch Logs, or Firehose. This supplies per-flow forensic data for faster incident response and stronger compliance evidence.

Amazon GuardDuty Malware Protection for AWS Backup supports Amazon S3 continuous backups (point-in-time recovery). The service scans the full backup timeline to identify clean recovery points and prevent reinfection on restore. The new GetPITRMalwareScanResults API returns the point-in-time malware status before recovery begins. Organizations reduce data loss risk without giving up S3 continuous backup.
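Knowing the malware status of each point on the timeline still leaves the restore decision to you. The example below is added here and is not AWS code or the output of the API above: it takes a constructed list of scan results and applies a selection policy that picks the latest clean recovery point, either strictly before the first infected point (so you never restore to a window in which the malware may already have been present but not yet flagged) or simply the latest clean point anywhere on the timeline. The `ScanResult` shape, the recovery point identifiers, and the status vocabulary (`CLEAN`, `INFECTED`, `UNSCANNED`) are assumptions for this example; the policy itself is a suggested rule, not the service's behavior.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ScanResult:
    """One point on the backup timeline. Shape is assumed for this example."""
    recovery_point: str   # hypothetical identifier
    timestamp: datetime
    status: str           # assumed vocabulary: CLEAN, INFECTED, UNSCANNED


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed timeline: two clean points, two infected, then a cleanup and one
# point the scanner has not reached yet.
SAMPLE_RESULTS = [
    ScanResult("rp-1", _utc(2026, 5, 20), "CLEAN"),
    ScanResult("rp-2", _utc(2026, 5, 22), "CLEAN"),
    ScanResult("rp-3", _utc(2026, 5, 24), "INFECTED"),
    ScanResult("rp-4", _utc(2026, 5, 26), "INFECTED"),
    ScanResult("rp-5", _utc(2026, 5, 28), "CLEAN"),
    ScanResult("rp-6", _utc(2026, 5, 30), "UNSCANNED"),
]


def first_infection(results) -> Optional[datetime]:
    """Earliest timestamp with an INFECTED verdict, or None if never infected."""
    infected = sorted(r.timestamp for r in results if r.status == "INFECTED")
    return infected[0] if infected else None


def choose_recovery_point(results, strict=True) -> Optional[ScanResult]:
    """Pick the recovery point to restore from.

    strict=True : latest CLEAN point strictly before the first INFECTED point.
                  Loses more data but never restores from inside the
                  compromise window.
    strict=False: latest CLEAN point anywhere; accepts a post-cleanup point.
    UNSCANNED points are never chosen; wait for the scan or scan on demand.
    """
    cutoff = first_infection(results) if strict else None
    candidates = [
        r for r in sorted(results, key=lambda r: r.timestamp)
        if r.status == "CLEAN" and (cutoff is None or r.timestamp < cutoff)
    ]
    return candidates[-1] if candidates else None


def data_loss_window(results, chosen: ScanResult):
    """How far back the chosen point sits from the newest point on the timeline."""
    newest = max(r.timestamp for r in results)
    return newest - chosen.timestamp


if __name__ == "__main__":
    for strict in (True, False):
        rp = choose_recovery_point(SAMPLE_RESULTS, strict=strict)
        print(strict, rp.recovery_point, data_loss_window(SAMPLE_RESULTS, rp))
```

In an incident the strict policy is the default to reach for; switch to the relaxed one only after you have independent evidence (the GuardDuty finding timeline, host forensics) that the cleanup between the infected and later clean points was real.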

Amazon Inspector launches improved agent-based scanning for EC2. The updated VM Scanner architecture lowers CPU usage during assessments and extends coverage to WordPress, Apache HTTP Server, Python packages, and Ruby gems. Findings now align fully with agentless results. Workloads achieve consistent vulnerability detection with reduced performance impact.

AWS Secrets Manager Agent adds pre-fetching and IAM role assumption. Secrets load in a single batch at startup while the agent assumes designated roles for secure cross-account access. Applications avoid custom pre-loading logic and cut startup latency. This tightens role-based controls inside multi-account and microservices environments.

Amazon Bedrock AgentCore Identity now supports bringing your own secrets from AWS Secrets Manager. Customers reference existing secret ARNs and apply their organization's customer managed KMS keys (CMKs), tags, rotation policies, and resource policies at creation time. The change removes the earlier limits of service-managed secrets. Governance stays fully aligned without altering runtime behavior.

AWS Organizations now emits CloudTrail events for account membership changes. AccountJoinedOrganization and AccountDepartedOrganization events record the join method, the departure type, and a timestamp. Integration with CloudWatch alarms or EventBridge enables immediate notifications. This visibility speeds detection of unauthorized activity across multi-account setups.
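An account silently leaving the organization is the event most worth paging on, because it takes the account out from under every SCP. The following added example (not AWS code and not from the original page) defines an EventBridge-style event pattern that matches only the two new event names, implements a minimal local matcher so the pattern can be tested offline against constructed events, and turns matches into alerts with a departure ranked above a join. The sample events, the `detail-type` strings and the `serviceEventDetails` field names (`joinMethod`, `departureType`) are assumptions for the example; the real payload should be confirmed against a captured event before the pattern goes into a rule.

```python
import json

# EventBridge pattern matching on source and eventName only, so it does not
# depend on the exact detail-type string (assumed below) of these service events.
EVENT_PATTERN = {
    "source": ["aws.organizations"],
    "detail": {
        "eventName": ["AccountJoinedOrganization", "AccountDepartedOrganization"]
    },
}

# Constructed sample events. The detail-type and serviceEventDetails fields are
# assumptions for this example, not a captured CloudTrail payload.
SAMPLE_EVENTS = [
    {"source": "aws.organizations", "detail-type": "AWS Service Event via CloudTrail",
     "detail": {"eventName": "AccountJoinedOrganization", "eventTime": "2026-05-27T09:00:00Z",
                "serviceEventDetails": {"accountId": "111111111111", "joinMethod": "INVITED"}}},
    {"source": "aws.organizations", "detail-type": "AWS Service Event via CloudTrail",
     "detail": {"eventName": "AccountDepartedOrganization", "eventTime": "2026-05-27T09:05:00Z",
                "serviceEventDetails": {"accountId": "222222222222", "departureType": "LEFT"}}},
    {"source": "aws.organizations", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "DescribeOrganization", "eventTime": "2026-05-27T09:06:00Z"}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "RunInstances", "eventTime": "2026-05-27T09:07:00Z"}},
]


def matches_pattern(event, pattern):
    """Subset of EventBridge matching: list values mean 'any of', dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def membership_alerts(events):
    """Return one alert per matching event; departures outrank joins."""
    alerts = []
    for ev in events:
        if not matches_pattern(ev, EVENT_PATTERN):
            continue
        detail = ev["detail"]
        sed = detail.get("serviceEventDetails", {})
        departed = detail["eventName"] == "AccountDepartedOrganization"
        alerts.append({
            "severity": "HIGH" if departed else "MEDIUM",
            "account": sed.get("accountId", "unknown"),
            "event": detail["eventName"],
            "how": sed.get("departureType") if departed else sed.get("joinMethod"),
            "time": detail.get("eventTime"),
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(EVENT_PATTERN, indent=2))   # paste into the EventBridge rule
    for a in membership_alerts(SAMPLE_EVENTS):
        print(a)
```

Wire the rule's target to an SNS topic or your ticketing integration; a departure alert should also trigger a check that the departed account's ID is still expected in your inventory, since an unexpected one is exactly the unauthorized activity the paragraph refers to.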

Amazon SageMaker adds permissions boundaries for SCP compliance. Administrators define the boundary once in the tooling blueprint so all three provisioned roles inherit it automatically. New projects provision without manual policy adjustments. Teams scale SageMaker adoption while preserving existing organizational security controls.