AWS Weekly Brief

Week 24

June 1 – 8, 2026

  • Inspector
  • Config
  • Cognito
  • MCP
  • SES

Amazon Inspector — VM Scanner for EC2

Amazon Inspector introduced the Inspector VM Scanner, a new agent-based engine for EC2. It widens vulnerability coverage to software that older scanning often missed, including WordPress, Apache HTTP Server, Python packages, and Ruby gems. It lowers CPU usage during scans. The practical effect is deeper visibility on production instances without the performance tax that makes teams hesitate to scan often. That application-layer coverage matters, since those packages are often where real exposure lives, not just the operating system. You activate it from the Inspector console.

AWS Config — internal service-linked rules

AWS Config now supports internal service-linked rules, which let an AWS service run its own Config compliance evaluations independently of the recorder and rules you manage yourself. Security Hub CSPM is the first to use it, deploying and running its own managed Config rules for security checks without touching your Config setup. You keep read-only visibility, the owning service manages the rules, and results route straight back to that service. For anyone who has watched service-driven rules clutter their own Config inventory, this separation is overdue.

Amazon Cognito — multi-Region user pool replication

Amazon Cognito now supports multi-Region replication of user pool data, including credentials and configuration. User and machine identities sync in near real time to a standby Region, so a regional failover no longer forces users to re-enroll or re-authenticate from scratch. It is available as an add-on for the Essentials and Plus tiers. For teams whose recovery plans assume authentication stays available, this closes a long-standing gap in regional disaster recovery.

Securing AI agents — Quick VPC for MCP and cross-account MCP Server

Two updates land squarely in the emerging work of securing AI agents. Amazon Quick added VPC connectivity for MCP server connections, so organizations can reach privately hosted MCP servers on EC2, Fargate, AWS Agentcore, or other VPC-based compute without exposing public endpoints. All traffic stays inside the VPC, which keeps sensitive servers off the internet during AI interactions. In parallel, the AWS MCP Server added cross-account and cross-role access within a single session for AI coding agents. Agents name a profile on each command to switch accounts and IAM roles, with no server restarts or credential file edits. A practical example is reviewing CloudWatch logs across production and staging in one session, while per-request profile specification keeps control and accountability explicit across account boundaries.

Amazon SES — tenant-level suppression lists

Amazon SES rounded out the week with tenant-level suppression lists for accounts running multiple email tenants. Each tenant tracks its own bounces and complaints instead of sharing one account-level list, so trouble in one tenant no longer suppresses sending for the others. Administrators set suppression scope and reasons per tenant, which supports independent reputation management in shared email environments.