WEEKLY BRIEF AWS Weekly Brief

← The Brief

Week 26

June 15 – 22, 2026

  • Continuum
  • Workload Credentials
  • Secrets Manager
  • EKS
  • Console Access

AWS Continuum — machine-speed vulnerability management

AWS Continuum moves vulnerability management toward machine-speed validation and response. It ingests findings from existing tools and its own scans, prioritizes them with environment and business context, validates exploitability by building reproducible proof in isolated sandboxes, and applies fast, reversible mitigations within user-defined guardrails before routing durable fixes through existing review and deployment processes. AWS also folds Security Agent penetration testing and code scanning into Continuum previews and adds STRIDE-based threat modeling from design documents or source code. Security teams define guardrails, review outcomes, and manage blast radius while automated processes handle prioritization, exploit validation, and initial remediation.

Workload Credentials Provider

AWS Workload Credentials Provider automates deployment of exportable ACM certificates and local caching of Secrets Manager secrets across AWS and non-AWS workloads. It replaces custom renewal and deployment scripts that become harder to maintain as public certificate validity periods shorten under CA/B Forum requirements. The lightweight provider runs on Linux and Windows, supports Apache and NGINX reload workflows, and preserves compatibility with the AWS Secrets Manager Agent. This is useful for teams that need certificate and secret distribution without building another bespoke control loop.

Secrets Manager — safe secrets in the Agent Toolkit

AWS Secrets Manager introduces safe secrets handling in the Agent Toolkit for AWS. The secret safety skill keeps plaintext values out of model context, session logs, and agent memory by steering agents away from raw secret retrieval and resolving secret references only at execution time in a child process. This reduces one of the more obvious risks in agentic development workflows while preserving developer usability across supported harnesses including Claude Code, Codex, and Cursor.

Amazon EKS — customer-routed control plane egress

Amazon EKS now supports customer-routed control plane egress. Kubernetes API server outbound traffic for admission webhook callbacks, OIDC provider lookups, and aggregated API server requests can flow through the customer VPC, where teams control routing, security groups, and egress paths. This is useful for private OIDC providers, internal webhook endpoints, data perimeter designs, and compliance-driven network inspection. Organizations can enforce the mode with the eks:controlPlaneEgressMode IAM condition key in service control policies.

AWS Sign-in — resource policies for the Console

AWS Sign-in now supports resource-based policies and resource control policies for the AWS Management Console. These policies restrict console sign-in to expected networks and are evaluated both during sign-in and when console sessions request new credentials. Account-level resource-based policies and organization-wide RCPs can be combined with AWS Management Console Private Access to control both where users sign in from and which accounts they can access. Management console governance gets a stronger network perimeter without additional cost.