Week 26 · 2 min read
June 22 – 29, 2026
AWS introduced Lambda MicroVMs, a new serverless compute primitive for isolated execution of user-supplied and AI-generated code. Each user or job gets its own Firecracker-based MicroVM with VM-level isolation, near-instant launch and resume, state preservation through suspend/resume for up to 8 hours, and a dedicated HTTPS endpoint supporting HTTP/2, gRPC, and WebSockets. This is a strong building block for agent sandboxes, coding assistants, scanners, and multi-tenant execution environments, but the isolation boundary is only as strong as what you attach to the sandbox: the IAM role it runs under and the network reach it is given are part of that boundary and need to be scoped just as deliberately as the VM itself.
Amazon GuardDuty added AI-powered investigations in preview. It analyzes GuardDuty findings, account context, related activity from the last 90 days, affected resources, and threat indicators using knowledge graphs and threat intelligence, then returns a disposition, a confidence score, a MITRE ATT&CK technique classification, supporting evidence, and recommended suppression, containment, or remediation steps. For SOC teams, this is useful only if it is treated as investigation acceleration rather than autonomous judgment: an analyst still owns the disposition, but the feature can reduce the manual work needed to separate true threats from noisy findings across accounts and AWS Organizations.
Amazon EC2 introduced AMI Watermarks for private AMI governance. A watermark embeds custom identifiers and provenance metadata into a private AMI, including AMI ID, owner ID, Region, and creation timestamps, and carries forward when the AMI is copied across Regions, used to create derived AMIs, or shared with other accounts. Combined with Allowed AMIs and Declarative Policies, this gives platform teams a practical control to restrict launches to approved image lineage instead of relying only on naming conventions, tags, or manual image catalogs.
Amazon Route 53 Global Resolver now supports sharing DNS Views between AWS accounts through AWS Resource Access Manager (RAM). Consumer accounts can associate their own private hosted zones with a shared DNS View, making their records resolvable through the owner's global resolver in every Region where it runs, without transferring ownership of the hosted zone or the DNS View. This is a useful separation-of-duties pattern for multi-account DNS: application teams keep ownership of their zones, while platform teams centralize resolution, visibility, and the right to remove an association.
AWS Network Firewall changed the default stateful drop action for newly created firewall policies to "Application drop established (server-directed only)." The previous bidirectional default could silently drop legitimate server-to-client TCP packets such as window updates, keep-alives, and resets, creating intermittent failures that were difficult to diagnose. The new default reduces operational risk in centralized inspection paths and gives teams a safer baseline, while still allowing the stricter bidirectional TCP drop behavior where it is explicitly required, including PQC fragmented TLS handshake scenarios.