6/17/2025, 12:00:00 AM ~ 6/18/2025, 12:00:00 AM (UTC)

Recent Announcements

One Year EC2 Instance Savings Plans are now available for P5 and P5en instances

Starting today, EC2 1-year Instance Savings Plans are available for EC2 P5 and P5en instances in all Regions where these instances are available.

EC2 Instance Savings Plans are a flexible pricing model that offers the lowest prices on an individual instance family's usage in a Region (for example, P5 usage in the US (N. Virginia) Region), in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1- or 3-year term. Today we are adding a 1-year option for EC2 P5 and P5en instances, offering savings of up to 40% compared to the On-Demand price, complementing the existing 3-year option. To learn more about the new pricing options for P5 and P5en instances, see EC2 Instance Savings Plans.

Amazon EC2 M8g instances now available in AWS South America (São Paulo)

Starting today, Amazon Elastic Compute Cloud (Amazon EC2) M8g instances are available in the AWS South America (São Paulo) Region. These instances are powered by AWS Graviton4 processors and deliver up to 30% better performance compared to AWS Graviton3-based instances. Amazon EC2 M8g instances are built for general-purpose workloads, such as application servers, microservices, gaming servers, midsize data stores, and caching fleets. These instances are built on the AWS Nitro System, which offloads CPU virtualization, storage, and networking functions to dedicated hardware and software to enhance the performance and security of your workloads.

AWS Graviton4-based Amazon EC2 instances deliver the best performance and energy efficiency for a broad range of workloads running on Amazon EC2. These instances offer larger instance sizes with up to 3x more vCPUs and memory compared to Graviton3-based Amazon M7g instances. AWS Graviton4 processors are up to 40% faster for databases, 30% faster for web applications, and 45% faster for large Java applications than AWS Graviton3 processors. M8g instances are available in 12 different instance sizes, including two bare metal sizes. They offer up to 50 Gbps enhanced networking bandwidth and up to 40 Gbps of bandwidth to the Amazon Elastic Block Store (Amazon EBS). To learn more, see Amazon EC2 M8g Instances. To explore how to migrate your workloads to Graviton-based instances, see AWS Graviton Fast Start program and Porting Advisor for Graviton. To get started, see the AWS Management Console.

AWS Backup launches Multi-party approval support for logically air-gapped vaults

AWS Backup announces support for Multi-party approval in AWS Organizations for logically air-gapped vaults to enhance data recovery. This new AWS Backup feature enables customers to authorize access to backups for approved accounts in logically air-gapped vaults, even when the owning account becomes inaccessible due to inadvertent or malicious events.

Multi-party approval is a new governance capability that requires multiple authorized individuals to approve critical operations before execution on AWS resources. This distributed decision-making process adds an enhanced security layer by preventing any single person from making unilateral changes. The capability is now being launched as an integration with AWS Backup, allowing customers to create and associate approval teams with both new and existing logically air-gapped vaults to strengthen recovery protection. When used with logically air-gapped vaults, customers can provision clean recovery accounts and authorize backup sharing through their approval teams. Team members manage sharing requests through the AWS IAM Identity Center enabled Approval portal, providing an AWS-native secure method to access backups from compromised AWS accounts. Customers incur no additional cost for integrating and using Multi-party approval teams with AWS Backup logically air-gapped vaults. AWS Backup support for Multi-party approval is available in all Regions where logically air-gapped vaults are currently supported. For more information about implementing this data recovery strategy, visit the AWS Backup product page, AWS Backup documentation, Multi-party approval documentation and news blog.

AWS WAF reduces web application security configuration steps and provides expert-level protection

Today, AWS announces general availability of the AWS WAF simplified console experience that reduces web application security configuration steps by up to 80% and provides expert-level protection to help you optimize application security. AWS WAF helps protect web applications and APIs against common web exploits and bots that could affect availability, compromise security, or consume excessive resources. Security teams can now implement comprehensive protection for applications within minutes through pre-configured protection packs that incorporate AWS security expertise and are continuously updated to address emerging threats. These templates provide extensive security coverage including protection against common web vulnerabilities, malicious bot traffic, application layer DDoS events, and API-specific threats, all customized to your application type.

With the new console experience, select the application type, such as E-commerce platforms or transaction processing applications, to automatically apply expert-curated protection rules optimized for the specific use case. The unified dashboard provides consolidated security metrics, threat detection, and rule performance data, enabling security teams to quickly identify and respond to potential threats while maintaining full security control. Key security controls, including rate limiting, geographic restrictions, and IP reputation filtering, can be customized through an intuitive single-page interface that reduces configuration time. The new AWS WAF console experience is available in all AWS Regions, including the AWS GovCloud (US) Regions and the China Regions. To learn more about the new AWS WAF console experience, see the following resources:

Features page

Getting Started with AWS WAF

Launch Blog

Amazon Inspector launches code security to shift security left in development

Today, Amazon Web Services (AWS) announces the general availability of Amazon Inspector code security capabilities, helping you secure your applications before they reach production. This new feature, with native integration to GitHub and GitLab, helps you rapidly identify and prioritize security vulnerabilities and misconfigurations across your application source code, dependencies, and infrastructure as code (IaC). You can evaluate source code as builders push or pull code changes in repositories, within CI/CD pipelines, or through scheduled scans. Findings from these scans are surfaced both in the Amazon Inspector console for an aggregated view across the organization and within the source code management platform as fast feedback for the developers.

This expansion builds upon existing Amazon Inspector capabilities for scanning Amazon EC2 instances, container images in Elastic Container Registry (ECR), and AWS Lambda functions to provide consistent vulnerability management from compute running on AWS to your code. Amazon Inspector delivers three core capabilities: Static Application Security Testing (SAST) for analyzing application source code, Software Composition Analysis (SCA) for evaluating third-party dependencies, and Infrastructure as Code (IaC) scanning for validating infrastructure definitions. Amazon Inspector code scanning is available in 10 Regions: US East (N. Virginia), US West (Oregon), US East (Ohio), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Stockholm), and Asia Pacific (Singapore). To learn more and get started with Inspector code security, visit:

Getting started with Amazon Inspector

Amazon Inspector free trial

Amazon SageMaker AI now supports M7i, C7i, and R7i for SageMaker Model Training and SageMaker Processing

Amazon SageMaker AI is pleased to announce support for M7i, C7i, and R7i instance types for SageMaker Model Training and SageMaker Processing. Amazon SageMaker Model Training lets you easily train machine learning models at scale using fully managed infrastructure optimized for performance and cost. Amazon SageMaker Processing makes it easy to run data pre-processing, post-processing, and model evaluation workloads on fully managed infrastructure.

M7i, C7i, and R7i instances are powered by custom 4th generation Intel Xeon Scalable processors and deliver up to 15% better price performance compared to their previous generation (M6i, C6i, and R6i) instances. M6i, C6i, and R6i instances are powered by 3rd generation Intel Xeon Scalable processors. M7i, R7i, and C7i instances are a great choice for CPU-based, compute-intensive Machine Learning (ML) workloads. M7i, C7i, and R7i instances are now available to run Training and Processing jobs on Amazon SageMaker AI in multiple AWS Regions. For pricing and regional availability information on these instances, please visit our pricing page.

Amazon MSK expands Express Brokers to Mexico (Central) and Asia Pacific (Thailand) regions

Amazon Managed Streaming for Apache Kafka (Amazon MSK) has added support for Express Brokers in the Mexico (Central) and Asia Pacific (Thailand) Regions. Express brokers are a new broker type for Amazon MSK Provisioned designed to deliver up to 3x more throughput per broker, scale up to 20x faster, and reduce recovery time by 90% as compared to standard Apache Kafka brokers. Express brokers come pre-configured with Kafka best practices by default, support all Kafka APIs, and provide the same low-latency performance that Amazon MSK customers expect, so they can continue using existing client applications without any changes.

You can now create an MSK cluster with Express brokers in these AWS Regions from the Amazon MSK console. To learn more, check out this blog.

Amazon EC2 M7i-flex 12xlarge and 16xlarge instances are now available in AWS Europe (London) Region

Starting today, Amazon Elastic Compute Cloud (Amazon EC2) M7i-flex 12xlarge and 16xlarge instances powered by custom 4th Gen Intel Xeon Scalable processors (code-named Sapphire Rapids) are available in the Europe (London) Region. The new sizes expand the EC2 Flex portfolio, providing additional compute options to scale up existing workloads or run larger applications that need additional memory. These instances are powered by custom 4th Gen Intel Xeon Scalable processors that are available only on AWS, and offer up to 15% better performance over comparable x86-based Intel processors utilized by other cloud providers.

Flex instances are the easiest way for you to get price-performance benefits for a majority of general-purpose and compute-intensive workloads. M7i-flex instances deliver up to 19% better price-performance compared to M6i instances. These instances offer the most common sizes, from large to 16xlarge, and are a great first choice for applications that don't fully utilize all compute resources, such as web and application servers, virtual desktops, batch processing, microservices, databases, caches, and more. For workloads that need larger instance sizes (up to 192 vCPUs and 768 GiB memory) or continuous high CPU usage, you can leverage M7i instances. The new M7i-flex sizes are available in the following AWS Regions: US East (N. Virginia, Ohio), US West (N. California, Oregon), Europe (Frankfurt, Ireland, London, Paris, Spain, Stockholm), Canada (Central), Asia Pacific (Malaysia, Melbourne, Mumbai, Singapore, Sydney, Taipei, Thailand, Tokyo), Mexico (Central), South America (São Paulo), and AWS GovCloud (US-East, US-West).

Amazon ECR enhanced scanning now surfaces image use status

Amazon Elastic Container Registry (ECR) enhanced scanning now surfaces how an image is used on Amazon Elastic Kubernetes Service (EKS) and Amazon Elastic Container Service (ECS), including the last used date, the number of clusters in which the image was used, and the cluster ARNs. You can use this information to prioritize vulnerability remediation for images that are actively being used.

ECR enhanced scanning is an integration with Amazon Inspector that provides vulnerability scanning for your container images. ECR enhanced scanning scans your container images for both operating system and programming language package vulnerabilities. With the launch today, you can understand whether and where your images are used on EKS and ECS. Using the ECR or Inspector consoles and APIs, you can now identify when you last used an image, the number of clusters in which the image was used, and which clusters are running the image, with cluster ARNs. As the image use status changes, ECR enhanced scanning will continuously update the status and surface the new status as part of the enhanced scanning findings. ECR support for image use status is available for enhanced scanning customers at no additional cost and is generally available in all AWS Commercial and AWS GovCloud (US) Regions where enhanced scanning is available. To get started with ECR enhanced scanning, visit the ECR documentation.

AWS Backup Audit Manager is now available in six additional regions

AWS Backup Audit Manager is now available in the Asia Pacific (Hyderabad, Jakarta, Melbourne), Europe (Spain, Zurich), and Middle East (UAE) Regions. AWS Backup Audit Manager is a feature within AWS Backup that allows you to audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs. AWS Backup enables you to centralize and automate data protection policies across AWS services based on organizational best practices and regulatory standards, and AWS Backup Audit Manager helps you maintain and demonstrate compliance with those policies.

To find a full list of AWS Regions in which AWS Backup Audit Manager is available, please refer to the AWS Backup Regional availability. To learn more about AWS Backup Audit Manager, visit the product page and documentation. To get started, visit the AWS Backup console.

Express.js developers can now add authorization in minutes with Amazon Verified Permissions

Today, AWS announces the release of @verifiedpermissions/authorization-clients-js, an open source package that enables developers to implement authorization in their Express.js web application APIs in minutes. This simplifies development and improves application security by significantly reducing custom authorization code compared to traditional approaches where authorization logic was embedded in the application.

With this package, developers of Express.js applications can move authorization logic to Cedar policies that are managed outside the code. For example, a pet store application can restrict API access based on user roles, allowing administrators full access while limiting customers to view-only operations, all without embedding complex authorization logic in application code. As your application evolves, you can easily extend these permissions, such as allowing employees to create and update pets but not delete them, by simply adding a new policy without modifying a single line of application code. Amazon Verified Permissions is a scalable permissions management and fine-grained authorization service for the applications that you build. The integration follows a straightforward workflow: developers generate a Cedar schema for their Express.js application, create authorization policies defining access rules, and add a middleware component to their Express application. When users make API requests, the middleware automatically validates authorization with Verified Permissions before processing continues. The @verifiedpermissions/authorization-clients-js package is available on GitHub under the Apache 2.0 license and distributed through NPM. This integration is available in all AWS Regions where Amazon Verified Permissions is supported with no additional charges beyond standard Verified Permissions pricing. To get started, follow the ExpressJS blog or visit the Verified Permissions GitHub repo.
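The pet store roles described above, written out as Cedar policies. This is an added example, not code from the package or the announcement, and the `PetStore` namespace, the role and action names, and the `PetStore::Pet` resource type are assumed rather than taken from a generated schema.

```cedar
// Constructed example: PetStore::Role, PetStore::Action and PetStore::Pet
// are assumed names, not the package's generated schema.

// Administrators get full access: no constraint on action or resource.
permit (
    principal in PetStore::Role::"Administrator",
    action,
    resource
);

// Customers are limited to view-only operations. Cedar is default-deny,
// so any action not listed here (create, update, delete) is refused.
permit (
    principal in PetStore::Role::"Customer",
    action in [PetStore::Action::"GetPet", PetStore::Action::"ListPets"],
    resource
);

// Extending permissions later is a new policy, not an application change:
// employees may read, create and update pets. DeletePet is simply not
// listed, so it remains denied for them.
permit (
    principal in PetStore::Role::"Employee",
    action in [
        PetStore::Action::"GetPet",
        PetStore::Action::"ListPets",
        PetStore::Action::"CreatePet",
        PetStore::Action::"UpdatePet"
    ],
    resource is PetStore::Pet
);

// A forbid policy overrides every permit that matches, so this makes the
// "only administrators delete" rule explicit even if a broader permit is
// added later by mistake.
forbid (
    principal,
    action == PetStore::Action::"DeletePet",
    resource
) unless {
    principal in PetStore::Role::"Administrator"
};
```

With the middleware in place, each incoming request is mapped to a principal, action and resource and evaluated against these policies by Verified Permissions; a request that matches no permit, or matches any forbid, is rejected before the route handler runs.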

AWS Marketplace now provides an enhanced selling authorization experience for Independent Software Vendors

AWS Marketplace helps Independent Software Vendors (ISVs) manage their AWS Marketplace Channel Partner relationships through selling authorizations, allowing channel partners to resell ISV products. Starting today, ISVs can access an enhanced selling authorization experience through the AWS Marketplace Management Portal. This update streamlines the process, making it more efficient to manage channel operations.

The redesigned experience offers ISVs a step-by-step guide for creating and managing selling authorizations for their channel partners, with the ability to save progress and resume later. The authorization process has been simplified by combining granular sections and reducing the number of required steps. The "Partners" tab has been renamed to "Selling authorizations" and the interface now aligns with the private offer experience. Additionally, the authorization table has been revamped with a consolidated status field for improved tracking. Together, these enhancements streamline the selling process through channel partners, making it more efficient for ISVs to scale their channel sales and accelerate business growth through AWS Marketplace.

These features are available in all AWS Regions where AWS Marketplace is available for ISVs selling software-as-a-service (SaaS), Amazon Machine Images (AMI), professional services, and container products in AWS Marketplace. To learn more, visit the AWS Marketplace Seller Guide, or access the AWS Marketplace Management Portal to try the new capabilities.

Amazon EC2 M7g instances are now available in additional regions

Starting today, Amazon Elastic Compute Cloud (Amazon EC2) M7g instances are available in the AWS Africa (Cape Town) and AWS Asia Pacific (Hong Kong) Regions. These instances are powered by AWS Graviton3 processors that provide up to 25% better compute performance compared to AWS Graviton2 processors, and are built on top of the AWS Nitro System, a collection of AWS-designed innovations that deliver efficient, flexible, and secure cloud services with isolated multi-tenancy, private networking, and fast local storage.

Amazon EC2 Graviton3 instances also use up to 60% less energy for the same performance than comparable EC2 instances, reducing your cloud carbon footprint. For increased scalability, these instances are available in 9 different instance sizes, including bare metal, and offer up to 30 Gbps networking bandwidth and up to 20 Gbps of bandwidth to the Amazon Elastic Block Store (EBS). To learn more, see Amazon EC2 M7g. To explore how to migrate your workloads to Graviton-based instances, see AWS Graviton Fast Start program and Porting Advisor for Graviton. To get started, see the AWS Management Console.

AWS Lambda now supports SnapStart for Python and .NET functions in 23 additional regions

Starting today, you can use AWS Lambda SnapStart for your Python and .NET functions in 23 additional AWS Regions. Lambda SnapStart is an opt-in capability that delivers faster startup performance, from several seconds to as low as sub-second. SnapStart makes it easier for you to build highly responsive and scalable applications without provisioning resources or implementing complex performance optimizations.

For latency-sensitive applications that support unpredictable bursts of traffic, high startup latencies—known as cold starts—can cause delays in your users' experience. Lambda SnapStart can improve startup times by initializing the function's code ahead of time, taking a snapshot of the initialized execution environment, and caching it. When the function is invoked and subsequently scales up, Lambda SnapStart resumes new execution environments from the cached snapshot instead of initializing them from scratch, significantly improving startup latency. Lambda SnapStart is ideal for applications such as synchronous APIs, interactive microservices, data processing, and ML inference. With today's launch, you can use AWS Lambda SnapStart for Python and .NET in 23 additional AWS Regions: Africa (Cape Town), Asia Pacific (Hong Kong, Seoul, Osaka, Mumbai, Jakarta, Hyderabad, Melbourne, Malaysia, Thailand), Canada (Central, West), Europe (Zurich, Milan, Spain, London, Paris), Israel (Tel Aviv), Middle East (UAE, Bahrain), Mexico (Central), South America (São Paulo), and US West (N. California). You can activate SnapStart for new or existing Lambda functions running on Python 3.12 (and newer) and .NET 8 (and newer) using the AWS Lambda API, AWS Management Console, AWS Command Line Interface (AWS CLI), AWS CloudFormation, AWS Serverless Application Model (AWS SAM), AWS SDK, and AWS Cloud Development Kit (AWS CDK). For more information, see the Lambda SnapStart documentation, or the launch blog post.

To learn more about pricing for SnapStart on Python and .NET, visit AWS Lambda Pricing.

AWS Shield introduces network security director (preview)

Today, AWS Shield announces the preview of network security director, a new capability that provides visibility into the AWS resources in your network, identifies missing or misconfigured network security services, and recommends remediation steps. As threats continue to evolve, AWS Shield has expanded its capabilities beyond DDoS protection to help you easily identify resources requiring network and application protection and correctly secure them.

With network security director, AWS Shield helps you simplify network security management in three ways. First, it provides visibility into your network topology, which shows you the resources in your account and how they are connected to each other and the Internet. It discovers enabled AWS network security services, such as AWS WAF, VPC security groups, and VPC network access control lists (NACLs), and determines how well they are configured relative to AWS best practices and threat intelligence. Second, AWS Shield helps you quickly identify which missing or misconfigured firewalls require your immediate attention by showing you network security findings on your resources, prioritized by severity level.

Lastly, for each finding, you can view actionable remediation recommendations to correctly implement or update the configuration of the network security services you use. Easily get answers, in natural language, to questions about your network security configurations from AWS Shield network security director within Amazon Q Developer in the AWS Management Console and chat applications. For example, you can ask "Are any of my Internet-facing resources vulnerable to DDoS?", and Amazon Q shows relevant network security findings on specific resources with recommended remediation steps. This capability is available during preview at no additional cost in select AWS Regions: US East (N. Virginia) and Europe (Stockholm). Amazon Q Developer's capability to analyze network security configurations is available in preview in US East (N. Virginia). To learn more, visit the overview page.

Introducing AWS Security Hub for risk prioritization and response at scale (Preview)

AWS announces an enhanced AWS Security Hub to prioritize your critical security issues and help respond at scale to reduce security risks, improve your team's productivity, and protect your cloud environment. It detects critical issues by correlating and enriching security signals, for example, from threat detection and vulnerability management. This enables you to quickly surface and prioritize active risks in your cloud environment. The unified solution provides more comprehensive visibility into your security posture while reducing the complexity of manually piecing together information from multiple security tools.

Security Hub transforms correlated security signals into actionable insights through intuitive visualizations and contextual analytics, helping you identify critical patterns and trends and centralize security operations in your environment. For example, it detects and correlates scenarios where publicly exposed resources with highly exploitable vulnerabilities have access to storage with sensitive data. These insights provide enhanced risk context so you can make more informed decisions and take immediate action on security issues. Enhanced capabilities include exposure findings, security-focused asset inventory, attack path visualization, and automated response workflows with ticketing system integration. This centralized management enables streamlined remediation at scale while helping you minimize potential operational disruptions.

For more information about AWS Regions where Security Hub is available, see the AWS Region table. You can enable Security Hub for individual accounts or across your entire AWS Organization with centralized deployment and management. The service integrates with existing AWS security capabilities including Amazon GuardDuty, Amazon Inspector, AWS Security Hub CSPM, and Amazon Macie, providing a more comprehensive security posture without additional operational overhead.

To learn more about the enhanced Security Hub and join the Preview, visit the AWS Security Hub console or the AWS Security Hub product page.

Amazon GuardDuty Extended Threat Detection now supports Amazon EKS

Today, AWS announces further enhancements to Amazon GuardDuty Extended Threat Detection. This capability now includes coverage for multi-stage attacks targeting Amazon Elastic Kubernetes Service (EKS) clusters in your AWS environment. GuardDuty correlates multiple security signals across Amazon EKS audit logs, runtime behavior of processes, malware execution, and AWS API activity to detect sophisticated attack patterns that might otherwise go unnoticed. These new attack sequence findings cover multiple resources and data sources over an extensive time period, allowing you to spend less time on first-level analysis and more time responding to critical severity threats, thereby minimizing business impact.

GuardDuty Extended Threat Detection uses artificial intelligence and machine learning algorithms trained at AWS scale to automatically correlate security signals to detect critical threats. For example, it can identify an anomalous deployment of a privileged container followed by persistence attempts, crypto mining, and reverse shell creation, representing these related events as a single, critical-severity finding. You can then take action based on a new attack sequence finding type of critical severity. Each finding includes an incident summary, a detailed events timeline, mapping to MITRE ATT&CK® tactics and techniques, and remediation recommendations.

This capability is automatically enabled for all GuardDuty customers at no additional cost in all Regions where GuardDuty is available. To detect attack sequences involving Amazon EKS clusters, you must enable GuardDuty EKS Protection, and GuardDuty recommends also enabling GuardDuty Runtime Monitoring for EKS for more comprehensive security coverage. Take action on findings directly from the GuardDuty console or via integrations with AWS Security Hub and Amazon EventBridge.

To get started, visit the Amazon GuardDuty product page or try GuardDuty free for 30 days on the AWS Free Tier.

AWS IAM now enforces MFA for root users across all account types

Today AWS Identity and Access Management (IAM) announced comprehensive multi-factor authentication (MFA) requirements for root users across all account types, with the expansion to member accounts. The new MFA enforcement marks a significant milestone in our ongoing commitment to secure-by-design principles, setting a high bar for our customers' default security posture and building upon our previous security enhancements. Our security journey began with requiring MFA for AWS Organizations management account root users in May 2024, followed by expanding MFA requirements to standalone account root users in June 2024, and introducing centralized root access management for AWS Organizations in November 2024.

IAM helps you securely manage identities and control access to AWS services and resources. MFA is a security best practice in IAM that requires a second authentication factor in addition to the user name and password sign-in credentials. MFA is available at no additional cost and prevents over 99% of password-related attacks. You can use a range of supported IAM MFA methods, including FIDO-certified security keys, to harden access to your AWS accounts. AWS supports FIDO2 passkeys for a user-friendly MFA implementation and allows customers to register up to 8 MFA devices per root and IAM user. For AWS Organizations customers, we recommend centralizing account access management through the management account and removing root user credentials from member accounts, which represents an even stronger security posture. To learn more:

Root user MFA guide

Centralized root access

Introducing the reimagined AWS MSSP Competency

Introducing the updated AWS MSSP Competency (previously AWS Level 1 MSSP Competency) for partners with turn-key security solutions that transform how organizations approach cloud security. The update includes new categories to validate Partners' security expertise in specific domains including Infrastructure Security, Workload Security, Application Security, Data Protection, Identity & Access Management, Incident Response, and Cyber Recovery. These categories validate service partners' capabilities to deliver comprehensive security outcomes leveraging native AWS services and best-of-breed security tools.

Partners must meet core MSSP requirements and demonstrate expertise in at least one category through technical validation. Additionally, MSSP Competency Partners have the option to showcase how they integrate validated AWS Security Competency ISV solutions into their managed security services. This visibility helps AWS customers identify which MSSP Competency Partners can effectively manage their existing third-party security tools as part of a comprehensive security solution. To learn more about AWS-validated fully managed security solutions, visit the AWS MSSP Competency page and contact a partner to evaluate your security needs.

Amazon CloudFront streamlines CDN setup with smart defaults and automation

Amazon CloudFront introduces a new console experience that simplifies the delivery of secure, high-performance applications to users on the internet. Setting up a content delivery network (CDN) traditionally required deep expertise in CDN configurations, domain management, and security best practices. The new CloudFront console experience streamlines this entire process with a unified approach to content delivery and security. The new experience automatically provisions and manages DNS records with Amazon Route 53 and TLS certificates with AWS Certificate Manager (ACM). Users can now create a secure, optimized distribution in as little as 30 seconds, regardless of their CDN expertise level.

When creating a distribution, CloudFront now automatically applies optimized settings based on your specific origin type. For example, when serving static websites from Amazon S3, CloudFront automatically configures Origin Access Control to prevent direct bucket access, optimizes caching settings for improved performance, and enables recommended security settings - all without requiring you to understand the underlying technical details of these components. This new onboarding experience makes it easier for you to leverage AWS' global edge network, reduce latency for your end users, and enhance the security posture of your applications. The new experience is available globally at no additional cost. To get started with the new CloudFront experience, visit the Amazon CloudFront console or check out our documentation.

IAM Access Analyzer now identifies who in your AWS organization can access your AWS resources

AWS Identity and Access Management (IAM) Access Analyzer now identifies who within your AWS organization has access to your Amazon S3, Amazon DynamoDB, or Amazon Relational Database Service (RDS) resources. It uses automated reasoning to evaluate all identity policies, resource policies, service control policies (SCPs), and resource control policies (RCPs) to surface all IAM users and roles that have access to your selected critical resources.

After the new internal access analyzer is enabled in the IAM console, the analyzer monitors your selected resources daily, and surfaces findings in a unified dashboard. The updated dashboard combines internal and external access findings to provide a 360-degree view of all access granted to your critical resources. Security teams can respond to new findings in two ways: taking immediate action to fix unintended access, or setting up automated notifications through Amazon EventBridge to engage development teams for remediation. Internal access findings provide security teams the visibility to strengthen access controls on their critical resources and help compliance teams demonstrate access control audit requirements. Internal access findings are available in all AWS commercial Regions. To learn more about IAM Access Analyzer internal access findings:

Read the AWS news blog post

Review the pricing page

Visit the IAM Access Analyzer documentation

AWS Certificate Manager introduces public certificates you can use anywhere

AWS Certificate Manager (ACM) announces exportable public certificates that you can use on any workload that requires a public TLS certificate, whether within AWS or outside. With this release, you can issue public certificates that you can export, together with the certificate’s private key, to terminate TLS on any compute workload, including EC2 instances, containers, or on-premises hosts.

ACM customers can now affordably issue, manage, and automate public certificates for AWS, hybrid, or multicloud workloads. Previously, ACM-issued public certificates could only be used with integrated AWS services, such as Amazon CloudFront. Now, when requesting a certificate, you can mark it as exportable for use outside of integrated services as well. Certificates are issued within seconds once you complete the required domain validation, which proves that you are authorized to receive the certificate. Exportable public certificates are valid for 395 days and cost $15 per FQDN and $149 per wildcard name. You don’t need to sign up for bulk issuance contracts, and you pay once for the lifetime of the certificate. Network and security administrators can monitor and automate the use of these certificates through ACM’s certificate lifecycle CloudWatch events. Security is a top priority within AWS: public certificates issued prior to this launch cannot be exported, and AWS administrators can use IAM policies to control which roles and users may request exportable public certificates. The feature is available in all Regions where ACM is available, including the AWS GovCloud (US) and China Regions. Learn more about this feature here.
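The announcement says administrators can use IAM policies to control who may request exportable public certificates. The policy below is an added illustration, not taken from the ACM documentation: it denies requesting an exportable certificate, and exporting any certificate’s private key, to every principal except one designated operator role. The `acm:ExportCertificate` action is the existing API call that returns a private key; the `acm:Export` condition key with value `ENABLED` and the role ARN are assumptions for illustration, so confirm the condition key name against the current ACM IAM reference before deploying.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestingExportableCertsExceptOperators",
      "Effect": "Deny",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "acm:Export": "ENABLED" },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/CertExportOperators"
        }
      }
    },
    {
      "Sid": "DenyPrivateKeyExportExceptOperators",
      "Effect": "Deny",
      "Action": "acm:ExportCertificate",
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/CertExportOperators"
        }
      }
    }
  ]
}
```

Attach it as a service control policy or alongside broad identity policies; because an explicit Deny always wins, the operator role still needs its own Allow for `acm:RequestCertificate` and `acm:ExportCertificate`, and every export of a private key will appear in CloudTrail under that single role.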

AWS Network Firewall launches support for active threat defense

AWS Network Firewall now offers active threat defense, a new security feature that helps you protect your Amazon Virtual Private Cloud (VPC) workloads against threat activity observed across AWS global infrastructure, using Amazon threat intelligence.

AWS Network Firewall with active threat defense provides automated, intelligence-driven protection against dynamic, ongoing threat activity observed across AWS infrastructure. Once enabled, you can configure the managed rule group in your firewall policy to automatically block suspicious traffic, such as command-and-control (C2) communication, embedded URLs, and malicious domains. The feature keeps protection current by continuously updating the rules from observed threat activity. AWS Network Firewall also offers improved visibility for the active threat defense rule group, allowing you to see the indicator groups, types, and threat names you’re protected against. If you are also an Amazon GuardDuty customer, related threat intelligence findings are marked with the threat list name “Amazon Active Threat Defense” going forward; these threats can be blocked automatically by using the active threat defense managed rule group on AWS Network Firewall. To get started with AWS Network Firewall with active threat defense, visit the AWS Network Firewall console or refer to our documentation. This feature is supported in all AWS Regions where AWS Network Firewall is available today, including the AWS GovCloud (US) Regions and China Regions. For more information about AWS Network Firewall and its features, visit the AWS Network Firewall product page.

AWS Blogs

AWS Japan Blog (Japanese)

AWS News Blog

AWS Open Source Blog

AWS Database Blog

Artificial Intelligence and Machine Learning

AWS Security Blog

AWS Storage Blog

Open Source Project

AWS CLI

Amplify for JavaScript

Amplify for Flutter

Amazon Chime SDK for Android