AWS releases

Amazon Web Services releases and Terraform AWS provider. New features, breaking changes, security advisories and deprecations - each summarised in plain English and updated continuously.

Tracking 284 AWS releases · Updated

  • AWS What's New · ai · security · aws · engineer

    AWS Secrets Manager adds secret safety skill to Agent Toolkit

    AWS Secrets Manager now includes a secret safety skill within the Agent Toolkit for AWS's aws-core plugin, enhancing security for AI coding agents. This feature prevents sensitive secrets from being exposed to AI models or session logs during agentic workflows. It is available today for all supported agent harnesses and AWS Regions, offering a crucial security upgrade for developers building on AWS.

    feature
  • AWS What's New · ai · security · aws · preview · engineer

    AWS Security Agent adds AI-powered threat modeling

    AWS Security Agent now offers AI-powered threat modeling to automatically generate threat models for applications. This feature analyzes design documents or source code, identifies threats using the STRIDE framework, and suggests mitigations, reducing manual effort and specialized expertise requirements. Available in public preview for all AWS Security Agent regions, it integrates with IDEs and can be used by developers and security teams.

    feature announcement
  • AWS What's New · ai · security · aws · engineer

    AWS Security Agent adds Kiro, Claude Code, and simulated validation

    AWS Security Agent, now part of AWS Continuum, has added support for Kiro and Claude Code, allowing developers to run security scans from their IDE. The agent now simulates exploits in a sandbox to validate findings, reducing false positives and prioritizing remediation. New integrations with GitLab, GitHub Enterprise, Bitbucket, and Confluence are also included, enhancing its utility for development teams.

    feature
  • AWS What's New · ai · security · aws · engineer

    Amazon Bedrock AgentCore adds Guardrails for AI agent safety

    Amazon Bedrock AgentCore now integrates with Bedrock Guardrails, enhancing safety and security for AI agents in production by providing real-time defense against prompt injection and data exposure. This feature offers centralized enforcement outside agent code, with logging via AgentCore observability, and is available in select AWS regions. It requires no new infrastructure and uses consumption-based pricing for policy evaluations.

    feature
  • AWS What's New · security · aws · preview · engineer

    AWS Continuum for rapid security risk management announced

    AWS announced AWS Continuum, a new service designed to discover, prioritize, validate, and remediate security risks at machine speed within defined guardrails. This aims to shift security teams from manual triage to strategic oversight by automating the post-discovery vulnerability lifecycle, including prioritization, exploitability validation, and remediation. The service is available in a gated preview and integrates with existing AWS security tools.

    feature announcement
  • AWS What's New · security · aws · engineer

    AWS Sign-in Supports Resource-Based and Control Policies

    AWS Sign-in now allows resource-based policies (per account) and resource control policies (organization-wide) to restrict console access to specific networks. This enhancement, which can be combined with Private Access, helps organizations better manage security and compliance by controlling sign-in origins and accessible accounts. These features are available at no additional cost in all commercial AWS Regions.

    feature
  • AWS What's New · security · governance · aws · healthcare · finance · government

    AWS Management Console Private Access enhances VPC connectivity without internet

    AWS Management Console Private Access now allows customers to access the AWS Console from VPCs without internet connectivity, improving network security for air-gapped environments. This enhancement, which leverages AWS PrivateLink, is particularly beneficial for regulated industries like finance, government, and healthcare, and enterprises with stringent security needs. The capability is available in all AWS commercial regions, with costs based on PrivateLink VPC endpoint usage.

    feature
  • AWS What's New · security · aws · preview · engineer

    Route 53 Resolver DNS Firewall adds Palo Alto Networks Advanced DNS Security (Preview)

    Amazon Route 53 Resolver DNS Firewall now offers Palo Alto Networks Advanced DNS Security in preview, allowing administrators to enforce threat protections directly within Route 53 rules. This integration simplifies security operations by eliminating the need for separate firewalls and provides unified threat protection across AWS and on-premises environments. Customers can subscribe to PANW threat intelligence through the AWS Marketplace within the Route 53 console. The feature is available in preview across several AWS regions.

    feature announcement
  • AWS What's New · security · infra · aws · engineer

    AWS Workload Credentials Provider automates certificate and secret distribution

    AWS has released the Workload Credentials Provider, a new client-side tool that automates the deployment and caching of certificates from AWS Certificate Manager (ACM) and secrets from AWS Secrets Manager. This simplifies certificate renewal management, especially with shorter certificate lifetimes mandated by the CA/B Forum, and unifies secret and certificate distribution across cloud and on-premises workloads. The provider is open source, available for Windows and Linux, and supports common web servers, aiming to prevent expiry-related failures for users.

    feature announcement
  • AWS What's New · security · aws · engineer

    Amazon Cognito adds multi-Region replication for identity data

    Amazon Cognito now supports multi-Region replication, allowing near real-time synchronization of user and machine identity data to a secondary user pool. This enhances authentication system resilience by enabling failover to a standby Region during disruptions, ensuring continuous application access for users. The feature is available as an add-on for Essentials or Plus tiers and is accessible in numerous AWS Regions globally.

    feature
  • AWS What's New · security · governance · aws · engineer

    AWS Config supports internal service-linked rules

    AWS Config now supports internal service-linked rules, allowing AWS services to evaluate resource configurations using managed rules. This feature enables integrated security and compliance capabilities by letting services like Security Hub deploy and manage rule evaluations, with results delivered at no charge to customers. These rules operate independently of customer-managed recorders, offering enhanced governance and auditing flexibility.

    feature
  • AWS What's New · security · aws · ga · architect

    Amazon QuickSight supports customer-managed encryption keys

    Amazon QuickSight now allows customers to encrypt their data using their own AWS Key Management Service (KMS) keys. This provides enhanced security control and audit capabilities for organizations with strict compliance needs, enabling them to manage encryption for their business intelligence data. The feature is generally available and requires keys to be in the same AWS account and region as QuickSight resources, supporting only symmetric KMS keys.

    feature patch
  • AWS What's New · security · governance · aws · engineer

    SageMaker Unified Studio supports IAM permissions boundaries

    Amazon SageMaker Unified Studio now supports custom IAM permissions boundaries for roles provisioned with new projects. This allows organizations enforcing Service Control Policies (SCPs) to adopt SageMaker without altering security postures. Administrators can specify a permissions boundary in the Tooling blueprint, automatically applying it to all new project roles, enhancing control and simplifying compliance.

    feature
  • AWS What's New · security · aws · ga · engineer · retail

    Amazon Inspector improves agent-based EC2 scanning

    Amazon Inspector has launched the Inspector VM Scanner for agent-based EC2 instances, expanding vulnerability detection for applications like WordPress and Python packages. This new scanner also reduces CPU utilization during scans, minimizing impact on production workloads. Security teams benefit from this enhanced, more efficient scanning which brings agent-based coverage to parity with agentless methods. The update is available in all Inspector regions at no additional cost.

    feature
  • AWS What's New · security · aws · preview · engineer

    AWS Shield Advanced adds DDoS attack flow logs

    AWS Shield Advanced now offers DDoS attack flow logs, providing packet-level visibility into traffic during attacks. This feature aids forensic analysis and compliance by publishing detailed log data to S3, CloudWatch Logs, or Data Firehose. Available in all Shield Advanced regions, it requires protection with Shield Advanced and log delivery configuration.

    feature
  • AWS What's New · security · governance · infra · aws · engineer

    AWS Organizations adds CloudTrail events for account membership changes

    AWS Organizations now automatically emits CloudTrail events for accounts joining or leaving the organization. These new events, AccountJoinedOrganization and AccountDepartedOrganization, enhance visibility for security teams and administrators, aiding in the detection of unauthorized activities. The events provide details on how accounts joined or departed, along with timestamps, enabling real-time notifications and supporting use cases like fraud detection and security monitoring.

    feature
  • AWS What's New · security · infra · aws · engineer · media · government

    DynamoDB Streams adds PrivateLink for FIPS in AWS GovCloud

    Amazon DynamoDB Streams now supports AWS PrivateLink for FIPS endpoints in AWS GovCloud (US) Regions. This enhancement enables government agencies to establish private connectivity to DynamoDB Streams, enhancing security and simplifying network architecture. This allows for secure, real-time data streaming applications that meet federal compliance requirements. The feature is available in AWS GovCloud (US) and other select AWS Regions.

    feature announcement
  • AWS What's New · security · aws · engineer

    AWS Backup adds OTP verification for multi-party approval

    AWS Backup now requires one-time password (OTP) verification for multi-party approval actions on logically air-gapped vaults. This enhances security by ensuring only verified approvers authorize protected vault operations. The feature is automatically applied to all existing and new approval sessions for air-gapped vaults at no extra cost and requires no setup.

    feature security
  • AWS What's New · security · governance · aws · engineer

    GuardDuty Malware Protection adds S3 continuous backup scanning

    Amazon GuardDuty Malware Protection now supports S3 continuous backups, enabling malware scanning for recovery points. This feature allows users to identify clean points in time, verify recovery safety, and initiate restores with greater confidence. Support is available in all regions where GuardDuty Malware Protection is offered, accessible via the AWS Backup console, API, or CLI.

    feature
  • AWS What's New · security · aws · engineer

    AWS Security Agent generates scripts to verify pentest findings

    AWS Security Agent can now automatically generate scripts to reproduce penetration test findings. This feature allows security teams to independently validate discovered vulnerabilities, reducing manual effort and accelerating remediation. The scripts include setup instructions and are available in all supported AWS Regions.

    feature