All news with #aws lambda tag

Thu, November 20, 2025

Updating CRLs Privately with AWS Private CA and VPC Delivery

🔒 This AWS Security post explains two approaches to make certificate revocation lists (CRLs) available only to internal systems without exposing the S3 CRL bucket to the public internet. The first approach relocates CRLs by using a custom CDP CNAME and an EventBridge‑triggered Lambda that copies generated CRLs from the ACM Private CA S3 bucket to an internal store, with SNS notifications and example Python code. The second approach confines CRL retrieval inside AWS by using a VPC Gateway S3 endpoint, tightly scoped S3 bucket policies, and private Route 53 DNS so CRLs are resolvable and retrievable only from within the VPC.

Thu, November 20, 2025

AWS CloudTrail Insights Adds Data-Event Anomaly Detection

🔍 AWS CloudTrail Insights now analyzes data events as well as management events, automatically detecting anomalies in data access patterns such as unexpected surges in S3 delete calls or increased Lambda error rates. When unusual activity is found, CloudTrail generates an Insights event that includes the relevant data events and can trigger alerts for rapid investigation. The capability is available in all regions where CloudTrail is offered; additional charges apply for data-event Insights.

Wed, November 19, 2025

Amazon API Gateway Enables Progressive Response Streaming

⚡ Amazon API Gateway now progressively streams response payloads to clients as data becomes available, removing the need to buffer complete responses before transmission. The capability works with streaming-capable backends including Lambda functions, HTTP proxy integrations, and private integrations. Benefits include improved time-to-first-byte, integration timeouts extended to 15 minutes, and support for payloads larger than 10 MB. Generative AI and media-serving applications will particularly benefit, and the feature is available across all AWS Regions including GovCloud.

Wed, November 19, 2025

Amazon FSx Adds File Server Resource Manager Support

🗂️ Amazon FSx for Windows File Server now supports File Server Resource Manager (FSRM), enabling file classification, file screening, folder-level quotas, and storage reporting for managed Windows file systems. FSRM events can be published to Amazon CloudWatch Logs or streamed to Amazon Kinesis Data Firehose and used to trigger AWS Lambda for automated responses and workflows. The capability is available today at no additional cost for new file systems across all Regions where FSx is offered; existing file systems will gain support during a scheduled maintenance window.

Wed, November 19, 2025

AWS Lambda Introduces Tenant Isolation Mode for Multi-Tenant

🔒 AWS announced a new tenant isolation mode for AWS Lambda, enabling customers to isolate request processing per tenant or end-user invoking the same function. By providing a unique tenant identifier on invocation, Lambda routes requests to execution environments dedicated to that tenant and ensures those environments are never used for other tenants. This simplifies building multi-tenant SaaS workloads and reduces the need for custom per-tenant function routing.

Tue, November 18, 2025

Automating Session Manager Preferences with CloudFormation

🔐 This post explains how to centrally manage AWS Systems Manager Session Manager preferences across multiple accounts and Regions using CloudFormation StackSets and an AWS Lambda function. The solution automates updates to the SSM-SessionManagerRunShell document, provisions optional logging destinations (Amazon S3 or CloudWatch Logs), and can create KMS keys for session and log encryption. It aims to reduce manual configuration errors and ensure consistent security and compliance at scale.

Tue, November 18, 2025

AWS Lambda Adds Python 3.14 Managed Runtime Support

🔔 AWS Lambda now supports Python 3.14 for both managed runtimes and as a container base image. AWS will automatically apply updates to the managed runtime and base image as they become available, reducing maintenance overhead. The runtime is available in all Regions, including AWS GovCloud (US) and China Regions, and is supported for Lambda@Edge in applicable Regions. Developers can deploy using the Lambda console, AWS CLI, AWS SAM, AWS CDK, and CloudFormation, and Powertools for AWS Lambda (Python) also supports Python 3.14.

Mon, November 17, 2025

EC2 Image Builder Adds Lambda and Step Functions Integration

🚀 EC2 Image Builder now supports invoking AWS Lambda functions and executing Step Functions state machines directly within image workflows. This native integration lets teams embed custom logic, multi-step orchestration, and validation into image builds without bespoke glue code. It simplifies compliance checks, notifications, and multi-stage security testing while reducing maintenance and error-prone workarounds. The capabilities are available at no additional cost across all AWS regions, including China and GovCloud, and can be used via Console, CLI, API, CloudFormation, or CDK.

Fri, November 14, 2025

AWS Lambda Provisioned Mode for SQS Event-Source Mappings

🔔 AWS Lambda now offers Provisioned Mode for SQS event-source mappings (ESMs), letting you provision persistent event pollers to handle sudden traffic spikes. Provisioned ESMs scale up to 3x faster (up to 1,000 concurrent executions/min) and support up to 16x higher concurrency (up to 20,000 concurrent executions), reducing latency for bursty workloads. The feature is generally available in all AWS Commercial Regions and is configurable via the Console, API, CLI, SDK, CloudFormation, and SAM; billing is by Event Poller Units (EPU).

Fri, November 14, 2025

AWS Lambda Announces General Availability of Rust Support

🚀 AWS has declared Rust support in AWS Lambda Generally Available, promoting the runtime out of its prior experimental status and making it suitable for production workloads. The GA release is backed by AWS Support and the Lambda SLA and is available in all AWS Regions, including GovCloud (US) and China. Rust on Lambda delivers high performance, memory efficiency, and compile-time safety for serverless functions. Developers can now build business-critical serverless applications in Rust while leveraging Lambda's event integrations, fast scaling from zero, automatic patching, and usage-based pricing.

Fri, November 14, 2025

AWS Lambda Supports Java 25 for Serverless Applications

🚀 AWS Lambda now supports Java 25, using the latest long‑term support distribution from Amazon Corretto. The runtime is available as a managed runtime and as a container base image, and AWS will automatically apply updates to each as they are released. The release introduces new language features and performance improvements, including Ahead‑of‑Time caches and adjusted tiered compilation defaults. Lambda SnapStart and Powertools for AWS Lambda (Java) support Java 25, and the runtime is available in all Regions, including GovCloud (US) and China.

Thu, November 6, 2025

CloudWatch Application Signals Now in AWS GovCloud

🔒 CloudWatch Application Signals is now available in AWS GovCloud (US-East) and AWS GovCloud (US-West), extending automated application observability to government and regulated workloads. The service automatically collects telemetry from Amazon EC2, Amazon ECS, Amazon EKS and AWS Lambda to provide real-time health, dependency visualization and anomaly detection. By eliminating manual instrumentation, it helps teams meet compliance and monitoring requirements while improving incident detection and resolution. For pricing and setup, consult the CloudWatch pricing page and Application Signals documentation.

Thu, October 30, 2025

AWS Serverless MCP Server Adds ESM Tools for Lambda

🔧 The AWS Serverless Model Context Protocol (MCP) Server now includes specialized tools to configure and manage AWS Lambda event source mappings (ESM), combining AI assistance with ESM expertise. The new toolset—comprising the ESM guidance tool, the ESM optimization tool, and an ESM Kafka troubleshooting tool—translates high-level throughput, latency, and reliability requirements into concrete ESM configurations and generates optimized AWS SAM templates. It also validates VPC network topology for VPC-based event sources and diagnoses common ESM issues to streamline setup, tuning, and troubleshooting workflows.

Tue, October 28, 2025

Amazon Kinesis Data Streams: Record Size Raised to 10MiB

📣 Amazon Web Services has increased the maximum record size for Kinesis Data Streams from 1MiB to 10MiB and doubled the maximum PutRecords request size to 10MiB. You can update a stream's maximum record size to 10MiB via the AWS Management Console or the UpdateMaxRecordSize API using the AWS SDK or CLI, and continue using existing Kinesis APIs to publish and consume larger records. AWS Lambda now supports Kinesis payloads up to 6MiB; there are no additional charges beyond standard Kinesis fees. The feature is available in supported regions and AWS provides documentation describing region coverage and downstream handling guidance.

Fri, October 24, 2025

AWS Lambda ups asynchronous payload limit to 1 MB today

🚀 AWS has increased the maximum payload size for AWS Lambda asynchronous invocations from 256 KB to 1 MB. This change lets customers deliver richer, complex events—such as LLM prompts, telemetry batches, or detailed JSON outputs—without splitting, compressing, or externalizing data. The increase is generally available in all AWS Commercial and AWS GovCloud (US) Regions and can be used via the Lambda invoke API. Billing counts 1 request for the first 256 KB and an additional request per 64 KB chunk beyond that up to 1 MB.

Wed, September 24, 2025

AWS Lambda Code Signing Now Available in GovCloud Regions

🔐 AWS Lambda now supports code signing in AWS GovCloud (US-West and US-East) through the managed AWS Signer service. Lambda validates signatures at deployment to ensure code has not been altered and that it originates from trusted signers. Administrators can create Signing Profiles, bind allowed profiles to functions, and configure whether failed signature checks produce warnings or reject deployments. Access and permissions are controlled via IAM, and there is no additional charge to use this capability.

Tue, September 23, 2025

Defense-in-Depth: Building an AWS Control Framework

🔒 This post outlines a practical, layered approach to reduce risk in AWS by moving beyond detective-only controls to a comprehensive defense‑in‑depth control framework. It recommends combining preventative, proactive, detective, and responsive controls across the resource lifecycle and illustrates how AWS services such as AWS Control Tower, AWS Organizations, Security Hub, and AWS Config enable that strategy. The guidance covers concrete patterns—from SCPs, RCPs and policy‑as‑code in CI/CD to automated remediation via Lambda and Systems Manager—to scale governance, reduce findings, and shorten remediation time.

Mon, September 22, 2025

Automating Security Hub Exceptions with Business Context

🔒 This post describes an automated approach to validate and document exceptions to AWS Security Hub findings, enabling security teams to enforce governance while developers request and implement compensating controls. The solution leverages EventBridge, SQS, Lambda, and DynamoDB to validate controls, collect evidence, and maintain an immutable audit trail. It preserves segregation of duties, supports multiple validation types, and includes deployment scripts and CloudFormation templates. The authors emphasize the reference architecture is a starting point and must be reviewed and adapted before production use.

Wed, September 17, 2025

AWS Lambda: Cross-Account Container Images in GovCloud

🚀 AWS Lambda now supports creating or updating functions using container images stored in an Amazon ECR repository in a different AWS account within GovCloud Regions. This removes the previous need to copy images into a local ECR repo and streamlines centralized image management and CI/CD workflows. Administrators must grant the Lambda resource and the Lambda service principal the necessary cross-account permissions.

Wed, September 17, 2025

Automating OIDC Client Secret Rotation for ALB on AWS

🔁 This AWS blog demonstrates how to automate OIDC client secret rotation for Application Load Balancer authentication using AWS Secrets Manager, AWS Lambda, and Amazon EventBridge. The solution securely stores IdP credentials (Auth0 in the example), schedules a Lambda handler to fetch and compare tokens, and updates Secrets Manager and ALB listener rules when changes occur. It reduces manual effort, limits plaintext credential exposure, and adds monitoring via CloudWatch alarms.
