All news with #aws tag
Thu, September 25, 2025
Preview Amazon S3 Tables Directly in the S3 Console
🔍 You can now preview Amazon S3 Tables directly in the S3 console without writing SQL. The console preview displays table schema, column types, and sample rows so you can quickly inspect structure and key data points without additional setup. Previews are available in all AWS Regions where S3 Tables are offered. You are charged only for the S3 requests used to read the sampled rows; consult S3 pricing and the S3 User Guide for details.
Thu, September 25, 2025
Amazon EC2 Allowed AMIs: New Parameters for Governance
🔒 Amazon EC2’s account-wide Allowed AMIs setting now supports four new parameters — marketplace codes, deprecation time, creation date, and AMI names — to tighten AMI discovery and usage controls. Previously limited to account IDs and owner aliases, administrators can now define additional criteria to block Marketplace images, filter out outdated AMIs, and enforce naming patterns. These parameters integrate with Declarative Policies and are available in all regions, including AWS China and AWS GovCloud (US), enabling centralized AMI governance across your organization.
Thu, September 25, 2025
Amazon RDS: PostgreSQL 18.0 Available in Public Preview
🆕 Amazon RDS for PostgreSQL 18.0 is now available in the RDS Database Preview Environment, enabling evaluation of new PostgreSQL capabilities within a fully managed sandbox. PostgreSQL 18.0 introduces multicolumn B-tree skip scan, improved WHERE handling for OR/IN conditions, parallel GIN builds, updated join behavior, and UUIDv7 support. The preview preserves instances for up to 60 days, restricts snapshots to the preview environment, and supports database import/export via dump/load; pricing follows the US East (Ohio) Region.
Wed, September 24, 2025
AWS Lambda Code Signing Now Available in GovCloud Regions
🔐 AWS Lambda now supports code signing in AWS GovCloud (US-West and US-East) through the managed AWS Signer service. Lambda validates signatures at deployment to ensure code has not been altered and that it originates from trusted signers. Administrators can create Signing Profiles, bind allowed profiles to functions, and configure whether failed signature checks produce warnings or reject deployments. Access and permissions are controlled via IAM, and there is no additional charge to use this capability.
Wed, September 24, 2025
AWS ARC Region Switch Now Available in New Zealand
🔁 Amazon Web Services has made the Application Recovery Controller Region switch feature available in the Asia Pacific (New Zealand) Region. Region switch lets teams orchestrate and execute cross-account and cross-Region recovery steps while providing real-time dashboards and consolidated data collection to support regulator and compliance reporting. The feature supports failover/failback for active/passive designs and shift-away/return for active/active architectures, and automatically replicates plans to all Regions where the application runs.
Wed, September 24, 2025
Amazon Route 53 Resolver Query Logging Now in NZ Region
🛰️ Amazon Route 53 Resolver Query Logging is now available in Asia Pacific (New Zealand). You can log DNS queries originating in VPCs to capture queried domain names, the AWS resources that issued the queries (including source IP and instance ID), and the responses received. Logs can be delivered to Amazon S3, CloudWatch Logs, or Amazon Data Firehose, and query logging configurations may be shared across accounts via AWS RAM. There is no additional Route 53 charge for enabling query logging, though storage and ingestion on the chosen destination may incur costs.
Wed, September 24, 2025
Pandoc SSRF Exploited to Target AWS IMDS, Steal EC2 Keys
🔒 Wiz has observed in-the-wild exploitation attempts of CVE-2025-51591, an SSRF flaw in Pandoc: Pandoc renders iframe tags, and a crafted iframe can direct it at the AWS Instance Metadata Service (IMDS). Attackers submitted crafted HTML aiming to access 169.254.169.254 to exfiltrate temporary IAM metadata and EC2 credentials. The attempts, seen from August and continuing for weeks, were blocked where IMDSv2 was enforced. Administrators should mitigate by using Pandoc's -f html+raw_html or --sandbox options, enforcing IMDSv2, and applying least-privilege roles.
Wed, September 24, 2025
Amazon EC2 Auto Scaling — Forced Immediate Cancel Feature
⚡ Amazon EC2 Auto Scaling now allows customers to force-cancel ongoing instance refreshes immediately by setting WaitForTransitioningInstances to false when calling the CancelInstanceRefresh API. The change bypasses waiting for in-progress launches, terminations, or instance lifecycle hooks, enabling rapid aborts of deployments during incidents or to roll forward to corrected releases. The capability is available in all AWS regions, including AWS GovCloud (US).
Wed, September 24, 2025
AWS removes network burst limits for I7i and I8g instances
🚀 Today AWS removed networking bandwidth burst duration limits for Amazon EC2 I7i and I8g instances larger than 4xlarge, doubling the network bandwidth available at all times for those sizes. Where instances previously relied on a network I/O credit mechanism to burst above a baseline, larger I7i and I8g instances can now sustain their maximum network performance indefinitely. The change delivers more predictable, uninterrupted throughput for memory- and network‑intensive workloads such as distributed databases, real‑time analytics and AI preprocessing; smaller sizes retain existing baseline-and-burst behavior.
Wed, September 24, 2025
Amazon GameLift Servers: Dallas Local Zone Launches
🎮 Amazon GameLift Servers now supports the new AWS Local Zone in Dallas, Texas (us-east-1-dfw-2), enabling fleets to deploy EC2 C6gn, C6i, C6in, M6g, M6i, M6in, M8g, and R6i instances. From the GameLift Servers Console you can enable the Dallas Local Zone and add it to your fleets like any other Region or Local Zone. This launch lets studios run latency-sensitive multiplayer, AR/VR, and tournament workloads closer to Dallas-area players for single-digit millisecond latency and improved responsiveness.
Tue, September 23, 2025
Optimize Security Operations with AWS Incident Response
🔒 AWS Security Incident Response provides an AWS-native incident management capability that combines automated triage, threat intelligence, and customer metadata to surface and prioritize genuine threats. The service integrates with Amazon GuardDuty, AWS Security Hub, and select third-party detections, and offers a unified console with 24/7 access to the AWS Customer Incident Response Team (CIRT). It supports delegated administration, organization-wide coverage, and immutable case timelines. Included with Amazon Managed Services (AMS), it accelerates investigation and containment to reduce mean time to resolution.
Tue, September 23, 2025
Amazon DataZone Now Available in Three Additional Regions
🔔 Amazon DataZone is now available in AWS Asia Pacific (Hong Kong), Asia Pacific (Malaysia), and Europe (Zurich) Regions. The fully managed Amazon DataZone service catalogs, discovers, analyzes, shares, and governs organizational data, integrating with AWS Glue Data Catalog and Amazon Redshift. Consumers can search, subscribe, and analyze assets using tools like Amazon Redshift and Amazon Athena from the DataZone portal. The service also underpins governance in the next generation of Amazon SageMaker to simplify discovery and secure access to data and models.
Tue, September 23, 2025
Defense-in-Depth: Building an AWS Control Framework
🔒 This post outlines a practical, layered approach to reduce risk in AWS by moving beyond detective-only controls to a comprehensive defense‑in‑depth control framework. It recommends combining preventative, proactive, detective, and responsive controls across the resource lifecycle and illustrates how AWS services such as AWS Control Tower, AWS Organizations, Security Hub, and AWS Config enable that strategy. The guidance covers concrete patterns—from SCPs, RCPs and policy‑as‑code in CI/CD to automated remediation via Lambda and Systems Manager—to scale governance, reduce findings, and shorten remediation time.
Tue, September 23, 2025
AWS License Manager Adds Shared Managed Active Directory
🔁 AWS License Manager now supports shared AWS Managed Active Directory across multiple AWS accounts, enabling centralized management of Microsoft product subscriptions. Customers can subscribe once in a single admin account and extend those subscriptions to directory consumer accounts across their AWS Organization. This reduces duplicate directories and IT overhead and is available in all commercial regions where License Manager user subscription is supported.
Tue, September 23, 2025
npm Supply-Chain Worm 'Shai-Hulud' Compromises Packages
🛡️ CISA released an alert about a widespread software supply chain compromise affecting the npm registry: a self-replicating worm called 'Shai-Hulud' has compromised over 500 packages. The actor harvested GitHub Personal Access Tokens and cloud API keys for AWS, Google Cloud, and Azure, exfiltrating them to a public repository and using them to publish malicious package updates. CISA recommends immediate dependency reviews, credential rotation, enforcing phishing-resistant MFA, pinning package versions to releases before Sept. 16, 2025, hardening GitHub settings, and monitoring for anomalous outbound connections.
Tue, September 23, 2025
ShadowV2 Botnet Targets Misconfigured AWS Docker Containers
⚠️ Researchers at Darktrace disclosed ShadowV2, a DDoS-focused botnet that exploits misconfigured Docker daemons on AWS EC2 instances to deploy a Go-based RAT and enlist hosts as attack nodes. The campaign uses a Python spreader to spawn an Ubuntu setup container, build a custom image, and run an ELF payload that checks in with a Codespaces-hosted C2. Operators leverage HTTP/2 Rapid Reset floods, a Cloudflare UAM bypass via ChromeDP, and a FastAPI/Pydantic operator API, signaling a modular DDoS-for-hire service.
Tue, September 23, 2025
Amazon RDS supports cross-Region and cross-account snapshots
🔁 Amazon RDS now supports single-step cross-Region and cross-account copying of snapshots for Amazon RDS and Amazon Aurora. This new capability eliminates the prior two-step process and removes the need for an intermediate snapshot, helping customers achieve tighter recovery point objectives while reducing storage and operational costs. The feature is available in all AWS Regions, including AWS China and AWS GovCloud (US), and can be used today via the AWS Management Console, AWS CLI, or AWS SDKs.
Tue, September 23, 2025
Amazon Connect: Custom Attributes for Interaction Segments
📞 Amazon Connect now lets administrators associate custom, predefined attributes with individual interaction segments. Attributes such as business unit, account type, or contact reason can be centrally managed and applied through contact flows or the UpdateContact API, ensuring each segment retains accurate business context during transfers and multi-party interactions. For example, engagements that start in Support and move to Sales keep distinct business unit names per segment. This capability strengthens reporting and analytics across the customer journey and is available in all AWS regions.
Tue, September 23, 2025
AWS Launches EC2 Instance Attestation for Trusted Instances
🔒 AWS announced general availability of EC2 instance attestation in September 2025, enabling customers to cryptographically verify that only trusted software and configurations run on EC2 instances, including those with AI chips and GPUs. The feature uses NitroTPM and Attestable AMIs to create and compare cryptographic measurements of AMI contents. It integrates with AWS KMS so key operations can be restricted to instances that pass attestation. EC2 instance attestation is available in all AWS Commercial Regions, including AWS GovCloud (US).
Tue, September 23, 2025
AWS IAM Identity Center Adds Customer-Managed KMS Keys
🔐 IAM Identity Center now supports customer-managed AWS KMS keys to encrypt workforce identity data, including user and group attributes. While AWS-owned keys remain the default, a customer-managed key (CMK) lets organizations control key lifecycle, policies, and usage permissions for stronger security and compliance. CMKs can be set when enabling a new organization instance or added to existing ones, and their usage is auditable via AWS CloudTrail. Support is available for access to accounts and select AWS applications across all IAM Identity Center regions; standard KMS charges apply.