Amazon Cognito now supports multi-Region replication, allowing user pool data — including credentials, configurations, and federation settings — to be synchronised to a standby Region in near real-time. This improves authentication resilience by enabling traffic failover during a regional outage without forcing users to re-authenticate. The feature is available as a paid add-on across most major AWS Regions.

Architect’s Take: Review your existing Cognito-based authentication architectures for single-Region dependencies and assess whether the Essentials or Plus tier add-on cost is justified by your RTO/RPO requirements. Ensure your incident response runbooks are updated to include Cognito traffic redirection procedures, and validate that federated identity providers (SAML/OIDC) are accessible from the secondary Region before declaring it ready for failover.

Original advisory: Amazon Cognito now supports multi-Region replication

AWS has introduced a new Lambda trigger for Amazon Cognito that allows developers to customise the federated sign-in process when users authenticate via external identity providers such as SAML, OIDC, or social logins. This enables teams to intercept and modify authentication flows at key points, such as attribute mapping or access decisions, without altering core Cognito configuration. The feature improves flexibility for organisations with complex identity federation requirements.

Architect’s Take: Review any existing custom authentication workarounds in your Cognito-integrated applications and assess whether this new trigger can consolidate or replace them — pay particular attention to how federated user attributes are mapped and validated, as improper handling here is a common source of privilege misassignment.

Original advisory: Customize federated sign-in with new Amazon Cognito Lambda trigger

AWS IoT Device Management has enhanced its connectivity status API to include detailed MQTT session data, such as session timeout and expiry values, plus optional socket-level details including IP addresses, ports, and VPC endpoint IDs. Unlike the IoT Core GetConnection API, which only retains data for 30 minutes post-disconnect, this API stores connection history indefinitely. This is useful for security auditing, forensic investigation of disconnect events, and monitoring connection patterns across large IoT fleets.

Architect’s Take: Review and tighten IAM policies controlling access to the new socket-level details (source/destination IPs, ports, VPC endpoint IDs), as this data could aid lateral movement reconnaissance if exposed to over-privileged roles. Use the indefinite data retention capability to feed IoT connectivity logs into your SIEM for anomaly detection and post-incident forensics.

Original advisory: AWS IoT Device Management adds MQTT session data to connectivity status API

AWS IoT Device Management has enhanced its connectivity status API to include detailed MQTT session data, such as session timeout and expiry values, plus optional socket-level details including IP addresses, ports, and VPC endpoint IDs. Unlike the AWS IoT Core GetConnection API, which only retains data for 30 minutes post-disconnect, this API stores connection history indefinitely, improving long-term auditability. Access to sensitive socket-level information is controlled via IAM policies, allowing organisations to limit visibility to authorised teams.

Architect’s Take: Review and tighten IAM policies governing access to the connectivity status API, particularly the socket-level data permissions, to ensure only operations and security teams have visibility into source/destination IPs and VPC endpoint IDs. Additionally, consider integrating the indefinite data retention capability into your IoT incident response and audit workflows to leverage historical disconnect data for forensic investigations.

Original advisory: AWS IoT Device Management adds MQTT session data to connectivity status API

AWS Step Functions now integrates with Amazon Bedrock AgentCore (currently in preview) to allow AI agent reasoning steps — such as document classification and data extraction — to be embedded directly into automated workflows. This enables multiple agents to run in parallel or sequence within a single workflow, with human approval gates and full audit trails via CloudWatch. For security teams, this introduces AI-driven decision-making into business-critical automation pipelines, expanding the attack surface and governance considerations.

Architect’s Take: Review IAM permissions granted to Step Functions execution roles that invoke AgentCore harnesses, ensuring least-privilege access and that per-invocation model/prompt overrides cannot be manipulated by untrusted inputs. Establish logging and alerting on CloudWatch agent turn details from day one, and apply human approval steps before any agent action with write or destructive permissions.

Original advisory: AWS Step Functions adds AgentCore-powered agentic reasoning step

AWS Step Functions now integrates with Amazon Bedrock AgentCore (currently in preview) to allow AI agent reasoning steps within automated workflows. This enables teams to embed LLM-based tasks such as document classification and data extraction directly into orchestrated pipelines, with parallel execution and human approval gates. Audit trails are available via CloudWatch, capturing agent inputs, outputs, and token usage.

Architect’s Take: Review IAM permissions granted to Step Functions execution roles that invoke AgentCore harnesses — ensure least-privilege policies are applied, particularly around model invocation and tool access. Treat human approval steps as a mandatory control for any agentic action with write or destructive scope, and validate that CloudWatch audit logging is enabled before promoting any AgentCore-integrated workflow to production.

Original advisory: AWS Step Functions adds AgentCore-powered agentic reasoning step

OpenAI’s GPT-5.4 model is now generally available on Amazon Bedrock within AWS GovCloud (US-West), extending access to government and regulated-industry customers. The deployment leverages Bedrock’s isolated inference infrastructure, ensuring prompts and responses remain within the customer’s AWS environment and are not used for model training. This expands the options available for sensitive workloads requiring complex reasoning and document analysis under strict compliance controls.

Architect’s Take: Evaluate data residency and access control policies before enabling GPT-5.4 for sensitive workloads — confirm that Bedrock resource policies, VPC endpoints, and CloudTrail logging are configured to meet your organisation’s compliance requirements, particularly if handling OFFICIAL-SENSITIVE or equivalent data in GovCloud.

Original advisory: OpenAI GPT-5.4 generally available on Amazon Bedrock in AWS GovCloud (US-West)

AWS has added three new execution blocks to Amazon Application Recovery Controller (ARC) Region switch, automating database scaling and failover for Aurora (serverless and provisioned) and Neptune global databases during multi-region failover events. Previously, teams had to manually right-size secondary clusters under incident pressure, adding critical minutes to recovery time. These new blocks remove that manual step, reducing recovery time and human error during regional outages.

Architect’s Take: Review your existing ARC Region switch plans and incorporate the new Aurora and Neptune execution blocks to eliminate manual scaling steps from your runbooks. This is particularly relevant if you run active-passive Aurora global database configurations with scaled-down secondary clusters, as automating right-sizing directly reduces your effective RTO.

Original advisory: ARC Region switch adds Amazon Aurora scaling and Amazon Neptune global database failover

AWS has added three new execution blocks to Amazon Application Recovery Controller (ARC) Region switch, automating database scaling and failover for Aurora (serverless and provisioned) and Neptune global databases during multi-region failover events. Previously, engineers had to manually right-size secondary clusters under incident pressure, adding precious minutes to recovery time. These new blocks remove that manual step, reducing recovery time and human error during outages.

Architect’s Take: Review your existing ARC Region switch runbooks and integrate the new Aurora and Neptune execution blocks to eliminate manual scaling steps from your recovery plans. This is particularly important if you run active-passive Aurora global database configurations with scaled-down secondaries, as automating right-sizing directly reduces your practical RTO and the risk of operator error during a live incident.

Original advisory: ARC Region switch adds Amazon Aurora scaling and Amazon Neptune global database failover

A critical remote code execution vulnerability (CVE-2026-23479) in Redis, introduced in version 7.2.0 over two years ago, has been patched following discovery by an autonomous AI-powered bug-hunting tool. The flaw is a use-after-free bug in Redis’s blocking-client handling code, allowing any authenticated user to execute arbitrary operating system commands on the host server. This is significant because Redis is widely deployed across cloud environments as a caching and data store layer, meaning exposure could lead to full host compromise.

Architect’s Take: Prioritise patching all Redis instances to the May 5 fixed release immediately, paying particular attention to managed Redis services (AWS ElastiCache, Azure Cache for Redis, GCP Memorystore) and self-hosted deployments — check with your vendors for patch availability. In the interim, enforce network segmentation and strict authentication controls to limit which services and users can reach Redis endpoints, reducing the authenticated-user attack surface.

Original advisory: Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

Amazon SageMaker Unified Studio has added localisation support for twelve languages, allowing the interface to display in the user’s preferred language based on browser settings or manual selection. This is a usability enhancement with no direct security implications. It is available across all AWS regions where SageMaker Unified Studio is supported.

Architect’s Take: No security action is required for this update. Architects should note that language localisation does not affect IAM permissions, domain configurations, or access controls — existing governance and access policies remain unchanged.

Original advisory: Amazon SageMaker Unified Studio now supports a localized experience in twelve languages

AWS Config has added support for nine new resource types spanning Amazon Bedrock, Bedrock AgentCore, and SageMaker. This means organisations can now track, audit, and enforce compliance rules against these resources automatically if they have enabled recording for all resource types. The expansion is particularly relevant as AI/ML workloads become a growing part of enterprise cloud environments.

Architect’s Take: Review your AWS Config recording settings to confirm these new resource types are being captured, and consider authoring or adapting Config rules to enforce security baselines — such as network isolation, encryption, and access controls — for the newly supported Bedrock and SageMaker resources before they proliferate across your environment.

Original advisory: AWS Config now supports 9 new resource types

Amazon ECS Managed Instances now supports AWS Trainium and Inferentia AI accelerator instance types, allowing teams to run ML training and inference workloads without managing the underlying EC2 infrastructure. A single task per instance is automatically allocated all accelerator resources via a NEURON_CORE configuration in the task definition. This is a feature release rather than a security event, though it expands the attack surface for ECS-based AI workloads.

Architect’s Take: Review IAM task roles and ECS task definitions for any new Trainium or Inferentia capacity providers to ensure least-privilege access; single-task-per-instance placement reduces noisy-neighbour risk but means a compromised container has full access to all Neuron cores, so container isolation and image provenance controls are critical.

Original advisory: Amazon ECS Managed Instances now supports AWS Trainium and AWS Inferentia

AWS IoT Core has introduced two new CloudWatch log event types: Ping logs for MQTT Keep-alive messages and Connection.AuthNError logs for failed authentication attempts. These logs help operators identify devices struggling to maintain connections and quickly diagnose certificate or credential failures across IoT fleets. This is an observability improvement rather than a security fix, but it meaningfully strengthens the ability to detect and respond to authentication anomalies.

Architect’s Take: Enable these new log event types in your AWS IoT Core logging configuration and consider creating CloudWatch Metric Filters or alarms on Connection.AuthNError events to surface potential credential misuse or certificate expiry issues proactively — particularly useful in large-scale fleets where silent authentication failures are easy to miss.

Original advisory: AWS IoT Core adds new logs to troubleshoot connectivity and authentication

AWS IoT Core has introduced two new CloudWatch log event types: Ping logs for MQTT keep-alive messages and Connection.AuthNError logs for failed authentication attempts. These additions give security and operations teams better visibility into device connectivity failures and credential or certificate issues across IoT fleets. This is a positive observability improvement rather than a vulnerability disclosure.

Architect’s Take: Enable event-level logging in AWS IoT Core and opt into both new event types immediately — feed Connection.AuthNError logs into your SIEM or CloudWatch alarms to detect potential credential stuffing or certificate misconfiguration across your IoT fleet at scale.

Original advisory: AWS IoT Core adds new logs to troubleshoot connectivity and authentication

A vulnerability in Graph Explorer (versions 1.1.0 to 3.0.1), an open-source tool used with Amazon Neptune, can cause the application to silently fall back from HTTPS to unencrypted HTTP when TLS certificates are unavailable. This means sensitive data, potentially including graph database queries and results, may be transmitted in cleartext without any visible warning. The issue is tracked as CVE-2026-10584 and requires an explicit upgrade to version 3.0.1 or later.

Architect’s Take: Audit any Graph Explorer deployments running versions 1.1.0 through 3.0.1 and upgrade to 3.0.1 immediately; additionally, enforce network-level controls (e.g. VPC security groups or WAF rules) to block plain HTTP traffic to Neptune endpoints as a defence-in-depth measure while patching is underway.

Original advisory: CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer

AWS has published guidance on identifying unused KMS encryption keys and protecting them from accidental deletion across large, multi-account environments. Orphaned or forgotten keys can inflate costs, create compliance gaps, and pose a risk if unexpectedly deleted — potentially making encrypted data permanently inaccessible. The post outlines tooling and processes to audit key usage and apply deletion safeguards at scale.

Architect’s Take: Implement regular KMS key usage audits using AWS CloudTrail and CloudWatch metrics, and ensure deletion windows and key policies are configured to prevent accidental removal — particularly in multi-account organisations where key ownership can become unclear over time.

Original advisory: Identify unused AWS KMS keys and prevent accidental key deletions

AWS Config now supports internal service linked rules, allowing AWS services like Security Hub CSPM to deploy and manage their own Config rule evaluations independently of customer-managed rules. Evaluation results are delivered directly to the originating AWS service at no additional charge to customers. This separation means AWS services can run compliance checks without interfering with customer-configured Config setups.

Architect’s Take: No immediate action is required, but architects should review their AWS Config cost models and compliance dashboards — internal service linked rules operate independently and won’t affect existing customer rules or recorders, so there is no risk of unintended interference. Take note that Security Hub CSPM will now leverage this mechanism, which may affect how you interpret Config rule counts and evaluation results in your environment.

Original advisory: AWS Config now supports internal service linked rules

AWS Deadline Cloud now supports persistent EBS volumes for Service-Managed Fleet workers, preserving software environments and assets across worker lifecycle events. Previously, workers used only ephemeral storage, meaning software had to be reinstalled on every recycle. This change reduces startup times and improves job throughput for compute-intensive rendering and simulation workloads.

Architect’s Take: Review IAM policies and EBS volume access controls to ensure persistent volumes cannot be accessed by unintended workers or principals across lifecycle boundaries. Consider enabling EBS encryption at rest for all SMF persistent volumes and validate that TTL policies are configured to minimise unnecessary data retention in line with your data classification requirements.

Original advisory: AWS Deadline Cloud now supports persistent storage for Service Managed Fleets

Amazon SageMaker Studio’s quick setup time has been reduced from over two minutes to under twenty seconds. New Studio environments now automatically receive a managed IAM policy granting serverless model customisation permissions, including fine-tuning, evaluation, and deployment to SageMaker or Bedrock endpoints. This reduces friction for ML practitioners but introduces pre-configured IAM permissions that security teams should review.

Architect’s Take: Review the scope of the automatically attached AmazonSageMakerModelCustomizationCoreAccess managed policy against your least-privilege baselines — auto-provisioned IAM policies with deployment permissions to Bedrock and SageMaker endpoints may exceed what individual users or teams require. Consider whether your landing zone or Service Control Policies should restrict or audit automatic policy attachment in SageMaker Studio environments.

Original advisory: Amazon SageMaker Studio now sets up in seconds with model customization ready from the start

AWS has published guidance on securing multi-tenant AI agent deployments using Amazon Bedrock AgentCore resource-based policies. SaaS providers can use these controls to isolate tenants, enforce VPC-only traffic for regulated workloads, and manage cross-account access — all from a shared infrastructure. This matters because poorly isolated multi-tenant AI systems can expose one customer’s data or capabilities to another.

Architect’s Take: If you are building or reviewing a multi-tenant SaaS platform on Bedrock AgentCore, implement resource-based policies now to enforce tenant isolation boundaries — pay particular attention to cross-account trust conditions and VPC endpoint restrictions to meet regulatory obligations such as UK GDPR and financial sector requirements.

Original advisory: Secure multi-tenant AI agents with Amazon Bedrock AgentCore resource-based policies

A vulnerability in AWS’s Kiro agentic IDE (versions prior to 0.11) allows remote unauthenticated attackers to write to execution-sensitive files such as .vscode/tasks.json, which can trigger automatic command execution when a folder is opened. The flaw stems from insufficient access control restrictions in the IDE’s file write tool. This is particularly concerning as it can be exploited via crafted instructions, potentially through AI agent interactions.

Architect’s Take: Ensure all developers using Kiro IDE have updated to version 0.11 or later immediately, and consider enforcing this via endpoint management tooling. Review developer workstation security policies to restrict auto-execution behaviours in IDE environments, particularly for AI-assisted or agentic tooling.

Original advisory: CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths