Aws

🟢 Low | Source: AWS What’s New Amazon SageMaker Unified Studio has added localisation support for twelve languages, allowing the interface to display in the user’s preferred language based on browser settings or manual selection. This is a usability enhancement with no direct security implications. It is available across all AWS regions where SageMaker Unified Studio is supported. Architect’s Take: No security action is required for this update. Architects should note that language localisation does not affect IAM permissions, domain configurations, or access controls — existing governance and access policies remain unchanged. ...

🟢 Low | Source: AWS What’s New AWS Config has added support for nine new resource types spanning Amazon Bedrock, Bedrock AgentCore, and SageMaker. This means organisations can now track, audit, and enforce compliance rules against these resources automatically if they have enabled recording for all resource types. The expansion is particularly relevant as AI/ML workloads become a growing part of enterprise cloud environments. Architect’s Take: Review your AWS Config recording settings to confirm these new resource types are being captured, and consider authoring or adapting Config rules to enforce security baselines — such as network isolation, encryption, and access controls — for the newly supported Bedrock and SageMaker resources before they proliferate across your environment. ...

🟢 Low | Source: AWS What’s New Amazon ECS Managed Instances now supports AWS Trainium and Inferentia AI accelerator instance types, allowing teams to run ML training and inference workloads without managing the underlying EC2 infrastructure. A single task per instance is automatically allocated all accelerator resources via a NEURON_CORE configuration in the task definition. This is a feature release rather than a security event, though it expands the attack surface for ECS-based AI workloads. ...

🟢 Low | Source: AWS What’s New AWS IoT Core has introduced two new CloudWatch log event types: Ping logs for MQTT Keep-alive messages and Connection.AuthNError logs for failed authentication attempts. These logs help operators identify devices struggling to maintain connections and quickly diagnose certificate or credential failures across IoT fleets. This is an observability improvement rather than a security fix, but it meaningfully strengthens the ability to detect and respond to authentication anomalies. ...

🟢 Low | Source: AWS What’s New AWS IoT Core has introduced two new CloudWatch log event types: Ping logs for MQTT keep-alive messages and Connection.AuthNError logs for failed authentication attempts. These additions give security and operations teams better visibility into device connectivity failures and credential or certificate issues across IoT fleets. This is a positive observability improvement rather than a vulnerability disclosure. Architect’s Take: Enable event-level logging in AWS IoT Core and opt into both new event types immediately — feed Connection.AuthNError logs into your SIEM or CloudWatch alarms to detect potential credential stuffing or certificate misconfiguration across your IoT fleet at scale. ...

🟠 High | Source: AWS Security Bulletins A vulnerability in Graph Explorer (versions 1.1.0 to 3.0.1), an open-source tool used with Amazon Neptune, can cause the application to silently fall back from HTTPS to unencrypted HTTP when TLS certificates are unavailable. This means sensitive data, potentially including graph database queries and results, may be transmitted in cleartext without any visible warning. The issue is tracked as CVE-2026-10584 and requires an explicit upgrade to version 3.0.1 or later. ...

🟡 Medium | Source: AWS Security Blog AWS has published guidance on identifying unused KMS encryption keys and protecting them from accidental deletion across large, multi-account environments. Orphaned or forgotten keys can inflate costs, create compliance gaps, and pose a risk if unexpectedly deleted — potentially making encrypted data permanently inaccessible. The post outlines tooling and processes to audit key usage and apply deletion safeguards at scale. Architect’s Take: Implement regular KMS key usage audits using AWS CloudTrail and CloudWatch metrics, and ensure deletion windows and key policies are configured to prevent accidental removal — particularly in multi-account organisations where key ownership can become unclear over time. ...

🟢 Low | Source: AWS What’s New AWS Config now supports internal service linked rules, allowing AWS services like Security Hub CSPM to deploy and manage their own Config rule evaluations independently of customer-managed rules. Evaluation results are delivered directly to the originating AWS service at no additional charge to customers. This separation means AWS services can run compliance checks without interfering with customer-configured Config setups. Architect’s Take: No immediate action is required, but architects should review their AWS Config cost models and compliance dashboards — internal service linked rules operate independently and won’t affect existing customer rules or recorders, so there is no risk of unintended interference. Take note that Security Hub CSPM will now leverage this mechanism, which may affect how you interpret Config rule counts and evaluation results in your environment. ...

🟢 Low | Source: AWS What’s New AWS Deadline Cloud now supports persistent EBS volumes for Service-Managed Fleet workers, preserving software environments and assets across worker lifecycle events. Previously, workers used only ephemeral storage, meaning software had to be reinstalled on every recycle. This change reduces startup times and improves job throughput for compute-intensive rendering and simulation workloads. Architect’s Take: Review IAM policies and EBS volume access controls to ensure persistent volumes cannot be accessed by unintended workers or principals across lifecycle boundaries. Consider enabling EBS encryption at rest for all SMF persistent volumes and validate that TTL policies are configured to minimise unnecessary data retention in line with your data classification requirements. ...

🟢 Low | Source: AWS What’s New Amazon SageMaker Studio’s quick setup time has been reduced from over two minutes to under twenty seconds. New Studio environments now automatically receive a managed IAM policy granting serverless model customisation permissions, including fine-tuning, evaluation, and deployment to SageMaker or Bedrock endpoints. This reduces friction for ML practitioners but introduces pre-configured IAM permissions that security teams should review. Architect’s Take: Review the scope of the automatically attached AmazonSageMakerModelCustomizationCoreAccess managed policy against your least-privilege baselines — auto-provisioned IAM policies with deployment permissions to Bedrock and SageMaker endpoints may exceed what individual users or teams require. Consider whether your landing zone or Service Control Policies should restrict or audit automatic policy attachment in SageMaker Studio environments. ...