OpenAI’s GPT-5.4 model is now generally available on Amazon Bedrock within AWS GovCloud (US-West), extending access to government and regulated-industry customers. The deployment leverages Bedrock’s isolated inference infrastructure, ensuring prompts and responses remain within the customer’s AWS environment and are not used for model training. This expands the options available for sensitive workloads requiring complex reasoning and document analysis under strict compliance controls.

Architect’s Take: Evaluate data residency and access control policies before enabling GPT-5.4 for sensitive workloads — confirm that Bedrock resource policies, VPC endpoints, and CloudTrail logging are configured to meet your organisation’s compliance requirements, particularly if handling OFFICIAL-SENSITIVE or equivalent data in GovCloud.

Original advisory: OpenAI GPT-5.4 generally available on Amazon Bedrock in AWS GovCloud (US-West)

AWS Config has added support for nine new resource types spanning Amazon Bedrock, Bedrock AgentCore, and SageMaker. This means organisations can now track, audit, and enforce compliance rules against these resources automatically if they have enabled recording for all resource types. The expansion is particularly relevant as AI/ML workloads become a growing part of enterprise cloud environments.

Architect’s Take: Review your AWS Config recording settings to confirm these new resource types are being captured, and consider authoring or adapting Config rules to enforce security baselines — such as network isolation, encryption, and access controls — for the newly supported Bedrock and SageMaker resources before they proliferate across your environment.

Original advisory: AWS Config now supports 9 new resource types

AWS has published guidance on identifying unused KMS encryption keys and protecting them from accidental deletion across large, multi-account environments. Orphaned or forgotten keys can inflate costs, create compliance gaps, and pose a risk if unexpectedly deleted — potentially making encrypted data permanently inaccessible. The post outlines tooling and processes to audit key usage and apply deletion safeguards at scale.

Architect’s Take: Implement regular KMS key usage audits using AWS CloudTrail and CloudWatch metrics, and ensure deletion windows and key policies are configured to prevent accidental removal — particularly in multi-account organisations where key ownership can become unclear over time.

Original advisory: Identify unused AWS KMS keys and prevent accidental key deletions

AWS Config now supports internal service linked rules, allowing AWS services like Security Hub CSPM to deploy and manage their own Config rule evaluations independently of customer-managed rules. Evaluation results are delivered directly to the originating AWS service at no additional charge to customers. This separation means AWS services can run compliance checks without interfering with customer-configured Config setups.

Architect’s Take: No immediate action is required, but architects should review their AWS Config cost models and compliance dashboards — internal service linked rules operate independently and won’t affect existing customer rules or recorders, so there is no risk of unintended interference. Take note that Security Hub CSPM will now leverage this mechanism, which may affect how you interpret Config rule counts and evaluation results in your environment.

Original advisory: AWS Config now supports internal service linked rules