Starting today, all AWS Directory Service for Microsoft AD (AWS Managed Microsoft AD) directories run on Windows functional level 2016. The upgrade to Windows functional level 2016 has been applied automatically to all existing AWS Managed Microsoft AD directories. The functional level upgrade includes enhanced authentication mechanisms and improved security for privileged access management, helping you better protect your Active Directory infrastructure in the cloud.
This upgrade provides LAPS (Local Administrator Password Solution), which helps you manage local administrator passwords on domain-joined computers by automatically generating unique, complex passwords and storing them securely in Active Directory.
This is enabled in all AWS Regions where AWS Managed Microsoft AD is available, except in the Middle East (UAE) and Middle East (Bahrain) Regions. To learn more, see the AWS Directory Service Administration Guide.
Starting today, AWS Managed Microsoft AD supports forwarding Kerberos encryption audit event logs (Event IDs 201–209) to Amazon CloudWatch Logs. These logs show which encryption types your applications and services negotiate, so you can identify which resources still use RC4 rather than AES. With that visibility you can decide whether to move clients to AES (recommended: RC4-HMAC is keyed directly from the account's NT hash, so tickets issued with it are far cheaper to crack offline than AES tickets) or keep RC4 support where your environment's compatibility requirements demand it.
To get started, navigate to your AWS Managed Microsoft AD directory Network and Security tab in the AWS Directory Service console and enable log forwarding to Amazon CloudWatch Logs. You can then review the Kerberos Encryption audit events to understand your current encryption settings. To learn more, see Enabling Amazon CloudWatch Logs log forwarding for AWS Managed Microsoft AD.
This feature is available in all AWS Regions where AWS Managed Microsoft AD is available, except in the Middle East (UAE) and Middle East (Bahrain) Regions.
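The detection step the announcement describes, as an added example that is not part of the original post or of any AWS tool: a small Python summariser that reads forwarded KDC audit lines, keeps only Event IDs 201–209, buckets the negotiated encryption type by its RFC 3961/4757 etype number, and reports which client and service principals still negotiate RC4 (it also flags DES, which goes a step beyond the RC4-versus-AES framing in the text). The line layout (`EventID=`, `Client=`, `Service=`, `EType=` fields) and the sample lines are constructed assumptions; adapt the regex to the field layout your CloudWatch export actually produces.

```python
import re
from collections import Counter

# Kerberos encryption type (etype) numbers as assigned in RFC 3961 and RFC 4757.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}
AES_ETYPES = {17, 18}
LEGACY_ETYPES = {1, 3, 23, 24}  # RC4 and DES: schedule these for removal

# ASSUMED line shape for a forwarded event; real exports carry the Windows event
# fields in whatever layout the forwarder emits, so adjust this regex to match.
LINE_RE = re.compile(
    r"EventID=(?P<event_id>\d+)\s+Client=(?P<client>\S+)\s+"
    r"Service=(?P<service>\S+)\s+EType=(?P<etype>-?\d+)"
)

def parse_line(line):
    """Extract event id, client principal, service principal and etype, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["etype"] = int(rec["etype"])
    return rec

def classify(etype):
    """Bucket an etype as 'aes', 'legacy' (RC4/DES) or 'other' (unrecognised)."""
    if etype in AES_ETYPES:
        return "aes"
    if etype in LEGACY_ETYPES:
        return "legacy"
    return "other"

def summarize(lines):
    """Count etype classes over audit events 201-209 and list who still negotiates legacy etypes."""
    totals = Counter()
    legacy_etypes = Counter()
    legacy_clients = Counter()
    legacy_services = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 201 <= rec["event_id"] <= 209:
            skipped += 1  # unparseable, or not one of the encryption audit events
            continue
        cls = classify(rec["etype"])
        totals[cls] += 1
        if cls == "legacy":
            legacy_etypes[ETYPE_NAMES.get(rec["etype"], str(rec["etype"]))] += 1
            legacy_clients[rec["client"]] += 1
            legacy_services[rec["service"]] += 1
    return {
        "totals": dict(totals),
        "legacy_etypes": dict(legacy_etypes),
        "legacy_clients": dict(legacy_clients),
        "legacy_services": dict(legacy_services),
        "skipped": skipped,
    }

# Constructed sample lines in the assumed shape; not real exported events.
SAMPLE_LOG = [
    "2026-04-20T10:00:01Z EventID=201 Client=app01$@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE EType=18",
    "2026-04-20T10:00:02Z EventID=203 Client=legacyapp$@CORP.EXAMPLE Service=MSSQLSvc/db01.corp.example:1433 EType=23",
    "2026-04-20T10:00:03Z EventID=201 Client=legacyapp$@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE EType=23",
    "2026-04-20T10:00:04Z EventID=205 Client=app01$@CORP.EXAMPLE Service=HTTP/web.corp.example EType=17",
    "2026-04-20T10:00:05Z EventID=4768 Client=app02$@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE EType=18",
    "2026-04-20T10:00:06Z heartbeat from forwarder, no Kerberos fields",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for principal, n in sorted(report["legacy_clients"].items()):
        print(f"{principal}: {n} legacy-etype event(s); move this account to AES")
```

Run it against a day of exported lines and work the `legacy_clients` list first: each entry is an account whose password must be reset after AES keys are enabled for it, since AES keys are only derived on the next password change.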
AWS Transform now supports landing zone creation directly within migration workflows, delivering a secure, multi-account AWS environment tailored to your migration needs. By consolidating orchestration into AWS Transform, it automates the setup that previously required configuration across AWS Control Tower, AWS Organizations and AWS Identity and Access Management, accelerating migration readiness with a ready-to-deploy target environment. This new capability extends the end-to-end automation that AWS Transform provides across the migration lifecycle from discovery and migration planning to network and server migration, so that preparing the target environment is no longer a separate workstream.
Whether starting from scratch or extending an existing AWS organization, AWS Transform aligns landing zone foundations with AWS best practices, recommending optimal account structures based on migration data and business requirements. Customers can customize Organizational Unit (OU) hierarchies, accounts, and Service Control Policies (SCPs), then choose between agent-managed deployment or generating Infrastructure as Code templates, downloadable in CloudFormation, AWS CDK, or Landing Zone Accelerator (LZA) format, for self-deployment.
The landing zone creation capability is now available in AWS Transform across all supported target regions.
To learn more, visit the AWS Transform User Guide.
Amazon Connect now enables you to automatically pass customer context to personalize self-service experiences from the moment a call connects. When a customer initiates a call from a website, mobile app, or notification link, you can automatically pass context, such as customer IDs, session references, and campaign codes, into the call. AI agents use this context to recognize the caller, understand the reason for the call, take action, and resolve issues without requiring callers to re-identify themselves or repeat why they are calling.
To learn more about these features, see the Amazon Connect Administrator Guide. These features are available in all AWS regions where Amazon Connect is available.
Amazon S3 Express One Zone, a high-performance S3 storage class for latency-sensitive applications, now supports S3 Inventory. S3 Inventory provides a scheduled alternative to S3's synchronous List API. You can configure S3 Inventory to generate reports on a daily or weekly basis that list your stored objects within an S3 directory bucket or with a specific prefix, and their respective metadata and encryption status. You can simplify and speed up business workflows and big data jobs with S3 Inventory, and verify encryption status of your objects to meet business, compliance, and regulatory needs.
You can use the AWS CLI, AWS SDKs, or S3 API to configure a daily or weekly inventory report for all the objects within your S3 directory bucket or a subset of the objects under a shared prefix. As part of the configuration, you can specify a destination S3 bucket for your S3 Inventory report, the output file format (CSV, ORC, or Parquet), and specific object metadata necessary for your business application, such as object name, size, last modified date, storage class, multipart upload flag, and encryption status.
S3 Inventory for S3 Express One Zone is available in all AWS Regions where the storage class is available. For pricing information, visit the S3 pricing page. To learn more, visit the S3 Inventory documentation.
Amazon MSK Replicator now delivers replicator logs to give you end-to-end visibility into replication health. Replicator logs surface critical replication events and errors along with guidance on how to resolve each issue, enabling you to troubleshoot faster without requiring AWS Support.
MSK Replicator is a feature of Amazon MSK that automates data replication between Kafka clusters, eliminating the need to manage custom replication infrastructure or configure open-source tools. Until now, you could use Amazon CloudWatch metrics to track replication progress and get visibility into replication health. With this launch, MSK Replicator further simplifies diagnosing issues during replication with actionable log entries that surface the most common replication errors including insufficient permissions on source topics, partition quota exhaustion on target clusters, and records exceeding size limits, along with prescriptive guidance on how to resolve each issue. MSK Replicator also logs steady-state replication activity including offset commits, topic discovery events, and any errors or warnings from Kafka clients used internally by the replicator, giving you end-to-end visibility into replication health. You can enable log delivery when creating or updating a Replicator using the Amazon MSK console, AWS CLI, or AWS CloudFormation and forward logs to Amazon CloudWatch, Amazon S3, or Amazon Data Firehose.
This capability is supported in all AWS Regions where MSK Replicator is available. Log delivery costs depend on the destination service you choose; refer to the pricing pages for Amazon CloudWatch, Amazon S3, and Amazon Data Firehose.
To learn more, visit the MSK Replicator documentation, and product page.
Amazon MSK Replicator now provides enhanced consumer offset synchronization for bidirectional replication, enabling applications to resume processing from the correct position when moving across Kafka clusters. This capability enables you to move producer and consumer applications between clusters independently, in any order, without the risk of data loss.
MSK Replicator is a feature of Amazon MSK that automates data replication between Kafka clusters, eliminating the need to manage custom replication infrastructure or configure open-source tools. Previously, while replicating bidirectionally with MSK Replicator, consumer group offsets were synchronized only when producers and consumers were active on the same cluster, requiring careful sequencing of application migrations between clusters and increasing the risk of duplicate message processing during rollbacks. With this launch, MSK Replicator synchronizes consumer group offsets across source and target clusters regardless of where producers are running, enabling applications to move between clusters without coordination constraints or data duplication risks.
You can enable enhanced consumer offset synchronization when creating a Replicator using the Amazon MSK console, AWS CLI, or AWS CloudFormation. This capability is supported in all AWS Regions where MSK Replicator is available.
To learn more, visit the MSK Replicator documentation, product page, pricing page, and this AWS blog post.
Amazon MSK Replicator now supports data replication from external Apache Kafka clusters—including on-premises, self-managed on AWS, or other cloud providers—to Amazon MSK Express brokers. This capability simplifies workload migration to MSK Express Brokers, supports disaster recovery by using MSK Express-based clusters as a failover or backup target, and enables data distribution across hybrid and multi-cloud environments.
MSK Replicator is a feature of Amazon MSK that automates data replication between Kafka clusters, eliminating the need to manage custom replication infrastructure or configure open-source tools. MSK Express brokers are designed to deliver up to 3 times more throughput per broker, scale up to 20 times faster, and reduce recovery time by 90 percent as compared to Standard brokers running Apache Kafka. With this launch, you can now use MSK Replicator to replicate data from external Kafka clusters to Express brokers on Amazon MSK. You can also use MSK Replicator to replicate data from Amazon MSK Express to external Kafka clusters for reliable failback or multi-cloud data distribution. Unlike self-managed replication tools, MSK Replicator lets you retain your original Kafka topic names during replication while automatically avoiding infinite replication loops. It also synchronizes consumer group offsets bidirectionally, enabling you to move producers and consumers across clusters independently, in any order, without coordination constraints or the risk of data loss.
This new capability is supported in all AWS Regions where MSK Express brokers are available.
Watch a demo on YouTube to see it in action, or visit the MSK Replicator documentation, product page, pricing page, and this AWS blog post to learn more.
Amazon CloudWatch Logs Insights introduces JOIN and sub-query commands to the Logs Insights query language to accelerate log analysis. Customers who need to analyze logs across multiple log groups or correlate data from different sources no longer need to run multiple queries and manually combine the results.
With JOIN and sub-query commands, you can accelerate troubleshooting across scenarios such as correlating application and infrastructure errors across different services and log groups, analyzing security events across multiple services, or tracking user sessions across distributed systems. For example, you can use a sub-query to identify services with more than 20 errors in the last day, then use JOIN to correlate those results with performance data from a different log group to calculate average response times, helping you prioritize which high-error services also have the worst performance impact — all in a single query.
JOIN and sub-query commands are available today in all commercial AWS Regions. To learn more, see the Amazon CloudWatch Logs documentation.
Amazon Connect Outbound Campaigns now allows you to refresh campaign segments as frequently as every hour, reduced from the previous minimum of 24 hours. This enables campaigns to reach newly eligible customers throughout the day rather than waiting for the next daily run.
With hourly segment refresh, your campaigns stay current with changing business conditions across all campaign types. A collections team can start outreach to newly delinquent accounts the same afternoon they are flagged. A healthcare provider can begin appointment reminder calls within an hour of a new booking. A multi-step journey, such as sending an SMS reminder followed by a voice call if the customer doesn't respond, can enroll new customers throughout the day instead of in a single daily batch.
This capability is available at no additional cost in all AWS Regions where Amazon Connect Outbound Campaigns is offered. To get started, enable the Refresh option in your campaign configuration in the Amazon Connect console or via the API. To learn more, see the Amazon Connect outbound campaign documentation.
Amazon Elastic Kubernetes Service (EKS) now supports seven additional IAM condition keys for cluster creation and configuration APIs, enhancing the governance controls available through IAM policies and Service Control Policies (SCPs). Organizations managing multi-account environments require centralized mechanisms to enforce security and compliance requirements consistently across all clusters without relying on manual processes or post-deployment checks. This expansion of EKS IAM condition keys further enables proactive policy enforcement, providing organizations with more granular control to establish guardrails for cluster configurations.
Organizations can now enforce private-only API endpoints (eks:endpointPublicAccess, eks:endpointPrivateAccess), require customer-managed AWS KMS keys for secrets encryption (eks:encryptionConfigProviderKeyArns), restrict clusters to approved Kubernetes versions (eks:kubernetesVersion), mandate deletion protection for production workloads (eks:deletionProtection), specify control plane scaling tiers (eks:controlPlaneScalingTier), and enable zonal shift capabilities for high availability (eks:zonalShiftEnabled). These condition keys apply to CreateCluster, UpdateClusterConfig, UpdateClusterVersion, and AssociateEncryptionConfig APIs, integrating seamlessly with AWS Organizations SCPs for centralized governance across accounts.
The new IAM condition keys are available in all AWS Regions where Amazon EKS is available at no additional charge. To learn more about Amazon EKS IAM condition keys, see the Amazon EKS User Guide and the Service Authorization Reference for Amazon EKS. For information about implementing Service Control Policies, see the AWS Organizations documentation.
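An SCP that uses three of the new keys, as an added example that is not part of the announcement or of AWS documentation, together with a deliberately simplified stand-in for IAM's condition evaluation so the policy can be sanity-checked against sample CreateCluster request contexts offline. The condition key names are the ones listed above; the operators applied to them (Bool for eks:endpointPublicAccess, Null and ForAnyValue:ArnNotLike for eks:encryptionConfigProviderKeyArns), the multi-valued treatment of the key ARNs, and the 111122223333 security-account placeholder are assumptions to confirm in the Service Authorization Reference before deploying. The evaluator models only the operators the policy uses and is not IAM.

```python
import fnmatch
import json

# Example SCP (added here; condition key names from the announcement, operators,
# value types and the 111122223333 security-account id are ASSUMPTIONS). Denies
# public API endpoints, secrets keys outside the security account, and cluster
# creation without a secrets-encryption key at all.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyPublicApiEndpoint", "Effect": "Deny",
     "Action": ["eks:CreateCluster", "eks:UpdateClusterConfig"], "Resource": "*",
     "Condition": {"Bool": {"eks:endpointPublicAccess": "true"}}},
    {"Sid": "DenyUnapprovedSecretsKey", "Effect": "Deny",
     "Action": ["eks:CreateCluster", "eks:AssociateEncryptionConfig"], "Resource": "*",
     "Condition": {"ForAnyValue:ArnNotLike":
       {"eks:encryptionConfigProviderKeyArns": "arn:aws:kms:*:111122223333:key/*"}}},
    {"Sid": "RequireSecretsEncryptionAtCreate", "Effect": "Deny",
     "Action": "eks:CreateCluster", "Resource": "*",
     "Condition": {"Null": {"eks:encryptionConfigProviderKeyArns": "true"}}}
  ]
}
""")

def _as_list(v):
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple)) else [v]

def _condition_matches(condition, ctx):
    """Simplified IAM condition logic: every operator/key pair must match (AND).
    Only the operators used in SCP above are modelled; this is not IAM."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            values = _as_list(ctx.get(key))
            if op == "Bool":
                # A missing key never satisfies Bool.
                if not values or str(values[0]).lower() != str(expected).lower():
                    return False
            elif op == "Null":
                want_absent = str(expected).lower() == "true"
                if (len(values) == 0) != want_absent:
                    return False
            elif op == "ForAnyValue:ArnNotLike":
                patterns = _as_list(expected)
                # Matches if at least one request value fits none of the patterns;
                # a missing key supplies no values, so ForAnyValue is false.
                offending = [v for v in values
                             if not any(fnmatch.fnmatchcase(v, p) for p in patterns)]
                if not offending:
                    return False
            else:
                raise NotImplementedError(f"operator {op} not modelled here")
    return True

def denied_by(action, ctx, policy=SCP):
    """Return the Sid of the first Deny statement matching this request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None

# Constructed request contexts: the values the condition keys would carry.
APPROVED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/1234abcd-12ab-34cd-56ef-1234567890ab"
PUBLIC_CLUSTER = {"eks:endpointPublicAccess": "true", "eks:endpointPrivateAccess": "true",
                  "eks:encryptionConfigProviderKeyArns": [APPROVED_KEY]}
WRONG_KEY_CLUSTER = {"eks:endpointPublicAccess": "false", "eks:endpointPrivateAccess": "true",
                     "eks:encryptionConfigProviderKeyArns": [FOREIGN_KEY]}
NO_ENCRYPTION_CLUSTER = {"eks:endpointPublicAccess": "false", "eks:endpointPrivateAccess": "true"}
COMPLIANT_CLUSTER = {"eks:endpointPublicAccess": "false", "eks:endpointPrivateAccess": "true",
                     "eks:encryptionConfigProviderKeyArns": [APPROVED_KEY]}

if __name__ == "__main__":
    for name, ctx in [("public", PUBLIC_CLUSTER), ("foreign key", WRONG_KEY_CLUSTER),
                      ("no encryption", NO_ENCRYPTION_CLUSTER), ("compliant", COMPLIANT_CLUSTER)]:
        print(f"{name:14s} CreateCluster -> {denied_by('eks:CreateCluster', ctx) or 'not denied by SCP'}")
```

The third statement is the one people forget: a ForAnyValue/ArnNotLike deny cannot fire on a request that carries no key at all, so "only approved keys" needs a separate Null check to also mean "a key is required". Note that the SCP is deny-only; a request that passes it still needs an Allow from the caller's IAM policy.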
Amazon DocumentDB (with MongoDB compatibility) supports in-place major version upgrade (MVU) from version 5.0 to 8.0. You can upgrade with just a few clicks in the AWS Management Console or via the AWS SDK or AWS CLI — no new clusters, no endpoint changes, and no index rebuilds required.
Upgrading to version 8.0 delivers performance and cost improvements: query latency improves by up to 7x and storage compression improves by up to 5x, so your applications run faster on less storage, reducing your costs. Version 8.0 also adds new capabilities including collation, views, new aggregation stages and operators, enhanced text search with text index v2, and vector index builds that are up to 30x faster.
In-place MVU from version 5.0 to 8.0 is available in all AWS Regions where Amazon DocumentDB 8.0 is available, at no additional cost.
To get started, see the in-place MVU documentation. To learn more about Amazon DocumentDB 8.0, visit the documentation.
AWS IoT Greengrass v2.17 is now available, enabling you to run the edge runtime as a non-root user on Linux systems and deploy lighter-weight components that use significantly less memory. AWS IoT Greengrass is an Internet of Things (IoT) edge runtime and cloud service that helps customers build, deploy, and manage device software at the edge. With this release, you can install and run AWS IoT Greengrass v2.17 as a non-root user, making it easy for you to meet security requirements in enterprise and regulated environments where root access is prohibited. The release also adds an uninstall life cycle capability that automatically activates when you remove a component from a device, simplifying dependency management.
Moreover, the release introduces the following new nucleus lite capabilities to reduce resource consumption at the edge:
AWS IoT Greengrass v2.17 is available in all AWS Regions where AWS IoT Greengrass is offered. To learn more about AWS IoT Greengrass v2.17 and its new features, visit the AWS IoT Greengrass documentation. Follow the Getting Started guide for a quick introduction to AWS IoT Greengrass.
Amazon Connect now expands agentic voice speech-to-speech experiences to three additional AWS Regions: Asia Pacific (Seoul), Asia Pacific (Singapore), and Europe (Frankfurt), along with new locales including Australian English, British English, Singaporean English, Spanish, French, German, Italian, and Korean. With these updates, you can deliver natural, human-like voice AI experiences to a broader range of customers across more regions and languages.
Amazon Connect's agentic self-service capabilities enable AI agents to understand, reason, and take action across voice and messaging channels to automate routine and complex service tasks. Connect's agentic speech-to-speech voice AI agents understand not only what your customers say but how they say it, adapting voice responses to match tone and sentiment while maintaining natural conversational pace.
To learn more about this feature, see the Amazon Connect Administrator Guide. To learn more about Amazon Connect, AWS’s AI-native customer experience solution, visit the Amazon Connect website.
Today, we're announcing that Amazon Elastic VMware Service (Amazon EVS) now offers Microsoft Windows Server licensing entitlements. You can now migrate or create new virtual machines (VMs) running Windows Server OS in EVS and obtain Windows Server licensing entitlements for those VMs from AWS.
Amazon EVS lets you run VMware Cloud Foundation (VCF) directly within your Amazon Virtual Private Cloud (VPC) on EC2 bare-metal instances, powered by AWS Nitro. Using either our step-by-step configuration workflow or the AWS Command Line Interface (CLI), you can set up a complete VCF environment in just a few hours. This rapid deployment enables faster workload migration to AWS, helping you eliminate aging infrastructure, reduce operational risks, and meet critical timelines for exiting your data center.
With this latest functionality, you can now entitle your Windows Server VMs on Amazon EVS with Microsoft Windows Server. You configure an EVS connector to your VMware vCenter Server and provide the VM IDs of the Windows Server VMs you want to entitle, through the Amazon EVS console or AWS CLI. Pay only for what your VMs use, on a per-vCPU-hour basis, and add or remove entitlement for your VMs at any time, giving you flexibility to manage costs as your environment evolves. This release provides greater flexibility when migrating to AWS, helping you meet critical data center exit timelines while keeping your familiar VMware environment.
This feature is available in all AWS Regions where Amazon EVS is available.
For more details, read the step-by-step walkthrough in the blog post, and visit the Amazon EVS product detail page and user guide to learn more about Amazon EVS.
Amazon Elastic Block Store (Amazon EBS) now supports up to four Elastic Volumes modifications per volume within a rolling 24-hour window in the AWS European Sovereign Cloud (Germany) Region. Elastic Volumes modifications allow you to increase the size, change the type, and adjust the performance of your EBS volumes. With this update, you can start a new modification immediately after the previous one completes, as long as you have initiated fewer than four modifications in the past 24 hours.
This enhancement improves your operational agility to immediately scale storage capacity or adjust performance in response to sudden data growth or unanticipated workload spikes. With Elastic Volumes modifications, you can modify your volumes without detaching them or restarting your instances, allowing your application to continue running with minimal performance impact.
The Elastic Volumes modifications enhancement is automatically available in the Region without requiring changes to your existing workflows. To learn more, see Modify an Amazon EBS volume using Elastic Volumes operations in the Amazon EBS User Guide.
Claude Opus 4.7 arrives in Amazon Bedrock with improved agentic coding and a 1M token context window. AWS Interconnect reaches general availability with multicloud private connectivity and a new last-mile option. Plus, post-quantum TLS for Secrets Manager, new C8in/C8ib EC2 instances, and more.
If you have used Kiro CLI, you know the routine: run kiro-cli login, a browser opens, and authentication runs. That is fine when you are working locally, but it does not work where no browser can be opened. Automated processes such as CI/CD pipelines, cron jobs and container builds cannot open a browser at all. Headless mode is for exactly these situations: generate an API key, set it in an environment variable, and Kiro CLI runs without a browser. This article explains how headless mode works and, as a concrete use case, shows how to build a code review that runs automatically in GitHub Actions on every push.
Introduction: At AWS, we advocate a new methodology called the AI-Driven Development Lifecycle (AI-DLC). A […]
Anthropic's latest model, Claude Opus 4.7, is rolling out to the Kiro IDE and CLI. A direct upgrade from Opus 4.6, it improves coding performance on complex, long-running tasks and supports multi-step implementations that span multiple files and tools, with self-verification. It pairs well with Kiro's spec-driven development, enabling high-fidelity implementation in large codebases.
On April 16, 2026, we announced Claude Opus 4.7 in Amazon Bedrock […]
This article shows how to use the additional storage volume feature of Amazon RDS for SQL Server to address these common challenges, and walks through how to implement six key use cases: expanding capacity beyond 64 TiB with additional storage volumes, managing temporary storage dynamically, improving performance with customized IOPS settings, reducing cost by choosing a storage class, isolating the transaction log, and implementing multi-tenant storage isolation.
This post explores how Dutchie successfully navigated the challenges of migrating mission-critical workloads to Amazon RDS for SQL Server ahead of the 4/20 week of 2025.
General availability of AWS Interconnect - last mile and multicloud; Amazon Redshift introduces Top-K query performance optimization; Amazon OpenSearch Serverless supports storage optimization with derived sources; EBS performance doubled on Amazon EC2 C8gn/M8gn/R8gn instances; AWS Secrets Manager adds support for hybrid post-quantum TLS; AWS Transform available in Kiro and VS Code; Claude Opus 4.7 available in Amazon Bedrock; Amazon EC2 C8in and C8ib instances generally available; Amazon Quick supports sheet tooltips and multi-account sign-in; and more.
On Tuesday, April 14, 2025, we held the webinar "Getting Started with AWS Container Services", covering the fundamentals of container services. The session ranged from the basics, such as why containers are needed and the lineup of AWS container services and how to choose between them, to building and operating container environments with generative AI and new ECS/EKS features. 170 people registered and 131 attended on the day.
This article is a translation of Serverless ICYMI Q4 2025, published on January 30, 2026 […]
This article is a translation of Build high-performance apps, published on March 30, 2026 […]
AWS DevOps Agent is a 24/7 operations team member that handles incident response, application optimization and SRE tasks across AWS, multi-cloud and on-premises environments. It can be extended with MCP tools and integrations, and can reach internal resources such as private registries and GitHub Enterprise. Many such services, however, run inside a VPC and are not reachable over the public internet. The private connectivity feature lets you connect an Agent Space to services inside your VPC without exposing them to the internet, and supports any private endpoint, including MCP servers, Grafana and Splunk. This article explains how it works and walks through the setup.
Important: As of January 1, 2025, Client SDK 3 tools (CMU and KMU) are no longer supported. This guide has been updated to use Client SDK 5 commands exclusively. Ensure you’re using the latest Client SDK 5 version (5.17 or later) for the most recent features and security improvements. You can use AWS CloudHSM to […]
Bulletin ID: 2026-017-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/04/20 12:45 PM PDT
Description:
AWS Encryption SDK (ESDK) for Python is a client-side encryption library. We identified CVE-2026-6550, a key commitment policy bypass via a shared key cache.
Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.
Impacted versions:
- From 2.0 to 2.5.1
- From 3.0 to 3.3.0
- From 4.0 to 4.0.4
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
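The first thing a practitioner wants from this bulletin is to know whether a given deployment sits inside the impacted ranges. As an added example that is not part of the bulletin, the following Python compares an installed aws-encryption-sdk version, or every pin found in pip freeze output, against the three inclusive ranges above, comparing versions as integer tuples rather than strings (a string comparison would wrongly rank 3.10.0 below 3.3.1). The sample freeze listing is constructed. The "upgrade to" target for the 2.x line, which the bulletin lists as impacted without naming a fixed 2.x release, is this editor's reading of "before version 3.3.1": move to the nearest fixed line. Confirm the targets against the linked article before acting.

```python
import re

# Inclusive impacted ranges copied from bulletin 2026-017-AWS, and the first
# fixed release on each line that has one. The 2.x line lists no fixed release,
# so an install on it is pointed at the lowest fixed line (editor's reading of
# "before 3.3.1 and before 4.0.5"; confirm against the bulletin).
IMPACTED_RANGES = (((2, 0, 0), (2, 5, 1)), ((3, 0, 0), (3, 3, 0)), ((4, 0, 0), (4, 0, 4)))
FIRST_FIXED = {3: (3, 3, 1), 4: (4, 0, 5)}

def parse_version(text):
    """'3.3.1' -> (3, 3, 1). Pre-release tags (rc1, dev0, ...) are ignored here,
    so treat a pre-release of a fixed version as not yet fixed."""
    m = re.fullmatch(
        r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.\-]?(?:a|b|rc|dev|post)\d*)?\s*",
        text, re.IGNORECASE)
    if m is None:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def assess(version):
    """Classify one installed aws-encryption-sdk version against the bulletin."""
    v = parse_version(version)
    for low, high in IMPACTED_RANGES:
        if low <= v <= high:
            fixed = FIRST_FIXED.get(v[0], FIRST_FIXED[min(FIRST_FIXED)])
            return {"version": version, "affected": True,
                    "upgrade_to": ".".join(str(p) for p in fixed)}
    # Not inside any listed range: either already fixed or not listed as impacted.
    return {"version": version, "affected": False, "upgrade_to": None}

def check_freeze(freeze_text):
    """Scan 'pip freeze' style output and assess every pin of the SDK found."""
    findings = []
    for line in freeze_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.\-]+)\s*==\s*(\S+)", line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")  # pip normalises names this way
        if name == "aws-encryption-sdk":
            findings.append(assess(m.group(2)))
    return findings

# Constructed sample; not from a real environment.
SAMPLE_FREEZE = """\
boto3==1.37.0
aws_encryption_sdk==3.3.0
cryptography==44.0.0
"""

if __name__ == "__main__":
    for f in check_freeze(SAMPLE_FREEZE):
        state = f"affected, upgrade to {f['upgrade_to']}" if f["affected"] else "not in an impacted range"
        print(f"aws-encryption-sdk {f['version']}: {state}")
```

Feed it the real output of pip freeze from every environment that decrypts ESDK ciphertext, including Lambda layers and container images, since the bypass concerns the decrypt-side commitment policy.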
In this post, we'll show you how to build a complete omnichannel ordering system using Amazon Bedrock AgentCore, an agentic platform, to build, deploy, and operate highly effective AI agents securely at scale using any framework and foundation model and Amazon Nova 2 Sonic.
You can use ToolSimulator, an LLM-powered tool simulation framework within Strands Evals, to thoroughly and safely test AI agents that rely on external tools, at scale. Instead of risking live API calls that expose personally identifiable information (PII) or trigger unintended actions, or settling for static mocks that break with multi-turn workflows, you can use ToolSimulator's large language model (LLM)-powered simulations to validate your agents. Available today as part of the Strands Evals Software Development Kit (SDK), ToolSimulator helps you catch integration bugs early, test edge cases comprehensively, and ship production-ready agents with confidence.
Today, we are thrilled to announce the availability of G7e instances powered by NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs on Amazon SageMaker AI. You can provision instances with 1, 2, 4, or 8 RTX PRO 6000 GPUs, each GPU providing 96 GB of GDDR7 memory. This launch lets you host powerful open source foundation models (FMs) such as GPT-OSS-120B, Nemotron-3-Super-120B-A12B (NVFP4 variant), and Qwen3.5-35B-A3B on a single-GPU G7e.2xlarge instance, offering organizations a cost-effective and high-performing option.