この日は生成 AI とエージェント関連の発表が目立ちました。Amazon Bedrock Guardrails の Automated Reasoning checks に新たなポリシー改善ワークフローが追加され、Bedrock AgentCore Memory はクロスアカウントアクセスに対応。機械学習ブログでは AgentCore を用いたタンパク質研究コパイロットやマルチテナント構成が紹介されました。セキュリティ面では Amazon GuardDuty の AI 駆動調査がプレビュー提供され、Amazon Cognito が顧客管理キーによる保存時暗号化をサポート。Language Servers for AWS と Amazon Q Developer プラグインの脆弱性(CVE-2026-12957/12958)も公表されました。運用系では CloudWatch のシスログ取り込み、EKS 向け OTel Container Insights、ダッシュボードのタグ付けが登場。ElastiCache は Valkey 9.1 に、Neptune はグローバルデータベースの CloudFormation 対応、EC2 High Memory U7in-24TB がソウルリージョンで利用可能になりました。日本語ブログでは AWS Summit Japan 2026 のブース紹介や NY Summit の週間まとめが掲載されました。
生成 AI/エージェント: Bedrock Guardrails のポリシー改善ワークフロー、AgentCore Memory のクロスアカウント対応、AgentCore 活用の研究・マルチテナント事例
セキュリティ: GuardDuty の AI 駆動調査プレビュー、Cognito の顧客管理キー暗号化、Language Servers for AWS/Amazon Q の脆弱性公表
オブザーバビリティ: CloudWatch のシスログ取り込み、EKS 向け OTel Container Insights、ダッシュボードのタグ付け
データベース/コンピュート: ElastiCache Valkey 9.1、Neptune グローバル DB の CloudFormation 対応、EC2 U7in-24TB のソウル提供
AWS Summit Japan 2026: ソフトウェア定義型ファクトリーや製品設計開発、Physical AI などのブース紹介
CloudWatch OTel Container Insights for Amazon EKS collects infrastructure metrics at 30-second granularity using open-source receivers including cAdvisor, Kube State Metrics, and NVIDIA DCGM. Each metric carries OpenTelemetry semantic conventions and Kubernetes labels, making it straightforward to correlate across nodes, pods, and workloads in a single PromQL query.
Pre-built dashboards give you immediate visibility into cluster health, node performance, and pod-level resource usage. The CloudWatch PromQL endpoint lets you connect existing Prometheus and Grafana dashboards directly to CloudWatch.
Enable it from the EKS console or via the CloudWatch Observability add-on (v6.2.0+), Helm, or CloudFormation.
Available in all commercial AWS Regions except Middle East (UAE), Middle East (Bahrain), and Israel (Tel Aviv). For pricing details, see the Amazon CloudWatch pricing page. To get started, see the OTel Container Insights documentation.
Today, AWS announces new automated refinement workflows for Automated Reasoning checks in Amazon Bedrock Guardrails. Automated Reasoning checks use formal logic to mathematically validate the accuracy of generative AI responses against a policy you define, helping detect hallucinations and provide verifiable explanations. The quality of validation results depends on how well a policy is defined. The new workflows help customers improve their policies with less manual effort, leading to more reliable Guardrail validation results.
The launch introduces two refinement workflows. With the iterative policy improvement workflow, customers who have created natural language tests for a policy can start an iterative refinement run, letting the system deduce the changes needed for the policy to pass those tests. With the ambiguity reduction workflow, customers who frequently encounter ambiguous translation results can run the resolve policy ambiguities workflow to automatically refine variable descriptions and type definitions, reducing how often ambiguous translations occur. Both workflows are available through the Amazon Bedrock APIs and in the AWS Management Console, where customers can start a workflow by choosing Refine policy on the policy page.
These workflows are available in all AWS Regions where Automated Reasoning checks in Amazon Bedrock Guardrails are available. To learn more, visit the Amazon Bedrock Guardrails product page and the Automated Reasoning checks User Guide.
Amazon Cognito now supports customer managed keys in AWS Key Management Service (KMS) for encrypting user pool data at rest. While AWS owned keys are used by default to protect your data, customer managed keys give you full control over the encryption keys, helping you achieve your organization's data governance objectives.
With customer managed keys, you can define organizational policies and revoke access to encrypted data by disabling or deleting your key. You create and manage the customer managed key lifecycle and usage permissions in AWS KMS. You can configure a customer managed key when creating a new user pool or update an existing user pool to use one. You can also use AWS CloudTrail to monitor and audit all usage of your customer managed keys, giving you visibility into when and how your identity data is accessed.
Customer managed keys are available in user pools in Essentials and Plus tiers at no additional costs. Standard AWS KMS charges apply. To get started, configure your customer managed keys using the AWS Management Console, AWS CLI, or AWS SDKs. Visit the developer guide for instructions.
AWS HealthOmics adds ephemeral storage for private workflows, giving bioinformatics workloads dedicated scratch space that delivers more consistent run performance and lower costs. Each workflow task now receives a dedicated local volume mounted at /tmp, and workflows that generate significant scratch data, such as genomic sequence alignment, BAM sorting, and variant calling, can experience faster run times. AWS HealthOmics is a HIPAA-eligible service that helps healthcare and life sciences customers accelerate scientific breakthroughs with fully managed bioinformatics workflows.
With this launch, workflow tasks can write temporary data to their own local volume, keeping scratch I/O isolated from shared run storage that hosts the working directory. By default, each task includes 16 GiB of ephemeral storage at no additional charge. You can increase the amount of ephemeral storage allocated to individual tasks, up to a maximum of 3,072 GiB per task, using the appropriate directive in your WDL, Nextflow, or CWL workflow definition. You can enable ephemeral storage at runtime with the StartRun API. All ephemeral storage volumes are encrypted and deleted when a task terminates.
You can use ephemeral storage in all AWS Regions where AWS HealthOmics is available: US East (N. Virginia), US West (Oregon), Europe (Frankfurt, Ireland, London), Israel (Tel Aviv), and Asia Pacific (Singapore, Seoul). To learn more about ephemeral storage, visit the AWS HealthOmics User Guide. For more information on pricing, visit AWS HealthOmics pricing.
Amazon Bedrock AgentCore Memory now enables cross-account access, allowing you to build multi-account architectures where memory resources and consuming agents span multiple AWS accounts. You can grant principals in one account permission to call memory data plane APIs against resources in another account using resource-based policies, and configure memory delivery destinations (Amazon S3, Amazon SNS, Amazon Kinesis Data Streams) that reside in a separate account.
Cross-account access is configured by attaching a resource-based policy to your memory resource. Once configured, principals in the consuming account can create events, write memory records, retrieve records, and perform semantic search by referencing the full memory ARN. Cross-account delivery destinations allow your memory resource to deliver payloads and stream events to S3 buckets, SNS topics, and Kinesis Data Streams in other accounts.
To get started, see Cross-account memory access in the Amazon Bedrock AgentCore Developer Guide. Amazon Bedrock AgentCore Memory cross-account access is available in all AWS Regions where Amazon Bedrock AgentCore Memory is supported.
Amazon ElastiCache now supports Valkey 9.1 for node-based clusters, delivering higher throughput, improved memory efficiency, and stronger access control for multi-tenant workloads. This release helps customers get more performance from existing infrastructure while simplifying common application patterns with new commands.
Valkey 9.1 includes a redesigned I/O threading model that improves throughput by up to 17%, reduces memory usage for strings under 128 bytes by up to 20%, and introduces database-level access control lists that let administrators scope user permissions to specific numbered databases. New commands like HGETDEL for atomic hash field retrieval and deletion, MSETEX for setting multiple keys with a shared expiration, and CLUSTERSCAN for cluster-wide key iteration simplify workflows that previously required multi-step client logic. The release also adds new main-thread and I/O-thread usage metrics for better operational visibility.
To get started, see Creating an ElastiCache cluster or upgrade an existing cluster. For more information about Valkey 9.1 features, see the Valkey 9.1 for ElastiCache launch blog. To learn more about the open source release, see the Valkey 9.1 community announcement.
We are pleased to announce general availability of Amazon EC2 G6e instances on SageMaker notebook instances.
Amazon EC2 G6e instances are powered by up to 8 NVIDIA L40s Tensor Core GPUs with 48 GB of memory per GPU and third generation AMD EPYC processors. G6e instances deliver up to 2.5x better performance compared to EC2 G5 instances. Customers can use G6e instances to interactively test model deployment and for interactive model training use cases such as generative AI fine-tuning. You can use G6e instances to deploy large language models (LLMs) with up to 13B parameters and diffusion models for generating images, video, and audio.
Amazon EC2 G6e instances are available on SageMaker notebook instances in the AWS US East (N. Virginia and Ohio), US West (Oregon), Asia Pacific (Tokyo), Middle East (Dubai) and Europe (Frankfurt, Sweden, Spain) regions.
Visit developer guides for instructions on setting up and using JupyterLab and CodeEditor applications on SageMaker Studio and SageMaker notebook instances.
AWS announces the preview of AI-powered investigations in Amazon GuardDuty, a new capability that automatically analyzes GuardDuty findings and accounts to help you quickly distinguish true threats from benign findings. This feature addresses the time-intensive manual investigation process that contributes to alert fatigue and slows incident response for security operations centers and cloud security analysts.
AI-powered investigations examine finding context, related activity from the last 90 days, affected resources, and threat indicators using knowledge graphs and threat intelligence, in minutes. Each investigation provides a disposition assessment with confidence scoring, MITRE ATT&CK® technique classification, supporting evidence, and actionable recommendations for suppression, containment, or remediation. This automation enables security teams to focus on genuine threats across individual AWS accounts or entire AWS Organizations and accelerate mean time to resolution.
This feature is available in preview in 10 AWS Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Europe (Ireland), Europe (London), Europe (Frankfurt), Europe (Paris), Europe (Stockholm), Asia Pacific (Tokyo). To get started, access AI-powered investigations through the Amazon GuardDuty console, CLI, API, or AWS' MCP Server.
To learn more, visit the Amazon GuardDuty User Guide.
Amazon CloudWatch Logs supports managed syslog ingestion, enabling customers to send syslog messages from firewalls, routers, switches, and Linux servers directly into CloudWatch Logs.
With today's launch, customers can configure their network devices and servers to send syslog messages over TCP, TCP+TLS, or UDP to a VPC endpoint in their account - without installing or managing any agents. Amazon CloudWatch Logs supports RFC 5424, RFC 3164, and Cisco FTD/ASA syslog formats, making it compatible with a wide range of infrastructure. Amazon CloudWatch Logs automatically parses incoming syslog messages and extracts structured fields such as facility, severity, hostname, and application name, thereby eliminating the need for custom parsing pipelines. For example, customers can ingest syslog from their network firewalls and immediately query by severity or hostname using Logs Analytics to investigate security events or troubleshoot connectivity issues. This feature helps teams centralize infrastructure log visibility, simplify operational workflows, and reduce the overhead of deploying and maintaining log collection agents across distributed environments.
Available in all commercial AWS Regions except Middle East (UAE), Middle East (Bahrain), and Israel (Tel Aviv). To get started, see the Amazon CloudWatch Logs documentation.
Amazon EC2 High Memory U7in-24TB instances (u7in-24tb.224xlarge) are now available in AWS Asia Pacific (Seoul) region. U7i instances are part of the AWS 7th generation and are powered by custom fourth-generation Intel Xeon Scalable processors (Sapphire Rapids). U7in-24TB instances offer 24 TiB of DDR5 memory, enabling customers to scale transaction processing throughput in a fast-growing data environment. U7i instances offer up to 45% better price performance over existing U-1 instances.
U7in-24TB instances deliver 896 vCPUs and support up to 100 Gbps of Amazon EBS bandwidth for faster data loading and backups, 200 Gbps of network bandwidth, and ENA Express. U7i instances are ideal for customers running mission-critical in-memory databases like SAP HANA, Oracle, and SQL Server.
To learn more about U7i instances, visit the High Memory instances page.
Amazon CloudWatch now supports tagging for CloudWatch dashboards, enabling you to organize, categorize, and control access to your dashboards using tags. Tags are key-value pairs that help you identify and manage AWS resources across your environment.
With this launch, the PutDashboard API now accepts an optional Tags parameter, allowing you to assign up to 50 tags when creating a new dashboard. The TagResource, UntagResource, and ListTagsForResource APIs now support dashboard ARNs, enabling you to add, remove, and list tags on existing dashboards. You can also manage dashboard tags using AWS CloudFormation. This new capability allows you to group dashboards by team by team, project, or environment, implement attribute-based access control by scoping IAM permissions to dashboards with specific tag values, and filter dashboards by tag in AWS Resource Explorer.
CloudWatch Dashboard tagging support is available at no additional cost in all AWS Regions where Amazon CloudWatch is available.
To learn more, see TagResource in the Amazon CloudWatch API Reference. To get started with CloudWatch dashboards, see Amazon CloudWatch features.
Amazon Neptune now supports AWS CloudFormation for provisioning and managing Neptune global databases. Using the new AWS::Neptune::GlobalCluster resource type, you can define your multi-region graph database topology as code — automating deployment, storing configurations in source control, and integrating with CI/CD pipelines.
Neptune global databases provide a primary cluster with read-write capability and up to five read-only secondary clusters in different AWS Regions, connected through low-latency replication via the Neptune storage subsystem. Common use cases include low-latency read access across regions, disaster recovery, data residency compliance, and high-availability graph deployments with centralized writes and distributed reads.
This feature is available in all AWS Regions where Neptune global databases are supported. To get started, see the Neptune global databases CloudFormation documentation.
2026 年 6 月 15 日週、AWS Summit New York City では、何千人ものお客様、パ […]
昼休み30分でAWSの最新AI技術をキャッチアップ。現場のソリューションアーキテクトが配信。AIエージェント、Bedrock、セキュリティまで。参加無料。
TLS エンドポイントをポスト量子暗号 (PQC) に移行する第一歩は、現状のインベントリと状態把握です。本記事では、ALB、NLB、Amazon API Gateway のエンドポイントを継続的に監視する PQC Readiness Scanner を紹介します。AWS Config コンフォーマンスパックを活用し、各エンドポイントを 3 階層フレームワークに分類して移行の優先順位付けを自動化する方法を、シングルアカウントおよび Organizations でのデプロイ手順とあわせて解説します。
こんにちは、ソリューションアーキテクトのシャルノ ミカエルです。 本記事では、2026 年 6 月 25 日( […]
株式会社 MIXI が FC東京向けに開発した「写真選定業務効率化システム」のバックエンドデータベースとして Amazon Aurora DSQL を採用した経緯と技術的な工夫、得られた効果を、お客様の声を交えてご紹介します。
みなさんこんにちは。ソリューションアーキテクトの山田です。2026 年 6 月 25 日(木)、26 日(金) […]
こんにちは。AWS プロフェッショナルサービスの Spatial Computing (空間コンピューティング […]
Bulletin ID: 2026-047-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/23/2026 09:30 AM PDT
Description:
Language Servers for AWS provide the underlying language-server runtime that powers Amazon Q Developer's AI coding assistance across its IDE plugins (Visual Studio Code, JetBrains, Eclipse, and Visual Studio).
We identified CVE-2026-12957, an improper trust boundary enforcement issue in Language Servers for AWS before version 1.65.0. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted.
We identified CVE-2026-12958, a missing symlink-validation issue in Language Servers for AWS before version 1.69.0. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.
These issues affect the Amazon Q Developer IDE plugins, which bundle Language Servers for AWS. Both issues are remediated in Language Servers for AWS version 1.69.0.
Affected products & versions:
- Language Servers for AWS: < 1.69.
- Amazon Q Developer for Visual Studio Code: < 2.20
- Amazon Q Developer for JetBains: < 4.3
- Amazon Q Developer for Eclipse: < 2.7.4
- AWS Toolkit with Amazon Q for Visual Studio: < 1.94.0.0
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
In this post, you will learn patterns for implementing production-ready multi-tenant systems using Amazon Bedrock AgentCore. You will see these patterns demonstrated through healthcare AI agents that serve multiple clinics and hospitals.
This post shows you how to build a conversational protein research assistant that combines three capabilities: Natural language query parsing to extract structured search parameters, vector similarity search over protein embeddings using a specialized language model and ai-generated scientific summaries of search results.
Learn how Amazon S3 Files simplifies Lambda functions by eliminating transfer code and /tmp constraints. See three modernization patterns with code examples for image processing, ETL pipelines, and multi-agent AI workloads. AWS Lambda functions that interact with Amazon Simple Storage Service (Amazon S3) typically follow a familiar pattern: download an object to /tmp, process it […]