この日はアーキテクチャ、セキュリティ、AI エージェント運用と幅広いトピックが揃いました。アーキテクチャブログでは、100 万個超の Lambda 関数へのスケール事例 (scale-to-zero やクォータ管理の教訓)、SageMaker AI での機械学習環境のデータ持ち出し防止、Nakama ゲームサーバーの Cognito 二要素トークン認証が解説されました。AI 領域では Bedrock AgentCore Observability による本番エージェントのデバッグ、Nova 2 Lite と Claude Sonnet 4.6 を組み合わせた低コスト文書処理、行レベルセキュリティを備えたマルチテナント LLM 分析が取り上げられました。注目は GovCloud での Claude Opus 4.8 提供開始、および多数の AWS サービスのメンテナンス移行・サンセット (Bedrock Agents Classic 化、Kendra、Q Business など) を告知した Service Availability Updates です。セキュリティでは AWS WAF の HTTP/2 マルチフレーム検査に関する CVE (2026-13762/13763) が公表されました。日本語では ElastiCache 向け Valkey 9.1、Kiro の Agent Focus・GitLab 対応、AWS 認定の再認定新方式が紹介されました。
大規模サーバーレス: 100 万 Lambda 関数へのスケール教訓、SageMaker AI でのデータ持ち出し防止アーキテクチャ
AI エージェント運用: Bedrock AgentCore Observability による本番エージェントのデバッグ、AgentCore Gateway への AWS WAF 保護 GA
コスト最適化 AI: Nova 2 Lite + Claude Sonnet 4.6 の二段パイプライン、マルチテナント LLM の行レベルセキュリティ
モデル/サービス動向: GovCloud で Claude Opus 4.8 提供開始、Kiro に GPT-5.4・Nemotron 3 Super 120B 追加
サービスライフサイクル: Bedrock Agents の Classic 化、Kendra・Q Business・Simple AD 等がメンテナンス/サンセットへ
セキュリティ: AWS WAF の HTTP/2 マルチフレーム検査に関する CVE-2026-13762/13763 公表 (CloudFront はサーバー側修正済)
国内: ElastiCache 向け Valkey 9.1、コンソールアクセスのネットワーク制限 (Sign-In リソースベースポリシー/RCP)、AWS 認定再認定の新方式
Amazon Managed Workflows for Apache Airflow (Amazon MWAA) Serverless now supports shared VPC subnets. Previously, customers using subnets shared via AWS Resource Access Manager (AWS RAM) received a validation error when creating MWAA Serverless workflows. With this update, MWAA Serverless correctly validates subnet ownership in shared VPC configurations, consistent with MWAA Provisioned environments.
Sharing VPC subnets across accounts using AWS RAM is a common pattern in multi-account landing zone architectures. Organizations that centrally manage networking can now launch MWAA Serverless workflows in member accounts using shared subnets — no workarounds required. Customers using Amazon SageMaker Unified Studio Workflows also benefit from this update when their projects are configured with shared VPC networking.
This update is available in all AWS Regions where Amazon MWAA Serverless is supported. To learn more, see the Networking section of the Amazon MWAA Serverless User Guide.
Today, AWS announces general availability of AWS Web Application Firewall (AWS WAF) protection for Amazon Bedrock AgentCore Gateway, enabling you to protect your agentic AI workloads from common web exploits and abuse. As enterprises move agentic applications from prototype to production, this launch gives security and platform teams ability to apply consistent, customizable web protections at the Gateway layer.
You can now associate an AWS WAF protection pack with your AgentCore Gateway to enforce IP-based access controls, rate-based rules that throttle abusive traffic, and AWS Managed Rule Groups including common rule sets, known bad inputs, and Bot Control. You configure the protection pack once at the Gateway level and AWS WAF applies it consistently to every target behind that Gateway, so a single configuration protects all downstream tools, agents, and integrations.
Support for AWS WAF on AgentCore Gateway is available in all AWS Regions where both AWS WAF and Amazon Bedrock AgentCore Gateway are available.
To learn more, see the AWS WAF Developer Guide and the Amazon Bedrock AgentCore documentation.
AWS Clean Rooms now supports intermediate tables for SQL queries, offering increased flexibility for organizations running complex, multi-step analytical workflows with their partners. With this launch, customers can write the results of a SQL query to an intermediate table within a collaboration for reuse in subsequent analyses. Intermediate tables enable multi-step analytical workflows — from reusing complex joins to building shared ID mapping tables for downstream analyses — all within the privacy boundary of the collaboration. For example, a publisher and an advertiser can join their first-party data to build an ID mapping table in a collaboration, then reuse it across reach, frequency, and attribution analyses, reducing costs and optimizing performance for the subsequent analyses.
AWS Clean Rooms helps companies and their partners easily analyze and collaborate on their collective datasets without revealing or copying one another’s underlying data. For more information about the AWS Regions where AWS Clean Rooms is available, see the AWS Regions table. To learn more about collaborating with AWS Clean Rooms, visit AWS Clean Rooms.
We’re announcing availability changes to the following AWS services and features.
Services moving to Maintenance
Services moving to maintenance will no longer be accessible to new customers starting July 30, 2026. Customers already using these services and features can continue to do so. AWS will continue to operate and support these services and features. We recommend that customers learn about the changes in the product pages and documentation.
· Amazon Bedrock Agents (launched November 2023) is now Amazon Bedrock Agents Classic
· AWS Directory Service – Simple AD
· AWS IoT Device Defender – Detect (feature will no longer be accessible to new customers starting August 31, 2026)
· AWS Mainframe Modernization – Self-Managed Experience
· AWS Management Console – myApplications
· AWS Resource Groups – Group Lifecycle Events
· AWS Service Catalog – Application Registry
· AWS Systems Manager – Application Manager
· Amazon SageMaker AI Features
o A2I
o Clarify
o Debugger
o Profiler
Services entering Sunset
The following services are entering sunset, and we are announcing the date upon which we will end operations and support of the service. Customers using these services should click on the links below to understand the sunset timeline and begin planning migration to alternatives as recommended in the updated service web pages and documentation.
· AWS Managed Services (AMS) Advanced
Services reaching End of Support
The following services have reached end of support and are no longer available as of June 30, 2026.
· Amazon Chime SDK – Carrier Voice Focus
· Amazon SageMaker AI – Ground Truth Plus
· AWS Elemental MediaLive and MediaPackage – ADC Regions
For customers affected by these changes, we've prepared comprehensive migration guides, and our support teams are ready to assist with your transition. Visit AWS Product Lifecycle Page to learn more, and subscribe to the RSS feed for future updates.
Amazon CloudWatch pipelines now supports processing and enriching OpenTelemetry (OTel) metrics during ingestion. CloudWatch pipelines is a fully managed service that ingests, transforms, and routes telemetry data to CloudWatch without requiring you to manage infrastructure.
Until now, customers who needed to enrich or transform OTel metrics before storage had to build custom processing layers or modify application instrumentation at the source. With OTel metric processing in CloudWatch pipelines, you can apply metric transformations centrally as part of the ingestion path with no new infrastructure required. With CloudWatch pipelines, you can enrich metrics by adding business context such as team ownership, cost center, and environment tags to metrics from sources you cannot modify. You can strip high-cardinality labels from custom workloads to reduce storage costs, and rename metrics and attributes to enforce consistent naming conventions across your organization. Processing is applied transparently to matched metrics with no changes to application instrumentation required.
OTel metric processing for CloudWatch pipelines is available in all AWS Regions where CloudWatch pipelines and CloudWatch native OpenTelemetry metrics are supported. Processing of OTel metrics via pipelines is offered at no additional cost. Standard CloudWatch pricing for OTel metrics ingestion apply. For pricing details, see CloudWatch Pricing.
To get started, open the Amazon CloudWatch console, navigate to pipelines under Ingestion, and select CloudWatch Metrics (OTel) as the source. To learn more, see the CloudWatch pipelines documentation.
Amazon GameLift Servers now offers DDoS Protection client SDKs for C# and Unity, helping game developers protect session-based multiplayer games against denial-of-service and distributed denial-of-service attacks. This feature co-locates a relay network directly alongside your game servers and uses access token-based authentication to ensure only authorized client traffic reaches your servers. Game developers building multiplayer experiences can now defend against targeted disruptions to specific players or entire game sessions.
DDoS Protection provides proactive UDP-based traffic protection with negligible latency and is available at no additional cost to Amazon GameLift Servers customers. The feature enforces per-player traffic limits to prevent disruptions even from seemingly legitimate sources, eliminating the need for manual byte matching. The new client SDKs for C# and Unity join existing support for C++ and Unreal Engine, giving developers flexibility to implement protection regardless of their game engine or language.
Amazon GameLift Servers DDoS Protection is available in US East (N. Virginia), US West (Oregon), Europe (Frankfurt), Europe (Ireland), Asia Pacific (Sydney), Asia Pacific (Tokyo), and Asia Pacific (Seoul). To learn more, visit the Amazon GameLift Servers documentation.
Two new models are now available in the Kiro IDE and CLI for the AWS GovCloud (US-West) Region.
OpenAI GPT-5.4 is now available in Kiro for complex reasoning, coding, document analysis, and multi-step agentic workflows. It helps developers build AI applications and production workflows that can interpret context, interact with tools, operate software environments, and verify outputs across multiple steps. GPT-5.4 runs on Amazon Bedrock's next-generation inference engine with isolated queues and durable execution for resilient workloads. Available with a 272K context window and 1.2x credit multiplier.
NVIDIA Nemotron 3 Super 120B is now available in Kiro as an open weight model option. A hybrid mixture-of-experts model activating only 12B of its 120B parameters for high compute efficiency and fast inference on agentic tasks. 256K context window with 32K max output. Available with a 0.25x credit multiplier.
Ensure your IDE or CLI is updated to the latest version, then restart it to access the new models from the model selector. For more details about Kiro in AWS GovCloud (US), visit the GovCloud documentation or contact your AWS account team for more information. To learn more about Kiro, visit the Kiro product page.
AWS GovCloud (US) now offers Claude Opus 4.8 -- Anthropic's most capable generally available model to date -- delivering meaningful advances across agentic coding, professional knowledge work, and long-running autonomous tasks for developers and enterprises building production AI applications.
Claude Opus 4.8 can perform longer autonomous runs, deeper reasoning, and consistency to be trusted with production work. For coding, the Opus 4.8 reads codebases like an engineer, plans before it edits, and holds context across long sessions in real repositories. For agentic tasks, it is better at finding paths around obstacles instead of stalling, recovering from its own errors, and knowing when to ask for help versus when to keep going. For knowledge work, it better synthesizes across long documents and complex sources, self-checks its output, and delivers structured deliverables that hold up to review.
Amazon Bedrock keeps your data within AWS infrastructure and provides access to Claude Opus 4.8 through a unified service with AWS-managed features like Guardrails, Knowledge Bases, and regional data residency. To learn more, see Amazon Bedrock documentation and regional availability.
Today, AWS announces that AWS Security Hub now monitors Microsoft Azure resources, extending risk analytics, cloud security posture management, vulnerability management, and security response management across both clouds. Many AWS customers running workloads in AWS and Azure have had to operate separate security tools for each environment, making it difficult to prioritize risks holistically or respond consistently. Security Hub now provides a single, unified experience to detect and respond to risks across your AWS and Azure environments.
Security Hub automatically discovers Azure resources, including Azure Virtual Machines (VMs), Azure Container Registry (ACR) container images, Azure Function Apps, and Azure identities, and evaluates them for misconfigurations, internet exposure, and software vulnerabilities. You receive posture checks against security standards including the CIS Benchmarks™ for Microsoft Azure Foundations, unified resource inventory, risk and exposure analysis, and automated response through existing EventBridge integrations. AWS and Azure findings appear in the same prioritized view with the same finding formats and automation workflows, so security teams can operate from one console rather than switching between tools.
Security Hub includes an independent 30-day free trial to monitor Azure resources that begins once you create your integration with Microsoft Azure. After the trial, you pay the same price for monitoring Azure resources and equivalent AWS resources. You can create an integration to Azure from all AWS Regions where Security Hub is available except Middle East (UAE), Middle East (Bahrain), Asia Pacific (Taipei), and Asia Pacific (New Zealand). You can also create integrations to Microsoft Azure for AWS Security Hub CSPM for posture management checks and Amazon Inspector for vulnerability management independently from AWS Security Hub. To learn more, see AWS Security Hub Pricing and AWS Security Hub documentation.
It has been a busy stretch on the AWS Summit circuit. At the New York City Summit, I delivered a workshop called Building AI architectures with AWS Serverless, and it was a lot of fun watching builders wire up agents and serverless services to solve real problems in a single afternoon. This week I am […]
It has been a busy stretch on the AWS Summit circuit. At the New York City Summit, I delivered a workshop called Building AI architectures with AWS Serverless, and it was a lot of fun watching builders wire up agents and serverless services to solve real problems in a single afternoon. This week I am […]
本ブログは プリモグローバルホールディングス株式会社 様と アマゾン ウェブ サービス ジャパン合同会社が共同 […]
本ブログでは、Amazon ElastiCache で利用可能になった Valkey 9.1 の新機能についてご紹介します。再設計された I/O スレッディングによるスループット向上や、小さな文字列・ソート済みセットのメモリ効率改善といった性能強化に加え、データベース単位の ACL によるマルチテナント環境での分離強化、HGETDEL・MSETEX・CLUSTERSCAN などワークフローを簡素化する新コマンド、JSON 形式のログ出力による可観測性向上について学べます。大規模インメモリワークロードのコスト最適化と運用効率化を目指す方におすすめの内容です。
AWS 認定の再認定に新たな方法が加わりました。Skill Builder 上のコースとハンズオンラボを完了することで、認定の有効期限を 1 年間延長できます。テストセンターの予約も不要で、自分のペースで取り組めます。現在は AWS Certified Solutions Architect – Associate、AWS Certified Developer – Associate、AWS Certified CloudOps Engineer – Associate、AWS Certified DevOps Engineer – Professional、AWS Certified Solutions Architect – Professional が対象で、今年後半に AWS Certified Data Engineer – Associate、 AWS Certified Security – Specialty、AWS Certified Machine Learning Engineer – Associate を含む追加の認定も対応予定です。
Kiro Web は、既存の GitHub サポートに加えて、GitLab でも動作するようになりました。より興味深いのは、コードが GitLab と GitHub の両方にまたがって存在する場合に何が起きるかです。両方からリポジトリを同じセッションに追加し、単一の変更を記述すれば、Kiro がそれを両方にわたって実行し、一方にはマージリクエスト(MR)を、もう一方にはプルリクエスト(PR)を開いてくれます。これは、コードが 1 つのきれいな場所に収まっていないときに意味を持ちます。
開発者が AI と協働する方法は変わりつつあります。モデルは今や複数ステップの作業を計画し実行できるようになり、より多くの開発者が、自分で一行ずつコードを打ったり直接編集したりするのではなく、エージェントを導くことに一日を費やすようになっています。 IDE は別の時代のために作られたものです。IDE はコードを中心に据えますが、それはまさに「自分で編集しているとき」に欲しいものです。しかし、主な仕事がエージェントに実行させる作業を定義し、洗練し、方向づけることであるとき、それが必ずしも欲しいものとは限りません。2026 年 6 月 25 日、私たちは Agent Focus を発表します。これは Kiro IDE における実験的な新しいビューで、エージェントとのやり取りを前面に押し出すものです。チャットファーストな働き方の基盤を築きます。やりたいことを記述し、会話を通じて洗練させ、作業を開始し、エージェントが進める様子を確認する——という流れです。これまでの IDE 体験がなくなるわけではありません。Agent Focus はそれと並んで存在し、いつでも両者を行き来できます。
本ブログでは、企業が規制コンプライアンスのためにコンソールアクセスを企業ネットワークに制限するユースケースを取り上げ、AWS Sign-In のリソースベースポリシーと RCP を使った実装方法を紹介します。リソース許可ステートメントの作成、コンソール認可の有効化、CloudTrail による検証、Console Private Access やデータ境界フレームワークとの統合まで詳しく説明します。
Deadline Cloud のサービス管理フリートで Wait and Save を設定し、CPU レンダリングコストを削減する方法を紹介します。
The AWS Customer Incident Response Team (AWS CIRT) encounters patterns that repeat across engagements when helping customers respond to security incidents. We’re passionate about making sure that information is accessible so that everyone can improve their security posture and their organization’s resilience to disruption. The primary method we use to share this information is the […]
Bulletin ID: 2026-048-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/29/2026 11:15 PM PDT
Description:
AWS WAF is a web application firewall that monitors the HTTP(S) requests that are forwarded to your protected web application resources. We identified CVE-2026-13762 and CVE-2026-13763, which are issues affecting HTTP/2 multi-frame request body inspection by AWS WAF.
CVE-2026-13762 affects AWS WAF deployment with CloudFront. This issue was remediated server-side; no customer action is required.
CVE-2026-13763 affects AWS WAF deployment with AWS Application Load Balancer (ALB). Under certain conditions, a crafted multi-frame HTTP/2 request could cause only a partial request body to be inspected. This issue has been addressed on ALB, and customers can ensure full protection by configuring how AWS WAF inspects HTTP/2 request bodies on their ALB.
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
In this post, you learn how to configure an Amazon Cognito User Pool for SRP-based game client authentication with no client secret. You will implement a Go runtime hook that validates Cognito JWTs and bridges player identity to Nakama sessions.
In this post, we demonstrate how iBusiness implemented a three-layered security architecture using Amazon SageMaker AI, virtual private cloud (VPC) endpoints, and Amazon WorkSpaces Secure Browser to prevent data exfiltration while maintaining data scientist productivity. You can adapt this approach to build secure machine learning environments that balance strict data protection with team scalability.
In this post, we share our journey and the lessons learned from building and running a fully serverless, multi-account software as a service (SaaS) platform at scale. We’ll explore why true scale-to-zero is critical, how we handle quota management, why engaging AWS service teams early saved us from outages, and which unexpected practices emerged once we scaled from thousands to over a million functions.
In this post, you learn how to debug production agent failures using built-in observability capabilities. We walk through common failure patterns, show how to analyze agent behavior with traces and metrics, and provide structured workflows for resolving issues such as infinite loops and tool invocation failures. This is Part 1 of a two-part series. Part 2 covers performance optimization and memory management.
In this post, we show you how to build an automated claims processing pipeline using two key Amazon Bedrock capabilities: Amazon Bedrock Data Automation for intelligent document extraction from healthcare claim forms, and Amazon Bedrock AgentCore for hosting an AI agent that validates and transforms the extracted data into FHIR (Fast Healthcare Interoperable Resources) resources in AWS HealthLake. You will learn how to combine these services to create an end-to-end workflow that reduces manual processing while maintaining accuracy through automated validation checks.
In this post, we show you how PAR built a production-ready multi-tenant LLM analytics system that enforces row-level security through a three-layer architecture: cryptographic request signing with AWS SigV4, semantic validation on Amazon Bedrock, and programmatic data isolation via Split-Plane SQL. We demonstrate how each layer operates independently to reduce the risk of cross-tenant data exposure, even when the LLM itself is compromised or manipulated.
In this post, we show how pairing Amazon Nova 2 Lite with Anthropic’s Claude Sonnet 4.6 delivers an efficient solution for digitizing scanned documents at scale. We built a two-model pipeline on Amazon Bedrock for digitizing scanned yearbook pages. Amazon Nova 2 Lite handles native multimodal extraction in a single call: detecting photos, extracting visible names with coordinates, and returning page-level metadata. Claude Sonnet 4.6 then performs spatial reasoning to match names to faces based on page layout.
In this post, we cover best practices for implementing an effective backup strategy for BI assets in Quick Sight. We start by covering the options for selecting the assets to include in your backup, then explain the high-level APIs available for that purpose, and finalize with sample code to help you get started quickly.