この日は更新数が多く、特に新モデルと新世代コンピュートの発表が目立ちました。最大の話題は Anthropic の Claude Sonnet 5 の AWS 提供開始 (Amazon Bedrock および Claude Platform on AWS)、そして AWS Graviton5 プロセッサ搭載の EC2 C9g / C9gd インスタンスの一般提供です。C9g は Graviton4 比で最大 25% の性能向上と 5 倍の大容量キャッシュを備え、Nitro Isolation Engine による形式検証で数学的に証明された分離を初めて実現しました。運用効率化では CloudFormation / CDK の Express モード (デプロイ最大 4 倍高速化) と全スタック操作での事前検証、ACM の ACME プロトコル対応による TLS 証明書自動化、EKS の Kubernetes バージョンロールバックが登場しました。AI 領域では AgentCore への AG-UI プロトコル対応、Bedrock のマネージドエンタイトルメント、WorkSpaces for AI agents の GA、SageMaker の Gemma 4 サーバーレスカスタマイズが発表されました。セキュリティでは Security Hub CSPM の AI セキュリティベストプラクティス標準 (31 の自動コントロール) が追加されています。
新モデル: Claude Sonnet 5 が Amazon Bedrock と Claude Platform on AWS で提供開始 (最新世代 Sonnet、Sonnet 価格でトップティア性能)
新世代コンピュート: Graviton5 搭載 EC2 C9g / C9gd が GA — 最大 25% 性能向上、Nitro Isolation Engine で形式検証済み分離
デプロイ高速化: CloudFormation / CDK Express モード (最大 4 倍) と全スタック操作での事前検証、ECS Auto Scaling の予約優先配置
AI エージェント基盤: AgentCore への AG-UI プロトコル対応、Bedrock マネージドエンタイトルメント、WorkSpaces for AI agents GA
証明書/認証: ACM の ACME プロトコル対応で TLS 証明書発行・更新を自動化、IAM Identity Center のプログラム的アカウントアクセス
AI セキュリティ: Security Hub CSPM に AI Security Best Practices 標準 (Bedrock/AgentCore/SageMaker 向け 31 コントロール) 追加
その他: OpenSearch Service のログ分析特化エンジン (最大 4 倍の価格性能比)、Lambda MicroVMs、AWS Interconnect - last mile プレビュー
Starting today, Amazon Elastic Compute Cloud (Amazon EC2) C9g and C9gd instances, powered by AWS Graviton5 processors, are generally available. AWS Graviton5 processors are the fifth generation of custom-designed CPUs, delivering the best price performance for compute-intensive workloads running on Amazon EC2.
C9g instances are ideal for workloads such as high-performance computing (HPC), batch processing, gaming, video encoding, scientific modeling, distributed analytics, CPU-based machine learning (ML) inference, real time analytics, and ad serving. C9gd instances offer local NVMe-based SSD block-level storage for customers running compute-intensive workloads that also require high-speed, low-latency local storage for scratch space, temporary files, and caches.
C9g and C9gd instances deliver up to 25% better compute performance compared to AWS Graviton4-based C8g and C8gd instances. They are up to 30% faster for databases, up to 35% faster for web applications, and up to 35% faster for machine learning. They feature 5x larger cache and the fastest memory of any processor instances in the cloud. These instances are built on the sixth-generation AWS Nitro System and are the first to feature the Nitro Isolation Engine, harnessing formal verification to provide mathematical assurance that customer workloads are isolated from each other and AWS operators, pioneering a new standard for mathematically proven cloud security.
C9g and C9gd instances are available in US East (N. Virginia, Ohio), US West (Oregon), and EU (Frankfurt) regions. C9g and C9gd instances are available for purchase via Savings Plans, On-Demand, Spot instances, Dedicated instances, or Dedicated hosts.
Level up your compute with AWS Graviton and get started today.
AWS launches AWS Interconnect - last mile, a fully managed connectivity offering that allows customers to connect their branch offices, data centers, and remote locations to AWS with just a few clicks, eliminating the friction and complexity of network setup. Now with AT&T in gated preview, AWS Interconnect - last mile combines AWS cloud innovation with AT&T’s extensive network footprint to redefine how businesses connect to the cloud.
Customers can instantly establish private, high-speed connections to AWS by simply choosing their preferred AWS Region, bandwidth speed, Direct Connect Gateway ID and partner subscriber ID. Once initiated, AWS generates an activation key to complete provisioning with AT&T. The launch simplifies the connectivity experience by pre-provisioning capacity and automating complex network configuration including BGP peering, VLAN configuration, and ASN assignment. Customers can benefit from zero down-time maintenance. The service is designed for high availability and backed by SLA.
AWS Interconnect - last mile is available as a gated preview with AT&T for customers in the US starting today. Partners can also easily adopt via a published open API package on GitHub. For more information, see the AWS Interconnect - last mile documentation and request access here.
Amazon SageMaker AI now supports serverless model customization for Gemma 4 E4B and 31B models using supervised fine-tuning (SFT), direct preference optimization (DPO), and reinforcement fine-tuning (RFT). Gemma is a family of open models built by Google DeepMind. In addition to deploying these models on SageMaker AI, you can now adapt them to your specific domains and workflows. This launch also extends the variety of models available for serverless customization on SageMaker AI, including models from the Nova, Nemotron 3, Qwen, Llama, gpt-oss, and DeepSeek families.
Model customization enables you to tailor these foundation models with your proprietary data, whether that's improving accuracy on domain-specific tasks, aligning outputs with your organization's tone, or enhancing performance on new tasks using your labeled data. With serverless customization, SageMaker AI handles all infrastructure provisioning and training orchestration, so you can focus on your data and evaluation rather than cluster management, and only pay for what you use.
Serverless model customization on SageMaker AI is available in US East (N. Virginia), US West (Oregon), Asia Pacific (Tokyo), and EU (Ireland). To get started, navigate to the Models page in Amazon SageMaker Studio to launch a customization job, or use the SageMaker Python SDK for programmatic access. To learn more, see the Amazon SageMaker AI model customization documentation.
IAM Identity Center now enables customer managed applications to programmatically access AWS accounts on behalf of their users, including the ability to discover accounts and roles assigned to a user and retrieve temporary credentials required for AWS account access.
If you have a customer managed application that authenticates users through an external identity provider (IdP), you can configure that IdP as a trusted token issuer (TTI) in IAM Identity Center. With this launch, you can now enable AWS account access for this application. Users who have already signed in through the IdP can access their assigned AWS accounts and obtain temporary security credentials for their authorized roles without a separate authentication flow. This eliminates redundant sign-in prompts that previously required users to re-authenticate even after signing in through their external identity provider.
This feature is available for organization instances of IAM Identity Center. IAM Identity Center administrators must explicitly enable AWS account access for each customer managed application. Only management account administrators or delegated administrators can enable this capability, ensuring centralized governance over which applications can access account-level resources.
This feature is available in all commercial AWS Regions, the AWS GovCloud (US) Regions, and the China Regions. To get started, navigate to the IAM Identity Center console, select your customer managed application, and enable AWS account access. For more information, see Enable AWS account access for customer managed applications in the IAM Identity Center User Guide.
AWS now offers Claude Sonnet 5 - Anthropic's most capable Sonnet model and the first Sonnet model of Anthropic’s latest generation - bringing top-tier intelligence at Sonnet pricing for coding, agents, and everyday professional work at scale.
Claude Sonnet 5 delivers strong performance across coding, professional work, and agentic tasks while maintaining the balance of capability, cost, and speed that teams get from Sonnet. For coding, it navigates large codebases, lands multi-file changes, and carries debugging and refactoring tasks through to completion with fewer rounds of correction. For agents, it calls tools precisely, holds state across many steps, and recovers from errors so more runs finish correctly the first time. For knowledge work, it builds spreadsheets, drafts documents, and turns unstructured material into structured analysis.
Customers have two ways to access Claude Sonnet 5: Amazon Bedrock and Claude Platform on AWS.
Amazon Bedrock keeps your data within AWS infrastructure and provides access to Claude Sonnet 5 through a unified service with AWS-managed features like Guardrails, Knowledge Bases, and regional data residency. To learn more, see the Amazon Bedrock documentation and regional availability.
Claude Platform on AWS gives you direct access to Anthropic's native platform experience and capabilities via the AWS Console. Build, test, and deploy with the same APIs, features, and console experience you'd get working with Anthropic directly, unified with AWS billing and authentication. To get started, see the Claude Platform on AWS documentation.
AWS now offers Claude Sonnet 5 - Anthropic's most capable Sonnet model and the first Sonnet model of Anthropic’s latest generation - bringing top-tier intelligence at Sonnet pricing for coding, agents, and everyday professional work at scale.
Claude Sonnet 5 delivers strong performance across coding, professional work, and agentic tasks while maintaining the balance of capability, cost, and speed that teams get from Sonnet. For coding, it navigates large codebases, lands multi-file changes, and carries debugging and refactoring tasks through to completion with fewer rounds of correction. For agents, it calls tools precisely, holds state across many steps, and recovers from errors so more runs finish correctly the first time. For knowledge work, it builds spreadsheets, drafts documents, and turns unstructured material into structured analysis.
Customers have two ways to access Claude Sonnet 5: Amazon Bedrock and Claude Platform on AWS.
Amazon Bedrock keeps your data within AWS infrastructure and provides access to Claude Sonnet 5 through a unified service with AWS-managed features like Guardrails, Knowledge Bases, and regional data residency. To learn more, see the Amazon Bedrock documentation and regional availability.
Claude Platform on AWS gives you direct access to Anthropic's native platform experience and capabilities via the AWS Console. Build, test, and deploy with the same APIs, features, and console experience you'd get working with Anthropic directly, unified with AWS billing and authentication. To get started, see the Claude Platform on AWS documentation.
Today, AWS announces Dynamic Instrumentation for Amazon CloudWatch Application Signals, a capability that captures runtime state from live applications without requiring restarts or redeployments. Developers debugging production issues can now inspect variable values, method arguments, return values, and stack traces at specific code locations. Dynamic Instrumentation eliminates the need to add logging statements, redeploy, and wait to reproduce a problem, making it practical to investigate issues that are difficult to replicate locally.
Customers start by instrumenting their application with the AWS Distro for OpenTelemetry (ADOT) SDKs. Customers then configure which code locations to monitor using the CloudWatch Application Signals MCP server or manually via the AWS CLI and SDK. When execution reaches an instrumented location, the agent captures a snapshot containing the runtime context and delivers it to CloudWatch Logs, correlated with the active trace. Customers can tune how much data to capture, including which arguments and local variables to collect.
Dynamic Instrumentation is available in all commercial AWS regions. Supported languages are Java, Python, and JavaScript/TypeScript. The feature is disabled by default in the ADOT SDKs and must be enabled via a flag, see documentation for more.
To learn more, see Debug applications with Dynamic Instrumentation in the Amazon CloudWatch User Guide. Dynamic instrumentation data is captured as logs. Standard CloudWatch Logs ingestion and storage rates apply. For details, see CloudWatch pricing.
Today, AWS Security Hub CSPM announces the AI Security Best Practices standard, a set of 31 automated security controls that detect when your deployed AI resources do not align with security best practices. Developed by AWS security experts, this standard helps you continuously evaluate your Amazon Bedrock, Amazon Bedrock AgentCore, and Amazon SageMaker workloads against recommended security configurations—without requiring manual assessments or custom rule authoring.
The AI Security Best Practices standard covers critical security domains including but not limited to network isolation, encryption at rest and in transit, VPC placement, KMS key usage, private container registry requirements, and authorization controls. Controls span the breadth of AI infrastructure: from Bedrock AgentCore runtimes, gateways, memory stores, and custom browsers to SageMaker notebook instances, endpoints, models, monitoring jobs, and feature groups. Each control is assigned a security category and generates findings when resources deviate from best practices, enabling security teams to quickly identify and remediate misconfigurations across their AI workloads.
The AI Security Best Practices standard is available in all AWS Regions where Security Hub CSPM is currently available, including AWS GovCloud (US) and the China Regions. The standard identifier is standards/ai-security-best-practices/v/1.0.0. To learn more, see the AWS Security Hub CSPM User Guide. You can also try Security Hub CSPM at no cost for 30 days with the AWS Free Tier.
Amazon SageMaker Inference now supports container image caching, enabling up to 2x faster end-to-end scaling for generative AI models during scale-out events. When your endpoint scales out, the service pre-caches your container image so new instances can start serving traffic faster, without waiting for large container images to be pulled from Amazon ECR.
Generative AI workloads typically use large container images (10 GB or more) for deep learning frameworks and model serving. Previously, every new instance launched during scale-out had to pull the full image from ECR, adding several minutes of cold-start latency. Container image caching eliminates this bottleneck by pre-pulling the image so new instances launch with the container already available locally. Customers don't need to make any changes. The service automatically caches whatever image URI is specified in your endpoint or inference component configuration. This capability supports accelerator instance types, single-model endpoints, and inference component-based endpoints.
With this launch, SageMaker Inference now offers a comprehensive scaling optimization suite for generative AI: sub-minute concurrency metrics for up to 6x faster load detection, instance-store container caching for faster scaling on existing instances, and container image caching for up to 2x faster scaling on new instances.
Container image caching is available in all AWS commercial regions where SageMaker Inference is supported. To learn more, visit the launch blog.
Announcing Capability Insights for AWS, an open-source solution for regional capabilities
Today, AWS announces the launch of Capability Insights, an open-source solution that enables you to deploy regional capabilities data inside your own Amazon Virtual Private Cloud (VPC). This self-hosted dashboard addresses the needs of teams building multi-Region architectures requiring regional capabilities data deployed as infrastructure they own, inside their network, and under their governance. The solution is designed for organizations with data residency requirements, compliance teams needing internal reporting, and teams planning regional expansion or multi-Region recovery strategies.
The dashboard auto-refreshes every 24 hours with AWS capabilities data across all Regions, covering services, features, API operations, and CloudFormation resource types. The Workload Analysis component scans your AWS CloudTrail logs and AWS CloudFormation stacks to filter 200+ services down to the number of services your account actually uses, reducing multi-week gap analysis to quick reviews. All data remains within your VPC perimeter, supporting compliance and data residency requirements while providing full ownership and control over the infrastructure hosting the regional capabilities data.
Today, AWS announces the launch of Capability Insights, an open-source solution that enables you to deploy regional capabilities data inside your own Amazon Virtual Private Cloud (VPC). This self-hosted dashboard addresses the needs of teams building multi-Region architectures requiring regional capabilities data deployed as infrastructure they own, inside their network, and under their governance. The solution is designed for organizations with data residency requirements, compliance teams needing internal reporting, and teams planning regional expansion or multi-Region recovery strategies.
The dashboard auto-refreshes every 24 hours with AWS capabilities data across all Regions, covering services, features, API operations, and CloudFormation resource types. The Workload Analysis component scans your AWS CloudTrail logs and AWS CloudFormation stacks to filter 200+ services down to the number of services your account actually uses, reducing multi-week gap analysis to quick reviews. All data remains within your VPC perimeter, supporting compliance and data residency requirements while providing full ownership and control over the infrastructure hosting the regional capabilities data.
Today, AWS announces container attribute-based rules for AWS Network Firewall, a capability that simplifies how you secure containerized workloads, including generative AI applications, running on Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Elastic Container Service (Amazon ECS). You can now write firewall policies using native container constructs such as Namespace, Cluster Name, and Labels for Amazon EKS, and Cluster Name and Container Instance Attributes for Amazon ECS, instead of managing complex IP-based rules that break every time pods scale or restart. As organizations accelerate adoption of generative AI on Amazon EKS and Amazon ECS, this feature delivers the enterprise-grade network security controls needed to protect these dynamic, rapidly evolving environments.
With container attribute-based rules, you can apply TLS decryption for deep packet inspection of encrypted traffic, FQDN-based filtering to restrict specific pods to approved domains, URL category filtering, and GeoIP filtering—all automatically adapting as your containers scale. The native integration between AWS Network Firewall, Amazon EKS, and Amazon ECS enables centralized, multi-cluster security, helping you meet business and regulatory compliance.
Container attribute-based inspection is available at no additional cost as part of AWS Network Firewall. For a full list of supported regions, visit the AWS Capabilities by Region page.
To get started, visit AWS Network Firewall product page and service documentation.
Amazon EC2 Auto Scaling now offers reservations-then-balanced, a new Availability Zone (AZ) distribution strategy that prioritizes launching instances into your capacity reservations before distributing remaining capacity evenly across Availability Zones. This enables you to maximize utilization of pre-purchased capacity such as On-Demand Capacity Reservations (ODCRs), Capacity Blocks, and Interruptible Capacity Reservations, while retaining the operational simplicity and resilience of Auto Scaling.
Starting today, you can configure reservations-then-balanced by setting the capacity distribution strategy in the AvailabilityZoneDistribution configuration of your Auto Scaling group and targeting reservations by Capacity Reservation Group ARN or by individual Capacity Reservation IDs. There is no additional charge to use reservations-then-balanced; you continue to pay standard EC2 pricing for your reservations and any On-Demand or Spot instances launched by the group.
Reservations-then-balanced is available today in all AWS commercial Regions. To learn more, visit the Amazon EC2 Auto Scaling User Guide.
Amazon WorkSpaces for agents is now generally available, enabling AI agents to securely access and operate desktop applications through managed WorkSpaces environments. Enterprises run critical business processes on desktop applications (ERP systems, CRMs, mainframes, and proprietary tools) where years of customization, undocumented logic, and strict compliance requirements make them too critical to abandon and costly to modernize. WorkSpaces for agentsnow gives AI agents a managed cloud workspace where they can see the screen and operate these applications the way humans do, without requiring application modernization or custom integrations.
WorkSpaces uses the same infrastructure for agents as organizations have trusted for over a decade to deliver secure, managed desktops at scale. Agents inherit the same identity controls, network isolation, and compliance boundaries as human users, so organizations gain automation without giving up governance. Organizations can automate workflows such as claims processing, patient record updates, trade settlement, and back-office operations. The service works with any agent framework using Model Context Protocol (MCP), and pricing scales based on active session time.
Since launching in Preview, customer and partner feedback has shaped new capabilities. MCP tool forwarding allows agents to interact with applications and the desktop operating system through direct MCP calls rather than using computer use tools, improving accuracy, reducing latency, and lowering cost. Real-time session control gives operators live visibility into agent activity with the ability to revoke access mid-session. Domain-joined fleet support lets agents operate under existing Active Directory identities, extending the same access policies and audit attribution that apply to employees.
To learn more, visit Amazon WorkSpaces for AI agents. To get started building, see the documentation and sample code on GitHub.
Amazon Time Sync Service introduces support for microsecond accurate time on 26 additional EC2 instance types in all commercial regions. Built on Amazon's proven network infrastructure and the AWS Nitro System, microsecond accurate time and nanosecond precision hardware timestamps leverage the reference clocks running in the Nitro System directly, enabling customers to easily order application events, measure 1-way network latency, and increase distributed application transaction speed.
Starting today, customers can access microsecond accurate time on these additional instance types by creating a Precision Time Placement Group (PTPG), a new placement strategy that allows customers to launch instances with Precision Time Protocol hardware clock (PHC) enabled. Customers that require both low network latency as well as precision time can associate a PTPG with their Cluster Placement Group (CPG), so that their low-latency workloads also benefit from microsecond accurate time.
For more information, refer to the Amazon Time Sync Service documentation.
AWS End User Messaging now supports rich media and interactive messaging for RCS across all 22 supported countries. With the new SendRcsMessage API, you can send rich cards, carousels, images, videos, and interactive suggestion buttons that let recipients take action directly inside their messaging app.
RCS message recipients can tap to confirm an appointment, browse a product catalog, complete a payment in a webview, share their location, or interact with an AI agent, all without leaving their phone's messaging app. Behind each of these interactions is the same AWS infrastructure you already use to build applications. RCS becomes the interface layer that connects your backend services, your data, and your AI directly to your end users through your conversation with them.
With this release AWS now supports four RCS message types (text, files, rich cards, and carousels). These message types can be used with any combination of six actions (replies, URLs, webviews, phone calls, maps, and calendar events) to bring web and mobile app experiences directly into conversations.. Each message supports configurable SMS or MMS fallback for recipients without RCS.
AWS End User Messaging also introduces RCS Conversation pricing for 21 countries consisting of one flat rate for unlimited messages within a 24-hour session, so you can build back-and-forth workflows without per-message cost pressure.
RCS messaging is available in all AWS Regions where AWS End User Messaging is available. To learn more, see sending rich RCS messages in the AWS End User Messaging User Guide.
Amazon Connect Customer now supports assigning up to 7 security profiles with granular access controls per user, increased from the previous limit of 2. This means an agent who serves multiple lines of business can now have a distinct, scoped permission set for each one, enforced through tag-based or heirarchy-based access controls. The increased limit gives you greater flexibility to match your security model directly to your organizational structure. For example, a financial services company with separate lines for credit cards, mortgages, auto loans, personal banking, investments, insurance, and fraud can now assign an agent seven security profiles, one per line of business, each granting access only to the resources tagged for that specific division. This ensures least privilege access without requiring a single overly broad profile.
This feature is available in all AWS regions where Amazon Connect is offered. To learn more about estimated wait time see the Amazon Connect Administrator Guide. To learn more about Amazon Connect, the AWS cloud-based contact center, please visit the Amazon Connect website
Amazon ElastiCache now supports T4g node types in the following AWS Regions: Africa (Cape Town), Asia Pacific (Jakarta), Asia Pacific (Osaka), AWS GovCloud (US-East), and AWS GovCloud (US-West). T4g nodes are powered by AWS Graviton2 processors and provide a baseline level of CPU performance with the ability to burst CPU usage at any time, making them ideal for applications that experience temporary spikes in usage.
For complete information on pricing and regional availability, please refer to the Amazon ElastiCache pricing page. To get started, create a new cluster or modify an existing cluster using the AWS Management Console, AWS CLI, or API. To learn more, see Supported node types in the Amazon ElastiCache User Guide.
Amazon Neptune now supports dual-stack mode, enabling database clusters to accept connections over IPv4, IPv6, or both protocols simultaneously. This allows organizations to adopt IPv6 while maintaining backward compatibility with existing IPv4 deployments.
Neptune dual-stack mode supports two configurations. Private dual-stack mode provides IPv6 endpoints that remain isolated from the internet, suitable for internal applications and private graph databases. Public dual-stack mode enables IPv6 endpoints accessible from the internet, supporting internet-facing applications and hybrid network environments. Clients connect seamlessly using their preferred protocol with no application changes required.
Dual-stack mode is available in all AWS Regions where Amazon Neptune is supported. To get started, see the Neptune setup documentation.
AWS Parallel Computing Service (PCS) now supports managed in-place Slurm version upgrades for existing clusters. You can move your clusters up to three Slurm major versions ahead with no disruption to running jobs.
To upgrade, update your Cluster configuration with your target Slurm version using the AWS Management Console, AWS CLI, or UpdateCluster API. PCS handles the upgrade of all managed Slurm components — the controller, accounting database, and REST API. Running jobs continue uninterrupted during the upgrade, queued jobs resume once the operation completes, and any accounting data is preserved in the database. You can then update your compute nodes to the new Slurm version at your convenience. Refer to the PCS User Guide for more information on the steps to follow and considerations to review based on your cluster configuration.
AWS PCS is a managed service that simplifies running and scaling HPC workloads on AWS using Slurm. You can build complete, elastic environments that integrate compute, storage, networking, and visualization tools, while the service handles cluster operations with managed updates and built-in observability features.
This feature is available in all AWS Regions where PCS is available. To get started, see the PCS User Guide.
Amazon Relational Database Service (Amazon RDS) now offers dynamic connection scaling for IAM database authentication, allowing connection rates to scale with instance resources.
IAM database authentication performance now scales with available instance resources, enabling enterprise workloads to leverage IAM authentication for high-volume connection patterns. The number of new IAM authentication requests your instance can handle depends on available resources and workload characteristics. For optimal performance, we recommend reusing IAM user or IAM assumed role principals to generate authentication tokens, or reusing the authentication tokens themselves, when possible.
This update is available in all AWS Regions, including the AWS GovCloud (US) Regions, where IAM database authentication is supported for Amazon Aurora and Amazon RDS database engines including PostgreSQL, MySQL, and MariaDB. To learn more, visit the IAM database authentication documentation.
AWS CloudFormation customers can now get immediate feedback on deployment errors in seconds, eliminating the need to wait through a full provision-and-rollback cycle to discover preventable failures. CloudFormation now runs pre-deployment validation on Create Stack and Update Stack operations, catching common deployment errors before resource provisioning begins. This accelerates development velocity across all deployment workflows, from manual iteration to CI/CD pipelines to AI agents provisioning infrastructure.
Previously, pre-deployment validation was available during change set creation, covering property syntax errors, resource name conflicts, and S3 bucket emptiness constraints. With this release, the same validations now run automatically on Create Stack and Update Stack operations. Additionally, three new validation checks are now available as warnings during change set creation. Service quota limits validation warns when creating resources would exceed your account's service quotas. AWS Config Recorder conflict detection warns when your template adds Config rules to an account that does not have Config recording enabled, or defines a Config Recorder in an account where one is already active. ECR repository delete readiness validation warns when an ECR repository targeted for deletion still contains images. When validation detects an issue, you can view errors using the DescribeEvents API with the operation ID, or in the CloudFormation console by navigating to your stack's Events tab and clicking the operation ID (or the link in the banner or status reason column) to open the Operation view page, which opens directly on the Deployment validations tab. Each error includes the logical resource ID and property path, so you can pinpoint and fix the problem before any resources are provisioned. In CDK, both cdk deploy and cdk validate surface validation results with construct-level tracing in a unified report, so AI agents and automation tools can parse structured responses and self-correct immediately.
Pre-deployment validation is enabled by default on all stack operations with no configuration required. If you need to skip validation for a specific operation, use the new DisableValidation parameter on CreateStack, UpdateStack and CreateChangeSet API calls, or the --disable-validation flag in the CLI. Visit the Validate stack deployments User Guide to learn more.
This feature is available in all AWS Regions where CloudFormation is supported, excluding China. Refer to the AWS Region table for service availability details.
AWS CloudFormation and CDK express mode reduces deployment time by up to 4x for developers and AI agents building infrastructure, based on internal benchmarks. Express mode completes stack operations when CloudFormation confirms resource configuration is applied, rather than waiting for extended stabilization checks such as traffic readiness, region propagation, and resource cleanup. This enables faster iteration cycles for developers and AI agents building infrastructure.
When iterating on infrastructure in development environments, developers and AI agents need faster iteration cycles to build infrastructure incrementally. Previously, every deployment waited for full resource stabilization regardless of whether the workflow required it. For example, creating a CloudFront distribution required waiting 5-10 minutes for propagation to all edge locations before the deployment completed, even when the developer only needed the distribution domain name to continue. With express mode, deployments complete in seconds once configuration is applied, and propagation continues in the background. CloudFormation still processes resources in dependency order and handles dependent resource failures within the same stack. Express mode disables rollback by default, enabling immediate fix-and-retry without waiting for rollback operations.
To get started, set --deployment-config '{"mode": "EXPRESS"}' when creating, updating, and deleting stacks or creating a change set through the AWS CLI, AWS SDKs, or the AWS Management Console. For AWS CDK users, activate express mode with cdk deploy --express. No template changes are required. Express mode works with all existing CloudFormation templates, and nested stacks. Visit the CloudFormation Express mode documentation to learn more.
This feature is available in all AWS Regions where CloudFormation is supported. Refer to the AWS Region table for service availability details.
Amazon CloudWatch Logs now enriches log events with resource tags, making it easier to filter, search, and analyze logs by the metadata that matters most to your organization, such as team ownership, environment, cost center, or application name, without requiring changes to your logging instrumentation.
With tag enrichment, Amazon CloudWatch Logs adds resource tags directly to your log events at ingestion time. You can immediately use tags in log queries, to scope your analysis without building custom pipelines or manually adding context to your application logs. For example, you can quickly filter all logs from production resources owned by a specific team, or filter by cost center during an incident investigation.
Tag enrichment for logs is available in all commercial AWS Regions except Middle East (UAE), Middle East (Bahrain), and Israel (Tel Aviv). To get started, enable resource tags on telemetry in the Amazon CloudWatch Settings, or through the AWS Command Line Interface (AWS CLI), and AWS SDKs to use your existing AWS resource tags to enrich your log events. Tag enrichment is available for no additional cost. Learn more on the Amazon CloudWatch documentation page.
Amazon Connect Customer now lets you protect sensitive information in agent screen recordings by defining rules to redact specific applications or URLs. Agent screen recording helps supervisors identify coaching opportunities, such as non-compliance with business processes by allowing them to record agents' on-screen actions during voice calls, chats, and tasks.
With this feature, you can create rules specifying which URLs or applications should be redacted from recorded content. When any rule condition is met, the system automatically redacts the matching content in the post-contact screen recording.
Rule-based redaction is available in all AWS Regions where Amazon Connect is currently offered and is supported on Windows operating systems. To learn more about, please visit the documentation and webpage. For information about pricing, visit the Amazon Connect pricing page.
Today, Amazon OpenSearch Service introduces a new engine purpose-built for log analytics workloads, delivering up to 4x better price-performance on internal benchmarks. It combines this efficiency with the full-text search capabilities that OpenSearch is known for, so users can still run the ad hoc queries that incident investigation depends on.
As log volumes grow with cloud-native architectures, AI workloads, and expanding compliance needs, teams spend more of their time on aggregations and trend analysis to uncover broader patterns — while incident investigations still call for precise text search. Amazon OpenSearch Service, with new optimized capability for log analytics, delivers both fast analytical queries and full-text search in one seamless service. Amazon OpenSearch Service’s new engine optimized for log analytics delivers up to 70% lower storage with a new columnar storage for aggregation workloads. Retain up to 3x more data at the same cost. The new engine also delivers up to 2x higher ingestion throughput on the same hardware and 2x faster analytical queries.
To get started, create a new domain on OpenSearch 3.5 or above using AWS console, select the observability use case, and set the engine mode to optimized. You can build visualizations and explore data through PPL in OpenSearch UI, or query via SQL using the API, JDBC/ODBC drivers, and Query Workbench. The engine also supports combining full-text search predicates with analytical SQL in the same query. For more information, refer to the documentation.
Amazon OpenSearch Service optimized for log analytics is available across 12 regions globally: US East (N. Virginia, Ohio), US West (Oregon), Canada (Central), Asia Pacific (Mumbai, Singapore, Sydney, Tokyo), and Europe (Frankfurt, Ireland, London, Spain). There are no additional charges for the new engine.
Amazon Relational Database Service (Amazon RDS) for Db2 now allows customers to directly join their RDS for Db2 DB instances to the domains of self-managed Microsoft Active Directory (AD). Self-managed AD can be on-premises, on AWS, or in another cloud. Customers use Kerberos as the authentication protocol to enable single sign-on for their database users.
Previously, to use Kerberos authentication against a self-managed AD with their RDS for Db2 instances, customers were required to deploy AWS Managed Microsoft AD and establish a trust between the AWS managed domain and the self-managed domain. Now, customers can use their existing self-managed AD directly to authenticate and authorize database users without the additional complexity of a managed directory or a directory trust — helping them meet compliance requirements with their existing identity infrastructure. Customers can domain-join their RDS for Db2 instance by either creating a new instance or modifying an existing one, supplying the credentials of a delegated AD service account stored in AWS Secrets Manager and encrypted with AWS KMS. Customers can use self-managed AD free of charge.
Self-managed Active Directory with Amazon RDS for Db2 is now generally available in all AWS Regions where Amazon RDS for Db2 is available, including the AWS GovCloud (US) Regions.
To learn more and get started with self-managed Active Directory, visit the Amazon RDS for Db2 User Guide and the Amazon RDS for Db2 product page.
AWS Certificate Manager now supports the ACME protocol for public TLS certificates, enabling automated issuance and renewal through any ACMEv2-compatible client on any workload. Administrators get centralized governance, IAM-based access controls, and domain scoping, reducing operational risk as certificate lifetimes continue to reduce.
Amazon EC2 C9g and C9gd instances, powered by AWS Graviton5, are now generally available. They deliver up to 25% better compute performance than Graviton4-based instances, 5x larger cache, fastest memory of any processor instances in the cloud, and local NVMe storage options (C9gd).
AWS CloudFormation speeds up infrastructure deployment with Express mode, enabling AI agents and developers to receive deployment confirmation in seconds and iterate faster. Available in all commercial Regions at no additional cost.
本記事は、2026 年 6 月 22 日に公開された Run isolated sandboxes with […]
本ブログは ITbook 株式会社様とAmazon Web Services Japan 合同会社が共同で執筆 […]
AWS Summit が各地で開催されており、多忙な日々を過ごしています。私は New York City S […]
In this post, you'll learn how fine-tuning Amazon Nova models using Amazon SageMaker AI addresses these specific issues by teaching the models to recognize your exact data patterns, distinguish between similar fields, and process information more efficiently—achieving up to 94.77% extraction accuracy while reducing costs 50%.
In this post, we share the technical approach using token-based distillation, lessons learned, and deployment architecture. If you face similar bilingual NER challenges, you can benefit from IBS Software’s experience with the Amazon Bedrock knowledge distillation capabilities.
In this post, we explore how Outpost VFX achieved 8x faster training speeds using AWS infrastructure to transform their face replacement workflow, the technical architecture they implemented to overcome single-GPU limitations, and the measurable results achieved through AWS multi-GPU training.
In this post, you will learn five practical patterns for building resilient generative AI applications on AWS, progressing from native Amazon Bedrock features to multi-model orchestration using an LLM gateway. These patterns address real-world challenges such as quota exhaustion during unexpected traffic surges, maximizing availability through geographic distribution of inference, and helping prevent noisy neighbor problems in multi-tenant environments.
In this post, we show you how to use managed entitlements for Amazon Bedrock to subscribe once from a central account and distribute model access across your organization. This approach removes the need for AWS Marketplace permissions in workload accounts.
This post walks through how AG-UI integrates into the Fullstack AgentCore Solution Template (FAST) to build interactive agent frontends on Amazon Bedrock AgentCore. We then show how CopilotKit extends this with generative UI, shared state, and human-in-the-loop interactions, all deployed on Amazon Bedrock AgentCore.
Today, we’re excited to announce the availability of Anthropic’s most advanced Sonnet model, Claude Sonnet 5, on Amazon Bedrock and Claude Platform on AWS. Claude Sonnet 5 is the first Sonnet model of Anthropic’s latest generation and represents a meaningful step forward. It delivers top-tier intelligence at Sonnet pricing for coding, agents, and everyday professional […]
It’s our goal for AWS to be the most secure place to run any workload, and in support of that we’ve been deeply investing in security across our services since AWS's inception more than two decades ago. Our AI services like Amazon Bedrock are built on this foundation and with the same focus.