AWS Certificate Manager (ACM) now allows you to provision a fully managed ACME server endpoint that issues public TLS certificates with a 45 day validity from Amazon Trust Services using any ACMEv2-compatible client, including Certbot, cert-manager for Kubernetes, and acme.sh. With the CA/Browser Forum mandating 47-day certificate lifetimes by 2029, manual management of public certificates becomes untenable. ACME support in ACM gives developers a standards-based path to fully automate certificate issuance and renewal.
PKI administrators can create managed ACME endpoints with centralized governance controls: define domain scopes to restrict which certificates each client can issue, enforce policies on wildcard usage, and delegate certificate requests to application teams without distributing DNS credentials. Domain validation is performed once at the endpoint level, while application owners use standard ACME clients to request certificates. All activity is visible in the ACM console with AWS CloudTrail logging and Amazon CloudWatch metrics for auditability.
ACME support in ACM is available in all commercial AWS Regions. For pricing details, see the ACM pricing page. To get started, visit the AWS News blog post or read the documentation.
Today, AWS announces Service Events for Amazon CloudWatch Application Signals, which automatically captures exception and latency event snapshots, function-level performance data, and deployment events from instrumented services without additional code changes. Customers can now quickly identify whether a deployment has introduced new exceptions by navigating to CloudWatch > Application Signals > [Service] > Errors in the CloudWatch console.
Service Events is available to any application with CloudWatch Application Signals enabled. Customers instrument their applications with the ADOT SDKs or the Amazon CloudWatch Observability EKS add-on. Once Application Signals is active, Service Events begins capturing exception and latency event snapshots and deployment events automatically. Optionally, customers can gain deeper performance visibility by turning on function-call metrics.
Service Events is available in all commercial AWS Regions. Supported languages are Java, Python, and JavaScript.
To get started, see Monitor service events in the Amazon CloudWatch User Guide. Service Events data is captured as logs. Function call metrics are captured as OpenTelemetry metrics. Standard CloudWatch pricing applies. For details, see CloudWatch pricing.
Today, we are announcing that Amazon Elastic VMware Service (EVS) now supports VMware Cloud Foundation (VCF) 9.0 and 9.1.
Amazon EVS lets you run the latest VCF software directly within your Amazon Virtual Private Cloud (VPC) on EC2 bare-metal instances. With this latest announcement, you now have complete control of the installation, operations, and management of the VMware virtualization solution running the VCF 9.0 and recently released VCF 9.1 versions. You can continue to use the same tools, processes, and skills on Amazon EVS that you use in your data center today, managing your VCF environment yourself or with an experienced AWS partner. With this, we’re also launching the Solutions for EVS GitHub repository with examples, templates, and infrastructure as code artifacts to help you get started.
This release is available in all regions where Amazon EVS is offered.
For more details, visit the launch blog, the Amazon EVS product detail page and user guide.
You can now use declarative policies to turn on VPC Encryption Controls in monitor or enforce mode across all VPCs in your environment. This enhancement allows you to centrally define and manage your desired VPC Encryption Controls settings and apply it everywhere. You can exercise these controls for your account, organization or specific organizational unit.
VPC Encryption Controls offers you simple tools to audit and enforce encryption in transit within and across Amazon Virtual Private Clouds (VPCs), and to demonstrate compliance with encryption standards such as HIPAA, FedRAMP, and PCI. Before today, customers would turn on Encryption Controls in monitor or enforce mode and set up exclusions on each VPC separately. Security teams often want to exercise these controls centrally and consistently across their environment. With this launch, you can define and maintain a single declarative policy to enforce your desired encryption controls settings across all existing and future VPCs. This enhancement also gives you central visibility into the Encryption Controls status of all accounts and VPCs in your organization.
Declarative policies for VPC Encryption Controls are available in all AWS regions that support VPC Encryption Controls. There is no additional charge to use declarative policies in AWS Organizations. To learn more about this feature, see our documentation.
Amazon SageMaker Studio now supports direct integration from Hugging Face, letting you go from discovering a model to working with it inside a fully configured Studio environment in a single click. Select any supported model on Hugging Face and choose "Customize on SageMaker AI" or "Deploy on SageMaker AI" to land directly on the corresponding workflow page with the model pre-loaded and ready to use.
Previously, getting from model discovery to a working environment required navigating the AWS Console to find SageMaker AI, configuring an environment, setting up IAM permissions for serverless model customization, and in many cases requesting GPU quota increases through Service Quotas before running a first job. Now, new customers complete a standard AWS sign-up and receive a SageMaker Studio environment created in seconds with pre-configured permissions for serverless model customization jobs including fine-tuning with custom reward functions for reinforcement learning, model evaluation, and deployment to SageMaker or Bedrock endpoints. Verified customers receive default GPU access to G5, G6, and G4dn instances across endpoint deployments, training jobs, and notebooks without requesting quota increases, and quota limit and utilization information is visible for each instance type directly inside the Studio environment. Returning customers signing in from Hugging Face or SageMaker product pages select their environment and land directly inside SageMaker Studio with the model ready to use.
This feature is available in all AWS Commercial Regions where Amazon SageMaker Studio is supported. To get started, visit any supported model on Hugging Face and select "Customize on SageMaker AI" or "Deploy on SageMaker AI," or click Get Started from the SageMaker Studio page. To learn more, see Service quotas for Studio in the Amazon SageMaker documentation.
Amazon Cognito now allows you to increase or decrease your provisioned API rate limits on demand. Cognito has default rate limits for the maximum number of operations per second that you can perform in your user pools in each AWS Region, and you can purchase additional limits on adjustable API categories. With the new on-demand model, you can adjust your rate limits up or down more quickly to match your application’s traffic patterns.
Previously, to adjust your Cognito API rate limits, you would request an increase through Service Quotas, where requests are manually reviewed. This meant you had to plan rate limits in advance ahead of anticipated traffic spikes. Now, you have a new self-service experience to set your desired Cognito rate limit up to the account-level max limit using the Amazon Cognito console or the new limit provisioning API operations. Rate limit changes take effect immediately.
Self-service provisioned limits are available for adjustable API categories in all AWS Regions where Amazon Cognito is available. For pricing details of this add-on feature, see Amazon Cognito pricing page. To get started, see developer guide.
Amazon SageMaker HyperPod now supports Disaggregated Prefill and Decode (DPD), an inference optimization that separates the two phases of large language model (LLM) inference — prefill and decode — onto dedicated GPU pools and transfers the key-value (KV) cache between them over Elastic Fabric Adapter (EFA) using GPU-Direct RDMA. Customers running LLMs in production for chat assistants, agentic pipelines, retrieval-augmented generation, and long-document analysis need consistent per-token latency and predictable throughput under mixed traffic, but when prefill and decode share the same GPU, a single long-context request can stall token generation for every concurrent request and force customers to over-provision one phase to protect the other.
With DPD, customers run compute-bound prefill on one set of GPUs and memory-bandwidth-bound decode on another, so the two phases no longer contend for the same resources. This delivers more consistent per-token latency under sustained concurrency, higher goodput at strict latency SLOs, and the ability to scale prefill and decode capacity independently to match the input and output distribution of the workload. An intelligent router automatically directs long-context requests through the disaggregated path and sends shorter prompts directly to the decoder, so customers get the benefit on the traffic that needs it without paying transfer overhead on short prompts. Customers enable DPD by adding a `pdSpec` section to the same `InferenceEndpointConfig` custom resource they already use for inference endpoints on the HyperPod Inference Operator, and DPD is composable with the existing KV cache offloading and intelligent routing features on HyperPod.
DPD is available for SageMaker HyperPod clusters using the EKS orchestrator on EFA-capable instance types in all AWS Regions where Amazon SageMaker HyperPod is available. To learn more, see Disaggregated Prefill and Decode for HyperPod inference in the Amazon SageMaker AI Developer Guide.
Today, AWS Security Hub adds impact analysis to exposure findings, helping security teams understand the full scope of what an attacker could reach if an exposure is exploited. Impact analysis extends exposure findings by mapping the downstream resources that could be compromised beyond the initially exposed resource, giving teams deeper visibility into organizational risk.
Security Hub analyzes the effective permissions of IAM principals associated with exposed resources to identify privilege escalation paths to other resources in your account. The resulting scope of impact is displayed in the potential attack path graph, and a new Impact Assessment tab shows the prioritized chains of resources an attacker could traverse along with the specific permissions at each step. Security Hub factors the scope of impact into its severity scoring for exposure findings, and adjusts existing exposures as their scope of impact is identified or changes, so that exposures with greater downstream reach are prioritized appropriately.
To learn more, see Understanding exposure findings in the AWS Security Hub User Guide and the AWS Security Hub product page. For the full list of AWS Regions where Security Hub is available, see the AWS Regional Services List.
Amazon SageMaker Unified Studio now supports connecting existing Amazon Managed Workflows for Apache Airflow (MWAA) environments to projects. Data engineers and platform teams who already operate MWAA environments can now manage their Airflow workflows from the same interface they use for analytics and machine learning, without recreating configurations or migrating DAGs.
To connect an existing environment, open the Workflows tool in your Studio project and select "Add connection" in the connection selector. Provide the Airflow configuration options that reference your domain and project. Once connected, project members can sync, trigger, and monitor workflows directly from Amazon SageMaker Unified Studio. Environments running Apache Airflow 3 or later also get access to the visual authoring experience for creating new workflows using the drag-and-drop editor.
This feature is available in all AWS Regions where Amazon SageMaker Unified Studio is available. To get started, see Workflow environments in Amazon SageMaker Unified Studio in the Amazon SageMaker Unified Studio User Guide.
You can now connect and manage Azure Virtual Machines in AWS Systems Manager without manual agent installation or per-instance tier fees. Create a Cloud Connector and automatically deploy the SSM Agent to your Azure VMs at scale. Once connected, Azure VMs appear alongside EC2 instances in a unified view, and you can connect to them using Session Manager, run Automation runbooks, Run Command, State Manager, Patch Manager, and Inventory across both AWS and Azure from a single workflow.
This release also eliminates the Advanced Instances Tier entirely. This means that you can now connect any number of hybrid and multicloud nodes to Systems Manager with no upfront per-node fees. Beginning September 30, 2026, pay-as-you-go pricing takes effect for Session Manager sessions and Run Command invocations on non-EC2 nodes. This pricing model removes cost barriers for organizations managing multicloud environments at scale.
AWS Systems Manager multicloud management is available starting today. To learn more and get started, visit AWS Systems Manager.
Amazon Elastic Kubernetes Service (Amazon EKS) Auto Mode now offers significantly reduced management fees for GPU and accelerated instance types. Beginning July 1, 2026, G-series Auto Mode management fees are reduced by 35%, and P-series and AWS Trainium fees are reduced by 60%. These reductions apply automatically to all EKS Auto Mode clusters and no action is required from customers already using GPU instances with Auto Mode.
EKS Auto Mode simplifies Kubernetes operations by automatically provisioning and managing infrastructure for machine learning inference, fine-tuning, rendering, and batch processing workloads. It includes capabilities built for accelerated workloads: automatic parallel image pulling and unpacking on GPU instances with local NVMe storage, so large container and model images start faster, and accelerator-aware node repair that detects GPU hardware failures and automatically replaces unhealthy nodes. With today's price reduction, customers can run GPU workloads on Auto Mode at lower management fees, making its fully managed infrastructure more cost-effective.
This pricing update is available in all AWS Regions where EKS Auto Mode is available. Amazon ECS is implementing identical management fee reductions for GPU instances on ECS Managed Instances. See the ECS What's New post for details.
To get started with GPU workloads on EKS Auto Mode, see the EKS for AI/ML documentation. For the complete updated rate table, see Amazon EKS pricing.
The Amazon S3 Express One Zone storage class is now available in the AWS Europe (Frankfurt) Region.
Amazon S3 Express One Zone is a high-performance, single-Availability Zone storage class purpose-built to deliver consistent single-digit millisecond data access for your most frequently accessed data and latency-sensitive applications. S3 Express One Zone delivers data access speed up to 10x faster and request costs up to 80% lower than S3 Standard. It enables workloads such as machine learning training, interactive analytics, and key-value caching in AI search engines to achieve fast data access with high durability and availability.
With this expansion, S3 Express One Zone is now available in 8 AWS Regions. For pricing details, visit the S3 pricing page. To learn more, visit the product page and documentation.
A couple of editions ago I wrote about what I find so energizing about working with startups. Last week I got a fresh dose of it: I spent a few days with the AWS Startups team, listening to stories of founders talking about the problems they’re actually solving. One story that stayed with me came […]
本記事では、Tableau と Amazon Redshift Serverless の統合を最適化するための戦略を紹介します。データモデルアーキテクチャ、セキュリティ構成、パフォーマンス最適化、コスト管理、クエリ最適化の 5 つの領域について、RPU を最大限に活用しながらサブ秒レベルのインサイトを提供するためのベストプラクティスを解説します。
Amazon Redshift の新しいクエリ起動最適化により、BI ダッシュボードやリアルタイム分析アプリケーションのレスポンスタイムが向上しました。コンパイルの負荷を軽減する「コンポジション」技術により、初回クエリの P50 コンパイル時間が 4.3 秒から 170 ミリ秒に短縮され、追加費用なしですべてのユーザーにデフォルトで有効化されています。
Amazon Redshift のリモートテーブル DDL の改善、マテリアライズドビューの機能強化、zero-ETL および auto-copy 向けのコンカレンシースケーリング拡張により、大規模なアナリティクスワークロードを効率的にオンボードできるようになりました。金融サービスやゲーム業界の実例を交えて、マルチウェアハウスアーキテクチャの活用方法を紹介します。
Amazon Redshift のパフォーマンスチューニングを自動化する AI ソリューションの構築方法を解説します。AWS Lambda でテレメトリを収集し、シグナルベースのプロンプト設計で Amazon Bedrock から具体的な推奨事項を生成してメール通知します。
Amazon Redshift は、Graviton プロセッサを搭載した新インスタンス RG の一般提供を開始しました。RG は RA3 と比較して最大 2.2 倍高速なパフォーマンスを 30% 低いコストで実現し、統合ベクトル化データレイクエンジンにより Iceberg クエリで最大 2.4 倍高速化します。本記事では RG の技術的特長とベンチマーク結果を紹介します。
国会答弁の想定問答作成業務は、正確性や首尾一貫性などが厳しく求められる重要度の高い業務です。それゆえに職員の負担も大きく、公務員の働き方改革や生成 AI 技術の急速な発展も相まって、AI を活用した高度化・効率化への期待が高まっていました。AWS は中央省庁のシステム担当部局とともに、人間の判断を中心に据えながら、過去資料の検索、ドラフト生成、審査等を AI で支援するアプリケーション「DietSearch」を、AWSのプロトタイピングプログラムでの共創を通じて構築しました。「まず動かして確かめる」というアプローチが、本格導入への道筋をどう後押ししたのかをご紹介します。
エムシーディースリー株式会社様とAI-DLC Unicorn Gym を実施し、Kiroを使った3日間のプロダクト開発に挑戦しました。AI-DLCで要件定義からアーキテクチャ設計、実装、テスト、デプロイまでの開発ライフサイクル全体でAIを活用し、従来数か月かかっていた開発を3日間で実現可能なレベルまで圧縮できることを実証しました。
If you’re building multi-agent AI systems, you need to prevent authorization scope from silently expanding as agents delegate tasks through multi-hop chains. Without proper controls, an agent can potentially act beyond what the originating user authorized, even when role-based access control (RBAC) policies are in place. The OWASP Top 10 for Agentic Applications classifies this […]
Bulletin ID: 2026-052-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/06/2026 13:45 PM PDT
Description:
Amazon mcp-gateway-registry is an open-source gateway and registry for Model Context Protocol (MCP) servers, providing centralized discovery, authentication/authorization, and proxying of MCP tools for AI agents. We identified CVE-2026-14471, an issue in the metrics-service retention policy management component where a caller-supplied table_name value is interpolated into SQL statements in identifier position without proper neutralization. An authenticated remote user is able to supply a crafted table_name value to execute arbitrary SQL queries against the metrics database. This allows the user to read stored data (including API key material) and to delete or alter stored data.
Impacted versions: >=1.0.3 AND <=1.0.12
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
In this post, you learn how to use the new MLflow integration with Amazon SageMaker AI optimized inference recommendation jobs and Amazon SageMaker AI benchmark jobs to automatically stream experiment data into a unified tracking interface. This integration streams metrics, parameters, and charts into your serverless Amazon SageMaker MLflow App in real time and you get a unified experiment tracking experience.
In this post, we present a multi-step pipeline directed by Amazon Nova, which uses its contextual vision reasoning to coordinate complementary tools, including Meta’s open-source Segment Anything Model (SAM 3) deployed on Amazon SageMaker AI for pixel-level segmentation, and Amazon Textract for optical character recognition (OCR). This pipeline is designed to provide comprehensive and compliant PII redaction even for challenging edge cases such as fingerprints, ID cards, or license plates in arbitrary orientations.
In this post, you deploy a two-phase infrastructure for multi-turn RL using Amazon Nova Forge on Amazon SageMaker HyperPod. By the end, you have an event-driven pipeline that starts training when you upload data to Amazon Simple Storage Service (Amazon S3). The training job teaches the model to play Wordle, a placeholder for your own RL task.
In this post, we walk through how to get started with MiniMax models on Amazon Bedrock, including the capabilities supported by these models, the service tiers available, how on-demand inference scales to handle your workloads, and the different APIs you can use to access them. Using these models, customers can build agentic applications, long-context document analysis pipelines, and software engineering workflows, all backed by the security and operational guarantees of AWS.
In this post, we introduce Reverse Direct Preference Optimization (rDPO), the novel unlearning technique behind Amazon Nova Customizable Content Moderation Settings (CCMS), and show how it reduces over-deflection while preserving model quality. We also provide pointers for customers who want to apply these preference optimization techniques to their own experiments.
Today, we’re excited to announce a deep-link integration between Hugging Face and Amazon SageMaker AI. Developers can now go from model discovery to hands-on experimentation in SageMaker Studio with a single selection.
The primary storage solutions for EC2 Windows instances, Amazon EC2 Instance Store and Amazon Elastic Block Store (Amazon EBS) , now provide detailed performance statistics for real-time monitoring. Real-time monitoring enables you to gain visibility into key performance metrics, such as latency, throughput, and IOPS, allowing you to detect and address potential bottlenecks or issues […]