AWS Application Migration Service is now authorized for Department of Defense Cloud Computing Security Requirements Guide Impact Levels 4 and 5 (DoD CC SRG IL4 and IL5) in the AWS GovCloud (US-East and US-West) Regions.
This authorization builds on AWS Application Migration Service’s existing FedRAMP High categorization level in the AWS GovCloud (US-East and US-West) Regions as well as numerous compliance programs and standards, including HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry – Data Security Standard), ISO (International Organization for Standardization), SOC 1, 2, and 3 (System and Organization Controls). To learn more about AWS Application Migration Service compliance validation, visit the documentation here.
Application Migration Service minimizes time-intensive, error-prone manual processes by automating the conversion of your source servers to run natively on AWS. It also helps simplify modernization of your migrated applications by allowing you to select preconfigured and custom optimization options during migration.
AWS Lambda now supports IPv6-only and dual-stack PrivateLink interface VPC Endpoints, enabling you to access the Lambda API without traversing the public internet or being constrained by the limited number of IPv4 addresses in your VPC. AWS PrivateLink is a highly available, scalable service that allows you to privately connect your VPC to services and resources as if they were in your VPC.
Previously, Lambda supported inbound private connectivity over PrivateLink using IPv4-only VPC endpoints. With today’s launch, we are expanding Lambda’s inbound private connectivity to include IPv6-only and dual-stack VPC endpoints, enabling you to invoke and manage Lambda functions over IPv6 from dual-stack or IPv6-only VPCs. This launch combines the benefits of private connectivity with the larger address space and simpler network configuration of the IPv6 protocol.
AWS Lambda supports inbound IPv6 connectivity over PrivateLink in all AWS Regions. For more information, see the AWS Region table. Refer to PrivateLink Pricing for the cost of VPC endpoints. You can get started by creating a VPC endpoint for Lambda using the AWS Management Console, AWS CLI, AWS CDK, AWS CloudFormation, or the AWS SDK. Whichever address family you choose, the endpoint's security group and endpoint policy still govern which clients and which Lambda API actions can be reached through it, so review both when you add an IPv6-only or dual-stack endpoint. To learn more, visit the Lambda developer guide.
You can now activate deletion protection for your Amazon Verified Permissions policy stores. While deletion protection is active, the policy store cannot be deleted by any user; a delete request is rejected until deletion protection is explicitly deactivated first. This gives your applications resiliency, because production policy stores cannot be removed accidentally during deployments. Deletion protection is active by default for new policy stores created through the AWS Console. You can activate or deactivate deletion protection for a policy store in the AWS Console, the AWS Command Line Interface, and the API. Note that the setting protects only the policy store resource itself: individual policies, policy templates, and the schema inside the store can still be changed or deleted by anyone with the corresponding IAM permissions, so those operations still need to be restricted through IAM.
Amazon Verified Permissions is a scalable permissions management and fine-grained authorization service for the applications that you build. Using Cedar, an expressive and analyzable open-source policy language, developers and admins can define policy-based access controls using roles and attributes for more granular, context-aware access control. For example, an HR application might call Amazon Verified Permissions to determine if Alice is permitted access to Bob’s performance evaluation, given that she is in the HR Managers group.
Starting today, customers can use Amazon Managed Service for Apache Flink in Asia Pacific (Thailand) Region to build real-time stream processing applications.
Amazon Managed Service for Apache Flink makes it easier to transform and analyze streaming data in real time with Apache Flink. Apache Flink is an open source framework and engine for processing data streams. Amazon Managed Service for Apache Flink reduces the complexity of building and managing Apache Flink applications and integrates with Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Kinesis Data Streams, Amazon OpenSearch Service, Amazon DynamoDB streams, Amazon Simple Storage Service (Amazon S3), custom integrations, and more using built-in connectors.
You can learn more about Amazon Managed Service for Apache Flink here. For Amazon Managed Service for Apache Flink region availability, refer to the AWS Region Table.
Amazon MemoryDB clusters now support the IPv6 protocol, allowing clients to connect to MemoryDB clusters using IPv6. You can now configure your cluster to accept only IPv6 connections or to accept both IPv4 and IPv6 connections. This allows you to work to meet IPv6 compliance requirements and more efficiently integrate with existing IPv6-based applications.
The continued growth of the internet is rapidly depleting available Internet Protocol version 4 (IPv4) addresses. By supporting IPv6, MemoryDB helps customers simplify their network architecture by providing a significantly larger address space and eliminating the need to manage overlapping address spaces in their VPCs. Customers can now standardize their applications on IPv6 and future-proof their infrastructure while maintaining compatibility with existing IPv4 systems through dual-stack support.
To get started, create your new MemoryDB cluster using the Amazon Web Services Management Console, CLI, or SDKs and choose which protocol(s) it supports by setting its network type. IPv6 is supported when using Valkey 7 and above, Redis OSS version 6.2 and above, in all AWS global regions and at no additional cost.
To learn more about MemoryDB, visit the Amazon MemoryDB product page.
Amazon Elastic Container Service (Amazon ECS) is introducing a new account setting, defaultLogDriverMode, which defines whether tasks in your account use "blocking" or "non-blocking" log driver mode by default when a Task Definition does not specify one.
In "non-blocking" mode your application keeps running when the log destination becomes unavailable: log lines are buffered in memory and, once that buffer fills, dropped. This favours availability when logs are not critical to the application. In "blocking" mode, writes to stdout and stderr stall until the driver can deliver them, which is what you want when the application must not proceed unless its logs are recorded, for example for business-critical transactions or where regulation mandates it. You can override the account setting for each application using the "mode" log configuration option in its Task Definition. Before changing the account default, audit which Task Definitions omit the option, because those are the containers whose behaviour will change.
The new defaultLogDriverMode Account Setting is enabled in all AWS Regions. Click here and here for more details on how to set the new account setting.
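The audit suggested above, as an added example that is not part of the AWS announcement: it walks a task definition in the JSON shape returned by `aws ecs describe-task-definition` (containerDefinitions -> logConfiguration -> options -> "mode"), reports each container's effective mode for a given account default, and flags the containers that inherit it. The sample task definition is constructed for the example, and the "max-buffer-size" warning assumes the driver's built-in buffer limit applies when that option is omitted.

```python
"""Audit which containers in an ECS task definition inherit the account-level
defaultLogDriverMode instead of setting a log driver mode explicitly.

Added example for this page, not code from AWS. It assumes the task definition
JSON shape returned by `aws ecs describe-task-definition` and uses a
constructed sample below.
"""
import json

VALID_MODES = {"blocking", "non-blocking"}

# Constructed sample: one container sets each mode explicitly, one relies on the
# account default, and one has no logConfiguration at all.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "payments",
  "containerDefinitions": [
    {"name": "api",
     "logConfiguration": {"logDriver": "awslogs",
       "options": {"awslogs-group": "/ecs/payments", "awslogs-region": "us-east-1",
                   "mode": "blocking"}}},
    {"name": "sidecar",
     "logConfiguration": {"logDriver": "awslogs",
       "options": {"awslogs-group": "/ecs/payments", "awslogs-region": "us-east-1",
                   "mode": "non-blocking"}}},
    {"name": "worker",
     "logConfiguration": {"logDriver": "awslogs",
       "options": {"awslogs-group": "/ecs/payments", "awslogs-region": "us-east-1"}}},
    {"name": "init"}
  ]
}
""")


def effective_log_modes(task_definition, account_default):
    """Return {container name: {"mode", "source", "warnings"}} for every container.

    `account_default` is the value of the defaultLogDriverMode account setting.
    """
    if account_default not in VALID_MODES:
        raise ValueError(f"unknown account default {account_default!r}")
    report = {}
    for container in task_definition.get("containerDefinitions", []):
        name = container["name"]
        log_cfg = container.get("logConfiguration")
        warnings = []
        if not log_cfg:
            # No log driver at all: nothing is buffered or blocked, and nothing is collected.
            report[name] = {"mode": None, "source": "no-logging",
                            "warnings": ["container has no logConfiguration; its "
                                         "stdout/stderr are not collected"]}
            continue
        options = log_cfg.get("options") or {}
        mode = options.get("mode")
        if mode is None:
            # This container changes behaviour when the account setting flips.
            mode, source = account_default, "account-default"
        elif mode in VALID_MODES:
            source = "explicit"
        else:
            source = "explicit"
            warnings.append(f"unrecognised mode {mode!r}")
        if mode == "non-blocking" and "max-buffer-size" not in options:
            # Assumption: without max-buffer-size the driver's built-in limit applies.
            warnings.append("non-blocking without max-buffer-size: the driver's "
                            "built-in buffer limit applies and lines are dropped "
                            "once it fills")
        report[name] = {"mode": mode, "source": source, "warnings": warnings}
    return report


def containers_relying_on_default(task_definition, account_default):
    """Names of containers whose effective mode comes from the account setting."""
    return sorted(name for name, entry in
                  effective_log_modes(task_definition, account_default).items()
                  if entry["source"] == "account-default")


if __name__ == "__main__":
    for default in sorted(VALID_MODES):
        print(f"account default = {default}")
        for name, entry in effective_log_modes(SAMPLE_TASK_DEFINITION, default).items():
            print(f"  {name:8} mode={entry['mode']!s:13} source={entry['source']:16}"
                  f" warnings={entry['warnings']}")
```

Run it against the output of `describe-task-definition` for every active task definition family before flipping the account setting; only the containers listed by `containers_relying_on_default` change behaviour, and the warnings point at non-blocking containers that have no explicit buffer size.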
Amazon Connect Contact Lens dashboards now support granular access control based on agent hierarchy, enforced by contact center administrators. Assigning hierarchies to a user defines the organizational groups that user belongs to, and you can restrict users to viewing metrics only for agents within their own hierarchy or within a specifically assigned hierarchy. For example, you can configure hierarchy groups and levels for a team so that only users assigned to a hierarchy group within that team can see metrics for that team's agents.
Amazon Connect Contact Lens dashboards are available in all commercial AWS regions where Amazon Connect is offered. To learn more about dashboards, see the Amazon Connect Administrator Guide. To learn more about Amazon Connect, the AWS cloud-based contact center, please visit the Amazon Connect website.
Amazon Bedrock Evaluations allows you to evaluate foundation models and retrieval-augmented generation (RAG) systems, whether hosted on Amazon Bedrock or in multicloud and on-premises deployments. Bedrock Evaluations offers human-based evals, programmatic evals such as BERTScore, F1 and other exact-match metrics, as well as LLM-as-a-judge for both model and RAG evaluation. For both model and RAG evaluation with LLM-as-a-judge, customers can select from an extensive list of built-in metrics such as correctness, completeness, faithfulness (hallucination detection), as well as responsible AI metrics such as answer refusal, harmfulness, and stereotyping. But there are times when customers want to define these metrics differently, or create new metrics that are relevant to their needs. For example, customers may define a metric that evaluates an application response's adherence to their specific brand voice, or they may want to classify responses according to a custom categorical rubric.
Now, Amazon Bedrock Evaluations offers customers the ability to create and re-use custom metrics for both model and RAG evaluation powered by LLM-as-a-judge. Customers can write their own judge prompts, define their own categorical or numerical rating scales, and use built-in variables to inject data from their dataset or GenAI responses into the judge prompt during runtime to fully customize the data flow in their evaluations. Customers can be inspired to create new judge prompt templates/rubrics with provided quickstart templates or they can make their own from scratch.
To get started, visit the Amazon Bedrock console or use the Bedrock APIs. For more information, see the user guide.
AWS customers in Europe can now use Advance Pay, which allows them to pay for their AWS usage in advance and automate future invoice payments. With Advance Pay, customers can add funds to their account, which AWS will automatically use to pay invoices as they become due. This feature provides customers in Europe with more flexibility in managing their AWS expenses and simplifies the payment process for ongoing cloud services.
Advance Pay offers several benefits to AWS customers in Europe. It allows for better financial planning and budgeting by enabling upfront payments for anticipated usage. This feature can be particularly useful for organizations that prefer to pay in advance for services or need to manage their cloud spending more proactively. Additionally, the automatic payment of invoices reduces administrative overhead and ensures timely payments, helping customers maintain good standing with AWS.
With the launch, Advance Pay is now available for both AWS Europe and AWS Inc customers.
Getting started with Advance Pay is straightforward. Customers can register for the service from the Payments page in the AWS Billing and Cost Management console. To add funds, users can generate a funding document and submit an advance payment through electronic fund transfer. For more information on managing Advance Pay, including viewing funding history and setting up recurring payments, customers can refer to the “Managing your Advance Pay” section in the AWS Billing and Cost Management user guide. To learn more about Advance Pay or to get started, visit the AWS Billing and Cost Management console.
Amazon OpenSearch Service now supports SAML (Security Assertion Markup Language) via IAM federation for the next-generation OpenSearch UI. OpenSearch UI is a modernized operational analytics experience that lets users gain insights across data spanning managed domains and serverless collections from a single endpoint. OpenSearch UI already supports authentication via AWS Identity and Access Management (IAM) and IAM Identity Center (IDC). With this feature, you can configure SAML identity federation between your identity provider and IAM, so that your end users get a Single Sign-On (SSO) experience: they log in at your identity provider and land directly in OpenSearch UI.
With SAML support, you can define a Default Relay State URL so that your end-users can click on the URL to open the login page from your Identity Provider, complete the SSO, and then land directly on the page you defined in OpenSearch UI. You can also define fine-grained access control (FGAC) by mapping Identity Provider users and roles to IAM roles with different permissions in OpenSearch, so that you can easily manage user permissions as well as to track user activities from the Identity Provider.
The AWS Well-Architected Generative AI Lens is now available, offering a guidance document to optimize generative AI workloads in the cloud. This new lens is a powerful addition to the Well-Architected Framework, designed to guide organizations through the complexities of implementing generative AI workloads. It provides structured, prescriptive guidance covering the entire generative AI lifecycle – from initial impact scoping to model selection, customization, integration, deployment, and continuous iteration.
The lens offers several key benefits, including cloud-agnostic guidance applicable across various environments and AI tools, comprehensive coverage of all six Well-Architected pillars, and flexible application for organizations at any stage of their AI journey. It enables thorough assessment of architectures using large language models (LLMs) and helps business leaders and data scientists navigate critical decisions in generative AI implementation.
By addressing the specific data architecture requirements of generative AI workloads and providing a framework for continuous improvement, this lens promotes robust, secure, and efficient solutions. Whether you're exploring your first generative AI project or scaling existing implementations, the Well-Architected Generative AI Lens offers insights to enhance your cloud-based AI initiatives.
Amazon EventBridge announces support for AWS Key Management Service (AWS KMS) customer managed keys (CMKs) in API destinations connections. This enhancement enables you to encrypt the HTTPS endpoint authentication credentials managed by API destinations with your own keys instead of the AWS owned key used by default. With CMK support you have more granular control over the keys protecting the credentials used by API destinations, helping you meet your organization's security requirements and governance policies.
Customer managed keys are KMS keys that you create and manage yourself, so you can scope who may use them in the key policy and audit every use of the key through AWS CloudTrail. EventBridge API destinations are private and public HTTPS endpoints that you can invoke as the target of an event bus rule or pipe, similar to how you invoke an AWS service or resource as a target. API destinations provide flexible authentication options for HTTPS endpoints, such as API key and OAuth, storing and managing the credentials securely in AWS Secrets Manager on your behalf. When you move a connection to a customer managed key, the key policy must allow the EventBridge service to use that key; if it does not, EventBridge cannot decrypt the credentials and invocations through that connection fail.
CMK support for EventBridge API destinations connections is now available across all AWS Regions where EventBridge API destinations is available. Please refer to the EventBridge user guide and KMS documentation for details.
Welcome to the first Cloud CISO Perspectives for April 2025. Today, Google Cloud Security’s Peter Bailey reviews our top 27 security announcements from Next ‘25.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
–Phil Venables, strategic security advisor, Google Cloud
27 top security announcements at Next ‘25
By Peter Bailey, VP/GM SecOps, Google Cloud Security
We just wrapped our annual Google Cloud Next conference in Las Vegas, where we introduced innovations across AI, app development, infrastructure, data cloud, partners, and more — including security.
From the moment the curtain went up at our opening keynote, we showcased 229 new products, new capabilities, and new enhancements that highlight Google Cloud’s commitment to how our AI-optimized platform can help transform the way that companies work and our skyrocketing customer momentum.
(Be sure to check out the reimagining of the Wizard of Oz at The Sphere, a collaboration between Sphere Entertainment, Google DeepMind, Google Cloud, Hollywood production company Magnopus, and five others.)
For the first time this year, we also hosted CISO Connect at Next, a unique opportunity for security and business leaders to delve into the ever-evolving cybersecurity landscape with experts from Google on the current threat landscape, breach mitigation strategies, and the transformative potential of AI in fortifying your organization’s security posture.
“We are all solving for the same security challenges; CISO Connect offers a safe environment to collaborate and share, unlike any other conference,” said Mike Orosz, CISO, Vertiv.
We also focused heavily on innovations across our security portfolio, designed to deliver stronger security outcomes and enable every organization to make Google a part of their security team. Fresh from Next ‘25, here’s our top 27 security announcements.
Google Unified Security brings together our visibility, threat detection, AI powered security operations, continuous virtual red-teaming, the most trusted enterprise browser, and Mandiant expertise — in one converged security solution running on a planet-scale data fabric.
The alert triage agent in Google Security Operations will perform dynamic investigations on behalf of users. Expected to preview for select customers in Q2 2025, it analyzes the context of each alert, gathers relevant information, and renders a verdict on the alert, along with a history of the agent’s evidence and decision making.
The malware analysis agent in Google Threat Intelligence will investigate whether code is safe or harmful. Expected to preview for select customers in Q2 2025, it builds on Code Insight to analyze potentially malicious code, including the ability to create and execute scripts for deobfuscation.
Google Security Operations
New data pipeline management capabilities, now generally available, can help customers better manage scale, reduce costs, and satisfy compliance mandates.
The new Mandiant Threat Defense service, now generally available, provides comprehensive active threat detection, hunting, and response. Mandiant experts work alongside customer security teams, using AI-assisted threat hunting techniques to identify and respond to threats, conduct investigations, and scale response through security operations SOAR playbooks, effectively extending customer security teams.
Security Command Center
Model Armor is now integrated directly with Vertex AI. As part of our recently-announced AI Protection capabilities that can help manage risk across the AI lifecycle, developers can automatically route prompts and responses for protection without any changes to applications.
New Data Security Posture Management (DSPM) capabilities, coming to preview in June, can enable discovery, security, governance, and monitoring of sensitive data including AI training data. DSPM can help discover and classify sensitive data, apply data security and compliance controls, monitor for violations, and enforce access, flow, retention, and protection directly in Google Cloud data analytics and AI products.
A new Compliance Manager, launching in preview at the end of June, will combine policy definition, control configuration, enforcement, monitoring, and audit into a unified workflow. It builds on the configuration of infrastructure controls delivered using Assured Workloads, providing Google Cloud customers with an end-to-end view of their compliance state, making it easier to monitor, report, and prove compliance to auditors with Audit Manager.
Integration with Snyk’s developer security platform, in preview, to help teams find and fix software vulnerabilities faster.
New Security Risk dashboards for Google Compute Engine and Google Kubernetes Engine. Now generally available, they can deliver insights into top security findings, vulnerabilities, and open issues directly in the product consoles.
An expanded Risk Protection Program, with new program partners Beazley and Chubb, two of the world's largest cyber-insurers. They will provide discounted cyber-insurance coverage based on cloud security posture.
Chrome Enterprise Premium
New employee phishing protections use Google Safe Browsing data to help protect employees against lookalike sites and portals attempting to capture credentials.
Data masking in Chrome Enterprise Premium is now generally available.
We are also extending key enterprise browsing protections to Android, including copy and paste controls, and URL filtering.
Mandiant Cybersecurity Consulting
The Mandiant Retainer provides on-demand access to Mandiant experts. Customers now can redeem prepaid funds for investigations, education, and intelligence to boost their expertise and resilience.
Mandiant Consulting is partnering with Rubrik and Cohesity to create a solution to minimize downtime and recovery costs after a cyberattack. As part of the program, our partners provide affirmative AI insurance coverage, exclusively for Google Cloud customers and workloads. Chubb will also offer coverage for risks resulting from quantum exploits, proactively helping to address the risk of quantum computing attacks.
Sovereign Cloud
We’ve partnered with Thales to launch the S3NS Trusted Cloud, now in preview, designed to meet France’s highest level of cloud certification. As part of our broad portfolio of sovereign cloud solutions, it is the first sovereign cloud offering based on Google Cloud platform that is operated, majority-owned and fully controlled by a European organization.
Identity and Access Management
Unified access policies, coming to preview in Q2, create a single definition for IAM allow and IAM deny policies, enabling you to more consistently apply fine grained access controls.
We’re also expanding our Confidential Computing offerings. Confidential GKE Nodes with AMD SEV-SNP and Intel TDX will be generally available in Q2, requiring no code changes to secure your standard GKE workloads. Confidential GKE Nodes with NVIDIA H100 GPUs on the A3 machine series will be in preview in Q2, offering confidential GPU computing without code modifications.
Single-tenant Cloud Hardware Security Module (HSM), now in preview, provides dedicated, isolated HSM clusters managed by Google Cloud, while granting customers full administrative control.
Network security
Network Security Integration allows enterprises to easily insert third-party network appliances and service deployments to protect Google Cloud workloads without altering routing policies or network architecture. Out-of-band integrations with ecosystem partners are generally available now, while in-band integrations are available in preview.
DNS Armor, powered by Infoblox Threat Defense, coming to preview later this year, uses multi-sourced threat intelligence and powerful AI/ML capabilities to detect DNS-based threats.
Cloud Armor Enterprise now includes hierarchical policies for centralized control and automatic protection of new projects, available in preview.
Cloud NGFW Enterprise supports L7 domain filtering capabilities to monitor and restrict egress web traffic to only approved destinations, coming to preview later this year.
Secure Web Proxy (SWP) now includes inline network data loss protection capabilities through integrations with Google’s Sensitive Data Protection and Symantec DLP using service extensions, available in preview.
To learn more about how your organization can benefit from our announcements at Next ‘25, check out our CISO Insights Hub, and stay tuned for our announcements later this month at the RSA Conference in San Francisco.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
Demystifying AI security: How to use SAIF in the real world: Our new paper, “SAIF in the real world,” takes a deep look at how to apply Google’s Secure AI Framework (SAIF) throughout the AI development lifecycle. Read more.
Shadow AI strikes back: Following our previous spotlight on shadow AI, we look at a new, more insidious form of shadow AI — emerging from within organizations themselves. Read more.
Google announces Sec-Gemini v1, a new experimental cybersecurity model: Sec-Gemini v1 is our new experimental AI model focused on advancing cybersecurity AI frontiers. It can power security operations workflows with state-of-the-art reasoning capabilities and extensive, current cybersecurity knowledge. Read more.
Building sovereign AI solutions with Google Cloud: The world has changed a lot since we started to speak about the options for data residency, operational transparency, and privacy controls in Google Cloud. Organizations are increasingly seeking AI solutions that drive innovation and enforce regional regulations. Here’s how Cloud Run can help. Read more.
Detecting IngressNightmare without the nightmare: To help detect the IngressNightmare vulnerability chain affecting Kubernetes Ingress Nginx Controllers, discovered by Wiz, we’ve developed a novel non-intrusive technique. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
DPRK IT workers expanding in scope and scale: Google Threat Intelligence Group (GTIG) has identified an increase of active North Korean IT insider worker operations in Europe, confirming the threat’s expansion beyond the United States. This growth is coupled with evolving tactics, such as intensified extortion campaigns and the move to conduct operations in corporate virtualized infrastructure. Read more.
Suspected China-nexus threat actor actively exploiting critical Ivanti Connect Secure vulnerability: Ivanti disclosed a critical security vulnerability impacting many Ivanti Connect Secure VPN appliances on April 3. GTIG has linked UNC5221, a suspected China-nexus espionage actor, to some of the exploits of the vulnerability. Read more.
Windows RDP, going from remote to rogue: GTIG observed a novel phishing campaign in October 2024 that targeted European government and military organizations. Unlike typical remote desktop protocol (RDP) attacks focused on interactive sessions, this campaign creatively used resource redirection and malicious remote apps, including an RDP proxy tool, to automate malicious activities. The campaign likely enabled attackers to read victim drives, steal files, capture clipboard data (including passwords), and obtain victim environment variables. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
Decoding cyber-risk and threat actors in Asia-Pacific: From big-picture views to nuanced details only an expert could know, Steve Ledzian, APAC CTO, Mandiant at Google Cloud, shares his insight and knowledge with hosts Anton Chuvakin and Tim Peacock. Listen here.
The state of IAM, from cloud to AI: Henrique Teixeira, senior vice-president of strategy, Saviynt, explores with hosts Anton and Tim how identity and access management has evolved from the beginning of the cloud era through to today’s AI sea change. Listen here.
What not to do when red teaming AI: From uncovering surprises to facing new threats and exposing the same old mistakes, Alex Polyakov, CEO, Adversa AI, discusses how and why his company focuses on red teaming AI systems. Listen here.
Behind the Binary: Inside the mind of a binary ninja: Jordan Wiens, developer of the widely-used Binary Ninja and cofounder of Vector 35, brings his expertise as an avid CTF player to a discussion about the complexities of building a commercial reverse engineering platform. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.
GitLab Duo with Amazon Q is generally available for Self-Managed Ultimate customers, embedding advanced agent capabilities for software development, Java modernization, enhanced quality assurance, and code review optimization directly in GitLab’s enterprise DevSecOps platform. GitLab Duo with Amazon Q delivers a seamless development experience that accelerates the execution of complex, multistep tasks and collaborative workflows in the GitLab platform your developers already know.
Using GitLab Duo with Amazon Q, developers and teams can collaborate with Amazon Q agents to accelerate feature development, maximize code quality and security, detect and resolve vulnerabilities, automate testing coverage, troubleshoot failed pipeline jobs, and upgrade legacy Java code bases. GitLab’s unified data store across the software development lifecycle gives Amazon Q project context to accelerate software development and deployment, simplifying the complex toolchains historically required for collaboration across teams.
Streamline software development: Delegate feature development to the Amazon Q agent from any issue. Detailed summaries, implementation plans, and commit messages keep developers informed on every change. Using feedback in comments, Amazon Q iterates to apply changes on the merge request.
Maximize code quality and security with review and testing agents: Standardize code review best practices with agent-assisted security, quality, and deployment risk scanning on every merge request. Amazon Q can generate new tests to add complete coverage on code changes and apply fixes to merge requests, making QA seamless.
Faster debugging, troubleshooting, and vulnerability resolution: During deployment, platform teams can quickly troubleshoot and resolve failed CI/CD jobs from context-aware web chat using analysis and suggested fixes powered by Amazon Q.
Transform enterprise workloads: Upgrade Java 8 or 11 code bases to Java 17 directly from a GitLab project to improve application security and performance and remove technical debt.
Amazon S3 Tables now support server-side encryption using AWS Key Management Service (SSE-KMS) with customer-managed keys. You can use your own KMS keys to encrypt the tables stored in table buckets to meet regulatory and governance requirements.
By default, S3 Tables encrypts all objects with server-side encryption using S3-managed keys (SSE-S3). With support for customer-managed keys, you can set a default customer-managed key for all new tables in a table bucket, set a dedicated key per table, or combine both approaches. With SSE-KMS, S3 Tables uses S3 Bucket Keys by default to reduce KMS request costs, and AWS CloudTrail records each use of the customer-managed key for auditing. Because S3 Tables also runs automatic maintenance (compaction and snapshot management) on your behalf, the key policy must grant the S3 Tables maintenance service principal permission to use the key; otherwise maintenance cannot read or write encrypted table data. Check the key policy before switching a bucket or table to SSE-KMS.
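The key-policy check mentioned above, as an added example that is not AWS code; it also serves the EventBridge API destinations CMK announcement earlier on this page, since both launches fail the same way when the service principal is missing from the key policy. The key policy below is constructed. The principals and actions are assumptions to verify against the S3 Tables and EventBridge documentation: S3 Tables maintenance is assumed to run as `maintenance.s3tables.amazonaws.com`, EventBridge as `events.amazonaws.com`, and both are assumed to need at least `kms:GenerateDataKey` and `kms:Decrypt`. Encryption-context and source-account conditions are left to the documentation and are not evaluated here.

```python
"""Check that a KMS key policy lets a given AWS service principal use the key.

Added example for this page, not AWS code. The key policy below is constructed.
The service principals and the required actions are assumptions to verify
against the S3 Tables and EventBridge documentation.
"""
import fnmatch
import json

S3_TABLES_MAINTENANCE = "maintenance.s3tables.amazonaws.com"  # assumed principal
EVENTBRIDGE = "events.amazonaws.com"                            # assumed principal
REQUIRED = ("kms:GenerateDataKey", "kms:Decrypt")               # assumed minimum

# Constructed key policy: account admin access plus a statement that only lets
# the S3 Tables maintenance principal decrypt, not generate data keys.
SAMPLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AccountAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "S3TablesMaintenance", "Effect": "Allow",
     "Principal": {"Service": "maintenance.s3tables.amazonaws.com"},
     "Action": ["kms:Decrypt"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, service):
    """True if the statement's Principal names this service (or is the wildcard)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return service in _as_list(principal.get("Service", []))
    return False


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, service, required=REQUIRED):
    """Return the required actions the policy does not grant to `service`.

    Conservative on purpose: statements using NotAction or NotPrincipal are not
    treated as grants, Conditions are not evaluated (a matching statement is
    assumed to apply), and any explicit Deny on an action wins.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt or "NotPrincipal" in stmt:
            continue
        if not _principal_matches(stmt.get("Principal"), service):
            continue
        patterns = _as_list(stmt.get("Action", []))
        for action in required:
            if any(_action_matches(p, action) for p in patterns):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return sorted(a for a in required if a not in allowed or a in denied)


def with_statement(policy, statement):
    """Return a copy of `policy` with `statement` appended (the fix)."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [statement]
    return fixed


# The statement that closes the gap in the constructed policy above.
FIX_STATEMENT = {
    "Sid": "S3TablesMaintenanceGenerateDataKey", "Effect": "Allow",
    "Principal": {"Service": S3_TABLES_MAINTENANCE},
    "Action": ["kms:GenerateDataKey"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
}

if __name__ == "__main__":
    print("S3 Tables maintenance missing:",
          missing_actions(SAMPLE_KEY_POLICY, S3_TABLES_MAINTENANCE))
    print("EventBridge missing:", missing_actions(SAMPLE_KEY_POLICY, EVENTBRIDGE))
    print("after fix:", missing_actions(
        with_statement(SAMPLE_KEY_POLICY, FIX_STATEMENT), S3_TABLES_MAINTENANCE))
```

Feed it the output of `aws kms get-key-policy --policy-name default` for the key you intend to assign; an empty list means a statement exists for each required action, while anything returned is a grant to add (or a Deny to reconcile) before the service starts failing to decrypt.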
Today, we are excited to announce throughput improvements to dynamic run storage for AWS HealthOmics. AWS HealthOmics is a HIPAA-eligible service that helps healthcare and life sciences customers accelerate scientific breakthroughs with fully managed biological data stores and workflows.
Dynamic run storage automatically scales storage capacity based on workflow needs. With this release, dynamic run storage now also scales throughput using Elastic Throughput mode on Amazon Elastic File System. This feature is recommended for runs requiring faster start times, workflows with unpredictable storage requirements, and iterative development cycles, helping research teams reduce time-to-insight for time-sensitive genomic analyses.
Dynamic run storage with elastic throughput is now available in all regions where AWS HealthOmics is available: US East (N. Virginia), US West (Oregon), Europe (Frankfurt, Ireland, London), Asia Pacific (Singapore) and Israel (Tel Aviv). To get started with dynamic run storage, see the documentation.
Amazon CloudWatch agent now supports Security-Enhanced Linux (SELinux) environments through a pre-configured security policy that allows monitoring on systems where security enforcement is required. This feature benefits customers in regulated industries and government sectors who maintain strict security controls across their Linux infrastructure. These security policies, when applied before CloudWatch agent installation, help customers maintain their security posture while collecting essential monitoring data.
This launch enables organizations to deploy the CloudWatch agent in SELinux-enabled environments while maintaining their security posture. It addresses a critical need where enforcing access controls is essential. The pre-configured SELinux configurations allow customers to benefit from AWS monitoring and observability features while helping them adhere to their compliance requirements. This feature helps to simplify the deployment process and reduce the risk of security misconfigurations during agent installation.
To get started with Amazon CloudWatch agent in Security-Enhanced Linux (SELinux) environments, see Installing the CloudWatch agent in the Amazon CloudWatch User Guide.
Customers in AWS Mexico (Central) Region can now use AWS Transfer Family for file transfers over Secure File Transfer Protocol (SFTP), File Transfer Protocol (FTP), FTP over SSL (FTPS) and Applicability Statement 2 (AS2).
AWS Transfer Family provides fully managed file transfers for Amazon Simple Storage Service (Amazon S3) and Amazon Elastic File System (Amazon EFS) over SFTP, FTP, FTPS and AS2 protocols. In addition to file transfers, Transfer Family enables common file processing and event-driven automation for managed file transfer (MFT) workflows, helping customers to modernize and migrate their business-to-business file transfers to AWS.
To learn more about AWS Transfer Family, visit our product page and user guide. See the AWS Region Table for complete regional availability information.
We are excited to announce that Amazon Athena is now available in Mexico (Central) and Asia Pacific (Thailand).
Athena is a serverless, interactive query service that makes it simple to analyze petabytes of data using SQL, without requiring infrastructure setup or management. Athena is built on open-source Trino and Presto query engines, providing powerful and flexible interactive query capabilities, and supports popular data formats such as Apache Parquet and Apache Iceberg.
For more information about the AWS Regions where Athena is available, see the AWS Region table. To learn more, see Amazon Athena.
Amazon CloudFront announces Anycast Static IPs support for apex domains, enabling customers to easily use their root domain (e.g., example.com) with CloudFront. This new feature simplifies DNS management by providing just 3 static IP addresses instead of the previous 21, making it easier to configure and manage apex domains with CloudFront distributions.
Previously, customers had to create CNAME records to point their domains to CloudFront. However, due to DNS rules, root domains (apex domains) cannot point to CNAME records and must use A records or Route53’s ALIAS records. With the new Anycast Static IPs support, customers can now easily configure A records for their apex domains. Organizations can maintain their existing DNS infrastructure while using CloudFront’s global content delivery network to deliver apex domains with low latency and high data transfer speeds. Anycast routing automatically directs traffic to the optimal edge location, ensuring high performance content delivery for end users worldwide.
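The DNS constraint described above (an apex domain cannot carry a CNAME, so it needs A records) is the kind of thing that is easy to get wrong when migrating an existing zone. The following is an added example, not code from the announcement or from AWS: it builds the Route 53 `ChangeBatch` structure for apex A records pointing at a set of static IPs, and checks an existing record set for the apex/CNAME conflict before the change is submitted. The domain, hosted zone ID and IP addresses are constructed placeholders (the IPs are from the 192.0.2.0/24 documentation range), and the exact Anycast addresses assigned to a distribution come from the CloudFront console or API, not from this code. The dict returned by `apex_a_record_change` has the shape accepted by the Route 53 `ChangeResourceRecordSets` API.

```python
import ipaddress

APEX_DOMAIN = "example.com"          # constructed placeholder
HOSTED_ZONE_ID = "Z0000000EXAMPLE"   # constructed placeholder

# Constructed placeholder for the three Anycast static IPs the announcement
# refers to; real values are assigned per distribution by CloudFront.
ANYCAST_IPS = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]


def apex_conflicts(records: list, apex: str) -> list:
    """Return human-readable problems that would stop an apex A record from working.

    `records` is a list of Route 53 style dicts with Name, Type and ResourceRecords.
    DNS forbids a CNAME at a name that also holds other records, and an apex
    always holds SOA/NS records, so an apex CNAME is always a conflict.
    """
    apex_fqdn = apex.rstrip(".") + "."
    problems = []
    for rec in records:
        if rec["Name"].rstrip(".") + "." != apex_fqdn:
            continue
        if rec["Type"] == "CNAME":
            problems.append(f"CNAME found at apex {apex_fqdn}; replace it with A records")
    return problems


def apex_a_record_change(apex: str, ips: list, ttl: int = 300) -> dict:
    """Build a Route 53 ChangeBatch that UPSERTs one A record set holding all IPs.

    Every IP is validated as IPv4; a single record set with multiple values lets
    resolvers round-robin across the Anycast addresses.
    """
    if not ips:
        raise ValueError("at least one IP address is required")
    values = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            raise ValueError(f"{ip} is not an IPv4 address; A records need IPv4")
        values.append({"Value": str(addr)})
    return {
        "Comment": "Point apex at CloudFront Anycast static IPs",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": apex.rstrip(".") + ".",
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": values,
            },
        }],
    }


if __name__ == "__main__":
    # Constructed sample of an existing zone that still has the old (invalid) apex CNAME.
    existing = [
        {"Name": "example.com.", "Type": "NS", "ResourceRecords": [{"Value": "ns1.example.net."}]},
        {"Name": "example.com.", "Type": "CNAME", "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net."}]},
        {"Name": "www.example.com.", "Type": "CNAME", "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net."}]},
    ]
    for problem in apex_conflicts(existing, APEX_DOMAIN):
        print("WARN:", problem)
    batch = apex_a_record_change(APEX_DOMAIN, ANYCAST_IPS)
    print("would submit to hosted zone", HOSTED_ZONE_ID, ":", batch)
    # With boto3 this would be:
    # boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=batch)
```

Keep the www (or other subdomain) CNAME to the distribution as-is; only the apex needs the A records. A low TTL on the new record set shortens the window in which stale answers are served if the addresses ever have to be rotated.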
CloudFront supports Anycast Static IPs from all CloudFront edge locations. This excludes Amazon Web Services China (Beijing) region, operated by Sinnet, and the Amazon Web Services China (Ningxia) region, operated by NWCD. Standard CloudFront pricing applies, with additional charges for Anycast Static IP addresses. To learn more, visit the CloudFront Developer Guide for detailed documentation and implementation guidance.