<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Security | The AWS Blog</title><link>https://theawsblog.com/tags/security/</link><description>Articles, tutorials and insights from the AWS community.</description><generator>Hugo</generator><language>en</language><managingEditor>@theawsblog (The AWS Blog)</managingEditor><webMaster>@theawsblog</webMaster><lastBuildDate>Tue, 30 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://theawsblog.com/tags/security/index.xml" rel="self" type="application/rss+xml"/><item><title>ACM ACME support turns certificate automation into a governance problem</title><link>https://theawsblog.com/news/emiliano-montesdeoca/acm-acme-certificate-automation/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/acm-acme-certificate-automation/</guid><description>AWS Certificate Manager now supports ACME for public certificates, giving teams a standard automation path while keeping domain control, audit, and policy centralized.</description><content:encoded>&lt;p&gt;Certificate automation is becoming less optional. Validity periods are getting shorter, and manual renewal processes are exactly the kind of quiet operational risk that eventually becomes an outage.&lt;/p&gt;
&lt;p&gt;AWS has now added &lt;a href="https://aws.amazon.com/blogs/aws/automate-public-tls-certificate-issuance-with-acme-support-in-aws-certificate-manager/"&gt;ACME support for public certificates in AWS Certificate Manager&lt;/a&gt;. The headline is compatibility with ACMEv2 clients such as Certbot, cert-manager, and acme.sh. The bigger builder impact is that certificate issuance can become standardized without moving governance outside AWS.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;ACM now provides a managed ACME server endpoint for public certificates issued by Amazon Trust Services. Teams can point existing ACME clients at ACM, request certificates through the protocol they already know, and still have ACM visibility, CloudTrail logging, CloudWatch metrics, and certificate expiry notifications.&lt;/p&gt;
&lt;p&gt;The source article also highlights two controls that matter in real organizations:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;domain scopes at the endpoint level,&lt;/li&gt;
&lt;li&gt;External Account Binding credentials for client registration.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That means a central PKI or platform team can validate domains once, restrict what clients can request, and avoid distributing DNS credentials to every application team.&lt;/p&gt;
&lt;h2 id="why-this-matters"&gt;Why this matters&lt;/h2&gt;
&lt;p&gt;Most certificate incidents are not caused by cryptography being hard. They are caused by ownership being unclear.&lt;/p&gt;
&lt;p&gt;One team owns DNS. Another owns the ingress controller. Another owns the application. Someone installed a certificate manually two years ago. Nobody remembers the renewal path until browsers start showing errors.&lt;/p&gt;
&lt;p&gt;ACME support in ACM gives builders a cleaner operating model:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Kubernetes teams can keep using cert-manager.&lt;/li&gt;
&lt;li&gt;VM and container teams can keep using common ACME clients.&lt;/li&gt;
&lt;li&gt;Platform teams can centralize issuance policy and audit.&lt;/li&gt;
&lt;li&gt;Security teams can see certificates in ACM instead of chasing external CA dashboards.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That is a good trade: keep the open protocol at the edge, centralize governance at the account or organization boundary.&lt;/p&gt;
&lt;h2 id="the-architecture-trade-offs"&gt;The architecture trade-offs&lt;/h2&gt;
&lt;p&gt;This does not remove the need for certificate lifecycle design.&lt;/p&gt;
&lt;p&gt;First, decide who owns ACME endpoints. If every workload account creates its own endpoint with broad wildcard permissions, you have recreated the sprawl problem. A better pattern is to define endpoints per domain boundary, environment, or platform domain, then scope allowed names carefully.&lt;/p&gt;
&lt;p&gt;Second, treat External Account Binding credentials like bootstrap secrets. They should be short-lived where possible, stored securely, and rotated when registration flows change.&lt;/p&gt;
&lt;p&gt;Third, think about wildcard issuance. Wildcards are convenient, but they expand blast radius. Many production environments should prefer exact domains and subdomains unless there is a strong operational reason.&lt;/p&gt;
&lt;p&gt;Finally, price and volume behavior matter. Moving high-churn ACME issuance into ACM should be costed, especially for systems that create many short-lived certificates across tenants.&lt;/p&gt;
&lt;h2 id="what-builders-should-do-next"&gt;What builders should do next&lt;/h2&gt;
&lt;p&gt;If I were running a platform team, I would start with an inventory:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which public certificates are already in ACM?&lt;/li&gt;
&lt;li&gt;Which are issued by external ACME providers?&lt;/li&gt;
&lt;li&gt;Which workloads use cert-manager or custom renewal scripts?&lt;/li&gt;
&lt;li&gt;Which teams still depend on manual DNS validation?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Then I would pilot ACM ACME with one non-critical domain and one existing ACME client. The goal is not only to issue a certificate. The goal is to prove the operating model: endpoint ownership, scope policy, audit trail, renewal alarms, and incident response.&lt;/p&gt;
&lt;p&gt;The useful part of this launch is not that Certbot can talk to AWS. It is that certificate automation can finally be treated as platform governance instead of a collection of one-off scripts.&lt;/p&gt;</content:encoded></item><item><title>Faster S3 access log queries make storage security more usable</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-access-logs-cloudwatch-s3-tables/</link><pubDate>Mon, 29 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-access-logs-cloudwatch-s3-tables/</guid><description>AWS shows how CloudWatch and S3 Tables can make S3 access logs easier to query, which helps builders turn storage audit data into operational and security signals.</description><content:encoded>&lt;p&gt;S3 access logs are valuable, but value delayed often becomes value ignored. If logs are difficult to query, teams use them only after something has already gone wrong.&lt;/p&gt;
&lt;p&gt;The AWS Storage Blog post on &lt;a href="https://aws.amazon.com/blogs/storage/query-amazon-s3-access-logs-instantly-with-cloudwatch-and-s3-tables/"&gt;querying Amazon S3 access logs instantly with CloudWatch and S3 Tables&lt;/a&gt; is interesting because it focuses on making access data easier to use in everyday operations.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The article walks through delivering S3 access log data to CloudWatch Logs and S3 Tables, then using those destinations for dashboards, alarms, and queries. The practical shift is from &amp;ldquo;logs exist somewhere&amp;rdquo; to &amp;ldquo;logs are queryable enough to support investigation and monitoring.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;For builders, that means S3 access patterns can become part of normal observability instead of a separate forensic workflow.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;S3 is often where the most important data lives. Application logs, analytics exports, customer files, model artifacts, backups, and operational reports all end up in buckets. Yet many teams still monitor bucket configuration more carefully than bucket access behavior.&lt;/p&gt;
&lt;p&gt;Queryable access logs help answer questions that matter:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which principals are reading sensitive prefixes?&lt;/li&gt;
&lt;li&gt;Did access spike after a deployment?&lt;/li&gt;
&lt;li&gt;Are clients getting unexpected 403 or 404 responses?&lt;/li&gt;
&lt;li&gt;Which workloads are driving request cost?&lt;/li&gt;
&lt;li&gt;Did a suspicious IP enumerate objects?&lt;/li&gt;
&lt;li&gt;Are lifecycle or replication assumptions visible in traffic?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When these questions are cheap to answer, teams ask them earlier.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;More logging is not free. S3 access log delivery, CloudWatch ingestion, query volume, table storage, retention, and dashboards all have cost implications. The right design depends on the bucket&amp;rsquo;s risk and traffic profile.&lt;/p&gt;
&lt;p&gt;I would not send every low-value development bucket into a high-retention analytics pipeline. I would prioritize buckets that contain customer data, security logs, production artifacts, financial exports, backups, or AI training and retrieval data.&lt;/p&gt;
&lt;p&gt;Also, access logs are only one layer. They should complement CloudTrail data events, IAM Access Analyzer, Macie, GuardDuty, S3 Storage Lens, and application-level audit logs. Different signals answer different questions.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Pick a production bucket that matters and define three operational queries before building anything. For example:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;top readers by prefix over the last hour,&lt;/li&gt;
&lt;li&gt;denied requests by principal and source IP,&lt;/li&gt;
&lt;li&gt;unusual data transfer volume compared with baseline.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Then build the logging path and dashboard around those questions. Add alarms only where the signal is actionable; noisy storage alarms quickly become invisible.&lt;/p&gt;
&lt;p&gt;The main takeaway is that storage observability should be designed for regular use, not just incident response. Faster S3 access log queries make that much more realistic.&lt;/p&gt;</content:encoded></item><item><title>Secure ML environments need productivity and exfiltration controls together</title><link>https://theawsblog.com/news/emiliano-montesdeoca/sagemaker-ai-data-exfiltration-controls/</link><pubDate>Mon, 29 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/sagemaker-ai-data-exfiltration-controls/</guid><description>An AWS architecture using SageMaker AI, VPC endpoints, DNS controls, and WorkSpaces Secure Browser shows how ML teams can protect sensitive data without returning to expensive air-gapped workflows.</description><content:encoded>&lt;p&gt;Machine learning teams need access to sensitive data, but the old answer of isolated desktops and manual monitoring does not scale well. It is expensive, slow, and frustrating for the people trying to build models.&lt;/p&gt;
&lt;p&gt;The AWS Architecture Blog post on &lt;a href="https://aws.amazon.com/blogs/architecture/preventing-data-exfiltration-in-machine-learning-environments-with-amazon-sagemaker-ai/"&gt;preventing data exfiltration in machine learning environments with Amazon SageMaker AI&lt;/a&gt; is useful because it balances two goals that are often treated as opposites: data scientist productivity and strict exfiltration control.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The source article describes a three-layer architecture using Amazon WorkSpaces Secure Browser, SageMaker AI, VPC endpoints, DNS controls, endpoint policies, and account restrictions.&lt;/p&gt;
&lt;p&gt;The pattern is straightforward:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;data scientists access the environment through a controlled browser,&lt;/li&gt;
&lt;li&gt;browser capabilities such as upload, download, clipboard, and printing are restricted,&lt;/li&gt;
&lt;li&gt;access is limited to approved AWS and SageMaker domains,&lt;/li&gt;
&lt;li&gt;SageMaker runs without direct internet egress,&lt;/li&gt;
&lt;li&gt;VPC endpoint policies restrict access to organization-owned resources,&lt;/li&gt;
&lt;li&gt;DNS Firewall and private endpoints reduce bypass paths.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is not a single magic control. It is layered friction against data leaving through the browser, the network, AWS APIs, or cross-account paths.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;ML environments are uniquely risky because they combine sensitive data, powerful compute, notebooks, terminals, package installation, model artifacts, and curious users. Blocking everything makes teams ineffective. Allowing everything creates obvious exfiltration paths.&lt;/p&gt;
&lt;p&gt;A layered architecture gives teams a middle path. Data scientists can use managed ML tooling while the platform enforces where data can flow.&lt;/p&gt;
&lt;p&gt;This is especially relevant for fintech, healthcare, insurance, public sector, and any organization fine-tuning or evaluating models on sensitive datasets.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Every restriction has a productivity cost.&lt;/p&gt;
&lt;p&gt;No internet access means dependency management must be planned. Package mirrors, approved repositories, model artifact flows, and update processes become platform responsibilities. URL allowlists must be maintained. Endpoint policies must be tested. Break-glass workflows must exist for legitimate exceptions.&lt;/p&gt;
&lt;p&gt;There is also a risk of building controls that look strong but are not complete. If S3 endpoint policies block external buckets but another service path remains open, data can still move. If DNS Firewall covers only part of the environment, bypasses may remain.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Start by mapping data egress paths, not by choosing tools. For an ML workspace, list how data could leave:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;browser download,&lt;/li&gt;
&lt;li&gt;clipboard or print,&lt;/li&gt;
&lt;li&gt;external website upload,&lt;/li&gt;
&lt;li&gt;S3 copy to another account,&lt;/li&gt;
&lt;li&gt;package manager or shell command,&lt;/li&gt;
&lt;li&gt;notebook output,&lt;/li&gt;
&lt;li&gt;model artifact export,&lt;/li&gt;
&lt;li&gt;DNS or HTTPS tunnel.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Then put controls around each path and test them with realistic user workflows. Involve data scientists early; controls that break normal work will be bypassed or abandoned.&lt;/p&gt;
&lt;p&gt;The practical takeaway: secure ML platforms should not be air-gapped by default or open by convenience. They should make the safe path productive and the unsafe path difficult.&lt;/p&gt;</content:encoded></item><item><title>Restricting AWS Console access by network is a useful perimeter, not a complete identity strategy</title><link>https://theawsblog.com/news/emiliano-montesdeoca/console-access-network-perimeters/</link><pubDate>Wed, 24 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/console-access-network-perimeters/</guid><description>AWS sign-in resource-based policies and resource control policies can restrict Management Console access to expected networks, adding a practical layer to data perimeter designs.</description><content:encoded>&lt;p&gt;Identity controls usually answer who can sign in. Network-aware console controls help answer where that sign-in is allowed to happen.&lt;/p&gt;
&lt;p&gt;The AWS Security Blog post on &lt;a href="https://aws.amazon.com/blogs/security/restrict-aws-management-console-access-to-expected-networks-with-sign-in-resource-based-policies-and-rcps/"&gt;restricting AWS Management Console access to expected networks with sign-in resource-based policies and RCPs&lt;/a&gt; is important for organizations building data perimeters. It gives security teams another way to reduce the usefulness of stolen credentials.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;AWS now supports patterns where Management Console sign-in can be restricted based on expected networks using sign-in resource-based policies and AWS Organizations resource control policies. The source article walks through a financial services scenario, CloudTrail verification, Console Private Access integration, and data perimeter alignment.&lt;/p&gt;
&lt;p&gt;The builder impact is straightforward: console access can be constrained closer to the network boundary, not only by identity and MFA.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;A compromised credential should not work equally well from anywhere on the internet. Network restrictions are not perfect, but they raise the bar and reduce the blast radius of many common incidents.&lt;/p&gt;
&lt;p&gt;This is especially relevant for:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;regulated environments,&lt;/li&gt;
&lt;li&gt;privileged administration accounts,&lt;/li&gt;
&lt;li&gt;break-glass access patterns,&lt;/li&gt;
&lt;li&gt;organizations using centralized corporate egress,&lt;/li&gt;
&lt;li&gt;teams implementing broader AWS data perimeter controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When combined with IAM Identity Center, MFA, least privilege, CloudTrail, and anomaly detection, expected-network policies add another useful checkpoint.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Network conditions change. Employees travel, VPNs fail, disaster recovery procedures happen, and incident responders may need access from unusual locations. If console network restrictions are too rigid, they can become an availability risk during exactly the moment when access matters most.&lt;/p&gt;
&lt;p&gt;I would treat this as a tiered control:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;strict policies for highly privileged production administration,&lt;/li&gt;
&lt;li&gt;documented exceptions for break-glass roles,&lt;/li&gt;
&lt;li&gt;tested access paths for incident response,&lt;/li&gt;
&lt;li&gt;monitoring for denied attempts,&lt;/li&gt;
&lt;li&gt;clear ownership of allowed network ranges.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also, do not confuse console restrictions with API restrictions. Many automation paths use AWS APIs, not the web console. A complete perimeter strategy must cover both human console access and programmatic access patterns.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Start with privileged accounts and roles, not every user at once. Define the expected networks, verify them with CloudTrail, and test both allowed and denied sign-in paths.&lt;/p&gt;
&lt;p&gt;Then rehearse failure cases:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;corporate VPN unavailable,&lt;/li&gt;
&lt;li&gt;emergency access required,&lt;/li&gt;
&lt;li&gt;identity provider outage,&lt;/li&gt;
&lt;li&gt;support engineer working from a different location,&lt;/li&gt;
&lt;li&gt;network range changed but policy not updated.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The practical takeaway is that network-aware console access is a strong additional guardrail. It should complement identity, not replace it. Used carefully, it makes stolen credentials less useful without making legitimate operations fragile.&lt;/p&gt;</content:encoded></item><item><title>EKS control plane egress through your VPC closes a real private-cluster gap</title><link>https://theawsblog.com/news/emiliano-montesdeoca/eks-control-plane-egress-vpc/</link><pubDate>Mon, 22 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/eks-control-plane-egress-vpc/</guid><description>Amazon EKS customer-routed control plane egress lets Kubernetes API server traffic use customer VPC routing, security controls, and private endpoints for webhooks and OIDC dependencies.</description><content:encoded>&lt;p&gt;Private EKS clusters have always had two sides: how clients and nodes reach the API server, and how the API server reaches things on behalf of Kubernetes. The first side was easier to reason about. The second side had awkward edges.&lt;/p&gt;
&lt;p&gt;AWS has announced &lt;a href="https://aws.amazon.com/blogs/containers/amazon-eks-now-supports-control-plane-egress-through-your-vpc/"&gt;customer-routed control plane egress for Amazon EKS&lt;/a&gt;, which routes customer-controllable Kubernetes API server outbound traffic through your VPC. That includes admission webhook callbacks, OIDC discovery, and aggregate API server requests.&lt;/p&gt;
&lt;p&gt;This is a practical feature for teams that need private webhooks, private identity providers, and auditable network paths.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;With the new &lt;code&gt;controlPlaneEgressMode&lt;/code&gt; set to &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt;, the Kubernetes API server uses an elastic network interface in your VPC for specific outbound flows. Those flows can then follow your routing, security groups, VPC endpoints, DNS, Network Firewall, PrivateLink, Direct Connect, and logging patterns.&lt;/p&gt;
&lt;p&gt;EKS-managed service traffic still uses the EKS-managed path. The feature is scoped to customer-controllable API server egress, not every packet from the control plane.&lt;/p&gt;
&lt;p&gt;One important detail: after a cluster uses &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt;, the setting is immutable for the life of the cluster. That makes planning more important than experimentation on a random production cluster.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;Admission webhooks are often part of the security boundary. They validate images, enforce labels, inject sidecars, block risky configurations, and integrate with policy engines. If the API server can only call a public endpoint, teams end up exposing services that they would rather keep private.&lt;/p&gt;
&lt;p&gt;The same issue appears with external OIDC identity providers. If the control plane must fetch discovery documents and JWKS over an internet-reachable path, the cluster is not as private as the architecture diagram suggests.&lt;/p&gt;
&lt;p&gt;Customer-routed egress makes a cleaner design possible:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;webhook services can live behind internal load balancers,&lt;/li&gt;
&lt;li&gt;private DNS can resolve API server dependencies,&lt;/li&gt;
&lt;li&gt;VPC Flow Logs can show the path,&lt;/li&gt;
&lt;li&gt;SCPs can enforce the required egress mode across accounts,&lt;/li&gt;
&lt;li&gt;network teams can apply existing inspection and routing controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For regulated environments, the value is not only connectivity. It is evidence.&lt;/p&gt;
&lt;h2 id="design-considerations"&gt;Design considerations&lt;/h2&gt;
&lt;p&gt;This feature moves responsibility to your network design. If DNS, routes, endpoint policies, or security groups are wrong, API server calls can fail. That can break admissions, identity association, or aggregated APIs.&lt;/p&gt;
&lt;p&gt;I would pay attention to four areas:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;DNS resolution.&lt;/strong&gt; The API server now depends on the DNS path available from your VPC configuration for those customer-controllable names.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Webhook availability.&lt;/strong&gt; A private webhook outage can become a cluster-wide admission outage if failure policies are strict.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Certificate trust.&lt;/strong&gt; Private does not always mean privately trusted. The source article notes that OIDC issuer certificates still need a publicly trusted chain.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cost and routing.&lt;/strong&gt; NAT gateways, cross-AZ paths, inspection appliances, and endpoints can add cost or latency if the path is not designed deliberately.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Start by identifying clusters that already use admission webhooks, external OIDC providers, or aggregate API servers. Those clusters have the most to gain.&lt;/p&gt;
&lt;p&gt;For new clusters, decide whether &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt; should be part of the baseline. For existing clusters, test in a non-production environment with the same webhook and identity dependencies before updating anything important.&lt;/p&gt;
&lt;p&gt;Then build a failure test. Block the webhook endpoint, break DNS resolution, and confirm your cluster behavior matches your expectations. Network privacy is useful only if the failure modes are understood.&lt;/p&gt;
&lt;p&gt;This EKS change does not make private Kubernetes automatic, but it removes a real architectural compromise. Builders now have a better way to align the control plane&amp;rsquo;s outbound path with the same network rules they already apply to workloads.&lt;/p&gt;</content:encoded></item><item><title>Lambda MicroVMs make isolated sandboxes a serverless design choice</title><link>https://theawsblog.com/news/emiliano-montesdeoca/lambda-microvms-isolated-sandboxes/</link><pubDate>Mon, 22 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/lambda-microvms-isolated-sandboxes/</guid><description>AWS Lambda MicroVMs give builders a new option for running user-generated and AI-generated code with VM-level isolation, fast resume, and controlled lifecycle state.</description><content:encoded>&lt;p&gt;AWS Lambda MicroVMs are interesting because they do not try to replace normal Lambda functions. They fill a different gap: workloads where the unit of isolation is not an event, but a user session, coding environment, agent run, scanner job, or other stateful sandbox.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://aws.amazon.com/blogs/aws/run-isolated-sandboxes-with-full-lifecycle-control-aws-lambda-introduces-microvms/"&gt;AWS announcement&lt;/a&gt; frames this around isolated sandboxes with full lifecycle control. That is the right framing. The practical value is not only that Firecracker provides VM-level isolation. It is that AWS is exposing a managed way to create, pause, resume, and retire those environments without asking every product team to become a virtualization platform team.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;Lambda MicroVMs add a serverless compute primitive inside the Lambda family for running code in isolated, stateful execution environments. The source article describes several important properties:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;each session can run in its own Firecracker-backed MicroVM,&lt;/li&gt;
&lt;li&gt;environments can launch and resume from pre-initialized snapshots,&lt;/li&gt;
&lt;li&gt;memory, disk, and running process state can survive during the session,&lt;/li&gt;
&lt;li&gt;idle environments can be suspended by policy,&lt;/li&gt;
&lt;li&gt;applications get a dedicated endpoint and short-lived request authentication.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That combination matters for applications that cannot fit cleanly into stateless request-response functions. A code interpreter, browser automation sandbox, vulnerability scanner, AI coding assistant, data notebook, or game scripting environment often needs process state and filesystem state between interactions.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;The old decision tree was uncomfortable. Virtual machines gave strong isolation but slow startup and more operations. Containers started quickly but shared a kernel, which raises the bar for safely running untrusted code. Lambda functions were operationally simple but not designed for long-running interactive state.&lt;/p&gt;
&lt;p&gt;Lambda MicroVMs create a new middle path. For builders, the design conversation becomes more precise:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Use Lambda functions for event handlers and short stateless tasks.&lt;/li&gt;
&lt;li&gt;Use containers when you need packaging flexibility and can manage isolation risk.&lt;/li&gt;
&lt;li&gt;Use Lambda MicroVMs when each tenant, user, or agent run needs a dedicated stateful sandbox.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is especially relevant for AI systems. As more applications let agents write code, execute tools, inspect repositories, or process customer files, isolation becomes part of the product boundary. A prompt injection bug should not become a cross-tenant file access bug.&lt;/p&gt;
&lt;h2 id="the-trade-offs-are-still-real"&gt;The trade-offs are still real&lt;/h2&gt;
&lt;p&gt;MicroVMs reduce a lot of infrastructure work, but they do not remove architecture responsibility.&lt;/p&gt;
&lt;p&gt;First, lifecycle policy becomes a cost control. If idle sessions stay warm too long, the bill can drift. If they suspend too aggressively, users feel resume latency. Teams should treat idle duration as a product setting, not a default copied from a sample.&lt;/p&gt;
&lt;p&gt;Second, snapshot-based startup changes how applications initialize. Code that generates unique state, opens long-lived external connections, or assumes initialization happens once per user action needs careful review.&lt;/p&gt;
&lt;p&gt;Third, stateful sandboxes need cleanup rules. Temporary files, credentials, downloaded packages, generated artifacts, and logs can accumulate. Builders should define what survives during a session, what is exported, and what is destroyed.&lt;/p&gt;
&lt;p&gt;Finally, security does not stop at VM boundaries. The execution role, outbound network policy, source artifact pipeline, token handling, and tenant mapping are still part of the isolation story.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;I would start with workloads where the current workaround is obviously expensive: per-user EC2 sandboxes, over-hardened container runners, or Lambda workflows full of awkward &lt;code&gt;/tmp&lt;/code&gt; and rehydration logic.&lt;/p&gt;
&lt;p&gt;For a proof of concept, validate four things before celebrating:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Cold launch and resume behavior&lt;/strong&gt; with your real image size and dependencies.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Idle cost profile&lt;/strong&gt; for normal user behavior, not a synthetic benchmark.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tenant boundary tests&lt;/strong&gt; for filesystem, process, network, and IAM access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Failure cleanup&lt;/strong&gt; when a session crashes, times out, or is abandoned.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Lambda MicroVMs are not just another Lambda feature. They are AWS acknowledging that the next wave of serverless workloads includes interactive, stateful, sometimes untrusted execution. That is a useful primitive, as long as teams treat it as an isolation architecture rather than a shortcut around security design.&lt;/p&gt;</content:encoded></item></channel></rss>