Post Syndicated from Rodolfo Brenes original https://aws.amazon.com/blogs/security/icymi-june-2026-aws-security/
Read all about the latest AWS security features, compliance updates, and hands-on resources in our new, monthly digest posts. You’ll find expert blog posts, new service capabilities, code samples, and workshops.
AWS Security Blog posts
This month’s AWS Security Blog posts covered identity and access management, threat intelligence, network security, AI-powered security tooling, and multi-account governance. Read on for guidance on restricting console access to expected networks, securing multi-tenant AI agents, preventing data exfiltration, and managing organization-scale migrations.
Identity
Secure multi-tenant AI agents with Amazon Bedrock AgentCore resource-based policies
Authors: Satyen Verma, Satveer Khurpa, Prajit Pabbati, Vijay Kumar Samanthapudi, Zohreh Norouzi | Published: June 2, 2026
Learn to use resource-based policies on Amazon Bedrock AgentCore to grant cross-account access for one tenant while restricting another to VPC-only traffic in a shared multi-tenant AI platform.
Customize federated sign-in with new Amazon Cognito Lambda trigger
Authors: Abrom Douglas | Published: June 4, 2026
Learn to use the new inbound federation AWS Lambda trigger for Amazon Cognito to transform, filter, and enrich user attributes from external identity providers before profile creation in your user pool.
Amazon Cognito unlocks advanced capabilities with next-generation infrastructure
Authors: Howie Li, Georgi Baghdasaryan | Published: June 4, 2026
Amazon Cognito introduced high-throughput performance, customer-managed keys for data encryption at rest, and multi-Region replication for business continuity, built on a new storage infrastructure migrated with zero downtime.
Building secure B2C applications with fine-grained access control using Amazon Cognito and Amazon Verified Permissions
Authors: Sowmya Vemuri | Published: June 5, 2026
Learn to build fine-grained access controls for a Streamlit application using Amazon Cognito for authentication and Amazon Verified Permissions with Cedar policies for authorization.
Restrict AWS Management Console access to expected networks with sign-in resource-based policies and RCPs
Authors: Swara Gandhi, Rishi Tripathy | Published: June 24, 2026
Learn to use sign-in resource-based policies and resource control policies to restrict AWS Management Console sign-in to requests from expected networks, such as corporate VPNs and Amazon VPC endpoints.
Infrastructure security
Gain visibility into DDoS attacks with flow logs in AWS Shield Advanced
Authors: Ken Kitts | Published: June 4, 2026
Learn to configure AWS Shield Advanced attack flow logs to capture traffic metadata during DDoS events, pinpoint sources, verify mitigations, and feed your existing analysis pipelines.
Threat tactic spotlight: Subdomain takeover
Authors: Matt Gurr, Ariam Michael, Geoff Sweet, Luis Pastor | Published: June 16, 2026
Learn to detect and prevent subdomain takeover using AWS Config custom rules to identify dangling DNS CNAME records pointing to deleted resources in globally shared namespaces
Prevent data exfiltration: AWS egress controls for cloud workloads
Authors: Meriem Smache, Maxim Raya | Published: June 22, 2026
Learn to implement layered egress detection and protection using AWS Network Firewall, Amazon Route 53 Resolver DNS Firewall, and data perimeters to help reduce unauthorized data transfer risk.
Detection and incident response
Operationalizing AWS security: A maturity roadmap
Authors: Joseph Sadler | Published: June 8, 2026
A six-phase maturity roadmap for organizations that have already enabled AWS Security Hub and Amazon GuardDuty, covering tuning, notifications, automated remediation, and operational cadence.
Introducing AWS Continuum: Security at machine speed
Authors: Chet Kapoor | Published: June 17, 2026
AWS Continuum for code vulnerabilities is an AI-native platform that addresses the full lifecycle of a code vulnerability at machine speed—from discovery and prioritization through validation and remediation.
Accelerate security investigations with Kiro CLI
Authors: Sibasankar Behera, Marshall Jones | Published: June 18, 2026
Learn to use Kiro CLI to conduct security investigations following the AWS Security Incident Response Guide framework, from triaging Amazon GuardDuty findings through containment and evidence preservation.
What the June 2026 Threat Technique Catalog update means for your AWS environment
Authors: Shannon Brazil, Cydney Stude, Javier Teitelbaum | Published: June 29, 2026
Learn about five new entries and three updates to the Threat Technique Catalog for AWS, covering container security, organization-level trust, and compute hijacking patterns observed by AWS CIRT.
Data protection
Identify unused AWS KMS keys and prevent accidental key deletions
Authors: Andrea Rossi, Poojil Tripathi | Published: June 2, 2026
Learn to use the new AWS KMS GetKeyLastUsage API to audit key activity, identify unused keys, and apply policy controls that prevent accidental deletion of recently used keys.
Governance and compliance
From Monolith to Multi-Account: Pinterest’s AWS Organization Transformation Journey
Authors: Sid Vantair, James Fogel, Jeremy Talis | Published: June 4, 2026
Learn how Pinterest migrated from a single monolithic AWS account to a multi-account architecture, including management account separation, automated account provisioning, and centralized networking.
Build a Multi Account Patch Compliance Dashboard with Kiro Specs
Authors: Justin Thomas | Published: June 9, 2026
Learn to use Kiro’s spec-driven development approach to build a serverless multi-account patch compliance dashboard with AWS Systems Manager Patch Manager and private access via AWS Systems Manager Session Manager.
Transfer AWS accounts between AWS Organizations while preserving AWS Lake Formation permissions
Authors: Alex Torres, Aarthi Srinivasan, Ryan McNamee | Published: June 12, 2026
Learn to migrate member accounts between AWS Organizations without disrupting AWS Lake Formation cross-account permissions by using temporary bridge shares with the new AWS RAM retention parameter.
June Security Bulletins
Investigations of reported security vulnerabilities affecting Amazon and AWS services, software, and products.
- CVE-2026-10591 – Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths
- CVE-2026-10584 – HTTPS Fallback to HTTP in Graph Explorer
- CVE-2026-11400 and CVE-2026-11401 – Privilege Escalation in Aurora PostgreSQL using AWS Advanced JDBC Wrapper, AWS Advanced Go Wrapper
- CVE-2026-11393 – Code Injection via Improper Triple-Quote Escaping in AgentCore CLI Bedrock Agent Import
- CVE-2026-11417 – OS Command Injection in aws-cdk-lib NodejsFunction bundling
- CVE-2026-10740 – Excessive memory allocation in s2n-quic
- CVE-2026-12043 – Heap double-free in AWS Common Runtime aws-c-http
- CVE-2026-11931 – Insecure Permissions on Authentication Token Cache File in Kiro IDE
- CVE-2026-12530 – Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
- Issue with containerd CRI Plugin – CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
- CVE-2026-12957 and CVE-2026-12958 – Issues in Language Servers for AWS and Amazon Q Developer Plugins
- CVE-2026-13762 and CVE-2026-13763 – Issue with HTTP/2 multi-frame request body inspection in AWS WAF
AWS Samples
This month brings 10 new AWS samples spanning AI security, identity, infrastructure security, governance, and observability. From securing Amazon Bedrock AgentCore agents with AWS WAF to building graph-based CMDBs for dependency analysis, these repositories help you implement security and governance best practices across your AWS environment.
AI Security
Securing Amazon Bedrock AgentCore Runtime with AWS WAF
Learn to place AWS WAF in front of Amazon Bedrock AgentCore Runtime using two architecture patterns with an Application Load Balancer and VPC endpoints for defense-in-depth protection.
AI Security Posture Management (AI SPM) on AWS
Learn to discover, assess, and protect AI agents running in your environment using AWS-native services across three pillars: observe, govern, and defend, with rules mapped to OWASP LLM Top 10, NIST AI RMF, and MITRE ATLAS.
Identity
Implement On-Behalf-Of (OBO) token exchange for Amazon Bedrock AgentCore agents
Learn to implement secure identity propagation from user context through agent chains using Amazon Bedrock AgentCore Identity OBO token exchange without credential sharing.
Infrastructure Security
Monetizing AI traffic with Amazon CloudFront and AWS WAF (x402)
Learn to monetize AI traffic at the edge using AWS WAF native x402 protocol support with Amazon CloudFront, settling payments in a single round-trip with no Lambda@Edge required.
Governance
Turn repeatable processes into SOPs your AI agent works through one auditable step at a time
Learn to use this MCP server to hand standard operating procedures to your AI agent one step at a time, with gated execution and auditable progress tracking.
Bedrock Ops Lens
Learn to deploy an Amazon Bedrock observability dashboard in your own account for per-account, per-model, and per-tag cost attribution, quota tracking, latency monitoring, and model lifecycle management, with an MCP server for IDE access.
AWS Agent Registry sample demo application
Learn to use AWS Agent Registry to publish, review, approve, and discover AI agents, MCP servers, and agent skills through a centralized catalog with governance workflows.
Graph CMDB — an AWS resource relationship graph
Learn to build a graph-based CMDB from AWS Config, AWS IAM, Amazon EKS, AWS CloudTrail, and VPC Flow Logs to visualize resource dependencies, investigate scope of impact, and surface governance findings.
OpenAI Codex through Amazon Bedrock — Usage governance with LiteLLM
Learn to centrally govern, administer, and monitor OpenAI Codex access for engineering teams using Amazon Bedrock as the inference backend with per-user budgets, rate limits, and audit trails via LiteLLM.
Agentic Data Governance — the context ladder
Learn to measure how governance context layers — data dictionaries, semantic metrics, and execution skills — improve data agent accuracy through a four-level ablation ladder on the BIRD benchmark.
Conclusion
June 2026 provides guidance and examples for operationalizing security at organizational scale; from maturity roadmaps and console access restrictions to AI agent registries and posture management platforms. The posts and samples provide patterns for DDoS visibility with flow logs, multi-tenant agent isolation with resource-based policies, egress controls for data exfiltration prevention, and governance frameworks for AI coding assistants. Each resource includes deployment steps or runnable code so you can validate in your own environment before adopting. Subscribe to the AWS Security Blog RSS feed to receive updates as they publish, and revisit this digest monthly for a consolidated view of what changed and what to act on.
If you have feedback about this post, submit comments in the Comments section below.