AWS Security Blog
ICYMI: April 2026 @AWS Security
Read all about the latest AWS security features, compliance updates, and hands-on resources in our new, monthly digest posts. You’ll find expert blog posts, new service capabilities, code samples, and workshops.
AWS Security Blog posts
This month’s AWS Security Blog posts covered AI security, identity and access management, threat intelligence, data protection, and multicloud operations. Whether you’re securing agentic AI systems, upgrading to post-quantum cryptography, or streamlining forensic collection, these posts offer practical guidance across the security landscape.
Identity
Access control with IAM Identity Center session tags
Author: Rashmi Iyer | Published: April 28, 2026
Learn to combine AWS IAM Identity Center permission sets with session tags from Microsoft Entra ID to implement fine-grained attribute-based access control (ABAC) across multiple AWS accounts.
Can I do that with policy? Understanding the AWS Service Authorization Reference
Authors: Anshu Bathla, Prafful Gupta | Published: April 27, 2026
Learn to use the AWS Service Authorization Reference to determine what’s achievable with IAM policies, recognize scenarios needing alternative solutions, and build more effective security controls.
AI Security
Secure AI agent access patterns to AWS resources using Model Context Protocol
Author: Riggs Goodman III | Published: April 14, 2026
Learn to secure AI agent access to AWS resources via MCP using three principles: least privilege, organizational role governance, and differentiating AI-driven from human-initiated actions.
Four security principles for agentic AI systems
Authors: Mark Ryland, Riggs Goodman III, Todd MacDermid | Published: April 2, 2026
Learn four security principles from AWS’s NIST response for securing agentic AI: secure development lifecycle, traditional controls, deterministic external enforcement, and earned autonomy through evaluation.
Designing trust and safety into Amazon Bedrock powered applications
Author: Victor Lungu | Published: April 29, 2026
Learn to integrate responsible AI concepts into Amazon Bedrock applications, including abuse detection, Amazon CloudWatch monitoring, Bedrock Guardrails configuration, and the abuse response process.
Building AI defenses at scale: before the threats emerge
Author: Amy Herzog | Published: April 7, 2026
AWS CISO announces Project Glasswing with Anthropic, introducing Claude Mythos Preview for vulnerability research, plus the general availability of AWS Security Agent for autonomous penetration testing.
Governance and compliance
Shift-Left Tag Compliance using AWS Organizations and Terraform
Authors: Welly Siauw, Sourav Kundu, Manu Chandrasekhar | Published: April 27, 2026
Learn to validate tag compliance during development using AWS Organizations tag policies, a reusable Terraform tagging module, and a test-driven approach that dynamically validates against live organizational policies.
Detection and incident response
What the March 2026 Threat Technique Catalog update means for your AWS environment
Authors: Shannon Brazil, Cydney Stude | Published: April 28, 2026
The AWS CIRT’s latest Threat Technique Catalog update covers Amazon Cognito refresh token abuse, AMI image deletion targeting recovery, and trust policy modifications for persistence and privilege escalation.
A framework for securely collecting forensic artifacts into S3 buckets
Authors: Jason Garman, Vaishnav Murthy | Published: April 8, 2026
Learn to securely collect forensic artifacts into Amazon S3 using time-limited, least-privilege credentials with AWS STS session policies and automated AWS Step Functions workflows.
Transform security logs into OCSF format using a configuration-driven ETL solution
Authors: Vivek Gautam, Arpit Gupta, Ryan Gomes | Published: April 17, 2026
Learn to transform custom security logs into OCSF format using an AWS ProServe configuration-driven ETL solution with AWS Step Functions, AWS Glue or Amazon EMR Serverless, and Amazon Security Lake integration.
A technical walkthrough of multicloud full-stack security using AWS Security Hub Extended
Authors: Matt Meck, Michael Fuller | Published: April 22, 2026
Learn how AWS Security Hub Extended simplifies multicloud security procurement and operations through curated partner solutions, unified billing, and OCSF-based findings consolidation.
Data protection
Protecting your secrets from tomorrow’s quantum risks
Authors: Stéphanie Mbappe, Tobias Nickl | Published: April 24, 2026
Learn to upgrade AWS Secrets Manager clients to use hybrid post-quantum TLS with ML-KEM, protecting secrets against harvest-now-decrypt-later attacks, and verify connections via AWS CloudTrail.
How AWS KMS and AWS Encryption SDK overcome symmetric encryption bounds
Authors: Panos Kampanakis, Matthew Campagna, Patrick Palmer | Published: April 3, 2026
Learn how AWS Key Management Service and the AWS Encryption SDK use derived key methods to automatically handle AES-GCM encryption limits, eliminating the need to manually track bounds or rotate keys.
How to clone an AWS CloudHSM cluster across Regions
Authors: Desiree Brunner, Rickard Löfström | Published: April 20, 2026
Learn to clone an AWS CloudHSM cluster to another Region using CopyBackupToRegion, then synchronize keys—including non-exportable keys—across cloned clusters for disaster recovery.
April Security Bulletins
Investigations of reported security vulnerabilities affecting Amazon and AWS services, software, and products.
- CVE-2026-7791 – Local Privilege Escalation via TOCTOU Race Condition in Amazon WorkSpaces Skylight Agent
- CVE-2026-7461 – OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials
- Issue with FreeRTOS-Plus-TCP – IPv6 Router Advertisement Memory Safety Issues
- CVE-2026-7424 – Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP
- Issue with FreeRTOS-Plus-TCP – MAC Address Validation Bypass and ICMP Echo Reply Integer Underflow
- CVE-2026-7191 – Arbitrary Code Execution via Sandbox Bypass in QnABot on AWS
- Issues in tough library and tuftool CLI utility
- Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912)
- CVE-2026-6550 – Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
- CVE-2026-6437 – Mount Option Injection in Amazon EFS CSI Driver
- CVE-2026-5747 – Out-of-bounds Write in Firecracker virtio-pci Transport
- Issues with AWS Research and Engineering Studio (RES)
- Issues with Amazon Athena ODBC Driver
- CVE-2026-5429 – Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
AWS Samples
This month brings 16 new AWS samples spanning identity, governance, compliance, detection and incident response, AI Security, data protection, and infrastructure security. From beginner-friendly AI agent development on Amazon Bedrock to automated Control Tower re-registration at scale, these ready-to-deploy repositories help you implement security best practices across your AWS environment.
Identity
Amazon Cognito OAuth2 Token Proxy with Caching
Learn to deploy an Amazon API Gateway proxy for Cognito’s OAuth2 token endpoint with intelligent caching and AWS WAF protection, reducing M2M authentication costs by over 90%.
Cognito API Gateway Authorization Demo
Learn to implement user-specific data protection using Amazon Cognito, API Gateway, and an AWS Lambda authorizer that enforces JWT sub claim matching to prevent cross-user data access.
Securely Connecting On-Premises Data Systems to Amazon Redshift with IAM Roles Anywhere
Learn to deploy a fully private environment connecting on-premises workloads to Amazon Redshift using X.509 certificate authentication via IAM Roles Anywhere for short-lived credentials.
AWS IAM Access Key Lifecycle Management with Human Approval
Learn to automate organization-wide detection, disabling, and deletion of unused IAM access keys using Step Functions, IAM Access Analyzer, and a secure human-in-the-loop approval workflow.
Secrets Manager Audit
Learn to resolve and report who can access your AWS Secrets Manager secrets—across accounts, through Identity Center, and down to the human behind the IAM role—in a single command.
Governance
Control Tower Organization Re-Registration Automation
Learn to automate AWS Control Tower OU re-registration and account updates at scale using lifecycle events, Amazon EventBridge, and AWS Lambda to resolve mixed governance after landing zone changes.
Sample Agent Skills for Builders
A curated collection of installable agent skills that extend AI coding agents (Claude Code, Cursor, Copilot) with production-ready AWS, CDK, security scanning, and engineering workflows.
How to Stop AI Agent Hallucinations: 5 Techniques + Production on Amazon Bedrock AgentCore
Learn to detect, prevent, and self-correct AI agent hallucinations using Graph-RAG, semantic tool selection, multi-agent validation, neurosymbolic guardrails, and agent steering with Strands Agents.
Compliance
Compliance Lens
Learn to deploy a serverless solution that analyzes AWS Config snapshots across an AWS Organization, compares them against conformance pack rule sets, and visualizes compliance posture via Amazon QuickSight dashboards.
AWS Security Agent Terraform Configuration
Learn to provision AWS Security Agent resources using the AWSCC Terraform provider, automating agent space creation, IAM roles, target domain registration, and penetration test setup.
Detection and incident response
AWS Security Agent Demo Suite
Learn to use AWS Security Agent across three scenarios: automated design reviews, AI-generated infrastructure code review via GitHub, and penetration testing against intentionally vulnerable applications.
Agentic SOC Workshop — CDK Infrastructure
Learn to build an AI-powered Security Operations Center agent that investigates Amazon GuardDuty findings, queries CloudTrail logs, and takes automated containment actions using Amazon Bedrock AgentCore.
Data protection
Implementing Kerberos Authentication for Apache Spark Jobs on Amazon EMR on EKS to Access a Kerberos-Enabled Hive Metastore
Learn to configure Kerberos authentication for Spark jobs on Amazon EMR on Amazon Elastic Kubernetes Service, connecting to a Kerberos-enabled Hive Metastore using Microsoft Active Directory as the KDC.
AWS Nitro Enclaves with Kubernetes – Hello World Example
Learn to deploy a Hello World application inside an AWS Nitro Enclave on Amazon EKS, covering cluster creation, device plugin setup, and enclave image building.
Infrastructure security
Multi-Tenant OpenClaw on Firecracker
Learn to deploy isolated, multi-tenant OpenClaw AI agents on AWS using Firecracker microVMs with per-tenant kernel/network isolation, auto-scaling, backup/restore, and a web management console.
AI Security
Amazon Bedrock for Beginners – From First Prompt to AI Agent
Learn to build AI applications on Amazon Bedrock, from basic API calls to a full agent with RAG, guardrails, tool use, and the Strands Agents SDK.
Conclusion
April 2026 reinforces that securing AI workloads now requires the same rigor applied to traditional infrastructure. The posts and samples in this edition provide concrete patterns for enforcing least privilege on agentic systems, automating governance at organizational scale, and preparing cryptographic implementations for post-quantum requirements. The security bulletins address vulnerabilities across compute, networking, and developer tooling, underscoring the need to apply patches consistently. Each resource includes deployment steps or runnable code so you can validate the approach in your own environment before adopting it. Subscribe to the AWS Security Blog RSS feed to receive updates as they publish, and revisit this digest monthly for a consolidated view of what changed and what to act on.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.