WEEK 4 | 2026-01-20 - 2026-01-26
    1 high, 3 medium

    Week 4 - Jan 20-26, 2026

    Security Agent adds GitHub Enterprise support, Network Firewall gets GenAI traffic filtering, S3 lets you change encryption type without re-uploading, and STS validates OIDC identity provider claims.

    Highlights

    $ tail -f /var/log/aws-security.log

    AWS Security Agent Adds GitHub Enterprise Cloud Support

    FEATURE LAUNCH

    AWS Security Agent now supports GitHub Enterprise Cloud, enabling AI-powered automated code reviews on pull requests, penetration testing of private repos, and automated remediation via pull requests. Available in US East (N. Virginia).

    Security Agent

    Network Firewall Gets GenAI Traffic Visibility & Filtering

    FEATURE LAUNCH

    AWS Network Firewall now provides visibility into generative AI application traffic with web category-based filtering. Block unapproved GenAI services, restrict AI tool usage by category, and meet regulatory requirements for AI governance. Available in all commercial regions.

    Network Firewall

    S3 UpdateObjectEncryption API - Change Encryption Without Re-Uploading

    SERVICE UPDATE

    Amazon S3 now supports changing the server-side encryption type of existing objects atomically, without re-uploading them. Migrate from SSE-S3 to SSE-KMS, rotate keys, and standardize encryption across buckets at scale via S3 Batch Operations.

    S3, KMS

    STS Now Validates Identity Provider Claims (GitHub, Google, OCI)

    FEATURE LAUNCH

    AWS STS now validates select identity provider claims from Google, GitHub (14 of 33 claims), CircleCI, and OCI in OIDC federation. New condition keys are usable in trust policies and resource control policies for fine-grained federated access control.

    STS, IAM

    Key Takeaway

    $ cat WEEKLY_SUMMARY.md

    The Network Firewall GenAI filtering is a game-changer for organizations worried about shadow AI. You can now block unapproved GenAI services at the network level. The S3 encryption migration API also solves a long-standing pain point - no more re-uploading terabytes of data to change encryption keys.

    Network Firewall, GenAI, S3, STS, OIDC, Security Agent, GitHub
