Security Agent and DevOps Agent both ship to general availability after their re:Invent 2025 preview. S3 finally rolls out the SSE-C default-off across 37 Regions, the kill announced back in January. Audit Manager stops onboarding new customers as of April 30.
In this issue: 2 high, 3 medium, 1 info
Highlights
6 items
$ tail -f /var/log/aws-security.log
high/Feature Launch/
Security Agent Hits GA
Announced in preview at re:Invent 2025, AWS Security Agent is now generally available as a frontier agent that performs continuous, context-aware penetration testing across AWS, multicloud, and on-premises environments.
AWS cites LG CNS as a preview customer reporting "over 50% faster testing and ~30% lower costs, along with significantly fewer false positives."
A companion blog post the following day, "Building AI defenses at scale: before the threats emerge," detailed Project Glasswing with Anthropic and the Claude Mythos Preview for vulnerability research.
medium/Feature Launch/
DevOps Agent Hits GA
AWS DevOps Agent reached GA the same day as Security Agent, focusing on cloud operations, incident investigation, and prevention across multi-cloud environments.
AWS reports that preview customers saw "up to 75% lower MTTR and 3 to 5 times faster resolution."
For security teams the implication is direct: another frontier-model agent now has read/write access to operational tooling. Blast-radius scoping (least-privilege roles, isolated execution accounts, Bedrock guardrails) is the new perimeter.
high/Service Update/
S3 Kills SSE-C Default Across 37 Regions
The change AWS announced in January started rolling out April 6 across 37 AWS Regions, including AWS China and AWS GovCloud (US).
New general-purpose buckets default to SSE-C disabled. Existing buckets in accounts with no SSE-C objects also have SSE-C disabled for new write requests. Accounts already using SSE-C are not modified.
The motivation is the Codefinger ransomware pattern (January 2025) where stolen credentials were used to re-encrypt objects with attacker-supplied keys, leaving victims unable to recover data without paying.
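Because accounts already using SSE-C are left unchanged, those buckets need their own guard. The added example below (not from AWS or this digest) checks whether a bucket policy denies every SSE-C write, using the S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm`; the bucket name and sample policies are constructed placeholders.

```python
import fnmatch

SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"  # S3 condition key

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_put_object(actions):
    # IAM action names are case-insensitive and may contain wildcards.
    return any(fnmatch.fnmatchcase("s3:putobject", str(a).lower()) for a in _as_list(actions))

def _is_everyone(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def _only_sse_c_condition(condition):
    # Null/"false" matches requests that carry the SSE-C header. Any additional
    # operator or key narrows the Deny, so it is treated as not blocking.
    if list(condition) != ["Null"] or len(condition["Null"]) != 1:
        return False
    (key, value), = condition["Null"].items()
    return key.lower() == SSE_C_KEY and all(str(v).lower() == "false" for v in _as_list(value))

def denies_sse_c_writes(policy, bucket):
    """True if a bucket policy denies every SSE-C PutObject to any object in `bucket`."""
    all_objects = f":::{bucket}/*"  # partition-agnostic: aws, aws-cn, aws-us-gov
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Deny"
                and _covers_put_object(stmt.get("Action", []))
                and _is_everyone(stmt.get("Principal"))
                and any(str(r).endswith(all_objects) for r in _as_list(stmt.get("Resource", [])))
                and _only_sse_c_condition(stmt.get("Condition", {}))):
            return True
    return False

# Constructed sample policies; "example-bucket" is a placeholder name.
def _deny(resource, condition, principal="*", action="s3:PutObject"):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": principal, "Action": action,
        "Resource": resource, "Condition": condition}]}

BLOCKING = _deny("arn:aws:s3:::example-bucket/*", {"Null": {SSE_C_KEY: "false"}})
PREFIX_ONLY = _deny("arn:aws:s3:::example-bucket/logs/*", {"Null": {SSE_C_KEY: "false"}})
EXTRA_CONDITION = _deny("arn:aws:s3:::example-bucket/*", {
    "Null": {SSE_C_KEY: "false"}, "Bool": {"aws:SecureTransport": "false"}})

if __name__ == "__main__":
    for name in ("BLOCKING", "PREFIX_ONLY", "EXTRA_CONDITION"):
        print(name, denies_sse_c_writes(globals()[name], "example-bucket"))
```

A `False` result for the prefix-scoped or extra-condition policy means some SSE-C writes would still be accepted on that bucket.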
medium/Compliance/
AWS Names Four Rules for Agentic AI
AWS published its response to NIST's request for information on agentic AI security, structured around four principles.
First, embed security across the development lifecycle. Second, apply traditional security controls to agentic systems. Third, use deterministic enforcement points outside the model. Fourth, grant autonomy only after it is earned through observed behavior.
This is the clearest public signal yet of how AWS expects customers to scope IAM, network, and data controls around its agent products.
medium/Service Update/
Audit Manager Stops Onboarding April 30
As part of the AWS service lifecycle updates communicated this week, AWS Audit Manager will be closed to new customers starting April 30, 2026.
Existing customers continue to operate normally. Single-account deployments will not be able to deploy across an Organization after that date. Audit Manager moves into maintenance mode rather than full sunset.
Compliance teams relying on Audit Manager assessments for SOC 2 or PCI evidence collection need to plan now. Security Hub Extended is the most-cited migration path.
info/Service Update/
KMS Pushes Past AES-GCM Symmetric Limits
AWS published an architectural deep-dive on how KMS and the AWS Encryption SDK use derived-key methods to push past the per-key AES-GCM data limits without forcing customers to track those bounds manually. Useful background reading for anyone designing high-volume envelope encryption pipelines.
Key Takeaway
1 item
$ cat WEEKLY_SUMMARY.md
Two frontier security agents went GA in the same week and the long-promised S3 SSE-C default-off began rolling out across 37 Regions. The shared theme is automation taking over what used to be human review: pen testing, incident response, encryption defaults. The catch: every one of those automations runs under an IAM role you defined. Audit those role policies before the agents do.