AWS Security Digest·Week 19 of 2026·May 5-11, 2026·6 items
The DirtyFrag Bulletin Begins
AWS opens what will become the defining CVE story of May: a Linux kernel privilege escalation tracked across half a dozen services. JDBC Wrapper ships column-level client-side encryption via KMS. AgentCore previews agent-to-agent payments via Coinbase and Stripe. AWS MCP Server reaches GA. WorkSpaces for AI Agents enters preview.
Amazon identified a Linux kernel flaw allowing an authenticated local user to escalate privileges, tracked as part of the broader "DirtyFrag" / "copy.fail 2" class.
AWS directed customers to the rolling 2026-030-AWS bulletin for current patching status across services.
The full technical scope expands the following week (see W20).
medium/Feature Launch/
JDBC Wrapper Adds Client-Side Column Encryption
The AWS Advanced JDBC Wrapper added a KMS Encryption plugin for column-level client-side encryption: the application encrypts before the value reaches the database and decrypts on read; HMAC validation provides integrity; plaintext stays inside the application boundary; the database only ever sees ciphertext. Compatible with Amazon RDS / Aurora PostgreSQL and MySQL across all Regions where those services run. Available under Apache 2.0. The pattern is significant because it gives Java teams a drop-in answer to "PII in a column the DBA shouldn't see" without app code changes.
RDS · Aurora · KMS
high/Feature Launch/
AgentCore Previews Managed Payments
AgentCore previewed managed payment capabilities for AI agents (credential management and compliance controls plus session-level spending limits) built with Coinbase and Stripe. Agents can now autonomously transact for APIs, MCP servers, web content, and other agents. The security implications are immediate: blast-radius scoping for agents now includes "and a payment instrument."
BedrockAgentCore
medium/Feature Launch/
AWS MCP Server Hits GA
AWS MCP Server (managed Model Context Protocol server) is GA, exposing all AWS services to AI agents and coding assistants through a small fixed toolset with secure, authenticated access. Pair this with the MCP secure-access patterns blog from W16. The IAM design around MCP server trust is the new attack surface to scope.
IAM
medium/Feature Launch/
Amazon WorkSpaces for AI Agents (Preview)
Preview of WorkSpaces designed for AI agents to access desktop applications through managed environments with enterprise-grade governance and compliance. The threat-model question is whether agent-driven WorkSpaces inherit the same network isolation, MFA, and session policies as human-driven WorkSpaces, or whether a parallel governance plane will emerge. Worth tracking closely.
WorkSpaces
info/Feature Launch/
Agent Toolkit for AWS Ships Free
A free production-ready toolkit aimed at AI coding agents building on AWS, marketed around "fewer errors, lower token costs, and enterprise-grade security controls." For platform teams piloting Cursor / Claude Code / Cline against AWS-deployed apps, this is the official AWS-supported alternative to ad hoc CLI wrappers.
Key Takeaway
$ cat WEEKLY_SUMMARY.md
Two themes converge this week. (1) The Linux kernel "DirtyFrag" / Copy.fail class arrives at AWS, and every multi-tenant shared-kernel surface (ECS, EKS, Fargate, SageMaker notebooks, Bottlerocket) needs a patch posture. (2) AWS keeps shipping the agent stack (payments, desktop access, IAM-integrated MCP), and every one of those launches widens the IAM blast radius your agents operate within. Audit those agent execution roles like you audit human IAM users, because functionally, that is what they are.
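An added example, not from the digest or from AWS: a small static check in the spirit of the role audit recommended above, run over a constructed identity-policy document. The function names, the escalation-action list, and the sample policy are assumptions chosen for illustration.

```python
import fnmatch

# Real IAM/STS action names that let a role widen its own access (illustrative subset).
ESCALATION_ACTIONS = [
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
]

def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return sorted findings for one identity-policy document (a dict)."""
    findings = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.add(f"{sid}: Allow with NotAction grants everything not listed")
        any_resource = "*" in _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))
        for pattern in _as_list(stmt.get("Action")):
            if pattern == "*" or pattern.endswith(":*"):
                findings.add(f"{sid}: wildcard action {pattern}")
            if not any_resource or conditioned:
                continue
            # Action patterns are case-insensitive and support * and ? wildcards.
            for risky in ESCALATION_ACTIONS:
                if fnmatch.fnmatchcase(risky.lower(), pattern.lower()):
                    findings.add(f"{sid}: {risky} on Resource * with no Condition")
    return sorted(findings)

# Constructed sample: an over-broad execution role policy for an agent.
AGENT_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadDocs", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-agent-docs/*"},
        {"Sid": "Everything", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(AGENT_ROLE_POLICY):
        print(finding)
```

This inspects only the policy text; it does not evaluate permission boundaries, SCPs, or resource policies, which also shape a role's effective access.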