AWS Security Digest · Week 21 of 2026 · May 18-24, 2026 · 5 items

    Security Hub Hunts Down Unused Access

    Security Hub learns to find identity risk from access that no one is using: unused IAM permissions, roles, and credentials, measured against 90 days of real activity. The Extended plan grows to 21 partners across 9 categories. Secrets Manager Agent picks up pre-fetching and cross-account role assumption, and Amazon Inspector Classic reaches end of support.

    In this issue: 2 high · 2 medium · 1 info

    Highlights

    3 items
    high · Feature Launch

    Security Hub Now Surfaces Identity Risk From Unused Access

    AWS Security Hub now detects unused IAM permissions, roles, and credentials across an AWS organization, evaluating each principal against 90 days of actual access activity.

    It automatically creates the service-linked IAM Access Analyzer in member accounts and can generate recommended least-privilege policies on demand, based on what each principal actually used.

    These findings sit alongside threats, exposures, and posture findings in the unified console, so teams can prioritize by real organizational risk. The capability is included with Security Hub Essentials at no additional cost.

    Security Hub · IAM · IAM Access Analyzer
    medium · Feature Launch

    Security Hub Extended Grows to 21 Partner Solutions Across 9 Categories

    The Security Hub Extended plan expanded to 21 curated partner solutions spanning 9 security categories, adding SentinelOne (endpoint), CyberArk (identity), Sublime (email), Varonis (data security), LayerX (browser), Native Security (cloud), and Zenity (AI security).

    Findings from all participating solutions are emitted in the Open Cybersecurity Schema Framework (OCSF) and automatically aggregated in Security Hub.

    Every solution has published pay-as-you-go pricing, a single AWS bill, automatic Enterprise Discount Program eligibility, unified Level 1 support for AWS Enterprise Support customers, and no long-term commitments.

    Security Hub
    medium · Feature Launch

    Secrets Manager Agent Adds Pre-Fetching and IAM Role Assumption

    The AWS Secrets Manager Agent can now pre-fetch secrets at startup and assume an IAM role to retrieve them.

    Pre-fetching lets you specify a list of secrets or a tag value to retrieve and cache at agent startup using the BatchGetSecretValue API, cutting startup latency by avoiding sequential GetSecretValue calls.

    Role assumption lets you pass a role ARN in the pre-fetch configuration or in HTTP requests, enabling cross-account secret retrieval and a different IAM role per secret. It is available in all Regions where Secrets Manager is offered.

    Secrets Manager · IAM

    Service Updates

    2 items
    high · Service Update

    Amazon Inspector Classic Reaches End of Support

    May 20, 2026 is the end-of-support date for Amazon Inspector Classic. After this date, customers can no longer access the Inspector Classic console or resources.

    Inspector Classic stopped accepting new customers on May 20, 2025. The replacement is the rearchitected Amazon Inspector, which is available across AWS Regions and adds continuous scanning of EC2, Lambda, and container images in Amazon ECR.

    If any workload still depends on Inspector Classic, migrate to the new Amazon Inspector now.

    Inspector
    info · Compliance

    AWS KY3P Report Now Available for Third-Party Due Diligence

    AWS completed the S&P Global Know Your Third Party (KY3P) assessment of its security posture, and customers can now use the report to reduce their supplier due diligence burden.

    The assessment covers over 200 controls across 26 control categories and nine risk domains, including Privacy, Network Management, Logical Access Management, and Physical and Environmental Security.

    Results can be mapped to common frameworks such as NIST CSF v2, PCI DSS 4.0, and ISO 27001:2022 for instant visibility into control coverage.

    Key Takeaway

    1 item

    Security Hub unused-access detection is the item to act on. It turns least-privilege from a manual review into a continuous finding stream, with generated policies you can apply, and it costs nothing on Essentials. Pair it with the new Secrets Manager Agent role assumption to tighten cross-account secret access, and if you still run Inspector Classic, finish your migration: support ended May 20.

    Filed Under
    Security Hub · IAM · Unused Access · Least Privilege · Secrets Manager · Inspector · KY3P · Compliance

    Need Custom Security Briefings?

    These weekly digests are a starting point. Contact us for tailored threat briefings, security assessments, and architectural guidance for your AWS environment.