AWS Security Digest · Week 22 of 2026 · May 25-31, 2026 · 3 items

    Network Firewall Filters the Web by Category

    AWS Network Firewall can now allow or block traffic by website category, including generative-AI services, with the matches visible in CloudWatch Logs Insights. AWS also published Well-Architected guidance for defending the software supply chain against attacks like Shai-Hulud, and a path to move centralized firewall inspection onto Transit Gateway attachments.

    In this issue: 1 high · 1 medium · 1 info

    Highlights

    2 items
    Severity: high · Service Update

    AWS Details URL and Domain Category Filtering for Network Firewall

    AWS published a Security Blog deep-dive on URL and domain category filtering in AWS Network Firewall, which lets you allow or block traffic to entire categories of websites, such as generative-AI services, social media, and streaming, using AWS-managed categories that stay current automatically.

    Domain category filtering matches on the TLS Server Name Indication (SNI) field and needs no decryption, while URL filtering requires TLS inspection because the path is inside the encrypted request. Matches are reviewable through CloudWatch Logs Insights. One caveat: the SNI is a cleartext value chosen by the client, so a category rule is policy enforcement for managed workloads rather than a hard boundary. A client that omits the SNI or presents a false one will not match the rule, so decide explicitly what the firewall should do with TLS flows that carry no SNI, and log those flows rather than letting them disappear from the statistics.

    For security teams, this turns a manual allowlist chore into a policy decision, and gives a practical control point for shadow-AI and data-exfiltration risk at the network edge.
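The review step the item describes, as an added example (not code from the AWS blog post or from Network Firewall itself): an offline parser for Network Firewall alert-log records that tallies category blocks by domain, by source and by rule, flags repeat sources, and separately surfaces TLS flows that carried no SNI and therefore could not be category-matched. The log records are constructed for this example and follow the shape of the firewall's JSON alert log; the rule names in alert.signature are made up, so check how category matches are labelled in your own log group. The CloudWatch Logs Insights query in the block is the equivalent online query.

```python
import json
from collections import Counter

# Constructed AWS Network Firewall alert-log records (JSON Lines), shaped like the
# firewall's alert log output. Rule names in alert.signature are made up for this example.
SAMPLE_ALERT_LOG = r"""
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1780048800","event":{"timestamp":"2026-05-29T10:00:00.000000+0000","flow_id":101,"event_type":"alert","src_ip":"10.0.1.10","src_port":51000,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1001,"rev":1,"signature":"block-category-generative-ai","category":"","severity":1},"tls":{"sni":"ai-assistant.example","version":"TLS 1.3"},"app_proto":"tls"}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1780048860","event":{"timestamp":"2026-05-29T10:01:00.000000+0000","flow_id":102,"event_type":"alert","src_ip":"10.0.1.10","src_port":51002,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1001,"rev":1,"signature":"block-category-generative-ai","category":"","severity":1},"tls":{"sni":"ai-assistant.example","version":"TLS 1.3"},"app_proto":"tls"}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1b","event_timestamp":"1780048920","event":{"timestamp":"2026-05-29T10:02:00.000000+0000","flow_id":103,"event_type":"alert","src_ip":"10.0.2.20","src_port":40010,"dest_ip":"203.0.113.44","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1001,"rev":1,"signature":"block-category-generative-ai","category":"","severity":1},"tls":{"sni":"chat.example","version":"TLS 1.2"},"app_proto":"tls"}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1780048980","event":{"timestamp":"2026-05-29T10:03:00.000000+0000","flow_id":104,"event_type":"alert","src_ip":"10.0.1.10","src_port":51010,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":2001,"rev":1,"signature":"allow-category-business","category":"","severity":3},"tls":{"sni":"erp.partner.example","version":"TLS 1.3"},"app_proto":"tls"}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1b","event_timestamp":"1780049040","event":{"timestamp":"2026-05-29T10:04:00.000000+0000","flow_id":105,"event_type":"alert","src_ip":"10.0.3.30","src_port":33333,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"action":"alert","signature_id":3001,"rev":1,"signature":"alert-tls-without-sni","category":"","severity":2},"tls":{"version":"UNDETERMINED"},"app_proto":"tls"}}
"""

# The equivalent CloudWatch Logs Insights query over the alert log group. The offline
# summary below mirrors it, so the numbers can be cross-checked against a dashboard.
LOGS_INSIGHTS_QUERY = """
fields @timestamp, event.src_ip, event.tls.sni, event.alert.signature
| filter event.alert.action = "blocked"
| stats count(*) as hits by event.tls.sni, event.alert.signature
| sort hits desc
"""


def parse_alert_log(text: str) -> list:
    """Parse JSON Lines alert records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_alerts(records: list) -> dict:
    """Tally blocked flows by SNI, source and rule; list TLS flows that had no SNI."""
    blocked_by_sni = Counter()
    blocked_by_source = Counter()
    blocked_by_rule = Counter()
    tls_without_sni = []
    for rec in records:
        ev = rec["event"]
        alert = ev.get("alert", {})
        sni = ev.get("tls", {}).get("sni")
        # A TLS flow with no SNI cannot be matched by a domain or category rule at all,
        # so it gets its own review line instead of vanishing from the category stats.
        if ev.get("app_proto") == "tls" and not sni:
            tls_without_sni.append((ev["src_ip"], ev["dest_ip"]))
        if alert.get("action") == "blocked":
            blocked_by_sni[sni or "<no-sni>"] += 1
            blocked_by_source[ev["src_ip"]] += 1
            blocked_by_rule[alert.get("signature", "<unnamed>")] += 1
    return {
        "blocked_by_sni": blocked_by_sni,
        "blocked_by_source": blocked_by_source,
        "blocked_by_rule": blocked_by_rule,
        "tls_without_sni": tls_without_sni,
    }


def repeat_offenders(summary: dict, threshold: int = 2) -> list:
    """Sources blocked at least `threshold` times: candidates for a shadow-AI conversation."""
    return sorted(src for src, n in summary["blocked_by_source"].items() if n >= threshold)


if __name__ == "__main__":
    summary = summarize_alerts(parse_alert_log(SAMPLE_ALERT_LOG))
    print("blocked by domain:", dict(summary["blocked_by_sni"]))
    print("blocked by rule:", dict(summary["blocked_by_rule"]))
    print("repeat sources:", repeat_offenders(summary))
    print("TLS flows without SNI:", summary["tls_without_sni"])
```

Point the parser at an exported alert log group (or run the Logs Insights query directly) and review the no-SNI list alongside the category blocks; the first tells you what the category rules decided, the second tells you which flows they could never see.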

    Tags: Network Firewall · CloudWatch
    Severity: medium · Threat Intel

    AWS Publishes Software Supply Chain Security Best Practices

    AWS published Well-Architected guidance on securing the software supply chain, written in direct response to attacks like Shai-Hulud that compromise build pipelines and package ecosystems.

    The guidance centers on disciplined credential management and artifact signing: short-lived, tightly scoped credentials in build systems limit what a stolen token can publish, and signatures checked at deploy time mean a compromised dependency or a stolen token cannot quietly ship malicious code into production.

    It is practical reading for any team running CI/CD on AWS, and it pairs naturally with code signing on Lambda and image signing in Amazon ECR, both backed by AWS Signer.
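One concrete check in the spirit of the guidance, as an added example rather than code from the AWS guidance or any AWS tool: audit an npm lockfile offline by recomputing each fetched tarball's Subresource Integrity hash against the lockfile's pinned `integrity` value, and list packages the lockfile marks with `hasInstallScript` (the real lockfile v2/v3 field), since install-time lifecycle scripts are the usual execution vector for package-ecosystem malware of the Shai-Hulud kind. The lockfile, package names, tarball bytes and hashes are constructed for this example; the check is what `npm ci` does for you, shown in isolation so it can be run against an artifact mirror or cache before anything is installed.

```python
import base64
import hashlib
import hmac
import json

ACCEPTED_ALGOS = ("sha256", "sha384", "sha512")


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity string (<algo>-<base64 digest>) as npm writes it into lockfiles."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def tarball_matches(integrity: str, data: bytes) -> bool:
    """True if any accepted-algorithm entry in the integrity string matches the bytes.

    Unknown or weak algorithms fail closed; an empty integrity value never matches."""
    for entry in integrity.split():
        algo, _, expected = entry.partition("-")
        if algo not in ACCEPTED_ALGOS:
            continue
        actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def audit_lockfile(lock: dict, fetched: dict) -> dict:
    """Check every non-root package: the fetched tarball must match the pinned integrity,
    and packages that run install scripts are surfaced for review."""
    mismatched, missing, install_scripts = [], [], []
    for path, meta in lock["packages"].items():
        if path == "":  # the root project entry has no tarball
            continue
        if meta.get("hasInstallScript"):
            install_scripts.append(path)
        data = fetched.get(path)
        if data is None:
            missing.append(path)
        elif not tarball_matches(meta.get("integrity", ""), data):
            mismatched.append(path)
    return {"mismatched": mismatched, "missing": missing, "install_scripts": install_scripts}


# Constructed tarball contents; the lockfile below pins their hashes.
GOOD_LEFT_PAD = b"left-pad-ish 1.0.0 tarball (constructed)"
GOOD_HELPER = b"helper-lib 2.3.1 tarball (constructed)"

# Constructed package-lock.json (lockfileVersion 3). Package names and URLs are made up.
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad-ish": "1.0.0", "helper-lib": "2.3.1"}},
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.example/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
            "integrity": sri(GOOD_LEFT_PAD),
        },
        "node_modules/helper-lib": {
            "version": "2.3.1",
            "resolved": "https://registry.example/helper-lib/-/helper-lib-2.3.1.tgz",
            "integrity": sri(GOOD_HELPER, "sha256"),
            "hasInstallScript": True,
        },
    },
}

# Scenario: the same version was re-published with an injected payload, which a
# compromised publish token would allow; the lockfile pin makes it visible.
TAMPERED_FETCH = {
    "node_modules/left-pad-ish": GOOD_LEFT_PAD,
    "node_modules/helper-lib": GOOD_HELPER + b"\n/* injected postinstall payload */",
}
CLEAN_FETCH = {
    "node_modules/left-pad-ish": GOOD_LEFT_PAD,
    "node_modules/helper-lib": GOOD_HELPER,
}


if __name__ == "__main__":
    print("clean:", json.dumps(audit_lockfile(LOCKFILE, CLEAN_FETCH)))
    print("tampered:", json.dumps(audit_lockfile(LOCKFILE, TAMPERED_FETCH)))
```

Any entry in `mismatched` should stop the build outright; entries in `install_scripts` are not failures by themselves, but they are the packages whose lifecycle scripts deserve a read before the dependency is approved.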

    Tags: CodeBuild · ECR · Lambda

    Service Updates

    1 item
    Severity: info · Service Update

    Guidance: Move Centralized Network Firewall to Transit Gateway Attachment

    AWS published guidance on migrating centralized Network Firewall deployments to a Transit Gateway attachment model, removing the dedicated inspection VPC from the path.

    The approach simplifies the inspection architecture and improves cost allocation across accounts, while keeping centralized egress and east-west inspection.

    If you run a hub-and-spoke inspection VPC today, it is worth evaluating against the attachment model.

    Tags: Network Firewall · Transit Gateway

    Key Takeaway

    1 item

    Network Firewall category filtering is the item to act on. It gives you a real, low-maintenance control over outbound access to AI services and other risky categories, with logging you can actually review. Stand it up where you already centralize egress, and read the new supply-chain guidance if you run CI/CD on AWS.

    Filed Under
    Network Firewall · Egress Filtering · Generative AI · Supply Chain · Transit Gateway · CloudWatch · Well-Architected
