This week TLDR i.e. 1 minute version (For executives):
Amazon Elastic Container Registry (ECR) supports image replication within the AWS GovCloud (US) Regions.
AWS CodeBuild adds support for new IAM condition keys.
DynamoDB local is now accessible on AWS CloudShell.
Amazon Inspector enhances container security by mapping ECR images to running containers.
Amazon Cognito now supports OIDC prompt parameter.
Trending in Cloud & Cyber Security:
AWS Security Blogs & Bulletins:
Introducing the AWS User Guide to Governance, Risk and Compliance for Responsible AI Adoption within Financial Services Industries. Link.
General security blogs, articles, reports & trending news/advisories:
Threat modeling Cloud Service providers in 2025 by Chris Farris. Link.
Root in prod: The most important security analysis you will never do on your AWS accounts by Daniel Grzelak. Link.
KeePass trojanised in advanced malware campaign. Full report HERE.
Introducing Docker Hardened Images. Link.
Coinbase security incident details. Link.
This week Long i.e. 3-5 minutes version (For architects & engineers):
Amazon Elastic Container Registry (ECR) now supports replicating images from private ECR repositories across accounts and/or regions within the AWS GovCloud (US) Regions. This capability reduces application startup time by enabling faster in-region image pulls, minimizes latency, and supports backup and disaster recovery objectives. Link. Here’s my sample replication configuration:
AWS CodeBuild added support for new IAM condition keys for more precise access control over resource-modifying APIs. These keys let you enforce policies on VPC settings, buildspecs, and compute types—helping align CodeBuild usage with organizational security and compliance standards. Link. Here’s my sample policy:
Amazon DynamoDB local is now generally available in AWS CloudShell. This lets you develop and test DynamoDB apps locally, at no cost, without affecting production. Just use the dynamodb-local alias in CloudShell; no downloads or setup needed. To run CLI commands, use --endpoint-url http://localhost:8000. Link. For example, I created a DynamoDB table locally in my cloudshell using:

Amazon Inspector now links Amazon ECR images to running ECS tasks and EKS pods, helping you identify which images are actively used and prioritize patching the most critical in-use images. You can view image usage, last used time, and associated clusters via the Inspector console or API. Findings are updated automatically and sent to EventBridge. You can also adjust how long images are monitored after last use by setting the ECR re-scan duration. Link. For example, here’s one of my ECR images that hasn’t been used recently and has findings:
Amazon Cognito now supports the OpenID Connect (OIDC) prompt parameter in Managed Login, allowing finer control over authentication flows. Apps can use login to force re-authentication or none for silent checks. Cognito also supports the select_account and consent prompts for federated sign-ins. The login prompt lets apps require users to re-authenticate for sensitive actions without ending their session. The none prompt enables silent session checks, ideal for seamless single sign-on across apps using the same Cognito user pool. Link.