AWS Security & Ops Updates
AWS announced operational and security tweaks — CloudWatch can now ingest Security Hub CSPM findings organization‑wide and Bedrock supports structured outputs in GovCloud. Also noted: capacity‑optimized ECS deploys, PCI‑DSS best practices for EKS, a UK Customer Addendum for multi‑cloud portability, 143 new partners, and experiments with autonomous AI agents for security testing. (x.com)
Amazon CloudWatch’s new ability to ingest Security Hub CSPM findings can be enabled organization‑wide and is available in all AWS commercial regions, with findings delivered to CloudWatch Logs charged under tiered pricing. (cloudscoop.io)
Amazon Bedrock’s structured‑outputs feature landed in AWS GovCloud (US) on April 1, 2026, bringing schema‑compliant JSON responses and constrained‑decoding guarantees into US‑government regions. (aws.amazon.com)
Amazon ECS updates lean on managed capacity features: ECS Managed Instances now integrates with EC2 Capacity Reservations to reduce launch failures during demand spikes, and the managed‑infrastructure optimizations (idle‑instance detection and ScaleInAfter) automate capacity‑optimized scaling. (aws.amazon.com)
AWS published a new guide on building PCI DSS–compliant architectures for Amazon EKS that highlights using Bottlerocket, strict network segmentation, and container image hardening as prescriptive controls for PCI DSS v4.0 scoped workloads. (aws.amazon.com)
AWS’s UK Customer Switching and Portability Addendum formalizes commitments on multicloud choice, data portability, and switching assistance after sustained engagement with the UK Competition and Markets Authority. (aboutamazon.co.uk)
The AWS Partner Network’s regular “Say Hello” posts enumerate monthly designations across AWS Competency, Service Delivery, Service Ready and MSP programs and publish example partner names and verified specializations. (aws.amazon.com)
AWS says its new “frontier” agents—including the AWS Security Agent and AWS DevOps Agent—are generally available for security and ops use, with the Security Agent published as GA in six regions and described by AWS as a multi‑agent, on‑demand penetration‑testing system that validates exploits rather than just flagging findings. (aws.amazon.com)