AWS Security Digest · Week 1 of 2026 · Jan 1-5, 2026 · 5 items

    S3 SSE-C Encryption Gets the Boot

    AWS announces SSE-C will be disabled by default on new general-purpose S3 buckets starting April 2026, closing the Codefinger ransomware vector. Security Hub and Security Agent updates from re:Invent 2025 keep rolling out.

    In this issue: 1 high, 2 medium, 2 info

    Highlights

    4 items
    high / Service Update

    AWS to Disable S3 SSE-C Encryption by Default (April 2026)

    AWS published advance notice that starting April 6, 2026, SSE-C (Server-Side Encryption with Customer-Provided Keys) will be disabled by default on all new S3 buckets and existing buckets without SSE-C data. The Cloud Security Alliance noted this also closes a ransomware attack vector where attackers re-encrypt objects with their own keys.

    S3
    medium / Feature Launch

    176 New Security Hub Controls in AWS Control Tower

    AWS Control Tower now supports 176 additional Security Hub controls in the Control Catalog, covering security, cost, durability, and operations use cases across multi-account environments.

    Control Tower, Security Hub
    medium / Feature Launch

    AWS Security Agent Now in Preview

    The AI-powered Security Agent announced at re:Invent 2025 is now available in preview. It conducts automated application security reviews and on-demand penetration testing from design to deployment - a shift-left security tool powered by frontier AI.

    Security Agent

    CVEs & Vulnerabilities

    1 item
    info / CVE

    CVE-2026-22611: AWS SDK for .NET SSRF Vulnerability

    Improper validation of the region parameter in the AWS SDK for .NET v4 allows routing API calls to non-AWS hosts, enabling server-side request forgery. Low severity (CVSS 3.7). Affects SDK v4 prior to 4.0.3.3. Fixed in November 2025, disclosed in this period.

    SDK

    Key Takeaway

    1 item

    The S3 SSE-C default change is the most impactful news this week. If your applications use SSE-C, audit your buckets before April 6. For everyone else, this is AWS closing a known ransomware vector - a welcome security-by-default improvement.

    Filed Under
    S3, SSE-C, Security Hub, Control Tower, Security Agent, re:Invent
