chore(deps): update dependency aws/aws-sdk-php to v3.368.0 [security] #1916
This PR contains the following updates:
3.295.5 → 3.368.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-14761
Summary
S3 Encryption Client for PHP is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
Impact
Background - Key Commitment
There is a cryptographic property whereby, under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key: the key originally used to encrypt the message.
In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because multiple EDKs could be associated with an underlying encrypted message object. For such customers, an attack that leverages the lack of key commitment is possible. A bad actor would need two things to leverage this issue: (i) the ability to create a separate, rogue EDK that will also decrypt the underlying object to produce desired plaintext, and (ii) permission to upload a new instruction file to the S3 bucket to replace the existing instruction file placed there by the user using the S3EC. Any future attempt to decrypt the underlying encrypted message with the S3EC will unwittingly use the rogue EDK to produce a valid plaintext message.
Impacted versions: <= 3.367.0
Patches
We are introducing the concept of "key commitment" to S3EC, where the EDK is cryptographically bound to the ciphertext, in order to address this issue. In order to maintain compatibility for in-flight messages, we are releasing the fix in two versions: a code-compatible minor version that can read messages with key-commitment but not write them, and a new major version that can both read and write messages with key-commitment. For maximum safety, customers are asked to upgrade to the latest major version: 3.368.0 or later.
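The key-commitment check described above, as an added PHP example that is not code from the AWS SDK for PHP or from the advisory: a commitment derived from the data key is stored with the ciphertext and compared before decryption, so a key delivered by a replaced instruction file is rejected. The HKDF labels, field names and object layout are assumptions made for this example, not the S3EC message format.

```php
<?php
declare(strict_types=1);

// Added illustration of key commitment. This is NOT the S3EC message format:
// the HKDF labels, field names and object layout are assumptions for this example.
const ENC_LABEL    = 'example-encryption-key';
const COMMIT_LABEL = 'example-key-commitment';

/**
 * Derive two independent values from the data key: the AES key that encrypts
 * the message, and a commitment string that is stored with the ciphertext.
 */
function deriveKeys(string $dataKey, string $messageId): array
{
    return [
        'enc'    => hash_hkdf('sha512', $dataKey, 32, ENC_LABEL, $messageId),
        'commit' => hash_hkdf('sha512', $dataKey, 32, COMMIT_LABEL, $messageId),
    ];
}

/** Encrypt and return the object as it would be stored (ciphertext plus header fields). */
function encryptCommitted(string $plaintext, string $dataKey): array
{
    $messageId = random_bytes(32);   // per-message HKDF salt
    $iv        = random_bytes(12);   // 96-bit GCM nonce
    $keys      = deriveKeys($dataKey, $messageId);
    $tag       = '';
    // The commitment is also passed as AAD, so the GCM tag covers it.
    $ciphertext = openssl_encrypt(
        $plaintext, 'aes-256-gcm', $keys['enc'],
        OPENSSL_RAW_DATA, $iv, $tag, $keys['commit'], 16
    );
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'message_id' => $messageId,
        'iv'         => $iv,
        'commitment' => $keys['commit'],
        'ciphertext' => $ciphertext,
        'tag'        => $tag,
    ];
}

/** Decrypt only if the supplied data key matches the commitment stored with the object. */
function decryptCommitted(array $object, string $dataKey): string
{
    $keys = deriveKeys($dataKey, $object['message_id']);
    // Compare before touching the ciphertext; hash_equals() is constant-time.
    // This check does not rely on the GCM tag, which by itself does not
    // guarantee that a ciphertext authenticates under only one key.
    if (!hash_equals($object['commitment'], $keys['commit'])) {
        throw new RuntimeException('key commitment mismatch');
    }
    $plaintext = openssl_decrypt(
        $object['ciphertext'], 'aes-256-gcm', $keys['enc'],
        OPENSSL_RAW_DATA, $object['iv'], $object['tag'], $object['commitment']
    );
    if ($plaintext === false) {
        throw new RuntimeException('authentication tag check failed');
    }
    return $plaintext;
}

// Constructed sample data. In S3EC the instruction file holds an *encrypted*
// data key (EDK); here the unwrapped key stands in for it.
$originalInstructionFile = ['data_key' => random_bytes(32)];
$object = encryptCommitted('quarterly-report-v1', $originalInstructionFile['data_key']);

// Normal read: the key from the instruction file matches the stored commitment.
echo decryptCommitted($object, $originalInstructionFile['data_key']), PHP_EOL;

// The instruction file has been overwritten and now yields a different key.
$replacedInstructionFile = ['data_key' => random_bytes(32)];
try {
    decryptCommitted($object, $replacedInstructionFile['data_key']);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```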
Workarounds
There are no workarounds; please upgrade to the suggested version of S3EC.
References
If customers have any questions or comments about this advisory, AWS SDK for PHP asks that they contact AWS Security via the issue reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Release Notes
aws/aws-sdk-php (aws/aws-sdk-php)
v3.368.0
Aws\S3 - A new S3EncryptionClient implementation and a new KmsMaterialProvider implementation. S3EncryptionClientV3 now supports writing and reading objects with Key Commitment. KmsMaterialProviderV3 now supports verifying supplied encryption context on decryptCek calls.
Aws\TimestreamInfluxDB - This release adds support for rebooting InfluxDB DbInstances and DbClusters
Aws\IoT - Add support for dynamic payloads in IoT Device Management Commands
v3.367.3
Aws\MediaTailor - Added support for Ad Decision Server Configuration enabling HTTP POST requests with custom bodies, headers, GZIP compression, and dynamic variables. No changes required for existing GET request configurations.
Aws\Connect - Amazon Connect now supports outbound WhatsApp contacts via the Send message block or StartOutboundChatContact API. Send proactive messages for surveys, reminders, and updates. Offer customers the option to switch to WhatsApp while in queue, eliminating hold time.
Aws\BedrockAgentCoreControl - This release updates broken links for AgentCore Policy APIs in the AWS CLI and SDK resources.
Aws\Glacier - Documentation updates for Amazon Glacier's maintenance mode
Aws\Route53Resolver - Adds support for enabling detailed metrics on Route 53 Resolver endpoints using RniEnhancedMetricsEnabled and TargetNameServerMetricsEnabled in the CreateResolverEndpoint and UpdateResolverEndpoint APIs, providing enhanced visibility into Resolver endpoint and target name server performance.
Aws\CloudWatchLogs - This release allows you to import your historical CloudTrail Lake data into CloudWatch with a few steps, enabling you to easily consolidate operational, security, and compliance data in one place.
Aws\EC2 - EC2 Capacity Manager now supports SpotTotalCount, SpotTotalInterruptions and SpotInterruptionRate metrics for both vCPU and instance units.
Aws\S3 - This release adds support for the new optional field 'LifecycleExpirationDate' in S3 Inventory configurations.
Aws\Health - Updating Health API endpoint generation for dualstack only regions
Aws\EntityResolution - Support Customer Profiles Integration for AWS Entity Resolution
Aws\ServiceQuotas - Add support for SQ Dashboard Api
v3.367.2
Aws\WorkSpacesWeb - Adds support for portal branding customization, enabling administrators to personalize end-user portals with custom assets.
Aws\Connect - Amazon Connect now offers automated post-chat surveys triggered when customers end conversations. This captures timely feedback while experience is fresh, using either a no-code form builder or Amazon Lex-powered interactive surveys.
Aws\BCMRecommendedActions - Added new freetier action types to RecommendedAction.type.
Aws\DataSync - Adds Enhanced mode support for NFS and SMB locations. SMB credentials are now managed via Secrets Manager, and may be encrypted with service or customer managed keys. Increases AgentArns maximum count to 8 (max 4 per TaskMode). Adds folder counters to DescribeTaskExecution for Enhanced mode tasks.
v3.367.1
Aws\SESv2 - Update GetEmailIdentity and CreateEmailIdentity response to include SigningHostedZone in DkimAttributes. Updated PutEmailIdentityDkimSigningAttributes Response to include SigningHostedZone.
Aws\Lambda - Add Dotnet 10 (dotnet10) support to AWS Lambda.
Aws\QuickSight - This release adds new GetIdentityContext API, Dashboard customization options for tables and pivot tables, Visual styling options- borders and decals, map GeocodingPreferences, KeyPairCredentials for DataSourceCredentials. Snapshot APIs now support registered users. Parameters limit increased to 400
Aws\Organizations - Add support for policy operations on the NETWORK SECURITY DIRECTOR POLICY policy type.
Aws\SecretsManager - Add SortBy parameter to ListSecrets
v3.367.0
Aws\S3 - A new S3 Transfer Manager implementation with multipart download capabilities. It allows better ways to configure each operation. Includes Progress Tracking, Transfer Event Listeners, and Automatic Multipart Uploads/Downloads.
Aws\signer - Adds support for Signer GetRevocationStatus with updated endpoints
Aws\Odb - The following APIs now return CloudExadataInfrastructureArn and OdbNetworkArn fields for improved resource identification and AWS service integration - GetCloudVmCluster, ListCloudVmClusters, GetCloudAutonomousVmCluster, and ListCloudAutonomousVmClusters.
Aws\BillingConductor - Launch itemized custom line item and service line item filter
Aws\CloudWatch - This release introduces two additional protocols AWS JSON 1.1 and Smithy RPC v2 CBOR, replacing the currently utilized one, AWSQuery. AWS SDKs will prioritize the protocol that is the most performant for each language.
Aws\PartnerCentralSelling - Adds support for the new Project.AwsPartition field on Opportunity and AWS Opportunity Summary. Use this field to specify the AWS partition where the opportunity will be deployed.
Aws\OpenSearchService - The CreateApplication API now supports an optional kms key arn parameter to allow customers to specify a CMK for application encryption.
Aws\Bedrock - Automated Reasoning checks in Amazon Bedrock Guardrails is capable of generating policy scenarios to validate policies. The GetAutomatedReasoningPolicyBuildWorkflowResultAssets API now adds POLICY SCENARIO asset type, allowing customers to retrieve scenarios generated by the build workflow.
v3.366.4
Aws\IVSRealTime - Token Exchange introduces seamless token exchange capabilities for IVS RTX, enabling customers to upgrade or downgrade token capabilities and update token attributes within the IVS client SDK without forcing clients to disconnect and reconnect.
Aws\Account - This release adds a new API (GetGovCloudAccountInformation) used to retrieve information about a linked GovCloud account from the standard AWS partition.
Aws\Route53 - Amazon Route 53 now supports the EU (Germany) Region (eusc-de-east-1) for latency records, geoproximity records, and private DNS for Amazon VPCs in that region
Aws\AppSync - Update Event API to require EventConfig parameter in creation and update requests.
Aws\GuardDuty - Adding support for Ec2LaunchTemplate Version field
Aws\mgn - Added parameters encryption, IPv4/IPv6 protocol configuration, and enhanced tagging support for replication operations.
v3.366.3
Aws\EC2 - Amazon EC2 P6-B300 instances provide 8x NVIDIA Blackwell Ultra GPUs with 2.1 TB high bandwidth GPU memory, 6.4 Tbps EFA networking, 300 Gbps dedicated ENA throughput, and 4 TB of system memory. Amazon EC2 C8a instances are powered by 5th Gen AMD EPYC processors with a maximum frequency of 4.5 GHz.
Aws\RolesAnywhere - Increases certificate string length for trust anchor source data to support ML-DSA certificates.
Aws\PartnerCentralSelling - Deal Sizing Service for AI-based deal size estimation with AWS service-level breakdown, supporting Expansion and Migration deals across Technology, and Reseller partner cohorts, including Pricing Calculator AddOn for MAP deals and funding incentives.
Aws\RDS - Adding support for tagging RDS Instance/Cluster Automated Backups
Aws\IdentityStore - Updating AWS Identity Store APIs to support Attribute Extensions capability, with the first release adding Enterprise Attributes. This launch aligns Identity Store APIs with SCIM for enterprise attributes, reducing cases when customers are forced to use SCIM due to lack of SigV4 API support.
Aws\RedshiftServerless - Added GetIdentityCenterAuthToken API to retrieve encrypted authentication tokens for Identity Center integrated serverless workgroups. This API enables programmatic access to secure Identity Center tokens with proper error handling and parameter validation across supported SDK languages.
Aws\SESv2 - Update Mail Manager Archive ARN validation
Aws\CostExplorer - Add support for Cost Category resource associations including filtering by resource type on ListCostCategoryDefinitions and new ListCostCategoryResourceAssociations API.
v3.366.2
Aws\ - Enhance exponential delay calculation to reduce the possibilities of having 0 as the delay.
Aws\SESv2 - Updating the desired url for PutEmailIdentityDkimSigningAttributes from v1 to v2
Aws\PartnerCentralAccount - Adding Verification API's to Partner Central Account SDK.
Aws\ECS - Updating stop-task API to encapsulate containers with custom stop signal
Aws\Inspector2 - This release adds a new ScanStatus called "Unsupported Code Artifacts". This ScanStatus will be returned when a Lambda function was not code scanned because it has unsupported code artifacts.
Aws\IAM - Adding the ExpirationTime attribute to the delegation request resource.
v3.366.1
Aws\Lambda - Add DisallowedByVpcEncryptionControl to the LastUpdateStatusReasonCode and StateReasonCode enums to represent failures caused by VPC Encryption Controls.
v3.366.0
Aws\ - Adds support for PHP 8.5
Aws\Bedrock - Adding support in Amazon Bedrock to customize models with reinforcement fine-tuning (RFT) and support for updating the existing Custom Model Deployments.
Aws\SageMaker - Introduces Serverless training: A fully managed compute infrastructure that abstracts away all infrastructure complexity, allowing you to focus purely on model development. Added AI model customization assets used to train, refine, and evaluate custom models during the model customization process.
v3.365.0
Aws\ - Fixed an issue in NonSeekableStreamDecodingEventStreamIterator where partial reads from non-seekable streams could result in truncated payloads and CRC mismatches.
Aws\RDS - RDS Oracle and SQL Server: Add support for adding, modifying, and removing additional storage volumes, offering up to 256TiB storage; RDS SQL Server: Support Developer Edition via custom engine versions for development and testing purposes; M7i/R7i instances with Optimize CPU for cost savings.
Aws\S3Tables - Add storage class, replication, and table record expiration features to S3 Tables.
Aws\S3Vectors - Amazon S3 Vectors provides cost-effective, elastic, and durable vector storage for queries based on semantic meaning and similarity.
Aws\Lambda - Launching Lambda durable functions - a new feature to build reliable multi-step applications and AI workflows natively within the Lambda developer experience.
Aws\CostExplorer - This release updates existing Savings Plans Purchase Analyzer and Recommendations APIs to support Database Savings Plans.
Aws\OpenSearchServerless - GPU-acceleration helps you build large-scale vector databases faster and more efficiently. You can enable this feature on new OpenSearch domains and OpenSearch Serverless collections. This feature uses GPU-acceleration to reduce the time needed to index data into vector indexes.
Aws\SavingsPlans - Added support for Amazon Database Savings Plans
Aws\BedrockAgentCore - Support for AgentCore Evaluations and Episodic memory strategy for AgentCore Memory.
Aws\S3 - New S3 Storage Class FSX_ONTAP
Aws\GuardDuty - Adding support for extended threat detection for Amazon EC2 and Amazon ECS. Adding support for wild card suppression rules.
Aws\Bedrock - Adds the audioDataDeliveryEnabled boolean field to the Model Invocation Logging Configuration.
Aws\CloudWatchLogs - CloudWatch Logs adds managed S3 Tables integration to access logs using other analytical tools, as well as facets and field indexing to simplify log analytics in CloudWatch Logs Insights.
Aws\OpenSearchService - GPU-acceleration helps you build large-scale vector databases faster and more efficiently. You can enable this feature on new OpenSearch domains and OpenSearch Serverless collections. This feature uses GPU-acceleration to reduce the time needed to index data into vector indexes.
Aws\NovaAct - Initial release of Nova Act SDK. The Nova Act service enables customers to build and manage fleets of agents for automating production UI workflows with high reliability, fastest time-to-value, and ease of implementation at scale.
Aws\BedrockRuntime - Adds support for Audio Blocks and Streaming Image Output plus new Stop Reasons of malformed_model_output and malformed_tool_use.
Aws\BedrockAgentCoreControl - Supports AgentCore Evaluations, Policy, Episodic Memory Strategy, Resource Based Policy for Runtime and Gateway APIs, API Gateway Rest API Targets and enhances JWT authorizer.
Aws\SecurityHub - ITSM enhancements: DRYRUN mode for testing ticket creation, ServiceNow now uses AWS Secrets Manager for credentials, ConnectorRegistrationsV2 renamed to RegisterConnectorV2, added ServiceQuotaExceededException error, and ConnectorStatus visibility in CreateConnectorV2.
Aws\SageMaker - Added support for serverless MLflow Apps. Added support for new HubContentTypes (DataSet and JsonDoc) in Private Hub for AI model customization assets, enabling tracking and management of training datasets and evaluators (reward functions/prompts) throughout the ML lifecycle.
Aws\DataZone - Amazon DataZone now supports exporting Catalog datasets as Amazon S3 tables, and provides automatic business glossary term suggestions for data assets.
Aws\FSx - S3 Access Points support for FSx for NetApp ONTAP
Aws\ObservabilityAdmin - CloudWatch Observability Admin adds pipelines configuration for third party log ingestion and transformation of all logs ingested, integration of CloudWatch logs with S3 Tables, and AWS account or organization level enablement for 7 AWS services.
Aws\S3Control - Add support for S3 Storage Lens Advanced Performance Metrics, Expanded Prefixes metrics report, and export to S3 Tables.
v3.364.0
Aws\Connect - This is a combined re:Invent release for Amazon Connect.
Aws\CustomerProfiles - This release introduces, CRUD APIs for the DomainObjectType and Recommender resources, APIs to offer statistical insights on Object Type Attributes, Changes to SegmentDefinition APIs to support SQL queries to create Segments, and Changes to Domain APIs to support Data Store.
Aws\CleanRooms - AWS Clean Rooms now supports privacy-enhancing synthetic dataset generation for custom ML training.
Aws\PartnerCentralSelling - New Features: Lead Management APIs for capturing and nurturing leads Lead invitation support for partner collaboration Lead-to-opportunity conversion operations AWS Marketplace OfferSets support for opportunities
Aws\Personalize - This release adds support for includedDatasetColumns and performIncrementalUpdate in solution APIs, and rankingInfluence in campaign and batch inference APIs.
Aws\PartnerCentralAccount - Initial GA launch of Partner Central Account
Aws\MarketplaceCatalog - This release introduces offer set entity in AWS Marketplace Catalog API to enable multi-product transaction. Offer set enables sellers to group multiple private offers into a single-click purchase experience, simplifying procurement for customers purchasing multi-product solutions.
Aws\AppIntegrationsService - This release adds support for MCP servers via the ApplicationType field, allowing customers to register their Bedrock AgentCore gateways as third party applications.
Aws\BedrockAgent - Support audio and video ingestion on Bedrock Knowledge Bases.
Aws\Lambda - Launching Lambda Managed Instances - a new feature to run Lambda on EC2.
Aws\ConnectCampaignsV2 - This release added support for new WhatsApp channel and Journey type outbound campaign
Aws\Route53GlobalResolver - Add SDK for Amazon Route 53 Global Resolver, a fully managed DNS resolver service that offers broad DNS-filtering security controls.
Aws\BedrockAgentRuntime - Support audio and video content retrieval on Bedrock Knowledge Bases.
Aws\CleanRoomsML - AWS Clean Rooms ML now supports privacy-enhancing synthetic dataset generation for custom ML training.
Aws\Glue - feature: Glue: Add support for Iceberg materialized view in Glue Data Catalog, including updated CreateTable API to support materialized views and new APIs for managing data refresh for materialized views. feature: Glue: Add support for Iceberg table encryption keys and struct field defaults.
Aws\LexModelsV2 - Adds support for speech-to-speech models for human-like, adaptive, and expressive voice interactions. Also adds support for speech model preference, allowing customers to select which speech model they want to use for speech-to-text requests.
Aws\EKS - This release adds support for EKS Capabilities
Aws\ConnectParticipant - Amazon Connect now supports message processing that intercepts and processes chat messages before they reach any participant.
Aws\QConnect - New AIAgent types: Orchestration for ModelContextProtocol tool integration, CaseSummary for Amazon Connect Case summaries, NoteTaker for Agent Assistance notes. Added ListSpans and Retrieve APIs. Enhanced Q in Connect AssistantAssociationType to support Bring Your Own Bedrock Knowledge Bases.
Aws\PartnerCentralBenefits - Initial GA launch of Partner Central Benefits
Aws\MarketplaceAgreement - This release supports 1/multi-product transactions via offer sets. DescribeAgreement and SearchAgreements APIs now return offer set IDs. SearchAgreements also supports filtering by offer set ID and 2/variable payment pricing terms will be returned through GetAgreementTerms.
v3.363.3
Aws\ComputeOptimizer - Compute Optimizer now identifies idle NAT Gateway resources for cost optimization based on traffic patterns and backup configuration analysis. Access recommendations via the GetIdleRecommendations API.
Aws\CostOptimizationHub - This release enables AWS Cost Optimization Hub to show cost optimization recommendations for NAT Gateway.
Aws\BedrockRuntime - Bedrock Runtime Reserved Service Support
v3.363.2
Aws\EC2 - This release adds support to view Network firewall proxy appliances attached to an existing NAT Gateway via DescribeNatGateways API NatGatewayAttachedAppliance structure.
Aws\Route53 - Adds support for new route53 feature: accelerated recovery.
Aws\Organizations - Add support for policy operations on the S3_POLICY and BEDROCK_POLICY policy type.
Aws\NetworkFirewall - Network Firewall release of the Proxy feature.
v3.363.1
Aws\CloudFront - Add TrustStore, ConnectionFunction APIs to CloudFront SDK
Aws\CloudWatchLogs - New CloudWatch Logs feature - LogGroup Deletion Protection, a capability that allows customers to safeguard their critical CloudWatch log groups from accidental or unintended deletion.
v3.363.0
Aws\SecurityIR - Add ListInvestigations and SendFeedback APIs to support SecurityIR AI agents
Aws\MailManager - Add support for resources in the aws-eusc partition.
Aws\ECR - Add support for ECR managed signing
Aws\Athena - Introduces Spark workgroup features including log persistence, S3/CloudWatch delivery, UI and History Server APIs, and SparkConnect 3.5.6 support. Adds DPU usage limits at workgroup and query levels as well as DPU usage tracking for Capacity Reservation queries to optimize performance and costs.
Aws\CloudFormation - Adds the DependsOn field to the AutoDeployment configuration parameter for CreateStackSet, UpdateStackSet, and DescribeStackSet APIs, allowing users to set and read auto-deployment dependencies between StackSets
Aws\KMS - Support for on-demand rotation of AWS KMS Multi-Region keys with imported key material
Aws\KinesisVideo - This release adds support for Tiered Storage
Aws\APIGateway - API Gateway supports VPC link V2 for REST APIs.
Aws\Odb - Adds AssociateIamRoleToResource and DisassociateIamRoleFromResource APIs for managing IAM roles. Enhances CreateOdbNetwork and UpdateOdbNetwork APIs with KMS, STS, and cross-region S3 parameters. Adds OCI identity domain support to InitializeService API.
Aws\BedrockAgentCoreControl - Support for agentcore gateway interceptor configurations and NONE authorizer type
Aws\ComputeOptimizerAutomation - Initial release of AWS Compute Optimizer Automation. Create automation rules to implement recommended actions on a recurring schedule based on your specified criteria. Supported actions include: snapshot and delete unattached EBS volumes and upgrade volume types to the latest generation.
Aws\RDS - Add support for Upgrade Rollout Order
Aws\SESv2 - Added support for new SES regions - Asia Pacific (Malaysia) and Canada (Calgary)
Aws\Organizations - Add support for policy operations on the UPGRADE_ROLLOUT_POLICY policy type.
Aws\ControlTower - The manifest field is now optional for the AWS Control Tower CreateLandingZone and UpdateLandingZone APIs for Landing Zone version 4.0
Aws\MediaPackageV2 - Adds support for excluding session key tags from HLS multivariant playlists
Aws\Connect - New APIs to support aliases and versions for ContactFlowModule. Updated ContactFlowModule APIs to support custom blocks.
Aws\QConnect - This release introduces two new messaging channel subtypes: Push, WhatsApp, under MessageTemplate which is a resource in Amazon Q in Connect.
Aws\BedrockRuntime - Add support to automatically enforce safeguards across accounts within an AWS Organization.
Aws\ElasticLoadBalancingv2 - This release adds the health check log feature in ALB, allowing customers to send detailed target health check log data directly to their designated Amazon S3 bucket.
Aws\BedrockDataAutomationRuntime - Adding new fields to GetDataAutomationStatus: jobSubmissionTime, jobCompletionTime, and jobDurationInSeconds
Aws\Bedrock - Add support to automatically enforce safeguards across accounts within an AWS Organization.
Aws\EKS - Adds support for controlPlaneScalingConfig on EKS Clusters.
Aws\MarketplaceMetering - Endpoint update for new region
Aws\EC2 - This release adds a new capability to create and manage interruptible EC2 Capacity Reservations.
Aws\Lambda - Launching Enhanced Error Handling and ESM Grouping capabilities for Kafka ESMs
Aws\RedshiftServerless - Added UpdateLakehouseConfiguration API to manage Amazon Redshift Federated Permissions and AWS IAM Identity Center trusted identity propagation for namespaces.
Aws\LexModelsV2 - Adds support for Intent Disambiguation, allowing resolution of ambiguous user inputs when multiple intents match by presenting clarifying questions to users. Also adds Speech Detection Sensitivity configuration for optimizing voice activity detection sensitivity levels in various noise environments.
Aws\QuickSight - Amazon Quick Suite now supports QuickChat as an embedding type when calling the GenerateEmbedUrlForRegisteredUser API, enabling developers to embed conversational AI agents directly into their applications.
Aws\SageMaker - Enhanced SageMaker HyperPod instance groups with support for MinInstanceCount, CapacityRequirements (Spot/On-Demand), and KubernetesConfig (labels and taints). Also Added speculative decoding and MaxInstanceCount for model optimization jobs.
Aws\MarketplaceEntitlementService - Endpoint update for new region
Aws\Transfer - Adds support for creating Webapps accessible from a VPC.
Aws\Invoicing - Added the CreateProcurementPortalPreference, GetProcurementPortalPreference, PutProcurementPortalPreference, UpdateProcurementPortalPreferenceStatus, ListProcurementPortalPreferences and DeleteProcurementPortalPreference APIs for procurement portal preference management.
Aws\Redshift - Added support for Amazon Redshift Federated Permissions and AWS IAM Identity Center trusted identity propagation.
v3.362.1
Aws\Organizations - Added new APIs for Billing Transfer, new policy type INSPECTOR_POLICY, and allow an account to transfer between organizations
Aws\DeviceFarm - Add support for environment variables and an IAM execution role.
Aws\DatabaseMigrationService - Added support for customer-managed KMS key (CMK) for encryption for import private key certificate. Additionally added Amazon SageMaker Lakehouse endpoint used for zero-ETL integrations with data warehouses.
Aws\ApplicationSignals - Amazon CloudWatch Application Signals now supports un-instrumented services discovery, cross-account views, and change history, helping SRE and DevOps teams monitor and troubleshoot their large-scale distributed applications.
Aws\SecurityHub - Release Findings and Resources Trends APIs- GetFindingsTrendsV2 and GetResourcesTrendsV2. This supports time-series aggregated counts with composite filtering for 1-year of historical data analysis of Findings and Resources.
Aws\Glue - Added FunctionType parameter to Glue GetuserDefinedFunctions.
Aws\LicenseManager - Added cross-account resource aggregation via license asset groups and expiry tracking for Self-Managed Licenses. Extended Org-Wide View to Self-Managed Licenses, added reporting for license asset groups, and removed Athena/Glue dependencies for cross-account resource discovery in commercial regions.
Aws\BedrockDataAutomationRuntime - Bedrock Data Automation Runtime Sync API
Aws\CloudFront - This release adds support for bring your own IP (BYOIP) to CloudFront's CreateAnycastIpList API through an optional IpamCidrConfigs field.
Aws\RDS - Add support for VPC Encryption Controls.
Aws\BedrockAgentCore - Bedrock AgentCore Memory release for redriving memory extraction jobs (StartMemoryExtractionJob and ListMemoryExtractionJob)
Aws\imagebuilder - EC2 Image Builder now enables the distribution of existing AMIs, retry distribution, and define distribution workflows. It also supports automatic versioning for recipes and components, allowing automatic version increments and dynamic referencing in pipelines.
Aws\AutoScaling - This release adds support for three new features: 1) Image ID overrides in mixed instances policy, 2) Replace Root Volume - a new strategy for Instance Refresh, and 3) Instance Lifecycle Policy for enhanced instance lifecycle management.
Aws\RecycleBin - Add support for EBS volume in Recycle Bin
Aws\QuickSight - Introducing comprehensive theme styling controls. New features include border customization (radius, width, color), flexible padding controls, background styling for cards and sheets, centralized typography management, and visual-level override support across layouts.
Aws\ECS - Launching Amazon ECS Express Mode - a new feature that enables developers to quickly launch highly available, scalable containerized applications with a single command.
Aws\Connect - Add optional ability to exclude users from send notification actions for Contact Lens Rules.
Aws\DataSync - The partition value "aws-eusc" is now permitted for ARN (Amazon Resource Name) fields.
Aws\EMR - Add support for configuring S3 destination for step logs on a per-step basis.
Aws\CloudTrail - AWS launches CloudTrail aggregated events to simplify monitoring of data events at scale. This feature delivers both granular and summarized data events for resources like S3/Lambda, helping security teams identify patterns without custom aggregation logic.
Aws\EC2 - This release adds support for multiple features including: VPC Encryption Control for the status of traffic flow; S2S VPN BGP Logging; TGW Flexible Costs; IPAM allocation of static IPs from IPAM pools to CF Anycast IP lists used on CloudFront distribution; and EBS Volume Integration with Recycle Bin
Aws\SageMaker - Added training plan support for inference endpoints. Added HyperPod task governance with accelerator partition-based quota allocation. Added BatchRebootClusterNodes and BatchReplaceClusterNodes APIs. Updated ListClusterNodes to include privateDnsHostName.
Aws\Kinesis - Kinesis Data Streams now supports up to 50 Enhance Fan-out consumers for On-demand Advantage Streams. On-demand Standard and Provisioned streams will continue with the existing limit of 20 consumers for Enhanced Fan-out.
Aws\Braket - Add support for Braket spending limits.
Aws\LakeFormation - Added ServiceIntegrations as a request parameter for CreateLakeFormationIdentityCenterConfigurationRequest and UpdateLakeFormationIdentityCenterConfigurationRequest and response parameter for DescribeLakeFormationIdentityCenterConfigurationResponse
Aws\ElasticLoadBalancingv2 - This release adds the target optimizer feature in ALB, enabling strict concurrency enforcement on targets.
Aws\RedshiftDataAPIService - Increasing the length limit of Statement Name from 500 to 2048.
Aws\NetworkManager - This release adds support for Cloud WAN Routing Policy providing customers sophisticated routing controls to better manage their global networks
Aws\S3 - Enable / Disable ABAC on a general purpose bucket.
Aws\Budgets - Add BillingViewHealthStatusException to DescribeBudgetPerformanceHistory and ServiceQuotaExceededException to UpdateBudget for improved error handling with Billing Views.
Aws\BedrockDataAutomation - Added support for Synchronous project type and PII Detection and Redaction
Aws\DSQL - Added clusterVpcEndpoint field to GetVpcEndpointServiceName API response, returning the VPC connection endpoint for the cluster
v3.362.0
Aws\Credentials - Adds LoginCredentialProvider, which supports AWS Console sign-in credentials through the aws login CLI workflow.
v3.361.0
Aws\Route53 - Add dual-stack endpoint support for Route53
Aws\CloudWatchRUM - CloudWatch RUM now supports mobile application monitoring for Android and iOS platforms
Aws\DataZone - Amazon DataZone now supports business metadata (readme and metadata forms) at the individual attribute (column) level, a new rule type for glossary terms, and the ability to update the owner of the root domain unit.
Aws\Lambda - Added support for creating and invoking Tenant Isolated functions in AWS Lambda APIs.
Aws\Inspector2 - This release introduces BLOCKED_BY_ORGANIZATION_POLICY error code and IMAGE_ARCHIVED scanStatusReason. BLOCKED_BY_ORGANIZATION_POLICY error code is returned when an operation is blocked by an AWS Organizations policy. IMAGE_ARCHIVED scanStatusReason is returned when an Image is archived in ECR.
Aws\Signin - AWS Sign-In manages authentication for AWS services. This service provides secure authentication flows for accessing AWS resources from the console and developer tools. This release adds the CreateOAuth2Token API, which can be used to fetch OAuth2 access tokens and refresh tokens from Sign-In.
Aws\EC2 - This launch adds support for two new features: Regional NAT Gateway and IPAM Policies. IPAM policies offer customers central control for public IPv4 assignments across AWS services. Regional NAT is a single NAT Gateway that automatically expands across AZs in a VPC to maintain high availability.
Aws\Billing - Added name filtering support to ListBillingViews API through the new names parameter to efficiently filter billing views by name.
Aws\MediaConnect - This release adds support for global routing in AWS Elemental MediaConnect. You can now use router inputs and router outputs to manage global video and audio routing workflows both within the AWS-Cloud and over the public internet.
Aws\CostExplorer - Add support for COST_CATEGORY, TAG, and LINKED_ACCOUNT AWS managed cost anomaly detection monitors
Aws\IAM - Added the EnableOutboundWebIdentityFederation, DisableOutboundWebIdentityFederation and GetOutboundWebIdentityFederationInfo APIs for the IAM outbound federation feature.
Aws\SecretsManager - Adds support to create, update, retrieve, rotate, and delete managed external secrets.
Aws\PartnerCentralChannel - Initial GA launch of Partner Central Channel
Aws\SFN - Adds support to TestState for mocked results and exceptions, along with additional inspection data.
Aws\GuardDuty - Add support for scanning and viewing scan results for backup resource types
Aws\FSx - Adding File Server Resource Manager configuration to FSx Windows
Aws\EMR - Add CloudWatch Logs integration for Spark driver, executor and step logs
Aws\NetworkFirewall - Partner Managed Rulegroup feature support
Aws\S3 - Adds support for blocking SSE-C writes to general purpose buckets.
Aws\Invoicing - Add support for adding Billing transfers in Invoice configuration
Aws\NetworkFlowMonitor - Added new enum value (AWS::EKS::Cluster) for type field under MonitorLocalResource
Aws\Health - Adds actionability and personas properties to Health events exposed through DescribeEvents, DescribeEventsForOrganization, DescribeEventDetails, and DescribeEventTypes APIs. Adds filtering by actionabilities and personas in EventFilter, OrganizationEventFilter, EventTypeFilter.
Aws\CloudTrail - AWS CloudTrail now supports Insights for data events, expanding beyond management events to automatically detect unusual activity on data plane operations.
Aws\BedrockRuntime - This release includes support for Search Results.
Aws\CostOptimizationHub - Release ListEfficiencyMetrics API
Aws\APIGateway - API Gateway now supports response streaming and new security policies for REST APIs and custom domain names.
Aws\CloudWatchLogs - Adding support for ocsf version 1.5, add optional parameter MappingVersion
Aws\BillingConductor - This release adds support for Billing Transfers, enabling management of billing transfers with billing groups on AWS Billing Conductor.
Aws\ApiGatewayV2 - Support for API Gateway portals and portal products.
Aws\SageMaker - Added support for enhanced metrics for SageMaker AI Endpoints. This feature provides Utilization Metrics at instance and container granularity and also provides easy configuration of metric publish frequency from 10 sec -> 5 mins
Aws\ECR - Add support for ECR archival storage class and Inspector org policy for scanning
Aws\ECS - Added support for Amazon ECS Managed Instances infrastructure optimization configuration.
Aws\ConnectCampaignsV2 - This release added support for ring timer configuration for campaign calls.
Aws\Backup - Amazon GuardDuty Malware Protection now supports AWS Backup, extending malware detection capabilities to EC2, EBS, and S3 backups.
Aws\BCMPricingCalculator - Add GroupSharingPreference, CostCategoryGroupSharingPreferenceArn, and CostCategoryGroupSharingPreferenceEffectiveDate to Bill Estimate. Add GroupSharingPreference and CostCategoryGroupSharingPreferenceArn to Bill Scenario.
Aws\MediaLive - MediaLive is adding support for MediaConnect Router by supporting a new input type called MEDIACONNECT_ROUTER. This new input type will provide seamless encrypted transport between MediaConnect Router and your MediaLive channel.
Aws\DynamoDB - Extended Global Secondary Index (GSI) composite keys to support up to 8 attributes.
Aws\STS - IAM now supports outbound identity federation via the STS GetWebIdentityToken API, enabling AWS workloads to securely authenticate with external services using short-lived JSON Web Tokens.
v3.360.1
Aws\AutoScaling - This release adds the new LaunchInstances API, which can launch instances synchronously in an AutoScaling group. The API also returns instances info and launch error back immediately.
Aws\BedrockRuntime - Amazon Bedrock Runtime Service Tier Support Launch
Aws\EC2 - AWS Site-to-Site VPN now supports VPN Concentrator, a new feature that enables customers to connect multiple low-bandwidth sites connections through a single attachment, simplifying multi-site connectivity for distributed enterprises.
Aws\ResourceGroupsTaggingAPI - Add support for new ListRequiredTags API used to retrieve the required tags specified in a customer's effective tag policy.
Aws\IAM - Added the AssociateDelegationRequest, GetDelegationRequest, AcceptDelegationRequest, RejectDelegatonRequest, ListDelegationRequests, UpdateDelegationRequest, SendDelegationToken and GetHumanReadableSummary APIs for the IAM temporary delegation feature.
Aws\Backup - AWS Backup now supports a low-cost warm storage tier for Amazon S3 backup data.
Aws\Kafka - Amazon MSK adds three new APIs, ListTopics, DescribeTopic, and DescribeTopicPartitions for viewing Kafka topics in your MSK clusters.
Aws\CloudFormation - New CloudFormation DescribeEvents API with operation ID tracking and failure filtering capabilities to quickly identify root causes of deployment failures. Also, a DeploymentMode parameter for the CreateChangeSet API that enables creation of drift-aware change sets for safe drift management.
Aws\StorageGateway - Adds support for European Sovereign Cloud ARNs in Storage Gateway API parameters.
Aws\WAFV2 - AssociateWebACL, UpdateWebACL and PutLoggingConfiguration will now throw WAFFeatureNotIncludedInPricingPlanException when the request contains a feature that is not included in the CloudFront pricing plan of the WebACL.
Aws\CloudWatchLogs - CloudWatch Logs updates: Added capability to setup a recurring schedule for log insights queries. Logs introduced Scheduled Queries (managed through Create/Update/Get/Delete/List/History Scheduled Query APIs). For more information, see CloudWatch Logs API documentation.
Aws\Connect - This release added support for ring timer configuration for campaign calls.
v3.360.0
Aws\Glue - Amazon Glue Releasing 2 the new API ListIntegrationResourceProperties and DeleteIntegrationResourceProperty along with minor improvement on existing API(s).
Aws\MediaPackageV2 - Add support for SCTE messages in Segment file output
Aws\LexModelsV2 - Adds support for LLM as Primary, allowing usage of LLMs as the default NLU system.
Aws\PCS - Added support for the managed Slurm REST API endpoint
Aws\GuardDuty - Add S3 On-Demand Object Scanning
Aws\Backup - AWS Backup now supports specifying a logically air-gapped backup vault as a primary backup target in backup plans and on-demand backup jobs.
Aws\OpenSearchService - This release adds index operation APIs to support Automatic Semantic Enrichment feature
Aws\MediaLive - Adds configurations for spatial/temporal adaptive quantization in AV1 codec, and conversion to HLG output color space in H265 codec.
Aws\Route53Resolver - Adding DICTIONARY_DGA to dns-threat-protection as a new enum type. Customers can now set rules for dictionary dga protection
Aws\AppStream - Adding support for additional instances and extended storage
Aws\EC2 - This release introduces new APIs: DescribeInstanceSqlHaStates, DescribeInstanceSqlHaHistoryStates, EnableInstanceSqlHaStandbyDetections and DisableInstanceSqlHaStandbyDetections on Amazon EC2, allowing customers to enroll and monitor SQL Server licensing fee savings for their SQL HA EC2 instances.
Aws\DeviceFarm - This release adds support for interacting with devices during a remote access session using the remoteDriverEndpoint interface
Aws\MWAAServerless - Amazon MWAA now offers serverless deployment, eliminating operational overhead while optimizing costs. The service supports YAML and Python-based workflows, with 80+ AWS Operators. It provides isolated execution, IAM permissions, and automatic scaling with pay-per-use pricing.
Aws\DatabaseMigrationService - This release introduces the SAP ASE(Sybase) Data Provider for AWS Data Migration Service (DMS). In addition, DMS Schema Conversion now supports this provider, enabling customers to migrate SAP ASE(Sybase) databases to Amazon RDS for PostgreSQL or Aurora PostgreSQL seamlessly.
Aws\Bedrock - Automated Reasoning checks in Amazon Bedrock Guardrails now automatically generate Q&A tests for new Automated Reasoning policies. The GetAutomatedReasoningPolicyBuildWorkflowResultAssets API adds GENERATED_TEST_CASES asset type, allowing customers to retrieve tests generated by the build workflow.
v3.359.13
Aws\imagebuilder - EC2 Image Builder now supports invoking Lambda functions and executing Step Functions state machine through image workflows.
Aws\MediaLive - Removed all the value constraint (min/max) for the shape definitions (e.g. integerMin0Max3600) on the C2j models to get rid of the need to request an exemption from the SDK team whenever a shape definition (e.g. integerMin0Max3600) is changed.
Aws\DataZone - Adds support for granting read and write access to Amazon S3 general purpose buckets using CreateSubscriptionRequest and AcceptSubscriptionRequest APIs. Also adds search filters for SSOUser and SSOGroup to ListSubscriptions APIs and deprecates "sortBy" parameter for ListSubscriptions APIs.
Aws\EC2 - This release adds AvailabilityZoneId support for CreateInstanceConnectEndpoint, DescribeInstanceConnectEndpoints, and DeleteInstanceConnectEndpoint APIs.
v3.359.12
Aws\EC2 - Added support for new accelerator types ("media") and accelerator names ("L4", "L40s", "GAUDI_HL_205", "INFERENTIA2", "TRAINIUM", "TRAINIUM2", "U30") in Attributes Based Instance Type Selection for launched instance types.
Aws\IoTWireless - Integration of Device Location with Amazon Sidewalk network for Amazon Sidewalk enabled devices
Aws\ControlCatalog - Added support for related control mappings with new RELATED_CONTROL mapping type in ListControlMappings API.
Aws\WorkSpacesWeb - Support for managing web content filtering for defining, tracking and regulating type of content accessed with WorkSpaces Secure Browser as part of browser settings.
Aws\MediaConvert - Lowers minimum duration for black video generator. Adds support for embedding and signing C2PA content credentials in DASH and CMAF HLS outputs.
Aws\RDS - Updated endpoint and service metadata
Aws\CloudFormation - CloudFormation now supports GetHookResult API with annotations to retrieve structured compliance check results and remediation guidance for each evaluated resource, replacing the previous single-message limitation with detailed validation outcomes.
Aws\ECR - Add Amazon ECR FIPS PrivateLink endpoint support
Aws\ElasticLoadBalancingv2 - QUIC and TCP_QUIC protocol support for Network Load Balancer (NLB). This capability enables customers to forward QUIC traffic to their targets with ultra-low latency while maintaining session stickiness using QUIC Connection IDs.
Aws\SageMaker - Added support for minor version upgrades and AWS Identity Center integration for SageMaker Hadron Partner Apps, enabling automated version management and IdC group-based access control.
v3.359.11
Aws\Connect - Updated Authentication Profile APIs to add support for automatic logout on user inactivity
Aws\ElasticLoadBalancingv2 - This release expands ALB Authentication to support JWT verification and adds support for a new JWT validation action in listener rule.
Aws\EC2 - Adds complete AMI ancestry tracing from immediate parent through each preceding generation back to the root AMI
Aws\DatabaseMigrationService - Added support of SQL statements creation, metadata model discovery and selection rules transformation.
Aws\S3Tables - Adds support for request metrics APIs for S3 Tables
Aws\PrometheusService - Add VPC source configuration support enabling Amazon Managed Service for Prometheus Collector to collect metrics from MSK clusters.
Aws\Redshift - Added GetIdentityCenterAuthToken API to retrieve encrypted authentication tokens for Identity Center integrated applications. This API enables programmatic access to secure Identity Center tokens with proper error handling and parameter validation across supported SDK languages.
Aws\SageMaker - Add support for trn2.3xlarge instance type for SageMaker Hyperpod
v3.359.10
Aws\RTBFabric - Added LogSettings and LinkAttribute fields to external links
Aws\SecurityIR - Added support for configuring communication preferences as well as clearly displaying case comment author identities.
Aws\EC2 - AWS Site-to-Site VPN now supports VPN connections with up to 5 Gbps bandwidth per tunnel, a 4x improvement from existing limit of 1.25 Gbps.
Aws\MedicalImaging - Added new fields in existing APIs.
Aws\Batch - Documentation-only update: update API and doc descriptions per EKS ImageType default value switch from AL2 to AL2023.
Aws\BedrockDataAutomation - Added support for Language Expansion feature for BDA Audio modality.
v3.359.9
Aws\DSQL - Cluster endpoint added to CreateCluster and GetCluster API responses
Aws\Invoicing - Added new invoicing get-invoice-pdf API Operation
Aws\Braket - Adds ExperimentalCapabilities field to CreateQuantumTask request and GetQuantumTask response objects. Enables use of experimental software capabilities when creating quantum tasks.
Aws\Kafka - Amazon MSK now supports intelligent rebalancing for MSK Express brokers.
Aws\WAFV2 - AWS WAF now supports CLOUDWATCH_TELEMETRY_RULE_MANAGED as a LogScope option, enabling automated logging configuration through Amazon CloudWatch Logs for telemetry data collection and analysis.
Aws\STS - Added GetDelegatedAccessToken API, which is not available for general use at this time.
Aws\IAM - Added CreateDelegationRequest API, which is not available for general use at this time.
Aws\EC2 - Amazon EC2 Fleet customers can now filter instance types based on encryption-in-transit support using Attribute-Based Instance Type Selection (ABIS), eliminating the manual effort of identifying and selecting compatible instance types for security-sensitive workloads.
Aws\GuardDuty - Include tags field in CreatePublishingDestinationRequest and DescribePublishingDestinationResponse.
Aws\Backup - AWS Backup supports backups of Amazon EKS clusters, including Kubernetes cluster state and persistent storage attached to the EKS cluster via a persistent volume claim (EBS volumes, EFS file systems, and S3 buckets).
Aws\ACMPCA - Private Certificate Authority service now supports ML-DSA key algorithms.
Aws\DataZone - Remove trackingServerName from DataZone Connection MLflowProperties
Aws\AppStream - AWS Appstream support for IPv6
Aws\VerifiedPermissions - Amazon Verified Permissions / Features : Adds support for entity Cedar tags.
v3.359.8
Aws\ - Removes QLDB, QLDBSession, Robomaker, LookoutMetrics, LookoutVision, IoTFleetHub and Apptest services, which have been deprecated.
Aws\KMS - Added support for new ECC_NIST_EDWARDS25519 AWS KMS key spec
Aws\ControlTower - Added Parent Identifier support to ListEnabledControls and GetEnabledControl API. Implemented RemediationType support for Landing Zone operations: CreateLandingZone, UpdateLandingZone and GetLandingZone APIs
Aws\VPCLattice - Amazon VPC Lattice now supports custom domain name for resource configurations
Aws\OpenSearchService - This release introduces the Default Application feature, allowing users to set, change, or unset a preferred OpenSearch UI application on a per-region basis for a streamlined and consistent user experience.
Aws\EC2 - Adds PrivateDnsPreference and PrivateDnsSpecifiedDomains to control private DNS resolution for resource and service network VPC endpoints and IpamScopeExternalAuthorityConfiguration to integrate Amazon VPC IPAM with a third-party IPAM service
v3.359.7
Aws\Backup - AWS Backup now supports customer-managed keys (CMK) for logically air-gapped vaults, enabling customers to maintain full control over their encryption key lifecycle. This feature helps organizations meet specific internal governance requirements or external regulatory compliance standards.
Aws\SSM - Provides NoLongerSupportedException error message
Aws\QuickSight - Support for New Data Prep Experience
Aws\IdentityStore - IdentityStore API: added new KMSExceptionReason fields to the Exception object; added multiple new fields to the User APIs - UserStatus, Birthdate, Website and Photos; added multiple new metadata fields for User, Groups and Membership APIs - CreatedAt, CreatedBy, UpdatedAt and UpdatedBy.
Aws\EC2 - Add Amazon EC2 R8a instance types
Aws\S3Tables - Adds support for tagging APIs for S3 Tables
Aws\AccessAnalyzer - New field totalActiveErrors added to getFindingsStatistics response.
Aws\S3Vectors - Amazon S3 Vectors provides cost-effective, elastic, and durable vector storage for queries based on semantic meaning and similarity.
Aws\SageMaker - Added NodeProvisioningMode parameter to UpdateCluster API to de
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.