Amazon API Gateway launches Portals that now enable businesses to create fully managed, AWS native developer portals that serve as the central hub for AWS assets such as REST APIs for discovery, documentation, governance, and monetization across their AWS infrastructure. Portals solve the challenge of fragmented APIs by automatically discovering existing APIs across accounts, generating documentation and also allow custom documentation. Teams can organize APIs into logical products for different audiences, customize branding by attaching company logos, configure access controls, ensure API compliance with organizational standards, and use analytics for understanding user engagement. Users can benefit from discovery and "Try It" button for API exploration. Portals deliver three benefits that address the pressing challenges in API management today. They eliminate the security risks of third-party solutions by keeping all API configurations within AWS boundaries while providing access control for internal and external audiences. Portals also reduce developer onboarding time from weeks to minutes through automated portal generation, and documentation that updates as APIs evolve. This eliminates the weeks of infrastructure setup and also promotes re-use across developer teams. Portals also provide visibility into developer portal usage and analytics, through CloudWatch RUM (Real User Monitoring) making it easier to understand user engagement. To learn about pricing for this feature, please see the Amazon API Gateway pricing page. Amazon API Gateway Portals is available in all AWS Regions, excluding the AWS GovCloud (US) and China Regions. To get started, visit Amazon https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-portals.html and https://aws.amazon.com/blogs/compute/improve-api-discoverability-with-the-new-amazon-api-gateway-portal/.

Amazon API Gateway now progressively streams response payloads to clients as they become available. This improves REST API responsiveness by eliminating the need to buffer complete responses before transmission. This new capability works with backends that support streaming, including Lambda functions, HTTP proxy integrations, and private integrations. Response streaming delivers three key benefits: improved time-to-first-byte (TTFB) performance, extended integration timeouts up to 15 minutes, and support for payloads larger than 10 MB. Generative AI applications particularly benefit from improved TTFB as users see responses appear incrementally in real-time, while complex deliberation-focused models that take longer to process can now run with extended timeouts. Additionally, large payload support enables direct streaming of media files and large datasets without requiring workarounds like pre-signed Amazon S3 URLs. To learn about pricing for this feature, please see the Amazon API Gateway pricing page. Amazon API Gateway response streaming is available in all AWS Regions, including the AWS GovCloud (US) Regions, and works with regional, private, and edge-optimized endpoints. To get started, visit https://docs.aws.amazon.com/apigateway/latest/developerguide/response-transfer-mode.html, https://aws.amazon.com/blogs/compute/building-responsive-apis-with-amazon-api-gateway-response-streaming/ and https://aws.amazon.com/blogs/architecture/building-an-ai-gateway-to-amazon-bedrock-with-amazon-api-gateway/.

Amazon API Gateway now supports enhanced TLS security policies on API endpoints and custom domain names, providing you with greater control over the security posture of your APIs. These new policies help you meet evolving security requirements, comply with stricter regulations, and enhance encryption for your API connections. When configuring REST APIs and custom domain names, you can now select from an extended list of security policies, including options that require TLS 1.3 only, implement Perfect Forward Secrecy, comply with Federal Information Processing Standard (FIPS), or leverage Post Quantum Cryptography. These policies help meet evolving security requirements and stricter regulations while simplifying API security management. The enhanced policies also support endpoint access control for additional governance. API Gateway enhanced TLS security policies are available in the following AWS commercial Regions: US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Canada West (Calgary), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (UAE), South America (São Paulo). For more information, visit the https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies.html.

AWS Identity and Access Management (IAM) announces outbound identity federation, enabling customers to securely federate their AWS identities to external services using short-lived JSON Web Tokens (JWTs). This allows customers to securely authenticate their AWS workloads with third-party cloud providers, SaaS providers, and self-hosted applications without using long-term credentials or implementing complex workarounds. Customers can now exchange their AWS IAM credentials for cryptographically signed, short-lived JSON Web Tokens (JWTs), providing a simple and secure mechanism for AWS workloads to access external services. These tokens contain rich context about the AWS workloads, enabling external services to implement fine-grained access control. Administrators can control access to token generation and enforce token properties (such as lifetime, audience and signing algorithms) using IAM policies and audit token usage using CloudTrail logs, allowing them to meet their organization’s security and compliance requirements. This capability is available in all AWS commercial Regions, AWS GovCloud (US) Regions, and China Regions. To get started, visit the list of resources below: Read the https://aws.amazon.com/blogs/aws/simplify-access-to-external-services-using-aws-iam-outbound-identity-federation Visit https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_outbound.html

Amazon S3 now supports a new default encryption configuration setting to enforce Amazon S3 managed server-side encryption (SSE-S3) or server-side encryption with AWS KMS keys (SSE-KMS) for all write requests to your buckets. This new bucket-level setting helps you standardize the server-side encryption types that can be used with your buckets. Using the PutBucketEncryption API, you can disable server-side encryption with customer-provided keys (SSE-C) on specific buckets or in your AWS CloudFormation templates. This enhancement to the PutBucketEncryption API is now available in all AWS Regions. You can use the AWS Management Console, SDK, API, or CLI to configure encryption controls for your buckets. To learn more, see the https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/ or https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.html in the S3 User Guide. For more information on the PutBucketEncryption API, visit the https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html.

Developers can now use their existing AWS Management Console sign-in credentials for programmatic access to AWS services. After a quick browser-based authentication flow, AWS automatically generates temporary credentials that work across local development tools like the AWS CLI, AWS Tools for PowerShell and AWS SDKs. To get started, simply install or upgrade to the latest version of the AWS CLI and run aws login in your terminal. This login for AWS local development feature makes it easier to start building with AWS services within minutes of account sign-up, eliminating the need to create and manage separate identities and access keys for programmatic access. The aws login CLI command generates short-lived credentials that are automatically rotated, reducing the risks associated with long-term access keys and enhancing your security posture. This feature is available in all commercial AWS regions. To get started, install or upgrade to AWS CLI version 2.32.0 and the latest versions of all AWS SDKs. For more information, please read our https://aws.amazon.com/blogs/security/simplified-developer-access-to-aws-with-aws-login/ or visit the https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html

Amazon S3 now supports post-quantum TLS key exchange on regional S3, S3 Tables, and S3 Express One Zone endpoints providing customers with post-quantum cryptography options for encryption of their data in-transit. All regional S3, S3 Tables, and S3 Express One Zone endpoints now support Module Lattice-Based Key Encapsulation Mechanisms (ML-KEM), one of National Institute of Standards & Technology (NIST) standardized post-quantum cryptographic algorithms. Through the new PQ-TLS key exchange, Amazon S3 now supports quantum-resistant cryptography for the encryption of data in-transit. This new support combined with Amazon S3’s server-side encryption by default utilizing AES-256 algorithms offers customers quantum-resistant encryption both in-transit and at-rest. Post-quantum TLS key exchange for Amazon S3 is available for all clients configured to use the ML-KEM key exchange algorithm, where you receive the benefits of the post-quantum TLS key exchange. This is because Amazon S3 will automatically negotiate the highest TLS protocol version that your client software supports. Post-quantum TLS key exchange for Amazon S3 is supported at no additional cost in all regional S3, S3 Tables, and S3 Express One Zone endpoints in all AWS regions. To learn more about PQ-TLS support in Amazon S3, visit our https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryptionInTransit.PQ-TLS.html.

Amazon CloudWatch RUM now supports iOS and Android applications, expanding real user monitoring beyond web applications. Developers and SREs can now quickly isolate mobile application issues and improve end-user experience, with visibility into performance metrics such as screen load times, crash rates, and API latencies. CloudWatch RUM for mobile uses the OpenTelemetry (OTEL) standard to send spans and events. The service captures mobile spans such as application startup time, screen load time and backend network calls. It also captures events including crashes, and ANRs/AppHangs to provide rich troubleshooting insights on the CloudWatch console. You can perform impact analysis for specific errors or crashes, drill down to correlated telemetry, and filter by location, device type, operating system, and app versions to quickly identify root causes. Mobile telemetry integrates with application metrics, traces, logs, web RUM monitoring, and synthetic monitoring in CloudWatch Application Signals to speed up troubleshooting and reduce application disruption. CloudWatch RUM support for iOS and Android is available in all AWS Commercial Regions where web monitoring is available. To learn more, see https://aws.amazon.com/cloudwatch/pricing/getting started for https://github.com/aws-observability/aws-otel-android?tab=readme-ov-file#aws-distro-for-opentelemetry---android and https://github.com/aws-observability/aws-otel-swift?tab=readme-ov-file#aws-distro-for-opentelemetry-for-swift, and https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-web-mobile.html#CloudWatch-RUM-mobile-monitoring.

Amazon Route 53 now supports https://aws.amazon.com/privatelink/ for API requests to the route53.amazonaws.com service endpoint, allowing your AWS workloads to make changes to critical DNS infrastructure, including hosted zones, records, and health checks, without using the public internet. With this release, you can set up private connectivity between your virtual private clouds (VPCs) and the Route 53 API, from your VPC on the AWS backbone, in any AWS Region. The Route 53 API is used by customers for domain name system (DNS) operations, which are a foundational layer of their cloud infrastructure automation, user-facing applications, and internal services. This integration simplifies cloud architecture by removing the need for customers to setup and manage complex networking services that connect resources in their virtual private clouds (VPCs) privately to the Route 53 API. Now, customers can use a VPC endpoint within their VPC to establish connectivity to the Route 53 API. Customers outside the us-east-1 can use https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-cross-region-privatelink-support.html to natively connect to Route53 from other Regions, without the need to send traffic over the public internet or set up inter-region connectivity like VPC peering. Route 53 support for PrivateLink is available globally, except in AWS GovCloud and Amazon Web Services in China. To learn more about this feature, or to get started, visit the https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html. To learn about pricing, visit the https://aws.amazon.com/privatelink/pricing/.

AWS Site-to-Site VPN launches VPN Concentrator, a new feature that simplifies multi-site connectivity for distributed enterprises. VPN Concentrator is suitable for customers who need to connect 25+ remote sites to AWS, with each site needing low bandwidth (under 100 Mbps). Until now, customers who needed to connect large number of low-bandwidth remote sites to AWS relied on solutions that were complex to use. These solutions create operational overhead as customers need to deploy and manage multiple virtual appliances in AWS. For example, customers are responsible for deploying appliances in multiple availability zones and network configuration to ensure high availability. AWS Site-to-Site VPN is a fully managed service that allows you to create a secure connection between your data center or branch office and your AWS resources using IP Security (IPSec) tunnels. With this launch, customers can now connect up to 100 low-bandwidth sites using a single VPN Concentrator to access their workloads in AWS. VPN Concentrator simplifies multi-site connectivity by allowing multiple remote sites to connect through a single attachment to AWS Transit Gateway, simplifying multi-site connectivity. Aggregating large number of low-bandwidth sites using a VPN Concentrator also provides efficient bandwidth utilization, and in turn, reduces VPN costs per site. This capability is available in all AWS commercial Regions and AWS GovCloud (US) Regions where AWS Site-to-Site VPN is available. To learn more and get started, visit the AWS Site-to-Site VPN https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-concentrator.html.

Amazon Connect outbound campaigns now offers campaign managers the ability to configure how long voice calls should ring—between a range of 15 and 60 seconds—before marking a call as “no answer” and moving to the next contact. Each contact also records when ringing began and ended for precise reporting and traceability. When ring duration is static, businesses struggle to balance calling efficiency and customer reach. Calls that ring too briefly may miss customers who take longer to answer, while excessive ring times delay overall campaign pacing. This lack of control leads to inconsistent contact rates and reduced agent productivity. With configurable ring time, campaign managers can tune dialing behavior to their audience for each campaign, use analytics to see exactly how long each call rang, and understand where connections were missed. This visibility helps identify patterns, refine calling strategies, and continuously improve campaign effectiveness. With Amazon Connect outbound campaigns, companies pay-as-they-go for campaign processing and channel usage. This feature is available in AWS regions, including US East (N. Virginia), US West (Oregon), Africa (Cape Town), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), and Europe (London). To learn more about configuring ring time for campaigns, visit our https://aws.amazon.com/connect/outbound/.

AWS IAM now enables outbound identity federation, allowing developers to securely authenticate AWS workloads with external services using short-lived JSON Web Tokens instead of storing long-term credentials like API keys and passwords.

AWS Identity and Access Management (IAM) now supports a new global condition key, aws:SourceVpcArn, that enables customers to enforce region-based access controls for resources accessed through https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html. This condition key returns the ARN of the VPC where the VPC endpoint is attached, allowing customers to verify whether requests travel through a specific VPC and implement controls on private access to their resources in same-region or cross-region scenarios. Customers can use aws:SourceVpcArn in policies to ensure resources are only accessible from VPC endpoints in specific regions, helping enforce data residency requirements. For example, you can attach a policy to an Amazon S3 bucket that restricts access to requests made through VPC endpoints in designated regions only. The aws:SourceVpcArn condition key is available in all commercial AWS Regions. For a complete list of supported AWS services and to learn more, please refer to the https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-network-properties

https://aws.amazon.com/bedrock/custom-model-import/ now supports Open AI GPT OSS models. You can import custom weights for gpt-oss-120b and gpt-oss-20b models. This enables you to bring your own customized GPT OSS models into Amazon Bedrock and deploy them in a fully managed, serverless environment—without having to manage infrastructure or model serving. GPT OSS models are text-to-text models designed for reasoning, agentic, and developer tasks. The larger gpt-oss-120b model is optimized for production, general purpose, and high reasoning use cases, while the smaller gpt-oss-20b model is best suited for lower latency, or specialized used cases such as data processing or domain-specific summarization. Amazon Bedrock Custom Model Import for GPT OSS models is generally available in the US-East (N. Virginia) AWS Region. You can get started by importing your custom GPT OSS models in the custom models section of the https://console.aws.amazon.com/bedrock/. To learn more about OpenAI models in Amazon Bedrock visit the https://aws.amazon.com/bedrock/openai/. To see what all architectures are supported visit the https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-import-model.html. 

Amazon FSx for Windows File Server, a fully-managed service that provides file storage built on Windows Server, now supports File Server Resource Manager (FSRM), a Windows Server feature that provides powerful capabilities to manage, govern, and monitor your file data. With FSRM, you can better control storage usage, strengthen compliance, and optimize costs across your FSx for Windows file systems. With this launch, you can now classify, identify, and control sensitive data using file classification and file screening, control storage usage and costs using folder-level quotas, and better understand and optimize your storage usage with storage reports. FSRM on FSx for Windows File Server is also deeply integrated with AWS observability services. You can publish FSRM events directly to https://aws.amazon.com/cloudwatch/ Logs or stream events to https://aws.amazon.com/kinesis/ Data Firehose, allowing you to query, process, store, and archive logs, trigger https://aws.amazon.com/lambda/ functions to take reactive actions based on file events, and perform advanced monitoring and analysis to automate administration of your file data. FSRM support is available today at no additional cost for new file systems in all https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/?refid=bc0b1108-3dde-4bd6-8c6b-5bc65141884a. Existing file systems will receive FSRM support during an upcoming maintenance window. To get started, visit https://docs.aws.amazon.com/fsx/latest/WindowsGuide/managing-files-fsrm.html in the FSx for Windows User Guide and read the blog https://aws-blogs-prod.amazon.com/storage/using-file-server-resource-manager-fsrm-for-amazon-fsx-for-windows-file-server/.

Amazon DynamoDB now supports primary keys composed of up to eight attributes in global secondary indexes (GSIs). While previously, partition and sort keys were limited to one attribute each, DynamoDB now supports up to four attributes each for the partition and sort keys. With multi-attribute keys, you no longer need to manually concatenate values into synthetic keys, which sometimes result in the need to backfill data before adding new indexes. Instead, you can create primary keys using up to eight existing attributes, making it easier to model diverse access patterns and adapt to new query requirements. Multi-attribute partition keys improve data distribution and uniqueness. Multi-attribute sort keys enable flexible querying by letting you specify conditions on sort key attributes from left to right. For example, an index with partition key UserId and sort key attributes Country, State, and City lets you query all locations for a user, then narrow results by Country, State, or City. Multi-attribute partition and sort keys are available at no additional charge in all AWS Regions where DynamoDB is available. You can create them using the AWS Management Console, AWS CLI, AWS SDKs, or DynamoDB API. To learn more, see https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html in the Amazon DynamoDB Developer Guide.

Amazon OpenSearch Serverless now supports backup and restore through the AWS Management Console. OpenSearch Serverless automatically backs up all collections and indexes in your account every hour and retains backups for 14 days. You can restore backups using either the https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-snapshots.html#serverless-snapshots-working-withor the AWS Console. This feature is enabled by default and requires no configuration. For more information, see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-snapshots.html#serverless-snapshots-working-with in the Amazon OpenSearch Serverless Developer Guide. Please refer to the https://docs.aws.amazon.com/general/latest/gr/opensearch-service.html#opensearch-service-regions for more information about Amazon OpenSearch Service availability. To learn more about OpenSearch Serverless, https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless.html https://aws.amazon.com

AWS Step Functions' enhanced TestState API now enables local unit testing with mocking support, comprehensive state type validation, and individual state testing capabilities without requiring AWS deployment or IAM permissions.

Network Load Balancer now supports weighted target groups, allowing you to distribute traffic across multiple target groups with configurable weights for advanced deployment strategies. Weighted target groups enables key use cases like Blue-Green and Canary Deployments, Application Migration, and A/B Testing by allowing you to register multiple target groups with configurable weights ranging from 0 to 999, providing precise control over traffic distribution. Blue-Green and Canary Deployments allow you to gradually shift traffic between application versions, minimizing downtime during upgrades and patches; Application Migration enables seamless transitions from legacy stacks to new stacks without disrupting production traffic; and A/B Testing facilitates splitting incoming traffic across experimental environments. All target group types are supported, including instance, IP address, and Application Load Balancer (ALB) targets. Weighted Target Groups routing is available for all existing and new Network Load Balancers across AWS commercial and AWS GovCloud (US) regions at no additional charge. Standard Network Load Balancer Capacity Unit (LCU) pricing applies. To learn more, please refer to https://aws.amazon.com/blogs/networking-and-content-delivery/network-load-balancers-now-support-weighted-target-groups/, and the https://docs.aws.amazon.com/elasticloadbalancing/latest/network/listener-update-rules.html. 

Amazon Connect now routes calls between instances within the same account through the AWS global backbone, without relying on the Public Switched Telephony Network (PSTN) when both numbers are provisioned or ported into Amazon Connect. Customers calling between Amazon Connect instances - whether within the same region or across regions - now benefit from AWS's global network infrastructure. Customers will enjoy higher call quality, simplified billing, and enhanced contact sharing capabilities that preserve call context across transfers. This feature is available in all commercial regions where https://docs.aws.amazon.com/connect/latest/adminguide/regions.html#amazonconnect_region is offered except for Africa (Cape Town). To learn more about Amazon Connect, review the following resources: https://aws.amazon.com/connect/ and https://aws.amazon.com/connect/pricing/ https://docs.aws.amazon.com/connect/latest/adminguide/what-is-amazon-connect.html

Amazon Managed Streaming for Apache Kafka (Amazon MSK) now supports viewing topics directly through the Amazon MSK console, making it easier to inspect all your Kafka topics without setting up Kafka admin clients. You can browse and search topics within a cluster, quickly review replication settings and partition counts, and drill into individual topics to examine detailed configuration, partition-level information, and metrics. These console capabilities are powered by three new MSK APIs, ListTopics, DescribeTopic, and DescribeTopicPartitions that you can also use directly for programmatic access. The ListTopics API returns the list of all topics in a cluster, while the DescribeTopic and DescribeTopicPartitions APIs provide detailed configuration and partition information for a topic. All three APIs are available through the AWS CLI and AWS SDKs. These MSK topic viewing capabilities are available for all Amazon MSK Provisioned clusters using Kafka version 3.6 and above across https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/ where Amazon MSK is offered. To start using these features, you'll need to set up the appropriate IAM permissions. To learn more on how to get started, see the https://docs.aws.amazon.com/msk/latest/developerguide/getting-started.html.

https://aws.amazon.com/directoryservice/ now supports https://aws.amazon.com/privatelink/, enabling you to ensure all API calls to AWS Directory Service are constrained to within the private networks that you specify. This new capability provides private connectivity to both the AWS Directory Service APIs and Directory Service Data APIs, delivering faster network paths, reduced latency, and eliminating public internet-based call patterns. With AWS PrivateLink support, your access to AWS Directory Service APIs can be constrained to the private network connectivity you specify and eliminate any requirements for an internet gateway or NAT device. This encompasses all essential operations such as creating directories, configuring trust relationships, managing user accounts, and adding users to groups. This capability is particularly valuable for organizations that must maintain strict isolation between their workloads and public network connectivity. To establish a private connection, you create an interface Amazon VPC endpoint powered by AWS PrivateLink, which creates requester-managed network interfaces in each enabled subnet to serve as entry points for Directory Service API traffic. This feature is available in all https://docs.aws.amazon.com/directoryservice/latest/admin-guide/regions.html where AWS Directory Service is supported. To learn more, see the AWS https://docs.aws.amazon.com/directoryservice/latest/admin-guide/vpc-interface-endpoints.html.

Starting today, Amazon Elastic Compute Cloud (Amazon EC2) M7i instances powered by custom 4th Gen Intel Xeon Scalable processors (code-named Sapphire Rapids) are available in the Europe (Zurich) region. These custom processors, available only on AWS, offer up to 15% better performance over comparable x86-based Intel processors utilized by other cloud providers. M7i deliver up to 15% better price-performance compared to M6i. M7i instances are a great choice for workloads that need the largest instance sizes or continuous high CPU usage, such as gaming servers, CPU-based machine learning (ML), and video-streaming. M7i offer larger instance sizes, up to 48xlarge, and two bare metal sizes (metal-24xl, metal-48xl). These bare-metal sizes support built-in Intel accelerators: Data Streaming Accelerator, In-Memory Analytics Accelerator, and QuickAssist Technology that are used to facilitate efficient offload and acceleration of data operations and optimize performance for workloads. To learn more, visit https://aws.amazon.com/ec2/instance-types/m7i/. To get started, see the https://console.aws.amazon.com/.

Amazon Q Developer now offers enhanced cost management capabilities, enabling customers to analyze costs across a wider range of Cloud Financial Management domains with more advanced analytical capabilities. Customers can now ask complex, open-ended questions about historical and forecasted costs and usage, optimization recommendations, commitment coverage and utilization, cost anomalies, budgets, free tier usage, product attributes, and cost estimation. Q can explore data, form hypotheses, and perform calculations to provide deeper insights with less time and expertise required. With these capabilities, FinOps practitioners, engineers, and Finance professionals can increase productivity by delegating more cost analysis and estimation tasks to Q. For example, customers can ask "Why did costs for this application increase last week?". Q will explore the data by retrieving costs and usage quantities by service, account, or resource, form hypotheses, gather data from multiple sources, and perform calculations ranging from simple period-over-period cost changes to unit economic metrics like effective cost per instance-hour. Q provides transparency on each API call it makes to retrieve data, including specific parameters used, and provides matching console links where customers can verify the data or dive deeper. To get started, open the Amazon Q chat panel from anywhere in the AWS Management Console and ask a question about your costs. To learn more, see https://docs.aws.amazon.com/cost-management/latest/userguide/ce-cost-analysis-q.html in the AWS Cost Management user guide.

Amazon SageMaker Catalog now supports custom metadata forms and rich text descriptions at the column level, extending existing curation capabilities for business names, descriptions, and glossary term classifications. Data stewards can create custom metadata forms to capture business-specific information directly on individual columns. Columns also support markdown-enabled rich text descriptions for comprehensive data documentation and business context. Custom metadata form field values and rich text content are indexed in real-time and become immediately discoverable through search. This enhancement enables organizations to curate columns with comprehensive business context using customer-defined metadata schemas and formatted documentation. Asset owners can define custom key-value metadata forms and rich text descriptions to provide detailed column documentation that improves data discovery across enterprise teams. Data analysts can search using custom form field values and rich text content alongside existing column names, descriptions, and glossary terms. This capability is available in all AWS Regions where Amazon SageMaker is supported. To learn more about Amazon SageMaker Catalog, visit the https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/update-metadata.html.