EC2 M9g/M9gd (Graviton5) GA — Cognito multi-Region & CMKs, MCP Server GA, WAF Bot Control edge metering

AWS just handed platform teams a new operational surface: WAF is now a billing enforcement point for AI bots. The WAF Bot Control update adds AI traffic monetization so you can price, meter, and charge agent traffic at the edge. That’s not a nicety — it changes where metering, policy, and revenue control live. Instead of routing all monetization into backend APIs or gateways, AWS is giving you the option to gate access and bill before hits ever reach your origin.

This week’s other releases cluster into three pragmatic moves: faster general-purpose compute, hardened regional identity, and a managed agent runtime surface. None are flashy stand-alone launches, but together they reshape operational boundaries for AI-first architectures.

WAF Bot Control: edge billing as policy

Turning WAF into a point-of-sale for AI traffic is clever and dangerous. Clever because it reduces latency and simplifies enforcement: detect an agent at the edge, apply a policy, and require payment or token exchange before the request proceeds. Dangerous because it relocates a class of business logic into a security product not traditionally designed for complex billing integration. Technically, AWS WAF provides detection, scoring, and enforcement actions (block/challenge/allow) and can emit metrics and request attributes you can use to drive billing — it does not itself process customer billing transactions. Expect engineering work to wire WAF signals into billing systems, rate-limiting dashboards, and fraud detection (for example, via CloudWatch metrics, logs, and integration with API gateways or edge functions).

If you want the implementation details and implications on rule management, see our deeper look at AWS WAF Bot Control: edge AI traffic monetization and bot billing.

EC2 M9g/M9gd (Graviton5) GA  real uplift, same tradeoffs

Amazon GA'd M9g and M9gd instances powered by Graviton5, with AWS citing up to ~25% better compute performance for some general-purpose workloads versus Graviton4. M9gd includes local NVMe storage where you need it. This is the natural next step for Arm-first instances: improved IPC and efficiency while preserving the same operational model.

If your fleet is already Arm-ready, the math is simple: lower cost and better throughput per vCPU for scale-out services. If you’re still wrestling with compatibility, this is a reminder that performance gains depend on ecosystem maturity — compilers, libraries, and container images that actually behave on Arm. Read the performance breakdown in our companion piece on EC2 M9g/M9gd (Graviton5) GA.

Cognito multi-Region replication and KMS: finally, identity that fails over properly

Amazon Cognito added multi-Region replication and support for customer-managed KMS keys (CMKs). The replication syncs user-pool configuration, profile data, and authentication state to a secondary Region, enabling failover of authentication flows without forcing password resets in many cases. Running identity as a single-Region service has been a fragile dependency for globally distributed apps — this change lets platform teams build regional resilience while retaining encryption controls via CMKs.

The opinion: centralizing agent access is the right move, but audit it

AWS also announced general availability of the AWS MCP Server as part of the Agent Toolkit for AWS. Instead of each agent or assistant stuffing AWS credentials into its environment, teams can point agents at a managed MCP Server to broker authenticated, auditable access to AWS APIs and resources.

This is the right call. The alternative was a mess of ad-hoc credential injection and ephemeral token hacks across microservices. A managed MCP Server gives you a single place to enforce policies, rotate access, and integrate logging. The caveat: you’ve introduced a new trust boundary. MCP Server becomes high-value and must be monitored, RBAC-controlled, and included in incident playbooks.

What’s missing and what this signals

No EKS distro shake-ups, no Lambda engine changes, and no new Bedrock model families this week — AWS prioritized composability for AI agents, regional identity resilience, and cost-performance for compute. That’s the signal: AWS is hardening the plumbing that makes agents practical at production scale rather than launching more model endpoints.

Final thought

Platform teams should treat these releases as linked operational shifts, not discrete feature toggles. Graviton5 gives you cheaper compute; Cognito gives you predictable identity failover; MCP Server centralizes agent access; WAF metering moves billing signals to the edge. Ignore how they interact and you’ll stitch together brittle solutions. Start thinking about the new trust and billing boundaries now — they’re where outages and surprise costs will show up first.

Sources

• Announcements | AWS News Blog (current week)
• What's New at AWS
• Amazon Web Services - X (recent posts)