Good Morning!
In personal news, I shipped a thing. DeployBar is a free macOS menu bar app that monitors your GitHub Actions, GitLab CI/CD runs, and Vercel deployments. It auto-discovers your repos, tells you when GitHub is having outages, and ships with a platypus mascot who roasts your commit messages with the intensity of a code reviewer who stopped being polite three startups ago. The business model is charging people $4.99/month to control the platypus’s intensity, or to shut him up entirely. Yes, I’m aware of how “the app is mean to you unless you pay me” sounds.
And of course, if you (well, not you, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you’re not alone. Most teams are cobbling together strategies/tools that weren’t designed for the scale and complexity of modern cloud environments. That’s why we’re building Skyway over at Duckbill—to take you away from all that. Now the exclusive sponsor of Last Week in AWS, and also the company I co-founded. Cloud contract issues? Get in touch.
Things I Found on the Internet
Aphyr is back with a characteristically thorough and deeply uncomfortable look at why alignment is basically a joke. The argument that building “friendly” models necessarily enables building evil ones lands hard. Long read, but the kind of long read that makes you angry in productive ways.
Mounting S3 as a local file system in Lambda is one of those features that sounds boring until you realize how much boilerplate it kills. This walkthrough puts it through its paces by building AI code review agents on S3 Files, and the most compelling part is how much code just disappears.
Clever hack for anyone running Freescout or similar tools who doesn’t want to operate an actual mail server. This pseudo-IMAP bridge lets SES catch your mail into S3, then serves it to IMAP clients behind your firewall. Niche? Absolutely. But if you need it, you really need it.
The URL alone tells you exactly what you’re getting into. PCS Explorer is a tool for navigating Amazon’s insane compensation structure, and the domain name is doing heavy lifting as commentary. Worth a click if you enjoy watching corporate aspiration collide with the reality of how employees actually feel.
Colin Percival has been poking at AWS longer than most people have had Gmail accounts. This retrospective from his 20 years on the platform is packed with fascinating history, from faxing NDAs to recommending Tavis Ormandy audit Xen. A love letter written in bug reports. Respect.
AWS accidentally pushed a test IAM managed policy to production, and Victor Grenu’s IAMTrail tool caught it in real time (https://www.linkedin.com/posts/grenuv_yesterday-aws-inadvertently-pushed-a-test-share-7448265462238461952-SYR6/?utm_source=share&utm_medium=member_ios&rcm=ACoAAAKVyfEB_-M2l_ryTOdzM_233TYL84e4wKs). This one was harmless, but the scary question is: what happens when an unattended change hits an existing managed policy that millions of accounts depend on? You can’t version-pin these things.
What AWS Has For Us This Time
Amazon CloudWatch now supports cross-region telemetry auditing and enablement rules
Centralized telemetry enablement across every region sounds wonderful until you remember that “standard CloudWatch pricing applies.” Translation: your security team gets one button to turn on VPC Flow Logs everywhere, and your FinOps team gets one spreadsheet to cry into forever. Governance has never been easier, or more expensive by accident.
Introducing Amazon EC2 C8in and C8ib instances
Two more letters bolted onto the EC2 alphabet soup, because apparently “C8i” wasn’t cryptic enough. The “n” means network, the “b” means bandwidth for EBS, and together they mean your naming conventions document just got another footnote. 43% faster than C6in, which is interesting because they didn’t have a C7in for whatever reason; probably Intel’s busted-ass roadmap?
Amazon Quick now supports multi-account sign-in within the same browser – Congratulations, you can now juggle five accounts in one browser instead of maintaining a Chrome profile graveyard like the rest of us have since 2012. Truly the cutting edge of 2010s-era functionality. Bonus points for putting the account name in URLs, a feature my password manager has been begging for since the Obama administration.
Ohio getting WorkSpaces in 2026 feels like discovering your local diner finally serves breakfast. Malaysia, sure, that’s a real expansion. But us-east-2 somehow didn’t have virtual desktops until now? The service launched in 2013. Someone at AWS just found a Jira ticket under a pile of re:Invent swag.
AWS announces general availability of AWS Interconnect – multicloud
This might be one of the most insane pricing structures I’ve seen yet from AWS: “To determine your AWS Interconnect – multicloud pricing, identify your source AWS Region(s) where your VPC traffic originates and your interconnect’s local AWS Region. Find the highest tier pairing of source AWS Region to local AWS Region in the pricing tiers table below to identify your tier. Once you have your tier, look up the price by your interconnect’s local AWS Region, tier, and bandwidth.” HOWEVER. This is a flat rate price that you eventually get to, and the economics are wildly compelling for some workloads. This bears investigation. Oh, they also support last mile interconnects, too.
Automate AWS Cost Reporting with Scheduled Dashboard Email Delivery
Automating the “log in, screenshot, paste into PowerPoint, email to CFO” workflow is… something. Of course, making it easier for executives to see the bill might actually generate more panicked Slack messages than it prevents. Sometimes ignorance really was bliss. Password-protected PDFs feel very 2014, absolutely nobody will read these after roughly the third report in the cadence, and it suffers from the “trying to get people to care about a problem before it becomes painful” issue, but… we’ll see, I suppose.
Introducing Anthropic’s Claude Opus 4.7 model in Amazon Bedrock – Anthropic’s Opus 4.7 lands in Bedrock with a “next generation inference engine” and zero operator access, which is a fancy way of saying “we pinky-promise not to read your prompts.” The benchmarks are impressive until you remember nobody’s production workload looks anything like a benchmark. Your invoice, however, will be very real.
Introducing Amazon Bio Discovery
Pharma companies, much like some product managers, already spend more on drugs than small nations spend on everything, so naturally AWS built an agentic drug discovery platform with 40+ AI models to help them spend even more, this time on cloud compute. “Lab-in-the-loop” is a great phrase for a billing cycle that never ends.
CVE-2026-5429 – Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme – Arbitrary code execution via a *color theme name*. Someone named their dark mode “'; DROP TABLE production;--” and Kiro’s webview just went with it. The AI-powered IDE that helps you ship real engineering work was itself shipping unsanitized inputs. Update to 0.8.140 before your syntax highlighting syntax-highlights your credentials.
Issues with Amazon Athena ODBC Driver – Six CVEs in a single ODBC driver, including OS command injection and improper cert validation. That’s not a security bulletin, that’s a bingo card. No workaround available either, just “upgrade immediately.” If you’re running Athena queries through ODBC, go patch now and quietly question your life choices.
Issues with AWS Research and Engineering Studio (RES) – Three CVEs in one bulletin, including “execute arbitrary commands as root via a crafted session name.” In 2026, we’re still not sanitizing user input in session names. The researchers using this tool to do science were one creative desktop name away from someone owning their entire environment. Patch immediately.
CVE-2026-5747 – Out-of-bounds Write in Firecracker virtio-pci Transport – An out-of-bounds write in Firecracker’s virtio-pci transport that could let a guest escape to the host. “No AWS service is affected,” they assure us, which is the cloud equivalent of “the fire is contained to the other wing of the building.” Shoutout to Anthropic for the responsible disclosure.
… and that’s what happened Last Week in AWS.