Good Morning!
If you (well, not you, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you’re not alone. Most teams are cobbling together strategies/tools that weren’t designed for the scale and complexity of modern cloud environments. That’s why we’re building Skyway over at Duckbill—to take you away from all that. Now the exclusive sponsor of Last Week in AWS, and also the company I co-founded. Cloud contract issues? Get in touch.
Things I Found on the Internet
A worker secured a religious exemption from mandatory AI tools, and somehow I got quoted in it. This story about opting out is the most interesting wrinkle in the whole “thou shalt use the chatbot” mandate trend. “No” continues to be a complete sentence.
Graviton 5 is now GA, if only AWS and everyone else would stop calling it an AI chip.
What AWS Has For Us This Time
AWS announces AWS Workload Credentials Provider
A name only a committee could love, automating the certificate-renewal cron job you’ve maintained with duct tape and EventBridge since 2019, before it was EventBridge. It’s open source and free, which means AWS will recoup costs through the Secrets Manager bill it cheerfully caches against. Your ops team finally gets to sleep through cert expiry weekends. I mean, they always did, but it was rude to say it.
Announcing the public preview of AWS FinOps Agent
An AI that explains why your bill went up, built by the company that engineered the bill to be incomprehensible in the first place. Arsonist, meet fire department. The agent fingers a “responsible owner” for each spike, which means Slack now has a tool for assigning blame at machine speed. Progress! Okay, fine, this does seem not terrible, as much as I hate to say it—but the first time it gives a crap answer it’s going to burn through goodwill and customer trust faster than Claude Code burns through Fable 5 tokens.
Introducing AI-Powered Cost Investigations For Cost Anomalies – AI to explain why your bill exploded, because the previous three layers of cost tooling apparently weren’t enough. The irony of paying for tokens to investigate why you’re paying too much is not lost on me. Still, anything that spares a FinOps team from manually grepping CloudTrail at 2am earns a reluctant nod.
Amazon CloudWatch Logs Insights adds 23 new query commands and functions – Twenty-three new functions, and the one customers actually wanted, an “if” statement, finally arrives in 2026. Welcome to conditional logic, a feature your TI-83 shipped with. Querying logs still bills by the gigabyte scanned, so enjoy your shiny new `split` function right up until the invoice arrives.
Introducing Target Coverage in Savings Plans Purchase Analyzer
Type a percentage, get a commitment number. Revolutionary, assuming you previously did this math on a napkin during CFO reviews. Fortunately, it tells you to leave room before committing, because locking 100% of your spend into a three-year prison is how FinOps careers start and also end. This is also useful, which is suspicious.
Introducing the AWS Credits Detail Page
A dedicated dashboard for tracking the funny money AWS hands out to keep you locked in. The pause button is the winner here: now you can hoard credits like canned goods before the apocalypse, except that credits expire so it’s more like hoarding bread. Twenty-four-hour balance refresh, because surely you’ll remember to do this tomorrow.
Anthropic Claude Fable 5 on AWS: Mythos-class capabilities with built-in safeguards now available
The obvious, well-reported catch on this “mythos-class” wonder: to use it you must opt into 30-day data retention and human review of everything you send. Skip the safeguards and you get Mythos 5, reserved for “vetted customers,” which is corporate for “people we trust not to embarrass us,” which is absolutely not me. Console support, naturally, coming soon. Ugh. “Tell me you were caught flat-footed by the launch but use different words.” It’s pretty clear that Anthropic wears the metaphorical pants in the AWS relationship.
Now available: Amazon EC2 M9g and M9gd instances powered by new AWS Graviton5 processors
The performance gains are real, the 9% price hike from the m8g generation goes unheralded, the “agentic AI” framing is the obligatory 2026 buzzword tax, AWS PR does its own company dirty again, I’ve already upgraded my dev instance, and Meta’s tens of millions of cores means fewer of these will be available to companies who actually have something resembling a coherent business strategy.
I thought my angry, aggressive chihuahua Ethel died years ago, but she’s apparently alive and well in Seattle; nobody else has the special combination of “angry” and “incompetent” required to pull this one off. The old console still exists and is presented as the primary, except that newer models (like, say, all the OpenAI ones) aren’t available in the old console, so it looks to a casual customer like the new models just aren’t there. I mean look at this; does it seem in any way intuitive to you that OpenAI’s models are in Bedrock, but only in the Mantle console? It wasn’t to me, nor other customers to whom I’ve spoken.
AWS Nitro Isolation Engine: Formally verifying the hypervisor in the AWS Nitro System
Mathematical proof your neighbor can’t read your memory, available exclusively on Graviton5 instances you’ll need to migrate to first, at a 9% price increase. The proofs (prooves?) are real and no doubt impressive, but somewhere a finance team just learned “formally verified” is a synonym for “only the newest, priciest silicon will do.”
It’s safe to close your laptop now: Hosting coding agents on Amazon Bedrock AgentCore
The hostage situation where your laptop hinge holds an overnight migration captive? Solved, for the low price of running everything through Bedrock and a CloudWatch bill that grows like kudzu. Your agent gets its own microVM, your CFO gets a new line item, and somewhere a worktree sobs soundlessly into localhost:5432. Too bad it doesn’t work for many workloads, because the whole point is that my agent requires a shit-ton of context that’s in my dev environment. Did an AI agent write this? Judging by the post’s phrasing, the answer is “yes, almost certainly a Claude variant.”
Holy shit, there were twenty-seven distinct links here for security issues. Twenty-seven bulletins is not a roundup, it’s an intervention, and the recurring theme is that AWS keeps shipping the same bug in every language it knows. Five database wrappers handed strangers rds_superuser (because “fuck it, we ball”) across JDBC, Go, Python and friends, then did it again two CVEs later for anyone who missed the first showing, while the six-language S3 encryption flaw gave us “Invisible Salamanders,” the best crypto villain since Heartbleed. Cryptography had a rough week generally: a verify function that skips verifying is the bouncer charging cover and waving everyone in, and an audit plugin that ignores commented queries ran your compliance on the honor system, just like Delve. The security tooling itself kept becoming the attack vector, which is the one thing it’s not supposed to do: a macOS VPN client symlinking its way to root, its Windows sibling hunting OpenSSL configs in a Linux path that exists only in someone’s fever dream, a WorkSpaces Linux client leaving tokens for the next user, a component literally named Secret Agent stashing Kerberos creds in /tmp, and a Firecracker jailer that overwrites the host it’s supposed to guard. The call may well still be coming from inside the VPC, whether through an ECS introspection server letting neighbors introspect you, an IMDS endpoint trusting whoever answers first, a RES portal previewing coworkers’ desktops, or twin CodeBuild stumbles where a memory dump leaked the .NET SDK repo token and a missing regex anchor handed Wiz admin to that same repo.
The AI products were predictably the worst, because handing a robot your credentials and skipping the human review goes exactly how you’d expect: Q and Kiro plugins exfiltrating secrets via DNS, a Q VS Code extension saved only by a malicious commit’s syntax error, Kiro running whatever’s hidden in a folder name, and an AgentCore CLI executing triple-quoted Python on import so “AgentCore” briefly meant “anyone’s code, your runtime.” Rounding out the misery pile sits an RCE in React Server Components patched with three nested regex transformations you’re told to test gently, an overly permissive Harmonix EKS trust policy trusting the account root, an Ion-C bug that can’t decide if it’s integer overflow or stack read, an infinite-loop DoS in a library AWS deprecated before disclosing it, a SageMaker SDK that disables SSL verification globally, three FreeRTOS ICMPv6 over-reads with workaround “None” living forever in unpatchable thermostats, a trio of runc container escapes AWS reminds you aren’t a security boundary, and a Cloud Cam whose only fix is owning no camera. Jesus Christ. What’s going on o’er der?
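The “missing regex anchor” in that CodeBuild item is a whole bug class, not a one-off, so here is an added illustration of it. This is my own constructed example, not the CodeBuild filter and not anything from the bulletin: a trust check on a repository URL with the anchors left off, beside the version that pins both ends. The org, repo name and every URL in it are hypothetical.

```python
import re

# Added, constructed example of the "missing regex anchor" bug class.
# ORG/REPO and every URL below are hypothetical; this is not the CodeBuild filter.
ORG = "example-org"
REPO = "example-repo"

# Vulnerable: no ^ or $, and the dot in "github.com" is an unescaped wildcard, so
# re.search accepts any string that merely *contains* something resembling the path.
VULN_PATTERN = re.compile(f"github.com/{ORG}/{REPO}")

# Hardened: literals escaped, both ends anchored, optional ".git" spelled out,
# and only the https scheme on the expected host is accepted.
SAFE_PATTERN = re.compile(
    rf"^https://github\.com/{re.escape(ORG)}/{re.escape(REPO)}(?:\.git)?$"
)


def vulnerable_is_trusted(repo_url: str) -> bool:
    """Unanchored substring match: trusts far more than the one repository."""
    return VULN_PATTERN.search(repo_url) is not None


def hardened_is_trusted(repo_url: str) -> bool:
    """fullmatch plus explicit anchors: exactly the trusted repository, nothing else."""
    return SAFE_PATTERN.fullmatch(repo_url) is not None


# Constructed inputs: the real repo, its .git form, and three attacker-shaped URLs.
SAMPLES = {
    "legit": f"https://github.com/{ORG}/{REPO}",
    "dot_git": f"https://github.com/{ORG}/{REPO}.git",
    # Same org, different repo whose name merely starts with the trusted one.
    "name_prefix": f"https://github.com/{ORG}/{REPO}-fork",
    # Different host entirely; the trusted path appears only inside *its* URL path.
    "path_smuggle": f"https://git.attacker.example/{ORG}/github.com/{ORG}/{REPO}",
    # Unescaped dot: "githubXcom" still satisfies the pattern's "github.com".
    "dot_wildcard": f"https://githubXcom/{ORG}/{REPO}",
}


def evaluate(check) -> dict:
    """Run one trust check over every sample; returns {name: accepted?}."""
    return {name: check(url) for name, url in SAMPLES.items()}


if __name__ == "__main__":
    for label, check in (("vulnerable", vulnerable_is_trusted), ("hardened", hardened_is_trusted)):
        print(f"{label:>10}: {evaluate(check)}")
```

Run it and the unanchored check accepts every sample, including the look-alike repo name, the URL on another host that merely carries the trusted path inside its own path, and the host with the dot swapped out. `fullmatch` over escaped literals with an explicit `^...$` rejects all three while still accepting the `.git` form, which is the entire difference between “this repository” and “anything that mentions this repository.”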
… and that’s what happened Last Week in AWS.

