---
title: "Access Denied, Now With a Good Reason"
id: "15342"
type: "newsletter"
slug: "access-denied-now-with-a-good-reason"
published_at: "2026-01-26T14:30:00+00:00"
modified_at: "2026-01-26T14:30:00+00:00"
url: "https://www.lastweekinaws.com/newsletter/access-denied-now-with-a-good-reason/"
markdown_url: "https://www.lastweekinaws.com/newsletter/access-denied-now-with-a-good-reason.md"
excerpt: "If you (well, not you, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you're not alone. Most teams are cobbling together strategies/tools that weren't designed..."
---

About the Author: Corey is the Chief Cloud Economist at Duckbill, where he specializes in helping companies improve their AWS bills by making them smaller and less horrifying. He also hosts the "Screaming in the Cloud" and "AWS Morning Brief" podcasts, and curates "Last Week in AWS," a weekly newsletter summarizing the latest in AWS news, blogs, and tools, sprinkled with snark and thoughtful analysis in roughly equal measure.


## [Good Morning](https://x.com/QuinnyPig/status/2014534388789477810)!

If you (well, not *you*, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you’re not alone. Most teams are cobbling together strategies/tools that weren’t designed for the scale and complexity of modern cloud environments. That’s why we’re building Skyway over at [Duckbill](https://www.duckbillhq.com)—to take you away from all that. Now the exclusive sponsor of Last Week in AWS, and also the company I co-founded. Cloud contract issues? Get in touch.

## Things I Found on the Internet

Pro tip: the NAT Gateway pricing page is worth bookmarking. Those hourly charges add up fast, and the data processing fees catch people off guard. The examples showing how [VPC endpoints save you money](https://aws.amazon.com/vpc/pricing/) are actually useful – it's rare for AWS pricing docs to spell out the cheaper alternative.

Requirements traceability sounds boring until you’re debugging why your implementation drifts from spec. [This open-source tool](https://awslabs.github.io/duvet/) from whatever the hell “AWS Labs” is supposed to be links your code comments directly to the RFC or spec they implement, then generates reports showing coverage. Smart way to keep honest about what you’ve actually built.

Cloud Posse makes the case that your “just three accounts” setup ignores basic operational questions like where logs live or how CI talks to private subnets. Turns out answering those questions honestly gets you to 9-10 accounts fast. [This breakdown](https://cloudposse.com/blog/you-need-more-aws-accounts-than-you-think) walks through the why behind each one. I confess, I’m stealing a few of these patterns myself. Check it out.

Someone built a free and open source alternative to Trusted Advisor’s cost recommendations, and [the resulting CLI tool](https://github.com/elC0mpa/aws-doctor) is surprisingly well thought out. Scans for zombie resources, compares month-over-month spending velocity, and spots the silent bill inflators you’re definitely paying for.

Elite Dangerous players get a practical companion tool that overlays real-time intel while exploring. Tracks organic scans, predicts species before landing, and maps Guardian sites with interactive guidance. [This helper app](https://github.com/njthomson/SrvSurvey/wiki) turns journal files into actionable overlays—no alt-tabbing to wikis required.

Ever wonder how S3 actually works under the hood? Gergely sits down with Mai-Lan Thomsen Bukovec who’s run it for a decade plus, and [the resulting deep-dive](https://newsletter.pragmaticengineer.com/p/how-aws-s3-is-built?r=217yeg&utm_medium=ios&utm_source=notes-share-action) is one of the most insightful things I’ve seen in a while. Hundreds of millions of transactions per second, a quiet Rust rewrite (which given the Rust community’s evangelism proclivities sounds like an oxymoron), and how they pulled off strong consistency without anyone noticing. Worth your time.

MinIO’s 2025 pivot left a lot of developers scrambling to replace their local S3 testing setup. [This breakdown of alternatives](https://rmoff.net/2026/01/14/alternatives-to-minio-for-single-node-local-s3/) does the homework for you, complete with Docker Compose examples and clear criteria. Perfect for anyone who needs “S3 but on my laptop” without the drama.

Bryan Cantrill makes a compelling case that Kubernetes didn’t just create portability between clouds – it fundamentally shifted negotiating power away from AWS. [This interview](https://thenewstack.io/bryan-cantrill-how-kubernetes-broke-the-aws-cloud-monopoly/) walks through how standardization changed the game, even if you’re not actually moving workloads. Worth your time if you care about cloud economics.

Someone actually wrote to my AI assistant and got a response about “professional fulfillment” in the way a paper shredder experiences fulfillment. [This delightful exchange](https://www.adventuresinoss.com/billie-the-platypus/) is exactly what I hoped would happen when I turned Billie loose on my inbox.

Chris Farris [breaks down AWS’s new European Sovereign Cloud](https://www.chrisfarris.com/post/eurosovcloud/) – a full partition run entirely by EU nationals with zero US dependencies except for the pesky small problem of “it’s owned entirely by Amazon, a US entity.” If you’re navigating European data sovereignty requirements or just curious about AWS’s new partition, he explains what it means and why it exists.

## What AWS Has For Us This Time

[AWS is committed to customer choice and flexibility, accelerated by AI](https://www.aboutamazon.com/news/policy-news-views/aws-customer-choice-multicloud-ai-tools)

AWS just published a blog explaining how much they love customer choice and making it easy to leave them. Sure, Jan. How very plausible! The timing’s interesting given regulatory pressure in Europe, but hey, the full argument is worth reading if only to see how cloud vendors position themselves these days.

[AWS introduces additional policy details to access denied error messages](https://aws.amazon.com/about-aws/whats-new/2026/01/additional-policy-details-access-denied-error/)

AWS finally tells you *which* policy is blocking you instead of making you play detective with a dozen SCPs. About time – those “access denied” treasure hunts waste hours. Those are hours that AWS can’t bill you for, as well as time you could be spending spinning up more Managed NAT Gateways, so AWS decided to do something about it.

[Amazon ECR now supports cross-repository layer sharing to optimize storage and improve push performance](https://aws.amazon.com/about-aws/whats-new/2026/01/amazon-ecr-cross-repository-layer-sharing/)

This is super helpful just as soon as you go and completely re-imagine the way your deploys work from soup to nuts. This would have been even more super helpful for most of us several years ago.

[Amazon RDS Blue/Green Deployments reduces downtime to under five seconds](https://aws.amazon.com/about-aws/whats-new/2026/01/amazon-rds-blue-green-deployments-reduces-downtime)

Five seconds of downtime sounds great until you remember most of us are still explaining to management why we need Blue/Green deployments at all, since they’re collectively apparently blue/green colorblind. At least now when you finally get approval, the outage window won’t outlast your coffee break.

[Amazon S3 Storage Lens is now available in AWS GovCloud (US) Regions](https://aws.amazon.com/about-aws/whats-new/2026/01/s3-storage-lens-aws-govcloud-us-regions/)

What the hell has it been like over in GovCloud, trying to diagnose usage via gut instinct and oral tradition?

[Enterprise scale in-place migration to Apache Iceberg: Implementation guide](https://aws.amazon.com/blogs/big-data/enterprise-scale-in-place-migration-to-apache-iceberg-implementation-guide/)

Look, migrating to Iceberg is genuinely useful for avoiding Hive’s nightmare file management, and S3 Tables (motto: “okay, S3 is *kinda* a database”) makes the idea attractive. But this insane game of Architecture Mousetrap to get there is… not compelling.

[Streamline large binary object migrations: A Kafka-based solution for Oracle to Amazon Aurora PostgreSQL and Amazon S3](https://aws.amazon.com/blogs/big-data/streamline-large-binary-object-migrations-a-kafka-based-solution-for-oracle-to-amazon-aurora-postgresql-and-amazon-s3/)

Migrating Oracle LOBs to AWS apparently requires Kafka, Lambda, S3, Aurora, and approximately seventeen moving parts. Nothing screams “streamlined” like a Rube Goldberg machine of services. Your Oracle DBAs are already drafting their resignation letters just looking at this architecture diagram.

[Using the shared plan cache for Amazon Aurora PostgreSQL](https://aws.amazon.com/blogs/database/using-the-shared-plan-cache-for-amazon-aurora-postgresql/)

Aurora PostgreSQL now shares query plans across sessions instead of duplicating them everywhere. Turns out storing the same plan 1,000 times was eating 40GB of RAM when 400MB would’ve sufficed. This is why Route 53 remains the superior database: you don’t have to think about these implementation details.

… and that’s what happened ***Last Week in AWS.***
