Good Morning!

This week’s issue is sponsored by Stwipe.com, my own implementation of infrastructure payments for toddlers. My personal favorite part is how the juice box drains as you scroll. No, the product isn’t real, but that likely won’t stop it from raising a giant pile of money based on vibes.

Things I Found on the Internet

Real data on what AWS practitioners actually love and hate. SNS takes the crown again, Beanstalk gets the boot, and the under-25 crowd apparently isn’t picking AWS at all. The 2026 Answers for AWS survey results from Peter Sankauskas are out, and the JSON is yours to slice up.

Aurora DSQL pricing has that special AWS quality where you read the docs three times and still aren’t sure what you’ll owe. Farid did the math so you don’t have to, and this breakdown of DPU costs is the cheat sheet I wish AWS had published themselves.

Six hours, eight cents, and one uncomfortable finding: VPC mode without Route 53 Resolver DNS Firewall still leaks. This hands-on verification of the Unit 42 AgentCore disclosure also catches that PUBLIC and SANDBOX are distinct modes, despite every vendor writeup conflating them. Worth a read before you trust “isolated.”

Mitchell Hashimoto’s heartfelt breakup letter in announcing Ghostty’s departure from GitHub is the rare goodbye post that’s actually about something. 18 years of daily use, ended by Actions outages eating hours per day. If you’ve felt the platform decay too, this one will hit.

What AWS Has For Us This Time

AWS Management Console now supports settings to control service and Region visibility – AWS

Hiding services from the console is the cloud equivalent of putting child locks on the liquor cabinet. It won’t stop anyone determined to spin up SageMaker in us-west-2, but it might reduce the number of “what is this $400 charge” Slack messages by a comforting margin. IAM still does the actual work, obviously. I sure wish there was a good way to only list S3 buckets that a principal has access to, but maybe by 2035.

Amazon CloudWatch adds visual agent configuration to the EC2 console

Hand-editing CloudWatch agent JSON has been a rite of passage for ops engineers since roughly the Bronze Age, so naturally AWS waited until 2026 to add a GUI. The good news: it’s free. The bad news: every metric, log, and trace it makes easier to collect will absolutely not be.

AWS Announces Amazon Connect Decisions

Naming a supply chain AI product “Amazon Connect Decisions” when Amazon Connect is the contact center service? Bold move. Somewhere, a poor SA is explaining to a confused customer why their call center won’t forecast inventory. Thirty years of Amazon operational science apparently didn’t include “checking if the name was already taken, and if so, are they at least targeting the same buyer persona?”

Amazon Connect Talent for AI-powered hiring (now available in Preview)

Amazon, the company famous for its warm and humane hiring practices, would now like to sell you the AI that conducts your interviews. Beware: they don’t mention the part where, if the candidate is sitting in any number of jurisdictions like New York City, use of an AI hiring tool requires disclaimers and work that the terms of service put squarely on you. How customer obsessed!

Introducing Amazon EC2 R8in and R8ib instances

Two more entries in the EC2 alphabet soup, and AWS still can’t decide if “in” means network or “I’m not sure.” 600 Gbps of network bandwidth is impressive, though, assuming you have a workload that needs it and a budget that survives it. Pour one out for whoever maintains your instance type spreadsheet.

Amazon OpenSearch Service now supports index-level encryption

Per-index KMS keys on OpenSearch, because apparently one encryption key per domain was insufficient granularity for your compliance auditor’s fever dreams. The feature itself costs nothing, which is adorable until you remember KMS charges per key per month. Multi-tenant SaaS folks rejoice; your KMS bill is about to get interesting.

Amazon Redshift Serverless AI-driven scaling is now the default for new workgroups

Opt-out AI is the new opt-in, apparently. The price-performance slider remains my favorite piece of AWS UI theater: drag it toward “cost” and watch your bill go up anyway, just more slowly. Lower entry at 8 RPU is useful, which I’m contractually obligated to mention before resuming skepticism.

AWS Cost Optimization Hub now supports CSV download

Twenty years into AWS, and we’re celebrating the revolutionary ability to click a button and get a CSV file. Truly, we live in an age of wonders. Now your FinOps team can email spreadsheets of ignored recommendations to executives who will also ignore them, but in Excel format. Progress!

AWS KMS now tracks last usage of all KMS keys

Only took a decade for KMS to surface “when did anyone last touch this key” without a CloudTrail spelunking expedition. The condition key blocking deletion of recently-used keys is useful, which means somewhere in Seattle, a PM is being congratulated for inventing the concept of metadata. Your $1/month-per-key graveyard thanks you.

AWS Lambda adds support for Ruby 4.0

Both remaining Ruby developers will be thrilled. The runtime ships with structured JSON logs and configurable log levels, which is great if you enjoy paying CloudWatch Logs ingestion fees in increasingly granular formats. Support runs until 2029, by which point AWS will probably have invented Ruby 4.0 Express Edition Tiered Savings Plans.

AWS Marketplace Management Portal now supports bank account deletion

Yeah, no shit.

Amazon Bedrock now offers OpenAI models, Codex, and Managed Agents (Limited Preview)

The frenemies-to-lovers arc continues. OpenAI models on Bedrock, Codex with AWS credentials, and you can burn your EDP commitment on it.

Amazon CloudFront now supports invalidation by cache tag

Tagging cached objects so you can invalidate them in groups: a feature CDN competitors shipped roughly when dinosaurs roamed the earth. The catch? Each cache tag is priced as one path, so AWS found a way to monetize the convenience of not tracking individual URLs yourself. Innovation!

Introducing Amazon EC2 C8ine and M8ine instances

Pronouncing these instance names out loud sounds like a cry for help. “See-eight-eye-en-ee” rolls off the tongue right after you’ve given up on life. Network-optimized for firewalls and 5G UPF workloads, which is great if you’re a telco, and confusing if you’re literally anyone else.

Identifying security risks using AWS Cost and Usage Report data

Using your AWS bill as a security tool is peak cloud economics: the only system guaranteed to notice when something’s wrong, because someone’s getting charged for it. Your CUR detected the breach three weeks after it happened, but hey, at least the invoice was itemized. Security through accounting: truly we live in the future.

Amazon Q Developer end-of-support announcement

Remember Amazon Q Developer? The rebrand of CodeWhisperer? It’s being sunset for Kiro, because nothing says “trust our roadmap” like killing your second AI coding tool in three years. Pour one out for the ops folks who just finished their procurement paperwork. The third time’s the charm, surely.

Building Inspection Intelligence with AWS Spatial Data

Treating building photos as spatial data instead of “a folder named final_FINAL_v3 on someone’s laptop” is genuinely useful. The catch: you’re now paying for S3, SageMaker endpoints, REST APIs, and an integration layer to detect that your façade is cracking. So is your AWS bill, probably for the same reason.

Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912)

The first two of the (eleven? What the hell is going on?) CVEs this week hit Ops Wheel. Turns out the tool your team uses to decide who runs standup also skipped verifying JWT signatures entirely. Anyone with the API Gateway URL could spin the wheel of tenant data deletion. Patch it, or at least hide it behind WAF before someone randomly selects your production database for termination. I love this tool so much.

Issues in tough library and tuftool CLI utility

Three CVEs in the library literally named “tough,” which turns out to be less tough than advertised. The update framework needed an update. No workarounds exist, so upgrade to tough 0.22.0 and tuftool 0.15.0 before someone writes a CVE with your name attached to it.

CVE-2026-7191 – Arbitrary Code Execution via Sandbox Bypass in QnABot on AWS

Turns out the npm package literally named “static-eval” wasn’t quite as static as advertised. Who could have foreseen that shipping a JavaScript expression evaluator into a Lambda fulfillment context might end poorly? Patch to 7.3.0, because there’s no workaround, just the cold comfort that exploitation requires admin access you’ve presumably already overprovisioned.

Issue with FreeRTOS-Plus-TCP – MAC Address Validation Bypass and ICMP Echo Reply Integer Underflow

Two fresh CVEs in FreeRTOS-Plus-TCP, including a MAC validation bypass that lets adjacent devices pretend to be you. Spare a thought for the embedded engineers who now get to push firmware updates to a fleet of devices last touched in 2019 by an intern who’s since become a dentist.

CVE-2026-7424 – Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP

Integer underflow in a DHCPv6 parser, requiring a hardware reset to recover. Wonderful news for the IoT thermostat embedded in someone’s drywall. The workaround is “just disable DHCPv6 and configure IPv6 by hand,” which is the security equivalent of suggesting you walk to work because your car’s brakes are recalled.

Issue with FreeRTOS-Plus-TCP – IPv6 Router Advertisement Memory Safety Issues

Two memory safety bugs in FreeRTOS-Plus-TCP’s IPv6 Router Advertisement parser, exploitable by anyone on your local network with no auth required. The good news: there’s a patch. The bad news: you have to find every embedded device running this stack and update it, which is to say, you’ll be doing this until 2034.

… and that’s what happened Last Week in AWS.
