Good Morning!
Today is my birthday, so if you want to get me a present please log into your AWS account and turn off a Managed NAT Gateway.
Now then: hoo boy has there been a lot of bustle around the destructive AI prompt published in Amazon Q extension. I’ve had a number of very interesting conversations with AWS since this dropped, and can say that by far the worst part of the entire debacle is how they handled talking about it. There’s more information coming this week, but at this point I’m of the opinion that the most insidious threat facing AWS is their entire strategy around how they communicate to customers (particularly in crisis situations), because their entire approach to messaging is damned near catastrophic. Their security teams, as ever, excel at reminding me just how very, very capable they are.
As always, there’s a podcast version of this newsletter: The AWS Morning Brief. This week, there’s a very special guest you want to listen to a specific item for. Read on, you’ll see what I mean.
From the Community
If you like what you hear about AWS’s Kiro IDE but are stuck in a waitlist, here’s a tool to bring its spec workflow to Claude Code.
I couldn’t help but reflect on an email I got from Google telling me my Workspaces cost was going up "due to the additional value provided by AI" when I read that one in six US workers pretends to use AI to please bosses. Stop trying to shove AI down my throat. If users aren’t adopting it, have you stopped to consider that perhaps what you’re selling sucks?
This is an amazing explanation of IO devices and latency from PlanetScale.
This security overview of API Keys for Bedrock is well written, and highlights that there’s now yet another AWS long-lived credential to be aware of.
Y’know what happy employees do when they feel respected, engaged, and taken care of? They don’t leak internal documents to Business Insider.
Laid-off AWS employees describe the cuts as ‘cold and soulless’, and my heart goes out to them, but… I’m sorry, has any story over the past 30 years led you to the impression that Amazon would be particularly touchy-feely while showing employees the door? You knew what the scorpion was when you picked it up. And I am in fact sorry for the way you were treated—I’ve been saying for many years now that Amazon employees deserve far better than they get.
AWS, flabbergasted at having built a developer tool that people actually like, is struggling to meet demand. Kiro has a waitlist, and is raising awkward questions around AWS, its ability to scale, and exactly how big a flop they expected this thing to be, given that it’s still wheezing to catch up weeks post-launch.
Podcasts
Last Week In AWS: A Fantastic Service Gets Better, Somehow
Screaming in the Cloud: Betting on AI: The Delusion Driving Big Tech
Choice Cuts
Launching Amazon CloudWatch generative AI observability (Preview) – "Hey there, I’m GenAI, and I hallucinate everything." "Hi, I’m CloudWatch and I hallucinate new insane metric dimensions near-constantly. We should hang out!"
Amazon CloudWatch adds IPv6 support – "Okay, we finished charging as much as we’re likely to be able to get per IPv4 address, you can go ahead and roll out the IPv6 support now." This scenario probably didn’t happen, but… if it did, would you really be that surprised?
Boost cold-start recommendations with vLLM on AWS Trainium – I’ve been looking around for a while trying to find out where the Trainium chips are being deployed. AWS sure talks about them an awful lot, but no customers I talk to are using them. At last the mystery is solved: all of the Trainium chips are in architecture diagrams.
AWS Private CA now supports issuing up to 100 million certificates per CA – This is huge news for folks who want to secure IoT fleets, run huge numbers of ephemeral microservices, or give every citizen of Spain a pair of certificates as a commemorative keepsake.
Amazon Connect announces per-day pricing for external voice connectors – This is great for things like telethons, or "our CEO said something truly unfortunate into an open mic and now all the customers are calling us to cancel."
Amazon RDS for Db2 adds support for group-based authorization with self-managed Active Directory – This is roughly equivalent to successfully teaching your great-grandfather how to use a rotary phone to call your other great-grandfather. DB2, for those blissfully unaware, is IBM’s database that was already considered a legacy system when the Berlin Wall was still standing. "Feature" requests for this platform are almost exclusively in either one of two camps: "please, give me a different database" or "please, put me out of my misery." This is like watching someone install CarPlay in a Model T Ford: it’s wildly technically impressive and also utterly pointless.
Manage multi-tenant Amazon Bedrock costs using application inference profiles – This is the real problem with the venerable AWS billing system. It’s a technological wonder, but it’s slow—too slow for this use case. Therefore the solution uses CloudWatch, which is its own, completely separate bucket of awful. Meanwhile I had to track down a runaway Lambda the other day that was spiking my Anthropic bill; their per-API-Key cost display was near-realtime, and I had it sorted in less time than it takes to read the linked solution.
Simplify serverless development with console to IDE and remote debugging for AWS Lambda | AWS News Blog – This is a big deal. I am so, so very tired of having to redeploy new packages every time I change a single line in a Lambda function, only to have it fail because I’m also so, so very tired of not knowing what a linter is or when one might use one.
AWS Generative AI for Developers Professional Certificate – This is a certificate, not a certification, which basically distills down to you getting AWS’s Seal of Approval For Being A Very Special Boy to put on your résumé.
Simplify AWS Organization Tag Policies using new wildcard statement – When they pointed the James Webb Telescope at an empty patch of sky, they discovered that no matter where they pointed the thing, the view was completely full of stars. I used to think the configuration for AWS services outside of IAM policies was likely empty, but nope; that’s about to be full of stars, too.
Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84) – As of this writing there’s been one update here. There needs to be at least one more, because the way it currently stands gives a remarkably unfair-to-AWS’s-excellent-security-teams impression that I’m firmly convinced isn’t accurate.
Cost Optimization Hub now supports account names in optimization opportunities – This is amazing. Please bring it to various account specific emails next. YES I AM FULLY AWARE THAT A LAMBDA RUNTIME VERSION IS DEPRECATING THANK YOU.
Year One of Valkey: Open-Source Innovations and ElastiCache version 8.1 for Valkey – Year One of Valkey was reached three months ago. Having used Valkey, this is by a landslide the slowest thing I have ever heard of touching it, because it’s fiendishly fast.
test01 – What the… why would? Okay, this is where I want to interject and suggest you go listen to the audio version of this newsletter specifically for this item. This is one of the better things I’ve done in a while, and it’s exclusively for those of you listening to the podcast. I assure you, you’ll not be disappointed.
AWS Security Incident Response: The customer’s journey to accelerating the incident response lifecycle – I am but a humble Cloud Economist, not an expert in Corporate Communications or Marketing. That said, it seems to me that it’s probably a poor idea to publish a post like this one day after your company’s security fumble led to code execution on customer endpoints. At least give it a news cycle first?
AWS Service Reference Information now supports actions for last accessed services – This gives information about IAM Access Analyzer’s supported IAM actions in a programmatic way so you can IAM while you IAM.
Five facts about how the CLOUD Act actually works | AWS Security Blog – Did you know that the largest mustelid ever known is the prehistoric Megalictis, which existed in North America during the Miocene period? It was a ~200 pound, jaguar-sized weasel/ferret that went extinct about 18 million years ago. We’ll come back to that. In this post, AWS is being very careful about what they’re saying and what they’re not saying—and it stinks of bullshit. Let’s break it down. They keep emphasizing “enterprise or government customer content data stored outside the US”, which leaves the door open for consumer / smaller business corporate data, data stored inside the US, and/or metadata. They hedge a lot about the technical capability to comply with US government requests, ignoring the real question: "If Andy Jassy walks into the room and demands Customer X’s data, will you give it to him?" Further note the careful phrasing they use when they emphasize “since 2023, most law enforcement requests that AWS receives come from authorities outside of the United States.” This deflects from US government requests by highlighting foreign ones, while not actually saying anything reassuring about US requests. They describe all their procedural protections (redirecting to customers, challenging requests, etc.) but notably don’t say these procedures have actually prevented disclosures—just that they haven’t disclosed one very specific category of data. And to that end, their statistic is so narrowly crafted (enterprise/government, outside US, since 2020) that it’s almost meaningless. It’s like saying “we’ve never sold red cars on Tuesdays”—technically true but suspiciously specific. They also compare themselves to OVH, which has a completely different corporate and technical architecture specifically built from the ground up to address this concern. They’re essentially admitting compliance with government requests while trying to sound reassuring through extremely careful language boundaries. This brings us back to Megalictis. It turns out that the giant weasel did not in fact go extinct, but is instead alive and well at AWS writing blog posts like this one.
Bob’s Used Books: Build a .NET Serverless Application on AWS, Part 1: Deployment and Setup – Bob’s Used Books is the perfect AWS sample project: unrealistic, overengineered, and firmly convinced that despite building on a full Microsoft stack you’re somehow going to insist that every part of the yak is an AWS service.
Amazon EC2 now supports skipping the operating system shutdown when stopping or terminating instances – At long last, we get the API equivalent of tearing the power cable out the back of the server rack like you’re rip-starting a lawnmower. It’s time for Dewey the Data Center Technician to get some cloud certs.
New whitepaper available: AICPA SOC 2 Compliance Guide on AWS – I tried to use this as a bedtime story for my daughters, put myself to sleep, and woke up to find they had done my nails in some lovely pastels.
Why 2025 is the Inflection Point for AWS Cloud Migration – This blog post 404s because they forgot that 2025 was already pre-booked to be the year of the Linux Desktop instead.
Beyond IAM access keys: Modern authentication approaches for AWS – This post IS NOT WRONG. However, every single approach they list in this article serves to increase the friction between a developer and achieving what they’re actually using AWS to do. There needs to be a massive authentication rethink at AWS, because their current approach has become untenable. "Be secure or actually do your job" is a terrible choice, and we’ve seen what developers (understandably!) choose when on a deadline.
Introducing SRA Verify – an AWS Security Reference Architecture assessment tool – "The AWS SRA is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment." I’m sorry, the full complement? To review, that’s apparently Control Tower, GuardDuty, IAM Access Analyzer, a bunch of AWS Config settings, Detective, Firewall Manager, Security Hub, Inspector, and Macie. I’m sure I’m missing a couple in there somewhere. This is really inefficient, so here’s what you do instead: call up your AWS account manager, and buy them a house. It’s way faster, and will achieve financial break-even by month 3.
Supercharging Ad Creative with Amazon Bedrock and Amazon Nova: How AI is Revolutionizing Content Generation for Advertising & Marketing Use-Cases – At long last, AWS has found a way to automate the production of shitty ad copy so nobody ever again has to suffer the indignity of hiring a writer with taste. "Wait," you might reasonably think. "Why is AWS well positioned to do this?" In response to that, I challenge you to dream bigger. Who better to lead the creative revolution than the cloud provider whose idea of "compelling storytelling" is a 5000-word product announcement that somehow forgets to mention what the product does? This isn’t revolutionizing creative work, it’s euthanizing it and stapling an AWS logo to the corpse. And not the good AWS logo of yesteryear, the boring monotone smirk one they’re using now.
Building resilient multi-tenant systems with Amazon SQS fair queues – Okay, I’d like to speak with the first company to implement the new SQS Fair Queueing system in a multi-tenant architecture, but who also offers customers their own private queue in return for more money. If this is you, please reach out.
How Truth For Life transformed its viewer analytics while optimizing costs – It’s heartwarming to see a Bible ministry embrace AWS, the only cloud provider where your faith will absolutely be tested.
… and that’s what happened Last Week in AWS.