Good Morning!

I’m at KubeCon this week, giving a very public talk about cloud native as a form of vendor lock-in. Surely this will not upset anyone. If you’re also in Atlanta, say hi!

From the Community

Tata Motors gives us a master-class via counter-example in how not to handle our API keys, along with threat response.

I once again have published a screed on The Register: How AWS is losing the younger generation with complexity.

You have many things you don’t need in your life, among them NAT Gateways.

Apparently one of AWS’s big concerns about their data center water usage at one point was how to keep the public from finding out.

After the third time a customer’s account was shut down for no clear reason, I’m starting to wonder if my "Google Cloud has the best developer experience" talking point needs an asterisk next to it.

Podcasts

Last Week In AWS: APIs to Tell You What You Already Paid For

Choice Cuts

AWS PrivateLink now supports cross-region connectivity for AWS Services – Cross-region PrivateLink is genuinely useful for compliance scenarios, but let’s not pretend this couldn’t have shipped years ago. Now you get to pay PrivateLink fees AND cross-region data transfer charges. Your network architect is thrilled; your finance team less so. Meanwhile, I’m weeping as I have to yet again update my data transfer calculator.

AWS announces new partnership to power OpenAI’s AI workloads – Fascinating how AWS suddenly has half a million GPUs lying around just when their biggest competitor needs capacity. The $38B price tag suggests OpenAI’s electricity bill alone could fund a small nation’s GDP—but sure, let’s call this a "partnership" instead of what it really is: AWS monetizing Microsoft’s AI arms race. Now that they’re the last hyperscaler to sign a giant deal with OpenAI, it’s a near certainty that the model factory is structurally too big to fail.

Prompt engineering with PartyRock: A guide for educators – AWS discovered educators exist and decided PartyRock (their AI playground that requires users to be 18+) is perfect for K-12 classrooms. The cognitive dissonance is chef’s kiss. At least the guardrails might prevent students from accidentally teaching the AI to write their essays while technically "learning prompt engineering."

New whitepaper available – AI for Security and Security for AI: Navigating Opportunities and Challenges – AWS partnered with SANS to produce a whitepaper about AI security risks—you know, the ones they’re actively profiting from by selling you the AI services that created those risks in the first place. Nothing screams "we’ve got your back" like monetizing both the problem and the solution.

CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 – runc container issues – AWS patched runc vulnerabilities across a dozen services, but here’s the kicker: "AWS does not consider containers a security boundary." Translation: if you’re relying on containers to isolate your stuff, that’s a you problem. At least the fixes are free. Small mercies…

Amazon CloudWatch Application Signals adds AI-powered Synthetics debugging – AWS effectively admits their synthetic monitoring alerts are so cryptic you need an AI to translate them. Instead of fixing the root cause (unclear error messages), they’ve wrapped it in LLM buzzwords and called it innovation. Your canary’s still dead, but now ChatGPT can explain why in excruciating detail.

Inside Amazon Connect: The evolution of a disruptor – AWS hits $1B revenue on a contact center product and writes a blog post so self-congratulatory it reads like they’re nominating themselves for sainthood. Meanwhile, competitors are quietly wondering if those "12 billion AI-optimized minutes" are actually just glorified IVR menus with better marketing.

How Indeed scaled Governance across 1,000+ AWS accounts with AWS Trusted Advisor – Indeed discovered 44% of their RDS instances were idle—costing them actual money while doing literally nothing. Turns out when you give teams 1,000+ AWS accounts with zero oversight, they rack up bills like it’s Monopoly money. At least they’re making lemonade by turning their expensive lesson into a case study.

Improper authentication token handling in the Amazon WorkSpaces client for Linux – Local privilege escalation via token leakage? This feature sucks! Wait, it’s not a feature, it’s a fundamental auth failure. Two years of shipping broken token handling suggests nobody was actually reviewing the Linux client code. Patch immediately, then ask why this took until 2025 to fix.

How Omnissa saved millions by migrating to Amazon RDS and Amazon EC2 – Broadcom jacked up VMware prices so high that rearchitecting thousands of instances across ten regions became the cheaper option. That’s not a customer success story, that’s a hostage negotiation with a happy ending.

The Swift AWS Lambda Runtime moves to AWSLabs – Seven years of community work, now conveniently branded as AWS innovation. The runtime’s good; note that Swift really does crush Lambda cold starts. I will say though: watching AWS adopt successful open source projects after the heavy lifting is done never gets old.

CVE-2025-12815 – RES web portal may display preview of Virtual Desktops that the user shouldn’t have access to – Nothing says "secure research environment" like accidentally livestreaming your colleague’s desktop to whoever bothers to check. I’m just surprised they didn’t market this as a free show for authenticated users with curiosity and zero boundaries.

From Business Logic to Working Code: How AWS Kiro Changes Who Can Build – AWS discovered "low-code" exists and slapped Bedrock on it. Note that Kiro launched as simply "Kiro," but now that it’s a hit AWS can’t wait to slap their name on it and enthusiastically hug it to death like the corporate Lennie they’ve become.

Tools

I was baited on the internet, so I quickly bullied a robot into creating yeet. The commit messages are exactly as unhinged as you would expect from said robot.

… and that’s what happened Last Week in AWS.
