Good Morning!
This week I’ll be kicking around Moscone in San Francisco (hey, the first week in a month where I’m not flying someplace inconvenient!) for AI.engineer’s Worlds Fair, so if you’re around say hello.
Things I Found on the Internet
This time it wasn’t even LastPass’s own systems, but a market research vendor that integrates with Salesforce. The vault encryption held, the contact data didn’t. If you’re keeping a running tally of LastPass breaches, grab another tally mark and maybe a different password manager.
Amazon deprecated CloudTrail Lake and told everyone to “explore CloudWatch,” which Aidan Steele did, to his lasting regret. His write-up details the missing tag enrichment, the eight-hour ingestion lag, and the $50 in AI credits it took him to find the magic words “service-linked channel.” A fan’s disappointment, is palpable here—and I agree! I’ve been using CloudTrail Lake, advocating for it to customers (you pay up front for up to seven years of storage, it’s a great way to enforce good behaviors!), and now I feel like an idiot for doing so. I’ll be more circumspect the next time I recommend an AWS service,.
Someone added scrypt, TOTP, and a hash-chained audit ledger to my friend’s single-user localhost job application tracking list, then noted anyone with filesystem access can still copy the whole database. Me. That someone is me. The most over-secured to-do app in its weight class: all pure stdlib, zero new dependencies, and you’re enrolled in 2FA whether you asked or not. Better shitposting, now via pull requests.
Om Malik wrote about technology the way few people manage: with curiosity, taste, and an eye for the human underneath the hype. His photography was lovely, too. The tributes pouring in tell you everything about the man. We’re poorer for losing him. Go read his work.
Amazon’s security VP makes a uncomfortable case: humans rubber-stamping AI approvals get sloppy fast, same way ER nurses tune out beeping monitors. The normalization of deviance argument is hard to dismiss, even if “trust the agents” is exactly what you’d expect a cloud vendor to want you believing.
What AWS Has For Us This Time
Amazon CloudWatch launches OTel Container Insights for Amazon EKS
Embracing OpenTelemetry while routing every metric through CloudWatch’s billing meter is a special kind of “open.” Thirty-second granularity sounds great until you do the math on what “per metric, per region” means at cluster scale.
Amazon GuardDuty AI-powered investigations accelerate threat response (Preview)
Bolting AI onto GuardDuty to triage the alerts GuardDuty generates is a beautiful closed loop of monetization. The same service that floods your console now charges to interpret the flood.
Amazon Route 53 Global Resolver now supports sharing DNS Views between AWS Accounts
Cross-account DNS sharing without ownership transfer, controlled through RAM permissions that come in three flavors of “how much rope do you want to hand the consumer team.” Shockingly it’s free, but my sympathies to whoever debugs the cross-account monstrosity this turns into.
Automate AWS Invoice Retrieval with New Programmatic APIs
An API to download the invoices documenting how much they charge you, free of charge. The generosity is staggering. Finance teams have spent years clicking through hundreds of payer accounts like it’s 2009, the post admits this, but somehow presents it as “innovation” rather than “dreadfully, painfully late.”
Run isolated sandboxes with full lifecycle control: AWS Lambda introduces MicroVMs
Lambda runs on Firecracker microVMs. Now Lambda offers… microVMs. Years spent insisting servers were a relic, and the fix for running untrusted AI-generated code is apparently a virtual machine you control the lifecycle of. Reinventing EC2 one primitive at a time, except this one pauses to a “low idle cost.” Define low. Because you’ve utterly failed at defining “serverless.”
Upgrading Lambda function runtimes at scale with AWS Transform custom
Until Lambda / Transform do this natively under the hood instead of spamming me with 60K emails every time a runtime deprecates, I truly do not want to hear from this team. It’s your deprecation mess; either Transform is good enough to solve this for customers, in which case do it already, or it isn’t and you’re just blathering for your own marketing purposes. Put up or please, shut up.
Huntington Bank: Redacting sensitive data from 400M+ documents with AWS
A 95% accuracy target for redating Social Security numbers means roughly one in twenty slips through, which is comforting for a top 10 bank. Five AWS services stitched together to scrub data that should never have piled up unredacted for a decade. Compliance: we’ve heard of it.
Open Governance for MySQL: A Step Forward for the Community
Oracle granting outsiders four whole Steering Committee seats while keeping the majority is the corporate equivalent of letting your kids vote on dinner, then ordering what you wanted anyway. Still, an actual GitHub presence after fifteen years is progress, albeit glacial. AWS applauds loudly, having already forked Redis the moment licensing got inconvenient. Pretty sure Oracle isn’t gonna like what happens here if they start backsliding on their commitment.
How AWS and a local community organization built a developer engagement model that works
A “collaborator, not a sponsor,” which is corporate for “we still want the logo on the banner, just don’t call it that.” Credit where due: fifty-four people building actual apps beats another slide deck. The blog post’s real purpose, though, is teaching AWS teams to harvest user groups at scale.
Modernizing border control with digital arrival cards on AWS Cloud
Replacing a paper form you fill out on the plane with a fourteen-service AWS architecture, complete with SageMaker doing “AI-enabled risk assessments” on your customs declaration. The “one traveler, one declaration” model meets “one government, infinite Aurora instances.” Somewhere a border agent who just wanted a stamp is reading the EKS docs.
Prevent data exfiltration: AWS egress controls for cloud workloads
Worried about data leaving your network? AWS suggests preventing exfiltration with a hub-and-spoke architecture, Transit Gateway, Network Firewall, DNS Firewall, and VPC endpoint policies. Each one billing separately, naturally. Securing your egress now costs more than the data being stolen. The real exfiltration was apparently the line items we met along the way?
Locking the console door to public Wi-Fi: useful, free, and roughly a decade overdue. The fun part is the “designated principal” who keeps access from anywhere, because nothing says compliance like building a deliberate bypass into your network perimeter. Don’t lose that ARN, or enjoy explaining the lockout to your CISO when your corporate ISP pulls a maintenance and changes your IP address.
A new way to keep your AWS Certification current – Skipping the exam by grinding through Skill Builder labs sounds great until you remember Skill Builder requires a paid subscription. So your “free” recertification path is free the way airport WiFi is free: after you’ve already paid for something else. Still beats a testing center appointment and the existential dread.
CVE-2026-12957 and CVE-2026-12958 – Issues in Language Servers for AWS and Amazon Q Developer Plugins – Your AI coding assistant now executes arbitrary commands from any workspace you open, which is one way to ship features faster than you intended. Two CVEs, no workarounds, and the only fix is upgrading the thing meant to help you. Thank Wiz, who keeps finding the bugs AWS’s robots miss.
… and that’s what happened Last Week in AWS.

