---
title: "S3 Gets Vectors, CloudFront Gets SHA-256, You Get the Bill"
id: "15333"
type: "newsletter"
slug: "s3-gets-vectors-cloudfront-gets-sha-256-you-get-the-bill"
published_at: "2026-04-06T13:30:00+00:00"
modified_at: "2026-04-06T13:30:00+00:00"
url: "https://www.lastweekinaws.com/newsletter/s3-gets-vectors-cloudfront-gets-sha-256-you-get-the-bill/"
markdown_url: "https://www.lastweekinaws.com/newsletter/s3-gets-vectors-cloudfront-gets-sha-256-you-get-the-bill.md"
excerpt: "If you (well, not you, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you're not alone. Most teams are cobbling together strategies/tools that weren't designed..."
---

About the Author: Corey is the Chief Cloud Economist at Duckbill, where he specializes in helping companies improve their AWS bills by making them smaller and less horrifying. He also hosts the "Screaming in the Cloud" and "AWS Morning Brief" podcasts; and curates "Last Week in AWS," a weekly newsletter summarizing the latest in AWS news, blogs, and tools, sprinkled with snark and thoughtful analysis in roughly equal measure.


## [Good Morning](https://x.com/QuinnyPig/status/2039829406559117788)!

If you (well, not *you*, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you’re not alone. Most teams are cobbling together strategies/tools that weren’t designed for the scale and complexity of modern cloud environments. That’s why we’re building Skyway over at [Duckbill](https://www.duckbillhq.com)—to take you away from all that. Now the exclusive sponsor of Last Week in AWS, and also the company I co-founded. Cloud contract issues? Get in touch.

## Things I Found on the Internet

Turns out you can’t just announce a data center into existence. [Nearly half of US data centers planned for 2026](https://futurism.com/science-energy/data-centers-construction-supply) are getting delayed or canceled because nobody stockpiled enough transformers and circuit breakers. The supply chain for boring electrical components is the actual bottleneck choking the AI buildout. Who knew infrastructure required, y’know, infrastructure.

Half the internet threw this at me last week: someone looked at DNS TXT records and thought “yeah, I can run DOOM on that.” [Doom Over DNS](https://github.com/resumex/doom-over-dns) splits the entire shareware WAD into ~1,964 TXT records on Cloudflare’s free tier, then reassembles and plays it purely from PowerShell DNS queries. Nothing touches disk. The RFC 1035 authors are spinning in their office chairs and I am here for it.

Someone built a Claude Code skill that roasts your code with substance-backed snark, and they explicitly cite me as the inspiration. I’m honestly flattered. The philosophy is right: [snark-driven-development](https://github.com/voldemortensen/snark-driven-development) only works when every joke carries a real technical point. The “never punch down” rule earns it extra credit.

A compliance startup allegedly violating a software license is the kind of irony you couldn’t pitch as fiction. Even better: the open source project they allegedly ripped off belonged to a company that was *paying them* as a customer. [TechCrunch’s deep dive into Delve’s meltdown](https://techcrunch.com/2026/04/01/the-reputation-of-troubled-yc-startup-delve-has-gotten-even-worse/) is worth every paragraph.

Security research on AWS privilege escalation is the kind of thing I want more people reading. Thomas Preece’s [deep-dive into CodeBuild and CodeConnections](https://thomaspreece.com/2026/03/23/part-2-aws-codebuild-escalating-privileges-via-aws-codeconnections/) walks through exactly how compromising one service can cascade outward, complete with responsible disclosure and AWS’s response. If you touch CodeBuild, read this before someone else does.

Look, I’m biased here, but [Duckbill is hiring](https://www.duckbillhq.com/careers/?ashby_jid=ee6de749-9214-4772-9280-bc9540174f0a#open-positions) and I think you should know about it. We’re building Skyway, a cloud financial data platform, and we need people who can operate without a playbook. Fortune 500 clients, 100% covered healthcare, and coworkers who are genuinely fun. Come work with us.

Most teams pick a Bedrock model by vibes and price tier, then wonder why results are mediocre. [This writeup](https://www.outcomeops.ai/blogs/youre-probably-using-the-wrong-bedrock-model) ran eight models across five providers on identical RAG context and found Haiku outperforming Sonnet. The takeaway: match the model to the cognitive task, not the invoice. Your wallet will thank you.

I wrote [this piece for The Register](https://www.theregister.com/2026/03/26/aws_would_prefer_to_forget/) about AWS quietly waiving all March charges for me-central-1 and then removing the billing data entirely. Waiving charges after drone strikes destroyed two AZs? Reasonable. Scrubbing the usage records from Cost Explorer like it never happened? That’s a fascinating choice.

Finding out you’re laid off because VPN and Slack stop working before the email even arrives is a special kind of cruelty. [The Register’s coverage](https://www.theregister.com/2026/04/01/laidoff_oracle_workers/?td=rt-3a) captures the human side of Oracle’s latest round of cuts, including a refreshingly honest take from an affected worker on where AI actually replaces people and where it doesn’t.

## What AWS Has For Us This Time

[Announcing Amazon RDS for Oracle on AWS Outposts](https://aws.amazon.com/about-aws/whats-new/2026/03/amazon-rds-oracle-aws-outposts/) – Running Oracle on managed hardware you rented from AWS that lives in your own data center so you can avoid putting your data in AWS’s data center. Bring Your Own License, naturally, because Larry Ellison’s yacht fleet isn’t going to fund itself. Your CFO just fainted and I don’t blame them.

[AWS Direct Connect now supports AWS CloudFormation](https://aws.amazon.com/about-aws/whats-new/2026/03/aws-direct-connect-supports-aws-cloudformation/) – Direct Connect getting CloudFormation support in 2026 is like finding out your local DMV just discovered email. This service has been around since 2012. Fourteen years to let people manage their dedicated network connections as code. I assume someone at AWS finally tripped over a very old Jira ticket.

[AWS Service Availability Updates](https://aws.amazon.com/about-aws/whats-new/2026/03/aws-service-availability/)

Roughly 14 services and features (they’re the same thing, it just depends on the AWS product manager’s ambition) getting the Old Yeller treatment in one blog post is a bold move. RDS Custom for Oracle and WorkMail heading to sunset, App Runner going to maintenance – someone finally checked the usage metrics. Pour one out for WorkSpaces Thin Client, a product I’m genuinely surprised lasted this long. Someone owes me a $300 refund for mine. I’m not kidding.

[Amazon S3 Vectors expands to 17 additional AWS Regions](https://aws.amazon.com/about-aws/whats-new/2026/03/s3-vectors-expands-17-regions/)

S3 Vectors expanding to 17 more regions means your vector embeddings can now experience data sovereignty requirements in 31 exciting flavors. Two billion vectors per index at S3 durability sounds useful, which makes me deeply suspicious about what the pricing page looks like once you start actually querying things.

[Amazon CloudFront now supports SHA-256 for signed URLs and signed cookies](https://aws.amazon.com/about-aws/whats-new/2026/04/amazon-cloudfront-sha-256-signed-urls/) – SHA-1 has been considered broken since 2017, but sure, take your time. At least they made it opt-in with a query parameter instead of just upgrading, because nothing says “security-first” like letting customers keep using deprecated cryptography by default. No additional cost, though, so I’ll save my rage.

[Amazon CloudWatch now supports OpenTelemetry metrics in public preview](https://aws.amazon.com/about-aws/whats-new/2026/04/amazon-cloudwatch-opentelemetry-metrics/)

“Free during preview” is doing a lot of heavy lifting here. CloudWatch finally accepting OTEL metrics natively means you can stop maintaining that janky conversion pipeline you pretend doesn’t exist. Enjoy the honeymoon period before pricing drops and your CFO discovers you’ve been shipping metrics from every microservice known to humanity.

[Announcing compute-optimized instance bundles for Amazon Lightsail](https://aws.amazon.com/about-aws/whats-new/2026/04/lightsail-compute-optimized-instances/) – 72 vCPUs on Lightsail. At that point you’re not using the “simple VPS alternative,” you’re just using EC2 with training wheels and fewer knobs. Someone at AWS looked at customers outgrowing Lightsail and said “what if they simply never left?” Your bill, however, will feel very EC2.

[Announcing managed daemon support for Amazon ECS Managed Instances](https://aws.amazon.com/blogs/aws/announcing-managed-daemon-support-for-amazon-ecs-managed-instances/)

Decoupling daemon lifecycle management from application deployments is one of those things that should’ve existed from day one. Instead, platform engineers spent years coordinating monitoring agent updates across hundreds of services like it was some kind of distributed therapy session. Better late than never, I suppose.

[Leverage Agentic AI for Autonomous Incident Response with AWS DevOps Agent](https://aws.amazon.com/blogs/devops/leverage-agentic-ai-for-autonomous-incident-response-with-aws-devops-agent/) – An “always-available operations teammate” that requires an eligible AWS Support plan; meaning you’re paying for the privilege of having AI do what your 2 AM on-call engineer does, except it won’t passive-aggressively Slack the team about it afterward. MTTR drops from hours to minutes; invoices go from minutes to hours.

[Navigating the NGINX Ingress retirement: A practical guide to migration on AWS](https://aws.amazon.com/blogs/networking-and-content-delivery/navigating-the-nginx-ingress-retirement-a-practical-guide-to-migration-on-aws/) – NGINX Ingress retiring affects roughly half of all Kubernetes environments, and AWS helpfully published a migration guide that ends with “use our load balancer instead.” Shocking twist. Though I’ll admit the guide is actually useful; it’s rare AWS blog posts solve a problem they didn’t create themselves.

[Optimizing data transfer costs when using AWS Network Load Balancer](https://aws.amazon.com/blogs/networking-and-content-delivery/optimizing-data-transfer-costs-when-using-aws-network-load-balancer/) – Nothing screams “we love our customers” like publishing a blog post explaining how to avoid the data transfer charges you designed. Penny-per-gig cross-AZ fees sound trivial until you multiply by petabytes. The fix? Enable zonal affinity, which trades cost savings for uneven traffic distribution. Pick your poison, pay either way.

[AWS Security Agent on-demand penetration testing now generally available](https://aws.amazon.com/blogs/security/aws-security-agent-on-demand-penetration-testing-now-generally-available/)

An AI agent that autonomously pen-tests your apps 24/7 across multicloud environments. What could possibly go wrong? I do love that AWS built a hacking tool that works on Azure and GCP too; finally, a multicloud strategy I can get behind. Your security budget just became AWS’s recurring revenue.

… and that’s what happened ***Last Week in AWS.***
