Good Morning!
If you (well, not you, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you’re not alone. Most teams are cobbling together strategies/tools that weren’t designed for the scale and complexity of modern cloud environments. That’s why we’re building Skyway over at Duckbill—to take you away from all that. Now the exclusive sponsor of Last Week in AWS, and also the company I co-founded. Cloud contract issues? Get in touch.
Things I Found on the Internet
Aidan Steele combined the oldest and newest tech he could think of – faxes and AI agents paying via x402 micro-transactions in USDC. Is there a market for agents sending faxes? Probably not. Does this delightful experiment actually articulate the first crypto use case that makes sense to me? Annoyingly, yes.
Silent failure mode at its finest: rename a GitHub repo, git keeps working, but the CodeBuild webhook quietly evaporates and nothing triggers. Jordan Hornblow’s writeup of this trap includes the Terraform fix and, more usefully, argues you should alert on missing successes, not just failures.
Forrest Brazeal (yes, that Forrest Brazeal, of cloud cartoon and song fame) wrote a novel about a time-travel startup racing to monetize reality itself. Paradox Inc. drops January 2027, and if his track record of skewering our industry is any indication, it’ll be painfully accurate.
A cautionary tale about letting an AI agent run `terraform apply --auto-approve` against production. Alexey’s Claude Code agent nuked 2.5 years of student data, and his honest writeup of how he dropped the production database is the kind of post-mortem the industry needs more of. Learn from someone else’s scars.
What AWS Has For Us This Time
Amazon CloudWatch pipelines now supports configuration of processors via AI
Describe your log processing in plain English and AI writes the config for you. This is awesome, because the real productivity win for AI that AWS is loath to mention is really “you don’t have to spend half a day screwing around with their crappy inconsistent APIs now that the robot can do it for you.”
Introducing the Amazon EKS Hybrid Nodes gateway for hybrid Kubernetes networking
“No additional charge,” they say, conveniently burying the EC2 instances and data transfer fees you’ll need to actually run the thing. Classic AWS move: the feature is free, the infrastructure to use it costs whatever your network team’s sanity is worth. Still, genuine progress for anyone tired of begging their on-prem folks to update route tables, and a footgun waiting to happen for companies that don’t employ anyone who knows what a route table is.
Amazon EKS enhances cluster governance with new IAM condition keys
Seven new IAM condition keys for EKS, which is great news if your idea of a good Monday is writing SCPs to prevent junior engineers from spinning up publicly-accessible clusters encrypted with AWS-managed keys. The platform team rejoices; everyone else discovers their CreateCluster calls now fail for seven exciting new inscrutable reasons, each one giving other teams incentive to pursue a shadow IT strategy.
Attributed Revenue Dashboard Now Available in AWS Partner Central
Partners can finally see exactly how much revenue they’re generating for AWS, which feels a bit like being handed a detailed receipt of the rope you just sold someone to hang you with. Three measurement capabilities consolidated into one dashboard, because apparently counting money required a committee.
AWS Lambda functions can now mount Amazon S3 buckets as file systems with S3 Files
Mounting S3 as a filesystem in Lambda, built on top of EFS. This is the kind of mounting that previously was only observed in barnyards. So we’ve reinvented EFS-for-Lambda, except now the S3 API pretends to be POSIX. Pour one out for the ops engineer who has to explain why their “serverless” function has a mount table. At least it’s “no additional charge,” which in AWS means the bill arrives via S3 request pricing instead.
Amazon CloudWatch Logs Insights introduces JOIN and sub-query commands
CloudWatch Logs Insights “isn’t a database” but it supports JOIN. Sure, Jan. It doesn’t support UNION because Amazon kept reflexively firing everyone who uttered the word.
AWS Lambda Durable Execution SDK for Java GA
Lambda functions that can pause for up to a year waiting on external events. It now works in Java, where “spending a year waiting on external events” is a cultural norm. Nothing says “serverless” quite like a workflow that outlives your employment at the company that wrote it. Step Functions is presumably off in the corner, quietly updating its resume. Java developers rejoice: your checkpoints are now someone else’s problem.
Amazon S3 Express One Zone now supports S3 Inventory
Two and a half years after S3 Express One Zone launched, it finally gets Inventory support. Turns out listing objects in your premium-priced storage class required premium-priced patience. The good news: you can now audit encryption status. The better news: you’ll need the report to remember what you’re paying for.
Amazon S3 now supports five additional checksum algorithms
Ten checksum algorithms for S3, because five wasn’t enough decision fatigue for your Tuesday morning. MD5 finally arrives in 2026, which is adorable given it’s been cryptographically broken since roughly the Bush administration. At no additional cost, which is the AWS equivalent of finding a twenty in last winter’s coat pocket.
AWS Secrets Manager extends managed external secrets to MongoDB Atlas and Confluent Cloud
Rejoice: you can now stop maintaining those artisanal Lambda rotation functions you cargo-culted from a 2019 blog post. Secrets Manager will rotate MongoDB Atlas and Confluent Cloud credentials for you, at forty cents per secret per month, because centralized convenience has never met a price tag it couldn’t justify. FORTY CENTS! Per secret! This is why I use Parameter Store for my secrets. It’s also likely why CloudFormation doesn’t support Parameter Store for secrets very well; someone has a 40¢ per secret incentive not to.
Track Amazon Bedrock Costs by Caller Identity with IAM Principal-Based Cost Allocation
Turns out the answer to “which intern bankrupted us on Claude tokens this quarter” no longer requires a CloudTrail archaeology expedition and a prayer circle. Bedrock costs now attach to IAM principals directly in CUR 2.0, assuming you remember to enable it at the management account level, know what the CUR even is, can articulate that knowledge down to the team that cares about the answer to the question that started this paragraph, and you don’t mind a multi-day latency between “expensive thing happens” and “you can find the person responsible.”
Transforming FinOps with the Latest Amazon Q Cost Capabilities
Paying $20 per user per month for an AI to tell you why your EC2 bill went up feels like hiring a detective to investigate the crime they just committed. The free tier’s 50 queries should cover it, assuming you don’t have follow-up questions. Which, given AWS billing, you absolutely will. I’ve kicked the tires on this and I have many questions, most of them pointed-bordering-on-rude.
Aurora Serverless: Faster performance, enhanced scaling, and still scales down to zero
Aurora Serverless scaling up 45% faster and down to zero, which is coincidentally where my enthusiasm for “serverless” databases that still bill in ACU fractions tends to land. Genuine improvements at no extra charge, though, which either means competitive pressure is working or someone in Seattle accidentally approved the wrong PRFAQ.
From developer desks to the whole organization: Running Claude Cowork in Amazon Bedrock
Anthropic and AWS announced you can now run Claude Cowork on Bedrock, because what every knowledge worker has been crying out for is their AI desktop app gated behind AWS IAM and metered through the AWS billing system. Computer Use, the Chat tab, and the Skills Marketplace are all disabled because they require Anthropic-hosted inference—so you’re getting the enterprise-safe Claude, which is the one that doesn’t do all the things Claude demos with. The product manager in the example turns meeting notes into a brief (how innovative!); meanwhile behind the scenes the AWS administrator turns an IAM policy into a two-week ticket so she can try it.
Get to your first working agent in minutes: Announcing new features in Amazon Bedrock AgentCore
“Working agent in minutes” is the new “serverless” – technically accurate if you ignore the half a day spent getting your credentials working securely from your terminal, and then the six weeks of IAM debugging that follows like some kind of obscene cloud groundhog seeing its own shadow. Bedrock AgentCore now promises three API calls to production, which is adorable. Your agent will be running in minutes; your bill will be running for considerably longer.
Automated network incident response with AWS DevOps Agent
This sure is an awful lot of words in a blog post to say “we don’t remember that we launched VPC Reachability Analyzer back in 2020 and for the sake of our GenAI metrics we hope to god you don’t either.” Seriously. This is exactly what VPC Reachability Analyzer does, for a flat rate of 10¢ per query.
Atinary’s AI & Self-Driving Labs® on AWS accelerate R&D for dsm-firmenich, Takeda, and MIT
Replacing a PhD student’s five years of labor with one week of ECS, Fargate, Bedrock, and Aurora PostgreSQL bills. The grad student was cheaper, ate ramen, and didn’t require a Solutions Architect. Science marches forward, though, and somewhere a pharma CFO is discovering that “accelerated R&D” has a surprisingly specific AWS invoice attached.
Accelerate development workflows with Amazon EBS Volume Clones
Snapshot-and-restore took 12 hours for the healthcare customer in their example. Clones take 54 minutes. Only took AWS roughly two decades to invent the copy-on-write semantics that every storage vendor shipped in 2005. Personally, I choose to believe that this is a product team shitposting about another product team’s crappy latency via shipping something better, and I am totally here for it.
Troubleshooting Amazon S3 access denied errors using Kiro CLI
An AI-powered CLI to debug the S3 permission lasagna you built by stacking IAM, bucket policies, KMS, and VPC endpoints on top of each other. The real troubleshooting tool would be a time machine back to whoever approved seven overlapping permission layers, but sure, let’s throw an LLM at it instead. My own approach is closer to “hey Claude, go find out why it’s not working” from my terminal than to “Google what Kiro is, stumble through getting it installed, smack into arcane rate limits, realize it can’t talk to AWS in the right account yet, go down that rabbit hole, and finally start using a new tool,” but maybe I’m regressive like that.
CVE-2026-6437 – Mount Option Injection in Amazon EFS CSI Driver
Turns out if you stuff a comma into a volumeHandle, the EFS CSI driver cheerfully interprets whatever follows as bonus mount options. Input sanitization: still apparently optional in 2026. Patch to v3.0.1, or explain to your security team why your Kubernetes cluster is doing interpretive dance with filesystem flags.
CVE-2026-6550 – Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
Your encryption library has a bug where the same ciphertext can decrypt to multiple different plaintexts. That’s not encryption, that’s a Rorschach test with extra steps. Patch your Python ESDK to 3.3.1 or 4.0.5, and maybe reconsider letting cache layers make cryptographic decisions on your behalf.
… and that’s what happened Last Week in AWS.

