Good Morning!
We’re hosting a breakfast on Dec 2 and the annual Atomic Liquors DrinkUp on Dec 3 if you’re in Las Vegas. If you’re not, I’m deeply envious. I’m also speaking in two sessions; they’re not to miss. Just search my name in the event catalog.
Looking forward to seeing some of you, and dreading seeing a few more of you.
From the Community
A good exploration from Yelp in working with S3 server access logs at scale. Remember, these are orders of magnitude cheaper than CloudTrail data events.
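The item above only links to Yelp's write-up, so here is the step every such pipeline starts with, as an added example that is not from the newsletter or from Yelp: a tokenizer for the S3 server access log format (space-separated fields, with the timestamp in square brackets and the request URI, referer and user agent in double quotes, in the field order AWS documents), plus the first things a defender usually pulls out of these logs, namely anonymous requests that succeeded, denied requests, and bytes served per requester. The log lines, IDs, bucket name and IP addresses are constructed sample data; older lines that predate the trailing fields AWS added later are padded rather than rejected.

```python
import re
from collections import Counter
from typing import Any, Dict, List

# Fields of the S3 server access log format, in the order AWS documents them.
# AWS has appended fields at the end over the years, so older lines are shorter.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version", "access_point_arn", "acl_required",
]

# One token is a [bracketed] timestamp, a "quoted" string, or a bare word.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')


def tokenize(line: str) -> List[str]:
    """Split a log line into fields, keeping spaces inside [ ] and " " groups."""
    out = []
    for tok in TOKEN_RE.findall(line):
        if len(tok) >= 2 and tok[0] + tok[-1] in ("[]", '""'):
            tok = tok[1:-1]  # strip the grouping delimiters
        out.append(tok)
    return out


def parse_line(line: str) -> Dict[str, Any]:
    """Return one record keyed by FIELDS; missing trailing fields become '-'."""
    tokens = tokenize(line)
    tokens += ["-"] * (len(FIELDS) - len(tokens))
    rec: Dict[str, Any] = dict(zip(FIELDS, tokens))
    status = rec["http_status"]
    rec["http_status"] = int(status) if status.isdigit() else None
    sent = rec["bytes_sent"]
    rec["bytes_sent"] = int(sent) if sent.isdigit() else 0  # '-' means nothing sent
    return rec


def summarize(lines: List[str]) -> Dict[str, Any]:
    """Parse lines and extract: successful anonymous requests (requester is '-'),
    the number of 403s, and bytes served per requester."""
    recs = [parse_line(ln) for ln in lines if ln.strip()]
    anonymous_hits = [
        (r["key"], r["remote_ip"])
        for r in recs
        if r["requester"] == "-" and r["http_status"] == 200
    ]
    bytes_by_requester: Counter = Counter()
    for r in recs:
        bytes_by_requester[r["requester"]] += r["bytes_sent"]
    return {
        "records": len(recs),
        "anonymous_hits": anonymous_hits,
        "denied": sum(1 for r in recs if r["http_status"] == 403),
        "bytes_by_requester": dict(bytes_by_requester),
    }


# Constructed sample lines (placeholder IDs, documentation IP ranges); not real log data.
# Line 4 is in the shorter pre-2019 layout that stops after the host ID.
SAMPLE_LINES = [
    'OWNERIDEXAMPLE example-bucket [12/Nov/2025:10:15:02 +0000] 203.0.113.10 ARNEXAMPLE '
    'REQID0001 REST.GET.OBJECT reports/q3.csv "GET /reports/q3.csv HTTP/1.1" 200 - 2048 2048 '
    '12 9 "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE SigV4 TLS_AES_128_GCM_SHA256 AuthHeader '
    'example-bucket.s3.us-east-1.amazonaws.com TLSv1.3 - -',
    'OWNERIDEXAMPLE example-bucket [12/Nov/2025:10:16:44 +0000] 198.51.100.7 - '
    'REQID0002 REST.GET.OBJECT backups/db.sql "GET /backups/db.sql HTTP/1.1" 200 - 5242880 '
    '5242880 310 15 "-" "curl/8.4.0" - HOSTIDEXAMPLE - TLS_AES_128_GCM_SHA256 - '
    'example-bucket.s3.us-east-1.amazonaws.com TLSv1.3 - -',
    'OWNERIDEXAMPLE example-bucket [12/Nov/2025:10:17:01 +0000] 198.51.100.7 - '
    'REQID0003 REST.GET.OBJECT private/config.json "GET /private/config.json HTTP/1.1" 403 '
    'AccessDenied - - 4 - "-" "curl/8.4.0" - HOSTIDEXAMPLE - TLS_AES_128_GCM_SHA256 - '
    'example-bucket.s3.us-east-1.amazonaws.com TLSv1.3 - -',
    'OWNERIDEXAMPLE example-bucket [12/Nov/2025:10:18:30 +0000] 203.0.113.10 ARNEXAMPLE '
    'REQID0004 REST.PUT.OBJECT reports/q4.csv "PUT /reports/q4.csv HTTP/1.1" 200 - - 1024 '
    '40 20 "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE',
]


def run_sample() -> Dict[str, Any]:
    """Run the summary over the constructed sample."""
    return summarize(SAMPLE_LINES)


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value}")
```

The regex does the work a naive `split()` cannot: a user agent such as `"aws-cli/2.15.0"` or a URI with encoded spaces stays one field. At scale the same `parse_line` drops into whatever batch or streaming job reads the log objects; the security-relevant output is the `anonymous_hits` list, since a successful request with requester `-` means the bucket or object policy let an unauthenticated caller read it.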
re:Inforce will not be returning next year, as it is being folded into re:Invent; this lets them quit the field without admitting defeat. The community-driven fwd:CloudSec has won.
Comparing AWS Lambda Arm64 vs x86_64 Performance Across Multiple Runtimes in Late 2025 – Someone actually did the homework AWS should’ve updated after their 2023 blog post. Turns out ARM64 is still 20% cheaper and faster for Lambda, yet most people are still running x86 because inertia costs nothing until you see the bill. Personally I still find x86 Lambdas sneaking in because using Arm isn’t the default; you’ve gotta specify it in the CDK. Honestly, I’d be fine with making specifying an arch a mandatory field.
AWS finally admits via a public roadmap what Lambda users have known for years: they’re making it up as they go. No dates, no commitments, just a GitHub repo where your feature requests go to die while they "research" basic functionality that should’ve shipped in 2015. I have yet to see anything in here about "we sure do blather a lot about AI, maybe that AI could automatically update runtime versions so we don’t have to email you 400 times every time we deprecate an old version?"
My friend runs Conference Parties, which is awesome. Note that our event is listed there for this Wednesday night! If you’re throwing a party, you should absolutely be sponsoring this; it costs way less than the first round of drinks at any party you’re gonna throw.
The Future of AWS CodeCommit – AWS just apologized for trying to kill CodeCommit, blamed "adoption patterns," then resurrected it after realizing customers hate migrating. Git LFS arrives in 2026—because nothing says "we’re serious" like a two-year roadmap for a feature GitHub launched in 2015. My take on this in The Register is that they should be praised for this reversal. More listening to customers, less blathering about AI please.
And now, an EC2 Instance Family Performance Ranking, which is likely way more diplomatic a framing than "leaderboard."
Podcasts
Last Week In AWS: From Blackwell Ultra to “aws login”: Chaos Reigns at Every Layer
Choice Cuts
Protect sensitive data with dynamic data masking for Amazon Aurora PostgreSQL – Dynamic data masking finally arrives for Aurora PostgreSQL, solving a problem enterprises have been MacGyvering solutions for since approximately forever. The pg_columnmask extension handles role-based masking at query runtime without duplicating data or butchering performance. Shame it took until 2024 to get column-level protection that doesn’t require maintaining seventeen copies of your database as you continue to play whack-a-mole... wait, now it’s eighteen.
Amazon CloudFront announces support for mutual TLS authentication – Free security features from AWS? Someone must have lost a bet. Though I’ll give credit where it’s due—mTLS at the edge without extra charges is genuinely useful for B2B APIs and IoT fleets. Your compliance team will finally stop asking when you’re implementing proper client auth, once they learn what the hell mTLS is.
Amazon EC2 announces interruptible Capacity Reservations – So you’re paying to reserve capacity you’re not using, and AWS’s brilliant solution is… letting you share your own unused capacity with yourself? I think? What the hell is this? I am more confused having read this than I was when I started. Is this just Spot Instances with extra steps and a corporate org chart requirement?
Introducing guidelines for network scanning – AWS just published a "please don’t scan our stuff unless you’re nice about it" guideline that’s basically a polite letter to security researchers while they build the technical controls to actually enforce it.
Practical implementation considerations to close the AI value gap – AWS notices 42% of companies are abandoning AI projects due to lack of value and thinks "this is the perfect time to sell more AI consulting." After all, if you can’t be part of the solution, there’s good money in prolonging the problem.
Everything you don’t need to know about Amazon Aurora DSQL: Part 4 – DSQL components – Four blog posts deep into DSQL’s architecture and we still haven’t talked about pricing. That’s not an accident—when AWS needs a four-part series to explain how your database works before mentioning what it costs, grab your wallet and prepare for impact. Maybe that’s unfair. I couldn’t tell you, because I cannot for the life of me predict what a workload on this thing is gonna cost in advance. Nobody can. It’s a nondeterministic randomizer.
Simplify data integration using zero-ETL from self-managed databases to Amazon Redshift – AWS rebrands "we finally made DMS slightly less painful" as "zero-ETL" while you still configure endpoints, network settings, IAM policies, KMS keys, and Secrets Manager. That’s not zero anything—it’s just ETL with better marketing and the same architectural complexity tax.
Automatic quota management is now AWS Service Quotas adds support for automatic quota management – No, you are not having a stroke, that’s the actual title this thing originally published with. AWS finally automated quota increases after years of customers filing tickets like it’s 1997. Sure, it’s free now, but I’m betting the "auto-scaling" comes with some interesting asterisks about which quotas qualify and how aggressively they’ll actually increase before making you call support anyway.
Announcing Amazon Route 53 Accelerated Recovery for managing public DNS records – Cool, AWS finally admitted their control plane living exclusively in us-east-1 was a single point of failure. Now they’ve graciously built in what should’ve existed from day one – for free, which tells you how embarrassing this gap was. Your "stranded changes" during failover still vanish though, so maybe test that resubmission workflow before you actually need it. I’d also like it if they explained how the hell this works, because "when our stuff is breaking, this thing won’t" is surprisingly uncompelling in isolation.
Announcing Unused NAT Gateway Recommendations in AWS Compute Optimizer – AWS finally notices customers paying $35/month for NAT Gateways that haven’t passed a packet since 2019 and I am overcome with joy. The feature’s smart enough to avoid flagging disaster recovery configs, which is progress from third party tooling’s usual "delete everything and pray" cost optimization approach.
Amazon EKS introduces Provisioned Control Plane – Reserved capacity for Kubernetes control planes sounds reasonable until you see the prices: $1.65/hr minimum, scaling to $6.90/hr for the "4XL" tier. That’s an extra $60K annually just to guarantee your cluster won’t choke during Black Friday. Most shops will discover their standard control plane was fine all along. I’d prefer if they had devoted this energy to the slow-as-molasses provisioning of EKS control planes from scratch.
I could not be happier that AWS Finally Lets You Find Your Idle NAT Gateways.
… and that’s what happened Last Week in AWS.