Good Morning!

If you (well, not you, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you’re not alone. Most teams are cobbling together strategies/tools that weren’t designed for the scale and complexity of modern cloud environments. That’s why we’re building Skyway over at Duckbill—to take you away from all that. Now the exclusive sponsor of Last Week in AWS, and also the company I co-founded. Cloud contract issues? Get in touch.

Things I Found on the Internet

Google’s hiking CDN Interconnect and peering prices effective May 2026, nearly doubling rates in North America. Buried in the FAQ is the real signal: they’re actively pushing everyone toward Verified Peering Providers instead. When a cloud provider starts recommending alternatives to their own service, that service’s days are numbered.

Nearly four years after I requested it, folks are still begging AWS for a config.d capability for their aws-cli configuration. Come on, folks. I will say nice things about you if you do this for me.

Tired of wrestling with the AWS Console just to move files around? This dual-pane file manager treats S3 like a normal filesystem – drag, drop, done. Built-in cost tracking so you know what you’re spending as you work. Works with MinIO too, does the things the S3 console has steadfastly refused to do for decades.

I’ve spent years claiming the title of Amazon’s only L9, the one level that doesn’t exist in their org chart. I even named my company after it. Then Amazon went and gave it to Chris Hemsworth as “Chief Heartthrob, Alexa Devices.” Replaced by Thor: this is my supervillain origin story.

Someone just speedran an AWS breach in under 10 minutes using AI to automate the entire attack chain. Sysdig caught this intrusion with Serbian-commented code and hallucinated account IDs – the telltale signs of LLM-assisted hacking. If you’re still leaving credentials in public S3 buckets, this is your wake-up call. Congratulations to the unnamed company for the first S3 Bucket Negligence Award in ages…

AWS just updated their terms to drop patent protection for media codec users. Translation: if patent trolls come knocking about your video encoding, you’re handling that lawsuit solo. The Register’s breakdown explains why this matters for anyone using MediaLive, MediaConvert, the Chime SDK, or similar services. That sound is what customers make when AWS throws them under the bus.

What AWS Has For Us This Time

Change the server-side encryption type of Amazon S3 objects

So you’ve been encrypting with SSE-S3 and compliance just noticed? This new API lets you switch to KMS without copying objects, which is genuinely useful. Of course, you’ll now pay KMS API charges for the privilege of meeting your own security requirements. Compliance ain’t cheap. HOWEVER! It doesn’t reset your Lifecycle timing, which is noteworthy.

Announcing memory-optimized instance bundles for Amazon Lightsail

Lightsail now offers instances with up to 512 GB of RAM, because nothing says “simple, lightweight cloud for beginners” quite like half a terabyte of memory. At this point, Lightsail is just EC2 wearing a fake mustache, and the disguise is getting thinner with every launch.

Amazon RDS now provides an enhanced console experience to connect to a database

Consolidating database connection info into one console page is the kind of thing that should’ve existed from day one. Auto-generated code snippets adjusted for your auth settings? Genuinely useful. Integrated CloudShell access too. Someone on the RDS team apparently committed the radical act of watching a user struggle and then fixing it. I can only assume that they’re not considered a culture fit for their team.

AWS Multi-party approval now requires one-time password verification for voting

So your IAM Identity Center admins could previously just impersonate approvers and bypass the whole multi-party approval process? And the fix is… a six-digit email code? I love that AWS built an approval system, then had to build a second approval system to protect the first one. At least it’s free.

AWS Management Console now displays Account Name on the Navigation bar for easier account identification

It only took AWS roughly 18 years to show you which account you’re logged into without memorizing a 12-digit number. Countless production databases were deleted in staging-colored disguise before someone finally said “maybe we should label these.” Available at no additional cost, because even AWS couldn’t figure out how to charge for a text label.

Structured outputs now available in Amazon Bedrock

Bedrock finally lets you tell an LLM “give me valid JSON” and actually get valid JSON back. Revolutionary, I know. Anthropic (y’know, the only thing you’re likely using Bedrock for) has supported this for months already via their own, superior API.

Amazon EC2 C8id, M8id, and R8id instances with up to 22.8 TB local NVMe storage are generally available

Twenty-two point eight terabytes of local NVMe storage per instance, because apparently someone looked at ephemeral storage that vanishes on stop and said “yes, but more of it.” Three new instance families that exist primarily to make your naming convention spreadsheet cry. Remember: local storage is temporary, but your bill is forever.

AWS IAM Identity Center now supports multi-Region replication for AWS account access and application use

Single-region identity is a single point of failure, and it only took AWS until 2026 to notice. Now you can replicate IAM Identity Center across regions so your workforce can still log in during an outage. The catch? You’ll need multi-region KMS keys configured first, because for some godforsaken reason managed services only go so far in AWS land.

Trigger AWS Lambda functions from Amazon RDS for SQL Server database events

Six AWS services duct-taped together so your SQL Server stored procedure can call a Lambda function. You publish to error logs, which trigger CloudWatch filters, which trigger alarms, which trigger a Lambda, which publishes to SNS, which pushes to SQS, which triggers another Lambda. Rube Goldberg would be proud.

Amazon CloudFront now supports mTLS authentication to origins

Took them long enough to close this gap. CloudFront supported viewer-side mTLS already, but your origin connection was just vibes and implicit trust. Now you get true end-to-end mutual authentication, which is great for zero-trust architectures and even better for compliance checkbox enthusiasts who bill by the acronym. SOC it 2 me!

Bevar Ukraine: Empowering Ukrainian refugees with AI-powered support on AWS

Using AI to help Ukrainian refugees navigate Danish bureaucracy is genuinely good work. I’ll hold my snark on this one. Bevar Ukraine built something real with AWS credits and Bedrock that saves 1,500 volunteer hours and actually helps displaced people. Sometimes the tech industry accidentally does something worth celebrating.

Security Findings in SageMaker Python SDK

Someone decided the best workaround for SSL errors was to just… disable SSL verification entirely. For all connections. That’s not a fix, that’s the security equivalent of leaving your front door open because you lost your keys. Pair that with HMAC secrets leaked via API, and you’ve got a spicy February patch Tuesday.

… and that’s what happened Last Week in AWS.
