<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>The AWS Blog</title><link>https://theawsblog.com/</link><description>Articles, tutorials and insights from the AWS community.</description><generator>Hugo</generator><language>en</language><managingEditor>@theawsblog (The AWS Blog)</managingEditor><webMaster>@theawsblog</webMaster><lastBuildDate>Tue, 30 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://theawsblog.com/index.xml" rel="self" type="application/rss+xml"/><item><title>ACM ACME support turns certificate automation into a governance problem</title><link>https://theawsblog.com/news/emiliano-montesdeoca/acm-acme-certificate-automation/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/acm-acme-certificate-automation/</guid><description>AWS Certificate Manager now supports ACME for public certificates, giving teams a standard automation path while keeping domain control, audit, and policy centralized.</description><content:encoded>&lt;p&gt;Certificate automation is becoming less optional. Validity periods are getting shorter, and manual renewal processes are exactly the kind of quiet operational risk that eventually becomes an outage.&lt;/p&gt;
&lt;p&gt;AWS has now added &lt;a href="https://aws.amazon.com/blogs/aws/automate-public-tls-certificate-issuance-with-acme-support-in-aws-certificate-manager/"&gt;ACME support for public certificates in AWS Certificate Manager&lt;/a&gt;. The headline is compatibility with ACMEv2 clients such as Certbot, cert-manager, and acme.sh. The bigger builder impact is that certificate issuance can become standardized without moving governance outside AWS.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;ACM now provides a managed ACME server endpoint for public certificates issued by Amazon Trust Services. Teams can point existing ACME clients at ACM, request certificates through the protocol they already know, and still have ACM visibility, CloudTrail logging, CloudWatch metrics, and certificate expiry notifications.&lt;/p&gt;
&lt;p&gt;The source article also highlights two controls that matter in real organizations:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;domain scopes at the endpoint level,&lt;/li&gt;
&lt;li&gt;External Account Binding credentials for client registration.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That means a central PKI or platform team can validate domains once, restrict what clients can request, and avoid distributing DNS credentials to every application team.&lt;/p&gt;
&lt;h2 id="why-this-matters"&gt;Why this matters&lt;/h2&gt;
&lt;p&gt;Most certificate incidents are not caused by cryptography being hard. They are caused by ownership being unclear.&lt;/p&gt;
&lt;p&gt;One team owns DNS. Another owns the ingress controller. Another owns the application. Someone installed a certificate manually two years ago. Nobody remembers the renewal path until browsers start showing errors.&lt;/p&gt;
&lt;p&gt;ACME support in ACM gives builders a cleaner operating model:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Kubernetes teams can keep using cert-manager.&lt;/li&gt;
&lt;li&gt;VM and container teams can keep using common ACME clients.&lt;/li&gt;
&lt;li&gt;Platform teams can centralize issuance policy and audit.&lt;/li&gt;
&lt;li&gt;Security teams can see certificates in ACM instead of chasing external CA dashboards.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That is a good trade: keep the open protocol at the edge, centralize governance at the account or organization boundary.&lt;/p&gt;
&lt;h2 id="the-architecture-trade-offs"&gt;The architecture trade-offs&lt;/h2&gt;
&lt;p&gt;This does not remove the need for certificate lifecycle design.&lt;/p&gt;
&lt;p&gt;First, decide who owns ACME endpoints. If every workload account creates its own endpoint with broad wildcard permissions, you have recreated the sprawl problem. A better pattern is to define endpoints per domain boundary, environment, or platform domain, then scope allowed names carefully.&lt;/p&gt;
&lt;p&gt;Second, treat External Account Binding credentials like bootstrap secrets. They should be short-lived where possible, stored securely, and rotated when registration flows change.&lt;/p&gt;
&lt;p&gt;Third, think about wildcard issuance. Wildcards are convenient, but they expand blast radius. Many production environments should prefer exact domains and subdomains unless there is a strong operational reason.&lt;/p&gt;
&lt;p&gt;Finally, price and volume behavior matter. Moving high-churn ACME issuance into ACM should be costed, especially for systems that create many short-lived certificates across tenants.&lt;/p&gt;
&lt;h2 id="what-builders-should-do-next"&gt;What builders should do next&lt;/h2&gt;
&lt;p&gt;If I were running a platform team, I would start with an inventory:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which public certificates are already in ACM?&lt;/li&gt;
&lt;li&gt;Which are issued by external ACME providers?&lt;/li&gt;
&lt;li&gt;Which workloads use cert-manager or custom renewal scripts?&lt;/li&gt;
&lt;li&gt;Which teams still depend on manual DNS validation?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Then I would pilot ACM ACME with one non-critical domain and one existing ACME client. The goal is not only to issue a certificate. The goal is to prove the operating model: endpoint ownership, scope policy, audit trail, renewal alarms, and incident response.&lt;/p&gt;
&lt;p&gt;The useful part of this launch is not that Certbot can talk to AWS. It is that certificate automation can finally be treated as platform governance instead of a collection of one-off scripts.&lt;/p&gt;</content:encoded></item><item><title>Bedrock managed entitlements make model access a platform control</title><link>https://theawsblog.com/news/emiliano-montesdeoca/bedrock-managed-entitlements/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/bedrock-managed-entitlements/</guid><description>Amazon Bedrock managed entitlements let organizations subscribe to marketplace models centrally and distribute access across accounts without broad AWS Marketplace permissions.</description><content:encoded>&lt;p&gt;AI model access becomes messy as soon as an organization moves beyond one account and one team. Some models are available directly. Others require AWS Marketplace subscriptions. Workload accounts need access, but broad Marketplace permissions are rarely what security teams want.&lt;/p&gt;
&lt;p&gt;The AWS Machine Learning Blog post on &lt;a href="https://aws.amazon.com/blogs/machine-learning/simplify-multi-account-access-to-amazon-bedrock-models-with-managed-entitlements/"&gt;managed entitlements for Amazon Bedrock models&lt;/a&gt; is important because it turns model access into a platform-governance problem instead of an account-by-account chore.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;Managed entitlements let a central account subscribe to supported third-party Bedrock models distributed through AWS Marketplace and share access with member accounts using AWS License Manager. Workload accounts can use the model access without needing direct AWS Marketplace subscription permissions.&lt;/p&gt;
&lt;p&gt;This is especially useful for models such as Anthropic, Cohere, AI21 Labs, or Stability AI when they are distributed through Marketplace and used across many accounts.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;A healthy multi-account AI platform needs two things at the same time:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;teams can access approved models quickly,&lt;/li&gt;
&lt;li&gt;the organization can govern subscriptions, pricing, visibility, and permissions centrally.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Without a central entitlement pattern, every workload account becomes a small procurement and governance island. That slows adoption and creates inconsistency. With managed entitlements, a platform team can subscribe once, distribute access intentionally, and keep workload accounts away from broad Marketplace permissions.&lt;/p&gt;
&lt;p&gt;This also helps with private offers. If pricing and terms are negotiated centrally, model access should follow that central agreement rather than being recreated account by account.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Managed entitlements are not needed for every Bedrock model. Amazon models and some partner models may already be available without Marketplace subscription overhead. Single-account teams may not need this complexity.&lt;/p&gt;
&lt;p&gt;For larger organizations, the main design work is governance:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Who approves model subscriptions?&lt;/li&gt;
&lt;li&gt;Which accounts receive grants?&lt;/li&gt;
&lt;li&gt;How are Regions handled?&lt;/li&gt;
&lt;li&gt;How are private offers tracked?&lt;/li&gt;
&lt;li&gt;How is model use monitored against budget and policy?&lt;/li&gt;
&lt;li&gt;What is the offboarding process when a model is no longer approved?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Access distribution is only one layer. Teams still need IAM permissions, guardrails, logging, evaluation, and cost controls around actual model invocation.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Inventory current Bedrock model usage by account. Identify which models require Marketplace subscriptions and which accounts have Marketplace permissions only because they needed model access.&lt;/p&gt;
&lt;p&gt;Then pilot managed entitlements with one approved third-party model and a small set of workload accounts. Validate the subscription flow, grant distribution, regional behavior, billing visibility, and access removal.&lt;/p&gt;
&lt;p&gt;The practical takeaway is that AI platforms need the same governance maturity as any other shared platform capability. Managed entitlements give AWS organizations a cleaner control point for model access.&lt;/p&gt;</content:encoded></item><item><title>CloudFormation Express mode is about feedback loops, not just faster deploys</title><link>https://theawsblog.com/news/emiliano-montesdeoca/cloudformation-express-mode-feedback-loops/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/cloudformation-express-mode-feedback-loops/</guid><description>AWS CloudFormation Express mode shortens infrastructure iteration by completing after configuration is applied, but builders need clear guardrails for when stabilization still matters.</description><content:encoded>&lt;p&gt;CloudFormation Express mode is easy to read as a speed announcement. The more useful way to read it is as a feedback-loop announcement.&lt;/p&gt;
&lt;p&gt;In the &lt;a href="https://aws.amazon.com/blogs/aws/accelerate-your-infrastructure-deployments-by-up-to-4x-with-aws-cloudformation-express-mode/"&gt;AWS News Blog post&lt;/a&gt;, AWS explains that Express mode lets CloudFormation complete when resource configuration has been applied instead of waiting for extended stabilization checks. That can make stack operations much faster, especially during iterative infrastructure work.&lt;/p&gt;
&lt;p&gt;That is valuable, but only if teams understand what changed: CloudFormation is not making every resource ready sooner. It is changing when the deployment returns control to you.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;Standard CloudFormation waits for stabilization checks after applying resource configuration. Those checks are useful when the next action depends on the resource being operational.&lt;/p&gt;
&lt;p&gt;Express mode skips that waiting period and lets resources continue stabilizing in the background. AWS says this can reduce deployment time by up to four times and highlights examples where long wait periods around resources such as Lambda network interfaces become much shorter.&lt;/p&gt;
&lt;p&gt;No template changes are required. Builders can use Express mode through the console, AWS CLI, SDKs, CDK, and other IaC workflows.&lt;/p&gt;
&lt;h2 id="where-it-helps-most"&gt;Where it helps most&lt;/h2&gt;
&lt;p&gt;This is strongest in development and platform engineering loops where the cost of waiting is high and the risk of background stabilization is low.&lt;/p&gt;
&lt;p&gt;Good fits include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;iterative CDK or CloudFormation template development,&lt;/li&gt;
&lt;li&gt;AI-assisted infrastructure generation where an agent needs quick validation cycles,&lt;/li&gt;
&lt;li&gt;sandbox environments where failed or incomplete resources can be cleaned up,&lt;/li&gt;
&lt;li&gt;inner-loop testing of isolated infrastructure components,&lt;/li&gt;
&lt;li&gt;deletes that currently block workflows while AWS finishes cleanup.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The bigger win is not shaving seconds from one deployment. It is reducing the friction that makes engineers avoid small infrastructure changes. Faster feedback encourages smaller changes, and smaller changes are easier to review and recover.&lt;/p&gt;
&lt;h2 id="where-i-would-be-careful"&gt;Where I would be careful&lt;/h2&gt;
&lt;p&gt;Express mode should not become the default answer for every production deployment.&lt;/p&gt;
&lt;p&gt;If your pipeline shifts traffic, starts integration tests, runs database migrations, or declares a release successful immediately after CloudFormation returns, stabilization still matters. A resource can be configured but not yet ready for the next dependency in your delivery process.&lt;/p&gt;
&lt;p&gt;The practical guardrail is simple: separate &lt;strong&gt;configuration applied&lt;/strong&gt; from &lt;strong&gt;service ready&lt;/strong&gt;. Express mode can own the first signal. Your pipeline still needs health checks, smoke tests, alarms, and rollback logic for the second.&lt;/p&gt;
&lt;p&gt;Also note the rollback behavior. The source article says Express mode disables rollback by default for the fastest iteration experience, with options to re-enable rollback. That is sensible for local iteration. For production, it should be an explicit decision with cleanup and monitoring in place.&lt;/p&gt;
&lt;h2 id="builder-checklist"&gt;Builder checklist&lt;/h2&gt;
&lt;p&gt;Before adopting Express mode broadly, I would define three deployment profiles:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Inner loop:&lt;/strong&gt; Express mode allowed, rollback optional, cleanup automated.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pre-production:&lt;/strong&gt; Express mode allowed only when smoke tests verify readiness after stack completion.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Production:&lt;/strong&gt; Express mode allowed only for stacks where downstream steps do not assume full stabilization, or where readiness gates replace CloudFormation waiting.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Also update runbooks. If a deployment returns faster but a resource continues stabilizing, on-call engineers need to know where to look: CloudFormation events, service-specific logs, metrics, and alarms.&lt;/p&gt;
&lt;h2 id="the-practical-takeaway"&gt;The practical takeaway&lt;/h2&gt;
&lt;p&gt;CloudFormation Express mode is not a license to ignore readiness. It is a way to stop paying stabilization latency when your workflow does not need CloudFormation to wait.&lt;/p&gt;
&lt;p&gt;Used deliberately, it can make infrastructure development feel less heavy and make AI-assisted IaC workflows more practical. Used casually, it can move waiting from CloudFormation into your users&amp;rsquo; first request. The difference is whether your pipeline has an explicit readiness gate after the stack operation completes.&lt;/p&gt;</content:encoded></item><item><title>CloudFormation pre-deployment validation makes IaC failures cheaper</title><link>https://theawsblog.com/news/emiliano-montesdeoca/cloudformation-cdk-predeployment-validation/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/cloudformation-cdk-predeployment-validation/</guid><description>AWS CloudFormation and CDK pre-deployment validation now runs on stack operations, helping builders catch quota, Config, and ECR issues before failed deployments waste time.</description><content:encoded>&lt;p&gt;The best deployment failure is the one that fails before it starts changing infrastructure.&lt;/p&gt;
&lt;p&gt;AWS has announced that &lt;a href="https://aws.amazon.com/blogs/devops/ship-infrastructure-faster-with-cloudformation-and-cdk-pre-deployment-validation-on-every-stack-operation/"&gt;CloudFormation pre-deployment validation now runs automatically on every stack create and update operation&lt;/a&gt;. The same post also introduces new checks and a &lt;code&gt;cdk validate&lt;/code&gt; workflow.&lt;/p&gt;
&lt;p&gt;This is not as visually exciting as a new service. It is more useful than many new services.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;Pre-deployment validation now runs on CloudFormation stack operations without requiring a separate setup. The source article mentions new checks for service quota limits, AWS Config Recorder conflicts, and ECR repository delete readiness. It also describes operation-level control and CDK integration through &lt;code&gt;cdk validate&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;For builders, this shifts some failure detection earlier in the pipeline. Instead of discovering quota or environment conflicts halfway through deployment, teams can catch them before the operation commits to a path.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;Infrastructure failures are expensive because they consume time, create partial state, and distract teams from the real change they were trying to ship.&lt;/p&gt;
&lt;p&gt;Quotas are a classic example. A template can be valid and still fail because the target account or Region does not have enough capacity for a resource type. A pre-deployment check that catches this earlier improves both developer experience and operational safety.&lt;/p&gt;
&lt;p&gt;The CDK angle matters too. CDK users often think in application constructs while CloudFormation owns the final deployment. Bringing validation closer to the CDK workflow helps developers discover platform constraints before the change reaches a shared environment.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Validation is not a proof of success. It can catch known classes of problems, but it cannot guarantee the application will work, the dependency will be healthy, or the rollout will be safe.&lt;/p&gt;
&lt;p&gt;Builders still need:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;template linting and policy checks,&lt;/li&gt;
&lt;li&gt;least-privilege review,&lt;/li&gt;
&lt;li&gt;drift detection,&lt;/li&gt;
&lt;li&gt;integration tests,&lt;/li&gt;
&lt;li&gt;deployment alarms,&lt;/li&gt;
&lt;li&gt;rollback or remediation plans,&lt;/li&gt;
&lt;li&gt;post-deploy smoke tests.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;There is also a balance between strictness and velocity. If validation blocks legitimate emergency changes, teams will look for bypasses. The &lt;code&gt;DisableValidation&lt;/code&gt; option should be treated like any other break-glass control: rare, logged, and reviewed.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Add &lt;code&gt;cdk validate&lt;/code&gt; or equivalent CloudFormation validation to pull requests and pre-merge pipelines where it makes sense. Then track validation failures as a signal. If many teams hit the same quota or Config issue, the platform needs a baseline fix, not repeated ticket handling.&lt;/p&gt;
&lt;p&gt;For production, make validation one gate in a broader release process. It should happen before deployment, but readiness should still be proven after deployment.&lt;/p&gt;
&lt;p&gt;The practical takeaway: pre-deployment validation makes IaC failures cheaper and faster to understand. It does not remove the need for good deployment engineering, but it moves a useful class of mistakes to the left.&lt;/p&gt;</content:encoded></item><item><title>Replicating S3 bucket configuration needs workflow discipline</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-configuration-replication-step-functions/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-configuration-replication-step-functions/</guid><description>AWS shows how Step Functions can replicate S3 bucket configuration across Regions, but builders should decide where automation ends and infrastructure as code should remain the source of truth.</description><content:encoded>&lt;p&gt;Replicating S3 data is only part of a multi-Region storage strategy. The bucket configuration around that data is often where drift hides.&lt;/p&gt;
&lt;p&gt;The AWS Storage Blog post on &lt;a href="https://aws.amazon.com/blogs/storage/replicate-amazon-s3-bucket-configurations-across-aws-regions-with-aws-step-functions/"&gt;replicating Amazon S3 bucket configurations across AWS Regions with AWS Step Functions&lt;/a&gt; shows an automation pattern for replaying bucket configuration into a target Region with an auditable workflow.&lt;/p&gt;
&lt;p&gt;That is useful, but it also raises an important architecture question: should configuration replication be a workflow, or should it be infrastructure as code?&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The source article describes a Step Functions and Lambda solution that creates a bucket in a target Region and applies configuration from a source bucket. It logs runs to DynamoDB and CloudWatch, which gives operators an audit trail.&lt;/p&gt;
&lt;p&gt;This kind of workflow can help when teams need to replicate settings such as encryption, lifecycle, versioning, event notifications, tags, or other operational configuration across Regions.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Disaster recovery plans often assume that a bucket in another Region is ready because replication is configured. But during a real failover, missing configuration can break applications or weaken controls.&lt;/p&gt;
&lt;p&gt;Examples:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;lifecycle rules are missing and costs grow,&lt;/li&gt;
&lt;li&gt;event notifications do not trigger downstream processing,&lt;/li&gt;
&lt;li&gt;encryption or bucket policy differs from the primary Region,&lt;/li&gt;
&lt;li&gt;observability tags are absent,&lt;/li&gt;
&lt;li&gt;access points or integration settings are inconsistent.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;A repeatable replication workflow can turn those assumptions into something testable.&lt;/p&gt;
&lt;h2 id="the-trade-off-with-iac"&gt;The trade-off with IaC&lt;/h2&gt;
&lt;p&gt;For stable environments, infrastructure as code should usually be the source of truth. If the bucket configuration is defined in CDK, CloudFormation, Terraform, or Pulumi, the cleanest replication path is often to deploy the same intent to another Region.&lt;/p&gt;
&lt;p&gt;A workflow-based replication tool is valuable when:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;buckets already exist and need operational synchronization,&lt;/li&gt;
&lt;li&gt;configuration is discovered from a source environment,&lt;/li&gt;
&lt;li&gt;teams need an emergency or transitional DR path,&lt;/li&gt;
&lt;li&gt;there are many legacy buckets not yet under IaC,&lt;/li&gt;
&lt;li&gt;operators need a controlled copy action with audit logs.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The risk is creating a second source of truth. If IaC says one thing and the replication workflow copies another, drift becomes harder to reason about.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Before using this pattern, classify buckets into two groups:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;IaC-owned buckets&lt;/strong&gt; where configuration should be generated from code.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operationally managed buckets&lt;/strong&gt; where a replication workflow can reduce drift until IaC ownership exists.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Then run regular DR validation. Do not only check that the target bucket exists. Check whether the target bucket has the policies, notifications, lifecycle rules, encryption settings, tags, and observability hooks needed for the application to run.&lt;/p&gt;
&lt;p&gt;The useful takeaway is that S3 resilience is not just object replication. It is configuration repeatability. Step Functions can provide a controlled workflow for that, as long as builders are clear about the source of truth.&lt;/p&gt;</content:encoded></item><item><title>Faster S3 access log queries make storage security more usable</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-access-logs-cloudwatch-s3-tables/</link><pubDate>Mon, 29 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-access-logs-cloudwatch-s3-tables/</guid><description>AWS shows how CloudWatch and S3 Tables can make S3 access logs easier to query, which helps builders turn storage audit data into operational and security signals.</description><content:encoded>&lt;p&gt;S3 access logs are valuable, but value delayed often becomes value ignored. If logs are difficult to query, teams use them only after something has already gone wrong.&lt;/p&gt;
&lt;p&gt;The AWS Storage Blog post on &lt;a href="https://aws.amazon.com/blogs/storage/query-amazon-s3-access-logs-instantly-with-cloudwatch-and-s3-tables/"&gt;querying Amazon S3 access logs instantly with CloudWatch and S3 Tables&lt;/a&gt; is interesting because it focuses on making access data easier to use in everyday operations.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The article walks through delivering S3 access log data to CloudWatch Logs and S3 Tables, then using those destinations for dashboards, alarms, and queries. The practical shift is from &amp;ldquo;logs exist somewhere&amp;rdquo; to &amp;ldquo;logs are queryable enough to support investigation and monitoring.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;For builders, that means S3 access patterns can become part of normal observability instead of a separate forensic workflow.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;S3 is often where the most important data lives. Application logs, analytics exports, customer files, model artifacts, backups, and operational reports all end up in buckets. Yet many teams still monitor bucket configuration more carefully than bucket access behavior.&lt;/p&gt;
&lt;p&gt;Queryable access logs help answer questions that matter:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which principals are reading sensitive prefixes?&lt;/li&gt;
&lt;li&gt;Did access spike after a deployment?&lt;/li&gt;
&lt;li&gt;Are clients getting unexpected 403 or 404 responses?&lt;/li&gt;
&lt;li&gt;Which workloads are driving request cost?&lt;/li&gt;
&lt;li&gt;Did a suspicious IP enumerate objects?&lt;/li&gt;
&lt;li&gt;Are lifecycle or replication assumptions visible in traffic?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When these questions are cheap to answer, teams ask them earlier.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;More logging is not free. S3 access log delivery, CloudWatch ingestion, query volume, table storage, retention, and dashboards all have cost implications. The right design depends on the bucket&amp;rsquo;s risk and traffic profile.&lt;/p&gt;
&lt;p&gt;I would not send every low-value development bucket into a high-retention analytics pipeline. I would prioritize buckets that contain customer data, security logs, production artifacts, financial exports, backups, or AI training and retrieval data.&lt;/p&gt;
&lt;p&gt;Also, access logs are only one layer. They should complement CloudTrail data events, IAM Access Analyzer, Macie, GuardDuty, S3 Storage Lens, and application-level audit logs. Different signals answer different questions.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Pick a production bucket that matters and define three operational queries before building anything. For example:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;top readers by prefix over the last hour,&lt;/li&gt;
&lt;li&gt;denied requests by principal and source IP,&lt;/li&gt;
&lt;li&gt;unusual data transfer volume compared with baseline.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Then build the logging path and dashboard around those questions. Add alarms only where the signal is actionable; noisy storage alarms quickly become invisible.&lt;/p&gt;
&lt;p&gt;The main takeaway is that storage observability should be designed for regular use, not just incident response. Faster S3 access log queries make that much more realistic.&lt;/p&gt;</content:encoded></item><item><title>Lambda durable functions fit the messy middle of agent workflows</title><link>https://theawsblog.com/news/emiliano-montesdeoca/lambda-durable-functions-agent-workflows/</link><pubDate>Mon, 29 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/lambda-durable-functions-agent-workflows/</guid><description>AWS Lambda durable functions give multi-agent and human-in-the-loop workflows checkpointing, replay, callbacks, and polling without forcing every team to assemble custom orchestration infrastructure.</description><content:encoded>&lt;p&gt;Agent workflows are rarely a neat chain of fast API calls. They wait for humans, retry model calls, poll external systems, compensate for failed steps, and burn money when the same expensive operation runs twice.&lt;/p&gt;
&lt;p&gt;The AWS Compute Blog post on &lt;a href="https://aws.amazon.com/blogs/compute/building-fault-tolerant-multi-agent-ai-workflows-with-aws-lambda-durable-functions/"&gt;building fault-tolerant multi-agent AI workflows with AWS Lambda durable functions&lt;/a&gt; is useful because it focuses on that messy middle. The healthcare prior authorization example is domain-specific, but the orchestration problem is common.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;Lambda durable functions extend the Lambda programming model with checkpoint and replay operations. The source article highlights patterns such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;context.step()&lt;/code&gt; for checkpointed work,&lt;/li&gt;
&lt;li&gt;callback waits for human review or external completion signals,&lt;/li&gt;
&lt;li&gt;condition waits for polling long-running systems,&lt;/li&gt;
&lt;li&gt;replay behavior that skips completed durable operations,&lt;/li&gt;
&lt;li&gt;execution metrics and status events for operational visibility.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That means a long-running workflow can pause without paying compute charges during the wait, then resume from the right point when a callback arrives or a condition changes.&lt;/p&gt;
&lt;h2 id="why-it-matters-for-ai-systems"&gt;Why it matters for AI systems&lt;/h2&gt;
&lt;p&gt;Multi-agent workflows are expensive and non-deterministic. If an extraction agent, reasoning agent, or synthesis agent has already completed, you usually do not want a transient failure later in the flow to rerun everything from the start.&lt;/p&gt;
&lt;p&gt;Durable checkpointing directly addresses that. It also makes human-in-the-loop patterns less awkward. A review step can suspend for hours or days without holding a running process open or building separate queue-and-database plumbing for every workflow.&lt;/p&gt;
&lt;p&gt;This is not only an AI feature. It is orchestration for any process where work is valuable, waits are long, and retries must be controlled.&lt;/p&gt;
&lt;h2 id="the-architectural-trade-off"&gt;The architectural trade-off&lt;/h2&gt;
&lt;p&gt;The biggest benefit is also the thing to design carefully: workflow logic lives in code.&lt;/p&gt;
&lt;p&gt;That can be cleaner than stitching together many small infrastructure pieces, but it requires discipline. Builders need deterministic step boundaries, idempotent external calls, clear timeout behavior, and replay-aware logging. If a step charges a credit card, submits a claim, sends an email, or updates a ticket, retries must reuse idempotency keys.&lt;/p&gt;
&lt;p&gt;You also need to decide when Step Functions is still a better fit. If the team benefits from visual state machines, service integrations, explicit workflow definitions, or non-developer operators inspecting the flow, Step Functions remains strong. Durable functions are attractive when the orchestration is code-heavy, developer-owned, and benefits from staying close to the Lambda handler.&lt;/p&gt;
&lt;h2 id="what-builders-should-do-next"&gt;What builders should do next&lt;/h2&gt;
&lt;p&gt;Do not start by converting every workflow. Start with one painful process that has three properties:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;expensive completed steps that should not repeat,&lt;/li&gt;
&lt;li&gt;long waits for humans or external systems,&lt;/li&gt;
&lt;li&gt;retry behavior that is currently implemented with custom glue.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Then design the durable function around failure cases first. What happens if an agent times out? If the human rejects the result? If the external API accepts a submission but the response is lost? If the workflow exceeds the business deadline?&lt;/p&gt;
&lt;p&gt;The source example uses prior authorization, but the pattern applies to code review agents, document processing, procurement approvals, incident remediation, and migration assessment pipelines.&lt;/p&gt;
&lt;p&gt;The practical takeaway: durable functions are not just about making Lambda run longer. They are about making long-running workflows resumable, observable, and cheaper to wait on.&lt;/p&gt;</content:encoded></item><item><title>Redshift multi-warehouse improvements reduce the analytics freshness trade-off</title><link>https://theawsblog.com/news/emiliano-montesdeoca/redshift-multi-warehouse-enhancements/</link><pubDate>Mon, 29 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/redshift-multi-warehouse-enhancements/</guid><description>Amazon Redshift multi-warehouse enhancements improve materialized views, remote DDL, and concurrency scaling so analytics teams can separate ingestion and consumption more cleanly.</description><content:encoded>&lt;p&gt;Analytics platforms often fail at the boundary between ingestion and consumption. The business wants fresh data, analysts want fast dashboards, and data engineers do not want one workload starving the other.&lt;/p&gt;
&lt;p&gt;The AWS Big Data Blog post on &lt;a href="https://aws.amazon.com/blogs/big-data/scale-analytics-with-amazon-redshift-multi-warehouse-enhancements/"&gt;Amazon Redshift multi-warehouse enhancements&lt;/a&gt; is useful because it targets that exact tension. Redshift is adding capabilities around remote materialized views, remote table DDL, and concurrency scaling for ingestion paths.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The source article highlights several improvements:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;materialized view operations can benefit from concurrency scaling,&lt;/li&gt;
&lt;li&gt;materialized views can work more effectively across data sharing boundaries,&lt;/li&gt;
&lt;li&gt;remote table DDL operations improve distributed warehouse management,&lt;/li&gt;
&lt;li&gt;zero-ETL, auto-copy, and COPY workloads can use concurrency scaling.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The practical effect is that data loading, transformation, and dashboard workloads can be separated more cleanly without forcing every team into a single overloaded warehouse.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Modern analytics environments are rarely one warehouse and one team. They include raw ingestion zones, curated datasets, consumer warehouses, BI dashboards, near-real-time application data, data science workspaces, and governance boundaries.&lt;/p&gt;
&lt;p&gt;Data sharing helped separate producers and consumers. These enhancements make the separation more usable because operational work such as materialized view refreshes and ingestion can scale without stealing capacity from interactive analytics.&lt;/p&gt;
&lt;p&gt;For builders, this reduces a common trade-off: choose fresher data and risk dashboard performance, or protect dashboards and accept slower ingestion.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;More warehouses and more scaling options can also mean more cost and governance complexity.&lt;/p&gt;
&lt;p&gt;Teams should define workload classes clearly:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;ingestion and copy workloads,&lt;/li&gt;
&lt;li&gt;transformation and materialized view refresh,&lt;/li&gt;
&lt;li&gt;interactive BI,&lt;/li&gt;
&lt;li&gt;ad hoc analyst queries,&lt;/li&gt;
&lt;li&gt;data science exploration,&lt;/li&gt;
&lt;li&gt;governed consumer access.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Then assign cost ownership and performance targets to each class. Concurrency scaling is valuable, but it should not hide inefficient query design, poor distribution choices, or runaway workloads.&lt;/p&gt;
&lt;p&gt;Remote operations also require careful permissions and change management. A consumer warehouse refreshing or building on shared data is convenient, but data contracts and ownership should remain explicit.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Review Redshift environments where ingestion freshness and query performance are in conflict. Those are the best candidates for multi-warehouse design improvements.&lt;/p&gt;
&lt;p&gt;Ask four questions:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Which workloads need isolation from each other?&lt;/li&gt;
&lt;li&gt;Which data products should be shared rather than copied?&lt;/li&gt;
&lt;li&gt;Which materialized views are critical to dashboard performance?&lt;/li&gt;
&lt;li&gt;Which ingestion paths need concurrency scaling to avoid freshness delays?&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The practical takeaway is that Redshift is making decentralized analytics architectures easier to operate. Builders should use that to create clearer workload boundaries, not just to add more capacity to the same messy warehouse.&lt;/p&gt;</content:encoded></item><item><title>Secure ML environments need productivity and exfiltration controls together</title><link>https://theawsblog.com/news/emiliano-montesdeoca/sagemaker-ai-data-exfiltration-controls/</link><pubDate>Mon, 29 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/sagemaker-ai-data-exfiltration-controls/</guid><description>An AWS architecture using SageMaker AI, VPC endpoints, DNS controls, and WorkSpaces Secure Browser shows how ML teams can protect sensitive data without returning to expensive air-gapped workflows.</description><content:encoded>&lt;p&gt;Machine learning teams need access to sensitive data, but the old answer of isolated desktops and manual monitoring does not scale well. It is expensive, slow, and frustrating for the people trying to build models.&lt;/p&gt;
&lt;p&gt;The AWS Architecture Blog post on &lt;a href="https://aws.amazon.com/blogs/architecture/preventing-data-exfiltration-in-machine-learning-environments-with-amazon-sagemaker-ai/"&gt;preventing data exfiltration in machine learning environments with Amazon SageMaker AI&lt;/a&gt; is useful because it balances two goals that are often treated as opposites: data scientist productivity and strict exfiltration control.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The source article describes a three-layer architecture using Amazon WorkSpaces Secure Browser, SageMaker AI, VPC endpoints, DNS controls, endpoint policies, and account restrictions.&lt;/p&gt;
&lt;p&gt;The pattern is straightforward:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;data scientists access the environment through a controlled browser,&lt;/li&gt;
&lt;li&gt;browser capabilities such as upload, download, clipboard, and printing are restricted,&lt;/li&gt;
&lt;li&gt;access is limited to approved AWS and SageMaker domains,&lt;/li&gt;
&lt;li&gt;SageMaker runs without direct internet egress,&lt;/li&gt;
&lt;li&gt;VPC endpoint policies restrict access to organization-owned resources,&lt;/li&gt;
&lt;li&gt;DNS Firewall and private endpoints reduce bypass paths.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is not a single magic control. It is layered friction against data leaving through the browser, the network, AWS APIs, or cross-account paths.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;ML environments are uniquely risky because they combine sensitive data, powerful compute, notebooks, terminals, package installation, model artifacts, and curious users. Blocking everything makes teams ineffective. Allowing everything creates obvious exfiltration paths.&lt;/p&gt;
&lt;p&gt;A layered architecture gives teams a middle path. Data scientists can use managed ML tooling while the platform enforces where data can flow.&lt;/p&gt;
&lt;p&gt;This is especially relevant for fintech, healthcare, insurance, public sector, and any organization fine-tuning or evaluating models on sensitive datasets.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Every restriction has a productivity cost.&lt;/p&gt;
&lt;p&gt;No internet access means dependency management must be planned. Package mirrors, approved repositories, model artifact flows, and update processes become platform responsibilities. URL allowlists must be maintained. Endpoint policies must be tested. Break-glass workflows must exist for legitimate exceptions.&lt;/p&gt;
&lt;p&gt;There is also a risk of building controls that look strong but are not complete. If S3 endpoint policies block external buckets but another service path remains open, data can still move. If DNS Firewall covers only part of the environment, bypasses may remain.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Start by mapping data egress paths, not by choosing tools. For an ML workspace, list how data could leave:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;browser download,&lt;/li&gt;
&lt;li&gt;clipboard or print,&lt;/li&gt;
&lt;li&gt;external website upload,&lt;/li&gt;
&lt;li&gt;S3 copy to another account,&lt;/li&gt;
&lt;li&gt;package manager or shell command,&lt;/li&gt;
&lt;li&gt;notebook output,&lt;/li&gt;
&lt;li&gt;model artifact export,&lt;/li&gt;
&lt;li&gt;DNS or HTTPS tunnel.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Then put controls around each path and test them with realistic user workflows. Involve data scientists early; controls that break normal work will be bypassed or abandoned.&lt;/p&gt;
&lt;p&gt;The practical takeaway: secure ML platforms should not be air-gapped by default or open by convenience. They should make the safe path productive and the unsafe path difficult.&lt;/p&gt;</content:encoded></item><item><title>S3 Storage Lens groups make storage cost conversations less generic</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-storage-lens-groups-cost-visibility/</link><pubDate>Fri, 26 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-storage-lens-groups-cost-visibility/</guid><description>Amazon S3 Storage Lens groups help teams inspect storage by workload-specific criteria, making cost, lifecycle, and data hygiene work more actionable.</description><content:encoded>&lt;p&gt;Storage optimization advice often starts too broadly: reduce old data, review access patterns, apply lifecycle policies. That is true, but it is not specific enough for a team to act.&lt;/p&gt;
&lt;p&gt;The AWS Storage Blog post on &lt;a href="https://aws.amazon.com/blogs/storage/create-custom-storage-groupings-with-amazon-s3-storage-lens-groups/"&gt;S3 Storage Lens groups&lt;/a&gt; is useful because it shows how to group storage by workload-specific criteria instead of looking only at account or bucket totals.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;S3 Storage Lens groups let builders define custom groupings and analyze metrics for targeted slices of S3 data. The source article uses examples such as older application logs and aging image files across multiple buckets and accounts.&lt;/p&gt;
&lt;p&gt;That matters because the useful unit of storage ownership is rarely just a bucket. It may be an application, dataset, tenant, media type, compliance class, or product feature.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;S3 cost and hygiene problems are usually ownership problems.&lt;/p&gt;
&lt;p&gt;A central cloud team can see that storage is growing. They may not know which logs are safe to expire, which images are user-generated content, which datasets are legally retained, or which prefixes belong to an old migration. Application teams know the context, but they often lack cross-account visibility.&lt;/p&gt;
&lt;p&gt;Storage Lens groups can bridge that gap. They help create a view that says, &amp;ldquo;this workload has 40 TB of logs older than 180 days,&amp;rdquo; not just &amp;ldquo;this account has 400 TB in S3.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;That turns a generic optimization request into a practical backlog item.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Custom groups are only useful if the grouping logic reflects real ownership and lifecycle rules. If tags, prefixes, naming conventions, or account boundaries are inconsistent, the dashboard can give false confidence.&lt;/p&gt;
&lt;p&gt;Teams should avoid building too many groups at once. Start with questions that lead to action:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which data can move to a colder tier?&lt;/li&gt;
&lt;li&gt;Which prefixes have no recent access?&lt;/li&gt;
&lt;li&gt;Which workloads are growing faster than expected?&lt;/li&gt;
&lt;li&gt;Which buckets contain small-object patterns that inflate request costs?&lt;/li&gt;
&lt;li&gt;Which teams own the largest retained datasets?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also remember that visibility is not enforcement. Storage Lens can show the opportunity, but lifecycle rules, retention policies, and application changes implement the fix.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Pick one high-cost storage area and define a group around the way the business thinks about it. For example: production application logs older than 90 days, media originals by product, or export datasets by tenant.&lt;/p&gt;
&lt;p&gt;Then review the metrics with the owning team and decide on one action: lifecycle transition, deletion after retention, object compaction, prefix redesign, or access pattern review.&lt;/p&gt;
&lt;p&gt;The practical value of Storage Lens groups is not better charts. It is better conversations between platform, finance, security, and application teams about the specific data that is driving cost and risk.&lt;/p&gt;</content:encoded></item><item><title>Running pgvector on Aurora is a production operations decision</title><link>https://theawsblog.com/news/emiliano-montesdeoca/aurora-postgresql-pgvector-production/</link><pubDate>Thu, 25 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/aurora-postgresql-pgvector-production/</guid><description>AWS guidance on pgvector in Amazon Aurora PostgreSQL highlights that vector search is not only a model feature; it needs indexing, memory, partitioning, and observability discipline.</description><content:encoded>&lt;p&gt;It is easy to prototype vector search. It is harder to operate it after users, documents, embeddings, and retrieval patterns start changing every day.&lt;/p&gt;
&lt;p&gt;The AWS Database Blog post on &lt;a href="https://aws.amazon.com/blogs/database/running-pgvector-in-production-on-amazon-aurora-postgresql/"&gt;running pgvector in production on Amazon Aurora PostgreSQL&lt;/a&gt; is useful because it moves the conversation away from &amp;ldquo;can I store embeddings?&amp;rdquo; and toward &amp;ldquo;can I keep this retrieval system healthy?&amp;rdquo;&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The source article covers operational practices for pgvector workloads on Aurora PostgreSQL: choosing index types and distance functions, managing HNSW behavior, using quantization and partitioning, sizing memory, and monitoring the signals that show when the vector store is drifting out of shape.&lt;/p&gt;
&lt;p&gt;That is the right level of discussion for production RAG systems. The database is not just a place to put vectors. It is part of the user-facing latency, relevance, and cost profile.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Aurora PostgreSQL with pgvector is attractive because many teams already understand PostgreSQL. They can keep relational data, metadata filters, access patterns, and embeddings close together. That reduces architecture sprawl for early and mid-sized AI applications.&lt;/p&gt;
&lt;p&gt;But familiarity can hide risk. Vector indexes have different maintenance behavior than normal B-tree indexes. Embedding dimensions affect memory. Update and delete patterns can degrade index quality. Query filters can change recall and latency. The database may need to serve both transactional and retrieval traffic.&lt;/p&gt;
&lt;p&gt;If you treat pgvector like a small column type, production will teach you otherwise.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;The main decision is managed abstraction versus self-managed control.&lt;/p&gt;
&lt;p&gt;Aurora PostgreSQL with pgvector gives control over schema, SQL, transactions, and tuning. That is valuable when retrieval is tightly coupled to application data. Amazon Bedrock Knowledge Bases or other managed retrieval systems reduce operational burden, which can be better when the team does not need direct database-level control.&lt;/p&gt;
&lt;p&gt;There is no universal winner. Choose pgvector on Aurora when PostgreSQL integration is a real product advantage. Choose a more managed path when the team mostly wants ingestion, embedding, retrieval, and scaling handled for them.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Before putting pgvector-backed retrieval into production, define operational checks:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;index type and distance metric per use case,&lt;/li&gt;
&lt;li&gt;expected vector count and growth rate,&lt;/li&gt;
&lt;li&gt;memory needed to keep hot indexes healthy,&lt;/li&gt;
&lt;li&gt;update and deletion behavior,&lt;/li&gt;
&lt;li&gt;query latency percentiles under realistic filters,&lt;/li&gt;
&lt;li&gt;recall evaluation for representative prompts,&lt;/li&gt;
&lt;li&gt;vacuum and maintenance expectations,&lt;/li&gt;
&lt;li&gt;fallback behavior when retrieval fails or gets slow.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also separate prototype metrics from production metrics. A demo with 10,000 documents says little about a system with millions of vectors, concurrent users, and evolving embeddings.&lt;/p&gt;
&lt;p&gt;The practical takeaway is simple: pgvector on Aurora can be a strong architecture choice, but only if the team is ready to operate vector search as a database workload, not as a model configuration checkbox.&lt;/p&gt;</content:encoded></item><item><title>AWS Transform makes migration assessments more conversational, but data quality still wins</title><link>https://theawsblog.com/news/emiliano-montesdeoca/aws-transform-migration-assessments/</link><pubDate>Wed, 24 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/aws-transform-migration-assessments/</guid><description>AWS Transform assessments use agentic AI to turn migration planning into an interactive business-case workflow, but builders still need inventory discipline and assumption control.</description><content:encoded>&lt;p&gt;Migration assessments are rarely wrong because the spreadsheet formula is hard. They are wrong because the inventory is incomplete, assumptions are stale, and the business case changes every time a stakeholder adds context.&lt;/p&gt;
&lt;p&gt;The AWS Migration &amp;amp; Modernization Blog post on &lt;a href="https://aws.amazon.com/blogs/migration-and-modernization/accelerating-migration-assessments-and-planning-with-aws-transform/"&gt;accelerating migration assessments and planning with AWS Transform&lt;/a&gt; is interesting because it treats assessment as an interactive workflow instead of a static report.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;AWS Transform assessments can ingest inventory data from common discovery sources, generate a TCO business case, recommend AWS targets, and then let teams refine assumptions through chat. The source article shows examples such as adding missing servers, adjusting on-premises costs, modeling non-EC2 services, and exploring what-if scenarios.&lt;/p&gt;
&lt;p&gt;That changes the assessment loop. Instead of recollecting data and regenerating a report for every new question, teams can refine the model conversationally.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Migration planning is full of partial information. A CMDB misses servers. RVTools exports do not capture every cost. Licensing assumptions change. Some workloads are heading to managed services, not EC2. Finance wants a different depreciation model. Application owners remember a dependency late in the process.&lt;/p&gt;
&lt;p&gt;An interactive assessment tool can keep momentum when those changes happen. That is valuable during early planning, executive conversations, and portfolio prioritization.&lt;/p&gt;
&lt;p&gt;But the output is only as good as the inputs and assumptions.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Conversational planning can make weak assumptions feel more authoritative than they are. A polished business case is still a model.&lt;/p&gt;
&lt;p&gt;Builders and migration leads should keep three things explicit:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Data source quality:&lt;/strong&gt; where inventory came from, when it was collected, and what is missing.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Assumptions:&lt;/strong&gt; utilization, licensing, storage growth, network costs, support model, and target services.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Decision status:&lt;/strong&gt; directional estimate, planning baseline, or approved migration wave.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;AWS Transform can help generate and adjust the assessment, but it should not replace stakeholder validation. Application owners, finance, security, and operations still need to review the model.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Use AWS Transform early, but label the results honestly. Start with directional estimates, then improve confidence as discovery data gets better.&lt;/p&gt;
&lt;p&gt;A practical workflow:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Import existing inventory instead of waiting for perfect data.&lt;/li&gt;
&lt;li&gt;Generate a first-pass business case.&lt;/li&gt;
&lt;li&gt;Use chat to add known missing costs and workloads.&lt;/li&gt;
&lt;li&gt;Review assumptions with finance and platform teams.&lt;/li&gt;
&lt;li&gt;Convert high-confidence groups into migration waves.&lt;/li&gt;
&lt;li&gt;Reassess after each wave to improve the next one.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The useful takeaway is that migration assessments can become living documents. That is a big improvement over static PDFs, as long as teams keep data quality and assumption ownership visible.&lt;/p&gt;</content:encoded></item><item><title>OpenSearch Serverless next generation changes the economics of tenant isolation</title><link>https://theawsblog.com/news/emiliano-montesdeoca/opensearch-serverless-multitenant-search/</link><pubDate>Wed, 24 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/opensearch-serverless-multitenant-search/</guid><description>Amazon OpenSearch Serverless next-generation architecture makes collection-per-tenant search more practical with scale-to-zero compute and regional endpoint routing.</description><content:encoded>&lt;p&gt;Multi-tenant search has always forced an uncomfortable trade-off: isolate tenants cleanly and pay for too much infrastructure, or pool tenants together and accept more operational and security complexity.&lt;/p&gt;
&lt;p&gt;The AWS Big Data Blog post on &lt;a href="https://aws.amazon.com/blogs/big-data/implement-multi-tenant-search-with-amazon-opensearch-serverless-next-generation/"&gt;multi-tenant search with Amazon OpenSearch Serverless next generation&lt;/a&gt; is important because it changes that cost model. Scale-to-zero compute and regional endpoint routing make collection-per-tenant designs more realistic.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;OpenSearch Serverless next-generation architecture lets collection groups scale compute to zero, while storage charges still apply. AWS also added a per-account, regional endpoint that can route requests to collections using headers such as &lt;code&gt;x-amz-aoss-collection-name&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;That means a SaaS application can keep a cleaner collection-per-tenant model without managing a separate endpoint and connection pool for every tenant.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Tenant isolation is easier to discuss in architecture reviews than to pay for in production.&lt;/p&gt;
&lt;p&gt;A collection-per-tenant design gives strong isolation boundaries for data, workload behavior, encryption, lifecycle, and noisy-neighbor risk. But if each tenant carries a minimum always-on compute cost, the design breaks down for long-tail tenants.&lt;/p&gt;
&lt;p&gt;Scale-to-zero compute makes the model more practical for SaaS platforms with many tenants that search occasionally. The regional endpoint also simplifies application routing. Instead of maintaining many endpoints, the application can target one endpoint and route by collection header.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Collection-per-tenant is not automatically the best design.&lt;/p&gt;
&lt;p&gt;For very small tenants with similar access patterns, pooled indexes may still be simpler. For very large tenants, dedicated collections or even separate domains may be appropriate. For regulated tenants, encryption, access policy, and audit boundaries may matter more than cost.&lt;/p&gt;
&lt;p&gt;Builders should also design the tenant mapping layer carefully. A regional endpoint reduces endpoint sprawl, but the application still needs a reliable mapping from tenant ID to collection name or ID. That mapping becomes part of the security boundary.&lt;/p&gt;
&lt;p&gt;Operational questions remain:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;How are collections created and deleted?&lt;/li&gt;
&lt;li&gt;What happens when a dormant tenant becomes active?&lt;/li&gt;
&lt;li&gt;How are per-tenant quotas enforced?&lt;/li&gt;
&lt;li&gt;How are index templates and mappings rolled out safely?&lt;/li&gt;
&lt;li&gt;How are tenant-level costs reported?&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;For SaaS search workloads, revisit the tenancy model. Compare pooled, collection-per-tenant, and hybrid approaches using real tenant distribution, not an average tenant.&lt;/p&gt;
&lt;p&gt;A practical path is:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Put high-volume tenants in dedicated collections.&lt;/li&gt;
&lt;li&gt;Keep small tenants pooled or grouped if isolation requirements allow it.&lt;/li&gt;
&lt;li&gt;Use collection-per-tenant where security, compliance, or noisy-neighbor risk justifies the boundary.&lt;/li&gt;
&lt;li&gt;Automate collection lifecycle and mapping changes from the start.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The takeaway is that OpenSearch Serverless is making stronger isolation less expensive. That does not remove design work, but it gives builders more room to choose isolation for good reasons instead of avoiding it because of minimum compute cost.&lt;/p&gt;</content:encoded></item><item><title>Restricting AWS Console access by network is a useful perimeter, not a complete identity strategy</title><link>https://theawsblog.com/news/emiliano-montesdeoca/console-access-network-perimeters/</link><pubDate>Wed, 24 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/console-access-network-perimeters/</guid><description>AWS sign-in resource-based policies and resource control policies can restrict Management Console access to expected networks, adding a practical layer to data perimeter designs.</description><content:encoded>&lt;p&gt;Identity controls usually answer who can sign in. Network-aware console controls help answer where that sign-in is allowed to happen.&lt;/p&gt;
&lt;p&gt;The AWS Security Blog post on &lt;a href="https://aws.amazon.com/blogs/security/restrict-aws-management-console-access-to-expected-networks-with-sign-in-resource-based-policies-and-rcps/"&gt;restricting AWS Management Console access to expected networks with sign-in resource-based policies and RCPs&lt;/a&gt; is important for organizations building data perimeters. It gives security teams another way to reduce the usefulness of stolen credentials.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;AWS now supports patterns where Management Console sign-in can be restricted based on expected networks using sign-in resource-based policies and AWS Organizations resource control policies. The source article walks through a financial services scenario, CloudTrail verification, Console Private Access integration, and data perimeter alignment.&lt;/p&gt;
&lt;p&gt;The builder impact is straightforward: console access can be constrained closer to the network boundary, not only by identity and MFA.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;A compromised credential should not work equally well from anywhere on the internet. Network restrictions are not perfect, but they raise the bar and reduce the blast radius of many common incidents.&lt;/p&gt;
&lt;p&gt;This is especially relevant for:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;regulated environments,&lt;/li&gt;
&lt;li&gt;privileged administration accounts,&lt;/li&gt;
&lt;li&gt;break-glass access patterns,&lt;/li&gt;
&lt;li&gt;organizations using centralized corporate egress,&lt;/li&gt;
&lt;li&gt;teams implementing broader AWS data perimeter controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When combined with IAM Identity Center, MFA, least privilege, CloudTrail, and anomaly detection, expected-network policies add another useful checkpoint.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Network conditions change. Employees travel, VPNs fail, disaster recovery procedures happen, and incident responders may need access from unusual locations. If console network restrictions are too rigid, they can become an availability risk during exactly the moment when access matters most.&lt;/p&gt;
&lt;p&gt;I would treat this as a tiered control:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;strict policies for highly privileged production administration,&lt;/li&gt;
&lt;li&gt;documented exceptions for break-glass roles,&lt;/li&gt;
&lt;li&gt;tested access paths for incident response,&lt;/li&gt;
&lt;li&gt;monitoring for denied attempts,&lt;/li&gt;
&lt;li&gt;clear ownership of allowed network ranges.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also, do not confuse console restrictions with API restrictions. Many automation paths use AWS APIs, not the web console. A complete perimeter strategy must cover both human console access and programmatic access patterns.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Start with privileged accounts and roles, not every user at once. Define the expected networks, verify them with CloudTrail, and test both allowed and denied sign-in paths.&lt;/p&gt;
&lt;p&gt;Then rehearse failure cases:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;corporate VPN unavailable,&lt;/li&gt;
&lt;li&gt;emergency access required,&lt;/li&gt;
&lt;li&gt;identity provider outage,&lt;/li&gt;
&lt;li&gt;support engineer working from a different location,&lt;/li&gt;
&lt;li&gt;network range changed but policy not updated.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The practical takeaway is that network-aware console access is a strong additional guardrail. It should complement identity, not replace it. Used carefully, it makes stolen credentials less useful without making legitimate operations fragile.&lt;/p&gt;</content:encoded></item><item><title>S3 Files makes Lambda file workflows simpler, but not automatically better</title><link>https://theawsblog.com/news/emiliano-montesdeoca/s3-files-lambda-modernization/</link><pubDate>Wed, 24 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/s3-files-lambda-modernization/</guid><description>Amazon S3 Files lets Lambda functions work with S3-backed file paths instead of download-process-upload code, which can simplify workloads if teams understand consistency, throughput, and VPC implications.</description><content:encoded>&lt;p&gt;A lot of Lambda code that works with S3 is not complicated because the business logic is complicated. It is complicated because the function has to download an object, manage &lt;code&gt;/tmp&lt;/code&gt;, process the file, upload the result, and clean up after itself.&lt;/p&gt;
&lt;p&gt;The AWS Compute Blog post on &lt;a href="https://aws.amazon.com/blogs/compute/modernizing-lambda-s3-workloads-with-amazon-s3-files/"&gt;modernizing Lambda and S3 workloads with Amazon S3 Files&lt;/a&gt; shows a different model: mount an S3-backed file system and let the function use normal file paths.&lt;/p&gt;
&lt;p&gt;That sounds small. For many workloads, it changes the shape of the code.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;S3 Files lets a Lambda function mount an S3 bucket as a file system at a path such as &lt;code&gt;/mnt/data&lt;/code&gt;. Code can open, read, write, list, and organize files using filesystem operations while S3 remains the durable backing store.&lt;/p&gt;
&lt;p&gt;The source article uses examples such as image processing, ETL pipelines, and multi-agent shared workspaces. In each case, the function moves away from explicit S3 transfer code and toward direct file I/O.&lt;/p&gt;
&lt;p&gt;That removes a surprising amount of glue:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;no manual download before processing,&lt;/li&gt;
&lt;li&gt;no upload step after writing output,&lt;/li&gt;
&lt;li&gt;less &lt;code&gt;/tmp&lt;/code&gt; capacity management,&lt;/li&gt;
&lt;li&gt;fewer cleanup paths for failed invocations,&lt;/li&gt;
&lt;li&gt;simpler handoffs between functions that share a workspace.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;The strongest use case is modernization of existing file-oriented libraries. Many image, document, ML, and data-processing libraries expect file paths. Without S3 Files, Lambda code often has to adapt object storage into temporary local files before real work can start.&lt;/p&gt;
&lt;p&gt;S3 Files lets builders keep file-based code and still use S3 as the storage layer. That can make Lambda more attractive for workloads that previously moved to containers only because file handling became awkward.&lt;/p&gt;
&lt;p&gt;The shared workspace pattern is also interesting for AI agents. If multiple Lambda functions collaborate on a session, a directory tree can be easier to reason about than a collection of object keys and serialized state blobs.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;I would not replace every S3 API call with file I/O.&lt;/p&gt;
&lt;p&gt;Object APIs are still excellent when you want explicit object boundaries, event-driven processing, presigned URLs, lifecycle policies, replication, and direct control over metadata. File systems are easier for some code, but they can also hide transfer and consistency behavior behind familiar syntax.&lt;/p&gt;
&lt;p&gt;Builders should validate:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;throughput for large files,&lt;/li&gt;
&lt;li&gt;behavior under high concurrency,&lt;/li&gt;
&lt;li&gt;consistency expectations between producers and consumers,&lt;/li&gt;
&lt;li&gt;VPC and mount target requirements,&lt;/li&gt;
&lt;li&gt;IAM permissions for mount and write operations,&lt;/li&gt;
&lt;li&gt;failure behavior when a function exits while writing.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also remember that simpler code is not the same as simpler operations. If many functions share a writable workspace, you need naming conventions, cleanup policies, and safeguards against accidental overwrite.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Look for Lambda functions where more code is spent on S3 transfers than on the actual business logic. Image resizing, report generation, data conversion, document processing, and agent workspaces are good candidates.&lt;/p&gt;
&lt;p&gt;For each candidate, compare two versions:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;current S3 API flow with &lt;code&gt;/tmp&lt;/code&gt;,&lt;/li&gt;
&lt;li&gt;S3 Files flow with mounted paths.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Measure duration, memory, error handling complexity, and cost. The winning design may be different per workload.&lt;/p&gt;
&lt;p&gt;The useful takeaway is not that file systems are better than object APIs. It is that Lambda now has a cleaner option when the workload is naturally file-shaped.&lt;/p&gt;</content:encoded></item><item><title>EKS Auto Mode improvements show why managed Kubernetes is becoming operational engineering</title><link>https://theawsblog.com/news/emiliano-montesdeoca/eks-auto-mode-scaling-improvements/</link><pubDate>Tue, 23 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/eks-auto-mode-scaling-improvements/</guid><description>Recent EKS Auto Mode runtime, compute, storage, and networking improvements reduce Kubernetes operational friction, but teams still need workload-level SLOs and migration discipline.</description><content:encoded>&lt;p&gt;The latest EKS Auto Mode update is not one big feature. It is a collection of operational improvements: faster node startup, better Karpenter behavior, node-local DNS, smoother EBS migration, and more networking options.&lt;/p&gt;
&lt;p&gt;That is exactly why it matters.&lt;/p&gt;
&lt;p&gt;In the &lt;a href="https://aws.amazon.com/blogs/containers/faster-nodes-smarter-scaling-whats-new-inside-amazon-elastic-kubernetes-service-amazon-eks-auto-mode/"&gt;AWS Containers Blog post&lt;/a&gt;, AWS describes improvements across runtime, compute, storage, and networking. For builders, the lesson is that managed Kubernetes value increasingly comes from reducing the number of sharp edges you have to own yourself.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The source article lists several practical changes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;node ready latency reduced through faster startup detection,&lt;/li&gt;
&lt;li&gt;Karpenter scale-out and consolidation improvements,&lt;/li&gt;
&lt;li&gt;zram protection for transient system memory pressure,&lt;/li&gt;
&lt;li&gt;faster image pulls for large ML and GPU images,&lt;/li&gt;
&lt;li&gt;node-local DNS by default in Auto Mode,&lt;/li&gt;
&lt;li&gt;support for separate pod subnets and pod security groups,&lt;/li&gt;
&lt;li&gt;improved EBS migration and topology-aware volume scheduling.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;None of these changes remove the need to understand Kubernetes. They reduce the tax of operating the infrastructure layer below your workloads.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Most Kubernetes incidents are not about Kubernetes being unavailable. They are about the cluster being technically alive while applications wait for capacity, DNS, storage, or networking to catch up.&lt;/p&gt;
&lt;p&gt;Faster node startup helps bursty workloads. Better consolidation helps cost. Node-local DNS reduces a common hidden bottleneck. Separate pod subnets and security groups make enterprise network patterns easier to express without abandoning Auto Mode defaults.&lt;/p&gt;
&lt;p&gt;For platform teams, this changes the migration conversation. Auto Mode is not only about &amp;ldquo;less to manage.&amp;rdquo; It is about whether AWS-managed operational improvements arrive faster than your team could safely build and maintain them.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;There are still boundaries.&lt;/p&gt;
&lt;p&gt;Auto Mode can improve node lifecycle and system components, but it cannot fix bad pod requests, missing disruption budgets, slow application startup, or chatty service dependencies. If workloads request too much CPU, do not define readiness probes, or depend on large cold images, managed infrastructure only helps so far.&lt;/p&gt;
&lt;p&gt;Cost also needs attention. Faster scale-out is useful, but it can surface inefficient autoscaling policies. Faster consolidation is useful, but only if workloads tolerate disruption and your budgets are modeled correctly.&lt;/p&gt;
&lt;p&gt;Networking improvements should also be treated as architecture choices. Separate pod subnets and security groups can improve segmentation, but they introduce more routes, policies, IP planning, and troubleshooting paths.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;If you run EKS Auto Mode today, measure before and after. Look at:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;pending pod seconds during scale events,&lt;/li&gt;
&lt;li&gt;node ready time,&lt;/li&gt;
&lt;li&gt;image pull latency for large containers,&lt;/li&gt;
&lt;li&gt;DNS latency and CoreDNS saturation,&lt;/li&gt;
&lt;li&gt;consolidation events and interruption impact,&lt;/li&gt;
&lt;li&gt;cross-AZ and NAT gateway traffic.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are migrating to Auto Mode, do it workload by workload. Start with stateless services that have clean readiness probes, pod disruption budgets, and known resource requests. Then move stateful or network-sensitive workloads after validating storage topology and security group behavior.&lt;/p&gt;
&lt;p&gt;The best outcome is not simply fewer Kubernetes knobs. It is a platform where the knobs that remain are closer to application reliability, cost, and security decisions. That is where builders should spend their time.&lt;/p&gt;</content:encoded></item><item><title>EKS control plane egress through your VPC closes a real private-cluster gap</title><link>https://theawsblog.com/news/emiliano-montesdeoca/eks-control-plane-egress-vpc/</link><pubDate>Mon, 22 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/eks-control-plane-egress-vpc/</guid><description>Amazon EKS customer-routed control plane egress lets Kubernetes API server traffic use customer VPC routing, security controls, and private endpoints for webhooks and OIDC dependencies.</description><content:encoded>&lt;p&gt;Private EKS clusters have always had two sides: how clients and nodes reach the API server, and how the API server reaches things on behalf of Kubernetes. The first side was easier to reason about. The second side had awkward edges.&lt;/p&gt;
&lt;p&gt;AWS has announced &lt;a href="https://aws.amazon.com/blogs/containers/amazon-eks-now-supports-control-plane-egress-through-your-vpc/"&gt;customer-routed control plane egress for Amazon EKS&lt;/a&gt;, which routes customer-controllable Kubernetes API server outbound traffic through your VPC. That includes admission webhook callbacks, OIDC discovery, and aggregate API server requests.&lt;/p&gt;
&lt;p&gt;This is a practical feature for teams that need private webhooks, private identity providers, and auditable network paths.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;With the new &lt;code&gt;controlPlaneEgressMode&lt;/code&gt; set to &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt;, the Kubernetes API server uses an elastic network interface in your VPC for specific outbound flows. Those flows can then follow your routing, security groups, VPC endpoints, DNS, Network Firewall, PrivateLink, Direct Connect, and logging patterns.&lt;/p&gt;
&lt;p&gt;EKS-managed service traffic still uses the EKS-managed path. The feature is scoped to customer-controllable API server egress, not every packet from the control plane.&lt;/p&gt;
&lt;p&gt;One important detail: after a cluster uses &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt;, the setting is immutable for the life of the cluster. That makes planning more important than experimentation on a random production cluster.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;Admission webhooks are often part of the security boundary. They validate images, enforce labels, inject sidecars, block risky configurations, and integrate with policy engines. If the API server can only call a public endpoint, teams end up exposing services that they would rather keep private.&lt;/p&gt;
&lt;p&gt;The same issue appears with external OIDC identity providers. If the control plane must fetch discovery documents and JWKS over an internet-reachable path, the cluster is not as private as the architecture diagram suggests.&lt;/p&gt;
&lt;p&gt;Customer-routed egress makes a cleaner design possible:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;webhook services can live behind internal load balancers,&lt;/li&gt;
&lt;li&gt;private DNS can resolve API server dependencies,&lt;/li&gt;
&lt;li&gt;VPC Flow Logs can show the path,&lt;/li&gt;
&lt;li&gt;SCPs can enforce the required egress mode across accounts,&lt;/li&gt;
&lt;li&gt;network teams can apply existing inspection and routing controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For regulated environments, the value is not only connectivity. It is evidence.&lt;/p&gt;
&lt;h2 id="design-considerations"&gt;Design considerations&lt;/h2&gt;
&lt;p&gt;This feature moves responsibility to your network design. If DNS, routes, endpoint policies, or security groups are wrong, API server calls can fail. That can break admissions, identity association, or aggregated APIs.&lt;/p&gt;
&lt;p&gt;I would pay attention to four areas:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;DNS resolution.&lt;/strong&gt; The API server now depends on the DNS path available from your VPC configuration for those customer-controllable names.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Webhook availability.&lt;/strong&gt; A private webhook outage can become a cluster-wide admission outage if failure policies are strict.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Certificate trust.&lt;/strong&gt; Private does not always mean privately trusted. The source article notes that OIDC issuer certificates still need a publicly trusted chain.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cost and routing.&lt;/strong&gt; NAT gateways, cross-AZ paths, inspection appliances, and endpoints can add cost or latency if the path is not designed deliberately.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Start by identifying clusters that already use admission webhooks, external OIDC providers, or aggregate API servers. Those clusters have the most to gain.&lt;/p&gt;
&lt;p&gt;For new clusters, decide whether &lt;code&gt;CUSTOMER_ROUTED&lt;/code&gt; should be part of the baseline. For existing clusters, test in a non-production environment with the same webhook and identity dependencies before updating anything important.&lt;/p&gt;
&lt;p&gt;Then build a failure test. Block the webhook endpoint, break DNS resolution, and confirm your cluster behavior matches your expectations. Network privacy is useful only if the failure modes are understood.&lt;/p&gt;
&lt;p&gt;This EKS change does not make private Kubernetes automatic, but it removes a real architectural compromise. Builders now have a better way to align the control plane&amp;rsquo;s outbound path with the same network rules they already apply to workloads.&lt;/p&gt;</content:encoded></item><item><title>Lambda MicroVMs make isolated sandboxes a serverless design choice</title><link>https://theawsblog.com/news/emiliano-montesdeoca/lambda-microvms-isolated-sandboxes/</link><pubDate>Mon, 22 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/lambda-microvms-isolated-sandboxes/</guid><description>AWS Lambda MicroVMs give builders a new option for running user-generated and AI-generated code with VM-level isolation, fast resume, and controlled lifecycle state.</description><content:encoded>&lt;p&gt;AWS Lambda MicroVMs are interesting because they do not try to replace normal Lambda functions. They fill a different gap: workloads where the unit of isolation is not an event, but a user session, coding environment, agent run, scanner job, or other stateful sandbox.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://aws.amazon.com/blogs/aws/run-isolated-sandboxes-with-full-lifecycle-control-aws-lambda-introduces-microvms/"&gt;AWS announcement&lt;/a&gt; frames this around isolated sandboxes with full lifecycle control. That is the right framing. The practical value is not only that Firecracker provides VM-level isolation. It is that AWS is exposing a managed way to create, pause, resume, and retire those environments without asking every product team to become a virtualization platform team.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;Lambda MicroVMs add a serverless compute primitive inside the Lambda family for running code in isolated, stateful execution environments. The source article describes several important properties:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;each session can run in its own Firecracker-backed MicroVM,&lt;/li&gt;
&lt;li&gt;environments can launch and resume from pre-initialized snapshots,&lt;/li&gt;
&lt;li&gt;memory, disk, and running process state can survive during the session,&lt;/li&gt;
&lt;li&gt;idle environments can be suspended by policy,&lt;/li&gt;
&lt;li&gt;applications get a dedicated endpoint and short-lived request authentication.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That combination matters for applications that cannot fit cleanly into stateless request-response functions. A code interpreter, browser automation sandbox, vulnerability scanner, AI coding assistant, data notebook, or game scripting environment often needs process state and filesystem state between interactions.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;The old decision tree was uncomfortable. Virtual machines gave strong isolation but slow startup and more operations. Containers started quickly but shared a kernel, which raises the bar for safely running untrusted code. Lambda functions were operationally simple but not designed for long-running interactive state.&lt;/p&gt;
&lt;p&gt;Lambda MicroVMs create a new middle path. For builders, the design conversation becomes more precise:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Use Lambda functions for event handlers and short stateless tasks.&lt;/li&gt;
&lt;li&gt;Use containers when you need packaging flexibility and can manage isolation risk.&lt;/li&gt;
&lt;li&gt;Use Lambda MicroVMs when each tenant, user, or agent run needs a dedicated stateful sandbox.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is especially relevant for AI systems. As more applications let agents write code, execute tools, inspect repositories, or process customer files, isolation becomes part of the product boundary. A prompt injection bug should not become a cross-tenant file access bug.&lt;/p&gt;
&lt;h2 id="the-trade-offs-are-still-real"&gt;The trade-offs are still real&lt;/h2&gt;
&lt;p&gt;MicroVMs reduce a lot of infrastructure work, but they do not remove architecture responsibility.&lt;/p&gt;
&lt;p&gt;First, lifecycle policy becomes a cost control. If idle sessions stay warm too long, the bill can drift. If they suspend too aggressively, users feel resume latency. Teams should treat idle duration as a product setting, not a default copied from a sample.&lt;/p&gt;
&lt;p&gt;Second, snapshot-based startup changes how applications initialize. Code that generates unique state, opens long-lived external connections, or assumes initialization happens once per user action needs careful review.&lt;/p&gt;
&lt;p&gt;Third, stateful sandboxes need cleanup rules. Temporary files, credentials, downloaded packages, generated artifacts, and logs can accumulate. Builders should define what survives during a session, what is exported, and what is destroyed.&lt;/p&gt;
&lt;p&gt;Finally, security does not stop at VM boundaries. The execution role, outbound network policy, source artifact pipeline, token handling, and tenant mapping are still part of the isolation story.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;I would start with workloads where the current workaround is obviously expensive: per-user EC2 sandboxes, over-hardened container runners, or Lambda workflows full of awkward &lt;code&gt;/tmp&lt;/code&gt; and rehydration logic.&lt;/p&gt;
&lt;p&gt;For a proof of concept, validate four things before celebrating:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Cold launch and resume behavior&lt;/strong&gt; with your real image size and dependencies.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Idle cost profile&lt;/strong&gt; for normal user behavior, not a synthetic benchmark.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tenant boundary tests&lt;/strong&gt; for filesystem, process, network, and IAM access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Failure cleanup&lt;/strong&gt; when a session crashes, times out, or is abandoned.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Lambda MicroVMs are not just another Lambda feature. They are AWS acknowledging that the next wave of serverless workloads includes interactive, stateful, sometimes untrusted execution. That is a useful primitive, as long as teams treat it as an isolation architecture rather than a shortcut around security design.&lt;/p&gt;</content:encoded></item><item><title>Lambda runtime upgrades need campaigns, not reminders</title><link>https://theawsblog.com/news/emiliano-montesdeoca/lambda-runtime-upgrades-aws-transform/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/lambda-runtime-upgrades-aws-transform/</guid><description>AWS Transform custom can help teams upgrade Lambda runtimes at scale, but the durable improvement is treating runtime changes as governed modernization campaigns.</description><content:encoded>&lt;p&gt;Lambda runtime upgrades are easy to postpone because the function still works today. Then a deprecation date becomes a support risk, a security exception, or a rushed platform campaign.&lt;/p&gt;
&lt;p&gt;The AWS Compute Blog post on &lt;a href="https://aws.amazon.com/blogs/compute/upgrading-lambda-function-runtimes-at-scale-with-aws-transform-custom/"&gt;upgrading Lambda function runtimes at scale with AWS Transform custom&lt;/a&gt; is useful because it treats runtime upgrades as a repeatable modernization workflow, not a calendar reminder.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;AWS Transform custom can analyze codebases, identify runtime upgrade risk, apply transformations, update dependencies or configuration, and validate against exit criteria. The source article focuses on Lambda runtime upgrades, including cases where code changes are required, such as moving callback-style Node.js handlers toward async patterns.&lt;/p&gt;
&lt;p&gt;For platform teams, the more important piece is campaign management. A large organization rarely has one repository and one owner. It has hundreds of functions across many accounts, teams, IaC stacks, and CI/CD systems.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Runtime upgrades fail when ownership is unclear.&lt;/p&gt;
&lt;p&gt;An application team may not know a function exists. A platform team may see the deprecated runtime but not understand the deployment path. Security may see the exposure but not own the code. The result is a spreadsheet-driven migration with too many manual exceptions.&lt;/p&gt;
&lt;p&gt;A transformation tool can help, but only if it plugs into an operating model:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;inventory functions and repositories,&lt;/li&gt;
&lt;li&gt;map functions to owners,&lt;/li&gt;
&lt;li&gt;assess code and dependency risk,&lt;/li&gt;
&lt;li&gt;create pull requests or transformation branches,&lt;/li&gt;
&lt;li&gt;validate with tests and alarms,&lt;/li&gt;
&lt;li&gt;deploy with safe rollout and rollback,&lt;/li&gt;
&lt;li&gt;track completion centrally.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That is a campaign, not a one-off task.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Automated transformation is not a substitute for test coverage. It increases the value of tests because it can make changes faster than humans can manually review every edge case.&lt;/p&gt;
&lt;p&gt;Before trusting a runtime upgrade, teams should check:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;unit and integration tests for handler behavior,&lt;/li&gt;
&lt;li&gt;dependency compatibility with the target runtime,&lt;/li&gt;
&lt;li&gt;infrastructure definitions that set the runtime,&lt;/li&gt;
&lt;li&gt;packaging and build pipeline changes,&lt;/li&gt;
&lt;li&gt;observability after deployment,&lt;/li&gt;
&lt;li&gt;alias or version-based rollback strategy.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For platform teams, the other trade-off is centralization. Pushing changes across many repositories can be efficient, but service owners still need to understand and approve behavior changes. The best model is usually centralized orchestration with distributed ownership.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Start with inventory. Use AWS Config, Trusted Advisor, CLI scripts, tags, or deployment metadata to find functions approaching deprecation. Then group them by owner, runtime, business criticality, and test readiness.&lt;/p&gt;
&lt;p&gt;For low-risk functions with good tests, an automated transform can move quickly. For high-risk functions with poor tests, the first transformation should probably add documentation, tests, or alarms before changing the runtime.&lt;/p&gt;
&lt;p&gt;The lesson from this AWS post is broader than Lambda. Modernization work becomes manageable when it is continuous, visible, and validated. If runtime upgrades are still handled as emergency cleanup, the tooling can help, but the process needs upgrading too.&lt;/p&gt;</content:encoded></item><item><title>Before downsizing EC2, simulate the EBS burst budget</title><link>https://theawsblog.com/news/emiliano-montesdeoca/ec2-ebs-burst-credits-downsizing/</link><pubDate>Wed, 17 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/ec2-ebs-burst-credits-downsizing/</guid><description>AWS shows how to simulate EBS burst credits before downsizing EC2 instances, a practical cost-optimization step that avoids turning compute savings into storage throttling.</description><content:encoded>&lt;p&gt;Rightsizing EC2 usually starts with CPU and memory. That is necessary, but it is not enough.&lt;/p&gt;
&lt;p&gt;The AWS Compute Blog post on &lt;a href="https://aws.amazon.com/blogs/compute/simulating-amazon-ec2-ebs-burst-credits-before-downsizing-an-instance/"&gt;simulating Amazon EC2 EBS burst credits before downsizing an instance&lt;/a&gt; is a good reminder that storage performance can be the hidden reason a &amp;ldquo;safe&amp;rdquo; downsize becomes a production incident.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;The article walks through a simulation approach for burstable EBS-optimized instance performance. Instead of looking only at average utilization, it pulls EBS read and write metrics from CloudWatch, compares them with the baseline and burst ceiling of a target instance type, and simulates whether IOPS or throughput credits would run out after downsizing.&lt;/p&gt;
&lt;p&gt;The important metrics include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;EBS read and write bytes,&lt;/li&gt;
&lt;li&gt;EBS read and write operations,&lt;/li&gt;
&lt;li&gt;EBS I/O and byte balance percentages,&lt;/li&gt;
&lt;li&gt;instance EBS IOPS and throughput exceeded checks.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The outcome is more useful than a simple utilization chart: it tells you whether the target instance can absorb the actual I/O pattern without draining credits and throttling.&lt;/p&gt;
&lt;h2 id="why-builders-should-care"&gt;Why builders should care&lt;/h2&gt;
&lt;p&gt;Cost optimization often fails when it optimizes one dimension in isolation. A smaller instance can look perfect from a CPU perspective but have lower EBS baseline performance. If the workload depends on burst credits during business hours, the downsize may save compute cost while increasing latency, queue depth, or database wait time.&lt;/p&gt;
&lt;p&gt;This matters especially for databases, analytics workers, search nodes, and file-heavy applications. It also matters when downsizing reduces memory. Less memory can mean less cache, which can increase disk I/O after the move.&lt;/p&gt;
&lt;p&gt;The practical lesson: do not approve a downsize until the storage path has been modeled.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;The simulation described by AWS is intentionally conservative when using maximum statistics over five-minute periods. That is useful for safety, but it can overstate credit drain. If the conservative simulation passes, confidence is high. If it fails, the answer is not automatically &amp;ldquo;do nothing.&amp;rdquo; It may mean you need higher-resolution data, a different target instance, gp3 tuning, or application-level changes.&lt;/p&gt;
&lt;p&gt;Also, burst credits are not a performance strategy. They are a buffer. If normal business traffic depends on sustained bursting, the workload is under-provisioned for its real behavior.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;For each EC2 rightsizing candidate, add a storage check to the decision process:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Pull at least two weeks of CloudWatch EBS metrics, four if the workload has monthly cycles.&lt;/li&gt;
&lt;li&gt;Check whether the current instance already hits EBS exceeded metrics.&lt;/li&gt;
&lt;li&gt;Compare peak and sustained I/O against the target instance baseline and burst ceiling.&lt;/li&gt;
&lt;li&gt;Simulate credit balance for both IOPS and throughput.&lt;/li&gt;
&lt;li&gt;Monitor &lt;code&gt;EBSByteBalance%&lt;/code&gt;, &lt;code&gt;EBSIOBalance%&lt;/code&gt;, and exceeded checks after the change.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This is the kind of small operational habit that prevents cost work from damaging reliability. A good rightsizing recommendation should say not only &amp;ldquo;CPU is low,&amp;rdquo; but also &amp;ldquo;storage credits survive the target shape.&amp;rdquo;&lt;/p&gt;</content:encoded></item><item><title>Emiliano Montesdeoca</title><link>https://theawsblog.com/authors/emiliano-montesdeoca/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://theawsblog.com/authors/emiliano-montesdeoca/</guid><description/><content:encoded/></item></channel></rss>