[Last Week in AWS] Issue #475: OpenAI on Bedrock and Other Strange Bedfellows
Last Week in AWS

Monday, June 8, 2026

Good Morning!

This week has me in San Diego and LA. Next week has me in New York. The week after has me in Chicago and keynoting the AWS Community Day Midwest in Indianapolis, which you should attend.

Things I Found on the Internet

Last week I spaced and forgot that AWS will automatically migrate your gp2 volumes to gp3 via Compute Optimizer, so why on God's flat earth did they post a "solution" that requires Lambdas, Step Functions, and doing all of this by hand instead of clicking a button? Y'know, I sometimes joke that half of my job is "introducing Amazonians to one another," but in this case I'm starting to wonder if it's less a joke than I thought...


A debugging story with a twist: reducing the cache size caused 270 SIGKILLs, and the memory metric everyone trusts is a high-water mark that never resets. AWS even confirmed it in a ticket. If you run anything on Lambda, this ONNX memory autopsy will save you a panic.

AWS marking its own 20-year homework, complete with the line about eliminating data transfer fees for customers who leave. I've spent years yelling about egress charges, so seeing them frame the partial retreat as freedom is something. Still, the official origin story is worth a read for the framing alone.

"Successful" from the EKS API means the configuration was accepted, not that CoreDNS will survive it. Kannan's postmortem on a schema-valid Corefile that sat quietly for two days before a node upgrade detonated it is the kind of war story that'll change how you validate add-on configs.


I wrote about AWS reportedly bolting Grok into Bedrock despite enterprise buyers reacting to the idea like you'd just offered them a timeshare. The model underperforms, the org chart reorganizes weekly, and Bedrock's whole pitch is governance. Pick any two of those problems and you've already got a bad deal.

Random graph networking has been an academic curiosity since 2012, and AWS apparently spent the last two years turning it into production hardware with something called a ShuffleBox. The paper behind RNG is worth your time, especially the part where they explicitly say this isn't about AI training. Refreshing! Note, the Wired story doesn't do a super great job of explaining the nuances, so you're gonna want to review the paper itself.


I gave a fwd:CloudSec talk last week about the AWS Marketplace: Paying More For Worse Security. Take a look; if you've got sketchy vendors in the AWS Marketplace section of your bill, maybe ping your account team about that and ask why AWS didn't find it worth notifying customers about the various times I've raised it with them? Some folks already have, and it's glorious. Send me a (redacted) screenshot if you'd like, for my trophy wall.

What AWS Has For Us This Time

AWS Interconnect - multicloud now offers a free 500 Mbps tier -

I want to see what the other side charges but this may be a way to break, or at least end-run around, the usurious AWS egress data transfer fees.


Oracle Database@AWS is now available in twenty AWS Regions -

The Larry Ellison expansion tour continues, now playing Zurich, Milan, and Melbourne. Eight more regions where you can experience the unique thrill of paying Oracle licensing fees AND AWS infrastructure costs simultaneously, with a private marketplace offer that probably requires a notarized blood sample. Your procurement team's screams can be heard in twenty time zones now.


Amazon Cognito now supports multi-Region replication -

Surviving a regional outage without locking every user out of their own login screen used to be a fun interview homework assignment. Now it's an "add-on," available only if you've already upgraded to the Essentials or Plus tiers. This is unfortunately the kind of thing people will discover they need right after they really, really could have used it.


Amazon EKS and Amazon EKS Distro now supports Kubernetes version 1.36 -

Version 1.36 lands, which means your perfectly stable 1.32 clusters are now staring down the extended-support tax like it's a parking meter that only takes bars of platinum. User Namespaces hitting GA is nice, but I still can't get past the upgrade treadmill that never stops billing you for standing still.


Amazon SES now supports tenant-level suppression lists -

So! You'd think I'd have known this already, but it turns out that for years, one customer's spam complaints could quietly torch deliverability for every other tenant sharing your account. A delightful surprise customers got to discover during an outage post-mortem. Now SES lets each tenant fail independently, which is the closest thing to progress the "Simple" Email Service has managed lately.


AWS Compute Optimizer now supports 32-day lookback for EBS volume and ECS service rightsizing recommendations -

Thirty-two days, so the tool can finally notice your month-end batch job before recommending you starve it. A calendar month has 30 or 31 days, but 32 gives you wiggle room, which is more foresight than the default 14-day window ever showed. Free, at least, which suggests that someone with a P&L lost an argument.


AWS Cost and Usage Report 2.0 now supports Athena and Redshift integration -

Two and a half years after CUR 2.0 launched, it finally does what CUR 1.0 already did. They're calling this "feature parity," which is corporate for "we shipped the new thing before it could replace the old thing." Querying your cost data with SQL now requires zero ETL and only mild existential dread.


Amazon ElastiCache for Valkey now supports durability -

Once again I am begging you to not confuse "cache" with "primary data store." Once again, you will ignore me, as some lessons can only be learned and internalized via SLA breaches.


Understanding how backups work in Amazon Aurora -

A whole blog post explaining why your backup bill keeps jumping around. The short version: change more data, pay more, and the math lives at the storage layer where you can't see it. Free up to 100% of storage, then the meter spins. Bookmark this before your CFO asks, but it's still inscrutable.


OpenAI models and Codex on Amazon Bedrock are now generally available -

There's now a second model provider available on Bedrock; previously it was just for Anthropic. "Hey, that's not true!" some Amazon PM is about to exclaim—but if they're right, why does logging into Bedrock, on a new account, greet me with a banner about Anthropic KYC requirements?


How Bedrock Streaming optimizes its AWS costs -

A streaming company named Bedrock that has nothing to do with the AWS service named Bedrock optimizing its bill. The branding collision alone deserves hazard pay. Running 100% Spot for Kubernetes is impressively daring work, but watching them write a custom termination handler to survive AWS's two-minute eviction notice makes me question the decision's durability.


From Monolith to Multi-Account: Pinterest’s AWS Organization Transformation Journey -

Pinterest ran exabytes of data in a single AWS account until 2022, which explains why their DescribeInstances calls were basically a prayer. It turns out that the multi-account structure AWS has recommended since roughly the Obama administration has its merits, but migrations are hard. A solid blueprint, assuming you enjoy paying technical debt with compound interest.


Gain visibility into DDoS attacks with flow logs in AWS Shield Advanced -

Shield Advanced runs you three grand a month on a one-year commitment, and only now do you get flow logs showing who's actually attacking you. Bonus: the logs land in S3, CloudWatch, or Firehose, so you'll pay again to store and query the receipts. And it's EIP-only at launch. Visibility, now sold separately.


Identify unused AWS KMS keys and prevent accidental key deletions -

Now "kms" is Gen-Z slang for talking about suicide, and should not be confused with the AWS KMS service, which makes me want to kill myself. For years, finding a key's last usage meant Athena queries against CloudTrail logs that cost more than the keys protected. Now there's an API. The catch: tracking only started April 23, so any key untouched since looks dead but might not be. Good luck!


CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths -

Turns out the agentic IDE was a little too agentic, happily writing to tasks.json so opening a folder runs whatever a stranger told it to. No workaround, just upgrade to 0.11 and pray. Letting AI write files anywhere it pleases: what could possibly go wrong?


CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer -

"Under certain circumstances" is kissing cousins with a lie, since the circumstance is "the cert wasn't there." Graph Explorer noticed and shrugged your sensitive data onto cleartext HTTP instead of, say, complaining. Patch to 3.0.1, or enjoy explaining to your CISO why "encrypted" was more of a vibe than a setting.

... and that’s what happened Last Week in AWS. If you’ve enjoyed reading this, tell everyone you know to subscribe at lastweekinaws.com.

As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply or join the #lwia-publications channel on the LWIA Slack team.

You have questions? We have coffee! Drop by my employer’s weekly FinOps office hours, every Thursday at 10:00a PT. Often fun, always free. Register here.

Corey Quinn

I'm Corey Quinn

I help companies improve their horrifying AWS bills by making them smaller and less horrifying. I also host two podcasts—check them out at lastweekinaws.com.
