[Last Week in AWS] Issue #463: Beanstalk AI: The Resurrection Nobody Asked For
Last Week in AWS

Friday, March 13, 2026

Good Morning!

I made it back alive from 60 miles of the Appalachian Trail, and now I'm stuffing the last two weeks into this issue, so enjoy the double dose of snark.

But first...

If you (well, not you, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you're not alone. Most teams are cobbling together strategies/tools that weren't designed for the scale and complexity of modern cloud environments. That's why we're building Skyway over at Duckbill—to take you away from all that. Now the exclusive sponsor of Last Week in AWS, and also the company I co-founded. Cloud contract issues? Get in touch.

Things I Found on the Internet

2,430 prompts, zero tool suggestions in the prompt, and Claude Code still picks Stripe 91% of the time but hand-rolls its own feature flags. This benchmark research on what Claude Code actually recommends when left to its own devices has real implications for every developer tool company's distribution strategy.


Washington's Department of Licensing deployed Amazon Polly for their Spanish phone line and somehow ended up with an AI speaking English in a Spanish accent. Callers pressing 2 for Spanish got "Your estimated wait time is less than *tres* minutes." The full story reads like a Parks and Rec cold open, except it's real government infrastructure.


We've all silently seethed about this. Ars Technica's deep-dive into public speakerphone culture treats a universal pet peeve with genuine curiosity, tracing it from pandemic isolation habits to transit agencies literally posting signs begging people to stop. The threshold between "pet peeve" and "journalism topic" turns out to be a SEPTA placard.


It seems like every S3 bucket I've ever audited has at least one of these problems. Orphaned multipart uploads silently racking up charges, old versions nobody remembers enabling. This rundown of S3 paper cuts pairs each gotcha with the Terraform lifecycle rule that fixes it. Practical, specific, and worth bookmarking.


I got to sit down with Ed Zitron on Better Offline to talk about the actual realities of LLMs and the beautiful chaos that is AWS. Ed asks good questions and doesn't let you get away with hand-waving. It was a fun conversation.


The mainframe comparison isn't new, but John Collins does a nice job walking through the full historical arc and landing on the real concern: blast radius. If you've lived through a us-east-1 outage, this episode will feel uncomfortably familiar. Worth the listen.


A company whose entire business is aggregating data on everyone got popped through an unpatched React app with a single ECS task role that had read access to every secret in the account. LexisNexis confirmed the breach after hackers leaked 2GB of stolen files. Second breach in two years, by the way.

What AWS Has For Us This Time

Amazon CloudWatch Logs announces increased query concurrency and API limits - I'm of two minds here. On the one hand, tripling CloudWatch Logs query concurrency from 30 to 100 is the kind of limit increase that quietly admits the old limits were absurdly low. You were getting throttled trying to debug your own infrastructure. That's like a hospital charging you a convenience fee to read your own chart, which they absolutely do. On the other paw, how the hell many simultaneous queries are you people running?


Introducing Amazon Connect Health, Agentic AI Built for Healthcare - Five AI agents for healthcare, HIPAA-eligible, ready to deploy "in days, not months." I give it six months before a hospital's ambient documentation agent hallucinates a diagnosis into someone's clinical notes. But sure, let's have AI auto-generate medical billing codes. That system definitely needed less human oversight than, say, Amazon's own retail site.


Amazon Route 53 Global Resolver is now generally available - Route 53 now has a globally available anycast DNS resolver that filters malicious domains and blocks DNS tunneling. Great, so DNS security is a premium add-on now. Enjoy your 30-day free trial before discovering what "per query" pricing does to your budget when every device on your network makes thousands of DNS lookups daily.


AWS simplifies IAM role creation and setup in service workflows - Twelve services in one region get an inline panel so you don't have to open a second browser tab. That's the innovation bar now. Though honestly, after years of playing "hunt the IAM console in another tab," I'll take it. Now then: how long until this panel introduces its own permissions to manage?


Database Savings Plans now supports Amazon OpenSearch Service and Amazon Neptune Analytics - Nobody knows what the hell they need a giraffe database for, but by god you can now commit to using them under the omnibus Database Savings Plan. Good for them!


AWS Elastic Beanstalk now offers AI-powered environment analysis - Elastic Beanstalk is still alive, which is itself the surprise here. Now it ships your logs to Bedrock when things catch fire, so AI can tell you what went wrong. How long before someone accidentally sends sensitive production logs through this and discovers a fun new compliance problem?


AWS Elastic Beanstalk launches Deployments tab with in-progress deployment logs - And wow, who let the Beanstalk team out of their cage? Elastic Beanstalk now lets you watch your deployments fail in real time instead of piecing together the wreckage after the fact. Previously you had to wait for everything to finish before you could even see logs, which is like only getting the black box recording after the plane lands. In a corn field. Yes, that's how black boxes work. Shut up.


Multi-party approval now supports approval team baselining - So you can now send test approvals to make sure your approval team is still alive and responsive. It's a "ping" command with enterprise characteristics. AWS recommends running this every 90 days, which feels like a polite way of saying "your approvers ghosted and nobody noticed for a quarter." This is a feature designed for environments that are absolute corporate hell.


AWS announces pricing for VPC Encryption Controls - Nothing says "we value your security" like letting you encrypt for free during preview and then flipping the meter on. Per-VPC hourly charges for the privilege of knowing your traffic is encrypted. Every non-empty VPC. In every region. Your CFO's eye is already twitching.


The Hidden Price Tag: Uncovering Hidden Costs in Cloud Architectures with the AWS Well-Architected Framework - Love that AWS published a blog about "hidden costs" in cloud architectures as if they aren't the ones hiding them. It's like a locksmith writing a pamphlet about break-ins. The post basically says "use our Well-Architected Framework or suffer," which is solid advice wrapped in the world's longest vendor pitch.


Introducing account regional namespaces for Amazon S3 general purpose buckets - For 18 years, S3 bucket names existed in a single global namespace, meaning someone could squat on your preferred name forever. Now you can scope buckets to your account and region, at the low cost of appending a 25-character suffix to every bucket name. "Simple" Storage Service strikes again, a decade and a half after people wanted something like this.


Introducing OpenClaw on Amazon Lightsail to run your autonomous private AI agents - Lightsail finally found a reason to exist: running an open-source AI agent that connects to your WhatsApp and manages your emails. The setup requires SSH pairing, CloudShell scripts, and IAM role configuration. "No additional configuration required," they say. I count at least three additional configurations. If you can get this running, you may not need to get this running; Claude Code is right there.


Kinesis On-demand Advantage saves 60%+ on streaming costs - Saving 60% sounds incredible until you notice the minimum commitment of $100/day, which means you're spending $36,500/year before you stream a single byte. It's the Costco model: great savings, as long as you were already buying in bulk. Your small Kinesis streams can go pound sand.


Announcing the end-of-support for the AWS Copilot CLI - Pouring one out for Copilot CLI, which simplified ECS deployments so well that AWS killed it and told everyone to migrate to CDK L3 constructs or ECS Express Mode instead. Nothing says "we appreciate your loyalty" like a sunset blog post with homework assignments due by June. Remember, if you trust a fringe AWS product, it's increasingly looking like a gamble.


Announcing new output formats in AWS CLI v2 - It only took until 2026 for the CLI to stop hiding useful error details behind `--debug`. The new `--output off` format is honestly perfect for anyone who's been piping to `/dev/null` like a barbarian. Sometimes the best feature is the one that should've existed a decade ago.


AWS SDK for .NET V3 Maintenance Mode Announcement - Putting the .NET V3 SDK into maintenance mode is AWS's gentle way of saying "we're not breaking up with you, we just need space." Translation: stop filing feature requests, start planning your migration, and prepare to explain to management why your perfectly working code needs rewriting. Again. You're caught between Amazon and Microsoft playing a game of Tug-of-War, and you're the rope.


Upgrade AWS CLI from v1 to v2 using upgrade debug mode - CLI v1 to v2 migration has been a minefield for so long that AWS finally built a metal detector. Set an environment variable, run your commands, and pray the warnings are manageable. Only took them years to ship this. Your bash scripts written in 2017 send their regards.


Automate AWS Lambda Runtime Upgrades with AWS Transform custom - Imagine spending 20-30% of your engineering effort manually upgrading Lambda runtimes when you could instead spend that time learning a new AI tool that does it for you, poorly, and then fixing what it broke. AWS Transform custom: because technical debt needs its own technical debt. As a bonus, a quick look at the Transform pricing page indicates it will also incur actual debt.


Standardizing construct properties with AWS CDK Property Injection - Enforcing consistent CDK properties across an org is a legitimately painful problem, so naturally it took until v2.196.0 for AWS to ship something that isn't "just write a custom construct library and refactor everything." Property Injection is a good idea arriving fashionably late to a compliance fire that's been burning for years.


AWS Load Balancer Controller adds general availability support for Kubernetes Gateway API - Kubernetes Gateway API support hitting GA means you can finally stop plastering vendor-specific annotations all over your Ingress manifests like bumper stickers on a college laptop. Of course, you'll now need to learn three new resource types instead of one, because Kubernetes believes complexity is a love language.


AWS European Sovereign Cloud achieves first compliance milestone: SOC 2 and C5 reports plus seven ISO certifications - Nine compliance certifications for a sovereign cloud that's been GA for two months. That's less "earning trust" and more "speedrunning the European bureaucracy boss level." Still, if you're a German government agency eyeing AWS, this is the permission slip your procurement team has been waiting for.


AWS Security Hub is expanding to unify security operations across multicloud environments - Turns out "unified security" now means "we'd like to be your single pane of glass for clouds we've spent years trash-talking." Security Hub absorbing multicloud is AWS admitting customers actually use Azure and GCP. The partner marketplace with pay-as-you-go pricing is clever though - nothing locks in customers like consolidated billing.


Enhanced access denied error messages with policy ARNs - Telling you *which* policy denied your request is genuinely useful, and it only took five years after telling you the policy *type*. At this pace, by 2030 the error message might actually suggest how to fix it. Baby steps toward not making IAM troubleshooting a full-contact sport.


Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338) - Three CVEs in AWS-LC, their open-source crypto library, including a certificate chain validation bypass and a timing side-channel. The function literally called "verify" wasn't verifying. No workarounds for two of the three. Patch to v1.69.0 immediately, or enjoy explaining to auditors why your cryptography was decorative.


MariaDB Server Audit Plugin Comment Handling Bypass - Turns out prefixing your SQL with a comment character made it invisible to the audit plugin. That's not a bug, that's a cheat code. "How do we bypass database auditing?" "Have you tried a hyphen?" Patches are out for RDS and Aurora, no workarounds exist, so go upgrade before your auditors find out.

... and that’s what happened Last Week in AWS. If you’ve enjoyed reading this, tell everyone you know to subscribe at lastweekinaws.com.

As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply or join the #lwia-publications channel on the LWIA Slack team.

You have questions? We have coffee! Drop by my employer’s weekly FinOps office hours, every Thursday at 10:00a PT. Often fun, always free. Register here.

Corey Quinn

I'm Corey Quinn

I help companies improve their horrifying AWS bills by making them smaller and less horrifying. I also host two podcasts—check them out at lastweekinaws.com.
