[Last Week in AWS] Issue #471: AI-Native Foundations and the CVEs That Love Them
Last Week in AWS

Friday, May 8, 2026

Good Morning!

If you (well, not you, but probably the saddest looking person on your finance team) are tracking commitments in spreadsheets and hoping your discount strategy still makes sense, you're not alone. Most teams are cobbling together strategies/tools that weren't designed for the scale and complexity of modern cloud environments. That's why we're building Skyway over at Duckbill—to take you away from all that. Now the exclusive sponsor of Last Week in AWS, and also the company I co-founded. Cloud contract issues? Get in touch.

Things I Found on the Internet

Anthropic patched it this month, but the writeup of Claude's magic refusal string is worth your time anyway. A documented QA helper became a denial-of-service vector the moment it landed in untrusted RAG context. Nick Frichette's archived post is a tidy lesson in how legitimate testing tools become attacker primitives.


Only AWS could launch something called Humorphism that is in no way funny.


Brooke Jamieson cuts through the Trainium hype with the question most developers are actually asking: what *is* this chip? Their breakdown of the three design decisions (cores, memory, communication) explains the shape of the hardware without drowning you in marketing. Useful context now that OpenAI and Anthropic are committing gigawatts of the stuff.


Distributed inference across heterogeneous GPUs sounds like the kind of thing that shouldn't work, yet the folks at Tandemn are making a credible run at it. Worth a read if you've ever priced an H100 cluster and felt your soul leave your body.

Multi-region architecture stops being a theoretical exercise the moment an entire region goes dark for months. Reuters has the timeline on the UAE situation, and anyone running production workloads in me-central-1 should probably read it before their next status meeting. Disaster recovery plans tend to look very different at month three.

I wrote about AWS's eleventh-ish attempt to enter the applications business, including a tour of the graveyard that preceded it. Quick Suite is arguably the fourth rebrand in eighteen months, Sam Altman phoned in his own partnership announcement from what looked like a court parking lot, and existing Connect customers got renamed without warning.

Wear a Bee during the keynote, double-press to bookmark moments that matter, then let a Strands Agent cross-reference everything against the AWS Knowledge MCP Server. Brooke Jamieson's clever re:Invent note-taker spits out markdown with docs links, regional availability, and a prioritized reading list. The future of keynote survival, basically.

What AWS Has For Us This Time

Announcing Agent Toolkit for AWS — help AI coding agents build effectively on AWS

The MCP servers from AWS Labs lasted what, eighteen months before getting a rebrand? Your AI agents were burning tokens improvising CloudFormation from 2023 knowledge, and now they can burn tokens following 40 validated skills instead. Free to use, except for the AWS resources your overconfident agent decides to provision at 3 AM. And I still have to slap the Secrets Manager out of its hand in favor of Parameter Store: same security guarantees, no 40¢ per secret per month malevolent clown pricing.


Amazon CloudFront Announces WebSocket Support for VPC Origins

Real-time apps in private subnets without the ACL gymnastics? Cool, useful, and somehow not an additional line item on your bill. I had to read that last part twice to make sure I wasn't hallucinating. Ops teams who've been duct-taping public subnet workarounds for years finally catch a break.


Amazon EventBridge supports data plane logging to AWS CloudTrail

Only took until 2026 for EventBridge to log PutEvents calls to CloudTrail, the API that's literally the entire point of EventBridge. Auditors who've been squinting at this blind spot for years get to preserve what's left of their eyesight. Bonus: CloudTrail data events bill by the request, so visibility comes with a delightful little surcharge.


AWS IAM now provides higher maximum quotas for roles, role trust policies, instance profiles, managed policies, and identity providers

Doubling your IAM role limit to 10,000 isn't a feature, it's a cry for help. If you need more than 5,000 roles, the problem isn't AWS quotas, it's that your access strategy was clearly designed by interns playing Calvinball. Congrats on the headroom to make worse decisions, faster.

AWS Marketplace now supports programmatic procurement with Agreements API

Procurement teams can now spend money on AWS Marketplace without clicking through a single console screen. Progress! Your monthly burn rate can now be automated by the same intern who wrote the Terraform module nobody reviews. Available only in us-east-1, because procurement keeps east coast business hours.


Modernize your workflows: Amazon WorkSpaces now gives AI agents their own desktop (preview)

Your AI agent now needs its own WorkSpace, billed presumably at the same rate as the human it's replacing. The irony is that we're paying full desktop licensing for bots to click through legacy apps because nobody wanted to fund that mainframe modernization project. Somewhere, a CFO is weeping. The CFO is always weeping. It's part of their interview process: weeping.


The AWS MCP Server is now generally available

Giving an AI agent IAM credentials and 15,000+ API operations. What could possibly go wrong? The "sandbox with no network access" is doing Atlas-level load-bearing work in that sentence. Still, separating human and agent permissions via SCPs is the rare grown-up touch in an industry currently speedrunning new ways to bankrupt itself via runaway token loops.

Announcing Valkey 9.0 for Amazon ElastiCache

Redis got greedy, the community got Valkey, and AWS got to stop contributing code to the folks who bought a community while looking like open-source heroes. Now version 9.0 bolts full-text search into your cache so you can retire that separate search cluster. Your bill won't shrink, mind you; it'll just consolidate into a more impressive single line item.


Query billion-scale vectors with SQL: Integrating Amazon S3 Vectors and Aurora PostgreSQL

Three services, one Lambda duct-taped between them, and a CloudFormation template to hide the shame. You're trading ACID guarantees for "billion-scale," which is AWS-speak for "we sure hope you like reconciling orphaned vector IDs at 3 AM." The architecture diagram alone could qualify as modern art. Your bill will have opinions.


You Wanted to Become AI-Native, and All You Got Was a Lousy Foundation

That's a really, really mean thing to say about the CNCF.


Agents that transact: Introducing Amazon Bedrock AgentCore Payments, built with Coinbase and Stripe

This is why I find myself using Stwipe.com instead: payments for toddlers. Letting AI agents move real money autonomously: what could possibly go wrong? Somewhere, a fraud team just stress-vomited into a wastebasket. The pitch is "fractions of a cent per call, billed in real time," which is also how I'd describe my therapy bills after auditing the resulting CloudWatch logs.


CVE-2026-7461 - OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials

Five years of this bug lurking in the ECS agent for Windows, just waiting for someone to craft credentials creative enough to score SYSTEM privileges. The silver lining? If you're running ECS on Windows EC2, this vulnerability is probably the least of your operational concerns. Patch to 1.103.0 and resume your regularly scheduled suffering.


CVE-2026-7791 - Local Privilege Escalation via TOCTOU Race Condition in Amazon WorkSpaces Skylight Agent

Race conditions in a log archival routine, of all places, will let any random WorkSpaces user become SYSTEM. Patch to 2.6.2034.0 and contemplate the cosmic irony that the service watching over your workstation's health was itself the patient zero. Shoutout to Cymulate for finding what Amazon's fuzzers apparently couldn't.


CVE-2026-31431

A kernel privilege escalation bug affecting roughly every Amazon Linux variant ever shipped, plus Bottlerocket, ECS, EKS, EMR, Fargate, and DLAMIs. The patch rollout schedule stretches into late May, which is a fun way of saying "good luck out there." SageMaker's status remains "we'll get back to you," which inspires zero confidence.

... and that’s what happened Last Week in AWS. If you’ve enjoyed reading this, tell everyone you know to subscribe at lastweekinaws.com.

As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply or join the #lwia-publications channel on the LWIA Slack team.

You have questions? We have coffee! Drop by my employer’s weekly FinOps office hours, every Thursday at 10:00a PT. Often fun, always free. Register here.

Corey Quinn

I'm Corey Quinn

I help companies improve their horrifying AWS bills by making them smaller and less horrifying. I also host two podcasts—check them out at lastweekinaws.com.


Get Some Swag

That’s right folks, we’ve got awesome swag. All of our swag features everyone’s favorite mascot, Billie The Platypus. Get yours here.