This week's issue is sponsored by Stwipe.com, my own implementation of infrastructure payments for toddlers. My personal favorite part is how the juice box drains as you scroll. No, the product isn't real, but that likely won't stop it from raising a giant pile of money based on vibes.
Things I Found on the Internet
Real data on what AWS practitioners actually love and hate. SNS takes the crown again, Beanstalk gets the boot, and the under-25 crowd apparently isn't picking AWS at all. The 2026 Answers for AWS survey results from Peter Sankauskas are out, and the JSON is yours to slice up.
Aurora DSQL pricing has that special AWS quality where you read the docs three times and still aren't sure what you'll owe. Farid did the math so you don't have to, and this breakdown of DPU costs is the cheat sheet I wish AWS had published themselves.
Six hours, eight cents, and one uncomfortable finding: VPC mode without Route 53 Resolver DNS Firewall still leaks. This hands-on verification of the Unit 42 AgentCore disclosure also catches that PUBLIC and SANDBOX are distinct modes, despite every vendor writeup conflating them. Worth a read before you trust "isolated."
Mitchell Hashimoto's heartfelt breakup letter in announcing Ghostty's departure from GitHub is the rare goodbye post that's actually about something. 18 years of daily use, ended by Actions outages eating hours per day. If you've felt the platform decay too, this one will hit.
Hiding services from the console is the cloud equivalent of putting child locks on the liquor cabinet. It won't stop anyone determined to spin up SageMaker in us-west-2, but it might reduce the number of "what is this $400 charge" Slack messages by a comforting margin. IAM still does the actual work, obviously. I sure wish there was a good way to only list S3 buckets that a principal has access to, but maybe by 2035.
Hand-editing CloudWatch agent JSON has been a rite of passage for ops engineers since roughly the Bronze Age, so naturally AWS waited until 2026 to add a GUI. The good news: it's free. The bad news: every metric, log, and trace it makes easier to collect will absolutely not be.
Naming a supply chain AI product "Amazon Connect Decisions" when Amazon Connect is the contact center service? Bold move. Somewhere, a poor SA is explaining to a confused customer why their call center won't forecast inventory. Thirty years of Amazon operational science apparently didn't include "checking if the name was already taken, and if so, are they at least targeting the same buyer persona?"
Amazon, the company famous for its warm and humane hiring practices, would now like to sell you the AI that conducts your interviews. Beware; they don't mention the part where, if the candidate is sitting in any number of jurisdictions like New York City, use of an AI hiring tool requires disclaimers and work that the terms of service put squarely on you. How customer obsessed!
Two more entries in the EC2 alphabet soup, and AWS still can't decide if "in" means network or "I'm not sure." 600 Gbps of network bandwidth is impressive, though, assuming you have a workload that needs it and a budget that survives it. Pour one out for whoever maintains your instance type spreadsheet.
Opt-out AI is the new opt-in, apparently. The price-performance slider remains my favorite piece of AWS UI theater: drag it toward "cost" and watch your bill go up anyway, just more slowly. Lower entry at 8 RPU is useful, which I'm contractually obligated to mention before resuming skepticism.
Twenty years into AWS, and we're celebrating the revolutionary ability to click a button and get a CSV file. Truly, we live in an age of wonders. Now your FinOps team can email spreadsheets of ignored recommendations to executives who will also ignore them, but in Excel format. Progress!
Only took a decade for KMS to surface "when did anyone last touch this key" without a CloudTrail spelunking expedition. The condition key blocking deletion of recently-used keys is useful, which means somewhere in Seattle, a PM is being congratulated for inventing the concept of metadata. Your $1/month-per-key graveyard thanks you.
Both remaining Ruby developers will be thrilled. The runtime ships with structured JSON logs and configurable log levels, which is great if you enjoy paying CloudWatch Logs ingestion fees in increasingly granular formats. Support runs until 2029, by which point AWS will probably have invented Ruby 4.0 Express Edition Tiered Savings Plans.
Tagging cached objects so you can invalidate them in groups: a feature CDN competitors shipped roughly when dinosaurs roamed the earth. The catch? Each cache tag is priced as one path, so AWS found a way to monetize the convenience of not tracking individual URLs yourself. Innovation!
Pronouncing these instance names out loud sounds like a cry for help. "See-eight-eye-en-ee" rolls off the tongue right after you've given up on life. Network-optimized for firewalls and 5G UPF workloads, which is great if you're a telco, and confusing if you're literally anyone else.
Using your AWS bill as a security tool is peak cloud economics: the only system guaranteed to notice when something's wrong, because someone's getting charged for it. Your CUR detected the breach three weeks after it happened, but hey, at least the invoice was itemized. Security through accounting: truly we live in the future.
Remember Amazon Q Developer? The rebrand of CodeWhisperer? It's being sunset for Kiro, because nothing says "trust our roadmap" like killing your second AI coding tool in three years. Pour one out for the ops folks who just finished their procurement paperwork. The third time's the charm, surely.
The first two of... eleven? What the hell is going on? CVEs this week hit Ops Wheel. Turns out the tool your team uses to decide who runs standup also skipped verifying JWT signatures entirely. Anyone with the API Gateway URL could spin the wheel of tenant data deletion. Patch it, or at least hide it behind WAF before someone randomly selects your production database for termination. I love this tool so much.
Issues in tough library and tuftool CLI utility - Three CVEs in the library literally named "tough," which turns out to be less tough than advertised. The update framework needed an update. No workarounds exist, so upgrade to tough 0.22.0 and tuftool 0.15.0 before someone writes a CVE with your name attached to it.
Turns out the npm package literally named "static-eval" wasn't quite as static as advertised. Who could have foreseen that shipping a JavaScript expression evaluator into a Lambda fulfillment context might end poorly? Patch to 7.3.0, because there's no workaround, just the cold comfort that exploitation requires admin access you've presumably already overprovisioned.
CVE-2026-7424 - Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP - Integer underflow in a DHCPv6 parser, requiring a hardware reset to recover. Wonderful news for the IoT thermostat embedded in someone's drywall. The workaround is "just disable DHCPv6 and configure IPv6 by hand," which is the security equivalent of suggesting you walk to work because your car's brakes are recalled.
Issue with FreeRTOS-Plus-TCP - IPv6 Router Advertisement Memory Safety Issues - Two memory safety bugs in FreeRTOS-Plus-TCP's IPv6 Router Advertisement parser, exploitable by anyone on your local network with no auth required. The good news: there's a patch. The bad news: you have to find every embedded device running this stack and update it, which is to say, you'll be doing this until 2034.
... and that’s what happened Last Week in AWS. If you’ve enjoyed reading this, tell everyone you know to subscribe at lastweekinaws.com.