The Cloud Pod

334: AWS Makes Kubernetes Conversational

88 min
Dec 19, 2025
Summary

Episode 334 of The Cloud Pod covered AWS re:Invent 2025's major announcements, with hosts analyzing keynotes from Matt Garman, Swami Sivasubramanian, Peter DeSantis, and Werner Vogels. The episode focused on AI/ML innovations, infrastructure improvements, and new services across compute, storage, databases, security, and developer tools, while noting AWS's shift toward agentic AI and the reversal of CodeCommit deprecation.

Insights
  • AWS is doubling down on agentic AI capabilities across services, making AI orchestration a core platform feature rather than an add-on
  • Lambda managed instances bridge serverless and traditional EC2 by enabling GPU access and cost optimization through existing savings plans
  • AWS reversed CodeCommit deprecation due to customer demand, signaling willingness to reconsider strategic decisions when regulated industries and compliance-focused teams push back
  • Database savings plans now provide flexibility across engine types and deployment models, addressing a long-standing customer pain point
  • Infrastructure announcements were compressed into rapid-fire 10-minute segments, suggesting AWS prioritizes AI narrative over infrastructure depth in keynotes
Trends
  • Agentic AI becoming table stakes across cloud platforms with agent orchestration, autonomous workflows, and multi-step task automation
  • Serverless computing expanding beyond stateless functions to support long-running, durable workflows with checkpoint/replay mechanisms
  • Cost optimization shifting from reactive to proactive with AI-powered forecasting, anomaly detection, and automated resource right-sizing
  • Security automation moving from detection to prevention with AI-powered pen testing, policy generation, and threat correlation across infrastructure
  • Multi-cloud and hybrid cloud strategies requiring native tooling for data access (e.g., FSx for NetApp ONTAP S3 access points)
  • Compliance and regulatory requirements driving feature development in encryption, audit logging, and identity federation
  • Developer experience improvements through AI-assisted code generation, policy automation, and natural language interfaces to infrastructure
  • Infrastructure specialization with custom silicon (Graviton, Trainium, Inferentia) optimized for specific workloads
  • Observability consolidation with unified logging, flow analysis, and attack chain visualization across services
  • Support model transformation from reactive ticket-based to proactive AI-assisted with faster response times and lower costs
Topics
  • AWS Lambda Managed Instances and GPU Support
  • Lambda Durable Functions for Long-Running Workflows
  • Amazon Bedrock Agent Core and Agentic AI
  • Amazon Nova 2 and Nova Forge Foundational Models
  • EC2 Instance Types (X8, C8A, M9G with Graviton 5)
  • S3 Vectors and Vector Database Capabilities
  • RDS and Aurora Database Enhancements
  • Database Savings Plans
  • ECS Express Mode Simplified Deployment
  • AWS Security Agent and Automated Penetration Testing
  • GuardDuty Extended Threat Detection for EC2/ECS
  • VPC Encryption Control and Compliance
  • IAM Policy Autopilot Open Source Tool
  • CodeCommit Reversal and Continued Support
  • AWS Support Plan Restructuring with AI Enhancement
Companies
OpenAI
Mentioned as running on AWS EC2 Ultra servers; no partnership announced despite prediction
NVIDIA
Blackwell GPU instances announced; Nemotron models added to Bedrock
Mistral
Mistral Large and Mistral 3 models added to Bedrock, doubling available models
Google
Gemma models announced in Bedrock; comparison point for AI capabilities
Microsoft Azure
Competing cloud platform; Azure released similar security agent and encryption features
NetApp
FSX for NetApp ONTAP now supports S3 access points for AI/ML workloads
Salesforce
External Secrets Manager now supports Salesforce secret rotation
Snowflake
External Secrets Manager now supports Snowflake secret rotation
CrowdStrike
Falcon security product integrated with AWS Marketplace for automated SIEM setup
GitHub
Alternative to CodeCommit; AWS offering migration assistance for customers
GitLab
Alternative to CodeCommit; AWS offering migration assistance for customers
Bitbucket
Alternative to CodeCommit; AWS offering migration assistance for customers
People
Matt Garman
AWS VP who delivered keynote on AI and infrastructure; criticized for lacking narrative coherence
Swami Sivasubramanian
AWS VP delivering ML-focused keynote; hosts found content too specialized for general audience
Peter DeSantis
AWS VP delivering infrastructure keynote; praised as one of best presenters with strong technical depth
Werner Vogels
AWS CTO delivering final keynote; announced stepping back from keynotes for succession planning
Andy Jassy
AWS CEO; referenced for past keynote narrative structure and thematic coherence
Quotes
"AWS makes Kubernetes conversational"
Episode title, Opening
"I'm going to do 25 exciting new announcements in 10 minutes with a counter"
Matt Garman (paraphrased), Keynote discussion
"Development is just going to change. Just like it's changed multiple times before"
Werner Vogels (paraphrased), Keynote discussion
"I feel like it's a little bit easier these days when they're all releasing kind of the same sort of ecosystems around agentic"
Host, Predictions discussion
"This is the time of the renaissance developer being able to focus on things and being able to orchestrate across multiple agents"
Werner Vogels (paraphrased), Keynote discussion
Full Transcript
Welcome to The Cloud Pod, where the forecast is always cloudy. We talk weekly about all things AWS, GCP, and Azure. We are your hosts, Justin, Jonathan, Ryan, and Matthew. Episode 334, recorded for December 9th, 2025. KubeCuddle, goodbye. AWS makes Kubernetes conversational. You know, Alchem is KubeCuddle, I guess. Sadly, I won't miss people pronouncing it "cube cuddle" instead of "cube CTL" like it's supposed to be. I'm just doing it to troll you. I know you are. It's been happening for years now, and there we go again. Yeah, well, I mean, we really just called this show "Amazon announces a ton of AI shit at re:Invent," but that's not what we're going to call it because we're responsible podcasters here. But yeah, re:Invent happened last week. Sorry to say, happy to say, I don't know. It was good. I watched all the keynotes today on 2x speed, so I'm now fully caught up on the things, other than Swami's. I couldn't get through more than half. Sorry, Swami, love you. I tried 3x on Swami's; that's as far as I got, 45 minutes in, and I still couldn't do it anymore. It's just so much ML. So much ML. But you know, I was mostly impressed with this, the 14th re:Invent, because I feel like I've been doing cloud for 100 years at this point, so the fact that it's only the 14th was sort of shocking to me. It is shocking. But yeah, so let's get right into the thing that matters most, which is who won the re:Invent Prediction show. And so we're going to cover these, and then we have a bunch of news. We're not going to cover everything today because there were literally hundreds of announcements over the last weekend. We cannot possibly cover all of them unless this would be a 17-hour show, and I don't know that you guys all make it through an hour-long show of us talking. So we're definitely not going to try for a really, really long show on everything. But if there's something you guys wish we talked about or you have questions about, you know, please ping us at thecloudpod.net. 
You can email Justin or the pod there, or you can hop on our Slack channel and just say, hey, you didn't talk about this announcement. We will save it for next week and we will answer any announcements, which is also my cheat way of saying, well, anything I should have covered that I thought was interesting that I found later, which is what happens every year. I can now say someone asked me a question. Yeah. So there you go, and we'll actually do the research and, you know, like, be prepared. Yeah, yeah, be prepared. It's good. So Jonathan's not here, but he was first up in the draft order for us, and he nailed a Saturday announcement, like, out of the park, like, blew up the internet when they announced it. That was that they announced a feature called, where is it, Lambda Managed Instances, which lets you run Lambda on your own EC2 with the new management, and the reason why you would do that is so you can get access to GPUs, most likely, which is really what he said: serverless GPU support, or an extension of Lambda, or a different service. It's about time we have a serverless GPU inference capability. And so if that had been said during a keynote, which it was during DeSantis', but it had already been spoiled on Saturday, he would have got a point. So he's not here to argue about it, so no point for Jonathan. Free you. Yeah. Next up, Jonathan had an AI agent with goals, instructions that can run when they need to, periodically or always, and perform an action, like an agentic platform that runs agents. And they announced both Bedrock Agent Core and Kiro Autonomous Agents. And something also with Q, which I lost interest in when I was trying to read it. But yeah, lots of agent things, so I definitely feel he got a point for this one. So one point to Jonathan. And then the final one: Werner will announce his last keynote and he will retire. He did retire from keynotes. 
He did say that he will no longer do keynotes, that he has decided to step down from keynotes to allow younger voices at AWS to take the stage and become more visible in the organization, which is a nice succession planning move, but he did not say he was retiring. He specifically said that in the thing. So Jonathan gets no points, although I will give him a half point. I think we still give him a point. I think we give him a point. He nailed that it was going to be his last keynote. Well, we did do research after the fact, and we found that he had done an interview a few weeks ago. Jonathan swears he did not see the interview beforehand, where he alluded to this fact. But, you know, I don't know. He said retire, and I feel like retire is the key part of that, because, you know, doing his last keynote, I don't even know if I would have cared about that as a point, but the retire part was what I was most intrigued about in his prediction. I don't know. Yeah, I mean, it doesn't matter. You can give him the point; he'll still lose. Yeah, so that's the only part. I mean, that's part of the reason I'm fighting for him here. Yeah, I'm cheating. I know the next step, so I thought, like, we should have a little bit of argument on the podcast. Sure, sure. He's not here to defend himself, though. I thought Werner said he was taking a new role as well that was going to have different responsibilities. He did completely say that as his final keynote, and he clarifies that he is not leaving Amazon and still has things to do, indicating he's stepping away from the keynotes to allow young, fresh new voices to share their stories. But there's nothing about taking on a new role at Amazon. He's continuing his current role as CTO. Okay. 
Now we've clarified that, no point for Jonathan. No point for Ryan. I was arguing for Jonathan. If it was a different role, I would maybe agree. Ryan did quite well this time: new Trainium 3 chips. He also said maybe new Graviton chips, because he knew how to structure this bet right, so he not only did get Trainium, he also got a new Graviton chip. The Trainium 3 Ultra servers were announced in Garman's keynote, and in the DeSantis keynote they announced the new Graviton chips, and they brought a really nice shiny rack for Ryan in Garman's presentation to show you what a Trainium 3 Ultra server rack looked like, and it was very pretty with very clean cable management. So A plus on the cable management. I love it. Love a good cable management. Ryan then predicted that they will expand the number of models in or via Bedrock, and they announced they had doubled the number of models and announced Gemma, MiniMax M2, NVIDIA Nemotron, Mistral Large, and Mistral 3. I feel that's a firm vote to Ryan. Technically, those doubling the models have been way before re:Invent, but hey, Gemma is a big one, and Mistral, those are two very large, big models that people care about, so I think that's definitely a point. You then said you hoped for a refresh to Amazon Organizations, which you did not get. There's even a section where you could have got it, which is, we'll talk about that in a second, but I thought it might happen still for you in the last 10 minutes of the presentation. I was like, it could happen. My score here: I got a new Nova model and Sonic with multimodal. I got a Pro of Sonic and a new model called Omni for multimodal. So I was very happy about that in Garman's keynote. I said they would announce a partnership with OpenAI, likely on stage. They did not have OpenAI on stage, nor did they have a partnership. They did say that Amazon and OpenAI are running on top of the brand new EC2 Ultra servers that Ryan predicted earlier. 
It would technically be a half point, but I'm not giving it to myself. But yeah, I said I don't need it. And then my final one was advanced agentic AI capabilities for Security Hub. Basically, we automate the SOC teams. And they announced, as part of the general availability of Security Hub, the new AWS Security Agent, which is exactly what I was looking for. So that is a solid point for me. Totally. Matt had a rough... I don't want to talk about it. Matt did not get it. I don't want to talk about it. Matt, unfortunately, did not get a model router to route LLM queries to different AI models. He did not get a Well-Architected Framework expansion, although it was mentioned in many keynotes, Well-Architected Frameworks, and he did not get a new replacement for Cognito. I was actually in a different conversation with AI the other day, and I said I don't want to use Cognito, it's a piece of crap, and it challenged me, like, why do you think it's a piece of crap? Explain it to me. And I was like, oh god, so even AI is trying to pitch me into Cognito. So that takes us to our tiebreaker, because both Ryan and I are tied at two points each. Maybe technically Jonathan's tied at two points as well, debating how you want to see that. And so the tiebreaker was how many times did they say the words "artificial intelligence" or "AI" in the keynotes. Matt Garman said it 77 times in his keynote. He definitely beat everyone else, which I was shocked about because I thought Swami would take him; that was not the case. DeSantis' keynote had 31, Swami had 41, and Werner had 31, for a total of 183, and on Price Is Right rules that means I take the win for re:Invent, with 160 as my guess, and I was only off by 23. So not bad. Definitely no challenge. We should have done "agent." I mean, "agent" would be... maybe that's what we need next year. I will note it. Next year is "agent." I will definitely note that for next year. I think "agent" would be a good one as well, because I do feel like we've kind of put AI and artificial intelligence to death at 
this point. So we did get some honorable mentions as well. Marketplace for AI work: there was definitely a marketplace for that, for agents you could basically download or select and add into your Bedrock. There was Q Developer with autonomous agents. There was a next-generation silicon discussion for a combined TPU competitor, i.e. GPU, Graviton learning. So they basically said that things are optimizing for Trainium, and they basically alluded to the fact that they are working on something there. So that's great. So I will pat myself on the back for winning this one again. Show off. But it was an impressive, impressive feat. We were a three-way tie. I think it was the first time we've ever done that well on predictions. I think we all should be winners, and I will give out my win, except for Matt, who lost and also lost Azure, which was sad. I won Google last year. You did win Google, which is funny. Yeah, you did, which is funny. So in the cloud you don't work in every day, you have better visibility on it than the cloud that you used to work in all the time and the one you work in every day. Yeah, I will say a lot of these things are easier to get right just because they're a little bit behind the other cloud platforms in terms of AI. And so you can kind of stick to what everyone else has already announced a little bit, or just pick the gaps in their current services. I do feel like it's a little bit easier these days when they're all releasing kind of the same sort of ecosystems around agentic. They all want foundational models, they all want agents, they all want agent orchestration. So yeah, it was probably one of the easier ones to do if you've been paying any attention to the market in the last six months. But overall I'm pretty pleased. We were close on cost savings for networking. It was just the wrong service. It was cost savings for databases. Yeah, which is huge. All right, well, let's talk about the keynotes themselves. So Matt Garman started out the week with his keynote. 
I struggle with his keynote because I feel like he's... I want to really like him and I just, for some reason, don't like him, because I think he was in sales and I think it just exudes out of him that he's a former sales guy. I mean, he's also a former engineer, so I should like him more than I do. But, you know, I felt like he was lacking kind of a narrative through line through his presentation. Like, it just sort of meandered around and was on foundational, and then it had a customer out for 10 minutes, and then, you know, I lost the thread of where we were at, and then he came back around. I don't know. What did you guys think of Matt? I think his presentation's getting better. I think even just, like, his vocal patterns, I feel like, you know, used to be a lot worse, and they're getting, you know, there's more ups and downs, there's more intonation in it, where before I felt like it was a little bit more flatlined when he was presenting, versus, like, if you ever see, like, an interview with him, he's a lot better when he's not just straight presenting, it feels like. Yeah, he's definitely better one-on-one, like in podcasts I've listened to him on, or interviews. He's definitely better in those, in my opinion, and I think that skill set is slowly moving into his keynotes. I will say it was one of his better ones, but the marketing team... I agree. I felt like I got lost in where we were going. I really liked the kind of funness of the last 10 minutes, which I know we're going to get to later on. But, like, the first hour and 15 minutes just felt like I was lost on a Chutes and Ladders board almost. It's funny, because I wouldn't really think about that as, like, something that Andy Jassy brought. I would think that the thematic sort of keynote structure, I would think, would be marketing, or a lot of different players in that, but it has been missing in all of Garman's keynotes. 
So it is sort of interesting there, but I wonder how these actually go. It was interesting because Matt just alluded to it. So basically, he was on stage for two hours-ish, somewhere two hours and change, and it was long. But then in the last 15 minutes, he basically says, we know you care about non-AI things too. And I was like, wow, you read my survey comments. Yeah. And so he says, I'm going to do 25 exciting new announcements in 10 minutes with a counter. And he basically had to get through all of these. And he got through 25 items very quickly. And I'm like, OK, you're so close. Like, I mean, hey, the 10 minutes, the way he started that was great. It was quick. It was fast. Like, he actually had a little detail. It wasn't just like, oh, here's a new instance, and then move on. It was like he told you a little bit about it. So it was enough to whet your whistle, which is why I've stolen it shamelessly now for the next part of our show, where we're going to basically do the same thing for all the re:Invent instances, because we can't cover them all, but we at least have a little bit of a highlight of each of them. So, in that 25... Sorry, the 25 announcements in 10 minutes. He announced the X8 instance, the instance I've now nicknamed the Elon instance, because it sounds like his son's name. 
The C8A instance, the C8INE instance, the M8AZN instance, the M3 and M4 Max Mac instances, Lambda durable functions, hit you terabyte S3 objects, S3 Batch Ops for 10x faster, intelligent tiering for S3 Tables, automatic application for S3 Tables, S3 access points for FSx NetApp, S3 Vectors, GPU index for Amazon OpenSearch, Amazon EMR Serverless with no storage provisioning, GuardDuty for ECS and EC2, Security Hub is now generally available, unified data store in CloudWatch, increased storage for SQL and Oracle RDS, optimized CPUs for RDS for SQL Server and SQL Server Development support, and Database Savings Plans, all within 10 minutes, which could have been a whole keynote and I would have been ecstatic. So, I mean, two hours on the AI stuff and then 10 minutes on this. I'm like, okay, I appreciate you did it. I'd like a little more balance still. You know, maybe we could do an hour and a half of AI and 30 minutes of this, or maybe we could do it 50-50, because the reality of it too is then you have Swami come out and he talks a lot of AI and ML. You have Peter come out. He also talks a bit of AI, but more about the CPU and the training. And he talks about AI, some of the AI, Nova Forge, which lets you basically help create foundational models. So there's plenty of opportunities for AI throughout all the keynotes. And so I don't necessarily know that he needs to do all the announcements. But it sort of reminded me a little bit of the year that Andy Jassy did the song thing, where the songs reminded him of different features. And it was kind of a nice narrative through line that Andy did on that. So A plus for the 10 minutes. Overall, his presentation was a little weird narratively, but I agree with you. I think his presentation skills are getting better. So overall, I would give him a solid B plus on his keynote. You? Yeah, and the balance stuff. 
I'm not sure. Like, look, we talk about, you know, this is called The Cloud Pod, but 50% of what we talk about, probably 70% of what we talk about, is really AI at this point. Only because it's all they announce, right? Not disagreeing with you about that fact, but, you know, it's just where the market is. You know, it's clearly what the investors want to hear, it's clearly what customers are asking them about. They are definitely, you know, dealing with the customer side of it. And I just, you know, it's not what I fell in love with AWS about, and so I want more of the balance. And I hear you. I would have been disappointed if they didn't have a Nova 2. I would have been disappointed if they didn't do agents, because everyone else is doing it, and so it would be like you're lacking what all your competitors are doing. So, you know, but nothing they announced in any of those things was, like, amazingly better. You know, so, like, they didn't have to spend a lot of time in some of those areas. But I would say in these 10 minutes they announced 25 announcements, so, like, okay, a little bit of rapid fire here. I get it. It was fun. But in, math late at night, 110 minutes, let's say, of the rest of it, he announced 10, maybe 15 things. You know, granted, there's the customer stories, how they're doing stuff. He touches upon features. But, like, it felt like they just dragged on things in the early part, which was interesting. And they always do the customer things, which I'm not in love with sitting there watching, and I'm not going to lie, I fast-forward through half of them. But on the flip side, it just felt like it needed a little bit more balance. So, like, I still remember when they announced, like, the time series database and whatnot. Like, it was, like, a five-minute segment about the buildup to this and how they presented it. Not 20 minutes to build up to a feature release. 
And that's where I feel like it's still missing for me. It makes sense. I mean, I agree to disagree. I mean, a lot more infrastructure stuff still. Like, that's where we all came from. That's what we like about it. But yes. I mean, even if you were like, look, okay, Garman and Swami are going to do nothing but AI and this stuff. That's cool. Then just let Peter do all the infrastructure stuff. That's fine, too. I'm okay with that. Which also, I will point out that we started with Matt this year because they kicked Peter off of Monday Night Live, moved him to Thursday morning in Werner's slot. They moved Werner to an afternoon slot, which I assume was because DeSantis was tired of missing Monday Night Football. So I'm not really sure how that happened, but yeah, it was nice to see him in a different time zone, too. But he did mention he couldn't serve beer, you know, at a morning keynote, which is disappointing. So it's fair. I assume they also did it to kind of, like, segue Werner out a little bit. 
Well, and also I think, at least from my historical knowledge, it's been pretty much after Thursday's keynote that people kind of started bailing out, and so by moving Werner into an afternoon keynote slot before re:Invent, maybe people would stick around longer. But again, I don't know if I would have changed my calculation on that, but I could see people doing it. All right, next one was Swami's keynote. Any feedback on Swami and his keynote? No, I did not, other than he's a little dull. I watched it at 2x and I can only get through half of it. Exactly. Not because he's not a good speaker. He's a good speaker, he does a good job, he had a good narrative to it, but I just don't care about what he's presenting about in any way, shape, or form, and I just can't do it. I haven't watched one of his in years, so I tried to struggle for, you know, and I felt like I wasn't getting it, and it felt like the content, and, you know, there's a lot of, you know, specific ML terms and stuff that if you're not in that heavy data science space aren't... But it's one of those, like, if we were at the house drinking like we used to do when we were at re:Invent, and we just watched the keynotes from the house with beer, where we could mercilessly mock it as it went through, we'd probably watch it and enjoy it. That'd be fine. Or if we were doing the live streaming, where we live-streamed over the keynotes like we did that one year, maybe that'd be fun and we would enjoy that. Just watching it by myself? No, thank you. I tried 3x today and I still couldn't get through it. Like you said, it's not that it's bad, it's just the content is rough for me. Yeah, and if we have someone who's really into ML, I mean, if Jonathan's maybe here, maybe he would have enjoyed it more. I don't know. But it's definitely a possibility. All right, we'll move on around. I give him a solid B. Again, it's not him. It's not the presentation. It's me. It's not you. It's me. Yeah, it's not you. It's me. 
Peter DeSantis had a great infrastructure-based talk. He didn't do the history of computing kind of thing he did in the past, but it was a little bit more... He picked up a little bit of the Werner things. He kind of blended it with his own style. Overall, I enjoyed it quite a bit. He talked about Graviton, the new Graviton chips. He did his normal dog and pony about Nitro and why Nitro is so important. And again, it was a little bit of history, a little bit of cool technology, a few announcements sprinkled in there. Not really announcements; they were already announced earlier in the week, but mentions on stage about some of those things, which was nice. And overall, I think he's one of the better presenters at re:Invent every year at this point. I'd say a solid A for Peter and the folks he had on stage. Yeah, his presentations are always my favorite, and it has been for a long time. But it might just be because it is, like I said, the part of AWS that I fell in love with. You know, that deep infrastructure and sort of hosting at that scale. I don't know. This presentation is pretty good, too. They're fun. I'll admit I've watched five minutes of it and ran out of time today. I had a lot of random personal stuff this weekend that just didn't lead to watching these. So I missed that one. But my plan is to watch it. Ask me next week and I'll... Now I put myself on the spot, so I actually have to... Yeah, you have to not do it. Sucker. Damn it, that was bad. And then finally, Werner's keynote. He had the best intro video I think he's had in years. It started out with looking at a newspaper that says AI is killing development, and he goes, really? And then he goes into a beta time machine he's built and goes back to the '70s, maybe. Basically goes through all these times where people were like, NoSQL is going to kill this. And COBOL is going to kill the punch card. 
And basically the message he delivered in that whole thing was development is just going to change, just like it's changed multiple times before from all these different things. I did like the subtle shade at blockchain. Blockchain, that was my favorite. He basically had a Marty McFly type character in the thing, and he was teaching, I'll teach you all these things you need to know. One of them was, like, blockchain, and I was like, no, you can skip that one. Yeah, it was good. It was, like, a nice, subtle, just, like, jab right in the middle of it. It was great. A little dig and then right out of it. It was good. But yeah, so overall, you know, he went into, you know, basically talking about, you know, this is the time of the renaissance developer, being able to focus on things and being able to orchestrate across multiple agents, and now you have so much more power and capability, but, you know, you're still in control. Basically, that was the message. You know, again, fantastic Werner keynote. I always enjoy them. They're a case study in how to do a good technical keynote, in my opinion. Yeah, fantastic story narrative all the way through it. An A as well. So I really like his keynotes, I always have, and, you know, I even sent it to my day job. You know, I was like, guys, I understand we're not on AWS, but, you know, you guys should listen to this. There's things of it you probably won't get, but the underlying pieces of it still should resonate. Like, I like the way he talked about it, like, you know, the five principles he touched on, and, you know, how he always presents in the story. I think he is always one of the best speakers, at least for me. And I always like it when he makes me feel smart, because I've been sort of saying the same thing about development and how it's not going to get rid of development. It's just going to be like the introduction of another tool that you use for development that makes you faster, more efficient, which is super cool. So I'm smart. I'm smart like Werner. 
I love that guy. I will say, I think he lost weight. Oh, there's... it was the parade of Ozempic, if I ever saw one. You know, Werner's definitely lost weight. Peter DeSantis is, like, half a Peter DeSantis. They bought a healthcare company, if you didn't know, and, yeah, it's having a good impact on them. All right, well, that's the keynotes. Let's jump into the bajillions of announcements that came out of it. We'll start out with AI/ML because that's what they announced the most of. Of course. So Bedrock now got service tiers. So you have Priority, Standard, and Flex to match your AI workload performance with your cost. There's now a Reserved service tier for pre-purchased, guaranteed tokens-per-minute capacity with a 99.5% SLA. I mean, it's not four nines. I don't know if I can use it. I thought this was interesting, where it's like you can reserve it and we still can't guarantee that you'll get it. I understand it's three nines and a five. It's still really high. No, it's just 99.5. It's not even three nines. It's two nines and a five. Oh, sorry. Two nines and a five. It doesn't sound great if I'm, like, if I know I'm in a churn or I'm building my entire product on this, and I'm going to pre-purchase the guarantee, but you're not really guaranteed it. Just felt weird to me. They could have called it Premium. Ultra Premium. Yeah. They just charge you more for it. The new Bedrock Agent Core, which is policy controls, evaluations, exact memory for AI agents, and controlling your AI agent fleet. Skynet's never been closer through Agent Core. Bedrock reinforcement fine-tuning with RLVR and RLAF for model customization, which I don't know what either of those are, other than I know they are involved in training and grounding. Amazon Nova 2 and all the Nova 2 families. 
There's a new Nova Forge to help you build your own foundational models where they actually bring, you know, one of the things he talked about in Nova Forge was, you know, you don't have all the data you need to be able to successfully build a model at scale, and so with Nova Forge they help you basically do that. They provide a bunch of data that you get to use to build the model, they help do the navigation of building the model for you, and you kind of get out-of-the-box simpler model building. If you're trying to build foundational models, which you should not be. So, if you need to, it's nice to have that. Except Anthropic, probably. Everyone else is like, no, no, we don't do foundational models. It's too expensive. So there you go. I thought it was interesting also where, was it, it was in the Nova Forge where they were talking about, like, you integrate your data in at multiple points so it doesn't forget about it in the long term, and having that kind of building in it at multiple points so that it retains that information and becomes very much embedded with your logic versus anything else. I thought it was kind of interesting. Maybe that's just general knowledge inside of the foundational model and RAG. I mean, I think it is how most of the models are now fine-tuning with user feedback, is they're doing basically that. But the thing they're giving is they're giving you early training checkpoints rather than the fully trained model, addressing the forgetting problem in general, and then the service blends the customer data set with the Nova curated training data across pre-training, mid-training, and post-training to help do that. So yeah, this is one of the challenges you have even when you're using RAG or using grounding is that the model has all this other data in it, and so it doesn't necessarily have to use your data that came from the RAG to respond. It thinks there's a better path, and so it is a challenge. So it's definitely a solution to that.
Well, I agree with you that no one should be building their own foundational models unless it's really, truly, like, built on a data set that's unique. I do think that everyone should go through the exercise of building a model to understand how AI works. Well, I don't think you should build an LLM. I do think you should build an SLM, and so small language models that are very finely tuned to certain things is basically the same process, but in a slightly different way, and you start with the foundational model to get there. I think that is a very valuable process, and I think an SLM is making a lot of sense for a lot of use cases, because you're typically trying to do something very particular with your AI. 18 new open-weight models, which gave Ryan the point earlier. Amazon Q Developer Cost Management for natural language queries for AWS spending analysis, so your FinOps people can now get an AI buddy, which is always helpful. SageMaker Serverless Customization for automated infrastructure for fine-tuning. SageMaker HyperPod for checkpointless and elastic training capabilities. The AWS Clean Rooms ML gets privacy-enhancing synthetic dataset generation. And then AgentCore Evaluations allow you to continuously inspect agent quality based on real-world behavior. Make sure your AI hasn't gone Skynet. The last one was interesting because they're, like, about where it processes it. So they were saying how it processes it before it touches your data, which is interesting. And, you know, I was worried and I still am. They say it doesn't really affect because it's in line. How long? They say it's like 30 milliseconds or 300 milliseconds. I don't remember the number. But if that is to evaluate multiple times, you could add latency, but they say it's not going to affect it. So I'd be curious in the real world, once that gets more usage, how that will actually move on and affect things. All right, moving on to compute with EC2 and Lambda features.
We got EC2 P6-B300 NVIDIA Blackwell Ultra GPU-based instances. We got the X8aedz, which I call the Elon Musk instance, which is an AMD EPYC 5 GHz memory-optimized for EDA and databases. We got the new C8a instance, which is the AMD EPYC Turin with 30% higher compute performance. We got the new EC2 M9g, which has the new Graviton 5 powered instances with 25% better performance than Graviton 4. You can get a Graviton 5 processor with 192 cores and a 5x larger cache. And this is one of the things Peter talked about in his keynote was the balance between the L1, L2, and L3 cache and the trade-offs they make. But in this particular case, the Graviton 5, they felt like they made a really good balance, and they had some really good customer testimonials on some of that as well. Lambda got three big features, and we'll talk about two of them in more depth here in a second, so I'll skip those two. But Lambda tenant isolation mode is the first one, which is built-in multi-tenant separation. And then the final one in the section, AWS AI Factories, which is cloud-scale AI infrastructure in your own data center available to you. So then the two Lambda stories, let me go find them real quick. We're going to bounce around the document here, which is always fun. All right. Introducing AWS Lambda managed instances lets you run Lambda functions on your EC2 instances in your account, while AWS handles all infrastructure management, including patching, scaling, and load balancing. This will bridge the gap for customers who need specialized EC2 hardware like Graviton 4 processors or want to apply existing EC2 reserved instances and compute savings plans to steady-state Lambda workloads without giving up serverless development benefits. The multi-concurrency feature allows each execution environment to process multiple requests simultaneously rather than one at a time. It reduces compute consumption and eliminates cold starts through pre-provisioned environments.
Capacity providers can absorb traffic spikes up to 50% without scaling, and AWS automatically provisions additional instances within 10 seconds when needed, though extreme surges may trigger 429 throttle responses. Pricing includes three components: the standard Lambda request charge at 20 cents per million invocations, standard EC2 instance charges where your existing pricing agreements apply, and a 15% compute management fee calculated on EC2 on-demand pricing. Unlike traditional Lambda, you are not charged separately for execution duration per request, and the multi-concurrency model helps optimize your total compute time. Available to you in US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Tokyo), and Europe (Ireland) regions. Support for Node, Java, .NET, and Python. Sadly, no Ruby, so I would not be running Ruby on my managed instances. I'm sorry for the no Ruby. No, I'm not. No. You're sort of sad about it. I know. It's okay. I feel like we should have seen this coming, given that they just released the EC2 managed, or sorry, ECS managed instances a couple months ago. Yeah. I'm sure this is built on some of that. Yeah. That was kind of the first step. This will be the next one. Now I'm trying to figure out what's next after this that I should have seen coming. Well, Jonathan saw it coming. Yeah, he did. He just saw it for GPU reasons. It's interesting that the use case that they described in the article was more about you getting access to Graviton 4. And then the use case around, well, I already have a bunch of instances and savings plans and now you're telling me to go to Lambda and lose all that. Well, that's actually a great transition area for customers who are on legacy EC2-based infrastructure who want to move to serverless. Now you can reuse your spend thing. So there's a lot of benefits to it, potentially for certain customer types, in addition to some of the benefits for long-running transactions. You still got savings plans.
We're still on Lambda, too. Yeah, you have that available. Yeah, it just was a much lower percentage. I didn't realize that. One of the complaints, too, in high-volume Lambda shops is the cost can get pretty astronomical at super high volume. Most enterprise applications won't ever have that volume problem, but in really large shops, it has been a complaint that you can rack up a lot of costs moving data between the different parts of the Lambda function. So this also helps you with some of the savings there. So there's that benefit. All right, the next one for Lambda was they're building, you can now build multi-step applications and AI workflows with AWS Lambda durable functions. Durable functions enable developers to build multi-step workflows using sequential code with automatic state management, checkpointing, and retries. The feature uses a checkpoint-and-replay mechanism where functions can suspend execution for up to one year without incurring compute charges during wait periods, making it suitable for long-running processes like payment workflows, AI agent orchestration, or approval processes requiring human intervention. The implementation uses an open-source SDK available for Node.js and Python that provides primitives like context.step for automatic retries and checkpointing, context.wait for suspending execution, and context.createCallback for handling external events. When failures occur, Lambda automatically resumes from the last checkpoint and replays the event handler while skipping already completed operations, eliminating the need for custom state management infrastructure. This positions Lambda as a direct alternative to AWS Step Functions for certain workload patterns, particularly where developers prefer writing sequential code in their Lambda functions over defining state machines in JSON. The feature competes with Azure Durable Functions and provides built-in idempotency,
EventBridge integration for monitoring, and the ability to use Lambda versions to ensure consistent replay behavior during long-running executions. Currently available to you only in the US East (Ohio) region, with plans for broader expansion coming soon. Pricing follows standard Lambda compute charges but eliminates costs during wait periods, which could provide substantial savings for workflows with long idle times. So, I mean, are we now officially saying serverless is dead now? We can write true durable state functions. Yeah, is it still serverless if it's, yeah, just sort of, I guess, still running on compute somewhere and it's not yours? And so that's really, yeah, it's a fun, I can't wait to troubleshoot the Lambda function that ran 11 months ago and now I can't seem to get my transaction to close properly because it's been waiting all this time. It's sort of interesting out of use case. I'm curious how it handles, like, I've rolled out 16 new versions since then. I have blob storage, drop off the pumps of the original function. I changed my JSON schema in the payload, and now what are you going to do now, bitch? Yeah, like, I don't understand how to make that work. Also, if your payment takes a year, I have other problems, like... I don't think payment processing is the use case for that. I mean, it is crazy that it's up to a year because that just seems like a really long window. Isn't that what Step Functions is, like up to a year as well? I mean, I've never built a step function that had a use case of a year either, so maybe I just don't know. It is interesting. Step Functions max timeout. Because it is like, you know, thinking about, you know, maintaining state and step functions. And it's not something that I really do within Python in general just because it's expensive. The durable functions is kind of an interesting... I feel like it would be a really neat solution to a problem I don't have. So I don't understand it. I want to like it.
When I built Bolt, one of the problems is I originally was going to go serverless for it. One of the things I was struggling with was, well, I basically need to do an async call to Claude to do the summarization. And so then you got into the complexities of dealing with the wait timeout and all that. And so fundamentally, I kind of said, well, this is just gonna be easier to do in a container. And I bailed out of the serverless side. But with this, I could see how having this basic multi-step workflow capability in a durable function, I could do what I was trying to do much easier with a durable function than I would be able to do with a typical serverless function. So I could see that use case. And so again, if you're calling third-party services, and payment processing is one they use, but like Claude or any AI model is another example of that. So this solves kind of one of those use cases, which is probably the reason why I don't see a lot of people doing Lambda for AI workloads. That's a very good point. And I wonder if this opens up that story a bit more. Then it would make sense, right? Why the timing of the announcement as well. So in your example, and this is where I guess my head's just not wrapping around it properly, you're making it, you take a story, you send it over to Claude, it does something. Before it was, if we're in your container, it just waits and runs and sits there and waits for a response, and it gets a response back, and you could do the same thing in Lambda, but then the problem is that it could be, it's unpredictable how long the Claude model is going to take to respond back to your request, and so you would end up either having to create a secondary event, secondary function that would basically take the return or response, but then because you're not the calling response, it comes with all kinds of state problems I was running into. It could have been done, it just was more effort than I wanted to put into Bolt.
So I guess with this, so with this new feature, that's where I'm trying to wrap my head around. What triggers it to start again? Is it the response back from Claude in this example? All right, so the response back would then trigger it to re-wake up and kind of move on from that. You would basically put a wait event into the code. Basically, I'm going to do that wait type that they called out earlier. Okay. And then basically, now I'm waiting for Claude to return, and when it returns, I can resume based on where that wait occurred. I mean, it could really save you, even anything else, it could save you some decent money, too. Yeah. Because the other way we did before is you basically ran the Lambda function until Claude returned. Right. It could have been quiet because Claude's going to take two or three seconds, and then it could have kicked up another one. But yeah, yeah, and either, did you know, either dealt with the timeout of 15 minutes or you did handoff, yeah, yeah, something else that takes it back, and, you know, I've done it also with the interim function that kind of takes it, listens, and then puts a message back on another queue to, yeah, to kind of process that. Well, that's the thing is, here you can get away from a lot of, you know, one of the things you see a lot in the Lambda patterns is you'll see like a lot of heavy usage of queues for that exact reason, because you're, and so, you know, the expense of putting a message on a queue and then picking it back up is kind of silly in some cases. It's just, you know, you need to do a wait, but it doesn't, it's not a super long wait. So that I can see the use cases. Again, this is where Step Functions is really helpful and where you could use Step Functions quite a bit. So now the question is going to be, that's not to give a serverless app, am I going to do Step Functions or am I going to use this distributed durable function? Yeah, exactly. The durable function is going to win out more because it's more, the advantage to it is it's more
natural to how engineers think about async/await anyways in their process, so it's going to be easier for developers to take advantage of it, I think, as well. I mean, so Step Functions has a limit of up to one year under the hood if you use the standard workflow, so I'm wondering if this is somehow built on that or they've re-engineered to make it, you know, be the AWS way of how many different ways to do the same thing. I'm going to say Amazon's built a bunch of ways to do the same thing and this is probably, this is probably a new primitive that becomes something bigger later. Yeah, that's where I think that's going. Yeah. All right, let's move on to containers. We've got EKS capabilities of managed Argo CD, ACK, KRO, and all in AWS-owned infrastructure, which was a bit of a challenge before. You get EKS MCP servers, you know, you can talk natural language with Kubernetes like, please run my pod, you piece of crap, Kubernetes. EKS container network observability with service map, flow tables, and performance metrics. And EKS and ECS now have an Amazon Q troubleshooting capability to let the AI help you figure out why your container won't start, which has been me many a time. And then finally ECS Express Mode, a simplified deployment with automatic ALB domains and HTTPS. ECS Express Mode is their new simplified deployment option for containerized applications that automatically provisions infrastructure including load balancer, domain, and HTTPS endpoint with just a container image, and this targets developers who want production-ready container orchestration without manually configuring networking, scaling, and routing components. The service auto-consolidates up to 25 Express Mode services behind a single Application Load Balancer using intelligent rule-based routing, which reduces your infrastructure costs while maintaining your service isolation.
So yeah, this is basically giving you a lot more platforming capabilities to run a container on top of ECS without you having to think quite so hard. I think this is what I've always wanted Beanstalk and Lightsail to be, is this service. This, for me, feels like the best of both worlds in the sense of I still get all of my infrastructure bits and I get all the knobs and I'm building them in the same way without all the abstraction and just sort of sending off my application into the machine. But this is sort of taking that sort of low level, like gluing it all together and sort of automating that away, which is great. I would agree with everything, but I really thought that this is what I wanted App Runner to be. Because App Runner was the container version. To me, Beanstalk was really Java, .NET, whatever. I know they have the container capability, but to me, that was always an add-on thing they did. App Runner, I always thought, was supposed to be the replacement of Beanstalk because it was container native. That was all they did. So that's where I thought that this App Runner was an ECS Fargate container under the hood, and they've done the load balancer and everything else to it. This I feel like is kind of that next step of really, like you said, what I want it to be: managed load balancer, managed the endpoint set, the ACM cert, all those little things that I've done in Terraform a million times. It just manages for you. Makes sense. I mean, it's a big, I would do more research on this one too, because I feel like it's super cool. And I kind of agree with you. It's kind of the Lightsail version of ECS. So yeah, I'm intrigued.
I don't know how you, like, specify some of the things like the domain for the container, but, like, I again, I have to do some research on it, but it does sound cool. Uh, in your networking and content delivery area, they give you CloudFront flat-rate pricing, a bundle of delivery, WAF, DDoS protection, all for zero to a thousand dollar a month tiers. Basically, it's a way to make your CloudFront prices more predictable, which is always great, and includes quite a bit of out-of-the-box capabilities. The VPN concentrator gets you now 25 to 100 low-bandwidth sites connectable via a single transit gateway attachment, which is a nice upgrade because before you were limited at, I think, 20 of them before. So you had a lot of transit gateways. Now you can have up to 100 connections to that transit gateway. Route 53 accelerated recovery now guarantees a 60-minute RTO for DNS during regional outages. And Route 53 global resolver in preview is a new Anycast DNS for remote distributed clients. Then they gave us NAT gateways now support regional availability. This automatically scales across all availability zones in a VPC based on workload presence and eliminates the need to manually create and manage separate NAT gateways per AZ. Thank you. This simplifies network architecture by removing the requirement for public subnets to host NAT gateways and automatically updates route tables as workloads expand or contract. The feature addresses a common operational pain point where customers previously had to provision NAT gateways in each AZ where they have workloads, manually managing route tables and dealing with the complexity of multi-AZ deployments. Regional NATs maintain high availability, reducing management overhead and potential configuration errors. Customers can use either Amazon-provided IP addresses or bring their own IP address with regional NAT gateway, providing flexibility for organizations with specific IP address requirements.
A change could impact your NAT gateway costs since the service now automatically provisions capacity across multiple AZs based on workload presence, but AWS has not published specific pricing details for these quite yet. But assuming you can turn off a bunch of AZ NAT gateways, it can save you some money. Yeah, I mean, this is pretty cool. I remember having to write production versus dev, Amazon sort of bootstrap account, you know, stuff to address many of these shortcomings for networking and building the VPC. So this is definitely a toil that you no longer have to sort of orchestrate at that level because you can now just have sort of a one configuration that scales to what you need. My only negative part of this is, I mean, it costs the same. I was looking at the pricing page and it literally is just, if you have still set your production up or your dev up with three zones, it's just going to add three zones to it, which means you're paying the same thing as if you set it up. So there still is benefit of doing the, I'm going to call it single-AZ NAT gateway, versus the regional gateway, because like for dev I always just do one NAT gateway, and even like the AWS VPC Terraform module that they released has a flag in there for one NAT gateway because they cost so freaking much. So, but this is great, I think, for like a production where you don't want to think about it. Yeah, I wish it was cheaper, but yeah, I mean, I always wish it was cheaper, but that's never the way. Well, I wish they would have done like, okay, if you use this and you use three, they charge you for two and they do some magic on the back end, like for load balancing and scaling up and down each zone, but I assume for availability they want it.
It would be nice to know also, like, if I have an auto scaling group, let's say that, you know, it typically gets set at one node, but then during the day it boosts up to three and it needs outbound connectivity, like as it autoscales up and down, is the NAT gateways in the other AZs going to go up and down as well? Because that would be nice savings and potential, and maybe that's a future feature that we just don't have yet, but, uh, definitely interesting. This one must have been wanted to be talked about by Ryan because it's security. Uh, you can now enforce encryption in transit within and across VPCs in a given region. VPC encryption control now provides centralized visibility and enforcement of encryption in transit for all traffic within and across VPCs in a region, addressing compliance requirements for HIPAA, PCI DSS, and FedRAMP without managing complex PKI infrastructure. The feature operates in two modes: Monitor Mode, which adds encryption status fields to VPC flow logs to identify plain text traffic, and Enforce Mode, which blocks unencrypted traffic and ensures all new resources use encryption-compliant Nitro hardware. AWS automatically migrates Network Load Balancers, Application Load Balancers, and Fargate tasks to Nitro hardware transparently during Monitor Mode. Customers may need to upgrade older EC2 instances, RDS databases, ElastiCache clusters, and other services to modern Nitro-based instance types. Encryption uses AES-256-GCM at the hardware level through the Nitro system with no performance impact, and VPC flow logs show encryption status values from zero for plain text to three for both TLS and Nitro encryption. Available to you in 23 regions, which is almost all of them, so definitely available to you most likely in the region that you're using today.
And if you've ever had to do any kind of compliance evidence, that's the reason why this exists and this is why I love it so much, is just because it's the song and dance that you have to do to sort of illustrate your use of encryption across your environment is just sort of painful. And, you know, I love that they're adding, sort of enriching the data set for flow logs and adding it all in there. So it just makes it really easy to provide that to an external auditor and have it be part of your controls. And I love it. Didn't Azure or GCP just release this, or did I read this while in the last week and re-remember it? I swear I just read about it as part of preparing for the podcast last week, or one of the other cloud providers, they did something similar to this. I don't recall. I think I'm just re-re-, I think I'm thinking, no, I just read it last week. I mean, I do, I mean, I think Google has it available. It's had it for a while. So maybe Azure did it because you would probably see that more often. But Google has this capability as well. All right. And our final networking item is one for Peter, who's not here, but hasn't been here for a while. But AWS Network Firewall Proxy is in preview. This, of course, is a preview of an explicit proxy service that centralizes outbound traffic filtering to prevent data exfiltration and malware injection. The service protects against domain and SNI spoofing while offering granular HTTP header filtering and TLS inspection capabilities. Proxy deployment requires just a few clicks to configure an explicit mode where applications route traffic through the proxy for inspection before reaching external destinations. Organizations can whitelist trusted domains and IP addresses while blocking unwanted responses from external servers, addressing common security gaps in your application-level control. Available for free during the preview in the US East (Ohio) region. There's comprehensive logging into S3 and CloudWatch for audit analysis,
and the service fills a gap in AWS's native security tooling that we've been asking for since the podcast began. It's funny because this was one of Peter's prediction requests. Every prediction he was like, I want this thing. And we're like, yeah, it's not going to happen. Squid as a service. I did quickly look about the other one. Microsoft Azure just released it recently, roughly the same feature set. I think it was like October. That's good. All right, moving on to storage and FSx. So S3 Vectors is now officially general availability to allow you to have data vector support in S3 with 2-bit vector indexes and 20-terabyte vector buckets. S3 Tables replication and intelligent tiering to automatically replicate your table to other regions, as well as move to lower-cost storage if you are not using the data as quickly as you thought. S3 Storage Lens is being enhanced with performance metrics, billions of prefixes, S3 table export, and S3 encryption controls are now enforceable at the bucket level. There's also a new S3 Block Public Access, which we'll talk about now. Block Public. So AWS Organizations will now let you enforce the S3 Block Public Access setting across all accounts of your organization from a single policy configuration, eliminating the need to manage public access controls individually per account. Policies can be applied at the root, the OU level, or to specific accounts, with new member accounts automatically inheriting the setting. This addresses a common security challenge where organizations struggle to maintain consistent S3 public access controls across multiple accounts. And we were very glad when they added it to begin with, but yeah, the per-account is a killer. So nice to have it now at the OU level, basically. Yeah, this is one of those easy compliance controls that you just had to check the box on every single time to prove that you didn't do this. So it's a nice quality-of-life improvement. Yeah.
I mean, and I hope that, you know, because there's always exceptions, right? You want these specific buckets to be public. So I hope that management of that is sort of built in. But I do think that this is a good thing to have for sure. Because I do, you know, I do remember, like, compiling Trusted Advisor results across, you know, hundreds of AWS accounts to illustrate this is turned on. Yeah. They also, now I remember which presentation, it was maybe in Peter's or maybe it was Swami's, but basically they're talking about one of the things, S3, is it's had a 5-terabyte limit for a long time, and so to enable more use cases, including high-resolution video, seismic data files, larger AI training data sets, they've now increased the limit by 10x to 50 terabytes, which is awesome if you have those use cases and you use it for those use cases, but it's really bad for all those developers out there who don't think it's hard and now are going to create you 50-terabyte objects in your bucket. So I appreciate it on one side, and on the other side, I'm sort of apprehensive about this one. I had that thought when I read this. You know what I've never run into? A five-terabyte object limit. I've never once said, oh man, if only this was more. And so that's crazy. Your 5-terabyte object? Sorry, your 50-terabyte object, just that one object you make is $110 a month. Roughly. It's a steal of a deal. Yeah. I mean, from a price point, it's not bad for 50 terabytes. Why is my object not downloading to my container and it keeps crashing? Well, you tried to download a 50-terabyte object to your 5-gig temp folder. What could possibly go wrong? And I get multi-part upload and being able to have multiple streams for downloads. I'm sure there's a good use case for this. I'm just not sure what it is.
And then in probably the weirdest announcement of the conference for me, Amazon FSx for NetApp ONTAP now supports S3 access points, allowing enterprise file data to be accessed through S3 APIs while remaining in the FSx file system. This enables your organization to use their existing NetApp file data with AWS AI/ML services like Amazon Bedrock, SageMaker, and Quick Suite without data migration or changing file management practices. And the integration bridges traditional NAS storage with cloud-native applications by creating S3 endpoints attached to FSx volumes. And I read this and I'm just like, why? Like, I get that you don't want to move your data, but you want to use it more for AI, so that's the use case, but I, like, so you're expecting that the NetApp ONTAP is going to handle all of the access through the API endpoint? Like, you're having a lot of faith in NetApp, in my opinion, to scale for your use case. And this was also announced, wasn't this on the keynote too? Like, this was announced pretty heavily live too, which I was surprised by. Yeah, it was. They were definitely very big about it. It's clear NetApp was probably saying, hey, we sponsored you. You better mention us on main stage somewhere. What I love is that ONTAP is almost certainly sharding data chunks into S3 as part of its intelligent tiering. So it's like, you know, it's just a circular thing. It's just, you know, all the way down. All the way down. Yeah, that was the strangest announcement, I think, of the conference for me. All right, databases. Aurora DSQL gets you cost estimates. Now you can do statement-level DPU usage and query plans,
Which is nice, because if you ever read the documentation on how DSQL works and try to figure out how to then figure out the cost of it, you were like, uh, I don't understand, I don't have the PhD that I need for this. Aurora PostgreSQL dynamic data masking, to basically use the pg column mask extension so you'll mask the data. OpenSearch 3.3 with the agentic search and semantic highlighter improvements was launched, and OpenSearch GPU acceleration for 6 to 14x faster vector indexing, all available to you. And then we got a bunch of RDS SQL enhancements. So let me go jump to those. First up... I love trying to jump through articles this way. We don't do it this way normally for a reason. Next time we'll add in anchors. Yeah, you know, mistakes were made. AWS is adding four new capabilities to RDS for SQL Server and Oracle, focused on cost optimizations and storage flexibility. SQL Server Developer Edition is now available for free for non-production workloads with full Enterprise Edition features, and new M7i and R7i instances offer up to 55% better cost reduction with separate licensing, billing, and CPU optimization to reduce vCPU-based licensing cost while maintaining memory and IOPS performance. So basically you can turn off all those CPUs you don't actually want to use because you need the memory, which will save you a bunch of money in licensing costs, which is a big win in general. So that's a great one for sure. I mean, I wish it wasn't needed, but it's definitely something that's very much used. The other one is, of course, our favorite. We finally got savings plans for databases. I feel like this is Matt's version of the Squid proxy. I think Matt's been asking for this for a while. There's been a bunch of us ranting about this need for a while. Where did that one go? Again, anchors.
Database Savings Plans extend AWS's existing savings plans model to managed database services, offering up to 35% savings on serverless deployments and up to 20% on provisioned instances when customers commit to a consistent hourly spend over a one-year term. This applies to nine database types, including Aurora, RDS, DynamoDB, ElastiCache, DocumentDB, Neptune, Keyspaces, Timestream, and DMS. The key flexibility advantage is that commitments remain valid even when customers change database engines, switch between provisioned and serverless deployments, or shift usage across AWS regions during migrations or modernization efforts. So yeah, this is quite nice and quite broad, so they definitely heard all the community saying, please bring us database savings plans. I mean, for RDS itself it's not that big of a deal, but for DynamoDB and all the other SQL databases that it supports, like, that's where I feel like the real win is here, that you can get that savings. I mean, you can get RIs. I mean, with RDS you got RIs, but with savings plans now I can move from MySQL to Aurora without losing my discount or wasting money. So that's the value part of it that I think is in the savings plan piece. But yeah, so you're right. I know a piece is bigger. And RIs were bound to RDS instance size, right? That was always the... Right, which is why you didn't get it when you moved to Aurora or if you moved over from R5 to RAGs. But that to me was less of an ordeal, because enough times you said, hey, we're just changing this support, can you help us? Like, we're moving to a new tier, they would really work with you on that. Agreed. And then the last one from databases that I want to mention here, because it's one that blocked me from using things many times, is that you can now enable the RDS SQL Server Resource Governor.
So if you would like to prevent your multi-tenant databases from having one customer with a really noisy neighbor problem, you can now do that, because you can enable the SQL Server Resource Governor natively, which is fantastic. Yeah. Thank you. Oh, that's kind of like Elastic Pools on Azure. I didn't realize that. Take your word for it. So Elastic Pools, essentially, you give 10 databases... I mean, it's down one more level. You give 10 databases 15 cores, and you say each one can use no more than six at a time. So you're essentially over-provisioning and putting the governor in there to eliminate. So it's essentially going to be their way to kind of get that same type of feature. So it's intentionally creating noisy neighbors. Got it. I mean, it's no different than the old-school VMware over-provisioning of your on-prem cluster, you know, but you're like, I have, you know, 500 gigs of memory, I'm allocating 750, knowing that not everyone's going to log in at... you know, nothing's going to happen all at the same time, until it does, and then you swear a lot. One of the two. All right, moving on to security and identity, Ryan's favorite parts. Security Hub is now generally available. We talked about this, because you've got real-time analytics, risk prioritization, and trending. You now have Secrets Manager external secrets to manage the rotation for Salesforce, Snowflake, and BigID. I assume that you'll see additional customers and SaaS companies adopting some of that in the future. IAM outbound identity federation for short-lived JWTs for external service authentication. So think service-to-service, but going to an external service. You need a JWT token. You can now do that with your federation. The AWS login CLI command, which eliminates long-term access keys with OAuth 2, which, that's been long in the waiting. WAF Web Bot Auth, which is cryptographic verification for legitimate AI agents. So you can make sure those AI agents scanning your website are legit.
And then AgentCore Identity to help you solve all of your agent identity challenges. And then we've got three that we're going to talk about. GuardDuty extended to... Where is it? Again, we should have done links. Amazon GuardDuty is adding extended threat detection for Amazon EC2 and Amazon ECS. This basically now correlates security signals across EC2 instance groups and ECS clusters to identify multi-stage attacks, joining existing capabilities for IAM, S3, and EKS. The service uses AI and ML models to automatically link related suspicious activities like initial access, persistence attempts, and unusual data access into single critical security findings instead of scattered alerts. The feature analyzes runtime activity, VPC flow logs, DNS queries, CloudTrail events, and malware detection to build attack sequences across resources that share auto scaling groups, launch templates, AMIs, and IAM instance profiles. And each sequence finding includes an incident summary, timeline, and MITRE ATT&CK mapping. Extended threat detection works with GuardDuty's foundational plan, but enabling runtime monitoring for EC2 and ECS provides deeper process and network telemetry that improves detection accuracy. Expanded coverage is available now in all AWS regions where GuardDuty operates. So if you're in security, you've had the conversation billions of times, like, oh, you know, how is this one change to my security group setting, or this, how is this really going to be a big deal? What this will do is literally lay out the whole, like, sort of kill chain in a graphical form, in a way that is very easy to communicate how all these things sort of end up in a potential breach. And it's really easy to communicate, and it really gets people thinking about the defense in depth that's needed to protect things with all these layers. And I really love features like this. Google's had this for quite a while, and it's one of my favorite features.
It really does illustrate it very clearly. I feel like I learned things from it. That's great. I mean, I'm definitely glad to see GuardDuty extended to EC2. I mean, ECS was a nice add, and then they said EC2 and I was like, okay, now we're talking, because it's been on EKS for a while, which is nice, but EC2 now means it covers all kinds of applications, not just containerized ones, which is super powerful. The one I got a point on: AWS Security Agent is a new AI-powered tool that automates application security reviews, code scanning, and penetration testing throughout the development lifecycle. Unlike traditional SAST and DAST tools that lack context, this agent understands application design, code, and organizational security requirements to provide continuous validation from design to deployment. The service is currently in preview and free during this period, available in us-east-1. Penetration testing capabilities address a critical bottleneck where 81 percent of organizations knowingly deploy vulnerable code to meet deadlines because traditional pen testing takes weeks to schedule. AWS Security Agent runs on-demand tests in hours instead of days, using context from source code and specifications to execute sophisticated multi-step attack scenarios across 13 risk categories, including OWASP Top 10 vulnerabilities. SmugMug reports completing assessments in hours rather than days at a fraction of the manual testing cost. The service integrates with GitHub for automated pull request scanning and enforces custom organizational security requirements beyond standard vulnerability detection. For example, it can flag policy violations like incorrect log retention periods or missing customer-managed encryption keys that conventional security tooling would miss. Design review capabilities analyze architectural documents before code is written, checking compliance against AWS managed requirements or custom organizational policies.
The system can categorize findings as compliant, noncompliant, insufficient data, or not applicable. Which, I mean, Logitator Framework is one that always needs a non-applicable. So nice to see Security Agent now does that as well. I mean, this is neat. I can't wait to play with this. This sounds like a dream, having something that runs in your environment and sort of like virtual red teaming that does all the things. Well, the fact that it runs... it definitely came out, it's definitely competing with Azure, who released the same thing during their conference, but the piece I like about this is the pen test piece, because it now lives in your source code, which you probably already have an SCA or static code analysis tool for, and it lives also after it's live. So if you're running any sort of pen test, automated pen test, but it's running this, which feels like it's going to be more in depth than a DAST. Maybe I'm wrong, but it feels like it's going to be that next level. Because to me, a pen test isn't just a DAST scan. A pen test includes, you know, trying different things, iterations, you know, a little bit more detailed of it. And since it's in the entire lifecycle of it, hopefully it gains more knowledge and kind of can give you that, you know, internal threat detector too. Internal threat actor too. Yeah. And then AWS has announced a feature that I think we were talking about trying to build at one point. Definitely. They've released IAM Policy Autopilot, a free open-source tool that analyzes application code locally to generate baseline IAM policies, reducing the manual effort of writing permissions and troubleshooting access issues. The tool works as a Model Context Protocol server that integrates with AI coding systems like Kiro, Claude Code, and Cursor.
The tool currently supports Python, TypeScript, and Go applications, and automatically stays up to date with the latest AWS services and IAM permissions, addressing a common pain point where developers struggle to keep policies current with AWS's rapid service expansion. IAM Policy Autopilot runs entirely on your local machine and is available at no cost from the GitHub repository at github.com/awslabs/IAMPolicyAutopilot. So thank you, Amazon, for developing the thing I wanted to build. Yeah, I've tried to build this a lot of times and built, like, kind of crappier versions of it that were just doing, like, regex and search strings and trying to compare, like, sort of the SDK functions to permission sets. And this is great, because this is the biggest challenge, and I hope every cloud develops their own version of this, because it's a challenge on every single cloud. You write an application and you have to go through this iterative process. You either over-permission it from the get-go, or it takes you several revisions of generating that policy until you get it right. And then you still probably miss something that's an edge case permission that it needed only in this one state later on. So this is great. It was already... there's been third parties. There was, like, "I am I am" or something, where you essentially made it go through a proxy. You know, there's been a few pretty good stabs at it, you know, where it would, like, essentially... but it never was always up to date with the latest. So this is going to be part of the release process where it stays up to date, that will be golden for sure. I mean, I definitely didn't like those solutions. I had to go through a proxy, just because, you know, it's a man-in-the-middle attack now, and you have to scale it, and can it scale properly? So this is much better, that it's cloud-native, so I'm much happier.
And it's more exposed directly to the developer, rather than sort of having this middleware sort of component that has to be set up and supported as part of a developer platform or however you want to do it. For our FinOps friends, we've got some stuff this week as well. Cost Explorer forecasting has been extended from 12 months to 18 months, which is just nice. And they also give you an explainable AI for that, so it tells you why it thinks your forecast for 18 months. So it can not only tell you the forecast, but also tell you why. So when your CFO is mad at the forecast, you can say, this is what the AI says. Here's the reasons. Don't argue with AI. Yeah, don't. He's smarter than me. Cost efficiency metric, a single percentage score combining optimization opportunities, which a lot of FinOps teams are looking for, a KPI or a metric that they can use. So that's pretty nice. Anyways, data exports in the FOCUS 1.2 format. And then billing transfer to allow centralized billing across multiple organizations. So if you have a reason, you know, a big multinational company that needs to have different organizations, you now still have centralized billing across multiple organizations, which was a limitation before. And then the next one we're going to talk about is the Compute Optimizer for NAT gateways. I don't know what this is. Optimizer. I can't spell. It is launching cost efficiency metric and cost optimization. That's the right one. Too many. Too many stories.
There we are. Okay, anyways, Compute Optimizer now identifies unused NAT gateways by analyzing 32 days of CloudWatch metrics, including active connections and packet traffic, helping customers eliminate costs from idle resources. The service cross-references route table associations to avoid flagging critical backup NAT gateways as unused. NAT gateways, of course, cost four and a half cents per hour plus data processing charges, so identifying unused instances can save customers over $30 per month per gateway before factoring in data transfer costs. The feature extends Compute Optimizer's idle resource detection beyond EC2 instances and EBS volumes to network infrastructure, addressing a common cost optimization blind spot. Available in all AWS regions where Compute Optimizer operates, except AWS GovCloud (US) and China regions. Which is a nice cost saving, because the amount of NAT gateways I've seen not used is astronomical in my career. That's not a problem I've had. I'm sure it is a good thing. I just never had it. But I guess this is why that other NAT gateway feature makes sense, because you had a server in the zone and now that server doesn't exist. You know, you're paying for a gateway you don't need. For developer tools and modernization, we've got a couple of things here. Step Functions local testing, so you can do the TestState API with mocking support. API Gateway developer portals, or native API discovery and documentation portals, which we asked for many, many moons ago. So that's pretty nice. And then there's several updates to the Transform family, including Transform mainframe, Transform custom, and Transform Windows, which we'll talk about right now. So the three transforms. So there's first the custom one, to basically look at any of your custom code and help you address your scenarios like Python 3.8 to 3.13 Lambda migrations and all things like that.
And then the mainframe, of course, helps you migrate from your legacy COBOL applications, but the one that I thought was interesting was the Windows one, which will let you handle full-stack Windows modernization, including .NET Framework to cross-platform .NET, SQL Server to Aurora PostgreSQL migration with stored procedure conversion, and ASP.NET Web Forms to Blazor UI updates. The service analyzes dependencies across all three tiers and orchestrates transformations in waves, aiming to accelerate modernization by up to five times compared to manual approaches. The service automatically converts SQL Server schemas to PostgreSQL-compatible structures, migrates all data using AWS DMS, and refactors dependent application code to work with the new database. It deploys transformed applications to EC2 Linux or ECS for testing and generates CloudFormation templates for production deployment, handling the entire stack in a coordinated way. New capabilities in AWS Transform for .NET include support for porting to .NET 10 and .NET Standard, real-time transformation progress with estimated completion times, and editable transformation reports. The service now converts those ASP.NET Web Forms projects to server-side Blazor components and generates next-step markdown files for remaining manual tasks. Currently available to you in US East (N. Virginia) with no additional charges for the transformation service itself; the standard AWS resource pricing applies for deployed infrastructure.
So that's, if you were stuck in a legacy .NET shop, that's a good one right there. You guys are wowed, I can tell. Speechless about it. Speechless. Yeah, I've just talked about similar types of solutions for so long and still just can't get developer teams to use them. Well, before re:Invent, in the pre-Invent phase, something happened in Amazon land that has never happened before. Lots of things never happened in Amazon. A year and a half ago we talked about the fact that they've never deprecated a service; now they've deprecated a bunch of services, and one of those services they deprecated was CodeCommit, and at the time we sort of said, hmm, that's interesting, because there's lots of use cases where CodeCommit still makes sense. And apparently customers were outraged, and so Amazon has reversed its July 2024 decision to de-emphasize CodeCommit and is returning the service to full general availability, immediately reopening new customer signups, after customer feedback revealed the service's IAM integration, VPC endpoint support, and CloudTrail logging are critical for regulated industries and teams wanting AWS-native development infrastructure. The reversal comes with a concrete investment roadmap, including Git LFS support arriving in Q1 2026 to handle large binary files without bloating repositories, and regional expansion starting in Q3 2026 with eu-south-2 and ca-west-1 regions joining the existing 29-region footprint. Current customers who stay with CodeCommit will see AWS work through accumulated feature requests and support tickets. Those who migrated to GitHub, GitLab, or Bitbucket can return with assistance from AWS support teams, though AWS acknowledges those platforms remain valid choices. Pricing remains unchanged from the existing structure available on the CodeCommit pricing page, with the service to maintain the 99.9% uptime SLA, making this primarily a strategic reversal rather than a technical or pricing update.
Now, it's going to represent an unusual public acknowledgement of a strategic misstep by AWS, with the company directly apologizing to customers who invested resources in migrating away from CodeCommit. Crazy town. I mean, I hope all customers had some sort of plan, but knowing that I've seen many companies say, oh my God, we got this notice six months ago, we'll deal with it in six months, and now it's five months, four weeks, or three weeks and six days. Oh my God, this thing's going to expire tomorrow. There's probably a large swath of customers that still are there. Migrating from your full repository is challenging. And the announcement listed several use cases that I hadn't even thought about and how difficult it would be. If you've got your entire compliance development environment controls built around IAM, it would be a big challenge to move that. Well, even we talked about, I think when they deprecated it, there's certain services that are directly integrated to CodeCommit for getting configuration. And so there was a bit of a question in my mind on how some of those services are going to update to support GitHub. And I assume they'd already done that, but I'm not using those services right now, so I don't know. But there's also, you know, the ability to do CI/CD operations from inside of your Amazon, you know, portfolio in a state, like you mentioned, for regulated, but just other compliance requirements sometimes require those things as well. So, I mean, I don't recommend using CodeCommit as your only Git service, but it's definitely an option if you need to do something that, you know, maybe you commit on GitHub and then you have a replication process that replicates, you know, certain releases to your CodeCommit for deployment reasons. There's lots of benefits to doing something like this that may make sense to your organization. So I'm glad to see this one get reversed. I'm not sad about any of the other ones that got deprecated previously.
No, I can't say that I am either. But it does show that they are listening to customers, which is nice, because I started questioning if all of the leadership principles still applied at some point. But hey, customers were demanding it, and they did it, so A+. The only one I'm still surprised about is Cloud9. While I never used it, it never was a production thing. It was good for Amazon coming out or teaching you something, so it was a good way to set up a thing to run everything locally. So to me that wasn't like a production or developer tool, but more of like how to sell to other customers, so more things to customers. I mean, there's probably a path where you see it get replaced by, like, Kiro, Kiro Web or something like that, where you use an AI to do coding exercises on the web. You know, like, that's what you see with Claude Code and others, where they've got a web interface for those. So I suspect you'll see it kind of get rebirthed, but just in an AI product. Yeah, it makes sense, which would make sense. So, all right, observability and monitoring. We're almost through this, guys. CloudWatch unified data management, which has consolidated ops, security, and compliance logs. Yay. CloudWatch deletion protection, which prevents accidental log group removal. And then the CloudWatch Network Flow Monitor container networking observability for EKS. The unified data management is actually really nice, because it does pull together multiple different log streams, which was kind of a challenge. If you needed to have different logs from different regions, you can pull them together with this feature. A couple other benefits to it as well. So that one of those three is the most exciting to me. The accidental log group removal is not my problem, because I never know which ones I should delete or not delete. So I just leave them forever, because they don't cost you anything if they don't take any data ingestion. That's pretty funny. Governance and management: Control Tower controls are decoupled.
So you can now use management controls without full landing zones, which was one of the big complaints that we had about Control Tower when it first came out, was that this is great, it has amazing things, but I don't want to implement their landing zone because I already have one. So now you can use some of their controls without the landing zone. Service Quotas now have automatic management to auto-adjust limits based on usage. And then supplementary packages for Amazon Linux are now pre-built for you for Amazon Linux. And then our final chatting one here is our AMI Ancestry story. AMI Ancestry provides automatic lineage tracking for Amazon Machine Images from creation through all regional copies back to the root AMI, eliminating the need for manual tagging and custom record-keeping systems. This addresses a long-standing operational challenge where teams had to build their own tracking mechanisms to understand AMI provenance across multi-region deployments. The feature solves a critical security and compliance workflow by enabling teams to quickly identify all downstream AMIs when vulnerabilities are discovered in the parent image, and organizations can now trace which production workloads might be affected by a compromised image without maintaining separate documentation systems or relying on naming conventions that break down at scale. Available at no additional cost for all AWS regions, including China and GovCloud, AMI Ancestry is accessible through the AWS console, CLI, and the SDK. So yeah, this is a good one. Definitely glad this one is finally here. I have built three different ways to do this in my career, four if you count my current day job on Azure. You know, you always want to start and then know where it came from, so if there's a vulnerability you know where to start patching and go up from there.
And it's always easy to say you start all the way at the beginning, but if you have multiple teams that have to, you know... that you build something, then multiple teams build off that, then teams build off that, it's always hard to track. So knowing and being able to track all that is a godsend, versus DynamoDB hackery that I've done in my life. DynamoDB hackery, S3 hackery, like, oh, so many bad ways to manage AMIs and try to, you know, deprecate older ones without breaking someone. Yeah, this is fantastic. Tags on the next image, they then get lost. You copy them or share them, and then how you deal with sharing them, would you share them, which I don't know if this will do, is how you share between other regions. Like, it's just bad across the board. I forgot about the tags. And then the tag, yeah, made that mistake. That's the first one everyone does, and everyone runs into it at one point where you're like, oh, I'm copying it, oh crap, I lost my tags. Yeah, yeah, that's a good scar tissue. Scar tissue for sure. DevOps and operations: we've got AWS DevOps Agent in preview, which gives you autonomous incident investigation and root cause analysis, which I don't know why it's called the DevOps agent, because it doesn't make any sense. It's an SRE thing. Come on. Amazon doesn't know what SRE is either. That's a problem. Apparently our Amazon support plans are getting restructured. They're restructuring it and lowering the price, but also maybe lowering the quality? Maybe? I don't know. AWS has restructured its support offerings into three AI-enhanced tiers, with Business Support at $29 a month, which is 71% cheaper than before, Enterprise Support at $5,000 a month, which is a C7 production, and Unified Operations at $50,000 a month. The new plan shifts from reactive troubleshooting to proactive issue prevention using AI-powered monitoring and contextual recommendations that maintain account history across support interactions.
Response times have improved significantly across all tiers, with Business Support Plus offering 30-minute critical case response, twice as fast as the previous Business tier, Enterprise Support at 15 minutes, and Unified Operations delivering 5-minute response times. I mean, response is just, I got your ticket. Yeah. Yeah, you have an agentic AI generated response. This isn't good. All plans now include AI agents that provide context to support engineers before human handoff, limiting the need for customers to repeat information. Enterprise Support now includes AWS Security Incident Response at no additional cost, providing automated security event monitoring and investigation capabilities, and the tier also offers access to interactive workshops and hands-on programs for continuous technical development beyond traditional case-based support. Unified Operations provides the most comprehensive support, with dedicated teams including a TAM, a domain engineer, and a senior billing specialist, plus on-demand migration and security experts, as the tier includes 24/7 monitoring, systematic application reviews, operational readiness validation, and support for business-critical events with the full context of your customer environment. Existing customers on Developer, Business Classic, and Enterprise On-Ramp plans can continue their current support through January 1st, 2027, with the option to migrate earlier through the AWS console, and the new plans are available in all commercial AWS regions with tiered pricing that reduces marginal costs at higher usage levels. I hope this ends up being decent service, but in my head, I'm like, yeah, they're lowering the cost because they're just getting rid of all their support staff and putting bots in it. Yeah, they've been laying off all those people. But I also think support's gone down dramatically. Has it?
Like, back in the day, I remember being... yeah, I remember I would wait to open support tickets after 4 o'clock Pacific time, because you would get the Australia team, which was amazing. And this was, like, 10 to 12 years ago, and, like, their support was always so much better than when you opened up in the US. So I always learned I either open support tickets really early in the day to Ireland, or I would wait till the Australia group came on. But I feel like since then it's just... I've opened support and they're like, they give you the most basic, generic answer, and I'm like, are you dumb, or are you just not even listening to what I've said, or do you just assume that I'm a moron? I have no idea what I'm talking about. The last one. It's the last one. They'll give you a full detailed story of everything. Yeah, I know. But I do like the idea that it's going to give them AI-generated summaries of a case, because I have run into the thing where I had to repeat my issue to multiple support people. That's super annoying. So that alone might be helpful. But I don't know. I was telling someone earlier about how good Amazon support was back in the day, when you had a TAM and everything, and the amount of abuse those people took, because, of course, engineers blame the cloud every time something goes wrong. Every time. Yeah. And so, you know, we allowed all of them to open support cases directly to AWS, and so the only thing we policed on them was, like, please don't open high priority cases if they're not really a high priority. And so I would watch tickets go through and, like, the dumbest questions being asked. So like, hey, we think Amazon blah blah is broken because of this error, and, like, you know, you see this support person patiently respond back to them with, like, no, your code is doing this, which is incorrect, you know, this isn't even good async operations that you're doing here.
In the kindest, most polite way possible, not calling them an idiot, but basically implying, like, no, it's not us, it's you. And so, you know, some of that stuff, though, could definitely be done by AI. So I do suspect that there is some benefit. And it's nice that they're not just adding this and saying everyone's going to get this and you're going to pay the same price, we're just going to improve our margins. They're like, no, we're going to try to help make it better, and we're going to give you a slightly lower price, and hopefully provide better support net-net. We'll see how it works. I'm curious about real-time feedback from customers out in the wild, how good or bad this is if they opt for it. I know for my personal business, Business Support at $29 a month is a way better price, so I'm not positive of Business Support, folks. Business Support Plus. Yes, Business Support Plus. Correct. They had to rebrand it here. Yeah, they did. And then our final two sections before we wrap up for the night. Marketplace and Partner Central, and console, so if you're buying your Amazon services through a partner, you can now see the partner experience and the customer experience together. I assume segmented in some way, which is nice. Multi-product solutions. You can now bundle offerings from multiple vendors in a solution. So, you know, a private marketplace offering that includes SAP and other vendors in that bundle. You can now do that. And then CrowdStrike Falcon is now integrated to provide an automated SIEM setup wizard experience through the marketplace. So now you get a much better onboarding experience for CrowdStrike Falcon, which is interesting. They called that one out specifically. And then if you're in the connectivity and contact center area, Amazon Connect got way more announced than just this. I just, like, it was such a long list that I just said, these are the two I care about. One is predictive insights, which is AI-powered recommendations for your support cases.
Then Amazon Connect MCP support, which is standardized tools for agents. And again, considering that Amazon support probably uses Amazon Connect, this all makes sense. Oh yeah, no, this is definitely that tool. Yeah. Amazon Connect has been their support tool for a long time, before it was a product. So that's re:Invent. That was a lot. I think compared to last year, I feel this is a much better re:Invent. The announcements were better. I think the things they focused on... I think they got the memo that AI is cool and we know you need to do it, but you can mix it up a little bit. I appreciate that. We just want to mix it up a little bit more. I'd like to see what Nova 2 actually can do, and see if... they were showing it beating Claude and OpenAI in benchmarks, and I was like, sure it is, I don't know if I believe that. So I'm curious to see, as real-world users are actually using some of these features, what they think and how they go from there. So anyways, I'm glad we got through this. We'll see you all next week here at The Cloud Pod. Bye, everybody. Bye, everyone. Bye. And that's all for this week in cloud. We'd like to thank our sponsor, Archera. Be sure to click the link in our show notes to learn more about their services. While you're at it, head over to our website at thecloudpod.net, where you can subscribe to our newsletter, join our Slack community, send us your feedback, and ask any questions you might have. Thanks for listening, and we'll catch you on the next episode. Bye.