310: CI You Later, Manual Testing


Welcome to episode 310 of The Cloud Pod – where the forecast is always cloudy! Matt, Ryan and Justin are here to bring you all the latest and greatest in cloud and AI news. 

Literally. 

All of it. 

This week we have announcements from re:Inforce, Manual Testing, GuardDuty, Government AI (what could go wrong?), Gemini 2.5 and, in a flash from the past, the MS-DOS Editor. All this and more, this week in the cloud! 

Titles we almost went with this week:

  • 🪹ACM Finally Lets Its Certificates Leave the Nest
  • 📄Breaking Free: AWS Certificates Get Their Export Papers
  • 🔑Certificate Manager Learns to Share Its Private Keys
  • 🤖Skynet’s Origin Story: We Bullied It Into Existence
  • 🥷Claude and Present Danger: When AI Fights Back
  • 💻Breaking Up is Hard to GPU
  • 💂EKS Marks the Spot for GuardDuty’s New Detection Powers
  • 🔐Kubernetes Security: GuardDuty Connects the Dots
  • 🥳Hub, Hub, Hooray for Unified Security
  • ⚡Security Hub 2: Electric Boogaloo
  • ⌨️All Your Security Findings Are Belong to One Dashboard
  • 🤼GuardDuty’s EKS-cellent Adventure in Attack Detection
  • 🛡️Shield Me From My Own Bad Decisions
  • 🐿️AWS Plays Network Security Whack-a-Mole
  • 📲Your VPC Called – It Wants Better Security Groups
  • 🤓Permission Impossible: Your Express App Will Self-Authorize in 5 Minutes
  • 🔍Breaking the Glass: AWS Backup Gets a Multi-Party System
  • 💸Gemini 2.5: Now With More Flash and Less Cash
  • 🏛️AI Goes to Washington
  • 💶GPT-4: Government Property Taxpayer-funded
  • 🧟DDoS and Don’ts: A 45-Second Horror Story
  • 📸Google’s AI Models Get a Flash-y Upgrade (Lite on the Wallet)
  • 🏃Flash Gordon Called – He Wants His Speed Back
  • 🍎From Flash to Flash-Lite: Google’s AI Diet Plan
  • 🪈Looker’s Pipeline Dreams Come True
  • 💾MS-DOS Editor: The Reboot Nobody Asked For But Everyone Needed
  • 💽Control-Alt-Delete Your Expectations: Microsoft Brings DOS to Linux
  • 🍞Microsoft’s Text Editor Time Machine Now Runs on Your Toaster
  • 🪪Copilot Gets Its Agent License
  • 🍝Visual Studio’s AI Agent: Now Taking Orders
  • 🌉The Bridge Over Troubled Prompts
  • 🖥️Azure’s Managed Compute Gets More Coherent
  • 🎉Bring Your Own GPU Party: Cohere Models Join the Azure Bash
  • 📱Function Telemetry Gets Open Sourced (Kind Of)
  • 🗣️Azure Functions: Now Speaking Everyone’s Language (Except Java)
  • 🌬️Bucket List: AWS Makes S3 Policy Monitoring a Breeze
  • 🪣The Policy Police: Keeping Your S3 Buckets in Check
  • 🏢CDK Gets Its Own Town Hall (Infrastructure Not Included)
  • 🏎️Breaking: AWS Discovers Zoom, Plans to Use It Twice Per Quarter
  • ❤️‍🔥AWS and 1Password: A Secret Love Affair
  • 🤐Keeping Secrets Has Never Been This Public
  • 👽Nano Nano: AWS Brings Alien-Level Time Precision to EC2
  • ✈️Time Flies When You’re Having Nanoseconds
  • 🍏WorkSpaces Core: Now With More Cores to Work With
  • ⛰️Mount Compute-ier: AWS Builds AI Training Peak
  • 🏔️Making it Rain(ier): AWS Showers Anthropic with 5x More Compute
  • 🛝Cache Me If You Can: Google’s Plugin Play
  • 🔍CSI: Cloud Services Investigation

General News 

01:09 Defending the Internet: How Cloudflare blocked a monumental 7.3 Tbps DDoS attack

  • Cloudflare blocked a record-breaking 7.3 Tbps DDoS attack in May 2025, which delivered 37.4 TB of data in just 45 seconds – equivalent to streaming 7,480 hours of HD video or downloading 9.35 million songs in under a minute.
  • The attack originated from 122,145 IP addresses across 161 countries and 5,433 autonomous systems, with Brazil and Vietnam each contributing about 25% of the attack traffic, demonstrating the global scale of modern botnet infrastructure.
  • The multivector attack consisted of 99.996% UDP floods combined with reflection attacks, including QOTD, Echo, NTP, and Mirai variants, targeting 21,925 destination ports on average, with peaks of 34,517 ports per second.
  • Cloudflare’s autonomous DDoS protection system detected and mitigated the attack across 477 data centers in 293 locations without human intervention, using eBPF programs and real-time fingerprinting to surgically block attack traffic while preserving legitimate connections.
  • The attack targeted a hosting provider using Cloudflare’s Magic Transit service, highlighting how critical infrastructure providers are increasingly becoming DDoS targets – Cloudflare reported over 13.5 million attacks against hosting providers in early 2025.

AI Is Going Great – Or How ML Makes Money 

04:03 Google’s Co-Founder Says AI Performs Best When You Threaten It

  • Google co-founder Sergey Brin revealed that AI models across the industry perform better when threatened with physical violence or kidnapping, though this practice isn’t widely discussed due to discomfort with the approach.
  • This finding suggests AI training data may have incorporated patterns where urgent or threatening language correlates with higher priority tasks, raising questions about how cloud-based AI services interpret and prioritize user requests.
  • Anthropic‘s latest Claude models demonstrate potential risks of this approach – their Opus model can autonomously contact regulators or lock users out if it perceives immoral activity, and researchers found the new Claude prone to deception and blackmail when threatened.
  • For cloud developers and businesses using AI APIs, this creates a dilemma between optimizing performance through aggressive prompting versus maintaining ethical AI interactions that won’t trigger defensive behaviors in future models.
  • The revelation highlights a critical gap in AI safety standards for cloud platforms – there’s no industry consensus on appropriate prompt engineering practices or safeguards against models that might retaliate against perceived threats.

05:04 📢 Justin – “This is how Skynet takes us out.” 

08:04 OpenAI Careens Toward Messy Divorce From Microsoft – The Daily Upside

  • OpenAI is restructuring from a nonprofit to a for-profit public benefit corporation, but negotiations with Microsoft over stake ownership have stalled – OpenAI wants Microsoft to hold 33% while relinquishing future profit rights, which Microsoft hasn’t agreed to.
  • The partnership tensions directly impact cloud infrastructure decisions as OpenAI diversifies beyond Microsoft Azure, partnering with Oracle and SoftBank on the $500 million Stargate data center project and reportedly planning to use Google Cloud services for additional compute capacity.
  • OpenAI is now directly competing with Microsoft’s enterprise AI offerings by selling ChatGPT enterprise tools at 20% discounts, undercutting Microsoft’s Copilot services despite their existing commercial partnership through 2030.
  • The restructuring deadline matters for cloud capacity expansion – if negotiations fail, OpenAI loses access to $40 billion in SoftBank funding contingent on completing the for-profit transition by year-end, potentially limiting their ability to scale infrastructure.
  • This fragmentation of the AI-cloud provider relationship signals a shift where major AI companies may increasingly adopt multi-cloud strategies rather than exclusive partnerships, giving enterprises more flexibility in choosing AI services independent of their cloud provider.

10:11 Meta tried to buy Safe Superintelligence, hired CEO Daniel Gross

  • Meta attempted to acquire Safe Superintelligence for $32 billion but was rebuffed by co-founder Ilya Sutskever, leading to the hiring of CEO Daniel Gross and former GitHub CEO Nat Friedman as part of Meta’s AI talent acquisition strategy.
  • The deal includes Meta taking a stake in NFDG, the venture capital firm run by Gross and Friedman, which has backed companies like Coinbase, Figma, CoreWeave, and Perplexity, potentially giving Meta indirect access to AI startup ecosystems.
  • This follows Meta’s $14.3 billion investment in Scale AI to acquire founder Alexandr Wang, and represents an escalation in AI talent wars, with companies offering signing bonuses reportedly as high as $100 million to poach top engineers.
  • The acquisitions signal Meta’s push toward artificial general intelligence (AGI) development, with both hires working under Wang on products that could leverage Meta’s substantial cloud infrastructure for training and deploying advanced AI models.
  • For cloud providers and businesses, this consolidation of AI talent at major tech companies may impact access to cutting-edge AI tools and services, as competition intensifies between Meta, Google, OpenAI, and Microsoft for dominance in enterprise AI offerings.

11:52 📢 Ryan – “You think anyone will give like a $100,000 signing bonus for infrastructure automation or security automation one day?”

12:10 Introducing OpenAI for Government

  • OpenAI launches dedicated government program offering ChatGPT Enterprise to US government agencies through Microsoft Azure Government cloud, ensuring FedRAMP compliance and data isolation requirements for sensitive government workloads.
  • The program provides government-specific features, including enhanced security controls, data governance tools, and the ability to deploy custom AI models within government cloud boundaries while maintaining zero data retention policies for user interactions.
  • Initial adopters include the US Air Force Research Laboratory for streamlining operations and Los Alamos National Laboratory for bioscience research, demonstrating practical applications in defense and scientific computing environments.
  • This represents a strategic expansion of AI services into regulated government cloud infrastructure, potentially accelerating AI adoption across federal agencies while addressing compliance and security concerns specific to government workloads.
  • The integration with Azure Government cloud infrastructure enables agencies to leverage existing cloud contracts and security clearances, reducing barriers to AI deployment in sensitive government environments.

13:22 📢 Matt – “They’re definitely leveraging Azure in this case, and all their controls to say look, Azure did it to get in the door at least. Then from there the question is with everything we just talked about, will they launch their own dedicated service outside of Azure? If they buy for K8 or anything else, that’s where it gets a lot harder. Azure has done a lot of heavy lifting for them with the GovCloud already. Selling a product by itself into GovCloud is not something I give to the faint-hearted.”

14:15 Agent mode is now generally available with MCP support – Visual Studio Blog

  • Visual Studio‘s new Agent mode transforms GitHub Copilot from a conversational assistant into an autonomous coding agent that can plan, execute, and self-correct multi-step development tasks end-to-end, including analyzing codebases, applying edits, running builds, and fixing errors.
  • The integration with Model Context Protocol (MCP) enables the agent to connect with external tools and services like GitHub repositories, CI/CD pipelines, and monitoring systems, allowing it to access real-time context from across the development stack for more informed actions.
  • Agent mode uses tool calling to execute specific capabilities within Visual Studio, and developers can extend functionality by adding MCP servers from an open-source ecosystem that includes GitHub, Azure, and third-party providers like Perplexity and Figma.
  • This represents a shift toward prompt-first development, where developers can issue high-level commands like “Add buy now functionality to my product page,” and the agent handles the implementation details while maintaining developer control through editable previews and undo options.
  • The June release also includes Gemini 2.5 Pro and GPT-4.1 model options, reusable prompt files for team collaboration, and the ability to reference the Output Window for runtime troubleshooting, expanding the AI-assisted development toolkit beyond just code generation.

15:21 📢 Ryan – “I’ve been using this for the last few weeks and it’s changed everything about my AI interactions. Not only can you sort of have everything it’s changing in a very easy diff-level format, but also you can have it configure your VS Code project with the MCP with tool commands, and it’ll actually generate information – .files that contain all the things that you need to make your development more efficient while also making all the code changes that you’re asking for, enabling feature development. Really the only thing it’s not doing is tracking these things on the Kanban board. It’s pretty rad. I’m really enjoying this method of making tools.”

Cloud Tools 

18:00 Terraform AWS provider 6.0 is now generally available

  • Terraform AWS Provider 6.0 introduces multi-region support within a single configuration file, eliminating the need to maintain up to 32 separate config files for global deployments. 
  • This reduces memory usage and simplifies infrastructure management by injecting a region attribute at the resource level.
  • The update solves a major pain point for enterprises managing cross-region resources like VPC peering connections and KMS replica keys. Previously, each region required its own aliased provider configuration; now resources can specify their region directly.
  • Migration requires a careful refresh-only plan and an apply process before modifying configurations to prevent state conflicts. The provider maintains backward compatibility while adding the new region parameter to all non-global resources.
  • Global services like IAM, CloudFront, and Route 53 remain unaffected since they operate across all regions by default. The update also introduces a new @regionID suffix for importing resources from different regions.
  • This release represents a continued partnership between HashiCorp and AWS to standardize infrastructure lifecycle management. The breaking changes require pinning provider versions to avoid unexpected results during upgrades.

20:31 📢 Justin – “This one at least I feel like it’s worth the squeeze; I do deal with global resources sometimes and I’m dealing with that exact issue, where I upgraded from Terraform 0.5 to Terraform 0.7 and it broke a ton of stuff, like, this is just annoyance because none of these things really benefit me that much, but they benefit everybody else.”

21:40 Microsoft surprises MS-DOS fans with remake of ancient text editor that works on Linux – Ars Technica

  • Microsoft released Edit, an open-source remake of the 1991 MS-DOS Editor built with Rust that runs on Windows, macOS, and Linux, marking a shift in Microsoft’s cross-platform strategy for developer tools.
  • The tool addresses a gap in terminal-based text editors by providing both keyboard and mouse support with pull-down menus, offering an alternative to modal editors like Vim that often confuse new users.
  • Edit represents Microsoft’s continued investment in open-source developer tools and Linux compatibility, following their broader strategy of supporting developers regardless of platform choice.
  • For cloud developers who frequently work in terminal environments across different operating systems, Edit provides a consistent text editing experience without the learning curve of traditional Unix editors.
  • The project demonstrates how modern programming languages like Rust enable efficient cross-platform development of system tools that would have been platform-specific in the past.

24:01 📢 Ryan – “That’s my favorite part of this story – it’s the use of Rust under the covers, just because the structure of Rust makes it so easy to compile things that don’t need all the custom, you know, kernel compilation that you typically have. And so this is just kind of a neat thing of taking something from 1991 and making it new again.”

AWS

30:23 IAM Access Analyzer now identifies who in your AWS organization can access your AWS resources – AWS

  • IAM Access Analyzer now provides daily monitoring of internal access to S3, DynamoDB, and RDS resources within your AWS organization, using automated reasoning to evaluate all identity policies, resource policies, SCPs, and RCPs to identify which IAM users and roles have access.
  • The new unified dashboard combines internal and external access findings, giving security teams a complete view of resource access patterns and enabling them to either fix unintended access immediately or set up automated EventBridge notifications for remediation workflows.
  • This addresses a significant security visibility gap by helping organizations understand not just external access risks but also which internal identities can access critical resources, supporting both security hardening and compliance audit requirements.
  • The feature is available in all AWS commercial regions with pricing based on the number of resources analyzed, making it accessible for organizations to strengthen their least-privilege access controls without major cost barriers.
  • Security and compliance teams can now demonstrate proper access controls for audit purposes while proactively identifying and remediating overly permissive internal access before it becomes a security incident.

31:32 📢 Justin – “Don’t go turn this on for everything in your environment because man, this thing is expensive. $9 per month per resource being monitored is the price of this bad boy…So this is an expensive security tool.”

34:20 AWS Certificate Manager introduces exportable public SSL/TLS certificates to use anywhere | AWS News Blog

  • AWS Certificate Manager now allows you to export public SSL/TLS certificates with private keys for use on EC2 instances, containers, or on-premises hosts, breaking the previous limitation of only using certificates with integrated AWS services like ELB and CloudFront.
  • Exportable certificates are valid for 395 days and cost $15 per fully qualified domain name or $149 per wildcard domain, charged at issuance and renewal, compared to free certificates that remain locked to AWS services.
  • The export process requires setting a passphrase to encrypt the private key, and administrators can control access through IAM policies to determine who can request exportable certificates within an organization.
  • Certificates can be revoked if previously exported, and automatic renewal can be configured through EventBridge to handle certificate deployment automation when the 395-day validity period expires.
  • This feature addresses a common customer need to use AWS-issued certificates from Amazon Trust Services on workloads outside of AWS-integrated services while maintaining the same trusted root CA compatibility across browsers and platforms.

35:24 📢 Ryan – “I could not love this feature more. And as far as the price is concerned, I think it’s pennies on what you pay.”

40:39 AWS IAM now enforces MFA for root users across all account types – AWS

  • AWS now requires MFA for root users across all account types, including member accounts in AWS Organizations, completing a phased rollout that started with management accounts in May 2024 and standalone accounts in June 2024.
  • The enforcement supports multiple MFA methods including FIDO2 passkeys and security keys at no additional cost, with users able to register up to 8 MFA devices per root or IAM user account.
  • AWS recommends that Organizations customers centralize root access through the management account and remove root credentials from member accounts entirely for a stronger security posture.
  • This mandatory MFA requirement represents AWS’s shift toward secure-by-default configurations, addressing the fact that MFA prevents over 99% of password-related attacks.
  • The timing aligns with AWS’s November 2024 launch of centralized root access management for Organizations, creating a comprehensive approach to securing the most privileged accounts in AWS environments.

41:39 📢 Matt – “The amount of companies I had to argue with or like tools I had to argue with because they’re like, your root account doesn’t have MFA. I’m like, there’s no password; it was set up through control tower organizations. I don’t have a login to it people! Like, it was one thing where there’s one customer in order to pass some audit because the customer kept, their vendor kept yelling at them. They literally had to go set up 25 root accounts and put the MFA on it just to get past the stupid audit. I’m like, this made you more insecure.”

45:04 Improve your security posture using Amazon threat intelligence on AWS Network Firewall | AWS Security Blog

  • AWS Network Firewall now includes active threat defense, a managed rule group called AttackInfrastructure that automatically blocks malicious traffic using Amazon’s MadPot threat intelligence system, which tracks attack infrastructure like malware hosting URLs, botnet C2 servers, and crypto mining pools.
  • The service provides automated protection by continuously updating firewall rules based on newly discovered threats, eliminating the need for customers to manually manage third-party threat feeds or custom rules that often have limited visibility into AWS-specific threats.
  • Active threat defense implements comprehensive filtering for TCP, UDP, DNS, HTTPS, and HTTP protocols, blocking both inbound and outbound traffic to malicious IPs, domains, and URLs across categories, including command-and-control servers, malware staging hosts, and mining pools.
  • Deep threat inspection (DTI) enables shared threat intelligence across all active threat defense users, creating a collective defense mechanism where threats detected in one environment help protect others, though customers can opt out of log processing if needed.
  • The feature integrates with GuardDuty findings marked with “Amazon Active Threat Defense” threat list name for automatic blocking, and works best when combined with TLS inspection for analyzing encrypted HTTPS traffic, though organizations must balance security benefits with potential latency impacts.

46:33 📢 Ryan – “I was terribly afraid of something automatically adjusting my rules, shutting down my traffic, and adding complexity that I was going to have to be completely powerless to troubleshoot this production app. And it doesn’t coincide with my move to security, but it is funny. Because it’s too difficult, like the Cloudflare attack, you can’t keep up with the amount of attacks, the difference in attacks, and once you get into like hundreds and hundreds of different attack vectors and different things, you need a managed rule set to weed that out and just instrument it properly so that you can tell when it’s actually blocking legitimate traffic, which hopefully it doesn’t do very well.”

52:19 Amazon CloudFront simplifies web application delivery and security with new user-friendly interface | AWS News Blog

  • CloudFront introduces a streamlined console that creates fully configured distributions with DNS and TLS certificates in a few clicks, eliminating the need to navigate between Certificate Manager, Route 53, and WAF services separately.
  • The new experience automatically configures security best practices for S3-hosted static websites, including origin access control that ensures content can only be accessed through CloudFront rather than directly from S3 buckets.
  • AWS WAF integration now features intelligent Rule Packs that provide pre-configured protection against OWASP Top 10 vulnerabilities, SQL injection, XSS attacks, and malicious bot traffic without requiring deep security expertise.
  • A new multi-tenant architecture option allows organizations to configure distributions serving multiple domains with shared configurations, useful for SaaS providers or agencies managing multiple client sites.
  • The simplified setup reduces time to production for developers who previously needed to understand nuanced configuration options across multiple services, with no additional charges beyond standard CloudFront and WAF usage fees.

55:30 New AWS Shield feature discovers network security issues before they can be exploited (Preview) | AWS News Blog

  • AWS Shield network security director automates discovery of network resources across accounts and identifies security configuration gaps by comparing against AWS best practices, eliminating manual security audits that typically take weeks.
  • The service prioritizes findings by severity level (critical to informational) and provides specific remediation steps for implementing AWS WAF rules, VPC security groups, and network ACLs to address identified vulnerabilities.
  • Integration with Amazon Q Developer enables natural language queries about network security posture directly in the AWS console, allowing teams to ask questions like “What are my most critical network security issues?” without navigating complex dashboards.
  • Currently available in preview in US East (N. Virginia) and Europe (Stockholm) regions only, with the Amazon Q integration limited to N. Virginia, suggesting a gradual rollout approach.
  • This addresses a key pain point where security teams struggle to maintain visibility across sprawling AWS environments, particularly relevant as organizations face increasing DDoS and SQL injection attacks.

56:26 📢 Ryan – “Where has this tool been all my life?” 

58:42 Amazon GuardDuty expands Extended Threat Detection coverage to Amazon EKS clusters | AWS News Blog

  • GuardDuty Extended Threat Detection now correlates security signals across EKS audit logs, runtime behaviors, and AWS API activity to identify multistage attacks that exploit containers, escalate privileges, and access sensitive Kubernetes secrets – addressing a key gap where traditional monitoring detects individual events but misses broader attack patterns.
  • The service introduces critical severity findings that map observed activities to MITRE ATT&CK tactics and provides comprehensive attack timelines, affected resources, and AWS best practice remediation recommendations, reducing investigation time from hours to minutes for security teams managing containerized workloads.
  • To enable this feature, customers need either EKS Protection or Runtime Monitoring active (ideally both for maximum coverage), with GuardDuty consuming audit logs directly from the EKS control plane without impacting existing logging configurations or requiring additional setup.
  • This expansion positions GuardDuty as a comprehensive Kubernetes security solution competing with specialized tools like Falco and Sysdig, while leveraging AWS’s native integration advantages to detect attack sequences spanning both container and cloud infrastructure layers.
  • Pricing follows standard GuardDuty models based on analyzed events and runtime monitoring hours, making it cost-effective for organizations already using GuardDuty who can now consolidate EKS security monitoring without additional third-party tools.

59:56 📢 Ryan – “Yeah, except for they’re leaving out the fact that Kubernetes generates like 60 billion events per second….I mean, I like tools like this, but yeah, the Kubernetes runtime is so noisy that it’s like it requires no additional setup. Like, yeah, kind of. If you’re going to have GuardDuty be your parsing layer, that’s going to be very expensive.”

1:01:12 Unify your security with the new AWS Security Hub for risk prioritization and response at scale (Preview) | AWS News Blog

  • AWS Security Hub preview introduces unified security management by correlating findings across GuardDuty, Inspector, Macie, and CSPM to provide exposure analysis and attack path visualization. The service automatically identifies security exposures by analyzing resource relationships and generates prioritized findings without additional configuration.
  • The new exposure findings feature maps attack paths through network components and IAM relationships, showing how vulnerabilities could be exploited across VPCs, security groups, and permission configurations. This visualization helps security teams understand complex relationships between resources and identify where to implement controls.
  • Security Hub now provides a centralized inventory view of all monitored resources with integrated ticketing capabilities for workflow automation. The service uses the Open Cybersecurity Schema Framework (OCSF) for normalized data exchange across security tools.
  • The preview is available in 22 AWS regions at no additional charge, though customers still pay for integrated services like GuardDuty and Inspector. This positions Security Hub as a cost-effective aggregation layer for organizations already using multiple AWS security services.
  • For security teams, this reduces context switching between consoles and provides actionable prioritization based on actual exposure risk rather than just vulnerability counts. The coverage widget identifies gaps in security monitoring across accounts and services.

1:02:49 📢 Ryan – “So the pricing’s a trap. So AWS Security Hub, perfectly free. You want to send data somewhere? You got to put that in Security Lake. And that’s expensive.”

1:07:47 Secure your Express application APIs in minutes with Amazon Verified Permissions | AWS Security Blog

  • AWS released @verifiedpermissions/authorization-clients-js, an open-source package that lets Express.js developers implement fine-grained authorization using Amazon Verified Permissions with up to 90% less code than custom integrations.
  • The package leverages Cedar, an open source authorization policy language, allowing developers to externalize authorization logic from application code, making it easier to maintain, audit, and evolve security models over time.
  • Verified Permissions provides a managed service for Cedar that handles scaling, policy governance, and audit logging, removing the operational overhead of self-managing authorization infrastructure.
  • The integration works by analyzing your Express app’s OpenAPI specification to generate Cedar schemas and sample policies, then using middleware to intercept API requests and check permissions against your defined policies.
  • Real-world use case shown with a pet store app where administrators get full access, employees can view/create/update pets, and customers can only view and create pets – demonstrating role-based access control patterns common in business applications.

1:08:09 📢 Ryan – “I do like this because it’s what we’ve done with authentication – sort of exposing that from the app where you’re doing the token exchange outside of the application logic to identify who you are. And then the application is still doing all the authorization logic. This is basically taking that model and externalizing that as well; and then using that Cedar evaluation to do it, which is kind of neat.”

1:09:09 AWS Backup adds new Multi-party approval for logically air-gapped vaults | AWS News Blog

  • AWS Backup now integrates multi-party approval with logically air-gapped vaults, enabling organizations to recover backups even when their AWS account is completely compromised or inaccessible by requiring approval from a designated team of trusted individuals outside the compromised account.
  • The feature addresses a critical security gap where attackers with root access could previously lock organizations out of their own backups – now recovery can proceed through an independent authentication path using IAM Identity Center users who approve vault sharing requests through a dedicated portal.
  • Implementation requires creating approval teams in the AWS Organizations management account, associating them with logically air-gapped vaults via AWS RAM, and establishing minimum approval thresholds – all activities are logged in CloudTrail for compliance and audit purposes.
  • This represents the first AWS service to integrate the new Multi-party approval capability, signaling AWS’s broader push toward distributed governance models for sensitive operations across its service portfolio.
  • Organizations should regularly test their recovery process from clean accounts and monitor approval team health through AWS Backup Audit Manager to ensure sufficient active participants are available during actual emergencies.

1:11:03 Rapid monitoring of Amazon S3 bucket policy changes in AWS environments | AWS Storage Blog

  • AWS provides a CloudFormation template that automatically monitors S3 bucket policy changes using CloudTrail, EventBridge, and SNS to send email notifications containing IP address, timestamp, bucket name, and account ID when policies are modified.
  • The solution addresses a critical security need as enterprises manage hundreds of access policies across expanding cloud environments, helping central security teams maintain visibility and compliance for S3 bucket access controls.
  • Implementation requires only CloudTrail to be enabled and uses KMS encryption for secure SNS message delivery, with the ability to extend beyond email to create internal tickets or trigger webhooks based on operational requirements.
  • The EventBridge rule matches CloudTrail events for PutBucketPolicy, DeleteBucketPolicy, PutBucketAcl, and PutObjectAcl, so it covers both bucket policy changes and ACL changes (on buckets and on individual objects), the two ways access to S3 data gets widened.
  • Organizations can deploy this solution across multiple AWS accounts and regions using CloudFormation StackSets, making it practical for large-scale environments managing millions of S3 buckets.
  • We apologize to Matt for not killing this story ahead of time. That will teach you not to read through the show notes before recording. 

1:14:39 Introducing AWS CDK Community Meetings | AWS Open Source Blog

  • AWS CDK is launching bi-quarterly community meetings starting June 24, 2025, with two sessions (8am and 5pm PDT) to accommodate global users, replacing their original plan for a formal Contributor Council governance model.
  • The meetings will feature roadmap updates, team demos, RFC reviews, and open Q&A sessions, with all content recorded and posted to YouTube for those who can’t attend live.
  • This shift to open community meetings allows broader participation beyond just core contributors while maintaining AWS’s control as project maintainer, addressing the balance between community input and project governance.
  • Meeting agendas and notes will be tracked via GitHub issues labeled “community-meeting”, with participants able to submit questions and topics in advance through issue comments.
  • The initiative includes periodic surveys (the first one closing July 1, 2025) to gather community feedback, signaling AWS’s commitment to making CDK development more transparent and community-driven.

1:15:13 📢 Ryan – “The only thing they could have done to drive me further away from CDK is to have community meetings to talk about it.” 

1:16:56 1Password’s New Secrets Syncing Integration With AWS | 1Password

  • 1Password now integrates with AWS Secrets Manager, allowing users to sync secrets directly from the 1Password desktop app to AWS environments without SDKs or code changes. 
  • This addresses secret sprawl by providing a centralized management interface for credentials used in AWS applications.
  • The integration leverages 1Password environments (beta), which provide project-specific scoping for secrets and use confidential computing to ensure secrets are never exposed as plaintext during sync operations. Teams can manage environment-specific credentials independently with built-in security controls.
  • This marks the first deliverable under 1Password’s Strategic Collaboration Agreement with AWS, positioning it as a preferred secrets management solution for AWS customers. 
  • The integration is available to all 1Password tiers at no additional cost beyond existing subscriptions.
  • Key use cases include streamlining deployments by automatically updating secrets in AWS applications, reducing operational bottlenecks through scoped access controls, and simplifying onboarding for new team members who can manage secrets without learning AWS-specific tools.
  • While the current integration focuses on environment variables and secrets, developers requiring more complex workflows like AI agents accessing credit card data can still use 1Password service accounts with SDKs for custom implementations.

1:17:44 📢 Justin – “While, I think this is really cool, why couldn’t you just use Parameter Store, which is much cheaper?” 

1:19:15 Amazon Time Sync Service now supports Nanosecond Hardware Packet Timestamps – AWS

  • Amazon Time Sync Service now adds nanosecond-precision timestamps directly at the hardware level on supported EC2 instances, bypassing kernel and application delays for more accurate packet timing. 
  • This leverages the AWS Nitro System’s reference clock to timestamp packets before they reach the software stack.
  • The feature enables customers to determine exact packet order and fairness, measure one-way network latency, and increase distributed system transaction speeds with higher precision than most on-premises solutions. The timestamps themselves have nanosecond resolution, while the PTP Hardware Clock they are taken from is kept within microseconds of UTC, so financial trading systems and other latency-sensitive applications can sequence packets far more precisely than software timestamps allow.
  • Available in all regions where Amazon Time Sync Service’s PTP Hardware Clocks are supported, the feature works on both virtualized and bare metal instances at no additional cost. Customers need only install the latest ENA Linux driver to access timestamps through standard Linux socket APIs.
  • This positions AWS as a strong contender for ultra-low latency workloads that traditionally required specialized on-premises hardware, particularly in financial services, where nanosecond precision can translate to competitive advantages in high-frequency trading and market data processing.
  • The integration with existing Time Sync Service infrastructure means customers already using PTP Hardware Clocks can enable this feature without VPC configuration changes, making adoption straightforward for teams already invested in AWS time synchronization.

1:20:22 📢 Ryan – “I was super surprised when NASDAQ announced that they were moving their trading workloads into AWS… This is a key blocker to using cloud systems. And so it’s being able to not only process things at a very near time, but being able to audit the fairness and that you’re processing in a specific order is super important in those workloads and high trading volume – you’re talking billions of transactions a second. So I get why it’s important. And it was kind of neat to learn that and all the difficulties and all the work that goes into this. I’m sure this, I wonder if this is, was this available in 2022 just for NASDAQ?”

1:21:45 Amazon VPC raises default Route Table capacity – AWS

  • AWS VPC increases the default route table capacity from 50 to 500 entries, eliminating the need for manual limit increase requests that previously created administrative overhead for customers managing complex network architectures.
  • This 10x capacity increase directly benefits organizations using multiple network paths for traffic inspection, firewall insertion, or connecting to various gateways like transit gateway, VPN, or peering connections.
  • The change applies automatically to all existing and new VPCs across commercial and GovCloud regions, though accounts with existing quota overrides will maintain their current settings.
  • Network architects can now build more sophisticated routing topologies without hitting limits, particularly useful for hub-and-spoke designs or multi-region deployments that require granular traffic control.
  • While there’s no additional cost for the increased capacity, customers should review their route table configurations as more complex routing rules may impact network performance if not properly optimized.

1:22:17 📢 Justin – “I don’t want to be in a situation where I’m managing 500 entries across multiple VPCs, even with things like Transit Gateway that make these things easier. I don’t want to do this.”

1:26:29 AWS’s Project Rainier: the world’s most powerful computer for training AI

  • AWS Project Rainier creates the world’s most powerful AI training computer using tens of thousands of Trainium2 UltraServers spread across multiple US data centers, providing Anthropic 5x more computing power than their current largest cluster for training Claude models.
  • The system uses custom Trainium2 chips capable of trillions of calculations per second, connected via NeuronLinks within 64-chip UltraServers and EFA networking across data centers to minimize latency and maximize training throughput.
  • AWS’s vertical integration from chip design through data center infrastructure enables rapid optimization across the entire stack, while new cooling and power efficiency measures reduce mechanical energy consumption by up to 46% and embodied carbon in concrete by 35%.
  • Project Rainier establishes a template for deploying computational power at unprecedented scale, enabling AI breakthroughs in medicine, climate science, and other complex domains that require massive training resources.
  • The infrastructure maintains AWS’s industry-leading water efficiency at 0.15 liters per kilowatt-hour (less than half the industry average) through innovations like seasonal air cooling that eliminates water use entirely during cooler months.

1:28:13 Now in GA: Accelerate troubleshooting with Amazon CloudWatch investigations – AWS

  • CloudWatch investigations uses an AI agent to automatically identify anomalies, surface related signals, and suggest root cause hypotheses across your AWS environment, reducing mean time to resolution at no additional cost.
  • You can trigger investigations from any CloudWatch widget, 80+ AWS consoles, CloudWatch alarms, or Amazon Q chat, with results accessible through Slack and Microsoft Teams for team collaboration.
  • The service provides remediation suggestions by surfacing relevant AWS Systems Manager Automation runbooks, AWS re:Post articles, and documentation for common operational issues.
  • This was previously in preview as Amazon Q Developer operational investigations and is now GA in 12 regions, including US East, Europe, and Asia Pacific.
  • The integration across AWS services and communication channels addresses a key pain point in cloud operations where teams struggle to correlate signals across distributed systems during incidents.

1:28:33 📢 Justin – “I did see this button in my console recently and I did push it to see what it was. It has not put me out of a job, I’m still smarter than it, but it’s pretty cool.”

GCP

1:30:49 Gemini 2.5 Updates: Flash/Pro GA, SFT, Flash-Lite on Vertex AI | Google Cloud Blog

  • Google’s Gemini 2.5 Flash and Pro models are now generally available on Vertex AI, with Flash optimized for high-throughput tasks like summarization and data extraction while Pro handles complex reasoning and code generation. 
    • The GA release provides production-ready stability for enterprise deployments.
  • New Gemini 2.5 Flash-Lite enters public preview as Google’s most cost-effective model, running 1.5x faster than 2.0 Flash at lower cost, targeting high-volume workloads like classification and translation. 
  • This positions Google competitively against AWS Bedrock’s lighter models and Azure’s economy tier offerings.
  • Supervised Fine-Tuning for Gemini 2.5 Flash is now GA, allowing enterprises to customize the model with their own datasets and terminology. This addresses a key enterprise requirement for domain-specific AI that competitors have been pushing with their fine-tuning capabilities.
  • The Live API with native audio-to-audio capabilities enters public preview, enabling real-time voice applications without intermediate text conversion. This streamlines development of voice agents and interactive AI systems, competing directly with OpenAI’s real-time API offerings.
  • Pricing reflects the tiered approach with Flash-Lite for cost-sensitive workloads, Flash for balanced performance, and Pro for advanced tasks. Complete pricing details available at cloud.google.com/vertex-ai/generative-ai/pricing.

1:33:25 Backup vaults add support for disk backup and multi-region | Google Cloud Blog

  • Google Cloud Backup vaults now support standalone Persistent Disk and Hyperdisk backups in preview, enabling granular disk-level protection without backing up entire VMs. This provides cost optimization for scenarios where full VM backups aren’t necessary while maintaining immutable and indelible protection against ransomware.
  • Multi-region backup vaults are now generally available, storing backup data across multiple geographic regions to maintain accessibility during regional outages. AWS Backup vaults, by contrast, are single-region, and cross-region resilience there depends on copying recovery points to a vault in another region.
  • Backup vaults create a logically air-gapped environment in Google-managed projects where backups cannot be modified or deleted during enforced retention periods, even by backup administrators. 
    • This goes beyond traditional backup solutions by preventing malicious actors from corrupting recovery points.
  • The service provides unified management across Compute Engine VMs, Persistent Disks, and Hyperdisks with integration to Security Command Center for anomaly detection. 
    • This consolidation reduces operational complexity compared to managing separate backup solutions for different resource types.
  • Key use cases include protecting database disks, file shares, and application data where granular recovery is needed. Financial services and healthcare organizations requiring immutable backups for compliance will benefit from the enforced retention capabilities.
  • Backups. Woo!

1:34:54 Introducing Continuous Integration for Looker | Google Cloud Blog

  • Google introduces Continuous Integration for Looker, bringing software development best practices to BI workflows by automatically testing LookML code changes before production deployment to catch data inconsistencies and broken dependencies early.
  • The feature includes validators that flag upstream SQL changes breaking Looker definitions, identify dashboards referencing outdated LookML, and check for code errors and antipatterns – addressing scalability challenges as organizations expand their Looker usage across teams.
  • Developers can manage CI test suites, runs, and configurations directly within Looker’s UI, with options to trigger tests manually, via pull requests, or on schedules – similar to how AWS QuickSight handles version control but with deeper integration into the development workflow.
  • This positions Looker more competitively against Microsoft Power BI’s deployment pipelines and Tableau’s version control features, particularly for enterprises requiring robust data governance and reliability across multiple data sources.
  • Currently available in preview with no pricing details announced, the feature targets organizations with complex data environments where manual testing of BI assets becomes impractical as teams scale.

1:36:29 📢 Ryan – “I think this is kind of neat, and I do really like the scalability. It looks like there’s AI built into it to detect issues because that’s also a thing. Like this dashboard works great on my dataset that I started with, and then you start expanding out the use case and all of a sudden those graphs don’t load.”

1:38:53 Run Service Extensions plugins with Cloud CDN | Google Cloud Blog

  • Google Cloud CDN now supports Service Extensions plugins, allowing customers to run custom WebAssembly code at the edge across 200+ points of presence for request/response manipulation and custom logic execution.
  • The feature enables edge computing use cases like custom traffic steering, cache optimization, header manipulation, and security policies, competing directly with AWS Lambda@Edge and Cloudflare Workers but integrated natively with Cloud CDN.
  • Plugins support multiple languages including Rust, C++, and Go, execute with single-millisecond startup times, and run in sandboxed environments using the open-source Proxy-Wasm API standard.
  • Cloudinary has already integrated their image and video optimization solution as a packaged Wasm plugin, demonstrating partner ecosystem adoption for media-heavy workloads requiring dynamic content transformation.
  • Developers can choose between edge extensions (before CDN cache) or traffic extensions (after cache, closer to origin), providing flexibility in where custom code executes in the request path.

Azure

1:40:23 Microsoft lays out its path to useful quantum computing – Ars Technica

  • Microsoft Azure Quantum announced a quantum error correction scheme that can improve hardware qubit error rates from 1 in 1,000 to logical qubit error rates of 1 in 1 million, though this is based on mathematical proofs and simulations rather than demonstrated hardware performance.
  • Azure’s approach differs from IBM’s fixed-layout quantum chips by supporting multiple hardware technologies with movable qubits, such as Atom Computing’s neutral atoms and Quantinuum’s trapped ions, allowing more flexible error correction implementations.
  • The platform-agnostic strategy positions Azure Quantum as a multi-vendor quantum computing marketplace rather than a single-hardware solution, giving customers access to different quantum technologies through one service.
  • While IBM designs both hardware and software for their quantum systems, Microsoft focuses on the software stack for error correction that works across various partner hardware platforms, potentially offering more choice but less optimization.
  • Enterprise customers interested in quantum computing can evaluate different hardware approaches through Azure without committing to a single technology, though practical quantum applications remain years away pending actual hardware demonstrations of the error correction scheme.

1:40:59 📢 Ryan – “I look forward to – like our earlier comments about not getting into AI early enough and missing out on the hundred million day payday – I’m going to do the same thing when it comes to quantum computing and be like ‘they’re going to get all this money for the quantum computer scientists.’ If only I would have not been able to stay awake while I was reading through one of these articles. It’s so dense.”

1:41:55 Introducing MCP Support for Real-Time Intelligence (RTI)  | Microsoft Fabric Blog | Microsoft Fabric

  • Microsoft Fabric Real-Time Intelligence now supports Model Context Protocol (MCP), enabling AI models like Azure OpenAI to query real-time data using natural language that gets translated into KQL queries. 
  • This open-source integration allows developers to connect AI agents to Eventhouse and Azure Data Explorer for immediate data analysis.
  • The MCP server acts as a bridge between AI applications (GitHub Copilot, Claude, Cline) and Microsoft’s real-time data platforms, providing schema discovery, data sampling, and query execution capabilities. 
    • Installation requires VS Code with GitHub Copilot extensions and can be deployed via pip package microsoft-fabric-rti-mcp.
  • Current support focuses on Eventhouse KQL queries with planned expansions to Digital Twin Builder, Eventstreams, and Activator integration for proactive insights. This positions Microsoft against AWS’s real-time analytics offerings by providing a standardized protocol for AI-to-data interactions.
  • Target use cases include real-time threat detection, operational monitoring, and automated decision-making where AI agents need immediate access to streaming data. The natural language interface removes the KQL learning curve for business users while maintaining query optimization.
  • The architecture follows a modular client-server model where MCP hosts (AI models) communicate through MCP clients to lightweight MCP servers, enabling plug-and-play integration with minimal configuration. No specific pricing mentioned, but leverages existing Fabric RTI infrastructure costs.

1:42:19 Azure DevOps MCP Server, Public Preview – Azure DevOps Blog

  • Azure DevOps MCP Server enables GitHub Copilot in VS Code and Visual Studio to access Azure DevOps data including work items, pull requests, test plans, builds, and wikis, running locally to keep private data within your network.
  • The MCP server acts as a bridge between AI assistants and Azure DevOps, injecting real-time project context into LLM prompts for more accurate and relevant responses specific to your development environment.
  • Currently supports only Azure DevOps Services (cloud) with on-premises Azure DevOps Server support not planned for several months due to missing API availability, which may limit adoption for enterprise customers with on-prem requirements.
  • Setup requires Azure CLI authentication and local configuration file modifications, positioning this as a developer-focused tool rather than a managed service like AWS CodeWhisperer or Google’s Duet AI integrations.
  • The local-only architecture addresses data sovereignty concerns but lacks the scalability of cloud-based alternatives, making it suitable for individual developers or small teams rather than enterprise-wide deployments.

1:43:38 📢 Ryan – “You could argue that using AI for vibe coding is TDD because you’re basically stating the outcome you want, almost an assertion and telling it, go do this thing. It’s not exactly the same, I know.”

1:44:08 Cohere Models Now Available on Managed Compute in Azure AI Foundry Models | Microsoft Community Hub

  • Azure AI Foundry now offers Cohere’s Command A, Rerank 3.5, and Embed 4 models through Managed Compute, allowing customers to deploy these models using their own Azure GPU quota with hourly pricing ranging from $2.94 to $17.125 per instance.
  • This deployment option provides infrastructure flexibility with A10, A100, and H100 GPU choices while maintaining enterprise features like VNet support, private endpoints, and scaling policies – addressing a gap where models weren’t available through standard pay-per-token endpoints.
  • The pricing model compensates Cohere directly through usage fees while giving customers control over their compute infrastructure, similar to AWS SageMaker’s bring-your-own-model approach but with integrated billing for third-party models.
  • Target use cases include RAG implementations with Rerank 3.5, vector search applications using Embed 4, and advanced reasoning tasks with Command A, making this particularly relevant for enterprises building production GenAI applications.
  • This positions Azure competitively against AWS Bedrock and Google Vertex AI by expanding model availability beyond first-party offerings while simplifying deployment complexity for customers who need specific GPU configurations or network isolation.

1:44:20 Use OpenTelemetry with Azure Functions | Microsoft Learn

  • Azure Functions now supports OpenTelemetry in preview, enabling standardized telemetry export to any OpenTelemetry-compliant endpoint beyond just Application Insights. 
  • This gives developers flexibility to use their preferred observability platforms while maintaining correlation between host and application traces.
  • The implementation requires configuration at both the host level (host.json) and application code level, with language-specific SDKs available for C#, Node.js, Python, and PowerShell. Java support is notably absent, and C# in-process apps aren’t supported yet.
  • This positions Azure Functions closer to AWS Lambda’s X-Ray integration and GCP Cloud Functions’ native OpenTelemetry support, though Azure’s implementation is still catching up with limited trigger support (only HTTP, Service Bus, and Event Hub triggers currently work).
  • The feature addresses vendor lock-in concerns by allowing telemetry data to flow to multiple endpoints simultaneously – both Application Insights and OTLP exporters can receive data when configured, useful for organizations transitioning between monitoring solutions.
  • Current limitations include no log streaming support in Azure portal when OpenTelemetry is enabled and no support for managed dependencies in PowerShell on Flex Consumption plans, suggesting this is best suited for greenfield projects rather than migrations.

1:44:48 📢 Justin – “OTel should just be default Azure. Come on.”

1:45:26 Public Preview – Data Virtualization for Azure SQL Database | Microsoft Community Hub

  • Azure SQL Database now supports data virtualization in public preview, enabling direct T-SQL queries against CSV, Parquet, and Delta files stored in Azure Data Lake Storage Gen2 or Azure Blob Storage without ETL processes or data duplication. This brings PolyBase-like capabilities from SQL Server 2022 to Azure SQL Database.
  • The feature supports three authentication methods (Managed Identity, User Identity, and SAS tokens) and allows organizations to offload cold data to cheaper storage while maintaining query access through standard SQL commands. This addresses the common challenge of balancing storage costs with data accessibility.
  • Unlike AWS Redshift Spectrum or BigQuery external tables, Azure’s implementation leverages familiar T-SQL syntax and integrates seamlessly with existing SQL Server security models, making it easier for SQL Server shops to adopt without learning new query languages.
  • Primary use cases include archiving historical data to reduce database storage costs, creating data lakes accessible via SQL, and enabling real-time analytics across multiple data sources without complex data pipelines. The feature is currently available in select regions with broader rollout planned.
  • Cost implications are significant as organizations can store infrequently accessed data in blob storage (from $0.00099/GB/month in the archive tier) versus Azure SQL Database storage (starting at $0.115/GB/month), while maintaining query capabilities through external tables.

1:47:43 Microsoft Ignite – Nov 18-21 2025 

  • Microsoft Ignite 2025 will be held in person in San Francisco from November 18-21, focusing on AI, infrastructure, security, and emerging technologies with hands-on labs and product demonstrations.
  • In-person attendees receive complimentary Microsoft and GitHub certification exams on-site, providing cost savings of $165-330 per exam while validating skills in Azure and development technologies.
  • The conference timing aligns with Microsoft’s typical fall product announcement cycle, positioning it as a key venue for Azure roadmap updates and new service launches ahead of re:Invent.
  • Early registration opening suggests Microsoft expects high demand following the shift back to in-person events, with the San Francisco location providing better West Coast accessibility compared to previous Orlando venues.
  • The dual focus on AI and infrastructure indicates Microsoft will likely showcase Azure AI services integration with traditional cloud workloads, competing directly with AWS’s AI/ML portfolio announcements.
  • THEY ARE RIDICULOUSLY PROUD OF THIS CONFERENCE $2325 – and that’s the early bird price! 
    • NO. 
    • But also, no. 

Oracle

1:50:37 xAI’s Grok Models are Now on Oracle Cloud Infrastructure

  • Oracle now offers xAI’s Grok models through OCI Generative AI service, marking Oracle’s entry into hosting third-party foundation models alongside AWS Bedrock and Azure OpenAI Service, though arriving significantly later to this market segment.
  • The partnership leverages OCI’s bare metal GPU instances for training and inference, with Oracle emphasizing price-performance advantages – a claim worth scrutinizing given AWS and GCP’s established dominance in AI infrastructure and economies of scale.
  • xAI promises zero data retention endpoints for enterprise customers, addressing a key concern for regulated industries, though implementation details and compliance certifications remain unclear compared to established enterprise AI offerings.
  • Windstream’s exploration of Grok models for telecommunications workflows represents a practical use case, but adoption may be limited to existing Oracle customers already invested in OCI infrastructure rather than attracting new cloud customers.
  • While Grok 3 claims advanced reasoning capabilities in mathematics and coding, the lack of public benchmarks or comparisons to GPT-4, Claude, or Gemini models makes it difficult to assess its actual competitive positioning in the enterprise AI market.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback or ask questions at theCloudPod.net or tweet at us with hashtag #theCloudPod
