Welcome to episode 341 of The Cloud Pod, where the forecast is always cloudy! Matt & Ryan are picking up Justin’s slack this week while he’s traveling for work, but don’t worry, because they have plenty of news! We’re talking about those mass layoffs over at AWS, a major security breach over at Notepad++, and some new sleight of hand over at Elon’s companies. There’s a lot to cover, so let’s get into it!
Titles we almost went with this week
- 🏠 Finally, a Chatbot That Actually Knows Where Your Data Lives (Anthropic)
- 🔐 Microsoft Adds Security Analyzer to MSSQL Extension: Because Bobby Tables Jokes Are Only Funny Until They Happen to You
- 😢 From Sequential Sadness to Parallel Paradise: GKE Node Pools Get Concurrent
- 🧑‍💻 From Vibe Coding to Production: AWS MCP Server Gets SOPs
- 💍 One Prompt to Deploy Them All: AWS MCP Server Automates Infrastructure
- ↘️ AWS Layoffs: Scaling Down Instead of Scaling Out
- 👩‍❤️‍👨 Mutual TLS: Because CloudFront and Your Origin Need Couples Therapy
- 🪑 Claude Team Plan: Now With More Seats and Less Bills
- ❄️ From Snowflake to Snowball: Rolling Data and Dev Into One Platform
- 📒 From Notepad++ to Notepad Pwned: A Six-Month Hosting Horror Story
- 💆 EventBridge Payload Capacity Gets a 4x Upgrade: No More Event Splitting Headaches
- 🪪 CloudFront Finally Learns to Check ID Before Knocking on Origin’s Door
General News
01:30 SpaceX acquires xAI, plans to launch a massive satellite constellation to power it – Ars Technica
- SpaceX has acquired xAI to create a vertically integrated AI and space infrastructure company, with plans to deploy up to 1 million satellites as orbital data centers.
- This represents a significant bet that space-based compute infrastructure can be cost-competitive with traditional ground-based data centers for AI workloads.
- The merger combines SpaceX’s launch capabilities and satellite manufacturing expertise with xAI’s Grok chatbot and X social platform.
- The strategy assumes AI demand will continue to grow and that compute capacity, rather than other factors, is the primary bottleneck to AI adoption.
- The orbital data center concept raises questions about latency, power requirements, thermal management, and maintenance compared to terrestrial facilities.
- Traditional cloud providers have invested heavily in ground-based infrastructure optimized for these factors.
- This consolidation of Musk’s companies creates potential conflicts between SpaceX’s established government and commercial contracts and xAI’s more controversial products.
- The integration of a proven aerospace company with a newer AI venture introduces execution risk to SpaceX’s core business.
- The plan depends on several unproven assumptions, including sustained AI market growth, viable economics for space-based computing, and the ability to manufacture and launch satellites at unprecedented scale.
- Cloud providers and enterprises will need to evaluate whether orbital compute offers advantages over existing multi-region terrestrial deployments.
03:22 📢 Ryan – “I feel like this is a shell game con; taxes are over here – no, now they’re over here!”
06:49 Notepad++ Hijacked by State-Sponsored Hackers | Notepad++
- Chinese state-sponsored hackers compromised Notepad++ update infrastructure from June through December 2025 by exploiting vulnerabilities at the shared hosting provider level, not in Notepad++ code itself.
- The attackers maintained access to internal service credentials even after losing server access in September, allowing them to selectively redirect update traffic to malicious servers until December 2025.
- The attack exploited insufficient update verification controls in older Notepad++ versions, with attackers specifically targeting the update manifest endpoint to serve compromised installers to selected users.
- Version 8.8.9 added certificate and signature verification for downloaded installers, while the upcoming version 8.9.2 will enforce XMLDSig signature verification on update server responses.
- The hosting provider confirmed the compromise was limited to one shared hosting server and found no evidence of other clients being targeted, though the investigation of 400GB of logs yielded no concrete indicators of compromise like binary hashes or IP addresses. Rapid7 and Kaspersky later published a more detailed technical analysis with actual IoCs.
- This incident demonstrates supply chain attack risks even for open source software with millions of users, particularly when update infrastructure relies on shared hosting environments.
- The Notepad++ project has since migrated to a new hosting provider with stronger security practices and implemented multiple layers of cryptographic verification.
09:24 📢 Matt – “Getting in at this level – and that maintenance of control for 7 months – is crazy. It’s a pretty big attack.”
15:25 Internal Messages Reveal Teams, Jobs Affected in Amazon Layoffs – Business Insider
- Amazon is cutting 16,000 corporate roles in its second major layoff round within four months, affecting multiple AWS service teams, including Bedrock AI, Redshift data warehouse, and ProServe consulting divisions.
- The cuts represent a significant restructuring of Amazon’s corporate workforce of approximately 350,000 employees.
- AWS engineering teams appear heavily impacted based on internal Slack messages, with software engineers from core cloud services posting job searches.
- This raises questions about AWS’s product development velocity and customer support capacity during a period of intense AI competition with Microsoft Azure and Google Cloud.
- Affected US employees receive 90 days for internal job searches with severance and benefits for those unable to find new positions.
- The timing follows Amazon’s return-to-office mandate and broader tech industry cost-cutting trends.
- The layoffs touch customer-facing teams like Prime subscription services and last-mile delivery alongside cloud infrastructure groups. This dual impact on retail and AWS operations suggests company-wide efficiency initiatives rather than targeted underperformance in specific business units.
17:24 📢 Matt – “It really did affect a broad spectrum of the org.”
AI Is Going Great – Or How ML Makes Money
19:10 Project Genie: AI world model now available for Ultra users in U.S.
- Google DeepMind launches Project Genie, an experimental web app now available to Google AI Ultra subscribers in the U.S. (18+), powered by the Genie 3 world model that generates interactive 3D environments in real-time based on text prompts and images.
- Unlike static 3D snapshots, Genie 3 simulates physics and interactions dynamically as users navigate, creating expanding worlds on the fly.
- The platform offers three core capabilities: World Sketching (using Nano Banana Pro for image preview and fine-tuning before entering), World Exploration (real-time path generation based on user actions with adjustable camera controls), and World Remixing (building on existing worlds from galleries).
- Users can define character perspectives (first-person or third-person) and movement types (walking, flying, driving).
- Current limitations include 60-second generation caps, occasional physics inconsistencies, character control issues with higher latency, and generated worlds that may not always match prompts precisely.
- Some Genie 3 capabilities announced in August, like promptable events that modify worlds during exploration, are not yet included in this prototype.
- This release represents Google’s approach to building general-purpose AI systems that can navigate diverse real-world scenarios, moving beyond domain-specific agents like AlphaGo.
- The technology has potential applications in robotics simulation, animation modeling, location exploration, and historical setting recreation, though it remains an early research prototype in Google Labs.
24:07 Retiring GPT-4o, GPT-4.1, GPT-4.1 mini, and OpenAI o4-mini in ChatGPT | OpenAI
- OpenAI will retire GPT-4o, GPT-4.1, GPT-4.1 mini, and o4-mini from ChatGPT on February 13, 2026, though API access remains unchanged.
- Only 0.1% of users still select GPT-4o daily, with most usage shifted to GPT-5.2.
- GPT-4o was previously deprecated, then restored after user feedback about creative ideation needs and preference for its conversational warmth.
- This feedback directly influenced GPT-5.1 and GPT-5.2 development, which now includes customizable personality controls for warmth, enthusiasm, and conversational styles like Friendly.
- OpenAI is addressing user complaints about unnecessary refusals and overly cautious responses in newer models. The company is developing an adult-focused version of ChatGPT for users over 18 with expanded freedom within appropriate safeguards, supported by age prediction rollout in most markets.
- The model retirement strategy allows OpenAI to concentrate resources on improving models with active user bases rather than maintaining legacy versions.
- This follows a pattern of deprecating older models as newer versions incorporate user-requested features and achieve broader adoption.
25:43 📢 Matt – “Deprecation of things is one of the hardest things; we joked a lot last year when AWS finally deprecated things, but it’s hard. People have it built in and hard-coded into their apps and workflows. They’re used to specific types of responses.”
28:15 Introducing the Codex app | OpenAI
- OpenAI launches the Codex desktop app for macOS, a command center interface for managing multiple AI coding agents simultaneously across long-running development tasks.
- The app includes native support for parallel agent workflows using git worktrees, allowing multiple agents to work on isolated copies of the same repository without conflicts while maintaining separate thread contexts per project.
- Codex now extends beyond code generation through a Skills system that bundles instructions, resources, and scripts for tasks like Figma design implementation, Linear project management, and cloud deployment to Cloudflare, Netlify, Render, and Vercel.
- OpenAI demonstrated this by having Codex autonomously build a complete racing game using 7 million tokens from a single prompt, with the agent taking on designer, developer, and QA tester roles.
- The app introduces Automations for scheduled background tasks like daily issue triage, CI failure analysis, and release briefs, with results landing in a review queue for developer oversight. All agents run in configurable system-level sandboxes by default, restricted to editing files in their working folder and requiring permission for elevated operations like network access.
- For a limited time, OpenAI is including Codex access with ChatGPT Free and Go tiers and doubling rate limits across all paid plans (Plus, Pro, Business, Enterprise, Edu).
- Usage has doubled since GPT-5.2-Codex launched in mid-December, with over one million developers now using the service, and Windows support is planned for future releases.
29:52 📢 Ryan – “They’ve got a lot of catching up to do. Claude Code is all I hear about…it’s everywhere. I do hear about Gemini Code, mostly because I live in that ecosystem. I haven’t had a chance to play with it and compare it to the other tools.”
AWS
35:20 AWS announces Deployment Agent SOPs in AWS MCP Server
- AWS introduces Deployment Agent SOPs in the AWS MCP Server in preview, enabling developers to deploy web applications to production using natural language prompts through MCP-compatible tools like Claude, Cursor, and Kiro.
- The system automatically generates CDK infrastructure, deploys CloudFormation stacks, and sets up CI/CD pipelines with AWS security best practices included.
- The feature addresses the gap between AI-assisted prototyping and production deployment by allowing developers to move from vibe-coded applications to production environments in a single prompt. This is fine. Just fine.
- Agent SOPs follow multi-step procedures to analyze project structure, create preview environments on S3 and CloudFront, and configure CodePipeline for automated deployments from source repositories.
- Support includes popular web frameworks like React, Vue.js, Angular, and Next.js, with automatic documentation generation that enables AI agents to handle future deployments and troubleshooting across sessions. The deployment process creates persistent documentation in the repository for continuity.
- Currently available in preview at no additional cost in the US East (N. Virginia) Region only, with customers paying standard rates for AWS resources created and applicable data transfer costs.
- This represents AWS’s integration of AI agents into the deployment workflow, competing with other infrastructure-as-code and deployment automation tools.
36:58 📢 Ryan – “I like and hate this all at the same time.”
40:54 AWS STS now supports validation of select identity provider-specific claims from Google, GitHub, CircleCI and OCI
- AWS STS now validates provider-specific claims from Google, GitHub, CircleCI, and Oracle Cloud Infrastructure when federating into AWS via OIDC.
- This allows customers to reference custom claims as condition keys in IAM role trust policies and resource control policies, enabling more granular access control for federated identities beyond the standard OIDC claims.
- The feature addresses a common security gap where organizations previously could only validate standard OIDC claims like subject and audience, but couldn’t enforce conditions based on provider-specific attributes like GitHub repository names or Google Workspace domains.
- This enhancement helps establish data perimeters by allowing customers to restrict access based on the specific context of the federated identity.
- Available now in all AWS Commercial Regions at no additional cost beyond standard STS API usage.
- Organizations using OIDC federation for CI/CD pipelines, developer access, or multi-cloud identity management can immediately implement more restrictive trust policies without changing their authentication flows.
- The supported claims vary by provider and include attributes like GitHub repository visibility, CircleCI project IDs, and OCI tenancy information. Full documentation of available condition keys is provided in the IAM User Guide under Available Keys for OIDC federation.
17:00 📢 Matt – “This is a fantastic feature that I was convinced was a brand new announcement, until Matt schooled me and said, ‘I’ve been doing this for months, ‘ because I didn’t know you could do this with STS.”
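To make the trust-policy point above concrete, here is an added example (not AWS code, and not from the announcement) that evaluates an IAM role trust policy’s Condition block against the claims in a decoded GitHub OIDC token, the way STS does on AssumeRoleWithWebIdentity. It contrasts a policy that checks only the standard `sub`/`aud` claims with one that also pins provider-specific claims. The token contents are constructed, and the condition-key names for the provider-specific claims (`token.actions.githubusercontent.com:repository_owner`, `…:repository_visibility`) are assumed for illustration; the authoritative key list is the IAM User Guide section the notes cite.

```python
"""Evaluate an IAM role trust policy Condition block against OIDC token claims.

Added example, not AWS code. The provider-specific condition-key names below
are assumptions; confirm them against the IAM User Guide before use.
"""
import re
from typing import Optional

# The issuer host is the prefix IAM uses for the identity provider's condition keys.
ISSUER = "token.actions.githubusercontent.com"

# Constructed token claims, as they look after the IdP's JWT has been decoded.
PRIVATE_REPO_TOKEN = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/payments:ref:refs/heads/main",
    "repository_owner": "example-org",
    "repository_visibility": "private",
}

PUBLIC_REPO_TOKEN = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/website:ref:refs/heads/main",
    "repository_owner": "example-org",
    "repository_visibility": "public",
}

# Trust policy limited to the standard claims. The wildcard on ``sub`` admits
# every repository under the org, public ones included.
STANDARD_CLAIMS_ONLY = {
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER}:sub": "repo:example-org/*"},
}

# The same policy tightened with provider-specific claims (assumed key names).
WITH_PROVIDER_CLAIMS = {
    "StringEquals": {
        f"{ISSUER}:aud": "sts.amazonaws.com",
        f"{ISSUER}:repository_owner": "example-org",
        f"{ISSUER}:repository_visibility": "private",
    },
    "StringLike": {f"{ISSUER}:sub": "repo:example-org/*"},
}


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda expected, actual: expected == actual,
    "StringLike": _like,
}


def claim_for(key: str, claims: dict) -> Optional[str]:
    """Map a condition key such as '<issuer>:sub' back to the token claim 'sub'."""
    prefix, _, claim = key.partition(":")
    if prefix != ISSUER:
        return None
    return claims.get(claim)


def evaluate(condition: dict, claims: dict) -> bool:
    """All operator blocks and all keys inside them must match (AND); a list of
    expected values matches if any one does (OR). A claim absent from the token
    fails the condition, so a policy cannot be satisfied by omitting a claim."""
    for operator, entries in condition.items():
        match = OPERATORS[operator]
        for key, expected in entries.items():
            actual = claim_for(key, claims)
            if actual is None:
                return False
            candidates = expected if isinstance(expected, list) else [expected]
            if not any(match(e, actual) for e in candidates):
                return False
    return True


def assume_role_decisions() -> dict:
    """Which constructed tokens each trust policy would let assume the role."""
    return {
        "standard_only": {
            "private_repo": evaluate(STANDARD_CLAIMS_ONLY, PRIVATE_REPO_TOKEN),
            "public_repo": evaluate(STANDARD_CLAIMS_ONLY, PUBLIC_REPO_TOKEN),
        },
        "with_provider_claims": {
            "private_repo": evaluate(WITH_PROVIDER_CLAIMS, PRIVATE_REPO_TOKEN),
            "public_repo": evaluate(WITH_PROVIDER_CLAIMS, PUBLIC_REPO_TOKEN),
        },
    }


if __name__ == "__main__":
    for policy, outcome in assume_role_decisions().items():
        print(policy, outcome)
```

The evaluator only implements StringEquals and StringLike, which is what a trust policy for OIDC federation normally uses; the point it demonstrates is that a `sub` wildcard scoped to an org still lets a public repository’s workflow assume the role, and that adding a provider-specific visibility or owner claim closes that without touching the CI authentication flow.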
46:33 Amazon CloudFront announces mutual TLS support for origins
- CloudFront now supports mutual TLS authentication for origins, allowing customers to verify that requests to their backend servers come only from authorized CloudFront distributions using certificate-based authentication.
- This eliminates the operational overhead of managing custom solutions like shared secret headers or IP allow-lists that previously required constant rotation and maintenance.
- The feature works with AWS Private Certificate Authority or third-party private CAs imported through AWS Certificate Manager, providing cryptographic verification of CloudFront’s identity to any origin that supports mTLS, including Application Load Balancers, API Gateway, on-premises servers, and third-party cloud providers. There is no additional charge for using origin mTLS beyond standard CloudFront pricing.
- This addresses a common security gap for organizations serving proprietary content through CloudFront, particularly when origins are publicly accessible or hosted externally.
- Previously, customers had to build custom authentication layers to ensure only their CloudFront distributions could access backend infrastructure, creating an ongoing operational burden.
- Configuration is available through the AWS Management Console, CLI, SDK, CDK, or CloudFormation, making it straightforward to implement across existing CloudFront distributions. The feature is also included in CloudFront’s Business and Premium flat-rate pricing plans at no extra cost.
49:33 AWS Management Console now displays Account Name on the Navigation bar for easier account identification
- The AWS Management Console now displays account names in the navigation bar, replacing the previous reliance on account numbers for identification.
- This addresses a common pain point for organizations managing multiple AWS accounts across development, production, and different business units.
- The feature is available at no additional cost across all public AWS regions and requires administrator enablement through IAM managed policies.
- Once enabled, all authorized users in an account will see the account name displayed in the console navigation bar.
- This update provides immediate value for teams working across multiple accounts who previously had to memorize or reference 12-digit account numbers.
- The visual distinction helps reduce errors when switching between environments like dev and prod.
- The implementation follows AWS best practices for multi-account architectures, making it easier to maintain account separation while improving operational efficiency. Organizations using AWS Organizations or Control Tower will particularly benefit from clearer account identification.
51:21 📢 Matt – “Not the sexiest feature, but for the love of God the most USEFUL feature of this podcast.”
53:22 Announcing increased 1 MB payload size support in Amazon EventBridge
- EventBridge now supports 1 MB event payloads, up from the previous 256 KB limit, eliminating the need for developers to split large events, compress data, or store payloads externally in S3.
- This simplifies architectures for applications handling LLM prompts, telemetry data, and complex JSON structures from machine learning models.
- The increased payload size reduces architectural complexity and operational overhead by allowing comprehensive contextual data to be included in a single event rather than requiring chunking logic or coordination with external storage systems.
- This is particularly relevant for AI/ML workloads where model outputs and prompts can exceed the previous size constraints.
- The feature is available now in most commercial AWS regions where EventBridge operates, with notable exceptions including Asia Pacific regions like New Zealand, Thailand, Malaysia, and Taipei, plus Mexico Central. No additional cost is mentioned for the larger payload support beyond standard EventBridge pricing.
- This change addresses a common pain point in event-driven architectures where developers previously had to implement workarounds for large payloads, adding code complexity and potential failure points.
- The 4x increase in payload size aligns EventBridge more closely with modern application needs around AI and real-time data processing.
54:44 📢 Ryan – “I think this is a good thing. I was laughing at this because I remember event size in Kinesis being a big to-do and a project forever ago, and trying to think through all the limits…but now I was thinking through the AI workloads and how much of a pain it would be to have your prompts referencing an external source every time…so glad to see this.”
56:55 AWS Network Firewall now supports GenAI traffic visibility and enforcement with Web category-based filtering
- AWS Network Firewall adds URL category-based filtering that lets you control access to GenAI applications, social media, streaming services, and other web categories using pre-defined categories instead of maintaining manual domain lists.
- This reduces operational overhead for security teams who need to enforce consistent policies across AWS environments while gaining visibility into emerging technology usage.
- The GenAI traffic visibility component addresses a growing compliance need as organizations struggle to track and govern employee access to ChatGPT, Claude, Gemini, and other AI services.
- Security teams (booo) can now restrict GenAI usage to approved corporate tools or block access entirely based on their risk tolerance and regulatory requirements.
- When combined with TLS inspection, the feature enables full URL path inspection for granular control beyond just domain-level blocking.
- This matters for scenarios where you need to allow access to a domain but block specific paths or query parameters that might expose sensitive data.
- The feature is available now in all AWS commercial regions where Network Firewall operates, with no additional base cost beyond standard Network Firewall pricing, which starts at $0.395 per firewall endpoint hour plus $0.065 per GB processed.
- You can implement this through stateful rule groups using the AWS Console, CLI, or SDKs without requiring new infrastructure deployment.
- Did we talk about this one last week? It feels like we talked about this one already. Guess it’s time to build another bot.
GCP
59:49 Conversational Analytics in BigQuery is in preview
- Google launches Conversational Analytics in BigQuery as a preview feature that lets users query data using natural language instead of SQL.
- The AI agent uses Gemini models to generate queries, execute them, and create visualizations while maintaining security controls and audit logging within BigQuery’s existing governance framework.
- The system goes beyond basic chatbots by grounding responses in actual BigQuery schemas, metadata, and custom business logic, including verified queries and User Defined Functions.
- This ensures generated SQL aligns with production metrics and enterprise standards rather than making generic assumptions about data structure.
- Users can perform predictive analytics through natural language by leveraging BigQuery AI functions like AI.FORECAST and AI.DETECT_ANOMALIES without writing code.
- The agent also supports querying unstructured data such as images stored in BigQuery object tables, expanding analysis beyond traditional row-column datasets.
- The agents can be deployed across multiple surfaces, including Looker Studio Pro, the BigQuery UI, custom applications via API, and existing agentic ecosystems through ADK tools.
- Documentation and codelabs are available at cloud.google.com for implementation guidance, though specific pricing details were not disclosed in the announcement.
- This addresses a common enterprise bottleneck where business users wait in queues for data teams to write queries, potentially reducing time-to-insight from hours or days to seconds for authorized users.
1:01:11 📢 Matt – “Anything that makes BigQuery easier to use.”
1:01:36 Introducing Single-tenant Cloud HSM for more data encryption control
- Google Cloud has launched Single-tenant Cloud HSM, a dedicated hardware security module service that gives organizations exclusive control over cryptographic keys with FIPS 140-2 Level 3 validation.
- Unlike multi-tenant solutions, customers get sole access to physical HSM partitions with hardware-enforced isolation, meaning their keys are cryptographically separated from other customers and Google operators. The service is generally available now in the US and EU, with “competitive” pricing ($3500/month; see https://cloud.google.com/kms/pricing#stch_pricing).
- The service targets highly-regulated industries like financial services, defense, healthcare, and government that need strict compliance controls but want to avoid managing physical hardware.
- Key security features include full ownership of root keys, quorum-based administration requiring multiple authorized users for sensitive operations, and the ability to revoke Google’s access at any time, which immediately makes all keys and encrypted data inaccessible until authorization is restored.
- Single-tenant Cloud HSM integrates directly with existing Cloud KMS APIs and works with Customer-Managed Encryption Keys (CMEK) across Google Cloud services. Setup takes approximately 15 minutes using standard gcloud commands, and the service automatically scales to handle peak traffic loads while maintaining high availability across multiple zones.
- The service has already obtained compliance certifications, including FedRAMP, DISA IL5, ITAR, SOC 1/2/3, HIPAA, and PCI DSS.
- Google manages all hardware provisioning, configuration, monitoring, and compliance, removing the operational burden of physical HSM management while maintaining the same redundancy and availability standards as multi-tenant Cloud HSM.
- Administrators can use hardware tokens like YubiKey or other key management systems to generate and manage their administrative credentials, with quorum requirements preventing any single individual from making unauthorized changes.
1:06:21 📢 Ryan – “And that’s why Google is announcing this. Someone had this checkbox – someone with deep enough pockets had this checkbox.”
Azure
44:40 Public Preview: 7th generation Intel-based VMs – Dlsv7/Dsv7/Esv7
- Azure launches Dlsv7, Dsv7, and Esv7 virtual machines in public preview, powered by Intel Xeon 6 processors codenamed Granite Rapids.
- These 7th-generation Intel-based VMs represent the latest iteration in Azure’s general-purpose and memory-optimized VM families, bringing newer processor architecture to cloud workloads.
- The new VM series targets customers running compute-intensive and memory-intensive workloads that can benefit from the latest Intel processor improvements.
- General-purpose Dlsv7 and Dsv7 VMs suit balanced workloads like web servers and application hosting, while Esv7 VMs are optimized for memory-heavy applications such as databases and in-memory analytics.
- Intel Xeon 6 processors introduce architectural improvements over previous generations, though specific performance metrics and pricing details are not provided in the announcement.
- Customers interested in testing these VMs should evaluate them during preview to determine if the newer processor generation delivers meaningful improvements for their specific workloads.
- The preview status means these VMs are available for testing but may not yet be suitable for production workloads, depending on service level agreements and regional availability.
- Organizations should check Azure documentation for supported regions and any preview limitations before deploying workloads on these new VM series.
1:11:15 📢 Matt – “The other reason I wanted to keep it in was, I’m still struggling to get the V6 in some regions. And granted, these are less common regions, you know, but I have different SKUs based on region availability because I just can’t get it, and in some places it’s like, ‘we can do it in two zones.’ And I’m like, cool, thank you. Way to make yourself more money.”
Closing
And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod