AI 资讯
AWS Is Not Simpler. Agents Just Got Better at Reading It.
I optimized my architecture for the wrong model. I used to think black-box infrastructure was the right abstraction for AI-driven development. Vercel, Supabase, Cloudflare Workers — a sharp contract in front, a managed backend behind — felt like the obvious fit. The less an agent had to reason about, the fewer places it could get lost. Give it a clean interface, hide the messy backend, move fast. I still think that was right for the agents we had last year. I don't think it's right for the agents we're starting to use now. The shift is not that AWS got simpler. It didn't. Setup still takes longer, CI/CD takes more work to wire, and cost control has real limits. The shift is that agents got better at reading complexity — and once an agent can actually use a large structured context, the things I treated as overhead (resources, provider schemas, IAM policies, explicit queues, explicit alarms, explicit networks) become the highest-signal context I can hand it. To keep this concrete, I'm holding the tool constant. This is HCL/Terraform on AWS vs HCL/Terraform on Cloudflare — same language, same workflow, two providers. The inversion Agents are… Best served by… Context-poor (last year's loops) Black boxes — shrink the surface, hide the backend Context-rich (now) Inspectable systems — describe everything as code The one-line version: The better agents get at reading, the more valuable explicit infrastructure becomes. I didn't become more pro-AWS because AWS got easier. I became more pro-AWS because agents got better at reading it. Same Terraform, two providers The interesting comparison isn't AWS-elegance vs Cloudflare-elegance. It's how much of the infrastructure topology and operational contract an agent can reconstruct from the HCL plus the provider schema alone. Terraform × AWS Terraform × Cloudflare Provider maturity AWS provider is about as battle-tested as IaC gets; enormous public corpus of modules/examples v5 is a ground-up, OpenAPI-generated rewrite — improving
AI 资讯
Your AI Workloads Are the New Cloud Sprawl — And Nobody Is Watching
AI is coming for your cloud budget before it comes for your job. Everyone is talking about what AI will do to engineers. Nobody is talking about what AI services are doing to cloud bills right now. Every team is spinning up AI workloads. LLM endpoints; vector databases; GPU instances; embedding pipelines. All of them expensive. Most of them ungoverned. I have seen environments where AI service costs doubled in 30 days because nobody set a budget limit. No alerts. No guardrails. Just an invoice that surprised everyone at month end. This is the new cloud sprawl. But instead of forgotten EC2 instances it is uncontrolled AI API calls and model inference costs running 24/7. The same discipline that applies to cloud infrastructure applies here. Who is allowed to spin up AI services. What models are approved for use. How are API keys being managed. Are there rate limits in place. Is anyone reviewing the cost daily. AI governance in the cloud is not an AI problem. It is a cloud security and FinOps problem wearing an AI hat. The teams that win with AI are not the ones moving fastest. They are the ones who built guardrails before the bill arrived. Govern your AI workloads the same way you govern everything else in your cloud. Before the invoice does it for you.
AI 资讯
100 Days of DevOps, Day 6: Cron's Sneaky OR, and the EC2 Key You Only Get Once
Automation is the part of DevOps that actually earns the title. Day 6 was two of the most everyday automation tasks there are, and both had a trap sitting in plain sight. One Linux task, one AWS task. Schedule a recurring job with cron, and launch an EC2 instance from the AWS CLI. The tasks come from the KodeKloud Engineer platform if you want the same lab to work through. Cron: five fields, one rule that trips everyone Cron is the scheduler that has quietly run Linux automation for decades. You hand it a job and a schedule, and its daemon, crond, wakes up every minute to check whether anything is due. If that daemon is not running, nothing fires, so the first move is making sure it is installed and enabled. # Become root sudo su - # Install the cron daemon if it is missing yum install cronie -y # Enable it at boot, start it now, and confirm it is alive systemctl enable crond.service systemctl start crond.service systemctl status crond.service cronie is the package name on RHEL-family distros. enable makes the service survive a reboot, start brings it up right now, and status is how you confirm it is actually running instead of assuming it is. Now edit the crontab: # Edit the current user's crontab crontab -e # minute hour day-of-month month day-of-week command 0 2 * * * /path/to/script.sh # List what is currently scheduled crontab -l That line runs the script every day at 2am. The five fields, in order, are minute, hour, day of month, month, and day of week: minute: 0 to 59 hour: 0 to 23 day of month: 1 to 31 month: 1 to 12 day of week: 0 to 7, where both 0 and 7 mean Sunday Here is the rule that quietly breaks schedules. When you set both the day-of-month field and the day-of-week field to something other than a star, cron treats them as OR, not AND. So 0 0 13 * 5 does not mean midnight on Friday the 13th. It means midnight on every 13th of the month, and also every Friday, whichever lands first. If you actually want the AND, you restrict one field in cron and che
AI 资讯
Your SQS Queue Is Redelivering Messages Your Lambda Is Still Processing
Your order-processing Lambda starts sending duplicate confirmation emails. Not always — maybe one order in twenty. CloudWatch shows more invocations than messages published. The function code hasn't changed in weeks. What changed is that someone added a fraud check that pushed processing time from 25 seconds to around 45, and your SQS queue is still running the default 30-second visibility timeout. That combination is the whole bug. When a Lambda pulls a message from SQS, the message isn't deleted — it's hidden for the duration of the visibility timeout. If the function is still working when that window closes, SQS assumes the consumer died and hands the same message to another invocation. Now two Lambdas are processing the same order, both will "succeed," and both will send the email. Nothing errors. Nothing retries. There is no log line that says "this message was delivered twice because your timeouts are misconfigured." Infrawise ( npm ) flags this exact mismatch as a high-severity finding before it costs you an afternoon of staring at idempotency-free handler code. This post walks through why the bug is so hard to see, how the detection works, and how to keep an AI assistant from reintroducing it. Why you never catch this one yourself Three things make this misconfiguration nearly invisible: It passes every test. In local tests and staging, your handler processes a synthetic message in two seconds. The 30-second visibility window never comes close to expiring. The bug only exists under production conditions — real payload sizes, real downstream latency, cold starts stacking on top of slow dependencies. The defaults set the trap. SQS queues default to a 30-second visibility timeout. Lambda functions routinely get their timeout bumped to 60, 120, or 900 seconds as they grow. Nobody bumps the queue at the same time, because the two settings live in different consoles, different IaC resources, and usually different pull requests. The failure signature points elsewhe
AI 资讯
Identity Is the New Perimeter: Why AI Agents Break Zero Trust
For years, Zero Trust architectures were designed around one assumption: Humans make the decisions. That assumption is breaking apart. Autonomous AI agents can now query databases, trigger workflows, call APIs, and interact with other systems without direct human involvement. Modern AI systems no longer just generate text. They execute actions inside enterprise environments. When an AI agent can operate on behalf of a user inside your cloud infrastructure, its identity becomes just as critical as any human identity. And that fundamentally changes the security model. The Rise of Tool Calling Platforms like Amazon Bedrock Agents have changed the architecture of enterprise AI. These systems can now interpret a user request, decide which tools are required, and autonomously execute backend operations through Lambda functions, APIs, databases, and external services. A simple prompt can trigger an entire chain of actions. Example Workflow User Prompt: "Summarize customer complaints from the last 30 days." Agent Actions: Query the CRM database Call the analytics API Pull support ticket data Generate a report Powerful for productivity. Extremely dangerous if not properly secured. The New Attack Surface A single successful prompt injection can completely hijack an agent’s behavior. With overly broad permissions, an attacker can force it to: Access sensitive customer data Execute unauthorized API calls Modify records Trigger privileged backend workflows The risk becomes even worse in multi-agent systems. A compromised customer-facing agent can pass malicious instructions to a highly privileged backend agent. Traditional network perimeters and security tools often miss this entirely because the traffic comes from a trusted internal service. Why Traditional Zero Trust Falls Short Classic Zero Trust was designed for human behavior and relatively predictable access patterns. AI agents operate differently: They act autonomously and at machine speed They make decisions without real
AI 资讯
AI For Fun! Électrique Chats at Hack the Kitty, Built with Kiro.
A cat astrologer, spec-driven and running on Amazon Bedrock A companion to A Builder in Paris: Do Devs Dream of Électrique Chats? Last month I wrote about the idea. Six rainy days in Paris, a closed laptop, and a hackathon I did not mean to enter, and somewhere between the Musée de l'Orangerie and a lot of walking, an idea arrived. Cats are inscrutable. The people who love them are obsessed with understanding them anyway. Astrology is an old framework for making the unknowable feel readable, and maybe, just maybe, it helps us understand them a little. Her name is Madame Minou , a French cat astrologer who reads your cat's stars from a café terrace. That first article was the idea . This one is the build. Vibe-coded, but on rails Was it vibe-coded? You know it! AI wrote the lines, and I said "no, not like that" more times than I can count. But it was vibe-coding on rails, and the rails were Kiro. Before a single line of app code, I wrote the requirements in EARS notation, a design doc, and a build-ordered task list, all living in .kiro/specs . Decide what "done" means before letting anyone, human or model, start building. The specs are what kept the vibes on track. Then the steering files. .kiro/steering held the enduring rules of the project: product principles, security guardrails, technical direction, and UI law. These were the thing that kept a long, multi-session build from drifting. When a new session opened, the steering files were already the shared context. "The café blue" was one token, not five guesses. Security was not optional. The garbled café sign was a deliberate easter egg, not a bug to fix. From there, the loop: Kiro implemented one approved block at a time, ran each task's PASS/FAIL QA gate on itself before moving to the next, and only stopped for my review on the two things that actually mattered. I directed and approved. Kiro proposed and built. Spec first, block by block, human in the loop. The facts are sacred Here is the part that looks like a
AI 资讯
A Docker-Based AWS SES Smoke Test With Disposable Inboxes
Use Docker and a disposable mailbox to verify AWS SES delivery in CI before release without touching shared inboxes or leaking test mail. Shipping an app that "sent the email" is not the same as shipping an app that delivered a usable message. In AWS stacks, the miss usually shows up late: a container points at the wrong SES region, a preview environment uses stale credentials, or the message lands with broken links after templating. A disposable email address check is a simple final guardrail, and its easy to automate when your mail sender already runs in Docker. This is the pattern I recommend when teams are searching for temp mail com style testing, but need something cleaner for production-like CI. The goal is not to replace unit tests or the Amazon SES mailbox simulator . The goal is to prove that your real app container, with real environment wiring, can send one controlled message and that the inbox content is worth shipping. Why this check belongs in the release path AWS SES is strict in useful ways. If your account is still in the sandbox, you can only send to verified identities or the mailbox simulator . Even after production access, delivery problems still happen becuase the application layer and the cloud layer drift separately. A practical smoke test catches things that mocks often miss: wrong AWS_REGION or SES endpoint selection missing secrets in the container runtime template variables that render empty in preview builds broken confirmation links caused by bad environment URLs unexpected sender identity changes between staging and release That list looks basic, but it doesnt stay basic when three services, one worker, and a release job all touch outbound email. A small Docker pattern that keeps the test deterministic Keep the sender in the same Docker image you deploy, but trigger a narrow email scenario from CI. For example, seed a temporary user, call the notification path once, then poll a disposable inbox API for the matching subject line. servi
AI 资讯
[Real Experience] Auditing My Indie SaaS Subscriptions: 5 Alternatives That Cut $800/Year
Auditing My Indie SaaS Subscriptions: 5 Alternatives That Cut $800/Year TL;DR Fixed costs for indie dev projects balloon through "subscriptions you signed up for and forgot." I switched 5 services to free tiers or self-hosted alternatives, cutting ¥10,000/month — ¥120,000/year (roughly $800). The short version: Before Monthly After Monthly Annual Savings Heroku Hobby (2 dynos + DB) ¥2,800 Fly.io / Railway free tier ¥0 ¥33,600 Vercel Pro ¥3,000 Cloudflare Pages ¥0 ¥36,000 Datadog (1 host) ¥2,300 Grafana Cloud Free ¥0 ¥27,600 Mailgun Foundation ¥1,400 Resend free tier ¥0 ¥16,800 Algolia Build overage ¥500 Meilisearch (self-host) ¥0 ¥6,000 At indie-project traffic levels, you're probably using less than 10% of what paid plans offer. The first step is auditing your usage and checking whether your actual numbers fit inside a free tier. The Approach: Measure First, Decide Second Cut decisions should be based on real data, not gut feeling. Start with a billing audit. # Export each service's plan and recent usage to a spreadsheet # Example: check request count for the last 30 days from nginx access log awk '{print $4}' access.log | grep -c " $( date +%d/%b/%Y ) " # → A few thousand requests/day fits comfortably inside almost every SaaS free tier The key is looking at actual traffic , not peak spikes. Most indie projects fit well within Vercel/Cloudflare free tiers (100k requests/month to unlimited bandwidth). Step-by-Step Migration 1. Hosting: Heroku → Fly.io # Deploy to fly.io — existing Dockerfile or buildpacks work as-is curl -L https://fly.io/install.sh | sh fly launch # interactively generates fly.toml fly deploy fly scale count 1 # 1 instance is enough for indie projects fly postgres create # small instance, effectively free The key to cost control: lock to fly scale count 1 and the minimum VM ( shared-cpu-1x ). 2. Frontend: Vercel Pro → Cloudflare Pages Unlimited bandwidth, generous build limits, and free equivalents of Pro features (Analytics, etc.) that most indie
产品设计
T-Mobile moving tens of thousands of virtual machines off VMware amid lawsuit
T-Mobile wants Broadcom to keep supporting its VMware perpetual licenses.
AI 资讯
AWS Bedrock Managed Knowledge Bases: Should We Use Them?
AWS released Managed Knowledge Bases for Amazon Bedrock on 17 June 2026. The feature significantly reduces the operational complexity of building Retrieval-Augmented Generation (RAG) solutions by allowing Bedrock to manage the vector storage, indexing, embeddings, and retrieval infrastructure on your behalf. For teams looking to deliver an Agent Core proof of concept or their first production RAG workload quickly, this can be a compelling option. However, there are some important trade-offs to understand before committing to the managed approach. Traditionally, a Bedrock Knowledge Base required a customer-managed vector store such as: OpenSearch Serverless OpenSearch Managed Clusters Aurora PostgreSQL with pgvector Pinecone DocumentDB Other supported vector databases With a Managed Knowledge Base, Bedrock handles the underlying vector infrastructure and embedding model selection for you. Creating one from the AWS CLI is straightforward: aws bedrock-agent create-knowledge-base \ --name "my-managed-kb" \ --role-arn "arn:aws:iam:: ${ AWS_ACCOUNT_ID } :role/service-role/AmazonBedrockExecutionRoleForKnowledgeBase_ihv1p" \ --knowledge-base-configuration '{ "type": "MANAGED", "managedKnowledgeBaseConfiguration": { "embeddingModelType": "MANAGED" } }' Advantages Lower operational overhead There is no need to provision, secure, monitor, patch, or scale a separate vector database. Lower costs S3 storage is cheaper than database storage. Pay only for each ingestion and retrieval operation. Indexing and searching compute is free. No 24/7 server costs. Faster time-to-value Managed Knowledge Bases make it possible to stand up a RAG solution in minutes rather than days. Automatic embedding management Bedrock manages embedding selection and indexing, reducing the number of architectural decisions required from development teams. Cost-effective for smaller workloads The managed model can be attractive for: Proofs of Concept Departmental knowledge bases Agent Core pilots Workloads wi
AI 资讯
Prepare Application Artifacts To Be Deployed To AWS | 🏗️ Build A Multi-Environment Serverless App
Exam Guide: Developer - Associate 🏗️ Domain 3: Deployment 📘 Task 1: Prepare Application Artifacts To Be Deployed To AWS Before you can deploy anything to AWS, you need to package it properly. This task covers Lambda deployment packaging (zip vs container), managing dependencies, structuring projects for multi-environment deployment, and using AWS AppConfig for runtime configuration. 📘Concepts Lambda Deployment Packaging Options Option Max Size Build Complexity Cold Start Best For Zip Package (inline editor) 3 MB (editor limit) None Fastest Simple functions, no dependencies Zip Package (upload) 50 MB compressed / 250 MB uncompressed Low Fast Most Lambda functions Zip + Lambda Layers 250 MB total (function + all layers) Medium Fast Shared dependencies across functions Container Image 10 GB Higher Slower (first invoke) ML libraries, large dependencies, custom runtimes 💡 If a scenario is about a deployment package exceeding 250 MB, the answer is container images. If it mentions sharing dependencies across multiple functions, the answer is Lambda Layers. Zip is the default for most workloads. Lambda Layers Aspect Detail What They Are Zip archives containing libraries, custom runtimes, or other dependencies Max Layers Per Function 5 Size Limit 250 MB total (function code + all layers uncompressed) Versioning Each publish creates an immutable version Sharing Can be shared across functions, accounts, or made public Path Contents extracted to /opt in the execution environment Dependency Management Strategies Strategy How It Works Pros Cons Bundle In Zip Install deps into package directory, zip together Simple, self-contained Larger package, duplicated across functions Lambda Layers Package deps as a layer, attach to functions Shared across functions, smaller deploys Layer version management, 5-layer limit Container Image Install deps in Dockerfile Full control, large deps supported Slower cold starts, ECR management sam build SAM resolves deps from requirements.txt automatic
AI 资讯
Building a Geography Game with a Custom Building Block with AWS Blocks
AWS Blocks handles authentication, databases, file storage, AI agents and more out of the box. But...
AI 资讯
How to right-size RDS instances without downtime
Quick Answer (TL;DR) Modifying an RDS instance class in place causes 5 to 15 minutes of downtime while AWS reboots the database. To right-size without downtime, use RDS Blue/Green Deployments (fastest, cleanest), a read-replica promotion (works on older engines), or a Multi-AZ failover to a resized standby. Blue/Green is the 2026 default for most workloads on MySQL, MariaDB, Postgres, and now SQL Server. Why this happens RDS instances are Managed EC2 hosts running the DB engine, and a class change (say db.m6i.large to db.m6i.xlarge ) requires stopping the process, migrating the EBS volumes to a new host, and restarting. AWS's default "modify" workflow does this in place and warns you about downtime. The workarounds exist because that reboot is unacceptable for user-facing services, so you build the new instance alongside the old one and cut over. Fix #1: Use RDS Blue/Green Deployments The 2026 default. Available for RDS MySQL, MariaDB, PostgreSQL, and SQL Server (added mid-2025). Steps: In the RDS console, select the instance and choose Actions → Create Blue/Green Deployment . Set the Green instance to your target instance class. AWS creates a full standby using logical replication, keeps it in sync, and validates health. When ready, click Switch over . Cutover typically takes under 60 seconds. Applications reconnect using the same endpoint. Command-line equivalent: aws rds create-blue-green-deployment --blue-green-deployment-name resize-prod --source arn:aws:rds:... --target-db-instance-class db.m6i.xlarge Best when: your engine supports it and you can tolerate the extra cost of running two instances for the sync window. Fix #2: Read-replica promotion For engines or versions that do not yet support Blue/Green, or for cross-region resizing. Steps: Create a read replica with the desired new instance class. Wait for the replica to catch up (near-zero lag). Point application writes to the read replica endpoint (requires connection-string change or DNS switch). Promote
AI 资讯
EC2 Spot vs On-Demand: the true cost difference in 2026
Quick Answer (TL;DR) EC2 Spot lists at up to 90% off On-Demand , but the effective savings after accounting for interruptions, engineering overhead, and workload retries land closer to 40 to 60% for most teams in 2026. Spot wins for stateless, retryable, or checkpointable workloads. It loses money on single-instance stateful services with strict SLAs. The honest formula: True savings = Spot discount × Utilization ÷ (1 + Interruption overhead) . Why the sticker discount is misleading The Spot price is a market price. AWS sets it against unused capacity in a given instance family, region, and Availability Zone, and it can move in minutes. The 90% headline is the maximum discount for a rarely-used instance family in an off-peak region. The workhorses ( m6i , c7i , r7g in us-east-1 ) usually sit at 55 to 75% off. Then there is the hidden cost of interruption. AWS gives a 2-minute warning before reclaiming a Spot instance. Handling that gracefully requires either a stateless workload, a checkpointed job, or careful autoscaler wiring. Teams that do not build for interruption end up with retries, half-finished batches, and engineering time that erases the savings. Fix #1: Diversify across instance types and AZs The single most effective way to reduce Spot interruption rate. Instead of asking for m6i.large specifically, ask for "any of m6i.large , m6a.large , m7i.large , m7a.large in any AZ." AWS pools capacity across the diversification pool. With Karpenter or Auto Scaling Groups: Set the NodePool or ASG's requirements to allow 5 to 15 instance types across families. Include both x86 and ARM (Graviton) options when your workload runs on both. Enable capacity-optimized-prioritized allocation strategy, which picks the deepest capacity pool at launch. Result: interruption rate drops from ~5% per instance-hour to under 1% on most workloads. Fix #2: Use Spot for the right workload shape Not every workload should be on Spot. The rule I use: Great fits : batch processing, data pi
AI 资讯
AWS EFS Essentials — Shared File Storage Across Multiple EC2 Instances
Part of my AWS learning journey — transitioning from Systems Engineer to Cloud/DevOps. This session covers Amazon EFS — shared storage that multiple EC2 instances can read/write simultaneously. 📋 Topics Covered # Topic Type 1 What is Amazon EFS Concept 2 EFS vs EBS vs S3 Concept + Interview 3 EFS Architecture (Mount Targets, AZs, NFS) Concept + Cert 4 Mounting — What It Means Concept 5 Mount Targets & Security Group Config Concept + Lab 6 EFS Storage Classes Concept + Cert 7 EFS Lifecycle Management & Policies Concept + Cert 8 EFS Performance Modes & Throughput Modes Concept + Cert 9 Benefits of EFS Concept 10 Security & Encryption Concept + Interview 11 EFS Pricing & Cost Optimization Concept 12 Lab: Launch 2 EC2 Instances Lab 13 Lab: Create & Configure EFS Lab 14 Lab: Mount EFS on Both Instances Lab 15 Lab: Demonstrate File Sharing Lab 16 Cleanup Checklist Lab 17 Assignment — Independent Repeat Practice What is Amazon EFS? EFS = Elastic File System — a fully managed, auto-scaling shared file system that multiple EC2 instances can mount and use at the same time , both reading and writing. Analogy: Think of EBS as a personal hard drive — it belongs to one laptop only. EFS is like a shared Google Drive folder that your entire team can open simultaneously from different computers, see the same files, and edit them in real time. Key characteristics: Uses the NFS 4.1 protocol (Network File System — standard Linux file sharing) Serverless — no capacity to provision, no servers to manage Auto-scales — grows from KB to PB automatically, shrinks when files are deleted Highly available — data replicated across multiple AZs in a Region Pay-as-you-go — billed per GB actually stored, no pre-provisioning EFS vs EBS vs S3 — The Big Comparison This is one of the most commonly tested comparisons in AWS certifications. Feature EBS EFS S3 Access Single EC2 instance only Multiple EC2 instances simultaneously Internet / API, unlimited clients Protocol Block storage NFS v4.1 HTTP/REST (
AI 资讯
AWS ECR: How Container Registry Works for ECS Fargate Teams
AWS ECR Guide for ECS Fargate Teams Originally published at https://fortem.dev/blog/aws-ecr-guide AWS ECR from the ECS Fargate operator's seat: how pulls work, the execution-role IAM, why private-subnet tasks fail, real pricing, and the lifecycle policy that cuts the bill. Every ECS Fargate deploy pulls an image from ECR — and ECR is the part nobody owns until it breaks. A task in a private subnet throws ResourceInitializationError , or five years of untagged images quietly push the bill to $400/month. This is ECR from the ECS operator's seat: how pulls actually work, the IAM the execution role needs, what it costs at fleet scale, and the lifecycle, scanning, and replication settings that matter at 10+ environments — with the AWS-verified pricing nobody else itemizes. TL;DR ECR is AWS's managed container registry — the default image store for ECS and EKS. Registry → repository → image, with IAM-based access and a short-lived auth token per pull. The #1 ECR failure on Fargate is a private-subnet task that can't pull: it needs either a NAT gateway or three ECR VPC endpoints, plus AmazonECSTaskExecutionRolePolicy on the execution role. ECR storage is $0.10/GB-month; same-region pulls to Fargate are free. The hidden bill is old images — one team went from $400/mo to ~$15/mo with a 30-day lifecycle policy. At fleet scale three settings matter: lifecycle policies (cost), scan-on-push (security), and cross-account replication (multi-account image distribution). For ECR-heavy fleets in private subnets, VPC interface endpoints are often cheaper than routing every pull through a NAT gateway. Ready to use — copy this today Push an image, then a lifecycle policy that keeps the bill flat, then the exact networking + IAM a private-subnet Fargate task needs to pull: # 1. Authenticate Docker to your private ECR registry, then push aws ecr get-login-password --region us-east-1 \ | docker login --username AWS --password-stdin \ 123456789012.dkr.ecr.us-east-1.amazonaws.com docker tag
AI 资讯
Can you build observability ingestion on S3 alone — no Kafka, no disks, no coordination layer?
TL;DR — A Kafka + Flink + OTel ingestion pipeline cost us ~$700–800/month at 10 MB/s. We rebuilt it as a single binary where the data, the write-ahead log, and the Iceberg catalog all live in S3 alone — no Kafka, no local disks, no coordination service — for ~$100/month . Here's the design. Self-hosted observability sooner or later runs into the problem of storing state. Query load, CPU, and data volume can all be handled by scaling out, but the stateful layer is something you have to operate by hand. At first it's almost unnoticeable: a disk degrades here, replication falls behind there, a recovery hangs somewhere else. As the data grows, incidents stop being one-offs and start to recur. At some point your observability stack - whether it's Grafana Loki, Elastic, or ClickHouse - starts demanding the same attention as a full-blown database that you're on the hook for. Kubernetes operators cover some of these cases, but operating the state is still on you. Managed solutions take that burden away and bring their own: rising costs, ingestion-pipeline constraints, and limits on retention and cardinality. But if you'd rather not sign up for the constant operational grind - or live with the constraints of managed solutions - it's worth asking: can we take the stateful part out of operations entirely? Storage and format The first candidate for offloading storage responsibility is Amazon S3. S3 gives you what local disks can't: fault tolerance and practically unlimited scale, with no storage to manage yourself. It isn't free, though: data-access latency goes up, and you pick up separate costs for API operations. For OLTP workloads that's a dealbreaker. For observability workloads - which are dominated by sequential writes and analytical reads - these trade-offs are often acceptable. At first glance, this problem is already solved. Loki , for example, uses S3 as its primary storage. But according to Loki's public documentation (v3.6.x) at the time of writing, Loki doesn't re
AI 资讯
Learn DynamoDB by running it - accesspatterns.dev
I've been building on DynamoDB since around 2015, and these days I build tools for it: dynoxide , a DynamoDB engine, and Nubo , a native client. So I'm not neutral about it. It's the first database I reach for, and with reason - the operational overhead is close to nil, no connections to pool or instances to size, and it holds the same single-digit-millisecond reads whether the table has a thousand items or a billion. The data modelling is a craft, and a satisfying one. It's also one of the harder databases to learn, and that's the part I keep coming back to. DynamoDB punishes the instincts you bring from SQL. You don't normalise and join at read time; you work out the questions your app will ask first, and shape the data around those access patterns, until one table answers all of them. It's a real shift in how you think, and it's where a lot of people bounce off - it feels backwards right up until it clicks. The people who teach it best all teach it the same way. Alex DeBrie's The DynamoDB Book , the arc.codes team's examples, Rick Houlihan's re:Invent talks - the legendary ones, where he models half a dozen access patterns onto a single table at a hundred miles an hour - none of them hand you rules to memorise. They show you patterns and make you run them. I learned a lot of my DynamoDB from all three, and it stuck because I was building as I went. That last part is the bit that's hard to come by on your own. Reading about an access pattern and having it in your fingers are different things, and to run one - build the table, write the items, fire the query and see what comes back - you need an AWS account, or a local emulator installed and seeded. Enough friction that plenty of people read about single-table design without ever building one. There was a second thing pulling the same way. dynoxide had learned to run in the browser only last month, compiled to WebAssembly with no server behind it, and it was a preview I didn't fully trust. What it needed was a real
AI 资讯
Setting up the Agent Toolkit for AWS in Kiro (and Codex, Claude Code, and Cursor)
If you've let a coding agent loose on AWS, you've watched it guess. It invents API parameters that don't exist, or hands you an S3 bucket a security review will bounce on sight. The Agent Toolkit for AWS is built to stop that. By the end of this post you'll have it running in whatever editor you use, plus a tour of what's in it and three workflows worth pointing it at. I use Kiro day to day, so I'll walk through that setup first. It also works with Codex, Claude Code, Cursor, and any other agent that speaks MCP, the Model Context Protocol, which is the open standard agents use to connect to outside tools and data. I'll cover those too. What is the Agent Toolkit for AWS? The Agent Toolkit for AWS is a free, AWS-supported set of tools that gives AI coding agents secure access to AWS, current documentation they can read mid-task, and tested procedures for the work they tend to fumble. It plugs into the agent you already use rather than asking you to switch. In practice, that shows up in a few ways, all detailed in the AWS user guide . The agent stops guessing about APIs it never saw. The models behind these agents trained on data that's months or years old, so anything AWS shipped recently is missing or wrong in their heads, and the toolkit hands them current docs and references at request time. For multi-step work like least-privilege IAM or a production serverless stack, it follows a vetted skill instead of reconstructing the steps from half-memory. Every call goes through your own IAM credentials, shows up in CloudWatch, and gets logged to CloudTrail, so you can scope an agent to read-only even when your role can write. And the toolkit costs nothing on its own; you pay only for the AWS resources the agent creates. It's the successor to the MCP servers, skills, and plugins AWS shipped under AWS Labs in 2025. Two things make me reach for it over a raw MCP setup: condition keys that let a policy tell an agent apart from a human, and skills that have been evaluated end
AI 资讯
AWS Launches Lambda MicroVMs for Isolated Agent and User Code Execution
AWS launched Lambda MicroVMs, a new serverless compute primitive that runs each user session or AI agent in its own Firecracker virtual machine with hardware-level isolation, snapshot-based rapid launch, and state preservation for up to eight hours. Reddit community analysis found the minimum setup costs $3.03/day, roughly 9x Fargate spot pricing. By Steef-Jan Wiggers