
Simon and Gillian keep you up to date with all the latest releases and capabilities!
A
This is episode 738 of the AWS Podcast, released on September 22, 2025.
B
Hello everyone and welcome back to the AWS Podcast. Simon Elisha here with you. Great to have you back. And I'm joined by my co-host, Gillian Ford. G'day, Gillian. How you doing?
A
G'day, Simon. It's always a good day when it's podcast day.
B
It is always a good day. And it's always a good day when we actually get to both be on the podcast at the same time. It hasn't happened lately for various travel reasons and the like, but here we are.
A
It's always lonely when you're doing it by yourself.
B
It is. It lacks the interaction. So, speaking of interaction and discussions, we were talking just before the show about a couple of things that really caught our eye in this week's updates. And one of them is Amazon Bedrock now supporting global cross-region inference for Anthropic Claude Sonnet 4. Now this is interesting because it kind of builds upon the cross-region inference that we had before. Basically what it means is it can route your inference request to any supported commercial AWS region for processing and handling that query, which means you get better throughput, you get better availability, et cetera. Now in the past you had sort of regional addresses you could use; these are the cross-region inference profiles tied to a particular geography, like US, EU, APAC. Now you can just say global. And this is really useful for the situation where you don't care where it's processed; it's just, I just want it processed. And this gives you huge amounts of access to capacity, et cetera, which I think is pretty cool.
A
I think so too. I think this is definitely something where if you're using Sonnet 4, I don't really see a reason why you wouldn't want to enable this.
B
Yeah. I mean, unless you've got a particular reason. Some people do; working in public sector, we sometimes have reasons where things need to be in particular regions, or, yeah, certain requirements. But if you don't, then you'd be mad not to just change one configuration, which is the inference profile. That's what's nice about it. It's literally one little tiny change, which should be parameterized in your code anyway. And you get access to a globe full of AI, which makes life a bit easier.
A
Totally. And the other update which is super exciting: so for all the Postgres people that are loving all things Aurora, there is a new version update with Postgres 16.9 for Aurora Postgres Limitless. Super exciting.
B
It's cool, isn't it? Because Limitless is really interesting because it gives you distributed query planning, transaction management, all that good stuff. But it's a serverless endpoint, and so you don't have to manage it. This is like this, you know, combination of relational database structure with the performance profiles and capabilities and nuances of a key-value store like a Dynamo. And so you're kind of getting a bit of each, which is kind of fancy.
A
It really is. I mean, I think it's so cool that you could, like, have a budget, but if you also want the flexibility of being able to scale up and down, of like, oh, what if I actually need to scale compute resources? And you'd be able to do both within Aurora Limitless.
B
Yeah, it's a really, really good option. And again, if you're familiar with Postgres, you can just use it. So we like that.
A
That's right.
B
Well, Jillian, launch us off. We've got analytics to start with today.
A
All right, first one is AWS Clean Rooms now supports the ability to add data provider members to an existing collaboration, offering customers enhanced flexibility as they iterate on and develop new use cases with their partners. AWS Clean Rooms also supports configurable compute size for PySpark, offering customers the flexibility to customize and allocate resources to run PySpark jobs based on their performance, scale and cost requirements. AWS Clean Rooms ML now supports redacted error log summaries.
B
Now let's move on to application integration. One quick update there. Amazon MQ now supports the OAuth 2 plugin for RabbitMQ. This makes it easy for you to authenticate and connect things. And now let's move on to artificial intelligence. A few updates there. Surprise, surprise. We've added support for three new condition keys to govern your API keys for Amazon Bedrock. So this helps you control the generation, expiration and the type of API keys available. So you can have short-term API keys valid up to 12 hours, or long-term API keys, which are IAM service-specific credentials for use with Bedrock only. So this gives you a whole bunch of new control. I'm not going to explain it all to you now, but if you're using the API key, this gives you more management capability. We're introducing improved AI assistance in Amazon SageMaker Unified Studio. So now it integrates MCP servers, and that means that Amazon Q Developer is aware of your SageMaker Unified Studio project resources. So these new capabilities give you much more relevant responses. So things like code refactoring, file modification, troubleshooting. It's all about context and understanding, and this makes it a lot easier and better. Amazon SageMaker Unified Studio also announces the general availability of custom blueprints. So this allows you to use your own managed policies, as per your corporate security requirements, to create a project role in SageMaker Unified Studio. And Amazon SageMaker Catalog adds support for governed classification with restricted terms. So this is something that only authorized users or groups can use to classify information. So this helps you manage, again, the processing of information through the system itself. TwelveLabs Marengo Embed 2.7 can now be used for synchronous inference in Amazon Bedrock. So this is a multimodal embedding model that delivers low-latency text and image embeddings directly within the API response. So this is pretty cool in terms of that real-time experience.
And Amazon Bedrock AgentCore Gateway supports AWS PrivateLink invocation and invocation logging, so now you can get access to it from your VPC without going through the public Internet. And also you can get visibility to each invocation log, so you can do deep dives and audits. Amazon Q now supports directly selecting LLMs in the Connect web UI. So this means that there is a no-code approach that allows you to choose between LLM model families, so you can choose what fits. So for example, you might use Amazon Nova Pro for faster response times or Anthropic Claude Sonnet for complex reasoning tasks. Mix and match as you need. AWS HealthImaging now supports OpenID Connect, or OIDC, authentication for DICOMweb APIs. And we're announcing managed tiered checkpointing for Amazon SageMaker HyperPod. So this reduces model recovery time to minimize loss in training progress. So when you train AI models, it's huge farms of servers that do that, and when you have lots of stuff, the likelihood of failures increases. So checkpointing means you don't have to do lots of rework; you can just keep on trucking. Now traditional checkpointing methods can be very resource intensive, particularly for large models. The way that SageMaker HyperPod's managed tiered checkpointing works is it uses CPU memory to store frequent checkpoints for rapid recovery, while periodically persisting data to Amazon S3 for long-term durability. So this significantly minimizes training loss and significantly reduces the time to resume your training after your failure. So this is really important if you're trying to train big models. Let's talk about business applications. Amazon Connect adds detailed disconnect reasons for improved call troubleshooting, so you can understand what happened. And some updates on compute. The Amazon ECS console now supports ECS Exec, which means you can open secure interactive shell access directly from the AWS Management Console to any running container.
So often you need to jump into the container to figure out what's going on. This allows you to do that easily without having to have inbound ports or SSH key management, et cetera. You could do this previously through the API, the CLI, the SDKs, but now if you're a GUI kind of person, you can get access to it. And Amazon ECS enhances task definition editing in the AWS Console with Amazon Q Developer. So it's a bit easier to get it up and running, and it can work more efficiently in terms of getting the right things in there. Amazon EC2 announces AMI usage to better monitor the use of AMIs. I like this one. This gives you enhanced visibility to understand the AMI usage patterns across your infrastructure. You could do this before, but you had to write your own scripts to do that. Now it'll just generate a report and say, here are all the EC2 instances and launch templates, here's where you're using it, et cetera. Super useful. And it's available to all customers at no additional cost, which we like. And AWS Elastic Beanstalk now supports IPv6 in dual-stack configuration for Application and Network Load Balancers. The march of IPv6 continues. It's here. It's the year of IPv6.
A
Next up, we've got databases. Amazon RDS now supports the latest GDR update for Microsoft SQL Server. And if you are wondering, like me, what GDR stands for, it is General Distribution Release. Updates: there's a lot of those. You can definitely check out the What's New page if you want to see all of them. Amazon RDS for Postgres 18 Release Candidate 1 is now available in the Amazon RDS Database Preview Environment. This allows you to evaluate the pre-release of Postgres 18 on Amazon RDS for Postgres.
B
I really like these preview environments. I think they're so important, and I don't think we talk about them enough. Because if you think about it, in a traditional enterprise environment, upgrading a database or moving to a new version is a big deal, and you kind of want to test that really heavily. And what this preview environment does is gives you the latest access to, like, the cutting-edge version of something, so you can kind of see, well, is it going to help my application? Is it something we should worry about, et cetera. And because it's RDS, it's like spin it up, do what you need to do, turn it off. You know, you don't have to have these big conversations around budget and needing some servers and some storage. So I think if you know you want to keep your database relatively fresh in terms of its version capability, this lets you go right to the end of the freshness scale.
A
That's a really good call-out, because at least for this one in particular, there are observability improvements and index lookups during query execution. But there's always: here's what the improvements are; now test it in your environment to see, do you actually get this? Your mileage might vary. Totally. Amazon Neptune now supports public endpoints for simplified development access. With public endpoints, developers can securely access their Neptune databases from outside the VPC, eliminating the need for VPN connections, bastion hosts or other networking configurations. I'm sure these are all things that anyone who has connected to a database can relate to and be very excited about. Amazon RDS for Oracle introduces bare metal instances with 25% lower pricing compared to equivalent virtualized instances. So the M7i, R7i, X2iedn, X2idn, X2iezn, M6i, M6id, M6in, R6i, R6id and R6in bare metal instances in particular. So look out for those if you are someone that's looking to utilize bare metal instances. RDS Proxy now supports IPv6. Amazon Neptune Analytics is now supported as a graph store in NetworkX. So the NetworkX APIs automatically offload graph algorithm workloads to Neptune's scalable, high-performance analytics engines. So this is going to make it simple to scale your graph computations on demand without having to refactor code. It's going to make it just a lot simpler; so when these data sets that you're used to grow beyond the limits of a local environment, before, customers had to use these third-party services. But now it's just a lot simpler, especially with zero-ETL and the infrastructure management that Neptune does behind the scenes. Next topic is developer tools. AWS launches LocalStack integration in Visual Studio Code, enabling developers to easily test and debug serverless applications in their local IDE.
With this new integration, developers can use LocalStack to locally emulate and test their serverless applications using the familiar VS Code interface, without switching between tools or managing complex setup. We've got one update in the Internet of Things. AWS IoT SiteWise now supports retraining of anomaly detection models. This release includes automated model retraining, flexible promotion models and exposed model metrics, which are all designed to enhance the anomaly detection feature. The automated retraining capability allows models to be automatically retrained on a schedule ranging from a minimum of 30 days to a maximum of one year. So this means no more manual retraining.
B
Nice, nice. Let's talk about management and governance. AWS Config now supports resource tags for IAM policies, so you get even more granularity on your metadata. So you can use this to assess, audit and evaluate your configurations of your IAM policies. A reminder: you should always set nice broad guardrails for folks, and AWS Config lets you do this, so you can say, hey, within these parameters, do your stuff. But you should also review when you bump into, or your users are bumping into, those AWS Config rules and evaluate: is the rule the right rule, or are we getting in the way of folks? Always important to think about that. Amazon CloudWatch query alarms now support monitoring metrics individually, so by dynamically including metrics to monitor via a query, this new capability eliminates the need to manually manage separate alarms for dynamic resource fleets, so it can be far more autonomous and auto-scaled. Amazon Managed Service for Prometheus adds quota visibility through AWS Service Quotas and CloudWatch, so if you need more, that's the place to get it. And AWS Config now supports five new resource types, so you can manage even more stuff. You can now validate best practice compliance for SAP with AWS Systems Manager, so this will allow you to automatically assess SAP applications running on AWS against standards, proactively identifying misconfigurations and recommending specific remediation steps, which is nice. Amazon CloudWatch now supports querying metrics data up to two weeks old, so this new capability allows you to display, aggregate or slice and dice metrics data older than 3 hours for enhanced visualization and investigation. So in the past you could do up to three hours. Now you can do a whole lot more. And you can do this without any additional cost. There's no increase in cost for the ability to query, and it means you get access to more data.
CloudFormation Hooks adds managed controls and a hook activity summary, so when using CloudFormation, customers can configure these controls to run in a warn mode, which means you can test the controls without blocking deployments. I highly recommend this, and then you can implement it. Now this means you have less manual errors; you can have comprehensive governance across the board. And we've also introduced a new Hooks invocation summary page in the CloudFormation console, so you can see everything that was hooked and when it passed, warned or failed as well. So this is lots of control that you have. We're also happy to announce AWS Cloud Development Kit, or CDK, CLI Refactor in preview, so this enables safe infrastructure refactoring through the new CDK refactor command. This is interesting. Let's dive into this one. So this feature allows developers to rename constructs, move resources between stacks, and reorganize CDK applications while preserving the state of deployed resources. That ain't easy. By leveraging AWS CloudFormation's refactor capabilities with automated mapping computation, CDK Refactor eliminates the risk of unintended resource replacement during code restructuring. I have been burnt by that myself. Previously, infrastructure as code maintenance often meant reorganizing resources and improving code structure, but it was hard to replace existing resources due to logical ID changes. With the CDK Refactor features, developers can confidently implement architectural improvements like breaking down monolithic stacks, introducing inheritance patterns, or upgrading to high-level constructs without complex migration procedures or risking downtime of stateful resources. So this is very cool, in preview at the moment. Take a look. And we're happy to announce the general availability of organizational notification configurations for AWS User Notifications.
This launch allows AWS Organizations users to centrally configure and view notifications across the organization.
A
Well, that CDK Refactor launch is definitely going to give people a reason to want to listen to the update show to find out when it's going to come out.
B
Yeah, that's the thing.
A
Yeah, that's a really good one for sure. And speaking of other really good things, let's talk about media services. AWS Elemental MediaConvert now integrates with Time-addressable Media Store, enabling customers to temporarily reference and extract media asset segments. This capability allows MediaConvert customers to work more efficiently and meet quick turnaround deadlines. Amazon Interactive Video Service now supports media ingest via interface VPC endpoints powered by AWS PrivateLink. Next topic is networking and content delivery. Amazon CloudWatch Network Monitoring adds flow visibility between regions. Flow monitors provide near real-time visibility of network performance for workloads between compute instances such as EC2 and EKS and AWS services such as S3 and Amazon DynamoDB. Flow monitors provide metrics to help you rapidly detect and attribute network-driven impairments for your workloads. So now with this release, flow monitors help you to assess whether network performance issues on the AWS Global Network between a local and a remote region are impacting your workloads. Because the flow monitor's Network Health Indicator now also captures the health of the AWS Global Network on your workload's network path between regions, you can quickly identify whether impairments in a local region, in the AWS Global Network, or in the remote region are affecting your workloads. Wow. I would say this is definitely one that I think everyone should start utilizing. I mean, it's kind of a no-brainer. Simon, what do you think?
B
Yeah, it's really important to understand what's going on, and this lets you see it. So I agree. As soon as I saw this, I thought, yep, doing that.
A
Exactly. All right, now we've got Amazon CloudWatch Observability Access Manager now supports VPC endpoints. The new VPC endpoints enhance your security posture by keeping traffic between your VPC and CloudWatch OAM, also known as Observability Access Manager, within the AWS network, eliminating the need to traverse the public Internet. Very good idea. You can use Observability Access Manager to create and manage links between source accounts and monitoring accounts, enabling you to monitor and troubleshoot applications that span multiple accounts within a region. Wow, that is very useful. With the new VPC endpoints, you can establish secure, private and reliable connections between your VPC and CloudWatch Observability Access Manager. This allows you to maintain private connectivity, IPv6 and IPv4. And of course, you can use AWS PrivateLink to keep everything nice and secure. Amazon CloudFront expands its IPv6 capabilities by introducing support for IPv6 connectivity to origin servers. Amazon CloudFront launches a TLS security policy with post-quantum support. Amazon CloudFront now supports Elliptic Curve Digital Signature Algorithm. Wow. Try saying that really fast.
B
They're five times fast.
A
Five times fast. For signed URLs and signed cookies, providing customers with enhanced performance and security for content access control. Next topic is security, identity and compliance. AWS WAF now includes 500 megabytes of CloudWatch Logs vended logs ingestion for every 1 million WAF requests processed at no additional cost. This helps customers better manage their WAF logging costs while maintaining comprehensive security visibility. WAF logs in CloudWatch provide valuable insights for security analysis, compliance and troubleshooting. Customers can leverage CloudWatch's advanced analytics capabilities, including Logs Insights queries, anomaly detection and dashboards, to monitor and analyze their web application traffic patterns and security events. This included logs allocation is automatically applied based on WAF request usage on your AWS bill at the end of the month. AWS announced the general availability of Amazon GuardDuty custom threat detection using entity lists. This new feature enhances threat detection capabilities in GuardDuty by extending support to incorporate your own domain-based threat intelligence into the service. Beyond the originally supported custom IP lists, you can now detect threats in GuardDuty using malicious domains or IP addresses defined in your custom threat list. As part of this update, GuardDuty introduces a new finding type, which is Malicious Domain Request Custom. This is triggered when an activity related to a domain in your custom threat list is detected. You can use entity lists to suppress alerts from trusted sources, giving you greater control over your threat detection strategy. AWS Directory Service for Microsoft Active Directory now offers certificate auto-enrollment for LDAPS and smart card and certificate-based authentication with AWS Private Certificate Authority.
B
The last topic for today is storage. AWS Backup now lets you choose whether to include access control lists and object tags when backing up your Amazon S3 buckets. Previously, AWS Backup included these metadata components for all objects by default. Now you can customize your backup approach based upon your recovery needs. So you only include the metadata you need for the recovery, which just makes it cleaner when you're bringing things back up. And let's face it, when you're restoring from a backup, you're not feeling great. So making things easier is a good thing. Gillian, there was a lot this week.
A
Like, a lot. That was a lot. I mean the CDK Refactor, like all those CloudWatch updates, like those were big.
B
They were big, and I really like that GuardDuty one as well. I think if you're not running GuardDuty, I haven't reminded face right? You should turn it on.
A
I agree.
B
It's amazing what it can find, so definitely worth doing, and it gives you that extra level of control. Gillian, how do folks reach out to you?
A
Gillian Ford on LinkedIn. That sounds good.
B
And of course, if you want to go old school, AWSPodcast.com is the place to do it. And until next time, keep on building.
Date: September 22, 2025
Hosts: Simon Elisha & Gillian Ford
This episode features Simon Elisha and Gillian Ford recapping the latest AWS service launches and enhancements. The main themes include expanded global AI and database capabilities, analytics and developer experience updates, enhancements in security and networking, and new features across core AWS services. The hosts offer explanations, practical guidance, and personal takeaways, making this episode particularly insightful for AWS practitioners and architects.
“It’s literally one little tiny change which should be parameterized in your code anyway. And you get access to a globe full of AI...”
— Simon, [01:00]
“If you're using Sonnet 4, I don't really see a reason why you wouldn't want to enable this.”
— Gillian, [01:34]
“If you… want the flexibility of being able to scale up and down… you could be able to do both within Aurora Limitless.”
— Gillian, [03:02]
“Checkpointing means you don’t have to do lots of rework, you can just keep on trucking.”
— Simon, [07:55]
“Preview environments... let you go right to the end of the freshness scale.”
— Simon, [10:00]
“That ain’t easy... This is very cool in preview at the moment.”
— Simon, [17:30]
“As soon as I saw this, I thought, yep, doing that.”
— Simon, [20:03]
“…if you're not running GuardDuty, I haven't reminded face right? You should turn it on.”
— Simon, [24:33]
This episode brims with major AWS service evolutions — notably in AI, database scaling, observability, developer tools, and security. Simon and Gillian provide the technical context plus practical tips, emphasizing how simple configuration changes (like global inference or AMI usage reporting) can have a big impact. The release of CDK Refactor, enhancements to GuardDuty, and expanded analytics and governance features stand out.
For professionals managing or developing on AWS, adopting these updates will streamline operations, enhance scalability, and offer better control and visibility across cloud environments.