<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: will peixoto</title>
    <description>The latest articles on DEV Community by will peixoto (@_willpeixoto).</description>
    <link>https://dev.to/_willpeixoto</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F500557%2F90d05836-31da-4959-86f5-ae678b03b74d.jpeg</url>
      <title>DEV Community: will peixoto</title>
      <link>https://dev.to/_willpeixoto</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/_willpeixoto"/>
    <language>en</language>
    <item>
      <title>AWS MCP Server: which one to use, when, and how to set it up (now that AWS recommends just one)</title>
      <dc:creator>will peixoto</dc:creator>
      <pubDate>Tue, 14 Jul 2026 13:30:16 +0000</pubDate>
      <link>https://dev.to/aws-builders/aws-mcp-server-which-one-to-use-when-and-how-to-set-it-up-now-that-aws-recommends-just-one-3b7</link>
      <guid>https://dev.to/aws-builders/aws-mcp-server-which-one-to-use-when-and-how-to-set-it-up-now-that-aws-recommends-just-one-3b7</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Knowledge MCP vs the managed AWS MCP Server, IAM, and the setup in Claude Code, the Claude app, and Kiro without pasting a key into &lt;code&gt;.env&lt;/code&gt;.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;em&gt;🇧🇷 Também disponível em português:&lt;/em&gt; &lt;a href="https://willpeixoto.dev/aws-mcp-server-qual-usar-quando-e-como-configurar-os-dois-servidores-explicados" rel="noopener noreferrer"&gt;&lt;em&gt;AWS MCP Server: qual usar, quando e como configurar&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let me tell you a scene. I bet you've lived it.&lt;/p&gt;

&lt;p&gt;It's 11pm, you're coding with an AI sitting right next to you. You ask it something and it swears the thing exists: it makes up a service, a name that sounds a lot like something you've built before, even an implementation it promises works, with the full how-to. And you think: huh, didn't know that one, let me check the docs because it makes total sense. And bang, you find out it was hallucinating. It was writing Lambda code calling an AWS service from a function that doesn't exist, wiring up the DynamoDB table, building the IaC, the whole thing. Then it asks to "take a look at your account's current config" to validate the names, and you hit the wall everyone hits.&lt;/p&gt;

&lt;p&gt;The agent, besides hallucinating, has no access to your account. It can't see your resources, it has no idea what's actually there. So it does what it does best: it's creative, it's proactive, and it invents something to make you happy. To it, that thing makes sense to exist, so it assumes it exists. The little guy doesn't even blush: it hands you an ARN that doesn't exist, picks a region you don't use, and guesses a table name. There it goes. It's doing exactly what it was built to do, which is make you happy.&lt;/p&gt;

&lt;p&gt;And you, tired of fighting with it and just wanting to wrap up, do what? You paste an access key into a &lt;code&gt;.env&lt;/code&gt; so it can "just see the account for a second" and give you everything right, with the real names. Who's never done that?&lt;/p&gt;

&lt;p&gt;And it's all fine, except for one detail: you forget you did it. And bang, the &lt;code&gt;.env&lt;/code&gt; went along in the commit. It's already in the git history, alerts firing everywhere, the usual mess. The key is exposed now. And that's also how your agent, in that moment where it seems to want to punish you or decided to be a little too proactive, gets real access to your account and, who knows, decides to delete the wrong stack. Or it's just the surprise bill of forty bucks in a single day, which turns into a much worse number when nobody's watching. I've been through this. You probably have too.&lt;/p&gt;

&lt;p&gt;The good news is that AWS solved this. Actually, it solved it two different ways, with names so similar they confuse a lot of people. This post is the map I wish I'd had: what the two are, which pain each one kills, and when and how to use each. Let's go.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Freshness note:&lt;/strong&gt; the MCP world moves fast. I wrote this guide in June 2026 and already had to update it in July 2026, when the connection flow changed (the version you're reading has direct OAuth). I'll do my best to keep it current as things ship, but if something doesn't match the screen in front of you, check the &lt;a href="https://docs.aws.amazon.com/agent-toolkit/latest/userguide/mcp-server.html" rel="noopener noreferrer"&gt;official docs&lt;/a&gt; and tell me in the comments so I can fix it.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What you'll walk away knowing
&lt;/h2&gt;

&lt;p&gt;So you don't get lost, here's what we cover:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The difference between the two AWS MCP servers and which pain each one solves&lt;/li&gt;
&lt;li&gt;How to connect it in Claude Code, the Claude app, and Kiro, step by step&lt;/li&gt;
&lt;li&gt;How to set up your account's IAM to grant access safely&lt;/li&gt;
&lt;li&gt;When NOT to use it, and how to avoid a nasty surprise on your bill&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  But what is MCP, anyway?
&lt;/h2&gt;

&lt;p&gt;Before talking about the servers, let's level set.&lt;/p&gt;

&lt;p&gt;MCP (&lt;a href="https://modelcontextprotocol.io" rel="noopener noreferrer"&gt;Model Context Protocol&lt;/a&gt;) is the "plug" your AI assistant uses to talk to the outside world: tools, data and services. Anthropic created it, it's under open governance now, and over the last year every assistant worth using (Claude Code, Kiro, Cursor) started speaking MCP.&lt;/p&gt;

&lt;p&gt;Want an easy analogy? Think about the API. The API is what lets two applications talk to each other. MCP is the same idea, just for the agent: it's what lets the AI talk to any tool without you having to build a custom integration for every single system. MCP connects the agent to the system through a standard everyone agreed to use. And that's the nice thing about a standard: you learn it once and it works for any tool and any client. So if you want to give an AI access to your system, this is the path to follow.&lt;/p&gt;

&lt;p&gt;And here's something that makes life a lot easier: for most cases, you don't even need to build your own MCP server. You can build one, sure (on Lambda, on Fargate, whatever you prefer), and AWS even has an &lt;a href="https://aws.amazon.com/solutions/guidance/deploying-model-context-protocol-servers-on-aws/" rel="noopener noreferrer"&gt;official guidance for that&lt;/a&gt; if that's your case. But AWS already runs managed servers ready to go, so a lot of the time you just plug in and use it. Building your own makes sense when the goal is different: exposing your own internal system (an API, a runbook, an alert) to the agent.&lt;/p&gt;

&lt;h2&gt;
  
  
  The two AWS MCP servers
&lt;/h2&gt;

&lt;p&gt;Yep, there are two. And the names don't help at all. Here's everything in one table, then I break down each one:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;AWS Knowledge MCP Server&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;
&lt;strong&gt;AWS MCP Server&lt;/strong&gt; (managed, GA)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;What it solves&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;"My agent hallucinates AWS APIs, ARNs and service names."&lt;/td&gt;
&lt;td&gt;"My agent needs to see or act on my account, without me leaking a key."&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;What it accesses&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Only AWS docs and knowledge (read-only)&lt;/td&gt;
&lt;td&gt;Docs + real services in &lt;em&gt;your&lt;/em&gt; account (authenticated)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Credentials&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;None. You don't even need an AWS account.&lt;/td&gt;
&lt;td&gt;AWS browser sign-in (OAuth) or AWS CLI (SigV4)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Audit&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Not applicable&lt;/td&gt;
&lt;td&gt;CloudTrail + CloudWatch&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Use it when&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;You want correct syntax, current docs, regional availability&lt;/td&gt;
&lt;td&gt;You want the agent inspecting or operating real infra&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Risk if misused&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Basically zero&lt;/td&gt;
&lt;td&gt;Real. It's your account. Least-privilege matters.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;If you keep one sentence from this post, keep this one:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;One server gives your agent knowledge. The other gives it hands.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Figuring out which problem you actually have is half the battle.&lt;/p&gt;

&lt;p&gt;Want another analogy? The Knowledge server is the guru: that friend who memorized the entire AWS documentation and clears up your doubt on the spot. The managed one is the doorman checking badges: it lets you into the account for real, but it stands there checking and only opens the doors IAM authorized. Name doesn't match the badge? You don't get in.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Where does this run?&lt;/strong&gt; The AWS MCP Server is remote, and what connects to it is the MCP client: Claude Code, the Claude app (Desktop and claude.ai), Kiro, Cursor, or your own agent's code (Strands, SDK). That holds even with inference running on Bedrock, because the client is the application, never the model. A production agent on AgentCore, though, typically consumes tools through the AgentCore Gateway (which also speaks MCP) or your own MCP server. That production scenario is a topic for another post in this series.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Server #1: AWS Knowledge MCP Server
&lt;/h2&gt;

&lt;p&gt;What this server does is simple: it's remote, fully managed, and it gives the model structured access to the official docs, always current. And that "current" is the point. What the model knows on its own stops at its training date, so it has no clue about what came after and ends up guessing. AWS keeps this server in sync, so it becomes your source of truth: it searches the docs, returns the page as clean markdown, checks whether a service exists in a region, and lists the current regions. Read-only, it doesn't write or touch the account.&lt;/p&gt;

&lt;p&gt;Why is it almost a no-brainer to turn on? Because there's no credential, and no AWS account needed. Nothing to protect, nothing to leak. The risk is basically zero and the payoff is the agent stops guessing and starts citing the real docs before it spits out the CDK.&lt;/p&gt;

&lt;p&gt;Use it when you're learning a service, designing the architecture you want to build and validating the idea, checking syntax, generating IaC you actually trust, or answering "is this in my region yet?" without opening the browser. Connecting is pasting a URL: add &lt;code&gt;https://knowledge-mcp.global.api.aws&lt;/code&gt; as a remote (HTTP) server in your client and that's it, no credentials at all. With it on, the agent checks the live docs before spitting out the CDK instead of guessing from training. Hallucinated ARNs drop off a cliff. Pretty good, right?&lt;/p&gt;

&lt;h2&gt;
  
  
  Server #2: AWS MCP Server, the managed one (reads and operates the account)
&lt;/h2&gt;

&lt;p&gt;This is the one that cures the &lt;code&gt;.env&lt;/code&gt; shame.&lt;/p&gt;

&lt;p&gt;The pain is different: the agent needs to see or do something in the account for real. Read the CloudWatch logs of the function that's breaking, list what's actually in the bucket, check the real schema of the DynamoDB table. The old "solution" was to hand it a long-lived credential. That's the part that keeps the security folks up at night. And honestly, it should keep you up too.&lt;/p&gt;

&lt;p&gt;What this server does: it's remote, hosted and managed by AWS, and it gives the agent authenticated access to AWS services through a small, fixed set of tools. No local install, automatic updates, and (this part I really like) every call lands in CloudTrail. The agent doesn't get a master key. It authenticates as you, through a real auth flow, on an IAM leash.&lt;/p&gt;

&lt;p&gt;The auth flow in plain English: there are two paths now, and the newer one is the simpler one. Today the server speaks &lt;strong&gt;OAuth directly&lt;/strong&gt;. You add the URL to your client, the first tool call opens the browser on AWS Sign-in, you log in with your usual identity, done. The token lasts 1 hour and refreshes itself for up to 12. No proxy, nothing to install.&lt;/p&gt;

&lt;p&gt;The second path is &lt;strong&gt;SigV4 with &lt;code&gt;mcp-proxy-for-aws&lt;/code&gt;&lt;/strong&gt;, an open source proxy that runs on your machine, takes your local AWS CLI credentials, and signs every call. It still exists and it has its moment: multiple accounts in the same session, read-only mode (hiding write-capable tools from the agent), a fixed default region, or an org that blocks the OAuth permissions (&lt;code&gt;signin:AuthorizeOAuth2Access&lt;/code&gt; and &lt;code&gt;signin:CreateOAuth2Token&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;Either way the outcome is the same: you don't paste a key anywhere, the agent acts with your identity, and everything respects your IAM. Documentation search, by the way, needs no credentials at all.&lt;/p&gt;

&lt;p&gt;The OAuth flow, step by step:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;You attach the &lt;code&gt;AWSMCPSignInOAuthAccessPolicy&lt;/code&gt; managed policy to your role or user (once).&lt;/li&gt;
&lt;li&gt;You add the server URL to your client and fire the first call.&lt;/li&gt;
&lt;li&gt;The browser opens on AWS Sign-in, you authorize, and the client keeps the token (1 hour, auto-refresh up to 12).&lt;/li&gt;
&lt;li&gt;The server applies the context keys and forwards to the AWS service.&lt;/li&gt;
&lt;li&gt;IAM authorizes via your policy and responds.&lt;/li&gt;
&lt;li&gt;The whole call is logged to CloudTrail.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The "ohhh, got it" moment is this: ask "why did &lt;code&gt;checkout-prod&lt;/code&gt; start throwing 500s after 2pm?" and watch the agent pull the real CloudWatch logs, cross-reference a recent deploy, and point at the actual resource. All inside what IAM allows, all auditable, with no key in any dotfile. And it works with what you already use: Claude Code, Kiro, Cursor, any MCP-compatible client.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to connect: Claude Code, the Claude app, and Kiro
&lt;/h2&gt;

&lt;p&gt;Now the practical part. The OAuth path has a single prerequisite: the identity you'll use needs the sign-in managed policy. Attach it once and forget it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;aws iam attach-role-policy &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--role-name&lt;/span&gt; MyRole &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--policy-arn&lt;/span&gt; arn:aws:iam::aws:policy/AWSMCPSignInOAuthAccessPolicy
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;(If you use an IAM user instead of a role, it's &lt;code&gt;attach-user-policy&lt;/code&gt; with &lt;code&gt;--user-name&lt;/code&gt;.)&lt;/p&gt;

&lt;h3&gt;
  
  
  In Claude Code
&lt;/h3&gt;

&lt;p&gt;One line, and that's really it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;claude mcp add aws-mcp https://aws-mcp.us-east-1.api.aws/mcp &lt;span class="nt"&gt;--transport&lt;/span&gt; http
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;On the first tool call the browser opens, you log in, and the agent sees the account on an IAM leash.&lt;/p&gt;

&lt;p&gt;There's also a second route: the &lt;code&gt;aws-core&lt;/code&gt; plugin. On top of the AWS MCP Server pre-configured, it brings the AWS agent skills, which are ready-made instruction packs so the agent handles CDK, serverless, containers and billing tasks well. If you want the server plus that extra context in one go, install it from Anthropic's official marketplace, which Claude Code already ships with:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;/plugin &lt;span class="nb"&gt;install &lt;/span&gt;aws-core@claude-plugins-official
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One detail that trips people up: this command runs inside Claude Code, in the terminal. The "Plugins" section in the Claude Desktop app is a different catalog, so don't go looking for &lt;code&gt;aws-core&lt;/code&gt; there (in the app, the path is the connector in the next section). The steering equivalent here is a &lt;code&gt;CLAUDE.md&lt;/code&gt; at the project root, with the same rules I show in the Kiro block below.&lt;/p&gt;

&lt;h3&gt;
  
  
  In the Claude app (Desktop and claude.ai)
&lt;/h3&gt;

&lt;p&gt;Yes, it works in the app, no terminal needed. In Claude Desktop: Settings, Connectors, "Add custom connector", give it a name (I called mine &lt;code&gt;aws-mcp&lt;/code&gt;) and paste the URL:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;https://aws-mcp.us-east-1.api.aws/mcp?oauth=initialize
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;?oauth=initialize&lt;/code&gt; suffix tells the server to kick off the OAuth flow explicitly (Cursor and Kiro IDE use the same trick). Leave the OAuth Client ID and Secret fields empty, the flow handles that. On claude.ai web it's the same URL without the suffix, in the connector settings.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvyg2c4yzz7k2zeem54tx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvyg2c4yzz7k2zeem54tx.png" alt="Adding the AWS MCP Server as a custom connector in Claude Desktop" width="800" height="597"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;On the first call, the AWS authorization screen opens:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1kcxbrkx07uyop0k1kkt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1kcxbrkx07uyop0k1kkt.png" alt="AWS Sign-in consent screen connecting the MCP client to the AWS MCP Server" width="800" height="408"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Two warnings here, because I hit them first so you don't have to:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It's not the Directory connector.&lt;/strong&gt; If you search "AWS" in Claude's connector directory, an "AWS API MCP Server" shows up. That is NOT the new managed one: it's the older &lt;code&gt;aws-api-mcp-server&lt;/code&gt; from awslabs (look at its tools, just &lt;code&gt;suggest_aws_commands&lt;/code&gt; and &lt;code&gt;call_aws&lt;/code&gt;), precisely one of the servers the official docs tell you to replace. The right path is the custom connector with the URL above. And don't run both, that's the exact tool-conflict scenario AWS warns about.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Don't authorize as root.&lt;/strong&gt; The consent screen offers "Continue with Root or IAM user" and says access follows "your existing AWS permissions". Whatever identity you use there defines the agent's blast radius. Sign in with an IAM user or a dedicated role, with the sign-in managed policy and least-privilege. Root driven by an agent is everything we don't want. And a practical red flag: if the connection worked without you attaching any policy, investigate with an &lt;code&gt;aws sts get-caller-identity&lt;/code&gt;. Either your identity is an admin, or you signed in as root, which doesn't go through IAM at all (I fell for this one too: logged in, worked on the first try, and it was root driving the whole account).&lt;/p&gt;

&lt;h3&gt;
  
  
  In Kiro
&lt;/h3&gt;

&lt;p&gt;In Kiro CLI (2.11 or later):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kiro-cli mcp add &lt;span class="nt"&gt;--name&lt;/span&gt; aws-mcp &lt;span class="nt"&gt;--url&lt;/span&gt; https://aws-mcp.us-east-1.api.aws/mcp
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In Kiro IDE, add it as a remote server with the &lt;code&gt;?oauth=initialize&lt;/code&gt; URL, or via &lt;code&gt;mcp.json&lt;/code&gt; (per project at &lt;code&gt;&amp;lt;root&amp;gt;/.kiro/settings/mcp.json&lt;/code&gt;, global at &lt;code&gt;~/.kiro/settings/mcp.json&lt;/code&gt;; when both exist, the project one wins).&lt;/p&gt;

&lt;p&gt;But config only turns the server on, it doesn't guarantee Kiro will use it. To make it prefer these tools, create a steering file at &lt;code&gt;.kiro/steering/aws-mcp.md&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight markdown"&gt;&lt;code&gt;&lt;span class="nn"&gt;---&lt;/span&gt;
&lt;span class="na"&gt;inclusion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;always&lt;/span&gt;
&lt;span class="nn"&gt;---&lt;/span&gt;

&lt;span class="gh"&gt;# Using AWS via MCP&lt;/span&gt;
&lt;span class="p"&gt;
-&lt;/span&gt; Before generating any AWS code or IaC (CDK, CloudFormation, SDK), validate
  service names, syntax and regional availability against the docs via the
  &lt;span class="sb"&gt;`aws-mcp`&lt;/span&gt; server (documentation search tool). Don't guess APIs or ARNs.
&lt;span class="p"&gt;-&lt;/span&gt; To inspect real account resources (CloudWatch logs, S3 items, DynamoDB
  schema), use the same &lt;span class="sb"&gt;`aws-mcp`&lt;/span&gt; server. Never ask for or use an access key.
&lt;span class="p"&gt;-&lt;/span&gt; Never run a destructive action (delete, scaling) without confirming first.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;inclusion: always&lt;/code&gt; makes that rule part of every Kiro conversation in that project.&lt;/p&gt;

&lt;h3&gt;
  
  
  The advanced path: SigV4 with the proxy
&lt;/h3&gt;

&lt;p&gt;If you landed on one of the SigV4 cases (multi-account, read-only mode, default region, no-OAuth org), the setup asks a bit more of your local machine: AWS CLI 2.32+ signed in with &lt;code&gt;aws login&lt;/code&gt; (credentials rotate on their own every 15 minutes, sessions up to 12 hours), &lt;code&gt;uv&lt;/code&gt; installed, and the proxy in &lt;code&gt;mcp.json&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"mcpServers"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"aws-mcp"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"command"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"uvx"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"args"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"mcp-proxy-for-aws==1.6.2"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"https://aws-mcp.us-east-1.api.aws/mcp"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"--metadata"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"AWS_REGION=sa-east-1"&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Pin the proxy version (your supply chain will thank you) and check PyPI for the current pin. The endpoint is regional (today &lt;code&gt;us-east-1&lt;/code&gt; and &lt;code&gt;eu-central-1&lt;/code&gt;); you connect to one of them and operate on resources in whatever region you pass in &lt;code&gt;AWS_REGION&lt;/code&gt;. Check the current list in the &lt;a href="https://docs.aws.amazon.com/agent-toolkit/latest/userguide/getting-started-aws-mcp-server.html" rel="noopener noreferrer"&gt;official docs&lt;/a&gt;, since this can change.&lt;/p&gt;

&lt;h2&gt;
  
  
  The security part you can't ignore
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;"Everything fails, all the time."&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Werner Vogels, Amazon CTO&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If there's one part not to skip, it's this one. Werner's right, and with an AI driving your account it's worth taking that literally: assume the agent will mess up sooner or later, and design for it. Giving it access to read and operate your account is as serious as it sounds, so it's worth doing carefully.&lt;/p&gt;

&lt;p&gt;First thing: IAM is still the boss. The managed server doesn't go over your permissions, it rides on top of them. Treat the agent like a new coworker. Or better: like that fresh intern who does everything to the letter, no questions asked, and who's so afraid of getting it wrong that they don't even stop to think. The type who, if you tell them to go find the spark stockroom to store some in a bottle, will actually go looking. Yeah, the agent is just like that too: give it too much access and it'll use it, even when it makes no sense. So, least-privilege, scoped only to what the task needs, nothing beyond that. AWS added standardized IAM context keys for these managed MCP servers, so you can write policy that knows "this call came through the MCP server" and restrict accordingly.&lt;/p&gt;

&lt;p&gt;Second: there's no long-lived key anywhere. With OAuth, what exists is a 1-hour token with automatic refresh; on the SigV4 path, temporary AWS CLI credentials that rotate on their own every 15 minutes. So no secret sits around in your shell history, your repo, or your &lt;code&gt;.env&lt;/code&gt;, which is exactly where we tend to leak them.&lt;/p&gt;

&lt;p&gt;Third: everything is auditable. CloudTrail logs every call and CloudWatch gives you the metrics. After an incident you can answer "what did the agent actually do?" with a straight face. If you can't answer that today about your current setup, that alone is reason enough to switch.&lt;/p&gt;

&lt;p&gt;And one that's still coming: VPC endpoint support, for teams that need to keep this traffic inside the network boundary. If that's a hard requirement for you, wait for it before going to production.&lt;/p&gt;

&lt;p&gt;My rule of thumb? One dedicated IAM role per agent purpose. If an agent gets compromised or goes sideways, the blast radius stops at that role. Don't reuse your admin identity. And don't hand it &lt;code&gt;*&lt;/code&gt; on &lt;code&gt;*&lt;/code&gt; "just to unblock the demo", because the demo becomes prod faster than you'd think.&lt;/p&gt;

&lt;h2&gt;
  
  
  Setting up the AWS account side (the essentials)
&lt;/h2&gt;

&lt;p&gt;On the account side it's less than it seems, because the managed AWS MCP Server doesn't create IAM actions of its own. There's no &lt;code&gt;mcp:Invoke&lt;/code&gt; to allow: it signs every call with SigV4 using your credentials and forwards it to the service, which authorizes against your usual policies. If your identity can't call &lt;code&gt;logs:GetLogEvents&lt;/code&gt;, neither can the agent. Your current permissions are the boundary.&lt;/p&gt;

&lt;p&gt;The quick-start is this: begin with a read-only identity (a dedicated role or an SSO permission set) and use the new context keys, &lt;code&gt;aws:ViaAWSMCPService&lt;/code&gt; and &lt;code&gt;aws:CalledViaAWSMCP&lt;/code&gt;, to deny destructive actions when the call comes from the agent, even if your role could do them. That way the agent reads all it wants and the dangerous verbs are blocked just for it. Then let CloudTrail show what it actually used and tighten the policy around that.&lt;/p&gt;

&lt;p&gt;A simple guardrail, just so you get the idea:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json-doc"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Statement"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Sid"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"BlockDestructiveActionsViaMCP"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Effect"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Deny"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Action"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"dynamodb:DeleteTable"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"s3:DeleteBucket"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"lambda:DeleteFunction"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Resource"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"*"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Condition"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"Bool"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"aws:ViaAWSMCPService"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"true"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This setup deserves a post of its own, done as code. Later in the series I'll publish an &lt;strong&gt;"IAM for AI agents on AWS, with CDK"&lt;/strong&gt; covering the full step by step (CLI, console and CDK), cdk-nag, org-wide SCP and multi-account. I'll link it here once it's out.&lt;/p&gt;

&lt;h2&gt;
  
  
  Which one to use: the decision changed
&lt;/h2&gt;

&lt;p&gt;When this post first went out, the answer was "depends on the pain". Three weeks later, AWS settled it: the official setup guide now recommends migrating to the AWS MCP Server and &lt;strong&gt;removing Knowledge (and the older AWS API MCP) from your configuration&lt;/strong&gt;. The reason is practical: duplicate tools confuse the agent and hurt performance, and it's the docs themselves telling you to clean up.&lt;/p&gt;

&lt;p&gt;Knowledge wasn't shut down. It's still GA, credential-free, working. One legitimate case remains: you want ONLY doc lookups, with no AWS account and nothing to authorize (studying a service, say). For everything else, it's one server: the managed one, which already does credential-free doc search and operates the account when you authorize it. Less config, fewer conflicts, same IAM leash.&lt;/p&gt;

&lt;h2&gt;
  
  
  When NOT to reach for this
&lt;/h2&gt;

&lt;p&gt;Because there's no silver bullet, and someone has to say it.&lt;/p&gt;

&lt;p&gt;Don't drop this on a production account with no guardrails. Start in a sandbox and get your IAM boundaries right before the agent can touch anything that bills or deletes. In the Frugal Architect, Werner makes the point that cost is an architecture requirement, not something to find out at the end of the month, and with an agent firing off calls that goes double.&lt;/p&gt;

&lt;p&gt;Don't grant broad permissions "for now". There's no "for now", trust me. Scope it from the first connection.&lt;/p&gt;

&lt;p&gt;And don't leave anything irreversible on autopilot. Deletes, scaling actions, money movement: keep a human in the loop. The agent proposes, you approve.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mind your region and compliance
&lt;/h2&gt;

&lt;p&gt;A few things that matter if you operate outside us-east-1 (for me, that's &lt;code&gt;sa-east-1&lt;/code&gt;, São Paulo).&lt;/p&gt;

&lt;p&gt;Before pointing the agent anywhere, confirm the services and the managed server are available in your region. And here's the nice part: that's literally a question the MCP server itself answers for you (the doc search does it, no credentials). Check it instead of assuming.&lt;/p&gt;

&lt;p&gt;On data residency and privacy laws (LGPD here in Brazil, GDPR and friends elsewhere), if the agent is going to touch resources with personal data, scope IAM so it can't read what it shouldn't, and use the CloudTrail trail as evidence of who accessed what. Auditability here isn't just good engineering, it's a compliance argument.&lt;/p&gt;

&lt;p&gt;And for small teams: that "free" CloudTrail trail is gold when you don't have a dedicated security team. You get a record of everything the agent did without building anything.&lt;/p&gt;

&lt;h2&gt;
  
  
  To wrap up
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;There are two AWS MCP servers for two pains: knowledge (stop hallucinating) and action (operate the account safely).&lt;/li&gt;
&lt;li&gt;The simple path is OAuth now: add the URL, log in through the browser, done. Works in Claude Code, the Claude app (Desktop and claude.ai), and Kiro.&lt;/li&gt;
&lt;li&gt;The managed one gets you off &lt;code&gt;.env&lt;/code&gt;: a short-lived token (OAuth) or temporary CLI credentials (SigV4), with least-privilege and everything logged to CloudTrail.&lt;/li&gt;
&lt;li&gt;The official recommendation became one server: migrate to the AWS MCP Server and drop Knowledge from your config. It's still alive for credential-free doc lookups, but running both confuses the agent.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you've been doing the &lt;code&gt;.env&lt;/code&gt; hack, relax, everyone has. But the tools to stop are right here, they're managed, and they're auditable. There's no good excuse left to keep handing your account's keys to a robot that occasionally goes off the rails.&lt;/p&gt;

&lt;p&gt;This post kicks off a series on MCP and agents on AWS. Next up I go deep on two tracks: setting up IAM as code (CDK) and OpenAI landing on Bedrock. Which one first? Tell me in the comments.&lt;/p&gt;

&lt;p&gt;Liked it? Drop a like, tell me what you think in the comments, and share it with your crew to keep the community strong. Thanks a lot for reading this far. See you in the next one? =D&lt;/p&gt;

&lt;h2&gt;
  
  
  Want to go deeper
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/awslabs/mcp" rel="noopener noreferrer"&gt;AWS's open source MCP servers (awslabs/mcp)&lt;/a&gt;, home of the Knowledge MCP Server&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/aws/agent-toolkit-for-aws" rel="noopener noreferrer"&gt;Agent Toolkit for AWS&lt;/a&gt;, where the managed AWS MCP Server lives&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/agent-toolkit/latest/userguide/mcp-server.html" rel="noopener noreferrer"&gt;AWS MCP Server, the official page&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/agent-toolkit/latest/userguide/getting-started-aws-mcp-server.html" rel="noopener noreferrer"&gt;Official AWS MCP Server setup (OAuth and SigV4)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/blogs/aws/the-aws-mcp-server-is-now-generally-available/" rel="noopener noreferrer"&gt;The AWS MCP Server is now GA (official announcement)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Prefer Portuguese? &lt;a href="https://willpeixoto.dev/aws-mcp-server-qual-usar-quando-e-como-configurar-os-dois-servidores-explicados" rel="noopener noreferrer"&gt;Read the PT version here&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://willpeixoto.dev" rel="noopener noreferrer"&gt;willpeixoto.dev&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>mcp</category>
      <category>ai</category>
      <category>security</category>
    </item>
    <item>
      <title>AWS Lambda MicroVMs: run untrusted code with VM-level isolation (no infra to manage)</title>
      <dc:creator>will peixoto</dc:creator>
      <pubDate>Wed, 24 Jun 2026 12:44:14 +0000</pubDate>
      <link>https://dev.to/aws-builders/aws-lambda-microvms-run-untrusted-code-with-vm-level-isolation-no-infra-to-manage-3i3</link>
      <guid>https://dev.to/aws-builders/aws-lambda-microvms-run-untrusted-code-with-vm-level-isolation-no-infra-to-manage-3i3</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;AWS just shipped &lt;strong&gt;Lambda MicroVMs&lt;/strong&gt;, a new serverless primitive that gives each user or session a &lt;strong&gt;VM-level isolated sandbox&lt;/strong&gt;, with near-instant launch and &lt;strong&gt;state preserved for up to 8 hours&lt;/strong&gt;, all on Firecracker. Here is what it is, when to reach for it instead of a plain Lambda Function, and how to architect on top of it.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;em&gt;🇧🇷 &lt;a href="https://willpeixoto.dev/aws-lambda-microvms-codigo-isolado-serverless" rel="noopener noreferrer"&gt;Leia em português&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Let me put you in a situation. You need to run a piece of code you did not write. Maybe it is the script your user pasted into your platform, maybe it is the snippet an AI agent just generated and wants to execute. And then comes the question that keeps anyone working with multi-tenant up at night: how do I run this without handing a stranger the keys to the house?&lt;/p&gt;

&lt;p&gt;Until last week you had three paths, each with a catch. A VM gives you strong isolation but takes minutes to boot. A container starts in seconds but shares a kernel, so running untrusted code there takes a pile of hardening. And the Lambda Function was built for short request-response, not for a session that has to keep live state between one interaction and the next (externalizing it to DynamoDB stores the data, not the live runtime: the running process, the loaded packages, the memory). In the end you chose between performance and isolation. No way around it. Or there was.&lt;/p&gt;

&lt;h2&gt;
  
  
  Container, VM, or Lambda: the trade-off none of them solved alone
&lt;/h2&gt;

&lt;p&gt;This pattern got common: AI coding assistants, interactive code environments, analytics, vulnerability scanners, game servers running player scripts. They all need the same thing: give each user their own environment to run code the team did not write, safely and without lag.&lt;/p&gt;

&lt;p&gt;The knot is that real isolation and low latency pull in opposite directions. From a security angle you want a hard boundary between tenants (the Security pillar of the Well-Architected Framework: isolate what is not trusted). From an experience angle you want that environment up the instant the user shows up. Reconciling the two was the expensive work.&lt;/p&gt;

&lt;p&gt;And there is a nice irony in this story. We spent years learning to build stateless apps, and now state is a requirement again.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The solution to the future was hiding in the past.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That is a line a friend dropped in a conversation, and it has not left my head since. Ever felt that way? Because I have. And it is roughly what Lambda MicroVMs does: it brings state back, without handing you the weight of a full VM.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Lambda MicroVMs is
&lt;/h2&gt;

&lt;p&gt;Lambda MicroVMs is a new primitive &lt;strong&gt;inside&lt;/strong&gt; Lambda, built exactly for that gap. Each MicroVM gives a single user or session its own isolated environment that boots fast, keeps memory and disk for the whole session, and pauses to a low cost when the user steps away.&lt;/p&gt;

&lt;p&gt;The magic comes from &lt;strong&gt;Firecracker&lt;/strong&gt;, the same lightweight virtualization that already runs over 15 trillion Lambda invocations a month. This is not raw new tech, it is the mature foundation of Lambda itself, exposed in a new way.&lt;/p&gt;

&lt;p&gt;The model is &lt;strong&gt;image-then-launch&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzr3z1cwd5n28mnspugkj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzr3z1cwd5n28mnspugkj.png" alt="lambda microvm lifecycle " width="799" height="155"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You build the &lt;strong&gt;image&lt;/strong&gt; once (AWS runs your Dockerfile, initializes the app, and takes a snapshot of memory and disk). After that, every MicroVM you launch resumes from that snapshot instead of cold-booting. That is why launch and resume are near-instant, even for a multi-gigabyte session.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it is actually for (with examples you will recognize)
&lt;/h2&gt;

&lt;p&gt;The main cue: this only enters the picture if you are &lt;strong&gt;building a platform that runs third-party code&lt;/strong&gt;. If your app does not execute outside code, you do not need it. It is a building block for people who build that kind of product:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Replit, CodeSandbox, "VS Code in the browser":&lt;/strong&gt; the user types code in the browser and it runs isolated, per user, holding state while the tab is open. That "runs isolated" is the MicroVM.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Code interpreter (like ChatGPT's or Claude's):&lt;/strong&gt; you ask "plot this CSV", the AI writes Python and &lt;strong&gt;runs it&lt;/strong&gt; to answer you. The runtime that executes that generated code, isolated per conversation, is the use case.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CI/CD runner (and relatives):&lt;/strong&gt; a job runs the code of a Pull Request that may come from any stranger's fork, untrusted by definition, so you want an isolated, disposable runner per job. Same family: a scanner that runs a suspicious binary, a coding-interview platform (the candidate's code runs isolated), an AI agent that runs shell commands.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The thread tying it all together: &lt;strong&gt;each user, session, or job needs its own isolated environment, and the code running there is not code you wrote.&lt;/strong&gt; That is the cue to use a MicroVM instead of a Lambda Function.&lt;/p&gt;

&lt;h2&gt;
  
  
  Lambda Function or Lambda MicroVM?
&lt;/h2&gt;

&lt;p&gt;They do not compete, they complete each other. The official comparison:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Lambda Functions&lt;/th&gt;
&lt;th&gt;Lambda MicroVMs&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Best for&lt;/td&gt;
&lt;td&gt;request-response or event-driven (APIs, data processing, automation)&lt;/td&gt;
&lt;td&gt;persistent environments running user or AI-produced untrusted code&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Programming model&lt;/td&gt;
&lt;td&gt;function handler invoked in a supported runtime&lt;/td&gt;
&lt;td&gt;any application: run your own binaries, listen on ports, use Linux OS capabilities&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Duration&lt;/td&gt;
&lt;td&gt;up to 15 min per invocation; multi-step workflows up to a year with Lambda Durable Functions&lt;/td&gt;
&lt;td&gt;up to 8 hours per session; suspend and resume across sessions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Runtime&lt;/td&gt;
&lt;td&gt;service-provided runtimes (or customer-provided)&lt;/td&gt;
&lt;td&gt;customer-provided MicroVM images&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Inbound networking&lt;/td&gt;
&lt;td&gt;direct invocations or event-source integrations; response streaming&lt;/td&gt;
&lt;td&gt;inbound access to any port using OSI Layer 7 protocols&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Concurrency&lt;/td&gt;
&lt;td&gt;one request per execution environment at a time&lt;/td&gt;
&lt;td&gt;multiple concurrent connections per MicroVM&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Environment state&lt;/td&gt;
&lt;td&gt;warm starts may reuse the environment, but state may not persist across invocations&lt;/td&gt;
&lt;td&gt;memory and disk state preserved on suspend, restored on resume&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Scaling&lt;/td&gt;
&lt;td&gt;automatic: Lambda creates and destroys environments in response to traffic&lt;/td&gt;
&lt;td&gt;developer-controlled: you create, suspend, resume, and terminate via API&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lifecycle&lt;/td&gt;
&lt;td&gt;fully managed by Lambda&lt;/td&gt;
&lt;td&gt;developer-controlled, with optional idle policies&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Pricing&lt;/td&gt;
&lt;td&gt;per-request + GB-seconds&lt;/td&gt;
&lt;td&gt;per-second of compute while running + snapshot storage while suspended&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The most common confusion: people assume the duration is the same as Lambda's. The startup is similar (both resume from a snapshot), but a Function dies at 15 minutes while a MicroVM holds a session for up to 8 hours with state intact. The real design: your app keeps Lambda Functions for the event-driven backbone, and &lt;strong&gt;calls&lt;/strong&gt; MicroVMs only for the steps that need to run untrusted code in isolation.&lt;/p&gt;

&lt;h2&gt;
  
  
  How it works in practice: from endpoint to orchestration
&lt;/h2&gt;

&lt;p&gt;Three things that trip people up at first, together.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The endpoint has a status.&lt;/strong&gt; When you call &lt;code&gt;run-microvm&lt;/code&gt;, you get an ID and a dedicated HTTPS endpoint for that MicroVM. But it is not ready instantly: it goes through states, from launch to &lt;code&gt;RUNNING&lt;/code&gt; (about 2 seconds), and when idle it moves to suspended, coming back on resume. The endpoint is per MicroVM, per session.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;One image, many MicroVMs.&lt;/strong&gt; You build the image once (&lt;code&gt;create-microvm-image&lt;/code&gt;) and each MicroVM is a &lt;code&gt;run-microvm&lt;/code&gt;. Want two? Call it twice, and you get two independent instances. Idle behavior is governed by the &lt;code&gt;idle-policy&lt;/code&gt;: &lt;code&gt;maxIdleDurationSeconds&lt;/code&gt; (suspend after X idle) and &lt;code&gt;autoResumeEnabled&lt;/code&gt; (the next request wakes the MicroVM on its own, in about 1s, no manual restart). When you are done, &lt;code&gt;terminate-microvm&lt;/code&gt; releases everything.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You become the orchestrator.&lt;/strong&gt; Since the endpoint is per session, something has to decide when to launch and where to route. Typically a Lambda Function in the backbone does it: it keeps a &lt;code&gt;session -&amp;gt; MicroVM&lt;/code&gt; map (a store like DynamoDB in production), calls &lt;code&gt;RunMicrovm&lt;/code&gt; on a user's first access, stores the ID and endpoint, mints a short-lived token with &lt;code&gt;CreateMicrovmAuthToken&lt;/code&gt;, and proxies the request to the MicroVM's endpoint with the &lt;code&gt;X-aws-proxy-auth&lt;/code&gt; header. If the instance is suspended and &lt;code&gt;autoResume&lt;/code&gt; is on, the request itself wakes it. Add a routine to terminate orphan MicroVMs and you have the skeleton. The backbone code is in the next post in the series. And do not confuse this with Step Functions: MicroVM is the execution environment, Step Functions is an orchestrator, different layers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Cost, limits, and what is still missing
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Cost is a decision, not a detail.&lt;/strong&gt; Werner Vogels keeps hammering in the &lt;strong&gt;Frugal Architect&lt;/strong&gt; that cost is an architecture requirement, not a number you discover on the bill. The suspend is exactly that in practice: you pay a lot for VM-level isolation, but only while the user is active. When they leave, the MicroVM suspends and the cost drops, with no loss of state. Designing your &lt;code&gt;idle-policy&lt;/code&gt; on purpose is a cost decision. The model, from the official table: you pay &lt;strong&gt;per second of compute while it runs&lt;/strong&gt;, and only &lt;strong&gt;snapshot storage while it is suspended&lt;/strong&gt;. Unit prices are on the &lt;a href="https://aws.amazon.com/lambda/pricing/" rel="noopener noreferrer"&gt;Lambda pricing page&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Limits:&lt;/strong&gt; ARM64, up to 16 vCPUs, 32 GB of memory, and 32 GB of disk per MicroVM, and up to 8 hours of total runtime. Provisioning is flexible: you set a baseline and burst up to 4x at peak, paying the baseline while it runs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IaC:&lt;/strong&gt; you can use the console, CloudFormation, and CDK.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why Dockerfile + zip, and not a prebuilt ECR image?&lt;/strong&gt; Aidan Steele dug into it: Lambda builds two copies of the image, one for Graviton 3 and one for Graviton 4, so it needs the source to recompile. The base comes from ECR Public, but pushing your own prebuilt image from a private ECR as the artifact is not the path. One thing that confuses people coming from containers: ECR does not leave your life. You do not &lt;strong&gt;deliver&lt;/strong&gt; the MicroVM image via ECR, but &lt;strong&gt;inside&lt;/strong&gt; the running MicroVM you can run Docker and &lt;code&gt;docker pull&lt;/code&gt; your private ECR images at runtime. ECR is for consumption inside, not for delivering the image itself.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Networking and region:&lt;/strong&gt; inbound traffic on configurable ports (HTTP/2, gRPC, WebSockets), service-provided JWE auth, outbound to the internet or your VPC. And it is available so far only in US East (N. Virginia, Ohio), US West (Oregon), Europe (Ireland), and Asia Pacific (Tokyo).&lt;/p&gt;

&lt;h2&gt;
  
  
  When NOT to use it
&lt;/h2&gt;

&lt;p&gt;If the workload is short request-response with no state, it stays a Lambda Function. A MicroVM there is a cannon for a mosquito. And if you just need &lt;strong&gt;more than 15 minutes with your own (trusted) code&lt;/strong&gt;, a MicroVM is also overkill: for a long job, look at Fargate; for a multi-step workflow, Lambda Durable Functions (up to a year, as the table shows). MicroVMs are for when the differentiator is &lt;strong&gt;isolating untrusted code&lt;/strong&gt;, not just going past 15 minutes.&lt;/p&gt;

&lt;p&gt;There is also a gotcha AWS itself flags, and it rhymes with the determinism conversation: since the MicroVM boots from a pre-initialized snapshot (the equivalent of Lambda SnapStart, as Aidan Steele confirmed by testing), apps that generate unique content, open connections, or load ephemeral data at init may diverge. The snapshot froze a moment; whatever needs to be fresh per session cannot be frozen along with it. The fix has a name: &lt;strong&gt;lifecycle hooks&lt;/strong&gt; to re-initialize randomness when each MicroVM is created. Map that out before assuming it just works.&lt;/p&gt;

&lt;h2&gt;
  
  
  Does it kill the container?
&lt;/h2&gt;

&lt;p&gt;No, and the reason is even better.&lt;/p&gt;

&lt;p&gt;The hype of the week is "containers are obsolete." They are not. Quite the opposite: Aidan Steele tested it and &lt;strong&gt;you can run Docker inside a MicroVM&lt;/strong&gt;, with OS capabilities enabled. So the MicroVM does not kill the container, it is more isolated and still runs containers inside. The honest cut is different: there is one specific spot, running untrusted code in isolation, where you will no longer want to harden a container by hand. There the MicroVM wins. Everywhere else, the container is still king.&lt;/p&gt;

&lt;h2&gt;
  
  
  The details the docs leave out
&lt;/h2&gt;

&lt;p&gt;Aidan Steele spent launch day poking at the service and found some really interesting things that are not in the official docs.&lt;br&gt;
I read it and figured it was worth bringing here:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;You can get a shell into the MicroVM&lt;/strong&gt;, via the &lt;code&gt;CreateMicrovmShellAuthToken&lt;/code&gt; API, with pty as a first-class citizen (Lambda Functions do not have it). Gold for IDE and coding-agent use cases.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Outbound UDP is blocked by default&lt;/strong&gt; and DNS is a local stub, so DNS inside a container falls back to 8.8.8.8 and fails. The fix is to run with Lambda's DNS: &lt;code&gt;docker run --dns 169.254.169.253&lt;/code&gt;, or go via VPC.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Lambda network connectors:&lt;/strong&gt; a reified VPC config (subnets, security groups, an IAM role for the ENI) with its own lifecycle. The network team creates it, the developer just consumes it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Performance&lt;/strong&gt; (his tests): image build 2-3 min; &lt;code&gt;RunMicrovm&lt;/code&gt; to RUNNING about 2s, plus 2s to serve; suspend and resume about 1s each.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What you take away
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Lambda MicroVMs fills a real gap: VM-level isolation &lt;strong&gt;with&lt;/strong&gt; near-instant launch &lt;strong&gt;and&lt;/strong&gt; per-session state, which no single service delivered together.&lt;/li&gt;
&lt;li&gt;It does not replace the Lambda Function, it complements it. Function in the backbone, MicroVM for the untrusted code.&lt;/li&gt;
&lt;li&gt;The idle suspend is a deliberate cost lever, design your &lt;code&gt;idle-policy&lt;/code&gt; on purpose.&lt;/li&gt;
&lt;li&gt;Before locking in architecture: check the region (no São Paulo yet), the limits (ARM64, 16 vCPU, 32 GB, 8h), and the snapshot caveat.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This post was the map. In the next one in the series I actually spin up a MicroVM and we prove the isolation in practice, launching two MicroVMs and testing whether one can reach the other, with the repo on GitHub for you to run along.&lt;/p&gt;

&lt;p&gt;Got a case where you run user or AI code that today is duct-taped onto a container or a hand-rolled VM? Does this primitive fit? Drop a like, share it with whoever is building a multi-tenant platform, and let's talk. Cheers! =D&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://willpeixoto.dev" rel="noopener noreferrer"&gt;willpeixoto.dev&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>serverless</category>
      <category>lambda</category>
      <category>firecracker</category>
    </item>
    <item>
      <title>High Availability Has a Price: Resilience Is a Decision, Not a Stack</title>
      <dc:creator>will peixoto</dc:creator>
      <pubDate>Thu, 23 Oct 2025 16:26:18 +0000</pubDate>
      <link>https://dev.to/aws-builders/the-price-of-high-availability-resilience-in-architecture-decisions-are-strategic-not-just-4hhf</link>
      <guid>https://dev.to/aws-builders/the-price-of-high-availability-resilience-in-architecture-decisions-are-strategic-not-just-4hhf</guid>
      <description>&lt;p&gt;&lt;strong&gt;The cost of high availability: resilience starts with strategic decisions, not technology.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://willpeixoto.hashnode.dev/resiliencia-custo-ha-multi-regiao-ou-on-premise" rel="noopener noreferrer"&gt;🇧🇷 Read in Portuguese&lt;/a&gt; →&lt;/p&gt;

&lt;p&gt;After a major outage like the October 2025 event in AWS's us-east-1 region, the smoke clears and the same questions that haunt CTOs and architects always resurface:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Should we be multi-region?" Or worse (and a little nostalgic): "Should we go back to on-premises?"&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;The truth is that the right answer is rarely technical.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It's strategic, first and foremost.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;As Werner Vogels (Amazon CTO) likes to put it in his talks:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Everything fails, all the time."&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;And that's exactly it. The central question isn't &lt;strong&gt;whether&lt;/strong&gt; it will fail, it's &lt;strong&gt;when&lt;/strong&gt; it will fail and &lt;strong&gt;how&lt;/strong&gt; prepared you'll be when that inevitable moment arrives. Because it will arrive. Whether you're in the cloud, on-premises, or running a complex multi-cloud setup.&lt;/p&gt;

&lt;p&gt;What really separates resilient teams isn't the absence of failure. It's the &lt;strong&gt;speed, clarity, and effectiveness&lt;/strong&gt; with which they respond and recover.&lt;/p&gt;

&lt;p&gt;And that's where real architectural maturity lives: resilience isn't about choosing "multi-region" or "on-premises." It's about &lt;strong&gt;understanding the inherent risk, documenting the choice transparently, and reacting with a plan&lt;/strong&gt;.&lt;/p&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;1. The Context Behind the Question: The Paradox of Visible Failure&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Every time there's a big outage, I notice technical teams and executives splitting into two extreme reactions, both driven by fear and pressure:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;"We need to go multi-region, now! Cost is secondary!"&lt;/li&gt;
&lt;li&gt;"See? The cloud isn't reliable. We should have stayed on-premises, where we had control!"&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Both extremes are dangerous shortcuts.&lt;/p&gt;

&lt;p&gt;Multi-region is not a vaccine against downtime, and going back to on-premises is not a synonym for control; it just moves the maintenance complexity onto you.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;A Crucial Point of Reflection:&lt;/strong&gt; The cloud doesn't fail more than a traditional data center, it just fails in a way that is more &lt;strong&gt;visible, shared, and, ironically, democratic&lt;/strong&gt;. On AWS, problems scale globally and become trending topics in minutes. On-premises, they hide behind scattered logs, long repair times, and, often, they only hit you. &lt;strong&gt;Honestly: do you believe your company has a greater capacity than AWS (or any major cloud provider) to manage physical security, cabling, power, cooling, and, above all, the resilience of infrastructure at global scale?&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Migrating or evolving an architecture, at its core, is not about "throwing everything away" or "buying the hype." It's about &lt;strong&gt;keeping what's good in the legacy and removing what limits growth&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;This isn't a black-and-white fight of "Cloud vs. Data Center." It's a strategic game of &lt;strong&gt;Conscious Resilience vs. Comfort Zone&lt;/strong&gt;.&lt;/p&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;2. Cost vs. Continuity: The Economics Behind the 9s&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;In the world of infrastructure, each additional "9" in your SLA (Service Level Agreement) doesn't just cost more. It costs &lt;strong&gt;exponentially&lt;/strong&gt; more.&lt;/p&gt;

&lt;p&gt;To illustrate the real impact of each availability tier, here's the maximum allowed downtime per year:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;99% (two 9s):&lt;/strong&gt; about &lt;strong&gt;3.65 days&lt;/strong&gt; of downtime per year. &lt;em&gt;Cost and complexity:&lt;/em&gt; baseline (1x).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;99.9% (three 9s):&lt;/strong&gt; about &lt;strong&gt;8 hours and 46 minutes&lt;/strong&gt; of downtime per year. &lt;em&gt;Cost and complexity:&lt;/em&gt; 1.5x to 2x the baseline.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;99.99% (four 9s):&lt;/strong&gt; about &lt;strong&gt;52 minutes&lt;/strong&gt; of downtime per year. &lt;em&gt;Cost and complexity:&lt;/em&gt; 2x to 3x. Requires Multi-AZ and strong automation.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;99.999% (five 9s):&lt;/strong&gt; about &lt;strong&gt;5 minutes&lt;/strong&gt; of downtime per year. &lt;em&gt;Cost and complexity:&lt;/em&gt; 3x and up. Requires flawless automation and, often, a Multi-Region architecture.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each tier jump means more than doubling or tripling infrastructure; it also demands &lt;strong&gt;operational review and sophistication&lt;/strong&gt;. And here's the catch: every additional &lt;strong&gt;9&lt;/strong&gt; has to be justified by &lt;strong&gt;ROI (Return on Investment)&lt;/strong&gt;, never by technical pride.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;📢 &lt;strong&gt;The Non-Negotiable Factor: Regulation.&lt;/strong&gt; For sectors like finance, healthcare, or telecom, the SLA choice isn't always purely economic. Often, the availability requirement (and the data recovery capability, the RPO) is &lt;strong&gt;imposed by law or industry rules&lt;/strong&gt;. In those cases, the debate isn't &lt;em&gt;whether&lt;/em&gt; you can afford it, but &lt;em&gt;how&lt;/em&gt; to hit the legally mandated SLA at the lowest possible cost and complexity, because the cost of a regulatory fine outweighs any technical saving.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Rule of Thumb for Complexity:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;High availability (within a single region):&lt;/strong&gt; can cost 1.5x to 2x the baseline.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Multi-Region (Active/Passive):&lt;/strong&gt; can cost 2.5x to 3x.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Multi-Cloud (Active/Active):&lt;/strong&gt; almost never reduces risk. On the contrary, it usually increases the &lt;strong&gt;failure surface&lt;/strong&gt; and operational complexity.&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;3. Conscious Decisions: The Virtue of ADRs&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Every architectural choice is a commitment based on a &lt;strong&gt;context&lt;/strong&gt;, and that context is volatile. Without a record, the context is lost, which condemns us to redo decisions, revisit old discussions, and rack up unnecessary cost.&lt;/p&gt;

&lt;p&gt;That's where the practice of &lt;strong&gt;ADRs (Architecture Decision Records)&lt;/strong&gt; becomes crucial. These aren't 50-page documents. They're short records that capture the &lt;strong&gt;decision&lt;/strong&gt;, the &lt;strong&gt;reason&lt;/strong&gt;, and the &lt;strong&gt;accepted risk&lt;/strong&gt; at a specific point in time.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;Example ADR (focused on the accepted risk):&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight markdown"&gt;&lt;code&gt;&lt;span class="gh"&gt;# ADR-014: Do not use multi-region replication in the MVP&lt;/span&gt;

Context:
&lt;span class="p"&gt;-&lt;/span&gt; Current traffic &amp;lt; 10 req/s.
&lt;span class="p"&gt;-&lt;/span&gt; Multi-region replication cost is estimated at &amp;gt; 3x current cost.

Decision:
Keep a single-region architecture (using Multi-AZ for intra-region HA),
with a daily cross-region backup.

Review Trigger:
After reaching an average of 100 req/s, or when the current SLA (99.95%)
starts causing business impact.

Accepted Risk / Consequence:
Risk of total service downtime if an outage affects the entire region
(estimated RTO of 4 hours for cross-region recovery).
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;An ADR doesn't prevent failure. But it prevents failure from catching the team by surprise, because the risk was mapped, accepted, and justified by the business. It's the map for future discussions.&lt;/p&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;4. Selective Resilience: Not Everything Needs HA (and That's Fine)&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Selective resilience is a &lt;strong&gt;virtue of economy and clarity&lt;/strong&gt;. Not every service needs global redundancy. Spending finite resources (money and engineering attention) on unnecessary redundancy is one of the biggest forms of waste in architecture.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Prioritize High Availability (HA) only for what truly matters:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Direct revenue functions:&lt;/strong&gt; components critical to the financial transaction (e.g., &lt;strong&gt;checkout&lt;/strong&gt; and &lt;strong&gt;payment APIs&lt;/strong&gt;).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The critical customer journey:&lt;/strong&gt; functions that block the core value of the product (e.g., &lt;strong&gt;login&lt;/strong&gt; or the &lt;strong&gt;main catalog&lt;/strong&gt;).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Regulatory and legal risk:&lt;/strong&gt; services where failure triggers &lt;strong&gt;legal fines&lt;/strong&gt; or breaches a &lt;strong&gt;penalizing contractual SLA&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Integrity of critical data:&lt;/strong&gt; where data loss violates an acceptable &lt;strong&gt;RPO&lt;/strong&gt; (e.g., mandatory data retention systems).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Everything else? It can be restored through a well-defined recovery playbook. Batch jobs, internal back-office systems, and dashboards can tolerate minutes (or even hours) of downtime, as long as the reprocessing plan is clear.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;High availability with no purpose is like installing an airbag on a bicycle.&lt;/strong&gt; It's a sophisticated solution to a problem that doesn't exist in that context.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;5. Managed != Failure-Proof: The Serverless Mindset&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;A common mistake is believing that using serverless services (Lambda, DynamoDB, SQS, EventBridge) is a synonym for immunity to failure. It isn't.&lt;/p&gt;

&lt;p&gt;Failure will come, and often from where you least expect it, because the serverless paradigm shifts the &lt;strong&gt;risk surface&lt;/strong&gt;, it doesn't remove it.&lt;/p&gt;

&lt;p&gt;The key point is this:&lt;/p&gt;

&lt;p&gt;Managed services reduce your &lt;strong&gt;operational surface&lt;/strong&gt; (you don't manage the OS, patching, or capacity), but they &lt;strong&gt;don't replace good design and preparation&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;During the October 2025 us-east-1 outage, plenty of 100% serverless applications went down. Not because serverless failed them, but because they leaned on a single region. When DNS resolution for the regional DynamoDB endpoint broke, anything pinned to us-east-1 (directly, or indirectly through a global control plane like IAM or STS) broke with it. Multi-AZ wouldn't have saved you here: the endpoint was regional, not zonal. And the applications that recovered slowest were frequently the ones whose code answered the failure with aggressive, unbounded retries, turning one outage into a self-inflicted retry storm.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Real resilience doesn't come from AWS. It comes from the architecture you design &lt;em&gt;on top&lt;/em&gt; of it.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;6. The Decision Belongs to the Business, the Clarity to the Architect&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;The difference between "having an opinion" and "having influence" lies in your ability to translate technical complexity into &lt;strong&gt;strategic clarity&lt;/strong&gt;. Your job isn't to scare the board with jargon. It's to give them the visibility they need to decide consciously.&lt;/p&gt;

&lt;p&gt;Experience has taught me that a team's maturity can be measured precisely by its ability to ask the right question:&lt;/p&gt;

&lt;p&gt;❓ Where Is Your Team's Maturity?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Immature teams focus on the tool:&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;They ask: &lt;strong&gt;"Which stack solves this?"&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;They ask: &lt;strong&gt;"Should we use K8s or Serverless?"&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;They ask: &lt;strong&gt;"What does Netflix do?"&lt;/strong&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Mature teams focus on risk and the business:&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;They ask: &lt;strong&gt;"What risk are we willing to accept for this cost?"&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;They ask: &lt;strong&gt;"What RTO/RPO does the end customer require from this service?"&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;They ask: &lt;strong&gt;"What does our business need to survive a disaster?"&lt;/strong&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The result is that two teams can use the exact same &lt;strong&gt;cloud&lt;/strong&gt;: one scales predictably, the other lives in panic mode. The difference isn't the cloud. It's the level of understanding, documentation, and technical humility behind the decisions made.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;The Common Trap:&lt;/strong&gt; Who hasn't heard an executive say, "Technical decisions are up to the Architecture team"? What they're actually doing is transferring responsibility for defining &lt;strong&gt;business risk&lt;/strong&gt;. Your team defines the &lt;strong&gt;HOW&lt;/strong&gt; (the stack), but the Business defines the &lt;strong&gt;HOW MUCH&lt;/strong&gt; (the acceptable RTO and RPO). It's your job to &lt;strong&gt;hand the question back&lt;/strong&gt;, so the risk decision belongs to the business.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Translating Resilience Concepts for Leadership:&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;(After all, who hasn't heard: &lt;em&gt;"Now translate that so I can understand it!"&lt;/em&gt;)&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;1. Multi-Region Failover

   Translation: Insurance against catastrophe. It guarantees that a
                regional disaster won't take us offline for days,
                reducing revenue loss to a few hours.

   Question:    How many hours (or minutes) of downtime can the
                business accept for service X if an entire region goes down?
------------------------------------------------------------------
2. Active-Active Setup

   Translation: Maximum, uninterrupted availability. It lets us perform
                any maintenance or update without ever impacting the
                end customer.

   Question:    Does service X need to be 100% continuous? Can we afford
                a 15-minute maintenance window?
------------------------------------------------------------------
3. RTO / RPO

   Translation: Defining the limit of the damage. These are the numbers
                that tell us what we can lose, and for how long, before
                fines or reputation become unsustainable.

   Question:    How much data (RPO) can we lose, and how long (RTO) does
                the team have to restore the service before the business breaks?
------------------------------------------------------------------
4. SPOF (Single Point of Failure)

   Translation: The Achilles' heel of revenue. It's the weak point that,
                if broken, paralyzes the whole company. This is where the
                risk must be zero.

   Question:    If this component goes down, what's the financial loss
                in 1 hour?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h3&gt;
  
  
  &lt;strong&gt;7. Conclusion&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;There is no such thing as a &lt;strong&gt;failure-proof&lt;/strong&gt; architecture.&lt;/p&gt;

&lt;p&gt;But there is such a thing as an &lt;strong&gt;organization that is surprise-proof&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;And it starts with conscious decisions, documentation (the ADRs), and the technical humility to accept that error and risk are part of the equation.&lt;/p&gt;

&lt;p&gt;Teams that understand the &lt;strong&gt;"why"&lt;/strong&gt; before diving into the &lt;strong&gt;"how"&lt;/strong&gt; build systems that don't just scale. They &lt;strong&gt;survive&lt;/strong&gt;, and grow predictably.&lt;/p&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;8. Essential References&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;For anyone who wants to go deeper on risk decisions and architectural patterns, these are the documents we use as a foundation for resilience on any cloud (with a focus on AWS):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;AWS Well-Architected Framework (Reliability Pillar):&lt;/strong&gt; the fundamental guide to understanding disaster recovery (DR) and high availability (HA) principles. &lt;a href="https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/reliability.html" rel="noopener noreferrer"&gt;Reliability Pillar&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Disaster Recovery of Workloads on AWS:&lt;/strong&gt; the key document for going deeper on RTO/RPO and choosing between patterns like Pilot Light and Active-Active. &lt;a href="https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/introduction.html" rel="noopener noreferrer"&gt;DR Whitepaper&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DynamoDB Global Tables:&lt;/strong&gt; an excellent practical case study of HA at the data layer, abstracting away multi-region complexity. &lt;a href="https://aws.amazon.com/dynamodb/global-tables/" rel="noopener noreferrer"&gt;DynamoDB Global Tables&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EventBridge Resilience Guide:&lt;/strong&gt; essential for anyone working with serverless, focused on event-based resilience patterns. &lt;a href="https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-resilience.html" rel="noopener noreferrer"&gt;EventBridge Resilience Guide&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AWS Post-Event Summary: Amazon DynamoDB Service Disruption in US-EAST-1 (Oct 19-20, 2025):&lt;/strong&gt; the primary source on the outage referenced in this article, straight from AWS. &lt;a href="https://aws.amazon.com/message/101925" rel="noopener noreferrer"&gt;Service Disruption Summary&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;9. Essential Resilience Glossary&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;So everyone is on the same page, here are some key terms used in this article, explained simply:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;High Availability (HA):&lt;/strong&gt; the ability of a system to keep operating even when one or more of its components fail. Measured in "9s" (e.g., 99.99%).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Outage:&lt;/strong&gt; an unplanned interruption of a service: the service goes down.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;On-premises:&lt;/strong&gt; infrastructure and data centers you own, physically located at the company (not in the cloud).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Multi-Region:&lt;/strong&gt; using data centers in two or more different geographic cloud regions (e.g., US East and São Paulo) for maximum protection against regional disasters.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Multi-AZ (Multi-Availability Zone):&lt;/strong&gt; using two or more Availability Zones (isolated, nearby data centers) &lt;strong&gt;within&lt;/strong&gt; the same cloud region. This is the baseline HA pattern.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SLA (Service Level Agreement):&lt;/strong&gt; a formal agreement defining the level of service a provider is expected to deliver (usually measured in uptime).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ROI (Return on Investment):&lt;/strong&gt; a financial metric measuring the relationship between money earned (or saved) and money invested.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ADR (Architecture Decision Record):&lt;/strong&gt; a short document recording an architectural decision, the reasoning, and the accepted risk at a specific point in time.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;RTO (Recovery Time Objective):&lt;/strong&gt; the maximum acceptable &lt;strong&gt;time&lt;/strong&gt; a system can be down after a failure.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;RPO (Recovery Point Objective):&lt;/strong&gt; the amount of &lt;strong&gt;data&lt;/strong&gt; (measured in time, e.g., 5 minutes) that can be lost during a disaster event.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Serverless:&lt;/strong&gt; a cloud computing model where the provider manages all the infrastructure and the developer focuses only on the code, paying only for usage.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Circuit Breaker:&lt;/strong&gt; a software pattern that, when a dependency starts failing repeatedly, "opens" the circuit to protect the rest of the application from cascading failures.&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;Want to go deeper on resilience, orchestration, and the architect's strategic role in the serverless era?&lt;/p&gt;

&lt;p&gt;I write about this kind of thing regularly. If this resonated, I'd like to hear it: how did your architecture hold up during the last regional outage, and, more importantly, which trade-offs had you already written down &lt;em&gt;before&lt;/em&gt; it happened? Find me on LinkedIn and let's compare notes.&lt;/p&gt;

&lt;p&gt;I'll be at &lt;strong&gt;&lt;a href="https://sdsp.io/" rel="noopener noreferrer"&gt;ServerlessDays São Paulo&lt;/a&gt;&lt;/strong&gt; on &lt;strong&gt;November 8th&lt;/strong&gt;, at &lt;strong&gt;Cubo Itaú&lt;/strong&gt;, discussing how to go beyond the stack and build systems that not only function — &lt;strong&gt;but thrive in chaos.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Come join the conversation! 🚀&lt;/p&gt;

</description>
      <category>aws</category>
      <category>serverless</category>
      <category>architecture</category>
      <category>devops</category>
    </item>
  </channel>
</rss>
