AWS Lambda MicroVMs: serverless sandboxes for AI and untrusted code

AWS just shipped one of the more interesting Lambda launches in years: AWS Lambda MicroVMs. It is not “Lambda functions, but bigger.” It is a new serverless compute primitive aimed at a problem that has become very real with AI agents: how do you safely run code that your application did not write?

If you are building an AI coding assistant, a browser-based IDE, a data notebook platform, a vulnerability scanner, a multi-tenant CI runner, or any product that executes user-supplied scripts, you usually have to pick two out of three: strong isolation, fast startup, and stateful sessions. Traditional VMs give you isolation but can be slow and operationally heavy. Containers are fast, but shared-kernel isolation is a risk when the workload is untrusted. Functions are great for request-response workloads, but they are not designed for long-lived interactive environments that need to preserve state across user actions.

Lambda MicroVMs is AWS trying to close that gap.

What changed

According to the AWS announcement, Lambda MicroVMs provides VM-level isolation, near-instant launch and resume, and state preservation for user-generated or AI-generated code. The service is built on Firecracker, the same lightweight virtualization technology behind AWS Lambda functions. AWS says Firecracker powers more than 15 trillion monthly Lambda function invocations, which matters because this is not an experimental isolation model bolted onto Lambda; it is based on a virtualization layer AWS already runs at massive scale.

The AWS News Blog launch post frames the service around a new class of multi-tenant applications: AI coding assistants, interactive coding environments, analytics platforms, vulnerability scanners, and game servers that run user-supplied scripts. These systems need one isolated environment per user, job, or session. Lambda MicroVMs gives each session a dedicated MicroVM with no shared kernel and no shared resources between sessions.

That last point is the key architectural difference. This is not just a container with stricter defaults. The isolation boundary is a virtual machine boundary.

How the model works

The developer flow is different from regular Lambda functions. The Lambda MicroVMs developer guide describes the lifecycle like this:

1. Package your application code and a Dockerfile into a zip file and upload it to S3.
2. Call the Lambda API to create a MicroVM image.
3. Lambda builds the image, starts the application, and captures a snapshot of the initialized environment.
4. When your app needs a sandbox, call run-microvm.
5. Lambda launches a MicroVM from the snapshot and creates a dedicated HTTPS endpoint.
6. When idle, the MicroVM can suspend while preserving memory and disk state.
7. When traffic returns, it resumes.
8. When the session ends, you terminate it.

That snapshot-based startup is what makes the service interesting. Instead of booting from scratch every time, a new MicroVM starts from a pre-initialized image. For interactive workloads, that means the environment can feel ready quickly while still keeping an isolation model closer to VMs than containers.

A concrete CLI example

The running MicroVMs documentation shows a run-microvm command like this:

aws lambda-microvms run-microvm \
  --image-identifier arn:aws:lambda:us-east-1:123456789012:microvm-image:my-microvm-image \
  --ingress-network-connectors "arn:aws:lambda:us-east-1:aws:network-connector:aws-network-connector:ALL_INGRESS" \
  --egress-network-connectors "arn:aws:lambda:us-east-1:aws:network-connector:aws-network-connector:INTERNET_EGRESS" \
  --idle-policy '{"autoResumeEnabled":true,"maxIdleDurationSeconds":900,"suspendedDurationSeconds":1800}' \
  --maximum-duration-in-seconds 14400

The only required parameter is the image identifier. The rest control networking, execution role, idle policy, logging, runtime payload, and maximum duration. The maximum time a MicroVM can remain running or suspended is 28,800 seconds, or 8 hours.

There is also an important networking detail: each MicroVM has its own dedicated endpoint. There is no load balancing across many MicroVMs behind a single endpoint. The endpoint maps to one MicroVM, which fits the “one sandbox per user/session/job” model.

Why this matters for AI agents

AI agents changed the risk profile of application infrastructure. It is now normal to have software generating code, executing shell commands, installing packages, reading files, transforming data, or running tests. If you let that happen inside a generic shared container pool, you inherit a security problem.

Lambda MicroVMs is useful because it gives product teams a managed primitive for isolated execution without asking them to become virtualization experts. A SaaS company building an AI data analyst could create one MicroVM per user session, preload dependencies, expose a notebook-like endpoint, suspend it after 15 minutes of inactivity, and resume it when the user returns. A security product could run each scan in a clean VM-level boundary. A CI platform could isolate tenant jobs without maintaining its own fleet of Firecracker hosts.

This does not remove application-level security work. You still need IAM boundaries, careful network egress rules, secret handling, logging, quota controls, and abuse protection. But it moves the hardest part of the compute isolation problem into a managed AWS service.

Limits and tradeoffs to watch

The launch is promising, but it is not a drop-in replacement for every compute pattern.

First, the service is region-limited at launch. AWS lists availability in US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Tokyo), and Europe (Ireland) in the announcement.

Second, the lifecycle is session-oriented. If you need a continuously running service, ECS, EKS, EC2, or Lambda Managed Instances may still be a better fit. Lambda MicroVMs shines when you need isolated, stateful, per-user or per-job environments.

Third, pricing requires a different mental model from Lambda functions. The Lambda pricing page says Lambda MicroVMs are priced by compute resources used, snapshot read/write operations, snapshot storage, and standard data transfer. The announcement also notes that you pay for baseline compute resources while the MicroVM is running, and only for active duration of additional resources when the workload exceeds that baseline. In other words: idle suspension is not a minor feature; it is central to making the economics work.

My take

This launch shows where serverless is heading. The original Lambda abstraction was “run this function when an event arrives.” Lambda MicroVMs expands the idea to “give me a secure, stateful, short-lived compute environment for this user or agent.” That is a very different primitive.

For AI-native applications, this is likely to become one of the more important AWS building blocks to evaluate. The winners will be teams that treat Lambda MicroVMs as a sandbox lifecycle service, not as a generic container platform. Model your sessions clearly, minimize what goes into the image, make idle policy explicit, constrain networking, and terminate aggressively when work is done.

The direction is clear: AWS is turning the infrastructure needed for AI agents into managed primitives. Bedrock gives you models and agent tooling. Lambda MicroVMs gives you safer places to execute the messy code those agents produce.

Sources

• AWS introduces Lambda MicroVMs for isolated execution of user and AI-generated code
• Run isolated sandboxes with full lifecycle control: AWS Lambda introduces MicroVMs
• AWS Lambda MicroVMs developer guide
• Running and using MicroVMs
• AWS Lambda pricing