My Favorites from Re:Invent 2025

In the month since Re:Invent, I’ve put together my own greatest hits list of all the Pre:Invent and Re:Invent announcements. I missed Re:Invent in person, but sessions and announcements were put online almost-live. Sincerely, thank you AWS online events team that put together the live streams. Chalk Talks aren’t streamed, and were what I missed most.

My Top 5

1. The AWS CLI gets a revamp of SSO integration with the aws login command. It obsoletes most of aws-sso-util and awsume by bringing session-aware keys into the main CLI.

2. DynamoDB gets a drastic change: instead of manually making sort keys like ID#123#ORDER#ABC DynamoDB can create composite keys for you. This is only for GSI’s and requires that you use the same source attributes for the multipart key, which isn’t ideal for single-table design. See AWS’ docs for full details.

3. AWS Lambda durable functions creates Step Function-like features in regular Lambdas. Functions can pause for up to 1 year and wait for external services, and use custom retry policies. The announcement is very AI-focused, but this is pretty universally useful. Only JS/TS and Python are supported so far, but this is extremely nice. The main objection I hear to Step Functions is learning Amazon States Language (ASL), and using existing decorator syntax to bring those features to Lambda squashes that.

4. S3 adds conditionals to S3 CopyObject allowing the if-none-match and if-match conditionals to avoid overwriting objects you don’t expect to be there. This comes after 2024’s conditional write support that allowed atomic compare-and-swap (CAS) operations and spackle-punched client-side locking code.

5. CodeCommit got saved! In July, AWS announced CodeCommit would be deprecated and would not accept new customers. AWS rolled this back and will be supporting CodeCommit for the forseeable future. Every service doesn’t need to be supported in perpetuity, but code hosting is table stakes if AWS wants to build other developer tooling (CodePipeline, CodeBuild, etc).

Serverless Updates

Incremental serverless changes, update your priors accordingly:

• TypeScript SDK for Strands Agents (preview) there was already a Python version.
• Kinesis On-Demand Advantage pre-warming for “serverless” Kinesis streams
• AWS Lambda’s SQS event source adds Provisioned Mode the amount you’d be spending to use SQS this way is baffling. This will process SQS messages from up to 20,000 concurrent Lambda’s with lower latency than the default SQS polling configuration.
• AWS Lambda’s Kafka event source adds Provisioned Mode same as above, but for Kafka.
• AWS Lambda networking with IPv6 lets you ditch the NAT Gateway and save the processing charge.
• API Gateway now supports response streaming allowing you to break 2 API Gateway limits: 10MB response size, and 29 second timeout. Now you can serve live responses for up to 15 minutes (the max Lambda runtime). Previously you had to use Lambda Function URLs or direct SDK invokes for streaming, or return S3 URLs for requests over 6MB (the Lambda limit). For Function URLs and API Gateway you are limited to 2MB/s after the first 6MB or 10MB respectively. For chatbot streaming responses this isn’t a huge deal, but image resizers and other bulk ops will feel this limit.
• AWS Lambda increases maximum payload for async invocation from 256kb to 1MB
• Kinesis Data Streams increases max record size from 1MiB to 10MiB too bad you already architected around the 1MiB limit. As a fun rake to step on later, AWS raised the Lambda payload limit from Kinesis to 6MiB. Enjoy that!
• S3 increases max object size to 50TB upgrade your objects from “big” at 5TB to “absolute unit” at 50TB.

Compute Capacity & Management

Capacity and compute management is changing A LOT. Managed instances for ECS and Lambda, tenant-isolated routing for Lambda, and improved pre-warming are the big themes. Reading between the lines, I didn’t see much new for Fargate and that may mean its features are rolling into EC2-Managed instances as the ECS/EKS offerings grow serverless-er. There’s the new EC2 Capacity Manager for admins to keep an eye on reservations, spot instances, and overall usage. Previously you needed Cost Explorer, the billing console, Excel, and an iron will. I’m not trauma-dumping, you’re trauma-dumping.

• AWS Lambda adds tenant-isolated execution. Along the same lines as SQS Fair Queueing, but for compute. I haven’t tested this but the cold start penalty here must be nasty. For this to work well, you’d need to be at a very specific balance of volume per tenant, security concerns, and number of tenants. Lambda would only be able to re-use warm environments for the same tenant.
• EC2-Managed ECS instances takes away the headache of ECS with special instance types. This automatically picks the appropriate instance type and size based on the mix of pending tasks, and lets you get the full RI discount as if you were managing the fleet yourself. This was announced in October and has since added scale-in protections.
• AWS Lambda Managed Instances is a radical change to “serverlessness” and combined with Lambda’s container image support this is what makes me wonder about Fargate’s future. You could use this to avoid cold starts for less cost than provisioned concurrency.
• EC2 announces interruptible Capacity Reservations remember the resale market for reserved instances? This lets other org members borrow unused capacity reservations while still letting you override them later.
• Database Savings Plans for RDS, DynamoDB, Elasticache, and more continue Amazon’s move away from Reserved Instances to per-hour spend commitments.
• ECS Express Mode feels like what Elastic Beanstalk would be if it were re-built today (in a good way). One-step deployment for containerized apps, with room to eject to regular ECS.
• Auto Scaling mixed instance policies + warm pools let you mix-and-match even more instance types and prepare for scaling events.

Network & CDN’s

• Flat Rate CloudFront adds new monthly $0, $15, $200, and $1000 tiers that include different WAF, bandwidth, and request limits with no overages. Instead of charging, the performance will degrade after you go over the plan’s caps. This is related to last year’s free WAF blocking and S3 making HTTP 403’s free after a very public denial-of-wallet attack.
• CloudFront announces mTLS authentication allowing CloudFront to validate client certs. For Crunchyroll, this means we can secure the Cloudflare-to-CloudFront hop in a simpler way.
• Region-Wide single NAT Gateway IPs and given their cost, this is how they always should have worked. One route table entry, one egress IP address, no more accidental cross-az bandwidth on top of the NAT Gateway processing charge.
• Route53 DNS Firewall adds protection against dictionary-based enumeration attacks to make infrastructure discovery and lateral movement harder for attackers.
• Route53 Global Resolver enters preview and forces AWS to rename Route53 Resolver to Route53 VPC Resolver. In an increasingly zero-trust world this makes sense and simplifies client DNS configs. DNS-over-HTTP with token auth allows you to keep infrastructure private for roaming devices.
• VPC Lattice now supports custom domain names
• Streamline in-place application upgrades with Amazon VPC Lattice shows the upgrade process for an EKS service with and without Lattice.

All About DSQL

I’m a big DSQL fan, and have used it for workloads roughly equal to blowing out birthday candles with a leafblower. There were a ton of capacity and quality-of-life announcements for DSQL. I don’t think my quality of life was impacted by the 90-120 second database creation times, but bringing that under 10 seconds is cool.

• Aurora DSQL launches Python, NodeJS, and JDBC connectors with builtin IAM authentication. Previously you had to roll your own psycopg driver to refresh the DB token, this is nice.
• I was roughly right about the dimensions in my DSQL pricing estimates post last year. Aurora DSQL provides statement-level cost estimates in query plans because the billing model for DSQL is so complex, you can now EXPLAIN ANALYZE VERBOSE and get the predicted DPU (Distributed Processing Unit) usage for each statement.
• I’d love to meet the customer that wanted this: Aurora DSQL increases max volume size to 256 TiB from 128 TiB
• Aurora DSQL speeds up cluster creation it was already faster than making any RDS instance type, but now it’s as fast as creating a DynamoDB table. I wonder if I can use the table name field as a database……
• Aurora DSQL now supports resource-based policies including Block Public Access and AWS organization provenance
• For my personal early Christmas, Aurora DSQL released a 5-part series about the internals of the database. SQL Inject it into my veins
  • Aurora DSQL Internals: Part 1 - Setting the scene
  • Aurora DSQL Internals: Part 2 - Shallow view
  • Aurora DSQL Internals: Part 3 - Transaction Processing
  • Aurora DSQL Internals: Part 4 - DSQL components
  • Aurora DSQL Internals: Part 5 - How the service uses clocks

Favorite Sessions & Blogs

• Lessons in resilience from the October 2025 service disruption: DynamoDB DAT453
• Deep Dive on AWS Lambda Durable Functions
• Securing AI Agents SEC328
• AI-Driven Software Development at Amazon (AI-DLC)
• HA and DR with Amazon Aurora DAT442
• Werner Vogels’ last keynote, The Renaissance Developer
• How CloudFront survived a 268 TERABIT per second game launch
• The life of an Amazon CloudFront Request

Disappointingly Oversold

My least favorite announcement was “Tag Policies Enforce required tags in CloudFormation, Terraform, and Pulumi”. I thought this would be an extension to the Tag Editor/Tag Policies support in Terraform to the other Infrastructure-as-Code (IaC) tools. Instead, it’s just validators for Pulumi and CloudFormation without the same auto-tagging support the Terraform tag policy provider has.