Off-by-none: Issue #360
April 7, 2026
Anthropic’s Wardrobe Malfunction 🫣
In our previous issue, App Runner got sent to maintenance mode, agents started looking like real software, and efficiency may have become the new AI race. This week, Claude leaks its secrets, AWS locks down S3, and Cloudflare makes a run at WordPress. Plus, we've got a whole bunch of amazing content from the cloud, serverless, and AI communities.
News & Announcements
Anthropic is having a month. Their very public Claude Code leak gave us an unexpected peek under the hood. Lots to learn from it, including their concept of “skeptical memory” and how it maps to patterns emerging in agent design. Not exactly how you want transparency to happen, but still… fascinating.
AWS is continuing to tighten the screws on security with S3 rolling out new default bucket protections they announced last year. I'm sure this will break someone's CI/CD pipeline, but if this prevents another “oops, we exposed millions of records to the internet” incident, it’s worth it.
On the AI safety front, Amazon Bedrock Guardrails now support cross-account safeguards (GA), which is a big step toward centralized governance of AI systems. The deeper dive on how cross-account guardrails work is worth a read. This is the kind of thing enterprises actually need: consistent policies, enforced everywhere, without duct-taping controls into every individual service.
AWS also introduced frontier agents for security testing and cloud operations, which is both exciting and mildly terrifying. Letting agents poke at your infrastructure to find weaknesses sounds great… assuming they don’t introduce a few outages along the way. 😬 Given AWS’s recent adventures with agentic coding tools taking down services, let's hope they spent a few extra human cycles on this one.
Observability keeps evolving too. CloudWatch adding OpenTelemetry metrics support is actually a big deal. Standardizing metrics across systems has been messy for years, and leaning into OpenTelemetry makes it a lot easier to build portable, vendor-agnostic observability pipelines.
And speaking of observability, OpenSearch introduced agentic AI for log analytics, another signal that logs are no longer just something you query, they’re something you collaborate with. Expect more systems where you ask questions and let agents do the digging.
On the security side, this one’s a bit of a nightmare: a trojan slipped into axios via an npm supply chain attack. Axios is everywhere, which makes this especially concerning. Friendly reminder to pin your dependencies, use proper scanning tools, and maybe don’t blindly trust package libraries.
Cloudflare introduced EmDash, as a spiritual successor to WordPress. It’s positioning itself as a more secure, modern alternative to the plugin-heavy ecosystem we’ve all wrestled with. WordPress killer? Maybe. Or at least another sign that the PHP-era assumptions about how we build content systems are starting to fade.
And finally, Luc van Donkersgoed announced semantic content search for AWS News. Good stuff.
Tutorials
- Amazon Aurora DSQL: A Guide to AWS's Distributed SQL DB by Darryl Ruggles
- Building real-time conversational podcasts with Amazon Nova 2 Sonic by Madhavi Evana
- Serverless applications on AWS with Lambda using Java 25, API Gateway and DynamoDB - Part 4 SnapStart + DynamoDB request priming by Vadym Kazulkin
- Stream live data from Amazon Keyspaces to S3 vector for real time AI applications by Siva Palli
- Working with identity columns and sequences in Aurora DSQL by Arnab Chowdhury
- Single-Cluster Duality View by Franck Pachot
- Add Chat AI Summary Using Amazon Bedrock and HTTP Response Streaming by Marko Djakovic
- Simulate realistic users to evaluate multi-turn AI agents in Strands Evals by Ishan Singh
- Control which domains your AI agents can access by Evandro Franco
- Build a FinOps agent using Amazon Bedrock AgentCore by Salman Ahmed
- Build reliable AI agents with Amazon Bedrock AgentCore Evaluations by Akarsha Sehwag
- Stop Losing Your Screenshots: Build a Personal LINE Summarization and Search Bot with AWS and Claude by Hiro O.
Reads
How I Use AI Every Day Without Losing My Mind
Marco Troisi shares three principles for using AI coding tools without experiencing developer burnout: stay actively engaged in the code, maintain focus on customer needs, and reject multitasking for focused single-task work. His approach rightly emphasizes treating AI as a collaborator rather than letting it automate everything.
Build Smarter AI Apps with Claude | 3 Key Patterns
Love this take on agent harness design from Anthropic. Their point about assumptions growing stale as Claude improves is spot on. I've definitely found myself over-engineering orchestration layers for things Claude can now handle directly, and it's a good reminder to periodically question what actually needs to live in the harness.
AI Made Everyone a Builder and That's a Problem
Ran Isenberg shares his thoughts on the unintended consequences of AI-powered development. The point about AI making it easy to ship demos but hard to maintain production systems is something I see all the time. And I've definitely seen the explosion of half-baked open source projects inadvertently name-squatting. 🤨
Proudly Found Elsewhere
Great post by Seth Orell on embracing managed services over building everything yourself. I completely agree with his litmus test: only build what's a distinguishing, separately marketable feature of your business, otherwise find a provider. This is exactly the kind of thinking that makes serverless architectures so compelling (even if we're still figuring out where the boundaries are).
How I Built an AI Film Crew on AWS
Linda Mohamed, one of my favorite AWS Heroes, built an AI-powered video editing system using Step Functions to orchestrate MediaConvert, Rekognition, Transcribe, and Bedrock agents. This post is loaded with deep technical expertise and demonstrates a production-grade implementation, not just concepts.
Podcasts, Videos, and more
AWS Lambda Performance Tuning | Serverless Office Hours
Julian Wood hosts Matt Diamond and Paras Jain for a deep dive into Lambda performance optimization. The session covers configuration tuning, memory settings, and initialization best practices with practical examples for improving function speed and efficiency.
Building Real-Time Applications at Scale | Serverless Office Hours
Brian Zambrano and Kim Wendt join Eric Johnson to show essential strategies for managing high-volume connection requests, implementing effective filtering patterns, and handling event distribution at scale.
Stop Your Bad Lambda Deployments Before They Hit Production
Excellent hands-on walkthrough by James Eastham showing how to implement automated rollbacks with Lambda aliases and versions. The practical CodeDeploy setup he demonstrates is exactly the kind of safety net your serverless applications need.
An AI state of the union: We’ve passed the inflection point, dark factories are coming, and automation timelines | Simon Willison
Lenny Rachitsky chats with Simon Willison about the practical patterns for what he calls "agentic engineering" and explains why mid-career engineers might face more risk than juniors or seniors. The conversation covers everything from security challenges with prompt injection to how pelicans on bicycles became an unofficial AI quality benchmark. I also agree that deciding what to build is the new bottleneck.
New from AWS
- Amazon SageMaker Unified Studio adds notebook import/export and developer acceleration features
- AWS Cost Explorer launches Natural Language Query capabilities powered by Amazon Q
- AWS announces general availability of Smithy-Java client framework
- Amazon ECS announces Managed Daemons for ECS Managed Instances
- Amazon Verified Permissions now supports policy store aliases and named policies and policy templates
- Amazon CloudWatch expands auto-enablement to Amazon CloudFront logs and 3 additional resource types
- Amazon CloudFront now supports SHA-256 for signed URLs and signed cookies
- AWS Secrets Manager console now supports custom input for AWS KMS keys
- Amazon S3 Vectors expands to 17 additional AWS Regions
- Apache Spark troubleshooting and upgrade agents now available as Kiro powers
- Amazon ElastiCache Serverless now supports IPv6 and dual stack connectivity
- AWS Organizations now provides organization paths in API responses
- Amazon SES Mail Manager adds new features for enhanced security and email processing
Developer Tools
yetanotheraryan/coldstart by Aryan Tiwari
coldstart is a zero-dependency startup profiler for Node.js that instruments CommonJS and ESM startup loading, reconstructs the dependency tree, and points at the modules that actually slow boot time down.
AutoAgent: first open source library for self-optimizing agents by Kevin Gu
AutoAgent is an open source library where a meta-agent autonomously optimizes a task agent by tweaking prompts, adding tools, and refining orchestration. Kevin Gu reports it achieved top leaderboard scores on spreadsheet and terminal benchmarks after 24+ hours of iterative self-improvement.
Introducing Dynoxide: a fast, embeddable DynamoDB engine by Martin Hicks
Dynoxide is a new DynamoDB-compatible engine written in Rust and backed by SQLite, designed as a fast, embeddable alternative to DynamoDB Local.
Final Thoughts 🤔
It’s been a rough few weeks for “secure by default.”
Between accidental leaks, supply chain attacks, and the constant stream of “oops” moments, it’s clear that the pace of building is still outpacing the guardrails meant to keep things in check. Even the companies building the tools are learning these lessons in real time.
But there’s a flip side to all of this.
You can see the industry responding. S3 locking things down by default. Centralized guardrails for AI systems. Better observability standards. Even agents being tasked with finding vulnerabilities before humans do. It’s messy, but it’s progress.
We’re not slowing down, so the only real option is to get better at building systems that can keep up with us.
And maybe that’s where things are heading. Not just faster development, but safer defaults, stronger guardrails, and tooling that assumes mistakes will happen and is ready for them when they do.
See you next week,
Jeremy
I hope you enjoyed this newsletter. We're always looking for ideas and feedback to make it better and more inclusive, so please feel free to reach out to me via Bluesky, LinkedIn, X, or email.
Sign up for the Newsletter
Stay up to date on using serverless to build modern applications in the cloud. Get insights from experts, product releases, industry happenings, tutorials and much more, every week!
This Week's Top Links
We share a lot of links each week. Check out the Most Popular links from this week's issue as chosen by our email subscribers.
This Week's Sponsor
Check out all of our amazing sponsors and find out how you can help spread the #serverless word by sponsoring an issue.
About the Author
Jeremy is the founder of Ampt, a Cloud & AI consultant, and an AWS Serverless Hero that has a soft spot for helping people
solve problems using the cloud. You can find him ranting about serverless, cloud, and AI on Bluesky, LinkedIn, X, and at
conferences around the world.
Nominate a Serverless Star
Off-by-none is committed to celebrating the diversity of the serverless community and recognizing the people who make it awesome. If you know of someone doing amazing things with serverless, please nominate them to be a Serverless Star ⭐️!