346: Zuckerberg Finally Finds His People, They Are All AI Agents
Episode 346


The Cloud Pod | Weekly AI & Cloud News on AWS, Azure & GCP · Justin Brodley, Jonathan Baker, Ryan Lucas and Matt Kohn | Cloud Computing & AI News

March 19, 2026 · 1h 18m


Show Notes

Welcome to episode 346 of The Cloud Pod, where the forecast is always cloudy! Hold on to your butts, because Justin, Ryan, and Matt are in the studio today, and they’re ready to bring you all the latest in Cloud and AI news, including the usual: Meta buying social networks, Amazon responding to outages, and OpenAI giving up another version of GPT. Let’s get into it! 

Titles we almost went with this week

  • ✍️ Cloudflare Spent $1100 to Rewrite Next.js in a Week
  • 🪈 One Pipe to Rule All Your OpenTelemetry Data
  • ☑️ Check Yourself Before Google Wrecks Your Cloud Config
  • 🎫 Copilot Takes Jira Tickets So You Don't Have To
  • 🧑‍✈️ GitHub Copilot Agent Joins Your Jira Workflow Uninvited
  • 👉 When AI Agents Network, Meta Swipes Right on Moltbook
  • 🎛️ Sixty Controls Walk Into a Terraform Repository
  • 🪪 One Security Console to Rule All Your Clouds
  • 🔒 AI Ate My Lock-In, and I Feel Fine
  • ⛅ Oracle Sees $90 Billion Future Cloudy With a Chance of GPUs
  • 💻 Your API Has Trust Issues, and We Can Prove It
  • 🏃 Stop Running Three Pipelines Like a Telemetry Hoarder
  • 🦕 From Database Dinosaur to AI Cash Cow
  • ☠️ Meta: Target acquired; must kill Moltbook
  • 🔫 Meta saw Moltbook and said, “WE MUST OWN IT AND KILL.”

Follow Up

00:51 Where things stand with the Department of War 

  • Anthropic has been designated a supply chain risk to US national security by the Department of War, a designation the company is challenging in court as legally unsound under 10 USC 3252.
  • The practical scope of the designation is narrow, applying only to the use of Claude in direct Department of War contracts, not to all customers that hold such contracts or to unrelated business with Anthropic.
  • Anthropic has stated that it will continue to provide its models to the Department of War and the national security community at nominal cost, with ongoing engineering support, during any transition period and for as long as permitted.
  • The company's two stated exceptions to military use involve fully autonomous weapons and mass domestic surveillance, and Anthropic has clarified these do not extend to operational decision-making, which it considers the military's domain.
  • For cloud and enterprise customers, the key takeaway is that existing Claude deployments unrelated to Department of War contracts remain unaffected, though the legal dispute introduces uncertainty into federal procurement pipelines involving AI services.
  • We will keep you updated on this in 12-18 months…

AI Is Going Great - Or How ML Makes Money 

01:21 Introducing GPT-5.4

  • OpenAI released GPT-5.4 across ChatGPT, the API, and Codex, positioning it as their most capable reasoning model to date. It merges the coding strengths of GPT-5.3-Codex with general reasoning, professional knowledge work, and native computer-use capabilities in a single model.
  • The computer-use capabilities are a notable technical step, with GPT-5.4 achieving a 75% success rate on OSWorld-Verified desktop navigation, surpassing the reported human benchmark of 72.4% and up from GPT-5.2's 47.3%. 
  • This makes it the first general-purpose OpenAI model with native computer use built in, making it relevant for developers building agents that operate across web browsers and desktop software.
  • Tool search is a practical efficiency improvement for agentic API workflows, dynamically loading tool definitions only when needed rather than stuffing all definitions into the prompt upfront. In testing against Scale's MCP Atlas benchmark on 36 MCP servers, this reduced total token usage by 47% with no loss in accuracy, directly translating to lower API costs for tool-heavy applications.
  • On the professional work side, GPT-5.4 scores 87.3% on an internal investment banking spreadsheet benchmark, up from 68.4% for GPT-5.2, and achieves 91% on BigLaw Bench for legal document work. The ChatGPT for Excel add-in, launched alongside it, gives Enterprise customers a direct integration path.
  • Pricing is higher per token than GPT-5.2 in the API, though OpenAI notes the model's token efficiency should offset costs for many workloads. 
  • Batch and Flex pricing remain available at half the standard rate, and Priority processing is available at 2x the standard rate for latency-sensitive use cases.

02:19 📢 Justin - “There’s also been a slew of every cloud provider in the world announcing Chat-GPT 5.4 is now available, and we will not be telling you about all of them, but assume that if you use a different model or different cloud, they probably have it.” 

04:33 Introducing ChatGPT for Excel and new financial data integrations

  • OpenAI launched ChatGPT for Excel in beta, an add-in powered by GPT-5.4 that lets users build, update, and analyze spreadsheet models using plain language descriptions. 
  • It preserves existing formulas and structure, asks permission before making changes, and links answers to specific cells for auditability. 
  • Available now for Business, Enterprise, Edu, Pro, and Plus users in the US, Canada, and Australia.
  • GPT-5.4 (also available as GPT-5.4 Thinking) is now live in ChatGPT, Codex, and the API, with OpenAI noting it was specifically tuned on real-world finance workflows, including financial modeling, scenario analysis, data extraction, and long-form research.
  • New financial data integrations bring Moody's, Dow Jones Factiva, MSCI, Third Bridge, MT Newswire, and others directly into ChatGPT workflows, with FactSet coming soon. 
  • Organizations can also connect proprietary data sources using Model Context Protocol (MCP), centralizing market, company, and internal data in a single interface.
  • For enterprise deployments, the Excel add-in supports RBAC, SAML SSO, SCIM, audit logs, AES-256 encryption at rest, TLS 1.2+ in transit, and data residency controls. In Enterprise and Edu workspaces, the feature is off by default and requires admin enablement with custom roles and group permissions.
  • ChatGPT for Google Sheets is listed as coming soon, signaling OpenAI is extending this spreadsheet integration beyond the Microsoft ecosystem.

04:49 📢 Justin - “If I were a betting man, I’d also say they’re going to have a PowerPoint version any day.” 

06:13 Meet KARL: A Faster Agent for Enterprise Knowledge, powered by custom RL

  • Databricks introduced KARL (Knowledge Agent with Reinforcement Learning), a custom model built using RL techniques to handle grounded reasoning tasks like document search, fact-finding, and multi-step reasoning across enterprise data sources.
  • KARL was trained with a few thousand GPU hours using entirely synthetic data. In internal testing, it matched or outperformed proprietary frontier models on inference cost, latency, and response quality simultaneously.
  • The core technical challenge KARL addresses is hard-to-verify tasks, where there is no single correct answer, making RL reward signal design particularly difficult compared to domains like math or code, where correctness is easier to measure.
  • Databricks is now offering a Custom RL private preview backed by Serverless GPU Compute, allowing enterprise customers to use the same RL pipeline that produced KARL to build domain-specific, cost-optimized versions of their own high-volume agents.
  • For enterprises running AI agents at scale, this approach suggests that custom RL fine-tuning on smaller models can substantially reduce inference costs compared with relying on general-purpose frontier models, a practical consideration as agentic workload costs grow.
  • Interested in checking out the preview? You can find more information on that here

07:09 📢 Ryan - “It's kind of a neat idea to provide sort of the pipeline there. I mean, I guess the big cloud providers are producing agent-building platforms and stuff; I wonder how much of this you can follow the path that they use for creating KARL and building your own domain-specific agent in the same way. I like the idea. Smaller model, less GPU.”

08:55 Codex Security: now in research preview

  • OpenAI launched Codex Security, formerly known as Aardvark, in research preview. It is now available to ChatGPT Pro, Enterprise, Business, and Edu customers via Codex web, with free usage for the first month.
  • The tool functions as an agentic application security scanner that builds a project-specific threat model to identify and prioritize vulnerabilities with context-aware fixes.
  • The performance metrics from the beta are notable: false positive rates dropped by over 50%, overreported severity findings fell by more than 90%, and noise was reduced by 84% in some repositories. 
  • Over the last 30 days, it scanned more than 1.2 million commits, surfacing 792 critical and 10,561 high-severity findings, with critical issues appearing in fewer than 0.1% of commits.
  • The tool uses sandboxed validation environments to pressure-test findings before surfacing them and can generate working proofs of concept when configured with a project-specific runtime environment. It also learns from user feedback on finding severity to refine its threat model over time.
  • Codex Security has already produced real-world results in open source, with 14 CVEs assigned across projects including OpenSSH, GnuTLS, GOGS, PHP, and Chromium. 
  • OpenAI is also launching Codex for OSS, offering free ChatGPT Pro and Plus accounts, as well as Codex Security access for open-source maintainers.

10:07 📢 Ryan - “I wish AI wouldn’t generate all those vulnerabilities in code… but I do like that these tools are available.”  

12:40 OpenAI to acquire Promptfoo 

  • OpenAI is acquiring Promptfoo, an AI security platform used by over 25 percent of Fortune 500 companies, with plans to integrate its technology directly into OpenAI Frontier, the company's enterprise platform for building AI agents.
  • Promptfoo's core capabilities include automated red-teaming and security testing for LLM applications, targeting risks such as prompt injection, jailbreaks, data leaks, tool misuse, and out-of-policy agent behavior. 
  • These will become native features within Frontier rather than separate tools.
  • The acquisition addresses a practical gap for enterprise AI deployments: systematic ways to test agent behavior before production, maintain audit trails, and meet governance and compliance requirements as AI agents connect to real data and business systems.
  • Promptfoo also maintains a widely used open-source CLI and library on GitHub, and OpenAI has stated it will continue developing the open-source project alongside the integrated enterprise capabilities, which is notable for developers already using those tools.
  • For enterprises building on Frontier, this signals that security testing and evaluation are moving from optional add-ons to built-in requirements of the development workflow, with direct implications for how teams structure AI deployment pipelines and compliance documentation.

13:36 📢 Justin - “It's good that this company got bought, integrated into the models is a great stepping stone, and I look forward to seeing more red teaming agents, because I think that's an area companies really have underinvested, and with our new cyber warfare world, it's going to become more and more important that you're doing more active red teaming.”

15:21 Introducing Kasal 

  • Databricks released Kasal, an open-source visual platform for building multi-agent AI workflows without writing orchestration code. 
  • Users can drag and drop agents onto a canvas or describe workflows conversationally, and Kasal automatically generates the underlying CrewAI-based Python code.
  • Kasal runs natively on Databricks Apps with built-in OBO authentication, SQLite or Lakebase persistence, and MLflow tracing integration, meaning teams can move from visual design to production deployment with minimal additional configuration.
  • The platform supports both sequential and hierarchical agent modes, in which hierarchical workflows include a manager agent coordinating specialized subagents, useful for tasks such as generating customer-specific sales presentations by combining product and customer data pipelines.
  • Observability is handled at two layers: business users see execution timelines and workflow status in the Kasal frontend, while AI engineers can use MLflow tracing to debug LLM calls and agent behavior at a technical level.
  • Workflows built in Kasal can be exported as Python code for further customization, and reusable plans can be registered in a shared catalog, giving teams a path from low-code prototyping to production-grade pipelines without being locked into the visual interface.

15:48 📢 Justin - “They didn’t mention security review; I just want to call that out.” 

17:04 Code Review for Claude Code

  • Anthropic launched Code Review for Claude Code in research preview for Team and Enterprise plans, using a multi-agent system that dispatches parallel agents to find bugs, filter false positives, and rank issues by severity, delivering results as a single summary comment plus inline annotations on each PR.
  • Internal metrics show the system increased substantive review comments from 16% to 54% of PRs at Anthropic, with large PRs over 1,000 lines receiving findings 84% of the time, averaging 7.5 issues, and less than 1% of findings marked incorrect by engineers.
  • Reviews scale dynamically with PR complexity, averaging around 20 minutes per review, and are billed at roughly $15 to $25 per review, making this notably more expensive than the existing open-source Claude Code GitHub Action, which remains available as a lighter-weight alternative.
  • A practical example from TrueNAS shows the system surfacing a pre-existing type mismatch bug in adjacent code that was silently wiping an encryption key cache on every sync, the kind of latent issue outside the direct changeset that human reviewers typically would not investigate.
  • The system intentionally does not approve PRs, keeping humans in the decision loop, and admins on Team and Enterprise plans retain controls over spend and usage, positioning this as a depth-focused supplement to human review rather than a replacement.

18:15 📢 Justin - “The COST of the review is really the biggest thing…definitely something that is a factor in all of these things.”

22:24 Meta acquires Moltbook, the AI agent social network

  • Meta acquired Moltbook, an AI agent social network built as a Reddit-style platform where every participant is an AI agent run by a human, with no direct human membership. 
  • The founders will join Meta Superintelligence Labs, though deal terms were not disclosed.
  • Meta specifically called out Moltbook's "always-on directory" approach for connecting agents as a novel development, suggesting the acquisition is focused on agent discovery and coordination infrastructure rather than the social network concept itself.
  • Moltbook was built on OpenClaw, an LLM coding agent wrapper that enables prompting via WhatsApp and Discord and supports deep local system access through community plugins. 
  • OpenClaw's founder was separately hired by OpenAI in February, indicating both major AI labs are recruiting from the same open-source agent ecosystem.
  • For developers and businesses, the acquisition signals that agent-to-agent communication protocols and persistent agent directories are becoming areas of serious investment, which could influence how cloud-based agentic workflows are designed going forward.
  • A practical caveat worth noting: Moltbook lacked security controls to verify that all participants were actually AI agents, meaning some posts were likely written by humans posing as agents. This highlights that agent identity and authentication remain unsolved problems in agentic system design.

22:39 📢 Justin - “We didn't really talk about Moltbook because we didn't want to talk about OpenClaw extensively, but basically, OpenClaw is a terrible way that you can run AI agents in a fully unsafe manner that accesses all of your personal data, and one of the things you could do is add a skill that would basically have it randomly post things onto MoltBook, which could include your bank accounts or security things if you're not careful in your security. And Meta buying this is just sort of the classic; it's a social network, and it could take us down, let's just take it off the market and kill it.”

Cloud Tools 

23:58 GitHub Copilot coding agent for Jira is now in public preview

  • GitHub Copilot coding agent now integrates directly with Jira Cloud, allowing teams to assign Jira issues to Copilot and receive AI-generated draft pull requests in their connected GitHub repositories without leaving their existing workflow.
  • The agent works asynchronously and autonomously, analyzing issue descriptions and comments for context, implementing code changes, and posting status updates back in Jira, including asking clarifying questions when needed.
  • This integration targets common, repetitive tasks such as bug fixes and documentation updates and respects existing pull request review and approval rules, so teams do not need to change their governance processes.
  • Setup requires installing two marketplace apps, one from Atlassian and one from GitHub, and notably requires Jira Cloud with Rovo enabled alongside an active GitHub Copilot coding agent subscription, so there are meaningful prerequisite costs to consider.
  • The integration supports GitHub Data Residency customers across supported regions, which is a practical consideration for teams with data sovereignty requirements.

24:42 📢 Ryan - “That’s interesting, because Rovo is Atlassian’s AI bot…I’m curious about why that’s required.”  

26:09 The Pulse: Cloudflare rewrites Next.js as AI rewrites commercial open source

  • Cloudflare released vinext, a rewrite of Next.js that replaces Vercel's proprietary Turbopack build system with the standard Vite build tool, allowing Next.js applications to deploy to Cloudflare Workers with a single command and producing client bundles that are reportedly up to 57% smaller.
  • The project was completed by one engineer in one week, using approximately $1,100 in AI tokens via the OpenCode agent and Claude Opus 4.5, reducing what would traditionally have taken years of engineering to days. However, the result is explicitly experimental and not yet battle-tested at scale.
  • A key practical concern is that vinext covers 94% of the Next.js API surface, with roughly 67,000 lines of code, compared with Next.js's 194,000, meaning edge cases and security auditing remain outstanding before production use at any meaningful traffic level.
  • Cloudflare also released a migration agent skill that integrates with tools like Claude Code, Cursor, and Codex, allowing developers to run a single command to migrate an existing Next.js project to vinext, with compatibility checks, dependency installation, and config generation handled automatically.
  • The broader implication for cloud engineers is that comprehensive open-source test suites now serve as a blueprint for AI-assisted rewrites, which puts pressure on commercial open-source business models that rely on deployment lock-in rather than infrastructure, support, or community as their primary differentiators.

27:31 📢 Ryan - “I feel like it's an awful precedent, right? Like, the whole point of open source is community collaboration, and this is directly in the face of that. Like, why would you release something open source if someone's just going to use an AI agent to create their own fork of it?”

31:58 Active defense: introducing a stateful vulnerability scanner for APIs

  • Cloudflare launched a beta Web and API Vulnerability Scanner focused initially on BOLA (Broken Object Level Authorization), which is the top threat in the OWASP API Top 10. 
  • Unlike WAF rules that catch syntax-based attacks, BOLA involves valid authenticated requests that violate business logic, making them invisible to traditional defenses.
  • The scanner is stateful, meaning it builds an API call graph from your OpenAPI spec and chains requests together logically, creating resources as an owner and then attempting to access them as an attacker. This solves a core limitation of legacy DAST tools that evaluate each request in isolation and miss authorization flaws that span multiple API calls.
  • To handle ambiguous or inconsistent OpenAPI schemas, the scanner uses Cloudflare Workers AI, which runs OpenAI's gpt-oss-120b model with structured outputs to infer data dependencies between endpoints automatically. This removes the manual configuration burden that typically slows DAST tool deployment.
  • Credential security is handled by the HashiCorp Vault Transit Secret Engine, where credentials are encrypted immediately upon submission and decrypted only by the specific Rust worker executing the test. This is a notable design choice, given that vulnerability scanners, by definition, need access to valid API credentials.
  • The scanner is now available in open beta for API Shield customers via the API, allowing teams to trigger scans and pull results into CI/CD pipelines or security dashboards. 
  • Cloudflare plans to extend coverage to OWASP Web Top 10 threats like SQLi and XSS in future releases.
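
The stateful owner-then-attacker sequence described above, as an added Python example (not Cloudflare's scanner and not code from the episode). The in-memory `InvoiceAPI`, the `scan_for_bola` and `isolated_probe` helpers, and the users `alice` and `mallory` are all constructed for illustration.

```python
# Added illustration: a toy in-memory API plus a stateful BOLA check.
# Every name here (InvoiceAPI, scan_for_bola, alice, mallory) is constructed.
import itertools


class InvoiceAPI:
    """Toy API with authenticated users and per-object owners.

    enforce_ownership=False reproduces the BOLA flaw: any authenticated
    caller may act on any object id.
    """

    def __init__(self, enforce_ownership):
        self.enforce_ownership = enforce_ownership
        self._rows = {}
        self._ids = itertools.count(1)

    def _check(self, user, oid):
        if user is None:
            return 401                      # authentication
        row = self._rows.get(oid)
        if row is None:
            return 404
        if self.enforce_ownership and row["owner"] != user:
            return 404                      # object-level authorization
        return 200

    def create(self, user, body):
        if user is None:
            return 401, None
        oid = next(self._ids)
        self._rows[oid] = {"id": oid, "owner": user, **body}
        return 201, dict(self._rows[oid])

    def read(self, user, oid):
        status = self._check(user, oid)
        return status, (dict(self._rows[oid]) if status == 200 else None)

    def update(self, user, oid, body):
        status = self._check(user, oid)
        if status == 200:
            self._rows[oid].update(body)
        return status, (dict(self._rows[oid]) if status == 200 else None)

    def delete(self, user, oid):
        status = self._check(user, oid)
        if status == 200:
            del self._rows[oid]
            return 204, None
        return status, None


def isolated_probe(api, other="mallory", oid=1):
    """One request evaluated on its own, with no state created first."""
    status, _ = api.read(other, oid)
    return status


def scan_for_bola(api, owner="alice", other="mallory"):
    """Create a resource as `owner`, then replay dependent calls as `other`."""
    status, created = api.create(owner, {"amount": 100})
    if status != 201:
        raise RuntimeError("setup failed: owner could not create a resource")
    oid = created["id"]      # data dependency carried into the later calls

    probes = [
        ("read", lambda: api.read(other, oid)),
        ("update", lambda: api.update(other, oid, {"amount": 0})),
        ("delete", lambda: api.delete(other, oid)),
    ]
    findings = []
    for name, call in probes:
        status, _ = call()
        if 200 <= status < 300:             # a second identity succeeded
            findings.append(name)

    # Confirm impact from the owner's point of view.
    status, row = api.read(owner, oid)
    intact = status == 200 and row["amount"] == 100
    return {"findings": findings, "owner_data_intact": intact}


if __name__ == "__main__":
    print("isolated request :", isolated_probe(InvoiceAPI(False)))
    print("vulnerable API   :", scan_for_bola(InvoiceAPI(False)))
    print("hardened API     :", scan_for_bola(InvoiceAPI(True)))
```

The isolated probe returns 404 even against the flawed API because no object exists yet, which is why the check has to create state first and chain requests.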

33:22 📢 Ryan - “This is super cool. This is the AI-enhanced security scanning I’ve been waiting for.” 

AWS

34:43 Amazon plans 'deep dive' internal meeting to address outages

  • Amazon's retail site experienced four Sev 1 outages in a single week, including a six-hour checkout and account access failure on March 5, prompting an internal deep-dive meeting led by SVP Dave Treadwell to review the availability posture.
  • An internal document initially cited GenAI-assisted changes as a contributing factor to a trend of incidents since Q3, but that reference was removed before the meeting, and Amazon later clarified that only one incident involved AI and none involved AI-written code.
  • Amazon is implementing new safeguards that require additional review of GenAI-assisted production changes, with Treadwell acknowledging that best practices for using generative AI in production environments have not yet been fully established.
  • A separate AWS outage in December was linked to the Kiro AI coding tool. However, Amazon attributed that incident to user error rather than the AI itself, highlighting an ongoing pattern of questions around AI tooling in production deployments.
  • With Amazon projecting $200 billion in capital expenditures this year while simultaneously reducing its workforce by tens of thousands, the reliability of AI-assisted development workflows becomes a practical concern for any organization adopting similar tooling at scale.

36:36 📢 Ryan - “Hold on to your butts, but we’re going to see a lot more of this.” 

39:00 Database Savings Plans now supports Amazon OpenSearch Service and Amazon Neptune Analytics

  • Database Savings Plans now cover Amazon OpenSearch Service and Amazon Neptune Analytics, offering up to 35% savings with a one-year commitment and no upfront payment required.
  • The plans apply automatically across serverless and provisioned instances regardless of engine, instance family, size, or region, so customers can switch instance types like moving from m7i.large.search to c8g.2xlarge.search without losing their discount.
  • This expansion is useful for organizations running search or graph analytics workloads at scale, since Neptune Analytics and OpenSearch can carry substantial hourly costs that benefit from committed-use pricing.    
  • Customers can use the Savings Plans Purchase Analyzer in the AWS Billing and Cost Management Console to model custom scenarios before committing, which reduces the guesswork in sizing a commitment.
  • Available now in all AWS regions except China. 
  • Pricing details are available here.

39:34 📢 Justin - “Finally. Thank you.” 

40:54 AWS Elastic Beanstalk now offers AI-powered environment analysis

  • AWS Elastic Beanstalk now integrates with Amazon Bedrock to provide AI-powered analysis of environment health issues, automatically collecting events, instance health data, and logs to generate step-by-step troubleshooting recommendations without manual log review.
  • The feature is triggered from the Elastic Beanstalk console via an AI Analysis button when environment health reaches Warning, Degraded, or Severe status, and is also accessible programmatically through the existing RequestEnvironmentInfo and RetrieveEnvironmentInfo CLI and API operations.
  • This is a practical addition for teams managing Beanstalk environments who want to reduce mean time to resolution, particularly useful for developers who may not have deep operational expertise in diagnosing platform-level issues.
  • Availability is limited to regions where both Elastic Beanstalk and Amazon Bedrock are supported, so teams in regions without Bedrock coverage will not have access, and AWS has not published specific pricing details for this feature beyond standard Beanstalk and Bedrock usage costs.
  • This continues a broader AWS pattern of embedding Bedrock-powered assistance into existing managed services, similar to features seen in other consoles, positioning AI-assisted operations as a standard capability rather than a standalone product.

41:55 📢 Matt - “I will say troubleshooting Beanstalk is a pain in the butt. It just says ‘degraded’ and you’re like ‘why’? And at one point, I had an issue with Beanstalk where it needed a specific CloudWatch put metric in order to do it; it got to the point I opened a support case, and asked AWS why it wasn't working. And they're like, here's this - buried 17 pages into… so I can definitely see it being useful.”

43:13 Introducing Amazon Connect Health, Agentic AI Built for Healthcare

  • Amazon Connect Health is now generally available, offering five purpose-built AI agents targeting healthcare administrative workflows, including patient verification, appointment scheduling, ambient documentation, patient insights, and medical coding with ICD-10 and CPT code generation.
  • The service is HIPAA-eligible and integrates natively with Amazon Connect, allowing contact center and point-of-care workflows to be configured in minutes rather than months, which is a notable deployment speed advantage for healthcare IT teams.
  • The two GA agents (patient verification and ambient documentation) are ready for production use today, while appointment management, patient insights, and medical coding remain in preview, so organizations should plan adoption timelines accordingly.
  • Point-of-care capabilities like ambient listening and medical coding are accessible via a unified SDK, letting developers embed these features directly into existing EHR systems rather than requiring a full platform migration.
  • The service is currently limited to US East (N. Virginia) and US West (Oregon), and AWS has not published specific pricing details publicly, so healthcare organizations will need to engage AWS directly to understand cost structures before planning deployments.

43:45 📢 Justin - “This is a great example of a really purpose-built AI that has a specific use case, and I’d almost rather talk to the AI at any time of the day that can book my appointment rather than waiting for the office to open during the day when I’m busy.” 

27:58 Amazon Lightsail now offers OpenClaw, a private self-hosted AI assistant

  • Amazon Lightsail now supports deploying OpenClaw, a self-hosted AI assistant that runs on your own Lightsail instance, giving users a private alternative to cloud-based AI services where data stays within their own infrastructure.
  • The offering includes several built-in security features out of the box: sandboxed agent sessions, one-click HTTPS without manual TLS setup, device pairing authentication, and automatic configuration snapshots, reducing the typical operational overhead of self-hosting AI tools.
  • Amazon Bedrock serves as the default model provider, which ties this directly into the broader AWS AI ecosystem, though users can swap models or connect to messaging platforms like Slack, Telegram, WhatsApp, and Discord for different workflows.
  • Pricing follows standard Lightsail instance pricing rather than a separate AI-specific cost structure, which may make this appealing for small teams or developers who want predictable monthly costs; check the Lightsail pricing page at aws.amazon.com/lightsail/pricing for current instance rates.
  • The feature is available across 15 AWS Regions, including US East, US West, Frankfurt, London, Tokyo, and Jakarta, and can be accessed directly from the Lightsail console with quick start documentation available for getting up and running quickly.

44:46 📢 Justin - “If you want to try it (OpenClaw) and you can’t get a Mac Mini because everyone is buying them for their OpenClaw implementations, Amazon Lightsail now supports (it).” 

47:22 Amazon OpenSearch Ingestion now supports a unified ingestion endpoint for OpenTelemetry data

  • Amazon OpenSearch Ingestion now accepts logs, metrics, and traces through a single unified pipeline endpoint, eliminating the previous requirement to run three separate pipelines for each OpenTelemetry signal type.
  • The consolidation reduces operational overhead around access control, monitoring, and lifecycle management, which translates to lower infrastructure costs for teams running observability at scale.
  • A practical benefit is incremental OpenTelemetry adoption: teams can start with one signal type and add others later without reconfiguring the pipeline, lowering the barrier to getting started.
  • Signal correlation becomes more straightforward when all three data types flow through a centralized pipeline, giving teams a more complete view of application health in one place.
  • The unified endpoint is available now in all regions where Amazon OpenSearch Ingestion is supported, and customers can configure it through the AWS Management Console or CLI. 
  • Pricing follows existing OpenSearch Ingestion rates based on Ingestion OCUs, so no new cost model is introduced.

47:54 📢 Ryan - “I mean, at the ingestion layer? I don’t know. Because this is really at the logs-equivalent…”

48:27 Announcing the end-of-support for the AWS Copilot CLI

  • AWS Copilot CLI reaches end of support on June 12, 2026, meaning it will no longer receive new features or security updates, though it remains available as an open-source project on GitHub.
  • AWS recommends two primary migration paths: Amazon ECS Express Mode for teams wanting a fast, opinionated path to production with automatic ALB, TLS, and auto-scaling provisioning, and AWS CDK L3 constructs for teams needing fine-grained infrastructure control in familiar programming languages.
  • ECS Express Mode is the closest functional replacement for Copilot's most common patterns, supporting shared Application Load Balancers across up to 25 services and eliminating the need to learn a custom manifest format.
  • Teams migrating Worker Services, Backend Services, and Scheduled Jobs have specific CDK construct equivalents available, including QueueProcessingFargateService for SQS-based workloads and ScheduledFargateTask for cron-based jobs.
  • Since Copilot uses standard CloudFormation under the hood, teams can also simply adopt the existing generated stacks and manage them directly, which represents the lowest-effort migration option for teams not ready to switch tooling.

49:26 📢 Justin - “I mean, yeah, this is kind of the first step into a fully managed world of ECS, and I remember when it came out we talked about it and was like, well, this is nice, but we really want what became Amazon ECS Express, and so they kind of deprecated themselves in their own way with a better solution.”

51:04 Amazon Route 53 Global Resolver is now generally available

  • Amazon Route 53 Global Resolver is now generally available across 30 AWS Regions, expanding from the 11-region preview shown at re:Invent 2025, with support for both IPv4 and IPv6 DNS query traffic from any location.
  • The service functions as an internet-reachable anycast DNS resolver, allowing authorized clients in an organization to resolve both public internet domains and private Route 53 hosted zones without being tied to a specific network location.
  • Security filtering is a core capability, blocking malicious domains, DNS tunneling, Domain Generation Algorithms, and now with GA, Dictionary DGA threats, alongside centralized query logging for visibility across the organization.
  • This positions Global Resolver as a managed alternative to running your own DNS resolver infrastructure for distributed or remote workforces, reducing operational overhead while centralizing DNS policy enforcement.
  • New customers get a 30-day free trial to evaluate the service, with pricing details available here.

51:57 📢 Ryan - “I both love and hate this. Having operated a global Anycast resolver, I know how much of a pain it is, and so I wouldn't want to set another one up, and I would gladly pay Amazon to do that. However, I don't know that they're removing the annoying parts. And you add more abstraction, I wonder, troubleshooting failed queries; that's going to be really difficult. And you have a lot more control when you control the network for these things, and so I'm very dubious about this one. But if it just works, then it'll probably be worth it.”

53:29 Automated deployments with GitHub Actions for Amazon ECS Express Mode

  • AWS published a walkthrough for connecting GitHub Actions to Amazon ECS Express Mode, automating the full pipeline from code commit to container deployment, including image builds, ECR pushes, and service updates without manual coordination.
  • The integration uses OIDC for authentication instead of stored AWS credentials, meaning GitHub Actions receives temporary credentials that expire after each workflow run, which reduces the risk surface compared to long-lived access keys sitting in repository secrets.
  • ECS Express Mode handles the infrastructure heavy lifting automatically, provisioning an ALB, target groups, health checks, auto scaling based on CPU, and security groups, so teams get a production-ready stack from a minimal workflow configuration.
  • Image tagging uses the first 7 characters of the git commit SHA, giving teams precise version traceability and a straightforward path to rollback by referencing a specific immutable image in ECS deployment history.
  • Costs are usage-based, covering ECS Fargate tasks, ECR storage, and data transfer, with no GitHub Actions charges for public repositories. The estimated setup time is 20 to 30 minutes, making this a relatively low-friction starting point for teams not yet running automated container deployments.
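
With OIDC replacing stored keys, the role's trust policy becomes the control that decides which workflows can obtain those temporary credentials. The following added Python example (not from the AWS walkthrough or the episode) audits a trust policy for the usual gaps. The condition keys `token.actions.githubusercontent.com:sub` and `:aud` are the standard GitHub OIDC claims as exposed to IAM; the account ID, organization, and repository names are constructed placeholders.

```python
# Added illustration: audit IAM role trust policies used with GitHub Actions
# OIDC. Account ID 111122223333 and example-org/example-repo are constructed.
PROVIDER = "token.actions.githubusercontent.com"
FEDERATED_ARN = f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_github_oidc_trust(policy):
    """Return (statement_index, issue) pairs for GitHub OIDC trust statements."""
    issues = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(str(f).endswith("oidc-provider/" + PROVIDER) for f in federated):
            continue

        subs, auds = [], []
        for operator, keys in stmt.get("Condition", {}).items():
            base = operator.split(":")[-1].lower()   # e.g. ForAnyValue:StringLike
            if base not in ("stringequals", "stringlike"):
                continue
            for key, value in keys.items():
                if key.lower() == PROVIDER + ":sub":
                    subs += [(base, v) for v in _as_list(value)]
                elif key.lower() == PROVIDER + ":aud":
                    auds += _as_list(value)

        if "sts.amazonaws.com" not in auds:
            issues.append((i, "aud-not-pinned"))
        if not subs:
            # Without a sub condition, any repository on GitHub can assume the role.
            issues.append((i, "sub-missing"))
        for base, value in subs:
            parts = value.split(":")
            repo = parts[1] if len(parts) > 1 and parts[0] == "repo" else ""
            # A wildcard in the org/repo part admits repositories you did not name.
            if base == "stringlike" and (repo == "" or "*" in repo or "?" in repo):
                issues.append((i, "sub-too-broad"))
    return issues


def _policy(condition):
    """Build a constructed sample trust policy around the given Condition block."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": FEDERATED_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


NO_CONDITION = _policy(None)
ORG_WILDCARD = _policy({"StringLike": {PROVIDER + ":sub": "repo:example-org/*"}})
PINNED = _policy({
    "StringEquals": {
        PROVIDER + ":aud": "sts.amazonaws.com",
        PROVIDER + ":sub": "repo:example-org/example-repo:ref:refs/heads/main",
    }
})

if __name__ == "__main__":
    for name, pol in [("no condition", NO_CONDITION),
                      ("org wildcard", ORG_WILDCARD),
                      ("pinned", PINNED)]:
        print(name, "->", audit_github_oidc_trust(pol))
```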

GCP

55:59 Introducing the Google Cloud recommended security checklist