// THE BRIEF: AWS

AWS shipped Graviton5 instances claiming 25% better compute performance over Graviton4, then the same week announced OpenAI’s frontier models are now available on Bedrock — two moves that point in opposite directions on the build-vs-buy question.

AWS shipped a lot this week, but two announcements pull against each other in a way worth naming.

The hardware side: Graviton5 lands

The M9g and M9gd instances went generally available on June 10. AWS claims up to 25% better compute performance versus Graviton4-based instances — no workload specification in the announcement summary, which is the usual caveat with headline numbers like this. The M9gd variant adds local NVMe, which matters for latency-sensitive workloads that can’t tolerate EBS round-trips. If your fleet is Graviton4 today, the upgrade math is straightforward to run; whether 25% on AWS’s benchmark translates to 25% on your workload is the question to answer before you migrate.

The model side: OpenAI on Bedrock

On June 1, OpenAI announced that its frontier models and Codex are now generally available on AWS — meaning customers can call OpenAI through existing AWS procurement and IAM controls. AWS also made Claude Fable 5 available on Bedrock in the same period, with what the announcement calls “Mythos-level capabilities” and built-in safeguards. Two competing model providers, same marketplace. AWS is clearly positioning Bedrock as the model router rather than betting on a single frontier vendor.

The tension: OpenAI on AWS makes Bedrock more useful for teams that are already OpenAI shops but want AWS billing and network controls. But it also means AWS is now a distribution channel for a direct competitor to Anthropic, which it has invested in heavily. The vendor dynamics here are worth watching.

Security: from tooling to operations

Two security posts this week are worth reading together. The maturity roadmap for AWS security opens with a distinction that’s easy to miss: enabling Security Hub and GuardDuty is the starting line, not the goal. Most organizations stall because findings don’t drive decisions and response times aren’t measured. The post frames this as a phased problem — a fair characterization of where most AWS accounts actually sit.

The Shield Advanced flow logs post is a more tactical complement: attack traffic metadata is now captured during active DDoS events and published to S3, which closes a real gap. Previously, reconstructing an attack meant correlating sources after the fact. The new capability lets you verify mitigations in-flight and pipe data into existing analysis pipelines — useful if you’re already on Shield Advanced and wondering what you’re paying for.

Datadog’s separate post on AWS data perimeter misconfigurations rounds this out by showing where organization-level policies fail in practice. Running threat emulation against your own perimeter policies before an incident is the receipt-check that most teams skip.

Cognito gets multi-region

Amazon Cognito now supports multi-Region replication, automatically synchronizing user data, credentials, and pool configurations to a secondary region. Critically: no forced password resets during regional failover. This was a long-standing gap — Cognito has been a single-region bottleneck for applications that otherwise had solid DR posture. Customer-managed KMS key support is also new here, which matters for regulated workloads that couldn’t use Cognito at all previously.

EKS environment factories: the Deloitte number

Pulumi’s post on EKS vCluster ephemeral environments cites an AWS Architecture Blog case study showing Deloitte achieved 89% faster testing environment provisioning by consolidating dozens of clusters into a single EKS host cluster with over 50 vCluster instances. The claimed saving is roughly 500 QA hours per year. The vCluster pattern – running virtual control planes inside a shared host cluster – is legitimately useful for platform teams that provision and tear down test environments constantly. The 89% figure comes from Deloitte’s own workload; your provisioning baseline is probably different, but the direction is consistent with what others have reported moving from full cluster-per-team models.

Spring 2026 SOC reports

Routine but worth noting: Spring 2026 SOC 1, 2, and 3 reports are available covering 188 services over the 12-month period April 2025 to March 2026. If you have a compliance review cycle, this is the artifact to pull.

OpenAI’s frontier models landing on Bedrock is a genuine win if you’re already living in the AWS ecosystem – the tooling and integrations there tend to be more user-friendly than going direct.

What to do this week

  • Graviton5 migration math: Pull your current Graviton4 instance costs and run the 25% compute improvement claim against your actual workload profile. Spin up one M9g instance, run your benchmark suite, and compare — don’t trust the headline number without the receipt. If M9gd’s local NVMe removes an EBS bottleneck in your stack, that’s a separate and potentially more compelling reason to migrate.
  • Cognito DR gap: If you’re running Cognito in a single region and have a DR requirement, the multi-region replication feature just removed the main blocker. Check whether customer-managed KMS key support unblocks any regulated workload you’ve been deferring.
  • Shield Advanced flow logs: If you’re paying for Shield Advanced, verify flow logs are enabled and that the S3 destination is plumbed into your SIEM or analysis pipeline. Running this validation in standup takes five minutes; finding out it wasn’t configured during an active attack costs more.
  • Data perimeter audit: Run Datadog’s threat emulation methodology against your organization-level SCPs. The gap between what your policies say and what they actually block is usually larger than the IAM team expects.
  • OpenAI on Bedrock evaluation: If your team is already using OpenAI’s API directly, the AWS availability means you can consolidate billing and apply existing IAM and VPC controls without changing model calls. Worth a spike if procurement or network policy has been a friction point.
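The data perimeter audit above (and the Datadog threat-emulation point earlier) is the kind of check that is easy to script: evaluate a candidate SCP against a fixed set of probe requests and list the probes whose outcome differs from what the perimeter is meant to do. This is an added illustration, not Datadog’s methodology or any AWS tool; the SCP, the org ID `o-exampleorg123`, and the probe set are constructed, and the condition evaluator is a deliberate simplification of IAM semantics (only the StringEquals family, with IfExists handling).

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: a resource-perimeter SCP that only covers S3 and SQS (assumed, not a real org's policy)
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceResourcePerimeter", "Effect": "Deny",
        "Action": ["s3:*", "sqs:*"], "Resource": "*",
        "Condition": {"StringNotEqualsIfExists": {"aws:ResourceOrgID": "o-exampleorg123"}},
    }],
})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    # Minimal evaluator for StringEquals / StringNotEquals and their IfExists variants.
    # Simplification (assumption): a key missing from the request context makes a plain
    # condition fail, while an IfExists operator treats a missing key as satisfied.
    for op, pairs in cond.items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        for key, expected in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue
                return False
            equal = ctx[key] in _as_list(expected)
            if (base == "StringEquals" and not equal) or (base == "StringNotEquals" and equal):
                return False
    return True

def scp_denies(policy_json, action, ctx):
    """True if any Deny statement matches the action and the request context keys."""
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(st["Action"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False

def perimeter_gaps(policy_json, org_id):
    """Run a constructed probe set; return the probes whose outcome differs from intent."""
    probes = {  # name: (action, request context, should_be_denied)
        "s3 in-org object": ("s3:GetObject", {"aws:ResourceOrgID": org_id}, False),
        "s3 foreign-org object": ("s3:GetObject", {"aws:ResourceOrgID": "o-foreign"}, True),
        "s3 object outside any org": ("s3:GetObject", {}, True),
        "sqs foreign-org queue": ("sqs:SendMessage", {"aws:ResourceOrgID": "o-foreign"}, True),
        "dynamodb foreign-org table": ("dynamodb:GetItem", {"aws:ResourceOrgID": "o-foreign"}, True),
    }
    return sorted(name for name, (action, ctx, want_deny) in probes.items()
                  if scp_denies(policy_json, action, ctx) != want_deny)
```

Against the sample policy the only gap reported is the DynamoDB probe: the SCP says "resource perimeter" but only names two services, which is exactly the policy-versus-behaviour mismatch the bullet describes.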

Receipts

  1. Graviton5 M9g launch · AWS News Blog — Up to 25% better compute performance compared to Graviton4-based instances
  2. OpenAI on AWS GA · OpenAI Blog — OpenAI frontier models and Codex are now generally available on AWS, giving enterprises a new path to build with OpenAI through the AWS environments, controls, and procurement workflows they already use
  3. Claude Fable 5 on Bedrock · AWS News Blog — Claude Fable 5 delivers Mythos-level capabilities available to all customers, with strong safeguards designed to make it safe for broader use
  4. AWS security maturity roadmap · AWS Security — Enabling security tooling is the starting point. Making it operational—where findings drive decisions, response times are measurable, and your security posture improves week over week—is where most organizations struggle
  5. Shield Advanced flow logs · AWS Security — Shield publishes logs to Amazon S3; they capture traffic metadata during attacks so you can pinpoint sources, verify mitigations, and feed your existing analysis pipelines
  6. Datadog data perimeter misconfigs · Datadog Blog — Threat emulation can help you find gaps in your AWS data perimeter policies, then learn which organization-level policies can close them
  7. Cognito multi-region replication · AWS News Blog — Automatically synchronizes user data, credentials, and pool configurations to a secondary AWS Region, enabling uninterrupted authentication during regional failovers without forced password resets
  8. Deloitte EKS vCluster case study · Pulumi Blog — Deloitte’s move to a virtual cluster model on Amazon EKS resulted in 89% faster testing environment provisioning; by consolidating dozens of disparate clusters into a single host cluster with over 50 vCluster instances, Deloitte saved about 500 QA hours per year
  9. Spring 2026 SOC reports · AWS Security — The reports cover 188 services over the 12-month period from April 1, 2025–March 31, 2026
