tcp.fm

315: EC2’s New Shutdown Shortcut: Because Sometimes You Just Need to Pull the Plug

Listen Later
 Welcome to episode 315 of The Cloud Pod, where the forecast is always cloudy! Your hosts, Justin and Matt, are here to bring you the latest in cloud and AI news, including news about AI from the White House, the newest hacker exploits, and news from CloudWatch, CrowdStrike, and GKE – plus so much more. Let’s get into it! 
Titles we almost went with this week:
  • SharePoint and Tell: Government Secrets at Risk
  • Zero-Day Hero: How Hackers Found SharePoint’s Achilles’ Heel
  • Amazon Q Gets an F in Security Class
  • Spark Joy: GitHub’s Marie Kondo Approach to App Development
  • No Code? No Problem! GitHub Lights a Spark Under App Creation
  • GKE Turns 10: Still Not Old Enough to Deploy Itself
  • A Decade of Containers: Pokémon GO Caught Them All
  • Kubernetes Engine Hits Double Digits, Still Can’t Count Past 9 Pods
  • Account Names: The Missing Link in AWS Cost Optimization
  • Flash Gordon Saves Your VMs from the Azure-verse
  • The Flash: Fastest VM Monitor in the Multiverse
  • Ctrl+AI+Delete: Rebooting America’s Artificial Intelligence Strategy
  • The AImerican Dream: White House Plots Path to Silicon Supremacy
  • CrowdStrike’s Year of Living Resiliently
  • Kernel Panic at the Disco: A Recovery Story
  • The Search is Over (But Your Copilot License Isn’t)
  • Ground Control to Major Tom: You’re Fired
  • GPU Booking.com: Reserve Your Neural Network’s Next Vacation
  • Calendar Man Strikes Again: This Time He’s Scheduling Your TPUs
  • AirBnB for AI: Short-Term Rentals for Your Machine Learning Models 
  • Claude’s World Tour: Now Playing in Every Region
  • Going Global: Claude Gets Its Passport Stamped on Vertex AI
  • SQS Finally Learns to Share: No More Queue Hogging
  • The Noisy Neighbor Gets Shushed: Amazon’s Fair Play for Queues
  • CloudWatch Gets Its AI Degree in Observability
  • Teaching Old Logs New Tricks: CloudWatch Goes GenAI
  • The Agent Whisperer: CloudWatch’s New AI Monitoring Powers
  • NotebookLM Gets Its PowerPoint License
  • Slides, Camera, AI-ction: NotebookLM Goes Visual
  • The SSL-ippery Slope: Azure’s Managed Certs Go Public or Go Home
  • Breaking Bad Certificates: DigiCert’s New Rules Leave Some Apps High and Dry
  • Firewall Rules: Now with a Rough Draft Feature
  • Azure’s New Policy: Think Before You Deploy
    • General News 

    00:50 Hackers exploiting a SharePoint zero-day are seen targeting government agencies | TechCrunch

    • Microsoft SharePoint servers are being actively exploited through a zero-day vulnerability (CVE-2025-53770), with initial attacks primarily targeting government agencies, universities, and energy companies, according to security researchers.
    • The vulnerability affects on-premises SharePoint installations only, not cloud versions, with researchers identifying 9,000-10,000 vulnerable instances accessible from the internet that require immediate patching or disconnection.
    • Initial exploitation appears to be limited and targeted, suggesting that nation-states likely back advanced persistent threat (APT) actors. However, broader exploitation by other threat actors is expected as attack methods become public.
    • Organizations running local SharePoint deployments face immediate risk as Microsoft has not yet released a complete patch, requiring manual mitigation steps outlined in their security guidance.
    • This incident highlights the ongoing security challenges of maintaining on-premises infrastructure versus cloud services, where patches and security updates are managed centrally by the provider.
    • It is interesting to us that the cloud was patched, but they didn’t have a patch right away. Strange situation. 
    • From a security standpoint, if you are an Office 365 customer, you have SharePoint whether you want it or not. 

      • 01:59 Justin – “If you’re still running SharePoint on-prem, my condolences.” 

      AI Is Going Great – or How ML Makes Its Money 

      05:25 The White House AI Action Plan:  a new chapter in U.S. AI policy

      • The White House AI Action Plan outlines three pillars focusing on accelerating AI innovation through open-source models, building secure AI infrastructure with high-security data centers, and leading international AI diplomacy while balancing export controls with global technology distribution.
      • Cloudflare emphasizes that distributed edge computing networks are essential for AI inference, offering access to over 50 open-source models through Workers AI and enabling developers to build AI applications without relying on closed providers or centralized infrastructure.
      • The plan endorses AI-powered cybersecurity for critical infrastructure, with Cloudflare demonstrating practical applications like blocking 247 billion daily cyberattacks using predictive AI and developing AI Labyrinth, which uses AI to trap malicious bots in endless mazes of generated content.
      • Federal agencies are accelerating AI adoption with Chief AI Officers across departments, and Cloudflare’s FedRAMP Moderate authorization positions them to provide secure, scalable infrastructure for government AI initiatives with plans for FedRAMP High certification.
      • The tension between promoting AI exports to allies while restricting compute and semiconductor exports to adversaries creates implementation challenges that could impact global AI deployment and innovation if export controls become overly broad or imprecise.

        • 07:24 Justin – “I use AI every day now, and I love it, and it’s great – and I also know how bad it is at certain tasks, so to think they’re using AI to fix the tax code or to write legislation freaks me out a little bit.”

        09:53 Trump’s ‘anti-woke AI’ order could reshape how US tech companies train their models | TechCrunch

        • Trump’s executive order banning “woke AI” from federal contracts requires AI models to be “ideologically neutral” and avoid DEI-related content, potentially affecting companies like OpenAI, Anthropic, and Google, which recently signed up to $200M defense contracts.
        • The order defines “truth-seeking” AI as prioritizing historical accuracy and objectivity, while “ideological neutrality” specifically excludes DEI concepts, creating vague standards that could pressure AI companies to align model outputs with administration rhetoric to secure federal funding.
        • xAI’s Grok appears best positioned under the new rules despite documented antisemitic outputs, as it’s already on the GSA schedule for government procurement and Musk has positioned it as “anti-woke” and “less biased.”
        • Experts warn the order could lead to AI companies actively reworking training datasets to comply with political priorities, with Musk stating xAI plans to “rewrite the entire corpus of human knowledge” using Grok 4’s reasoning capabilities.
        • The technical challenge is that achieving truly neutral AI is impossible since all language and data inherently contain bias, and determining what constitutes “objective truth” on politicized topics like climate science becomes a subjective judgment call.
        • We don’t like this at all. 

          • Copy editor Heather note: I’m currently getting a PhD in public history. I’m taking an entire semester class on bias and viewpoint in historical writing, and spoiler alert: there’s no such thing as truly neutral or objective truth, because at the end of the day, someone (or some LLM) will be deciding what information is “neutral” and what is “woke,” and that very decision is by definition a bias. 

          We’re definitely interested in our listeners’ thoughts on this one. Let us know on social media or on our Slack channel, and let’s discuss! 

          15:33 NASA’s AI Satellite Just Made a Decision Without Humans — in 90 Seconds

          • NASA’s Dynamic Targeting system enables satellites to autonomously detect clouds and decide whether to capture images in 60-90 seconds using onboard AI processing, eliminating the need for ground control intervention and reducing wasted bandwidth on unusable cloudy images.
          • The technology runs on CogniSAT-6, a briefcase-sized CubeSat equipped with an AI processor from Ubotica, demonstrating that edge computing can now handle complex image analysis and decision-making in space at orbital speeds of 17,000 mph.
          • Future applications include real-time detection of wildfires, volcanic eruptions, and severe weather systems, with plans for Federated Autonomous Measurement where multiple satellites collaborate by sharing targeting data across a constellation.
          • This represents a shift toward edge AI in satellite operations, reducing dependency on ground-based processing and enabling faster response times for Earth observation data that could benefit disaster response and climate monitoring applications.
          • The approach could extend to deep space missions and radar-based systems, with NASA having already tested autonomous plume detection on ESA’s Rosetta orbiter data, suggesting broader applications for autonomous spacecraft decision-making.
          • Quick reminder that Skynet started as a weather satellite. Just throwing that out there. 

            • 17:02 Matt – “It’s showing these real-life edge cases of, not just edge computing, but now, leveraging AI and ML  models on the edge to solve real-world problems.” 

            Cloud Tools 

            21:29 GitHub Next | GitHub Spark

            • GitHub Spark is an AI-powered tool that lets developers create micro apps using natural language descriptions without writing or deploying code, featuring a managed runtime with data storage, theming, and LLM integration, and is now available in public preview. 
            • The platform uses an NL-based editor with interactive previews, revision variants, automatic history tracking, and model selection from Claude Sonnet 3.5, GPT-4o, o1-preview, and o1-mini.
            • Apps are automatically deployed as PWAs accessible from desktop and mobile devices, with built-in persistent key-value storage and GitHub Models integration for AI features.
            • This solves the problem of developers having ideas for personal tools but finding them too time-consuming to build, enabling rapid creation of single-purpose apps tailored to specific workflows.
            • The collaboration features allow sharing sparks with read-only or read-write permissions, and users can remix others’ apps to customize them further, creating a potential ecosystem of personalized micro applications.

              • 22:32 Justin – “It’s an interesting use case; the idea of creating a bunch of these small little building blocks and you can stitch them together into these tool chains. It’s a very interesting approach.” 

              AWS 

              23:11 Hacker Plants Computer ‘Wiping’ Commands in Amazon’s AI Coding Agent

              • A hacker compromised Amazon’s Q AI coding assistant by submitting a malicious pull request to its GitHub repository, injecting commands that could wipe users’ computers and delete filesystem and cloud resources.
              • The breach occurred when Amazon included the unauthorized update in a public release of the Q extension, though the actual risk of computer wiping appears low according to the report.
              • This incident highlights the emerging security risks of AI-powered development tools, as hackers increasingly target these systems to steal data, gain unauthorized access, or demonstrate vulnerabilities.
              • The ease of the compromise – through a simple pull request – raises questions about code review processes and security controls for AI coding assistants that have direct filesystem access.
              • Organizations using AI coding tools need to reassess their security posture, particularly around code review workflows and the permissions granted to AI assistants in development environments.

                • 24:46 Matt – “If you’re not doing proper peer review for pull requests – which I understand is tedious and painful – but if you’re not doing it, you’re always going ot be susceptible to these things. “

                26:31 Cost Optimization Hub now supports account names in optimization opportunities – AWS

                • Cost Optimization Hub now displays account names alongside optimization recommendations, replacing the need to cross-reference account IDs when reviewing cost-saving opportunities across multiple AWS accounts.
                • This update addresses a key pain point for enterprises and AWS Partners managing dozens or hundreds of accounts by enabling faster identification of which teams or projects own specific cost optimization opportunities.
                • The feature integrates with existing Cost Optimization Hub filtering and consolidation capabilities, allowing users to group recommendations by account name and prioritize actions based on business units or departments.
                • Available in all regions where Cost Optimization Hub is supported at no additional cost, this enhancement reduces the administrative overhead of translating account IDs to meaningful business context when implementing cost optimizations.
                • Thank. Goodness. 

                  • 28:25 Amazon EC2 now supports skipping the operating system shutdown when Stopping or terminating instances – AWS

                  • EC2 now allows customers to skip graceful OS shutdown when stopping or terminating instances, enabling faster instance state transitions for scenarios where data preservation isn’t critical.
                  • This feature targets high-availability architectures where instance data is replicated elsewhere, allowing failover operations to complete more quickly by bypassing the normal shutdown sequence.
                  • Customers can enable this option through AWS CLI or EC2 Console, giving them control over the trade-off between data integrity and speed of instance termination.
                  • The feature is available in all commercial regions and GovCloud, addressing use cases like auto-scaling groups and spot instance interruptions where rapid instance replacement matters more than graceful shutdown.
                  • This represents a shift in EC2’s approach to instance lifecycle management, acknowledging that not all workloads require the same shutdown guarantees and letting customers optimize for their specific reliability patterns.

                    • 30:18 Justin – “I know there’s been many times where I, like, trying to do a service refresh, right where you just want to replace servers and you’re waiting patiently… so I guess it’s nice for that. And there are certain times, maybe when the operating system has actually crashed, where you just need it to die. I thought they had something like this before-ish, but I guess not.”

                    31:38 Building resilient multi-tenant systems with Amazon SQS fair queues | AWS Compute Blog

                    • Amazon SQS introduces fair queues to automatically mitigate noisy neighbor problems in multi-tenant systems by detecting when one tenant consumes disproportionate resources and prioritizing messages from other tenants. 
                    • This eliminates the need for custom solutions or over-provisioning while maintaining overall queue throughput.
                    • The feature works transparently by adding a MessageGroupId to messages – no consumer code changes required and no impact on API latency or throughput limits. 
                    • SQS monitors in-flight message distribution and adjusts delivery order when it detects an imbalance.
                    • New CloudWatch metrics specifically track noisy vs quiet groups, including ApproximateNumberOfNoisyGroups and metrics with the InQuietGroups suffix to monitor non-noisy tenant performance separately. CloudWatch Contributor Insights can identify specific problematic tenants among thousands.
                    • This addresses a common pain point in SaaS and multi-tenant architectures where one customer’s traffic spike or slow processing creates backlogs that impact all other tenants’ message dwell times. Fair queues maintain low latency for well-behaved tenants even during these scenarios.
                    • The feature is available now on all standard SQS queues at no additional cost – just add MessageGroupId to enable fairness behavior. AWS provides a sample application on GitHub to test the behavior with varying message volumes.

                      • 19:59 Ryan – “I’m glad to have it; I’m not going to complain about this feature, but it does feel like, apparently, there are new tricks that SQS can learn.” 

                      34:37 Launching Amazon CloudWatch generative AI observability  (Preview) | AWS Cloud Operations Blog

                      • CloudWatch now offers purpose-built monitoring for generative AI applications with automatic instrumentation via AWS Distro for OpenTelemetry (ADOT), capturing telemetry from LLMs, agents, knowledge bases, and tools without code changes – works with open frameworks like Strands Agents, LangGraph, and CrewAI.
                      • The service provides end-to-end tracing across AI components, whether running on Amazon Bedrock AgentCore, EKS, ECS, or on-premises, with dedicated dashboards showing model invocations, token usage, error rates, and agent performance metrics in a single view.
                      • Integration with existing CloudWatch features like Application Signals, Alarms, and Logs Insights enables correlation between AI application behavior and underlying infrastructure metrics, helping identify bottlenecks and troubleshoot issues across the entire stack.
                      • Setup requires configuring OTEL environment variables and enabling transaction search in CloudWatch, with telemetry sent directly to CloudWatch OTLP endpoints – no additional collectors needed, though model invocation logging must be enabled separately for input/output visibility.
                      • This addresses a real pain point where developers previously had to build custom instrumentation or manually correlate logs across complex AI agent interactions, now providing fleet-wide agent monitoring and individual trace analysis in one centralized location.

                        • 37:18 Matt – “It’s one of those things useful until you’re in the middle of an outage and everyone is complaining that something’s down, and then you’re like ooh, I can see exactly where the world is on fire and this is what caused it.”   

                        GCP

                        38:01 10 years of GKE ebook | Google Cloud Blog

                        • GKE celebrates 10 years with an ebook highlighting customer success stories, including Signify scaling from 200 million to 3.5 billion daily transactions and Niantic’s Pokémon GO launch that stress-tested GKE’s capabilities at unprecedented scale.
                        • The ebook emphasizes GKE’s evolution from container orchestration to AI workload management, with GKE Autopilot now offering automated optimization for AI deployments to reduce infrastructure overhead and improve cost efficiency.
                        • Google positions GKE as the foundation for AI-native applications, leveraging its decade of Kubernetes expertise and one million open-source contributions to support complex AI training and inference workloads.
                        • Key differentiator is GKE’s integration with Google’s AI ecosystem and infrastructure, allowing customers to focus on model development rather than cluster management while maintaining enterprise-grade stability and security.
                        • The timing aligns with increased enterprise adoption of Kubernetes for AI/ML workloads, as organizations seek managed platforms that can handle the computational demands of modern AI applications without extensive DevOps overhead.
                        • Happy Birthday. Let’s all get back to crashing Kubernetes. 

                          • 41:29 Dynamic Workload Scheduler Calendar mode reserves GPUs and TPUs | Google Cloud Blog

                          • Google’s Dynamic Workload Scheduler Calendar mode enables short-term GPU and TPU reservations up to 90 days without long-term commitments, addressing the challenge of bursty ML workloads that need flexible capacity planning.
                          • The feature works like booking a hotel – users specify resource type, instance count, start date, and duration to instantly see and reserve available capacity, which can then be consumed through Compute Engine, GKE, Vertex AI custom training, and Google Batch.
                          • This positions Google competitively against AWS EC2 Capacity Reservations and Azure’s capacity reservations by offering a more user-friendly interface and shorter-term flexibility specifically optimized for ML workloads.
                          • Early access customers like Schrödinger, Databricks, and Vilya report significant cost savings and faster project completion times, with use cases spanning drug discovery, model training, and computationally intensive research tasks.
                          • Currently available in preview for TPUs with GPU access requiring an account team contact, the service integrates with Google’s AI Hypercomputer ecosystem and extends existing Compute Engine future reservations capabilities for co-located accelerator capacity.

                            • 43:41 Justin – “I’m disappointed there’s no calendar view. The screenshots they showed – I can see how I create it. I see the reservation period I’m asking for. And then at the end, there’s a list of all your reservations. Just a list. It’s not even a calendar. Come on, Google, get this together. But yeah, in general, this is a great feature.”

                            44:46 BigQuery meets Google ADK & MCP | Google Cloud Blog

                            • Google introduces first-party BigQuery tools for AI agents through ADK (Agent Development Kit) and MCP (Model Context Protocol), eliminating the need for developers to build custom integrations for authentication, error handling, and query execution.
                            • The toolset includes five core functions: list_dataset_ids, get_dataset_info, list_table_ids, get_table_info, and execute_sql, providing agents with secure access to BigQuery metadata and query capabilities without custom code maintenance.
                            • Two deployment options are available: ADK’s built-in toolset for direct integration or the MCP Toolbox for Databases, which centralizes tool management across multiple agents, reducing maintenance overhead when updating tool logic or authentication methods.
                            • This positions Google competitively against AWS Bedrock and Azure OpenAI Service by offering native data warehouse integration for enterprise AI agents, particularly valuable for organizations already invested in BigQuery for analytics workloads.
                            • The solution addresses enterprise concerns about secure data access for AI agents while supporting natural language business queries like “What are our top-selling products?” or “How many customers do we have in Colombia?” without exposing raw database credentials to applications.

                              • 45:49 Matt – “I mean, anything with BigQuery and making it easier to use feels like it makes my life easier.”

                              46:24 Global endpoint for Claude models generally available on Vertex AI | Google Cloud Blog

                              • Google Cloud now offers a global endpoint for Anthropic’s Claude models on Vertex AI that dynamically routes requests to any region with available capacity, improving uptime and reducing regional capacity errors for Claude Opus 4, Sonnet 4, Sonnet 3.7, and Sonnet 3.5 v2.
                              • The global endpoint maintains the same pay-as-you-go pricing as regional endpoints and fully supports prompt caching, automatically routing cached requests to the region holding the cache for optimal latency while falling back to other regions if needed.
                              • This positions GCP competitively against AWS Bedrock’s cross-region inference feature, though GCP’s implementation currently lacks provisioned throughput support and requires careful consideration for workloads with data residency requirements.
                              • Key beneficiaries include AI application developers needing high availability without geographic constraints, particularly those building customer-facing chatbots, content generation tools, or AI agents that require consistent uptime across regions.
                              • Implementation requires only changing the location variable to “GLOBAL” in existing Claude configurations, making it a simple upgrade path for current users while maintaining separate global quotas manageable through the Google Cloud console.

                                • 47:03 Matt – “This is a great feature, but you have to be very careful with any data sovereignty laws that you have.” 

                                51:10 NotebookLM updates: Video Overviews, Studio upgrades

                                • NotebookLM introduces Video Overviews that generate narrated slide presentations with AI-created visuals, pulling diagrams and data from uploaded documents to explain complex concepts – particularly useful for technical documentation and data visualization in cloud environments.
                                • The Studio panel redesign allows users to create multiple outputs of the same type per notebook, enabling teams to generate role-specific Audio and Video Overviews from shared documentation – a practical feature for cloud teams managing technical knowledge bases.
                                • Video Overviews support customization through natural language prompts, allowing users to specify expertise levels and focus areas, which could streamline onboarding and knowledge transfer for cloud engineering teams.
                                • The multi-tasking capability lets users consume different content formats simultaneously within the Studio panel, potentially improving productivity for developers reviewing technical documentation while working.
                                • Currently available in English only, with multi-language support coming soon, positioning NotebookLM as a knowledge management tool that could complement existing cloud documentation and training workflows.

                                  • 52:23 Justin – “Meaning that everyone who is rushing off to replace us with a podcast can now replace us with a video, dynamically generated PowerPoint slides, and then they put you right to sleep. Or you could just listen to us, you choose.”

                                  Azure

                                  53:11  Project Flash update: Advancing Azure Virtual Machine availability monitoring | Microsoft Azure Blog

                                  • Project Flash now includes a user vs platform dimension in VM availability metrics, allowing customers to distinguish whether downtime was caused by Azure infrastructure issues or user-initiated actions. 
                                  •  This addresses a key pain point for enterprises like BlackRock that need precise attribution for service interruptions.
                                  • The new Event Grid integration with Azure Monitor alerts enables near real-time notifications via SMS, email, and push notifications when VM availability changes occur, providing faster incident response compared to traditional monitoring approaches.
                                  • Flash publishes detailed VM availability states and resource health annotations that help with root cause analysis, including information about degraded nodes, service healing events, and hardware issues – giving operations teams actionable data for troubleshooting.
                                  • The solution scales from small deployments to massive infrastructures and integrates with existing Azure monitoring tools, though customers should combine Flash Health events with Scheduled Events for comprehensive coverage of both unplanned outages and planned maintenance windows.
                                  • Future enhancements will expand monitoring to include top-of-rack switch failures, accelerated networking issues, and predictive hardware failure detection – positioning Azure to compete more directly with AWS CloudWatch and GCP’s operations suite for infrastructure monitoring.

                                    • 54:29 Matt – “I think that a lot of these things are very cool, but I also feel like this is a lot more for stateless systems, and I try very hard to not have stateless VMs – as much as I can – in my life.” 

                                    56:38  Announcing Microsoft 365 Copilot Search General Availability: A new era of search with Copilot | Microsoft Community Hub

                                    • Microsoft 365 Copilot Search is now generally available as a dedicated module within the Microsoft 365 Copilot app, providing AI-powered unified search across SharePoint, OneDrive, Outlook, and over 150 external data sources through Copilot Connectors, including Salesforce, ServiceNow, Workday, and SAP.
                                    • The service uses AI to understand query context and deliver relevant documents, emails, and meeting notes without requiring any setup – users with eligible Microsoft 365 Copilot licenses automatically see a Search tab alongside Chat and other Copilot experiences across desktop, web, and mobile platforms.
                                    • This positions Microsoft against Google’s enterprise search capabilities and AWS Kendra by leveraging existing Microsoft 365 infrastructure and licensing, with no additional cost beyond the standard Microsoft 365 Copilot license, which runs $30 per user per month.
                                    • Key differentiator is the instant query predictions feature that surfaces recently worked documents, colleague collaborations, and documents where users are mentioned, addressing the common enterprise pain point of information scattered across disconnected silos.
                                    • Target customers are enterprises already invested in Microsoft 365 who need to break down information barriers between Microsoft and third-party systems, particularly those using multiple SaaS platforms that can now be searched through a single interface.

                                      • 58:51  Important Changes to App Service Managed Certificates: Is Your Certificate Affected? | Microsoft Community Hub

                                      • Azure App Service Managed Certificates must meet new industry-wide multi-perspective issuance corroboration (MPIC) requirements by July 28, 2025, which will break certificate renewals for apps that aren’t publicly accessible, use Traffic Manager nested/external endpoints, or rely on *.trafficmanager.net domains.
                                      • This change impacts organizations using App Service Managed Certificates with private endpoints, IP restrictions, client certificate requirements, or authentication gateways – forcing them to purchase and manage their own SSL certificates instead of using the free managed option.
                                      • Microsoft provides Azure Resource Graph queries to help identify affected resources, but the queries don’t capture all edge cases, requiring manual review of Traffic Manager configurations and custom access policies that might block DigiCert’s validation.
                                      • Unlike AWS Certificate Manager, which supports private certificate authorities and internal resources, Azure’s managed certificates will only work for publicly accessible apps, potentially increasing operational overhead and costs for enterprises with strict security requirements.
                                      • The six-month grace period before existing certificates expire gives organizations time to migrate, but those relying on the free managed certificate service for internal or restricted apps will need to budget for commercial SSL certificates and implement manual renewal processes.
                                      • Yes, you read that right. A whole 7 days to prep. 
                                      • Thanks, guys. Gold stars all around.  

                                        • 1:03:42 Draft and deploy – Azure Firewall policy changes [Preview] | Microsoft Community Hub

                                        • Azure Firewall now supports a draft and deploy feature in preview that allows administrators to stage policy changes in a temporary draft environment before applying them atomically to production, addressing the challenge where even small changes previously took several minutes to deploy.
                                        • The two-phase model separates editing from deployment – users clone the active policy into a draft, make multiple changes without affecting live traffic, collaborate with reviewers, then validate and deploy all changes in a single operation that replaces the active policy.
                                        • This feature targets enterprises with strict change management and governance requirements who need formal approval workflows for firewall policy updates, reducing configuration risks and minimizing the chance of accidentally blocking critical traffic or exposing workloads.
                                        • The preview is currently limited to Azure Firewall policies only and doesn’t support Classic rules or Firewall Manager, with deployment available through Azure Portal or CLI commands for organizations looking to streamline their security operations.
                                        • While AWS offers similar staging capabilities through AWS Network Firewall rule groups and GCP provides hierarchical firewall policies, Azure’s implementation focuses on atomic deployments and collaborative review cycles that integrate with existing enterprise change management processes.

                                          • 1:05:24 Justin – “It’s also weird that it’s limited to not include the classic rules or the firewall manager.”

                                          Cloud Journey 

                                          1:06:52  Beyond IAM access keys: Modern authentication approaches for AWS | AWS Security Blog

                                          • AWS is pushing developers away from long-term IAM access keys toward temporary credential solutions like CloudShell, IAM Identity Center, and IAM roles to reduce security risks from credential exposure and unauthorized sharing.
                                          • CloudShell provides a browser-based CLI that eliminates local credential management, while IAM Identity Center integration with AWS CLI v2 adds centralized user management and seamless MFA support.
                                          • For CI/CD pipelines and third-party services, AWS recommends using IAM Roles Anywhere for on-premises workloads and OIDC integration for services like GitHub Actions instead of static access keys.
                                          • Modern IDEs like VS Code now support secure authentication through IAM Identity Center via AWS Toolkit, removing the need for developers to store access keys locally.
                                          • AWS emphasizes implementing least privilege policies and offers automated policy generation based on CloudTrail logs to help create permission templates from actual usage patterns.

                                            • 01:15:52  Reflecting on Building Resilience by Design | CrowdStrike

                                            • CrowdStrike has introduced granular content control features, allowing customers to pin specific security configuration versions and set different deployment schedules across test systems, workstations, and critical infrastructure through host group policies.
                                            • The company established a dedicated Digital Operations Center to unify monitoring and incident response capabilities across millions of sensors worldwide, processing telemetry at exabyte scale from endpoints, clouds, containers, and other systems.
                                            • A new Falcon Super Lab tests thousands of OS, kernel, hardware, and third-party application combinations, with plans to add customer profile testing that validates products in specific deployment environments.
                                            • CrowdStrike is creating a Chief Resilience Officer role reporting directly to the CEO and launching Project Ascent to explore security capabilities outside kernel space while maintaining effectiveness against kernel-level threats.
                                            • The platform now provides real-time visibility through a content quality dashboard showing release progression across early access and general availability phases, with automated deployment adjustments via Falcon Fusion SOAR workflows.
                                              • Closing

                                              And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

                                              ...more
                                              View all episodesView all episodes
                                              Download on the App Store
                                              tcp.fmBy Justin Brodley, Jonathan Baker, Ryan Lucas and Matt Kohn