#42 Security updates galore! 🛡️
This week, our expert is AWS Lambda Principal Engineer Rajesh Pandey, our spotlight falls on Developer Advocate Ricardo Sueiras, we look at the latest service releases, news, articles, & more!
Welcome
In last week’s issue, our serverless expert was AWS Community Builder Uriel Bitton, and our spotlight fell on AWS Community Builder Matthew Gillard!
This week, our serverless expert is AWS Lambda Principal Engineer Rajesh Pandey, our spotlight falls on AWS Principal Developer Advocate Ricardo Sueiras, we look at the latest AWS service releases, blog posts, hints and tips, news and more!
This week’s newsletter is sponsored by Leighton.
📰 Articles that caught the eye
Here are some stand-out articles I read during the week in the World of Serverless, AI, Engineering and Architecture!
⭐ My favourite this week was by Ran Isenberg, as there were a couple of vibe coding tips that I wasn’t aware of, which I am going to try out!
Marc Brooker has a non-technical but great career-advice-driven article titled “Career advice, or something like it”.
Ran Isenberg discusses “Agentic AI Prompting: Best Practices for Smarter Vibe Coding”.
Vadym Kazulkin releases part 5 of his series “Quarkus 3 application on AWS Lambda- Part 5 Measuring Lambda cold and warm starts with GraalVM Native Image”.
Damien Jones covers “Simplified Data Workflows With AWS Step Functions Variables”. (originally published on 03 March 2025 but now updated on Dev.to)
Davide De Sio has a great second part of his series titled “Build a serverless agent with persistent context using Strands Agents SDK”.
🎓 Ask the Expert
Each week, I ask a different serverless expert the same three questions to get their personal insights - this week, we have AWS Lambda Principal Engineer Rajesh Pandey:
Opinions are the author’s and do not express the views of their employer.
1. What is one common mistake you see teams making when implementing serverless solutions, and how can they avoid it?
Chasing scale before hitting reality. A common mistake I see is teams designing for theoretical scale too early, building complex workflows, layering retries, or over-optimizing cold starts, before their system even has real traffic. Serverless can scale, but only if you deeply understand how your system behaves in production. Without that, it’s easy to build the illusion of resilience while silently introducing failure loops.
In one system I helped review, a background retry quietly buried a downstream failure for weeks. Dashboards looked fine - until latency spiked and queues ballooned. The root issue wasn’t capacity - it was a lack of feedback from the system.
The fix? Design for iteration, not perfection. Prioritize simplicity, observability, and the ability to recover fast. Ask: What does failure look like? How will I detect and contain it? Serverless rewards teams who build for evolution, not speculation.
2. Which serverless tool or service are you most excited about right now, and why?
Oh, this is a fun one! Right now, I’m most excited about how serverless is evolving to support GenAI workloads as first-class citizens.
We’re no longer just running inference functions in the cloud - we're building systems that account for bursty loads, variable execution time, and unpredictable latency. What excites me most is the emergence of new architectural primitives that make it easier to design GenAI pipelines without giving up on serverless fundamentals: elasticity, low ops, and cost-aware scaling.
We’re standing at the intersection of event-driven infrastructure and cognitive workloads, and it's clear that the lessons from resilient serverless design - loose coupling, bounded execution, and contract-first thinking - are more relevant than ever. Serverless isn’t just keeping pace with GenAI - it’s quietly becoming the most natural way to run it.
3. What is your favourite trick or tip when working with serverless that the readers may find interesting?
One of my favorite tricks is to treat asynchronous workflows as guilty until proven innocent.
It’s tempting to insert a queue or event bus and assume the system is now resilient. But in practice, async boundaries often hide the toughest problems - silent retries, delayed failures, stale state, and cascading timeouts.
My tip: instrument async flows like you would synchronous ones. Tag events with trace metadata, log intent at emission and outcome at consumption, and track message age aggressively. If you can’t answer “Where did this event come from?” and “Why is it still here?”, you’re operating in the dark.
Asynchronous doesn’t mean invisible. The more confidence you build into these flows, the more safely you can scale and evolve your system.
✅ Bonus tip: join the #believeinsls Discord! There is a community there to answer any questions you may have without getting overzealous on serverless or without judgment! Check it out!
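The instrumentation described in the answer to question 3 (trace metadata on every event, intent logged at emission, outcome logged at consumption, message age tracked), as an added example that is not part of the interview or any AWS code. The envelope fields, function names, the 300-second age threshold and the attempt cap are assumptions, and an in-memory list stands in for the queue.

```python
import json
import time
import uuid

MAX_AGE_SECONDS = 300  # assumed staleness threshold, tune per workflow
MAX_ATTEMPTS = 3       # assumed cap so retries cannot loop silently


def emit(queue, log, source, payload, trace_id=None, now=None):
    """Wrap the payload in a traced envelope, log intent, then enqueue."""
    envelope = {
        "event_id": str(uuid.uuid4()),
        "trace_id": trace_id or str(uuid.uuid4()),  # reuse the caller's trace if any
        "source": source,  # answers "where did this event come from?"
        "emitted_at": time.time() if now is None else now,
        "attempt": 0,
        "payload": payload,
    }
    log.append({"stage": "emit", "event_id": envelope["event_id"],
                "trace_id": envelope["trace_id"], "source": source})
    queue.append(json.dumps(envelope))
    return envelope


def consume(queue, log, handler, now=None):
    """Process one message and log its age, attempt count and outcome."""
    now = time.time() if now is None else now
    envelope = json.loads(queue.pop(0))
    envelope["attempt"] += 1
    age = now - envelope["emitted_at"]  # answers "why is it still here?"
    record = {"stage": "consume", "event_id": envelope["event_id"],
              "trace_id": envelope["trace_id"], "source": envelope["source"],
              "attempt": envelope["attempt"], "age_seconds": round(age, 3),
              "stale": age > MAX_AGE_SECONDS}
    try:
        handler(envelope["payload"])
        record["outcome"] = "ok"
    except Exception as exc:
        record["error"] = repr(exc)
        if envelope["attempt"] < MAX_ATTEMPTS:
            record["outcome"] = "error"
            queue.append(json.dumps(envelope))  # retry keeps its original timestamp
        else:
            record["outcome"] = "dead_letter"   # stop retrying, leave a visible record
    log.append(record)
    return record
```

Because a retried message keeps its original `emitted_at` and `trace_id`, alerting on `stale` or on a rising `attempt` surfaces a failing downstream instead of letting a background retry bury it.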
🚀 New Releases
Here are the latest and most interesting releases this week in the AWS World:
⭐ This week, there were a lot of security-related releases due to AWS re:Inforce, but outside of this, the two interesting ones for me are the ability to use public certificates anywhere, and Claude 3.7 being available in the London region.
Amazon GuardDuty expands Extended Threat Detection coverage to Amazon EKS clusters.
New AWS Shield feature discovers network security issues before they can be exploited (Preview).
AWS WAF reduces web application security configuration steps and provides expert-level protection.
AWS expands resource control policies (RCPs) support to two additional services.
AWS IAM now enforces MFA for root users across all account types.
AWS Certificate Manager introduces public certificates you can use anywhere.
Amazon CloudFront simplifies web application delivery and security with new user-friendly interface.
Amazon S3 extends additional context for HTTP 403 Access Denied error messages to AWS Organizations.
AWS Lambda announces native support for Avro and Protobuf formatted Kafka events.
Anthropic's Claude 3.7 Sonnet is now available on Amazon Bedrock in London.
🔥 Tip: Check out https://aws-news.com/ for the very latest up-to-date serverless releases as they happen, created by the talented AWS Serverless Hero Luc van Donkersgoed.
👷🏻 Tools & Frameworks
Check out the latest open-source frameworks, news, and tool updates from the past week.
Lambda-MCP-Server - The project just hit 100 stars on GitHub and has had some major updates.
workers-oauth-provider - Cloudflare just released a TypeScript library that implements the provider side of the OAuth 2.1 protocol with PKCE support.
EventCatalog - Introducing Authentication and SSR Mode to EventCatalog.
strands-agent-on-lambda - This repo contains a sample implementation of user-aware AI Agent and MCP Server running on Lambda.
type-safe-env - A TypeScript library that provides type-safe environment configuration.
✖️ Social of the Week
This week’s social is on LinkedIn by AWS Hero Rehan van der Merwe, sharing even more great CDK open-source projects:
This is a great post with lots of great open-source AWS CDK projects, many of which I had no idea about!
🎙️ YouTube & Podcasts
Here are some of my favourite videos and podcasts this week.
⭐ My favourite video this week is by James Eastham covering AWS Lambda with .NET Aspire!
James Eastham has a great video called ‘Simplify your local AWS Lambda development with .NET Aspire’.
Kief Morris & Abby Bangser chat about ‘Infrastructure as Code’.
Brooke Jamieson discusses ‘From Napkin Sketch to Deployed Full Stack AWS App: An AI Did All the Coding’.
Steve Sanderson covers “Add Useful AI to Your Web App (Not Just Chatbots)”.
ThePrimeagen has a fun video titled ‘THIS IS THE REAL VIBE CODING’.
Johannes and Raphael talk all things observability and pipelines in this video called ‘How to simply collect CI/CD telemetry from GitHub Actions’.
Dave Farley discusses the differences between “Coder vs Developer vs Software Engineer”.
Weekly Case Study 🔍
This week’s case study comes from Genentech.
Genentech developed a generative AI system called gRED Research Agent, built using Amazon Bedrock Agents, to automate the time-consuming process of analysing massive amounts of scientific data for drug discovery and biomarker validation. The solution is expected to save nearly 5 years of manual effort in biomarker validation across therapeutic areas, enabling scientists to focus on high-impact research and ultimately bring new medicines to patients faster.
🗣️ Inspirational Quotes and Thoughts
This week’s inspirational quote is by chaos engineering expert Adrian Hornsby:
“We test our code continuously, deploy multiple times a day, but somehow our runbooks are written once and forgotten.
Most organizations forget that runbooks don't stay accurate by themselves. You have to test and update them regularly, just like your code, or they'll be useless when you really need them.
One good practice for keeping your runbooks in shape is to have your on-call rotation team (secondary, for example) go through and test the runbooks once a week - call that a mini GameDay :)
Time-box these to 2 hours max. Don't overthink it, and don't ask the team to automate everything or build a complicated framework; it will be too much upfront investment.
By doing that, you can catch any missing troubleshooting steps, outdated information, or redundant procedures in the runbooks.
It also gives the team more chances to practice responding to incidents, getting them comfortable with the processes, and building their confidence for when they're actually on call.
It is especially nice for new team members. They get to learn the service while practicing their operational skills.
On top of that, regularly testing and updating the runbooks directly helps make your systems and services more resilient overall.
If you have a lot of runbooks, just pick the oldest or the least-used one and work through the list one by one.
It'll take a bit of time, but trust me, your future on-call self will thank you.
Better to find out your runbook is outdated during a 2-hour practice session than during a 2 AM production incident.” - Adrian Hornsby
This full passage of text is so on-point! I have seen many organisations create runbooks as part of Well-Architected Reviews in the past and then never read them again, simply a tick box exercise, yet other organisations do regularly review them.
What processes do you put in place to keep them updated?
What are your thoughts and experiences with this? Feel free to leave a comment below.
🗳️ Poll of the Week
In last week’s poll, we asked the question “Which aspect of AWS Step Functions do you find most challenging or confusing?”.
Interestingly, 40% each said Debugging/Tracing and Managing state and errors, with 20% saying other. I'm not a huge fan of Step Functions and use them very rarely and intermittently, but the recent service releases have improved the DX around it for sure.
This week, we ask the question, “Do you pay personally for an AI license to use in your software development?”. Do you pay personally for tools like ChatGPT, Claude, Windsurf, Cursor and/or others to help with your day-to-day software engineering and side projects?
Feel free to leave a comment below on why you chose your answer and your experiences!
📅 Serverless Events
The following serverless events are upcoming, so mark your calendars.
🎟️ To note, CFP is currently open for the AWS North Community Conference, which I am helping organise, and we also have opportunities for lightning talks throughout the day. Go check it out!
Other fantastic events happening soon:
ACD Australia - 15th August 2025
ACD Adria - 5th Sept 2025
AWS Community Day Baltic - 10th Sept 2025
ACD Aotearoa - 18th Sept 2025
ACD Poland - 18th Sept 2025
ACD Portugal - 27th Sept 2025
ACD DACH - 7th Oct 2025
AWS North Community Conference - 16th Oct 2025
Do you have any upcoming events that you want to highlight? Message me below!
⭐ Spotlight
This week’s spotlight falls on AWS Principal Developer Advocate Ricardo Sueiras:
Ricardo runs (in my opinion) the best AWS open-source newsletter there is going, and it's astonishing how much content he packs into each one! It covers services, tools, demos, samples, data and analytics, solutions, workshops and more, many of which have accompanying videos or fantastic graphics that complement that particular update. It is one of my favourite reads personally! Go check it out now.
Thank you for all you do for our wonderful community!
Thank you for reading the latest Serverless Advocate Newsletter!
If you want to find out a little more about me, please have a look at:
https://www.serverlessadvocate.com/
See you next time,
Lee