AWS Lambda MicroVMs: VM-Isolated Stateful Serverless Execution
AWS introduced Lambda MicroVMs on June 22, 2026, a new serverless compute primitive designed specifically for executing user-generated and AI-generated code in fully isolated environments. Unlike traditional Lambda functions, which share a kernel across invocations and target short-lived stateless processing, MicroVMs provide VM-level isolation powered by Firecracker — the same lightweight virtualisation technology behind AWS Lambda's 15+ trillion monthly function invocations — with state preservation for up to 8 hours per instance.
The architecture relies on snapshot-based launches: when a MicroVM image is created (from a Dockerfile and code ZIP in S3), Lambda builds the image, initialises the application, and snapshots the running memory and disk state using Firecracker. Subsequent launches resume from that pre-initialised snapshot rather than booting cold, enabling near-instant startup with full VM-level isolation. Each MicroVM can use up to 16 vCPUs, 32 GB of memory, and 32 GB of disk on ARM64 Graviton instances. An auto-suspend/resume mechanism reduces costs during idle periods while preserving in-memory state transparently when traffic returns.
For developers building multi-tenant applications, the isolation model is the key differentiator: untrusted code from one user cannot access the filesystem, memory, or network of another user's MicroVM. This makes the service well suited for AI coding assistants running sandboxed code generation and execution, Jupyter-like interactive compute platforms that need session state between requests, data analytics workloads with longer runtimes than the traditional 15-minute Lambda limit, and any scenario where running user-supplied code on shared infrastructure carries unacceptable security risk. Lambda MicroVMs complements rather than replaces traditional Lambda functions — event-driven stateless workloads remain with functions, while interactive isolated execution moves to MicroVMs. The service is currently available in US East (N. Virginia and Ohio), US West (Oregon), Europe (Ireland), and Asia Pacific (Tokyo).
Read more — AWS News Blog
Amazon S3 Annotations: Rich, Queryable Metadata for AI Agent Workflows
Also announced at the AWS Summit New York 2026, Amazon S3 Annotations allows developers to attach up to 1 GB of rich, mutable, and queryable context directly to S3 objects. Where standard S3 object metadata is limited to 2 KB of key-value pairs, Annotations can store structured context — data lineage information, processing history, business-rule tags, governance records, or semantic descriptions — as first-class queryable data alongside the object itself.
The primary use case driving the feature is agentic AI workflows. As more applications use S3 as a data lake that AI agents browse and act on, having rich metadata directly queryable without downloading the object or maintaining separate metadata systems reduces the latency and complexity of the data-discovery step. An agent can query annotations to determine which objects are relevant to its current task, check processing status, or read governance rules before deciding to act — all without opening the object or hitting a separate database.
For developers, the practical implications are that annotated objects can participate in AI-driven pipelines as first-class actors rather than passive blobs. Data governance teams can attach policy annotations that agents read and enforce, reducing the risk of AI workflows processing data outside permitted boundaries. The feature is available in all standard S3 regions, and annotations are versioned in step with the object to prevent staleness. Pricing is based on annotation storage and query volume, details of which are on the S3 pricing page.
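The governance pattern described above, as an added example rather than AWS or S3 Annotations code: an agent-side gate that reads a constructed annotation document, rejects it if its version does not match the object's current version (the staleness case), and fails closed on any missing or non-permitting governance field. The annotation shape, the field names and the version check are assumptions for illustration, not the service's API.

```python
"""Agent-side enforcement of governance annotations (added example, not AWS code).

Assumptions (hypothetical, not the S3 Annotations API): the annotation is a JSON
document carrying an `object_version` that must match the object's current
version ID and a `governance` record listing permitted purposes and regions.
"""
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

# Constructed sample: what an agent would read before touching the object.
SAMPLE_ANNOTATION = json.dumps({
    "object_version": "v7",
    "lineage": {"source": "crm-export", "processed_by": ["pii-scrubber"]},
    "governance": {
        "classification": "confidential",
        "allowed_purposes": ["analytics", "support-summary"],
        "allowed_regions": ["eu-west-1"],
        "pii_removed": True,
    },
})

def evaluate(annotation_json: str, object_version: str, purpose: str, region: str) -> Decision:
    """Fail closed: any missing field or mismatch denies the action."""
    try:
        ann = json.loads(annotation_json)
    except json.JSONDecodeError:
        return Decision(False, "annotation is not valid JSON")
    # Staleness check: annotations are versioned with the object, so a version
    # mismatch means these rules belong to a different copy of the data.
    if ann.get("object_version") != object_version:
        return Decision(False, "annotation version does not match object version")
    gov = ann.get("governance")
    if not isinstance(gov, dict):
        return Decision(False, "no governance record attached")
    if purpose not in gov.get("allowed_purposes", []):
        return Decision(False, f"purpose {purpose!r} not permitted")
    if region not in gov.get("allowed_regions", []):
        return Decision(False, f"region {region!r} not permitted")
    if gov.get("classification") == "confidential" and not gov.get("pii_removed"):
        return Decision(False, "confidential data still contains PII")
    return Decision(True, "all governance checks passed")
```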
Read more — AWS News Blog
AWS Continuum: Automated Vulnerability Prioritisation and Remediation
AWS Continuum, announced at AWS Summit New York 2026, addresses a chronic bottleneck in enterprise security programmes: the gap between vulnerability discovery and remediation. Traditional SAST and SCA tools surface thousands of findings, but they rarely rank them by actual business impact or assess real exploitability in the context of the specific codebase, leaving security teams to triage manually.
Continuum takes findings from across the environment, prioritises them by business impact, determines exploitability through dynamic analysis of the specific code paths reachable from entry points, and then drives fixes through the development workflow. The exploitability assessment is the differentiating step — rather than simply assigning a generic CVSS score, Continuum analyses whether a vulnerable code path is actually reachable given how the application is deployed and configured. This reduces the noise that causes alert fatigue and allows engineering teams to focus remediation effort on the vulnerabilities that matter.
The service is currently available in gated preview for code vulnerabilities, with infrastructure vulnerability support expected in a later phase. For developer teams already using AWS-hosted build pipelines and code repositories, Continuum integrates at the CI/CD level, meaning findings with exploitability assessments surface in pull requests rather than as a separate security-tool dashboard. The practical effect is moving security decisions closer to the point of code change, where context is fresh and remediation cost is lowest.
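The reachability step described above, as an added example that is not AWS Continuum code: findings are kept only when the vulnerable function can be reached from an entry point that is actually deployed, then ranked by business impact before generic severity. The call graph, findings and entry points are constructed samples; a real implementation would derive them from the build and deployment configuration.

```python
"""Reachability-based exploitability triage (added example, not Continuum code).

A finding counts as exploitable only if its function is reachable from a
deployed entry point. All graph, finding and entry-point data is constructed.
"""
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    id: str          # scanner identifier (constructed)
    function: str    # function containing the vulnerable code
    cvss: float      # generic severity from the scanner
    impact: int      # business impact weight set by the owner, 1..5

# Constructed call graph: caller -> callees.
CALL_GRAPH = {
    "http_search": ["build_query", "run_query"],
    "admin_export": ["dump_table", "run_query"],
    "build_query": [],
    "run_query": [],
    "dump_table": [],
    "legacy_xml_import": ["parse_xml"],  # no deployed route calls this
    "parse_xml": [],
}

FINDINGS = [
    Finding("F-1", "parse_xml", 9.8, 3),    # highest CVSS, but unreachable
    Finding("F-2", "build_query", 7.5, 5),  # reachable from public search
    Finding("F-3", "dump_table", 6.1, 4),   # reachable only via admin route
]

def reachable_from(entry_points, graph):
    """Breadth-first walk returning every function reachable from the entry points."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def prioritise(findings, deployed_entry_points, graph):
    """Keep only reachable findings, ranked by impact first and CVSS second."""
    live = reachable_from(deployed_entry_points, graph)
    ranked = [f for f in findings if f.function in live]
    return sorted(ranked, key=lambda f: (f.impact, f.cvss), reverse=True)
```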
Read more — AWS News Blog