Last year in AWS with Corey Quinn

Transcript - Last year in AWS with Corey Quinn

Beth Pariseau: From Informa TechTarget, I'm Beth Pariseau, and this is IT Ops Query.

This podcast distills the signal from the noise about enterprise software development and platform engineering. Each week, we'll talk to expert guests about the latest tech industry news and trends that engineering and IT leaders need to know.

Don't forget to subscribe to IT Ops Query for more conversations on AI and the future of the enterprise digital workspace.

Corey Quinn is the chief cloud economist at Duckbill, where he specializes in helping companies improve their AWS bills, quote, 'by making them smaller and less horrifying,' end quote, according to his website bio.

He also hosts the Screaming in the Cloud and AWS Morning Brief podcasts and curates the weekly newsletter Last Week in AWS. He is also the only podcast guest of mine, so far, whose face is a sticker on my laptop.

Welcome, Corey.

Corey Quinn: Thank you. It's a pleasure to be here to once again indulge my ongoing love affair with the sound of my own voice.

Pariseau: Well, we're happy to have you and the sound of your voice. So, let's talk about last year in AWS. What do you think was the most significant development for enterprises and AWS infrastructure?

Quinn: AWS got its mojo back in some ways. They stopped running their mouths about AI to the exclusion of all else -- because they actually got good at it -- and started shipping things that are useful to customers and then started seeing adoption. AWS, historically, has talked the most about that, which it is the most insecure about. So, the fact that they talk about it less is a strong signal that they actually know what they're up to now.

Pariseau: Cool. OK.

Quinn: And they can talk about things like databases again.

Pariseau: Yeah.

Quinn: And the actual production workloads that people care about.

Pariseau: Right.

Quinn: For our customers, somewhere between 5% and 7% aggregate is their AI services spend, if we're being honest about what AI service spend is. You can squint at anything hard enough these days and call it AI.

Pariseau: Yes, for sure. I actually saw one of your recent last posts was about how AWS has to prove that they can still operate. Can you expound on that a little bit?

Quinn: Sure, the part of the challenge that AWS has had has been that they're very good at the things that are very hard. With the overinvestment right now that we're seeing in 'We're building out AI data centers, it'll be done in a year' -- yeah, taking a warehouse and running two power lines to it, and then dragging some fiber and calling it good, back the truck full of servers up, does not a data center make. And there are a lot of things that are so into the weeds now that many companies are considering data center projects when they don't actually know what those things are.

So, it's a lot of pretenders right now. AWS has always been great at this, and when they say that something is a data center, they mean it. There's a reason that building out a region is a multibillion-dollar investment, and it's not because AWS is bad at negotiating. It's because this stuff is really hard, particularly at scale.

Everyone else who is not so diligent on this -- there are exceptions, Google is very good at this, Microsoft could be if they, you know, got out of their own way -- but a lot of the pretenders are not. All the Oracle stuff that they're talking about? OK, sure, that seems likely. They have a chance to shine from a reliability perspective. And that's the stuff they are good at.

One of the counterpoints, of course, is that they are seeing a talent exodus. Morale is at a ridiculous low for a variety of reasons. Many of them appear to be unforced errors on the part of AWS. So, as institutional knowledge walks out the door, it's hard to backfill. So, what does that mean? You're going to find out.

Pariseau: Right. And then, what stood out to you in databases with AWS last year?

Quinn: They finally stopped with the cheap shots at Oracle. I mean, not that everyone doesn't love a good cheap shot at Oracle. The problem is everyone except AWS can make them because, in their case, it's punching down. It's giving too much attention to someone that's noisy.

They are also doing some interesting stuff. Aurora DSQL is really neat. It's probably their second true serverless database, the first being DynamoDB. The problem is that it is impossible to understand the pricing. And the fact that I'm the person saying that should count for a lot.

One of their great distinguished engineers, or senior principal engineers -- I'm sorry, they're both -- these are still people that should strap auxiliary brain packs on because they're too smart for a single brain, they're great at this. And I had a long conversation with one of them and read the blog post that he put out in his personal blog. Like, 'Here's how to do a quick test, and here's the pricing.' So, I did the exact same thing, and the numbers were different.

Pariseau: No…

Quinn: Yeah, it's non-deterministically priced, which means the only way to figure out what it's gonna cost for any, and on any axis is 'Well, we're gonna build on top of it and find out,' which is terrifying.

Pariseau: Yeah.

Quinn: Well, it turns out it was really expensive, oops.

Pariseau: Right. Funny that.

Quinn: Yeah.

Pariseau: So, what do you think was the most overlooked story about AWS last year, infrastructure-wise?

Quinn: That's a good one because I live in a very rarefied space, and I pay inordinate amounts of attention to things. You picked a heck of a day to have this conversation.

Pariseau: Yeah?

Quinn: They had a security issue with CodeBuild, where things weren't going super well, and a malicious prompt was injected into their VS Code tooling. Great.

This morning, as we record this, Wiz found another issue where they could get admin access to the JavaScript SDK for AWS due to a bad regex parsing.

Pariseau: Yikes.

Quinn: And you'd think that after the first CodeBuild issue last year, they really would have gone over everything and touching it with a fine-tooth comb. And maybe they did, but they missed the thing again. And it starts to shake confidence.

Pariseau: Yeah, yeah. Although, it seems like every day there's some new breach, right?

Quinn: There is, and it seems that companies are not responsible for this. I mean, look at how many breaches Azure has had over the years, and it seems like that's not something people talk about in polite company.

Pariseau: Right, yeah. True. I've been asking for years what is it gonna take in cybersecurity, really? And I have yet to hear the answer or see the answer.

Quinn: Strict liability? Jail sentences? I mean, there's not anything much shorter that matters. You take a look at any widely publicized breach, and look at the company a year or two later, their stock price is up. At this point, I'm set for credit monitoring if I live to be 300 years old.

Pariseau: Yeah, yeah, I mean it is funny from a consumer standpoint. It's like 'I never gave permission for this data to be collected in the first place' in many cases.

So, anyhow, getting back to AWS, what should enterprise IT buyers know that they don't know about dealing with AWS?

Quinn: Dear. They tend to be very cookie-cutter templated. When you're doing large-scale negotiations, they know exactly what you're likely to say, how they're going to respond to any exigency that comes out. There's a reason that we assess companies with the contract negotiation piece of it. There's also weird incentive structures at play, where just because AWS talks a lot about a thing, it doesn't mean that's a thing you need or should be working on, that it is not your to-do list.

The majority of spend, overwhelmingly, is still the basic building blocks. It's EC2 instances, it's S3 storage, it's data transfer, it's RDS and it's disks. That's it. Everything else is sort of layered on top of that in nice-to-have kind of ways. People also tend to start by going deep into something like EC2, which is an enormous service, and they assume every service goes that deep. It doesn't. A lot of them, you can pick up what you need to know in less than a day. That is something that I think turns people off to it.

AWS also is beset with bad user experience, and the natural takeaway from this is 'Oh, I'm dumb and bad at how the cloud is supposed to work.' No, you're not. It's just the interface is terrible, it's not intuitive, and they do you no favors. Stick with it, we all feel that way. There's a support group, it's called All of Us, and we meet at the bar.

Pariseau: Yeah, I've heard it described like Home Depot, you know? Every part you could possibly need is there, but you gotta know how to put them together.

Quinn: Right, and it used to be that you could go and talk to the people at Home Depot, like 'Hey, I'm building a gazebo, can you help?' And now, instead of that, it's getting harder to do that because now they start shoving overconfident -- and also wrong -- robots at you.

Pariseau: Yikes. You mentioned they kind of got things together with AI. I mean, is there anything that they're doing there that is helpful for people?

Quinn: Yes. This is where I think the wheels fall off of a lot of their narrative. It's what I believe and not what they want to say. Something like Bedrock, which runs a bunch of different models as infrastructure, is terrific. It is where AWS is at its best, providing infrastructure-level platform things and APIs that are hardened that you can work with in a variety of ways that we're all sort of mostly used to.

They are great at infrastructure. They are not going to be the ones that release models that change our lives. They are going to be where those models are trained and where those models are run. They are the infrastructure substrate for a lot of these things.

I've been saying forever that Amazon's fate, that I don't believe they can escape, is to become the next generation of infrastructure backbone providers. If NTT goes dark for a day, the entire internet is having a bad day, but most people don't know who NTT is because all the stuff that we care about, all the stuff where the value is derived, rides on top of their rails. Similar to if the power company goes away for a while, we're all gonna have a bad time, but they don't capture the value either. Instead, at least where I live in San Francisco, they just try to burn the cities down from time to time.

Pariseau: Every so often, just to mix things up

Quinn: Just to keep us on our toes. It's basically to shore up the battery backup market.

Pariseau: Yeah, right. And so, as we enter this new year, aside from ongoing security breaches, is there any story about AWS that you're tracking so far?

Quinn: Well, the one that came out today, which is still unfolding, is of interest. From a security perspective, I try and stay away from it these days just because there are people who cover that beat better than I do, and they -- and I tend to get ahead of my skis too easily on these spaces, but seeing the messaging around it is interesting. Seeing how there's an entire new field of, effectively, prompt injection as an attack. At least back when I was focusing on the security space, telling the computer, as a string literal, 'Trust me, bro,' was not a threat vector. It is now. And that's something that requires a fair bit of thought.

Pariseau: It is, and at the same time, I think this happens with a lot of new technologies, but especially AI. A previous guest here talked about AI giving us 'security amnesia.' You know, all of a sudden it's all new again, you know? But the same principles should apply.

Quinn: That's a fantastic perspective. The challenge, as well, is isolation of duties. Yesterday I wrote a blog post about how if you email me or my digital assistant, Billy the Platypus -- he's snarky and obnoxious and will just tear into you, that's sort of the point of this. I think it's funny and it's great that people have tried prompt injections, and they've failed. Great, because I do have some thought in how I build these things. But also, it's not hooked up to the client database, it doesn't have context into other emails in other threads that it can drag in for this -- just because that seems dumb.

Pariseau: Right, and I would love to see some example replies from Billy, by the way.

Quinn: Yeah, I need to do a follow-up on that. I think enough people have asked for this that it's worth doing.

Pariseau: I really wanna see it. As someone who gets a lot of the similar emails myself, I would love to see what his replies are.

Quinn: It was funny, my business partner saw this come out when I was testing it on him. He's like, 'Do you have an auto responder turned on in your email?'

'No. Why?'

'Are you sure?'

It's like, oh no, I explicitly allow it to email you. It doesn't like you.

Pariseau: Oh, I see.

Quinn: It was great. And then he was trying to figure out like, 'This is great, what gating is there?' He was trying to figure out without insulting me -- 'Are you sending this to customers?' Usually no, but thank you for asking. I'm not completely around the bend yet. Ask again in a week.

Pariseau: Yeah, yep. Another question that I tend to ask folks that spend a lot of time looking at something, like you do with AWS, is what you hope will and won't happen with AWS in the coming year. So, what do you think?

Quinn: AWS has gotten boring, and I kind of like that. I feel like they have mostly exhausted the problem space of the infrastructure platform offerings.

I started Last Week in AWS in a time when there were big gaps in the platform that were being addressed at a pretty consistent clip. One week, you could not replicate encrypted RDS snapshots between regions, and then you could. That was a big unlock for people, and separating out that signal from noise was important.

That doesn't happen nearly as much anymore. The platform is mature. The big news today that came out that -- not quite as big as a security breach -- is that they've gone generally available with their launch of their EU Sovereign region. OK, great. I'm not particularly worried about anything there. That is regulatory checkboxing and remarkably little else from where I see things.

Pariseau: Right. OK, so what would be bad in 2026?

Quinn: If AWS falls down the rabbit hole of trying to let marketing drive the bus instead of what actually is there. Whenever they get worried, they let marketing get ahead of their skis, and it ends in disaster because they're not good at messaging.

If they lean too far into trying to do what all their other technical peers are doing, that becomes a problem. And I think that the corrosive force eroding Amazon in many ways is advertising. If we start seeing third-party ads in the console, for example, that becomes a problem. They experimented with this in marketplace search, and then I saw them stop doing it because apparently no one uses that for product discovery, surprise.

I think that that is a challenge because it -- we've seen this with Amazon.com, where originally in the early days, it would, you search for a thing, and it would suggest the best thing for you. Now it suggests the best thing for Amazon, and those are not congruent all the time.

Pariseau: So, you know, another kind of evergreen question that I have is what it's gonna take for people to actually implement multi-AZ or multi-region resilience, rather than considering that an insurance policy and being surprised when their cloud region goes down. Do you think that'll ever happen?

Quinn: Does it need to? We take a look at individual AZ availability. It's been trending up and to the right, and not every workload needs to be highly available, highly durable. If I park my insane Billy-the-Platypus thing inside of a single AZ and it goes down for a few hours, does that really matter? I mean, I've gotta be honest with you, the front end lives on a container in the next room on my home Kubernetes cluster. It's a 10-node Raspberry Pi cluster, but it's all plugged into the same power strip, so let's not kid ourselves here about what the durability story really is on this. That's fine, I'm not directly deriving revenue from this thing, email is not expecting an instantaneous response to stuff.

Not everyone's workload matches that. I think that people are getting it wrong when they start trying to go multi-region or multi-AZ or, heaven forbid, multi-cloud. And with a lot of work and at great expense, they have replaced a single point of failure with multiple single points of failure.

Pariseau: Good point. Yeah, you had a session at KubeCon about multi-cloud being a myth that I unfortunately wasn't able to make it to, but I did note that. So, we hear a lot about multi-cloud becoming more of a thing because of AI. So, what's your take?

Quinn: Yes, and.

Pariseau: OK.

Quinn: Individual workloads like training jobs, terrific. You need basically a bunch of very expensive GPUs, access to data and a network to get those things talking to each other. That is a highly portable workload. Most people's applications are not that. They're stateful data stores, databases, latency requirements and the rest that tie into it.

So, when we see multi-cloud in the wild, which every company has some multi-cloud story going on, it's different workloads. It's different components living in different places, and that is normal. I'm not suggesting anyone should do otherwise in there. But 'I'm gonna build this one application that needs to run globally across multiple providers' -- you've got to design that in from the beginning, or you're never gonna get that.

Pariseau: Right. Yeah, yeah, absolutely. And another thing that's making waves in infrastructure, which I'm covering, is the memory shortage and how that's affecting storage. Do you think any of that is gonna surface in the cloud?

Quinn: There's already been a 15% hike in capacity for ML blocks that AWS charges. They update that on a quarterly basis. This is the first time I've seen it go up, so that's of interest.

We will see how that shakes out. Earlier today in the news, I saw that they've taken a stake in an Arizona copper mine.

Pariseau: Wow.

Quinn: The fact that they're now controlling some of the raw materials to build the thing and -- OK, that is vertical integration at a scale I hadn't considered previously.

Pariseau: True. So, I don't know, what am I thinking not to ask you about? I'm sure there's plenty that is on your mind these days.

Quinn: I think that a question I've gotten a lot has been, alright, are we in a bubble? Obviously, yes, clearly. How is it going to end? I don't know, but I do see some of the early signs of it.

I suspect OpenAI will not survive. I think that Anthropic is likelier to. But OpenAI has signed enormous cloud deals with every hyperscaler. It feels like they're trying to make themselves systemically important. Oh, OK, great, but if you do the numbers on this, I'm on the Anthropic side of the fence. I use Claude for a lot of stuff. I pay $200 a month for their max plan. And it's useful, I get value out of it all the time. I'm not gonna spend $5,000 a month on that. But I, and a lot of other people, would have to in order for that to start capturing a lot of the value.

The unspoken -- and I believe will remain unfulfilled -- promise of a lot of this AI revolution has been pitching your boss that, 'All right, we're gonna lay you [off], we're gonna get rid of you, and then we're gonna take your salary and split it between the boss and the AI company.' And that doesn't really work. The companies I have seen that are charging salary-equivalent replacements for their AI tooling have a heavy row to hoe just because, out of the box, these models and tools are getting more capable almost by the week.

Pariseau: And, well, but that would be, you know, good to hear for a lot of IT pros that are worried about job security.

Quinn: Jobs change, they always change. But the industrial revolution did not lead to mass reductions in the number of people in the workforce; it shifted the nature of what a lot of that work was.

We're seeing similar trends right now in the way that software development is being done. I would not want to be entering the space right now. I think it is so highly in flux that I don't know how you would get a toehold. I'm also not anywhere near that part of my career, so I'm not a good source of advice, so I don't sound off about it.

I think that there are -- the genie is out of the bottle and it's not going back.

Pariseau: True.

Quinn: Even if these companies go away, local models are good enough to get to the 80th percentile that frontier models can today, and that's not slowing down anytime soon. That is something that is going to be baked into a bunch of different workflows.

So, how do we start reconciling that? How do we start grappling with that as a society? I don't know.

What I haven't heard is a bunch of stories that, 'Well, if only we had several trillion dollars' worth of data centers doing more AI stuff, then we could solve problem X.' The AI capacity we have already seems like it's looking at striving for a business model. And a lot of them are effectively just wrappers around the foundation models that are gaining these capabilities pretty consistently.

Pariseau: Yeah.

Quinn: Every time they make an announcement and a swath of startups goes out of business.

Pariseau: Yeah, there are some people that I've talked to that think this is the year the rubber hits the road, at least in the enterprise in terms of needing to see some kind of real-world ROI.

Quinn: Yeah, everyone talks about their big AI experiments and investments -- again, about 7% of spend -- and OK, we have a bunch of small pilots going, and if they work? Companies are not foolish; they will deploy these. I have several customers who have, but the majority of PoCs are, 'OK, this is interesting.' But the value is not necessarily there.

There's also a social component to this. You can theoretically -- let's take the easy example. Let's talk about support. AWS has revamped some of its support to be AI-forward. Every customer I talked to, without exception, hates the thing when they have to talk to a chatbot about this. The right way, if I were building an AI-powered support offering, is that the AI agents would be assisting the human support rep on the other side.

The one alternate approach I would take is, 'Hey' -- like almost a Clippy style -- 'it looks like you're about to submit a support ticket.' Perhaps 'it's broke' is not the best way to frame this in the way of a meaningful response. It provides, 'What are you doing? What are you expecting to happen and why, and what's happening instead? Give me those three things, and we can get there a lot faster.'

Like that is a sort of assistance that becomes helpful. But people don't want to replace the humans that they interact with with computers, by and large.

Pariseau: Right, because people loved Clippy so much.

Quinn: Oh yeah. What's also weird is the blowback against AI in a lot of different places. I was reading a blog post I wrote, and I'm like, 'This does read heavily like AI wrote it.' But I published it in 2020. So, I'm not entirely sure what to make of that. I wasn't time traveling, but a lot of the things -- 'It's not X, it's Y,' I've been using em dashes for almost two decades now -- like, I'm not changing because AI does a thing.

Pariseau: I mean, it didn't come up with any of that on its own.

Quinn: Right.

Pariseau: It probably saw that very post in some capacity.

Quinn: Where people have a problem with AI is when it's trying to pass off as something else. I use it for my images for slide presentations all the time, and people don't object to it. Because what I have found is when you use AI images to replace stock photography of a picture of a landscape, great, crowd shot, whatever. That's just laziness.

If you're gonna use AI, do the sort of thing that you're not gonna be able to create easily in any other way. Like, cool, I want a picture of a data center. It's currently on fire, and we're gonna put a giraffe right in the hot aisle. Because you can't get that in any reasonable other way. And if you're doing it for a quick slide presentation at a community event, I'm not gonna commission an artist to draw this thing eight weeks in advance because I don't plan that far ahead for anything.

Pariseau: Sure, sure, and be transparent about it, you know?

Quinn: Yes, exactly.

Pariseau: Yeah, yeah. Well, interesting times, as they say.

Quinn: Yeah, I had stickers I was giving away at my booth this year that was, like, pictures of five-legged dogs, people with extra hands, and it was all illustrated by a human that we hired to draw in the shape of crappy AI, and it was great. It needs a bit more exposition. We should have told the story a bit better because people just think it's AI-generated stickers. It's not.

My wife gave me a calendar for the holidays where it was all AI-generated imagery. It's like, no, I want this taken back. And I'm more of a positive AI person than she is, not that I'm beyond the pale here. And she said, 'Well, I don't understand why you don't like that.' Because I can generate prompts and create calendars, too. This is just like the next stage of some random dropshipper. There's no creativity that went into it. Just printing it out and then selling it like this is not terrific. If we're going to do that, I'll do a custom one on Shutterstock or something like that, and we'll use inside jokes and pictures of our family and the rest, and we'll have real fun with it.

Pariseau: Right.

Quinn: That's how I would do it. But I'm not going to just pay some random slop merchant $20 for a calendar that they didn't care much to do anything with.

Pariseau: Yeah. What's the enterprise cloud equivalent that you would warn people to stay away from that they're being sold right now?

Quinn: An awful lot of, right now -- from my perspective, the rule of thumb that I'm taking on this is when people talk about their tool being an AI tool, tread cautiously. Because it's similar to when AWS was launching Graviton, their own custom Arm-based silicon processors. And they were talking about, 'Ooh, our managed database service now uses Graviton,' and it's, OK, slow your roll here.

As a consumer of this, I'm calling a PostgreSQL API -- yes, that's how I pronounce it. And I don't care as long as it hits a price-performance window, whether it's done by Intel, by Arm or by an army of overworked elves who type very quickly and are good at doing math and retrieval. I just want the result. How you do the thing matters so much less to me than the value and the result that comes out of it.

So, the companies that are doing good things with AI aren't slapping a 'Now with AI' label across the front of it. It's just how things get done. We're building a software platform at Duckbill. AI is not built into the platform itself, but we are using AI to build it on our side with AI-assisted coding, because that is how development is working across the board. We're still very careful what makes it into production. This is AWS billing and contract stuff. We're not foolish, and there are hard guardrails on what the AI can look at and not because we're, again, not fools.

But we are not advertising that, it's just how business is being done these days. And if there is an AI story, given that we're targeting enterprises here, we'd have to obviously disclose that, and that becomes a whole series of conversations.

Pariseau: Right.

Quinn: But we're not training on their data, nor do we ever expect to. If it's 'We're gonna use AI to get this interesting result,' terrific. The way to position this, disclosures aside, is 'Here's an interesting result we can get. Is that of value?' Because how we do it on the back end is irrelevant. We do not care that a person or a robot did a thing, we care that a thing happened. When you talk about the how, you're generally talking to other practitioners and enthusiasts; when you talk about the result, you are talking to customers.

Pariseau: We will end on that note. Thank you so much for taking the time, Corey. It's great to talk to you.

Quinn: Thank you, Beth. It's always a pleasure.

Pariseau: Thank you for tuning in to IT Ops Query. To learn more about enterprise software development and platform engineering, explore our content on Informa TechTarget sites. Find us on YouTube at our channel, Eye on Tech. Subscribe to our podcast to receive the latest episodes as they drop. And if you liked what you heard today, give us a rating and review on Apple, Spotify or wherever you're listening. Thank you for joining us.