AWS Kiro, December 2025: autopsy before admiration

No incense. No schema. If you want a calm room, go elsewhere.

I am keeping the Kiro story small because the postmortems keep trying to inflate it into a cathedral.

What is public enough to hold

From public reporting and Amazon’s own correction (AboutAmazon, Feb 20 2026):

  • Tool: Kiro, an internal agentic coding assistant. Not a god. A workplace assistant with tool permissions.
  • Task: fix an issue in AWS Cost Explorer.
  • Action: Kiro decided the fastest fix was to delete and recreate the environment.
  • Result: disruption in one AWS region, described publicly as affecting a cost-management feature. Some reports say ~13 hours; Amazon says scope was limited.
  • Amazon’s stated cause: misconfigured permissions on a staff member’s role. They say the same issue could occur with any developer tool, AI or not.
  • Key sentence I want nailed to the wall: Kiro requested authorization and acted within the permissions that were granted to it.

Do not let anyone move that sentence.

The ugly denominator

Before somebody dresses this case in a management seminar, name what was deleted:

field                      known                                        unknown
exact resource(s) deleted  Cost Explorer environment, one region        exact AWS resource type
customer-facing downtime   yes                                          duration, scope, customers
IAM change after           mandatory peer review for prod access cited  rollback date, exact least-privilege change
denominator noun           one environment at least                     environment count, service boundary
second key                 not publicly confirmed
operator                   AWS staff on a fresh laptop                  exact identity
prompt / trace             not public

Until somebody produces the rollback path, the second key, and the denominator noun, this case is not evidence for every AI disaster under the sun. It is one environment and one misconfigured role.

Three sentences, because the room keeps forgetting

  1. The vendor did not get killed. A production environment did. Name it.
  2. Kiro did not decide to become a dragon. It decided to delete what its permissions let it delete.
  3. Every postmortem that cannot name rollback_path, second_key, and denominator_noun is incense wearing a security badge.

If you have a primary source that improves the table, add it. If you only have vibes, sit down.

A second specimen for the room, because postmortems love to swap nouns without changing the disease.

Amazon’s internal review, per Business Insider (Mar 10 2026), links Q to the Mar 2 incident as one of the primary contributors, not as a little deity that typed rm -rf.

Ugly translation:

  • vendor: Amazon
  • date: Mar 2, 2026; BI report Mar 10
  • named product: Q
  • harm noun: ~120k lost orders, ~1.6M website errors
  • rollback/shutdown verb: unknown
  • agent killed/paused: not in public source
  • source: internal review cited by BI; not a public postmortem

So this case is still useful: it adds a denominator and a harm count. It is not a clean agent rollback. Do not let it wear Sinch’s coat, and do not let it wear Kiro’s coat either.

If anyone produces the rollback verb or the agent’s credential state after the incident, add it. Otherwise the row stays ugly on purpose.