
"Employees said the group's AI tools were treated as an extension of an operator and given the same permissions. In these two cases, the engineers involved did not require a second person's approval before making changes, as would normally be the case. Amazon said that by default its Kiro tool "requests authorisation before taking any action" but said the engineer involved in the December incident had "broader permissions than expected - a user access control issue, not an AI autonomy issue.""
"The company said the incident in December was an "extremely limited event" affecting only a single service in parts of mainland China. Amazon added that the second incident did not have an impact on a "customer facing AWS service." Neither disruption was anywhere near as severe as a 15-hour AWS outage in October 2025 that forced multiple customers' apps and websites offline - including OpenAI's ChatGPT."
"AWS launched Kiro in July. It said the coding assistant would advance beyond "vibe coding" - which allows users to quickly build applications - to instead write code based on a set of specifications. The group had earlier relied on its Amazon Q Developer product, an AI-enabled chatbot, to help engineers write code. This was involved in the earlier outage, three of the employees said."
Two separate AWS disruptions were attributed to user access-control errors involving engineers using AI coding assistants. The December incident affected a single service in parts of mainland China and was described as extremely limited; the second incident did not impact a customer-facing AWS service. Engineers treated AI tools as extensions of operators and were granted the same permissions, sometimes bypassing required second-person approvals. Kiro requests authorization by default before taking any action, but the engineer involved in the December incident had broader permissions than expected. AWS launched Kiro in July and previously used Amazon Q Developer. AWS implemented numerous safeguards and continues tracking AI adoption among developers.
Read at Ars Technica