You know what’s wild? AWS is almost twenty years old now. That’s both cool and kind of terrifying at the same time. I’ve been working with AWS for a while, and honestly, I still catch myself thinking about things the way they used to be, not how they actually work today.

The problem is that AWS changes constantly, but a lot of the foundational stuff has evolved in ways that aren’t super obvious. Plus, there’s a ton of outdated blog posts and documentation floating around that’ll lead you down the wrong path. I’ve definitely been burned by this more than once.

So I figured I’d write down some of the things that have changed that might trip you up. These are the gotchas that have bitten me or people I know.

EC2 - It’s Not 2015 Anymore

Remember when you had to stop an instance to change its security group? Yeah, you don’t need to do that anymore. Same with IAM roles - you can swap those out on a running instance now.

EBS volumes? You can resize them, attach them, detach them - all while the instance is running. No more “oh crap, I need to take this down for maintenance” moments.

And here’s one I just learned about recently: you can actually force stop or terminate instances without waiting around for that annoying timeout. Super useful when you know you’re never spinning something back up and you just want it gone.

They also added live migration between physical hosts, which means those “instance degradation” notices are way less common than they used to be. Instances are just… more reliable now. Like, actually reliable. Not “AWS reliable” from 2015, but actually reliable.

Spot instances used to be this weird bidding war thing where prices would jump around like crazy. Now the changes are way more gradual and predictable. You don’t feel like you’re day trading anymore.

Oh, and dedicated instances? You almost never need them. It’s been like a decade since they were required for HIPAA stuff. Most people I talk to still think they need them for compliance, but nope.

One more thing - AMI Block Public Access is now the default for new accounts. They turned it on automatically back in 2023 for any accounts that hadn’t owned a public AMI in 90 days. Good move, AWS.

S3 - The Eventually Consistent Myth

This one still trips people up: S3 isn’t eventually consistent anymore. It’s read-after-write consistent. I know, I know, you learned in your AWS cert that it was eventually consistent. That was true once, but it’s not anymore.

You also don’t need to randomize the first part of your object keys anymore. That whole “spread your keys around to avoid hotspots” thing? Not really necessary these days.

ACLs are deprecated and off by default on new buckets. Block Public Access is enabled by default too. And new buckets are transparently encrypted at rest - you don’t even have to think about it.
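If you inherited buckets from the pre-2023 era, the defaults above only apply to buckets created since, so it is worth checking older ones for drift. The following is an added example (not code from the post): the dicts in SAMPLE_BUCKETS are constructed to mirror the shape of boto3’s get_public_access_block, get_bucket_ownership_controls and get_bucket_encryption responses so the check runs offline; swap in the real client calls to audit a live account.

```python
"""Check an S3 bucket's settings against the new-bucket defaults.

Added example, not code from the post. SAMPLE_BUCKETS is constructed to
mirror boto3's get_public_access_block, get_bucket_ownership_controls and
get_bucket_encryption response shapes; replace it with real calls to audit
a live account.
"""
from typing import Dict, List

# Block Public Access: a new bucket has all four flags turned on.
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(name: str, public_access_block: Dict,
                 ownership: Dict, encryption: Dict) -> List[str]:
    """Return one finding per setting that drifts from the modern defaults."""
    findings: List[str] = []

    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    for flag in BLOCK_FLAGS:
        if not cfg.get(flag, False):
            findings.append(f"{name}: {flag} is off")

    # BucketOwnerEnforced is the setting that disables ACLs entirely;
    # ObjectWriter / BucketOwnerPreferred still honour them.
    rules = ownership.get("OwnershipControls", {}).get("Rules", [])
    mode = rules[0].get("ObjectOwnership") if rules else None
    if mode != "BucketOwnerEnforced":
        findings.append(f"{name}: ObjectOwnership is {mode!r}, so ACLs still apply")

    sse = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not sse:
        findings.append(f"{name}: no default encryption rule")
    return findings


# Constructed sample data: one bucket left at old settings, one at the new defaults.
SAMPLE_BUCKETS = {
    "legacy-uploads": (
        {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
        {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
        {"ServerSideEncryptionConfiguration": {"Rules": []}},
    ),
    "new-bucket": (
        {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
        {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    ),
}


def audit_all(buckets=SAMPLE_BUCKETS) -> Dict[str, List[str]]:
    """Audit every bucket and return findings keyed by bucket name."""
    return {name: audit_bucket(name, *cfgs) for name, cfgs in buckets.items()}


if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, "->", findings or "ok")
```

The legacy bucket produces six findings (four Block Public Access flags, ACLs still honoured, no encryption rule); the new bucket produces none. On a real account, a bucket that needs public access should show up here on purpose and be documented, not be a surprise.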

Glacier used to be its own separate service, which is wild to think about now. If you dig into your billing data you can still see traces of how it used to work before S3 absorbed it as storage classes.

And those Glacier restore fees? They used to be genuinely terrifying and impossible to predict. AWS fixed that a while ago, but the horror stories stuck around. I still meet people who think Glacier restores are expensive and confusing. They’re not - and they’re not painfully slow anymore either.

Networking - VPCs and All That Jazz

EC2-Classic is long gone, obviously. But here’s something that catches people: public IPv4 addresses aren’t free anymore. They cost the same as Elastic IPs now. That one hurt when I first found out.

VPC peering used to be annoying, but now you’ve got way better options. Transit Gateway, VPC sharing between accounts, resource sharing, Cloud WAN - there’s a whole ecosystem of better ways to connect things.

VPC Lattice exists now, which is basically AWS’s way of saying “here, use this and ignore all the networking gotchas.” It’s pretty neat. Tailscale works too if you want to go that route.

CloudFront isn’t really networking, but it’s been in the networking section forever so I’ll mention it here. Updates used to take like 45 minutes, which was absolutely brutal. Now it’s closer to 5 minutes - which still feels like 45 when you’re waiting for CloudFormation to finish, but it’s progress.

Classic Load Balancers (the “classic” means “deprecated” in AWS-speak) used to charge you for cross-AZ data transfer on top of the load balancer fees. ALBs with automatic zone balancing don’t charge extra for cross-AZ traffic, just their LCU fees, and Classic Load Balancers no longer do either. But watch out - Network Load Balancers still charge cross-AZ fees!

Network Load Balancers didn’t support security groups originally, but they do now. That was a weird limitation.

Availability Zones used to be randomized between accounts - my us-east-1a was your us-east-1c. You can now use Resource Access Manager to get zone IDs and make sure you’re aligned across accounts. Super useful for multi-account setups.
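The same mapping is easy to script once you have zone IDs, which is the practical way to keep cross-account traffic in the same physical zone. The following is an added example (not code from the post): ZONES_BY_ACCOUNT is constructed to mirror the ZoneName and ZoneId fields that ec2 describe-availability-zones returns in each account (the account IDs are documentation placeholders), and the zone IDs are the same identifiers Resource Access Manager shows.

```python
"""Translate Availability Zone names between accounts via zone IDs.

Added example, not code from the post. ZONES_BY_ACCOUNT is constructed to
mirror the ZoneName/ZoneId pairs returned by describe-availability-zones in
two accounts (111122223333 and 444455556666 are placeholders).
"""
from typing import Dict, List

ZONES_BY_ACCOUNT: Dict[str, List[Dict[str, str]]] = {
    "111122223333": [
        {"ZoneName": "us-east-1a", "ZoneId": "use1-az1"},
        {"ZoneName": "us-east-1b", "ZoneId": "use1-az2"},
        {"ZoneName": "us-east-1c", "ZoneId": "use1-az4"},
    ],
    "444455556666": [
        {"ZoneName": "us-east-1a", "ZoneId": "use1-az2"},
        {"ZoneName": "us-east-1b", "ZoneId": "use1-az4"},
        {"ZoneName": "us-east-1c", "ZoneId": "use1-az1"},
    ],
}


def zone_id_for(account: str, zone_name: str,
                zones: Dict[str, List[Dict[str, str]]] = ZONES_BY_ACCOUNT) -> str:
    """Resolve an account-local zone name to its stable zone ID."""
    for zone in zones[account]:
        if zone["ZoneName"] == zone_name:
            return zone["ZoneId"]
    raise KeyError(f"{zone_name} is not visible to account {account}")


def same_zone_elsewhere(account: str, zone_name: str,
                        zones: Dict[str, List[Dict[str, str]]] = ZONES_BY_ACCOUNT) -> Dict[str, str]:
    """For a zone name in one account, return the name each other account
    uses for the same physical zone. Accounts that cannot see that zone ID
    are simply absent from the result."""
    zone_id = zone_id_for(account, zone_name, zones)
    return {
        other: zone["ZoneName"]
        for other, zone_list in zones.items() if other != account
        for zone in zone_list if zone["ZoneId"] == zone_id
    }


if __name__ == "__main__":
    print(same_zone_elsewhere("111122223333", "us-east-1a"))
```

Here account 111122223333’s us-east-1a is use1-az1, which account 444455556666 calls us-east-1c; placing a subnet in us-east-1a in both accounts would put them in different physical zones.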

Lambda - It’s Grown Up

Lambda used to have a 5 minute timeout and no container image support. Now you can run them for 15 minutes, use Docker images, mount EFS for shared storage, give them up to 10GB of RAM (CPU scales automatically), and give /tmp up to 10GB instead of that measly 512MB.

Invoking a Lambda in a VPC used to be dog-slow. Not anymore.

And cold starts? They’re still a thing, but they’re not the massive problem they used to be. The whole “Lambda is unusable because of cold starts” argument doesn’t really hold water anymore for most use cases.

EFS - The IOPS Problem

You used to have to fill up an EFS volume with useless data to get your IOPS allocation up to something usable. Now you can adjust IOPS separately from capacity. They added a second knob, basically. Much better.

EBS - Performance and Multi-Attach

New empty EBS volumes get full performance immediately. But if you create a volume from a snapshot, you’ll want to read the entire disk with dd or similar because it lazy-loads from S3. The first read of each block will be slow. If you’re in a hurry, there are more expensive options, but reading the whole thing usually works fine.

Oh, and EBS volumes can be attached to multiple EC2 instances at the same time now (if you’re using io1). But honestly, you probably don’t want to do this. It’s one of those “just because you can doesn’t mean you should” situations.

DynamoDB - Empty Fields and Pricing

You can have empty fields in DynamoDB items now. I know someone whose system still uses a field called empty because it predates this change. That’s how long this has been a thing.

Performance has gotten way more reliable. You don’t need those support-only tools locked behind NDAs to see your hot key problems anymore - there are better ways to diagnose issues.

With the pricing changes, you almost certainly want to run everything On Demand unless you’re in a very specific situation. The math just works out differently now.

Cost Stuff - Reserved Instances Are Dying

Reserved Instances are slowly going away. Savings Plans are the future. The savings rates have diverged though - they don’t offer discounts as deep as RIs used to, but they’re way more flexible. Pay attention to this, because the economics have changed.

EC2 charges by the second now, so spinning up instances for a few minutes doesn’t cost you a full hour anymore. That’s saved me a bunch of money on test workloads.

The Cost Anomaly Detector has gotten really good at flagging sudden spend changes. And it’s free! Use it.

Compute Optimizer now does EBS volumes and other things too. Its recommendations are actually trustworthy, unlike Trusted Advisor’s various… suggestions. Trusted Advisor is still kind of sketchy and self-contradictory, though some of their cost checks can route through Compute Optimizer now, which helps.

Authentication - IAM Users Are Legacy

IAM roles are where permissions should live. IAM users are for legacy applications, not humans. IAM Identity Center (the replacement for “AWS SSO”) is how humans should access AWS accounts. This causes friction sometimes, but it’s the right way to do things.
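A quick way to find the humans still using IAM users is the credential report. The following is an added example (not code from the post): SAMPLE_REPORT is a constructed CSV that mirrors a subset of the columns in aws iam get-credential-report (the real report has more columns, which csv.DictReader simply ignores), and the account ID 111122223333 is a documentation placeholder. It flags console passwords on IAM users, passwords without MFA, and access keys older than a rotation threshold.

```python
"""Audit an IAM credential report for legacy human access.

Added example, not code from the post. SAMPLE_REPORT is constructed with a
subset of the real report's columns; the account id is a placeholder.
"""
import csv
import io
from datetime import datetime, timezone
from typing import List, Tuple

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,false,true,2022-03-01T09:00:00+00:00,false,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,false,false,true,2024-05-20T12:00:00+00:00,false,N/A
"""


def _key_age_days(last_rotated: str, now: datetime) -> int:
    """Age of an access key in days; the report uses ISO 8601 timestamps."""
    return (now - datetime.fromisoformat(last_rotated)).days


def audit_credential_report(report_csv: str, now: datetime,
                            max_key_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, issue) pairs for settings that should not exist anymore."""
    findings: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # The root row has no password_enabled value; only its MFA matters here.
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA device"))
            continue

        # A console password means a human: that access belongs in Identity Center.
        if row["password_enabled"] == "true":
            findings.append((user, "console password set; move this human to IAM Identity Center"))
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))

        # Legacy applications may legitimately keep keys, but they must rotate.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] == "true":
                age = _key_age_days(row[f"access_key_{slot}_last_rotated"], now)
                if age > max_key_age_days:
                    findings.append((user, f"access key {slot} is {age} days old"))
    return findings


if __name__ == "__main__":
    report_time = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for user, issue in audit_credential_report(SAMPLE_REPORT, report_time):
        print(f"{user}: {issue}")
```

With the sample data, alice is flagged three times (a console password, no MFA, and a key rotated over two years ago), while ci-deployer, a service identity with a recently rotated key, passes. Passing now as a parameter keeps the check deterministic and easy to test.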

You can have multiple MFA devices on the root account now. And you don’t need root credentials configured for organization member accounts anymore.

Random Stuff That’s Changed

us-east-1 is no longer a dumpster fire. I mean, it’s still us-east-1, but it’s way more stable than it used to be. Actually, AWS in general is way more durable. Outages are noteworthy events now instead of “it’s another Tuesday afternoon.”

Deprecations are still rare, but they’re definitely happening more often. If a service sounds niche or goofy, maybe think about your exit strategy before building on top of it.

CloudWatch doesn’t have that weird thing anymore where the last datapoint is super low due to data inconsistency. So if your graphs suddenly drop to zero, your app actually just broke. It’s not a CloudWatch quirk anymore.

You can close AWS accounts in your organization from the root account now, instead of having to log into each member account as root. Small thing, but super convenient.

Wrapping Up

AWS has changed a lot over the years, and it’s easy to get stuck thinking about things the old way. I’ve definitely made mistakes because I assumed something worked the way it did five years ago. Hopefully this helps you avoid some of those same pitfalls.

The platform keeps evolving, and that’s mostly good. But it does mean you have to stay on top of things, or at least be aware that your assumptions might be outdated.

What outdated AWS knowledge have you been holding onto? I’m sure there are more things I’m missing here.


Inspired by Last Week in AWS. Always check the official AWS documentation for the most current information.