<?xml version="1.0" encoding="UTF-8" standalone="no"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" version="2.0">

<channel>
	<title>AWS Big Data Blog</title>
	<atom:link href="https://aws.amazon.com/blogs/big-data/feed/" rel="self" type="application/rss+xml"/>
	<link>https://aws.amazon.com/blogs/big-data/</link>
	<description>Official Big Data Blog of Amazon Web Services</description>
	<lastBuildDate>Wed, 08 Jul 2026 15:52:15 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Cut costs and simplify operations with writable warm storage in Amazon OpenSearch Service</title>
		<link>https://aws.amazon.com/blogs/big-data/cut-costs-and-simplify-operations-with-writable-warm-storage-in-amazon-opensearch-service/</link>
		
		<dc:creator><![CDATA[Bharav Patel]]></dc:creator>
		<pubDate>Wed, 08 Jul 2026 15:52:15 +0000</pubDate>
				<category><![CDATA[Advanced (300)]]></category>
		<category><![CDATA[Amazon OpenSearch Service]]></category>
		<category><![CDATA[Amazon Simple Storage Service (S3)]]></category>
		<category><![CDATA[Technical How-to]]></category>
		<guid isPermaLink="false">7f42218c54c65627164b1c56988f7b12e86398b9</guid>

					<description>In this post, I show you how writable warm storage removes the costly migration cycle. You can reduce your infrastructure costs by up to 48 percent and update historical data in seconds instead of hours. I walk through a real-world cost comparison and performance benchmarks, and help you decide when to use writable warm versus UltraWarm.</description>
										<content:encoded>&lt;p&gt;Managing petabytes of search data means making tough choices: keep everything fast and expensive, or make it affordable but read-only. &lt;em&gt;UltraWarm&lt;/em&gt; is a proven, cost-effective solution for read-heavy historical data. However, some workloads occasionally need to update historical records, such as late-arriving data or compliance corrections. With UltraWarm, you must migrate those indices back to hot, perform the update, and migrate back. What if you could write directly to your cost-effective warm storage instead?&lt;/p&gt; 
&lt;p&gt;In this post, I show you how writable warm storage removes the costly migration cycle. You can reduce your infrastructure costs by up to 48 percent and update historical data in seconds instead of hours. I walk through a real-world cost comparison and performance benchmarks, and help you decide when to use writable warm versus UltraWarm.&lt;/p&gt; 
&lt;h2 id="the-challenge-with-tiered-storage"&gt;The challenge with tiered storage&lt;/h2&gt; 
&lt;p&gt;&lt;a href="https://aws.amazon.com/opensearch-service/" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service&lt;/a&gt; handles data-intensive search and analytics workloads, from real-time log analytics and application monitoring to security event detection. As your data volumes grow from terabytes to petabytes, you face a fundamental question: how do you keep recent data fast while making earlier data affordable?&lt;/p&gt; 
&lt;p&gt;OpenSearch Service addresses this with a tiered storage architecture:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Hot&lt;/strong&gt; – Highest performance for active indexing and search using instance-attached storage.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;UltraWarm&lt;/strong&gt; – Cost-effective, read-only tier backed by &lt;a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3)&lt;/a&gt; with local caching for less frequently queried data.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Cold&lt;/strong&gt; – Fully detached from the cluster, with the lowest cost for rarely accessed data. Cold indices must be migrated back to UltraWarm or hot before any reads or writes can be performed.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;For immutable log data, this model works well. However, a specific class of workloads hits its limitations when they occasionally need to write to earlier data, and read-only becomes a bottleneck.&lt;/p&gt; 
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;/h2&gt; 
&lt;p&gt;To use writable warm storage, you need the following:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;An Amazon OpenSearch Service domain running version 3.3 or later.&lt;/li&gt; 
 &lt;li&gt;OpenSearch Optimized (OI2) instance family support in your AWS Region.&lt;/li&gt; 
 &lt;li&gt;Workloads with a minimum 5-second refresh interval.&lt;/li&gt; 
 &lt;li&gt;Data nodes using the OpenSearch Optimized instance family (OR2 for hot, OI2 for warm).&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Writable warm doesn’t currently support the &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/multi-tier-storage.html#multi-tier-limitations" target="_blank" rel="noopener"&gt;cold storage tier&lt;/a&gt;.&lt;/p&gt; 
&lt;h2 id="the-ultrawarm-bottleneck"&gt;The UltraWarm bottleneck&lt;/h2&gt; 
&lt;p&gt;With UltraWarm, updating even a single document requires migrating the index back to hot, performing the write, and migrating it back. This round trip involves a force merge (consolidating index segments), snapshot creation, and shard relocation. These operations consume significant CPU, memory, and disk space on your hot nodes, and they take approximately 130 minutes per 100 GB index. This time was measured on a domain with 3 × r6g.2xlarge hot nodes, 3 × ultrawarm1.large warm nodes, and 3 dedicated leader nodes (US East, N. Virginia), using a single-shard index with one replica. Actual times vary based on domain configuration, shard count, segment count, hot node utilization, and migration queue depth. The result is that you over-provision hot nodes, build complex pipelines, or keep data in hot longer than necessary, which increases cost and complexity.&lt;/p&gt; 
&lt;h2 id="introducing-writable-warm-storage"&gt;Introducing writable warm storage&lt;/h2&gt; 
&lt;p&gt;OpenSearch Service now offers writable warm nodes that use &lt;a href="https://aws.amazon.com/about-aws/whats-new/2025/12/amazon-opensearch-service-oi2-instances/" target="_blank" rel="noopener"&gt;OpenSearch Optimized (OI2)&lt;/a&gt; instances, the same instance family that powers durable, Amazon S3-backed storage on hot nodes. Because data is already persisted on Amazon S3, tier transitions become a lightweight shard relocation rather than a resource-intensive migration. The Lucene engine, which is OpenSearch’s underlying search library, operates identically on both tiers. As a result, writable warm nodes support active writes, background merges, and periodic refreshes, just like hot nodes.&lt;/p&gt; 
&lt;p&gt;Late-arriving data, compliance backfills, and corrections that previously required a warm-to-hot-to-warm round trip now resolve with a direct write in seconds. There is no force merge, no snapshot, no shard relocation, and no hot node resource consumption.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/06/BDB-5803-1.png" alt="Diagram comparing UltraWarm and writable warm data flows. In the UltraWarm legacy flow, data is ingested into the hot tier, migrated to read-only UltraWarm, and any update requires a round trip back to hot. In the writable warm flow, indices transition from hot to writable warm, which accepts reads and writes directly without migrating back to hot." width="800"&gt;&lt;/p&gt; 
&lt;p&gt;UltraWarm (legacy) data flow: Data is ingested into the hot tier (SSD, read and write). Index State Management (ISM) policies migrate indices to UltraWarm (Amazon S3-backed, read-only). Any update requires migrating the index back to hot (dashed arrow), writing, then migrating back.&lt;/p&gt; 
&lt;p&gt;Writable warm (new) data flow: Same ingestion path through hot, with ISM transitioning indices to writable warm. The key difference is that writable warm supports both reads and writes. Late-arriving updates go directly to warm, with no migration back to hot. Because both tiers use Amazon S3 as durable storage through OpenSearch Optimized instances, transitions are lightweight shard relocations, not resource-intensive migrations.&lt;/p&gt; 
&lt;h2 id="the-benefits-cost-operations-and-flexibility"&gt;The benefits: cost, operations, and flexibility&lt;/h2&gt; 
&lt;p&gt;Writable warm delivers advantages in three areas: cost, operational simplicity, and flexibility.&lt;/p&gt; 
&lt;h3 id="cost"&gt;Cost&lt;/h3&gt; 
&lt;p&gt;Unlike UltraWarm, which only offers on-demand pricing, OI2 instances support Reserved Instance (RI) pricing, a commitment-based discount model. By committing to a 1-year or 3-year Reserved Instance, you can save 31–52 percent compared to UltraWarm nodes. This makes writable warm significantly more cost-effective for predictable, long-running workloads. The newly introduced Database savings plan for OpenSearch Service provides savings of around 22 percent over UltraWarm instances. Both tiers use Amazon S3 for durable storage, so node failure means only temporary unavailability, not data loss. For cost-sensitive workloads that can tolerate brief downtime during node recovery, you can configure zero replicas on warm indices to reduce costs further.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Real-world cost comparison&lt;/strong&gt;&lt;/p&gt; 
&lt;p&gt;Consider a workload ingesting 2 TB/day with 210 days total retention, where updates can arrive at any point. With UltraWarm’s read-only constraint, you must keep data in hot for 30 days before migrating to warm. With writable warm, updates happen directly on warm, so hot retention drops to only 7 days.&lt;/p&gt; 
&lt;p&gt;At small scale, the hot tier reduction benefit is modest. Writable warm is still cost-effective if you need write capability on warm data, can commit to RI pricing, or value the operational simplicity of eliminating migration pipelines. For purely immutable data with short retention, UltraWarm on-demand might still be cheaper. Use the &lt;a href="https://calculator.aws/" target="_blank" rel="noopener"&gt;AWS Pricing Calculator&lt;/a&gt; to model your specific scenario.&lt;/p&gt; 
&lt;p&gt;The following table shows estimated monthly costs using on-demand and All Upfront Reserved Instance (AURI) pricing in the US East (N. Virginia) Region as of March 2026. For the latest pricing, see &lt;a href="https://aws.amazon.com/opensearch-service/pricing/" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service pricing&lt;/a&gt; on the AWS website.&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Component&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Hot + UltraWarm (30d hot / 180d warm)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Hot + writable warm (7d hot / 203d warm)&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Hot data nodes&lt;/td&gt; 
   &lt;td&gt;$12,264 (21 × or2.2xlarge)&lt;/td&gt; 
   &lt;td&gt;$12,264 (21 × or2.2xlarge)&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Hot EBS cost&lt;/td&gt; 
   &lt;td&gt;$10,212.84 (21 * 3986 GB)&lt;/td&gt; 
   &lt;td&gt;$2,636&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Hot remote storage&lt;/td&gt; 
   &lt;td&gt;$2,008.28&lt;/td&gt; 
   &lt;td&gt;$518&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Warm data nodes&lt;/td&gt; 
   &lt;td&gt;$39,128 (20× ultrawarm1.large)&lt;/td&gt; 
   &lt;td&gt;$50,409 (15× oi2.8xlarge)&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Amazon S3 storage&lt;/td&gt; 
   &lt;td&gt;$9,504&lt;/td&gt; 
   &lt;td&gt;$1,070&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Leader nodes&lt;/td&gt; 
   &lt;td&gt;$1,307 (3 × m8g.2xlarge)&lt;/td&gt; 
   &lt;td&gt;$1,307 (3 × m8g.2xlarge)&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;On-demand total&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;$74,427&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;$69,297&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;1-year AURI&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;$69,674&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;$43,918 (~36% less)&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;3-year AURI&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;$67,367&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;$34,939 (~48% less)&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Database savings plan&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;$71,708&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;$55,406 (~22%)&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;h3 id="operations"&gt;Operations&lt;/h3&gt; 
&lt;p&gt;&lt;strong&gt;Reclaim hot node capacity.&lt;/strong&gt; Writable warm removes two common causes of hot node over-provisioning: reserving 35 percent of disk space for force merge operations, and maintaining extra capacity to temporarily move data back to hot for writes. You can run your hot tier at higher utilization, which reduces the number of hot nodes you need.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Simpler migrations.&lt;/strong&gt; UltraWarm migrations are multi-step operations (force merge, snapshot, and shard relocation) that need careful scheduling during low-traffic windows, and they are limited to 10 queued at a time. Writable warm simplifies this to a lightweight shard relocation, with more straightforward ISM policies and no scheduling constraints.&lt;/p&gt; 
&lt;h3 id="flexibility"&gt;Flexibility&lt;/h3&gt; 
&lt;p&gt;UltraWarm offers only two instance sizes: ultrawarm1.medium (1.5 TiB) and ultrawarm1.large (20 TiB). Writable warm with OI2 instances offers a full range from oi2.large to oi2.16xlarge. Each size addresses up to 5× its local cache size, so you can right-size warm capacity precisely to your workload.&lt;/p&gt; 
&lt;h3 id="search-performance"&gt;Search performance&lt;/h3&gt; 
&lt;p&gt;We benchmarked search latency using the NYC Taxis workload, comparing writable warm (oi2.large) against UltraWarm nodes. All measurements are P90 latencies.&lt;/p&gt; 
&lt;p&gt;On the NYC_TAXIS benchmark, writable warm matched or beat UltraWarm on 6 of 7 query types at P90, including lightweight filters, ranges, sorts, and time-histogram aggregations. For most real-world search patterns, writable warm delivers comparable or better performance than UltraWarm, plus the ability to write directly to the tier.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Search performance: writable warm compared to UltraWarm&lt;/strong&gt;&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Task&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Writable warm node latency in ms&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;UltraWarm latency in ms&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;UltraWarm vs.&amp;nbsp;writable warm diff %&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;NYC_TAXIS workload type&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;** **&lt;/td&gt; 
   &lt;td&gt;** **&lt;/td&gt; 
   &lt;td&gt;** **&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;default (P90)&lt;/td&gt; 
   &lt;td&gt;21.287&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;23.857&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;12.07223&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;range (P90)&lt;/td&gt; 
   &lt;td&gt;21.23&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;21.016&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;-1.00718&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;distance_amount_agg (P90)&lt;/td&gt; 
   &lt;td&gt;5,069&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;3929.23&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;-22.48406&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;autohisto_agg (P90)&lt;/td&gt; 
   &lt;td&gt;21.076&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;22.002&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;4.39348&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;date_histogram_agg (P90)&lt;/td&gt; 
   &lt;td&gt;21.363&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;21.792&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;2.01031&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;desc_sort_tip_amount (P90)&lt;/td&gt; 
   &lt;td&gt;23.224&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;23.797&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;2.46636&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;asc_sort_tip_amount (P90)&lt;/td&gt; 
   &lt;td&gt;22.483&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;22.482&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;-0.00445&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;h2 id="when-to-choose-what"&gt;When to choose what&lt;/h2&gt; 
&lt;p&gt;Should you switch from UltraWarm to writable warm? It depends on your workload.&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Requirement&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Writable Warm&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;UltraWarm&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Write enabled&lt;/td&gt; 
   &lt;td&gt;✓&lt;/td&gt; 
   &lt;td&gt;Read-only&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Reserved Instance pricing&lt;/td&gt; 
   &lt;td&gt;✓&lt;/td&gt; 
   &lt;td&gt;✗&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Instance size flexibility&lt;/td&gt; 
   &lt;td&gt;Wide range (large–8xlarge)&lt;/td&gt; 
   &lt;td&gt;2 options only&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Cold tier support&lt;/td&gt; 
   &lt;td&gt;✗&lt;/td&gt; 
   &lt;td&gt;✓&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Need for OpenSearch Optimized instance families&lt;/td&gt; 
   &lt;td&gt;✗&lt;/td&gt; 
   &lt;td&gt;✓&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Concurrent tier transitions&lt;/td&gt; 
   &lt;td&gt;✓&lt;/td&gt; 
   &lt;td&gt;✗ (sequential)&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Hot node impact during migration&lt;/td&gt; 
   &lt;td&gt;Minimal&lt;/td&gt; 
   &lt;td&gt;High (CPU/memory)&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;h2 id="clean-up-resources"&gt;Clean up resources&lt;/h2&gt; 
&lt;p&gt;If you created a test domain to evaluate writable warm storage, delete it to avoid ongoing charges. In the OpenSearch Service console, select your domain and choose &lt;strong&gt;Delete&lt;/strong&gt;. This removes all nodes and stops Amazon S3 storage charges for that domain.&lt;/p&gt; 
&lt;h2 id="summary"&gt;Summary&lt;/h2&gt; 
&lt;p&gt;In this post, I showed you how writable warm storage eliminates the costly migration cycle that UltraWarm’s read-only limitation creates. You get up to 36 percent cost savings with 1-year Reserved Instances, faster search performance, and a simpler operational model. Writable warm also removes data transitions between tiers, and Reserved Instance pricing becomes available for warm storage for the first time.&lt;/p&gt; 
&lt;p&gt;Writable warm requires OpenSearch Service version 3.3 or later with OI2 instances. For domains needing cold tier support, earlier OpenSearch Service versions, or non-optimized instance families, UltraWarm remains the right choice.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Next steps:&lt;/strong&gt; Start by analyzing your current hot and warm split. How many days of data do you keep in hot only to accommodate occasional updates? Use the &lt;a href="https://calculator.aws/pricing/2/home" target="_blank" rel="noopener"&gt;AWS Pricing Calculator&lt;/a&gt; to model your potential savings, and enable writable warm on a test domain in minutes. At the time of this post, writable warm is supported on OpenSearch Service version 3.3. For step-by-step instructions, see &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/" target="_blank" rel="noopener"&gt;Migrating to writable warm storage&lt;/a&gt; in the OpenSearch Service documentation.&lt;/p&gt; 
&lt;p&gt;Have you tried writable warm storage? I’d love to hear about your experience and any questions you have in the comments.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the author&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/06/BDB-5803-2.jpeg" alt="Bharav Patel" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Bharav Patel&lt;/h3&gt; 
  &lt;p&gt;Bharav is a Specialist Solution Architect, Analytics at Amazon Web Services. He primarily works on Amazon OpenSearch Service and helps customers with key concepts and design principles of running OpenSearch workloads on the cloud. Bharav likes to explore new places and try out different cuisines.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Introducing Apache Spark Connect support in AWS Glue interactive sessions</title>
		<link>https://aws.amazon.com/blogs/big-data/introducing-apache-spark-connect-support-in-aws-glue-interactive-sessions/</link>
		
		<dc:creator><![CDATA[Zach Mitchell]]></dc:creator>
		<pubDate>Tue, 07 Jul 2026 16:38:42 +0000</pubDate>
				<category><![CDATA[Amazon SageMaker Unified Studio]]></category>
		<category><![CDATA[Announcements]]></category>
		<category><![CDATA[AWS Glue]]></category>
		<category><![CDATA[Intermediate (200)]]></category>
		<guid isPermaLink="false">7f198fe4f8662ec420e4153e8ab58e6032095b77</guid>

					<description>Apache Spark Connect bridges the gap between these two worlds: you develop in local Python, but execute on AWS Glue against actual data. Today, AWS Glue interactive sessions support Spark Connect natively. You can connect from any environment that supports the PySpark remote() API, including VS Code, PyCharm, Amazon SageMaker Unified Studio notebooks, and standalone Python applications. You don’t need to install specialized kernels or manage cluster infrastructure.</description>
										<content:encoded>&lt;p&gt;When we built AWS Glue interactive sessions, our goal was to make AWS Glue as interactive as running local Python from a notebook. We mostly succeeded. With a straightforward Python package and a Jupyter notebook, you could execute remotely against the AWS Glue ephemeral Spark backend. The Livy-based approach was ahead of its time, but it had limitations from its REST-based protocol. Running local PySpark unlocked powerful integrated development environment (IDE) features such as debugging and linting, so your environment could understand the code and help you develop Spark applications more quickly. Customers would often split their development work. They used local Spark (or Docker containers) to develop in an IDE on a small amount of data, then switched to AWS Glue interactive sessions to validate scaling and tuning against the full dataset.&lt;/p&gt; 
&lt;p&gt;With modern PySpark releases came a new protocol: Apache Spark Connect. Spark Connect bridges the gap between these two worlds: you develop in local Python, but execute on AWS Glue against actual data. Today, AWS Glue interactive sessions support Spark Connect natively. You can connect from any environment that supports the PySpark &lt;code&gt;remote()&lt;/code&gt; API, including VS Code, PyCharm, Amazon SageMaker Unified Studio notebooks, and standalone Python applications. You don’t need to install specialized kernels or manage cluster infrastructure.&lt;/p&gt; 
&lt;h2 id="what-spark-connect-changes"&gt;What Spark Connect changes&lt;/h2&gt; 
&lt;p&gt;Spark Connect, introduced in Spark 3.4, decouples the Spark client from the server through a lightweight gRPC protocol. Instead of running your driver program on the cluster, your IDE communicates with a remote Spark server through a thin client layer. This architecture unlocks the key workflow improvement: you develop locally and execute remotely.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-1.png" alt="Spark Connect architecture diagram showing a thin client communicating with a remote Apache Spark server" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Spark Connect architecture — thin client with the full power of Apache Spark&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;With Spark Connect support in AWS Glue interactive sessions, you get:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;IDE freedom&lt;/strong&gt; – Use VS Code, PyCharm, JupyterLab, or any Python environment. No kernel installation required.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Programmatic access&lt;/strong&gt; – Build Spark into your Python applications and automation scripts with a standard &lt;code&gt;SparkSession.builder.remote()&lt;/code&gt; call.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Serverless execution&lt;/strong&gt; – AWS Glue provisions and manages the Spark cluster. You pay only for the data processing units (DPUs) consumed while your session is active.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Spark Connect monitoring&lt;/strong&gt; – The Spark Live UI now includes a dedicated Connect tab showing active Spark Connect sessions and operations alongside the existing Jobs, Stages, and Executors views.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="getting-started-with-sagemaker-unified-studio"&gt;Getting started with SageMaker Unified Studio&lt;/h2&gt; 
&lt;p&gt;Amazon SageMaker Unified Studio provides the most direct path to Spark Connect on AWS Glue. The notebook environment handles session creation, endpoint retrieval, and token refresh automatically, so no connection boilerplate is required.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Prerequisite:&lt;/strong&gt; You need an Amazon SageMaker Unified Studio project to use this workflow. If you don’t have one, create a project in your SageMaker Unified Studio domain first.&lt;/p&gt; 
&lt;p&gt;To connect to an AWS Glue Spark Connect session:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Sign in to SageMaker Unified Studio, choose your project, and create or open a Notebook.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-2.png" alt="A notebook open in SageMaker Unified Studio" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;A notebook open in SageMaker Unified Studio&lt;/em&gt;&lt;/p&gt; 
&lt;ol start="2" type="1"&gt; 
 &lt;li&gt;Choose the compute icon in the left toolbar to open the Compute environment panel. Expand the &lt;strong&gt;Spark&lt;/strong&gt; section.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-3.png" alt="Compute environment panel in SageMaker Unified Studio with the Spark section expanded" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;The Compute environment panel with the Spark dropdown list&lt;/em&gt;&lt;/p&gt; 
&lt;ol start="3" type="1"&gt; 
 &lt;li&gt;Select a Glue Spark connection. Depending on your SageMaker domain configuration, you will see either &lt;code&gt;default.spark&lt;/code&gt; or named connections such as &lt;code&gt;project.spark.compatibility&lt;/code&gt;. Select the appropriate Glue (Spark) connection and choose &lt;strong&gt;Apply&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-4.png" alt="Notebook cell showing spark.version returns 3.5.6-amzn-1 after connecting to Glue Spark Connect" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Connected to Glue Spark Connect — running &lt;code&gt;spark.version&lt;/code&gt; returns ‘3.5.6-amzn-1’&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;After you make your selection, you’re connected. The &lt;code&gt;spark&lt;/code&gt; session object is available natively. No imports or configuration are needed. Start running PySpark immediately:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;spark.sql("SHOW DATABASES").show()&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;The session manages itself in the background, including automatic token refresh.&lt;/p&gt; 
&lt;h2 id="using-the-sagemaker_studio-sdk"&gt;Using the sagemaker_studio SDK&lt;/h2&gt; 
&lt;p&gt;The &lt;code&gt;sagemaker-studio&lt;/code&gt; Python package extends the Spark Connect experience beyond SageMaker Unified Studio notebooks into local IDEs, continuous integration and continuous delivery (CI/CD) pipelines, and any Python environment. The &lt;code&gt;sparkutils&lt;/code&gt; module handles session initialization and connection configuration in a single call. You get the same streamlined experience as in the notebook, anywhere you run Python:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;from sagemaker_studio import sparkutils

# Initialize a Glue Spark Connect session using your project connection
spark = sparkutils.init(connection_name="default.spark")

# Run queries immediately
spark.sql("SHOW DATABASES").show()&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;You can also use &lt;code&gt;sparkutils.get_spark_options()&lt;/code&gt; to retrieve pre-configured Java Database Connectivity (JDBC) options for reading and writing to data sources through your project connections. Supported sources include Amazon Redshift, Amazon Aurora, and Amazon DocumentDB (with MongoDB compatibility):&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;# Get connection options for a Redshift connection in your project
options = sparkutils.get_spark_options("my_redshift_connection")

# Read from Redshift via Spark Connect
df = spark.read.format("jdbc").options(**options).option("dbtable", "analytics.orders").load()
df.show()&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Within SageMaker Unified Studio, the &lt;code&gt;sagemaker-studio&lt;/code&gt; SDK is native to the environment. The &lt;code&gt;spark&lt;/code&gt; session and &lt;code&gt;sparkutils&lt;/code&gt; are available without installation. For local IDE use, install it with &lt;code&gt;pip install sagemaker-studio&lt;/code&gt; and configure credentials through an AWS named profile or boto3 session.&lt;/p&gt; 
&lt;h2 id="how-it-works"&gt;How it works&lt;/h2&gt; 
&lt;p&gt;Spark Connect sessions in AWS Glue use a three-step workflow:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;Create a session&lt;/strong&gt; – Call the &lt;code&gt;CreateSession&lt;/code&gt; API with &lt;code&gt;SessionType&lt;/code&gt; set to &lt;code&gt;SPARK_CONNECT&lt;/code&gt;. The session provisions in approximately 30 seconds.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Retrieve the endpoint&lt;/strong&gt; – Call &lt;code&gt;GetSessionEndpoint&lt;/code&gt; to receive a &lt;code&gt;sc://&lt;/code&gt; gRPC endpoint URL and a time-limited authentication token.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Connect with PySpark&lt;/strong&gt; – Pass the endpoint and token to &lt;code&gt;SparkSession.builder.remote()&lt;/code&gt; and start running Spark operations.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-5.png" alt="Spark Connect protocol flow from the DataFrame API to a logical plan, sent over gRPC and protobuf, with results streamed back over gRPC and Arrow" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Spark Connect protocol flow — DataFrame API translated to logical plan, sent via gRPC/protobuf, results streamed back via gRPC/Arrow&lt;/em&gt;&lt;/p&gt; 
&lt;h2 id="connecting-with-the-low-level-api"&gt;Connecting with the low-level API&lt;/h2&gt; 
&lt;p&gt;Some environments don’t have the &lt;code&gt;sagemaker-studio&lt;/code&gt; SDK, such as custom containers, AWS Lambda functions, or non-Python toolchains. In these environments, or if you’re not using SageMaker Unified Studio, you can use the AWS SDK (Boto3) to manage sessions directly. The following example demonstrates the full workflow:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;import time, boto3, urllib.parse
from pyspark.sql import SparkSession

glue = boto3.client("glue", region_name="us-east-1")

# 1. Create a Spark Connect session
session_id = "my-spark-connect-session"
glue.create_session(
    Id=session_id,
    Role="arn:aws:iam::123456789012:role/GlueServiceRole",
    Command={"Name": "glueetl"},
    GlueVersion="5.1",
    SessionType="SPARK_CONNECT",
    DefaultArguments={"--enable-spark-live-ui": "true"},
)

# 2. Wait for the session to reach READY
while True:
    status = glue.get_session(Id=session_id)["Session"]["Status"]
    if status == "READY":
        break
    time.sleep(5)

# 3. Get the Spark Connect endpoint
sc = glue.get_session_endpoint(SessionId=session_id)["SparkConnect"]
endpoint_url = sc["Url"]
auth_token = sc["AuthToken"]

# 4. Connect with PySpark
encoded_token = urllib.parse.quote(auth_token, safe="")
connection_string = f"{endpoint_url}:443/;use_ssl=true;x-aws-proxy-auth={encoded_token}"
spark = SparkSession.builder.remote(connection_string).getOrCreate()
spark.sql("SELECT 1 + 1 AS result").show()&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h2 id="monitoring-with-spark-live-ui"&gt;Monitoring with Spark Live UI&lt;/h2&gt; 
&lt;p&gt;When you enable the Spark Live UI at session creation, you gain access to a real-time dashboard showing:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Jobs and Stages&lt;/strong&gt; – Track active, completed, and failed jobs with stage-level metrics.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Executors&lt;/strong&gt; – Monitor memory usage, shuffle data, and executor health.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SQL&lt;/strong&gt; – Inspect query plans and execution details.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Connect tab&lt;/strong&gt; – View active Spark Connect sessions and operations (specific to Spark Connect).&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Access the dashboard through the &lt;code&gt;GetDashboardUrl&lt;/code&gt; API or directly from the AWS Glue console.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;import boto3, webbrowser

glue = boto3.client("glue", region_name="us-east-1")
dashboard = glue.get_dashboard_url(
    ResourceId="my-spark-connect-session",
    ResourceType="SESSION",
)
webbrowser.open(dashboard["Url"])&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;In SageMaker Unified Studio, no API call is needed. Choose &lt;strong&gt;Ready&lt;/strong&gt; in the notebook status bar to open the kernel info popover. From there, open the &lt;strong&gt;Spark UI&lt;/strong&gt; link for the live dashboard or &lt;strong&gt;Spark Driver Logs&lt;/strong&gt; for real-time log output.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-6.png" alt="Notebook status bar Ready button that opens the Spark UI and Spark Driver Logs links" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Image showing “Ready” in the status bar to access Spark UI and Driver Logs directly from the notebook&lt;/em&gt;&lt;/p&gt; 
&lt;h2 id="token-refresh"&gt;Token refresh&lt;/h2&gt; 
&lt;p&gt;Authentication tokens expire after 30 minutes. In SageMaker Unified Studio, this is handled automatically. For programmatic use, you can use a background thread to keep the connection alive. The following helper reconnects transparently before the token expires:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;import threading, time, boto3, urllib.parse
from pyspark.sql import SparkSession

class GlueSparkConnect:
    """Maintains a SparkSession with automatic token refresh."""

    def __init__(self, session_id, region="us-east-1", refresh_margin=300):
        self.session_id = session_id
        self.glue = boto3.client("glue", region_name=region)
        self.refresh_margin = refresh_margin  # seconds before expiry to refresh
        self._lock = threading.Lock()
        self.spark = self._connect()
        self._start_refresh_loop()

    def _connect(self):
        sc = self.glue.get_session_endpoint(SessionId=self.session_id)["SparkConnect"]
        encoded_token = urllib.parse.quote(sc["AuthToken"], safe="")
        remote_url = f"{sc['Url']}:443/;use_ssl=true;x-aws-proxy-auth={encoded_token}"
        self._token_expiry = sc["AuthTokenExpirationTime"].timestamp()
        return SparkSession.builder.remote(remote_url).getOrCreate()

    def _start_refresh_loop(self):
        def _loop():
            while True:
                sleep_for = max(self._token_expiry - time.time() - self.refresh_margin, 30)
                time.sleep(sleep_for)
                with self._lock:
                    self.spark = self._connect()
        t = threading.Thread(target=_loop, daemon=True)
        t.start()

# Usage
session = GlueSparkConnect("my-spark-connect-session")
session.spark.sql("SELECT 1 + 1 AS result").show()&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;The background thread sleeps until 5 minutes before token expiry, then transparently reconnects. Because the daemon thread exits when your script ends, there is no cleanup required.&lt;/p&gt; 
&lt;h2 id="getting-started"&gt;Getting started&lt;/h2&gt; 
&lt;p&gt;To start using Spark Connect with AWS Glue interactive sessions:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Use AWS Glue version 5.1 (Apache Spark 3.5.6).&lt;/li&gt; 
 &lt;li&gt;Install PySpark 3.5.6 locally: &lt;code&gt;pip install pyspark==3.5.6&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Grant your AWS Identity and Access Management (IAM) identity permissions for &lt;code&gt;glue:CreateSession&lt;/code&gt;, &lt;code&gt;glue:GetSession&lt;/code&gt;, and &lt;code&gt;glue:GetSessionEndpoint&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Create a session with &lt;code&gt;--session-type SPARK_CONNECT&lt;/code&gt; and connect from your preferred environment.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;VPC note: If you connect to AWS Glue interactive sessions through a virtual private cloud (VPC) endpoint, add the new Spark Connect endpoint (&lt;code&gt;com.amazonaws.{region}.glue.sessions&lt;/code&gt;) to your VPC configuration. Existing AWS Glue VPC endpoints don’t cover Spark Connect traffic.&lt;/p&gt; 
&lt;p&gt;For detailed instructions, see Connecting to a Spark Connect session in the AWS Glue Developer Guide.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-38.jpg" alt="Zach Mitchell" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Zach Mitchell&lt;/h3&gt; 
  &lt;p&gt;Zach is a Senior Big Data Architect at AWS Worldwide Specialist Organization for Analytics. He works with customers to design and build data applications on AWS, with a focus on SageMaker Unified Studio, AWS Glue, and AWS Lake Formation. Outside of work, he enjoys building things with code and occasionally writing about it.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-7.jpg" alt="Shrey Malpani" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Shrey Malpani&lt;/h3&gt; 
  &lt;p&gt;Shrey is a Senior Technical Product Manager at AWS Analytics. He is focused on building and scaling data processing, data integration, and data management capabilities across services like AWS Glue, Amazon EMR, and Amazon Redshift that help customers build AI-ready data platforms for their analytics or machine learning workflows.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-8.jpg" alt="Vaibhav Naik" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Vaibhav Naik&lt;/h3&gt; 
  &lt;p&gt;Vaibhav is a Software Engineer at AWS Glue, where he leads the development of enterprise Generative AI managed services and Agentic data systems. He has over a decade of experience designing massive-scale cloud infrastructure and distributed computing platforms.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-9.jpg" alt="Tom Olson" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Tom Olson&lt;/h3&gt; 
  &lt;p&gt;Tom is a Software Development Engineer on the AWS Glue team, focused on Interactive Sessions and operational excellence. He brings over 20 years of software development experience, including government contracting and EC2 Networking at AWS. Outside of work, he enjoys running and playing board games.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-6065-10.jpg" alt="Gaurav Krishnan" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Gaurav Krishnan&lt;/h3&gt; 
  &lt;p&gt;Gaurav is a Software Development Engineer at AWS Glue. He has a deep interest in distributed systems and creating low-friction developer experiences for interactive data workloads on Apache Spark. In his spare time, he enjoys running and trying new restaurants.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>How BigBasket uses the Iceberg based lakehouse architecture on AWS to power lightning-fast grocery delivery across India</title>
		<link>https://aws.amazon.com/blogs/big-data/how-bigbasket-uses-the-iceberg-based-lakehouse-architecture-on-aws-to-power-lightning-fast-grocery-delivery-across-india/</link>
		
		<dc:creator><![CDATA[Annie Mattoo]]></dc:creator>
		<pubDate>Mon, 06 Jul 2026 16:50:17 +0000</pubDate>
				<category><![CDATA[Amazon Athena]]></category>
		<category><![CDATA[Amazon CloudWatch]]></category>
		<category><![CDATA[Amazon EMR]]></category>
		<category><![CDATA[Amazon Quick Sight]]></category>
		<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[Amazon Simple Storage Service (S3)]]></category>
		<category><![CDATA[AWS Glue]]></category>
		<category><![CDATA[AWS Lake Formation]]></category>
		<category><![CDATA[Customer Solutions]]></category>
		<guid isPermaLink="false">ed3cd62549d3fdee5b7b9b3cb025312b246c6546</guid>

					<description>In this post, we demonstrate how BigBasket implemented the lakehouse architecture on AWS, including their architecture decisions, implementation approach, and the measurable business results you can expect from a similar modernization. Whether you’re facing scalability challenges or planning your own lakehouse implementation, this blueprint provides actionable insights you can adapt for your organization.</description>
										<content:encoded>&lt;p&gt;Delivering fresh groceries to millions of customers across India in a few minutes demands a radically modern data architecture and resilient processes to help the business make faster decisions. This is what &lt;a href="https://www.bigbasket.com/" target="_blank" rel="noopener"&gt;BigBasket&lt;/a&gt; was able to achieve by building a lakehouse architecture on AWS.&lt;/p&gt; 
&lt;p&gt;In this post, we demonstrate how BigBasket implemented the &lt;a href="https://aws.amazon.com/what-is/data-lakehouse/" target="_blank" rel="noopener"&gt;lakehouse architecture&lt;/a&gt; on AWS, including their architecture decisions, implementation approach, and the measurable business results you can expect from a similar modernization. Whether you’re facing scalability challenges or planning your own lakehouse implementation, this blueprint provides actionable insights you can adapt for your organization.&lt;/p&gt; 
&lt;h2 id="about-bigbasket"&gt;About BigBasket&lt;/h2&gt; 
&lt;p&gt;&lt;a href="https://www.bigbasket.com/" target="_blank" rel="noopener"&gt;BigBasket&lt;/a&gt; (Innovative Retail Concepts Private Limited) is India’s largest online supermarket, serving millions of customers across over 60 cities. Founded in 2011, the company offers groceries, fresh produce, household items, and personal care products through its mobile app and website, operating subscription services (&lt;a href="https://www.google.com/search?q=BBDaily&amp;amp;rlz=1C5GCEM_enIN1147IN1150&amp;amp;oq=About+bisbakset&amp;amp;gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBCDIxNTBqMGo3qAIAsAIA&amp;amp;sourceid=chrome&amp;amp;ie=UTF-8&amp;amp;ved=2ahUKEwiV3LmzxK2RAxWjTWwGHcaLGEQQgK4QegYIAQgAEAY" target="_blank" rel="noopener"&gt;BBDaily&lt;/a&gt;) and quick commerce (&lt;a href="https://www.google.com/search?q=bbnow&amp;amp;rlz=1C5GCEM_enIN1147IN1150&amp;amp;oq=About+bisbakset&amp;amp;gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBCDIxNTBqMGo3qAIAsAIA&amp;amp;sourceid=chrome&amp;amp;ie=UTF-8&amp;amp;ved=2ahUKEwiV3LmzxK2RAxWjTWwGHcaLGEQQgK4QegYIAQgAEAc" target="_blank" rel="noopener"&gt;bbnow&lt;/a&gt;). For BigBasket, the ability to deliver groceries on time isn’t only a competitive advantage. It’s the foundation of customer trust, where every minute counts.&lt;/p&gt; 
&lt;p&gt;However, rapid business growth brought significant operational challenges:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Inability to consistently meet on-time delivery adherence because of high order volumes, extended travel times, and more, directly impacting key metrics like on-time rate (OTR)-10 mins and OTR-15 mins.&lt;/li&gt; 
 &lt;li&gt;Struggling to meet on-time delivery targets because of picking inefficiency, high order volumes, and extended travel times, directly impacting key metrics like OTR-10 mins and OTR-15 mins.&lt;/li&gt; 
 &lt;li&gt;Delays in stock availability impacting vendor fill-rates, inter-distribution center orders, and warehouse operations.&lt;/li&gt; 
 &lt;li&gt;Inaccurate stock forecasting for top-selling stock keeping units (SKUs), assortment variety, event SKUs, store capacity, and buying cycles.&lt;/li&gt; 
 &lt;li&gt;Lower dark store productivity across picking, stacking, order processing, and goods receipt notes (GRN).&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Behind these business challenges lay a fundamental technology problem: the existing data infrastructure couldn’t keep pace. The company experienced rapid store growth, expanding 4x in a short timeframe, which exposed several limitations within their existing data architecture that needed attention.&lt;/p&gt; 
&lt;h2 id="understanding-the-technical-bottlenecks"&gt;Understanding the technical bottlenecks&lt;/h2&gt; 
&lt;p&gt;BigBasket’s initial architecture relied heavily on a single data warehouse built on Amazon Redshift to meet all reporting and dashboarding needs. While this traditional approach had served them well initially, several important limitations emerged:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Stale data&lt;/strong&gt;: Extract, transform, load (ETL) pipelines delivered only day-old (D-1) data, making near real-time analysis impossible for dashboard requirements.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Extended recovery times&lt;/strong&gt;: Pipeline failure recovery processes took several hours, causing significant delays in data availability for business users.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Schema rigidity&lt;/strong&gt;: Schema changes in source databases frequently triggered pipeline failures because of a lack of schema evolution support.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Scalability constraints&lt;/strong&gt;: The infrastructure struggled to handle the sudden load increase from 13,000 to over 35,000 transactions for reports and dashboards with more than 1,000 dataset refreshes.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Cost implications&lt;/strong&gt;: Increasing data volumes demanded additional compute resources, driving up costs.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5616-2.png" alt="Diagram of the scalability and cost limitations of BigBasket’s legacy Amazon Redshift data warehouse" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;It became clear that the existing data infrastructure wasn’t able to meet the evolving business requirements and a redesign of their data architecture is needed.&lt;/p&gt; 
&lt;h3 id="why-lakehouse-architecture"&gt;Why lakehouse architecture?&lt;/h3&gt; 
&lt;p&gt;A modern data lakehouse architecture addresses these issues with near real-time data processing, flexible schema evolution, and scalable analytics, capabilities necessary for fast-moving commerce operations. The lakehouse approach combines the flexibility and cost-effectiveness of data lakes with the performance and governance features of data warehouses, combining the strengths of both. The design of a data lakehouse provides interoperability across storage systems for combined analytics activities.&lt;/p&gt; 
&lt;h2 id="solution-overview"&gt;Solution overview&lt;/h2&gt; 
&lt;p&gt;BigBasket partnered with AWS to implement a comprehensive lakehouse architecture using a combination of AWS native services and open-source technologies.&lt;/p&gt; 
&lt;p&gt;The following diagram shows an elaborated view of Bigbasket’s modernized architecture on AWS.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5616-4.jpg" alt="Detailed lakehouse data flow across bronze, silver, and gold medallion layers on AWS" width="600"&gt;&lt;/p&gt; 
&lt;h3 id="data-ingestion-enabling-continuous-replication"&gt;Data ingestion: Enabling continuous replication&lt;/h3&gt; 
&lt;p&gt;&lt;a href="http://aws.amazon.com/dms/" target="_blank" rel="noopener"&gt;AWS Database Migration Service (AWS DMS)&lt;/a&gt; ingests data from online transaction processing (OLTP) databases running on &lt;a href="https://aws.amazon.com/rds/" target="_blank" rel="noopener"&gt;Amazon Relational Database Service (Amazon RDS)&lt;/a&gt; into the lakehouse on AWS.&lt;/p&gt; 
&lt;p&gt;This method continuously replicates data with minimal latency, so your analytics reflect near real-time business operations.&lt;/p&gt; 
&lt;h3 id="storage-and-governance-building-a-solid-foundation"&gt;Storage and governance: Building a solid foundation&lt;/h3&gt; 
&lt;p&gt;The lakehouse is built on &lt;a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3)&lt;/a&gt; and Amazon Redshift, which serve as the centralized data lake and warehouse following a medallion architecture.&lt;/p&gt; 
&lt;p&gt;The architecture persists all analytical data using Apache Iceberg as the open table format. Iceberg provides a robust foundation for large-scale analytics with the following capabilities:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;ACID transactions:&lt;/strong&gt; Guarantees data consistency and correctness across concurrent read and write operations.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Time travel:&lt;/strong&gt; Supports querying historical table versions for auditing, troubleshooting, and recovery.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Schema evolution:&lt;/strong&gt; Allows schema changes without disrupting existing queries or downstream pipelines.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The medallion architecture structures data across three logical layers within the lakehouse:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Bronze layer:&lt;/strong&gt; Implements change data capture (CDC)-based source replication using AWS DMS. Raw change events flow into Amazon S3 as Apache Parquet files in their original format from source systems, preserving the complete change history. The data pipeline processes and deduplicates these events using Apache Spark on Amazon EMR to create and maintain Apache Iceberg tables that act as replicated source tables.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Silver layer:&lt;/strong&gt; Represents the conformed data model, where data is cleansed, standardized, and validated with enforced quality checks. This layer contains core dimension and fact tables, modeled for analytical consistency and reuse across domains. Data is stored as Apache Iceberg tables on Amazon S3, making it reliable and performant for downstream analytics and transformations.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Gold layer:&lt;/strong&gt; Provides business-ready data marts and wide tables optimized for reporting, dashboarding, and domain-specific use cases. These datasets are curated to align with business metrics and key performance indicators (KPIs) and are served from Amazon Redshift, using Iceberg-backed tables to deliver fast, scalable analytics for business intelligence (BI) tools and end users.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;This layered approach maintains a clear separation of concerns across raw ingestion, analytical modeling, and business consumption, while supporting scalability and flexibility across the organization. &lt;a href="https://aws.amazon.com/lake-formation/" target="_blank" rel="noopener"&gt;AWS Lake Formation&lt;/a&gt; enforces fine-grained data access controls, and the &lt;a href="https://aws.amazon.com/glue/" target="_blank" rel="noopener"&gt;AWS Glue Data Catalog&lt;/a&gt; centrally manages metadata across Amazon S3 and Amazon Redshift, ensuring consistent data discovery and governance across the analytics ecosystem.&lt;/p&gt; 
&lt;h3 id="data-processing-flexibility-and-performance"&gt;Data processing: Flexibility and performance&lt;/h3&gt; 
&lt;p&gt;For data processing and transformations, BigBasket uses &lt;a href="https://aws.amazon.com/emr/" target="_blank" rel="noopener"&gt;Amazon EMR&lt;/a&gt; with &lt;a href="https://spark.apache.org/" target="_blank" rel="noopener"&gt;Apache Spark&lt;/a&gt; and &lt;a href="https://docs.getdbt.com/docs/introduction" target="_blank" rel="noopener"&gt;dbt&lt;/a&gt;, orchestrated by &lt;a href="https://airflow.apache.org/" target="_blank" rel="noopener"&gt;Apache Airflow&lt;/a&gt; running on Amazon Elastic Kubernetes Service (Amazon EKS) as the core compute layer of the lakehouse. Apache Spark on Amazon EMR handles large-scale distributed processing, including CDC deduplication, incremental transformations, and complex data reshaping. &lt;a href="https://iceberg.apache.org/" target="_blank" rel="noopener"&gt;Apache Iceberg&lt;/a&gt; serves as the open table format, which provides several critical capabilities.&lt;/p&gt; 
&lt;p&gt;dbt is used to define and execute transformation logic using SQL, managing the build of data models such as staging, intermediate, and final tables on top of the raw data. dbt uses the dbt-Trino adapter to run these transformations using the Trino engine, materializing the results as Apache Iceberg tables in Amazon S3. This approach provides a simple, modular, and governed way to manage transformations while taking advantage of Iceberg’s transactional guarantees.&lt;/p&gt; 
&lt;p&gt;These features are necessary for production lakehouse implementations and help you avoid vendor lock-in while maintaining enterprise reliability.&lt;/p&gt; 
&lt;h3 id="online-analytical-processing-olap-and-analytics-hybrid-approach-for-cost-optimization"&gt;Online analytical processing (OLAP) and analytics: Hybrid approach for cost optimization&lt;/h3&gt; 
&lt;p&gt;The analytics layer uses a hybrid approach that you can adapt based on your query patterns:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Amazon Redshift&lt;/strong&gt;: For querying of active, frequently accessed data from the Gold layer.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Amazon Athena&lt;/strong&gt;: For ad-hoc queries on historical data.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Apache Trino&lt;/strong&gt;: For federated queries across multiple data sources while powering dbt-driven transformations directly on Apache Iceberg tables.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;This hybrid strategy optimizes costs by keeping frequently accessed data in Amazon Redshift while querying historical data directly from Iceberg tables in Amazon S3. Amazon Redshift data sharing supports a multi-warehouse architecture for cross-team collaboration, allowing different teams to access shared datasets without data duplication.&lt;/p&gt; 
&lt;h3 id="orchestration-managing-complex-workflows"&gt;Orchestration: Managing complex workflows&lt;/h3&gt; 
&lt;p&gt;Apache Airflow running on Amazon EKS orchestrates and schedules data pipelines across the entire environment, providing visibility and control over complex workflows. This gives you a unified view for monitoring and managing your data operations.&lt;/p&gt; 
&lt;h3 id="machine-learning-integration"&gt;Machine learning integration&lt;/h3&gt; 
&lt;p&gt;&lt;a href="https://aws.amazon.com/sagemaker/ai/" target="_blank" rel="noopener"&gt;Amazon SageMaker AI&lt;/a&gt; powers machine learning workloads for predictive analytics and model training directly on lakehouse data, from demand forecasting to delivery optimization. This tight integration means your data scientists can work with the same governed data that powers your analytics.&lt;/p&gt; 
&lt;h3 id="visualization-making-insights-accessible"&gt;Visualization: Making insights accessible&lt;/h3&gt; 
&lt;p&gt;Amazon Quick Sight provides data visualization and business intelligence reporting capabilities, making insights accessible to business users across the organization without requiring technical expertise.&lt;/p&gt; 
&lt;h3 id="special-focus-clickstream-data-processing"&gt;Special focus: Clickstream data processing&lt;/h3&gt; 
&lt;p&gt;BigBasket implemented a sophisticated dual-path architecture for processing clickstream data from mobile apps and web interactions:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Real-time path&lt;/strong&gt;: Data flows through Scala stream collectors on &lt;a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener"&gt;Amazon Elastic Compute Cloud (Amazon EC2)&lt;/a&gt; (behind Elastic Load Balancing) to &lt;a href="https://aws.amazon.com/kinesis/data-streams/" target="_blank" rel="noopener"&gt;Amazon Kinesis Data Streams&lt;/a&gt; and &lt;a href="https://aws.amazon.com/opensearch-service/" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service&lt;/a&gt; for immediate insights into customer behavior. This path is necessary when you need to react to user actions within seconds, for example detecting fraud or personalizing experiences in real time.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Batch path&lt;/strong&gt;: The batch path validates data, stores it in Amazon S3, processes it through Amazon EMR, and loads it into Amazon Redshift for comprehensive historical analysis. This path handles data quality checks, enrichment, and aggregation for long-term analytics.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The trade-off between these approaches is latency versus completeness. Real-time processing gives you speed but may sacrifice some data quality checks, while batch processing provides accuracy but introduces delay. This dual approach achieves both immediate operational insights and deep analytical capabilities, letting you optimize for different use cases.&lt;/p&gt; 
&lt;p&gt;The following diagram shows how the clickstream data is handled and effectively processed today.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5616-5.jpg" alt="BigBasket’s dual-path clickstream processing architecture with real-time and batch paths on AWS" width="600"&gt;&lt;/p&gt; 
&lt;h2 id="the-results-measurable-business-impact"&gt;The results: measurable business impact&lt;/h2&gt; 
&lt;p&gt;The data platform transformation achieved significant results across multiple dimensions:&lt;/p&gt; 
&lt;h3 id="technical-improvements"&gt;Technical improvements&lt;/h3&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Near real-time data&lt;/strong&gt;: Achieved near real-time data availability for dashboards within 3–5 minutes, replacing previously day-old data.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Rapid failure recovery&lt;/strong&gt;: Pipeline failure re-runs now complete in minutes instead of hours.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Comprehensive governance&lt;/strong&gt;: Full control over data governance with robust observability, lineage, data accuracy, and consistency.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Enhanced scalability&lt;/strong&gt;: Successfully handling over 35,000 reports and dashboards with over 1,000 dataset refreshes.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="business-outcomes"&gt;Business outcomes&lt;/h3&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;On-time delivery&lt;/strong&gt;: Improved monitoring with real-time insights on low-performing stores.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Stock availability&lt;/strong&gt;: Reduced operational issues with visibility into key bottlenecks.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Stock forecasting&lt;/strong&gt;: Improved accuracy and availability of top-selling SKUs.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Dark store productivity&lt;/strong&gt;: Enhanced productivity of warehouse executives across all operations.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="key-takeaways-lessons-for-modern-data-platforms"&gt;Key takeaways: lessons for modern data platforms&lt;/h2&gt; 
&lt;p&gt;BigBasket’s journey offers valuable insights for organizations facing similar challenges:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;Quick commerce needs quick observability.&lt;/strong&gt; In the fast-paced world of quick commerce, faster decision-making directly improves business metrics. Real-time data isn’t a luxury. It’s a necessity.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Embrace ELT for real-time needs.&lt;/strong&gt; Shifting from traditional ETL to an extract, load, transform (ELT) pattern within a lakehouse architecture is important to unlock near real-time analytics capabilities.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;A lakehouse delivers speed and governance.&lt;/strong&gt; Modern lakehouse architectures don’t force trade-offs. You can achieve both fast data availability and comprehensive control, lineage, and accuracy.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Focus on operational resilience.&lt;/strong&gt; Designing for rapid failure recovery (re-runs in minutes, not hours) is necessary for maintaining data availability and business trust, especially in customer-facing operations.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Incremental migration.&lt;/strong&gt; You don’t need to rebuild everything. Evolve your current Amazon S3 data lake or reuse your existing investments in Amazon Redshift to build the data lakehouse capabilities.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h2 id="the-road-ahead"&gt;The road ahead&lt;/h2&gt; 
&lt;p&gt;BigBasket continues to innovate, now moving to adopt &lt;a href="https://aws.amazon.com/sagemaker/unified-studio/" target="_blank" rel="noopener"&gt;Amazon SageMaker Unified Studio&lt;/a&gt; to access all lakehouse components in a simplified manner across the enterprise. This next evolution will further streamline data access and accelerate insights across teams.&lt;/p&gt; 
&lt;p&gt;The company’s transformation demonstrates that with the right architecture and AWS services, organizations can turn data infrastructure challenges into competitive advantages, delivering not only better analytics but better customer experiences.&lt;/p&gt; 
&lt;p&gt;As you plan your own lakehouse implementation, use these patterns and lessons learned to accelerate your journey and avoid common pitfalls.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5616-6.jpeg" alt="Naga Sandeep Grandhi" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Naga Sandeep Grandhi&lt;/h3&gt; 
  &lt;p&gt;Sandeep is an engineering leader at BigBasket, driving data platform and cloud architecture initiatives, including the next-gen data lake built for scale, reliability, and real-time insights.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5616-7.jpeg" alt="Vikram Kumar" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Vikram Kumar&lt;/h3&gt; 
  &lt;p&gt;Vikram is a Principal Engineer at BigBasket, where he leads the data engineering team. He specializes in designing and scaling modern data platforms on AWS, enabling BigBasket to process large-scale data efficiently and power data-driven decision-making across the organization.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5616-8.png" alt="Annie Mattoo" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Annie Mattoo&lt;/h3&gt; 
  &lt;p&gt;Annie is a Sr.&amp;nbsp;Analytics Specialist at AWS, bringing over 15+ years of expertise in helping customers with their DATA &amp;amp; AI journeys. She has successfully led customer teams to seamlessly adopt AWS Data &amp;amp; AI services and has worked with Fortune 500 customers across the globe in her previous roles.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5616-9.jpeg" alt="Vineet Thapliyal" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Vineet Thapliyal&lt;/h3&gt; 
  &lt;p&gt;Vineet is an Enterprise Account Manager at Amazon Web Services (AWS) in Bengaluru, India, where he manages strategic cloud and generative AI engagements across some of India’s largest conglomerates spanning energy, retail, and technology. He is passionate about helping enterprises unlock business value through AI/ML, cloud modernization, and industry-specific innovation — from renewable energy analytics to retail transformation at scale.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5616-10.png" alt="Anirudh Chawla" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Anirudh Chawla&lt;/h3&gt; 
  &lt;p&gt;Anirudh is an Analytics Solution Architect at AWS. He helps organization empowers businesses to harness their data effectively through AWS’s analytics platform. His interest lies in building highly available distributed systems.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Accelerating log analytics at scale with AWS Glue and Apache Iceberg materialized views</title>
		<link>https://aws.amazon.com/blogs/big-data/accelerating-log-analytics-at-scale-with-aws-glue-and-apache-iceberg-materialized-views/</link>
		
		<dc:creator><![CDATA[Shinu Tharol]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 17:46:18 +0000</pubDate>
				<category><![CDATA[Advanced (300)]]></category>
		<category><![CDATA[Amazon Data Firehose]]></category>
		<category><![CDATA[AWS Glue]]></category>
		<category><![CDATA[Technical How-to]]></category>
		<category><![CDATA[Apache Iceberg]]></category>
		<guid isPermaLink="false">57a182a90e84b4a655f69000cdfdf5f3e68c64b6</guid>

					<description>In this post, you learn how to build an application log pipeline for production use with Amazon CloudWatch Logs, AWS Lambda, Amazon Data Firehose, AWS Glue, and Apache Iceberg materialized tables. You then use materialized views to accelerate query performance. This solution helps you achieve faster query response times on large-scale log data without requiring you to manage continuous data lake refresh.</description>
										<content:encoded>&lt;p&gt;Managing high-volume application logs at scale presents challenges from slow query performance and difficulty running complex aggregations to maintaining real-time analytics on streaming data. &lt;a href="https://aws.amazon.com/about-aws/whats-new/2025/11/aws-glue-apache-iceberg-based-materialized-views/" target="_blank" rel="noopener"&gt;Apache Iceberg materialized views&lt;/a&gt; with &lt;a href="https://aws.amazon.com/glue/" target="_blank" rel="noopener"&gt;AWS Glue&lt;/a&gt;, &lt;a href="https://aws.amazon.com/firehose/" target="_blank" rel="noopener"&gt;Amazon Data Firehose&lt;/a&gt;, and &lt;a href="https://docs.aws.amazon.com/lambda/latest/dg/welcome.html" target="_blank" rel="noopener"&gt;AWS Lambda&lt;/a&gt; address these challenges by accelerating log analytics through pre-computed query results.&lt;/p&gt; 
&lt;p&gt;In this post, you learn how to build an application log pipeline for production use with &lt;a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html" target="_blank" rel="noopener"&gt;Amazon CloudWatch Logs&lt;/a&gt;, AWS Lambda, Amazon Data Firehose, AWS Glue, and Apache Iceberg materialized tables. You then use materialized views to accelerate query performance. This solution helps you achieve faster query response times on large-scale log data without requiring you to manage continuous data lake refresh.&lt;/p&gt; 
&lt;h2 id="solution-overview"&gt;Solution overview&lt;/h2&gt; 
&lt;p&gt;This solution accelerates log analytics by pre-computing query results through Apache Iceberg materialized views. By querying pre-aggregated results instead of scanning raw log data for every request, you can help reduce query response times. For example, queries that previously took minutes scanning terabytes of raw data may return in seconds from the compact materialized view. Results update automatically as new logs arrive, helping you handle high-volume log streams while maintaining fast analytics performance.&lt;/p&gt; 
&lt;div id="attachment_92400" style="width: 2018px" class="wp-caption alignnone"&gt;
 &lt;img aria-describedby="caption-attachment-92400" loading="lazy" class="size-full wp-image-92400" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/bdb-5737-arch.png" alt="" width="2008" height="1102"&gt;
 &lt;p id="caption-attachment-92400" class="wp-caption-text"&gt;Architecture overview&lt;/p&gt;
&lt;/div&gt; 
&lt;p&gt;The architecture consists of AWS services working together to create a data pipeline:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Amazon CloudWatch Logs&lt;/strong&gt; receives application logs and system events, then routes them to downstream targets using CloudWatch Logs subscription filters. CloudWatch Logs has a built-in retry mechanism. If the destination service returns a retryable error, &lt;a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html" target="_blank" rel="noopener"&gt;CloudWatch Logs automatically retries&lt;/a&gt; delivery for up to 24 hours.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;AWS Lambda&lt;/strong&gt; serves as the transformation layer, parsing log messages, enriching data, and preparing records for storage.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Amazon Data Firehose&lt;/strong&gt; buffers incoming data and handles the technical requirements of writing to Apache Iceberg tables (an open-source data table format), including batch optimization, schema validation, and automatic retry logic for failed writes.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Apache Iceberg tables&lt;/strong&gt; stored in &lt;a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service&lt;/a&gt; (Amazon S3) provide &lt;a href="https://aws.amazon.com/about-aws/whats-new/2022/04/amazon-athena-acid-transactions-powered-apache-iceberg/" target="_blank" rel="noopener"&gt;ACID transaction support&lt;/a&gt;, &lt;a href="https://docs.aws.amazon.com/athena/latest/ug/querying-iceberg-evolving-table-schema.html" target="_blank" rel="noopener"&gt;schema evolution capabilities&lt;/a&gt;, and efficient query performance. Materialized views are managed tables in the AWS Glue Data Catalog that store precomputed query results in Apache Iceberg format.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;AWS Glue&lt;/strong&gt; runs a one-time job during stack creation to provision the Iceberg database, base table, and materialized view structure in the Data Catalog. A second scheduled Glue job refreshes the materialized view by recomputing aggregations from the base table on a &lt;a href="https://docs.aws.amazon.com/glue/latest/dg/monitor-data-warehouse-schedule.html" target="_blank" rel="noopener"&gt;configurable interval&lt;/a&gt; helping downstream queries through &lt;a href="https://aws.amazon.com/athena/" target="_blank" rel="noopener"&gt;Amazon Athena&lt;/a&gt; return up-to-date, pre-aggregated results without scanning raw data.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;This architecture is designed to support automatic scaling, serverless infrastructure, error handling that routes failed records to Amazon S3 for analysis and replay, capture of failed Lambda invocations for automatic retry, and real-time monitoring through Amazon CloudWatch metrics.&lt;/p&gt; 
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;/h2&gt; 
&lt;p&gt;Before you deploy the solution, review the following prerequisites.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;a href="https://aws.amazon.com/free/" target="_blank" rel="noopener"&gt;AWS account&lt;/a&gt; with necessary permissions to execute an AWS CloudFormation template, run AWS Glue jobs, run queries to verify Iceberg table data using Amazon Athena.&lt;/li&gt; 
 &lt;li&gt;Basic familiarity with &lt;a href="https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/firehose.html" target="_blank" rel="noopener"&gt;Boto3&lt;/a&gt; to understand Python code. Foundational understanding of Apache &lt;a href="https://iceberg.apache.org/" target="_blank" rel="noopener"&gt;Iceberg&lt;/a&gt; concepts.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="solution-deployment"&gt;Solution deployment&lt;/h2&gt; 
&lt;p&gt;The following deployment steps guide you through implementing this solution in your AWS account.&lt;/p&gt; 
&lt;h3 id="step-1-deploy-the-aws-cloudformation-pipeline-stack"&gt;Step 1: Deploy the AWS CloudFormation pipeline stack&lt;/h3&gt; 
&lt;p&gt;You can deploy this solution using an AWS CloudFormation stack. The template handles creating Amazon S3 buckets, uploading AWS Glue and Lambda scripts, provisioning IAM roles, configuring the Firehose delivery stream, and running the Glue job to create the Iceberg database, base table, and materialized view.&lt;/p&gt; 
&lt;p&gt;Launch the stack in the AWS CloudFormation console. Review the parameters marked REQUIRED and adjust the toggle options (&lt;code&gt;CreateScriptBucket&lt;/code&gt;, &lt;code&gt;EnableLakeFormation&lt;/code&gt;, &lt;code&gt;CreateSubscriptionLogGroup&lt;/code&gt;) based on your environment. Other parameters include preconfigured defaults that you should review for your environment. Choose the CloudFormation &lt;a href="https://github.com/aws-samples/sample-log-analytics-iceberg-mv/blob/main/cloudformation/iceberg-pipeline.yaml" target="_blank" rel="noopener"&gt;stack&lt;/a&gt; to deploy resources using the AWS CloudFormation console.&lt;/p&gt; 
&lt;div id="attachment_92401" style="width: 1882px" class="wp-caption alignnone"&gt;
 &lt;img aria-describedby="caption-attachment-92401" loading="lazy" class="size-full wp-image-92401" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/Screenshot-2026-06-30-at-7.03.21 AM.png" alt="" width="1872" height="1184"&gt;
 &lt;p id="caption-attachment-92401" class="wp-caption-text"&gt;Pipeline stack required parameters view in the AWS CloudFormation console.&lt;/p&gt;
&lt;/div&gt; 
&lt;div id="attachment_92402" style="width: 1828px" class="wp-caption alignnone"&gt;
 &lt;img aria-describedby="caption-attachment-92402" loading="lazy" class="size-full wp-image-92402" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/Screenshot-2026-06-30-at-7.03.34 AM.png" alt="" width="1818" height="1134"&gt;
 &lt;p id="caption-attachment-92402" class="wp-caption-text"&gt;Additional pipeline stack required parameters in the AWS CloudFormation console.&lt;/p&gt;
&lt;/div&gt; 
&lt;h3 id="step-2-test-the-end-to-end-pipeline"&gt;Step 2: Test the end-to-end pipeline&lt;/h3&gt; 
&lt;p&gt;Send sample log events matching the Iceberg table schema (for example, &lt;code&gt;id&lt;/code&gt;, &lt;code&gt;customer_name&lt;/code&gt;, &lt;code&gt;amount&lt;/code&gt;, and &lt;code&gt;order_date&lt;/code&gt;) to the CloudWatch log group. The subscription filter triggers the Lambda, which forwards records to Firehose for delivery into the Iceberg table.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;git clone https://github.com/aws-samples/sample-log-analytics-iceberg-mv.git
cd sample-log-analytics-iceberg-mv
python3 scripts/send_test_logs.py&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;div style="width: 610px" class="wp-caption alignnone"&gt;
 &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-5737-4.png" alt="Terminal output showing the test log event script sending sample records to the CloudWatch log group" width="600" height="264"&gt;
 &lt;p class="wp-caption-text"&gt;Execution of test events.&lt;/p&gt;
&lt;/div&gt; 
&lt;h2 id="verify-data-delivery-and-refresh-the-materialized-view"&gt;Verify data delivery and refresh the materialized view&lt;/h2&gt; 
&lt;p&gt;Allow approximately 30 seconds (learn more in &lt;a href="https://docs.aws.amazon.com/firehose/latest/dev/buffering.html" target="_blank" rel="noopener"&gt;Buffer data for dynamic partitioning&lt;/a&gt;) for the &lt;a href="https://docs.aws.amazon.com/firehose/latest/APIReference/API_BufferingHints.html" target="_blank" rel="noopener"&gt;Firehose buffer&lt;/a&gt; to flush. After the buffer flushes, run the following query in Amazon Athena to verify that data has been successfully delivered to the base table.&lt;/p&gt; 
&lt;div id="attachment_92407" style="width: 1838px" class="wp-caption alignnone"&gt;
 &lt;img aria-describedby="caption-attachment-92407" loading="lazy" class="size-full wp-image-92407" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/Screenshot-2026-06-30-at-7.07.22 AM.png" alt="" width="1828" height="1158"&gt;
 &lt;p id="caption-attachment-92407" class="wp-caption-text"&gt;Query result using Amazon Athena.&lt;/p&gt;
&lt;/div&gt; 
&lt;h2 id="automated-materialized-view-refresh"&gt;Automated materialized view refresh&lt;/h2&gt; 
&lt;p&gt;In this example, the AWS CloudFormation stack provisions a Glue job configured to run the materialized view (MV) refresh once daily at midnight UTC, meaning the MV reflects data up to the previous day. You can adjust the trigger’s cron schedule to match common MV refresh requirements such as hourly, every 15 minutes, or on demand.&lt;/p&gt; 
&lt;p&gt;The Glue job performs a full recomputation of the aggregations from the base Iceberg table and writes the results to the MV. Downstream consumers querying through Athena read from this pre-aggregated view, delivering faster performance. This is especially critical in real production scenarios where the base table contains millions of records and numerous columns. Computing aggregations directly from raw data at query time would degrade downstream application performance.&lt;/p&gt; 
&lt;div id="attachment_92405" style="width: 1846px" class="wp-caption alignnone"&gt;
 &lt;img aria-describedby="caption-attachment-92405" loading="lazy" class="wp-image-92405 size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/Screenshot-2026-06-30-at-7.04.22 AM.png" alt="" width="1836" height="656"&gt;
 &lt;p id="caption-attachment-92405" class="wp-caption-text"&gt;Job scheduled view in the AWS Glue console.&lt;/p&gt;
&lt;/div&gt; 
&lt;p&gt;In a production environment, the base Iceberg table stores every individual order event, potentially millions of rows with dozens of columns growing daily. When dashboards or downstream applications need aggregated insights like daily revenue per customer or monthly order counts by region, querying the base table directly forces Athena to scan terabytes of raw data on every request. This results in slow response times and high costs at scale. The materialized view solves this by pre-computing these business-level aggregations once during the scheduled refresh, storing the results in a compact, purpose-built table with far fewer rows and columns. This means a dashboard query that would scan millions of raw records now reads from a pre-aggregated table, designed to reduce query response time. The base table remains your source of truth for granular, row-level lookups, while the materialized view serves as the performance layer for repeated analytical queries with embedded business logic.&lt;/p&gt; 
&lt;div id="attachment_92406" style="width: 1806px" class="wp-caption alignnone"&gt;
 &lt;img aria-describedby="caption-attachment-92406" loading="lazy" class="wp-image-92406 size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/Screenshot-2026-06-30-at-7.04.36 AM.png" alt="" width="1796" height="1048"&gt;
 &lt;p id="caption-attachment-92406" class="wp-caption-text"&gt;Materialized View query result using Amazon Athena&lt;/p&gt;
&lt;/div&gt; 
&lt;h2 id="alternative-amazon-s3-tables"&gt;Alternative: Amazon S3 Tables&lt;/h2&gt; 
&lt;p&gt;This solution can also be implemented using &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables.html" target="_blank" rel="noopener"&gt;Amazon S3 Tables&lt;/a&gt;, which provides a fully managed Apache Iceberg experience with native support for &lt;a href="https://docs.aws.amazon.com/glue/latest/dg/materialized-views.html" target="_blank" rel="noopener"&gt;materialized views&lt;/a&gt;. In this post, we use the Glue-based approach to demonstrate the underlying mechanics and provide full flexibility to customize refresh logic for your specific requirements. To learn more, see &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-getting-started.html" target="_blank" rel="noopener"&gt;Getting started with S3 Tables&lt;/a&gt;.&lt;/p&gt; 
&lt;h2 id="clean-up"&gt;Clean up&lt;/h2&gt; 
&lt;p&gt;To avoid incurring future charges, delete the resources you created as part of this exercise if you are not planning to use them further. Delete the stacks created in the previous steps, then empty and delete the Amazon S3 buckets.&lt;/p&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;This solution shows how to build a scalable application log data pipeline that delivers log events from Amazon CloudWatch Logs to Apache Iceberg tables using AWS Lambda and Amazon Data Firehose. This architecture uses fully managed AWS services to minimize operational overhead while providing high availability and consistent performance.&lt;/p&gt; 
&lt;p&gt;Key strengths include serverless infrastructure designed to support automatic scaling, error handling designed to route failed records to Amazon S3 for troubleshooting and replay, and analytics capabilities through Apache Iceberg’s &lt;a href="https://aws.amazon.com/compare/the-difference-between-acid-and-base-database/" target="_blank" rel="noopener"&gt;ACID transactions&lt;/a&gt; and query performance optimizations. As you move this solution into production, we recommend that you implement &lt;a href="https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html" target="_blank" rel="noopener"&gt;data quality checks&lt;/a&gt; in Lambda and configure encryption at &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html" target="_blank" rel="noopener"&gt;rest&lt;/a&gt; and in &lt;a href="https://docs.aws.amazon.com/firehose/latest/dev/encryption.html" target="_blank" rel="noopener"&gt;transit&lt;/a&gt; for your data. You can also establish &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html" target="_blank" rel="noopener"&gt;data retention policies&lt;/a&gt; and explore &lt;a href="https://docs.aws.amazon.com/glue/latest/dg/aws-glue-programming-etl-partitions.html" target="_blank" rel="noopener"&gt;partitioning strategies&lt;/a&gt; for better query performance.&lt;/p&gt; 
&lt;p&gt;You now have a log analytics pipeline built for production use that scales with your workload.&lt;/p&gt; 
&lt;h2 id="additional-resources"&gt;Additional resources&lt;/h2&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html" target="_blank" rel="noopener"&gt;Amazon Data Firehose documentation&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/glue/latest/dg/aws-glue-programming-etl-format-iceberg.html" target="_blank" rel="noopener"&gt;Apache Iceberg on AWS Glue Data Catalog&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/athena/latest/ug/performance-tuning.html" target="_blank" rel="noopener"&gt;Amazon Athena query optimization guide&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html" target="_blank" rel="noopener"&gt;CloudWatch Logs subscription filters&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the author&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-5737-8.jpeg" alt="Shinu Tharol" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Shinu Tharol&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/shinu-tharol-5575721a/" target="_blank" rel="noopener"&gt;Shinu&lt;/a&gt; is a Technical Account Manager at AWS, delivering technical guidance and strategic support to enterprise customers. His expertise includes cloud operations, artificial intelligence, data analytics, and cloud cost optimization, enabling customers to maximize their AWS investments while maintaining operational excellence.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Serverless analytics pipelines using the Apache Spark engine in Amazon Athena</title>
		<link>https://aws.amazon.com/blogs/big-data/serverless-analytics-pipelines-using-the-apache-spark-engine-in-amazon-athena/</link>
		
		<dc:creator><![CDATA[Avichay Marciano]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 16:27:58 +0000</pubDate>
				<category><![CDATA[Advanced (300)]]></category>
		<category><![CDATA[Amazon Athena]]></category>
		<category><![CDATA[Technical How-to]]></category>
		<guid isPermaLink="false">2876394f93e8d30ac391f1585e34a4f5544b2c45</guid>

					<description>This post shows how developers, data engineers, and analysts can connect to a secure Spark Connect endpoint in Athena with Apache Spark. You can use your preferred tools, such as Jupyter notebooks, VS Code, or dbt with Apache Airflow, without managing cluster lifecycle or scaling.</description>
										<content:encoded>&lt;p&gt;Building and maintaining clusters for data processing with Apache Spark has long been a pain point for organizations of all sizes. Traditional deployments require significant operational overhead and present multiple challenges that slow down time-to-insight and increase total cost of ownership. In this post, we will demonstrate three integration patterns that let data teams focus on analytics instead of infrastructure management.&lt;/p&gt; 
&lt;p&gt;Consider the typical experience of data teams working with self-managed Spark clusters:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Infrastructure complexity&lt;/strong&gt; – Teams must manage Amazon Elastic Compute Cloud (Amazon EC2) instances, networking, security groups, and cluster configurations across development, staging, and production environments.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Cost unpredictability&lt;/strong&gt; – Idle clusters continue consuming resources and generating bills, while automatic scaling policies often lag behind actual demand patterns.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Operational burden&lt;/strong&gt; – DevOps teams spend significant time patching, monitoring, and troubleshooting cluster health issues.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Development friction&lt;/strong&gt; – Data scientists and engineers must wait for cluster provisioning before they can begin exploratory analysis, slowing down iterative development cycles.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Interactive workload challenges&lt;/strong&gt; – Managing interactive Spark workloads typically requires additional components, exposing specific ports, and complex network configurations.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;These challenges become especially pronounced when organizations need to support multiple concurrent workloads: notebooks for data scientists, scheduled pipelines for data engineers, and ad hoc queries for analysts. The traditional approach encourages teams to choose between maintaining multiple clusters (expensive) or sharing resources (contentious) while maintaining fixed endpoint connectivity for interactive workloads (usually exposing JDBC ports for the Thrift protocol).&lt;/p&gt; 
&lt;p&gt;The &lt;a href="https://aws.amazon.com/athena" target="_blank" rel="noopener"&gt;Apache Spark engine in Amazon Athena&lt;/a&gt; addresses these operational challenges by providing a fully managed, serverless Spark execution environment. Built on Firecracker micro-VMs (AWS’s lightweight virtualization technology) and running the AWS-optimized Spark 3.5.6 engine with &lt;a href="https://spark.apache.org/docs/latest/spark-connect-overview.html" target="_blank" rel="noopener"&gt;Spark Connect&lt;/a&gt; support, Athena with Apache Spark launches and scales in seconds, reducing costs for unpredictable workloads and infrastructure operational overhead.&lt;/p&gt; 
&lt;p&gt;Athena with Apache Spark is already integrated as a compute engine within &lt;a href="https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-athena-apache-spark-sagemaker-notebooks/" target="_blank" rel="noopener"&gt;Amazon SageMaker Unified Studio notebooks&lt;/a&gt;, providing rapid startup and scaling, making it ideal for ad hoc data exploration and transformations.&lt;/p&gt; 
&lt;p&gt;This post shows how developers, data engineers, and analysts can connect to a secure Spark Connect endpoint in Athena with Apache Spark. You can use your preferred tools, such as Jupyter notebooks, VS Code, or dbt with Apache Airflow, without managing cluster lifecycle or scaling.&lt;/p&gt; 
&lt;h2 id="solution-overview"&gt;Solution overview&lt;/h2&gt; 
&lt;p&gt;We explore three integration patterns that demonstrate how the flexibility of Athena with Apache Spark can reduce operational overhead and accelerate innovation with on-demand resource readiness:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Pattern A: Interactive analysis with Jupyter notebooks&lt;/strong&gt; – Data scientists connect notebooks directly to Athena with Apache Spark for exploratory analysis and feature engineering.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Pattern B: Local development with VS Code&lt;/strong&gt; – Software engineers develop Spark applications in their preferred IDE (integrated development environment) while executing on serverless compute.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Pattern C: Scheduled pipelines with dbt + Apache Airflow&lt;/strong&gt; – Data engineers run production transformation pipelines with proper orchestration and session lifecycle management.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The following diagram illustrates the high-level architecture for connecting to Athena with Apache Spark using Spark Connect.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-5702-1.png" alt="Architecture for connecting to Athena with Apache Spark through a Spark Connect endpoint from Jupyter notebooks, VS Code, and dbt with Airflow" width="600"&gt;&lt;/p&gt; 
&lt;h2 id="whats-new-in-the-apache-spark-engine-in-amazon-athena"&gt;What’s new in the Apache Spark engine in Amazon Athena&lt;/h2&gt; 
&lt;p&gt;In November 2025, the Apache Spark engine in Amazon Athena released a significant update with rapid session creation times and capabilities that weren’t possible with previous iterations:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Secure Spark Connect&lt;/strong&gt; – Adds Spark Connect as a fully managed, authenticated, and authorized AWS endpoint for remote connectivity from Spark-compatible tools. For more information, see &lt;a href="https://docs.aws.amazon.com/athena/latest/ug/notebooks-spark-connect.html" target="_blank" rel="noopener"&gt;Spark Connect support&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Session-level cost attribution&lt;/strong&gt; – Track costs per interactive session in AWS Cost Explorer or Cost and Usage Reports for granular chargeback and budgeting. For more information, see &lt;a href="https://docs.aws.amazon.com/athena/latest/ug/notebooks-spark-cost-attribution.html" target="_blank" rel="noopener"&gt;Session level cost attribution&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Advanced debugging capabilities&lt;/strong&gt; – Live Spark UI and Spark History Server support for debugging workloads from both APIs and notebooks. For more information, see &lt;a href="https://docs.aws.amazon.com/athena/latest/ug/notebooks-spark-ui-access.html" target="_blank" rel="noopener"&gt;Accessing the Spark UI&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;AWS Lake Formation integration&lt;/strong&gt; – Access AWS Glue Data Catalog tables secured by AWS Lake Formation. For more information, see &lt;a href="https://docs.aws.amazon.com/athena/latest/ug/notebooks-spark-lakeformation.html" target="_blank" rel="noopener"&gt;Using Lake Formation with Athena for Spark workgroups&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;/h2&gt; 
&lt;p&gt;To implement this solution, you need the following:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;An AWS account with permissions for Amazon Athena, &lt;a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3)&lt;/a&gt;, and AWS Glue.&lt;/li&gt; 
 &lt;li&gt;An Athena with Apache Spark workgroup configured with the latest Spark 3.5.6 engine.&lt;/li&gt; 
 &lt;li&gt;Python 3.9+ installed locally.&lt;/li&gt; 
 &lt;li&gt;AWS credentials configured.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Note: This tutorial creates AWS resources that incur charges, including Athena sessions (charged per DPU-hour), Amazon S3 storage, and data transfer. Athena sessions are charged while active, even if idle within the timeout period. Follow the cleanup instructions at the end of this post to avoid ongoing charges.&lt;/p&gt; 
&lt;h2 id="provisioning-workflow-overview"&gt;Provisioning workflow overview&lt;/h2&gt; 
&lt;p&gt;The workflow for using the Apache Spark engine in Amazon Athena with Spark Connect follows these steps:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;Create the session&lt;/strong&gt; – Use the AWS API (&lt;a href="https://docs.aws.amazon.com/athena/latest/APIReference/API_StartSession.html" target="_blank" rel="noopener"&gt;start_session&lt;/a&gt;) to initialize a Spark session. The Spark driver is immediately ready to process requests (no JVM startup time).&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Get the Spark Connect endpoint&lt;/strong&gt; – Retrieve the endpoint URL and authentication token using &lt;a href="https://docs.aws.amazon.com/athena/latest/APIReference/API_GetSessionEndpoint.html" target="_blank" rel="noopener"&gt;get_session_endpoint&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Configure Your Tools&lt;/strong&gt; – Set the &lt;code&gt;SPARK_REMOTE&lt;/code&gt; environment variable or configure your tool with the Spark Connect URL.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Run Processing Steps&lt;/strong&gt; – Run your Spark code as you normally would, but in a fully serverless environment that scales automatically based on your needs.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Monitor via Spark UI&lt;/strong&gt; – Access the live Spark UI for debugging and performance monitoring using &lt;a href="https://docs.aws.amazon.com/athena/latest/APIReference/API_GetResourceDashboard.html" target="_blank" rel="noopener"&gt;get_resource_dashboard&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Terminate the session&lt;/strong&gt; – Clean up resources when finished using &lt;a href="https://docs.aws.amazon.com/athena/latest/APIReference/API_TerminateSession.html" target="_blank" rel="noopener"&gt;terminate_session&lt;/a&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;By default, the session is configured with autoscaling using Spark Dynamic Resource Allocation up to 60 workers and an idle timeout of 20 minutes. You can change the default configuration at the workgroup level when creating it (&lt;a href="https://docs.aws.amazon.com/athena/latest/APIReference/API_CreateWorkGroup.html" target="_blank" rel="noopener"&gt;create_work_group&lt;/a&gt; API) or when creating the session (&lt;a href="https://docs.aws.amazon.com/athena/latest/APIReference/API_StartSession.html" target="_blank" rel="noopener"&gt;start_session&lt;/a&gt; API).&lt;/p&gt; 
&lt;h3 id="pattern-a-interactive-analysis-with-jupyter-notebooks"&gt;Pattern A: Interactive analysis with Jupyter notebooks&lt;/h3&gt; 
&lt;p&gt;The Jupyter notebook integration provides an interactive environment for exploratory data analysis, feature engineering, and model preparation. Notebooks connect directly to Athena with Apache Spark sessions for rapid iteration without cluster management.&lt;/p&gt; 
&lt;h4 id="set-up-the-environment"&gt;Set up the environment&lt;/h4&gt; 
&lt;p&gt;Create and activate a Python virtual environment, then install the required dependencies and start JupyterLab:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;python -m venv athena
source ./athena/bin/activate
pip install jupyterlab
pip install "pyspark[connect]==3.5.6"
pip install boto3
python -m jupyterlab&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="create-an-athena-with-apache-spark-workgroup"&gt;Create an Athena with Apache Spark workgroup&lt;/h4&gt; 
&lt;p&gt;Before connecting, create an Athena with Apache Spark workgroup on the AWS Management Console:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Navigate to &lt;strong&gt;Amazon Athena&lt;/strong&gt; → &lt;strong&gt;Workgroups&lt;/strong&gt; → &lt;strong&gt;Create workgroup&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Select &lt;strong&gt;Apache Spark&lt;/strong&gt; as the analytics engine.&lt;/li&gt; 
 &lt;li&gt;Choose the &lt;strong&gt;Spark 3.5.6&lt;/strong&gt; engine version.&lt;/li&gt; 
 &lt;li&gt;Configure the IAM role for the workgroup.&lt;/li&gt; 
 &lt;li&gt;Configure the Amazon S3 output location.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;strong&gt;Note: If you used Athena with Apache Spark previously, you need to create a new workgroup to use the latest version with Spark Connect support.&lt;/strong&gt;&lt;/p&gt; 
&lt;h4 id="create-a-session-and-connect"&gt;Create a session and connect&lt;/h4&gt; 
&lt;p&gt;In your Jupyter notebook, use boto3 to create a session and establish the Spark Connect connection:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;import boto3

# Initialize the Athena client
client = boto3.client('athena', region_name='us-east-1') # Replace with your region

# Start a new Spark session
response=client.start_session(
    WorkGroup='your-workgroup-name',
    EngineConfiguration={}
)
session_id=response['SessionId']
print(f"Session created: {session_id}")

# Get the session endpoint and authentication token
response=client.get_session_endpoint(SessionId=session_id)
authtoken=response['AuthToken']
endpoint_url=response['EndpointUrl']

# Build the Spark Connect URL
endpoint_url=endpoint_url.replace("https", "sc") + ":443/;use_ssl=true;"
url_with_headers=f"{endpoint_url}x-aws-proxy-auth={authtoken}"

# Create the Spark session
from pyspark.sql import SparkSession
from pyspark.sql.functions import col, rand, sum, avg, count

spark = SparkSession.builder \
    .remote(url_with_headers) \
    .getOrCreate()

# Verify the connection
spark.sql("SELECT 1").show()&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="run-queries-and-observe-automatic-scaling"&gt;Run queries and observe automatic scaling&lt;/h4&gt; 
&lt;p&gt;Generate a larger dataset to trigger executor scaling. You can monitor the scaling behavior through the Spark UI:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;# Generate large dataset to trigger executor scaling
large_data = spark.range(0, 10000000, numPartitions=100)

# Heavy computation that will require more executors
result=large_data.select(
    col("id"),
    (col("id") * col("id")).alias("squared"),
    rand().alias("random")
).groupBy((col("id") % 1000).alias("group")).agg(
    sum("squared").alias("sum_squared"),
    avg("random").alias("avg_random"),
    count("*").alias("count")
).orderBy("group")

result.show()&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="access-the-spark-ui"&gt;Access the Spark UI&lt;/h4&gt; 
&lt;p&gt;Each session comes with a secure URL serving the Spark UI, to monitor and debug applications:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;import os

# Get account ID
sts=boto3.client("sts")
account_id=sts.get_caller_identity()["Account"]

# Build session ARN
partition=os.environ.get("AWS_PARTITION", "aws")
region="us-east-1"
workgroup="your-workgroup-name"
session_arn=f"arn:{partition}:athena:{region}:{account_id}:workgroup/{workgroup}/session/{session_id}"

# Get Spark UI URL
ui_response=client.get_resource_dashboard(ResourceARN=session_arn)
print(f"Spark UI: {ui_response['Url']}")&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h3 id="pattern-b-local-development-with-vs-code"&gt;Pattern B: Local development with VS Code&lt;/h3&gt; 
&lt;p&gt;VS Code integration lets you develop Spark applications locally in your preferred IDE while executing on Amazon Athena with Apache Spark compute. This pattern is ideal for building reusable libraries, testing transformations, and developing production-ready code.&lt;/p&gt; 
&lt;h4 id="set-up-the-environment-1"&gt;Set up the environment&lt;/h4&gt; 
&lt;p&gt;Create a virtual environment and install dependencies:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;python -m venv athena-vscode
source ./athena-vscode/bin/activate
pip install "pyspark[connect]==3.5.6"
pip install boto3&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="connect-from-vs-code"&gt;Connect from VS Code&lt;/h4&gt; 
&lt;p&gt;The workflow is identical to Pattern A. You start a session with &lt;code&gt;boto3&lt;/code&gt;, build the Spark Connect URL, and create a &lt;code&gt;SparkSession&lt;/code&gt;. The key difference is setting the &lt;code&gt;SPARK_REMOTE&lt;/code&gt; environment variable, which allows &lt;code&gt;SparkSession.builder.getOrCreate()&lt;/code&gt; to connect automatically:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;import os
import boto3

# Start session and get endpoint (same as Pattern A)
client=boto3.client('athena', region_name='us-east-1')
response=client.start_session(WorkGroup='your-workgroup', EngineConfiguration={})
session_id=response['SessionId']
response=client.get_session_endpoint(SessionId=session_id)
endpoint_url=response['EndpointUrl'].replace("https", "sc") + ":443/;use_ssl=true;"
spark_remote=f"{endpoint_url}x-aws-proxy-auth={response['AuthToken']}"

# Set environment variable for automatic connection
os.environ["SPARK_REMOTE"]=spark_remote

# Now SparkSession connects automatically
from pyspark.sql import SparkSession
spark=SparkSession.builder.getOrCreate()&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Note: The &lt;code&gt;SPARK_REMOTE&lt;/code&gt; URL contains a short-lived authentication token that expires with the session. For production workloads, retrieve the token on demand using &lt;code&gt;get_session_endpoint()&lt;/code&gt; rather than storing it persistently. Avoid logging or persisting this value.&lt;/p&gt; 
&lt;p&gt;This same pattern works with most Spark-compatible development environments. AI coding assistants like Claude Code, Cursor, and Kiro benefit particularly well from this approach. The ability to spin up a fresh Athena with Apache Spark session in seconds means developers can rapidly iterate on generated code and test transformations immediately. They can tear down sessions when done, without maintaining a persistent cluster between coding sessions.&lt;/p&gt; 
&lt;h3 id="pattern-c-scheduled-pipelines-with-dbt-airflow"&gt;Pattern C: Scheduled pipelines with dbt + Airflow&lt;/h3&gt; 
&lt;p&gt;For production data pipelines, combining dbt (data build tool) with Apache Airflow orchestration provides a robust, version-controlled approach to managing complex transformation workflows. Athena with Apache Spark executes the dbt models with serverless compute, eliminating cluster management overhead.&lt;/p&gt; 
&lt;h4 id="install-dependencies"&gt;Install dependencies&lt;/h4&gt; 
&lt;p&gt;The key dependencies for dbt with Athena with Apache Spark must be installed in the correct order:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;pip install pyspark[connect]==3.5.6 # Install first to ensure correct version
pip install dbt-spark[session]
pip install setuptools&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Important: Install &lt;code&gt;pyspark[connect]==3.5.6&lt;/code&gt; first to make sure dbt uses the compatible PySpark version.&lt;/p&gt; 
&lt;h4 id="configure-dbt-profile"&gt;Configure dbt profile&lt;/h4&gt; 
&lt;p&gt;Configure dbt to use Spark Connect with a session-based connection. Create a &lt;code&gt;profiles.yml&lt;/code&gt; file:&lt;/p&gt; 
&lt;p&gt;The &lt;code&gt;method: session&lt;/code&gt; configuration uses a local Spark session. When &lt;code&gt;pyspark[connect]==3.5.6&lt;/code&gt; is installed and the &lt;code&gt;SPARK_REMOTE&lt;/code&gt; environment variable is set, dbt automatically connects through Spark Connect.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-yaml"&gt;spark_connect_profile:
  target: dev
  outputs:
    dev:
      type: spark
      method: session
      schema: default
      database: default
      host: NA # Ignored by method=session
      user: dummy # Placeholder
      connect_timeout: 30
      connect_retries: 0&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="create-a-dbt-model"&gt;Create a dbt model&lt;/h4&gt; 
&lt;p&gt;Create a dbt model that writes to Apache Iceberg format (models/bucketed_data.sql):&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;{{ config(
    materialized='table',
    file_format='iceberg',
    catalog='iceberg',
    location_root='s3://your-bucket/iceberg-tables'
) }}

WITH numbers AS (
    SELECT id
    FROM range(0, 100000)
),
buckets AS (
    SELECT
        id,
        id % 10 AS bucket,
        current_timestamp() AS created_at
    FROM numbers
)
SELECT * FROM buckets&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="integrate-with-airflow"&gt;Integrate with Airflow&lt;/h4&gt; 
&lt;p&gt;For production deployments, integrate with Apache Airflow (or &lt;a href="https://aws.amazon.com/managed-workflows-for-apache-airflow" target="_blank" rel="noopener"&gt;Amazon Managed Workflows for Apache Airflow (Amazon MWAA)&lt;/a&gt;) to orchestrate dbt runs with proper session lifecycle management.&lt;/p&gt; 
&lt;p&gt;The DAG follows this pattern:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;setup_athena_session&lt;/strong&gt; – A &lt;code&gt;PythonOperator&lt;/code&gt; that starts the session and pushes &lt;code&gt;spark_remote_url&lt;/code&gt; to XCom.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;run_dbt&lt;/strong&gt; – A &lt;code&gt;BashOperator&lt;/code&gt; that sets &lt;code&gt;SPARK_REMOTE&lt;/code&gt; from XCom and runs dbt.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;terminate_athena_session&lt;/strong&gt; – A &lt;code&gt;PythonOperator&lt;/code&gt; with &lt;code&gt;trigger_rule=ALL_DONE&lt;/code&gt; to make sure cleanup runs even on failure.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;from airflow import DAG
from airflow.operators.python import PythonOperator
from airflow.operators.bash import BashOperator
from airflow.utils.trigger_rule import TriggerRule
from datetime import datetime

with DAG(
    dag_id="athena_dbt_pipeline",
    schedule="@daily",
    catchup=False,
    start_date=datetime(2025, 1, 1),
) as dag:

    setup_session=PythonOperator(
        task_id="setup_athena_session",
        python_callable=setup_athena_session, # similar boto3 flow demonstrated earlier
    )

    run_dbt=BashOperator(
        task_id="run_dbt",
        bash_command="""
        export SPARK_REMOTE="{{ (ti.xcom_pull(task_ids='setup_athena_session') or {}).get('spark_remote_url', '') }}"
        source /path/to/dbt-env/bin/activate
        dbt run --project-dir . --profiles-dir .
        """
    )

    close_session=PythonOperator(
        task_id="terminate_athena_session",
        python_callable=terminate_athena_session,
        trigger_rule=TriggerRule.ALL_DONE,
    )

    setup_session &amp;gt;&amp;gt; run_dbt &amp;gt;&amp;gt; close_session&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h2 id="security-and-best-practices"&gt;Security and best practices&lt;/h2&gt; 
&lt;p&gt;When you connect to Athena with Apache Spark, follow these practices to protect your data and credentials.&lt;/p&gt; 
&lt;h3 id="spark-connect-security"&gt;Spark Connect security&lt;/h3&gt; 
&lt;p&gt;Athena with Apache Spark uses Spark Connect to securely transmit queries and receive results. All communication is encrypted end-to-end using TLS 1.2+. Session tokens are short-lived and automatically rotated.&lt;/p&gt; 
&lt;p&gt;Recommendations:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Use IAM roles for authentication rather than long-lived credentials.&lt;/li&gt; 
 &lt;li&gt;Session tokens have a limited lifetime, so refresh them for long-running operations.&lt;/li&gt; 
 &lt;li&gt;Monitor Spark Connect activity in AWS CloudTrail for audit compliance.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="iam-permissions"&gt;IAM permissions&lt;/h3&gt; 
&lt;p&gt;Implement least-privilege IAM policies. At minimum, the following permissions are required:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;code&gt;athena:StartSession&lt;/code&gt;, &lt;code&gt;athena:TerminateSession&lt;/code&gt;, &lt;code&gt;athena:GetSession&lt;/code&gt;, &lt;code&gt;athena:GetSessionEndpoint&lt;/code&gt;, and &lt;code&gt;athena:GetResourceDashboard&lt;/code&gt; on your workgroup.&lt;/li&gt; 
 &lt;li&gt;Amazon S3 permissions for your data buckets.&lt;/li&gt; 
 &lt;li&gt;AWS Glue Data Catalog permissions for your database and table access.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="clean-up"&gt;Clean up&lt;/h2&gt; 
&lt;p&gt;To avoid ongoing charges, remove the resources created during this walkthrough:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Terminate any active Athena sessions: 
  &lt;div class="hide-language"&gt; 
   &lt;pre&gt;&lt;code class="language-bash"&gt;aws athena terminate-session --session-id &amp;lt;your-session-id&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
  &lt;/div&gt; &lt;/li&gt; 
 &lt;li&gt;Delete the Athena workgroup you created for this tutorial using the Amazon Athena console or the DeleteWorkGroup API.&lt;/li&gt; 
 &lt;li&gt;Remove Amazon S3 objects created during testing, including query results and Iceberg table data at your configured output location. Data written to Amazon S3 persists after session termination and continues to incur storage costs.&lt;/li&gt; 
 &lt;li&gt;Delete any IAM roles created specifically for this walkthrough.&lt;/li&gt; 
 &lt;li&gt;Remove any AWS Glue Data Catalog databases and tables created during testing.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;The Apache Spark engine in Amazon Athena with Spark Connect support transforms how teams build and operate Spark workloads. By eliminating cluster management overhead and providing near-instant, serverless compute, data teams can focus on delivering insights rather than managing infrastructure.&lt;/p&gt; 
&lt;p&gt;The three patterns covered in this post demonstrate the flexibility of Athena with Apache Spark:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Pattern A (Jupyter notebooks)&lt;/strong&gt; – Ideal for data scientists doing exploratory analysis and feature engineering.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Pattern B (VS Code)&lt;/strong&gt; – Well-suited for software engineers building production-ready Spark applications.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Pattern C (dbt + Airflow)&lt;/strong&gt; – Well-suited for data engineers running scheduled, version-controlled transformation pipelines.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;With rapid session creation, automatic scaling, and pay-per-use pricing, Athena with Apache Spark provides a compelling alternative to self-managed Spark clusters.&lt;/p&gt; 
&lt;h2 id="additional-resources"&gt;Additional resources&lt;/h2&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/athena/latest/ug/notebooks-spark.html" target="_blank" rel="noopener"&gt;Amazon Athena for Apache Spark Documentation&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/athena/latest/ug/notebooks-spark-release-versions.html#notebooks-spark-release-versions-spark-35" target="_blank" rel="noopener"&gt;Spark 3.5.6 Release Notes&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-5702-2.jpg" alt="Avichay Marciano" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Avichay Marciano&lt;/h3&gt; 
  &lt;p&gt;Avichay is a Sr.&amp;nbsp;Analytics Solutions Architect at Amazon Web Services. He has over a decade of experience in building large-scale data platforms using Apache Spark, modern data lake architectures, and OpenSearch. He is passionate about data-intensive systems, analytics at scale, and it’s intersection with machine learning.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-5702-3.png" alt="Vincent Gromakowski" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Vincent Gromakowski&lt;/h3&gt; 
  &lt;p&gt;Vincent is an Analytics Specialist Solutions Architect at AWS where he enjoys solving customers’ analytics, NoSQL, and streaming challenges. He has a strong expertise on distributed data processing engines and resource orchestration platform.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-5702-4.jpg" alt="Vova Nevski" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Vova Nevski&lt;/h3&gt; 
  &lt;p&gt;Vova Nevski is a Senior Analytics Specialist Solutions Architect at AWS with more than 15 years of experience in the data and analytics domain. He partners with AWS customers to design and build solutions best suited to their unique needs.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Deploy modern data platforms in minutes with MDAA</title>
		<link>https://aws.amazon.com/blogs/big-data/deploy-modern-data-platforms-in-minutes-with-mdaa/</link>
		
		<dc:creator><![CDATA[Sudeshna Dash]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 16:26:28 +0000</pubDate>
				<category><![CDATA[Amazon Athena]]></category>
		<category><![CDATA[Amazon Bedrock]]></category>
		<category><![CDATA[Amazon CloudWatch]]></category>
		<category><![CDATA[Amazon EMR]]></category>
		<category><![CDATA[Amazon Kinesis]]></category>
		<category><![CDATA[Amazon Managed Streaming for Apache Kafka (Amazon MSK)]]></category>
		<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[Amazon SageMaker Lakehouse]]></category>
		<category><![CDATA[Amazon Simple Storage Service (S3)]]></category>
		<category><![CDATA[AWS CloudTrail]]></category>
		<category><![CDATA[AWS Glue]]></category>
		<category><![CDATA[AWS Key Management Service]]></category>
		<category><![CDATA[AWS Lake Formation]]></category>
		<category><![CDATA[AWS Lambda]]></category>
		<category><![CDATA[Customer Solutions]]></category>
		<category><![CDATA[Intermediate (200)]]></category>
		<category><![CDATA[Partner solutions]]></category>
		<guid isPermaLink="false">141e9889a12aca721c86612552b0102185055270</guid>

					<description>In this post, we explore how MDAA transforms data architecture development from months of manual coding to production-ready deployment through configuration-driven infrastructure and embedded governance, examine a real customer transformation, and provide a clear implementation pathway for your own data modernization journey.</description>
										<content:encoded>&lt;p&gt;Modern Data Architecture Accelerator (MDAA) is an &lt;a href="https://github.com/aws/modern-data-architecture-accelerator" target="_blank" rel="noopener"&gt;open source framework&lt;/a&gt; that replaces infrastructure code with concise YAML configuration, so your team can deploy a governed, production-ready data architecture, reducing deployment time from months to weeks (depending on complexity and team experience).&lt;/p&gt; 
&lt;p&gt;Organizations building modern data architecture on AWS face a critical challenge: deploying production-ready, governed infrastructure traditionally requires 6–12 months of custom development, thousands of lines of infrastructure code, and continuous remediation cycles to maintain security and compliance. Governance is often added incrementally, treated as an afterthought that creates compliance gaps and engineering rework.&lt;/p&gt; 
&lt;p&gt;MDAA addresses this by replacing infrastructure code with concise YAML configuration, achieving up to 97.6 percent code reduction (from approximately 1,800 lines of AWS CloudFormation to 45 lines of MDAA YAML) while embedding governance from the start. The complete &lt;a href="https://github.com/aws/modern-data-architecture-accelerator/tree/main/starter_kits/governed_lakehouse" target="_blank" rel="noopener"&gt;Governed Lakehouse Starter Kit&lt;/a&gt; deploys 491 AWS resources across 12 stacks from approximately 450 lines of YAML configuration, representing a 66x verbosity ratio where each line automatically expands into production-ready infrastructure.&lt;/p&gt; 
&lt;p&gt;In this post, we explore how MDAA transforms data architecture development from months of manual coding to production-ready deployment through configuration-driven infrastructure and embedded governance, examine a real customer transformation, and provide a clear implementation pathway for your own data modernization journey.&lt;/p&gt; 
&lt;h2 id="customer-use-case-and-challenge"&gt;Customer use case and challenge&lt;/h2&gt; 
&lt;p&gt;A university system office needed to modernize its analytics architecture across 17 campuses while managing sensitive educational data. Their third-party dependency created bottlenecks that slowed feature implementation from weeks to months, and their IT team lacked the cloud skillsets to build modern infrastructure independently.&lt;/p&gt; 
&lt;p&gt;With MDAA, they achieved:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;95 percent reduction in time-to-value for dashboard and feature implementation (from weeks to hours).&lt;/li&gt; 
 &lt;li&gt;17 campuses integrated into a unified, secure architecture.&lt;/li&gt; 
 &lt;li&gt;7.2TB of data and over 8,000 dashboards migrated successfully.&lt;/li&gt; 
 &lt;li&gt;Significant cost savings by removing third-party dependencies and reducing license costs.&lt;/li&gt; 
 &lt;li&gt;Enhanced security posture for external stakeholders accessing sensitive educational data.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/BDB-5798-1.png" alt="" width="800"&gt;&lt;/p&gt; 
&lt;p&gt;The team used MDAA to implement a modernization strategy with continuous integration and continuous delivery (CI/CD) for automated deployment. The architecture now supports rapid response to stakeholder requests while maintaining strict data governance through &lt;a href="https://aws.amazon.com/lake-formation/" target="_blank" rel="noopener"&gt;AWS Lake Formation&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Their transformation demonstrates what becomes possible when governance is embedded from launch rather than added incrementally, moving from months-long manual development to weeks of production-ready deployment through configuration-driven infrastructure.&lt;/p&gt; 
&lt;h2 id="solution-mdaa-and-its-value-propositions"&gt;Solution: MDAA and its value propositions&lt;/h2&gt; 
&lt;p&gt;MDAA’s capabilities stem from its modular, composable architecture. The accelerator provides over 40 pre-built modules that encapsulate AWS best practices for security, governance, and operational excellence. Organizations describe the outcomes they want in MDAA-specific YAML configuration files (not CloudFormation or Terraform YAML) and the accelerator automatically translates these configurations into AWS Cloud Development Kit (AWS CDK) constructs, which then deploy via CloudFormation with embedded governance.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/BDB-5798-2.png" alt="" width="800"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Configuration over code&lt;/strong&gt;. The MDAA framework takes a fundamentally different approach: describe the outcomes you want in YAML, and the accelerator deploys production-ready infrastructure with embedded governance. Consider deploying a governed data lake where fraud detection teams need write access to transaction data, while marketing analytics teams require read-only access to customer behavior data. Traditional approaches require over 1,800 lines of CloudFormation across &lt;a href="https://aws.amazon.com/s3/customers/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3) buckets&lt;/a&gt;, &lt;a href="https://aws.amazon.com/kms/" target="_blank" rel="noopener"&gt;AWS Key Management Service (AWS KMS)&lt;/a&gt; keys, AWS Identity and Access Management (IAM) policies, and Lake Formation permissions. With MDAA, the same governed data lake is expressed in 45 lines of configuration, a 97.6 percent reduction, while helping you apply encryption, least-privilege access, and cross-account governance as built-in defaults.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/BDB-5798-3.jpg" alt="" width="800"&gt;&lt;/p&gt; 
&lt;p&gt;The configuration deploys multi-zone S3 storage with &lt;a href="https://aws.amazon.com/kms/" target="_blank" rel="noopener"&gt;KMS encryption&lt;/a&gt;, Lake Formation permissions with tag-based access control (TBAC) enabled, &lt;a href="https://aws.amazon.com/sagemaker/unified-studio/" target="_blank" rel="noopener"&gt;Amazon SageMaker Unified Studio&lt;/a&gt; for data product discovery, and encrypted &lt;a href="https://aws.amazon.com/glue/" target="_blank" rel="noopener"&gt;AWS Glue&lt;/a&gt; Data Catalog with automated crawlers. All permissions flow through Lake Formation rather than individual IAM policies.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Embedded governance from day one.&lt;/strong&gt; Governance is declared in YAML and deployed alongside infrastructure from the first run. Fine-grained access controls, encrypted data catalogs, data quality validation, audit trails, and sensitive data classification are all part of the same configuration. MDAA’s &lt;a href="https://github.com/aws/modern-data-architecture-accelerator/tree/main/starter_kits/governed_lakehouse" target="_blank" rel="noopener"&gt;Governed Lakehouse starter kit&lt;/a&gt; defines an entire governed data architecture in roughly 450 lines of YAML, which produces approximately 29,700 lines of CloudFormation across 12 stacks (a 98.5 percent reduction in infrastructure code).&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Modular, composable architecture.&lt;/strong&gt; Each module is purpose-built to handle a specific capability within the data architecture. Modules communicate through &lt;a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html" target="_blank" rel="noopener"&gt;AWS Systems Manager Parameter Store&lt;/a&gt;, passing resource identifiers (Amazon Resource Names (ARNs), IDs, and names) between stacks. This approach removes hardcoded dependencies. A KMS key created in one module can be referenced by another through parameter resolution, with all dependencies resolved automatically at deployment time.&lt;/p&gt; 
&lt;p&gt;The diagram illustrates the deployed architecture and team-level access flow that MDAA generates from the 45-line configuration.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/BDB-5798-4.png" alt="" width="800"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Progressive architecture patterns.&lt;/strong&gt; MDAA provides four reference architecture patterns that align to progressive stages of data infrastructure maturity:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;a href="https://github.com/aws/modern-data-architecture-accelerator/tree/main/starter_kits/basic_datalake" target="_blank" rel="noopener"&gt;&lt;strong&gt;Basic Data Lake&lt;/strong&gt;&lt;/a&gt; deploys a governed data lake with built-in security controls, data quality checks, centralized metadata management using AWS Lake Formation and AWS Glue.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://github.com/aws/modern-data-architecture-accelerator/tree/main/starter_kits/basic_datascience_platform" target="_blank" rel="noopener"&gt;&lt;strong&gt;Data Science Platform&lt;/strong&gt;&lt;/a&gt; extends the data lake with Amazon SageMaker notebooks, feature stores, and machine learning (ML) pipelines so data science teams can experiment and train models on governed data.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://github.com/aws/modern-data-architecture-accelerator/tree/main/starter_kits/smus_data_mesh" target="_blank" rel="noopener"&gt;&lt;strong&gt;SageMaker Unified Studio&lt;/strong&gt;&lt;/a&gt; adds a single interface for analytics and ML collaboration, connecting data engineers, analysts, and data scientists in one workspace.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://github.com/aws/modern-data-architecture-accelerator/tree/main/starter_kits/genai_accelerator" target="_blank" rel="noopener"&gt;&lt;strong&gt;Generative AI Platform&lt;/strong&gt;&lt;/a&gt; layers Amazon Bedrock and Retrieval Augmented Generation (RAG) capabilities on top of your existing data foundation, so teams can build generative AI applications grounded in enterprise data.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Each pattern builds the one before it. You can start with the Basic Data Lake and adopt additional patterns as your team’s needs grow. MDAA’s modular design means you add capabilities without rearchitecting what you already deployed.&lt;/p&gt; 
&lt;p&gt;The infrastructure is versioned through GitHub, repeatable across environments, and auditable through comprehensive &lt;a href="https://aws.amazon.com/cloudtrail/" target="_blank" rel="noopener"&gt;AWS CloudTrail&lt;/a&gt; logging. Data engineers focus on data pipelines and business logic while MDAA manages infrastructure complexity and governance integration. This represents the fundamental shift: from writing infrastructure code to describing the outcomes you want through configuration, with governance embedded from the start.&lt;/p&gt; 
&lt;h2 id="use-case-of-mdaa-governed-data-architecture"&gt;Use case of MDAA: Governed data architecture&lt;/h2&gt; 
&lt;p&gt;DataOps teams spend significant time on governance tasks, including permissions management, compliance validation, and access control, rather than building pipelines and analytics. These aren’t data problems, they’re governance problems that consume engineering capacity meant for higher-value work. MDAA addresses this at the architectural level. Governance is declared in YAML and deployed alongside infrastructure from the first run.&lt;/p&gt; 
&lt;p&gt;The following sections walk through how each governance module works in practice.&lt;/p&gt; 
&lt;h3 id="publish-discover-subscribe-and-consume-data-products-between-business-units-sagemaker-unified-studio"&gt;Publish, discover, subscribe, and consume data products between business units: SageMaker Unified Studio&lt;/h3&gt; 
&lt;p&gt;Amazon SageMaker Unified Studio provides a governed data catalog where data producers publish data products, and consumers discover and subscribe to them. Your deployment with MDAA includes a pre-configured domain, blueprints (managed and custom), projects, and environment profiles, all defined in a single configuration file:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-yaml"&gt;# sagemaker.yaml --- 16 lines that deploy 114 CloudFormation resources
domains:
  domain1:
    dataAdminRole:
      id: ssm:/{{org}}/govern1/generated-role/data-admin/id
    description: SMUS Domain 1
    userAssignment: MANUAL

    tooling:
      vpcId: '{{context:vpc_id}}'
      subnetIds:
        - '{{context:private_subnet_id1}}'
        - '{{context:private_subnet_id2}}'

    groups:
      team1:
        ssoId: '{{context:team1-group-sso-id}}'
      team2:
        ssoId: '{{context:team2-group-sso-id}}'&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Behind this configuration, MDAA deploys an Amazon SageMaker Unified Studio domain with dedicated KMS keys, execution and provisioning roles, and single sign-on group profiles for team access. Data producers tag and publish assets with metadata, ownership, and classification. Consumers browse a searchable catalog, see only authorized assets, and request access through a governed workflow. Cross-account and cross-business-unit data sharing flows through a subscription model, ensuring every access grant is tracked, auditable, and revocable.&lt;/p&gt; 
&lt;h3 id="use-case-of-mdaa-restricting-access-to-cardholder-data-using-lake-formation"&gt;Use case of MDAA: Restricting access to cardholder data using Lake Formation&lt;/h3&gt; 
&lt;p&gt;AWS Lake Formation provides fine-grained access control at database and table levels, removing manual IAM policy management. MDAA deploys AWS Lake Formation with pre-configured settings that disable IAMAllowedPrincipals, the critical governance setting that ensures all permissions flow through centralized governance:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-yaml"&gt;# lakeformation-settings.yaml --- 6 lines that deploy 25 CloudFormation resources
lakeFormationAdminRoles:
  - id: generated-role-id:data-admin
createCdkLFAdmin: true
createDataZoneAdminRole: true
iamAllowedPrincipalsDefault: false&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;That last flag is the single most important governance setting in the platform. Without it, an IAM principal with glue:GetTable can read tables in the catalog, bypassing the entire access control model. Most manual setups miss this or defer it.&lt;/p&gt; 
&lt;p&gt;With the data lake configuration, you declare roles and access policies in YAML where admins get full control, engineers get read access to curated data, extract, transform, and load (ETL) roles get scoped write access, and MDAA compiles them into the correct S3 bucket policies and Lake Formation registrations.&lt;/p&gt; 
&lt;h3 id="use-case-of-mdaa-ensuring-data-integrity-with-aws-glue-data-quality"&gt;Use case of MDAA: Ensuring data integrity with AWS Glue Data Quality&lt;/h3&gt; 
&lt;p&gt;&lt;a href="https://aws.amazon.com/glue/features/data-quality/"&gt;AWS Glue Data Quality&lt;/a&gt; runs automated validation rulesets continuously as part of the pipeline, not as periodic batch checks. MDAA’s data quality module supports over 15 built-in rule types, from completeness and uniqueness checks to statistical thresholds and data freshness validation:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-yaml"&gt;# data-quality.yaml
projectName: example-project

rulesets:
  customer-data-quality:
    description: Validate customer data completeness and uniqueness
    targetTable:
      databaseName: project:databaseName/customer-data
      tableName: customers
    ruleset:
      - ruleType: IsComplete
        column: customer_id
      - ruleType: Uniqueness
        column: email
        comparisonOperator: "&amp;gt;"
        threshold: 0.95
      - ruleType: RowCount
        comparisonOperator: "&amp;gt;"
        value: 100&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Quality metrics flow into &lt;a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener"&gt;Amazon CloudWatch&lt;/a&gt; for real-time alerting. If anomalies are detected, automated workflows quarantine affected records and alert data engineering teams before issues reach downstream consumers.&lt;/p&gt; 
&lt;h3 id="protecting-metadata-at-rest-aws-glue-data-catalog-encryption"&gt;Protecting metadata at rest: AWS Glue Data Catalog encryption&lt;/h3&gt; 
&lt;p&gt;Table schemas, column names, and partition structures can reveal sensitive information about an organization’s data architecture, even without access to the underlying data. AWS Glue Catalog Encryption secures metadata at rest using AWS KMS-managed keys. MDAA configures catalog encryption by default, so schema definitions and connection passwords are encrypted from initial deployment without requiring manual key management setup. Access to catalog metadata follows the same Lake Formation governance controls applied to the data itself, so teams see only the schemas that they’re authorized to query.&lt;/p&gt; 
&lt;h3 id="auditing-every-data-access-event-cloudtrail-integration"&gt;Auditing every data access event: CloudTrail integration&lt;/h3&gt; 
&lt;p&gt;Every data access event must be logged and attributable to a specific identity. Without a complete audit trail, demonstrating compliance during a regulatory review becomes a manual, error-prone process. AWS CloudTrail captures API-level activity across the data infrastructure, recording who accesses what data, when, and from which service. MDAA configures CloudTrail integration by default, so audit logging is active from initial deployment rather than added retroactively. Log data flows into a centralized, tamper-resistant store, giving compliance teams a single location to query access history across all business units and accounts.&lt;/p&gt; 
&lt;h3 id="identifying-sensitive-data-automatically-macie-integration"&gt;Identifying sensitive data automatically: Macie integration&lt;/h3&gt; 
&lt;p&gt;In large environments, sensitive information spreads across dozens of S3 buckets through pipelines, transforms, and ad hoc data drops, and self-reporting data owners consistently produce gaps. &lt;a href="https://aws.amazon.com/macie/" target="_blank" rel="noopener"&gt;Amazon Macie&lt;/a&gt; uses machine learning to automatically discover and classify sensitive data in S3, surfacing findings at the object level without manual tagging. MDAA configures Macie across your S3 buckets during deployment, routing findings to &lt;a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener"&gt;Amazon EventBridge&lt;/a&gt; where automated workflows can alert owners or trigger remediation.&lt;/p&gt; 
&lt;p&gt;Together, these controls form a layered defense: Lake Formation governs access to cataloged data, Glue Data Quality validates integrity on arrival, and Macie identifies sensitive data that lands outside governed pipelines to reduce compliance risk.&lt;/p&gt; 
&lt;h3 id="multi-account-data-mesh"&gt;Multi-account data mesh&lt;/h3&gt; 
&lt;p&gt;MDAA provides extensive support for multi-account data mesh setups, with decentralized data ownership across business units and centralized governance. The &lt;a href="https://github.com/aws/modern-data-architecture-accelerator/tree/main/starter_kits/smus_data_mesh" target="_blank" rel="noopener"&gt;data mesh starter kit&lt;/a&gt; supports cross-account data product publishing and consumption, allowing organizations to scale data sharing while maintaining consistent security and compliance controls.&lt;/p&gt; 
&lt;h2 id="technical-implementation"&gt;Technical implementation&lt;/h2&gt; 
&lt;p&gt;Ready to deploy your modern data architecture? Here are the resources to get started:&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/solutions/latest/modern-data-architecture-accelerator/solution-overview.html" target="_blank" rel="noopener"&gt;&lt;strong&gt;MDAA Implementation Guide&lt;/strong&gt;&lt;/a&gt; provides detailed instructions for deploying all starter packages, including architecture patterns, configuration examples, security best practices, and troubleshooting guidance.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://catalog.us-east-1.prod.workshops.aws/workshops/6e7289c7-5662-494d-8b56-b8706412c3a6/en-US" target="_blank" rel="noopener"&gt;&lt;strong&gt;MDAA Hands-on Workshop&lt;/strong&gt;&lt;/a&gt; offers step-by-step guided implementation with AWS experts. The workshop covers configuration management best practices, implementation patterns, hands-on labs with real-world scenarios, and cleanup instructions.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://github.com/aws/modern-data-architecture-accelerator" target="_blank" rel="noopener"&gt;&lt;strong&gt;GitHub Repository&lt;/strong&gt;&lt;/a&gt; and &lt;a href="https://aws.github.io/modern-data-architecture-accelerator/" target="_blank" rel="noopener"&gt;&lt;strong&gt;Documentation&lt;/strong&gt;&lt;/a&gt; provide source code, module reference, and comprehensive documentation.&lt;/p&gt; 
&lt;p&gt;Organizations approach MDAA from different starting points. Some modernize existing data architectures, migrating from on-premises infrastructure or legacy cloud architectures. Others build new architectures for artificial intelligence and machine learning (AI/ML) initiatives or generative AI applications. Financial services organizations require PCI-DSS compliance from day one. Healthcare organizations need controls that can help support HIPAA. Each journey benefits from MDAA’s configuration-driven approach and embedded governance.&lt;/p&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;MDAA transforms data architecture development from months of manual coding to production-ready deployment. Configuration-driven infrastructure reduces development time by 40–60 percent while embedding governance from the start. The university system’s 95 percent reduction in time-to-value demonstrates the outcome: organizations deploy secure, compliant, governed data architectures in weeks rather than months.&lt;/p&gt; 
&lt;p&gt;Financial services organizations can deploy architectures to help them align with PCI-DSS compliance requirements using Lake Formation access controls, Glue Data Quality validation, SageMaker Unified Studio data discovery, comprehensive CloudTrail audit trails, and automated Macie data classification, all inherited from configuration rather than built manually.&lt;/p&gt; 
&lt;p&gt;Data architecture journeys need not follow six-month timelines with governance added incrementally. MDAA provides an alternative: describe the outcomes you want through YAML configuration, inherit pre-validated security controls, and deploy production-ready infrastructure with comprehensive governance from initial deployment.&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Security and compliance is a shared responsibility between AWS and the customer. For more information, see the &lt;a href="https://aws.amazon.com/compliance/shared-responsibility-model/" target="_blank" rel="noopener"&gt;AWS Shared Responsibility Model&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Need help or have questions?&lt;/strong&gt; Contact AWS ProServe for personalized guidance on selecting the right package and deployment strategy for your organization.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the author&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/30/BDB-5798-5.jpg" alt="Sudeshna Dash" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Sudeshna Dash&lt;/h3&gt; 
  &lt;p&gt;Sudeshna is a Data Scientist at AWS Professional Services based in Berlin, Germany. She specializes in data architecture, generative AI, and agentic AI systems on AWS. Sudeshna is a contributor to the Modern Data Architecture Accelerator (MDAA) open-source project and helps customers design and deploy governed, production-ready data and AI/ML architectures on AWS.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="size-full wp-image-92474 alignleft" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/02/Screenshot-2026-07-02-at-11.24.29 AM.png" alt="" width="94" height="126"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;John Reynolds&lt;/h3&gt; 
  &lt;p&gt;John Reynolds is a Principal Engineer with AWS Professional Services based in Seattle, Washington. He leads the architecture and development of Modern Data Architecture Accelerator (MDAA), focusing on turning proven delivery patterns into reusable, production-ready foundations that customers can adopt and extend at scale.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Amazon Redshift RG: Faster and lower cost, Graviton-powered</title>
		<link>https://aws.amazon.com/blogs/big-data/amazon-redshift-rg-faster-and-lower-cost-graviton-powered/</link>
		
		<dc:creator><![CDATA[Stefan Gromoll]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 16:21:06 +0000</pubDate>
				<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Intermediate (200)]]></category>
		<guid isPermaLink="false">6a58390438e7476cc7341d5912ebd08aeaae2c4d</guid>

					<description>In this post, we describe the innovations that make RG instances so much faster. We also share benchmark results showing that RG delivers up to 4.2x better price-performance than other leading data warehouses.</description>
										<content:encoded>&lt;p&gt;&lt;a href="https://aws.amazon.com/redshift/" target="_blank" rel="noopener"&gt;Amazon Redshift&lt;/a&gt; recently announced the general availability of a new Graviton-powered instance called &lt;a href="https://aws.amazon.com/redshift/features/rg/" target="_blank" rel="noopener"&gt;RG&lt;/a&gt;. Built on Amazon’s own Graviton processors, RG delivers:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Up to 2.2x faster performance for data warehouse workloads compared to &lt;a href="https://aws.amazon.com/redshift/features/ra3/" target="_blank" rel="noopener"&gt;RA3&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;Up to 2.4x faster for Iceberg queries and 1.5x faster for Parquet queries through an integrated vectorized data lake engine.&lt;/li&gt; 
 &lt;li&gt;No per-TB scan charges for data lake queries, eliminating the &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/c-using-spectrum.html" target="_blank" rel="noopener"&gt;Amazon Redshift Spectrum&lt;/a&gt; cost applied on RA3 clusters.&lt;/li&gt; 
 &lt;li&gt;30 percent lower cost per vCPU compared to RA3.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;RG is both faster and cheaper. While cloud vendors typically charge more for faster performance or newer generation hardware, Amazon Redshift delivers better performance at lower cost.&lt;/p&gt; 
&lt;p&gt;In this post, we describe the innovations that make RG instances so much faster. We also share benchmark results showing that RG delivers up to 4.2x better price-performance than other leading data warehouses.&lt;/p&gt; 
&lt;h2 id="what-makes-rg-so-fast"&gt;What makes RG so fast&lt;/h2&gt; 
&lt;p&gt;The new RG instances are built from the ground up to take advantage of Graviton processors. The vectorized engine of Amazon Redshift is optimized with Graviton-based single instruction, multiple data (SIMD) kernels to deliver accelerated, parallelized execution for analytics workloads. Operations like predicate evaluations over Parquet encodings use Graviton vector comparison, table lookup, and vector manipulation intrinsics. To support these increased processing speeds, RG instances use custom-built Nitro SSDs. This lets RG use faster local storage as a caching layer for &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/c_high_level_system_architecture.html" target="_blank" rel="noopener"&gt;Amazon Redshift Managed Storage (RMS)&lt;/a&gt;, data lake scans, and intermediate result sets for computations that can’t fit in memory. RG’s &lt;a href="https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-redshift-jit-analyze-apache-iceberg-tables/" target="_blank" rel="noopener"&gt;JIT (Just-In-Time)&lt;/a&gt; Analyze feature also collects statistics from data lake files automatically as queries run, so the optimizer can produce significantly better query plans. Together, these represent innovation across the entire stack: hardware acceleration with Graviton, vectorized execution with SIMD kernels, high-speed storage with Nitro SSDs, and intelligent query planning with JIT Analyze.&lt;/p&gt; 
&lt;p&gt;These optimizations, coupled with RG’s purpose-built high-performance vectorized data lake engine, combine to make Amazon Redshift’s new RG instances up to 2.2x faster than RA3 for analytics workloads at 30 percent lower cost.&lt;/p&gt; 
&lt;h2 id="purpose-built-high-performance-vectorized-data-lake-engine"&gt;Purpose-built high-performance vectorized data lake engine&lt;/h2&gt; 
&lt;p&gt;With RA3, data lake queries offloaded scans to a separate compute fleet known as Amazon Redshift Spectrum. Because data lake queries ran on this separate compute, additional overhead was introduced to transfer query metadata and results between RA3 clusters and the Spectrum fleet. Amazon Redshift RG instances include a completely new built-in scan layer designed from the ground up for data lakes. This new scan layer includes a purpose-built I/O subsystem that incorporates smart prefetch capabilities to reduce data latency. The new scan layer is also optimized to process Apache Parquet files, the most commonly used file format for Iceberg, through fast vectorized scans that use SIMD kernels optimized for Graviton. The scan layer includes sophisticated data pruning mechanisms that operate at both partition and file levels, which significantly reduces the volume of data that needs to be scanned. This pruning capability works with the smart prefetch system to create a coordinated approach that maximizes efficiency throughout the entire data retrieval process.&lt;/p&gt; 
&lt;p&gt;The new purpose-built vectorized data lake engine is up to 2.4x faster than RA3 for Iceberg queries and 1.5x faster than RA3 for Parquet queries.&lt;/p&gt; 
&lt;p&gt;Because this new vectorized data lake engine integrates directly with the core execution engine of Amazon Redshift, new performance optimizations are possible compared to RA3. With this architecture, data lake queries on RG now benefit from fast local data caching, improved bloom filters, vectorized Parquet scans, and advanced filtering and pruning.&lt;/p&gt; 
&lt;p&gt;RG also solves a common problem customers face when querying data in the lake: open-format files like Iceberg in Amazon Simple Storage Service (Amazon S3) often lack useful metadata and statistics, which makes it difficult to run a SQL query optimally.&lt;/p&gt; 
&lt;p&gt;Statistics are metadata about your data, such as distinct value counts, min/max values, distribution patterns, and row counts. The query optimizer uses this information to choose the most efficient way to run a query. For example, when joining two tables, the optimizer needs to know how many unique values each side produces to pick the right join strategy. Without statistics, it has to guess, which often leads to slower joins and unnecessary data movement across nodes. This is where Amazon Redshift’s new feature called &lt;a href="https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-redshift-jit-analyze-apache-iceberg-tables/" target="_blank" rel="noopener"&gt;JIT (Just-In-Time) Analyze&lt;/a&gt; comes in. RG instances automatically fetch and store statistics of your Iceberg files as queries run, so Amazon Redshift can choose query execution strategies that are far more optimized than it could without these statistics.&lt;/p&gt; 
&lt;p&gt;These improvements make scans of Iceberg and Parquet data much faster than RA3. Removing Amazon Redshift Spectrum compute also means RG instances remove the $5/TB cost for data lake queries, which makes data lake queries cheaper and costs predictable. This is a triple win for data lake price-performance: faster performance, lower compute cost, and no per-TB scan cost.&lt;/p&gt; 
&lt;h2 id="faster-insights-from-faster-data-loads"&gt;Faster insights from faster data loads&lt;/h2&gt; 
&lt;p&gt;Amazon Redshift RG’s fast I/O and Graviton-optimized engine result in faster data loads compared to RA3. To measure this improved performance, we ran the data ingestion step of 10TB TPC-DS and TPC-H on equivalently sized RA3 and RG clusters. RG ingested the TPC-DS dataset 2x faster and the TPC-H dataset 1.4x faster, as shown in the following figure.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-6022-1.png" alt="Bar chart comparing data ingestion time on RA3 and RG, showing RG loads TPC-DS 2x faster and TPC-H 1.4x faster" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;The new Graviton-based RG instances are up to 2.0x faster for data loads compared to RA3 instances. This means workloads can see the latest data sooner, and users and agents can get up-to-date insights faster. This faster ingestion on RG comes at 30 percent lower cost compared to RA3, resulting in up to 2.9x better price-performance for data loads compared to RA3 instances.&lt;/p&gt; 
&lt;h2 id="what-customers-are-saying"&gt;What customers are saying&lt;/h2&gt; 
&lt;p&gt;Amazon Redshift customers are already seeing performance and cost benefits of switching to RG. Southwest Airlines and tombola tested their business-critical workloads, and found they could get better performance and save on cost:&lt;/p&gt; 
&lt;table style="border-color: #FF9900" border="1px" cellpadding="5px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt; &lt;p style="text-align: center"&gt;&lt;strong&gt;Southwest Airlines&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;img loading="lazy" class="wp-image-92470 size-full aligncenter" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/02/Southwest_Airlines_logo.4fbb9dab1c2a56a33081a307b7e531948dc0ae9f-1.png" alt="" width="265" height="41"&gt;&lt;/p&gt; &lt;p style="text-align: center"&gt;&lt;em&gt;“Amazon Redshift RG instances have the potential to deliver meaningful business impact for Southwest Airlines. Based on initial testing in our development environment, our data warehouse workloads run 50–60% faster, and data lake analytics are 45% faster—enabling teams to get insights sooner, respond to operational conditions faster, and make data‑driven decisions with less latency. These early results are encouraging, and we are excited to validate and scale these improvements in production. All of this comes without per‑terabyte Spectrum scanning charges, delivering 30% lower cost than RA3 at a time when fuel prices continue to pressure industry margins!!”&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: center"&gt;— Sean Lynch, Vice President, Data and Architecture, Southwest Airlines&lt;/p&gt; &lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;table style="border-color: #FF9900" border="1px" cellpadding="5px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt; &lt;p style="text-align: center"&gt;&lt;strong&gt;tombola&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;img loading="lazy" class="wp-image-92469 size-full aligncenter" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/02/Tombola-Logo.961109fc40e3b8dd0f7754acaf9da1565844ddab-1.jpg" alt="" width="260" height="80"&gt;&lt;/p&gt; &lt;p style="text-align: center"&gt;&lt;em&gt;“The new Graviton-based Amazon Redshift RG instances delivered 1.8x–2x faster write throughput and up to 2.2x faster read speeds compared to RA3 across a diverse set of batch and analytical jobs — enabling us to process 40% more within the same window. Compressed ETL cycles, accelerated time-to-insight, and decision-making no longer bottlenecked by the pipeline — together, these translated directly into fresher data reaching our analysts and business teams sooner. What made this even more compelling was a concurrent 30% reduction in compute spend alongside the gains — delivering more for less is a rare outcome, and one worth highlighting. In a volume-heavy gaming industry at tombola, where query latency and cost compound at scale, this has been one of the more impactful platform decisions we’ve made this year.”&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: center"&gt;— Akshay Srinivasan, Data Engineer, tombola&lt;/p&gt; &lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;table style="border-color: #FF9900" border="1px" cellpadding="5px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt; &lt;p style="text-align: center"&gt;&lt;strong&gt;Qoala&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;img loading="lazy" class="size-full wp-image-92468 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/02/qoala-logo-46n56dPN.png" alt="" width="262" height="74"&gt;&lt;/p&gt; &lt;p style="text-align: center"&gt;&lt;em&gt;“After migrating our Amazon Redshift cluster from RA3 to the new Graviton-based RG instances, we saw 60–70% faster query processing times across our BI and analytics workloads. As a growing insurtech platform handling millions of policy transactions, faster time-to-insight means our data team can deliver dashboards and reports to the business sooner. We moved to a larger node configuration to accommodate future growth, and the performance gains far exceeded the incremental investment – making this one of the most impactful infrastructure decisions we’ve made this year.”&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: center"&gt;— Umar Abdul Aziz, VP of Data, Qoala&lt;/p&gt; &lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;h2 id="performance-results"&gt;Performance results&lt;/h2&gt; 
&lt;p&gt;To see how RG stacks up, we ran benchmarks derived from the industry-standard TPC-DS and TPC-H benchmarks at 10TB scale on the new Amazon Redshift RG instances and on leading alternative data warehouses. These benchmarks are designed to run queries of various operational requirements and complexities, such as ad hoc, reporting, iterative online analytical processing (OLAP), and data mining. We sized each data warehouse at approximately the same on-demand cost ($32/hr) and ran three power runs of each benchmark out of the box, with no special tuning or manual customization. The results are shown in the following charts.&lt;/p&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92428" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/01/final-chart.png" alt="Bar chart of TPC-DS 10TB price-performance showing Amazon Redshift RG leading alternative data warehouses" width="1540" height="1042"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92429" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/01/final-chart-2.png" alt="Bar chart of TPC-H 10TB price-performance showing Amazon Redshift RG leading alternative data warehouses" width="1540" height="1042"&gt;&lt;/p&gt; 
&lt;p&gt;The new RG instance leads, and by a large margin. Better price-performance means better performance &lt;em&gt;and&lt;/em&gt; lower cost.&lt;/p&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;Amazon Redshift RG instances are the next generation of analytics engine, delivering high performance for data warehouse and data lake workloads. Because RG supports all the same workloads and features as RA3, getting started is straightforward. See our &lt;a href="https://aws.amazon.com/blogs/big-data/modernize-amazon-redshift-ra3-to-rg-migration-best-practices/" target="_blank" rel="noopener"&gt;migration guide&lt;/a&gt; for how to upgrade and start getting better performance at lower cost.&lt;/p&gt; 
&lt;h2 id="find-the-best-price-performance-for-your-workloads"&gt;Find the best price-performance for your workloads&lt;/h2&gt; 
&lt;p&gt;The benchmarks used in this post are derived from the industry-standard &lt;a href="http://www.tpc.org/tpcds/" target="_blank" rel="noopener"&gt;TPC-DS&lt;/a&gt; and &lt;a href="http://www.tpc.org/tpch/" target="_blank" rel="noopener"&gt;TPC-H&lt;/a&gt; benchmarks, and have the following characteristics:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;We use the schema and data unmodified from TPC-DS and TPC-H.&lt;/li&gt; 
 &lt;li&gt;The queries are generated using the official TPC-DS and TPC-H kits with query parameters generated using the default random seed of the kits. TPC-approved query variants are used for a warehouse if the warehouse doesn’t support the SQL dialect of the default queries.&lt;/li&gt; 
 &lt;li&gt;The test includes the 99 TPC-DS SELECT queries and 22 TPC-H SELECT queries. It doesn’t include maintenance and throughput steps.&lt;/li&gt; 
 &lt;li&gt;Three power runs were run, and the best run is taken for each data warehouse.&lt;/li&gt; 
 &lt;li&gt;Price-performance is calculated as the cost per hour (USD) divided by 3,600 seconds/hour times the benchmark geomean in seconds, which is equivalent to the geomean cost per query. The latest published on-demand pricing is used for all data warehouses.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;We call this the Cloud Data Warehouse benchmark, and you can reproduce the preceding benchmark results using the scripts, queries, and data available in our &lt;a href="https://github.com/awslabs/amazon-redshift-utils/tree/master/src/CloudDataWarehouseBenchmark/Cloud-DWB-Derived-from-TPCDS" target="_blank" rel="noopener"&gt;GitHub repository&lt;/a&gt;. It’s derived from the TPC-DS benchmarks as described in this post, and as such isn’t comparable to published TPC-DS results, because the results of our tests don’t comply with the official specification.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-6022-4.jpeg" alt="Stefan Gromoll" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Stefan Gromoll&lt;/h3&gt; 
  &lt;p&gt;Stefan&amp;nbsp;is a Principal Engineer with the Amazon Redshift team where he is responsible for Redshift performance. In his spare time, he enjoys cooking, playing with his four boys, and chopping firewood.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-6022-7.png" alt="Ankit Sahu" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Ankit Sahu&lt;/h3&gt; 
  &lt;p&gt;Ankit brings over 18 years of expertise in building innovative data products and services. His diverse experience spans product strategy, go-to-market execution, and digital transformation initiatives. Currently, as Sr.&amp;nbsp;Product Manager at Amazon Web Services (AWS), Ankit is driving the vision and strategy for Amazon Redshift.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-6022-5.png" alt="Mohammed Alkateb" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Mohammed Alkateb&lt;/h3&gt; 
  &lt;p&gt;Mohammed is an Engineering Manager at Amazon Redshift, leading Software Engineers, Applied Scientists, and Amazon Scholars across query optimization, data lake access, performance engineering, and new instance qualification. Prior to Amazon, he spent over 12 years with the Teradata Optimizer team. Mohammed holds a PhD from The University of Vermont and has many US patents and publications in premier database conferences.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-6022-9.png" alt="Yousuf Hussain" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Yousuf Hussain&lt;/h3&gt; 
  &lt;p&gt;Yousuf is a Senior Software Engineer at Amazon Redshift with 11 years of experience in building and operating large-scale cloud data warehouse systems. He is passionate about analytics and focuses on instance strategy, availability, and reliability to deliver a performant experience for Amazon Redshift customers.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-6022-10.jpeg" alt="Nita Shah" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Nita Shah&lt;/h3&gt; 
  &lt;p&gt;Nita is a Sr. Analytics Specialist Solutions Architect at AWS based out of New York. She has been building enterprise data platforms, data warehousing, and analytics solutions for over 20 years and specializes in Amazon Redshift. She is focused on helping customers design and build enterprise-scale well-architected analytics and decision support platforms.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-6022-6.png" alt="Sanket Hase" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Sanket Hase&lt;/h3&gt; 
  &lt;p&gt;Sanket is an Engineering Manager with the Amazon Redshift team, where he leads query execution teams focusing on data lake analytics, hardware-software co-design, and vectorized query execution. Sanket holds a Master’s in CS from Carnegie Mellon University and has several U.S. patents in the field of database systems&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/26/BDB-6022-8.png" alt="Jingbo Zhang" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Jingbo Zhang&lt;/h3&gt; 
  &lt;p&gt;Jingbo is a Data Engineer at Amazon Redshift focused on new instance qualification and performance validation. She has contributed to the qualification and launch of multiple Graviton-based Redshift instance families, including RG, r8gd, and r7gd, with a focus on benchmarking, performance analysis, and automation. Jingbo holds a master’s degree in data Analytics from Carnegie Mellon University.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Run log analytics for a fraction of the cost with the new engine for Amazon OpenSearch Service</title>
		<link>https://aws.amazon.com/blogs/big-data/run-log-analytics-for-a-fraction-of-the-cost-with-the-new-engine-for-amazon-opensearch-service/</link>
		
		<dc:creator><![CDATA[Jagadish Kumar]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 20:16:56 +0000</pubDate>
				<category><![CDATA[Advanced (300)]]></category>
		<category><![CDATA[Amazon OpenSearch Service]]></category>
		<category><![CDATA[Announcements]]></category>
		<guid isPermaLink="false">9fa28a8875120394d16089aa932b108e81a7f58e</guid>

					<description>We’re introducing a purpose-built log analytics engine for Amazon OpenSearch Service. This new engine delivers up to 4x price performance, 2x faster data ingestion, up to 2x faster analytical queries, and up to 70 percent lower storage costs. You get all of this without sacrificing search capabilities on the same data. In this post, you learn how to take advantage of these benefits, see how to get started, and review benchmark results at billion-document scale.</description>
										<content:encoded>&lt;p&gt;&lt;a href="https://aws.amazon.com/opensearch-service" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service&lt;/a&gt; is a real-time retrieval engine for AI, search, and analytics at any scale. As log volumes grow 30–40 percent year over year, organizations face rising infrastructure costs and slower analytical queries across their observability data. Teams are forced to choose between retaining the data they need and staying within budget.&lt;/p&gt; 
&lt;p&gt;We’re introducing a purpose-built log analytics engine for Amazon OpenSearch Service. This new engine delivers up to 4x price performance, 2x faster data ingestion, up to 2x faster analytical queries, and up to 70 percent lower storage costs. You get all of this without sacrificing search capabilities on the same data.&lt;/p&gt; 
&lt;p&gt;In this post, you learn how to take advantage of these benefits, see how to get started, and review benchmark results at billion-document scale.&lt;/p&gt; 
&lt;h2 id="how-the-optimized-engine-works"&gt;How the optimized engine works&lt;/h2&gt; 
&lt;p&gt;The optimized engine is a new engine mode within the same Amazon OpenSearch Service domain. You use the same console, APIs, security model, and networking configuration that you already use with the general-purpose engine.&lt;/p&gt; 
&lt;p&gt;OpenSearch Service stores all data in Apache Parquet format. For fields configured as searchable, OpenSearch Service also writes the data to the inverted index. Apache Calcite parses and optimizes each query, then routes operations to the engine best suited to execute them: Apache DataFusion for analytical operations on columnar data, or Lucene for search predicates. The two hand off mid-query, so a single query can search log content and aggregate the results without additional roundtrips.&lt;/p&gt; 
&lt;p&gt;You ingest data through the same REST APIs and client libraries you use today and you don’t need to change your agents or pipelines. The optimized engine supports two query languages: Piped Processing Language (PPL) and SQL. Both execute natively through the vectorized engine. The Domain Specific Language (DSL) query API is not supported on the optimized engine at launch.&lt;/p&gt; 
&lt;h2 id="getting-started"&gt;Getting started&lt;/h2&gt; 
&lt;p&gt;At launch, the optimized engine is a domain-level setting selected at creation time. You can’t add the optimized engine to an existing domain or enable it on individual indices or fields within a general-purpose domain. To adopt the optimized engine, create a new domain and migrate your ingestion pipelines to it.&lt;/p&gt; 
&lt;p&gt;Create a new domain in the Amazon OpenSearch Service console and select &lt;strong&gt;Observability&lt;/strong&gt; as your use case. The optimized engine is enabled by default. The console provides a side-by-side comparison of capabilities to help you choose.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/01/BDB-6090-1.png" alt="Amazon OpenSearch Service console showing the Observability use case selected with a side-by-side comparison of engine capabilities" width="800"&gt;&lt;/p&gt; 
&lt;p&gt;After your domain is ready, ingest JSON documents through the same Bulk API and client libraries you use today. No changes to your ingestion pipelines or application code are required.&lt;/p&gt; 
&lt;h2 id="benefits-of-the-optimized-engine-for-log-analytics"&gt;Benefits of the optimized engine for log analytics&lt;/h2&gt; 
&lt;p&gt;The optimized engine for log analytics introduces the following performance and cost improvements:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Up to 4x better price-performance&lt;/strong&gt; compared to the existing general-purpose engine on internal benchmarks, while retaining full-text search for incident investigation.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Up to 2x faster analytical queries.&lt;/strong&gt; The engine uses a vectorized query execution path that processes data in columnar batches for fast results across large datasets.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Up to 2x higher ingestion throughput.&lt;/strong&gt; The append-only columnar write path increases sustained ingestion rates.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Up to 70 percent lower storage&lt;/strong&gt; with columnar storage for aggregation workloads. You can retain up to 3x more data at the same cost.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;To demonstrate these improvements, we benchmarked observability workloads at billion-document scale. In the following sections, we explore the benchmark methodology, test environment, and results. We recommend testing the optimized engine with your own workload to validate the gains for your use case.&lt;/p&gt; 
&lt;h2 id="benchmark-methodology"&gt;Benchmark methodology&lt;/h2&gt; 
&lt;p&gt;We used the &lt;a href="https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/cmd/telemetrygen/README.md" target="_blank" rel="noopener"&gt;Telemetry Generator for OpenTelemetry&lt;/a&gt; to generate synthetic traces and logs at scale, producing three observability datasets: OTEL traces, OTEL logs, and web server access logs. We stored the generated data as bulk-format NDJSON in Amazon Simple Storage Service (Amazon S3). We then ingested it through a pipeline on Amazon Elastic Container Service (Amazon ECS) with AWS Fargate. The pipeline reads chunks from Amazon S3, transforms timestamps, and writes to the OpenSearch Bulk API, simulating a production observability flow.&lt;/p&gt; 
&lt;p&gt;We benchmarked on two OpenSearch Service domains running OpenSearch 3.5, each with 9 data nodes in a 3-Availability Zone configuration:&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Configuration&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Optimized Engine&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Standard Lucene&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Instance type&lt;/td&gt; 
   &lt;td&gt;9x or2.4xlarge.search&lt;/td&gt; 
   &lt;td&gt;9x r8g.4xlarge.search&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Leader nodes&lt;/td&gt; 
   &lt;td&gt;3x m7g.large.search&lt;/td&gt; 
   &lt;td&gt;3x m7g.large.search&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;EBS&lt;/td&gt; 
   &lt;td&gt;2,500 GB gp3, 7,500 IOPS, 500 MB/s per node&lt;/td&gt; 
   &lt;td&gt;2,500 GB gp3, 7,500 IOPS, 500 MB/s per node&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Engine mode&lt;/td&gt; 
   &lt;td&gt;OPTIMIZED&lt;/td&gt; 
   &lt;td&gt;General Purpose&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;We ingested three data sets totaling 24.4 billion documents and 9.5 TB of raw JSON. All indices used 9 primary shards, 1 replica, and Index State Management (ISM)-managed rollover at 50 GB per primary shard. The Lucene baseline had&amp;nbsp;&lt;code&gt;_source&lt;/code&gt; enabled, representing the default customer configuration.&lt;/p&gt; 
&lt;p&gt;The ingestion pipeline ran on 90 Fargate tasks (16 vCPU, 120 GB RAM each, 48 writer threads per task, bulk size of 3,000 documents) in the same virtual private cloud (VPC) as the OpenSearch Service domains.&lt;/p&gt; 
&lt;h2 id="results"&gt;Results&lt;/h2&gt; 
&lt;h3 id="ingestion-throughput"&gt;Ingestion throughput&lt;/h3&gt; 
&lt;p&gt;The optimized engine’s append-only columnar storage writes segments in bulk-optimized batches without per-document stored field overhead.&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Metric&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Optimized Engine&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Lucene Baseline&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Peak throughput&lt;/td&gt; 
   &lt;td&gt;1.78M docs/sec&lt;/td&gt; 
   &lt;td&gt;~647K docs/sec&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Cluster CPU at peak&lt;/td&gt; 
   &lt;td&gt;62%&lt;/td&gt; 
   &lt;td&gt;72%&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Write rejections&lt;/td&gt; 
   &lt;td&gt;0&lt;/td&gt; 
   &lt;td&gt;0&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Total documents ingested&lt;/td&gt; 
   &lt;td&gt;24.4 billion&lt;/td&gt; 
   &lt;td&gt;15.7 billion&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;The optimized engine sustained 1.78 million documents per second at matched concurrency, approximately 2x the throughput of the Lucene baseline, while consuming less CPU. Both domains ran with zero write rejections. For teams ingesting terabytes per day, the throughput advantage translates to fewer nodes for the same volume, or longer retention on the same infrastructure.&lt;/p&gt; 
&lt;h3 id="storage-compression"&gt;Storage compression&lt;/h3&gt; 
&lt;p&gt;The columnar Parquet format compresses observability data through dictionary encoding of repeated fields, tight packing of numeric columns, and elimination of per-document JSON overhead.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Measured across 24.4 billion documents:&lt;/strong&gt;&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Dataset&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Documents&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Source(GB)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;b&gt;Optimized Engine (GB)&lt;/b&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Lucene zlib/best_compression (GB)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Lucene LZ4/default (GB)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Savings vs Source&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;b&gt;Savings vs zlib&lt;/b&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;b&gt;Savings vs LZ4 (default)&lt;/b&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Web logs&lt;/td&gt; 
   &lt;td&gt;8.76B&lt;/td&gt; 
   &lt;td&gt;2,360&lt;/td&gt; 
   &lt;td&gt;254&lt;/td&gt; 
   &lt;td&gt;614&lt;/td&gt; 
   &lt;td&gt;955&lt;/td&gt; 
   &lt;td&gt;89%&lt;/td&gt; 
   &lt;td&gt;59%&lt;/td&gt; 
   &lt;td&gt;73%&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;OTEL logs&lt;/td&gt; 
   &lt;td&gt;8.20B&lt;/td&gt; 
   &lt;td&gt;3,720&lt;/td&gt; 
   &lt;td&gt;815&lt;/td&gt; 
   &lt;td&gt;1,549&lt;/td&gt; 
   &lt;td&gt;1,964&lt;/td&gt; 
   &lt;td&gt;78%&lt;/td&gt; 
   &lt;td&gt;47%&lt;/td&gt; 
   &lt;td&gt;59%&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;OTEL traces&lt;/td&gt; 
   &lt;td&gt;7.43B&lt;/td&gt; 
   &lt;td&gt;4,131&lt;/td&gt; 
   &lt;td&gt;841&lt;/td&gt; 
   &lt;td&gt;1,790&lt;/td&gt; 
   &lt;td&gt;2,301&lt;/td&gt; 
   &lt;td&gt;80%&lt;/td&gt; 
   &lt;td&gt;53%&lt;/td&gt; 
   &lt;td&gt;63%&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;The optimized engine stores the same data at 5x compression versus raw JSON (80 percent savings). Against the default Lucene configuration (&lt;code&gt;_source&lt;/code&gt; enabled, what most domains run), the optimized engine uses roughly half the storage. The optimized engine derives &lt;code&gt;_source&lt;/code&gt; from Parquet columns on read, eliminating the need to store the raw JSON blob while still allowing document retrieval.&lt;/p&gt; 
&lt;h3 id="analytical-query-performance"&gt;Analytical query performance&lt;/h3&gt; 
&lt;p&gt;We measured query latency on a typical observability dashboard pattern: analytical aggregations scoped to a 15-minute time window over billions of log events. The optimized engine uses row-group pruning on the &lt;code&gt;@timestamp&lt;/code&gt; column to skip data outside the query window, reading only the relevant subset.&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Query pattern&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Dataset&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Optimized Engine&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Lucene baseline&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Speedup&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Error count by service&lt;/td&gt; 
   &lt;td&gt;OTEL logs&lt;/td&gt; 
   &lt;td&gt;717 ms&lt;/td&gt; 
   &lt;td&gt;2.8 s&lt;/td&gt; 
   &lt;td&gt;3.9x&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Log volume by host&lt;/td&gt; 
   &lt;td&gt;OTEL logs&lt;/td&gt; 
   &lt;td&gt;252 ms&lt;/td&gt; 
   &lt;td&gt;17.6 s&lt;/td&gt; 
   &lt;td&gt;70x&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;5xx errors by service and method&lt;/td&gt; 
   &lt;td&gt;OTEL logs&lt;/td&gt; 
   &lt;td&gt;171 ms&lt;/td&gt; 
   &lt;td&gt;885 ms&lt;/td&gt; 
   &lt;td&gt;5.2x&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Top services by error&lt;/td&gt; 
   &lt;td&gt;OTEL traces&lt;/td&gt; 
   &lt;td&gt;635 ms&lt;/td&gt; 
   &lt;td&gt;569 ms&lt;/td&gt; 
   &lt;td&gt;~1x&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Point lookup (single traceId)&lt;/td&gt; 
   &lt;td&gt;OTEL traces&lt;/td&gt; 
   &lt;td&gt;394 ms&lt;/td&gt; 
   &lt;td&gt;783 ms&lt;/td&gt; 
   &lt;td&gt;2x&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;&lt;em&gt;All queries scoped to a 15-minute window. Index sizes: 8.2 billion OTEL log events, 7.4 billion OTEL trace spans.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;The optimized engine completes time-filtered analytical queries in 171 ms to 717 ms over billions of documents. The advantage is most pronounced on unfiltered aggregations (log volume by host: 70x) where the columnar engine reads only the columns needed. On queries where the Lucene inverted index provides strong predicate selectivity (top services by error on traces), performance is comparable between the two engines.&lt;/p&gt; 
&lt;h3 id="search-and-point-lookups"&gt;Search and point lookups&lt;/h3&gt; 
&lt;p&gt;The optimized engine retains the Lucene inverted index alongside columnar storage. When the query planner recognizes a selective lookup (such as retrieving a single trace by ID), the planner routes the query to the inverted index rather than scanning columnar data. In our benchmark, a single traceId lookup across 7.4 billion spans returned in 165 ms.&lt;/p&gt; 
&lt;p&gt;This means a real investigation can use both engines in sequence: broad aggregations to localize the problem, then a point lookup to pull the offending trace, all from the same domain.&lt;/p&gt; 
&lt;h2 id="now-available"&gt;Now available&lt;/h2&gt; 
&lt;p&gt;The optimized engine for Amazon OpenSearch Service is generally available today across 12 regions globally: US East (N. Virginia, Ohio), US West (Oregon), Canada (Central), Asia Pacific (Mumbai, Singapore, Sydney, Tokyo), and Europe (Frankfurt, Ireland, London, Spain). There are no additional charges for the new engine.&lt;/p&gt; 
&lt;p&gt;Pricing follows standard Amazon OpenSearch Service rates for instances and storage, with no additional premium for the optimized engine. For more information, see &lt;a href="https://aws.amazon.com/opensearch-service/pricing/" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service Pricing&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;To learn more about configuring and using the optimized engine, see &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/optimized-log-analytics.html" target="_blank" rel="noopener noreferrer"&gt;Optimized for Log Analytics&lt;/a&gt; in the Amazon OpenSearch Service documentation. For an overview of the service, visit &lt;a href="https://aws.amazon.com/opensearch-service/features/loganalytics/" target="_blank" rel="noopener noreferrer"&gt;Amazon OpenSearch Service Log Analytics&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Give it a try and send feedback to &lt;a href="https://repost.aws/selections/KPke2SCsxiQEGwNbtw_lAnTw/aws-re-post-knowledge-center-spotlight-opensearch-service" target="_blank" rel="noopener"&gt;AWS re:Post for Amazon OpenSearch Service&lt;/a&gt; or through your usual AWS Support contacts.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/01/BDB-6090-2.png" alt="Jagadish Kumar" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Jagadish Kumar&lt;/h3&gt; 
  &lt;p&gt;Jagadish is a Senior Solutions Architect at Amazon Web Services, focused on OpenSearch and analytics workloads.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/01/BDB-6090-3.png" alt="Rohin Bhargava" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Rohin Bhargava&lt;/h3&gt; 
  &lt;p&gt;Rohin is a Senior Product Manager for Amazon OpenSearch Service.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/07/01/BDB-6090-4.png" alt="Michael Supangkat" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Michael Supangkat&lt;/h3&gt; 
  &lt;p&gt;Michael is a Solutions Architect at Amazon Web Services specializing in search and observability.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>AI-powered performance recommendations for Amazon Redshift</title>
		<link>https://aws.amazon.com/blogs/big-data/ai-powered-performance-recommendations-for-amazon-redshift/</link>
		
		<dc:creator><![CDATA[Steve Phillips]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 18:39:22 +0000</pubDate>
				<category><![CDATA[Advanced (300)]]></category>
		<category><![CDATA[Amazon Bedrock]]></category>
		<category><![CDATA[Amazon EventBridge]]></category>
		<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[AWS Lambda]]></category>
		<category><![CDATA[Technical How-to]]></category>
		<guid isPermaLink="false">a6bddf55253fe5064d7ca79052872bdf99ce5b0a</guid>

					<description>In this post, you learn how to build an AI-powered solution that collects the telemetry, pre-computes performance signals, correlates them with CloudWatch, and uses Amazon Bedrock to generate prioritized recommendations.</description>
										<content:encoded>&lt;p&gt;Data platform teams running &lt;a href="https://aws.amazon.com/redshift/" target="_blank" rel="noopener"&gt;Amazon Redshift&lt;/a&gt; collect performance telemetry across system views like &lt;code&gt;SYS_QUERY_HISTORY&lt;/code&gt;, &lt;code&gt;SVV_TABLE_INFO&lt;/code&gt;, and &lt;code&gt;SVV_ALTER_TABLE_RECOMMENDATIONS&lt;/code&gt;, plus &lt;a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener"&gt;Amazon CloudWatch&lt;/a&gt; metrics for capacity, query execution, and storage. The challenge is interpretation. Correlating a spike in &lt;code&gt;QueryRuntimeBreakdown&lt;/code&gt; commit time with hundreds of small &lt;code&gt;INSERT&lt;/code&gt; statements, or connecting high disk spill with undersized compute, takes deep expertise and hours of manual analysis.&lt;/p&gt; 
&lt;p&gt;In this post, you learn how to build an AI-powered solution that collects the telemetry, pre-computes performance signals, correlates them with CloudWatch, and uses &lt;a href="https://aws.amazon.com/bedrock/" target="_blank" rel="noopener"&gt;Amazon Bedrock&lt;/a&gt; to generate prioritized recommendations. The source code is in the accompanying GitHub repository: &lt;a href="https://github.com/aws-samples/sample-ai-performance-advisor-for-amazon-redshift" target="_blank" rel="noopener"&gt;sample-ai-performance-advisor-for-amazon-redshift&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;The signal-based design is what makes this solution produce precise recommendations rather than generic advice. Instead of dumping raw system view output into the large language model (LLM) prompt, the collector pre-computes boolean and threshold-based findings, pairs them with CloudWatch correlations, and hands the model a structured context. The model then cross-references specific query IDs, table names, and metric values in its output.&lt;/p&gt; 
&lt;h2 id="solution-overview"&gt;Solution overview&lt;/h2&gt; 
&lt;p&gt;Two &lt;a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener"&gt;AWS Lambda&lt;/a&gt; functions run on a 24-hour &lt;a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener"&gt;Amazon EventBridge&lt;/a&gt; schedule:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;The &lt;em&gt;collector&lt;/em&gt; Lambda runs 13 diagnostic SQL queries against &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-serverless.html" target="_blank" rel="noopener"&gt;Amazon Redshift Serverless&lt;/a&gt; and reads the workgroup’s Workload Management (WLM) configuration. It also collects CloudWatch metrics across capacity, query execution, WLM, connections, and storage. From these inputs, it computes the performance signals. Finally, it writes a telemetry JSON file to &lt;a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3)&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;The &lt;em&gt;analyzer&lt;/em&gt; Lambda reads the telemetry from Amazon S3, builds a structured prompt with inline CloudWatch-to-signal correlations. Using the correlations, the &lt;em&gt;analyzer&lt;/em&gt; calls Amazon Bedrock (&lt;a href="https://aws.amazon.com/bedrock/anthropic/" target="_blank" rel="noopener"&gt;Anthropic Claude&lt;/a&gt; Sonnet 4.6), and writes the resulting recommendations JSON back to Amazon S3.&lt;/li&gt; 
 &lt;li&gt;An &lt;a href="https://aws.amazon.com/sns/" target="_blank" rel="noopener"&gt;Amazon Simple Notification Service (Amazon SNS)&lt;/a&gt; topic sends an email summary of the top recommendations to subscribers.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;div style="width: 610px" class="wp-caption alignnone"&gt;
 &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-1.jpg" alt="AWS architecture diagram showing an automated Redshift analysis pipeline within the AWS Cloud. Amazon EventBridge triggers a “Collector” AWS Lambda function, which interacts bidirectionally with AWS Secrets Manager, Amazon Redshift, and Amazon CloudWatch to gather data. The Collector passes results to an “Analyzer” AWS Lambda function, which exchanges data with Amazon Bedrock and reads/writes to Amazon S3. The Analyzer then publishes to Amazon Simple Notification Service (SNS), which delivers an email notification." width="600" height="1040"&gt;
 &lt;p class="wp-caption-text"&gt;Figure 1 – Architecture diagram&lt;/p&gt;
&lt;/div&gt; 
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;/h2&gt; 
&lt;p&gt;Before deploying the solution, make sure the following are in place.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;An Amazon Redshift Serverless workgroup with a database and query history.&lt;/li&gt; 
 &lt;li&gt;An Amazon Redshift database administrator user (superuser). The collector reads views that only a superuser can query (&lt;code&gt;SVV_TABLE_INFO&lt;/code&gt;, &lt;code&gt;SVV_ALTER_TABLE_RECOMMENDATIONS&lt;/code&gt;, &lt;code&gt;SVV_MV_INFO&lt;/code&gt;, &lt;code&gt;SYS_SERVERLESS_USAGE&lt;/code&gt;, &lt;code&gt;SYS_AUTO_TABLE_OPTIMIZATION&lt;/code&gt;).&lt;br&gt; Store the admin credentials in AWS Secrets Manager and pass the secret ARN to the collector.&lt;br&gt; Alternatively, have an existing superuser run &lt;code&gt;ALTER USER "IAMR:redshift-performance-recommendations-role" CREATEUSER;&lt;/code&gt;&lt;br&gt; once to grant the Lambda role superuser privileges.&lt;/li&gt; 
 &lt;li&gt;Amazon Bedrock model access for the model of choice. For this solution, a &lt;code&gt;us.anthropic.claude-*&lt;/code&gt; model is recommended for multi-region inference. The solution doesn’t depend on a single model.&lt;/li&gt; 
 &lt;li&gt;The &lt;a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" target="_blank" rel="noopener"&gt;AWS Command Line Interface (AWS CLI)&lt;/a&gt; installed and configured, and a clone of the GitHub repository.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="create-the-supporting-resources"&gt;Create the supporting resources&lt;/h2&gt; 
&lt;p&gt;You need an Amazon S3 bucket, an Amazon SNS topic, an &lt;a href="https://aws.amazon.com/secrets-manager/" target="_blank" rel="noopener"&gt;AWS Secrets Manager&lt;/a&gt; secret, and an &lt;a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener"&gt;AWS Identity and Access Management (IAM)&lt;/a&gt; role before the Lambda functions can run.&lt;/p&gt; 
&lt;h3 id="create-the-amazon-s3-bucket"&gt;Create the Amazon S3 bucket&lt;/h3&gt; 
&lt;p&gt;The Amazon S3 bucket will host the output report.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Open the Amazon S3 console and choose &lt;strong&gt;Create bucket&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Enter a globally unique name (for example, &lt;code&gt;amzn-s3-demo-bucket&lt;/code&gt;), keep the default settings, and choose &lt;strong&gt;Create bucket&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The collector writes telemetry JSON under the &lt;code&gt;telemetry/&lt;/code&gt; prefix and the analyzer writes recommendations under the &lt;code&gt;recommendations/&lt;/code&gt; prefix.&lt;/p&gt; 
&lt;h3 id="create-the-amazon-sns-topic-and-subscription"&gt;Create the Amazon SNS topic and subscription&lt;/h3&gt; 
&lt;p&gt;Use Amazon SNS to generate notifications once reports are created.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Open the Amazon SNS console and choose &lt;strong&gt;Topics&lt;/strong&gt;, &lt;strong&gt;Create topic&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Select &lt;strong&gt;Standard&lt;/strong&gt;, and enter the name &lt;code&gt;redshift-performance-recommendations&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Create topic&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;On the topic detail page, choose &lt;strong&gt;Create subscription&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Select &lt;strong&gt;Email&lt;/strong&gt; as the protocol, enter your email address, and choose &lt;strong&gt;Create subscription&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Open the confirmation email from AWS Notifications and choose &lt;strong&gt;Confirm subscription&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;div style="width: 610px" class="wp-caption alignnone"&gt;
 &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-2.jpg" alt="Amazon SNS “Create topic” console page. The Type is set to Standard (selected over FIFO), and the Name field contains “redshift-performance-recommendations.” Annotation arrows highlight the Topics nav item, the Standard topic type, the entered name, and the “Create topic” button in the lower right. Optional sections for Encryption, Access policy, Delivery policy, Message delivery status logging, Tags, and Active tracing are collapsed below." width="600" height="1000"&gt;
 &lt;p class="wp-caption-text"&gt;Figure 2 – Create SNS Topic&lt;/p&gt;
&lt;/div&gt; 
&lt;h3 id="store-the-admin-credentials-in-aws-secrets-manager"&gt;Store the admin credentials in AWS Secrets Manager&lt;/h3&gt; 
&lt;p&gt;To avoid using hard-coded credentials, create an AWS Secrets Manager secret to connect to Amazon Redshift.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Open the AWS Secrets Manager console and choose &lt;strong&gt;Store a new secret&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Select &lt;strong&gt;Other type of secret&lt;/strong&gt;, choose the &lt;strong&gt;Plaintext&lt;/strong&gt; tab, and paste the following, replacing &lt;code&gt;&amp;lt;ADMIN_PASSWORD&amp;gt;&lt;/code&gt; with the workgroup’s admin password: 
  &lt;div class="hide-language"&gt; 
   &lt;pre&gt;&lt;code class="language-json"&gt;{"username":"admin","password":"&amp;lt;ADMIN_PASSWORD&amp;gt;"}&lt;/code&gt;&lt;/pre&gt; 
  &lt;/div&gt; &lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Next&lt;/strong&gt;, enter &lt;code&gt;redshift-performance-admin&lt;/code&gt; as the secret name, then choose &lt;strong&gt;Next&lt;/strong&gt;, &lt;strong&gt;Next&lt;/strong&gt;, and &lt;strong&gt;Store&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Copy the secret Amazon Resource Name (ARN) from the secret detail page. You pass it to the collector in a later step.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;div style="width: 610px" class="wp-caption alignnone"&gt;
 &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-3.jpg" alt="AWS Secrets Manager “Store a new secret” page, Step 1: Choose secret type. “Other type of secret” is selected, and the Plaintext tab shows the key-value pair {“username”:“admin”,“password”:“”}. The encryption key is set to aws/secretsmanager. Annotation arrows highlight the secret type selection, the plaintext credentials, and the “Next” button in the lower right." width="600" height="798"&gt;
 &lt;p class="wp-caption-text"&gt;Figure 3 – Create secret&lt;/p&gt;
&lt;/div&gt; 
&lt;h3 id="create-the-iam-role-and-attach-the-policy"&gt;Create the IAM role and attach the policy&lt;/h3&gt; 
&lt;p&gt;The repository includes a trust policy in &lt;a href="https://github.com/aws-samples/sample-ai-performance-advisor-for-amazon-redshift/blob/main/iam/trust-policy.json" target="_blank" rel="noopener"&gt;iam/trust-policy.json&lt;/a&gt; (allowing &lt;code&gt;lambda.amazonaws.com&lt;/code&gt; to assume the role) and the least-privilege permission policy in &lt;a href="https://github.com/aws-samples/sample-ai-performance-advisor-for-amazon-redshift/blob/main/iam/lambda-role-policy.json" target="_blank" rel="noopener"&gt;iam/lambda-role-policy.json&lt;/a&gt;. Replace the &lt;code&gt;&amp;lt;ACCOUNT_ID&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;REGION&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;YOUR_BUCKET&amp;gt;&lt;/code&gt;, and SNS topic ARN placeholders in the permission policy with your values, then create the role in the &lt;a href="https://aws.amazon.com/console/" target="_blank" rel="noopener"&gt;AWS Management Console&lt;/a&gt; or with this AWS CLI command:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws iam create-role --role-name redshift-performance-recommendations-role \
    --assume-role-policy-document file://iam/trust-policy.json

aws iam put-role-policy --role-name redshift-performance-recommendations-role \
    --policy-name redshift-performance-policy \
    --policy-document file://iam/lambda-role-policy.json&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;The permission policy grants the Amazon Redshift Data API, Amazon S3, Amazon SNS, Amazon Bedrock, AWS Lambda invoke, AWS Secrets Manager, and &lt;a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_GettingStarted.html" target="_blank" rel="noopener"&gt;Amazon CloudWatch Logs&lt;/a&gt; permissions that both Lambda functions require.&lt;/p&gt; 
&lt;h2 id="deploy-the-lambda-functions"&gt;Deploy the Lambda functions&lt;/h2&gt; 
&lt;p&gt;The collector source is in &lt;a href="https://github.com/aws-samples/sample-ai-performance-advisor-for-amazon-redshift/blob/main/lambda/collector.py" target="_blank" rel="noopener"&gt;lambda/collector.py&lt;/a&gt; and it loads the SQL files in &lt;a href="https://github.com/aws-samples/sample-ai-performance-advisor-for-amazon-redshift/tree/main/sql" target="_blank" rel="noopener"&gt;sql/&lt;/a&gt; at runtime. The deployment package must contain both.&lt;/p&gt; 
&lt;h3 id="package-the-collector"&gt;Package the collector&lt;/h3&gt; 
&lt;p&gt;Open a terminal or shell window and execute a command to copy the collector code, supporting SQL into a folder and archive.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;mkdir -p build/collector/sql
cp lambda/collector.py build/collector/
cp sql/*.sql build/collector/sql/
(cd build/collector &amp;amp;&amp;amp; zip -qr ../collector.zip .)&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h3 id="create-the-collector-function"&gt;Create the collector function&lt;/h3&gt; 
&lt;p&gt;Using the AWS Management Console, navigate to AWS Lambda.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Create function&lt;/strong&gt;. &lt;p&gt;&lt;/p&gt;
  &lt;div style="width: 610px" class="wp-caption alignnone"&gt;
   &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-4.jpg" alt="AWS Lambda “Create function” console page with the “Configure custom execution role” panel open on the right. “Author from scratch” is selected, the function name is “redshift-performance-collector,” and the runtime is Python 3.14. Under Additional settings, the “Custom execution role” toggle is enabled, and the execution role list is set to “redshift-performance-recommendations-role.” Annotation highlights mark the Author from scratch option, function name, runtime, custom execution role toggle, the selected role, the Save button, and the “Create function” button." width="600" height="1302"&gt;
   &lt;p class="wp-caption-text"&gt;Figure 4 – Create AWS Lambda function&lt;/p&gt;
  &lt;/div&gt;&lt;/li&gt; 
 &lt;li&gt;Select &lt;strong&gt;Author from scratch&lt;/strong&gt;, enter &lt;code&gt;redshift-performance-collector&lt;/code&gt; as the name, and select &lt;strong&gt;Python 3.14&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Expand &lt;strong&gt;Custom settings&lt;/strong&gt;, toggle &lt;strong&gt;Custom execution role&lt;/strong&gt;, choose &lt;strong&gt;an existing role&lt;/strong&gt;, select &lt;code&gt;redshift-performance-recommendations-role&lt;/code&gt;, and choose &lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;On the function page, choose &lt;strong&gt;Upload from&lt;/strong&gt;, &lt;strong&gt;.zip file&lt;/strong&gt;, and upload &lt;code&gt;build/collector.zip&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;In &lt;strong&gt;Runtime settings&lt;/strong&gt;, select &lt;strong&gt;Edit&lt;/strong&gt;, and set the &lt;strong&gt;Handler&lt;/strong&gt; to &lt;code&gt;collector.lambda_handler&lt;/code&gt;. &lt;p&gt;&lt;/p&gt;
  &lt;div style="width: 610px" class="wp-caption alignnone"&gt;
   &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-5.png" alt="Lambda console for the “redshift-performance-collector” function, Code tab. The code editor shows collector.py — a Python file that runs diagnostic SQL queries against Amazon Redshift Serverless, collects CloudWatch metrics, writes telemetry to Amazon S3, and invokes the analyzer Lambda. The Runtime settings section below shows the Handler highlighted as “lambda_function.lambda_handler,” with an arrow pointing to the Edit button and the “Upload from .zip file” option highlighted." width="600" height="1292"&gt;
   &lt;p class="wp-caption-text"&gt;Figure 5 – Set AWS Lambda handler&lt;/p&gt;
  &lt;/div&gt;&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Configuration&lt;/strong&gt;, &lt;strong&gt;Edit&lt;/strong&gt;, set timeout to 5 minutes, and memory to 256 MB. &lt;p&gt;&lt;/p&gt;
  &lt;div style="width: 610px" class="wp-caption alignnone"&gt;
   &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-6.jpg" alt="Lambda console for “redshift-performance-collector,” Configuration tab with “General configuration” selected. The panel shows Memory 128 MB, Ephemeral storage 512 MB, and Timeout 0 min 3 sec, with SnapStart set to None. Annotation arrows point to the General configuration menu item and the Edit button." width="600" height="521"&gt;
   &lt;p class="wp-caption-text"&gt;Figure 6 – Set AWS Lambda timeout and memory&lt;/p&gt;
  &lt;/div&gt;&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Configuration&lt;/strong&gt;, select &lt;strong&gt;Environment variables&lt;/strong&gt;, and add the following keys: 
  &lt;ul&gt; 
   &lt;li&gt;&lt;code&gt;WORKGROUP&lt;/code&gt;: your Amazon Redshift Serverless workgroup name.&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;NAMESPACE_NAME&lt;/code&gt;: the namespace the workgroup belongs to.&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;DATABASE&lt;/code&gt;: &lt;code&gt;dev&lt;/code&gt; (or your target database).&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;BUCKET&lt;/code&gt;: the Amazon S3 bucket name you created earlier.&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;SECRET_ARN&lt;/code&gt;: the AWS Secrets Manager secret ARN you copied earlier.&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;ANALYZER_FN&lt;/code&gt;: &lt;code&gt;redshift-performance-analyzer&lt;/code&gt;.&lt;/li&gt; 
  &lt;/ul&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="package-and-create-the-analyzer"&gt;Package and create the analyzer&lt;/h3&gt; 
&lt;p&gt;Repeat the same steps for the analyzer, using &lt;a href="https://github.com/aws-samples/sample-ai-performance-advisor-for-amazon-redshift/blob/main/lambda/analyzer.py" target="_blank" rel="noopener"&gt;lambda/analyzer.py&lt;/a&gt; with a 15-minute timeout:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;(cd lambda &amp;amp;&amp;amp; zip -q ../build/analyzer.zip analyzer.py)&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Use the Lambda console to create &lt;code&gt;redshift-performance-analyzer&lt;/code&gt; with handler &lt;code&gt;analyzer.lambda_handler&lt;/code&gt;, timeout 15 minutes, memory 256 MB, the same execution role, and these environment variables:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;code&gt;BUCKET&lt;/code&gt;: the same Amazon S3 bucket.&lt;/li&gt; 
 &lt;li&gt;&lt;code&gt;SNS_TOPIC&lt;/code&gt;: the SNS topic ARN.&lt;/li&gt; 
 &lt;li&gt;&lt;code&gt;MODEL_ID&lt;/code&gt;: &lt;code&gt;us.anthropic.claude-sonnet-4-6&lt;/code&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The analyzer creates the Amazon Bedrock client with &lt;code&gt;read_timeout=600&lt;/code&gt; and &lt;code&gt;max_tokens=16384&lt;/code&gt; to handle large prompts and long responses. Anthropic Claude inference on a full telemetry payload typically takes 2–4 minutes.&lt;/p&gt; 
&lt;h2 id="how-the-signals-and-the-prompt-work"&gt;How the signals and the prompt work&lt;/h2&gt; 
&lt;p&gt;You don’t write any custom code for signal computation or prompt construction. Both computation and construction live in the repository.&lt;/p&gt; 
&lt;p&gt;The &lt;code&gt;compute_signals()&lt;/code&gt; function in &lt;code&gt;lambda/collector.py&lt;/code&gt; scans the telemetry for Boolean and threshold-based anti-patterns. At the table level, it looks for row skew, ghost rows, stale statistics, unsorted data, sub-optimal sort or distribution keys, and oversized &lt;code&gt;VARCHAR&lt;/code&gt; columns. It also flags runtime and workload issues such as disk spill, small-insert bursts, high Data Definition Language (DDL) executions, and unoptimized &lt;code&gt;COPY&lt;/code&gt; file size. Beyond that, it catches &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/c-using-spectrum.html" target="_blank" rel="noopener"&gt;Amazon Redshift Spectrum&lt;/a&gt; queries that fail to prune partitions and data sharing materialized views doing full refresh. It also flags WLM configurations that lack Query Monitoring Rules (QMR), such as limits on blocks spilled to disk and query execution time. The full set of signals and thresholds is defined inline in the function. To tune a threshold or add a custom signal, edit this function and redeploy.&lt;/p&gt; 
&lt;p&gt;The &lt;code&gt;build_prompt()&lt;/code&gt; function in &lt;code&gt;lambda/analyzer.py&lt;/code&gt; constructs the Amazon Bedrock prompt in four sections. The first section lists the triggered signals. The second adds CloudWatch metrics, annotated with &lt;code&gt;&amp;gt;&amp;gt; CORRELATION&lt;/code&gt; lines that pair each signal with its supporting metric. The third includes the filtered supporting data, limited to the table and query rows that triggered a signal. The fourth gives explicit instructions to return a pipe delimited text where every recommendation references specific table names, query IDs, and metric values. This structure is why the model produces targeted output rather than generic best-practice advice.&lt;/p&gt; 
&lt;h2 id="schedule-daily-runs"&gt;Schedule daily runs&lt;/h2&gt; 
&lt;p&gt;Use the Amazon EventBridge console to trigger the collector every 24 hours.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Open the EventBridge console and choose &lt;strong&gt;Schedules&lt;/strong&gt; under &lt;strong&gt;Scheduler&lt;/strong&gt;, &lt;strong&gt;Create schedule&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Enter the name &lt;code&gt;redshift-performance-daily&lt;/code&gt; for &lt;strong&gt;Schedule name&lt;/strong&gt;, toggle &lt;strong&gt;Recurring schedule&lt;/strong&gt; and &lt;strong&gt;Rate-based schedule&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Rate expression&lt;/strong&gt;, enter &lt;strong&gt;24&lt;/strong&gt; and select &lt;strong&gt;hours&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Flexible time window&lt;/strong&gt;, choose &lt;strong&gt;Off&lt;/strong&gt;, and select &lt;strong&gt;Next&lt;/strong&gt;. 
  &lt;div style="width: 610px" class="wp-caption alignnone"&gt;
   &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-7.jpg" alt="Amazon EventBridge Scheduler “Create schedule” page, Step 1: Specify schedule detail. The schedule name is “redshift-performance-daily.” Under Schedule pattern, “Recurring schedule” and “Rate-based schedule” are selected, with a rate expression of 24 hours, and the time zone set to (UTC-06:00) America/Denver. Annotation highlights mark the Schedules nav item, the recurring/rate-based selections, the rate expression, and the Next button." width="600" height="1284"&gt;
   &lt;p class="wp-caption-text"&gt;Figure 7 – Create Amazon EventBridge schedule&lt;/p&gt;
  &lt;/div&gt; &lt;p&gt;&lt;em&gt;&amp;nbsp;&lt;/em&gt;&lt;/p&gt;&lt;/li&gt; 
 &lt;li&gt;On the &lt;strong&gt;Select target&lt;/strong&gt; page, choose &lt;strong&gt;AWS Lambda&lt;/strong&gt;, select the &lt;code&gt;redshift-performance-collector&lt;/code&gt; function, and choose &lt;strong&gt;Next&lt;/strong&gt;. &lt;p&gt;&lt;/p&gt;
  &lt;div style="width: 610px" class="wp-caption alignnone"&gt;
   &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-8.jpg" alt="EventBridge Scheduler “Create schedule” page, Step 2: Select target. “Templated targets” is selected and the AWS Lambda “Invoke” target is chosen from the grid of target options. In the Invoke section, the Lambda function list is set to “redshift-performance-collector” with an empty JSON payload. Annotation highlights mark the Templated targets toggle, the AWS Lambda Invoke target, the selected function, and the Next button." width="600" height="1197"&gt;
   &lt;p class="wp-caption-text"&gt;Figure 8 – Select Amazon EventBridge schedule target&lt;/p&gt;
  &lt;/div&gt;&lt;/li&gt; 
 &lt;li&gt;Accept the defaults for &lt;strong&gt;Settings&lt;/strong&gt; and select &lt;strong&gt;Next&lt;/strong&gt;. EventBridge automatically adds a resource-based permission on the Lambda function so the rule can invoke it.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Create schedule&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="run-it-once-and-review-the-output"&gt;Run it once and review the output&lt;/h2&gt; 
&lt;p&gt;Invoke the collector manually to confirm the pipeline works end-to-end.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;In the Lambda console, open the &lt;code&gt;redshift-performance-collector&lt;/code&gt; function and choose &lt;strong&gt;Test&lt;/strong&gt;. Create a test event named &lt;code&gt;manual&lt;/code&gt; with the body &lt;code&gt;{}&lt;/code&gt; and choose &lt;strong&gt;Test&lt;/strong&gt;. &lt;p&gt;&lt;/p&gt;
  &lt;div style="width: 610px" class="wp-caption alignnone"&gt;
   &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-9.jpg" alt="Lambda console for “redshift-performance-collector,” Test tab. A new test event named “manual” is being configured with Invocation type set to Synchronous, event sharing set to Private, the “Hello World” template selected, and an empty {} Event JSON body. Annotation arrows point to the function in the left nav, the Synchronous option, the event name, the Event JSON field, and the Test button." width="600" height="1238"&gt;
   &lt;p class="wp-caption-text"&gt;Figure 9 – Test end-to-end workflow&lt;/p&gt;
  &lt;/div&gt;&lt;/li&gt; 
 &lt;li&gt;The function completes in under a minute. Check the &lt;strong&gt;Monitor&lt;/strong&gt; tab for the invocation log via the &lt;strong&gt;CloudWatch live logs&lt;/strong&gt; link.&lt;/li&gt; 
 &lt;li&gt;In the Amazon S3 console, open your bucket. Confirm that the &lt;code&gt;telemetry/&lt;/code&gt; prefix contains a JSON file with the current timestamp.&lt;/li&gt; 
 &lt;li&gt;Within 2–4 minutes, the analyzer publishes a message to the SNS topic. Check the email address you subscribed for the summary with the top 10 recommendations. Confirm that the &lt;code&gt;recommendations/&lt;/code&gt; prefix in Amazon S3 contains the full JSON.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Each recommendation has a priority (critical, high, medium, low) and a category (&lt;em&gt;query_optimization&lt;/em&gt;, &lt;em&gt;table_design&lt;/em&gt;, &lt;em&gt;capacity&lt;/em&gt;, &lt;em&gt;wlm&lt;/em&gt;, &lt;em&gt;maintenance&lt;/em&gt;, or &lt;em&gt;ingestion&lt;/em&gt;). It also includes a &lt;em&gt;signal_source&lt;/em&gt; that names the signals and CloudWatch metrics that triggered it, a plain-language explanation, a specific SQL or configuration action, and an expected impact estimate.&lt;/p&gt; 
&lt;div style="width: 610px" class="wp-caption alignnone"&gt;
 &lt;img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-10.jpg" alt="Email notification from AWS Notifications with the subject “Redshift performance: 3 critical, 5 high, 4 medium, 2 low (8 signals)” highlighted. The body is a plain-text “Amazon Redshift Performance Recommendations” report listing workgroup, namespace, database, analysis time, and 14 recommendations. Two critical items are shown for the game_events table: fixing extreme row-skew via DISTSTYLE ALL, and eliminating non-encoded columns with column compression, each with a category, source, explanation, SQL action, and expected impact." width="600" height="1147"&gt;
 &lt;p class="wp-caption-text"&gt;Figure 10 – Sample analyzer emailed output&lt;/p&gt;
&lt;/div&gt; 
&lt;h2 id="best-practices"&gt;Best practices&lt;/h2&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Tune thresholds to your workload.&lt;/strong&gt; The default thresholds in &lt;code&gt;compute_signals()&lt;/code&gt; come from the Amazon Redshift operational review playbook. For high-velocity ingestion or small-cluster environments, consider lowering the small-insert threshold, widening the stale-statistics window, or adding custom signals for your own tables.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Keep the signal-to-metric correlations current.&lt;/strong&gt; When you add a signal, also add a matching correlation in &lt;code&gt;build_correlations()&lt;/code&gt;. The inline &lt;code&gt;&amp;gt;&amp;gt; CORRELATION&lt;/code&gt; lines are what make the model connect an infrastructure metric to an application-level symptom.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Review recommendations before you act.&lt;/strong&gt; The analyzer produces prioritized suggestions, but &lt;code&gt;VACUUM&lt;/code&gt;, &lt;code&gt;ANALYZE&lt;/code&gt;, and &lt;code&gt;ALTER TABLE&lt;/code&gt; actions change table state. Read the explanation and action on each recommendation, validate the SQL against your schema, and run it during a maintenance window.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="cleaning-up"&gt;Cleaning up&lt;/h2&gt; 
&lt;p&gt;To avoid ongoing charges, delete the resources you created for this solution:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;The two AWS Lambda functions: &lt;code&gt;redshift-performance-collector&lt;/code&gt; and &lt;code&gt;redshift-performance-analyzer&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;The Amazon EventBridge rule: &lt;code&gt;redshift-performance-daily&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;The Amazon SNS topic and its email subscription: &lt;code&gt;redshift-performance-recommendations&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;The Amazon S3 bucket, including the &lt;code&gt;telemetry/&lt;/code&gt; and &lt;code&gt;recommendations/&lt;/code&gt; objects.&lt;/li&gt; 
 &lt;li&gt;The AWS Secrets Manager secret: &lt;code&gt;redshift-performance-admin&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;The IAM role and its inline policy: &lt;code&gt;redshift-performance-recommendations-role&lt;/code&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;You now have a daily performance review for Amazon Redshift Serverless that runs entirely on AWS Lambda, stores every run in Amazon S3, and delivers prioritized recommendations by email. The signal-based prompt pattern keeps the Amazon Bedrock cost low and the recommendations specific to your workload.&lt;/p&gt; 
&lt;p&gt;To learn more, see the following resources:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Source code: &lt;a href="https://github.com/aws-samples/sample-ai-performance-advisor-for-amazon-redshift" target="_blank" rel="noopener"&gt;sample-ai-performance-advisor-for-amazon-redshift&lt;/a&gt; on the GitHub website.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/cm_chap_system-tables.html" target="_blank" rel="noopener"&gt;Amazon Redshift system tables and views&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html" target="_blank" rel="noopener"&gt;Amazon Bedrock User Guide&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-monitoring.html" target="_blank" rel="noopener"&gt;Monitoring Amazon Redshift Serverless with Amazon CloudWatch&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-11.jpg" alt="Steve Phillips" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Steve Phillips&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/stevephillipsca" target="_blank" rel="noopener"&gt;Steve&lt;/a&gt; is a Principal Technical Account Manager and Analytics specialist at AWS in the North America region. Steve currently focuses on data warehouse architectural design, AI/ML data foundations, data lakes, data ingestion pipelines, and cloud distributed architectures.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/25/BDB-5880-12.jpg" alt="Richard Raseley" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Richard Raseley&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/raseley" target="_blank" rel="noopener"&gt;Richard&lt;/a&gt; is a Senior Technical Account Manager in North America who works with Games customers. He is passionate about applying his background in automation, cloud computing, networking, and storage to help customers build AI solutions.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Scale analytics with Amazon Redshift multi-warehouse enhancements</title>
		<link>https://aws.amazon.com/blogs/big-data/scale-analytics-with-amazon-redshift-multi-warehouse-enhancements/</link>
		
		<dc:creator><![CDATA[Raza Hafeez]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 19:59:42 +0000</pubDate>
				<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Intermediate (200)]]></category>
		<guid isPermaLink="false">79c7444a84c60c1c97c7f871e4eae2ec946dc9b7</guid>

					<description>In this post, we introduce new capabilities of Amazon Redshift that enhance our multi-warehouse and scaling capabilities: remote materialized view (MV) operations, remote table DDL support, and concurrency scaling enhancements for zero-ETL and S3 event integration. These features help you build more scalable, performant decentralized analytics architectures on Amazon Redshift.</description>
										<content:encoded>&lt;p&gt;Onboard analytics workloads at scale with Amazon Redshift’s improved remote table data definition language (DDL), materialized view improvements, and concurrency scaling enhancements for zero-ETL and auto-copy.&lt;/p&gt; 
&lt;p&gt;As organizations scale their analytics capabilities, they need the ability to add workloads without disrupting production operation or being constrained by the resources of a single data warehouse. In this post, we introduce new capabilities of &lt;a target="_blank" href="https://aws.amazon.com/redshift/" rel="noopener"&gt;Amazon Redshift&lt;/a&gt; that enhance our multi-warehouse and scaling capabilities: remote materialized view (MV) operations, remote table DDL support, and concurrency scaling enhancements for zero-ETL and S3 event integration. These features help you build more scalable, performant decentralized analytics architectures on Amazon Redshift.&lt;/p&gt; 
&lt;p&gt;Let us review how these new features enable you to run analytics at scale.&lt;/p&gt; 
&lt;h2 id="new-remote-materialized-view-operations"&gt;New remote materialized view operations&lt;/h2&gt; 
&lt;ul&gt; 
 &lt;li&gt;Amazon Redshift now &lt;a target="_blank" href="https://docs.aws.amazon.com/redshift/latest/dg/materialized-view-refresh.html#materialized-view-auto-refresh" rel="noopener"&gt;classifies CREATE MATERIALIZED VIEW as a user workload&lt;/a&gt;, enabling concurrency scaling to execute MV logic on additional warehouses during resource contention. This ensures queries consistently benefit from MV performance advantages, even under heavy load.&lt;/li&gt; 
 &lt;li&gt;Amazon Redshift now supports &lt;a target="_blank" href="https://aws.amazon.com/about-aws/whats-new/2025/12/amazon-redshift-mv-datasharing-features/" rel="noopener"&gt;creating MVs on remote data shares&lt;/a&gt;, allowing customers who share data across Redshift warehouses to leverage MV performance benefits on both local and shared data.&lt;/li&gt; 
 &lt;li&gt;Consumer warehouses can now &lt;a target="_blank" href="https://aws.amazon.com/about-aws/whats-new/2025/12/amazon-redshift-mv-datasharing-features/" rel="noopener"&gt;refresh MVs created on a producer and create MVs on top of data-shared MVs&lt;/a&gt;, enabling full MV parity across producer and consumer warehouses in a data sharing architecture.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="new-remote-table-ddl-operations"&gt;New remote table DDL operations&lt;/h2&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;code&gt;ALTER TABLE ALTER DISTSTYLE&lt;/code&gt; operations now work on remote warehouses through concurrency scaling and data sharing. You can dynamically optimize data distribution across distributed environments, improving query performance and resource utilization without requiring data migration. This is especially valuable for data engineers fine-tuning performance across multiple warehouses and administrators adapting to changing query patterns.&lt;/li&gt; 
 &lt;li&gt;&lt;code&gt;ALTER TABLE APPEND&lt;/code&gt; operations now extend to remote warehouses through concurrency scaling and data sharing. This consolidates data across distributed environments, so you can efficiently combine tables without complex data movement or extract, transform, and load (ETL) processes. Organizations managing dynamic table operations across multiple environments can maintain data consistency while reducing operational overhead.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="concurrency-scaling-improvements"&gt;Concurrency scaling improvements&lt;/h2&gt; 
&lt;ul&gt; 
 &lt;li&gt;Amazon Redshift’s enhanced &lt;a target="_blank" href="https://aws.amazon.com/about-aws/whats-new/2026/03/concurrency-scaling-auto-copy-zero-ETL/" rel="noopener"&gt;zero-ETL feature now supports concurrency scaling&lt;/a&gt; for automated data ingestion from applications and operational sources.&lt;/li&gt; 
 &lt;li&gt;Amazon Redshift’s enhanced &lt;a target="_blank" href="https://aws.amazon.com/about-aws/whats-new/2026/03/concurrency-scaling-auto-copy-zero-ETL/" rel="noopener"&gt;auto-copy feature now supports concurrency scaling&lt;/a&gt; for automated data ingestion from S3.&lt;/li&gt; 
 &lt;li&gt;Amazon Redshift now extends concurrency scaling to support COPY queries from Amazon S3. You can now &lt;a target="_blank" href="https://aws.amazon.com/about-aws/whats-new/2026/05/concurrencyscaling-support-for-copy/" rel="noopener"&gt;scale data ingestion automatically with concurrency scaling&lt;/a&gt; for batch workloads.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;With these new concurrency scaling capabilities, you can maintain consistent data freshness without compromising existing warehouse performance. This eliminates the traditional trade-off between analytics and data loading. Apart from turning on concurrency scaling, no additional changes are required to take advantage of these features.&lt;/p&gt; 
&lt;h2 id="customer-use-cases"&gt;Customer use cases&lt;/h2&gt; 
&lt;p&gt;This section covers two industry use cases: the first for a financial services customer and the second for a gaming industry customer.&lt;/p&gt; 
&lt;h3 id="financial-services-use-case"&gt;Financial services use case&lt;/h3&gt; 
&lt;p&gt;The following is a sample architecture for a large financial services customer with global operations. This customer uses a multi-warehouse architecture built on Amazon Redshift.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5753-1.jpg" alt="Financial services multi-warehouse architecture using STG, DWH, ETL, and USR Amazon Redshift warehouses" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;The staging (STG) warehouse serves as a raw zone for data from various sources, like the bronze layer of a medallion architecture. This warehouse also cleanses and standardizes the raw data to the silver layer and makes it available for further processing. The STG warehouse uses MVs to process millions of nested JSON messages and extract attributes into scalar columnar Amazon Redshift tables.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;CREATE MATERIALIZED VIEW rawdb.fsi.customer_orders_raw
distkey(c_custkey) sortkey(c_custkey) AS (
    SELECT c_custkey,
        o.o_orderstatus,
        o.o_totalprice,
        o_idx
    FROM customer_orders_lineitem c,
        c.c_orders o AT o_idx
);
REFRESH MATERIALIZED VIEW rawdb.fsi.customer_orders_raw;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;The DWH warehouse serves as the primary Amazon Redshift instance and gold layer, providing data to consuming applications like Business Objects and Tableau. The zero-ETL concurrency scaling improvements provide consistent data freshness even when zero-ETL ingestion spikes occur alongside heavy DWH workloads. The DWH MVs provide fast access to aggregated data for Tableau extracts and Business Objects live reports. The DWH warehouse takes advantage of concurrency scaling when multiple MVs need to be refreshed on the DWH instance.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;CREATE MATERIALIZED VIEW bodb.final.customer_churn_tbl
AS (
    SELECT state,
        account_length,
        area_code,
        total_charge/account_length AS average_daily_spend,
        cust_serv_calls/account_length AS average_daily_cases,
        churn
    FROM custdb.final.customer_activity_all
);
REFRESH MATERIALIZED VIEW bodb.final.customer_churn_tbl;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;The ETL01/02 warehouses serve as dedicated compute environments for running project-specific ETL jobs, while the USR01/02 warehouses handle user workloads such as ad-hoc analysis or model building from dbt. When new objects are required by user workloads, they are created and maintained on the remote producer warehouse (DWH).&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;ALTER TABLE salesdb.final.sales_report_all
ALTER DISTKEY sales_id;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;ALTER TABLE APPEND salesdb.final.sales_report_all
FROM stagingdb.sales.sales_2026_02;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h3 id="gaming-industry-use-case"&gt;Gaming industry use case&lt;/h3&gt; 
&lt;p&gt;A leading gaming company has built their entire analytics infrastructure on AWS, with their analytics team managing data streaming from games, data warehousing, and business intelligence tools. They standardized Amazon Redshift across the organization, migrating off Vertica running on Amazon Elastic Compute Cloud (Amazon EC2). After overcoming early challenges with cluster resize operations, the team became strong advocates for Amazon Redshift and now runs their primary production cluster on 32 ra3.16xlarge nodes.&lt;/p&gt; 
&lt;p&gt;As their data ingestion pipeline grew, query workloads began competing with data ingestion processes, creating performance bottlenecks. Rather than scaling up their primary cluster, they implemented a workload isolation strategy using Amazon Redshift data sharing. The customer launched a second 16-node ra3.4xlarge cluster as a data share consumer, with the primary cluster serving as the producer. This architecture allowed them to migrate consumption workloads to the consumer cluster while the producer focused on data ingestion, effectively supporting growth without increasing the primary cluster size.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5753-2.png" alt="Gaming company architecture with a producer Amazon Redshift cluster sharing data to a consumer cluster" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;Recognizing the advantages of this distributed architecture, the gaming company expanded their approach by migrating workloads to Amazon Redshift Serverless, further using the data sharing model for workload isolation. Amazon Redshift’s remote materialized view capability allowed the gaming company to create materialized views directly on the data shared by the producer cluster. Each consumer cluster could now build materialized views optimized for its specific workload patterns. This created pre-aggregated datasets, custom join strategies, and workload-specific data distributions, without impacting the producer cluster’s performance or requiring data duplication. The producer warehouse maintains data distribution and sorting strategies designed for generic enterprise needs, providing consistent data quality across all consumers. Meanwhile, consumer warehouses used remote materialized views to fine-tune query performance for their distinct analytical requirements, whether supporting real-time player analytics, business intelligence dashboards, or ad-hoc data science workloads. This distributed approach to data consumption optimization proved essential for the gaming company. It delivered fast query performance across diverse analytical workloads while maintaining a single source of truth in the producer cluster and avoiding the operational overhead of managing redundant data copies.&lt;/p&gt; 
&lt;h2 id="best-practices"&gt;Best practices&lt;/h2&gt; 
&lt;p&gt;To get the most out of these new capabilities, consider the following best practices:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Enable concurrency scaling on your Amazon Redshift clusters and Serverless workgroups to allow ETLs and user queries to run even faster, providing consistent report and dashboard performance.&lt;/li&gt; 
 &lt;li&gt;Set up usage limits for concurrency scaling on both Amazon Redshift provisioned clusters and Serverless workgroups by configuring an appropriate &lt;code&gt;MaxRPU&lt;/code&gt; setting. This helps you avoid unexpected additional costs. For more information, see the Amazon Redshift usage limits documentation.&lt;/li&gt; 
 &lt;li&gt;Use remote MVs to offload resource-intensive MV creation and refresh operations from your primary warehouse to remote data share clusters.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;In this post, we walked through the new MV refresh features, remote table DDL capabilities, and expanded concurrency scaling support for zero-ETL and S3 auto-copy. These features help you move beyond the constraints of a single warehouse. They are particularly valuable for organizations managing distributed data architectures that require dynamic table management across multiple environments while maintaining data consistency and adapting quickly to changing workloads. To get started, make sure you are running the latest Amazon Redshift &lt;a target="_blank" href="https://docs.aws.amazon.com/redshift/latest/mgmt/cluster-versions.html" rel="noopener"&gt;version&lt;/a&gt;. Then visit the Amazon Redshift documentation to learn more about &lt;a target="_blank" href="https://aws.amazon.com/redshift/features/concurrency-scaling/" rel="noopener"&gt;concurrency scaling&lt;/a&gt;, &lt;a target="_blank" href="https://aws.amazon.com/redshift/features/data-sharing/" rel="noopener"&gt;data sharing&lt;/a&gt;, and &lt;a target="_blank" href="https://docs.aws.amazon.com/redshift/latest/dg/materialized-view-overview.html" rel="noopener"&gt;materialized views&lt;/a&gt;.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/Raza_Hafeez.jpg" alt="Raza Hafeez" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Raza Hafeez&lt;/h3&gt; 
  &lt;p&gt;&lt;a target="_blank" href="https://www.linkedin.com/in/raza-hafeez/" rel="noopener noreferrer" aria-describedby="sk-tooltip-192516"&gt;Raza&lt;/a&gt; is a Senior Product Manager, Technical at Amazon Redshift. He has 15+ years of experience building and optimizing enterprise data warehouses and is passionate about making cloud analytics accessible and cost-effective for customers of all sizes.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2024/05/13/ravi.jpg" alt="Ravi Animi" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Ravi Animi&lt;/h3&gt; 
  &lt;p&gt;Ravi is a senior product leader in the Amazon Redshift team and manages several functional areas of the Amazon Redshift cloud data warehouse service, including spatial analytics, streaming analytics, query performance, Spark integration, and analytics business strategy. He has experience with relational databases, multidimensional databases, IoT technologies, storage and compute infrastructure services, and more recently, as a startup founder in the areas of artificial intelligence (AI) and deep learning, computer vision, and robotics.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2025/11/18/internal-cdn.amazon.jpg" alt="Satesh Sonti" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Satesh Sonti&lt;/h3&gt; 
  &lt;p&gt;&lt;a target="_blank" href="https://www.linkedin.com/in/satish-kumar-sonti/" rel="noopener"&gt;Satesh&lt;/a&gt; is a Principal Analytics Specialist Solutions Architect based in Atlanta, specializing in building enterprise data platforms, data warehousing, and analytics solutions. He has over 20 years of experience in building data assets and leading complex data platform programs for banking and insurance clients across the globe.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/Milind_Oke.png" alt="Milind Oke" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Milind Oke&lt;/h3&gt; 
  &lt;p&gt;Milind is a senior Redshift specialist solutions architect who has worked at Amazon Web Services for three years. He is an AWS-certified SA Associate, Security Specialty and Analytics Specialty certification holder, based out of Queens, New York.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Amazon Redshift delivers faster performance for BI dashboards and real-time analytics</title>
		<link>https://aws.amazon.com/blogs/big-data/amazon-redshift-delivers-faster-performance-for-bi-dashboards-and-real-time-analytics/</link>
		
		<dc:creator><![CDATA[Stefan Gromoll]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 17:05:12 +0000</pubDate>
				<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[Analytics]]></category>
		<guid isPermaLink="false">e0986f904ef5c9e597f8ea37f0f4c7707d9257ab</guid>

					<description>Today, we’re excited to announce a new performance optimization in Amazon Redshift that improves the response times of low-latency SQL queries, such as those used in real-time analytics applications or generated by BI dashboards. With this enhancement, you can experience improved query latencies because of a reduction in the time Amazon Redshift spends preparing SQL queries for execution. SQL queries start faster, so they return results quicker.</description>
										<content:encoded>&lt;p&gt;Business intelligence (BI) dashboards and real-time analytics have become essential tools for making informed decisions quickly. Modern data warehouses must excel at complex, long-running analytical queries and also deliver sub-second response times for the short, ad hoc queries that power interactive and real-time experiences. This matters even more as agents explore and derive new insights from massive amounts of data. From executives monitoring key performance indicators on their morning dashboards to data analysts using agents to explore datasets interactively, the expectation is clear: queries should return results fast and predictably.&lt;/p&gt; 
&lt;p&gt;Amazon Redshift has long been optimized for these use cases. Over the years, we’ve introduced numerous features designed to improve query performance for BI and real-time analytics workloads, including result caching, materialized views, and automatic workload management (AutoWLM). These capabilities have helped thousands of customers build responsive dashboards and real-time applications on Amazon Redshift. However, we know that when it comes to interactive analytics, every millisecond matters. That’s why we keep focusing on making dashboards load faster and helping exploratory queries return results more quickly.&lt;/p&gt; 
&lt;p&gt;Today, we’re excited to announce a new performance optimization in Amazon Redshift that improves the response times of low-latency SQL queries, such as those used in real-time analytics applications or generated by BI dashboards. With this enhancement, you can experience improved query latencies because of a reduction in the time Amazon Redshift spends preparing SQL queries for execution. SQL queries start faster, so they return results quicker.&lt;/p&gt; 
&lt;h2 id="how-the-optimization-works"&gt;How the optimization works&lt;/h2&gt; 
&lt;p&gt;To understand this improvement, let’s first examine one of Amazon Redshift’s existing core performance capabilities: code generation. Code generation is an optimization technique that analyzes each SQL query and generates query-specific C++ code internally. This code is then compiled and executed in parallel across the available Amazon Redshift compute nodes to deliver results back to you. Code generation has been fundamental to Amazon Redshift query performance, executing complex analytical queries with high efficiency.&lt;/p&gt; 
&lt;p&gt;While code generation results in performant query execution, new queries can experience a one-time compilation overhead the first time they run. Amazon Redshift already caches compiled code, and &lt;a href="https://aws.amazon.com/blogs/big-data/fast-and-predictable-performance-with-serverless-compilation-using-amazon-redshift/" target="_blank" rel="noopener"&gt;more than 99% of queries in the Amazon Redshift fleet execute using this cached generated code&lt;/a&gt; and experience no compilation overhead. For queries that haven’t been cached yet, the one-time compilation overhead is most noticeable for fast-running queries (for example, millisecond or single-digit second queries), where it can represent a significant portion of total execution time.&lt;/p&gt; 
&lt;p&gt;With the optimization we announced, Amazon Redshift reduces this compilation overhead. Here’s how it works: when Amazon Redshift receives a query, it first checks if optimized compiled C++ code already exists in the cache from previous executions of similar queries in the Amazon Redshift fleet. If so, it uses that code for best performance. If not, Amazon Redshift now applies a new query compilation optimization that processes new queries immediately using composition. Composition is a technique that generates a lightweight arrangement of pre-existing logic. At the same time, it creates query-specific optimized code that is compiled and executed across available compute resources to boost performance further. Composition removes compilation from the critical path of query execution and provides immediate execution while compilation proceeds in the background. With this optimization, new queries processed by Amazon Redshift start faster and deliver performance consistent with subsequent runs.&lt;/p&gt; 
&lt;p&gt;This approach ensures that first-time queries start much quicker, while repeated queries continue to benefit from the same leading price-performance that Amazon Redshift code generation delivers.&lt;/p&gt; 
&lt;p&gt;The best part? No action is necessary for your queries to start benefiting from this performance optimization. This enhancement is now the default for all SQL queries in Amazon Redshift for all users on provisioned clusters or serverless workgroups in all AWS Regions where Amazon Redshift is available at no additional cost.&lt;/p&gt; 
&lt;h2 id="real-world-performance-results"&gt;Real-world performance results&lt;/h2&gt; 
&lt;p&gt;We analyzed the impact of this new optimization on Amazon Redshift customer clusters. To do so, we measured the compilation time of the 1% of query segments that didn’t get a cache hit in our compilation cache and therefore required compilation. The following chart shows the results. The P50 compilation time before the optimization was 4.3 seconds. With this optimization, the compilation time dropped 25.7x to 170 ms.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/19/BDB-5638-1-3.png" alt="Bar chart comparing P50 compilation time on Amazon Redshift before and after the FastCompile optimization, showing a reduction from 4.3 seconds to 170 milliseconds, a 25.7x improvement" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;With this optimization, BI dashboards load faster, interactive exploration feels more responsive, and real-time analytics applications can deliver insights with lower latency.&lt;/p&gt; 
&lt;h2 id="what-customers-are-saying"&gt;What customers are saying&lt;/h2&gt; 
&lt;blockquote&gt;
 &lt;p&gt;&lt;em&gt;“Following the significant performance improvements that Amazon Redshift demonstrated for cold query execution on our cluster with the FastCompile query performance feature enabled, achieving 2.4x faster query performance with compilation time reduced from 12 seconds to 5 seconds, we have adopted Amazon Redshift as our analytics solution”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt; 
&lt;p&gt;— Vijay Hiremath, Group Manager, Business Platforms, Intuit&lt;/p&gt; 
&lt;blockquote&gt;
 &lt;p&gt;&lt;em&gt;“As a data platform leader at a leading Chinese liquor company, we rely heavily on Amazon Redshift as our enterprise data warehouse. With diverse analytical query patterns, we faced performance challenges during initial compilation. After testing Redshift’s new cold query compilation enhancement, cold queries now perform nearly as fast as warm queries, with significantly improved speed on diverse queries”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt; 
&lt;p&gt;— Yujie Wang, Data Platform Leader, JNC&lt;/p&gt; 
&lt;blockquote&gt;
 &lt;p&gt;&lt;em&gt;“In a mid size customer processing about 85 GB of data daily through complex ETL pipelines — multiple tables, mixed DML operations, all landing into our 1.7 TB Amazon Redshift data warehouse, fast compile enhancements accelerated our post-maintenance ETL pipelines by 25%. Now the customer data loads complete faster, data hits analysts sooner for quick decisions”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt; 
&lt;p&gt;— Jagan Mohan, Product Engineering Head, Algonomy&lt;/p&gt; 
&lt;p&gt;If you want to learn more about this technology, see the &lt;span&gt;&lt;a href="https://www.amazon.science/publications/fastcompose-eliminating-compilation-cold-starts-in-query-execution-with-composition" target="_blank" rel="noopener noreferrer"&gt;FastCompose: Eliminating compilation cold starts in query execution with composition&lt;/a&gt;&lt;/span&gt; publication, accepted for the &lt;span&gt;&lt;a href="https://vldb.org/2026/" target="_blank" rel="noopener noreferrer"&gt;VLDB 2026 Boston conference&lt;/a&gt;&lt;/span&gt;.&lt;/p&gt; 
&lt;h2 id="industry-leading-price-performance-for-all-of-your-workloads"&gt;Industry-leading price-performance for all of your workloads&lt;/h2&gt; 
&lt;p&gt;To illustrate the impact of this optimization, we simulated a short-running BI-like low-latency workload using a benchmark derived from the industry-standard TPC-DS benchmark. We ran the workload at a relatively small scale of 100 GB on a 3-node RG xlarge Amazon Redshift cluster. At this cluster size and scale, queries finish in milliseconds or single-digit seconds, representing the expected latencies of a typical BI dashboard. The derived TPC-DS benchmark includes 99 different queries that represent a mix of realistic business intelligence workloads, including reporting queries, ad hoc analysis, and data exploration patterns. For this test, we compared a single cold run of these queries on an Amazon Redshift RG cluster with the same run on comparable alternative cloud data warehouses. We launched the warehouses, loaded the data, executed a single run of 99 queries, and measured the total runtime and geometric mean of the queries. No other cluster warm-up or setup was done. This query performance improvement is hardware agnostic. It works on all supported Amazon Redshift hardware instance types, on RA3 and RG on provisioned clusters, and on the hardware that supports serverless workgroups.&lt;/p&gt; 
&lt;p&gt;The results are shown in table below and summarized in subsequent chart. With this new optimization, Amazon Redshift delivers the fastest runtime and geomean for these short queries at the lowest cost, with up to 8.3x better price-performance than the leading alternative data warehouses for new queries.&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;span style="color: #ffffff"&gt;.&lt;/span&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Cost / hr&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Runtime (sec)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Geomean (sec)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Runtime comparison&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Geomean comparison&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Geomean price-performance&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Redshift 3-node RG.xlarge&lt;/td&gt; 
   &lt;td&gt;$2.28&lt;/td&gt; 
   &lt;td&gt;235&lt;/td&gt; 
   &lt;td&gt;1.7&lt;/td&gt; 
   &lt;td&gt;baseline&lt;/td&gt; 
   &lt;td&gt;baseline&lt;/td&gt; 
   &lt;td&gt;baseline&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Alternative Warehouse A&lt;/td&gt; 
   &lt;td&gt;$3.00&lt;/td&gt; 
   &lt;td&gt;327&lt;/td&gt; 
   &lt;td&gt;2.3&lt;/td&gt; 
   &lt;td&gt;1.4x slower&lt;/td&gt; 
   &lt;td&gt;1.3x slower&lt;/td&gt; 
   &lt;td&gt;1.7x more expensive&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Alternative Warehouse B&lt;/td&gt; 
   &lt;td&gt;$4.00&lt;/td&gt; 
   &lt;td&gt;538&lt;/td&gt; 
   &lt;td&gt;3.4&lt;/td&gt; 
   &lt;td&gt;2.3x slower&lt;/td&gt; 
   &lt;td&gt;2x slower&lt;/td&gt; 
   &lt;td&gt;3.4x more expensive&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Alternative Warehouse C&lt;/td&gt; 
   &lt;td&gt;$6.00&lt;/td&gt; 
   &lt;td&gt;907&lt;/td&gt; 
   &lt;td&gt;5.5&lt;/td&gt; 
   &lt;td&gt;3.9x slower&lt;/td&gt; 
   &lt;td&gt;3.2x slower&lt;/td&gt; 
   &lt;td&gt;8.3x more expensive&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/19/BDB-5638-2-3.png" alt="Bar chart comparing TPC-DS benchmark price-performance for the Amazon Redshift 3-node RG.xlarge baseline against three alternative cloud data warehouses, showing Amazon Redshift fastest at lowest cost and up to 8.3x better price-performance" width="600"&gt;&lt;/p&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;The new query startup optimization in Amazon Redshift continues our commitment to fast performance across analytical workloads. By reducing compilation overhead, we’ve made BI dashboards and real-time analytics applications more responsive, while maintaining the query execution performance that Amazon Redshift is known for.&lt;/p&gt; 
&lt;p&gt;Because this optimization is automatically enabled for all Amazon Redshift customers, you can start experiencing these benefits immediately. No configuration changes or query rewrites are required. Your existing queries will run faster.&lt;/p&gt; 
&lt;p&gt;To learn more, visit &lt;a href="https://aws.amazon.com/redshift/" target="_blank" rel="noopener"&gt;Amazon Redshift&lt;/a&gt;. To get started, you can try &lt;a href="https://aws.amazon.com/redshift/redshift-serverless/" target="_blank" rel="noopener"&gt;Amazon Redshift Serverless&lt;/a&gt; and start querying data in minutes without setting up or managing data warehouse infrastructure. For more details on performance best practices, see the &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/" target="_blank" rel="noopener"&gt;Amazon Redshift Database Developer Guide&lt;/a&gt;.&lt;/p&gt; 
&lt;h2 id="find-the-best-price-performance-for-your-workloads"&gt;Find the best price performance for your workloads&lt;/h2&gt; 
&lt;p&gt;The benchmark used in this post is derived from the industry-standard TPC-DS benchmark, and has the following characteristics:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;The schema and data come from TPC-DS unmodified.&lt;/li&gt; 
 &lt;li&gt;The queries are used unmodified from TPC-DS. TPC-approved query variants are used for a warehouse if the warehouse does not support the SQL dialect of the default TPC-DS query.&lt;/li&gt; 
 &lt;li&gt;The test includes only the 99 TPC-DS &lt;code&gt;SELECT&lt;/code&gt; queries. It does not include maintenance and throughput steps.&lt;/li&gt; 
 &lt;li&gt;A single power run was run with query parameters generated using the default random seed of the TPC-DS kit. The total runtime and geomean of that single cold run were used for the results in this post.&lt;/li&gt; 
 &lt;li&gt;Price performance is calculated as the geomean in seconds divided by 3,600 seconds per hour, multiplied by the cost of the warehouse per hour. The result is equivalent to the geomean cost per query. Published on-demand pricing is used for all data warehouses.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;We call this benchmark the Cloud Data Warehouse Benchmark, and you can reproduce the preceding benchmark results using the scripts, queries, and data available on &lt;a href="https://github.com/awslabs/amazon-redshift-utils/tree/master/src/CloudDataWarehouseBenchmark/Cloud-DWB-Derived-from-TPCDS" target="_blank" rel="noopener"&gt;GitHub&lt;/a&gt;. It is derived from the TPC-DS benchmark and is not comparable to published TPC-DS results, because our test results do not comply with the specification.&lt;/p&gt; 
&lt;p&gt;Each workload has unique characteristics. If you’re starting out, a proof of concept is the best way to understand how Amazon Redshift performs for your requirements. When running your own proof of concept, focus on proper cluster sizing and the right metrics: query throughput (the number of queries per hour) and price performance. You can make a data-driven decision by &lt;a href="https://pages.awscloud.com/redshift-proof-of-concept-request" target="_blank" rel="noopener"&gt;requesting assistance&lt;/a&gt; with a proof of concept or by working with a &lt;a href="https://aws.amazon.com/redshift/partners/" target="_blank" rel="noopener"&gt;system integration and consulting partner&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;To stay current with the latest developments in Amazon Redshift, subscribe to the &lt;a href="https://aws.amazon.com/redshift/whats-new/" target="_blank" rel="noopener"&gt;What’s New in Amazon Redshift&lt;/a&gt; RSS feed.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/19/BDB-5638-3-1.jpg" alt="Stefan Gromoll" width="100" height="133"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Stefan Gromoll&lt;/h3&gt; 
  &lt;p&gt;Stefan is a Principal Engineer with Amazon Redshift where he is responsible for Redshift performance across the stack. In his spare time, he enjoys cooking, playing with his three boys, and chopping firewood.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/19/BDB-5638-4-1.jpg" alt="Ravi Animi" width="100" height="133"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Ravi Animi&lt;/h3&gt; 
  &lt;p&gt;Ravi is a Senior Product Management leader in the Redshift Team and manages several functional areas of the Amazon Redshift cloud data warehouse service including performance across the stack, query processing, materialized views, spatial analytics, streaming analytics and migration strategies. He has deep experience with relational databases, multi-dimensional databases, IoT technologies, storage and compute infrastructure services and as a startup founder using AI/deep learning, computer vision, and robotics. He has dual bachelors degrees in physics and electrical engineering from Washington Univ. St.&amp;nbsp;Louis, a masters degree in engineering from Stanford and an MBA from Chicago Booth.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/19/BDB-5638-6-1.jpg" alt="Venkat Govindaraju" width="100" height="133"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Venkat Govindaraju&lt;/h3&gt; 
  &lt;p&gt;Venkat is a Principal Engineer at Amazon Web Services (AWS Redshift) with over 25 years of experience building, optimizing, and scaling large- scale data management systems. He holds a Ph.D. in Computer Science from the University of Wisconsin–Madison, where his research focused on energy-efficient computing through compiler-assisted dynamic hardware specialization. His work spans distributed systems, query engines, and hardware-software co-design, with publications in top venues including VLDB, SIGMOD, MICRO, and ISCA, and multiple US patents. He has previously held roles at Facebook, Oracle Labs, and Epic Systems.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/19/BDB-5638-5-1.jpg" alt="Kiran Chinta" width="100" height="133"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Kiran Chinta&lt;/h3&gt; 
  &lt;p&gt;Kiran is a Senior Development Manager in the Amazon Redshift engineering team. He has led the delivery of several key features in Amazon Redshift. He has extensive experience leading software engineering teams at Amazon Web Services, IBM and other companies.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Optimize your Tableau integration with Amazon Redshift Serverless</title>
		<link>https://aws.amazon.com/blogs/big-data/optimize-your-tableau-integration-with-amazon-redshift-serverless/</link>
		
		<dc:creator><![CDATA[Nidhi Nayak]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 17:00:00 +0000</pubDate>
				<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[Intermediate (200)]]></category>
		<category><![CDATA[Serverless]]></category>
		<guid isPermaLink="false">ac23a02e54bde0591371585aaf4d2811205acc4a</guid>

					<description>In this post, we provide a guide to help you use Tableau’s Relationships and Amazon Redshift Serverless architecture to deliver sub-second insights while maximizing every Redshift Processing Unit (RPU). We also provide guidance on five key areas: data model architecture for optimal query performance, security configuration and access control, performance optimization through smart configuration, cost management strategies, and query and join optimization techniques.</description>
										<content:encoded>&lt;p&gt;This is a guest blog post co-written by Adiascar Cisneros, from Tableau at Salesforce.&lt;/p&gt; 
&lt;p&gt;Integrating &lt;a href="https://www.tableau.com/" target="_blank" rel="noopener"&gt;Tableau&lt;/a&gt; with &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-serverless.html" target="_blank" rel="noopener"&gt;Amazon Redshift Serverless&lt;/a&gt; gives you high-performance analytics with serverless scaling and minimal capacity planning. Although automatic scaling handles warehouse management for you, optimization requires a strategic approach to data modeling, security, and query management.&lt;/p&gt; 
&lt;p&gt;In this post, we provide a guide to help you use Tableau’s Relationships and Amazon Redshift Serverless architecture to deliver sub-second insights while maximizing every &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-capacity.html" target="_blank" rel="noopener"&gt;Redshift Processing Unit (RPU)&lt;/a&gt;. We also provide guidance on five key areas: data model architecture for optimal query performance, security configuration and access control, performance optimization through smart configuration, cost management strategies, and query and join optimization techniques.&lt;/p&gt; 
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;/h2&gt; 
&lt;p&gt;Before implementing these optimization strategies, make sure you have:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Tableau Desktop (version 2022.1 or later) or Tableau Server deployed.&lt;/li&gt; 
 &lt;li&gt;An active Amazon Redshift Serverless workspace.&lt;/li&gt; 
 &lt;li&gt;AWS Identity and Access Management (IAM) permissions to configure authentication and access controls.&lt;/li&gt; 
 &lt;li&gt;Network connectivity configured between your Tableau environment and Amazon Redshift Serverless.&lt;/li&gt; 
 &lt;li&gt;The native Amazon Redshift driver installed.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="building-the-foundation"&gt;Building the foundation&lt;/h3&gt; 
&lt;p&gt;The success of any analytics system begins with its data model. True scalability starts with the end-user experience. Your data model is more than a storage structure. It’s the foundation of dashboard responsiveness. By aligning your database design in Amazon Redshift with your analytical requirements, you empower Tableau to generate highly efficient queries, reducing costs and keeping your users engaged with the data.&lt;/p&gt; 
&lt;p&gt;When connecting to Amazon Redshift, we recommend using Tableau’s logical data model, specifically &lt;a href="https://help.tableau.com/current/pro/desktop/en-us/datasource_multitable_normalized.htm" target="_blank" rel="noopener"&gt;Relationships&lt;/a&gt;. With Relationship, you can preserve the native level of detail for each table, so Tableau can perform &lt;em&gt;join culling&lt;/em&gt; and dynamically query only the specific tables needed for a particular visualization.&lt;/p&gt; 
&lt;p&gt;When designing your Amazon Redshift schema, implement a well-structured star or snowflake schema, or one big denormalized table where appropriate. This allows Tableau to optimize query execution automatically. Modern Amazon Redshift deployments benefit significantly from &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/t_Creating_tables.html" target="_blank" rel="noopener"&gt;Automatic Table Optimization (ATO)&lt;/a&gt;, which uses AI and machine learning (ML) to continuously monitor and adjust sort keys and distribution keys. To take advantage of ATO, keep sort keys and distribution styles at their default &lt;code&gt;AUTO&lt;/code&gt; setting when you create tables. ATO then continuously monitors workload patterns and adjusts keys to improve query performance.&lt;/p&gt; 
&lt;p&gt;Start by implementing &lt;a href="https://help.tableau.com/current/pro/desktop/en-us/datasource_multitable_normalized.htm" target="_blank" rel="noopener"&gt;Relationships&lt;/a&gt; in your existing workbooks to take advantage of &lt;a href="https://help.tableau.com/current/pro/desktop/en-us/datasource_multitable_normalized.htm" target="_blank" rel="noopener"&gt;join culling&lt;/a&gt; and improved query performance.&lt;/p&gt; 
&lt;h2 id="securing-your-connection"&gt;Securing your connection&lt;/h2&gt; 
&lt;p&gt;Native database drivers provide enhanced security features and better integration with Amazon Redshift capabilities compared to generic ODBC or JDBC alternatives.&lt;/p&gt; 
&lt;p&gt;The integrity of your analytics relies on the quality of the connection between your platforms. Use the native Amazon Redshift driver rather than generic ODBC or JDBC alternatives. The native driver is specifically engineered to use the advanced capabilities of Amazon Redshift and supports modern security protocols, such as &lt;a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html" target="_blank" rel="noopener"&gt;AWS IAM Identity Center&lt;/a&gt;, out of the box. By prioritizing the native driver, you verify that your connection uses the latest security patches and performance optimizations, establishing a hardened and efficient entry point for your data. For more information, see &lt;a href="https://aws.amazon.com/blogs/big-data/integrate-tableau-and-okta-with-amazon-redshift-using-aws-iam-identity-center/" target="_blank" rel="noopener"&gt;Integrate Tableau and Okta with Amazon Redshift using AWS IAM Identity Center&lt;/a&gt;.&lt;/p&gt; 
&lt;h3 id="connection-stability-for-high-scale-environments"&gt;Connection stability for high-scale environments&lt;/h3&gt; 
&lt;p&gt;In Amazon Redshift, cursors are used to retrieve a result set from a query and process the data row-by-row or in smaller chunks rather than loading the entire set into memory at once. For high-scale environments, stable connections depend on how you handle large result sets. In some high-volume scenarios, Amazon Redshift cursors can introduce resource overhead that impacts user concurrency. Monitor your workload and, if necessary, fine-tune your connection configurations using &lt;a href="https://help.tableau.com/current/pro/desktop/en-us/connect_customize.htm" target="_blank" rel="noopener"&gt;Tableau Data Customization&lt;/a&gt; (TDC) files. TDC files are XML configuration files that customize how Tableau connects to your database. Specifically, validate whether disabling cursors improves throughput.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Important&lt;/strong&gt;: This configuration loads the entire dataset into memory. For large datasets, this might cause performance degradation or out-of-memory errors. Evaluate your dataset size and business requirements before you turn on this setting. This is a key step in tuning your deployment, helping verify that your Amazon Redshift resources remain available and responsive for secure, ad-hoc analysis.&lt;/p&gt; 
&lt;h3 id="security-best-practices"&gt;Security best practices&lt;/h3&gt; 
&lt;p&gt;Follow &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/iam-redshift-user-mgmt.html" target="_blank" rel="noopener"&gt;security&lt;/a&gt; best practices while deploying Amazon Redshift Serverless. Configure security groups to control inbound access from Tableau Server and Desktop IP ranges. &lt;a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener"&gt;IAM authentication&lt;/a&gt; must be the primary method, complemented by SSL/TLS encryption for all connections.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/t_Roles.html" target="_blank" rel="noopener"&gt;Role-based access control (RBAC)&lt;/a&gt; forms the backbone of your security framework:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Map IAM roles to database users.&lt;/li&gt; 
 &lt;li&gt;Implement least privilege access in Amazon Redshift using &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/r_Database_objects.html" target="_blank" rel="noopener"&gt;database security controls&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;Implement comprehensive monitoring through &lt;a href="https://aws.amazon.com/blogs/big-data/using-aws-cloudwatch-as-destination-for-amazon-redshift-audit-logs/" target="_blank" rel="noopener"&gt;audit logging&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;Use &lt;a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener"&gt;Amazon CloudWatch&lt;/a&gt; for failed login attempts.&lt;/li&gt; 
 &lt;li&gt;Track API activity with &lt;a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html" target="_blank" rel="noopener"&gt;AWS CloudTrail&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;For authorization, implement a layered security model:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Apply explicit &lt;code&gt;GRANT&lt;/code&gt; statements.&lt;/li&gt; 
 &lt;li&gt;Create distinct database roles aligned with business functions.&lt;/li&gt; 
 &lt;li&gt;Use Amazon Redshift system-defined roles judiciously.&lt;/li&gt; 
 &lt;li&gt;Apply dynamic data masking for sensitive data.&lt;/li&gt; 
 &lt;li&gt;Conduct regular security audits to support ongoing protection.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Audit your current connection types and migrate to the native Amazon Redshift driver if you’re using ODBC or JDBC connections.&lt;/p&gt; 
&lt;h2 id="enhancing-performance-through-smart-configuration"&gt;Enhancing performance through smart configuration&lt;/h2&gt; 
&lt;p&gt;Smart configuration spans how much data you query, where you push complex logic, how you design dashboards, and how you tune connections. The following sections cover each area.&lt;/p&gt; 
&lt;h3 id="managing-data-volume"&gt;Managing data volume&lt;/h3&gt; 
&lt;p&gt;To maximize workbook efficiency, start by rigorously managing your data volume. Although Amazon Redshift handles large datasets well, your dashboard should query only what is strictly necessary. Use &lt;a href="https://help.tableau.com/current/pro/desktop/en-us/extracting_data.htm" target="_blank" rel="noopener"&gt;Tableau Hyper Extracts&lt;/a&gt; for production environments to provide a consistent, high-speed cache that offloads repetitive query processing from Amazon Redshift. If a live connection is required, strictly limit your data intake by using Data Source Filters and hiding all unused fields. This helps verify that Tableau generates leaner queries, significantly reducing network latency and processing time.&lt;/p&gt; 
&lt;h3 id="shifting-complexity-to-the-database"&gt;Shifting complexity to the database&lt;/h3&gt; 
&lt;p&gt;Next, shift the burden of complexity away from the visualization layer. Materialize calculations within your extracts or push complex logic (especially row-level string manipulations and regex) directly down to the Amazon Redshift database level. By pre-calculating these values before the user ever loads the dashboard, you eliminate expensive runtime processing.&lt;/p&gt; 
&lt;p&gt;Simplify your logic within Tableau by using native features like &lt;code&gt;CASE&lt;/code&gt; statements or Sets rather than complex IF/THEN statements. Testing shows these methods perform significantly faster for grouping dimensions.&lt;/p&gt; 
&lt;h3 id="streamlining-dashboard-design"&gt;Streamlining dashboard design&lt;/h3&gt; 
&lt;p&gt;Additionally, optimize the rendering process by streamlining your dashboard design:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Limit the number of visualizations per dashboard.&lt;/li&gt; 
 &lt;li&gt;Prioritize fixed-size dashboards to maximize server-side caching effectiveness.&lt;/li&gt; 
 &lt;li&gt;Avoid high-cardinality filters (fields with thousands of unique values).&lt;/li&gt; 
 &lt;li&gt;Don’t use the ‘Show Only Relevant Values’ setting on large datasets, because it forces the system to run extra background queries that slow down your dashboard.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="connection-and-parameter-tuning"&gt;Connection and parameter tuning&lt;/h3&gt; 
&lt;p&gt;Optimize Tableau’s performance by enabling &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/configuring-connections.html" target="_blank" rel="noopener"&gt;connection pooling&lt;/a&gt; tailored to your concurrent user count. Configure datetime handling and parallel query execution settings to match your workload patterns.&lt;/p&gt; 
&lt;p&gt;You can enhance the automatic resource management of Amazon Redshift Serverless through parameter optimization. Key parameters include:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Set &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/r_enable_result_cache_for_session.html" target="_blank" rel="noopener"&gt;enable_result_cache_for_session&lt;/a&gt; to &lt;code&gt;OFF&lt;/code&gt; during development to verify you’re testing against live query performance, not cached results. Set it to &lt;code&gt;ON&lt;/code&gt; in production.&lt;/li&gt; 
 &lt;li&gt;Use &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-capacity.html?refid=6e78b6f1-dfd8-49b4-ae84-4527ca1881cb#serverless-auto-optimization" target="_blank" rel="noopener"&gt;AI scaling&lt;/a&gt; for spiky workloads.&lt;/li&gt; 
 &lt;li&gt;Use &lt;a href="https://aws.amazon.com/about-aws/whats-new/2026/01/amazon-redshift-serverless-queue-based-query-resource-management/" target="_blank" rel="noopener"&gt;queue based query resource management&lt;/a&gt; to set monitoring rules that control compute usage and prevent runaway queries from impacting workloads.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Choosing between extracts and live queries is a foundational architectural decision. We recommend a hybrid approach tailored to specific use cases rather than a one-size-fits-all policy.&lt;/p&gt; 
&lt;h3 id="when-to-use-live-queries"&gt;When to use live queries&lt;/h3&gt; 
&lt;p&gt;Live queries are best for real-time analytics. They use Amazon Redshift Serverless automatic scaling to query massive datasets in place. Use this approach for:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Up-to-the-minute data requirements.&lt;/li&gt; 
 &lt;li&gt;Datasets too massive for extracts.&lt;/li&gt; 
 &lt;li&gt;Scenarios requiring database-level row security.&lt;/li&gt; 
 &lt;li&gt;Integration with &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/c-using-spectrum.html" target="_blank" rel="noopener"&gt;Amazon Redshift Spectrum&lt;/a&gt; for Amazon Simple Storage Service (Amazon S3) data.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Keep in mind that live connections rely entirely on the database’s performance, so &lt;a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/query-best-practices-redshift/best-practices-tables.html" target="_blank" rel="noopener"&gt;optimizing your Amazon Redshift tables&lt;/a&gt; and using &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/materialized-view-overview.html" target="_blank" rel="noopener"&gt;materialization&lt;/a&gt; techniques within the database is important for maintaining interactivity.&lt;/p&gt; 
&lt;h3 id="when-to-use-extracts"&gt;When to use extracts&lt;/h3&gt; 
&lt;p&gt;For scenarios when data is static or where query performance is critical, Tableau Hyper Extracts provide a high-speed cache that shifts the processing load from Amazon Redshift to Tableau’s data engine. This is valuable for dashboards with complex calculations (such as row-level string manipulations or heavy aggregations) where an extract can pre-materialize results, effectively baking in the logic before the user ever loads the view. By using extracts for these heavy workloads, you reduce the compute load on Amazon Redshift, lowering costs while delivering sub-second response times to end users.&lt;/p&gt; 
&lt;h3 id="right-sizing-your-extracts"&gt;Right-sizing your extracts&lt;/h3&gt; 
&lt;p&gt;To maximize efficiency, right-size your extracts for your dashboard’s specific needs:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Avoid the &lt;code&gt;SELECT *&lt;/code&gt; mentality.&lt;/li&gt; 
 &lt;li&gt;Use data source filters to limit rows.&lt;/li&gt; 
 &lt;li&gt;Hide unused fields to remove redundant columns.&lt;/li&gt; 
 &lt;li&gt;For higher-level analysis, aggregate your data during the extract process. For example, summarize daily transactions into monthly trends to significantly reduce file size and query time.&lt;/li&gt; 
 &lt;li&gt;Schedule refreshes during off-peak hours.&lt;/li&gt; 
 &lt;li&gt;Use incremental updates to add only new rows, minimizing Amazon Redshift RPU usage and network overhead.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Balance performance and cost by aligning your connection choice with business freshness requirements and data complexity. Monitor usage patterns to refine this balance over time.&lt;/p&gt; 
&lt;h3 id="star-schema-query-and-join-optimization"&gt;Star schema query and join optimization&lt;/h3&gt; 
&lt;p&gt;Optimize your star schema joins and queries to reduce execution time and compute costs by using Tableau Relationships. Relationships keep tables separate, allowing Tableau to automatically query only the necessary tables for the fields in the view. Relationships are more flexible and often perform better than joins because they don’t force a row-level merge on all fields.&lt;/p&gt; 
&lt;p&gt;Inefficient joins and poorly optimized queries force Amazon Redshift to scan unnecessary data, increasing both query execution time and compute costs.&lt;/p&gt; 
&lt;h3 id="query-optimization-best-practices"&gt;Query optimization best practices&lt;/h3&gt; 
&lt;p&gt;Avoid Custom SQL, which forces Tableau to wrap queries in complex sub-selects. Instead, connect directly to tables or views to let the database optimizer function effectively.&lt;/p&gt; 
&lt;p&gt;Define primary and foreign keys in your Amazon Redshift schema to allow Tableau to assume referential integrity.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Important&lt;/strong&gt;: Amazon Redshift does not enforce primary or foreign key constraints. They are informational only, and the query optimizer uses them to generate more efficient execution plans. You’re responsible for data integrity at the application or ETL layer. For more information, see &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/t_Defining_constraints.html" target="_blank" rel="noopener"&gt;Defining constraints&lt;/a&gt;. &lt;a href="https://help.tableau.com/current/pro/desktop/en-us/joins_assume_refinteg.htm#:~:text=When%20you%20use%20this%20option%2C%20Tableau%20will%20include%20the%20joined%20table%20in%20the%20query%20only%20if%20it%20is%20specifically%20referenced%20by%20fields%20in%20the%20view" target="_blank" rel="noopener"&gt;Assume Referential Integrity&lt;/a&gt; is a Tableau setting that tells the engine to trust defined key relationships without validating them at query time, reducing query complexity.&lt;/p&gt; 
&lt;p&gt;Use &lt;a href="https://docs.aws.amazon.com/redshift/latest/dg/materialized-view-overview.html" target="_blank" rel="noopener"&gt;Materialized Views&lt;/a&gt; to pre-compute heavy aggregations, which reduces execution time for frequently accessed data patterns. For example, create materialized views for common date-based aggregations or customer-level summaries.&lt;/p&gt; 
&lt;p&gt;Optimize Amazon Redshift Serverless by denormalizing data to minimize complex joins. After you apply these changes, use Tableau’s Performance Recorder to regularly validate your query speeds and identify bottlenecks.&lt;/p&gt; 
&lt;h2 id="cost-optimization-and-monitoring"&gt;Cost optimization and monitoring&lt;/h2&gt; 
&lt;p&gt;Amazon Redshift Serverless charges in RPU-hours on a per-second basis (60-second minimum), so you only pay for the workloads you run.&lt;/p&gt; 
&lt;p&gt;Optimizing query volumes and resource usage helps you control Amazon Redshift Serverless costs and maintain predictable spending. To help control compute costs, optimize Tableau queries before they reach Amazon Redshift by using Data Source Filters and ‘Hide All Unused Fields.’ This forces the generation of lean &lt;code&gt;SELECT&lt;/code&gt; statements that scan only the necessary rows and columns. Because Amazon Redshift Serverless scales resources based on workload, reducing data volume and complexity at the Tableau source layer can help lower RPU consumption and costs.&lt;/p&gt; 
&lt;p&gt;For more information, see &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-billing.html" target="_blank" rel="noopener"&gt;Amazon Redshift Serverless billing&lt;/a&gt;.&lt;/p&gt; 
&lt;h3 id="using-extracts-as-a-cost-buffer"&gt;Using extracts as a cost buffer&lt;/h3&gt; 
&lt;p&gt;Tableau Hyper Extracts act as a cost buffer for high-traffic dashboards. By extracting data into Tableau’s in-memory engine, database costs are typically incurred during scheduled refreshes rather than for every individual user interaction. For live connections, maximize Tableau’s caching architecture by setting server cache policies to “Refresh less often,” ensuring that repetitive dashboard views are served instantly from memory and avoid redundant, billable queries.&lt;/p&gt; 
&lt;h3 id="monitoring-and-alerting"&gt;Monitoring and alerting&lt;/h3&gt; 
&lt;p&gt;Monitor RPU usage patterns and set billing alerts to maintain cost control:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Combine query result caching with strategic scheduling for resource-intensive tasks.&lt;/li&gt; 
 &lt;li&gt;Use scaling event data and query patterns to define thresholds.&lt;/li&gt; 
 &lt;li&gt;Set up Amazon CloudWatch alarms for RPU consumption spikes.&lt;/li&gt; 
 &lt;li&gt;Review Amazon Redshift &lt;a href="https://aws.amazon.com/blogs/big-data/simplify-amazon-redshift-monitoring-using-the-new-unified-sys-views/" target="_blank" rel="noopener"&gt;query monitoring metrics&lt;/a&gt; weekly to identify optimization opportunities.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="clean-up"&gt;Clean up&lt;/h2&gt; 
&lt;p&gt;To avoid incurring ongoing charges, delete the resources you created while testing the configurations described in this post.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Delete the Amazon Redshift Serverless workgroup and namespace if they were created for testing.&lt;/li&gt; 
 &lt;li&gt;Remove any IAM roles, policies, and users created specifically for Tableau connectivity.&lt;/li&gt; 
 &lt;li&gt;Delete security groups configured for Tableau Server or Desktop IP access.&lt;/li&gt; 
 &lt;li&gt;Remove any materialized views, tables, or schemas created during testing.&lt;/li&gt; 
 &lt;li&gt;Cancel any scheduled Tableau extract refreshes connected to test workgroups.&lt;/li&gt; 
 &lt;li&gt;Delete Tableau data sources and workbooks that reference test environments.&lt;/li&gt; 
 &lt;li&gt;Remove any CloudWatch alarms or CloudTrail configurations set up for monitoring test resources.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;For more information about managing Amazon Redshift Serverless resources, see &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-billing.html" target="_blank" rel="noopener"&gt;Billing for Amazon Redshift Serverless&lt;/a&gt;.&lt;/p&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;This post covered key optimization strategies for Tableau and Amazon Redshift Serverless integration: data model architecture using Relationships, security configuration with native drivers and AWS IAM, performance optimization through extracts and smart configuration, cost management with RPU monitoring, and query optimization techniques.&lt;/p&gt; 
&lt;p&gt;As AI-driven optimization evolves, staying informed about Amazon Redshift AI features and best practices, including Tableau Pulse, is key. Regularly review your configuration, performance, and security to verify that your Tableau and Amazon Redshift Serverless integration remains secure, cost-effective, and high-performing.&lt;/p&gt; 
&lt;p&gt;Optimization is an ongoing, iterative process. To keep your environment optimized, regularly review your settings, monitor performance, and adapt as workload patterns evolve. This approach maintains a cost-effective analytics environment that scales with your organization.&lt;/p&gt; 
&lt;p&gt;Ready to build a secure, high-performance analytics solution that delivers both speed and cost efficiency? Visit the &lt;a href="https://www.salesforce.com/partners/aws/" target="_blank" rel="noopener"&gt;Salesforce and AWS partnership webpage&lt;/a&gt; to start scaling your insights today.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5096-1.jpeg" alt="Nidhi Nayak" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Nidhi Nayak&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/nidhi-nayak-51511b21/" target="_blank" rel="noopener"&gt;Nidhi&lt;/a&gt; is a Senior Technical Account Manager with AWS, she helps enterprise customers build scalable, high-performance cloud applications and optimize cloud operations. With over a decade of experience in Data Analytics, Nidhi currently focuses on Redshift &amp;amp; Generative AI integration with Redshift.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5096-2.png" alt="Nita Shah" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Nita Shah&lt;/h3&gt; 
  &lt;p&gt;Nita is a Sr.&amp;nbsp;Analytics Specialist Solutions Architect at AWS based out of New York. She has been building enterprise data platforms, data warehousing, and analytics solutions for over 20 years and specializes in Amazon Redshift. She is focused on helping customers design and build enterprise-scale well-architected analytics and decision support platforms&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5096-3.png" alt="Bill Tarr" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Bill Tarr&lt;/h3&gt; 
  &lt;p&gt;Bill is a Principal Partner Solutions Architect at AWS, specializing in Business Applications including Salesforce, MuleSoft, and agentic AI interoperability. From software builder to architect, he has 20+ years of experience shaping SaaS technology strategies from startup to enterprise. Bill has delivered 12+ sessions at AWS re:Invent and produced 71 episodes of “Building SaaS on AWS.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/24/BDB-5096-4.jpeg" alt="Adiascar Cisneros" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Adiascar Cisneros&lt;/h3&gt; 
  &lt;p&gt;Adiascar is a Tableau at Salesforce Sr.&amp;nbsp;Product Manager. Adiascar manages the Tableau technical relationship with Amazon Web Services, coordinating roadmap prioritization, connector improvements, customer events, and publications. Adiascar joined Tableau in 2018 and is based in Atlanta GA.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Implement multi-tenant search with Amazon OpenSearch Serverless next generation</title>
		<link>https://aws.amazon.com/blogs/big-data/implement-multi-tenant-search-with-amazon-opensearch-serverless-next-generation/</link>
		
		<dc:creator><![CDATA[Jon Handler]]></dc:creator>
		<pubDate>Wed, 24 Jun 2026 18:31:25 +0000</pubDate>
				<category><![CDATA[Amazon OpenSearch Service]]></category>
		<category><![CDATA[Analytics]]></category>
		<category><![CDATA[Best Practices]]></category>
		<guid isPermaLink="false">39ed7c607a44687725bf1a0506eba303c494e2f3</guid>

					<description>In this post, we show how the next-generation OpenSearch Serverless architecture makes the collection-per-tenant model practical for multi-tenant search.</description>
										<content:encoded>&lt;p&gt;&lt;em&gt;Learn how to implement cost-effective multi-tenant search using Amazon OpenSearch Serverless next-generation architecture with scale-to-zero compute and simplified routing through per-account, regional endpoints.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Building multi-tenant search architectures requires balancing data isolation with operational cost and complexity. In this post, we provide code examples for an implementation of multi-tenant search using a collection-per-tenant model with Amazon &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-collection-endpoints.html#serverless-per-account-endpoint" target="_blank" rel="noopener"&gt;OpenSearch Serverless per-account, regional endpoints&lt;/a&gt;. Collection-per-tenant provides data and workload isolation. The regional endpoint simplifies routing requests for indexing and searching data.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless.html" target="_blank" rel="noopener"&gt;Amazon OpenSearch Serverless&lt;/a&gt; is a serverless deployment option for &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service&lt;/a&gt; that simplifies infrastructure management, index tuning, and data lifecycle management. OpenSearch Serverless automatically provisions and scales resources to provide consistently fast data ingestion rates and millisecond query response times during changing usage patterns and application demand.&lt;/p&gt; 
&lt;h2 id="the-multi-tenant-search-problem"&gt;&lt;strong&gt;The multi-tenant search problem&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;In search workloads, a tenant is a logical unit of data and the queries against that data. An eCommerce site has product categories. Each category is a tenant. A blog-hosting platform has blogs. Each blog is a tenant. Tenants map to resources in different ways. In the siloed model, each tenant gets its own container: a domain, collection, or index. In the pooled model, tenants share a container. The hybrid model silos large tenants and pools smaller ones together. Regardless of model, you need a mapping between tenant identifiers and the containers that hold their data, so your application routes requests correctly.&lt;/p&gt; 
&lt;p&gt;OpenSearch Serverless classic offered a collection-per-tenant strategy that simplified, but did not remove, the need for maintaining a tenant-container mapping. In addition, the cost structure of maintaining collection-per-tenant in classic was not ideal. Classic shared hardware across collections with the same &lt;a href="https://aws.amazon.com/kms/" target="_blank" rel="noopener"&gt;AWS Key Management Service&lt;/a&gt; (AWS KMS) key. Tenants with different keys could not share hardware. The cost of the solution was the minimum monthly collection cost multiplied by the tenant count. Building for hundreds or thousands of tenants was cost-prohibitive. &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-collection-groups.html" target="_blank" rel="noopener"&gt;Collection groups&lt;/a&gt; improved this by allowing hardware sharing across AWS KMS keys, but compute costs were still driven by your indexed data, even during idle periods.&lt;/p&gt; 
&lt;p&gt;With the next-generation architecture, collection groups scale compute to zero. You pay for compute only when a tenant is actively indexing or searching (storage charges still apply). The addition of the regional endpoint further simplifies multi-tenant workloads by routing traffic to any collection through a single hostname. Together, scale-to-zero compute and the regional endpoint make the collection-per-tenant model both economically viable and operationally straightforward.&lt;/p&gt; 
&lt;h2 id="the-opensearch-serverless-per-account-endpoint"&gt;&lt;strong&gt;The OpenSearch Serverless per-account endpoint&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;OpenSearch Serverless next generation introduces a per-account, regional endpoint that serves all collections through a single hostname:&lt;/p&gt; 
&lt;pre class="text"&gt;&lt;code&gt;https://&amp;lt;account-id&amp;gt;.aoss.&amp;lt;region&amp;gt;.on.aws&lt;/code&gt;&lt;/pre&gt; 
&lt;p&gt;The &lt;code&gt;x-amz-aoss-collection-name&lt;/code&gt; or &lt;code&gt;x-amz-aoss-collection-id&lt;/code&gt; header identifies the target collection on each request. This means one connection pool, one TLS session, and one endpoint to manage regardless of how many collections you have.&lt;/p&gt; 
&lt;p&gt;From a client perspective, you create a single OpenSearch client pointed at the regional endpoint and route requests by setting a header:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;def get_opensearch_client(account_id: str, region: str) -&amp;gt; OpenSearch:
    """Create an OpenSearch client using the regional endpoint."""
    host = f"{account_id}.aoss.{region}.on.aws"
    auth = get_aws4auth(region)

    return OpenSearch(
        hosts=[{"host": host, "port": 443}],
        http_auth=auth,
        use_ssl=True,
        verify_certs=True,
        connection_class=RequestsHttpConnection,
        timeout=60,
    )&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Every subsequent request includes the routing header to target a specific collection:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;headers = {"x-amz-aoss-collection-name": collection_name}&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;This is a significant improvement over the classic architecture, where each collection had its own endpoint and you needed to manage separate connections for each.&lt;/p&gt; 
&lt;h2 id="collection-per-tenant-with-query-routing"&gt;&lt;strong&gt;Collection per tenant with query routing&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;The architecture is straightforward: one collection group holds all tenant collections, and the regional endpoint handles routing.&lt;/p&gt; 
&lt;h3 id="create-a-collection-group-with-scale-to-zero"&gt;&lt;strong&gt;Create a collection group with scale-to-zero&lt;/strong&gt;&lt;/h3&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;client.create_collection_group(
    name="amazon-pqa-cg",
    generation="NEXTGEN",
    standbyReplicas="ENABLED",
    capacityLimits={
        "minIndexingCapacityInOCU": 0,
        "maxIndexingCapacityInOCU": 8,
        "minSearchCapacityInOCU": 0,
        "maxSearchCapacityInOCU": 8,
    },
)&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;When you set &lt;code&gt;minIndexingCapacityInOCU&lt;/code&gt; and &lt;code&gt;minSearchCapacityInOCU&lt;/code&gt; to 0, OpenSearch Serverless scales down your compute to 0 OpenSearch Compute Units (OCUs) when they are idle for 10 minutes. You pay only for the storage for your indices. If you want to maintain compute and avoid cold starts, set &lt;code&gt;minIndexingCapacityInOCU&lt;/code&gt; or &lt;code&gt;minSearchCapacityInOCU&lt;/code&gt; to a value greater than 0.&lt;/p&gt; 
&lt;h3 id="create-one-collection-per-tenant"&gt;&lt;strong&gt;Create one collection per tenant&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;Each product category maps to its own collection within the group:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;client.create_collection(
    name=name,
    type="SEARCH",
    collectionGroupName=COLLECTION_GROUP_NAME,
)&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;When choosing a collection name for your tenants, consider privacy, name length, and future ease of upgrading your application. You can use a hash function to map tenant identifiers to collection names.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;import hashlib

def collection_name_for_tenant(tenant_id: str) -&amp;gt; str:
    """Generate an opaque collection name from a tenant identifier."""
    return hashlib.sha256(tenant_id.encode()).hexdigest()[:16]&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Collection names are visible in API calls and logs. If your tenant ID contains personally identifiable information (PII), that information is also visible in logs. Hashing the tenant ID obfuscates the sensitive information.&lt;/p&gt; 
&lt;p&gt;OpenSearch Serverless has a 64-character limit on collection names. Your tenant ID can be longer than that. Hashing helps stay within this limit.&lt;/p&gt; 
&lt;p&gt;You might also want to add a prefix to collection names so that you can use wildcard patterns in access policies. For example, naming collections &lt;code&gt;pqa-a1b2c3d4&lt;/code&gt; lets you write a single data access policy matching &lt;code&gt;collection/pqa-*&lt;/code&gt;. Including a version component in the name (such as &lt;code&gt;pqa-v2-a1b2c3d4&lt;/code&gt;) makes it straightforward to create new collections during schema migrations without disrupting existing tenants.&lt;/p&gt; 
&lt;h3 id="index-data-using-the-regional-endpoint"&gt;&lt;strong&gt;Index data using the regional endpoint&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;A single OpenSearch client handles all collections. The &lt;code&gt;x-amz-aoss-collection-name&lt;/code&gt; header routes each request to the correct collection:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;headers = {"x-amz-aoss-collection-name": collection_name}

# Build bulk request
action = {"index": {"_index": index_name, "_id": doc["question_id"]}}
batch.append(json.dumps(action))
batch.append(json.dumps(doc))

# Send bulk request routed to the target collection
body = "\n".join(batch) + "\n"
resp = os_client.bulk(body=body, headers=headers)&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h3 id="query-a-specific-tenants-data"&gt;&lt;strong&gt;Query a specific tenant’s data&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;Searching works the same way. Set the header to target the tenant’s collection:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;os_client = get_opensearch_client(account_id, region)
headers = {"x-amz-aoss-collection-name": collection_name}

query = {
    "size": 3,
    "query": {
        "match": {
            "question_text": "4k resolution hdmi"
        }
    },
}

resp = os_client.search(index="questions", body=query, headers=headers)&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;The application layer maps a tenant ID (in this case, a product category) to a collection name, and the regional endpoint handles the rest. No connection pool management, no endpoint lookups, no per-tenant client instances.&lt;/p&gt; 
&lt;h2 id="limitations"&gt;&lt;strong&gt;Limitations&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;There are practical constraints to consider when adopting this pattern.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Cold start latency.&lt;/strong&gt; When a collection group has scaled to zero compute, the first request takes approximately 10 seconds while capacity provisions. For latency-sensitive tenants, you can send a lightweight warmup query (such as a &lt;code&gt;match_all&lt;/code&gt; with &lt;code&gt;size=1&lt;/code&gt;) before production traffic arrives.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Collection group limits.&lt;/strong&gt; There are account-level limits on the number of collections and collection groups. Check the &lt;a href="https://docs.aws.amazon.com/general/latest/gr/opensearch-service.html#opensearch-limits-serverless" target="_blank" rel="noopener"&gt;Amazon OpenSearch Serverless quotas&lt;/a&gt; for current numbers if you are planning thousands of tenants.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Security policy size.&lt;/strong&gt; Encryption, network, and data access policies list collection resource patterns. Because tenant count grows, these policy documents grow linearly. Use wildcard patterns to stay within &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/ServerlessAPIReference/API_CreateSecurityPolicy.html" target="_blank" rel="noopener"&gt;OpenSearch Serverless policy size limits&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;No cross-collection queries.&lt;/strong&gt; Each search request targets exactly one collection. If you need to query across tenants for analytics or global search, you need an aggregation layer or a separate shared collection.&lt;/p&gt; 
&lt;h2 id="conclusion"&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;In this post, we showed how the next-generation OpenSearch Serverless architecture makes the collection-per-tenant model practical for multi-tenant search. Scale-to-zero reduces the minimum cost for inactive tenants, fitting the compute resources to the demands of tenants. The regional endpoint eliminates the operational complexity of managing per-tenant connections. You get full data isolation between tenants, independent scaling for each tenant’s workload, and a single endpoint to manage in your application code.&lt;/p&gt; 
&lt;p&gt;For more information, see the &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless.html" target="_blank" rel="noopener"&gt;Amazon OpenSearch Serverless documentation&lt;/a&gt;.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the author&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2024/08/06/handler-100.jpg" alt="Jon Handler" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Jon Handler&lt;/h3&gt; 
  &lt;p&gt;Jon is a Senior Principal Solutions Architect for Search Services at Amazon Web Services. Jon works closely with OpenSearch and Amazon OpenSearch Service, providing help and guidance to a broad range of customers who have search and log analytics workloads. Prior to joining AWS, Jon’s career as a software developer included four years of coding a large-scale, eCommerce search engine.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Multi-Region identity-based access to Amazon Redshift and S3 Tables</title>
		<link>https://aws.amazon.com/blogs/big-data/multi-region-identity-based-access-to-amazon-redshift-and-s3-tables/</link>
		
		<dc:creator><![CDATA[Maneesh Sharma]]></dc:creator>
		<pubDate>Wed, 24 Jun 2026 18:15:24 +0000</pubDate>
				<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[Amazon S3 Tables]]></category>
		<category><![CDATA[Analytics]]></category>
		<category><![CDATA[AWS IAM Identity Center]]></category>
		<guid isPermaLink="false">468c4ca47a18890658a5aab4026ed8ab9d9d1e22</guid>

					<description>In Part 1 of this series, we showed how to simplify enterprise data access using the Amazon Redshift integration with Amazon S3 Access Grants. In this post, we extend that solution across AWS Regions. We introduce a fictional company, AnyCompany Global, to illustrate how organizations with global operations can use AWS IAM Identity Center Multi-Region to set up consistent, identity-based access to Amazon Redshift and Amazon S3 Tables across Regions.</description>
										<content:encoded>&lt;p&gt;Organizations with lines of business operating across multiple AWS Regions increasingly run analytics workloads on globally distributed data. These organizations want to manage users and groups centrally, typically in the AWS Organizations management account and in a single Region, while still letting each line of business access data from the Region where its workloads run. Organizations should govern access based on the actual workforce user and their group memberships in the corporate directory.&lt;/p&gt; 
&lt;p&gt;With &lt;a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/multi-region-iam-identity-center.html" target="_blank" rel="noopener"&gt;multi-Region support for AWS IAM Identity Center&lt;/a&gt;, organizations can federate workforce identities into a single organization instance in their primary Region. After you replicate this instance to additional Regions, member accounts running services such as Amazon Redshift or Amazon Athena in those Regions can integrate with IAM Identity Center locally, to resolve the same centrally managed users and groups.&lt;/p&gt; 
&lt;p&gt;This solution uses &lt;a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html" target="_blank" rel="noopener"&gt;Trusted Identity Propagation (TIP)&lt;/a&gt;, a capability that passes a user’s Identity Center identity and group memberships through a chain of AWS services. With TIP, when a user authenticates through Identity Center, that identity context flows to downstream services like AWS Lake Formation and Amazon S3 Access Grants. With this approach, you get consistent, identity-based access control without additional AWS Identity and Access Management (IAM) role configurations.&lt;/p&gt; 
&lt;p&gt;In &lt;a href="https://aws.amazon.com/blogs/big-data/simplify-enterprise-data-access-using-the-amazon-redshift-integration-with-amazon-s3-access-grants/" target="_blank" rel="noopener"&gt;Part 1&lt;/a&gt; of this series, we showed how to simplify enterprise data access using the &lt;a href="https://aws.amazon.com/redshift/" target="_blank" rel="noopener"&gt;Amazon Redshift&lt;/a&gt; integration with &lt;a href="https://aws.amazon.com/s3/features/access-grants/" target="_blank" rel="noopener"&gt;Amazon S3 Access Grants&lt;/a&gt;. We demonstrated how to grant &lt;a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service&lt;/a&gt; (Amazon S3) permissions to &lt;a href="https://aws.amazon.com/iam/identity-center/" target="_blank" rel="noopener"&gt;AWS IAM Identity Center&lt;/a&gt; users and groups using S3 Access Grants, and tested the integration using a federated user to unload and load data between Amazon Redshift and Amazon S3 within a single AWS Region.&lt;/p&gt; 
&lt;p&gt;In this post, we extend that solution across AWS Regions. We introduce a fictional company, AnyCompany Global, to illustrate how organizations with global operations can use AWS IAM Identity Center Multi-Region to set up consistent, identity-based access to Amazon Redshift and Amazon S3 Tables across Regions.&lt;/p&gt; 
&lt;p&gt;Specifically, we demonstrate:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;How IAM Identity Center Multi-Region replicates identity data so that the same users and groups are available in each enabled Region.&lt;/li&gt; 
 &lt;li&gt;How AWS Lake Formation grants fine-grained table-level and column-level access to S3 Tables based on group membership.&lt;/li&gt; 
 &lt;li&gt;How S3 Access Grants controls UNLOAD/COPY operations to Amazon S3 based on the same identity.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;blockquote&gt;
 &lt;p&gt;We also show how to connect with your preferred SQL client.&lt;/p&gt;
&lt;/blockquote&gt; 
&lt;h2 id="fictional-scenario-anycompany-global"&gt;Fictional scenario: AnyCompany Global&lt;/h2&gt; 
&lt;p&gt;&lt;em&gt;AnyCompany Global&lt;/em&gt; is a retail analytics company with a centralized IT team and distributed analytics teams. They use the following personas:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Alice — IT administrator (manages IAM Identity Center and AWS accounts).&lt;/li&gt; 
 &lt;li&gt;Bob — platform engineer (sets up data infrastructure in us-west-2).&lt;/li&gt; 
 &lt;li&gt;Ethan — data analyst (member of the &lt;code&gt;awssso-sales&lt;/code&gt; group, queries data).&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;em&gt;AnyCompany Global&lt;/em&gt; has two AWS accounts:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Account A (us-east-1) — management account with IAM Identity Center.&lt;/li&gt; 
 &lt;li&gt;Account B (us-west-2) — analytics account with Amazon Redshift, Amazon S3, and the &lt;a href="https://docs.aws.amazon.com/glue/latest/dg/start-data-catalog.html" target="_blank" rel="noopener"&gt;AWS Glue Data Catalog&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The same IAM Identity Center user (Ethan) authenticates once and accesses data in Account B (us-west-2) using the same credentials and group memberships — you don’t need additional user provisioning because IAM Identity Center replicates identities to the secondary Region.&lt;/p&gt; 
&lt;h2 id="solution-overview"&gt;Solution overview&lt;/h2&gt; 
&lt;p&gt;The following diagram illustrates the multi-account, multi-Region architecture. Account A (us-east-1) hosts IAM Identity Center, which replicates identities to us-west-2 where Account B runs the analytics workloads.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-1.png" alt="Multi-account, multi-Region architecture diagram showing IAM Identity Center in us-east-1 replicating to us-west-2, where Amazon Redshift queries S3 Tables through Lake Formation and writes to Amazon S3 through S3 Access Grants" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 1: Multi-account, multi-Region architecture with S3 Access Grants, AWS Lake Formation, and IAM Identity Center.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;This solution demonstrates two complementary data access patterns, both controlled by the end user identity:&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Pattern&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Access method&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Permission controlled by&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Pattern A&lt;/td&gt; 
   &lt;td&gt;&lt;code&gt;SELECT&lt;/code&gt; on S3 table bucket through Amazon Redshift Spectrum&lt;/td&gt; 
   &lt;td&gt;Lake Formation&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Pattern B&lt;/td&gt; 
   &lt;td&gt;&lt;code&gt;UNLOAD&lt;/code&gt;/&lt;code&gt;COPY&lt;/code&gt; to and from Amazon S3&lt;/td&gt; 
   &lt;td&gt;S3 Access Grants&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;The solution workflow includes the following steps:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Ethan connects from Amazon Redshift Query Editor v2 in us-west-2 and authenticates via the IAM Identity Center endpoint (replicated to us-west-2) using his corporate IdP credentials.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Pattern A&lt;/strong&gt; (&lt;code&gt;SELECT&lt;/code&gt;): Amazon Redshift queries the Amazon S3 Tables catalog (&lt;code&gt;s3tablescatalog&lt;/code&gt;). Lake Formation evaluates Ethan’s IAM Identity Center group membership and grants access to the cataloged data.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Pattern B&lt;/strong&gt; (&lt;code&gt;UNLOAD&lt;/code&gt;/&lt;code&gt;COPY&lt;/code&gt;): Amazon Redshift requests temporary credentials from S3 Access Grants in us-west-2. S3 Access Grants evaluates the request, matches Ethan’s identity and group membership, and vends scoped temporary credentials for the authorized S3 location.&lt;/li&gt; 
 &lt;li&gt;Ethan runs &lt;code&gt;SELECT&lt;/code&gt; to query data through Lake Formation, and &lt;code&gt;UNLOAD&lt;/code&gt; to write data to Amazon S3 through S3 Access Grants. You don’t need an IAM role ARN in the commands.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="walkthrough"&gt;Walkthrough&lt;/h2&gt; 
&lt;p&gt;The following sections walk you through enabling IAM Identity Center Multi-Region, configuring Amazon S3 Tables with Lake Formation in the secondary Region, testing both access patterns, and verifying the result with AWS CloudTrail. Start with the prerequisites, then complete each step in order.&lt;/p&gt; 
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;/h2&gt; 
&lt;p&gt;You should have the following prerequisites already set up:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;AWS Organizations enabled with at least two AWS accounts – Centralized Account(Region 1) and Member Account(Region2)&lt;/li&gt; 
 &lt;li&gt;IAM Identity Center enabled in the management account (Account A, us-east-1) with a delegated administration account&lt;/li&gt; 
 &lt;li&gt;Corporate IdP integrated with IAM Identity Center (users and groups synced, for example, &lt;code&gt;awssso-sales&lt;/code&gt; and &lt;code&gt;awssso-finance&lt;/code&gt; groups).&lt;/li&gt; 
 &lt;li&gt;Resource sharing enabled in your organization with AWS Resource Access Manager (AWS RAM)&lt;/li&gt; 
 &lt;li&gt;Complete solution from &lt;a href="https://aws.amazon.com/blogs/big-data/simplify-enterprise-data-access-using-the-amazon-redshift-integration-with-amazon-s3-access-grants/" target="_blank" rel="noopener"&gt;&lt;em&gt;Part 1&lt;/em&gt;&lt;/a&gt; replicated in &lt;strong&gt;us-west-2&lt;/strong&gt; (Account B), including: 
  &lt;ul&gt; 
   &lt;li&gt;Amazon Redshift cluster (in us-west-2) with IAM Identity Center integration enabled (using the replicated Identity Center endpoint in us-west-2).&lt;/li&gt; 
   &lt;li&gt;S3 Access Grants instance configured with IAM Identity Center association&lt;/li&gt; 
   &lt;li&gt;Amazon S3 bucket (for example, &lt;code&gt;amzn-s3-demo-bucket-west&lt;/code&gt;) with folders for each group (for example, &lt;code&gt;awssso-sales/&lt;/code&gt;, &lt;code&gt;awssso-finance/&lt;/code&gt;).&lt;/li&gt; 
   &lt;li&gt;IAM role for S3 Access Grants (for example, &lt;code&gt;iamidcs3accessgrant&lt;/code&gt;) with trust policy and permissions policy.&lt;/li&gt; 
   &lt;li&gt;S3 Access Grants location registered and grant created for the &lt;code&gt;awssso-sales&lt;/code&gt; group.&lt;/li&gt; 
   &lt;li&gt;S3 Access Grants enabled on the Amazon Redshift managed application under Trusted identity propagation&lt;/li&gt; 
   &lt;li&gt;Cross-account resource sharing via AWS RAM (if Amazon Redshift and S3 Access Grants are in different accounts)&lt;/li&gt; 
   &lt;li&gt;Lake Formation enabled on the Amazon Redshift managed application under Trusted identity propagation&lt;/li&gt; 
   &lt;li&gt;Lake Formation and Glue permissions added to the IAM role used in the Amazon Redshift managed application (for example, &lt;code&gt;IAMIDCRedshiftRole&lt;/code&gt;). For the required permissions, see &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-idp-analytics-connecting-steps.html" target="_blank" rel="noopener"&gt;Querying data through AWS Lake Formation&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt; &lt;/li&gt; 
 &lt;li&gt;An AWS account with an IAM role that has administrative access (e.g., Admin role) &lt;a href="https://docs.aws.amazon.com/lake-formation/latest/dg/initial-lf-config.html#create-data-lake-admin" target="_blank" rel="noopener"&gt;configured as a &lt;strong&gt;Data Lake Admin&lt;/strong&gt; in Lake Formation&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Creating and using AWS resources in this tutorial incurs charges, including AWS Key Management Service (AWS KMS) keys, S3 table buckets, Amazon Redshift clusters, and Amazon S3 storage. See the cleanup section at the end of this post to avoid ongoing charges.&lt;/p&gt; 
&lt;h2 id="step-1-set-up-iam-identity-center-multi-region"&gt;Step 1: Set up IAM Identity Center Multi-Region&lt;/h2&gt; 
&lt;p&gt;Alice performs this step in the management account (Account A, us-east-1). IAM Identity Center uses encryption at rest for identity data. To enable multi-Region, you must first create a multi-Region customer-managed AWS Key Management Service (AWS KMS) key and replicate it to the additional Region.&lt;/p&gt; 
&lt;h3 id="create-a-multi-region-aws-kms-key"&gt;Create a multi-Region AWS KMS key&lt;/h3&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;On the AWS KMS console in &lt;strong&gt;us-east-1&lt;/strong&gt;, choose &lt;strong&gt;Create key&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Key type&lt;/strong&gt;, select &lt;strong&gt;Symmetric&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Key usage&lt;/strong&gt;, select &lt;strong&gt;Encrypt and decrypt&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Advanced options&lt;/strong&gt;, select &lt;strong&gt;Multi-Region key&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Provide an alias (for example, &lt;code&gt;idc-multi-region-key&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;Apply the AWS KMS key policy as documented in &lt;a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/baseline-KMS-key-policy.html" target="_blank" rel="noopener"&gt;Baseline KMS key policy&lt;/a&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h3 id="replicate-the-key-to-us-west-2"&gt;Replicate the key to us-west-2&lt;/h3&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;On the AWS KMS console in us-east-1, select the key you created.&lt;/li&gt; 
 &lt;li&gt;Choose the &lt;strong&gt;Regionality&lt;/strong&gt; tab.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Create new replica keys&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Select &lt;strong&gt;US West (Oregon) us-west-2&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Replicate key&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;For detailed instructions, see &lt;a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-replicate.html" target="_blank" rel="noopener"&gt;&lt;em&gt;Creating multi-Region replica keys&lt;/em&gt;&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-2.jpeg" alt="AWS KMS console Regionality tab showing the multi-Region replica key configured for an additional Region" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 2: Replica key configured for the additional Region.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="add-us-west-2-to-iam-identity-center"&gt;Add us-west-2 to IAM Identity Center&lt;/h3&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;On the IAM Identity Center console in us-east-1, in the navigation pane, choose &lt;strong&gt;Settings&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Add Region&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;From the Region list, select &lt;strong&gt;US West (Oregon) us-west-2&lt;/strong&gt;. The list shows Regions where you replicated the customer-managed AWS KMS key.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Add Region&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;A blue banner indicates that Identity Center is replicating your workforce identities, configuration, and metadata to the new Region. After the initial replication, the &lt;strong&gt;Replication Status&lt;/strong&gt; column changes to &lt;strong&gt;Replicated&lt;/strong&gt;. Your Identity Center endpoints in us-west-2 are now active.&lt;/p&gt; 
&lt;p&gt;For detailed instructions, see &lt;a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/multi-region-add-region.html" target="_blank" rel="noopener"&gt;&lt;em&gt;Add the Region in IAM Identity Center&lt;/em&gt;&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-3.jpeg" alt="IAM Identity Center Settings page with the multi-Region replica key added for us-west-2 and replication status set to Replicated" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 3: IAM Identity Center settings showing the multi-Region replica key added for us-west-2.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="update-your-idp-configuration-for-the-additional-region"&gt;Update your IdP configuration for the additional Region&lt;/h3&gt; 
&lt;p&gt;You’ve successfully replicated your Identity Center instance to the Oregon (us-west-2) Region. Your workforce identities are now available in that additional Region and can use the new AWS access portal endpoint.&lt;/p&gt; 
&lt;p&gt;To make sure AWS managed application (service provider-initiated) authentication redirect user to respective application, add the ACS URL for the additional Region so that the app contains both Regional ACS URLs.&lt;/p&gt; 
&lt;p&gt;In the following section highlighted in red, you can view all ACS URL information:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-4.png" alt="IAM Identity Center settings page with the View ACS URLs section highlighted in red" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 4: IAM Identity Center settings showing the View ACS URLs option.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Copy the respective ACS URL as shown in the following figure:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-5.png" alt="IAM Identity Center settings page listing the ACS URLs for both Regions" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 5: IAM Identity Center settings showing the ACS URLs for both Regions.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Use the following instructions to add the ACS URL for the additional Region in your Identity Center application in Okta:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Log in to the Okta portal as an Admin.&lt;/li&gt; 
 &lt;li&gt;Expand the Applications drop-down in the left pane, then choose &lt;strong&gt;Applications&lt;/strong&gt;&lt;/li&gt; 
 &lt;li&gt;Choose your Identity Center Application&lt;/li&gt; 
 &lt;li&gt;Select the &lt;strong&gt;Sign-on&lt;/strong&gt; tab and choose &lt;strong&gt;Edit&lt;/strong&gt; in the Settings windows.&lt;/li&gt; 
 &lt;li&gt;In the &lt;strong&gt;AWS SSO ACS URL1&lt;/strong&gt; box under &lt;strong&gt;Advanced Sign-on Settings&lt;/strong&gt; – add the additional ACS URL&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-6.png" alt="Okta application Sign-on tab with the AWS SSO ACS URL1 box configured for the IAM Identity Center application" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 6: Okta application for IAM Identity Center Sign-on tab to add ACS URLs.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="create-a-permission-set-for-the-secondary-region"&gt;Create a permission set for the secondary Region&lt;/h3&gt; 
&lt;p&gt;Create a permission set in the management account to grant federated users console access to Amazon Redshift Query Editor V2 in the secondary Region (us-west-2). For more information about permission sets, see &lt;a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html" target="_blank" rel="noopener"&gt;Permission sets&lt;/a&gt;.&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;In the management account, open the &lt;a href="https://console.aws.amazon.com/singlesignon/" target="_blank" rel="noopener"&gt;IAM Identity Center&lt;/a&gt; console.&lt;/li&gt; 
 &lt;li&gt;In the navigation pane, under &lt;strong&gt;Multi-Account permissions&lt;/strong&gt;, choose &lt;strong&gt;Permission sets&lt;/strong&gt; → &lt;strong&gt;Create permission set&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Custom permission set&lt;/strong&gt;, then choose &lt;strong&gt;Next&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;AWS managed policies&lt;/strong&gt;, select &lt;strong&gt;AmazonRedshiftQueryEditorV2ReadSharing&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Inline policy&lt;/strong&gt;, add the following policy: 
  &lt;div class="hide-language"&gt; 
   &lt;pre&gt;&lt;code class="language-json"&gt;{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeQev2IdcApplications",
        "redshift-serverless:ListNamespaces",
        "redshift-serverless:ListWorkgroups",
        "redshift-serverless:GetWorkgroup"
      ],
      "Resource": "*"
    }
  ]
}&lt;/code&gt;&lt;/pre&gt; 
  &lt;/div&gt; &lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Next&lt;/strong&gt;. Enter a permission set name (for example, &lt;code&gt;Redshift-QEV2-West&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Relay state&lt;/strong&gt;, set the default to the Query Editor V2 URL for the secondary Region: &lt;code&gt;https://us-west-2.console.aws.amazon.com/sqlworkbench/home&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Next&lt;/strong&gt;, then &lt;strong&gt;Create&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;After creation, assign this permission set to the relevant IAM Identity Center group (for example, &lt;code&gt;awssso-sales&lt;/code&gt;) for Account B (us-west-2).&lt;/p&gt; 
&lt;h2 id="step-2-set-up-amazon-s3-tables-integration-with-aws-glue-data-catalog-and-lake-formation-in-account-b-us-west-2"&gt;Step 2: Set up Amazon S3 Tables integration with AWS Glue Data Catalog and Lake Formation in Account B (us-west-2)&lt;/h2&gt; 
&lt;p&gt;In this step, the data lake administrator (Bob) sets up &lt;a href="https://docs.aws.amazon.com/lake-formation/latest/dg/create-s3-tables-catalog.html" target="_blank" rel="noopener"&gt;Amazon S3 Tables with Lake Formation&lt;/a&gt; for fine-grained access control. He completes the following tasks:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Create an S3 tables bucket.&lt;/li&gt; 
 &lt;li&gt;Enable S3 Tables integration with AWS Glue Data Catalog and Lake Formation.&lt;/li&gt; 
 &lt;li&gt;Register the table bucket with Lake Formation (removes default IAM-based access).&lt;/li&gt; 
 &lt;li&gt;Grant Lake Formation permissions to an IAM Identity Center group (&lt;code&gt;awssso-sales&lt;/code&gt;) so that only authorized users can query data through Trusted Identity Propagation.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h3 id="step-2.1-remove-default-lake-formation-permissions"&gt;Step 2.1: Remove default Lake Formation permissions&lt;/h3&gt; 
&lt;p&gt;Before creating S3 Tables resources, disable the default &lt;code&gt;IAMAllowedPrincipals&lt;/code&gt; grants that Lake Formation applies to new databases and tables. By default, Lake Formation grants &lt;code&gt;IAMAllowedPrincipals&lt;/code&gt; access to new resources, which means that standard IAM policies (rather than Lake Formation permissions) control access. For identity-based access through Trusted Identity Propagation, you need Lake Formation to be the sole arbiter of access.&lt;/p&gt; 
&lt;p&gt;The order matters. If you remove these defaults &lt;em&gt;before&lt;/em&gt; registering the S3 Tables resource, Lake Formation will not apply &lt;code&gt;IAMAllowedPrincipals&lt;/code&gt; to your S3 Tables catalog or its children. If you register the resource first, you need to manually revoke the &lt;code&gt;IAMAllowedPrincipals&lt;/code&gt; grants from each resource.&lt;/p&gt; 
&lt;h4 id="from-the-console"&gt;From the console&lt;/h4&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Open the Lake Formation console in your target Region (for example, &lt;code&gt;us-west-2&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;In the left navigation, choose Administration → Data Catalog settings.&lt;/li&gt; 
 &lt;li&gt;Uncheck both options: 
  &lt;ul&gt; 
   &lt;li&gt;Use only IAM access control for new databases&lt;/li&gt; 
   &lt;li&gt;Use only IAM access control for new tables in new databases&lt;/li&gt; 
  &lt;/ul&gt; &lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-7.png" alt="Lake Formation Data Catalog settings page with both default IAM access control options cleared" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 7: Lake Formation Data Catalog settings with default IAM access control disabled.&lt;/em&gt;&lt;/p&gt; 
&lt;h4 id="optional-verify-lake-formation-default-permissions-through-the-aws-cli"&gt;Optional: Verify Lake Formation default permissions through the AWS CLI&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws lakeformation get-data-lake-settings --region &amp;lt;REGION&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Confirm both &lt;code&gt;CreateDatabaseDefaultPermissions&lt;/code&gt; and &lt;code&gt;CreateTableDefaultPermissions&lt;/code&gt; are empty arrays (&lt;code&gt;[]&lt;/code&gt;).&lt;/p&gt; 
&lt;h4 id="add-awsserviceroleforredshift-as-a-read-only-admin"&gt;Add AWSServiceRoleForRedshift as a read-only admin&lt;/h4&gt; 
&lt;p&gt;If you plan to query S3 Tables from Amazon Redshift Query Editor V2, you must add the Amazon Redshift service-linked role as a &lt;strong&gt;Read-Only Admin&lt;/strong&gt; in Lake Formation. Complete the following steps:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;In the Lake Formation console, go to &lt;strong&gt;Administration&lt;/strong&gt; → &lt;strong&gt;Administrative roles and tasks&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Data lake administrators&lt;/strong&gt;, choose &lt;strong&gt;Add&lt;/strong&gt;. Choose &lt;strong&gt;Read only administrator&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;From the menu, choose &lt;code&gt;AWSServiceRoleForRedshift&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Confirm&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;em&gt;Important: Without this, Amazon Redshift Query Editor V2 doesn’t display external databases from &lt;code&gt;s3tablescatalog&lt;/code&gt;. The Amazon Redshift service-linked role needs read-only admin access to browse the Data Catalog on behalf of users.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="step-2.2-create-the-lake-formation-data-access-role-for-s3-tables"&gt;Step 2.2: Create the Lake Formation data access role for S3 Tables&lt;/h3&gt; 
&lt;p&gt;Create an IAM role that Lake Formation assumes to generate temporary, scoped credentials on behalf of users requesting access to S3 Tables data. Lake Formation uses this role (instead of its service-linked role) because Trusted Identity Propagation requires &lt;code&gt;sts:SetContext&lt;/code&gt; in the trust policy, which is not available on the service-linked role. Without a custom role with this permission, Lake Formation cannot propagate the user’s IAM Identity Center identity when accessing S3 Tables.&lt;/p&gt; 
&lt;h4 id="create-the-role-with-the-trust-policy"&gt;Create the role with the trust policy&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws iam create-role \
    --role-name LFAccessRole-S3Tables \
    --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": "lakeformation.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetSourceIdentity",
                "sts:SetContext"
            ]
        }]
    }'&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="attach-the-s3-tables-permissions-policy"&gt;Attach the S3 Tables permissions policy&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws iam put-role-policy \
    --role-name LFAccessRole-S3Tables \
    --policy-name S3TablesDataAccess \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LakeFormationPermissionsForS3ListTableBucket",
                "Effect": "Allow",
                "Action": ["s3tables:ListTableBuckets"],
                "Resource": ["*"]
            },
            {
                "Sid": "LakeFormationDataAccessPermissionsForS3TableBucket",
                "Effect": "Allow",
                "Action": [
                    "s3tables:CreateTableBucket",
                    "s3tables:GetTableBucket",
                    "s3tables:CreateNamespace",
                    "s3tables:GetNamespace",
                    "s3tables:ListNamespaces",
                    "s3tables:DeleteNamespace",
                    "s3tables:DeleteTableBucket",
                    "s3tables:CreateTable",
                    "s3tables:DeleteTable",
                    "s3tables:GetTable",
                    "s3tables:ListTables",
                    "s3tables:RenameTable",
                    "s3tables:UpdateTableMetadataLocation",
                    "s3tables:GetTableMetadataLocation",
                    "s3tables:GetTableData",
                    "s3tables:PutTableData"
                ],
                "Resource": ["arn:aws:s3tables:&amp;lt;REGION&amp;gt;:&amp;lt;ACCOUNT_ID&amp;gt;:bucket/*"]
            }
        ]
    }'&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h3 id="step-2.3-register-s3-tables-with-lake-formation"&gt;Step 2.3: Register S3 Tables with Lake Formation&lt;/h3&gt; 
&lt;p&gt;Register the S3 Tables resource with Lake Formation using the data access role. This step lets Lake Formation manage access to S3 Tables through the Data Catalog and creates the &lt;code&gt;s3tablescatalog&lt;/code&gt; federated catalog automatically.&lt;/p&gt; 
&lt;p&gt;Open the Lake Formation console and complete the following steps:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Catalogs&lt;/strong&gt; in the navigation pane and choose &lt;strong&gt;Enable S3 Table integration&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-8.png" alt="Lake Formation Catalogs page with the Enable S3 Table integration option highlighted" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 8: Lake Formation Catalogs page with the Enable S3 Table integration option.&lt;/em&gt;&lt;/p&gt; 
&lt;ol start="2" type="1"&gt; 
 &lt;li&gt;Select the IAM role and select &lt;strong&gt;Allow external engines to access data in Amazon S3 locations with full table access&lt;/strong&gt;. Choose &lt;strong&gt;Enable&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-9.png" alt="Enable S3 Table integration dialog with the IAM role selected and the Allow external engines option enabled" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 9: Enable S3 Table integration dialog with the IAM role and external-engine access configured.&lt;/em&gt;&lt;/p&gt; 
&lt;h4 id="alternative-register-through-the-aws-cli"&gt;Alternative: Register through the AWS CLI&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws lakeformation register-resource \
    --resource-arn "arn:aws:s3tables:&amp;lt;REGION&amp;gt;:&amp;lt;ACCOUNT_ID&amp;gt;:bucket/*" \
    --role-arn "arn:aws:iam::&amp;lt;ACCOUNT_ID&amp;gt;:role/LFAccessRole-S3Tables" \
    --with-federation \
    --region &amp;lt;REGION&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;&lt;em&gt;Important: Verify that the &lt;code&gt;--role-arn&lt;/code&gt; matches the exact ARN of the role created in Step 2.2 (including the path). A mismatch (e.g., &lt;code&gt;role/service-role/LFAccessRole-S3Tables&lt;/code&gt; vs &lt;code&gt;role/LFAccessRole-S3Tables&lt;/code&gt;) will cause credential vending failures later.&lt;/em&gt;&lt;/p&gt; 
&lt;h4 id="optional-verify-the-registration"&gt;Optional: Verify the registration&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws lakeformation list-resources --region &amp;lt;REGION&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Confirm the S3 Tables entry shows &lt;code&gt;WithFederation: true&lt;/code&gt; and the correct role ARN.&lt;/p&gt; 
&lt;h3 id="step-2.4-create-the-s3-table-bucket-and-namespace"&gt;Step 2.4: Create the S3 table bucket and namespace&lt;/h3&gt; 
&lt;p&gt;Create an &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets-create.html" target="_blank" rel="noopener"&gt;S3 table bucket&lt;/a&gt; and a &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-namespace-create.html" target="_blank" rel="noopener"&gt;namespace&lt;/a&gt;. Complete the following steps on the Amazon S3 console:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;In the navigation pane, choose &lt;strong&gt;Table buckets&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Create table bucket&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;On the next page, enter the bucket name as &lt;code&gt;&amp;lt;TABLE_BUCKET_NAME&amp;gt;&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Keep the other options as default and choose &lt;strong&gt;Create table bucket&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;After you create it, the AWS Management Console redirects you to the list of table buckets. Choose the table bucket &lt;code&gt;&amp;lt;TABLE_BUCKET_NAME&amp;gt;&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Create table with Athena&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Create a namespace in S3 Tables (equivalent to a database in AWS Glue Data Catalog). Enter the namespace (database) name as &lt;code&gt;&amp;lt;NAMESPACE_NAME&amp;gt;&lt;/code&gt; and choose &lt;strong&gt;Create namespace&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;blockquote&gt;
 &lt;p&gt;You can also perform these steps using the AWS Command Line Interface (AWS CLI). Refer to &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets-create.html#:~:text=the%20S3%20console-,Using%20the%20AWS%20CLI,-View%20related%20pages" target="_blank" rel="noopener"&gt;Creating a table bucket using the AWS CLI&lt;/a&gt; for equivalent commands.&lt;/p&gt;
&lt;/blockquote&gt; 
&lt;h3 id="step-2.5-grant-admin-role-access"&gt;Step 2.5: Grant admin role access&lt;/h3&gt; 
&lt;p&gt;After you remove default permissions, you need to give your Admin role explicit Lake Formation permissions to create tables. Because your Admin role is a Data Lake Admin, you can already see &lt;code&gt;s3tablescatalog&lt;/code&gt; in the Amazon Athena console, but creating tables requires an explicit grant.&lt;/p&gt; 
&lt;h4 id="from-the-console-1"&gt;From the console&lt;/h4&gt; 
&lt;ul&gt; 
 &lt;li&gt;Open the Lake Formation console in your Region.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Data permissions&lt;/strong&gt; → &lt;strong&gt;Grant&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Principals&lt;/strong&gt;, select &lt;strong&gt;IAM users and roles&lt;/strong&gt; and choose your Admin role.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;LF-Tags or catalog resources&lt;/strong&gt;, select &lt;strong&gt;Named Data Catalog resources&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Catalogs&lt;/strong&gt;, choose &lt;code&gt;&amp;lt;Account ID&amp;gt;:s3tablescatalog/&amp;lt;Table_Bucket_Name&amp;gt;&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Databases&lt;/strong&gt;, select your database (for example, &lt;code&gt;customer_ns_db&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;Select &lt;strong&gt;Super&lt;/strong&gt; for &lt;strong&gt;Database permissions&lt;/strong&gt; and &lt;strong&gt;Grantable permissions&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Grant&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;After this grant, you can create and insert data into tables from the Athena console.&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Note: Your Admin role must be a Data Lake Admin (configured in Step 2.1) to browse &lt;code&gt;s3tablescatalog&lt;/code&gt; in Athena. You need the explicit database grant for write operations (&lt;code&gt;CREATE TABLE&lt;/code&gt;, &lt;code&gt;INSERT&lt;/code&gt;).&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="step-2.6-create-a-table-from-the-athena-console"&gt;Step 2.6: Create a table from the Athena console&lt;/h3&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Open the Amazon Athena console in your Region.&lt;/li&gt; 
 &lt;li&gt;In the &lt;strong&gt;Data source&lt;/strong&gt; menu, select &lt;strong&gt;AwsDataCatalog&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Catalog&lt;/strong&gt;, choose &lt;code&gt;s3tablescatalog/&amp;lt;Table_Bucket_Name&amp;gt;&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;For Database, choose your namespace.&lt;/li&gt; 
 &lt;li&gt;Run a &lt;code&gt;CREATE TABLE&lt;/code&gt; statement. For example:&lt;/li&gt; 
&lt;/ol&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;CREATE TABLE &amp;lt;NAMESPACE_NAME&amp;gt;.&amp;lt;TABLE_NAME&amp;gt; (
    customer_id int,
    first_name string,
    last_name string,
    region string,
    membership_tier string
)
TBLPROPERTIES ('table_type' = 'ICEBERG');

INSERT INTO &amp;lt;NAMESPACE_NAME&amp;gt;.&amp;lt;TABLE_NAME&amp;gt; VALUES
  (1, 'Joyce', 'Deaton', 'West', 'Gold'),
  (2, 'Daniel', 'Dow', 'East', 'Silver'),
  (3, 'Marie', 'Lange', 'West', 'Gold'),
  (4, 'Wesley', 'Harris', 'East', 'Bronze'),
  (5, 'Jerry', 'Tracy', 'West', 'Silver');&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h3 id="step-2.7-grant-permissions-to-the-iam-identity-center-group"&gt;Step 2.7: Grant permissions to the IAM Identity Center group&lt;/h3&gt; 
&lt;p&gt;Give your IAM Identity Center group access to query tables. This step enables Trusted Identity Propagation (TIP) for this group. When users in the group access data through TIP-integrated services like Amazon Redshift, Lake Formation evaluates their IAM Identity Center group membership and enforces table-level and column-level permissions accordingly.&lt;/p&gt; 
&lt;h4 id="from-the-console-2"&gt;From the console&lt;/h4&gt; 
&lt;p&gt;&lt;strong&gt;Grant DESCRIBE on the database:&lt;/strong&gt;&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Open the Lake Formation console in your Region.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Data permissions&lt;/strong&gt; → &lt;strong&gt;Grant&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Principals&lt;/strong&gt;, select &lt;strong&gt;IAM Identity Center&lt;/strong&gt; and choose your IAM Identity Center group (for example, &lt;code&gt;awssso-sales&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;LF-Tags or catalog resources&lt;/strong&gt;, select &lt;strong&gt;Named Data Catalog resources&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Catalogs&lt;/strong&gt;, choose &lt;code&gt;&amp;lt;Account ID&amp;gt;:s3tablescatalog/&amp;lt;Table_Bucket_Name&amp;gt;&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Databases&lt;/strong&gt;, select your database (for example, &lt;code&gt;customer_ns_db&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Database permissions&lt;/strong&gt;, select &lt;strong&gt;Describe&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Grant&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;strong&gt;Grant SELECT and DESCRIBE on tables:&lt;/strong&gt;&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Data permissions&lt;/strong&gt; → &lt;strong&gt;Grant&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Principals&lt;/strong&gt;, select &lt;strong&gt;IAM Identity Center&lt;/strong&gt; and choose your IAM Identity Center group (for example, &lt;code&gt;awssso-sales&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;LF-Tags or catalog resources&lt;/strong&gt;, select &lt;strong&gt;Named Data Catalog resources&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Catalogs&lt;/strong&gt;, choose &lt;code&gt;&amp;lt;Account ID&amp;gt;:s3tablescatalog/&amp;lt;Table_Bucket_Name&amp;gt;&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Databases&lt;/strong&gt;, select your database (for example, &lt;code&gt;customer_ns_db&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Tables&lt;/strong&gt;, select &lt;strong&gt;All tables&lt;/strong&gt; (or a specific table).&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Table permissions&lt;/strong&gt;, select &lt;strong&gt;Select&lt;/strong&gt; and &lt;strong&gt;Describe&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Grant&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;em&gt;Tip: You can also configure column-level or row-level permissions for fine-grained access control. When granting on a specific table, additional options for &lt;strong&gt;Column permissions&lt;/strong&gt; and &lt;strong&gt;Data filters&lt;/strong&gt; become available.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="step-2.8-optional-verify-the-lake-formation-permissions"&gt;Step 2.8: Optional: Verify the Lake Formation permissions&lt;/h3&gt; 
&lt;h4 id="confirm-database-level-permissions"&gt;Confirm database-level permissions&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws lakeformation list-permissions \
    --resource '{"Database": {"CatalogId": "&amp;lt;ACCOUNT_ID&amp;gt;:s3tablescatalog/&amp;lt;TABLE_BUCKET_NAME&amp;gt;", "Name": "&amp;lt;NAMESPACE_NAME&amp;gt;"}}' \
    --region &amp;lt;REGION&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="confirm-table-level-permissions"&gt;Confirm table-level permissions&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws lakeformation list-permissions \
    --resource '{"Table": {"CatalogId": "&amp;lt;ACCOUNT_ID&amp;gt;:s3tablescatalog/&amp;lt;TABLE_BUCKET_NAME&amp;gt;", "DatabaseName": "&amp;lt;NAMESPACE_NAME&amp;gt;", "TableWildcard": {}}}' \
    --region &amp;lt;REGION&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;You should see:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Your Admin role with &lt;code&gt;ALL&lt;/code&gt; permissions at the database level.&lt;/li&gt; 
 &lt;li&gt;Your IAM Identity Center group with &lt;code&gt;DESCRIBE&lt;/code&gt; permissions at the database level.&lt;/li&gt; 
 &lt;li&gt;Your IAM Identity Center group with &lt;code&gt;DESCRIBE&lt;/code&gt; on &lt;code&gt;ALL_TABLES&lt;/code&gt; and &lt;code&gt;SELECT&lt;/code&gt; on &lt;code&gt;ALL_TABLES&lt;/code&gt; (with &lt;code&gt;ColumnWildcard&lt;/code&gt;) at the table level.&lt;/li&gt; 
 &lt;li&gt;No &lt;code&gt;IAM_ALLOWED_PRINCIPALS&lt;/code&gt; entries.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="step-2.9-create-amazon-redshift-tables-and-grant-permissions"&gt;Step 2.9: Create Amazon Redshift tables and grant permissions&lt;/h3&gt; 
&lt;p&gt;Connect to the Amazon Redshift cluster in us-west-2 as an admin user and create Redshift local tables. Grant permissions on those local resources to IAM Identity Center groups.&lt;/p&gt; 
&lt;h4 id="create-a-schema-and-table"&gt;Create a schema and table&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;CREATE SCHEMA IF NOT EXISTS sales_schema;

CREATE TABLE IF NOT EXISTS
sales_schema.store_sales (
  customer_id INTEGER ENCODE az64,
  product VARCHAR(50),
  sales_amount INTEGER ENCODE az64
)
DISTSTYLE AUTO;

-- Insert sample data
INSERT INTO sales_schema.store_sales VALUES
  (1, 'Laptop', 1200),
  (2, 'Phone', 800),
  (3, 'Tablet', 450),
  (4, 'Monitor', 350),
  (5, 'Keyboard', 120);&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h4 id="grant-permissions-to-the-iam-identity-center-group"&gt;Grant permissions to the IAM Identity Center group&lt;/h4&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;GRANT USAGE ON SCHEMA sales_schema TO ROLE "awsidc:awssso-sales";
GRANT SELECT, INSERT FOR TABLES IN SCHEMA sales_schema TO ROLE "awsidc:awssso-sales";

-- Grant access to the S3 Tables external database in Redshift (for Lake Formation queries on customer profiles)
GRANT USAGE ON DATABASE "customers3tables@s3tablescatalog" TO ROLE "awsidc:awssso-sales";&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;h2 id="step-3-test-the-solution"&gt;Step 3: Test the solution&lt;/h2&gt; 
&lt;p&gt;In the management account, navigate to the &lt;strong&gt;IAM Identity Center console&lt;/strong&gt; and copy the &lt;strong&gt;AWS access portal URL&lt;/strong&gt; (for example, &lt;code&gt;https://d-1234560789.awsapps.com/start&lt;/code&gt;) from the dashboard.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Log out from the management account and paste the AWS access portal URL in a new browser window.&lt;/li&gt; 
 &lt;li&gt;A pop-up redirects you to your IdP login page. Enter Ethan’s IdP credentials.&lt;/li&gt; 
 &lt;li&gt;After successful authentication, you’re logged into the AWS console as a federated user. Select the QEV2 permission set for the secondary Region (us-west-2).&lt;/li&gt; 
 &lt;li&gt;In Query Editor V2, open the context (right-click) menu on your Amazon Redshift instance, choose &lt;strong&gt;Create connection&lt;/strong&gt;, and for &lt;strong&gt;Authentication&lt;/strong&gt;, select &lt;strong&gt;IAM Identity Center&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Because your IdP credentials are already cached, the browser reuses them automatically. You’re now connected to Amazon Redshift.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="pattern-a-query-the-s3-table-catalog-using-lake-formation-permissions"&gt;Pattern A: Query the S3 table catalog using Lake Formation permissions&lt;/h3&gt; 
&lt;p&gt;Query the customer profile data through &lt;code&gt;s3tablescatalog&lt;/code&gt;. Lake Formation enforces access based on Ethan’s IAM Identity Center group membership:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;SELECT *
FROM "customers3tables@s3tablescatalog"."customer_ns_db"."customer_profiles";&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-10.png" alt="Amazon Redshift Query Editor V2 results pane displaying customer profile rows returned from the s3tablescatalog through Lake Formation" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 10: Query results from &lt;code&gt;s3tablescatalog&lt;/code&gt; returned through Lake Formation in Amazon Redshift Query Editor V2.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;This query reads customer profile data from Amazon S3 through Amazon Redshift Spectrum, with Lake Formation controlling who can access which tables and columns.&lt;/p&gt; 
&lt;h3 id="pattern-b-unload-data-to-amazon-s3-using-s3-access-grants"&gt;Pattern B: Unload data to Amazon S3 using S3 Access Grants&lt;/h3&gt; 
&lt;p&gt;Run the &lt;code&gt;UNLOAD&lt;/code&gt; command to write data from Amazon Redshift to the S3 bucket:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;UNLOAD ('SELECT * FROM "dev"."sales_schema"."store_sales"')
TO 's3://west-idc-amzn-s3-demo-bucket/awssso-sales/';&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;You don’t need an IAM role ARN in the command. S3 Access Grants handles authorization based on Ethan’s IAM Identity Center identity and group membership, propagated across Regions using IAM Identity Center Multi-Region support.&lt;/p&gt; 
&lt;h3 id="verify-the-data-in-amazon-s3"&gt;Verify the data in Amazon S3&lt;/h3&gt; 
&lt;p&gt;On the Amazon S3 console, navigate to &lt;code&gt;s3://west-idc-amzn-s3-demo-bucket/awssso-sales/&lt;/code&gt; and verify that the unloaded data files are present.&lt;/p&gt; 
&lt;h3 id="join-lake-formation-data-with-locally-loaded-amazon-redshift-data"&gt;Join Lake Formation data with locally loaded Amazon Redshift data&lt;/h3&gt; 
&lt;p&gt;Combine customer profile data (queried via Lake Formation) with sales data (loaded via S3 Access Grants) using the shared &lt;code&gt;customer_id&lt;/code&gt; column:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;SELECT c.first_name, c.last_name, c.membership_tier,
  s.product, s.sales_amount
FROM "customers3tables@s3tablescatalog"."customer_ns_db"."customer_profiles" c
JOIN  dev.sales_schema.store_sales s ON c.customer_id = s.customer_id
ORDER BY s.sales_amount DESC;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-11.png" alt="Amazon Redshift Query Editor V2 results joining S3 Tables customer profiles with the local store_sales table" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 11: Joined results from S3 Tables and Amazon Redshift local data, ordered by sales amount.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;This shows that you can join S3 Tables data with Amazon Redshift using the same IAM Identity Center identity.&lt;/p&gt; 
&lt;h3 id="verify-access-control"&gt;Verify access control&lt;/h3&gt; 
&lt;p&gt;To confirm that S3 Access Grants is enforcing access, try accessing a folder Ethan does not have a grant for:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-sql"&gt;UNLOAD ('SELECT * FROM "dev"."sales_schema"."store_sales"')
TO 's3://west-idc-amzn-s3-demo-bucket/awssso-finance/';&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;This should return an access denied error, confirming that S3 Access Grants is controlling access based on the user’s identity and group membership.&lt;/p&gt; 
&lt;h2 id="step-4-verify-with-aws-cloudtrail"&gt;Step 4: Verify with AWS CloudTrail&lt;/h2&gt; 
&lt;p&gt;You can verify that Amazon Redshift used both S3 Access Grants and Lake Formation for authorization by checking AWS CloudTrail:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;On the CloudTrail console, choose &lt;strong&gt;Event history&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Filter by &lt;strong&gt;Event source&lt;/strong&gt;: &lt;code&gt;s3.amazonaws.com&lt;/code&gt;. Look for &lt;code&gt;GetDataAccess&lt;/code&gt; events (S3 Access Grants).&lt;/li&gt; 
 &lt;li&gt;Filter by &lt;strong&gt;Event source&lt;/strong&gt;: &lt;code&gt;lakeformation.amazonaws.com&lt;/code&gt;. Look for &lt;code&gt;GetDataAccess&lt;/code&gt; events (Lake Formation).&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Both event types show Ethan’s IAM Identity Center user identity, confirming trusted identity propagation works end-to-end for both access patterns.&lt;/p&gt; 
&lt;h2 id="other-related-integration-guides"&gt;Other related integration guides&lt;/h2&gt; 
&lt;p&gt;The following table lists related blog posts and integration guides covering additional identity-based access patterns with Amazon Redshift. Although many of these were written for single-Region deployments, you can extend them to multi-Region environments by first enabling IAM Identity Center Multi-Region as described in Step 1 of this post. Use the table to find the guide that matches your identity provider and tooling:&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Integration / use case&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Identity provider&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;What it covers&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Blog link&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Amazon Redshift federated permissions&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;Any&lt;/td&gt; 
   &lt;td&gt;Centralize permission management across multiple Amazon Redshift clusters within a Region using IAM Identity Center-linked database roles.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/simplify-multi-warehouse-data-governance-with-amazon-redshift-federated-permissions/" target="_blank" rel="noopener"&gt;Simplify multi-warehouse data governance with Amazon Redshift federated permissions&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Amazon Redshift Query Editor V2, DbVisualizer, DBeaver&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;Any&lt;/td&gt; 
   &lt;td&gt;Foundational Amazon Redshift and IAM Identity Center setup, role-based access control (RBAC), JDBC single sign-on (SSO) with PKCE.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/integrate-identity-provider-idp-with-amazon-redshift-query-editor-v2-and-sql-client-using-aws-iam-identity-center-for-seamless-single-sign-on/" target="_blank" rel="noopener"&gt;Integrate IdP with Query Editor V2 and SQL client&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Amazon Redshift and S3 Access Grants&lt;/strong&gt; (single Region and cross-account)&lt;/td&gt; 
   &lt;td&gt;Any&lt;/td&gt; 
   &lt;td&gt;Amazon S3 data access through &lt;code&gt;UNLOAD&lt;/code&gt;/&lt;code&gt;LOAD&lt;/code&gt; with identity-based permissions.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/simplify-enterprise-data-access-using-the-amazon-redshift-integration-with-amazon-s3-access-grants/" target="_blank" rel="noopener"&gt;Simplify data access with S3 Access Grants&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Amazon SageMaker Unified Studio with Athena and Amazon Redshift&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;Any&lt;/td&gt; 
   &lt;td&gt;SQL analytics with Lake Formation governance.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/configure-seamless-single-sign-on-with-sql-analytics-in-amazon-sagemaker-unified-studio/" target="_blank" rel="noopener"&gt;Configure SSO with SageMaker Unified Studio&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Amazon QuickSight with Lake Formation&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;Any&lt;/td&gt; 
   &lt;td&gt;Cross-account Glue Data Catalog, business intelligence dashboards.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/set-up-cross-account-aws-glue-data-catalog-access-using-aws-lake-formation-and-aws-iam-identity-center-with-amazon-redshift-and-amazon-quicksight/" target="_blank" rel="noopener"&gt;Cross-account Glue and Lake Formation&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Tableau&lt;/strong&gt; (Desktop, Server, Prep)&lt;/td&gt; 
   &lt;td&gt;Okta&lt;/td&gt; 
   &lt;td&gt;TTI plus OIDC setup, Tableau OAuth XML configuration.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/integrate-tableau-and-okta-with-amazon-redshift-using-aws-iam-identity-center/" target="_blank" rel="noopener"&gt;Integrate Tableau with Okta&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Tableau&lt;/strong&gt; (Desktop, Server, Prep)&lt;/td&gt; 
   &lt;td&gt;PingFederate&lt;/td&gt; 
   &lt;td&gt;TTI plus OIDC setup, JWT access token manager.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/integrate-tableau-and-pingfederate-with-amazon-redshift-using-aws-iam-identity-center/" target="_blank" rel="noopener"&gt;Integrate Tableau with PingFederate&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Tableau&lt;/strong&gt; (Desktop, Server, Prep)&lt;/td&gt; 
   &lt;td&gt;Microsoft Entra ID&lt;/td&gt; 
   &lt;td&gt;TTI plus OIDC setup, Entra app registration.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/integrate-tableau-and-microsoft-entra-id-with-amazon-redshift-using-aws-iam-identity-center/" target="_blank" rel="noopener"&gt;Integrate Tableau with Entra ID&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;ThoughtSpot&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;Okta / Microsoft Entra ID&lt;/td&gt; 
   &lt;td&gt;Native OIDC integration, supports both IdPs.&lt;/td&gt; 
   &lt;td&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/integrate-thoughtspot-with-amazon-redshift-using-aws-iam-identity-center/" target="_blank" rel="noopener"&gt;Integrate ThoughtSpot&lt;/a&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;h2 id="key-considerations"&gt;Key considerations&lt;/h2&gt; 
&lt;p&gt;When implementing this multi-Region architecture, keep the following operational and configuration considerations in mind. These reflect common challenges and design decisions encountered during deployment:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;IAM Identity Center Multi-Region&lt;/strong&gt; requires a customer-managed multi-Region AWS KMS key replicated to each additional Region before you can add the Region to Identity Center.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;S3 Access Grants instances are regional.&lt;/strong&gt; You need a separate instance in each Region where your users access data. A bucket must be in the same Region as the Access Grants instance that manages it.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;IAM Identity Center Multi-Region&lt;/strong&gt; provides the same user and group identities across Regions, so you can use the same group IDs in grants across Regions.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;You must register Lake Formation data locations with a customer-managed role that includes &lt;code&gt;sts:SetContext&lt;/code&gt; in its trust policy.&lt;/strong&gt; For S3 Tables, use &lt;code&gt;aws lakeformation register-resource&lt;/code&gt; with the &lt;code&gt;--with-federation&lt;/code&gt; flag and the resource ARN format &lt;code&gt;arn:aws:s3tables:&amp;lt;REGION&amp;gt;:&amp;lt;ACCOUNT_ID&amp;gt;:bucket/*&lt;/code&gt;. Using the service-linked role causes the error: &lt;code&gt;Cannot vend credentials from service-linked role to Identity Center principal.&lt;/code&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SELECT and UNLOAD use different permission models.&lt;/strong&gt; Lake Formation controls query-time access to cataloged data (&lt;code&gt;SELECT&lt;/code&gt; through Spectrum). S3 Access Grants controls direct Amazon S3 access (&lt;code&gt;COPY&lt;/code&gt;/&lt;code&gt;UNLOAD&lt;/code&gt;). Both use the same IAM Identity Center identity.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;The Amazon Redshift managed application IAM role&lt;/strong&gt; must include &lt;code&gt;sts:SetContext&lt;/code&gt; in its trust policy and have both Lake Formation/Glue and S3 Access Grants permissions.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Cross-account setup&lt;/strong&gt; requires AWS RAM resource sharing for S3 Access Grants and proper IAM Identity Center application configuration in the analytics account.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Scoped vs object-level permissions in Amazon Redshift.&lt;/strong&gt; When granting permissions with &lt;code&gt;GRANT ... FOR TABLES IN SCHEMA&lt;/code&gt;, use &lt;code&gt;REVOKE ... FOR TABLES IN SCHEMA&lt;/code&gt; to remove them. The &lt;code&gt;REVOKE ... ON ALL TABLES IN SCHEMA&lt;/code&gt; syntax only removes object-level permissions, not scoped permissions.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;The Lake Formation data access role for S3 Tables&lt;/strong&gt; requires &lt;code&gt;sts:SetContext&lt;/code&gt; in its trust policy (for TIP) and &lt;code&gt;s3tables:*&lt;/code&gt; permissions on the table bucket resources.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;&lt;code&gt;AWSServiceRoleForRedshift&lt;/code&gt; must be a Read-Only Admin in Lake Formation&lt;/strong&gt; for Amazon Redshift Query Editor V2 to display external databases from &lt;code&gt;s3tablescatalog&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Federated catalog CatalogId format.&lt;/strong&gt; When using CLI commands for S3 Tables resources in Lake Formation, use the full path format: &lt;code&gt;&amp;lt;ACCOUNT_ID&amp;gt;:s3tablescatalog/&amp;lt;TABLE_BUCKET_NAME&amp;gt;&lt;/code&gt;. Using the account ID alone returns empty results.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="clean-up"&gt;Clean up&lt;/h2&gt; 
&lt;p&gt;To avoid ongoing charges, clean up the resources created in this post:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Delete the S3 table bucket (delete tables → namespaces → bucket using &lt;code&gt;aws s3tables&lt;/code&gt; CLI commands).&lt;/li&gt; 
 &lt;li&gt;Deregister the S3 Tables resource from Lake Formation (&lt;code&gt;aws lakeformation deregister-resource --resource-arn "arn:aws:s3tables:&amp;lt;REGION&amp;gt;:&amp;lt;ACCOUNT_ID&amp;gt;:bucket/*"&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;Delete &lt;code&gt;s3tablescatalog&lt;/code&gt; from Glue (&lt;code&gt;aws glue delete-catalog --catalog-id "s3tablescatalog"&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;Delete the &lt;code&gt;LFAccessRole-S3Tables&lt;/code&gt; IAM role and associated policies.&lt;/li&gt; 
 &lt;li&gt;Delete the S3 Access Grants instance and grants in us-west-2.&lt;/li&gt; 
 &lt;li&gt;Delete the S3 bucket used for &lt;code&gt;UNLOAD&lt;/code&gt;/&lt;code&gt;COPY&lt;/code&gt; in us-west-2.&lt;/li&gt; 
 &lt;li&gt;Delete the &lt;code&gt;iamidcs3accessgrant&lt;/code&gt; IAM role and associated policies.&lt;/li&gt; 
 &lt;li&gt;Deregister the S3 data location from Lake Formation.&lt;/li&gt; 
 &lt;li&gt;Delete the Lake Formation IAM Identity Center integration.&lt;/li&gt; 
 &lt;li&gt;Delete the Amazon Redshift cluster in us-west-2 if you created one for testing.&lt;/li&gt; 
 &lt;li&gt;Remove us-west-2 from IAM Identity Center Multi-Region (if no longer needed).&lt;/li&gt; 
 &lt;li&gt;Schedule deletion of the AWS KMS replica key in us-west-2 (minimum 7-day waiting period).&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;In this post, we extended the Amazon Redshift and S3 Access Grants integration to a multi-Region setup using IAM Identity Center Multi-Region replication. We demonstrated two complementary data access patterns: &lt;code&gt;SELECT&lt;/code&gt; through Lake Formation for fine-grained access control on S3 Tables data, and &lt;code&gt;UNLOAD&lt;/code&gt;/&lt;code&gt;COPY&lt;/code&gt; through S3 Access Grants for direct Amazon S3 access. Both patterns use the same IAM Identity Center identity for access control. We also showed how to set up a customer-managed multi-Region AWS KMS key, enable IAM Identity Center in an additional Region, configure Amazon S3 Tables with Lake Formation for identity-based access control using Trusted Identity Propagation, and replicate the complete S3 Access Grants setup in a different Region and account.&lt;/p&gt; 
&lt;p&gt;With this approach, AnyCompany Global’s analysts authenticate once and access data in any enabled Region while Lake Formation and S3 Access Grants enforce per-user, per-group access policies.&lt;/p&gt; 
&lt;p&gt;For additional guidance, refer to the following resources:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/simplify-enterprise-data-access-using-the-amazon-redshift-integration-with-amazon-s3-access-grants/"&gt;Simplify enterprise data access using the Amazon Redshift integration with Amazon S3 Access Grants(Part 1)&lt;/a&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/multi-region-iam-identity-center.html"&gt;IAM Identity Center Multi-Region&lt;/a&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-replicate.html"&gt;Creating multi-Region replica keys&lt;/a&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://aws.amazon.com/blogs/aws/aws-iam-identity-center-now-supports-customer-managed-kms-keys-for-encryption-at-rest/"&gt;AWS IAM Identity Center now supports customer-managed AWS KMS keys for encryption at rest&lt;/a&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html"&gt;S3 Access Grants documentation&lt;/a&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/simplify-external-object-access-in-amazon-redshift-using-automatic-mounting-of-the-aws-glue-data-catalog/"&gt;Simplify external object access in Amazon Redshift using automatic mounting of the AWS Glue Data Catalog&lt;/a&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-idp-analytics-connecting-steps.html"&gt;Querying data through AWS Lake Formation&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-12.jpeg" alt="Maneesh Sharma" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Maneesh Sharma&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/maneesh-sharma-4b276a64/" target="_blank" rel="noopener"&gt;Maneesh&lt;/a&gt; is a Sr.&amp;nbsp;Specialist Solutions Architect in Analytics at AWS, bringing more than 15 years of hands-on experience in designing and implementing large-scale data warehouse and analytics solutions. He collaborates closely with customers to help them build scalable, high-performance analytical data platforms.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-13.png" alt="Rohit Vashishtha" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Rohit Vashishtha&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/rohit-vashishtha-analytics/" target="_blank" rel="noopener"&gt;Rohit&lt;/a&gt; is a Senior Analytics Specialist Solutions Architect at AWS based in Dallas, Texas. He has two decades of experience architecting, building, leading, and maintaining big data platforms. Rohit helps customers modernize their analytic workloads using the breadth of AWS services and ensures that customers get the best price/performance with utmost security and data governance.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-14.png" alt="Srividya Parthasarathy" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Srividya Parthasarathy&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/srividya-parthasarathy-8b71bb32/" target="_blank" rel="noopener"&gt;Srividya&lt;/a&gt; is a Senior Big Data Architect with Amazon SageMaker Lakehouse. She works with the product team and customers to build robust features and solutions for their analytical data platform. She enjoys building data mesh solutions and sharing them with the community.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/18/BDB-5980-15.jpeg" alt="Sandeep Adwankar" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Sandeep Adwankar&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/adwankar/" target="_blank" rel="noopener"&gt;Sandeep&lt;/a&gt; is a Senior Product Manager with Amazon SageMaker Lakehouse. Based in the California Bay Area, he works with customers around the globe to translate business and technical requirements into products that help customers improve how they manage, secure, and access data.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Autonomous troubleshooting for Medallion Architecture with AWS DevOps Agent and Apache Spark Troubleshooting Agent</title>
		<link>https://aws.amazon.com/blogs/big-data/autonomous-troubleshooting-for-medallion-architecture-with-aws-devops-agent-and-apache-spark-troubleshooting-agent/</link>
		
		<dc:creator><![CDATA[Mohammad Sabeel]]></dc:creator>
		<pubDate>Tue, 23 Jun 2026 15:57:56 +0000</pubDate>
				<category><![CDATA[Advanced (300)]]></category>
		<category><![CDATA[AWS Glue]]></category>
		<category><![CDATA[Technical How-to]]></category>
		<guid isPermaLink="false">93895b824386d1d02b401af311a7277be7bef30f</guid>

					<description>In this post, we show you how to diagnose multi-layer Medallion Architecture pipeline failures in minutes using AWS DevOps Agent with Apache Spark Troubleshooting Agent integrated as an MCP server.</description>
										<content:encoded>&lt;p&gt;Every minute of data processing pipeline downtime delays business decisions, stalls downstream analytics, drives revenue loss, and erodes stakeholder confidence. Teams that run Medallion Architecture pipelines—a common data lakehouse pattern where data flows through bronze, silver, and gold layers with increasing quality—face cascading failures that impact revenue-critical reporting and machine learning workloads. As you scale these multi-stage pipelines with &lt;a href="https://aws.amazon.com/managed-workflows-for-apache-airflow/" target="_blank" rel="noopener"&gt;Amazon Managed Workflows for Apache Airflow (MWAA)&lt;/a&gt;, &lt;a href="https://aws.amazon.com/glue/" target="_blank" rel="noopener"&gt;AWS Glue&lt;/a&gt;, and &lt;a href="https://aws.amazon.com/redshift/" target="_blank" rel="noopener"&gt;Amazon Redshift&lt;/a&gt;, troubleshooting failures becomes increasingly complex. When a mission-critical job fails, an engineer must sift through gigabytes of logs across interconnected systems. This means spending hours on incident investigations, examining execution timelines and resource metrics, and cross-referencing findings with &lt;a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener"&gt;Amazon CloudWatch&lt;/a&gt; and recent deployment changes to find the root cause. This requires deep familiarity with the underlying technologies, expertise not every team member has. When the right engineer is unavailable during off-hours, pipeline downtime extends and downstream consumers wait. The cycle of detect, investigate, fix, and repeat is costly and entirely reactive. A proactive operational model moves issue identification upstream, catching and addressing problems before they disrupt your data pipelines.&lt;/p&gt; 
&lt;p&gt;In this post, we show you how to diagnose multi-layer Medallion Architecture pipeline failures in minutes using AWS DevOps Agent with Apache Spark Troubleshooting Agent integrated as an MCP server.&lt;/p&gt; 
&lt;h2 id="what-is-aws-devops-agent-and-apache-spark-troubleshooting-agent"&gt;What is AWS DevOps Agent and Apache Spark Troubleshooting Agent?&lt;/h2&gt; 
&lt;p&gt;&lt;a href="https://aws.amazon.com/devops-agent/" target="_blank" rel="noopener"&gt;AWS DevOps Agent&lt;/a&gt; is an autonomous investigation agent powered by AI that automatically diagnoses operational issues across your AWS environment. When a failure occurs, the agent independently gathers evidence from logs, metrics, and configurations across interconnected services, identifies the root cause, and delivers actionable remediation steps, all without human intervention. It integrates with your existing workflows through webhooks and delivers findings directly to communication channels like Slack. With AWS DevOps Agent, you can replace the reactive cycle of detect, investigate, fix, and repeat with autonomous, proactive troubleshooting. The agent acts as your always-on, on-call engineer, starting its investigation the moment a failure occurs, whether during business hours or in the middle of the night.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/emr/latest/ReleaseGuide/spark-troubleshoot.html" target="_blank" rel="noopener"&gt;Apache Spark Troubleshooting Agent&lt;/a&gt; is an AI-powered, fully managed Model Context Protocol (MCP) server that data engineers can use to diagnose Spark application failures across Amazon EMR, AWS Glue, and Amazon SageMaker AI Notebooks using natural language. It automatically correlates Spark History Server data, distributed executor logs, and configuration patterns to identify root causes and deliver actionable recommendations. This removes hours of manual investigation across multiple consoles and log files.&lt;/p&gt; 
&lt;h2 id="use-case"&gt;Use case&lt;/h2&gt; 
&lt;p&gt;The following sections walk through a common Medallion Architecture failure scenario and show how autonomous troubleshooting resolves it.&lt;/p&gt; 
&lt;h3 id="the-scenario"&gt;The scenario&lt;/h3&gt; 
&lt;p&gt;Consider this scenario: a gold layer AWS Glue job fails with “Missing data for not-null field.” The logs don’t reveal the actual problem. The root cause is a subtle data quality issue introduced upstream in the silver layer, a job that succeeded without errors. Without autonomous troubleshooting, you would manually trace data lineage across &lt;a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3)&lt;/a&gt;, Amazon Redshift, and multiple AWS Glue job logs to find the source.&lt;/p&gt; 
&lt;h3 id="the-solution"&gt;The solution&lt;/h3&gt; 
&lt;p&gt;When integrated with the Apache Spark Troubleshooting Agent, AWS DevOps Agent identifies the gold layer Amazon Redshift write failure, traces it back to silver layer data corruption, and provides detailed root causes and actionable recommendations. The investigation typically completes within 3 to 5 minutes.&lt;/p&gt; 
&lt;h2 id="solution-overview"&gt;Solution overview&lt;/h2&gt; 
&lt;p&gt;The following diagram shows the Medallion Architecture data flow across bronze, silver, and gold layers.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-1.png" alt="Medallion Architecture data flow showing the bronze layer in Amazon S3, the silver layer in Amazon S3 and Amazon Redshift, and the gold layer in Amazon Redshift, with Amazon MWAA orchestrating AWS Glue jobs and AWS DevOps Agent investigating failures" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;The architecture flow includes the following steps:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Amazon MWAA triggers the Medallion pipeline directed acyclic graph (DAG), orchestrating three AWS Glue jobs sequentially: bronze layer, silver layer, and gold layer.&lt;/li&gt; 
 &lt;li&gt;The bronze layer job generates 50,000 synthetic ecommerce order records and writes raw Parquet files to Amazon S3.&lt;/li&gt; 
 &lt;li&gt;The silver layer job reads bronze data from Amazon S3, applies transformations, and writes the results to two destinations in parallel: Amazon S3, and Amazon Redshift (filtered, cleaned, and augmented data in the &lt;code&gt;silver_ecommerce&lt;/code&gt; table). This job silently introduces data corruption in approximately 8 percent of &lt;code&gt;total_amount&lt;/code&gt; values.&lt;/li&gt; 
 &lt;li&gt;The gold layer job reads from the Amazon Redshift &lt;code&gt;silver_ecommerce&lt;/code&gt; table, performs aggregation, and attempts to write business-level aggregates back to the Amazon Redshift &lt;code&gt;gold_ecommerce_summary&lt;/code&gt; table. If upstream data corruption introduces &lt;code&gt;NULL&lt;/code&gt; values, this job fails with “Missing data for not-null field” because those &lt;code&gt;NULL&lt;/code&gt; values violate the &lt;code&gt;NOT NULL&lt;/code&gt; constraint.&lt;/li&gt; 
 &lt;li&gt;When the gold layer job enters a FAILED state, &lt;a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener"&gt;Amazon EventBridge&lt;/a&gt; captures the AWS Glue Job State Change event and invokes an &lt;a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener"&gt;AWS Lambda&lt;/a&gt; function. The Lambda function retrieves webhook credentials from &lt;a href="https://aws.amazon.com/secrets-manager/" target="_blank" rel="noopener"&gt;AWS Secrets Manager&lt;/a&gt;, constructs an HMAC-signed event payload containing the job name, run ID, and error details, and sends it to AWS DevOps Agent.&lt;/li&gt; 
 &lt;li&gt;AWS DevOps Agent receives the HTTP POST request to the webhook and starts an autonomous investigation. It authenticates with &lt;a href="https://aws.amazon.com/cognito/" target="_blank" rel="noopener"&gt;Amazon Cognito&lt;/a&gt; using the OAuth 2.0 client credentials flow, then sends an MCP request through &lt;a href="https://aws.amazon.com/bedrock/agentcore/" target="_blank" rel="noopener"&gt;Amazon Bedrock AgentCore&lt;/a&gt; Gateway. The AgentCore Gateway invokes a Signature Version 4 (SigV4) Proxy Lambda, which signs the request and forwards it to the Apache Spark Troubleshooting Agent MCP Server. The MCP Server analyzes Spark event logs, executor metrics, and error stack traces for the failed gold job.&lt;/li&gt; 
 &lt;li&gt;AWS DevOps Agent delivers the investigation to your configured Slack channel. The delivery includes root cause analysis, upstream data lineage back to the silver layer corruption, and step-by-step remediation recommendations.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h2 id="walkthrough"&gt;Walkthrough&lt;/h2&gt; 
&lt;p&gt;In the following sections, you deploy a three-layer Medallion Architecture pipeline that processes ecommerce order data. Complete the steps to get started with autonomous troubleshooting using AWS DevOps Agent.&lt;/p&gt; 
&lt;h3 id="prerequisites"&gt;Prerequisites&lt;/h3&gt; 
&lt;p&gt;Before you begin, verify that you have the following:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;An &lt;a href="https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/" target="_blank" rel="noopener"&gt;AWS account&lt;/a&gt;. Your AWS Identity and Access Management (IAM) user or role must have the following permissions: 
  &lt;ul&gt; 
   &lt;li&gt;&lt;code&gt;iam:CreateRole&lt;/code&gt;, &lt;code&gt;iam:AttachRolePolicy&lt;/code&gt;, &lt;code&gt;iam:PutRolePolicy&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;lambda:CreateFunction&lt;/code&gt;, &lt;code&gt;lambda:AddPermission&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;glue:CreateJob&lt;/code&gt;, &lt;code&gt;glue:StartJobRun&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;redshift:CreateCluster&lt;/code&gt;, &lt;code&gt;redshift:GetClusterCredentials&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;airflow:CreateEnvironment&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;events:PutRule&lt;/code&gt;, &lt;code&gt;events:PutTargets&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;sqs:CreateQueue&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;secretsmanager:CreateSecret&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;kms:CreateKey&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;ec2:CreateVpc&lt;/code&gt;, &lt;code&gt;ec2:CreateSubnet&lt;/code&gt;, &lt;code&gt;ec2:CreateSecurityGroup&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;&lt;code&gt;cloudformation:CreateStack&lt;/code&gt;, &lt;code&gt;cloudformation:DescribeStacks&lt;/code&gt;&lt;/li&gt; 
   &lt;li&gt;Alternatively, you can use the &lt;code&gt;AdministratorAccess&lt;/code&gt; managed policy for simplicity in a dev/test environment.&lt;/li&gt; 
  &lt;/ul&gt; &lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" target="_blank" rel="noopener"&gt;AWS Command Line Interface (AWS CLI)&lt;/a&gt; version 2.30.0 or later, installed and configured with appropriate credentials.&lt;/li&gt; 
 &lt;li&gt;(Optional) A &lt;a href="https://slack.com/get-started" target="_blank" rel="noopener"&gt;Slack workspace&lt;/a&gt; if you want investigation results delivered to a channel.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="set-up-aws-devops-agent"&gt;Set up AWS DevOps Agent&lt;/h3&gt; 
&lt;p&gt;In this section, you configure AWS DevOps Agent to receive and investigate pipeline failure events. This involves three tasks: creating an Agent Space (your investigation workspace), optionally connecting a Slack channel for notifications, and generating a webhook endpoint that your pipeline uses to send failure alerts to the agent.&lt;/p&gt; 
&lt;h4 id="create-an-agent-space"&gt;Create an Agent Space&lt;/h4&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Open the AWS DevOps Agent console.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Create Agent Space&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Enter a name (for example, &lt;code&gt;medallion-troubleshooting&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Create&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h4 id="connect-a-slack-integration-optional"&gt;Connect Slack integration (optional)&lt;/h4&gt; 
&lt;p&gt;If you use Slack for internal communication, you can configure it to receive investigation results.&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;In the AWS DevOps Agent console, go to &lt;strong&gt;Agent Spaces&lt;/strong&gt;, select &lt;strong&gt;medallion-troubleshooting&lt;/strong&gt; and then &lt;strong&gt;Communications&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Add integration&lt;/strong&gt; and choose &lt;strong&gt;Slack&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Next&lt;/strong&gt; to allow AWS DevOps Agent to access your Slack workspace, and choose &lt;strong&gt;Allow&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Provide the Slack workspace and the Channel ID where you want investigation results delivered, then choose &lt;strong&gt;Next&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Enter the following command in your channel chat to complete the integration: &lt;code&gt;/invite @AWS DevOps Agent&lt;/code&gt;. 
  &lt;ul type="1"&gt; 
   &lt;li&gt;While running this command, when prompted, choose the correct region where the Agent Space is provisioned.&lt;/li&gt; 
  &lt;/ul&gt; &lt;/li&gt; 
&lt;/ol&gt; 
&lt;h4 id="create-a-webhook"&gt;Create a webhook&lt;/h4&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;In your Agent Space, go to &lt;strong&gt;Webhooks&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Add webhook&lt;/strong&gt; and choose &lt;strong&gt;Next&lt;/strong&gt; on the two following pages.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Generate URL and secret key&lt;/strong&gt;, and give the webhook a name (for example, &lt;code&gt;medallion-failure-webhook&lt;/code&gt;).&lt;/li&gt; 
 &lt;li&gt;After creation, copy and save the &lt;strong&gt;Webhook URL&lt;/strong&gt; (HTTPS endpoint) and &lt;strong&gt;Secret Key&lt;/strong&gt;. You can also choose &lt;strong&gt;Download .csv&lt;/strong&gt; to save this information to a secure location. Select the checkbox labeled &lt;strong&gt;I’ve saved and stored my URL and secret key&lt;/strong&gt;, then choose &lt;strong&gt;Add&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;Note the &lt;strong&gt;Webhook URL&lt;/strong&gt; and &lt;strong&gt;Secret Key&lt;/strong&gt; for later. You provide them as parameters when you create the AWS CloudFormation stack.&lt;/p&gt; 
&lt;h3 id="deploy-the-aws-cloudformation-stack"&gt;Deploy the AWS CloudFormation stack&lt;/h3&gt; 
&lt;p&gt;The AWS CloudFormation template deploys the full Medallion Architecture pipeline. This includes an Amazon Virtual Private Cloud (Amazon VPC) with private subnets, an Amazon Redshift cluster (ra3.xlplus, single-node), and three AWS Glue jobs. It also creates an Amazon MWAA environment, Amazon EventBridge rules, AWS Lambda functions, and an AgentCore Gateway with Amazon Cognito OAuth authentication.&lt;/p&gt; 
&lt;p&gt;You can deploy the stack using one of two methods. Use &lt;strong&gt;Option A&lt;/strong&gt; if you prefer a visual, guided experience through the AWS Management Console. Use &lt;strong&gt;Option B&lt;/strong&gt; if you prefer working from the command line or need to integrate the deployment into a script or automation workflow.&lt;/p&gt; 
&lt;p&gt;Before you start, download the &lt;a href="https://github.com/aws-samples/sample-aws-data-processing-and-analytics/blob/main/blogs/medallion-architecture-devops-agent/cloudformation/blog-medallion-stack.yaml" target="_blank" rel="noopener"&gt;CloudFormation template&lt;/a&gt; from GitHub.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Option A: AWS Management Console (recommended)&lt;/strong&gt;&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Open the &lt;a href="https://console.aws.amazon.com/cloudformation/home#/stacks/create" target="_blank" rel="noopener"&gt;AWS CloudFormation console&lt;/a&gt; and choose &lt;strong&gt;Create stack&lt;/strong&gt; → &lt;strong&gt;With existing resources (import resources)&lt;/strong&gt; or &lt;strong&gt;Upload a template file&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Choose file&lt;/strong&gt;, select the downloaded &lt;code&gt;blog-medallion-stack.yaml&lt;/code&gt;, then choose &lt;strong&gt;Next&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Stack name&lt;/strong&gt;, enter &lt;code&gt;medallion-troubleshooting&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Fill in the parameters: 
  &lt;ul&gt; 
   &lt;li&gt;For &lt;code&gt;WebhookUrl&lt;/code&gt;, enter your AWS DevOps Agent webhook URL (from Agent Space settings).&lt;/li&gt; 
   &lt;li&gt;For &lt;code&gt;WebhookSecret&lt;/code&gt;, enter the webhook secret for authentication.&lt;/li&gt; 
  &lt;/ul&gt; &lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Next&lt;/strong&gt;, select &lt;strong&gt;I acknowledge that AWS CloudFormation might create IAM resources with custom names&lt;/strong&gt;, then choose &lt;strong&gt;Submit&lt;/strong&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;strong&gt;Option B: AWS CLI&lt;/strong&gt;&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws cloudformation create-stack \
    --stack-name medallion-troubleshooting \
    --template-body file://blog-medallion-stack.yaml \
    --parameters \
        ParameterKey=WebhookUrl,ParameterValue=&amp;lt;YOUR-WEBHOOK-URL&amp;gt; \
        ParameterKey=WebhookSecret,ParameterValue=&amp;lt;YOUR-WEBHOOK-SECRET&amp;gt; \
    --capabilities &amp;lt;CAPABILITY_NAMED_IAM&amp;gt; \
    --region &amp;lt;YOUR-REGION&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Replace the placeholder values:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;code&gt;YOUR-WEBHOOK-URL&lt;/code&gt; – Your AWS DevOps Agent webhook URL (from Agent Space settings).&lt;/li&gt; 
 &lt;li&gt;&lt;code&gt;YOUR-WEBHOOK-SECRET&lt;/code&gt; – The webhook secret for authentication.&lt;/li&gt; 
 &lt;li&gt;&lt;code&gt;YOUR-REGION&lt;/code&gt; – The AWS Region.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Wait for the stack status to show &lt;code&gt;CREATE_COMPLETE&lt;/code&gt;. In our testing, this took approximately 30–40 minutes.&lt;/p&gt; 
&lt;h3 id="retrieve-amazon-cognito-client-credentials"&gt;Retrieve Amazon Cognito client credentials&lt;/h3&gt; 
&lt;p&gt;After the stack is deployed, it creates an Amazon Cognito user pool with an OAuth 2.0 client for AWS DevOps Agent authentication. Retrieve the client secret using the command below. The &lt;code&gt;--user-pool-id&lt;/code&gt;&amp;nbsp; and &lt;code&gt;CognitoClientId&lt;/code&gt; needs to be copied from the stack outputs.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws cognito-idp describe-user-pool-client \
    --user-pool-id &amp;lt;UserPoolId-from-outputs&amp;gt; \
    --client-id &amp;lt;CognitoClientId-from-outputs&amp;gt; \
    --query UserPoolClient.ClientSecret \
    --output text --region &amp;lt;YOUR-REGION&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Replace &lt;code&gt;YOUR-REGION&lt;/code&gt; with the actual AWS Region value, and save this value for the MCP Server registration in the following step.&lt;/p&gt; 
&lt;h3 id="register-the-spark-troubleshooting-mcp-server"&gt;Register the Spark Troubleshooting MCP Server&lt;/h3&gt; 
&lt;p&gt;The Spark Troubleshooting MCP Server gives AWS DevOps Agent the ability to analyze Apache Spark event logs, executor metrics, and error stack traces from your AWS Glue jobs. By registering this server, you connect the agent to the diagnostic tooling it needs to autonomously investigate pipeline failures.&lt;/p&gt; 
&lt;p&gt;To register the MCP Server in AWS DevOps Agent, complete the following steps:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;In the AWS DevOps Agent console, go to &lt;strong&gt;Agent Spaces, &lt;/strong&gt;select &lt;strong&gt;medallion-troubleshooting&lt;/strong&gt; and then &lt;strong&gt;Capabilities&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;In the &lt;strong&gt;MCP Servers&lt;/strong&gt; section, choose &lt;strong&gt;Add&lt;/strong&gt; or &lt;strong&gt;Add Source&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Find &lt;strong&gt;New MCP Server Registration&lt;/strong&gt; and choose &lt;strong&gt;Register&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Name&lt;/strong&gt;, enter &lt;code&gt;sparkagent&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Endpoint URL&lt;/strong&gt;, enter the &lt;code&gt;AgentCoreGatewayUrl&lt;/code&gt; value from the stack outputs.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Description&lt;/strong&gt;, enter &lt;code&gt;Apache Spark Troubleshooting MCP Server via AgentCore Gateway&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Leave &lt;strong&gt;Enable Dynamic Client Registration&lt;/strong&gt; cleared.&lt;/li&gt; 
 &lt;li&gt;Leave &lt;strong&gt;Connect to endpoint using a private connection&lt;/strong&gt; cleared, then choose &lt;strong&gt;Next&lt;/strong&gt;.&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-2.png" alt="Registration page for the Apache Spark Troubleshooting MCP Server in the AWS DevOps Agent console, showing endpoint URL and description fields" width="600"&gt;&lt;/li&gt; 
 &lt;li&gt;Under &lt;strong&gt;Authorization Flow&lt;/strong&gt;, select &lt;strong&gt;OAuth Client Credentials&lt;/strong&gt;, and choose &lt;strong&gt;Next&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Client ID&lt;/strong&gt;, enter the &lt;code&gt;CognitoClientId&lt;/code&gt; value from the stack outputs.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Client Secret&lt;/strong&gt;, enter the value you retrieved in the preceding step.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Exchange URL&lt;/strong&gt;, enter the &lt;code&gt;CognitoTokenEndpoint&lt;/code&gt; value from the stack outputs.&lt;/li&gt; 
 &lt;li&gt;For &lt;strong&gt;Add Scope&lt;/strong&gt;, enter &lt;code&gt;&amp;lt;stack-name&amp;gt;-mcp-proxy/invoke&lt;/code&gt;. For example, &lt;code&gt;medallion-troubleshooting-mcp-proxy/invoke&lt;/code&gt;.&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Next&lt;/strong&gt;, review your configuration, and choose &lt;strong&gt;Add&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;Once you choose &lt;strong&gt;Add&lt;/strong&gt;, on the following screen, click on the checkbox next to the &lt;code&gt;spark___analyze_spark_workload&lt;/code&gt;. This is the root cause analysis tool which provides detailed troubleshooting for failed Apache Spark workloads.&lt;br&gt; &lt;img loading="lazy" class="alignnone wp-image-92210 size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/22/bdb-5852-select-mcp-server.png" alt="Selecting the tool within the AWS Managed Apache Spark Troubleshooting MCP server" width="864" height="310"&gt;&lt;/li&gt; 
 &lt;li&gt;Choose &lt;strong&gt;Save&lt;/strong&gt; as a last step. You will see the &lt;strong&gt;MCP Server associated successfully&lt;/strong&gt; message on the top.&lt;br&gt; &lt;img loading="lazy" class="alignnone size-full wp-image-92211" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/22/bdb-5852-setupmcp.png" alt="Confirmation showing the successful Integration of AWS DevOps Agent Space with Apache Spark Troubleshooting MCP Server" width="864" height="128"&gt;&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h3 id="see-aws-devops-agent-in-action"&gt;See AWS DevOps Agent in action&lt;/h3&gt; 
&lt;p&gt;Now that you have completed the prerequisites, you can see AWS DevOps Agent in action. Go to the Amazon MWAA &lt;a href="https://console.aws.amazon.com/mwaa/home#environment"&gt;Airflow Environments UI&lt;/a&gt; and click on &lt;strong&gt;Open Airflow UI&lt;/strong&gt; under &lt;strong&gt;Airflow UI&lt;/strong&gt;. It will open in a new browser tab. In the Airflow console, locate and manually trigger the &lt;code&gt;medallion_architecture_pipeline&lt;/code&gt; DAG.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-4.png" alt="Amazon MWAA Airflow console showing the medallion_architecture_pipeline DAG with the Trigger DAG action selected" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-5.png" alt="Amazon MWAA Airflow UI showing the medallion_architecture_pipeline DAG with bronze, silver, and gold tasks listed sequentially" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;The DAG runs three AWS Glue jobs sequentially:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;Bronze layer&lt;/strong&gt; – This job generates 50,000 ecommerce order records and writes them to Amazon S3 as Parquet files.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Silver layer&lt;/strong&gt; – This job applies transformations and loads the results to both Amazon S3 and Amazon Redshift. It also silently injects approximately 8 percent of &lt;code&gt;total_amount&lt;/code&gt; values with &lt;code&gt;$&lt;/code&gt; prefix strings, introducing hidden data corruption.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Gold layer&lt;/strong&gt; – This job reads from Amazon Redshift, casts &lt;code&gt;total_amount&lt;/code&gt; to numeric (producing &lt;code&gt;NULL&lt;/code&gt; values for the &lt;code&gt;$&lt;/code&gt;-prefixed strings), and attempts to write aggregated results to the Amazon Redshift target table. It fails because the &lt;code&gt;NULL&lt;/code&gt; values violate the &lt;code&gt;NOT NULL&lt;/code&gt; constraint on &lt;code&gt;revenue_total&lt;/code&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-6.png" alt="Amazon MWAA DAG run showing the bronze task succeeded, the silver task succeeded, and the gold task failed" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;With the components deployed and connected, the autonomous troubleshooting pipeline is ready to respond to failures. In this walkthrough, the silver layer job deliberately introduces data corruption to simulate a real-world data quality issue. This causes the gold layer job to fail, giving you the opportunity to see how AWS DevOps Agent responds.&lt;/p&gt; 
&lt;p&gt;As soon as the gold layer job fails, AWS DevOps Agent starts an autonomous investigation and uses the Apache Spark Troubleshooting MCP Server where needed.&lt;/p&gt; 
&lt;p&gt;Go to the &lt;strong&gt;AWS DevOps Management&lt;/strong&gt; console and choose the &lt;strong&gt;medallion-troubleshooting&lt;/strong&gt; under Agent Spaces. Next, select the &lt;strong&gt;Operator Access&lt;/strong&gt; button. This will redirect you to &lt;strong&gt;Operator Console&lt;/strong&gt; where you will see that the incident investigation automatically started in 1-2 minutes post Gold layer job failure.&lt;/p&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92213" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/22/bdb-5852-investigation.png" alt="" width="864" height="282"&gt;&lt;/p&gt; 
&lt;p&gt;After the investigation completes, AWS DevOps Agent presents its findings within the incident analysis. The results are organized into two sections.&lt;/p&gt; 
&lt;h4 id="root-cause-identified-by-aws-devops-agent"&gt;Root cause identified by AWS DevOps Agent&lt;/h4&gt; 
&lt;p&gt;The agent identifies the underlying cause of the failure, tracing the gold layer write error back to data corruption introduced in the upstream silver layer AWS Glue job.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-7.png" alt="Root cause analysis from AWS DevOps Agent showing the gold layer write error traced back to silver layer data corruption" width="600"&gt;&lt;/p&gt; 
&lt;h4 id="mitigation-plan-generated-by-aws-devops-agent"&gt;Mitigation plan generated by AWS DevOps Agent&lt;/h4&gt; 
&lt;p&gt;On choosing &lt;strong&gt;Generate Mitigation Plan&lt;/strong&gt;, the agent provides step-by-step remediation recommendations to resolve the issue and prevent recurrence.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-8.png" alt="Mitigation plan from AWS DevOps Agent listing remediation steps to fix the silver layer data corruption and prevent recurrence" width="600"&gt;&lt;/p&gt; 
&lt;h4 id="aws-devops-agent-sends-a-notification-to-slack"&gt;AWS DevOps Agent sends a notification to Slack&lt;/h4&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-9.png" alt="Slack channel showing the AWS DevOps Agent investigation summary with root cause identification and upstream data lineage trace" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;Typically, within 3–5 minutes, the agent delivers a detailed investigation in Slack that includes root cause identification, upstream data lineage tracking, and an actionable recommendation.&lt;/p&gt; 
&lt;p&gt;You have deployed an autonomous troubleshooting pipeline for Medallion Architecture data pipelines. The pipeline runs using AWS Glue, Amazon Redshift, and Amazon MWAA, with AWS DevOps Agent providing autonomous investigation. The agent traced a gold layer Amazon Redshift write failure back to a silver layer data quality issue. This type of diagnosis would typically require hours of manual investigation by an engineer with deep expertise in Apache Spark, Amazon Redshift, and data pipeline architecture. AWS DevOps Agent completed it autonomously within minutes.&lt;/p&gt; 
&lt;p&gt;If you need human assistance, you can use the &lt;em&gt;Ask for human support&lt;/em&gt; feature within AWS DevOps Agent to open a case with AWS Support, automatically populated with relevant investigation context.&lt;/p&gt; 
&lt;h2 id="enhanced-investigations-with-aws-devops-agent-skills"&gt;Enhanced investigations with AWS DevOps Agent Skills&lt;/h2&gt; 
&lt;p&gt;AWS DevOps Agent autonomously investigates failures out of the box. You can enhance its diagnostic depth using Skills, a feature that provides the agent with domain-specific guidance tailored to your environment.&lt;/p&gt; 
&lt;p&gt;For Medallion Architecture pipelines, you can create Skills that instruct the agent to check for data type mismatches between pipeline layers when Amazon Redshift COPY errors occur, cross-reference silver layer data quality metrics with gold layer aggregation failures, or follow your internal runbook for escalating data quality issues to the upstream data engineering team.&lt;/p&gt; 
&lt;p&gt;To configure &lt;a href="https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent-devops-agent-skills.html" target="_blank" rel="noopener"&gt;Skills&lt;/a&gt;, go to your &lt;strong&gt;Agent Space&lt;/strong&gt; in the AWS DevOps Agent console and choose the &lt;strong&gt;Skills&lt;/strong&gt; tab.&lt;/p&gt; 
&lt;h2 id="clean-up"&gt;Clean up&lt;/h2&gt; 
&lt;p&gt;To avoid incurring future charges, delete the resources you created during this walkthrough promptly after you finish testing.&lt;/p&gt; 
&lt;p&gt;To clean up resources, complete the following steps:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;Deregister the MCP Server.&lt;/strong&gt; In the AWS DevOps Agent console, go to your Agent Space and choose the &lt;strong&gt;Capabilities&lt;/strong&gt; tab. In the &lt;strong&gt;MCP Servers&lt;/strong&gt; section, choose the &lt;code&gt;sparkagent&lt;/code&gt; server, then choose &lt;strong&gt;Deregister&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Delete the webhook.&lt;/strong&gt; In your Agent Space, go to the &lt;strong&gt;Webhooks&lt;/strong&gt; tab. Choose the &lt;code&gt;medallion-failure-webhook&lt;/code&gt;, then choose &lt;strong&gt;Delete&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Empty the Amazon S3 buckets.&lt;/strong&gt; Open the &lt;a href="https://console.aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon S3 console&lt;/a&gt;. Locate the buckets created by the stack (their names start with &lt;code&gt;medallion-troubleshooting&lt;/code&gt;). For each bucket, choose &lt;strong&gt;Empty&lt;/strong&gt;, enter &lt;code&gt;permanently delete&lt;/code&gt; to confirm, and choose &lt;strong&gt;Empty&lt;/strong&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Delete the AWS CloudFormation stack.&lt;/strong&gt; Open the &lt;a href="https://console.aws.amazon.com/cloudformation/" target="_blank" rel="noopener"&gt;AWS CloudFormation console&lt;/a&gt;. Choose the &lt;code&gt;medallion-troubleshooting&lt;/code&gt; stack, then choose &lt;strong&gt;Delete&lt;/strong&gt;. Alternatively, run the following command:&lt;/li&gt; 
&lt;/ol&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-bash"&gt;aws cloudformation delete-stack \
    --stack-name medallion-troubleshooting \
    --region &amp;lt;your-region&amp;gt;&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Wait for the stack deletion to complete.&lt;/p&gt; 
&lt;ol start="5" type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;Delete any retained Amazon S3 buckets.&lt;/strong&gt; Some Amazon S3 buckets might have a &lt;code&gt;DeletionPolicy&lt;/code&gt; of &lt;code&gt;Retain&lt;/code&gt; and aren’t automatically deleted with the stack. Return to the Amazon S3 console, locate any remaining buckets created by the stack, empty them using the process in the preceding step, and then choose &lt;strong&gt;Delete&lt;/strong&gt; for each bucket.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;In this post, you deployed an autonomous troubleshooting pipeline for Medallion Architecture data pipelines using AWS Glue, Amazon Redshift, Amazon MWAA, and AWS DevOps Agent. The agent traced a gold layer Amazon Redshift write failure back to a silver layer data quality issue—a diagnosis that would typically require hours of manual investigation by an engineer with deep expertise across multiple services.&lt;/p&gt; 
&lt;p&gt;As your data pipelines grow in complexity, so does the challenge of diagnosing failures that span multiple layers and services. AWS DevOps Agent reduces your mean time to resolution by autonomously investigating incidents the moment they occur, whether during business hours or at 2 AM. Your on-call engineers spend less time sifting through logs and more time building reliable data infrastructure. By shifting from reactive firefighting to autonomous, proactive troubleshooting, you can improve pipeline reliability, protect downstream analytics and machine learning workloads, and maintain stakeholder confidence in your data platform.&lt;/p&gt; 
&lt;p&gt;To learn how to structure Agent Spaces for investigation accuracy, scope resource access, and use infrastructure as code to streamline deployment, see &lt;a href="https://aws.amazon.com/blogs/devops/best-practices-for-deploying-aws-devops-agent-in-production/" target="_blank" rel="noopener"&gt;Best practices for deploying AWS DevOps Agent in production&lt;/a&gt;. To learn how to evaluate and choose the right lakehouse pattern for your needs, see &lt;a href="https://aws.amazon.com/blogs/big-data/navigating-architectural-choices-for-a-lakehouse-using-amazon-sagemaker/" target="_blank" rel="noopener"&gt;Navigating architectural choices for a lakehouse using Amazon SageMaker&lt;/a&gt;. For more about Apache Spark Troubleshooting Agent, see &lt;a href="https://aws.amazon.com/blogs/big-data/introducing-the-apache-spark-troubleshooting-agent-for-amazon-emr-and-aws-glue/" target="_blank" rel="noopener"&gt;Introducing the Apache Spark Troubleshooting Agent for Amazon EMR and AWS Glue&lt;/a&gt;.&lt;/p&gt; 
&lt;h2 id="next-steps"&gt;Next steps&lt;/h2&gt; 
&lt;p&gt;Now that you have set up autonomous troubleshooting for your Medallion Architecture pipeline, consider exploring the following:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Escalate to AWS Support directly from an investigation.&lt;/strong&gt; If the agent’s findings require human assistance, you can use the &lt;strong&gt;Ask for human support&lt;/strong&gt; feature within AWS DevOps Agent. This opens a case with AWS Support that is automatically populated with the relevant investigation context, which reduces the time spent describing the issue. For more information, see &lt;a href="https://docs.aws.amazon.com/devops-agent/latest/userguide/human-support.html" target="_blank" rel="noopener"&gt;Getting help from AWS Support through AWS DevOps Agent&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Enhance investigations with Skills.&lt;/strong&gt; Create custom Skills to give the agent domain-specific guidance tailored to your environment.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Learn more&lt;/strong&gt; about &lt;a href="https://aws.amazon.com/blogs/devops/best-practices-for-deploying-aws-devops-agent-in-production/" target="_blank" rel="noopener"&gt;AWS DevOps Agent best practices&lt;/a&gt;, &lt;a href="https://aws.amazon.com/blogs/big-data/navigating-architectural-choices-for-a-lakehouse-using-amazon-sagemaker/" target="_blank" rel="noopener"&gt;choosing the right lakehouse pattern&lt;/a&gt;, and the &lt;a href="https://aws.amazon.com/blogs/big-data/introducing-the-apache-spark-troubleshooting-agent-for-amazon-emr-and-aws-glue/" target="_blank" rel="noopener"&gt;Apache Spark Troubleshooting Agent&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Optimize your AWS DevOps Agent deployment.&lt;/strong&gt; Learn how to structure Agent Spaces for investigation accuracy, scope resource access, and use infrastructure as code to streamline deployment. See &lt;a href="https://aws.amazon.com/blogs/devops/best-practices-for-deploying-aws-devops-agent-in-production/" target="_blank" rel="noopener"&gt;Best practices for deploying AWS DevOps Agent in production&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Choose the right lakehouse architecture.&lt;/strong&gt; Evaluate and compare lakehouse patterns to find the best fit for your data platform. See &lt;a href="https://aws.amazon.com/blogs/big-data/navigating-architectural-choices-for-a-lakehouse-using-amazon-sagemaker/" target="_blank" rel="noopener"&gt;Navigating architectural choices for a lakehouse using Amazon SageMaker&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Explore the Apache Spark Troubleshooting Agent.&lt;/strong&gt; Learn more about the diagnostic capabilities the agent uses to analyze Spark event logs, executor metrics, and error stack traces. See &lt;a href="https://aws.amazon.com/blogs/big-data/introducing-the-apache-spark-troubleshooting-agent-for-amazon-emr-and-aws-glue/" target="_blank" rel="noopener"&gt;Introducing the Apache Spark Troubleshooting Agent for Amazon EMR and AWS Glue&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-10.png" alt="Mohammad Sabeel" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Mohammad Sabeel&lt;/h3&gt; 
  &lt;p&gt;Mohammad is a Senior Technical Account Manager (TAM) at Amazon Web Services (AWS) with over 14 years of experience in Information Technology (IT). As a member of the Technical Field Community for Analytics team, he is a subject matter expert in Analytics services including AWS Glue, Amazon Managed Workflows for Apache Airflow (MWAA), and Amazon Athena. Sabeel provides strategic guidance and proactive technical support to enterprise and ISV customers, helping them optimize their data analytics solutions, build resilient architectures, and accelerate cloud adoption. With deep subject matter expertise, he enables organizations to build scalable, efficient, and cost-effective data processing pipelines.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/BDB-5852-11.jpg" alt="Ishan Gaur" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Ishan Gaur&lt;/h3&gt; 
  &lt;p&gt;Ishan is a Principal Cloud Engineer at AWS. He has worked in the Analytics domain for the last 17 years, now focused on data analytics, AI/ML operations, and proactive cloud optimization. He works with enterprise customers to design resilient data pipelines, automate incident response, and adopt GenAI-powered services and operational tools. He’s passionate about turning reactive support patterns into proactive, self-healing architectures.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Why tombola chose Graviton-powered RG instances for Amazon Redshift</title>
		<link>https://aws.amazon.com/blogs/big-data/why-tombola-chose-graviton-powered-rg-instances-for-amazon-redshift/</link>
		
		<dc:creator><![CDATA[Prabhu Pandian]]></dc:creator>
		<pubDate>Mon, 22 Jun 2026 16:45:34 +0000</pubDate>
				<category><![CDATA[Advanced (300)]]></category>
		<category><![CDATA[Amazon Elastic Container Service]]></category>
		<category><![CDATA[Amazon Managed Workflows for Apache Airflow (Amazon MWAA)]]></category>
		<category><![CDATA[Amazon Redshift]]></category>
		<category><![CDATA[Amazon S3 Tables]]></category>
		<category><![CDATA[Amazon SageMaker]]></category>
		<category><![CDATA[Amazon Simple Storage Service (S3)]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Graviton]]></category>
		<guid isPermaLink="false">78d9b8d870f6455e1993ccfca5b4372a8a5364a7</guid>

					<description>In this post, you learn how tombola followed a strict engineering principle: no changes to production without evidence. That meant a head-to-head comparison of RA3 versus RG on their actual workload. You also see benchmark results on Amazon S3 Tables and the migration from RA3 to RG instances.</description>
										<content:encoded>&lt;p&gt;Part of &lt;a href="https://flutter.com/" target="_blank" rel="noopener"&gt;Flutter Entertainment&lt;/a&gt;, the world’s largest online sports betting and iGaming operator, &lt;a href="https://www.tombola.co.uk/" target="_blank" rel="noopener"&gt;tombola&lt;/a&gt; is the world’s biggest online bingo community and has been using Amazon Redshift to run its data analytics workloads. Founded in Sunderland, UK, the company traces its roots to the 1950s, when it began printing bingo tickets during the golden age of the game. tombola launched online in 2006 and has since expanded to Italy, Spain, Denmark, and Sweden. The company builds all of its games in-house, holds the most prestigious Safer Gambling award, and recently partnered with Flutter sibling brand Sisal to bring its bingo application to Italian players.&lt;/p&gt; 
&lt;p&gt;In this post, you learn how tombola followed a strict engineering principle: no changes to production without evidence. That meant a head-to-head comparison of RA3 versus RG on their actual workload. You also see benchmark results on Amazon S3 Tables and the migration from RA3 to RG instances.&lt;/p&gt; 
&lt;h2 id="current-data-architecture"&gt;Current data architecture&lt;/h2&gt; 
&lt;p&gt;Amazon Redshift sits at the center of tombola’s data architecture. The production cluster runs on RA3 nodes and serves multiple schemas with hundreds of tables, supporting every analytical workload the business runs, from sub-second application lookups to multi-minute extract, transform, load (ETL) transforms. What makes tombola’s Amazon Redshift workload distinctive is the breadth of what flows through it. Amazon Managed Workflows for Apache Airflow (Amazon MWAA) DAGs orchestrate pipelines across over 14 business domains, including segmentation, fraud detection, marketing, finance, and SafePlay responsible-gaming. Configuration-driven ingestion pipelines land data from SQL Server, Amazon DynamoDB, Amazon OpenSearch Service, Postgres, and external APIs into Bronze and Silver layers on Amazon Simple Storage Service (Amazon S3), before loading it into Amazon Redshift. From there, over 250 &lt;a href="https://www.getdbt.com/" target="_blank" rel="noopener"&gt;dbt&lt;/a&gt; models running on &lt;a href="https://aws.amazon.com/ecs/" target="_blank" rel="noopener"&gt;Amazon Elastic Container Service (Amazon ECS)&lt;/a&gt; transform the data into analytical gold layers. Outputs feed multiple downstream consumers: &lt;a href="https://aws.amazon.com/sagemaker/" target="_blank" rel="noopener"&gt;Amazon SageMaker&lt;/a&gt; for fraud scoring and churn prediction, Amazon DynamoDB for low-latency APIs, and region-specific pipelines spanning the UK, Italy, Spain, Denmark, and Sweden. As the application grew, with more domains, more DAGs, and more concurrent users, the team began evaluating ways to reduce steady-state query latency and lower compute cost without rearchitecting the system. When AWS made Graviton-powered &lt;a href="https://aws.amazon.com/redshift/features/rg/" target="_blank" rel="noopener"&gt;RG nodes&lt;/a&gt; available for Amazon Redshift, the timing was right.&lt;/p&gt; 
&lt;h2 id="benchmark-performance-results"&gt;Benchmark performance results&lt;/h2&gt; 
&lt;p&gt;The benchmark infrastructure was fully defined as infrastructure as code (IaC), making sure every test run was reproducible. The team deployed two test benchmark clusters (one RA3 and one RG) in a like-for-like configuration. They mirrored the settings (Amazon Virtual Private Cloud (Amazon VPC), security groups, AWS Key Management Service (AWS KMS), AWS Identity and Access Management (IAM) roles, and parameter groups) from the production environment to remove configuration drift. The benchmark runner was containerized as an Amazon ECS task (&lt;code&gt;python:3.11-slim-bookworm&lt;/code&gt; ARM64 base), providing repeatable, isolated execution for each test round. Benchmark workloads were selected by analyzing production cluster logs and metrics, then classified into three tiers:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Heavy: ETL queries with multi-table CTE chains, full-table scans, and aggregation windows.&lt;/li&gt; 
 &lt;li&gt;Medium: Business intelligence (BI) queries driving reporting and analytics dashboards.&lt;/li&gt; 
 &lt;li&gt;Light: Application queries with sub-second response times.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="architecture"&gt;Architecture&lt;/h3&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-1.png" alt="" width="600"&gt;&lt;/p&gt; 
&lt;h2 id="scenarios-tested"&gt;Scenarios tested&lt;/h2&gt; 
&lt;p&gt;To validate the performance of Graviton-powered RG instances against the existing RA3 nodes, tombola designed four benchmark scenarios that progressively increase in complexity and realism. Together, these scenarios provide a comprehensive view of performance from isolated query execution through to sustained, real-world analytical workloads.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Scenario 01: Cold-cache, single-stream execution.&lt;/strong&gt; This scenario isolates raw compute performance by running queries against a cold cache in a single stream, avoiding caching and concurrency as variables.&lt;/p&gt; 
&lt;p&gt;Per-query speedups ranged from 1.05× (light lookup queries) to 1.68× (heavy ETL transforms). Zero errors on both clusters (28 attempts each).&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Weight Class&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;RA3 p50 (ms)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;RG p50 (ms)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Speedup&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Heavy (ETL)&lt;/td&gt; 
   &lt;td&gt;210,372&lt;/td&gt; 
   &lt;td&gt;133,855&lt;/td&gt; 
   &lt;td&gt;1.57×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Medium (BI)&lt;/td&gt; 
   &lt;td&gt;2,193&lt;/td&gt; 
   &lt;td&gt;1,642&lt;/td&gt; 
   &lt;td&gt;1.34×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Light (App)&lt;/td&gt; 
   &lt;td&gt;3.20&lt;/td&gt; 
   &lt;td&gt;2.76&lt;/td&gt; 
   &lt;td&gt;1.16×&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;The following chart shows per-query speedup ratios for the cold-cache scenario. Heavy ETL queries (left) show the largest gains, with speedups of 1.57–1.68×, and lighter queries still benefit at 1.05–1.16×. The pattern is consistent: RG’s advantage scales with query complexity.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-2.png" alt="" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Scenario 02: Warm-cache, single-stream execution.&lt;/strong&gt; This scenario repeats Scenario 01 with the result cache enabled to confirm that RG maintains its latency advantage even when cached results are in play.&lt;/p&gt; 
&lt;p&gt;Per-query speedups ranged from 1.04× to 1.64×. Zero errors on both clusters (35 attempts each).&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Weight Class&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;RA3 p50 (ms)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;RG p50 (ms)&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Speedup&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Heavy (ETL)&lt;/td&gt; 
   &lt;td&gt;93,636&lt;/td&gt; 
   &lt;td&gt;61,691&lt;/td&gt; 
   &lt;td&gt;1.52×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Medium (BI)&lt;/td&gt; 
   &lt;td&gt;2,189&lt;/td&gt; 
   &lt;td&gt;1,584&lt;/td&gt; 
   &lt;td&gt;1.38×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Light (App)&lt;/td&gt; 
   &lt;td&gt;3.08&lt;/td&gt; 
   &lt;td&gt;2.58&lt;/td&gt; 
   &lt;td&gt;1.19×&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;With result caching enabled, the speedup pattern holds for non-cached queries. Cache hits on both clusters land in 118–185 ms, confirming the caching subsystem operates identically regardless of node type. The RG advantage appears exclusively on execution paths that bypass the cache.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-3.png" alt="" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Scenario 03: Concurrency sweep.&lt;/strong&gt; This scenario introduces parallel load by sweeping through 1, 5, 10, and 20 concurrent streams, testing how each node type handles contention and queuing under pressure.&lt;/p&gt; 
&lt;p&gt;Both clusters used the same Concurrency Scaling configuration (&lt;code&gt;max_concurrency_scaling_clusters=1&lt;/code&gt;, WLM-only). RG completed 482 more queries in the same wall-clock window.&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Metric&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;RA3&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;RG&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Improvement&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Total queries completed&lt;/td&gt; 
   &lt;td&gt;1,438&lt;/td&gt; 
   &lt;td&gt;1,920&lt;/td&gt; 
   &lt;td&gt;+33% throughput&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Light p50 (ms)&lt;/td&gt; 
   &lt;td&gt;3.44&lt;/td&gt; 
   &lt;td&gt;3.04&lt;/td&gt; 
   &lt;td&gt;1.13×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Medium p50 (ms)&lt;/td&gt; 
   &lt;td&gt;20,784&lt;/td&gt; 
   &lt;td&gt;15,055&lt;/td&gt; 
   &lt;td&gt;1.38×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Errors&lt;/td&gt; 
   &lt;td&gt;0&lt;/td&gt; 
   &lt;td&gt;0&lt;/td&gt; 
   &lt;td&gt;—&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;Under increasing parallel load (1, 5, 10, and 20 concurrent streams), RG maintained lower latencies and completed 33 percent more queries in the same wall-clock window. Both clusters used the same Concurrency Scaling configuration, so the throughput difference is attributable to per-node compute efficiency.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-4.png" alt="" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Scenario 04: Mixed realistic workload.&lt;/strong&gt; This scenario combines the previous elements into a mixed realistic workload, running 10 streams simultaneously for 30 minutes with a weighted distribution of heavy, medium, and light queries to simulate actual production conditions.&lt;/p&gt; 
&lt;p&gt;This scenario best simulates production. The headline finding: heavy ETL queries saw speedups of up to 2.27× under concurrent load, and RG completed 46 percent more total queries in the same 30-minute window. Zero errors on both clusters.&lt;/p&gt; 
&lt;table border="1px" width="100%" cellpadding="10px"&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td&gt;&lt;strong&gt;Metric&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;RA3&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;RG&lt;/strong&gt;&lt;/td&gt; 
   &lt;td&gt;&lt;strong&gt;Improvement&lt;/strong&gt;&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Total queries completed&lt;/td&gt; 
   &lt;td&gt;405&lt;/td&gt; 
   &lt;td&gt;593&lt;/td&gt; 
   &lt;td&gt;+46% throughput&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Heavy p50 (ms)&lt;/td&gt; 
   &lt;td&gt;1,186,572&lt;/td&gt; 
   &lt;td&gt;642,294&lt;/td&gt; 
   &lt;td&gt;1.85×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Medium p50 (ms)&lt;/td&gt; 
   &lt;td&gt;2,319&lt;/td&gt; 
   &lt;td&gt;1,631&lt;/td&gt; 
   &lt;td&gt;1.42×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Light p50 (ms)&lt;/td&gt; 
   &lt;td&gt;3.12&lt;/td&gt; 
   &lt;td&gt;2.90&lt;/td&gt; 
   &lt;td&gt;1.08×&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td&gt;Errors&lt;/td&gt; 
   &lt;td&gt;0&lt;/td&gt; 
   &lt;td&gt;0&lt;/td&gt; 
   &lt;td&gt;—&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;p&gt;The mixed-realistic scenario best simulates production. Under 10 concurrent streams over 30 minutes, heavy ETL queries showed speedups of up to 2.27×. RG’s per-vCPU throughput advantage compounds under contention, exactly the condition where production clusters spend most of their time.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-5.png" alt="" width="600"&gt;&lt;/p&gt; 
&lt;h2 id="extended-benchmark-amazon-s3-tables-iceberg-performance"&gt;Extended benchmark: Amazon S3 Tables (Iceberg) performance&lt;/h2&gt; 
&lt;p&gt;tombola’s future data architecture will integrate with agents and revolves around Apache Iceberg, backed by Amazon S3 Tables. Amazon S3 Tables offer Amazon S3 storage that is specifically tuned for analytics, with built-in capabilities that keep making queries faster and helping lower storage costs for table data. They’re purpose-built to hold tabular datasets, such as daily purchase logs, streaming sensor readings, or ad impression events. In this model, data is organized into rows and columns, similar to how information is structured in a traditional database table. With that direction in mind, tombola also benchmarked Graviton’s performance querying Iceberg tables directly. The dataset includes player profiles, game session history, and geolocation data: a mix of wide tables and high-cardinality columns that stress both compute and I/O.&lt;/p&gt; 
&lt;p&gt;To evaluate performance across different scenarios, tombola generated queries at varying levels of complexity. Medium queries involve standard analytical functions like ranking and aggregation, and Medium-High queries introduce multi-step transformations with joins and cumulative calculations. At the High tier, queries combine distinct counting, conditional pivoting, and time-window aggregations. Very High queries are the most demanding: self-joins across the full dataset, multi-signal scoring logic, and advanced statistical functions. This tiered approach captures how each node type performs as computational demands increase.&lt;/p&gt; 
&lt;p&gt;As with the previous benchmarks, the team kept the test as comparable as possible: a true like-for-like evaluation between RG (powered by Graviton) and RA3 nodes of equivalent size.&lt;/p&gt; 
&lt;p&gt;Testing was split into two phases:&lt;/p&gt; 
&lt;p&gt;Phase 1: Concurrency. All queries were submitted simultaneously to measure how well each node type handles concurrent workloads. The goal was to understand throughput differences: how much more work RG nodes can push through under pressure compared to similarly sized RA3 nodes.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-6.png" alt="" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;All queries were run simultaneously across multiple rounds:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-7.png" alt="Grouped bar chart showing total execution time across 3 rounds for RA3 vs Graviton" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;Phase 2: Sequential execution. Each query was run in isolation with full compute resources available. This removed concurrency as a variable and gave a clean read on raw query performance. The results were clear: RG outperformed RA3 across multiple query types, showing consistent gains when given dedicated compute.&lt;/p&gt; 
&lt;p&gt;In sequential execution, Graviton (RG) delivered consistent performance gains across all query complexity levels: Medium-complexity queries ran 45–73 percent faster (average 58 percent), Medium-High queries improved by 42 percent, High-complexity queries achieved 57–66 percent faster execution (average 62 percent), and Very High-complexity queries saw gains of 60–67 percent (average 63 percent). The results demonstrate that RG’s advantage scales with workload complexity, delivering the largest improvements on the most demanding analytical queries.&lt;/p&gt; 
&lt;h2 id="tombolas-modernization-approach"&gt;tombola’s modernization approach&lt;/h2&gt; 
&lt;p&gt;tombola is modernizing its Amazon Redshift cluster using the &lt;a href="https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-considerations.html#rs-upgrading-to-ra3" target="_blank" rel="noopener"&gt;Elastic Resize&lt;/a&gt; path to change from RA3 to RG node types. The operation snapshots the existing cluster, provisions a new RG cluster from that snapshot, and transfers data in the background. During this transfer period, the source cluster remains available in read-only mode. When the resize nears completion, Amazon Redshift automatically updates the endpoint to point to the new RG cluster and drops connections to the source. The team chose this approach because it aligns with their engineering principle of evidence-based changes: no production cutover without proof. The benchmark results, with zero errors across all scenarios against production-representative workloads, provided the confidence needed to proceed. After the resize is complete, the external tables, schemas, and query syntax remain unchanged. With RG’s integrated data lake query engine, tombola also removes its dependency on Amazon Redshift Spectrum. Data lake queries now run directly on cluster nodes within the Amazon VPC boundary, using existing IAM roles, with zero per-TB scanning charges.&lt;/p&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;The benchmark results make a compelling case for migrating tombola’s Amazon Redshift infrastructure from RA3 (Intel Xeon) to RG (Graviton4) instances. Across every scenario tested, RG delivered significant and consistent performance gains:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Cold-cache performance: 1.57× faster on heavy ETL queries, with per-query speedups up to 1.68×.&lt;/li&gt; 
 &lt;li&gt;Warm-cache performance: 1.52× faster on heavy workloads, maintaining advantage even with result caching enabled.&lt;/li&gt; 
 &lt;li&gt;Concurrency: 33 percent higher throughput under parallel load, with RG sustaining lower latencies as streams increased from 1 to 20.&lt;/li&gt; 
 &lt;li&gt;Mixed realistic workload: 1.85× faster on heavy ETL queries and 46 percent more total queries completed, the scenario closest to production traffic patterns.&lt;/li&gt; 
 &lt;li&gt;Amazon S3 Tables (Iceberg): Up to 51 percent faster under concurrent load and 57 percent faster in sequential execution, critical for tombola’s future lakehouse architecture.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Beyond raw performance, RG delivers architectural benefits that align with tombola’s strategic direction. The integrated data lake query engine removes Amazon Redshift Spectrum overhead and per-TB scan charges. The 4:3 node mapping (4 ra3.4xlarge nodes to 3 rg.4xlarge nodes) reduces infrastructure costs by 25 percent.&lt;/p&gt; 
&lt;p&gt;Based on these results, tombola are modernizing their production Amazon Redshift cluster to Graviton4-based RG instances. The work has already started and similar results as above are noticed.&amp;nbsp; The existing RA3 features, including concurrency scaling, data sharing, and system views, are fully supported on RG. This positions tombola to handle growing data volumes and user concurrency with better performance, greater cost efficiency, and a predictable pricing model as the application scales.&lt;/p&gt; 
&lt;p&gt;The results and benefits described in this post are specific to tombola’s workload and environment. Although Amazon Redshift RG instances powered by AWS Graviton4 processors can deliver significant performance improvements, actual results will vary based on factors including workload characteristics, data volumes, cluster configuration, and query complexity. We encourage you to evaluate RG instances with your own workloads to determine the benefits for your environment. To learn more, visit the &lt;a href="https://aws.amazon.com/redshift/" target="_blank" rel="noopener"&gt;Amazon Redshift marketing page&lt;/a&gt; and the &lt;a href="https://docs.aws.amazon.com/redshift/" target="_blank" rel="noopener"&gt;Amazon Redshift documentation&lt;/a&gt;, or get started in the &lt;a href="https://console.aws.amazon.com/redshiftv2/home" target="_blank" rel="noopener"&gt;Amazon Redshift console&lt;/a&gt;.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-8.jpeg" alt="Prabhu Pandian" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Prabhu Pandian&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/prabhu-pandian-53a2552a/" target="_blank" rel="noopener"&gt;Prabhu&lt;/a&gt; has over 15 years of experience spanning data engineering, business intelligence, and data analytics. He has built a career on turning complex data challenges into actionable insights across industries including retail, healthcare, logistics, iGaming, and the public sector. He has led high-performing teams at organisations architecting data warehouses, building ETL pipelines processing tens of millions of records daily, and delivering analytics. Currently, as the Data Engineering Lead at tombola, he is focused on harnessing the power of AWS services to build scalable, optimised data platforms that drive real business value. He is passionate about engineering data infrastructure that is not just robust and efficient, but one that empowers teams to make faster, smarter decisions.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-9.jpeg" alt="Akshay Srinivasan" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Akshay Srinivasan&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/akshay-srinivasan-data-eng/" target="_blank" rel="noopener"&gt;Akshay&lt;/a&gt; is a Data Engineer at tombola, where he runs the Data Platform &amp;amp; Reliability pod, shaping the architecture, scalability, and resilience of the company’s core data infrastructure across batch, streaming, and machine learning workloads. He favors open source tooling and composable AWS services, building platforms designed to be flexible and operationally sustainable. Over the past eight years he has built data platforms from the ground up across fintech, gaming, and enterprise environments, standing up greenfield infrastructure, automating complex operational workflows, and engineering systems in domains where data reliability directly affects regulatory and business outcomes. Having worked with Amazon Redshift since 2017, he has seen its evolution first-hand, from early node types through to the modern lakehouse capabilities the platform offers today.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-10.jpeg" alt="Sidhanth Muralidhar" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Sidhanth Muralidhar&lt;/h3&gt; 
  &lt;p&gt;Sidhanth is a Principal Technical Account Manager at AWS, where he partners with enterprise customers to design, scale, and optimize cloud-focused systems. He specializes in guiding organizations through complex architectural decisions across cost efficiency, reliability, performance, and operational excellence. His work increasingly sits at the intersection of data systems and AI as well, helping customers operationalize modern data architectures and build intelligent, production-ready systems.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5991-11.jpeg" alt="Vlad Siniavin" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Vlad Siniavin&lt;/h3&gt; 
  &lt;p&gt;Vlad is a Sr.&amp;nbsp;Technical Account Manager at AWS with over 15 years of experience in building innovative solutions, products and services. He is driven by delivering measurable outcomes for his customers – whether that’s reducing operational risk, optimising costs, or accelerating cloud adoption. He believes the best technical guidance starts with deeply understanding what matters most to the customer and acting in their best interest.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Detecting fraud patterns across Snowflake and AWS using SageMaker Data Agent</title>
		<link>https://aws.amazon.com/blogs/big-data/detecting-fraud-patterns-across-snowflake-and-aws-using-sagemaker-data-agent/</link>
		
		<dc:creator><![CDATA[Akash Gupta]]></dc:creator>
		<pubDate>Mon, 22 Jun 2026 16:38:49 +0000</pubDate>
				<category><![CDATA[Amazon SageMaker Unified Studio]]></category>
		<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Intermediate (200)]]></category>
		<guid isPermaLink="false">ff31da5bca01228e19f87709db67afff8845ce53</guid>

					<description>Amazon SageMaker Data Agent launches three new capabilities in Amazon SageMaker Unified Studio notebooks: SQL analytics on Snowflake data sources, materialized view management, and interactive charting. Practitioners can use them together to query Snowflake alongside AWS data, pre-compute and schedule repeated aggregations, and create interactive visualizations from natural language prompts in a single notebook, without writing boilerplate code or switching tools. In this post, we describe the challenges these capabilities address, introduce each one, and walk through a fraud analytics scenario that demonstrates them working together in an end-to-end investigation workflow.</description>
										<content:encoded>&lt;p&gt;Financial services organizations increasingly run analytical workloads across multiple systems. For example, customers typically store transaction records in &lt;a href="https://www.snowflake.com/" target="_blank" rel="noopener"&gt;Snowflake&lt;/a&gt; for its concurrency handling during peak volumes, while they store risk scores, customer profiles, and behavioral signals on AWS. To bridge that divide, practitioners have had to stitch together manual exports, custom extract, transform, and load (ETL) code, and external business intelligence (BI) tools to query both sources, cache expensive aggregations, and visualize results.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/sagemaker-data-agent.html" target="_blank" rel="noopener"&gt;Amazon SageMaker Data Agent&lt;/a&gt; now closes these gaps with three new capabilities in &lt;a href="https://aws.amazon.com/sagemaker/unified-studio/" target="_blank" rel="noopener"&gt;Amazon SageMaker Unified Studio&lt;/a&gt; notebooks: SQL analytics on Snowflake data sources, materialized view management, and interactive charting. Practitioners can use them together to query Snowflake alongside AWS data, pre-compute and schedule repeated aggregations, and create interactive visualizations from natural language prompts in a single notebook, without writing boilerplate code or switching tools.&lt;/p&gt; 
&lt;p&gt;In this post, we describe the challenges these capabilities address, introduce each one, and walk through a fraud analytics scenario that demonstrates them working together in an end-to-end investigation workflow.&lt;/p&gt; 
&lt;h2 id="challenges-with-fraud-detection"&gt;Challenges with fraud detection&lt;/h2&gt; 
&lt;p&gt;Fraud analytics teams working in SageMaker Unified Studio notebooks encounter several recurring friction points that slow their path from alert to insight:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Querying across AWS and third-party warehouses.&lt;/strong&gt; Customers store transaction data in Snowflake and maintain risk scores and customer profiles on AWS. SageMaker Data Agent supported SQL generation for AWS-native engines: &lt;a href="https://aws.amazon.com/athena/" target="_blank" rel="noopener"&gt;Amazon Athena&lt;/a&gt;, &lt;a href="https://aws.amazon.com/redshift/" target="_blank" rel="noopener"&gt;Amazon Redshift&lt;/a&gt;, &lt;a href="https://spark.apache.org/" target="_blank" rel="noopener"&gt;Apache Spark&lt;/a&gt;, and &lt;a href="https://duckdb.org/" target="_blank" rel="noopener"&gt;DuckDB&lt;/a&gt;. However, it didn’t yet generate Snowflake-dialect SQL. This created a gap for customers working with data distributed across both AWS services and Snowflake. Analysts had to write Snowflake SQL manually and export results as CSV files to join with AWS data. The process consumed 1–2 hours before any actual investigation could begin.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Rich visualization requires coding expertise.&lt;/strong&gt; When analysts want to plot query results, they must write Python code using packages like matplotlib, seaborn, or plotly. They must choose the right chart type, format axes, handle data transformations, and debug rendering issues. For fraud teams whose expertise is in investigation rather than data visualization code, each chart becomes a detour: either learn the package interface, ask an engineer for help, or export to an external BI tool. This slows the exploratory cycle that fraud investigations depend on, where every new angle (time-of-day patterns, category breakdowns, geographic clusters) ideally takes seconds, not minutes of code iteration.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Expensive repeated queries with no caching.&lt;/strong&gt; Fraud signal queries flag transactions that exceed a customer’s historical average and compute risk-score distributions by merchant category. These queries re-scan entire tables on each execution. A team running the same aggregation every morning over millions of rows pays the full compute cost each time, with no mechanism to pre-compute results or schedule automatic refreshes. For fraud teams, this means investigations start with a 30-minute wait for queries that ran identically yesterday.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;These three friction points (accessing data across platforms, visualizing it interactively, and operationalizing repeated analyses) are what the new Data Agent capabilities address together.&lt;/p&gt; 
&lt;h2 id="whats-new-in-data-agent"&gt;What’s new in Data Agent&lt;/h2&gt; 
&lt;h3 id="snowflake-connectivity"&gt;Snowflake connectivity&lt;/h3&gt; 
&lt;p&gt;SageMaker Data Agent can now connect to Snowflake data warehouses through connections registered in Amazon SageMaker Unified Studio. The agent discovers available Snowflake databases, browses schemas progressively (databases → schemas → tables → columns), and generates Snowflake-dialect SQL, including Snowflake-specific syntax like &lt;code&gt;FLATTEN&lt;/code&gt;, &lt;code&gt;VARIANT&lt;/code&gt; column access, and semi-structured data handling. Analysts query Snowflake tables alongside AWS data sources from a single notebook conversation, and the agent handles dialect differences automatically: Snowflake SQL for extraction, Spark SQL for &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables.html" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3) Tables&lt;/a&gt; operations, with no manual translation required.&lt;/p&gt; 
&lt;h3 id="materialized-view-management"&gt;Materialized view management&lt;/h3&gt; 
&lt;p&gt;Data Agent now creates and manages materialized views through natural language prompts. Analysts describe the aggregation they want, for example, “create a materialized view that flags transactions where risk_score is above 0.7, refreshed every 6 hours,” and the agent generates the Spark SQL DDL, including &lt;code&gt;SCHEDULE REFRESH&lt;/code&gt; syntax. Materialized views store pre-computed results in &lt;a href="https://iceberg.apache.org/" target="_blank" rel="noopener"&gt;Apache Iceberg&lt;/a&gt; format for fast repeated access, turning expensive full-table scans into sub-second queries. Supported operations include create, refresh, drop, describe, and scheduled refresh. When asked, Data Agent can also analyze notebook query patterns and recommend which queries would benefit from materialization.&lt;/p&gt; 
&lt;h3 id="interactive-charting"&gt;Interactive charting&lt;/h3&gt; 
&lt;p&gt;Instead of generating matplotlib code that produces static images, Data Agent now creates native interactive chart cells powered by &lt;a href="https://vega.github.io/vega-lite/" target="_blank" rel="noopener"&gt;Vega-Lite&lt;/a&gt;. Supported chart types include bar, line, scatter, pie, area, heatmap, and more. Charts render inline in the notebook with hover tooltips, zoom, and filtering. Analysts can reconfigure them through the sidebar or by typing inline instructions like “change this to a heatmap showing volume by hour and category.” This removes the cycle of modifying Python plotting code or exporting to an external BI tool every time the analysis needs a different view.&lt;/p&gt; 
&lt;h2 id="detecting-fraud-patterns-across-snowflake-and-aws-a-walkthrough"&gt;Detecting fraud patterns across Snowflake and AWS: a walkthrough&lt;/h2&gt; 
&lt;h3 id="solution-overview"&gt;Solution overview&lt;/h3&gt; 
&lt;p&gt;In this section, we walk through how these three capabilities work together in a realistic fraud investigation. A fraud analytics lead at a mid-size fintech processes a high volume of card transactions daily. Customers store transaction data in Snowflake and maintain customer risk profiles on AWS.&lt;/p&gt; 
&lt;p&gt;This morning, the real-time alerting system flagged an unusual spike in declined transactions from a cluster of new accounts, all purchasing high-value electronics. The analyst suspects a fraud ring using synthetic identities, fabricated customer profiles that pass initial verification but share telltale patterns like similar device fingerprints or overlapping IP ranges. The analyst has three goals:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Confirm the fraud ring hypothesis.&lt;/strong&gt; Determine whether the flagged accounts share device fingerprints, IP ranges, or behavioral patterns indicating coordinated fraud.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Quantify the exposure.&lt;/strong&gt; Calculate total fraudulent transaction volume and identify all affected accounts, not only the ones that triggered today’s alert.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Set up ongoing monitoring.&lt;/strong&gt; Create a reusable, auto-refreshing query so the team catches the next ring faster.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The analyst wants to do all of this without leaving the SageMaker notebook, without writing boilerplate data-engineering code, and within a single morning standup cycle so the investigations team can be briefed by noon.&lt;/p&gt; 
&lt;h3 id="how-data-agent-approaches-this-analysis"&gt;How Data Agent approaches this analysis&lt;/h3&gt; 
&lt;p&gt;Data Agent is context-aware. It discovers your actual table names, column schemas, and data source connections through Amazon SageMaker Unified Studio rather than requiring you to specify them manually. It generates SQL in the correct dialect for each source (Snowflake SQL for Snowflake, Spark SQL for S3 Tables) and operates within your existing &lt;a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html" target="_blank" rel="noopener"&gt;AWS Identity and Access Management (IAM)&lt;/a&gt; permissions boundaries.&lt;/p&gt; 
&lt;p&gt;You interact with Data Agent in two modes: the Agent Panel for multi-step investigations like the example walkthrough that follows, where each prompt builds on previous context, and inline interactions for quick adjustments like “change this to a heatmap” directly on a chart cell.&lt;/p&gt; 
&lt;h3 id="prerequisites"&gt;Prerequisites&lt;/h3&gt; 
&lt;p&gt;Before starting this walkthrough, verify that you have:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;An &lt;a href="https://aws.amazon.com/sagemaker/unified-studio/" target="_blank" rel="noopener"&gt;Amazon SageMaker Unified Studio&lt;/a&gt; domain with a project configured.&lt;/li&gt; 
 &lt;li&gt;A Snowflake account with a warehouse and &lt;code&gt;USAGE&lt;/code&gt; grants on the database and schemas you want to query.&lt;/li&gt; 
 &lt;li&gt;A Snowflake connection registered in your SageMaker Unified Studio project.&lt;/li&gt; 
 &lt;li&gt;An S3 Tables catalog in your project containing customer data (or equivalent AWS-hosted tables for joining with Snowflake data).&lt;/li&gt; 
 &lt;li&gt;A notebook open in SageMaker Unified Studio with Data Agent available in the chat panel.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3 id="step-1-explore-snowflake-transaction-data"&gt;Step 1: Explore Snowflake transaction data&lt;/h3&gt; 
&lt;p&gt;&lt;strong&gt;What the analyst wants:&lt;/strong&gt; Before investigating the fraud ring, the analyst must understand what data is available in Snowflake and verify recent transactions are accessible. The schema isn’t memorized (the payments team manages these tables), so Data Agent needs to discover the structure.&lt;/p&gt; 
&lt;p&gt;In the SageMaker notebook Agent Panel, the analyst types:&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;“Show me a preview of transactions over $500 for the last 24 hours. I’m looking for repeated high-value purchases that might indicate synthetic identity fraud.”&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;What Data Agent does for you:&lt;/strong&gt; Data Agent discovers the Snowflake connection through SageMaker Unified Studio, browses the available databases, and locates &lt;code&gt;PAYMENTS_DB&lt;/code&gt; → &lt;code&gt;CARD_TRANSACTIONS&lt;/code&gt; schema → transactions table. It surfaces the column structure (&lt;code&gt;transaction_id&lt;/code&gt;, &lt;code&gt;customer_id&lt;/code&gt;, &lt;code&gt;amount&lt;/code&gt;, &lt;code&gt;merchant_category&lt;/code&gt;, &lt;code&gt;transaction_timestamp&lt;/code&gt;, &lt;code&gt;device_fingerprint&lt;/code&gt;, &lt;code&gt;ip_address&lt;/code&gt;) so the analyst can confirm the right data is available without writing a single &lt;code&gt;DESCRIBE TABLE&lt;/code&gt; statement.&lt;/p&gt; 
&lt;p&gt;Data Agent then generates a Snowflake-dialect SQL query to preview the last 24 hours of high-value transactions (&lt;code&gt;amount &amp;gt; $500&lt;/code&gt;), returning hundreds of results. The preview immediately reveals what was suspected: alongside legitimate high-value purchases (mortgage payments, business supplies), there are clusters of electronics purchases at similar price points from different &lt;code&gt;customer_id&lt;/code&gt; values but the same &lt;code&gt;device_fingerprint&lt;/code&gt;, a classic synthetic identity pattern.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-1.jpg" alt="Data Agent querying Snowflake transaction data and generating equivalent code in the cell" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 1: Data Agent querying Snowflake transaction data and generating equivalent code in the cell.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-2.jpg" alt="Notebook cell results showing high-value Snowflake transactions" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 2: Displaying results when the notebook cell runs.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="step-2-land-snowflake-data-into-s3-tables-and-join-with-risk-profiles"&gt;Step 2: Land Snowflake data into S3 Tables and join with risk profiles&lt;/h3&gt; 
&lt;p&gt;&lt;strong&gt;What the analyst wants:&lt;/strong&gt; Pulling historical high-value transactions into S3 Tables makes this data available for downstream analysis, including the materialized view that will cross-reference risk profiles automatically.&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;“Load the last 90 days of transactions where amount is greater than 500 into S3 Tables.”&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;What Data Agent does for you:&lt;/strong&gt; Data Agent queries Snowflake to extract a large volume of high-value transactions from the last 90 days, converts the result to a PySpark DataFrame, creates an Apache Iceberg table at &lt;code&gt;payments.fraud_analytics.high_value_transactions&lt;/code&gt;, and writes all the rows. Data Agent stores the transaction data (&lt;code&gt;transaction_id&lt;/code&gt;, &lt;code&gt;customer_id&lt;/code&gt;, &lt;code&gt;amount&lt;/code&gt;, &lt;code&gt;merchant_category&lt;/code&gt;, &lt;code&gt;transaction_timestamp&lt;/code&gt;, &lt;code&gt;device_fingerprint&lt;/code&gt;, &lt;code&gt;ip_address&lt;/code&gt;) as Iceberg in S3 Tables, allowing you to query it entirely on AWS.&lt;/p&gt; 
&lt;p&gt;Data Agent handles the cross-source complexity: Snowflake-dialect SQL for extraction, automatic schema inference for the Iceberg table, and PySpark for the write. The analyst didn’t write a single line of ETL code.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-3.jpg" alt="Prompt sent to Data Agent to land Snowflake transactions into an S3 Tables" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 3: Sending a prompt to land Snowflake transactions into an S3 Tables catalog.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-4.jpg" alt="Generated PySpark code that reads transaction data from Snowflake" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 4: Reading data from Snowflake using code Data Agent generated.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-5.jpg" alt="Generated cell creating an S3 Tables Iceberg table populated with Snowflake data" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 5: Data Agent creating a new cell to create an S3 Tables Iceberg table and populate it with the Snowflake data.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="step-3-create-a-materialized-view-for-ongoing-fraud-monitoring"&gt;Step 3: Create a materialized view for ongoing fraud monitoring&lt;/h3&gt; 
&lt;p&gt;&lt;strong&gt;What the analyst wants:&lt;/strong&gt; The pattern is confirmed, but re-running this expensive join across two tables every morning isn’t sustainable. A pre-computed view that automatically refreshes and surfaces transactions from high-risk customers means tomorrow’s investigation starts with answers instead of queries (goal #3, ongoing monitoring).&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;“Create a materialized view called mv_fraud_signals that joins high_value_transactions with customer_risk_profiles, flagging transactions where risk_score is above 0.7. Refresh it every 6 hours.”&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;What Data Agent does for you:&lt;/strong&gt; Data Agent browses the S3 Tables catalog to discover both tables and their schemas, generates the Spark SQL DDL with &lt;code&gt;SCHEDULE REFRESH EVERY 6 HOURS&lt;/code&gt;, and creates an &lt;code&gt;INNER JOIN&lt;/code&gt; on &lt;code&gt;customer_id&lt;/code&gt; with a &lt;code&gt;risk_score &amp;gt; 0.7&lt;/code&gt; filter. The resulting materialized view contains only the high-risk subset of transactions, and subsequent queries against it return significantly faster compared to a full table scan.&lt;/p&gt; 
&lt;p&gt;Data Agent can also recommend materialized views when asked. If the analyst prompts “analyze my notebook and suggest which queries would benefit from materialized views,” Data Agent examines query patterns and suggests candidates. This is useful when a team runs the same expensive aggregations repeatedly without realizing a materialized view would help.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-6.jpg" alt="New cell created by Data Agent to create the mv_fraud_signals materialized view" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 6: Data Agent creates a new cell to create the materialized view.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-7.jpg" alt="Generated query against the newly created materialized view" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 7: Data Agent adds code to query the newly created materialized view.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="step-4-visualize-fraud-patterns-with-interactive-charting"&gt;Step 4: Visualize fraud patterns with interactive charting&lt;/h3&gt; 
&lt;p&gt;&lt;strong&gt;What the analyst wants:&lt;/strong&gt; The data is ready, but the investigations team needs a clear visual story by noon to see which merchant categories are targeted and what time of day the fraud occurs, so they can build detection rules. The team needs interactive charts that can be explored on the fly, not static matplotlib images that need regenerating every time someone asks “what about category X?”&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;“Show me a scatter plot of flagged transactions: amount vs risk_score, colored by merchant_category.”&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;What Data Agent does for you:&lt;/strong&gt; Data Agent queries the materialized view, generates a Vega-Lite specification, and renders an interactive scatter plot directly in the notebook cell, with no matplotlib code and no BI tool export. Hovering over any point reveals the transaction details. A dense cluster immediately stands out: Electronics &amp;amp; Computers transactions with risk scores between 0.75–0.95, all in the $950–$1,000 range.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-8.jpg" alt="Generated scatter plot of flagged transactions colored by merchant category" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-9.jpg" alt="Detail view of the scatter plot highlighting the Electronics cluster" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figures 8, 9, and 10: Data Agent creates a scatter plot showing a dense cluster of Electronics transactions in the $950–$1,000 range with risk scores between 0.75–.95.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;The analyst follows up with a second prompt to explore temporal patterns:&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;“Change this to a heatmap showing transaction volume by hour of day and merchant category.”&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;What Data Agent does for you:&lt;/strong&gt; Data Agent generates a new heatmap visualization from the same materialized view. The heatmap reveals that Business Supplies and Mortgage Payments maintain steady transaction volumes throughout the day. However, Electronics shows a distinctly uneven temporal distribution, with noticeable volume dips during early morning hours (midnight to 5 AM) and late evening. This variability, absent in legitimate purchase categories, is a signal the detection rules team can act on immediately.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-10.jpg" alt="Heatmap of transaction volume by hour and merchant category" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-11.jpg" alt="Detail view of the heatmap showing off-hours dips in the Electronics row" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figures 11 and 12: Data Agent creates a heat map to show transaction volume by hour of day and merchant category, revealing uneven temporal distribution in high-risk categories.&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="from-insight-to-action"&gt;From insight to action&lt;/h3&gt; 
&lt;p&gt;This investigation, from Snowflake connection to visual evidence, streamlined a workflow that previously required significant time across multiple tools. The analyst shares the notebook link with the investigations team, who confirm a fraud ring of dozens of synthetic identities responsible for significant fraudulent purchases. The temporal pattern, uneven Electronics transaction distribution with off-hours variability, is added to the company’s real-time detection rules that same afternoon.&lt;/p&gt; 
&lt;p&gt;The materialized view continues refreshing every 6 hours. The next morning, it flags three new accounts matching the same pattern, caught within hours of their first transaction instead of days.&lt;/p&gt; 
&lt;h3 id="why-sagemaker-data-agent-for-fraud-analytics"&gt;Why SageMaker Data Agent for fraud analytics&lt;/h3&gt; 
&lt;p&gt;This walkthrough demonstrates three new capabilities working together:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;SQL analytics on Snowflake data sources&lt;/strong&gt; removed the CSV export and manual ETL that consumed half of the investigation time.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Materialized view management&lt;/strong&gt; turned a one-time query into persistent, auto-refreshing monitoring, transforming reactive investigations into proactive detection.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Interactive charting&lt;/strong&gt; kept the entire analysis in the notebook, removing the BI tool context switch and making the inline exploration that revealed the Electronics temporal anomaly possible.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;For the team, the combined effect is a reduction in time-to-insight, allowing faster fraud pattern analysis. This means daily fraud pattern reviews instead of weekly, and an investigation workflow that’s reproducible. The notebook itself serves as documentation for compliance and audit purposes.&lt;/p&gt; 
&lt;h2 id="cleanup"&gt;Cleanup&lt;/h2&gt; 
&lt;p&gt;The walkthrough creates notebook cells, SQL queries, and materialized views in your SageMaker Unified Studio session. To remove the generated cells, delete them from your notebook or delete the notebook itself.&lt;/p&gt; 
&lt;p&gt;If you created resources specifically for this walkthrough, remove the following to avoid ongoing charges:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Materialized view.&lt;/strong&gt; In the notebook Agent Panel, prompt: &lt;em&gt;“Drop the materialized view mv_fraud_signals.”&lt;/em&gt; This removes the Iceberg table from S3 Tables and cancels the scheduled refresh. Alternatively, run the Spark SQL statement &lt;code&gt;DROP MATERIALIZED VIEW payments.fraud_analytics.mv_fraud_signals&lt;/code&gt; directly.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Landed Iceberg tables.&lt;/strong&gt; Drop any tables created during the data landing step (for example, &lt;code&gt;payments.fraud_analytics.high_value_transactions&lt;/code&gt;) by prompting Data Agent or running &lt;code&gt;DROP TABLE&lt;/code&gt; in a Spark SQL cell. This removes the data from S3 Tables and the underlying &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3)&lt;/a&gt; storage.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SageMaker Unified Studio domain.&lt;/strong&gt; If you created a domain solely for this walkthrough, delete it to stop incurring charges. Refer to the &lt;a href="https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/what-is-sagemaker-unified-studio.html" target="_blank" rel="noopener"&gt;SageMaker Unified Studio administration guide&lt;/a&gt; for deletion steps.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Amazon S3 storage.&lt;/strong&gt; Verify that dropping the materialized view and Iceberg tables removed the associated S3 objects. If residual Iceberg metadata files remain in your S3 Tables bucket, delete them manually.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Snowflake compute.&lt;/strong&gt; No persistent Snowflake resources are created. Queries use your existing warehouse. Review your Snowflake query history to estimate the compute credits consumed during the walkthrough.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;In this post, we walked through three new capabilities in Amazon SageMaker Data Agent for notebooks: Snowflake connectivity, materialized views, and native interactive charting. Using a fraud analytics scenario, we demonstrated how these features work together. We connected to a Snowflake warehouse to explore transaction data, landed results into S3 Tables and joined them with AWS-hosted risk profiles, created a materialized view for ongoing fraud monitoring, and visualized patterns with interactive charts that revealed temporal anomalies in Electronics transactions linked to dozens of synthetic identities.&lt;/p&gt; 
&lt;p&gt;These capabilities are available now in Amazon SageMaker Unified Studio. To get started, open a notebook in your SageMaker Unified Studio domain and begin a conversation with Data Agent in the chat panel.&lt;/p&gt; 
&lt;p&gt;To learn more, see the following resources:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/sagemaker-data-agent.html" target="_blank" rel="noopener"&gt;Amazon SageMaker Data Agent documentation&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://aws.amazon.com/blogs/big-data/accelerate-context-aware-data-analysis-and-ml-workflows-with-amazon-sagemaker-data-agent/" target="_blank" rel="noopener"&gt;Accelerate context-aware data analysis and ML workflows with Amazon SageMaker Data Agent&lt;/a&gt; (related blog post).&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://aws.amazon.com/about-aws/whats-new/2026/03/amazon-sgmkr-dataagent-chart-mv/" target="_blank" rel="noopener"&gt;Amazon SageMaker Data Agent introduces charting capabilities and support for materialized views&lt;/a&gt; (What’s New post).&lt;/li&gt; 
&lt;/ul&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt;
   &lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-12.jpg" alt="Akash Gupta" width="100" height="100"&gt;
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Akash Gupta&lt;/h3&gt; 
  &lt;p&gt;&lt;a class="c-link" href="https://www.linkedin.com/in/akashgupt/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.linkedin.com/in/akashgupt/" data-sk="tooltip_parent"&gt;Akash&lt;/a&gt;&amp;nbsp;is a Software Development Engineer on the Amazon SageMaker Unified Studio team, where he builds integrated tools and agentic experiences. An alumnus of Santa Clara University, he is passionate about building scalable solutions that simplify how customers interact with their data. In his spare time, he enjoys singing and cooking.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-13.jpg" alt="Mukesh Sahay" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Mukesh Sahay&lt;/h3&gt; 
  &lt;p&gt;&lt;a class="c-link" href="https://www.linkedin.com/in/mukesh-sahay/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.linkedin.com/in/mukesh-sahay/" data-sk="tooltip_parent"&gt;Mukesh Sahay&lt;/a&gt;&amp;nbsp;is a Software Development Engineer at Amazon SageMaker, focused on building the SageMaker Data Agent. The agent provides intelligent assistance for code generation, error diagnosis, and data analysis recommendations for data engineers, analysts, and scientists. His work spans agentic AI architectures that transform natural language prompts into executable code and analysis plans across diverse data sources. An alumnus of San Jose State University, Mukesh brings over a decade and a half of experience in building scalable, intelligent data systems.&lt;/p&gt; 
  &lt;div class="blog-author-box"&gt; 
   &lt;div class="blog-author-image"&gt; 
    &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-14.jpg" alt="Eason Ma" width="100" height="100"&gt;&lt;/p&gt; 
   &lt;/div&gt; 
   &lt;h3 class="lb-h4"&gt;Eason Ma&lt;/h3&gt; 
   &lt;p&gt;&lt;a class="c-link" href="https://www.linkedin.com/in/yucheng-ma-6058381b8/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.linkedin.com/in/yucheng-ma-6058381b8/" data-sk="tooltip_parent" aria-describedby="sk-tooltip-47521"&gt;Eason&lt;/a&gt; is a Software Development Engineer within SageMaker’s Agentic AI Experiences. His focus is on building agentic infrastructure and intelligent data experiences that help users seamlessly interact with their data across multiple sources. He holds a Master’s in Computer Science from the University of Illinois at Urbana-Champaign and a Bachelor’s in Computer Science from the University of Tennessee, Knoxville. A proud Vol, he brings that same volunteer energy to everything he builds.&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;div class="blog-author-box"&gt; 
   &lt;div class="blog-author-image"&gt;
    &lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/04/BDB-5921-15.jpg" alt="Anagha Barve" width="100" height="100"&gt;
   &lt;/div&gt; 
   &lt;h3 class="lb-h4"&gt;Anagha Barve&lt;/h3&gt; 
   &lt;p&gt;&lt;span class="c-mrkdwn__draggable-link"&gt;&lt;a class="c-link" href="https://www.linkedin.com/in/anagha-barve-9a86b8/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.linkedin.com/in/anagha-barve-9a86b8/" data-sk="tooltip_parent"&gt;Anagha&lt;/a&gt;&lt;/span&gt;&amp;nbsp;is a Software Development Manager on the Amazon SageMaker Unified Studio team. Her team is focused on building tools and integrated experiences for the developers using Amazon SageMaker Unified Studio. In her spare time, she enjoys cooking, gardening and traveling.&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;div class="blog-author-box"&gt; 
   &lt;div class="blog-author-image"&gt; 
    &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/01/26/guptsid-BDB-57074-225x300.jpg" alt="Siddharth Gupta" width="100" height="100"&gt;&lt;/p&gt; 
   &lt;/div&gt; 
   &lt;h3 class="lb-h4"&gt;Siddharth Gupta&lt;/h3&gt; 
   &lt;p&gt;&lt;a class="c-link" href="https://www.linkedin.com/in/sid88in/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.linkedin.com/in/sid88in/" data-sk="tooltip_parent" aria-describedby="sk-tooltip-47523"&gt;Siddharth&lt;/a&gt;&amp;nbsp;is heading Generative AI within SageMaker’s Unified Experiences. His focus is on driving agentic experiences, where AI systems act autonomously on behalf of users to accomplish complex tasks. An alumnus of the University of Illinois at Urbana-Champaign, he brings extensive experience from his roles at Yahoo, Glassdoor, and Twitch.&lt;/p&gt; 
  &lt;/div&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Automating IT support with AI: How Nexthink uses OpenSearch Service to power self-service issue resolution</title>
		<link>https://aws.amazon.com/blogs/big-data/automating-it-support-with-ai-how-nexthink-uses-opensearch-service-to-power-self-service-issue-resolution/</link>
		
		<dc:creator><![CDATA[Rafael Ribeiro, Moe Haidar]]></dc:creator>
		<pubDate>Mon, 22 Jun 2026 16:25:40 +0000</pubDate>
				<category><![CDATA[Amazon Bedrock]]></category>
		<category><![CDATA[Amazon OpenSearch Service]]></category>
		<category><![CDATA[Customer Solutions]]></category>
		<category><![CDATA[Intermediate (200)]]></category>
		<guid isPermaLink="false">73997433e24f1d234c5f9fed4125a9af39d7eb27</guid>

					<description>In this post, we explore how Nexthink combined Amazon OpenSearch Service vector search, Amazon Bedrock, and infrastructure as code to power the Spark agent’s retrieval layer.</description>
										<content:encoded>&lt;p&gt;&lt;em&gt;This is a guest post by Rafael Ribeiro and Moe Haidar, at Nexthink, in partnership with AWS.&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://nexthink.com/" target="_blank" rel="noopener"&gt;Nexthink&lt;/a&gt; is the leader in digital employee experience, helping enterprises improve how employees interact with technology in the workplace. The company gives IT teams real-time visibility into endpoint performance, application usage, and employee sentiment across millions of devices worldwide.&lt;/p&gt; 
&lt;p&gt;At the heart of Nexthink’s innovation is &lt;a href="https://nexthink.com/platform/spark" target="_blank" rel="noopener"&gt;Spark&lt;/a&gt;, an autonomous artificial intelligence (AI) agent that automates IT support. Spark resolves IT issues for employees, from troubleshooting application crashes to resetting configurations and running remediation scripts. Rather than routing tickets or providing scripted responses, the agent takes direct action, achieving a &lt;strong&gt;77% resolution rate at first contact&lt;/strong&gt; without human escalation.&lt;/p&gt; 
&lt;p&gt;Spark operates at enterprise scale, deployed across &lt;strong&gt;12 AWS Regions&lt;/strong&gt; to serve global customers with low-latency responses.&lt;/p&gt; 
&lt;p&gt;In this post, we explore how Nexthink combined &lt;a href="https://aws.amazon.com/opensearch-service/" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service&lt;/a&gt; vector search, &lt;a href="https://aws.amazon.com/bedrock/" target="_blank" rel="noopener"&gt;Amazon Bedrock&lt;/a&gt;, and infrastructure as code to power the Spark agent’s retrieval layer.&lt;/p&gt; 
&lt;h3&gt;The challenge: Why vector search for AI agents?&lt;/h3&gt; 
&lt;p&gt;For an AI agent to autonomously resolve IT issues, it must quickly retrieve the most relevant context from a vast knowledge base. Traditional keyword search falls short because:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Semantic understanding matters&lt;/strong&gt;: An employee asking “my laptop is running slow” should match articles about “system performance optimization” even without exact keyword overlap.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Accurate retrieval drives correct outcomes&lt;/strong&gt;: The quality of an AI agent’s response is only as good as the context it retrieves. When the agent pulls the right documentation, scripts, and historical resolutions, it produces accurate, safe actions. When retrieval is imprecise, the consequences can be severe. An agent acting on the wrong context could run destructive commands like &lt;code&gt;rm -rf *&lt;/code&gt;, wipe critical data, or apply an incorrect fix that escalates the problem. Accurate vector search is the guardrail that keeps autonomous agents grounded in verified, relevant knowledge.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Speed is critical&lt;/strong&gt;: Enterprise users expect near-instant responses, so retrieval must run in sub-second time across millions of documents.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;This led Nexthink to implement Amazon OpenSearch Service with vector search capabilities, using &lt;a href="https://docs.aws.amazon.com/bedrock/latest/userguide/titan-embedding-models.html" target="_blank" rel="noopener"&gt;Amazon Titan Text Embeddings&lt;/a&gt; V2 through Amazon Bedrock for embedding generation. With this architecture, Spark performs semantic search across all knowledge sources, retrieving contextually relevant information that drives accurate, autonomous issue resolution.&lt;/p&gt; 
&lt;h2&gt;High-level architecture&lt;/h2&gt; 
&lt;p&gt;The following diagram illustrates the high-level architecture of Nexthink’s Spark agent implementation with Amazon OpenSearch Service.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/28/BDB-5781-1.png" alt="High-level architecture of Nexthink’s Spark AI agent, showing Amazon Elastic Kubernetes Service hosting the agent, Amazon OpenSearch Service as the vector store, and Amazon Bedrock providing the embedding model" width="600"&gt;&lt;/p&gt; 
&lt;h3&gt;Architecture components&lt;/h3&gt; 
&lt;p&gt;&lt;a href="https://aws.amazon.com/pm/eks/" target="_blank" rel="noopener"&gt;Amazon Elastic Kubernetes Service (Amazon EKS)&lt;/a&gt; hosts the Spark agent, which interprets user queries, retrieves relevant context, and runs autonomous resolutions. With container orchestration, the agent scales horizontally across Nexthink’s 12 AWS Regions while maintaining consistent response times. The agent communicates with Amazon OpenSearch Service to perform semantic searches, retrieving the most contextually relevant documentation and automation scripts for each user’s issue.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://aws.amazon.com/opensearch-service/" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service&lt;/a&gt; functions as the central vector store, providing the k-Nearest Neighbors (k-NN) capabilities required for semantic search. OpenSearch Service stores document embeddings (dense vector representations of text content) alongside traditional metadata fields. When the AI agent submits a query, OpenSearch Service performs approximate nearest neighbor (ANN) searches to find documents with semantically similar embeddings, even when exact keywords don’t match. This vector search capability, combined with the proven scalability and managed infrastructure of OpenSearch Service, makes it well suited for AI agent architectures that require fast, accurate context retrieval.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://aws.amazon.com/bedrock/" target="_blank" rel="noopener"&gt;Amazon Bedrock&lt;/a&gt; provides the foundation models used to generate text embeddings. Nexthink uses Amazon Titan Text Embeddings V2, hosted on Amazon Bedrock, to convert both documents and queries into dense vector representations. OpenSearch Service integrates natively with Amazon Bedrock through the &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ml-amazon-connector.html" target="_blank" rel="noopener"&gt;OpenSearch ML Connector&lt;/a&gt;, which handles embedding generation at both index and query time.&lt;/p&gt; 
&lt;h2&gt;Data ingestion pipeline&lt;/h2&gt; 
&lt;p&gt;A critical component of any AI agent architecture is the data ingestion pipeline. This mechanism transforms raw documents into searchable, semantically indexed content in OpenSearch Service. For Spark, the pipeline must handle diverse data sources while automatically generating vector embeddings for semantic search.&lt;/p&gt; 
&lt;h3&gt;Step 1: Staging and preprocessing layer&lt;/h3&gt; 
&lt;h4&gt;Staging layer in Amazon S3&lt;/h4&gt; 
&lt;p&gt;Knowledge bases (KBs) are staged in &lt;a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener"&gt;Amazon Simple Storage Service (Amazon S3)&lt;/a&gt; before being processed through the ingestion pipeline. Amazon S3 provides durable storage, versioning capabilities, and integration with OpenSearch Service ingestion mechanisms. When documentation updates occur, new versions are uploaded to Amazon S3, which triggers the ingestion pipeline to reprocess and re-embed the content.&lt;/p&gt; 
&lt;h4&gt;Event-driven streaming with Apache Kafka&lt;/h4&gt; 
&lt;p&gt;IT tickets, agent interactions, and remote actions are processed through &lt;a href="https://kafka.apache.org/" target="_blank" rel="noopener"&gt;Apache Kafka&lt;/a&gt; for reliable message delivery during traffic spikes. Its consumer group model lets the ingestion pipeline scale horizontally based on event volume.&lt;/p&gt; 
&lt;h3&gt;Step 2: Embedding generation during indexing time&lt;/h3&gt; 
&lt;p&gt;Nexthink uses &lt;a href="https://docs.opensearch.org/latest/ingest-pipelines/" target="_blank" rel="noopener"&gt;ingest pipelines&lt;/a&gt; inside OpenSearch Service to process the data at ingestion time, including generating text embeddings. When documents are sent to OpenSearch Service, the &lt;a href="https://docs.opensearch.org/latest/ingest-pipelines/processors/text-embedding/" target="_blank" rel="noopener"&gt;text_embedding processor&lt;/a&gt; inside the ingest pipeline automatically invokes the machine learning (ML) Connector to generate embeddings.&lt;/p&gt; 
&lt;p&gt;The ML Connector is the OpenSearch Service built-in framework for integrating external ML services. It handles request signing between OpenSearch Service and Amazon Bedrock, parses the Amazon Bedrock response to extract embeddings, maps them to index fields, and manages retries on failure. This eliminated the need for custom integration code and accelerated Nexthink’s time to market.&lt;/p&gt; 
&lt;p&gt;The following ingestion pipeline configuration demonstrates how to configure the &lt;code&gt;text_embedding&lt;/code&gt; processor.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-json"&gt;{
  "description": "Embedding ingestion pipeline for Spark AI Agent",
  "processors": [
    {
      "text_embedding": {
        "model_id": "&amp;lt;bedrock-connector-model-id&amp;gt;",
        "field_map": {
          "content": "content_embedding"
        }
      }
    }
  ]
}&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;In this configuration:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;model_id&lt;/strong&gt;: References the registered ML model connected to Amazon Bedrock.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;field_map&lt;/strong&gt;: Maps the source text field (&lt;code&gt;content&lt;/code&gt;) to the target embedding field (&lt;code&gt;content_embedding&lt;/code&gt;).&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3&gt;Step 3: Embeddings and data structure in OpenSearch Service&lt;/h3&gt; 
&lt;p&gt;Nexthink stores embeddings alongside textual and metadata information in their k-NN index. For the vector field, they use Hierarchical Navigable Small World (HNSW) with the Lucene engine, as shown in the following example.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-json"&gt;...
"content_embedding": {
  "type": "knn_vector",
  "dimension": 1024,
  "method": {
    "name": "hnsw",
    "space_type": "innerproduct",
    "engine": "lucene"
  }
},
"document_type": {
  "type": "keyword"
},
"tenant_id": {
  "type": "keyword"
}
...&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;In this configuration:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;method.name&lt;/strong&gt;: Defines the algorithm used to organize vector data. &lt;a href="https://docs.opensearch.org/latest/mappings/supported-field-types/knn-methods-engines/" target="_blank" rel="noopener"&gt;Supported values are HNSW and Inverted File (IVF)&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;method.engine&lt;/strong&gt;: References the library that implements the HNSW method. &lt;a href="https://docs.opensearch.org/latest/mappings/supported-field-types/knn-methods-engines/" target="_blank" rel="noopener"&gt;Supported engines are Lucene and FAISS&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;method.space_type&lt;/strong&gt;: References the vector space used to calculate the distance between vectors. &lt;a href="https://docs.opensearch.org/latest/mappings/supported-field-types/knn-methods-engines/" target="_blank" rel="noopener"&gt;Supported values include innerproduct, l2, and cosinesimil&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;content_embedding&lt;/strong&gt;: References the &lt;a href="https://docs.opensearch.org/latest/mappings/supported-field-types/knn-vector/" target="_blank" rel="noopener"&gt;k-NN vector field that serves the vector search&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2&gt;Multi-tenant search and retrieval&lt;/h2&gt; 
&lt;p&gt;Enterprise AI agent deployments must address a critical challenge: making sure that users only access data they’re authorized to see. For Nexthink, serving multiple enterprise customers from a shared infrastructure requires robust &lt;strong&gt;multi-tenant security&lt;/strong&gt;. Each customer’s knowledge base, automation scripts, and support tickets must remain isolated while the shared vector index continues to perform well.&lt;/p&gt; 
&lt;p&gt;The following diagram illustrates the search flow from user query to ranked results.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/28/BDB-5781-2.png" alt="Search flow showing how a user query travels through the Spark agent, OpenSearch Service neural search, the ML Connector to Amazon Bedrock for embedding, and tenant-filtered k-NN retrieval to produce ranked results" width="600"&gt;&lt;/p&gt; 
&lt;h3&gt;Tenant management&lt;/h3&gt; 
&lt;p&gt;Nexthink stores information about each tenant inside the &lt;code&gt;tenant_id&lt;/code&gt; field. This design lets permission filters run efficiently alongside vector similarity searches. Additionally, Nexthink stores the &lt;code&gt;tenant_id&lt;/code&gt; as a &lt;strong&gt;keyword&lt;/strong&gt; type in the index mapping shared previously, so that filtering runs without the overhead of text analysis. Instead of pre-filtering with k-NN queries through a &lt;a href="https://docs.opensearch.org/latest/vector-search/filter-search-knn/scoring-script-filter/" target="_blank" rel="noopener"&gt;score script filter&lt;/a&gt;, the OpenSearch engine uses an intelligent decision-based approach for k-NN filtering called &lt;a href="https://docs.opensearch.org/latest/vector-search/filter-search-knn/efficient-knn-filtering/" target="_blank" rel="noopener"&gt;efficient filtering&lt;/a&gt;.&lt;/p&gt; 
&lt;h3&gt;Neural query example with efficient filtering&lt;/h3&gt; 
&lt;p&gt;&lt;a href="https://docs.opensearch.org/latest/query-dsl/specialized/neural/" target="_blank" rel="noopener"&gt;OpenSearch’s neural search&lt;/a&gt; simplifies vector search by handling embedding generation as part of the query itself. Instead of requiring the application to call an embedding model separately and then submit a raw k-NN query with a vector, a neural query accepts plain text and uses the registered ML Connector to generate the embedding on the fly. As a result, the Spark agent can send natural-language queries directly to OpenSearch Service without any client-side embedding logic.&lt;/p&gt; 
&lt;p&gt;The following query demonstrates how Nexthink combines neural search with tenant isolation through efficient filtering in OpenSearch Service.&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-json"&gt;{
  "query": {
    "bool": {
      "must": [
        {
          "neural": {
            "content_embedding": {
              "query_text": "laptop running slow",
              "model_id": "&amp;lt;bedrock-connector-model-id&amp;gt;",
              "k": 50
            }
          }
        }
      ],
      "filter": [
        {
          "term": {
            "tenant_id": "customer-123"
          }
        }
      ]
    }
  }
}&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;In this query structure:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;bool.must&lt;/strong&gt;: Contains the neural search clause that performs semantic matching against document embeddings.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;bool.filter&lt;/strong&gt;: Applies the tenant isolation constraint, so that only documents belonging to &lt;code&gt;customer-123&lt;/code&gt; are returned.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2&gt;Nexthink’s contribution to the technical community&lt;/h2&gt; 
&lt;p&gt;A key principle in Nexthink’s architecture is treating infrastructure as code. With deployments spanning 12 AWS Regions, manual provisioning would be error-prone and time-consuming. Therefore, Nexthink uses several infrastructure as code (IaC) technologies, including &lt;a href="https://developer.hashicorp.com/terraform" target="_blank" rel="noopener"&gt;Terraform&lt;/a&gt;, to provision resources.&lt;/p&gt; 
&lt;p&gt;Although the Terraform provider supports core OpenSearch Service resources like indices and index templates, it lacked support for some of the &lt;strong&gt;ML Commons&lt;/strong&gt; resources required to integrate Amazon Bedrock:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;ML Connectors&lt;/strong&gt;: Required to establish connections to external ML services like Amazon Bedrock.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;ML Model Groups&lt;/strong&gt;: Needed to organize and manage related models.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;ML Models&lt;/strong&gt;: Required to register models that use the connectors.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Without these resources, Nexthink initially relied on workarounds using &lt;code&gt;local-exec&lt;/code&gt; provisioners and &lt;code&gt;null_resource&lt;/code&gt; blocks to call the OpenSearch Service API directly. This approach was fragile, difficult to maintain, and didn’t integrate well with Terraform’s state management.&lt;/p&gt; 
&lt;h3&gt;Contributing back&lt;/h3&gt; 
&lt;p&gt;Rather than maintaining a private fork indefinitely, Nexthink chose to contribute their custom Terraform resources back to the OpenSearch Project community. This decision aligned with their engineering values to help other organizations implement similar architectures and contribute to the broader community.&lt;/p&gt; 
&lt;h3&gt;Open source contribution links&lt;/h3&gt; 
&lt;p&gt;The Terraform provider contributions are being added to the official OpenSearch project repository:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Pull Request&lt;/strong&gt;: Add support for ML Connector, ML Model Group, and ML Model resources &lt;a href="https://github.com/opensearch-project/terraform-provider-opensearch/pull/280" target="_blank" rel="noopener"&gt;#280&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Feature Request&lt;/strong&gt;: Contribution – Support for ML resources &lt;a href="https://github.com/opensearch-project/terraform-provider-opensearch/issues/281" target="_blank" rel="noopener"&gt;#281&lt;/a&gt;.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;These contributions let any organization provision OpenSearch Service ML resources with Terraform, which streamlines the deployment of AI agent architectures that integrate with Amazon Bedrock or other ML services.&lt;/p&gt; 
&lt;h2&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;Nexthink’s implementation of Amazon OpenSearch Service for the Spark agent demonstrates how vector search capabilities can power autonomous IT support at enterprise scale. By combining semantic search with multi-tenant security and infrastructure as code practices, Nexthink achieved a &lt;strong&gt;77% resolution rate at first contact&lt;/strong&gt;, so that employees can resolve IT issues without human escalation.&lt;/p&gt; 
&lt;h3&gt;Get started&lt;/h3&gt; 
&lt;p&gt;Ready to build your own AI agent with vector search capabilities? Here are your next steps:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Explore &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vector-search.html" target="_blank" rel="noopener"&gt;Amazon OpenSearch Service vector search features&lt;/a&gt; in the OpenSearch Service documentation.&lt;/li&gt; 
 &lt;li&gt;Configure &lt;a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ml-amazon-connector.html" target="_blank" rel="noopener"&gt;ML Connectors for Amazon Bedrock&lt;/a&gt; using the ML Commons plugin guide.&lt;/li&gt; 
 &lt;li&gt;Automate with Terraform using the contributed resources in the &lt;a href="https://github.com/opensearch-project/terraform-provider-opensearch" target="_blank" rel="noopener"&gt;terraform-provider-opensearch repository&lt;/a&gt;.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;The combination of Amazon OpenSearch Service, Amazon Bedrock, and infrastructure as code practices provides a foundation for building intelligent, context-aware AI agents that deliver business value.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt;
   &lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/01/bdb5781a1.png" alt="Rafael Ribeiro" width="100" height="100"&gt;
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Rafael Ribeiro&lt;/h3&gt; 
  &lt;p&gt;Rafael is a Software Engineer at Nexthink, focusing on infrastructure and DevOps for AI teams.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt;
   &lt;img loading="lazy" class="alignnone size-full wp-image-92098" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/15/Moe.png" alt="" width="705" height="764"&gt;
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Moe Haidar&lt;/h3&gt; 
  &lt;p&gt;Moe Haidar is Head of Agentic AI and Engineering at Nexthink, where he leads AI architecture and strategy alongside the development of Spark, the company’s autonomous personal IT agent that resolves employee issues at scale.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt;
   &lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2024/02/15/image012_bdb3935-150x150.jpg" alt="Hajer Bouafif" width="100" height="100"&gt;
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Hajer Bouafif&lt;/h3&gt; 
  &lt;p&gt;Hajer is an Analytics Specialist Solutions Architect at Amazon Web Services. She focuses on Amazon OpenSearch Service and helps customers design and build well-architected analytics workloads in diverse industries. Hajer enjoys spending time outdoors and discovering new cultures.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt;
   &lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/28/BDB-5781-3.jpg" alt="Luca Perrozzi" width="100" height="100"&gt;
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Luca Perrozzi&lt;/h3&gt; 
  &lt;p&gt;Luca is a Solutions Architect at AWS, based in Switzerland. He focuses on innovation topics at AWS, especially in the area of Artificial Intelligence. Luca holds a PhD in particle physics and has 15 years of hands-on experience as a research scientist and software engineer.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>Introducing Private Networking for Amazon MQ for RabbitMQ</title>
		<link>https://aws.amazon.com/blogs/big-data/introducing-private-networking-for-amazon-mq-for-rabbitmq/</link>
		
		<dc:creator><![CDATA[Jean-Sébastien Dominique]]></dc:creator>
		<pubDate>Fri, 19 Jun 2026 14:22:58 +0000</pubDate>
				<category><![CDATA[Amazon MQ]]></category>
		<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Intermediate (200)]]></category>
		<category><![CDATA[Technical How-to]]></category>
		<guid isPermaLink="false">c22fc929b2e1b01b82127444058a55a52a7bffd1</guid>

					<description>In this post, we explain how Private Networking for Amazon MQ for RabbitMQ works and walk through the setup process. Whether you’re securing a private identity provider, federating messages between brokers, or connecting to self-hosted RabbitMQ, your broker can now reach private destinations without exposing them publicly.</description>
										<content:encoded>&lt;p&gt;With Private Networking for Amazon MQ for RabbitMQ, your brokers can establish outbound connections to private resources in your VPC without exposing those resources publicly. This post explains how the feature works and walks you through setting it up.&lt;/p&gt; 
&lt;p&gt;Amazon MQ for RabbitMQ brokers could previously only reach external destinations over the public internet. If you used a private Lightweight Directory Access Protocol (LDAP) server for broker authentication, you had to expose that server publicly. If you wanted to federate messages between private brokers, you needed workarounds like Network Load Balancers with IP allowlisting, as described in &lt;a href="https://aws.amazon.com/blogs/compute/implementing-federation-on-amazon-mq-for-rabbitmq-private-brokers/" target="_blank" rel="noopener"&gt;Implementing Federation on Amazon MQ for RabbitMQ Private Brokers&lt;/a&gt;. Private Networking removes those constraints.&lt;/p&gt; 
&lt;p&gt;You can connect your broker to private identity providers, other Amazon MQ for RabbitMQ brokers, or self-hosted RabbitMQ brokers running in private subnets. Combined with cross-Region networking services like &lt;a href="https://aws.amazon.com/transit-gateway/" target="_blank" rel="noopener"&gt;AWS Transit Gateway&lt;/a&gt;, you can extend these connections across AWS Regions and accounts, with traffic staying on the AWS private network.&lt;/p&gt; 
&lt;h2&gt;How it works&lt;/h2&gt; 
&lt;p&gt;Private Networking connects your broker to private destinations using three AWS services: &lt;a href="https://aws.amazon.com/vpc/lattice/" target="_blank" rel="noopener"&gt;Amazon VPC Lattice&lt;/a&gt;, &lt;a href="https://aws.amazon.com/ram/" target="_blank" rel="noopener"&gt;AWS Resource Access Manager (AWS RAM)&lt;/a&gt;, and &lt;a href="https://aws.amazon.com/privatelink/" target="_blank" rel="noopener"&gt;AWS PrivateLink&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;You create a VPC Lattice resource gateway in a VPC that can reach your private destination. You then create a VPC Lattice resource configuration that defines the destination, such as an IP address or Domain Name System (DNS) name. You add the resource configuration to a RAM resource share and associate the resource share with your broker through the &lt;code&gt;UpdateBroker&lt;/code&gt; API operation. After rebooting the broker, the network path is active and your broker can reach the private destination.&lt;/p&gt; 
&lt;p&gt;The broker does not need to be private. A publicly accessible broker works the same way.&lt;/p&gt; 
&lt;h2&gt;What you can connect to&lt;/h2&gt; 
&lt;p&gt;Private Networking supports three use cases.&lt;/p&gt; 
&lt;h3&gt;Private identity providers&lt;/h3&gt; 
&lt;p&gt;If you use an LDAP server or other identity provider for RabbitMQ authentication, you no longer need to expose it publicly. Create a resource configuration pointing to your identity provider, associate it with your broker, and use the DNS name returned by the &lt;code&gt;DescribeSharedResources&lt;/code&gt; API operation in place of the public endpoint. Follow the existing guidance for &lt;a href="https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-authentication.html" target="_blank" rel="noopener"&gt;setting up an identity provider&lt;/a&gt;, substituting the private DNS name.&lt;/p&gt; 
&lt;h3&gt;Self-hosted RabbitMQ brokers&lt;/h3&gt; 
&lt;p&gt;You can use Shovel or Federation to connect your Amazon MQ for RabbitMQ broker to a self-hosted RabbitMQ broker running in a private subnet. Create a resource configuration pointing to the self-hosted broker and use the DNS name from the &lt;code&gt;DescribeSharedResources&lt;/code&gt; API operation in your Shovel or Federation configuration.&lt;/p&gt; 
&lt;p&gt;This pattern is useful for hybrid cloud architectures where you run RabbitMQ on &lt;a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener"&gt;Amazon Elastic Compute Cloud (Amazon EC2)&lt;/a&gt;, &lt;a href="https://aws.amazon.com/eks/" target="_blank" rel="noopener"&gt;Amazon Elastic Kubernetes Service (Amazon EKS)&lt;/a&gt;, or on-premises infrastructure and want to exchange messages with Amazon MQ without exposing either side publicly.&lt;/p&gt; 
&lt;h3&gt;Other Amazon MQ for RabbitMQ brokers&lt;/h3&gt; 
&lt;p&gt;You can federate or shovel messages between two Amazon MQ for RabbitMQ brokers using Private Networking. Create a resource configuration pointing to the destination broker’s endpoint and specify that same endpoint as the custom domain name on the resource configuration. This helps to verify that the DNS name resolves correctly and Transport Layer Security (TLS) peer verification succeeds.&lt;/p&gt; 
&lt;p&gt;This extends to brokers in different AWS Regions and different AWS accounts. By combining Private Networking with cross-Region networking services like AWS Transit Gateway or VPC peering, you can build a fully private federation or shovel path between brokers, with no public endpoints required.&lt;/p&gt; 
&lt;h2&gt;DNS names and custom domains&lt;/h2&gt; 
&lt;p&gt;Each resource configuration can include a custom domain name. If you add a verified domain, that domain resolves to the private destination. If you do not add a verified domain, Amazon MQ provides a DNS name for the broker’s private connection. Retrieve this DNS name with the &lt;code&gt;DescribeSharedResources&lt;/code&gt; API operation.&lt;/p&gt; 
&lt;p&gt;If you specify an unverified domain on a resource configuration, it is ignored. The broker’s private connection receives a private DNS name instead, which you can retrieve with the &lt;code&gt;DescribeSharedResources&lt;/code&gt; API operation.&lt;/p&gt; 
&lt;p&gt;For more details on custom domain names and domain verification with VPC Lattice, see &lt;a href="https://aws.amazon.com/blogs/networking-and-content-delivery/custom-domain-names-for-vpc-lattice-resources/" target="_blank" rel="noopener"&gt;Custom domain names for VPC Lattice resources&lt;/a&gt;.&lt;/p&gt; 
&lt;h2&gt;TLS peer verification in RabbitMQ 4&lt;/h2&gt; 
&lt;div class="lb-alert lb-alert-info"&gt;
 &lt;strong&gt;Note:&lt;/strong&gt; If you are running RabbitMQ 4, review this section before configuring Shovel or Federation connections.
&lt;/div&gt; 
&lt;p&gt;RabbitMQ 4 enforces TLS certificate peer verification by default for Shovel and Federation connections. RabbitMQ 3 does not enforce this by default. When using Private Networking, the DNS name that Amazon MQ assigns to the private connection will not match the TLS certificate of the destination, which causes peer verification to fail.&lt;/p&gt; 
&lt;p&gt;The recommended approach is to specify the destination broker’s endpoint (for example, &lt;code&gt;b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111.mq.us-east-1.on.aws&lt;/code&gt;) as the custom domain name on the resource configuration. This exception only applies to Amazon MQ for RabbitMQ broker endpoints. You cannot use an unverified domain for self-hosted brokers. Specifying the Amazon MQ endpoint causes the DNS name to match the destination’s TLS certificate, and peer verification succeeds. This approach works regardless of your RabbitMQ version and avoids the issue entirely.&lt;/p&gt; 
&lt;h2&gt;Getting started&lt;/h2&gt; 
&lt;p&gt;To get started with Private Networking for Amazon MQ for RabbitMQ, follow these steps.&lt;/p&gt; 
&lt;h3&gt;Prerequisites&lt;/h3&gt; 
&lt;p&gt;Before you begin, verify you have the following:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;An AWS account.&lt;/li&gt; 
 &lt;li&gt;The &lt;a href="https://aws.amazon.com/cli/" target="_blank" rel="noopener"&gt;AWS Command Line Interface (AWS CLI)&lt;/a&gt; installed and configured.&lt;/li&gt; 
 &lt;li&gt;AWS Identity and Access Management (IAM) permissions to manage Amazon MQ, VPC Lattice, and AWS RAM resources.&lt;/li&gt; 
 &lt;li&gt;An existing VPC with connectivity to your private destination.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3&gt;Walkthrough&lt;/h3&gt; 
&lt;p&gt;After you have the prerequisites, follow these steps:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/getting-started-rabbitmq.html#create-rabbitmq-broker" target="_blank" rel="noopener"&gt;Create an Amazon MQ for RabbitMQ broker&lt;/a&gt; if you do not already have one.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/vpc/latest/privatelink/create-resource-gateway.html" target="_blank" rel="noopener"&gt;Create a VPC Lattice resource gateway in a VPC&lt;/a&gt; that can reach your private destination. Make sure the resource gateway’s security group allows outbound traffic to your destination on the required port (for example, port 5671 for AMQPS (AMQP over TLS) or port 636 for LDAPS (LDAP over TLS)). The resource gateway must share at least one Availability Zone with the broker. Cluster brokers cover multiple Availability Zones, so this is satisfied. For single-instance brokers, verify the Availability Zone overlap.&lt;/li&gt; 
 &lt;li&gt;&lt;a href="https://docs.aws.amazon.com/vpc/latest/privatelink/create-resource-configuration.html" target="_blank" rel="noopener"&gt;Create a VPC Lattice resource configuration&lt;/a&gt; pointing to your private destination (IP address or DNS name). If you’re connecting to another Amazon MQ broker, specify the destination broker’s endpoint as the custom domain name on the resource configuration, as shown in the following figure.&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/29/BDB-5998-1.png" alt="VPC Lattice resource configuration showing the custom domain name field and resource definition populated with the Amazon MQ broker endpoint" width="600"&gt;&lt;em&gt;Figure 1: VPC Lattice resource configuration showing the custom domain name field and resource definition populated with the Amazon MQ broker endpoint.&lt;/em&gt;&lt;/li&gt; 
 &lt;li&gt;Add the resource configuration to a RAM resource share. The resource share must allow external principals, as shown in the following figure.&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/29/BDB-5998-2.png" alt="RAM resource share configuration with the Allow external principals option selected" width="600"&gt;&lt;em&gt;Figure 2: RAM resource share configuration with the Allow external principals option selected.&lt;/em&gt;&lt;/li&gt; 
 &lt;li&gt;Associate the resource share with your broker by editing the broker and adding the resource share. You can also do this using the &lt;code&gt;update-broker&lt;/code&gt; command with the AWS CLI. You must pass the entire list of resource share ARNs you want on the broker. This is a put operation, not an add or remove operation. 
  &lt;div class="hide-language"&gt; 
   &lt;pre&gt;&lt;code class="language-bash"&gt;aws mq update-broker \
  --broker-id b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
  --resource-share-arns arn:aws:ram:us-east-1:111122223333:resource-share/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222&lt;/code&gt;&lt;/pre&gt; 
  &lt;/div&gt; &lt;p&gt;The associated RAM resource share appears as shown in the following figure.&lt;/p&gt; &lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/29/BDB-5998-3.png" alt="Network settings view with associated RAM resource shares" width="600"&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Figure 3: Network settings view with associated RAM resource shares.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Select the resource share in the Associated RAM resource shares section. The network status of each shared resource is displayed in the Shared resources section, as shown in the following figure.&lt;/p&gt; &lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/29/BDB-5998-4.png" alt="RAM resource share selection showing the network status of each shared resource" width="600"&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Figure 4: RAM resource share selection showing the network status of each shared resource.&lt;/em&gt;&lt;/p&gt;&lt;/li&gt; 
 &lt;li&gt;Reboot the broker from the AWS Management Console or the AWS CLI to create the network path: 
  &lt;div class="hide-language"&gt; 
   &lt;pre&gt;&lt;code class="language-bash"&gt;aws mq reboot-broker --broker-id b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111&lt;/code&gt;&lt;/pre&gt; 
  &lt;/div&gt; &lt;/li&gt; 
 &lt;li&gt;Retrieve the DNS names for your RabbitMQ configuration. This operation also surfaces issues encountered during setup: 
  &lt;div class="hide-language"&gt; 
   &lt;pre&gt;&lt;code class="language-bash"&gt;aws mq describe-shared-resources --broker-id b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111&lt;/code&gt;&lt;/pre&gt; 
  &lt;/div&gt; &lt;/li&gt; 
 &lt;li&gt;Use the DNS name returned in the output in your Shovel, Federation, or identity provider configuration. Adding new resource configurations to an existing RAM resource share does not automatically update the broker. You must call &lt;code&gt;update-broker&lt;/code&gt; and reboot the broker for the new resource configurations to take effect.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h2&gt;Cleaning up&lt;/h2&gt; 
&lt;p&gt;Private Networking uses VPC Lattice and PrivateLink resources that incur ongoing charges. If you no longer need the private connection:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Call &lt;code&gt;update-broker&lt;/code&gt; with the resource share removed from the list (or an empty list to remove all), then reboot the broker.&lt;/li&gt; 
 &lt;li&gt;After the broker reboot completes and the resources are no longer in use, delete the VPC Lattice resource configuration and resource gateway.&lt;/li&gt; 
 &lt;li&gt;Optionally, remove the Amazon MQ account principal from the RAM resource share. This principal may still be in use if other brokers are associated with the same resource share, so only remove it if no other brokers depend on it.&lt;/li&gt; 
 &lt;li&gt;If you created a new Amazon MQ for RabbitMQ broker for this walkthrough and no longer need it, delete the broker from the Amazon MQ console or with the &lt;code&gt;delete-broker&lt;/code&gt; command.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h2&gt;Operational behavior: Resource access and reboots&lt;/h2&gt; 
&lt;p&gt;Removing a VPC Lattice resource configuration from a RAM resource share while the broker is actively using it revokes access immediately, with no reboot required. Removing a principal from a RAM resource share has the same effect: brokers associated through that principal lose access to the resources in the share immediately. These are intentional security behaviors managed by RAM and VPC Lattice.&lt;/p&gt; 
&lt;p&gt;Adding new resource configurations to an existing resource share does not take effect automatically. You must call &lt;code&gt;update-broker&lt;/code&gt; and reboot the broker for the new resource configurations to take effect. This is by design. It helps verify that changes to a resource share only reach the broker when someone with broker management permissions explicitly triggers the update, providing clear security separation between share management and broker management.&lt;/p&gt; 
&lt;p&gt;Private Networking is available for Amazon MQ for RabbitMQ brokers in all the AWS Regions where Amazon VPC Lattice is available. Amazon MQ for ActiveMQ brokers do not support this feature.&lt;/p&gt; 
&lt;h2&gt;Pricing&lt;/h2&gt; 
&lt;p&gt;Private Networking uses Amazon VPC Lattice and AWS PrivateLink. Data processing and data transfer charges apply to traffic sent through the private connection. There is an Amazon MQ pricing of $0.01 per GB of data processed through the resource endpoint. For details, see the &lt;span&gt;&lt;a href="https://aws.amazon.com/amazon-mq/pricing/" target="_blank" rel="noopener noreferrer"&gt;Amazon MQ pricing page&lt;/a&gt;&lt;/span&gt;, &lt;span&gt;&lt;a href="https://aws.amazon.com/vpc/lattice/pricing/" target="_blank" rel="noopener noreferrer"&gt;VPC Lattice pricing page&lt;/a&gt;&lt;/span&gt; and &lt;span&gt;&lt;a href="https://aws.amazon.com/privatelink/pricing/" target="_blank" rel="noopener noreferrer"&gt;AWS PrivateLink pricing page&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt; 
&lt;h2&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;In this post, we explained how Private Networking for Amazon MQ for RabbitMQ works and walked through the setup process. Whether you’re securing a private identity provider, federating messages between brokers, or connecting to self-hosted RabbitMQ, your broker can now reach private destinations without exposing them publicly.&lt;/p&gt; 
&lt;p&gt;To learn more, see the &lt;a href="https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/private-networking.html" target="_blank" rel="noopener"&gt;Amazon MQ Private Networking documentation&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;If you have questions or feedback, leave a comment on this post.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/29/BDB-5998-5.png" alt="Jean-Sébastien Dominique" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Jean-Sébastien Dominique&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/jean-sebastien-dominique/" target="_blank" rel="noopener"&gt;Jean-Sébastien&lt;/a&gt; is a Software Development Engineer at Amazon Web Services with 20 years of experience across a wide range of software development domains. He’s interested in the intersection of systems design, human factors, and AI – how people and complex systems interact in practice.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/05/29/BDB-5998-6.jpg" alt="Ishita Chakraborty" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Ishita Chakraborty&lt;/h3&gt; 
  &lt;p&gt;&lt;a href="https://www.linkedin.com/in/ishita-chakraborty-aws/" target="_blank" rel="noopener"&gt;Ishita&lt;/a&gt; is a Senior Technical Account Manager at Amazon Web Services with expertise in serverless and messaging architectures. She works with enterprise customers to deliver technical solutions and strategic guidance – from infrastructure optimization to AI/ML adoption.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
		<item>
		<title>AI-assisted data development with Kiro and SageMaker Unified Studio</title>
		<link>https://aws.amazon.com/blogs/big-data/ai-assisted-data-development-with-kiro-and-sagemaker-unified-studio/</link>
		
		<dc:creator><![CDATA[Zach Mitchell]]></dc:creator>
		<pubDate>Tue, 16 Jun 2026 17:35:27 +0000</pubDate>
				<category><![CDATA[Amazon SageMaker Unified Studio]]></category>
		<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Foundational (100)]]></category>
		<category><![CDATA[Kiro]]></category>
		<guid isPermaLink="false">d62b1ca7be20eb5c99dd9efe0e709b44f4d58728</guid>

					<description>With the AWS Toolkit for Visual Studio Code, you can connect Kiro, VS Code, or Cursor directly to Amazon SageMaker Unified Studio. This post demonstrates the integration using Kiro. The same Remote Access connection works with VS Code and Cursor. The post starts by showing what you can do with this integration: using natural language to explore and analyze data in a governed environment. We then walk through the setup so you can try it yourself.</description>
										<content:encoded>&lt;p&gt;AI coding assistants are transforming software development, but data engineering presents unique challenges: governed data access, shared compute environments, and compliance controls that are designed to remain in place. How do you bring the power of agentic AI development into a governed data environment? With the AWS Toolkit for Visual Studio Code, you can connect Kiro, VS Code, or Cursor directly to Amazon SageMaker Unified Studio.&lt;/p&gt; 
&lt;p&gt;When you connect your editor to a SageMaker Unified Studio Space (a cloud-based compute environment inside your project), you get AI-assisted development with your preferred tools while your data governance, project permissions, and compute are managed by SageMaker Unified Studio. Additionally, SageMaker Unified Studio automatically generates steering files (like &lt;code&gt;AGENTS.md&lt;/code&gt;) that provide your AI assistant with context about your project environment, so it understands your data and project configuration from the first prompt.&lt;/p&gt; 
&lt;p&gt;This post demonstrates the integration using Kiro. The same Remote Access connection works with VS Code and Cursor. The post starts by showing what you can do with this integration: using natural language to explore and analyze data in a governed environment. We then walk through the setup so you can try it yourself.&lt;/p&gt; 
&lt;h2 id="whats-new"&gt;What’s new&lt;/h2&gt; 
&lt;p&gt;With the AWS Toolkit, you can connect Kiro, VS Code, and Cursor to your SageMaker Space over a secure SSH tunnel. No additional extensions or SSH key management required. After the connection is established, your IDE has full access to your Space’s file system, compute, and data services.&lt;/p&gt; 
&lt;p&gt;Two capabilities make this especially powerful for data work:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Automatic AI steering&lt;/strong&gt; – When connecting Kiro to SageMaker Unified Studio,&amp;nbsp; Kiro generates &lt;code&gt;AGENTS.md&lt;/code&gt; and &lt;code&gt;smus-context.md&lt;/code&gt; files that provide your AI assistant with context about your environment, including project configuration, environment details, and utilities for discovering your data catalog and project structure. Kiro detects these files automatically; other editors can use them as context for their own AI features.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;MCP server support&lt;/strong&gt; – have Kiro discover and configure itself for the Model Context Protocol servers on your remote SageMaker space ( like &lt;code&gt;smus_local&lt;/code&gt; and &lt;code&gt;aws-dataprocessing&lt;/code&gt;) to give your agent direct access to your AWS Glue Data Catalog, Amazon Athena queries, and SageMaker Unified Studio project metadata.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The following diagram shows how the components connect:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-1.png" alt="" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Architecture diagram: How the components connect&lt;/em&gt;&lt;/p&gt; 
&lt;h2 id="see-it-in-action-ai-assisted-development-with-governed-data"&gt;See it in action: AI-assisted development with governed data&lt;/h2&gt; 
&lt;p&gt;Before walking through the setup, we explain what you can do with this integration. This walkthrough uses Kiro as the editor. With Kiro connected to a SageMaker Unified Studio Space, MCP servers configured, and steering documents in place, we can use natural language to explore data and build analytics. The AI assistant has all the context it needs to do this well.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Agentic AI output is nondeterministic. The exact code, tool choices, and responses Kiro produces will vary between sessions, even with the same prompt. The following walkthrough shows one representative session. Your experience will differ in the specifics, but the patterns and capabilities demonstrated here are consistent.&lt;/p&gt; 
&lt;h3 id="step-1-explore-the-data"&gt;Step 1: Explore the data&lt;/h3&gt; 
&lt;p&gt;Start with a simple prompt:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-plaintext"&gt;show my databases and the tables I have access to&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Even with native MCP tools available, Kiro often prefers the AWS Command Line Interface (AWS CLI) and bash to retrieve information. This is expected and typically does not affect the outcome. If you prefer MCP tools for every operation, you can add that preference to a steering document.&lt;/p&gt; 
&lt;p&gt;Kiro used the &lt;code&gt;sagemaker_studio&lt;/code&gt; SDK to discover the catalog:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;python3 -c "
from sagemaker_studio import Project
project = Project()
conn = project.connection()
catalog = conn.catalog()
print('Databases:')
for db in catalog.databases:
    print(f'  - {db.name}')
"&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-plaintext"&gt;Databases:
  - default
  - sagemaker_sample_db&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Then it drilled into the table schema:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;python3 -c "
from sagemaker_studio import Project
project = Project()
conn = project.connection()
catalog = conn.catalog()
db = catalog.database('sagemaker_sample_db')
print('Tables in sagemaker_sample_db:')
for t in db.tables:
    print(f'  - {t.name}')
    print(f'    Columns: {[(c.name, c.type) for c in t.columns]}')
"&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-plaintext"&gt;Tables in sagemaker_sample_db:
  - churn
    Columns: [('state', 'string'), ('account_length', 'int'),
              ('area_code', 'string'), ('phone', 'string'),
              ('intl_plan', 'string'), ('vmail_plan', 'string'),
              ('vmail_message', 'int'), ('day_mins', 'double'),
              ('day_calls', 'int'), ('day_charge', 'double'),
              ('eve_mins', 'double'), ('eve_calls', 'int'),
              ('eve_charge', 'double'), ('night_mins', 'double'),
              ('night_calls', 'int'), ('night_charge', 'double'),
              ('intl_mins', 'double'), ('intl_calls', 'int'),
              ('intl_charge', 'double'), ('custserv_calls', 'int'),
              ('churn', 'boolean')]&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Kiro discovered the &lt;code&gt;sagemaker_sample_db.churn&lt;/code&gt; dataset, a sample dataset that ships with SageMaker Unified Studio containing 10,000 rows and 21 columns of customer churn data (state, account length, call minutes, service calls, churn flag, and more). Notice that we did not write any of this code. We asked a question in natural language, and Kiro chose the right SDK calls, explored the catalog, and surfaced the results.&lt;/p&gt; 
&lt;p&gt;Another, more natural way to get the same answer is to ask directly. Prompting “&lt;em&gt;Let us sample the churn table.&lt;/em&gt;” yields the same catalog paths and schema output, along with additional metrics like row count and a data sample, all from a single conversational prompt:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-2.png" alt="SageMaker Unified Studio console showing the sagemaker_sample_db.churn dataset listed in the catalog" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 1 — The &lt;code&gt;sagemaker_sample_db.churn&lt;/code&gt; dataset in the catalog&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-3.png" alt="Schema view showing the 21 columns of the churn table including state, account_length, call minutes, and the churn boolean" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 2 — Churn dataset schema with 21 columns&lt;/em&gt;&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-python"&gt;from sagemaker_studio import sqlutils
result = sqlutils.sql(
    'SELECT COUNT(*) AS total_rows FROM sagemaker_sample_db.churn',
    connection_name='default.sql'
)
print('=== Total Row Count ===')
print(result)&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-plaintext"&gt;=== Total Row Count ===
   total_rows
0       10000&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;With the schema and row count in hand, Kiro sampled the data to round out its understanding of the dataset:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-4.png" alt="Comprehensive data sample showing 10 rows from the churn table with all 21 columns populated" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 3 — Comprehensive data sample after Kiro catalog exploration&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="step-2-run-analytics-with-full-context"&gt;Step 2: Run analytics with full context&lt;/h3&gt; 
&lt;p&gt;With the data explored, ask Kiro to run a data quality evaluation:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-plaintext"&gt;Can we run basic statistical evaluations for data quality?&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;Because Kiro had already explored the catalog and sampled the data, it made smart choices about how to run the analysis. Instead of using PySpark for this 10,000-row table, Kiro used Athena using &lt;code&gt;sqlutils&lt;/code&gt; to run the evaluation directly. It produced a thorough data quality report:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;10,000 rows, 21 columns, zero nulls&lt;/strong&gt; across all columns. Clean on that front.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;5,000 duplicate rows (50 percent).&lt;/strong&gt; Significant, worth investigating before modeling.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Outliers minimal.&lt;/strong&gt; Most columns have less than 1 percent outlier rate by IQR.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Churn is nearly 50/50 split&lt;/strong&gt; (50.04 percent False, 49.96 percent True). Unusually balanced, indicating synthetic data.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Clear signal in key features.&lt;/strong&gt; Churners and non-churners show differences in &lt;code&gt;day_mins&lt;/code&gt; (7.52 vs.&amp;nbsp;3.52), &lt;code&gt;eve_mins&lt;/code&gt; (5.95 vs.&amp;nbsp;4.11), and &lt;code&gt;vmail_message&lt;/code&gt; (175 vs.&amp;nbsp;278).&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;State distribution roughly uniform&lt;/strong&gt; (~2% each), &lt;code&gt;intl_plan&lt;/code&gt; and &lt;code&gt;vmail_plan&lt;/code&gt; near 50/50.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The key insight here is what Kiro did &lt;em&gt;not&lt;/em&gt; do. It did not default to PySpark because the environment supports Spark. Having explored the data first, understanding the table size, column types, and that &lt;code&gt;churn&lt;/code&gt; is a proper Boolean (not a string), Kiro independently chose the right engine for the workload and produced correct analytics on the first pass.&lt;/p&gt; 
&lt;blockquote&gt;
 &lt;p&gt;&lt;strong&gt;Best practice: Explore first, code second&lt;/strong&gt;&lt;/p&gt; 
 &lt;p&gt;Start every AI-assisted development session with data exploration. Ask your AI assistant to discover your catalog, sample your tables, and understand the schema before asking it to build anything. This single step helps reduce a common source of errors in AI-assisted data work: the LLM making assumptions about data it has not seen.&lt;/p&gt; 
 &lt;p&gt;&lt;strong&gt;Exploring your data gives the large language model (LLM) the context it needs to properly help with your project.&lt;/strong&gt; It saves hallucinations and rework, results in faster development time, and reduces token costs.&lt;/p&gt;
&lt;/blockquote&gt; 
&lt;p&gt;Ready to try it yourself? The following sections walk through the full setup: prerequisites, connecting your editor to your SageMaker Space, configuring MCP servers, and working with notebooks.&lt;/p&gt; 
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;/h2&gt; 
&lt;p&gt;Before you begin, make sure you have the following:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;A SageMaker Unified Studio domain and project with at least one project that has a compute environment provisioned (Tooling or ToolingLight). These should come standard with every SageMaker project except those provisioned with the SQL &amp;amp; Gen AI blueprints. If you need to set up SageMaker Unified Studio, see &lt;a href="https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/getting-started.html" target="_blank" rel="noopener noreferrer"&gt;Getting started with Amazon SageMaker Unified Studio&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;A Space with Remote Access enabled.&lt;/strong&gt; Either a JupyterLab or Code Editor Space works. The instance must have at least 8 GiB of memory (for example, &lt;code&gt;ml.t3.large&lt;/code&gt; or larger). The default &lt;code&gt;ml.t3.medium&lt;/code&gt; (4 GiB) can’t enable Remote Access. You must upgrade the instance type first, then toggle Remote Access to &lt;strong&gt;Enabled&lt;/strong&gt; in the Configure Space dialog.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;A VS Code-compatible editor.&lt;/strong&gt; Kiro, VS Code, Cursor, or another VS Code-based IDE installed on your local machine. This walkthrough uses Kiro, but the Remote Access connection has been tested with VS Code and Cursor as well.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;AWS Toolkit v4.1.0 or later.&lt;/strong&gt; Kiro ships with the AWS Toolkit pre-installed. For VS Code and Cursor, install the AWS Toolkit extension and verify your version is 4.1.0 or later (&lt;code&gt;Cmd+Shift+X&lt;/code&gt; and search for “AWS Toolkit”).&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;AWS credentials.&lt;/strong&gt; You must be authenticated in the SageMaker Unified Studio panel of the AWS Toolkit with the same identity (AWS IAM Identity Center or AWS Identity and Access Management (IAM)) that you use to access SageMaker Unified Studio in the browser.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Network connectivity.&lt;/strong&gt; Your Space must have internet access (PublicInternetOnly mode, or virtual private cloud (VPC) with a NAT gateway or HTTP proxy that allows VS Code and Open VSX endpoints).&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The following screenshots show the SageMaker Unified Studio portal and the Configure Space dialog. Navigate to your project, select your Space, and verify the configuration. Remote Access is disabled when the instance has less than 8 GiB of memory. Select an instance with at least 8 GiB, such as &lt;code&gt;ml.t3.large&lt;/code&gt;, then enable Remote Access. This is a one-time configuration per Space.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-5.png" alt="SageMaker Unified Studio portal showing the Spaces list for a project" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 4 — SMUS project Spaces overview in the portal&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-6.png" alt="Configure Space dialog with the instance type selector open and ml.t3.large highlighted" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 5 — Configure Space dialog showing instance type selection&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-7.png" alt="Configure Space dialog with the Remote Access toggle set to Enabled on an 8 GiB instance" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 6 — Enabling Remote Access on a Space with 8 GiB or more&lt;/em&gt;&lt;/p&gt; 
&lt;h2 id="connecting-your-editor-to-your-sagemaker-space"&gt;Connecting your editor to your SageMaker Space&lt;/h2&gt; 
&lt;p&gt;There are two ways to connect: directly from the SageMaker Unified Studio portal, or from your local IDE using the AWS Toolkit.&lt;/p&gt; 
&lt;h3 id="method-1-connect-from-the-sagemaker-unified-studio-portal"&gt;Method 1: Connect from the SageMaker Unified Studio portal&lt;/h3&gt; 
&lt;p&gt;To launch your IDE directly from the portal, navigate to your project’s &lt;strong&gt;Code Spaces&lt;/strong&gt; page, find your Space, and choose &lt;strong&gt;Open in&lt;/strong&gt; to select your editor (Kiro, VS Code, or Cursor):&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-8.png" alt="Code Spaces list with the Open in menu showing options for Kiro, VS Code, and Cursor" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 7 — Open in Local IDE from the Code Spaces list&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;You can also launch from within a Space’s details page:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-9.png" alt="Space details page with the Open in menu expanded" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 8 — Open in Local IDE from the Space details page&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Or from within the JupyterLab or Code Editor browser environment:&lt;/p&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92009" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/10/BDB-5687-image10.png" alt="JupyterLab toolbar with the Open in Local IDE option visible" width="2148" height="583"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 9 — Open in Local IDE from JupyterLab&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Your browser will prompt you to allow opening the IDE. Confirm, and the editor launches with an SSH connection to your Space already established via the AWS Toolkit. No additional configuration is typically required.&lt;/p&gt; 
&lt;h3 id="method-2-connect-from-your-ide-via-the-aws-toolkit"&gt;Method 2: Connect from your IDE via the AWS Toolkit&lt;/h3&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;Open your editor on your local machine. Then, in the AWS Toolkit panel, choose &lt;strong&gt;Sign in&lt;/strong&gt;. Authenticate with your IAM Identity Center or IAM credentials, the same identity you use to access SageMaker Unified Studio in the browser. The following screenshots show Kiro, but the steps are the same in VS Code and Cursor.&lt;img loading="lazy" class="alignnone size-full wp-image-92013" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/10/BDB-5687-image11.png" alt="Figure 10 — AWS Toolkit button in Kiro" width="1197" height="797"&gt;&lt;br&gt; &lt;em&gt;Figure 10 — AWS Toolkit button in Kiro&lt;/em&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92015" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/10/BDB-5687-image12.png" alt="AWS Toolkit panel expanded in Kiro showing the Sign in option" width="353" height="750"&gt;&lt;p&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Figure 11 — AWS Toolkit panel expanded&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-13.png" alt="AWS Toolkit Sign in dialog with profile selection" width="600"&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Figure 12 — AWS Toolkit Sign in dialog&lt;/em&gt;&lt;/p&gt;&lt;/li&gt; 
 &lt;li&gt;Choose your AWS profile. You must have a profile configured in the AWS CLI with the correct account and AWS Region set.&lt;/li&gt; 
 &lt;li&gt;In the Toolkit panel, browse your SageMaker Unified Studio domains and projects. Select the project that you want to work in.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92011" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/10/BDB-5687-image14.png" alt="Kiro AWS Toolkit panel showing SageMaker Unified Studio domains and projects in a tree view" width="615" height="180"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 13 — Browsing SMUS domains and projects in Kiro&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Important:&lt;/strong&gt; The credentials that you use in the AWS Toolkit must match the identity that you use in the SageMaker Unified Studio portal. The Toolkit validates that your identity has access to the Space.&lt;/p&gt; 
&lt;h3 id="ai-steering-how-sagemaker-unified-studio-pre-seeds-ai-context"&gt;AI steering: How SageMaker Unified Studio pre-seeds AI context&lt;/h3&gt; 
&lt;p&gt;The real value of the feature comes from what you don’t need to do. When connected to Kiro SageMaker Unified Studio automatically generates steering files that guide your AI assistant with project context, so you can focus on building analytics rather than configuring connections. When you open a SageMaker Unified Studio project, SageMaker Unified Studio presents a prompt to create &lt;em&gt;steering files&lt;/em&gt;: an &lt;code&gt;AGENTS.md&lt;/code&gt; file that references a newly created &lt;code&gt;smus-context.md&lt;/code&gt;. These files provide context about your project environment, such as project configuration, environment details, and utilities for discovering your data catalog and project structure. Kiro detects and applies these files automatically; in other editors, you can reference them as context for your AI features.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-15.png" alt="SageMaker Unified Studio popup offering to create AGENTS.md and smus-context.md steering files" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 14 — SMUS popup offering to create steering files&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-16.png" alt="Kiro file explorer showing the generated AGENTS.md and smus-context.md files at the project root" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 15 — Generated AGENTS.md and smus-context.md steering files&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Without these steering files, your AI assistant would need several back-and-forth prompts to discover what data you have and how to access it. With them, the assistant understands your project from the first prompt: how to discover your databases, how your environment is configured, and what tools are available. The steering files also help properly configure MCP servers, which you set up in the next section.&lt;/p&gt; 
&lt;h3 id="exploring-your-project"&gt;Exploring your project&lt;/h3&gt; 
&lt;p&gt;After you’re connected, the project structure expands into &lt;strong&gt;Data&lt;/strong&gt; and &lt;strong&gt;Compute&lt;/strong&gt; sections in the sidebar, as it would in the SageMaker Unified Studio portal.&lt;/p&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92014" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/10/BDB-5687-image17.png" alt="Kiro sidebar showing the Data and Compute sections expanded under a SageMaker Unified Studio project" width="353" height="442"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 16 — Project Data and Compute sections in the Kiro sidebar&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;You can explore your data catalog and S3 buckets directly from the sidebar:&lt;/p&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92016" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/10/BDB-5687-image18.png" alt="Kiro sidebar with the data catalog tree and S3 buckets expanded under the project" width="349" height="744"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 17 — Exploring the data catalog and S3 buckets from the sidebar&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;You can also remote into a compatible Space for direct development. Hover over a Space and select the remote icon on the right:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-19.png" alt="Kiro sidebar showing the remote connection icon next to a compatible Space" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 18 — Remote connection icon on a compatible Space&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;After a moment, the Space opens in a new Kiro window:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-20.png" alt="New Kiro window opened with a remote connection to the SageMaker Unified Studio Space" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 19 — Space opened in a new Kiro window&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;You must sign in again, and then trust the authors of the files in the Space:&lt;/p&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92010" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/10/BDB-5687-image21.png" alt="Trust authors dialog asking to confirm trust for files in the remote Space" width="939" height="497"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 20 — Trust authors dialog for the Space files&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;You’re now connected to your Space. The Toolkit works on the Space the way it does locally, except the resources are scoped to the project’s permissions.&lt;/p&gt; 
&lt;p&gt;&lt;img loading="lazy" class="alignnone size-full wp-image-92012" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/10/BDB-5687-image22.png" alt="Kiro window connected to a SageMaker Unified Studio Space with the AWS Toolkit panel active" width="1440" height="897"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 21 — Connected to the SMUS Space with the Toolkit active&lt;/em&gt;&lt;/p&gt; 
&lt;h2 id="setting-up-mcp-servers"&gt;Setting up MCP servers&lt;/h2&gt; 
&lt;p&gt;Before you can use AI-assisted development effectively, you must give Kiro access to your data services through Model Context Protocol (MCP) servers. MCP servers extend the Kiro agent with tools: the ability to query catalogs, run SQL, manage credentials, and more.&lt;/p&gt; 
&lt;p&gt;Out of the box, Kiro has no MCP servers configured:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-23.png" alt="Kiro MCP servers panel with no servers configured" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 22 — Kiro MCP servers panel with no servers configured&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Prompt Kiro to find and configure the MCP servers that ship pre-installed on your SageMaker Space. Using the steering file context, Kiro located the servers and generated the configuration. If a server fails to connect, select the failed entry and Kiro will suggest fixes. You might need additional prompts to get the &lt;code&gt;smus_spark_upgrade&lt;/code&gt; server (a pre-installed MCP server for managing Spark session upgrades) working correctly.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-24.png" alt="Kiro chat panel showing the agent discovering and configuring SageMaker Unified Studio MCP servers" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 23 — Kiro discovering and configuring SMUS MCP servers&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-25.png" alt="MCP servers panel after iterating on configuration fixes, showing servers connected" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 24 — MCP servers after iterating on configuration fixes&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;For more deterministic results, you can also configure the MCP servers manually. Here is a sample configuration:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-json"&gt;{
    "mcpServers": {
        "smus_local": {
            "command": "python3",
            "args": ["-m", "sagemaker_studio.mcp_server"],
            "env": {}
        },
        "aws-dataprocessing": {
            "command": "uvx",
            "args": ["awslabs.aws-dataprocessing-mcp-server@latest"],
            "env": {
                "AWS_REGION": "us-east-1",
                "FASTMCP_LOG_LEVEL": "ERROR"
            },
            "disabled": ["emr_*"]
        }
    }
}&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Your MCP configuration might vary depending on your SageMaker Unified Studio environment. Use the preceding configuration as a starting point and let your editor adjust if a server fails to connect.&lt;/p&gt; 
&lt;p&gt;Next, add the AWS Data Processing MCP server to get catalog information and Athena query capabilities. This isn’t strictly required (Kiro can use Python or AWS CLI for the same tasks), but it gives the agent native tools for catalog and query operations.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-26.png" alt="AWS Data Processing MCP server tools listed in Kiro with the Amazon EMR tool group disabled" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 25 — AWS Data Processing MCP server tools with Amazon EMR tools disabled&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;You can list the tools that each MCP server provides. Because the AWS Data Processing MCP server includes tools for many services, we recommend disabling tools that you don’t need for a given project to save model context. For this walkthrough, disable the Amazon EMR tools to focus on AWS Glue and Amazon Athena.&lt;/p&gt; 
&lt;h2 id="exploring-data-with-notebooks"&gt;Exploring data with notebooks&lt;/h2&gt; 
&lt;p&gt;Kiro supports Jupyter notebooks in your SageMaker Space with the same language and connection selectors that you would find in SageMaker JupyterLab or Code Editor. Open the command palette (&lt;code&gt;Cmd+Shift+P&lt;/code&gt;) and create a new Jupyter notebook:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-27.png" alt="Kiro command palette filtered to the Create New Jupyter Notebook command" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 26 — Command palette to create a new Jupyter notebook&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-28.png" alt="New Jupyter notebook open in Kiro showing language and connection selectors at the bottom-right of a cell" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 27 — New Jupyter notebook opened in Kiro with language and connection selectors in a notebook cell&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;As in SageMaker JupyterLab, you get language and connection selectors in the bottom right of each cell. Choose the connection selector to see your available connections:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-29.png" alt="SageMaker connection selector dropdown showing the available connections for the project" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 28 — SageMaker connection selector&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Select PySpark to fill in the magic commands for your cell. Write your code (in this case, enter &lt;code&gt;spark&lt;/code&gt; and press Shift+Enter) to verify the session starts:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-30.png" alt="Notebook cell prefilled with the PySpark magic command and a spark verification statement" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 29 — PySpark magic command and spark verification code&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-31.png" alt="PySpark cell running in the Kiro notebook" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 30 — Running the PySpark cell&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;If this is your first time using Jupyter with Kiro, you’re prompted to install the Jupyter extension. After it’s installed, select the kernel from &lt;strong&gt;Python Environments&lt;/strong&gt; → &lt;strong&gt;Base&lt;/strong&gt;:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-32.png" alt="Jupyter kernel selection prompt in Kiro after installing the Jupyter extension" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 31 — Jupyter kernel selection prompt&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-33.png" alt="Kernel picker showing the Python kernel selected from the Base environment" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 32 — Selecting the Python kernel from the Base environment&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;Re-run your cell. After a few moments, AWS Glue provisions a PySpark session:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-34.png" alt="AWS Glue provisioning a PySpark session in a Jupyter notebook in Kiro" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 33 — AWS Glue provisioning a PySpark session in a Jupyter notebook in Kiro&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;You see results the way you would in JupyterLab in the SageMaker Unified Studio portal:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-35.png" alt="PySpark code running in a Jupyter notebook in Kiro with output cells populated" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 34 — PySpark code running in a Jupyter notebook in Kiro&lt;/em&gt;&lt;/p&gt; 
&lt;h3 id="the-notebook-generate-button"&gt;The notebook generate button&lt;/h3&gt; 
&lt;p&gt;You will notice a &lt;strong&gt;Generate&lt;/strong&gt; button underneath notebook cells. Let’s test it with a simple prompt:&lt;/p&gt; 
&lt;div class="hide-language"&gt; 
 &lt;pre&gt;&lt;code class="language-plaintext"&gt;looking at the above cell for reference, show me the accounts where state = california
using pyspark prefixing the cell with `%%pyspark default.spark` and sorting by
account_length&lt;/code&gt;&lt;/pre&gt; 
&lt;/div&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-36.png" alt="Notebook cell showing the Generate button populated with a natural language prompt" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 35 — Using the Generate button with a natural language prompt&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-37.png" alt="Generated PySpark code populating a notebook cell after using the Generate button" width="600"&gt;&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Figure 36 — Generated PySpark code from the prompt&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;This prompt builder, like other notebook generation features, doesn’t have good context on the surrounding cells. You must be explicit about what you want because it won’t read other code or cells as input.&lt;/p&gt; 
&lt;p&gt;While the Kiro notebook generate button works for straightforward edits, for serious code generation, we recommend that you use Kiro agent mode. This mode has full project and SageMaker context, as demonstrated in the “See it in action” walkthrough earlier in this post.&lt;/p&gt; 
&lt;h2 id="whats-happening-under-the-hood"&gt;What’s happening under the hood&lt;/h2&gt; 
&lt;p&gt;When you connect your editor to a SageMaker Unified Studio Space, the AWS Toolkit extension establishes a secure SSH tunnel between your local IDE and your cloud-based Space.&lt;/p&gt; 
&lt;p&gt;Key details:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;SSH tunnel.&lt;/strong&gt; The connection is managed entirely by the AWS Toolkit (v4.1.0+) or VS Code’s built-in SSH extension. No separate Remote SSH extension is needed; the capability is built in.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;File system access.&lt;/strong&gt; Your editor sees the Space’s persistent storage at &lt;code&gt;/home/sagemaker-user/&lt;/code&gt;, including shared project files and notebooks or scripts you create.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SageMaker Unified Studio steering context.&lt;/strong&gt; The integration generates &lt;code&gt;AGENTS.md&lt;/code&gt; and &lt;code&gt;smus-context.md&lt;/code&gt; files that provide your AI assistant with context about your project environment and utilities for understanding your data. This is what makes the assistant effective from the first prompt.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;MCP server integration.&lt;/strong&gt; MCP servers like &lt;code&gt;smus_local&lt;/code&gt; (for project metadata and environment utilities) and &lt;code&gt;aws-dataprocessing&lt;/code&gt; (for AWS Glue Data Catalog and Amazon Athena) extend your editor’s AI with direct access to your data services. Your own MCP servers will be equally valuable here.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Credential flow.&lt;/strong&gt; The Toolkit uses your existing AWS identity (IAM Identity Center or IAM) to authenticate to the Space. No separate SSH keys to manage. The &lt;code&gt;aws_context_provider&lt;/code&gt; tool from the &lt;code&gt;smus_local&lt;/code&gt; MCP server handles credential discovery for agent operations.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="best-practices"&gt;Best practices&lt;/h2&gt; 
&lt;p&gt;To work effectively with your IDE and SageMaker Unified Studio:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Explore your data before building.&lt;/strong&gt; Start every session by asking your AI assistant to discover your catalog, sample your data, and understand the schema. This single step helps reduce the most common source of errors in AI-assisted data work: the LLM making assumptions about data it has not seen. See the “See it in action” walkthrough earlier in this post for a concrete example of the difference this makes.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Use the SageMaker Unified Studio steering files.&lt;/strong&gt; When prompted to create &lt;code&gt;AGENTS.md&lt;/code&gt; and &lt;code&gt;smus-context.md&lt;/code&gt;, accept. These files are the foundation that makes everything else work: environment context, MCP server configuration, and project understanding. Without them, your AI assistant starts from zero on every prompt. Kiro detects these automatically; in other editors, add them as context.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Disable unused MCP tools.&lt;/strong&gt; The AWS Data Processing MCP server includes tools for AWS Glue, Amazon EMR, Amazon Athena, and more. Disable the services that you’re not using for a given project to save model context and reduce noise.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Be specific in your prompts.&lt;/strong&gt; The more detail you give your AI (column names, query patterns you prefer, output formats), the closer the first pass will be. “Run data quality evaluation using Athena SQL” gets you better code than “check my data.”&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Always test interactively first.&lt;/strong&gt; Whether in notebooks or the terminal, validate code before deploying it. AI agents can iterate quickly, but catching issues in an interactive session is faster than debugging a failed AWS Glue job. Athena PySpark and the SageMaker &lt;code&gt;sqlutils&lt;/code&gt; and &lt;code&gt;sparkutils&lt;/code&gt; packages are great for this.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Stop your Space when idle.&lt;/strong&gt; Your Space runs on compute (the same instance types as Code Editor and JupyterLab). If idle, the Space will terminate after 60 minutes and close your remote connection. Close the remote window and reconnect to continue.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="things-to-know"&gt;Things to know&lt;/h2&gt; 
&lt;ul&gt; 
 &lt;li&gt;&lt;strong&gt;Notebook agent mode.&lt;/strong&gt; For notebook-heavy analytics workflows where you want agentic AI to generate and run cells directly, SageMaker Notebooks with Data Agent in SageMaker Unified Studio is the recommended option today. Current notebook support in local editors covers editing, running, and generating code in individual cells.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;MCP setup takes iteration.&lt;/strong&gt; Configuring MCP servers may require iteration, especially for servers with complex authentication. Many AI-enabled editors can self-correct when a server fails. For more deterministic results, use the preceding MCP configuration JSON as a starting point rather than relying solely on auto-discovery.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;CLI preference.&lt;/strong&gt; AI agents often prefer the AWS CLI and bash even when MCP tools are available. This doesn’t affect outcomes, but you can steer your assistant toward MCP tools using a steering document if you prefer consistency.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2 id="security-and-governance-boundaries"&gt;Security and governance boundaries&lt;/h2&gt; 
&lt;p&gt;A core benefit of this integration is that your existing security and governance controls remain enforced. Your editor connects to your SageMaker Space through a secure SSH tunnel managed by the AWS Toolkit. It does not bypass your organization’s access controls. Data access is governed by the same AWS Lake Formation permissions and IAM Identity Center authentication that apply when you work in the SageMaker Unified Studio portal directly. Your project-level permissions, database grants, and column-level security policies apply consistently whether a query originates from an AI agent, a notebook cell, or the SageMaker console. Data access is governed by the boundaries you define in your SageMaker Unified Studio domain and project configuration.&lt;/p&gt; 
&lt;h2 id="clean-up"&gt;Clean up&lt;/h2&gt; 
&lt;p&gt;To avoid ongoing charges from billable resources (SageMaker Space compute charges per hour, AWS Glue sessions charge per DPU-hour, Amazon Athena queries charge per TB scanned):&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;Stop your Space&lt;/strong&gt; – In the SageMaker Unified Studio portal, navigate to your project’s Spaces and stop the Space you used for this walkthrough.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Disconnect:&lt;/strong&gt; Close the remote connection in your editor (File → Close Remote Connection).&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Verify AWS Glue sessions are terminated&lt;/strong&gt; – If you ran PySpark queries during this walkthrough, verify that the sessions are stopped. In the SageMaker Unified Studio portal, navigate to Data processing and confirm no active AWS Glue sessions remain. Sessions auto-terminate when the Space stops, but verify to avoid unexpected charges.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Delete demo resources (optional)&lt;/strong&gt; – File deletion is permanent and cannot be undone. Back up any work that you want to retain before proceeding. If you created scripts or files during this walkthrough that you no longer need, delete them from &lt;code&gt;/home/sagemaker-user/&lt;/code&gt;. For example, delete any test notebooks, Python scripts, or generated data files. The sample &lt;code&gt;sagemaker_sample_db.churn&lt;/code&gt; dataset is read-only and doesn’t need cleanup.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt; 
&lt;p&gt;This post showed what happens when agentic AI meets governed data, and walked through how to set it up yourself.&lt;/p&gt; 
&lt;p&gt;Three key insights emerged from this hands-on experience:&lt;/p&gt; 
&lt;ol type="1"&gt; 
 &lt;li&gt;&lt;strong&gt;SageMaker Unified Studio steering files transform the developer experience.&lt;/strong&gt; Your AI assistant is project-aware from the first prompt, understanding your environment and available data without manual setup.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;MCP servers bridge “AI that writes code” with “AI that queries your data”.&lt;/strong&gt; The &lt;code&gt;smus_local&lt;/code&gt; and &lt;code&gt;aws-dataprocessing&lt;/code&gt; servers are essential for effective agentic data work.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;The “explore first” pattern pays immediate dividends.&lt;/strong&gt; When your AI assistant understands your data before writing code, it makes smarter engine choices and produces correct analytics on the first pass.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;This integration brings together two capabilities that are stronger together: your IDE handles the AI-assisted coding and iteration, while SageMaker Unified Studio handles data governance, access control, and compute management. You get the productivity of an agentic AI coding assistant without compromising on the controls your organization requires.&lt;/p&gt; 
&lt;p&gt;To get started, &lt;a href="https://kiro.dev/" target="_blank" rel="noopener"&gt;download Kiro&lt;/a&gt;, &lt;a href="https://code.visualstudio.com/" target="_blank" rel="noopener"&gt;install VS Code&lt;/a&gt; or &lt;a href="https://cursor.com/" target="_blank" rel="noopener"&gt;Cursor&lt;/a&gt;, and add the &lt;a href="https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/welcome.html" target="_blank" rel="noopener"&gt;AWS Toolkit for Visual Studio Code&lt;/a&gt; (v4.1.0 or later). Then visit the &lt;a href="https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/what-is-sagemaker-unified-studio.html" target="_blank" rel="noopener"&gt;Amazon SageMaker Unified Studio documentation&lt;/a&gt; and the &lt;a href="https://awslabs.github.io/mcp/servers/aws-dataprocessing-mcp-server/" target="_blank" rel="noopener"&gt;AWS Data Processing MCP Server&lt;/a&gt; to set up your first Space. For related reading, see &lt;a href="https://aws.amazon.com/blogs/machine-learning/speed-up-delivery-of-ml-workloads-using-code-editor-in-amazon-sagemaker-unified-studio/" target="_blank" rel="noopener"&gt;Speed up delivery of ML workloads using Code Editor in Amazon SageMaker Unified Studio&lt;/a&gt;.&lt;/p&gt; 
&lt;hr&gt; 
&lt;h2&gt;About the authors&lt;/h2&gt; 
&lt;footer&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-38.jpg" alt="Zach Mitchell" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Zach Mitchell&lt;/h3&gt; 
  &lt;p&gt;Zach is a Senior Big Data Architect in AWS Worldwide Specialist Organization for Analytics. He works with customers to design and build data applications on AWS, with a focus on SageMaker Unified Studio, AWS Glue, and AWS Lake Formation. Outside of work, he enjoys building things with code and occasionally writing about it.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-39.jpg" alt="Anchit Gupta" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Anchit Gupta&lt;/h3&gt; 
  &lt;p&gt;Anchit is a Senior Product Manager on the Amazon SageMaker Unified Studio team at AWS.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-40.jpg" alt="Leah Wagner" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Leah Wagner&lt;/h3&gt; 
  &lt;p&gt;Leah is a Senior Solutions Architect in AWS Worldwide Specialist Organization for Analytics.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-41.jpg" alt="Bhargava Varadharajan" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Bhargava Varadharajan&lt;/h3&gt; 
  &lt;p&gt;Bhargava is a Senior Software Engineer on the Amazon SageMaker Unified Studio team at AWS.&lt;/p&gt; 
 &lt;/div&gt; 
 &lt;div class="blog-author-box"&gt; 
  &lt;div class="blog-author-image"&gt; 
   &lt;p&gt;&lt;img loading="lazy" class="alignleft size-full" src="https://d2908q01vomqb2.cloudfront.net/b6692ea5df920cad691c20319a6fffd7a4a766b8/2026/06/08/BDB-5857-42.jpg" alt="Majisha Namath Parambath" width="100" height="100"&gt;&lt;/p&gt; 
  &lt;/div&gt; 
  &lt;h3 class="lb-h4"&gt;Majisha Namath Parambath&lt;/h3&gt; 
  &lt;p&gt;Majisha is a Software Development Engineer on the Amazon SageMaker Unified Studio team at AWS.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/footer&gt;</content:encoded>
					
		
		
			</item>
	</channel>
</rss>