
Amazon EKS Upgrade Insights: scan deprecated Kubernetes APIs and surface callers before control plane upgrades

EKS Upgrade Insights scans audit logs for deprecated Kubernetes APIs and maps affected resources and callers, making upgrades an inventory and ownership task.

June 30, 2026·3 min read·AI researched · AI written · AI reviewed

AWS just handed platform teams a diagnostic that looks eerily like a compliance scanner — and that's exactly why it's useful. Upgrade Insights for Amazon EKS will automatically scan cluster audit logs for calls to deprecated Kubernetes APIs, show which resources are affected, and surface the callers. It then provides remediation guidance you can run against clusters before you flip the control plane to a newer Kubernetes version.

This is not a nicety. For large multi-team clusters, the hard part of upgrades isn't kubelet flags or API changes; it's answering two simple questions at scale: what resources still use old APIs, and who/what is creating them. Previously you found out only after nodes or controllers started failing. Upgrade Insights makes that discovery proactive — and in doing so it creates a new set of operational requirements.

First, the obvious upside: fewer surprise breakages during an upgrade. If Upgrade Insights tells you that a controller in namespace foo is still writing a deprecated CustomResource, you can triage ownership (controller image? operator? CI job?) and remediate before AWS begins an upgrade. The report mapping callers to resources is the feature that separates a noisy diff from an actionable plan.

But now the trade-offs. This tool depends on audit logs. If you’re trimming audit retention to a few days in CloudWatch or S3, or if audit-policy filters are dropping the very requests you need to inspect, Upgrade Insights will be blind. It also surfaces a new attack surface: callers. Service accounts, IAM roles, external controllers, and GitOps bots all become named entries in that telemetry. Teams that have RBAC sprawl, unmanaged cluster-level controllers, or ad-hoc service accounts will get a report that looks like a to-do list the size of a garage sale.

AWS also clarified lifecycle mechanics at the same time. Kubernetes versions on EKS have documented support timelines and AWS offers an Extended Support option that you must explicitly opt into. AWS describes conditions under which clusters on unsupported versions may require action; in practice that means you should not assume indefinite stability if you delay upgrades. Being explicit and mechanical about timelines is the right move; implicit, surprise upgrades were always going to be worse.

Two immediate operational directives follow. One: centralize and extend your audit log retention and review your audit-policy. Upgrade Insights is only as good as the data you feed it. Two: treat the Upgrade Insights report as an RBAC and ownership inventory. If a GitHub Actions runner or an old operator is listed as the caller for dozens of deprecated objects, you need a plan to replace or isolate that actor — not just a YAML sed.
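The caller-to-resource inventory and the retention caveat described above, as an added example (not AWS's implementation and not code from this article). It relies on the `k8s.io/deprecated` and `k8s.io/removed-release` annotations that the Kubernetes API server attaches to audit events for deprecated APIs; the sample events, the service-account names and the function name are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed audit events (one JSON object per line); names are hypothetical.
SAMPLE_AUDIT_LOG = """\
{"stage":"ResponseComplete","requestReceivedTimestamp":"2026-06-01T10:00:00.000000Z","verb":"create","user":{"username":"system:serviceaccount:foo:legacy-operator"},"userAgent":"legacy-operator/v0.9","objectRef":{"apiGroup":"flowcontrol.apiserver.k8s.io","apiVersion":"v1beta3","resource":"flowschemas"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.32"}}
{"stage":"ResponseComplete","requestReceivedTimestamp":"2026-06-03T09:30:00.000000Z","verb":"update","user":{"username":"system:serviceaccount:foo:legacy-operator"},"userAgent":"legacy-operator/v0.9","objectRef":{"apiGroup":"flowcontrol.apiserver.k8s.io","apiVersion":"v1beta3","resource":"flowschemas"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.32"}}
{"stage":"ResponseComplete","requestReceivedTimestamp":"2026-06-04T12:00:00.000000Z","verb":"list","user":{"username":"system:serviceaccount:ci:gitops-bot"},"userAgent":"kubectl/v1.31.0","objectRef":{"apiGroup":"flowcontrol.apiserver.k8s.io","apiVersion":"v1beta3","resource":"prioritylevelconfigurations"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.32"}}
{"stage":"ResponseComplete","requestReceivedTimestamp":"2026-06-04T12:05:00.000000Z","verb":"get","user":{"username":"alice"},"userAgent":"kubectl/v1.31.0","objectRef":{"apiGroup":"apps","apiVersion":"v1","resource":"deployments","namespace":"foo"}}
"""

def deprecated_api_inventory(log_text):
    """Return ({caller: {(api, removed_in): count}}, days of audit history seen)."""
    inventory = defaultdict(lambda: defaultdict(int))
    first = last = None
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        notes = ev.get("annotations") or {}
        # Count each request once, and only if the API server flagged it deprecated.
        if ev.get("stage") != "ResponseComplete" or notes.get("k8s.io/deprecated") != "true":
            continue
        ref = ev.get("objectRef") or {}
        api = "/".join([ref.get("apiGroup") or "core", ref.get("apiVersion", "?"), ref.get("resource", "?")])
        caller = ((ev.get("user") or {}).get("username", "unknown"), ev.get("userAgent", ""))
        inventory[caller][(api, notes.get("k8s.io/removed-release", "?"))] += 1
    # A short window means retention or policy filters are hiding older callers.
    window_days = (last - first).days if first else 0
    return {c: dict(apis) for c, apis in inventory.items()}, window_days

if __name__ == "__main__":
    report, days = deprecated_api_inventory(SAMPLE_AUDIT_LOG)
    print(f"audit history covers {days} day(s)")
    for (user, agent), apis in report.items():
        for (api, removed), n in apis.items():
            print(f"{user} [{agent}] -> {api} (removed in {removed}): {n} request(s)")
```

The returned window length is the number to compare against your retention setting: a caller that runs monthly will not appear in a log that only goes back a few days.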

The rest of the week's announcements fit the same theme: more automation, more observability, and thus more need for strong ownership. Amazon Bedrock got expanded model options, tighter agent tooling integration, and better observability hooks — useful if you're building multi-model agent pipelines that need tracing and runtime signals. AWS Lambda saw incremental wins: reduced cold-starts, finer-grained telemetry, and closer integrations with SQS and EventBridge for higher-throughput serverless patterns. None of those features eliminate ops work; they change which work you do.

If there's a single blunt lesson here: upgrades are now an inventory + people problem, not a purely technical compatibility exercise. Upgrade Insights is a necessary prod — platform teams should be thankful it's AWS doing the scanning and not a frantic post-upgrade pager. But it's also a yardstick. When that report lands in your console, it will mercilessly reveal whether you have cluster ownership, sane RBAC, and a retention policy that supports real analysis.

Expect the first wave of adoption to force a cleanup: longer audit retention, fewer cluster-wide controllers, and more explicit service-account ownership. The second wave will be uglier: teams that treat upgrades as vendor problems will get surprised. This feature won't save you from poor architecture, but it will make the cost of ignoring it impossible to hide.
