Welcome to the first Cloud Posse Customer Newsletter. Each month, we'll cover what shipped, what it means for you, and what's coming next. Here are the four things you should know this month.
The account-map component simplified looking up AWS account IDs and IAM roles for role assumption, enabling remote state lookups from within Terraform. The problem: it made every component dependent on a global account-map, which meant components only worked in environments that had one. That's a non-starter for brownfield environments where you need components to be pluggable. On top of that, role assumption inside Terraform means changing roles changes the plan — even when nothing else has changed — breaking the idempotency you expect from a plan.
The older components aren't going away, but new updates will go toward these simplified replacements as we consolidate. If you've been considering onboarding legacy accounts or consolidating AWS organizations, this change makes it much easier to leverage reference architecture components across all your organizations.
Review the deprecation announcement for full details, and if you need any help with this update, we're standing by — reply to this email or book directly.
Our security components didn't take advantage of AWS's delegated administrator pattern, so configuring services like Config, CloudTrail, GuardDuty, and Security Hub meant wiring together each service's quirks individually across every account. With delegated admin, a single security account manages all of these services centrally — fewer moving parts, less configuration per account, and consistent behavior across your entire organization.
We've updated all nine security components (Config, CloudTrail, GuardDuty, Security Hub, Inspector 2, Macie, IAM Access Analyzer, Shield, and Audit Manager) to use a unified delegated administrator pattern. One security account controls everything centrally, configuration is simpler, and the components work together consistently.
Not using these components yet? If you're working toward SOC 2, HIPAA, or FedRAMP, they give you the evidence collection auditors expect. We offer fixed-price implementations to get you there fast.
We've shipped a wave of improvements that eliminate common friction points:
source block in your stack YAML and Atmos downloads the component on first use — no separate component.yaml or manual vendoring required.
atmos.yaml so every developer and CI runner uses the same versions.
Coming this quarter: Beautiful Workflows (better formatting, typed inputs, improved error handling), Native CI/CD Support (first-class GitHub Actions integration), and Native Secrets Management (declarative secret declarations in YAML, multi-cloud backend support for AWS SSM, Secrets Manager, Vault, SOPS, and more, with simple CRUD commands and automatic masking in all CLI output). See the Atmos Roadmap for details.
If your team has been using Leapp to manage AWS credentials, you know the pain: a separate GUI application and onboarding steps that end up in a wiki nobody updates. Worse, the project is no longer maintained — so it's time to move on. We've published a migration guide to make the transition straightforward.
Atmos Auth replaces all of that with native cloud authentication built directly into the CLI. Your authentication configuration lives in atmos.yaml alongside your infrastructure — commit it once and everyone on the team gets the same setup. No extra apps, no manual credential juggling.
The workflow is simple: atmos auth login, verify your identity, and deploy. If you're currently using Leapp or manually managing AWS profiles, this is a drop-in improvement that your whole team benefits from on day one.
If your team hasn't been joining our weekly Office Hours, you're missing out on one of the easiest ways to stay current on what's changing and ask questions directly. Register here to get it on your calendar.
And if you can't make it live, Office Hours is now available as a podcast — subscribe at cloudposse.com/podcast so your team can listen on their own time.
Questions about any of these changes? Reply to this email or schedule time with us.
