May has a little bit of something for everyone: security teams get findings mapped back to Atmos components, platform teams get sharper Native CI workflows, reviewers get better GitHub-native automation, and Atmos AI now shows up where the work is already happening — in issues, PR comments, and the Atmos Pro UI. Paid Atmos Pro subscriptions are rolling out too, including AWS Marketplace as a procurement path.
The security baseline we rebuilt in February gave you Config, CloudTrail, GuardDuty, Security Hub, and six other AWS services on a unified delegated-administrator pattern. That's the foundation. The missing piece has been the analysis layer on top: when Security Hub flags a finding, you still had to navigate the console, identify the resource, and cross-reference it back to the Terraform component that manages it. That's slow, and it requires deep AWS and Terraform expertise to do well.
A new command closes that gap:
    atmos aws security analyze --stack prod-us-east-1
Atmos pulls findings from Security Hub, maps each one to the Atmos component and stack that manages the affected resource (via the tags your reference architecture already applies), and shows which code is responsible. Add --ai and you get concrete remediation suggestions with specific code changes and deploy commands.
Configuration is a small block in atmos.yaml:
    aws:
      security:
        enabled: true
        identity: "security-readonly"
        region: "us-east-2"
        tag_mapping:
          stack_tag: "atmos:stack"
          component_tag: "atmos:component"
See the changelog post for the full setup walkthrough.
Coming soon — stay on top of them with Atmos Pro. The CLI is great for an audit on-demand. The harder problem is the one your compliance framework actually cares about: showing every finding gets resolved inside the SLA — typically 30 days for critical, 60 or 90 for high, depending on whether you're under SOC 2, ISO 27001, PCI DSS, or FedRAMP. That requires continuous tracking from first-surfaced through remediated, an owner per finding, and audit-ready evidence on demand — not a snapshot you re-run before each control review. We're building that on top of atmos aws security analyze in Atmos Pro: continuous Security Hub tracking mapped to your stacks, status and ownership per finding, SLA timers per severity, and exportable reports your auditor can read without an introduction. If continuous compliance tracking is on your roadmap, reply to this email — we're lining up the early-access cohort now.
If you'd like us to set this up against your existing Security Hub aggregation account and walk through the first round of findings with your team, reply to this email or book directly. We'll have you running atmos aws security analyze against real findings in about an hour — and we'll add you to the early-access list for continuous tracking at the same time.
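To make the tag-based mapping and the SLA bookkeeping concrete, here is an added example (not Atmos's own code) that takes Security Hub findings in ASFF shape, maps each one to a stack and component through the same tag_mapping keys as the atmos.yaml block above, and computes how many days remain before a finding breaches its SLA. The findings, the 30/60/90-day windows, and the "now" timestamp are constructed for the example; Atmos Pro's real tracking and the SLA numbers your framework requires are not represented here.

```python
"""Map Security Hub findings to Atmos stacks/components via resource tags and
compute per-severity SLA status.

Added example, not Atmos's own code. Findings are constructed sample data in
AWS Security Finding Format (ASFF) shape; SLA_DAYS are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Mirrors aws.security.tag_mapping in atmos.yaml
TAG_MAPPING = {"stack_tag": "atmos:stack", "component_tag": "atmos:component"}

# Assumed SLA window per severity label, in days (constructed for the example)
SLA_DAYS = {"CRITICAL": 30, "HIGH": 60, "MEDIUM": 90}

# Fixed "current time" so the example is deterministic
NOW = datetime(2025, 5, 15, tzinfo=timezone.utc)

# Constructed findings: two tagged and open, one untagged, one already resolved
FINDINGS = [
    {"Id": "finding-001", "Severity": {"Label": "CRITICAL"},
     "FirstObservedAt": "2025-04-01T00:00:00Z", "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:s3:::example-logs",
                    "Tags": {"atmos:stack": "prod-us-east-1",
                             "atmos:component": "s3-bucket/logs"}}]},
    {"Id": "finding-002", "Severity": {"Label": "HIGH"},
     "FirstObservedAt": "2025-04-20T00:00:00Z", "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-example",
                    "Tags": {"atmos:stack": "prod-us-east-1",
                             "atmos:component": "vpc"}}]},
    {"Id": "finding-003", "Severity": {"Label": "MEDIUM"},
     "FirstObservedAt": "2025-05-10T00:00:00Z", "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:iam::111111111111:user/example", "Tags": {}}]},
    {"Id": "finding-004", "Severity": {"Label": "HIGH"},
     "FirstObservedAt": "2025-03-01T00:00:00Z", "Workflow": {"Status": "RESOLVED"},
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-example",
                    "Tags": {"atmos:stack": "prod-us-east-1",
                             "atmos:component": "vpc"}}]},
]


def map_finding(finding, tag_mapping=TAG_MAPPING):
    """Return (stack, component) from the first resource carrying both Atmos tags,
    or (None, None) when no resource in the finding is tagged."""
    for resource in finding.get("Resources", []):
        tags = resource.get("Tags") or {}
        stack = tags.get(tag_mapping["stack_tag"])
        component = tags.get(tag_mapping["component_tag"])
        if stack and component:
            return stack, component
    return None, None


def group_by_component(findings, tag_mapping=TAG_MAPPING):
    """Group finding IDs by (stack, component); untagged findings land under 'unmapped'."""
    groups = defaultdict(list)
    for finding in findings:
        stack, component = map_finding(finding, tag_mapping)
        groups[(stack or "unmapped", component or "unmapped")].append(finding["Id"])
    return dict(groups)


def sla_status(finding, now, sla_days=SLA_DAYS):
    """Return (deadline, days_remaining, breached) for an open finding.

    The clock starts at FirstObservedAt; a RESOLVED finding is never in breach."""
    if finding.get("Workflow", {}).get("Status") == "RESOLVED":
        return None, None, False
    severity = finding["Severity"]["Label"]
    first_seen = datetime.fromisoformat(finding["FirstObservedAt"].replace("Z", "+00:00"))
    deadline = first_seen + timedelta(days=sla_days.get(severity, 90))
    remaining = (deadline - now).days
    return deadline, remaining, remaining < 0


def report(findings, now=NOW, tag_mapping=TAG_MAPPING, sla_days=SLA_DAYS):
    """Open findings with owner-ready context, most urgent first."""
    rows = []
    for finding in findings:
        deadline, remaining, breached = sla_status(finding, now, sla_days)
        if deadline is None:
            continue
        stack, component = map_finding(finding, tag_mapping)
        rows.append({"id": finding["Id"], "stack": stack or "unmapped",
                     "component": component or "unmapped",
                     "severity": finding["Severity"]["Label"],
                     "days_remaining": remaining, "breached": breached})
    rows.sort(key=lambda r: r["days_remaining"])
    return rows


if __name__ == "__main__":
    for row in report(FINDINGS):
        flag = "BREACHED" if row["breached"] else f"{row['days_remaining']}d left"
        print(f"{row['id']}  {row['severity']:<9} {row['stack']}/{row['component']}  {flag}")
```

The untagged finding is kept rather than dropped: an "unmapped" bucket is the signal that a resource escaped the tagging your reference architecture applies, which is itself a finding worth an owner.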
Native CI has been shipping for a couple of months now (we announced it in last month's newsletter), and customer feedback has driven a steady stream of improvements since. Four worth highlighting this month:
ATMOS_CI_GITHUB_TOKEN. If you're using a GitHub App token to manage GitHub resources with Terraform, that App token usually doesn't have statuses: write — so commit statuses fail with a cryptic 404. Set ATMOS_CI_GITHUB_TOKEN to your workflow's default token and Atmos uses it for CI operations while keeping your App token for Terraform. Token precedence is now ATMOS_CI_GITHUB_TOKEN > GITHUB_TOKEN > GH_TOKEN. (changelog)

ACTIONS_RUNNER_DEBUG / ACTIONS_STEP_DEBUG. GitHub's "re-run with debug logging" option sets these for the next run. The intent is one click to make everything verbose, but most tools ignore the signal and force you back into a per-tool env-var dance. Atmos now picks it up automatically — when the runner reports debug mode, Atmos flips its own log level to Debug for the run. Click the button, get the logs, fix the problem. No ATMOS_LOGS_LEVEL=Debug edits to your workflow YAML. (changelog)

$GITHUB_OUTPUT. Drop the explicit --output-file flag from atmos describe affected --format=matrix. When ci.enabled: true and you're on GitHub Actions, the matrix JSON goes to $GITHUB_OUTPUT automatically — matching the behavior already shipped for atmos list instances --format=matrix. (changelog)

atmos list instances --format=matrix. describe affected gives you a matrix of changed components for targeted CI; list instances --format=matrix gives you a matrix of all components for scheduled drift detection, compliance scans, or full-fleet operations. Same JSON shape, plug straight into strategy.matrix. (changelog)

atmos pro commit

Commits made with GITHUB_TOKEN don't trigger downstream workflows. That's a deliberate GitHub limitation to prevent infinite loops, but it blocks the most common autofix pattern: run tofu fmt -recursive, commit the result, and let CI verify the change. Until now, working around it meant minting a PAT (insecure and static), provisioning a separate GitHub App token (tedious — you have to put the credentials somewhere), or paying for a third-party service like autofix.ci.
The new atmos pro commit builds it into Atmos. Your workflow stages changes; atmos pro commit authenticates via GitHub OIDC, sends the staged file contents to Atmos Pro, and Atmos Pro creates the commit using its GitHub App installation. Because the commit comes from the App (not GITHUB_TOKEN), GitHub triggers downstream CI normally. Loop prevention is built in — the command detects when it's running in a workflow triggered by atmos-pro[bot] and exits early.
    - run: atmos toolchain exec -- tofu fmt -recursive
    - run: atmos pro commit -m "fmt"
That replaces the autofix-style wrapper entirely. Full setup details in the changelog.
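The Native CI items above and the atmos pro commit loop guard all come down to a few environment-driven decisions, so here is an added example (not Atmos's own code) that makes them explicit: token selection in the stated precedence order, the log-level flip when the runner reports debug mode, routing matrix JSON to $GITHUB_OUTPUT on GitHub Actions, and an early exit when the run was triggered by atmos-pro[bot]. Using GITHUB_ACTIONS=true to detect Actions, GITHUB_ACTOR to recognise the bot, the ci_enabled argument standing in for ci.enabled, and the {"include": [...]} matrix shape are all assumptions of this example.

```python
"""Environment-driven CI decisions modelled on the Native CI notes above.

Added example, not Atmos's own code. Assumptions: GITHUB_ACTIONS=true marks a
GitHub Actions run, GITHUB_ACTOR identifies the triggering actor, ci_enabled
stands in for ci.enabled in atmos.yaml, and the matrix uses an 'include' list.
"""
import json
import os

# Precedence from the changelog note: ATMOS_CI_GITHUB_TOKEN > GITHUB_TOKEN > GH_TOKEN
TOKEN_PRECEDENCE = ("ATMOS_CI_GITHUB_TOKEN", "GITHUB_TOKEN", "GH_TOKEN")

# The two variables GitHub's "re-run with debug logging" sets
DEBUG_VARS = ("ACTIONS_RUNNER_DEBUG", "ACTIONS_STEP_DEBUG")

# Assumed actor name for commits created through the Atmos Pro GitHub App
ATMOS_PRO_BOT = "atmos-pro[bot]"


def resolve_ci_token(env):
    """Return (variable_name, token) for the first non-empty token in precedence order."""
    for name in TOKEN_PRECEDENCE:
        value = env.get(name, "")
        if value:
            return name, value
    return None, None


def resolve_log_level(env, configured="Info"):
    """Flip to Debug when the runner reports debug mode, else keep the configured level."""
    if any(env.get(var) == "true" for var in DEBUG_VARS):
        return "Debug"
    return configured


def matrix_destination(env, ci_enabled):
    """Path of $GITHUB_OUTPUT when ci.enabled and running on Actions; '-' (stdout) otherwise."""
    on_actions = env.get("GITHUB_ACTIONS") == "true"
    if ci_enabled and on_actions and env.get("GITHUB_OUTPUT"):
        return env["GITHUB_OUTPUT"]
    return "-"


def write_matrix(env, ci_enabled, matrix, name="matrix"):
    """Emit `name=<compact json>` to the resolved destination and return the line written.

    A single-line `key=value` is the GITHUB_OUTPUT format; the file is appended, not truncated."""
    line = f"{name}={json.dumps(matrix, separators=(',', ':'))}"
    dest = matrix_destination(env, ci_enabled)
    if dest == "-":
        print(line)
    else:
        with open(dest, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
    return line


def triggered_by_atmos_pro_bot(env):
    """Loop guard: True when this workflow run was triggered by the Atmos Pro bot."""
    return env.get("GITHUB_ACTOR") == ATMOS_PRO_BOT


if __name__ == "__main__":
    env = dict(os.environ)
    if triggered_by_atmos_pro_bot(env):
        print("run triggered by atmos-pro[bot]; skipping autofix to avoid a loop")
        raise SystemExit(0)
    name, _ = resolve_ci_token(env)
    print(f"ci token source: {name or 'none found'}")
    print(f"log level: {resolve_log_level(env)}")
    # Constructed matrix in the assumed 'include' shape
    write_matrix(env, ci_enabled=True,
                 matrix={"include": [{"stack": "prod-us-east-1", "component": "vpc"}]})
```

Run it inside a job step and the token source line tells you which variable won; run it after "re-run with debug logging" and the level line flips to Debug without touching the workflow YAML.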
Atmos AI can now invoke your locally installed Claude Code, OpenAI Codex, or Gemini CLI directly as the backend. If your team already has Claude Max, ChatGPT Pro, or a Gemini subscription, that's all the auth Atmos needs — no separate API key to provision, no extra bill, no key rotation. Full MCP support is included, so any MCP servers you've configured for Claude Code or Codex are available to Atmos AI too.
    ai:
      enabled: true
      default_provider: "claude-code" # or "codex-cli" or "gemini-cli"
The bigger change for Atmos Pro customers is where that chat now lives. You can use Atmos AI from GitHub issues and PR comments, and from the Atmos Pro UI itself. That turns the normal review loop into ChatOps: ask about the thing in front of you instead of copying IDs between GitHub, Actions logs, the dashboard, and your terminal.
Try it on the next real workflow:
If claude is on your PATH, atmos ai ask "what did we spend on EC2 last month?" still just works. Same for codex and gemini. Details on the CLI provider setup are in the changelog.
A handful of smaller improvements worth knowing about:
profiles.default. When --identity can't be resolved, Atmos now checks whether the identity lives in another profile and prompts you to switch (or hints at the exact re-run command). You can also pin a default profile in atmos.yaml via profiles.default. (changelog)

components.terraform.workspace.prefix_separator: "/" keeps / in auto-generated backend key prefixes, so services/consul writes to services/consul/... in S3 instead of being flattened to services-consul/.... (changelog)

atmos list. Every atmos list subcommand now accepts --process-templates and --process-functions (with matching env vars), matching the flag surface of atmos describe affected and atmos describe stacks. (changelog)

We mentioned in April that paid subscriptions were opening up — they are, and we're continuing to onboard more this month. Two procurement paths are live:
If you're curious what pricing looks like or want to talk through which path fits your team, book a call — happy to walk through it.
A trilogy of long-form posts published this month — all three on the same theme of why a framework changes the math for production Terraform:
If you've got someone on your team building the platform argument internally, these three together are a useful arc — start with Hard Way, follow with Easy Way, finish with IDP Last.
Office Hours continues weekly. If you have questions about any of these changes, it's the fastest way to get answers. Register here if you don't already have it on your calendar, or catch up via the podcast.
Questions about any of these changes? Reply to this email or schedule time with us.
