Newsletter: Use new AWS re:Invent features today

Dec 9, 2025

AWS re:Invent brought a wave of powerful new serverless capabilities, and we’ve been working at record pace to bring them into the Serverless Framework. Many of the features announced at AWS re:Invent are already available for you to use today in Serverless Framework v4, and more are coming soon. Below is a rundown of the features we’ve implemented and practical guides on how to start using them in your serverless applications right now.

Join us on Monday, December 15th at 10 am Pacific on YouTube, Twitch, or X for a live stream as we show how you can use the major features from AWS re:Invent in your Serverless Framework services.

Are you interested in building, not just using the Serverless Framework? If so, we are hiring full-time Serverless Framework developers - please apply here.

As always, we're accessible. You can chat with us anytime for support, feedback, or partnership inquiries. Email us or schedule a meeting.

Last chance - Offer Ends on Friday: 20% Discount

We’re offering 20% off all Serverless Framework Subscriptions for Reserved Credits when you sign up before Friday, December 12, 2025.

  • Who qualifies: Available to new customers and renewing customers with Reserved Credits. Renewal customers qualify for this promotional discount if seeking a 2 or 3-year term.
  • Discount persists upon renewal: The 20% discount automatically carries over to your first renewal for 2 and 3-year subscriptions.
  • Budget flexibility: Secure your reduced rate now and choose to start your subscription and invoicing in January 2026, aligning with next year’s budget cycle.

If you're interested, email us at sales@serverless.com or book a meeting.

New regions & runtimes: New Zealand, Node.js 24, Python 3.14, Java 25

AWS re:Invent Announcements:

Docs: Providers

The Framework now ships first‑class support for the nodejs24.x, python3.14, and java25 runtimes and adds support for the new ap-southeast-6 AWS region, so you can move production workloads onto the latest Lambda platforms closer to your users.

provider:
  name: aws
  region: ap-southeast-6
  runtime: nodejs24.x # or python3.14 or java25

HTTP response streaming for APIs

AWS re:Invent Announcement: Building responsive APIs with Amazon API Gateway response streaming

Docs: Enabling response streaming for proxy integrations

The Framework now supports response streaming for API Gateway HTTP APIs. Use it to stream logs, long‑running reports, or partial responses to the client without waiting for the full payload to be ready. This is perfect for streaming AI Agent responses without needing to use Lambda Function URLs.

functions:
  streamer:
    handler: handler.stream
    events:
      - http:
          path: stream
          method: get
          response:
            transferMode: STREAM

Lambda tenant isolation mode

AWS re:Invent Announcements:

Docs: Tenant Isolation

Running multi‑tenant workloads on AWS Lambda? You can now opt into the new AWS Lambda tenant isolation mode via the Framework to create distinct Lambda compute environments per tenant when appropriate, helping reduce noisy‑neighbor effects and isolating high‑traffic customers more cleanly.

functions:
  processTenant:
    handler: src/tenant.handler
    tenancy:
      mode: per_tenant

Richer API Gateway controls: security policy & endpoint access

AWS re:Invent Announcement: Enhancing API security with Amazon API Gateway TLS security policies

Docs: Security Policy

You can now configure API Gateway security policy (e.g., minimum TLS version) and endpoint access mode directly in serverless.yml. That means stricter defaults for internet‑facing endpoints and private endpoints that are reachable only from your VPC or private integrations.

provider:
  name: aws
  apiGateway:
    endpoint:
      securityPolicy: SecurityPolicy_TLS13_2025_EDGE
      accessMode: strict

AWS CLI Login & MFA

AWS re:Invent Announcement: Simplified developer access to AWS with ‘aws login’

Setting up AWS credentials is now much easier with the new aws login command. If you are using the Serverless Framework for the first time, you'll now have the option to use this command instead of setting up credentials manually.

? AWS Credentials Set-Up Method:
› Sign in with AWS CLI (Recommended)
  Save AWS Credentials in a Local Profile
  Skip & Set Later (AWS SSO, ENV Vars)

The CLI now also supports MFA Prompting when using an AWS Profile:

serverless deploy --aws-profile my-mfa-profile

Serverless Framework improvements didn't stop with the AWS re:Invent announcements - we've added a range of new features like per-function IAM role mode, IPv6 dual-stack support, the Fn::ForEach intrinsic, and a built‑in API Gateway Service Proxy.

Per‑function IAM role mode

Docs: Per Function IAM Roles

Building on per‑function IAM roles, you can now switch the whole service into perFunction mode so the shared service‑wide execution role is not created and each function gets its own dedicated role. That makes it easier to enforce least privilege at scale and avoid service‑role policy size limits.

provider:
  name: aws
  iam:
    role:
      mode: perFunction
      
functions: 
  ddbConsumer:
    handler: handler.ddbConsumer
    events:
      - stream:
          type: dynamodb
          arn: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/Orders/stream/2025-11-30T12:00:00.000   
    # Gets its own role with CloudWatch Logs permissions and
    # DynamoDB Streams permissions (GetRecords, GetShardIterator, etc.)
    # scoped to the configured stream ARN.
      
  queueWorker:
    handler: handler.queueWorker
    events:     
      - sqs:
          arn: arn:aws:sqs:${aws:region}:${aws:accountId}:user-events-queue
    # Gets a separate role with CloudWatch Logs permissions and
    # SQS permissions to receive messages, delete them, and read 
    # queue attributes from the configured queue.
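
A pre-deploy check for the two hardening settings described above (the API Gateway security policy and access mode, and perFunction role mode), run over an already-parsed serverless.yml object. This is an added example, not Serverless Framework code: the key names are the ones shown on this page, while `auditServerlessConfig`, the finding ids, the `APPROVED_TLS_POLICIES` allowlist and the sample configs are assumptions made for illustration.

```javascript
'use strict';
// Added example. Allowlist of security policies your organisation accepts;
// the only entry here is the value shown on this page.
const APPROVED_TLS_POLICIES = ['SecurityPolicy_TLS13_2025_EDGE'];

function auditServerlessConfig(config, approved = APPROVED_TLS_POLICIES) {
  const findings = [];
  const provider = config.provider || {};
  const fns = Object.entries(config.functions || {});

  // Only the object form of provider.iam.role can carry `mode`.
  const role = provider.iam && provider.iam.role;
  const mode = role && typeof role === 'object' ? role.mode : undefined;
  if (fns.length > 1 && mode !== 'perFunction') {
    findings.push({ id: 'shared-execution-role',
      detail: `${fns.length} functions share one execution role` });
  }

  // Endpoint settings matter only when some function has an `http` event.
  const exposed = fns
    .filter(([, fn]) => (fn.events || []).some((e) => e && typeof e === 'object' && 'http' in e))
    .map(([name]) => name);
  if (exposed.length > 0) {
    const endpoint = (provider.apiGateway && provider.apiGateway.endpoint) || {};
    if (!approved.includes(endpoint.securityPolicy)) {
      findings.push({ id: 'unapproved-tls-policy',
        detail: `securityPolicy=${endpoint.securityPolicy} for ${exposed.join(', ')}` });
    }
    if (endpoint.accessMode !== 'strict') {
      findings.push({ id: 'endpoint-access-not-strict',
        detail: `accessMode=${endpoint.accessMode} for ${exposed.join(', ')}` });
    }
  }
  return findings;
}

// Constructed sample configs (what a YAML parser would return).
const sampleFunctions = {
  api: { handler: 'src/api.handler', events: [{ http: { path: 'orders', method: 'get' } }] },
  worker: { handler: 'src/worker.handler', events: [{ sqs: { arn: 'arn:aws:sqs:us-east-1:111111111111:jobs' } }] },
};
const weakConfig = { provider: { name: 'aws' }, functions: sampleFunctions };
const hardenedConfig = {
  provider: { name: 'aws', iam: { role: { mode: 'perFunction' } },
    apiGateway: { endpoint: { securityPolicy: 'SecurityPolicy_TLS13_2025_EDGE', accessMode: 'strict' } } },
  functions: sampleFunctions,
};

console.log(auditServerlessConfig(weakConfig).map((f) => f.id));
console.log(auditServerlessConfig(hardenedConfig).map((f) => f.id));
```

Feed it the object your YAML parser produces in CI and fail the pipeline when the returned array is non-empty.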

IPv6 dual‑stack support

Docs: VPC

VPC configuration now supports ipv6AllowedForDualStack, making it easier to embrace dual‑stack networking.

provider:
  vpc:
    ipv6AllowedForDualStack: true
    securityGroupIds:
      - securityGroupId1
      - securityGroupId2
    subnetIds:
      - subnetId1
      - subnetId2

Fn::ForEach intrinsic for DRY CloudFormation

We’ve added support for the Fn::ForEach intrinsic so you can generate repeated resources (queues, topics, alarms, etc.) from arrays, without hand‑copying large sections of YAML. Use it to keep complex infrastructure layouts readable as they grow.

resources:
  Transform: AWS::LanguageExtensions
  Resources:    
    Fn::ForEach::TenantBucket:
      - TenantName
      - - tenant-a
        - tenant-b      
      - ${TenantName}Bucket:
          Type: AWS::S3::Bucket
          Properties:
            BucketName: !Sub '${TenantName}-${self:service}-${sls:stage}'

Built‑in API Gateway Service Proxy

Docs: API Gateway AWS Service Proxy Integration

The popular serverless-apigateway-service-proxy plugin is now part of core. Keep your existing API definitions and service proxy configuration - just remove the plugin from serverless.yml and package.json.

custom:
  apiGatewayServiceProxies:
    - sns:
        path: notifications
        topicName: user-updates

Improvements & Bug Fixes

Recent releases include a large set of fixes across usability, debugging, and platform support:

  • Python improvements - On top of the November integration of serverless-python-requirements into core, we further improved Python packaging when used with Compose and Docker, including automatic uv installation in Docker‑based builds. If your service uses custom.pythonRequirements, you get these improvements automatically - no extra plugin required.
  • Smarter AWS credentials with auto-refresh & MFA - The AWS credential provider now supports automatic refresh and optional MFA when you authenticate via AWS CLI or SSO. This reduces surprise expirations during long deploys and makes security‑hardened workflows (short sessions, MFA‑required roles) work smoothly with the Framework.
  • Better error handling & SDK robustness - Across multiple releases we tightened error detection for AWS SDK failures, improved retry behavior, and reduced noisy stack traces — all to make the CLI fail more predictably with actionable messages instead of obscure errors.
  • Dependency cleanups - These reduce the surface area for supply‑chain issues and keep the CLI aligned with current ecosystem best practices.
  • Continued improvement - Better input validation, error logging, and config handling help catch misconfigurations earlier in the lifecycle.
