AWS Lambda MicroVMs: The Sandbox AI Agent Builders Have Been Waiting For AWS announced the general availability of Lambda MicroVMs on June 22, 2026, a new service that provides dedicated Firecracker virtual machines for each user session or AI agent, enabling secure execution of untrusted code with full state preservation for up to eight hours. The service launches in seconds, costs nothing while suspended, and offers VM-level isolation without the provisioning burden of EC2, addressing a key security challenge for AI agent builders. Every developer building an AI agent that executes code runs into the same wall: you don’t control what the model generates, and you can’t run untrusted code in a shared environment without eventually regretting it. Containers share a kernel. Standard Lambda functions are stateless and share a kernel too. EC2 is too slow to provision per session. This is the trust boundary problem — and it has been quietly limiting what AI agent builders can safely ship. AWS Lambda MicroVMs, which reached general availability on June 22, 2026, is the primitive that closes this gap. It gives each user session or AI agent its own dedicated Firecracker virtual machine — no shared kernel, no shared resources — that launches in seconds, preserves full state for up to eight hours, and costs nothing while suspended. The same hypervisor technology that already powers 15 trillion Lambda invocations per month is now exposed directly to developers who need it. What Lambda MicroVMs Actually Is Lambda MicroVMs is not a new variant of Lambda Functions. It is a separate resource type — think of it as Firecracker-as-a-Service with snapshot lifecycle management included. The execution model differs fundamentally from request/response Lambda: - You supply a Dockerfile and a code artifact in S3 - Lambda initializes your application and snapshots the running memory and disk state via Firecracker - Each run-microvm call returns a dedicated HTTPS endpoint with your application already running - When idle, the MicroVM auto-suspends — no compute charges, full state preserved - On the next request, it resumes from snapshot with installed packages, loaded models, and file state intact The isolation guarantee is the key differentiator: each MicroVM has its own kernel. A container escape inside one session cannot reach another session or the host. That is the security contract you need when users or AI models are writing and running the code. The Isolation Hierarchy Most developers working with multi-tenant compute know the trade-off exists but are fuzzy on where each technology sits. Here is the hierarchy that matters for 2026 AI workloads: | Tier | Technology | Kernel | Use When | |---|---|---|---| | Containers | Docker / OCI | Shared | Trusted code, fast horizontal scale | | Sandboxed containers | gVisor | Intercepted | Moderate trust requirements | | MicroVMs | Firecracker | Dedicated | AI-generated code, user scripts | | Full VMs | KVM / EC2 | Dedicated | Compliance-grade, max isolation | Lambda MicroVMs sits at the correct tier for most AI agent workloads in 2026: VM isolation without EC2 provisioning burden. The tradeoff is cost and manual fleet management — covered below. Specs and Getting Started MicroVMs run ARM64 the only architecture at GA , with up to 16 vCPUs, 32 GB of RAM, and 32 GB of disk per instance. They support HTTP/2, gRPC, and WebSocket — appropriate for agent streaming workloads. Regions at launch: US East N. Virginia, Ohio , US West Oregon , Europe Ireland , and Asia Pacific Tokyo . Creating and launching a MicroVM takes two commands: Step 1: Build the MicroVM image from your Dockerfile and S3 artifact aws lambda-microvms create-microvm-image \ --code-artifact uri=s3://your-bucket/app.zip \ --name my-agent-sandbox \ --base-image-arn arn:aws:lambda:us-east-1:aws:microvm-image:al2023-1 Step 2: Launch and get a dedicated HTTPS endpoint aws lambda-microvms run-microvm \ --image-identifier arn:aws:lambda:us-east-1:123456789:microvm-image:my-agent-sandbox \ --idle-policy '{"maxIdleDurationSeconds":900,"suspendedDurationSeconds":300}' No load balancers, no VPC configuration, no infrastructure management required. Lambda assigns a dedicated endpoint with short-lived token authentication via the X-aws-proxy-auth header. Build logs stream to CloudWatch at /aws/lambda/microvms/