Welcome to the eighteenth issue of Last Week in AWS.

For the first time, I guested on a podcast last week. It’s worth a listen if you’d like to hear me opine on data breaches in cloud environments, the shared responsibility model, and / or torture a chihuahua metaphor to death, on Head in the Cloud.

Community Contributions

A story of how a site cut their AWS bill by 90% by migrating to a serverless architecture.

A modernized writeup of how to host a website on S3 without getting drowned to death by trivia in the process. There have been a lot of these; this one is up to date, and goes step by step through doing this via the CLI.

There’s been a bit of conversation about this one this week– the post appears to blame AWS for the way their platform works. The author is correct insofar as there are a lot of edge cases to AWS services that greatly impact latency, but “understanding the tools you’re using” is generally preferable to writing a blog post that implies that the platform is garbage.

Within a day of StackSets being released, someone has a full blog post about how to use them to automate cross account or cross region deployments. That’s some fast turnaround!

Choice Cuts From the AWS Blog

Create a New Default VPC using AWS Console or CLI - While I’m not entirely sure why a relatively trivial feature warranted coverage on the AWS blog, I will admit that this likely significantly reduces the burden upon AWS Support. Be aware, many security compliance regimes insist you delete the default VPC for no discernible reason. Have fun playing on-again, off-again!

New – High-Resolution Custom Metrics and Alarms for Amazon CloudWatch - You can new get CloudWatch metrics with much higher resolution than you could historically; you can now ask “Are We There Yet” once a second, with three hour retention. You may wish to keep this tidbit well away from a few product managers. You know who they are.

AWS CloudFormation Supports Multiple Account and Region Provisioning with StackSet - StackSets greatly increase your ability to reuse CloudFormation work between regions and accounts. We got a sneak peek of this one a few hours early, when it started showing up in people’s accounts before the official unveil. Releases are hard.

Tag Your Spot Fleet EC2 Instances - You can now tag your spot fleet EC2 instances, which in turn means your cost reporting just got a lot more accurate if you’re using spot fleets at any kind of scale. Definitely worth including in any roundup with a title similar to “Wait, you mean it didn’t do this already?”


Need to instrument your Django app so you can trace it via X-Ray? Take a look at this github shim.

A terrific collection of tips, tricks, and tools for working with AWS’s ECS. If you’re managing containers with ECS, spend a bit of time reading through it. If you’re not managing containers with ECS, give yourself a pat on the back for avoiding a quagmire.

A great nominee for inclusion in my upcoming talk on AWS Lambda, Chromeless lets you use lambda functions for a variety of tasks, including screenshotting, testing, and automation of web based workflows.

If you’ve got multiple AWS accounts, it’s annoying to run Trusted Advisor manually across all of them, as well as aggregate health checks and AWS Support cases. Take a look at Trusted Overlord if this sounds like a problem you’ve got.

Tip of the Week

The past few weeks seem to have a theme of S3 bucket permissions.

The only real way to silence a lot of the automated checking around S3 bucket permissions is to remove global read access. This is great, but what if you want to use S3 to host a static site?

The “correct” way to do this is via CloudFront. Make a CloudFront distribution that points to the S3 bucket (as a bonus, you get free TLS for custom domains this way) and publish it. Once that’s done, repoint DNS to the CloudFront domain, and lock down the S3 bucket so that only the CloudFront distribution can access it.

It buys you remarkably little from a security perspective, but it does force all of your traffic through CloudFront– and it silences the audit alarms that otherwise need compensating controls.

…and that’s what happened Last Week in AWS.

I’m Corey Quinn, a consultant specializing in helping companies fix their horrifying AWS bills. If you’ve enjoyed reading this, tell your friends to sign up at lastweekinaws.com (or post a link in your company Slack team!) about it. As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply– or join the #lastweekinaws channel on the og-aws Slack team.

List archives are always available at https://snarkive.lastweekinaws.com/