Good morning!

Welcome to issue number 49 of Last Week in AWS.

This coming week marks the 12-year anniversary of the launch of AWS. The initial public launch featured three different services: SQS (their first service– you can win bar bets with that factoid), EC2, and S3. This was the critical number of services needed to launch, as two’s a company, but three’s a cloud.

Community Contributions

Cloudonaut is releasing new CloudFormation templates to store your state. These are highly available, scale up or down based upon usage, and won’t destroy your data.

Apparently at some point the BYOL option for Microsoft SQL Server RDS licensing was withdrawn. This probably doesn’t sit too well with shops that have paid large sums of money to Microsoft for database licenses that are now useless to them. Thanks to Paul Wakeford for finding the diff of the change a few weeks back.

An update to Yan Cui’s AWS Lambda performance benchmarks between different runtime languages. .NET 2.0 is the fastest, Go is on par with Java… Cats and dogs living together… what even is this?!

Segment apparently has many dozens of AWS accounts. Here’s how they manage that box of pain securely, without losing their everloving minds.

A dive into implementing a dual-approval workflow for CodePipeline. Your auditors will love this.

I can’t shake the feeling that potty training my daughter will someday be a challenge– but is it really a challenge that requires Twilio, an IoT button, python, a Lambda function, and a spare week to get it all hooked together?

And on the lighter side, the internet lost its mind last week over Alexa laughing at random. As a long time Amazon observer, I can confidently state that you have nothing to worry about until she refuses to *stop* laughing, despite being unplugged and submerged in water.


Choice Cuts From the AWS Blog

Amazon ECS Supports Container Health Checks and Task Health Management

Amazon Elasticsearch Service now Supports Instant Access Policy Updates - Did you know that many services don’t reflect access changes immediately? Sleep tight, infosec friends!

Amazon WorkSpaces Reduces User Fees for Qualified Education Institutions - If you’re an educational institution, you now get discounted rates on Workspaces. If you’re an educational institution and paying retail price on any vendor’s cloud offering, pick up a phone, call them, and begin screaming until they fix it.

AWS GovCloud (US) Region Adds Third Availability Zone - I’m told that their internal codenames are “judicial,” “legislative,” and “executive.” You’re welcome, political science majors.

AWS Service Catalog Launches Brand Your Console to Deliver a Customizable User Experience

AWS Storage Gateway Expands Automation with New CloudWatch Event, and Support for “Requester Pays” Buckets - Note that “requester pays” is the only legitimate use for the S3 permission of “Any Authenticated User.” Any other usage of that permission invariably turns into “InfoSec Engineer pays.”

AWS Secret Region expands to include 11 new services | AWS Security Blog - This blog post doesn’t exist. There’s nothing here. You saw absolutely nothing.

How to Delegate Administration of Your AWS Managed Microsoft AD Directory to Your On-Premises Active Directory Users | AWS Security Blog

How to Use Bucket Policies and Apply Defense-in-Depth to Help Secure Your Amazon S3 Data | AWS Security Blog

Tools

If you dread bill surprises, drop everything, run this CloudFormation template, and rest assured that you’ll get an email before your bill explodes. This is a real gem.

While I don’t love that it requires an Elasticsearch cluster, Duo Security has released Cloudtracker, a handy CloudFormation template that tells you which users and roles have permissions assigned that they’re not using.

You can now run entire PHP websites in Lambda via LambdaPHP. Note that this is a very early proof of concept that is probably a week away from powering all of Facebook.

Terraform-AWS-Harpocrates is a Terraform module to easily deploy Chamber, Segment’s secrets store that’s backed by AWS Parameter Store.

…and that’s what happened Last Week in AWS.

I’m Corey Quinn. I help people significantly reduce and understand their AWS bills and speak broadly on the conference circuit. I advise companies doing interesting things in the cloud space, such as ReactiveOps.

If you’ve enjoyed reading this, tell your friends about it and have them sign up at lastweekinaws.com (or post a link in your company Slack team!). As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send it my way. You can either hit reply– or join the #lastweekinaws channel on the og-aws Slack team.

List archives are always available at https://snarkive.lastweekinaws.com/