Last Week in AWS Logo

Good morning!

Welcome to issue number 71 of Last Week in AWS.

What a week! AWS themselves exposed an S3 bucket, DEFCON came and went, Aurora Serverless went GA, and Lambda GM left AWS to go work at Coinbase. Let's dive in...

Scalyr continues to surprise me. Despite authoring whitepapers that sound like they'd be a brand ad for what they're selling... they're really not. This paper on Five Best Practices for Kubernetes Monitoring is well researched, gives great insight into what you should be thinking about, and only lightly mentions that they offer one possible implementation. If you're running Kubernetes and worried about monitoring it, check this out; I'd not steer you wrong. Thanks again to Scalyr for their sponsorship of this newsletter.

Events

The inaugural REdeploy conference (exploring the intersections of resilient technology, organizations, and people) is coming to San Francisco this week! Last Week in AWS is proud to be a media sponsor. Coupon code LASTWEEK will get you 10% off of any ticket.

I'll be in Anaheim next week to speak at the AWS Summit. If you'll be around, let me know-- I'm there all day!

There's an upcoming AWS Community Day Bay Area next month on September 12th. Sadly I'll be in Boston making fun of AWS bills instead, but it's well worth attending. It's free to attend, and it's at the Computer History Museum in Mountain View.

Your CI/CD pipeline is broken. How do I know? Either I'm Nostradamus, or this is a very common problem. This week's issue is sponsored by GoCD, from ThoughtWorks. It's free and open-source, integrates natively with the most popular cloud infrastructures, and has both a broad community *and* enterprise support options for those of you who're into either end of that very broad spectrum. Tools don't solve issues, but GoCD eases your continuous delivery pains. Thanks to GoCD for their support.

Community Contributions

Adroll's engineering blog posts about running large batch processing pipelines on AWS Batch. I've never used Batch myself, despite having friends in the product team, for one simple reason: my data sets are relatively tiny. If you're using Batch and think there's something I should know about it, hit reply; customer stories are always interesting to hear.

Arcentry talks about their (not so smooth) journey productising a serverless app on AWS. It's not a hit piece, nor is it a PR win for AWS. Instead, it's a very honest and very relatable story of their journey. I adore writing like this.

This week's issue is once again sponsored by DigitalOcean. In what's almost completely unprecedented in the cloud space, they not only disclose what they've done so far this year, but also give a glimpse into upcoming releases. Note-- this isn't of the form "X family of instances will be released sometime between now and when the Earth crashes into the Sun," but also tidbits such as "We're going to be launching a managed database." It's worth a look just to see how different roadmap communications could be. Thanks again to DigitalOcean for their continued support.

I tripped over this last week as I was trying to figure out the best way to do something complex with an assumed role from my laptop, in somebody else's AWS account. A Comprehensive Guide to Authenticating to AWS on the Command Line is timely, relevant, and well worth the read.

Being able to restrict access to EC2 Instances Based on Tags is a fascinating idea, and so obvious in retrospect that I wonder why I never tried to do it. Cloudonaut has a knack for coming up with things like this.

If you think the AWS service icons make a lick of sense, I invite you to take this AWS icon quiz. I spend entirely too much time in these weeds, and I got 6 of 20 correct. The results will apparently be sent to an AWS product team, though it's not clear whether the goal is "for them to improve the icons" or merely "to make them feel bad about their work." I'm hoping for the former.

A revision to an old article on Centralised logging for AWS Lambda, REVISED (2018) – Hacker Noon, Yan Cui talks again about how to properly aggregate logs for serverless environments.

From the department of "That's Not How We Do It At Netflix" comes the tale of Detecting Credential Compromise in AWS. Handy tools and workflows are included. It's worth a pass, but remember that just because someone else does it this way doesn't make it the right fit for you.

Charity Majors was interviewed by A Cloud Guru's Serverless Superheroes feature, in Why you can’t effectively debug your modern systems with dashboards. This may astound some of you, but Charity has strong opinions about observability...

After working with CloudFormation for two years, Sander Knape somehow retained enough sanity to write this blog post and email me about it before presumably expiring. His sacrifice will be remembered.

At ServerlessConf I was interviewed by SiliconANGLE on theCUBE about my thoughts on AWS's advantage in serverless computing. Best of all, they even took my self-granted job title of "Cloud Economist" at face value: AWS holds the advantage in serverless computing, says cloud economist

Summit Route has a decent write-up this week that disambiguates between AWS CloudTrail vs CloudWatch Events vs Event History. You won't convince me that I'm the only person who was confused.

The irrepressible Kevin Kuchta has turned a Markov generator loose on the corpus of AWS announcements going back a decade. Please be responsible with this; it's not kind to automate Jeff Barr out of a job.

AWS has released its template re:Invent justification letter. I took their advice and sent it to my wife for her approval. I forgot I married a corporate attorney. If anyone needs help writing their trip report this year, let me know...

General Manager of AWS Lambda Tim Wagner is leaving to join Coinbase as their VP of Engineering. It makes sense, I suppose; if you're looking to build out a platform for painfully complex financial transactions, someone who knows how AWS bills get made is a great option. He will be missed-- after all, even if he's not dead, he's probably dead to us. .

This week's S3 Bucket Negligence Award goes (finally!) to AWS themselves. You can argue endlessly about which side of the Shared Security Model S3 bucket permissions should properly land on, but when an AWS employee screws up and exposes price modeling about 31,000 GoDaddy servers, there's no two ways about it-- this is AWS's mistake.

Jerry Hargrove / awsgeek has another visual service summary, this time of Amazon EKS.

The artistically gifted Jerry Hargrove is at it again, with a well-crafted Periodic Table of AWS Services. I love this more than I probably should-- note that its seemingly random placement is in fact derived from the console dropdown that AWS themselves provide.

I got to chat with Ho Ming Li, Lead Solutions Architect at Gremlin. We discussed his previous role as a TAM at AWS, and his new role doing Chaos Engineering. Screaming in the Cloud Episode 22: The Chaos Engineering experiment that is us-east-1.

The New Stack is running a survey around Serverless Technologies; please take it. While you're at it, please let me know what you liked or didn't like about the survey; I'm starting design work on the 2018 "Last Year in AWS" survey that I'll send out in December.

Jobs

If you're in Los Angeles, consider working at Fender Digital, of guitar fame. They're an AWS shop that's making a big move into Serverless; this role gets to write the Lambda functions that make the music happen. One caveat to bear in mind-- they'll buy you any Macbook you want, but you're going to have to provide... your own power chord.

Choice Cuts From the AWS Blog

AWS Secrets Manager - Delete and Recreate Secrets - "You can delete secrets" is now a headline feature of the secrets management service. The fact that it wasn't before is a head scratcher...

Amazon DynamoDB Accelerator (DAX) Adds Support for Encryption at Rest - This is a nice enhancement. I regret that I don't have a use case for DAX yet, since you people continue to fail to beat my site to death.

Amazon Inspector Now Supports Security Assessments for Debian - Both of the shops currently using Debian rejoice!

Amazon RDS for MySQL Now Supports Delayed Replication - As far as DR strategies go, "you have fifteen minutes from breaking something expensive to frantically authenticate to a system / look up how to break replication before your changes destroy your 'backups' and your career" isn't exactly my favorite pattern, but it does get the job done for some folks...

Amazon Rekognition Increases Accuracy of Text-in-Image - Ah good. This is absolutely the biggest problem with Rekognition right now. Thanks for sharpening the text detection!

Amazon VPC Flow Logs can now be delivered to S3 - It's good to know that the CloudWatch Logs team has finally run out of bribery money to keep their service between you and doing anything useful with VPC Flow Logs. Rejoice!

Automatically Create Amazon CloudFront Distributions for AWS Elemental MediaPackage Channels from the AWS Management Console - This is notable not because anyone cares about AWS Elemental (they don't (I know, I know there are dozens of you, don't @ me)), but because it's a "one click to create a previously painfully annoying to create CloudFront distribution. I'd love it if this came to the S3 console...

AWS CloudTrail Adds VPC Endpoint Support to AWS PrivateLink - AWS PrivateLink (a service that provides VPC endpoints to a bunch of AWS offerings) continues to expand, at a pace that can charitably be described as "glacial." (Glacier still needs the S3 endpoint.)

AWS Personal Health Dashboard Now Supports Fine-Grained Access Control Via IAM Policy Conditions - I've got to ask-- when you look at all of the feature enhancements AWS could make, who the hell puts "I don't want everyone in my organization to be able to see AWS-side outages that may impact their applications" anywhere on the list, let alone at the top?!

AWS Now Accepts Direct Debit ACH Payments - Wow. It took until 2018 to offer a payment method that doesn't cost AWS a transaction fee? This might be an opportune time to point out that the Amazon Prime credit card offers 5% back on Amazon purchases to prime members-- and that includes AWS payments. I'm not kidding.

Performance Insights is Available for Amazon Aurora with MySQL Compatibility - Performance Insights continues to expand its coverage. "Hey, your database performance is really crappy" is absolutely the sort of thing you had no idea existed without this tool.

Aurora Serverless MySQL Generally Available | AWS News Blog - This is really neat. A few caveats: you've gotta have at least 2 "Aurora Compute Units" whenever it's running (it scales down to zero), and when it's at zero it'll take 20-25 seconds to spin up and service requests. Other than that, this is a great start-- one of the more promising first day launches of an AWS service in a while.

Amazon sponsors R00tz at DEF CON 2018 - The least likely thing for Amazon to ever sponsor is this newsletter. Close behind it is DEFCON. Uh… who should I send a media kit to, Amazonians?

Linux Kernel SegmentSmack Issue - Well this isn't ominous in the least... At press time, the entire link reads as: "AWS is aware of a recently-disclosed security issue, commonly referred to as SegmentSmack, which affects the TCP processing subsystem of several popular operating systems including Linux. AWS services are operating normally. We will post a further update as soon as one is available. For more information, please see https://www.kb.cert.org/vuls/id/962459."

Tools

If you're looking to do pen-testing on AWS environments, I've got a treat for you today. Rhino Security has released pacu, their penetration testing toolkit. Please do remember to tell AWS that you're going to be pen-testing before you start.

Yet another tool to check whether you've exposed S3 buckets to the public, this one emails you every hour if you have one.

Some AWS API calls are logged to CloudTrail, but some aren't. You might think you could figure out which ones get logged by checking a master AWS list. You're adorably naive, but I want to live in the world you do. Instead, you get to find out yourself. Fortunately, trailblazer-aws has been open sourced to solve exactly that for you. Security folk, take notice.

…and that’s what happened Last Week in AWS.

I’m Corey Quinn. I help people significantly reduce and understand their AWS bills and speak broadly on the conference circuit. I advise companies doing interesting things in the cloud space, such as ReactiveOps.

If you’ve enjoyed reading this, tell your friends to sign up at lastweekinaws.com (or post a link in your company Slack team!) about it. As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply– or join the #lastweekinaws channel on the og-aws Slack team.

List archives are always available at https://snarkive.lastweekinaws.com/