Welcome to the eleventh issue of Last Week in AWS. We have a double issue this week, as I was out last week for the birth of my daughter. One correction from last week’s message: the discounted region to region pricing applies between Ohio and Virginia. Oregon wants nothing to do with those shenanigans, and I’ve learned a valuable lesson about not writing emails when I haven’t slept for three days.

Note that the AWS Community Day is in San Francisco this Thursday; I'll be speaking, and I hope to see some of you there.

First, we kick off today with a message from our sponsor:

Cloud-scale monitoring, from AWS to ZooKeeper - Ever wish you could graph all your AWS metrics, correlate them with 150+ other techs, and set up sophisticated alerts? There’s a monitoring service for that: It’s called Datadog. Here’s a free trial.

Community Contributions

How to create a functional VPC using CloudFormation - I’ve been looking for a barebones “build a VPC with CloudFormation” tutorial for a while now. I really like this one.

An object lesson in exactly why securing your AWS credentials is massively important, as demonstrated by OneLogin getting breached. I’m hard pressed to envision a more damaging incident to a company.

A nifty approach to billing your customers on a recurring basis. As an added bonus, it’s serverless.

A good discussion of lessons learned with a small scale AWS bill.

One of the most painful parts of any cloud bill is the bandwidth pricing. I’m not the only person who feels this way, as evidenced by The Ridiculous Bandwidth Costs of Amazon, Google and Microsoft Cloud Computing.

This is nothing short of amazing– someone managed to shove Docker containers into Lambda. I’m fascinated and horrified all at once. I’m probably going to build a talk around this sort of thing…

A company called NVTEH did a deep-dive into exactly why public EBS snapshots are of the Devil. Since this article came out, Amazon has integrated a check for this into Trusted Advisor.
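For those who would rather not wait for Trusted Advisor, here is a small check for the problem the NVTEH article describes, as an added example for this issue (it is not code from NVTEH, AWS or Trusted Advisor). The classification logic runs offline against constructed API responses; the two functions that talk to AWS import boto3 lazily and assume it is installed with credentials allowed to call ec2:DescribeSnapshots, ec2:DescribeSnapshotAttribute and, for the remediation step, ec2:ModifySnapshotAttribute.

```python
"""Find EBS snapshots in the calling account that are shared publicly or with
other accounts, and optionally make the public ones private again.

Added example for this newsletter issue; not code from NVTEH, AWS or Trusted
Advisor. Pure classification logic is testable offline; boto3 is imported only
inside the functions that talk to AWS (assumed installed and configured).
"""
from typing import Callable, Dict, Iterable, List


def is_public(create_volume_permissions: Iterable[Dict]) -> bool:
    """A snapshot is public when its createVolumePermission attribute
    contains the group 'all' (the only group EC2 supports)."""
    return any(perm.get("Group") == "all" for perm in create_volume_permissions)


def shared_accounts(create_volume_permissions: Iterable[Dict]) -> List[str]:
    """Account IDs the snapshot is explicitly shared with."""
    return sorted(perm["UserId"] for perm in create_volume_permissions if "UserId" in perm)


def classify_snapshots(snapshots: Iterable[Dict],
                       attribute_lookup: Callable[[str], Dict]) -> List[Dict]:
    """Return one finding per snapshot that is exposed outside the owning account.

    snapshots: entries shaped like describe_snapshots()['Snapshots'].
    attribute_lookup: maps a snapshot ID to a describe_snapshot_attribute()
    response for Attribute='createVolumePermission'.
    """
    findings = []
    for snap in snapshots:
        perms = attribute_lookup(snap["SnapshotId"]).get("CreateVolumePermissions", [])
        if is_public(perms):
            exposure, accounts = "public", []
        elif perms:
            exposure, accounts = "shared", shared_accounts(perms)
        else:
            continue  # private: only the owning account can create volumes from it
        findings.append({
            "SnapshotId": snap["SnapshotId"],
            "Exposure": exposure,
            "Accounts": accounts,
            "Description": snap.get("Description", ""),
        })
    return findings


def audit_region(region: str = "us-east-1") -> List[Dict]:
    """Run the check against AWS for every snapshot owned by this account."""
    import boto3  # lazy import: the logic above needs no SDK
    ec2 = boto3.client("ec2", region_name=region)
    snapshots = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snapshots.extend(page["Snapshots"])

    def lookup(snapshot_id: str) -> Dict:
        return ec2.describe_snapshot_attribute(
            SnapshotId=snapshot_id, Attribute="createVolumePermission")

    return classify_snapshots(snapshots, lookup)


def make_private(snapshot_id: str, region: str = "us-east-1") -> None:
    """Remediation: remove the 'all' group from a public snapshot."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=["all"])


# Constructed sample data standing in for the API responses (not real snapshots).
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0123456789abcdef0", "Description": "prod-db nightly"},
    {"SnapshotId": "snap-0fedcba9876543210", "Description": "shared with partner"},
    {"SnapshotId": "snap-0a0a0a0a0a0a0a0a0", "Description": "private backup"},
]
SAMPLE_ATTRIBUTES = {
    "snap-0123456789abcdef0": {"CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0fedcba9876543210": {"CreateVolumePermissions": [{"UserId": "210987654321"}]},
    "snap-0a0a0a0a0a0a0a0a0": {"CreateVolumePermissions": []},
}


def demo() -> List[Dict]:
    """Classify the constructed sample offline."""
    return classify_snapshots(SAMPLE_SNAPSHOTS, lambda sid: SAMPLE_ATTRIBUTES[sid])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it per region; snapshots are regional, and a snapshot shared with a specific account is a finding worth reviewing even when it is not public, since anyone in that account can copy the data out.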

A subject near and dear to my heart, take a dive into the art and science of Predicting AWS price reductions– because it’s no fun for anyone to be told you just spent far more money than you needed to on reserved instances.

We all get sloppy and leave things unprotected sometimes, but most of us don’t work for the Department of Defense.

An analysis of the various infrastructure spends of the three big cloud players. It’s worth pointing out that CapEx doesn’t always mean buildings– heck, there are ways to classify portions of your AWS bill as CapEx. See this week’s tip for more on this.

Cloud service mashups are always fun, so why not use Google’s offerings to analyze your AWS bill?

This entertainingly written guide to VPC subnetting and addressing takes me back to my networking days (and the therapy they necessitated).

Choice Cuts From the AWS Blog

Easily recognize famous individuals and celebrities using Amazon Rekognition - Now we get to figure out what Amazon considers famous. Does a verified Twitter account qualify?

Amazon ECS Now Supports Time and Event-Based Task Scheduling - Fresh from the “wait, you mean it didn’t do that already” department, ECS now supports time- and event-based task scheduling. This is another salvo in the longstanding rivalry between AWS and its archnemesis, the cron daemon.

Getting Started: Follow Security Best Practices as You Configure Your AWS Resources - A timely reminder of AWS security best practices. Worth a review even for seasoned users.

Amazon RDS Supports Stopping and Starting of Database Instances - You can stop and start your RDS databases now. Note that a stopped instance still incurs storage charges, and RDS starts it again automatically after seven days, but it’s handy for avoiding large piles of money on off-hours development environments.

Amazon Aurora Can Export Data into Amazon S3 - You can now see the term “S3” appear in your SQL statements. Somewhere, Charity Majors is fuming right now.

AWS Greengrass is Now Generally Available - At long last, we have a way to execute arbitrary Python functions on our own equipment. Skeptics may point out that we’ve been able to do this for twenty years, and they’d be correct– but now we get to pay AWS for the privilege.

AWS CloudFormation now supports Amazon EMR security configuration, AWS Lambda & AWS X-Ray integration, Amazon CloudWatch percentile, Redshift resource tagging and other coverage updates - It’s always curious when AWS launches a service before CloudFormation supports it. This is another round of catch-up from the CloudFormation folks.

Tools

In this week’s episode of “Your Three Person Startup Pretends It’s Netflix,” Aardvark and Repokid help you manage your IAM permissions models. This is promising– more so once the promised CloudTrail integration hits.

Smash Lambda and Batch together, and you wind up with the ability to run scheduled jobs that leverage containers instead of the prescribed Lambda runtimes, and exceed the five minute Lambda limitation. It’s a neat concept, and it comes packaged for use via Terraform.

I’m amused by the idea of being able to launch various AWS service consoles from the macOS dock. Makes for a more seamless experience than Amazon’s navigation page, to be sure.

A selection of free tools for auditing the security of an AWS account is worth a review, particularly in light of the above-linked OneLogin disaster.
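One check every one of those auditing tools performs, and the one most relevant to the OneLogin story above, is reading the IAM credential report for root access keys, console users without MFA, and access keys that are stale or never used. Here it is as an added example for this issue (not code from any of the linked tools). The rules run offline against a constructed report; fetch_report() assumes boto3 is installed with iam:GenerateCredentialReport and iam:GetCredentialReport permissions.

```python
"""Audit an IAM credential report for the credential hygiene failures that turn
a leaked key into a very bad week: active root access keys, console users
without MFA, and access keys that are stale or have never been used.

Added example for this newsletter issue, not code from any of the linked tools.
Parsing and rules run offline against a constructed report; fetch_report()
needs boto3 (assumed installed and configured).
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Placeholder values AWS uses in the report where no timestamp applies.
MISSING = {"N/A", "no_information", "not_supported", ""}
Finding = Tuple[str, str, str]  # (user, code, detail)


def parse_ts(value: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601 with a UTC offset; placeholders become None."""
    if value in MISSING:
        return None
    return datetime.fromisoformat(value)


def audit_report(csv_text: str, now: datetime,
                 max_key_age_days: int = 90, max_unused_days: int = 90) -> List[Finding]:
    """Apply the hygiene rules to every row of a credential report."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root_no_mfa", "root account has no MFA device"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "no_mfa", "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root_access_key_{n}", "root should have no access keys"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access_key_{n}_stale",
                                 f"not rotated for {(now - rotated).days} days"))
            if last_used is None:
                findings.append((user, f"access_key_{n}_never_used",
                                 "active key that has never been used"))
            elif now - last_used > timedelta(days=max_unused_days):
                findings.append((user, f"access_key_{n}_unused",
                                 f"last used {(now - last_used).days} days ago"))
    return findings


def fetch_report() -> str:
    """Generate and download the live report (requires boto3 and IAM permissions)."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


# Constructed sample report (fictional account and users) in the real report layout.
SAMPLE_NOW = datetime(2017, 6, 5, tzinfo=timezone.utc)
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-01-10T08:00:00+00:00,not_supported,2017-06-01T09:12:00+00:00,not_supported,not_supported,true,true,2015-01-10T08:05:00+00:00,2017-06-01T09:12:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-02T10:00:00+00:00,true,2017-06-04T15:30:00+00:00,2016-11-01T10:00:00+00:00,2017-02-01T10:00:00+00:00,false,true,2016-11-01T10:00:00+00:00,2017-06-04T16:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-05-20T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-05-20T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def demo() -> List[Finding]:
    """Audit the constructed sample offline."""
    return audit_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, code, detail in demo():
        print(f"{user:16} {code:24} {detail}")
```

The "never used" rule is the one most shops skip and the one that matters most after a leak: an active key nobody has ever used is pure attack surface, and deleting it costs nothing.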

An alternative AWS CLI is worth keeping an eye on.

Tip of the Week

It’s not common, but some large shops can classify portions of their AWS bill as capital expenditure (CapEx) instead of operational expenditure (OpEx). If your finance department so chooses, doing so requires three things:

  1. You want three-year reserved instances.
  2. You need dedicated tenancy.
  3. Your auditors absolutely must be on board with this– talk to them sooner rather than later.

Amazon quietly supports this, but is quick to point you to your own auditors and finance folk. In fact, it’s probable that this is one of the driving reasons why the secondary reserved instance market exists despite the fact that nobody seems to be using it at any scale.

…and that’s what happened Last Week in AWS.

I’m Corey Quinn, a consultant specializing in helping companies fix their horrifying AWS bills. If you’ve enjoyed reading this, tell your friends about it and have them sign up at lastweekinaws.com (or post a link in your company Slack team!). As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply– or join the #lastweekinaws channel on the og-aws Slack team.