Welcome to issue number 43 of Last Week in AWS.
Speaking season is starting up again. If you’d like to catch me in person, I’m keynoting DevOps Days Charlotte on February 21–22; I’ll get a discount code for tickets for you folks next week. I’ll also be speaking (which is a lofty term for “ranting about serverless”) in March at SCaLE; discount code is “LAST”.
My ridiculous sense of humor; coming soon to a coast near you.
This week’s issue is sponsored by MongoDB.
This map of big data on AWS from AWSgeek is incredible– but I maintain it needs more snark. How did Jerry not include such gems as “the wastes of Athena,” “the arid desert of Kibana,” or “the dire straits of DirectConnect?!”
Amazon has acquired security startup Sqrrl, a security company founded by former NSA staff. They’ve apparently taken the lessons learned from the War on Terror and brought them now to the War on Vowels.
This post on publishing a blog via AWS is very close to how this newsletter’s website gets published. Swap out Hugo for Pelican and Terraform for “irresponsibly doing it all by hand” and you’re mostly there.
AWSgeek goes in a bit of a new direction. Not just a visual service summary this time (though you get a beautiful one of those, too)– a full on exploration of Amazon ElastiCache is in store for you.
Three AWSgeek posts in one week? Jerry’s been busy! In this one he takes us through SageMaker visually.
There are now apparently seven different ways to run containers on AWS. Seems a bit excessive to me, but what do I know?
Choice Cuts From the AWS Blog
Amazon EC2 Spot Now Lets you Pause and Resume Your Workloads on C5 and M5 Instances - I’m not sure why this is a big deal. Anything with burst credits (the t2 family primarily), Java apps that garbage collect, or conducted over a Comcast connection have been pausing and resuming workloads on you for ages.
Amazon EC2 Spot Two-Minute Warning is Now Available via Amazon CloudWatch Events - Holy crap– now Spot instances tell you that they’re about to go away (a CloudWatch event), rather than quietly whispering to themselves in the dark (changing a value in the node’s metadata endpoint). This is a genius idea that could only have come from someone who had used Spot instances at least once. Or had heard about Spot instances before. Or had the idea vaguely explained to them in a crowded bar three drinks in.
Announcing Encrypted Snapshot Import for Amazon Aurora PostgreSQL - This means you can now keep your data encrypted as you migirate it from RDS (Postgres) to Aurora. Until now you had to decrypt the snapshot and loudly read the dump into a bad cell phone connection on a municipal bus at rush hour– oh, I’m sorry. My mistake– that’s the Database Migration Service.
Announcing Network Performance Improvements for Amazon EC2 Instances - Whoa. It’s now up to five times faster to get data from your modern EC2 instance to your insecure S3 bucket…
AWS Key Management Service now Supports AWS PrivateLink - The key management system that nobody can understand now works via the internal VPC endpoint service that nobody can afford.
New Quick Start: Build a Data Lake on the AWS Cloud with Informatica Data Lake Management and AWS Services - “Someday, 7th-grade Corey, one of the largest companies in the world is going to write an article on building a lake in a cloud without a trace of humor or sarcasm.” “…I need a grown-up.”
View and monitor your amortized reservation costs using AWS Cost Explorer, AWS Cost & Usage Reports, and AWS Budgets - I specialize in helping fix the horrifying AWS bill. Releases like this one highlight a stark divide between folks like me, who squeal with delight at changes like this, and other people who know what happiness feels like.
New – Inter-Region VPC Peering | AWS News Blog - As Jeff Barr digs out from re:Invent, this week he tells us in depth about inter-region VPC peering. This is the implementation of the thing that for years we all referred to as “cross-region VPC peering.” Don’t we all feel silly now…
AWS Adds 16 More Services to Its PCI DSS Compliance Program | AWS Security Blog - ♪ ♫ ♬ If you’re having PCI audits, I feel bad for you, son / AWS has 58 compliant services, but Athena ain’t one. ♪ ♫ ♬
How to Create an AWS IAM Policy to Grant AWS Lambda Access to an Amazon DynamoDB Table | AWS Security Blog - While this article is relatively benign, I’d said the day before that I needed to do this precise thing. Now my Lambda function is working nicely, and my Echo is sitting at the bottom of a bucket full of water as a safety precaution.
This is clever; detect API queries against S3 “honey buckets” named enticingly with your company’s name. Of course, the false positives are likely to be high, and I’m not sure how actionable these alerts are, but it’s worth considering.
From the “what the hell do you mean this requires a third party tool” department, a tool that lists your Lambda functions across all regions, along with the last time they were both modified and invoked. Output to text or CSV, sort by chosen column, filter by inactivity– this is an incredibly useful tool.
This python library expands wildcard IAM policies to show the entire permission set that you’re about to grant. Very handy when you’re not sure whether you’re about to make a very understandable yet risky mistake.
…and that’s what happened Last Week in AWS.
I’m Corey Quinn. I help people significantly reduce and understand their AWS bills and speak broadly on the conference circuit. I advise companies doing interesting things in the cloud space, such as ReactiveOps.
If you’ve enjoyed reading this, tell your friends to sign up at lastweekinaws.com (or post a link in your company Slack team!) about it. As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply– or join the #lastweekinaws channel on the og-aws Slack team.
List archives are always available at https://snarkive.lastweekinaws.com/