Welcome to the sixth issue of Last Week in AWS.

Last week was quieter on the official AWS front, as they seem to have spent it recovering from their flurry of announcements in the previous week’s summit. That said, let’s forge ahead:

Community Contributions

There’s a great dive into how cost control was approached to reduce the cost of running a Kubernetes Cluster on AWS by 70%. As we’re hearing more and more about Kubernetes, it’s interesting to see various deployment strategies into AWS; I expect to see more articles like this cropping up over the next year or so.

A tale of migrating from Heroku to AWS shows some of the pains and pleasures of migrating from solutions someone else manages for you onto platforms that require more of your engineering focus.

Google talks about going multi-cloud between GCP and AWS. The solution is sound, but fails to emphasize that their proposed solution puts the data transfer costs almost entirely on the AWS side. As with many solutions, at scale this has the potential to do damage to your AWS bill.

Also on the topic of reducing Amazon bills, OlinData shares their story about a credential compromise cost an enormous pile of money. A lot of hard-learned lessons lie buried in this one, as they dig into a number of mistakes that are very easy to make.

Choice Cuts From the AWS Blog

New – Server-Side Encryption for Amazon Simple Queue Service (SQS) - SQS was AWS’s first publicly available service. Nice to see it gain encryption through KMS, which apparently nobody fully understands.

Announcing the Availability of Hardware Multi-Factor Authentication in the AWS GovCloud (US) Region - After a long wait, AWS now lets government employees lose not only their car keys, but their security clearances at the same time.

Amazon Inspector Update – Assessment Reporting, Proxy Support, and More - Amazon’s Inspector adds new features, helping it gain market share in the lucrative “generates a security report that you will ignore until it’s too late” space.

Manage access to your RDS for MySQL and Amazon Aurora databases using AWS IAM - Managing database users for MySQL just became more centralized. Postgres support for similar is rumored to be in the works, while Oracle database authentication is still accomplished via the transfer of money from designated accounts.


GitHub has open sourced OctoDNS to help manage split-authority DNS.

AutoSpotting helps automate use of the AWS spot market if your workload supports it. This is a great way to help reduce costs for your environment without making a pile of engineering changes.

Understanding IAM is difficult at the best of times– and the official AWS documentation doesn’t help. Cloudonaut’s IAM reference is a great help in quickly figuring out how to craft the policy you want.

Tip of the Week

Originally, the US Standard S3 region (us-east–1) had a weaker consistency model than other S3 regions– in other words, being able to access an object immediately after writing it would not be guaranteed to work due to a race condition. This was corrected in August of 2015, but many guides to AWS missed this detail. It may be worth validating that your S3 usage model’s assumptions make sense with S3’s current implementation.

…and that’s what happened Last Week in AWS.

I’m Corey Quinn, a consultant specializing in helping companies fix their horrifying AWS bills. If you’ve enjoyed reading this, tell your friends (or post a link in your company Slack team) about it! As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way– just hit reply.