
Welcome to issue number 74 of Last Week in AWS.

We begin this week with a reader question: is anyone using Aurora Serverless for production? It's an interesting service, but a lot of the wording around it feels like it's aimed more at dev usage. If you are, could you hit reply and let me know, please?

I spent last week at SREcon EMEA; it was fantastic to talk to folks in Europe about a lot of cloudy topics. One thing that surprised me is that while multiple folks knew I write Last Week in AWS, they thought that this was my full-time job. For clarity, this newsletter is something of a labor of love; food ends up on my table through my independent consulting business, wherein I solve only one problem: "I fix the horrifying AWS bill." The newsletter itself came out of that work--virtually everything AWS does has some form of economic impact, and there was no good weekly curated roundup where I could find out what had happened. The snark is purely there to keep myself interested--and the rest snowballed from there. So there you go: the newsletter origin story you probably didn't ask for.

This week's issue is sponsored by OpsGenie. Their modern incident management for IT operations whitepaper is well worth a look. Having run ops groups myself, you're generally going to define an incident management policy on the fly mid-incident. This is a terrible idea, and is a great way to find yourself getting yelled at. This is the whitepaper I wish I'd had *before* being escorted sobbing from the building with my belongings in a box. The real-life stories from actual companies make this more than just a theoretical exercise--it's something you can start using today. Thanks to OpsGenie for their support of this newsletter.

Community Contributions

Authentication provider Auth0 talks about running in multiple cloud providers and regions. As will come as no great surprise to people who look into these things, they've decided to go all-in on one provider (AWS) rather than continue to work multi-cloud. There's an awful lot of sense to this approach.

I found asecure.cloud this week; it's a great roundup of AWS security solutions updated regularly.

Serverless observability ("Observerless") company Epsagon weighs in with some best practices for Lambda timeouts.

It's neat to see people talking about doing a cloud migration not just for large enterprise applications, but for home labs too.

You might think that running a monolith inside of Lambda is a bad idea; the author of Unconventional Lambdas may disagree with you.

It's neat to see a HackerOne bounty going to someone who realized that there was an unclaimed S3 bucket referenced in an installation script. It's less neat to see that the reward for the discovery was a "thanks!"

In a move that's sure to bother absolutely nobody, I wrote VMware Buys CloudHealth, Pushes Stupid Multi-Cloud Narrative for the Last Week in AWS blog. In related news, I'll be speaking at CloudHealth Connect in Boston next week. Feel free to say hello if you're around or otherwise in Boston!

Another deep dive into cold starts, in an article aptly titled "Cold Start War."

As someone who stays away from databases that aren't Secrets Manager, I was surprised to learn not only that Redshift has vacuum issues, but that there's a post talking about how to fix them.

An interesting blog post about how working with AWS can change your team's culture. I particularly like the bits about the value of having frank conversations about your plans with your assigned Technical Account Manager.

Securing microservices is hard, so I make it a point not to. What're the odds someone will discover my endpoints?

Interesting that NIST has granted an AMI disclosure issue its own CVE.

IOpipe talks about the lessons they learned from building a serverless data pipeline with AWS Kinesis and Lambda.

A fascinating dive into information leakage via AssumeRole shows how fiendishly clever attackers can be.

This list of five AWS problems you didn't know you could have is, unlike most listicles, composed of useful information.

Colm MacCárthaigh just crossed the ten year mark at AWS. To celebrate, he launched a tweet thread about shuffle sharding. Ignoring that for a second, I want to say that I've had the privilege of chatting with Colm a couple of times over the past year--and when I've said "Amazon employs some of the best engineers in the world," I'm talking about Colm. Every time we chat I find myself learning a pile of new things to go home and dig into...

Last week I posted about a tool to get cost information from Kubernetes clusters. A couple of days ago I tried to show it to someone who had similar problems. It turns out he wrote the tool. I believe this is called "Codesplaining."

A nuanced and fair deep dive into serverless pricing.

If you don't know Ken Mugrage, you should remedy this immediately. He's an engaging conference speaker, a kind person, a DevOps Days core team member, and giving a webinar this Wednesday on driving DevOps culture that you should absolutely not miss. If you're free, pop in and take a listen, and possibly learn why it's critically important that the key to a successful webinar lies in pre-screening who you let ask questions. Thanks to Ken and his employer ThoughtWorks for their ongoing support of this newsletter.

Choice Cuts From the AWS Blog

Amazon GuardDuty Now HIPAA Eligible - Exciting news for healthcare, until you realize that GuardDuty is still in its infancy as a product and adds... little value, to many environments.

AWS Fargate Now Supports Time and Event-Based Task Scheduling - Cron jobs, AWS. You have reinvented cron jobs.

AWS IoT Core Adds New Endpoints Serving Amazon Trust Services (ATS) Signed Certificates to Help Customers Avoid Symantec Distrust Issues - It can't be a good thing for Symantec that large brands are talking about their certificates about to become worthless...

Use AWS Secrets Manager to Rotate Credentials for All Amazon RDS Database Types, Including Oracle - You can now use Secrets Manager to rotate your Oracle passwords, or use the Database Migration Service to rotate right the hell off of Oracle entirely.

AWS Serverless Application Repository Adds Sorting Functionality and Improves Search Experience - If you've ever looked at the Serverless Application Repo before this change, you'll wonder why the hell this took so long. "Here's a list of functions, with a broken search function and over 30 paginated pages. Good luck!" was the previous UI.

AWS WAF Launches New Comprehensive Logging Functionality - A small but significant step away from "trust us, we totally did everything you wanted us to and billed you accordingly," and towards being able to audit it effectively.

Introducing Amazon EKS Platform Version 2 - Introducing the "Amazon Elastic Container Service for Kubernetes Version Two," now with some bug fixes and extra words in its already sarcastically long name.

Performance Insights Supports Amazon Relational Database Service (RDS) for MySQL - This is exciting. Historically Performance Insights into RDS for MySQL was simply a Post-It note that had "Crappy" written on it.

Amazon DynamoDB – Features to Power Your Enterprise - Jeff Barr gives a round-up on DynamoDB's enterprise features, but conspicuously skips "the bill can resemble the GDP of a midsized nation if you misconfigure it" in the list. It's an amazing service, with a terrifying pricing model.

In the Works – Amazon RDS on VMware - Amazon RDS will soon be able to run on-premises in your datacenter on top of VMware--wait a second, did someone compromise my RSS feed reader again? How will this even work? Will AWS folks need access into my on-prem environment to manage it? Will I be able to replicate to Real AWS? How in the world is this going to be charged?

AWS CDK Developer Preview | AWS Developer Blog - Behold, an abstraction layer on top of the endless boilerplate that is CloudFormtion. Wait, I misspelled "CloudFormation;" it will now take 40 minutes for this newslettter to rebuild itself from scratch if I want to fix it...

AWS achieves FedRAMP JAB High and Moderate Provisional Authorization across 14 Services in the AWS US East/West and GovCloud Regions | AWS Security Blog - I'm not sure what "JAB High" is, thus I'm worried that mocking this achievement would in fact be "punching down."

I've always thought that Helm was something you wore on your head. It turns out it's also a package manager for Kubernetes. Last Week in AWS sponsor DigitalOcean teaches us today about how it works, why you should care, and why to never take me too seriously. Thanks again to DigitalOcean for their sustained yet inexplicable support of my ridiculous nonsense.

Tools

A blog post on using an IOT button and Lambda to start + stop an EC2 instance has sent me down the rabbit hole of trying to build a more robust workstation-like node for development. I'm increasingly intolerant of having to have a local laptop with a dev environment for Lambda work...

"Cheap," "Kubernetes," and "AWS" all in one title means I'm pretty much guaranteed to link to a way to run a really cheap Kubernetes cluster on AWS with kubeadm.

If you want to use Discord to control an EC2 instance, this bot is probably a decent start. That said, I thought Discord was primarily used by angry gamers, so what do I know...

Sander Knape has written a few things I've included in this newsletter, but this might be my favorite: a tool to test your AWS IAM credentials locally via AssumeRole. Anything that helps with implementing the principle of least privilege is a good thing in my book.

…and that’s what happened Last Week in AWS.

I’m Corey Quinn. I help people significantly reduce and understand their AWS bills and speak broadly on the conference circuit. I advise companies doing interesting things in the cloud space, such as ReactiveOps.

If you've enjoyed reading this, tell your friends about it: they can sign up at lastweekinaws.com (or post a link in your company Slack team!). As always, if you've seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply, or join the #lastweekinaws channel on the og-aws Slack team.

List archives are always available at https://snarkive.lastweekinaws.com/