Last Week in AWS Logo

Good morning!

Welcome to issue number 94 of Last Week in AWS.

We're confirmed for the evening 2/12 in Seattle; if you're there, I'll be doing Cloud Standup Comedy. Tickets are free but limited; RSVP now for Tonight in AWS! Thanks to Polyverse for helping with the logistics / sponsoring the bar tab.

This week's issue is sponsored by Scalyr. In case you were unaware, Nginx is still going strong since its initial release in 2004. Like any long-running software (or a small child), it can get into trouble if left completely unattended. Our “How to Monitor Nginx Guide” has best practices and recommendations for monitoring a production Nginx deployment. The guide, however, does not have recommendations for monitoring a small child, much to my chagrin. Read the guide here. Thanks to Scalyr for their continuing support of this newsletter. Now where has that toddler gotten to?

Community Contributions

A post diving into the rocky path to delete an AWS Organizations member account. Until now the best practice has been to quit and go work somewhere else, leaving the mess for your replacement to fret over.

The GoSquared engineering blog features a dive into the the T3 instance family. They're enthusiastic supporters, and I'm inclined to agree with their recommendations. Just be aware that Unlimited is enabled by default, which can lead to bill surprises at scale for some workloads.

A step-by-step guide to giving third parties limited access to your AWS account. If you're more towards the crappy side of the "hand someone a narrowly scoped role to assume <--> hand someone the root credentials" spectrum, give this one a read.

I caught up with the folks at Rubrik to chat about backup and recovery in last week's episode of my podcast, Screaming in the Cloud.

I'm a big fan of using aws-vault to switch between AWS accounts. If you're running Linux on the desktop, allow me to make your sad day a bit brighter with this guide to using aws-vault with Linux.

This week's issue is sponsored by GoCD from ThoughtWorks. GoCD's open source and free to use CD server is easy to get up and running--but don't take my word for it. You can run a local version with less than five minutes of work by following a few simple steps. This is incidentally a great example of the value of things like Docker for business reasons-- you're a docker compose away from having a working CI/CD demo running locally. Thanks again to GoCD for their continued support of this newsletter.

Jobs

My extortion-based jobs model continues: Job listings are free, unless you'd like me to use your copy, in which case I'll charge you. If you've got an interesting job for this newsletter's subscribers, please get in touch!

Are you in Rochester, New York? If so, let me first apologize; I grew up in New England myself. There's hope this winter though--CloudCheckr is hiring for a variety of roles ranging from "DevOps Engineer" to "Interns" to "replacing the person who thought advertising these jobs in this newsletter was a good idea." Fight the good fight against AWS's inscrutable billing practices; talk to CloudCheckr. CloudCheckr: "Anyone can put a random word after 'Cloud,' but it takes a special company to misspell that word."

Choice Cuts From the AWS Blog

Amazon EKS Achieves ISO and PCI Compliance - This is a big step forward for AWSECS4K8S(EKS) in gaining acceptance in regulated environments. Good work.

Amazon Elasticsearch Service doubles maximum cluster capacity with 200 node cluster support - ElasticSearch grows ever larger and more unwieldy!

AWS Config Increases Default Limits for AWS Config Rules - The limit for rules just tripled. I include things like this in the roundup just because it's super easy to miss, and certification exams love to nitpick these...

AWS Public Datasets Now Available from UK Meteorological Office, Queensland Government, University of Pennsylvania, Buildzero, and Others - More datasets abound for your use. One nitpick: it's not clear whether many of these datasets are in requester-pays buckets or not.

AWS Systems Manager State Manager Now Supports Management of In-Guest and Instance-Level Configuration - ...while I continue to not support using the same noun twice in a five word service name.

Introducing Amazon WorkLink - WorkLink brings you one-click access to intranet applications for your users. Don't confuse it with WorkMail, WorkDocs, or WorkSpaces.

Introducing AWS CloudFormation UpdateReplacePolicy Attribute - This is another step along CloudFormation's path as it attempts to UpdateReplaceTerraform.

Introducing Python Shell Jobs in AWS Glue - Python support comes to Glue; historically you could only use Spark for your ETL transforms. To be very clear-- this is Python 2.7.

Find And Update Access Keys, Password, And MFA Settings Easily Using The AWS Management Console - Aw, AWS broke my Console Scavenger Hunt. We had a good run, didn't we...

Network Load Balancer Now Supports TLS Termination - This is huge, and gives you a path to migrate some workloads off of ELB Classic ("Classic" of course being Amazon-speak for "If we were Google we'd have turned it off on you."). Having AWS manage certificate expiry, rotation, and revocation for you is super handy...

Thoughts on Recent Research Paper and Associated Article on Amazon Rekognition | AWS Machine Learning Blog - AWS has a problem, and it's largely one of messaging. There's a bit of a PR tone mismatch here between "We tried your facial recognition service and found it's got problems properly identifying people of color" and a response that reads exactly like what it is: a technically deep counterpoint from someone whose first name is "Doctor." This is a nuanced and delicate subject, and AI is still in its infancy, but this response misses the mark when it comes to being accessible to someone not steeped in the subject. Just as a quick example (there's a lot to delve into here), it makes much of the difference between "facial analysis" and "facial recognition." Uh... The service is called "Rekognition." If someone's viewing it as a tool for facial recognition, that's kinda on AWS and their ridiculous service naming. There's some scary stuff afoot here, and this future feels inevitable, but striking a balance is going to be essential--and that starts with clear and effective messaging. Those are my 2¢.

AWS awarded PROTECTED certification in Australia | AWS Security Blog - Congratulations to AWS--this is a rare honor. So far the only other things that Australia has awarded PROTECTED status to are pretty much "Azure" and "the wombat."

Tools

This lists seventeen major cloud providers and gives you a speed test for all of them. Curiously, Oracle Cloud didn't make the list of seventeen major cloud providers.

A GUI client for DynamoDB is great for helping people visualize the data model a bit more effectively. Not all of us think in abstractions the same way...

A couple of folks pointed me towards aws-rotate-key which does exactly what you'd expect it to. aws-vault also supports this natively.

"Build a Lambda layer from a Docker image" is fantastic--and AWS Lambda Container Image Converter does exactly that. I'm hugely enthusiastic about the possibilities here...

This well-written post introduces us to a tool that grabs an item from DynamoDB and tells us its size and consumed capacity. This is super handy for planning out reserved capacity / modeling application workload costs.

I'm not sure if awsme is a typo, a new thing the kids are texting each other, or a CloudWatch metrics library.

…and that’s what happened Last Week in AWS.

I’m Corey Quinn. I help people significantly reduce and understand their AWS bills and speak broadly on the conference circuit. In addition to this newsletter, I host the Screaming in the Cloud podcast about the business of cloud computing, featuring me talking to folks who are good at things; it's a nice contrast.

If you’ve enjoyed reading this, tell your friends to sign up at lastweekinaws.com (or post a link in your company Slack team!) about it. As always, if you’ve seen a blog post, a tool, or anything else AWS related that you think the rest of the community should hear about, send them my way. You can either hit reply– or join the #lastweekinaws channel on the og-aws Slack team.

List archives are always available at https://snarkive.lastweekinaws.com/