Last week’s post on AWS’s security challenges kicked something of a beehive; go read it if you haven’t yet.
The fun thing about having a large audience is that folks respond when I say things! A bunch of folks hadn’t heard about the issue previously, which isn’t surprising (they were universally horrified). A much more disturbing revelation was that this isn’t the first incident publicly disclosed about cross-account security failures within AWS. Back in September 2020 it was apparently possible to get CloudTrail to spew random credentials from other accounts if you asked it nicely.
It’s become apparent that AWS does not disclose issues like this, and that what had formerly been perceived (at least by me) as a security posture that was otherworldly effective was instead a policy of “say nothing unless forced to do so.” I’m in the extremely uncomfortable position of having to reevaluate just how far I trust AWS; if my emails are any indication, I’m far from the only one.
From the Community
This issue is sponsored in part by my friends at ChaosSearch! As you know, running log analysis with Elasticsearch at scale can be unstable, relentlessly time-sucking and surprisingly expensive. Now try ChaosSearch – a fully managed log analytics platform that delivers the Elasticsearch API you love, with built-in Kibana, but with No ElasticSearch under the hood! ChaosSearch activates your Amazon S3 as a true data lake, for analytics at scale, with no data movement, no data retention limits and savings of up to 80% vs an ELK Stack. In fact with ChaosSearch, you can start with 3 easy steps: Store, Connect & Analyze. So start experiencing insights at scale from ALL of your data (and tell them I sent you)!
Another week, another way to Securely Access Your AWS Resources From Github Actions that still requires an awful lot of work on the customer’s part.
I don’t know a lot about how AWS KMS Envelope Encryption works. Fortunately I found a post to rectify that.
Google is apparently getting serious about the cloud at long last and is looking to hire someone to help move Google services to Google Cloud.
Nathan Peck has a great analysis of comparative concurrency between AWS Lambda, AWS App Runner, and AWS Fargate.
If you’re brand new to AWS there are a disturbing number of things that you should pay attention to.
James Governor of RedMonk talks about distributed work being the new normal. Even if I completely disagreed with him, James is thoughtful enough that I’d still talk about almost anything he writes here; that said, I agree completely. He’s a treasure.
If it were up to me I’d have avoided titling this article Documenting Gotchas in AWS’s WAF Offerings and instead gone with “the ways AWS WAF sucks.”
Mike Mackay (senior Solutions Architect at AWS) has sadly passed away. Condolences to the folks who knew him; he brightened any conversation he was a part of.
If you’ve got an interesting job for this newsletter’s eminently employable subscribers, get in touch!
Silk is Amazon’s Chromium-based web browser used by millions of customers across Fire Tablet, Fire TV, and Echo Show. Our teams are looking for engineers to build the “next big thing” to make web browsing easier for our customers instead of the stale browser experience everyone knows today. We’re innovating with AWS ML to make browsing easier for customers. We have separate opportunities to grow your skills designing and releasing services at Amazon scale, delivering a customer-obsessed Fire OS client experience, and managing the complexity of integrating open source Chromium with our own unique features. As a Silk engineer you will directly influence the technical design and vision of your team, positively impacting the experience of customers across the globe. Come join us as part of a fast-growing platform, with millions of users and a growing Amazon devices ecosystem!
Nebulaworks is a software engineering firm founded, built, and managed by engineers, for engineers. Our mission is to create high-performance engineering teams where members are inspired to collaborate openly, incentivized to gather new knowledge and skills, and value simplicity when solving difficult problems. We’re looking for individuals who are passionate about being a force multiplier, enabling our customers to unlock their high-performing team potential. If you love Linux, open-source, and value driving all changes through version control we’re currently hiring Sr. Software Engineers, come introduce yourself!
At Modern Treasury, we are building payments infrastructure to power $750 trillion in bank transfers every year. Before Modern Treasury there has never been a universal API into the global banking system. Our ambition is to be the de facto standard for money movement for the world’s most innovative and fastest growing companies. Our customers use our APIs to automate payouts, direct debits, balance tracking and other payments use cases at scale. Join our engineering team at Modern Treasury to help build the new foundation of business and finance.
Rising Cloud uses AI to help developers be more efficient by reducing repetitive tasks, plus you can also run your stateless apps currently running on AWS without modifying your code. Finally, Rising Cloud’s data centers (unlike any of the usual players in this space) span multiple regions at the same time, which means your app will always remain up. If you’re looking for a smarter, faster, cheaper alternative to EC2, Lambda, Fargate, or Batch, check them out. To learn more, check out RisingCloud.com/benefits. Tell them I sent you and watch them flinch. Seriously, that’s the best part!
This one isn’t going to cost you anything. Kubestack is an open source online tool that helps you generate a Kubernetes base platform in Terraform without having to spend months on being responsible about it — or else, having to go back and retrofit code to what you’ve already built through the miracle of ClickOps. It now features a “tell it what you want” configuration wizard around a whole bunch of different variables (cloud providers, whether you want single or multiple clusters, etc.) and spits out Terraform code that’s ready to throw into your environment — faster than you can write it yourself. Check it out and let me know what you think; remember, it doesn’t cost you anything!
Amazon GuardDuty now detects EC2 instance credentials used from another AWS account – I would prefer a setting that denies the ability to use them from absolutely anywhere except the instance to which they were provisioned.
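The setting the author is asking for can be expressed in IAM. The policy below is an added example, not code from the newsletter or from AWS’s announcement; it follows the pattern AWS documents for the condition keys aws:ec2InstanceSourceVPC and aws:ec2InstanceSourcePrivateIPv4, which AWS introduced for exactly this purpose after this item was written. Attached as a service control policy, it denies any call signed with EC2 instance-role credentials unless the call comes from the same VPC and the same private IP the credentials were issued to. The Sid values are my own naming.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceCredentialsUsedFromAnotherVpc",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Sid": "DenyInstanceCredentialsUsedFromAnotherPrivateIp",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

The Null check on ec2:SourceInstanceARN scopes both statements to requests made with instance-role credentials, so IAM users and other roles are untouched, and the BoolIfExists check on aws:ViaAWSService lets services that act on the role’s behalf through. The caveat that bites people: aws:SourceVpc and aws:VpcSourceIp are only populated when the request arrives through a VPC endpoint, so an instance whose calls go out over the public internet is denied as well. Put interface or gateway endpoints in place for the services the instance actually uses, and trial the policy on a single account before attaching it at the organization root. With it in place, the GuardDuty finding above describes an attempt that failed with AccessDenied rather than one that succeeded.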
Amazon Rekognition improves accuracy of Content Moderation for Video – This update “reduces false positive rates across all of the moderation categories, particularly ‘explicit nudity’.” I look forward to a conversation with my account manager about exactly what constitutes “explicit nudity” in a conversation that’s near-certain to make him long for the relative comfort of “the talk” with his parents.
AWS Elastic Disaster Recovery now supports failback automation – Okay, good: this is basically “one click failback.” Fully automated failback means that you have a primary and a secondary each seizing production from one another at a frantic pace, and taking down production way more than failures in the underlying systems ever could.
AWS Trusted Advisor now integrates with AWS Security Hub – I dislike that this requires a paid support agreement for every account you want these on, at Business tier or higher. In what is apparently a theme for 2022, “trusted” means something radically different to AWS than it does to the rest of us.
AWS Client VPN now supports banner text and maximum session duration – And if that text is an advertisement for something, chalk up another AWS service that displays banner ads.
Now DynamoDB can return the throughput capacity consumed by PartiQL API calls to help you optimize your queries and throughput costs – “Return” as in “display it.” It does not mean “gives it back,” boy is my face red, and I owe someone who’s on-call this week a massive apology.
Bring Your Own Public IP (BYOIP) Addresses to VMware Cloud on AWS – You can mix and match the words in this headline super well. My favorite is “Bring your own VMware to cloud on AWS.”
How Ribbon Communications Built a Scalable, Resilient Robocall Mitigation Platform – Yeah, robocalls suck. Hey AWS, this you? Automating outbound calling to customers using Amazon Connect (2019). You’re basically playing both sides like an arms dealer, and I’m unimpressed.
Securely share your data across AWS accounts using AWS Lake Formation – Or insecurely share your data across AWS accounts by using… which services? We don’t know! AWS has a pattern of not disclosing these things, apparently. Oh yes indeed; I spent the last four months dragging Azure for this same thing, and nobody from AWS reached out with a word in their defense. AWS friendos, at this rate you are not going to like how the rest of this year goes.
Introducing AWS Lambda batching controls for message broker services – If you implement this, it’ll save you money (usually). Thus the circle is complete, Lambda itself makes less money, and is then itself a broker service.
AWS Joins MACH Alliance – They’ve joined as an “Enabler.” If I remember my intro to psych course half a lifetime ago, the term “enabler” generally describes someone whose behavior allows a loved one to continue self-destructive patterns of behavior. Which, for a cloud native alliance, is very much on the nose.
Ten Memorable Customer Moments from 10 Years of AWS re:Invent – The next post I want to see in this series is “Ten Memorable Partner Moments” wherein there are videos of the various spit-takes companies on the expo floor did at the moment they saw AWS had just launched a new service to compete with them.
How AWS is supporting Buy Now Pay Later (BNPL) – If you want to exploit people (particularly those who are financially insecure) then AWS is pleased to help by presenting you 30 services you get to tie together. You absolutely must pay for those services as you go, because what AWS empowers vs. what AWS does are two very different worlds. If you’re working on something like this, I want you to imagine explaining it to your kids in ~15 years or so. Will you feel ashamed? I sure would.
Simplify your commute with new Alexa public transit feature – I’m not saying that this feature (that tells you when the next bus shows up) should have been rolled out long before now. I am saying that I built a custom Alexa skill to solve this for me out of a Lambda function. I’m also saying that that Lambda function is still using the Node.js 8.10 runtime, which went EOL in 2019. And I apparently last updated it four years ago.
If you’re anything like most AWS users, you’re tired of shelling out mountains of cash for average Big Tech cloud performance. That’s why scrappy developers and entrepreneurs are turning to Vultr. That’s V-U-L-T-R. Offering powerful cloud compute at a price that you can actually afford, they’re a no-brainer for those looking for a home for their next website or application. Now deploy in more than 20 locations in 60 seconds or less for as low as $2.50 per month. Vultr offers plans available for businesses of all sizes. And we have an exclusive offer for Screaming in the Cloud listeners! Sign up and receive $100 in credit for FREE. Ready to claim your credit? Visit vultr.com/screaming – V-U-L-T-R-dot-com slash screaming
Stacker is new to me. It handles management of multiple CloudFormation stacks, which has always been a challenge for me. It’s part of the reason I’ve evolved past CloudFormation into the world of ClickOps.
… and that’s what happened Last Week in AWS.