Good morning!

Welcome to issue number 80 of Last Week in AWS.

Before we begin, a personal cry for help: Are you artistically inclined? Please hit reply; it’s time for a charity t-shirt run from Last Week in AWS, and I can’t draw a stick figure to save my life. Yes, it’s paid; people die of exposure.

In a refreshing and welcoming change from the S3 Bucket Negligence Awards, the Pokémon Company sat down with the Wall Street Journal to discuss not only how they secure their own data, but how they investigate business partners. A prospective vendor didn’t have adequate controls around their S3 buckets, so the company declined to proceed with a deal, resulting in the first ever S3 Bucket Responsibility Award(paywall warning) going to the Pokémon Company. Congratulations, and well done.

I’ll be speaking at the Kansas City AWS User group on Tuesday evening. Come by the Cerner Innovation Campus if you’ll be around and say hi.

Sponsor DigitalOcean is helping to run Hacktoberfest, now in its fifth year. Sign up by linking your GitHub profile, and make five or more Pull Requests by the end of this month, and they’ll send you a free shirt. If you’re looking for a repository to submit pull requests into, I’m partial to the Open Guide to AWS. If you know anything about AWS, share it with the rest of us! No coding ability is required… Thanks again to DigitalOcean for their continued support.

Community Contributions

AWS Serverless Hero Yan Cui talks about pricing pitfalls in AWS Lambda. Note that Lambda pricing almost always makes sense if you do the TCO calculations correctly, few places do. Lambda@Edge is… another matter.

Kyle Galbraith (whose work periodically finds its way here) writes again, this time about watching your AWS costs before it’s too late. Nothing groundshaking here, but it’s handy to have a refresher!

Cloudonaut returns with an analysis of T3 instance family network performance.

A Kubernetes showdown: Google GKE vs Microsoft AKS vs Amazon EKS. For what it’s worth, I find GKE to be the best of the lot today.

Ben Kehoe of iRobot opines on the current sad state of AWS service naming. With re:Invent on the horizon, we can expect a raft of new services, ideally without names like “AWS Systems Manager Session Manager.”

I love the title of Postcards from Lambda @ the Edge, and the content is even better.

Under the auspices of optimizing Kafka, this article goes into some depth on hardware selection within AWS. This feels so strongly like an anti-pattern that I can taste it, but we still see instance families and types proliferate, with no end in sight.

A deep dive into Global Transaction ID replication in RDS, now that their MySQL flavor supports it.

A story of consolidating AWS load balances via host-based routing to save money and architect more sensibly.

The AWS Heroes have put together a series of guides to re:Invent. My user submission of my own video guide was rejected as it missed some key points, including “the conference is ‘re:Invent,’ not ‘Amazon’s Complex Queueing Service,” “the unflattering comparisons to ASGs were just hurtful,” and “we didn’t ask you for this, we don’t want this, what is WRONG with you?” All of which are fair points.

I caught up with Sam Bashton of to talk about the joys of handling on-call responsiblity when you’re half asleep, in Screaming in the Cloud episode 31: Hey Sam, Wake Up! It’s 3AM and Time To Solve a Murder Mystery!

A quick dive into using CloudTrail to enhance serverless application security.

Continuing into another week of “ignorant posts about cloud computing,” Bloomberg talks about how Snapchat was dumb to not build its own cloud. Snapchat’s core business revolves around empowering teenagers to sext each other, not building and running datacenters. The economics rarely point to “build your own cloud,” and Snap realized this early on. I do think that committing to multi-billion dollar deals with multiple cloud providers was dumb, but that’s not what the article is about.

Millions of FitMetrix’s customers now have their data exposed via an insecure ElasticSearch database hosted on AWS. Infosec still matters, folks. The Shared Responsibility Model is very clear on this.

There’s a (much) longer linked article in this summary, but given that Medium is neither rare nor well done, I prefer to link to this more digestible version. A former Google Cloud product manager has left, and cited two reasons for GCP’s issues in the market–namely, it ignored startups and enterprises for too long.

While a terrible pattern for most use cases, lambda-git lets you install git inside of Lambda. “Manipulating Git repositories and their assorted issues and pull requests” is really the only use case I’ll greenlight here.

Sponsor ThoughtWorks is hosting a webinar next Tuesday on actionable CD metrics. The biggest challenge I’ve had with CD pipelines myself is that they throw off a lot of numbers that I never found good ways to make meaningful. If that resonates with you, I’d suggest checking them out. Thanks to Thoughtworks / GoCD for their continuing support

Choice Cuts From the AWS Blog

AWS Lambda Console Now Enables You to Manage and Monitor Serverless Applications – “Surprise, we redid the Lambda console” is the sort of statement that should rightly strike fear into all of our hearts, but I kinda like this redesign.

Amazon Aurora Databases Support up to Five Cross-Region Read Replicas – Still not the master-master cross-region that they’ve been teasing us with for months now, but “it’s closer than ever.”

AWS Systems Manager Launches Custom Approvals for Patching – If you need manual approval for patches, first know that you have my sympathies. Second, you can now add that manual step into your workflows.

Amazon RDS for MySQL now supports global transaction identifiers (GTIDs) – If you’re into databases, this is a big deal, or so I’m told. I’m not into databases.

Amazon EKS Enables Support for Kubernetes Dynamic Admission Controllers – EKS lurches ever closer to being a product recommended for use in production. Keep going folks; you’ve come a long way since launch!

Amazon RDS for Oracle Now Supports Database Storage Size up to 32TiB – Storage for which will cost you thousands a month, or “who gives a toss compared to your Oracle license fee.”

Amazon Athena adds support for Creating Tables using the results of a Select query (CTAS) – The bridge between relational databases and data lakes just got a bit shorter.

AWS Direct Connect now Supports Jumbo Frames for Amazon Virtual Private Cloud Traffic – The last Jumbo Frame announcement involving Amazon that we saw was Bloomberg BusinessWeek’s assertion that SuperMicro boards were compromised.

AWS Lambda enables functions that can run up to 15 minutes – This is exciting; it’ll enable thousands of terrible patterns and three useful ones.

AWS PrivateLink now supports access over Inter-Region VPC Peering – There were a bunch of networking related announcements this week, which tells me they were all either blocked by the same thing, or share a key feature that just went live.

Consulting Partners Can Now Resell Software Solutions Available in AWS Marketplace– This is big news for consulting partners, important news for enterprises with cumbersome vendor management processes, and lesser news for shops that don’t have vendor purchasing restrictions and are allowed to go direct to the source.

Introducing a New Size for Amazon EC2 G3 Graphics Accelerated Instances – Add one more to the… 146? instance family / size combinations you can now have in us-east-1, I suppose. Your RI choices are now provably wrong.

Network Load Balancer now supports Inter-Region VPC Peering – It’s nice to see a lot of the “you’d think you could do X but you can’t” stories around AWS networking start to disappear.

AWS Cost Explorer’s Reserved Instance Reports now Support Amazon Elasticsearch Reservations – Another service gets its own substandard recommendations for RI purchases.

How to rotate a WordPress MySQL database secret using AWS Secrets Manager in Amazon EKS | AWS Security Blog – While it’s handy to read through this, a few points jump out at me. First, Parameter Store does most of what Secrets Manager does, for far less money. Secondly, if you’re running WordPress inside of Kubernetes for anything other than a demo project, seriously question your choices. “Stupendous overkill” doesn’t really do it justice.


Check out this module; it lets you convert objects in S3 from CSV to JSON, and back again. This is a handy transform module if you need this done and don’t want to reinvent the wheel.

This handy tool lets you visualize your re:Invent calendar. I still can’t fathom why the official re:Invent app and website fall down so hard on things like this.

T-mobile has open sourced pacbot, which enforces policy as code.

…and that’s what happened Last Week in AWS.

Newsletter Footer

Sign up for Last Week in AWS

Stay up to date on the latest AWS news, opinions, and tools, all lovingly sprinkled with a bit of snark.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Sponsor Icon Footer

Sponsor a Newsletter Issue

Reach over 30,000 discerning engineers, managers, and enthusiasts who actually care about the state of Amazon’s cloud ecosystems.