Good morning!

Welcome to issue number 66 of Last Week in AWS.

First, some errata. “I only get Last Week in AWS once a week!” you exclaim in a high-pitched squeak. “What should I read when it isn’t Monday?” If you incorrectly believe that this newsletter isn’t all you need to know about tech, check out DevOps Newsletters as an aggregation point. For keeping current with larger issues than the tech world’s hijinx, but still with a light dusting of snark, I personally enjoy the non-tech bent of Morning Brew. We can’t all mock the cloud all the time…

I’m back in dreary San Francisco this week, although not for long– due to popular demand I’m including an Events section below. Take a look:


Friend of the newsletter Datadog is having their Dash conference in New York THIS WEEK– July 11-12. If it works for your schedule, I strongly suggest attending; AWS is a platinum sponsor, and longtime readers know how finicky they are about putting their logo on any conference that doesn’t have the word “Amazon” in the title somewhere. Use the code “DASHLAST” to get 20% off of registration.

I’ll be hosting a track, speaking, and making a general nuisance of myself at ServerlessConf San Francisco at the end of this month; use code “Sconf15offSHARE” for 15% off of registration.

I’ll be speaking at both DevOps Days Indianapolis and the AWS New York Summit at the end of July.

And there are 139 days until re:Invent (or as I like to think of it, “Amazon’s Complex Queueing Service.”) Tick tock.

Community Contributions

DigitalOcean sponsors a link this week with a provider-agnostic guide to architecting applications for Kubernetes. This is one of the better “rubber meets the road” guides I’ve read– largely because it assumes little to no familiarity with Kubernetes concepts. It’s approachable in a way that most “up and running with k8s in only 3500 easy steps plus a quick detour to get a PhD in distributed systems!” guides miss by a mile. Thanks to DigitalOcean for their continuing sponsorship of this newsletter.

Cloudonaut takes us through the process of prerendering single page apps hosted in S3 / CloudFront.

Another tale of someone committing API keys to a public repository and getting a surprise $14k bill. To no great surprise, AWS support cleared the unauthorized use charges. Say what you will about Amazon; they’re undeniably customer focused.

Depop tells the tale of migrating from AWS to Heroku.

A guide to searching for open S3 buckets seems very on-topic for this newsletter. It’s been a slow summer thus far for the S3 Bucket Negligence Awards…

A takedown of the longstanding wisdom of using bastion hosts, this article lobbies against them and suggests a number of alternatives. Agree or disagree, it’s certainly thought-provoking.

A tale of migrating a 100K requests-per-minute production application from AWS Elastic Beanstalk to ECS.

A discussion of event-driven architecture with SQS and Lambda.

Sander Knape writes in with the missing manual for Secrets Manager; specifically, how to use it to manage secrets beyond those which AWS can rotate for you automatically.

Josh Barratt (a former manager / mentor of mine– I highly recommend his work) opines on the nature of “really serverless databases.” Imagine embedding a database inside your Lambda function. Read it before you condemn it; it’s not nearly as horrifying as it sounds on first blush! I’m imagining a few distinct use cases already.

AWSgeek returns from funemployment as a Cloud Architect / Evangelist at LucidChart. His Visual Service Summary of the week is for Amazon Pinpoint.

I gave a talk on the conference circuit for a couple of years before I retired it; finally LinuxJournal convinced me to turn Terrible Ideas in Git into an article for your amusement.

Last week I got to speak with Sarah Zelechoski of ReactiveOps in Screaming in the Cloud Episode 17: Pouring Kubernetes on things with reckless abandon.

This is “Last Week in AWS,” not “Kick AWS Competitors In the Pants,” but I’ve gotta remark on this story about GCP screwing the customer service pooch. Last week, a billing anomaly for a large customer resulted in GCP turning their entire account off outside of business hours until the customer in question could turn things back on. Possibly more telling, the top rated comment on the original post was from a Google Cloud support engineer saying that it’s the customer’s fault for not having an enterprise support relationship established before this point. I don’t care who you are; you don’t treat your customers this way if you don’t want to be justifiably dragged through the mud. Google has wonderful technology, but the customer service skills of an angry chihuahua.

Forrest Brazeal weighs in with a guide to detecting cost aberrations in your AWS bill.

The ThinkFaaS talks at ServerlessConf in San Francisco later this month have been announced. There will be a number of highly accomplished speakers giving five minute talks, and also me.


SignalFx is looking for Software Engineers for its Infrastructure and Tools team, to help tame the needs of a fast-growing SignalFx Platform and unlock the gates to SaaS nirvana. If building and engineering highly elastic, self-healing and robot infrastructure to the sometimes law-of-physics-bending demands of a fast growing company floats your boat, this gig may be for you. To find out more about this adventure, check them out. As an added bonus, my friend Leonid just started as their EVP of Engineering; should you find yourself working at SignalFx, let me know and I’ll share a raft of embarrassing stories about him.

A majority of the world’s population send a combined quarter trillion email messages a day. There’s just one problem: Because authentication isn’t built into email, nobody can be certain who is sending most of these messages. If solving this kind of problem interests you, check out the career opportunities at Valimail, which is working to solve these problems with a platform (yes, it’s AWS-based) built on top of open standards. If you like the idea of working on planetary-scale messaging systems with the latest AWS tools and making a difference in the lives of half the world’s population, Valimail would love to talk to you.

Choice Cuts From the AWS Blog

Amazon Connect Adds New Dynamic Outbound Caller ID – To be clear, I’m not an Amazon Connect customer; if I wanted phone calls I’d take out a personals ad. That said: if this doesn’t have some serious controls / acceptable use policy tied to it, they’ve built a spectacular telemarketing spam cannon. Can someone weigh in as to whether or not there are protections that go beyond lip-service?

Amazon EC2 Dedicated Hosts now Supports Tags – This week’s entrant in the “wait, you mean it didn’t do that already” annual sweepstakes…

AWS Lambda Adds Amazon Simple Queue Service to Supported Event Sources | AWS News Blog – This article came out two weeks ago; I’m including it this week. There’s no rhyme or reason to that choice at all; why on earth would I release commentary on something like this so long afterwards? It’s inscrutable.

How Goodreads offloads Amazon DynamoDB tables to Amazon S3 and queries them using Amazon Athena | AWS Big Data Blog – I don’t know whether to be more impressed or horrified that an Amazon owned service does its analytics work using a Rube Goldberg contraption consisting of over a half dozen AWS offerings all bolted together.

eksctl: Amazon EKS Cluster with One Command | AWS Open Source Blog – You can now manage your EKS cluster with one command– sadness is only a quick CLI argument away.

New PCI DSS report now available, eight services added in scope | AWS Security Blog – ElastiCache for Redis, Storage Gateway, EFS, and five more are now suitable for storing cardholder data, setting you up for some truly ridiculous architectures.


If you’ve ever set up a static site hosted in S3 with DNS in Route53, fronted by CloudFront, with an SSL certificate provided by ACM, you’re already groaning at the steps involved. Take a look at Scarr; it does all of the boring, easy-to-get-wrong stuff you would expect– with remarkably little work.

NCCgroup has a pair of handy tools this week– PMapper for evaluating IAM permissions quickly, and aws-inventory for showing resources that were created in an AWS account.

This somewhat limited Lambda function takes an instance ID as input and returns that instance’s tags. Handy when you need it as part of a larger pipeline…

…and that’s what happened Last Week in AWS.
