Good Morning!

Welcome to issue number 137 of Last Week in AWS. There were an obnoxious number of major AWS announcements last week, almost as if saving all of the big stuff up for a single week in December wasn’t the most customer obsessed thing they could be doing.

re:Invent is next week. I’ll be there making a nusiance out of myself! Hope to see you there.

From the Community

Automatic updates. Auto-generated code. Who would go back to the days of manual operations? Epsagon, an AWS Advanced Technology Partner, delivers automated, distributed tracing for monitoring and troubleshooting cloud microservices – containers and serverless. Get started today with a Free Trial to see how Epsagon provides flexibility with the convenience of a fully automatic solution that fixes issues in seconds with trace, log and payload visibility in a single interface. Save your developers 95% in troubleshooting time and reduce errors by 75%. Sponsored

NextRoll talks about how they make extensive use of AWS Batch.

Welcome to AWS Storage Day | AWS News Blog – A whole mess of storage updates, from S3 to FSx to Storage Gateway. Nothing hugely earth-shattering, and the fact that I didn’t know it was Storage Day until the day actually arrived speaks to something of a marketing issue, but past that? Good stuff.

Two of my favorite things come together: Lambda and VS Code.

I completely agree with this guidance about not using tags for IAM permissions management.

Convertkit (who powers this newsletter) discloses their $68K AWS bill and analyzes it for us. “We should see this bill decrease in the future as we begin our migration to Kubernetes” is what it sounds like when a company lies to itself.

A discussion of LetsEncrypt’s CT logging architecture. AWS makes an appearance.

Wizards of the Coast (that do not work at Amazon) have scored this week’s S3 Bucket Negligence Award, as does PayMyTab


If you’re considering a job change, check out a position below. Regardless of where you find it, you should definitely negotiate your salary. If I were to magically become employable, I’d immediately head to and talk to Josh Doody about it before saying anything further. He’s done this many times before, with a special emphasis on engineering roles at FAANG companies. He’s an artist when it comes to getting the best compensation possible without seeming greedy or losing the offer. He offers coaching, free articles, an ebook, and other things along the way. Check him out–and tell him Corey’s talking about him again.

Have you always wanted to improve and enhance the AWS console? Now you have a better way to get this done than just hitting the feedback button – the team behind Resource Groups & Tag Editor is hiring both engineers and a manager for their console team, based in Berlin, Germany. Please please please go fix their monstrosity for me.

X-Team is hiring Go developers with strong AWS skills, anywhere on the planet. The work is interesting, they partner with companies you’ve heard of, and you can work from wherever you care to be. Now before you wind up getting cynical, let me save you some time–I already did, and hopped on a phone call to chat with them and then berate them for their crappy culture. Instead I was pleasantly surprised: they invest in their people (including a personal development stipend), they have distributed community events (both online and in person around the world), and actually work with their employees; this isn’t a “send us a postcard if you ever get there” body shop. Take my word for it; check out X-Team and see for yourself. Tell them Corey sent you…

Choice Cuts

Did you know that in some regions, the INTERNET outperforms Global Accelerator? Or that in Asia, AWS performance predictability improved nearly 50% last year, but Azure and GCP still beat out AWS in performance predictability? Yeah, didn’t think you did. Those nuggets are just the tip of the iceberg. Read ThousandEyes’ fascinating Cloud Performance Benchmark report here. Sponsored

Amazon Aurora MySQL 5.7 Expands List of Supported Features to Improve Performance and Manageability – …in order to be more like the existing database it was touted as being compatible with at launch. I see.

Amazon Chime management APIs now allow you to manage chat rooms – I’ve messaged a few hundred people on Chime, but I’ve been in three chat rooms. I’m sure this matters to Amazon, the only other Chime customer.

Amazon Cognito now supports Sign in with Apple – This has everything to do with Apple’s requirement that “Sign in with Apple” be supported in mobile apps by February of next year. Without it, apps get booted from the app store, so without this feature nobody will use Cognito for authentication in mobile apps. No snark on this one–it’s necessary.

Amazon Connect Launches Web & Mobile Chat for a True Omnichannel Contact Center Experience – So Amazon launched an Intercom competitor and forgot to market it other than a small release announcement? Is there a blog post that missed my feed somewhere, or a keynote I forgot to attend?

Amazon EBS Fast Snapshot Restore (FSR) eliminates the need for pre-warming data into volumes created from snapshots – Neat feature, but the pricing is sarcastically high. If you leave it enabled on one snapshot for one month in one AZ it’ll cost you $500.

Amazon EC2 Auto Scaling Now Supports Maximum Instance Lifetime – Slowly age out your instances; when the maximum lifetime is reached the ASG replaces it. “Maximum Instance Lifetime” is the better name than the alternately proposed “ASG Ice Floe” or “ASG Logan’s Run.”

Amazon EC2 makes it easier for customers to discover and compare EC2 instance types – …and still doesn’t have nearly as functional an interface as, though I bet the API makes that site a lot easier to generate now.

Amazon EKS adds support for provisioning and managing Kubernetes worker nodes – No additional charge–this is a nice change except for the part where you’re still running Kubernetes.

Amazon Lex Now Supports Sentiment Analysis – And promptly segfaults on this newsletter due to the miracle of sarcasm.

Amazon Route 53 Now Supports Overlapping Namespaces For Private Hosted Zones – This makes some database schema work I’ve been struggling with far easier.

Announcing Amazon CloudWatch ServiceLens – This ties together Cloudwatch metrics and logs in one place, along with X-Ray once people actually start using it. Hope springs eternal!

AWS Cost Explorer monthly forecasts now include Support costs – A useful feature indeed, but if you missed this announcement and glance at Cost Explorer right now you might have a minor heart attack.

AWS Lambda now supports Node.js 12 – And Python 3.8, and Java 11. Time marches on, and progress comes for us all, except for the poor folks forced to still write Java.

AWS Marketplace Now Offers Syndicated Product Reviews – The AWS Marketplace now looks a lot more like Yelp. I look forward to reading poor reviews of excellent services as a hobby.

AWS X-Ray offers improved trace analysis and identification of service disruption – And all the while the AWS status page maintains its cheery green glow.

Longer Format Resource IDs are Now Available in Amazon EC2 – …in GovCloud. They dropped the “in GovCloud” from the headline.

Announcing CloudTrail Insights: Identify and Respond to Unusual API Activity | AWS News Blog – This is great! Now I can turn off my EC2 instance when I’m not using it. To turn it back on I’ll spam API Gateway with bad requests. CloudTrail Insights will notice this, and fire off an event to its S3 bucket. That event invokes a Lambda function that in turn turns my EC2 instance back on. It’s perfect!

AWS Systems Manager Explorer – A Multi-Account, Multi-Region Operations Dashboard | AWS News Blog – Systems Manager Explorer, not to be confused with Cost Explorer, or Systems Manager Task Manager, or any other confusingly similarly named thing, now exists. Please come up with a better mini-brand for these useful services, AWS. I’ve checked my bill from end to end–I don’t pay by the syllable unless we’re talking about AWS Transcribe.

CloudFormation Update – CLI + Third-Party Resource Support + Registry | AWS News Blog – So let me get this straight: the service that doesn’t support AWS services fully or at launch is now going to support third party services. Sure, Jan.

Improving Containers by Listening to Customers | AWS News Blog – Alternately, you can improve some customers by stuffing them into containers.

In The Works – New AMD-Powered, Compute-Optimized EC2 Instances (C5a/C5ad) | AWS News Blog – So compute optimized instances with AMD processors for less money? That’s going to kick Intel right in the marketshare.

New – Convert Your Single-Region Amazon DynamoDB Tables to Global Tables | AWS News Blog – Here be serious billing dragons, but it’s a great enhancement that doesn’t require you to rebuild your tables anymore.

New for Identity Federation – Use Employee Attributes for Access Control in AWS | AWS News Blog – Complicated identity management product grows far more complicated, and now your company barista has access to the payroll system. Whoops.

S3 Replication Update: Replication SLA, Metrics, and Events | AWS News Blog – You pay handsomely for this (1.25 cents per GB replicated in the primary regions), but it unlocks a way to meet contractual and regulatory requirements for those workloads that require it.

Migration to AWS CodeCommit, AWS CodePipeline and AWS CodeBuild From GitLab | AWS DevOps Blog – What part of the Dewey decimal system houses “how-to guides for things nobody is doing?”

AWS Security Profiles: Dan Plastina, VP of Security Services | AWS Security Blog – In a “wait, what did I just read” moment Dan mentions that he keeps up on AWS service releases via… this newsletter. Huh. People read this?!

Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service | AWS Security Blog – This incredibly carefully worded post distills down to “you have to PUT to get a token that you then use to GET the instance metadata.” It’s a security defense–or will be once you turn off the original metadata service. We can expect Amazon to deprecate the original version on the third of Neveruary.

Identify unused IAM roles and remove them confidently with the last used timestamp | AWS Security Blog – You just know, deep within your cynical hearts, that AWS is only making it this easy to remove unused IAM roles because they don’t bill for them.


CHAOSSEARCH allows you to turn terabytes of raw data into actionable insights in minutes… literally. If you want to use Elasticsearch APIs but want to spare yourself the constant “my Elasticsearch cluster has fallen over and it won’t get up” moments, check them out. Your data lives in your own S3 bucket, while their magic provides incredibly responsive queries… and you never have to move your data. Reach out to CHAOSSEARCH and tell them I sent you, and also to turn off their caps-lock key.

Duo has released an IAM linter, called Parliament.

An example of using the CDK as a tech demo.

… and that’s what happened Last Week in AWS.

Newsletter Footer

Sign up for Last Week in AWS

Stay up to date on the latest AWS news, opinions, and tools, all lovingly sprinkled with a bit of snark.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Sponsor Icon Footer

Sponsor a Newsletter Issue

Reach over 30,000 discerning engineers, managers, and enthusiasts who actually care about the state of Amazon’s cloud ecosystems.