Welcome to the first issue of Last Week in AWS, in which I filter through the firehose of AWS-related content to bring you news, tools, tips, and case studies worth reading, without the dreck. I’m Corey Quinn (@QuinnyPig), and here’s what happened last week in AWS.
Community Contributions
A wide-ranging writeup by Segment’s engineering team covers how they solved a business issue and knocked a million dollars off of their annual AWS bill, in The Million Dollar Engineering Problem.
This week saw the release of a masterful walkthrough of a complex topic in a way human beings have a chance to understand, in AWS IAM Policies in a Nutshell.
Choice Cuts From the AWS Blog
EC2 Run Command is Now a CloudWatch Events Target – This gives an example of running a Linux shell command every time an autoscaling group adds an instance. I suggest picking cowsay; pets vs cattle indeed.
New – Amazon EMR Instance Fleets – Amazon lets you launch EMR fleets that combine on-demand and spot instances, for a more cost-effective EMR solution without sacrificing capacity, albeit one that leaves you wondering where the hell your infrastructure lives at any given time.
Launch: Amazon ElastiCache Launches Enhanced Redis Backup and Restore with Cluster Resizing – You can now convert easily between ElastiCache and traditional Redis clusters, as well as resize/reshard Redis workloads on the fly. Sadly, you’re still running Redis.
S3 Storage Management Update – Analytics, Object Tagging, Inventory, and Metrics – You can now get a lot more insight into how you’re using S3 (spoiler: it’s bad), what your objects look like, and understand an area of AWS that we often try to handwave away.
New – Instance Size Flexibility for EC2 Reserved Instances – Reserved Instance Purchases and their closely-resembles-a-telephone-number upfront charges are now marginally less terrifying; you can apply reservations to different sized instances within the same family should your needs change.
Move Over JSON – Policy Summaries Make Understanding IAM Policies Easier – Succinct IAM policy descriptions now appear in the IAM console, in what appears to be a tacit admission that JSON may not be the best way to convey information about complex security configurations to human beings.
Tools
haldane comes to us from the folks at SeatGeek. While they’ve outgrown it, it has utility for a number of shops with different use cases. This is probably worth keeping half an eye on if you’re tired of piping AWSCLI commands to jq to perform basic tasks.
Cloud Custodian has been open sourced by Capital One. This automates a variety of policy enforcement actions, including tagging, spin up and spin down of environments on a schedule, and a boatload of compliance tasks. It’s particularly well worth checking out if you’re tired of chasing down untagged resources in larger environments.
Tip of the Week
Amazon has supported multi-factor authentication for console logins for a long time, but did you know that you can mandate MFA for API access as well (including the AWS CLI)? As an added bonus, you can pick and choose which API calls require a second factor. I posit that “the destructive ones” (think termination calls) are a good first pass! Your CISO may be interested to learn that particular tidbit…
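As an added illustration (not taken from any of the linked posts), here is what such a policy can look like: an explicit deny on a handful of destructive calls whenever the request was not authenticated with MFA. The three actions listed are an assumed starting set; swap in whichever calls count as destructive in your environment.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDestructiveCallsWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "rds:DeleteDBInstance",
        "s3:DeleteBucket"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

`BoolIfExists` matters here: requests signed with long-term access keys carry no MFA key at all, and this operator treats the missing key as a match, so they are denied too. Attach the policy to human users or groups alongside their normal allow policies; callers then get MFA-backed temporary credentials with `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>` before running the listed calls.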
…and that’s what happened Last Week in AWS.