Good morning!

Welcome to issue number 116 of Last Week in AWS.

I’ll be in New York next week for the summit, but also to bother people. If you’re in NYC and want to catch up, or hear me rant about some technology or other to folks in your office, let me know. I’m always up to meet folks with interesting AWS environments, as well as pass out Billie the Platypus stickers, pins, and drink umbrellas.

Last week was the inaugural reinforce, AWS’s security conference. I gave a session which went well, and was mentioned in the keynote by Amazon’s CISO Steve Schmidt, which is unreal to me. Someone probably got fired for letting that slip into the final version, but I’m grateful just the same.

From the Community

I have fun with titles, but I can’t improve on the Annoying State of Lambda Observability.

Com MacCárthaigh once again has a Twitter thread worth reading–this time about how VPC encryption works. Pack an extra 40 IQ points; this one goes deeper than I can follow.

Noted code terrorist Ian McKay returns, this time with a terrifying series of hacks in service of automating AWS account deletion. The fact that he has to go to these lengths to achieve a very useful pattern should be taken as an incredibly strong indicator that there’s a feature request here.

Not AWS specific, but an overview of how HTTPS works is well worth the time to brush up on.

I livetweeted the re:Inforce keynote. Much to my surprise, I was mentioned in it. My apologies to whoever got fired over that one…

Werner has a blog post about automated reasoning as applied to security; worth the read.

An S3 Bucket Negligence Award to MGET, for exposing apprentices’ passport details and employment agreements.

The story of how Quantas (“You’re the reason we fly!”) leverages AWS Systems Manager (“You’re the reason we drink!”) to run over 250 applications with a platform team of only twelve people. This is an impressive story of a company that has a business in the real world leverages cloud technologies to achieve large scale things without hurling people at the problem.

This S3 Bucket Negligence Award is shared between Netflix, Ford, TD Bank, and others–all for trusting the wrong vendor with crappy security controls. As a reminder, you can outsource work but never responsibility.

This issue is sponsored in part by Site24x7, a full-stack monitoring service by Zoho.

Site24x7’s powerful features not only enables you to gain insight into the resource usage of your AWS hosted infrastructure but can also tell you how much they are costing your organization. So you get to kill two birds in one stone, without blowing your IT budget. Give it a try.

This week’s issue is sponsored in part by LightStep.

With distributed systems, the current state of most monitoring rounds down to “Observerless.” Meet LightStep. LightStep offers complex APM for modern applications. Designed with modern, high-scale, high-traffic architectures in mind, LightStep makes it easy to spot, diagnose, and solve performance issues.


If you’ve got an interesting job for this newsletter’s eminently employable subscribers, get in touch!

Once upon a time, I wrote a not-particularly-flattering article about Amazon CloudWatch. As a result of that article, I got to meet Bob Wilkinson, the CloudWatch GM. He demonstrated exactly what Amazon means by “customer obsession” via thanking me for my feedback instead of punching me in the face as I oh so very richly deserved–and then fixing the things I’d pointed out! The entire team is like that–and despite what you may think, I’d endorse working on Amazon Cloud Watch if massively scaled time-series problems are up your alley. Interesting problems, empathetic leadership, and the best perk of all: when the cloud catches fire, your tools are how the world watches it burn.

X-Team is hiring for a fully remote team, anywhere on the planet. The work is interesting, they partner with companies you’ve heard of, and you can work from wherever you care to be. Now before you wind up getting cynical, let me save you some time–I already did, and hopped on a phone call to chat with them and then berate them for their crappy culture. Instead I was pleasantly surprised: they invest in their people (including a personal development stipend), they have distributed community events (both online and in person around the world), and actually work with their employees; this isn’t a “send us a postcard if you ever get there” body shop. They’re looking for folks with AWS skills, as well as a wide variety of other technical abilities; this is legit. Take my word for it; check out X-Team and see for yourself. Tell them Corey sent you…

Choice Cuts

Amazon CloudWatch Events Now Supports Amazon CloudWatch Logs as a Target and Tagging of CloudWatch Events Rules – Hooray! A CloudWatch component now supports another CloudWatch component! It’s impossible to read this as anything other than “two quarreling team members have resolved their differences,” so I just want to congratulate the two of them on burying the hatchet.

Amazon Connect Launches Contact Flow Versioning – This is a very elegant rephrasing of “we installed an Undo button.”

Amazon DynamoDB now supports up to 25 unique items and 4 MB of data per transactional request – Now shove more and more data into a transactionally aware NoSQL database. There’s no way this ends poorly once I get my grubby paws on this for my next terrible architecture…

Announcing Amazon VPC Traffic Mirroring for Amazon EC2 Instances – We’ve been asking for this for a long time–now we get it, years after we all collectively found ways around it. You’ll still need something else to parse the packet flow; you don’t want to do this yourself.

AWS Control Tower is now generally available – I spent some time trying to get this up and running. It’s better than Landing Zone was, but would still benefit from a step by step tutorial. Please don’t make me build it myself…

AWS Marketplace now integrates with your procurement systems – This is huge, and one of the primary reasons you’d want to use Marketplace in the first place.

AWS Security Hub is now generally available – This is a wrap-up service for humans to strain through the raw sewage of security events to extract valuable signal.

Introducing Amazon EC2 Instance Connect – EC2 Connect lets you connect to instances without having to either manage your own SSH keys or tolerate the terrible naming of Systems Manager Session Manager.

Network Load Balancer Now Supports UDP Protocol – “What, so now I can load balance DNS” say sarcastic people with stunted imaginations. This is huge; UDP is used in a lot of applications (streaming media, mosh, NTP, VOIP). This feels like the last brick to fall into place for a lot of folks clinging to ELB classic load balancers. I’m very glad to see this release.

Introducing Service Quotas: View and manage your quotas for AWS services from one central location | AWS Management Tools Blog – This tool lets you manage your increase requests for service limits–wait, sorry, they’re called Service Quotas. We’ve never heard it called that way until now, but we’re going to studiously ignore that.

AWS Security Profiles: Mark Ryland, Director, Office of the CISO | AWS Security Blog – Surprisingly, an interview with someone who works in security that isn’t just a bunch of answers consisting of variations on “Sorry, I can’t tell you that.”

Introducing the AWS Security Incident Response Whitepaper | AWS Security Blog – A well-crafted dive into how other, how to say, lesser companies might consider responding to security incidents. AWS themselves has no security incidents to report at this time or any other. The whitepaper is suspiciously good for folks with nothing to report themselves–ignore my snark, go read it…

Re:Inforce 2019 wrap-up and session links | AWS Security Blog – The AWS Security Blog’s wrap-up of re:Inforce is for some reason not entirely about me, but it does link to my session, so that’s nice.


Revisiting an old tool, graffiti-monkey tags everything in an AWS environment rather well.

A CLI to build and deploy microservices in AWS, which I posit you should never do unless forced.

I pondered about a way to run arbitrary shell commands on Lambda rather than on my local machine, and someone actually built it.

This issue is sponsored in part by Postmark.

Postmark provides lightning fast delivery for your application emails. Our mission is to deliver your transactional email to customers on time, every time. It’s incredibly easy to integrate with our API, and we give you unparalleled insight into each and every email and recipient. Our hope is that you can just forget about your email and focus on building your app — but if you do need us, a helpful human is always just an email away. Try us out, and use the code AWS20 to get 20% off for 3 months.

… and that’s what happened Last Week in AWS.

Newsletter Footer

Sign up for Last Week in AWS

Stay up to date on the latest AWS news, opinions, and tools, all lovingly sprinkled with a bit of snark.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Sponsor Icon Footer

Sponsor a Newsletter Issue

Reach over 30,000 discerning engineers, managers, and enthusiasts who actually care about the state of Amazon’s cloud ecosystems.