Good Morning!

Welcome to issue number 150 of Last Week in AWS. My apologies for any intermittent 403 links last week; my email provider let me into a private beta, and we learned why it wasn’t GA yet. Oops.

You should check out Whiteboard Confessional, a new podcast series from me that explores how whiteboard architecture diagrams might look pretty but rarely work as designed in production.

To kick off the series, we’re taking a look at everyone’s favorite database, AWS Route 53, while touching upon many topics, including:

  • What data centers used to look like
  • The emergence of virtualization and the impact it had
  • Configuration management databases and how they differ from configuration management tools like Chef and Puppet
  • Why using DNS as a configuration management database is inherently an awful idea

And more.
Listen to the first episode (“Whiteboard Confessional: Route 53 DB”) right here.
Or subscribe to Whiteboard Confessional as part of the AWS Morning Brief in your podcast app of choice.

From the Community

This issue is sponsored in part by my friends at CHAOSSEARCH! You know, Mom always said “Log analytics shouldn’t break the bank!” and finally someone has listened! CHAOSSEARCH is a fully managed log analytics platform that leverages your AWS S3 as a data store. Their revolutionary technology radically lowers costs for analyzing log data at scale, and they pass those savings on to you! If you are tired of your ELK Stack falling over, or tired of paying over-the-top prices to the current litany of ho-hum log analytics vendors out there, try CHAOSSEARCH today! So check them out and tell them Corey sent you so they can sigh exasperatedly and ask you what I said this time… Sponsored

An in-depth dive into AWS’s managed Apache Cassandra service.

Should you use GitHub Actions or AWS CodePipeline? This arti–why are we even talking about this!? GitHub Actions. You should use GitHub Actions over AWS’s equivalent every day of the week and twice on Sundays. GitHub Actions.

A walkthrough of how to securely access RDS via SSH over AWS SSM.

How do you detect data exfiltration from S3? If you’re made of money, you can supposedly use Amazon Macie. For the rest of us, check out this simple solution.

AWS acquired Datarow due to their product’s threat to AWS’s ecosystem. Specifically, a web-based client for an Amazonian database that wasn’t complete garbage. On a serious note, congratulations to everyone involved; I’m hoping for great things.

It’s nice to know that I’m not the only person who finds the current state of Cognito to be complete crap.

Forrest Brazeal talks about why cloud migrations get stuck. I would remind the good sir that they never “get stuck;” they simply get called “a successful transition to Hybrid Cloud.”

A success story of how someone implemented CI/CD for Redshift without burning the GDP of a small country in cash.

A tale of beating the crap out of MongoDB with AWS Lambda.

A fantastic thread that exposes some of the ways you can use S3’s compliance-centric object lock.

I finally snapped and did my own Downfall parody video in which you-know-who gets his AWS bill.

The PhotoSquared App wins one of our whatever-the-opposite-of-coveted-is S3 Bucket Negligence Awards for exposing over 100K customers’ photos.

A deep dive into the Jellyfish-Inspired Database that underlies EBS volumes.

An S3 Bucket Negligence Award goes to the leak of thousands of photos of plastic surgery patients. We’ll keep you abreast of any developments.


If you’re considering a job change, check out a position below. Regardless of where you find it, you should definitely negotiate your salary. If I were to magically become employable, I’d immediately head to and talk to Josh Doody about it before saying anything further. He’s done this many times before, with a special emphasis on engineering roles at FAANG companies. He’s an artist when it comes to getting the best compensation possible without seeming greedy or losing the offer. He offers coaching, free articles, an ebook, and other things along the way. Check him out–and tell him Corey’s talking about him again.

The EC2 Control Plane Platform team owns designing, building, provisioning and managing the platforms for all EC2 core services worldwide. Think magic like the provisioning backplane, the Time Sync Service, and many more. Join this storied team and see for yourself what it takes to run something of massive scale with interesting people.

Choice Cuts

How many times have you configured and reconfigured your AWS alarms in CloudWatch? Wish you could get important alerts and anomaly detection without spending forever monitoring baselines, setting your thresholds, tweaking those thresholds over time, etc?

When you integrate Blue Matador with your AWS environment, you’ll get full monitoring coverage. If something goes wrong or is about to go wrong, it’ll tell you. No setup needed. If you’re tired of configuring and reconfiguring your CloudWatch alarms every time you scale, try Blue Matador free for 14 days. We’re so confident you’ll love it that we’re giving $100 to try it. Sponsored

Amazon Managed Cassandra Service now enables you to optimize the price of throughput for predictable workloads – I maintain that this is functionally a more expensive DynamoDB with a different API.

Amazon Neptune provides an option to enforce SSL connections – Wow, how far it’s come in two years from going GA without supporting SSL connections at all.

Amazon Neptune Now Supports Stopping and Starting of Database Clusters – If you think this isn’t a big deal, YOU try stopping a runaway giraffe.

Amazon Pinpoint achieves HIPAA eligibility for the SMS channel – Sweet, my doctor can now text me my lab results at 3AM.

Amazon RDS on VMware can report disconnected status – …what the hell did it do before, just drop workloads on the floor?

AWS Console Mobile Application adds support for new services on iOS – The iOS app continues to improve, unfortunately. I’d rather see the AWS Console become responsive.

AWS Identity and Access Management (IAM) introduces a new control for requests that AWS services make on your behalf – This lets you, for instance, grant users access to create EC2 instances via CloudFormation, but not directly. Of course, this will break everyone’s favorite workflow of “using the console then lying about it.”

AWS Lambda now supports Ruby 2.7 – …but having spent some time last week trying and failing to launch a Ruby Lambda function, there’s a bigger problem: no matter what I’m trying to do with a Lambda function in Python or JavaScript, there’s a lot of stuff out there I can copy and paste from Stack Overflow. With Ruby, I’m back to first principles like I’m Hacker News.

You can now receive notifications about pull request approvals in AWS CodeCommit – But first you should probably get a notification that someone in your org is using Code Commit in the first place. That’s likely a sign that your environment has been breached by someone who works at Amazon.

You can now restore Amazon DynamoDB table backups as new tables in other AWS Regions – I think this even gets around the “you eat write capacity while restoring backups” issue, and just charges a very reasonable 15¢ per GB restored in most regions.

Savings Plan Update: Save Up to 17% On Your Lambda Workloads | AWS News Blog – This is simultaneously a huge deal and a nothing release; let me explain. The dollar value of virtually everyone’s Lambda bill rounds towards zero; even shops that are spending thousands on Lambda are spending millions on EC2. The cost savings are negligible. The reason this release is nonetheless important is that it avoids the sunk cost fallacy of “we’d like to move this well-suited application to Serverless, but we can’t because we already bought Savings Plans for the instances it runs on top of.” It frees up architectural decisions from the constraints of discounted pricing decisions. This is wonderful; please do RDS and other higher level services next!

Extend a self-managed Active Directory to AWS Control Tower | AWS Management & Governance Blog – This wouldn’t have been in my top 40 feature requests for Control Tower, but at least it shows folks are still working on it. If you work on it and would like a basket of feedback, you know where to find me!


Running a business is hard. Your cloud doesn’t have to be. DigitalOcean is the cloud that offers transparent, predictable pricing – even for Kubernetes clusters, which you’d have thought was impossible! You also won’t need 12 weeks of cloud school to absorb a zillion ancillary services just to be able to SSH into an instance. Is this the kind of simplicity you need out of your cloud provider? Check out DigitalOcean today. Sponsored

SSH over AWS SSM is another entry in a list of tools that let you bodily rip SSH out of your environment.

awsprofile gives you an easy way to switch between various AWS profiles; I’m not sure why it wouldn’t operate on the config file instead of the credentials file, though.

A quick script that lets you replace on-demand instances with Spot.

… and that’s what happened Last Week in AWS.
