Welcome to the 23rd issue of Last Week in AWS.
Happy Labor Day if you’re in the US; Happy Monday otherwise. I spent last week in Ireland for SREcon EMEA, where I spoke about managing AWS bills. It was a great trip– and I’ll be sure to link the video of my presentation when it gets posted.
This week’s issue is sponsored by GorillaStack’s CloudTrail Slack Integration – it’s completely free!
Define & manage real-time workflows to monitor AWS CloudTrail events right from within Slack. Use GorillaStack to get alerts into your Slack environment as soon as events hit your CloudTrail log. Apply your own rules so that the important events show up to the right user in the right channel!
Community Contributions
I couldn’t find a good resource about the Route53 exclusive features (health checks and traffic policies specifically) so I wrote one myself. Generously hosted by A Cloud Guru, this ideally makes these Route53 components slightly more clear.
With all of the noise lately about data exposure due to improperly secured S3 buckets, you might think it a good idea to double check that none of yours are exposed. You know how I can tell you don’t work for Time Warner Cable or a vendor to the Department of Defense?
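As an added check (not from the newsletter or the piece it links), here is the offline half of such an audit: it evaluates the ACL and bucket-policy documents that boto3's get_bucket_acl and get_bucket_policy return, on constructed sample buckets, and flags the two ways a bucket ends up world-readable. Bucket names, the owner ID and the VPC endpoint ID are placeholders.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"          # everyone
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTH_USERS}


def acl_is_public(acl):
    """True if any grant in a get_bucket_acl() result targets a public group."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
               for g in acl.get("Grants", []))


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": ["*", ...]} also means anyone
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_is_public(policy):
    """True for an Allow statement to a wildcard principal that carries no Condition.
    A Condition (aws:SourceIp, aws:SourceVpce, ...) can narrow a wildcard principal,
    so conditioned statements are left for manual review rather than flagged."""
    return any(s.get("Effect") == "Allow" and "Condition" not in s
               and _wildcard_principal(s.get("Principal"))
               for s in policy.get("Statement", []))


def audit_buckets(buckets):
    """buckets: iterable of (name, acl_dict, policy_dict_or_None); returns exposed names."""
    return [name for name, acl, policy in buckets
            if acl_is_public(acl) or (policy is not None and policy_is_public(policy))]


# Constructed sample data in the shape boto3 returns (policy JSON already parsed).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = [
    ("private-backups", {"Grants": [OWNER]}, None),
    ("public-assets", {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                          "Permission": "READ"}]}, None),
    ("cdn-origin", {"Grants": [OWNER]}, {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::cdn-origin/*"}]}),
    ("vpc-only", {"Grants": [OWNER]}, {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::vpc-only/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]}),
]
```

Feed it real data by looping over list_buckets and passing each bucket's get_bucket_acl result and json.loads of the get_bucket_policy Policy string (None when the call reports NoSuchBucketPolicy).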
Here’s a great tip for knocking a pile of money off of your AWS bill if you’re an EU customer. Please speak with an accountant first; I have no inkling as to the potential tax or legal consequences of this, as EU tax law is about as far from my wheelhouse as you can get.
AWS Principal Evangelist and all-around swell guy Julien Simon demos how ridiculously fast the I3 instances and their NVMe disks are– by building FreeBSD in under 11 minutes. For reference, that used to take “go out to lunch, stay for a movie, make it a double matinee, hey it’s quitting time, come back in the morning” time.
As companies start using Organizations to spin up and manage more AWS accounts (it’s a great organizational pattern), working cross-account becomes an increasing challenge. Here’s a handy way to run AWS Lambda functions in multiple accounts simultaneously.
This one’s near and dear to my heart, as I was one of the very early developers behind SaltStack. I was the initial Ubuntu packager (“if you want something done right, do it badly enough that skilled people are horrified enough to step in and take over for you”), and was a community advocate for the project. In this blog post, Ryan Lane of Lyft discusses using SaltStack instead of Terraform to orchestrate the creation and destruction of AWS resources. I don’t know that I’d go down this road in 2017, but it’s worth a read regardless if you think about orchestrating AWS resources at significant scale.
iPlayer walks us through their use of AWS Lambda– but the interesting bits are less in their specific use case, and more about how they get around Lambda’s strict package size limit.
One of these days I’m going to replace the sign-up page for Last Week in AWS with something that uses Lambda and API Gateway– what I have works, but is nowhere near complex enough to impress people with (after all, everyone’s most important project is “their resume”). When I do, this guide to using Lambda to create a contact form is likely the template I’ll follow.
“How would I write a Lambda function to remove my intrusion attempts from the CloudTrail logs” is a question that many pen testers / evil people have asked themselves. Here’s an example of exactly how that might look– and why taking care about how you manage and store your logs is critically important. If you’re a CISO who’s not going to sleep well tonight as a result, you’re welcome.
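An added example of the defender’s side, not from the newsletter or the post it links: a detector run over constructed CloudTrail records that flags the events which switch logging off or delete from the trail bucket. It assumes the records land somewhere the workload account cannot erase (a trail delivered to a separate logging account, or CloudWatch Logs) and that S3 data events are enabled for the log bucket, since object-level deletes are otherwise not recorded at all. Account ID, role and bucket names are placeholders.

```python
import json

# CloudTrail management events that switch off, reconfigure or delete a trail.
TRAIL_CONTROL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# S3 actions that, aimed at the log bucket, destroy delivered logs or loosen who may.
BUCKET_TAMPER_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket",
                        "PutBucketLifecycle", "PutBucketPolicy", "PutBucketAcl"}


def find_log_tampering(records, trail_bucket):
    """Return (eventName, actor ARN) for every record that touches the audit trail itself."""
    hits = []
    for rec in records:
        name, source = rec.get("eventName", ""), rec.get("eventSource", "")
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        params = rec.get("requestParameters") or {}
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_CONTROL_EVENTS:
            hits.append((name, actor))
        elif (source == "s3.amazonaws.com" and name in BUCKET_TAMPER_EVENTS
              and params.get("bucketName") == trail_bucket):
            hits.append((name, actor))
    return hits


def scan_log_file(text, trail_bucket):
    """Parse one CloudTrail delivery file ({"Records": [...]}) and scan it."""
    return find_log_tampering(json.loads(text)["Records"], trail_bucket)


# Constructed sample records (account id, names and ARNs are placeholders).
LAMBDA_ROLE = "arn:aws:sts::123456789012:assumed-role/cleanup-fn-role/cleanup-fn"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": LAMBDA_ROLE}, "requestParameters": {"name": "main-trail"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"arn": LAMBDA_ROLE},
     "requestParameters": {"bucketName": "example-trail-logs",
                           "key": "AWSLogs/123456789012/CloudTrail/us-east-1/x.json.gz"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "scratch-bucket", "key": "tmp.txt"}},
]})
```

Pair this with CloudTrail log file validation, which lets you prove after the fact that delivered files were not altered or removed.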
VMware Cloud is arcane and confusing. AWS is a different kind of arcane and confusing. As of last week, you can now run VMware Cloud on AWS, ensuring that absolutely nobody will be able to help you troubleshoot anything ever again. That sound you just heard was consultants everywhere making spontaneous cash register sounds involuntarily.
Segment returns, with a discussion of using Parameter Store (hidden away within EC2 Systems Manager, it’s a shining jewel in what has historically been an otherwise lackluster service) to manage secrets properly.
Cloudonaut takes us on a tour through integrating SQS and Lambda. Unfortunately, SQS isn’t (today) a Lambda trigger, so you get to jump through a couple of hoops to do it. If history is any guide, you can expect AWS to release SQS support in Lambda precisely 20 minutes after you finish implementing something like this yourself.
Choice Cuts From the AWS Blog
New – Application Load Balancing via IP Address to AWS & On-Premises Resources | AWS Blog – You can now extend your load balancer targets to include anything with a private IP space– across VPC peering, over Direct Connect, on the other side of a VPN, something 200 years ago, etc. This brings the AWS load balancing team one step closer to their eventual goal of load balancing death itself.
New – Descriptions for Security Group Rules – I started working with AWS in 2008. If you had told me back then that it would be nine years until you could tie an IP description to a security group, I would have been certain you were messing with me. Finally, you can tell at a glance whether that single whitelisted IP is “that coffee shop in Thailand whose wifi you used to troubleshoot an issue five years ago” or “your large banking partner.”
Amazon Virtual Private Cloud (VPC) now allows customers to expand their existing VPCs – Until now, if you hadn’t sized your VPCs properly, the only answer you got was along the lines of “you shouldn’t have done that.” Now, you can expand your existing VPCs instead of embarking on a “migrate everything to a new VPC” project. This marks a victory in the ongoing war against sneering condescension.
Amazon EC2 Systems Manager Adds Configuration Compliance Reporting and Auto-Remediation – This opens up the doors for being able to see at a glance which of your EC2 instances are out of compliance with your organization’s policies without buying in to EC2 systems manager for actual management– which translates into “now your infosec group can automatically hurl remediation tickets at you by the dozen.”
Tools
Here’s a Lambda function that sends alerts for maintenance events to HipChat or Slack. “That’s great, but I already get emails about that” you may reply. That’s true– but this function handily includes the instance name instead of just a 16 character instance ID. Those can be tricky to memorize.
If you’re a Sublime Text user, firstly know that you’re wrong (vim or bust!). Secondly, check out this plugin for editing Lambda functions locally. It handles a lot of the annoying Lambda housekeeping work for you. If you’ve got a version for other editors, please send them my way.
Tip of the Week
I’ve mentioned before in a previous tip that AZs don’t map between accounts. My us-east-1a could be your us-east-1c. A number of folks have lamented this, and discussed how we might write a tool to match AZs across accounts (generally, for latency purposes). While we sat navel gazing, Mark Biesheuvel wrote one. Today it requires a cross-account role to function, but it’s well worth the time to run if you’ve got multiple accounts that naively assume consistent AZ naming.
…and that’s what happened Last Week in AWS.