Welcome to the 27th issue of Last Week in AWS.
Last week was odd, and this one’s shaping up to be even stranger. Today per-second billing kicks in, as does a thus-far unannounced price cut to T2 instances. The drumbeat of re:Invent preparations is growing clearer, and security remains a distant afterthought in many shops. Onward!
Community Contributions
Remind gives a review of what they’ve done in the past month. Worth reading if for no other reason than a peek inside their operations group’s interaction with AWS.
Gartner’s new IaaS market share report is out, and it shows Alibaba beating out Google. Azure beats Alibaba, and (as should be no great surprise) AWS is lightyears ahead.
Cloudonaut posts about a simple way to use Cloudwatch to manage messages from containers.
AWSgeek once again has a great graphical summary, this time of the Application Load Balancer.
This tutorial comes up with a neat way of tying together EC2, Lambda, and API Gateway, all in the name of playing Factorio. Hey, it beats the usual WordPress examples.
The drumbeat continues on the march to re:Invent; here’s a round-up of guides to the event. This will be my first re:Invent– advice welcome!
This week’s S3 Bucket Negligence award goes to Verizon Wireless. At this point I’ve run out of snarky things to say about these companies, so I’m just going to go back to the idea that the companies, their security teams, and their security team members’ parents should all be very, very ashamed.
You may have a job that pays you to do actual work, and thus not particularly interested in a Youtube-To-Gif bot, but don’t let that fool you; this walkthrough takes you through a number of interesting aspects to building serverless environments sensibly.
A fun interview with the formidable Eric Hammond about Lambda, the power of code, Timercheck.io, and his long involvement with AWS.
Hackernoon publishes a post on the concept of correlation IDs in a microservices architecture, and how they become instrumental in determining just what the hell is going on in your murder-mystery of a serverless environment.
I was extremely disappointed to misread the title of “Streaming data with Kinesis on AWS”; hence the title of this newsletter this week. My disappointment aside, this is a solid article on how to work with Kinesis for large volumes of streaming data.
Improving SSH security in the cloud – Ofer – Medium –
Upguard talks about encountering a “whoops, that’s not a good failure mode” mode with tarpitting in AWS. I’m not sure I agree with their conclusion; telling an attacker that they’ve tripped a tarpit often renders the technique useless. Still, worth a look if you’re getting credential failures in AWS and can’t quite figure out why.
Eric Hammond discusses his experiences (along with tips and tricks) for using the CLI to create Organizations accounts. I suspect we’re going to see increased adoption of Organizations as it becomes more fully baked over the coming months.
Choice Cuts From the AWS Blog
AWS CodeBuild Now Supports Building GitHub Pull Requests – CodeBuild now supports both building of Github PRs, and the argument that CodeCommit is a crappy replacement for Github.
AWS Glue now supports Filter and Map transforms – You can now remove items from your dataset that Glue is processing if they don’t meet your standards based upon pattern filters. You could also remove AWS services that don’t meet a “ready for primetime” filter, but then we wouldn’t be talking about Glue…
Natural Language Processing at Clemson University – 1.1 Million vCPUs – Clemson saved a mountain of money by running large scale NLP job on Spot instances. How much money? Hah— why would AWS mention dollar figures at all? Just take it on faith that it was a lot.
AWS CloudFormation Now Provides Stack Termination Protection –
Chalice – 1.0.0 GA Release | AWS Developer Blog – This is fun– Chalice and SAM are both built by AWS, and compete functionally with one another. Rest easy, knowing that whichever one you choose is undoubtedly the wrong one.
In the Works – AWS Region in the Middle East – A new AWS region is planned for the Middle East (specifically Bahrain). More admirable than the technical accomplishments is the great pains Amazon has gone to in order to avoid mentioning anything even slightly political in relation to this announcement– it’s the only smart way to play this.
Tools
You may find it handy to get a Slack alert that goes off every time an IAM policy is changed. This is likely to be of interest to many security-focused teams, while completely ignored by the teams that could most use something like this. I look forward to seeing their upcoming S3 bucket permissions failures.
Wouldn’t it be great to be warned about keys accidentally posted to Github? Well now you can be.
Amazon S3 point in time restore – Madisoft S.p.A. –
This is apparently a good week for Slack notifiers; this one lets you know when your Elastic Beanstalk managed updates update a platform.
Tip of the Week
This week’s tip is less technical than some, but with the embarassment of breaches we’ve been seeing lately it seems timely. Take a look at your environment, and really think about what your risk exposure is. If you screw up S3 permissions, would you know? If someone changes IAM policies, how could you tell? If I see a URL request a team member makes, can I become them without needing to authenticate against something central? If I steal IAM keys from an engineer, how long will they be valid for / what kind of damage could I do? If an employee is terminated today, and has a combination of “seething rage” and “poor judgement,” how much damage could they do with their insider knowledge?
These aren’t easy questions to answer, and remediation is never painless– but it’s worth understanding where your risks lie so you don’t get blindsided when your company winds up on the front page of the New York Times.
I’ll do my best to include a more technical tip next week. In return, please do your best so I don’t have to go through this list again.
…and that’s what happened Last Week in AWS.
