Welcome to the 26th issue of Last Week in AWS. Hard to believe it’s been six months!
Last week I spoke at DevOps Days Boston, and hosted a meetup in Seattle. Apparently, I’ve got a “Fight Club” style sleep disorder, and spent the nights there setting up new CloudFront Edge locations.
Kate Turchin explains the Shared Responsibility Model via the power of song.
This newsletter is increasingly built from Lambda functions, I gave a talk on Lambda last week, but it wasn’t until I read this article that I felt I understood how Lambda versioning works.
Managing users more simply by example, via the awless shell.
A video of my SREcon EMEA talk on AWS Cost Control was posted. Feedback always welcome.
awsgeek does another amazing drawing, this time of Rekognition. I wish I had this kind of artistic ability…
Viacom gets to wear the S3 dunce cap this week. If this keeps up, “S3 Bucket Idiocy” is going to need its own newsletter section…
Choice Cuts From the AWS Blog
Amazon ECS Adds Support for Adding or Dropping Linux Capabilities to Containers – “Zzzzz… five more minutes, Mommy– I WASN’T SLEEPING!” ECS bursts awake, realizes 2017 is almost over, and frantically adds support for 2015 Docker features.
Catching Up on Some Recent AWS Launches and Publications – Jeff Barr drops a pile of miscellaneous service updates, some of which have been covered here in weeks past. I’m dreading the sheer volume of what’s likely coming soon.
AWS CloudTrail Enables Option to Add All Amazon S3 Buckets to Data Events – Instead of adding every bucket manually, you can now simply see events across all of your S3 buckets. Frantically clicking infosec people breathe a sigh of relief, wipe their brows, and then return to berating people for ridiculous S3 bucket permission blunders.
Elastic Load Balancing: Network Load Balancer now supports load balancing to IP addresses as targets for AWS and on-premises resources – I’m surprised this wasn’t in the initial NLB launch, but you can now point them to IP addresses as well as DNS entries. This allows you to load balance pretty much anything that holds still long enough.
Reset Your AWS Root Account’s Lost MFA Device Faster by Using the AWS Management Console | AWS Security Blog – It’s now marginally less awful to reset a lost MFA device for your root account– that said, the sensible fix here is generally to print out the QR code, and lock it in a safe with the rest of your Very Valuable credentials that shouldn’t be shared.
Greater Transparency into Actions AWS Services Perform on Your Behalf by Using AWS CloudTrail | AWS Security Blog – CloudTrail increments again towards being something that’s consumable by humans instead of third party tooling for which you pay a king’s ransom.
New – Stop & Resume Workloads on EC2 Spot Instances – You can now resume workloads on spot instances and fleets. As long as they checkpoint to disk, workloads that aren’t time sensitive just got a whole heck of a lot cheaper for you.
New – Per-Second Billing for EC2 Instances and EBS Volumes | AWS Blog – No longer are we forced to endure the tyranny of instances charging us for an entire hour when they’ve only run for two minutes. Our long international nightmare is over, as EC2 now bills by the second— albeit with a one minute minimum.
This script from last year’s re:Invent helps tune S3 concurrency settings for multipart uploads based upon your network connection. Handy in some cases.
Remember that you’re limited to a hard cap of 75GB of Lambda deployment packages. This blog post includes a tool to automatically clean them.
Another tool for profile management; this one is similar to virtualenv.
I love the idea of fake API tokens that alarm like crazy when someone attempts to use them. Canarytoken is a great implementation of a sneaky idea.
This Lambda functionn helps clean old images out of ECR repos. Handy as far as housekeeping tools go.
While I appreciate the idea of a remote location for SSH keys, but I can’t shake the feeling that this is reinventing LDAP.
Tip of the Week
It’s time to reevaluate spot instances / spot fleets. As of October 2nd, not only are you able to stop spot instances and resume them where they left off, but you’ll only be charged for the seconds in which they’re operating, rather than “rounding up to the nearest hour.”
If you’ve got a workload that isn’t time critical and can checkpoint itself to disk, Spot can knock ~70% off of your costs. It’s time to take a second look for many of us.
…and that’s what happened Last Week in AWS.