Welcome to the 30th issue of Last Week in AWS.

In my home office, I have a wall map of all current (and pre-announced!) AWS regions and CloudFront Edge locations. It lets me reference AWS global coverage at a glance, and provides a conversation piece for visitors, such as my dog.

Today, CloudCheckr is launching a digital version of this called ZoneCheckr, spanning multiple cloud providers. It’s a great way to visualize what your chosen provider’s latency is likely to look like for your geographically distributed customers. I’m already peppering them with feature suggestions for version 2.

I’m speaking today and tomorrow at All Things Open in Raleigh, North Carolina. If you’re around, please come find me; I’ll give you a Last Week in AWS sticker.

If you have a message that you think would resonate with the technical, articulate, and well dressed readers of Last Week in AWS, check out the sponsorship page and get in touch.


This week’s issue is sponsored by DevOps’ish. I’m a sucker for newsletters with personality, and Chris Short’s is the best one I’ve found recently with a voice that comes across like a human wrote it instead of an algorithm. I’m looking forward to sharing a stage with him at the Lightning Talks tomorrow here in Raleigh.

Community Contributions

In a guide that seemingly talks more about gambling than AWS are hidden nuggets of wisdom about re:Invent next month. I strongly approve.

A useful writeup about the SNS / SQS fanout gotcha.

This is part 1 of a story about moving a ludicrous number of database tables to Aurora, while showcasing that DMS still remains unsuitable for any data migration project wherein you care about data integrity.

Cloudonaut highlights a little-known feature of AWS— namely, that you can use IAM credentials to authenticate to RDS instead of traditional database users.

This week’s S3 Bucket Negligence Award comes from the healthcare field. Stop it stop it stop it you’re ruining everything…

It never ceases to amaze me how people love to pile on to AWS’s strategic choices and call them out as complete nonsense. (Note that I instead pile on to AWS’s implementation choices and call them out as complete nonsense— this is a key distinction!) I’m joined in this viewpoint by CIO Magazine, who takes critics to task for failing to grasp AWS’s open source strategy.

Selling bitcoin and other Dunning-Krugerrands requires a high security bar. Coinbase grasps this, and opines on why you need more than one AWS account in this thought-provoking piece.

While I love the learning aspects of Linux From Scratch and appreciate the technical aspects of getting it working on EC2, I think running it in production is a bridge too far. It’s not a technical objection so much as a “what do you want to focus your paid efforts upon.” For me, that’s not “curating a Linux distro.” If that ever changes I’ll go work at RedHat.

“AWS must do what everyone else is doing!” bleats this piece on kubernetes that misses the forest for the trees completely.

iRobot’s Ben Kehoe (who is ostensibly not a robot) writes about how serverless AZs are the missing level of resiliency for AWS– specifically that if you had availability zones for Lambda functions you’d be more resilient. I’m tempted to agree, but I’m skeptical that AWS would successfully maintain a discrete control plane cross-AZ; the kind of issue that could take out Lambda feels to me like something that could cross AZ boundaries pretty easily…

Amazon has published a pile of Best Practices for Working with AWS Lambda Functions that goes beyond the single word answer of “Don’t.” Some of these were new to me– you may want to take a look and see what you’ve missed in this rapidly evolving space.

A decent step by step walkthrough for creating a serverless API using AWS API Gateway came out last week, and is proving helpful as I start messing around with DynamoDB myself. “Want to know how I got these scars” indeed…

This Stack Overflow answer goes into the byzantine Hollywood accounting of how T2 burst credits are calculated. It’s… non-obvious and feels slightly predatory.

Choice Cuts From the AWS Blog

Manage Amazon Simple Queue Service costs using Cost Allocation Tags – SQS now supports cost allocation tags. Why not, it’s only the oldest AWS service. No need to be hasty or anything…

Amazon EC2 Spot Can Now Encrypt your EBS volumes at launch time – Spot instances become more and more capable, while continuing to turn “this instance may disappear without warning” from a tragic and unfortunate reality into a headline feature.

Amazon Redshift announces Dense Compute (DC2) nodes with twice the performance as DC1 at the same price – Fun AWS fact of the week! “Dense Compute” nodes are only called that because of the overwhelmingly negative reaction to their original name of “Idiot Moron Compute” nodes.

AWS CloudHSM is now available in the US West (N. California), Canada (Central), EU (Frankfurt), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo) Regions. – This is huge for some folks; CloudHSM is now available in a lot of places it wasn’t before. If this means nothing to you, please pause for a minute to appreciate just how ridiculously fortunate you are.

Amazon Elasticsearch Service announces support for Amazon Virtual Private Cloud (VPC) – After years where S3 was the only service with VPC endpoints enabled, we’re seeing a renaissance in VPC endpoints being rolled out to other services far after we’ve all had to architect around the lack. Better late than never…

Amazon Device Farm Launches Direct Device Access for Private Devices – Amazon adds impressive features to a service that I maintain doesn’t really exist, hoping one of their competitors will take the bait and build such a thing. I certainly appreciate their dedication to the joke.

Introducing Windows Server for Amazon Lightsail – Good news everyone! You can now run a bunch of unpatched attack platforms Windows machines in AWS Lightsail.

Switch the tenancy of your VPC from Dedicated to Default instantly – If you just finished a slow and painful migration out of a dedicated tenancy VPC last week, you’re probably furious as hell to find that all of that work was completely unnecessary. Once again, it pays to procrastinate.

AWS WAF Now Supports Geographic Match – ♪ ♫ ♬ Well from all around the world, bad traffic keeps on coming / exploits keep on pouring in from Duluth, wait now it’s Dubai / WAF finally woke up to the state of modern DoS vectors / tell me why in the world was it so hard to block China? ♪ ♫ ♬

AWS WAF Now Supports Regular Expressions (Regex) – Let’s say you have a problem. You use regular expressions, now you have— HTTP ERROR 500 Service Unavailable.

Optimize your Amazon Elasticsearch Service domains using slow logs – I don’t understand why this is news; all of AWS’s logs take freaking forever to show up in— wait, I think we may be talking about two different things.


This is a gorgeous tool for managing SSH keys across multiple AWS accounts.

Another week, another S3 bucket permissions auditor. You keep leaking bucket contents and I’ll keep posting these, in a Sisyphean task that will likely last until the end of days.

I’m not sure if Is the Cloud up gets its data directly from gaslighting.me or not, but it’s a great bird’s eye view for determining at a glance whether or not a provider’s having a widespread issue.

From the “why the hell isn’t this built in already” department comes a function that lets you delete snapshots of deregistered AMIs.

Tip of the Week

Last week’s introduction of cost allocation tags to SQS got me thinking; there’s been a lot of movement lately regarding what resources are taggable, and how tags work in general.

As a result, this week’s tip is more of a homework assignment. It’s a good time to go diving into Cost Explorer (hidden in the billing console) and see what your “untagged” resources look like. SQS queues, EBS snapshots, DynamoDB, and more have all gained cost allocation tagging as a feature over the past year. The AWS Tag Editor is a useful way of tagging resources in one fell swoop, and previous issues have highlighted tools such as Cloud Custodian and Graffiti Monkey that let you propagate tags from primary resources (such as an EC2 instance) to secondary (EBS volumes) and tertiary (EBS snapshots) resources automatically via Lambda.

Note as well that we’re now limited to 50 tags per resource instead of the original 10.

…and that’s what happened Last Week in AWS.

Newsletter Footer

Sign up for Last Week in AWS

Stay up to date on the latest AWS news, opinions, and tools, all lovingly sprinkled with a bit of snark.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Sponsor Icon Footer

Sponsor a Newsletter Issue

Reach over 30,000 discerning engineers, managers, and enthusiasts who actually care about the state of Amazon’s cloud ecosystems.