Good Morning!

Welcome to issue 199 of Last Week in AWS. My article on AWS’s compensation model has gotten a fair bit of notice; there are a few things I’ve learned that I’ll be working into an update at some point; thanks to all who reached out; I hope it’s helpful.

The world continues to turn, AWS continues to… AWS, and for once the only atrocities worth mentioning last week involved hedge funds, Reddit, and GameStop in what I can only presume was a weird preorder scheme gone awry. Onward!

From the Community

This issue is sponsored in part by my friends at ChaosSearch! As you know, log analytics at scale with an ELK Stack can be expensive, unstable, and relentlessly time-sucking. Now try ChaosSearch – a fully managed log analytics platform that delivers the Elasticsearch API you love, but with absolutely NO Elasticsearch under the hood! ChaosSearch leverages your own Amazon S3 as a data store, which means no data movement, no data retention limits and savings of up to 80% vs an ELK Stack. In fact with ChaosSearch, you just Store, Connect & Analyze to start experiencing insights at scale from ALL of your data (tell them Corey Quinn sent you)! Sponsored

Every time Forrest Brazeal writes an article I get irritated and sad that I didn’t write it instead. The career-changing art of reading the docs continues this depressing (to me) tradition.

Someday I might use SES; a dive into how to write AWS SES email templates using MJML is a step closer to that very, very strange day.

On the one hand, I love the idea of using Serverless to build an app that lets you rediscover liked tweets. On the other hand, I’ve liked 63.7K tweets so it’s useless for the way I abuse Twitter.

“The Simpsons” once had a bit about a deep fryer that could flash-fry a buffalo in 45 seconds. “45 seconds?” moaned Homer. “But I’m hungry now!” For all of the folks for whom that resonated, Firecracker is for you.

There are a lot of dives into the CDK. What makes this one stand out is that it’s not written by an AWS employee.

This comic is the best explainer I’ve seen yet on VPC networking. It’s amazing.

This Bloomberg article (paywalled) talks about how Amazon Game Studios Struggles to Find a Hit. What’s the AWS angle? Merely that they dunk on Amazon via its own Leadership Principles just like I do, and they talk about what a clownshow Lumberyard apparently is.

There are whispers afoot that Pixlr is our latest S3 Bucket Negligence Award winner.


If you’ve got an interesting job for this newsletter’s eminently employable subscribers, get in touch!

Perhaps you’ve had trouble with the Amplify framework. Perhaps you’d like to help others avoid the challenges you’ve overcome. Consider applying to become a Developer Support Engineer for the Amplify Framework. Work directly with open source users via GitHub issues – help reproduce customer issues, and answer their questions. Work with developers where they hang out, including Discord, Twitter, GitHub (as always it’s pronounced Jith-Ubb), Stack Overflow, and more. Note that this is a highly technical role – you should ideally have some front end knowledge (JS + 1 framework (React, vue, flutter, react native, etc..) is preferred. Note that this is NOT a typical “support” role–it reports through the Amplify service team itself.

Choice Cuts

Download today: Kubernetes security ebook – tips, tricks, best practices

The rapid adoption of Kubernetes to manage containerized workloads is driving great efficiencies in application development, deployment, and scalability. However, when security becomes an afterthought, you risk diminishing the greatest gain of containerization – agility. Download this ebook to learn how to (1) build secure images and prevent untrusted/vulnerable code, (2) configure RBAC, network policies, and runtime privileges, (3) detect unauthorized runtime activity, and (4) secure your Kubernetes infrastructure components such as the API server. Sponsored

Amazon EBS announces CloudWatch metrics with 1-minute granularity on all EBS volume types – This is at no additional cost. When your monitoring systems starts querying these once a minute? That’s where the giant additional cost comes in…

Amazon Elastic File System triples read throughput – I have a hard time envisioning a situation where you both opt to use EFS and have read throughput concerns, but if that’s you then this is your lucky week I guess?

Amazon Elasticsearch Service extends encryption at rest and node-to-node encryption to existing domains – “It was awful, but I finally finished migrating all of our Elasticsearch data to a new cluster so that we could enable encryption at rest and between nodes. Now to take a big sip of coffee and read Last Week in AWS to see what happened last week.”

Amazon Timestream can now be used for workloads subject to HIPAA, ISO, and PCI DSS – What they lost in being slow to market they pick up by being quick to compliance attestation.

Amazon Transcribe Medical now provides automatic Protected Health Information (PHI) identification – This is going to be incredibly helpful to a lot of healthcare providers; it’s easy to see why unless you have ((FLAGGED: POTENTIAL PHI)))your head up your ass((END FLAG)).

Amazon GuardDuty introduces machine learning domain reputation model to expand threat detection and improve accuracy – “We made GuardDuty better, can we publish a blog post on it?” “Only if you claim that you did it via the magic of Machine Learning and use that phrase repeatedly. I’ve got a promotion riding on that…”

Finding savings from 2020 re:Invent announcements – These are handy tips that do work, but my favorite part is the multiple lines of SQL you’re supposed to shove into Athena. Apparently this wins the prize for “the most convoluted possible way to figure out how much you’re paying for gp2 volumes” over “arithmetic” and “Cost Explorer.”

How well do you know your data in AWS? Can you inventory it all? Are sensitive data where they shouldn’t be? Are there hidden data exposures? Can data flow across boundaries where it shouldn’t? For a limited time to qualified businesses, Open Raven offers a free assessment to find your data risks in AWS and improve your data security posture. Our data security visibility and compliance platform discovers, maps and monitors what others can’t see. Sign up today for a free data risk assessment on AWS. Sponsored

Making Artificial Intelligence Real – I love it when an Amazon blog post contains an admission of a point I’ve been making for years.

Performing anomaly detection on industrial equipment using audio signals – At last, there’s a machine-learning powered way to detect the dulcet tones of a $20 million laser cutter tearing itself apart from the inside out.

Extending AWS Control Tower to securely accelerate our customers – …into the side of a mountain, because Control Tower still needs an awful lot of work to be a responsible decision. Note: the cowards took it down, but there’s a mirror at this link.

On-the-fly video conversion with Amazon CloudFront, Lambda@Edge, and AWS Elemental MediaConvert – For something like this you have two options as a company: you can tell your customers to build it themselves, or you can charge them a lot of money to do it for them. Amazon chose to do both.

Access AWS GovCloud (US) through the CLI with Azure AD credentials – This is likely to scare the living hell out of an auditor, but I’m willing to be surprised.

Sudo Security Issue – “This isn’t an issue for AWS customers at all unless you’re running Linux yourself inside of an EC2 instance, but who on earth would do something like that, right?”

Security Overview of AWS Lambda – Overview-AWS-Lambda-Security.pdf – An update to the Lambda security whitepaper (PDF warning) highlights the latest security advances. You may continue to use Lambda to securely patch the gaps between AWS services and pay for the privilege.


We’ve been benchmarking AWS vs Azure vs GCP for three years now. This year, we tested 54 machines, ran 1,000+ benchmarks, and questioned innumerable assumptions. We do it all for you, dear reader. To help you evaluate the clouds and their machines, and to help you choose the right configuration for your app.On many of the benchmarks, the margins were razor thin. Nevertheless, trends emerged. GCP’s throughput? Can’t be matched. Amazon’s network latency? Unbeatable. Intel chips? Stumbled. Wait, what now?Read the 2021 Cloud Report — or skim the highlights. Sponsored

You may not have thought about Riot Games in a while, just as they haven’t through about cloud-inquisitor in a while past making it clear they won’t be accepting outside PRs anymore. Someone who’s good at things please fork this.

The internal DynamoDB Data Modeler that Amazon used for its own migration off of Oracle has now been turned into a webapp that others may use.

Using DNS as a database to store state is exactly what K8GB does. I’m incredibly proud.

… and that’s what happened Last Week in AWS.

Newsletter Footer

Sign up for Last Week in AWS

Stay up to date on the latest AWS news, opinions, and tools, all lovingly sprinkled with a bit of snark.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Sponsor Icon Footer

Sponsor a Newsletter Issue

Reach over 30,000 discerning engineers, managers, and enthusiasts who actually care about the state of Amazon’s cloud ecosystems.