Good Morning!

Welcome to issue 154 of Last Week in AWS.

I’m brushing up on my video skills lately; it seems we’ll doing a lot of webinars as an industry this year. If you’re interested in my dulcet tones and dry wit gracing your event, please get in touch.

From the Community

This issue is sponsored in part by my friends at CHAOSSEARCH! You know, Mom always said “Log analytics shouldn’t break the bank!” and finally someone has listened! CHAOSSEARCH is a fully managed log analytics platform that leverages your AWS S3 as a data store. Their revolutionary technology radically lowers costs for analyzing log data at scale, and they pass those savings on to you! If you are tired of your ELK Stack falling over, or tired of paying over-the-top prices to the current litany of ho-hum log analytics vendors out there, try CHAOSSEARCH today! So check them out and tell them Corey sent you so they can sigh exasperatedly and ask you what I said this time… Sponsored

A very even-handed review of GCP vs. AWS. Having been using a bit of both lately, it’s nice to know my impressions aren’t just my own shortcomings manifesting as complaints about cloud services.

Some advanced AWS networking pitfalls that you’d best avoid.

Cloudonaut writes about how to seamlessly monitor EC2 instances with the CloudWatch agent. The monitoring may be seamless, but the process of getting the CloudWatch Agent installed on an existing fleet of Ubuntu instances is molten garbage.

There are so many service meesh you can choose from–but what the hell is a service mesh in the first place? I can’t improve on this title at all, so go read The Service Mesh: What Every Software Engineer Needs to Know about the World’s Most Over-Hyped Technology.

The IEEE has a post up about how scientists are working from home via labs in the cloud.

Current Duckbill Group client and all around great place to work Scribd figured out how to enable read-only ECR access for the entire AWS Organization and then wrote down instructions for everyone else.

I opine at length about AWS Redshift Billing’s overhaul. “Wait, you mean that was on the record?”

AWS has committed $20 million to Coronavirus: Amazon AWS commits $20 million to COVID-19 research. A common refrain is that this is too paltry of a sum, or that Amazon should be doing way more. I don’t have a formal opinion on this, but I will say that one of the hardest things I have to do is find a non-controversial charity to donate t-shirt proceeds to every year. It seems that St. Jude is about the only thing that qualifies (the only person on the other side of curing children’s cancer is allegedly Larry Ellison); virtually every other issue is going to upset an awful lot of people. And that’s for 1000 times less money than Amazon is giving initially! It’s harder than it looks, and it takes time to be diligent about donations. We’ll see what unfolds in the weeks to come.

The fine folks at Honeycomb put the new Graviton2 ARM processor based instances through their paces and share the results with the rest of us.

Given how many folks are trying to rapidly learn how the cloud works in this time of uncertainty, I drafted some thoughts about how I’d reimagine the AWS free tier. Right now it’s a clumsy trap for the unwary, and reduces experimentation.

Someone forgot to account for S3 egress charges when designing NASA’s 247 petabyte data warehouse. I’m also a smidgen concerned that the audit report beats the crap out of NASA but never once mentions that requestor pays enabled on the S3 buckets in question drop the NASA data transfer costs to zero.

ThoughtWorks has a blog post about mitigating lock-in fears when using Serverless patterns.

In these troubled times, it’s nice to have some constancy to remind us that not everything is changing. For instance, financial companies can still leak 425GB of data to score themselves a S3 Bucket Negligence Award.


If you’ve got an interesting job for this newsletter’s eminently employable subscribers, get in touch!

No one likes managing EC2 instances, so you might like managing the team that replaces them with containers. That’s right, the Fargate team is hiring three Software Development Managers. People-focused servant-leaders are encouraged to apply. Help bring about an end to the Serverless vs. Containers war that doesn’t need to be fought in the first place. One last point: every team at AWS has internal principles that embody their culture, but this team publishes theirs on GitHub. I wonder how they’d take pull requests?

Choice Cuts

How many times have you configured and reconfigured your AWS alarms in CloudWatch? Wish you could get important alerts and anomaly detection without spending forever monitoring baselines, setting your thresholds, tweaking those thresholds over time, etc?

When you integrate Blue Matador with your AWS environment, you’ll get full monitoring coverage. If something goes wrong or is about to go wrong, it’ll tell you. No setup needed. If you’re tired of configuring and reconfiguring your CloudWatch alarms every time you scale, try Blue Matador free for 14 days. They’re so confident you’ll love it that they’re giving you $100 to try it. Sponsored

Amazon CloudWatch now provides more metric data, faster, with GetMetricData quota increase – This exciting quota increase now means that your misconfigured monitoring system can cost you as much as $13K per month in CloudWatch charges alone before you need to request a limit increase. That’s real math, incidentally–not snark. It used to be a fifth of that.

Amazon EC2 Hibernation now Lets you Pause and Resume Your Workloads on T2 Instance Types – It always takes me aback to see older generations gaining features. It further takes me aback to realize that the T3s aren’t covered under the free tier yet.

Amazon ECS supports in Preview updating Placement Strategy and Constraints for existing ECS Services – This is important not as much for architectural and durability reasons as it is for cost reasons. Namely, this helps avoid the 2¢ per GB usurious data transfer charge between AZs.

Amazon GuardDuty Price Reduction – Not only is GuardDuty less money, but I also misunderstood last week’s feature enhancement. It’s not breaking your CSVs after all, but rather expanding its API with additional functionality. The management regrets the error.

Amazon Managed Cassandra Service now helps you manage access to your keyspaces and tables by using AWS IAM roles and federated identities – The straightforward simplicity you know and love from IAM now comes to their managed Cassandra service. This should be smooth sailing for everyone!

Amazon QuickSight launches image support on dashboards and more – And in typical AWS fashion, this post about making a visual dashboard more visually appealing contains no images.

Amazon VPC Flow Logs Now Support Resource Tagging and Tag-on-Create – …but still don’t support anything resembling a human readable output format, preferring instead to drive business to two notable AWS Emerald Tier Partners, ‘awk’ and ‘grep’.

AWS App Mesh launches support for end to end encryption – Remember, “Encrypt Everything, Unless It’s Hard.” The fact that services like this ship without encryption supported is a problem.

AWS Site-to-Site VPN now supports certificate authentication for connections to AWS Transit Gateway – There’s no direct cost to this if you’re already using a private CA, but there’s definitely an emotional one, as AWS will almost certainly email you incessantly about any pending certificate expirations happening over the next decade.

Introducing Customizations for AWS Control Tower solution – Only someone deranged would possibly want to set up a bunch of custom defaults that every new AWS account within their organization inherits automatically, but AWS is nothing if not Customer Obsessed, so that deranged loon now has a feature that works just for them.

Reduce ML inference costs on PyTorch with Amazon Elastic Inference – Or reduce it far further by realizing that ML lacks a business model in almost every case and mothballing the entire fruitless endeavor.

You now can update your Amazon DynamoDB global tables from version 2017.11.29 to the latest version with a few clicks in the DynamoDB Console – Why wouldn’t they just do it for us? Because, of course, they’ve buried the lede. There are a bunch of breaking changes that will cause your application to explode if you’re not aware of them. Read twice, THEN apply the change.

AWS Online Tech Talks for March 2020 | AWS News Blog – Trapped at home and going slowly mad? AWS has some online tech talks wherein they ask you to suspend your disbelief and pretend that using AWS services and only AWS services is how the real world works. Come watch and applaud their fan fiction…

Now Available: Amazon ElastiCache Global Datastore for Redis | AWS News Blog – This will be very handy for some folks. For others it’s going to cause screaming outages once the primary node flips to being the secondary and rejects all writes.

Working From Home? Here’s How AWS Can Help | AWS News Blog – Jeff Barr attempts to walk the razor’s edge. On one hand, an awful lot of AWS services are very helpful to a suddenly-remote workforce who’s grappling with remote services and a sudden crushing scale. On the other, it’s easy to be accused of attempting to profit from a pandemic. There’s no right answer; for what it’s worth I really liked this post.

Improving Transparency of AWS Elastic Beanstalk – What the hell good is a beanstalk I can see through!? Oh, wait–this is about the Elastic Beanstalk service, that thing that everyone forgets is there / wishes weren’t.

Duplicating infrastructure on AWS | AWS Management & Governance Blog – empty

How to execute Chef recipes using AWS Systems Manager | AWS Management & Governance Blog – In 2020, Configuration Management isn’t the way forward; ergo “executing Chef recipes” should translate to killing them.

15 additional AWS services authorized at DoD Impact Level 6 for the AWS Secret Region | AWS Security Blog – I will never understand the logic behind building something you call “The Secret Region” and then writing blog posts about it.

Top 10 security items to improve in your AWS account | AWS Security Blog – Talk about going the wrong direction! The right move is to reduce the security of your AWS account. Then you can plausibly use it however you want, run up a large bill, then sobbingly blame “the hackers” for the fact that you now have to pay a bill that’s roughly the GDP of Bolivia.


Running a business is hard. Your cloud doesn’t have to be. DigitalOcean is the cloud that offers transparent, predictable pricing – even for Kubernetes clusters, which you’d have thought was impossible! You also won’t need 12 weeks of cloud school to absorb a zillion ancillary services just to be able to SSH into an instance. Is this the kind of simplicity you need out of your cloud provider? Check out DigitalOcean today. Sponsored

I don’t think I’ve ever linked to Docker Hub (or frankly, used it in anger) before, so caveat emptor. This random sketchy container backs up your PostgreSQL databases to S3. Good luck!

… and that’s what happened Last Week in AWS.

Newsletter Footer

Sign up for Last Week in AWS

Stay up to date on the latest AWS news, opinions, and tools, all lovingly sprinkled with a bit of snark.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Sponsor Icon Footer

Sponsor a Newsletter Issue

Reach over 30,000 discerning engineers, managers, and enthusiasts who actually care about the state of Amazon’s cloud ecosystems.