Welcome to the twenty-first issue of Last Week in AWS.
Last Monday was a taste of what I’ve got in store for re:Invent, as AWS announced a flurry of new offerings at the NYC Summit. It’s going to be one heck of a firehose that I’m still debating the best way to handle. Daily emails for a week or one giant email the following week both sound terrible in different ways…
This week’s issue is sponsored by Marbot.
Are you part of a highly motivated DevOps team? Use marbot, a friendly chatbot, to forward all kinds of alerts from your AWS infrastructure to Slack. Alerts are escalated across your team automatically, allowing you to focus on your daily work. This lean incident management tool handles CloudWatch Alarm, CloudWatch Event, ElastiCache Notification, Auto Scaling Notification, Budget Notification, Elastic Beanstalk Notification, RDS Event as well as generic alerts via HTTPS or email. Start your 14-day free trial now!
Community Contributions
Metamarkets explores what going from solely AWS to AWS + GCP looked like for them. A thoughtful apples-to-apples comparison that shines light on how AWS concepts translate into Google terms.
A great demo of using Slackbots to help provide additional security controls. It’s a fun idea; looking forward to seeing more things like this.
A great deep dive into how to work around CloudFormation’s habit of not supporting new features for a while, by making clever use of custom resources and Lambda functions. Unfortunately, this is the sort of thing that you finish and release just in time for CloudFormation to wake up and support the exact thing you just spent a week implementing yourself.
I’m a sucker for a good “we saved a pile of money by moving to AWS / Lambda” story, but when I see Morningstar talk about saving 97% via that migration, I start to suspect that their datacenter was located on the International Space Station and made of solid gold to boot.
A walkthrough of using Bayesian analysis to boost the results of AWS’s Rekognition (facial analysis) tooling. My only gripe is that they didn’t title the article “Beyond Rekognition.”
IAM took an outage early last week, instead becoming IWAS for a time. Provisioning / deprovisioning didn’t work consistently for several hours, making Tuesday a really bad time to fire someone.
Choice Cuts From the AWS Blog
Introducing the new AWS Cost Explorer – Cost Explorer got a facelift last week. If you logged into it and wondered why everything wasn’t quite where it used to be, rest assured you’re not alone.
New – SES Dedicated IP Pools – AWS is finally spending some time on SES; compared to other options (such as Sparkpost), SES is plainly… not terrific. With some badly needed attention, SES could be poised to become a serious contender for a raft of email tasks, but it’s got a long way to go – I’d be hard pressed to ever run this newsletter from SES in its current state.
Amazon Virtual Private Cloud (VPC) now allows customers to recover accidentally released EIPs – Screaming in frustration / at AWS support when you inadvertently drop the wrong Elastic IP is now a thing of the past if you catch it before it gets reassigned. “Oops, bring that IP back” is now available to all users.
New – VPC Endpoints for DynamoDB – AWS continues the glacial rollout of VPC endpoints for various services, this time with DynamoDB. It sounds ridiculous, but this stuff is seriously important for regulated / compliance heavy workloads that won’t permit data to transit the open internet. I for one got very, very tired of drafting compensating controls to work around this shortcoming.
New – Encryption of Data at Rest for Amazon Elastic File System (EFS) – EFS data is now encrypted at rest. Sadly, it’s still NFS – and thus it’s not encrypted in flight. While NFSv4 does indeed support encryption in flight via Kerberos, EFS’s implementation explicitly does not support any Kerberos variants at this time.
AWS Migration Hub – Migration Hub gathers a bunch of different migration assistant services, and centralizes them in one place for easy viewing. This is a great starting point to answer the question “so… how’s that multi-million dollar AWS migration going, Chris?”
AWS Config Update – New Managed Rules to Secure S3 Buckets – Presumably in an effort to stop seeing misconfigured S3 buckets dragging the company and its clients through the mud in the headlines every few weeks, AWS Config now has managed rules that alarm on buckets that permit global reads or writes.
AWS CloudHSM Update – Cost Effective Hardware Key Management at Cloud Scale for Sensitive – CloudHSM has done away with its multi-thousand dollar upfront charge, and heavy management overhead. If you’re working in a regulated industry and concerned with key encryption logistics, you’ve arguably got precious little in your professional life to make you happy – but here’s a ray of sunshine just for you.
New – Amazon Web Services Extends CloudTrail to All AWS Customers – CloudTrail is now enabled by default, enabling you to play along at home with the always-entertaining “whodunnit” murder mystery outage scenarios.
Launch – AWS Glue Now Generally Available – Glue has become available to everyone in us-east-1; effectively what it does is look at the data you’ve got stored in AWS, and provide a suite of tools to not only transform / normalize your data into a variety of different formats, but to generate code that will do it for you as well. This is worth paying attention to.
Amazon Aurora under the hood: quorums and correlated failure – Amazon gives a peek under the hood of one of the least understood aspects of Aurora: how to properly pluralize “quorum.”
Launch – Hello Amazon Macie: Automatically Discover, Classify, and Secure Content at Scale – Once you strip away the buzzwords, Macie looks at your data in S3, identifies which parts of it are sensitive, and flags abnormal access to those parts of it. But that’s not a story that attracts VC money, so add the term “machine learning” to what I just said.
Tools
GitHub – awslabs/goformation at stackshare – Do you want to work with CloudFormation templates and Go? It’s 2017; what kind of self-respecting trend follower would you be if you didn’t? Goformation gets you closer to realizing that dream.
Automatically leverage Spot instances for your existing autoscaling groups. Autospotting is a great idea, and a fantastic implementation.
ecsq makes working with ECS from the command line a lot more palatable. If you find yourself struggling to remember various flags or commands, take a look.
If you have a bunch of AWS keys, and aren’t sure what instances or usernames each go to, why not brute force it with a horrifying bash script? I expect the next version of this to try all of the keys and all of the usernames on all of the instances at once through the magic of Lambda.
This isn’t a traditional AWS tool, but it’s highly relevant to many folks. If I gain access to your laptop and get a copy of your AWS API credentials, how much damage can I do to your company with them? That’s why this practical guide to securing macOS is well worth a read. Sorry, Windows users; I have nothing for you here.
Tip of the Week
A reddit post told the story last week about a company that turned on Macie, pointed it at some data – and saw their bill skyrocket to 12x its normal monthly amount in a day. I’ve never heard a case wherein AWS Support didn’t go above and beyond to credit the overage back to the account, but that kind of shock can’t be good for your constitution.
Thus, today’s tip is to turn on billing alarms at various price points that may sound silly. Right now, the AWS account I use to run Last Week in AWS costs roughly $8 a month. I have billing alarms set at $10, $20, and $100. None of those dollar figures will exactly break the bank here – but they’re great leading indicators that something strange is afoot. I’d rather get a few false alarms at the $10 mark than have to explain to support that yes, I am in fact a fool with respect to git, and did commit credentials that someone then used to spend $10,000 on bitcoin mining spot instances. Take ten minutes and set these alarms up today – Future You may be very glad you did.
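One way to set up the $10 / $20 / $100 alarms from the tip above with the AWS CLI. This is an added example, not a script from the newsletter or from AWS; it assumes the AWS CLI is installed and configured, that “Receive Billing Alerts” has already been enabled in the account’s billing preferences (the EstimatedCharges metric is not published until it is), and that an SNS topic to notify already exists. The topic ARN and account number shown are constructed placeholders.

```shell
#!/bin/sh
# Added example: create CloudWatch billing alarms at several thresholds.
# Assumptions: AWS CLI configured, billing alerts enabled in the account's
# billing preferences, and the SNS topic passed in already exists.
#
# Billing metrics (namespace AWS/Billing, metric EstimatedCharges) are only
# published in us-east-1, whatever region your resources live in, and are
# refreshed roughly every six hours; hence the fixed region and the
# 21600-second period below.

# Set AWS_CLI=echo to print the commands instead of running them (dry run).
AWS_CLI="${AWS_CLI:-aws}"

# billing_alarm THRESHOLD SNS_TOPIC_ARN
# Creates (or updates, since put-metric-alarm is idempotent by alarm name)
# one alarm that fires when the month-to-date estimated charge exceeds
# THRESHOLD US dollars.
billing_alarm() {
    threshold="$1"
    topic_arn="$2"
    "$AWS_CLI" cloudwatch put-metric-alarm \
        --region us-east-1 \
        --alarm-name "billing-over-${threshold}-usd" \
        --alarm-description "Estimated monthly charges exceed USD ${threshold}" \
        --namespace AWS/Billing \
        --metric-name EstimatedCharges \
        --dimensions Name=Currency,Value=USD \
        --statistic Maximum \
        --period 21600 \
        --evaluation-periods 1 \
        --threshold "$threshold" \
        --comparison-operator GreaterThanThreshold \
        --alarm-actions "$topic_arn"
}

# create_billing_alarms SNS_TOPIC_ARN THRESHOLD...
# One alarm per threshold, so a runaway bill trips the low alarm first and
# keeps tripping higher ones as it climbs.
create_billing_alarms() {
    topic_arn="$1"
    shift
    for t in "$@"; do
        billing_alarm "$t" "$topic_arn"
    done
}

# Usage (constructed placeholder ARN):
#   BILLING_TOPIC_ARN=arn:aws:sns:us-east-1:123456789012:billing-alerts sh billing-alarms.sh
# Nothing is created unless BILLING_TOPIC_ARN is set.
if [ -n "${BILLING_TOPIC_ARN:-}" ]; then
    create_billing_alarms "$BILLING_TOPIC_ARN" 10 20 100
fi
```

The `Maximum` statistic over a six-hour period matters: EstimatedCharges is a month-to-date running total, so averaging it would just delay the alarm. Run once with `AWS_CLI=echo` to review the commands before letting them touch the account.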
…and that’s what happened Last Week in AWS.