Ian Mckay Profile picture
Dec 4, 2022 11 tweets 5 min read Read on X
I'm back home from #AWS #reInvent which means it's time to go through my top 10 favourite / most impactful announcements, in order. Let's begin!
#10. Amazon Inspector now supports scanning the packages of deployed Lambda functions for Java, Node and Python. Previously, scanning tools would have to be embedded into CI/CD, or forced via ECR Lambda deploys. A great addition to close the gap.
#9. AWS Verified Access is an identity-aware (ZTNA) HTTP/HTTPS proxy, which allows connections to an NLB, ALB or ENI within your VPC without a VPN or similar. Verified Access supports IAM Identity Center or OIDC for user-based, and Jamf or CrowdStrike for device-based access.
#8. Both Organizations and AWS Backup now support delegated administrative accounts. This is an enourmous step towards the goal of making the management account a "no touch" zone. I'm hoping we'll see stronger controls to restrict use of the management account soon.
#7. KMS now supports using external key stores for the keying material of CMKs. Though pitched as a regulatory/compliance feature, I can see use cases to help complex centralization of keying material. Official blog does warn against the risks of this though.
#6. We now have a number of solutions for getting data from S3, RDS, Kinesis and MSK through to Redshift without needing to roll your own pipelines, usually with near realtime consistency. This is a great reduction in operational overheads that data engineers used to endure.
#5. EventBridge Pipes allows for data pipelines between AWS services such as DDB, SQS, Kinesis, MSK etc. to destinations such as Lambda, Kinesis, and other 3rd parties - including field-level mapping/filter/enrichment support, suspiciously similar to the way AppFlow works.
#4. Amazon Verified Permissions is an upcoming authorization engine for your own applications. It uses a new syntax called Cedar for rule logic and is designed to replace your own custom authz code, for example in API Gateway Lambda Authorizers. I'm excited to see this one.
#3. Step Functions have added the Distributed Map step type which supports up to 10k concurrent child executions of a subflow and also comes with an S3 ListObjects iterator out of the box. This makes SFN far more powerful for new workload types, such as ETL.
#2. Everyone's talking about it...Lambda SnapStart. SnapStart is an opt-in feature which snapshots a functions memory post-invocation and uses that snapshot for future invocations to reduce cold start time, initially available for Java. Be careful of the nuances for this one!
#1. VPC Lattice. This thing is amazing 😍 Imagine exposing your HTTP(S)/gRPC services like PrivateLink, but instead of an ENI it's a link-local address right in your compute - just like how the metadata service works. Features include IAM auth, cross-account, advanced routing.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Ian Mckay

Ian Mckay Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @iann0036

Dec 5
We're coming towards the end of #AWSreinvent 2024 and we've seen an impressive set of releases, so here is my top 10 announcements I find most impactful for this years #AWS re:Invent. Image
#10: S3 buckets now support a queryable metadata (Iceberg tables) functionality, allowing for a live queryable view of the creations, updates and deletions of objects using tools like Athena. Check pricing before usage, as the cost increase is non-trivial. aws.amazon.com/blogs/aws/intr…
#9: Perhaps long overdue, VPC Origins is a new feature for CloudFront which allows you to keep your resources within private subnets by dropping an ENI in your subnet that it will use to access origins at no extra cost. aws.amazon.com/about-aws/what…Image
Read 11 tweets
Jan 18, 2022
Have you ever used Cognito's Hosted UI and found it very limiting in its customization options? (drop shadows and plain backgrounds🤢)

Well today I've figured out a way to fully customize the CSS, so you can make beautiful looking pages like this: 😍

…auth.ap-southeast-2.amazoncognito.com/login?client_i…

1/
If you've ever attempted to use the old console for CSS customization, you'll notice that you can only enter details for the CSS classes that Cognito specifically allows you to change.

2/
In the new console, you can upload your CSS file directly. If you do this with the non-customizeable classes (e.g. body{}) on a fresh user pool however, you'll get this error:

3/
Read 7 tweets
Nov 9, 2021
Soo, AWS have added probably the worst CAPTCHA flow ever as a feature of AWS WAF (docs.aws.amazon.com/waf/latest/dev…). 1/
The flow opens with a useless prompt which causes more clicks than necessary 2/
The CAPTCHA challenge itself randomly selects 1 of the 2 types of visual challenges, click the end of the path or slide the puzzle to form the required shape. There is also a spoken audio alternative, which feels less noisy than the others, so probably more vulnerable. 3/
Read 12 tweets
Jul 21, 2021
S3 bucket squatting/sniping is alive and well. AWS Security reached out to me recently to politely ask to transfer some S3 buckets that the NICE DCV team requested, which I happily obliged. Here's a post for those unfamiliar with the issue onecloudplease.com/blog/s3-bucket…. 1/
The buckets in question were dcv-license.af-south-1 and 3 others in the same format, for active regions. Per the docs (docs.aws.amazon.com/dcv/latest/adm…), this is actually how they license the software for EC2-based deployments. 2/
The buckets contain a single object with the key "license.txt" and the text contents "hello check". Interestingly, this is actually the only time I've seen where the S3 ACL "Authenticated users group" would be of practical use and I believe this is what the team implements. 3/
Read 7 tweets
May 11, 2021
AWS Systems Manager Incident Manager *inhales* is one of the worst launches I've seen in quite some time. I think @pagerduty can breathe a sigh of relief.

Here's my initial experience with the service, so you can judge for yourself. 1/
We're first thrown into a wizard where we're asked to accept some charges and assign a key to the service. The service immediately contradicts itself by saying "the selection is permanent" / "you will not be able to change it" then goes on to say "to change the KMS key...". 2/
We then create our first contact. Despite what the first field tells you, spaces are allowed here. In fact, both the hint and error text are wrong. 3/
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(