I'm back home from #AWS #reInvent which means it's time to go through my top 10 favourite / most impactful announcements, in order. Let's begin!
#10. Amazon Inspector now supports scanning the packages of deployed Lambda functions for Java, Node and Python. Previously, scanning tools would have to be embedded into CI/CD, or forced via ECR Lambda deploys. A great addition to close the gap.
#9. AWS Verified Access is an identity-aware (ZTNA) HTTP/HTTPS proxy, which allows connections to an NLB, ALB or ENI within your VPC without a VPN or similar. Verified Access supports IAM Identity Center or OIDC for user-based, and Jamf or CrowdStrike for device-based access.
#8. Both Organizations and AWS Backup now support delegated administrative accounts. This is an enormous step towards the goal of making the management account a "no touch" zone. I'm hoping we'll see stronger controls to restrict use of the management account soon.
#7. KMS now supports using external key stores for the keying material of CMKs. Though pitched as a regulatory/compliance feature, I can see use cases to help complex centralization of keying material. Official blog does warn against the risks of this though.
#6. We now have a number of solutions for getting data from S3, RDS, Kinesis and MSK through to Redshift without needing to roll your own pipelines, usually with near realtime consistency. This is a great reduction in operational overheads that data engineers used to endure.
#5. EventBridge Pipes allows for data pipelines between AWS services such as DDB, SQS, Kinesis, MSK etc. to destinations such as Lambda, Kinesis, and other 3rd parties - including field-level mapping/filter/enrichment support, suspiciously similar to the way AppFlow works.
#4. Amazon Verified Permissions is an upcoming authorization engine for your own applications. It uses a new syntax called Cedar for rule logic and is designed to replace your own custom authz code, for example in API Gateway Lambda Authorizers. I'm excited to see this one.
#3. Step Functions have added the Distributed Map step type which supports up to 10k concurrent child executions of a subflow and also comes with an S3 ListObjects iterator out of the box. This makes SFN far more powerful for new workload types, such as ETL.
#2. Everyone's talking about it... Lambda SnapStart. SnapStart is an opt-in feature which snapshots a function's memory post-invocation and uses that snapshot for future invocations to reduce cold start time, initially available for Java. Be careful of the nuances for this one!
#1. VPC Lattice. This thing is amazing 😍 Imagine exposing your HTTP(S)/gRPC services like PrivateLink, but instead of an ENI it's a link-local address right in your compute - just like how the metadata service works. Features include IAM auth, cross-account, advanced routing.
If you've ever attempted to use the old console for CSS customization, you'll notice that you can only enter details for the CSS classes that Cognito specifically allows you to change. 2/
In the new console, you can upload your CSS file directly. If you do this with the non-customizable classes (e.g. body{}) on a fresh user pool however, you'll get this error:
The flow opens with a useless prompt which causes more clicks than necessary. 2/
The CAPTCHA challenge itself randomly selects 1 of the 2 types of visual challenges: click the end of the path, or slide the puzzle to form the required shape. There is also a spoken audio alternative, which feels less noisy than the others, so probably more vulnerable. 3/
S3 bucket squatting/sniping is alive and well. AWS Security reached out to me recently to politely ask to transfer some S3 buckets that the NICE DCV team requested, which I happily obliged. Here's a post for those unfamiliar with the issue onecloudplease.com/blog/s3-bucket…. 1/
The buckets in question were dcv-license.af-south-1 and 3 others in the same format, for active regions. Per the docs (docs.aws.amazon.com/dcv/latest/adm…), this is actually how they license the software for EC2-based deployments. 2/
The buckets contain a single object with the key "license.txt" and the text contents "hello check". Interestingly, this is actually the only time I've seen where the S3 ACL "Authenticated users group" would be of practical use and I believe this is what the team implements. 3/
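The "Authenticated users group" grant mentioned above means any AWS account, not just yours, so it is worth auditing for. The following is an added example (not code from the thread or from AWS): it walks an ACL in the shape boto3's get_bucket_acl()/get_object_acl() return, using a constructed sample, and flags grants to the global AuthenticatedUsers and AllUsers groups with a severity based on the permission granted.

```python
"""Audit S3 ACL grants to the global AuthenticatedUsers / AllUsers groups.
Added example; the ACL below is a constructed sample, not a real bucket."""

AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
GROUP_NAMES = {AUTHENTICATED_USERS: "AuthenticatedUsers", ALL_USERS: "AllUsers"}

# Permissions that let the grantee modify data or the ACL itself are always
# high severity; plain READ to a group is medium (intended in the licensing
# pattern described in the thread, but still worth a human look).
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def severity(permission: str) -> str:
    if permission in WRITE_LIKE:
        return "high"
    if permission in {"READ", "READ_ACP"}:
        return "medium"
    return "low"


def find_group_grants(acl: dict) -> list[dict]:
    """Return one finding per grant made to a global group.

    Each finding records the group name, the permission and a severity so a
    caller can decide whether the grant matches an intended pattern."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in GROUP_NAMES:
            continue
        perm = grant.get("Permission", "")
        findings.append({"group": GROUP_NAMES[uri], "permission": perm,
                         "severity": severity(perm)})
    return findings


# Constructed sample: owner keeps full control, any signed-in AWS identity can
# read the object, and (a mistake worth catching) can also rewrite its ACL.
SAMPLE_OBJECT_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    for finding in find_group_grants(SAMPLE_OBJECT_ACL):
        print(finding)
```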
AWS Systems Manager Incident Manager *inhales* is one of the worst launches I've seen in quite some time. I think @pagerduty can breathe a sigh of relief.
Here's my initial experience with the service, so you can judge for yourself. 1/
We're first thrown into a wizard where we're asked to accept some charges and assign a key to the service. The service immediately contradicts itself by saying "the selection is permanent" / "you will not be able to change it" then goes on to say "to change the KMS key...". 2/
We then create our first contact. Despite what the first field tells you, spaces are allowed here. In fact, both the hint and error text are wrong. 3/