Welcome to this week’s issue of Last Week in AWS. I’m your humble editor, Mike Julian, filling in for Corey while he’s off competing in for gold in the world’s saddest kazoo competition.
From the Community
An AWS IAM Security Tooling Reference [2024] – Third-party IAM tools to solve painful IAM issues. Excellent read and I learned about some I didn’t know about. HN comments are also a good read.
Industrial IAM Service Role Creation – I think this is all starting to underscore that while IAM is awesome, it’s perhaps a little overly-complex and we might need better native tooling.
Exposing Security Observability Gaps in AWS Native Security Tooling – This ia really great read on the existing deficiencies in IAM Access Analyzer and how to fix them. I hope the team that owns this reads this article!
Podcasts
Screaming in the Cloud: Battling Back Against Data Breaches with Maya Levine
Screaming in the Cloud: The Power of Networking in the Cloud with Tom Scholl
Choice Cuts
Amazon Braket adds support for Rigetti’s 84-Qubit Ankaa™-2 system, our largest gate-based superconducting device – The thing that’s inteesting here is the highly-constrained regional availability of Braket. Braket is only in five regions: us-east-1, us-west-1, us-west-2, eu-north-1, eu-west-2. That even extends to the QPUs and Simulators, with this Rigetti announcement being available in N. California (and only that!) and some other QPUs and Simulators only being available in specific regions. I wonder what’s driving the constraints?
Announcing general availability of Amazon EC2 G6e instances – I know a bunch of you do a lot of with GPU instances, so you’ll like this: "G6e instances deliver up to 2.5x better performance compared to G5 instances and up to 20% lower inference costs than P4d instances."
Sadly, only available in N. Virginia, Ohio, and Oregon regions for now.
Amazon EC2 status checks now support reachability health of attached EBS volumes – That you couldn’t do this before always bugged me, so really glad to see this change.
Amazon EMR support prioritized and capacity-optimized-prioritized allocation strategies for EC2 instances – Hell yeah. Opens the door to a lot of EMR cost optimization opportunities.
Amazon OpenSearch Service now supports Graviton3 (C7g, M7g, R7g, R7gd) instances – OpenSearch is one of those services that can safely be switched over to 100% Graviton for easy cost savings, and now we’ve got Graviton3 support for it.
AWS announces Amazon-provided contiguous IPv4 blocks – I’m not sure what the point of this really is. The announcement says, "Customers want to use Amazon-provided contiguous IPv4 blocks in their networking and security constructs like access control lists, route tables, security groups, and firewalls as opposed to using many individual discontiguous public IPv4 addresses that can be cumbersome to manage."
That’s a problem that you’d encounter with a whole heapin’ lot of addresses, while the pricing page gives examples for, at the very largest, a /29 block (8 addesses $46/mo). I could see this being a real problem once you start trying to handle /26 and larger (64 IPs).
Amazon S3 now supports conditional writes – I like this a lot, particularly because there’s no additional charge for the conditionals. I can foresee some cost reduction and performance optimizations for some patterns here through reducing API requests.
Amazon S3 adds additional context to HTTP 403 Access Denied error messages – The amount of hassle this saves all of us could be immense.
Amazon S3 no longer charges for several HTTP error codes – This intention was announced informally on Twitter some time ago, and this is the formal announcement that the changes have been implemented. The full list of error codes that are no longer billed is right here.
AWS CodeBuild now supports Mac builds – We’ve all had that mac in the server closet we conveniently forgot to tell the auditors about. Now you can turn it off and move on to wondering if the auditors are just literally clowns.
AWS Identity and Access Management now supports AWS PrivateLink in all commercial Regions – This seems like it’s important, but I’ll be honest, I’m not quite sure how exactly. That’s probably more due to two of the hardest things in AWS, IAM and AWS networking, just generally make me feel very dumb. 😅
AWS Network Firewall introduces GeoIP Filtering to inspect traffic based on geographic location – This seems really neat. I know a lot of folk use third-party systems for this, so native functionality is, I’m sure, very welcome.
Announcing AWS Parallel Computing Service – It feels like it’s been a while since we’ve seen a service launch outside of re:Invent/pre:Invent. I didn’t expect one, and I certainly didn’t expect it to be something for HPC!
Now open — AWS Asia Pacific (Malaysia) Region – and then there were 34
AWS Lambda introduces recursive loop detection APIs – Seems pretty handy.
Announcing AWS KMS Elliptic Curve Diffie-Hellman (ECDH) support – KMS gets some new encryption.
Tools
wut.dev: AWS Resource Explorer – The start of what could be a pretty useful tool for exploring AWS resources. Nice work, Matt!
… and that’s what happened Last Week in AWS.
