Good Morning!
Another week is upon us, and AWS has done some interesting things with it. Some great! Some terrible! Some expensive, so you should chat with me here at The Duckbill Group about fixing your AWS bill.
From the Community
I wanted to go into depth on this last week, but there was a production snafu on my end: 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur. It turns out that if you snap up critical but retired S3 buckets, things that still point at them will blindly trust you. This is uh… terrifying.
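The mitigation for the bucket-takeover problem described above is boring: find every S3 bucket name your code and configs still reference, and confirm each one exists and belongs to an account you control. The following is an added example (mine, not code from the linked article or from this newsletter) that pulls bucket names out of arbitrary text in the three common spellings (s3:// URIs, virtual-hosted-style and path-style HTTPS URLs) and, optionally, asks S3 whether the bucket is yours via HeadBucket with `ExpectedBucketOwner`. The sample config, bucket names and account ID are constructed; the boto3 call is real but is only reached when you run the audit against a live account.

```python
"""Find S3 bucket names referenced in code/config and check who owns them.

Added example, not code from the article or the newsletter. The regexes and
the sample text below are constructed for illustration.
"""
import re
from typing import Dict, Set

# Bucket-name character class per S3 naming rules (lowercase, 3-63 chars).
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"

_BUCKET_PATTERNS = [
    # s3://bucket/key
    re.compile(r"s3://" + _NAME),
    # https://bucket.s3.amazonaws.com/key  or  https://bucket.s3.us-east-1.amazonaws.com/key
    re.compile(r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    # https://s3.amazonaws.com/bucket/key  or  https://s3.us-east-1.amazonaws.com/bucket/key
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME),
]

# Constructed sample: an installer one-liner, a CLI call and a CloudFormation snippet.
SAMPLE_CONFIG = """\
# constructed sample input
curl -sSL https://s3.amazonaws.com/legacy-installer-bucket/setup.sh | sh
aws s3 cp s3://team-artifacts-prod/release.tar.gz .
TemplateURL: https://cfn-templates-2019.s3.us-east-1.amazonaws.com/stack.yaml
image: https://cfn-templates-2019.s3.amazonaws.com/logo.png
"""


def extract_bucket_references(text: str) -> Dict[str, Set[int]]:
    """Map each bucket name found in *text* to the 1-based line numbers it appears on."""
    found: Dict[str, Set[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in _BUCKET_PATTERNS:
            for match in pattern.finditer(line):
                found.setdefault(match.group(1), set()).add(lineno)
    return found


def verify_bucket_owner(bucket: str, expected_owner: str) -> str:
    """Classify a bucket as "owned", "not-ours" or "missing" using HeadBucket.

    S3 rejects HeadBucket with 403 when ExpectedBucketOwner (a 12-digit account
    ID) does not match the real owner, and with 404 when no bucket of that name
    exists at all. "missing" is the dangerous case: anyone can register the name.
    Requires boto3 and credentials (assumption), so the import is lazy and the
    offline test never calls this.
    """
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=expected_owner)
        return "owned"
    except ClientError as err:
        code = err.response.get("Error", {}).get("Code", "")
        if code in ("404", "NoSuchBucket"):
            return "missing"
        return "not-ours"


if __name__ == "__main__":
    # Offline run: just list what the sample references and where.
    for name, lines in sorted(extract_bucket_references(SAMPLE_CONFIG).items()):
        print(f"{name}: lines {sorted(lines)}")
    # Live run (uncomment, set your own account ID):
    # for name in extract_bucket_references(SAMPLE_CONFIG):
    #     print(name, verify_bucket_owner(name, "123456789012"))  # placeholder account ID
```

Point it at a repository (`cat $(git ls-files) | python audit.py` style) and treat every "missing" result as a finding: either reclaim the name yourself or remove the reference. Note that DNS resolution of `bucket.s3.amazonaws.com` tells you nothing useful here, since S3 answers for every syntactically valid name; `ExpectedBucketOwner` is the check that actually distinguishes your bucket from somebody else's.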
I was reminded of this 2014 ChefConf (back then Chef was huge, whereas today it’s irrelevant) talk by Nathen Harvey: DevOps: No Horse Sh**
Datadog announces whoAMI: A cloud image name confusion attack, which I’m certain they’re mispronouncing.
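The whoAMI write-up is about code that looks up an AMI by name pattern and takes the newest match without pinning the publisher; anyone can publish a public AMI whose name matches the pattern and has a newer creation date. The example below is added here (mine, not Datadog's or AWS's code) and shows the selection logic both ways over a constructed `DescribeImages` result: the untrusted look-alike wins when no owner constraint is applied, and loses when `Owners` is enforced. The image IDs, account IDs and dates are placeholders.

```python
"""AMI selection: name-pattern match with and without an owner constraint.

Added example, not code from the whoAMI article. All IDs and dates below are
constructed placeholders.
"""
import fnmatch
from datetime import datetime
from typing import Iterable, List, Optional

TRUSTED_OWNERS = {"111111111111"}  # placeholder: the vendor account(s) you actually trust

# Constructed result of ec2:DescribeImages filtered on Name only: two images
# from the trusted vendor plus a public look-alike from an unrelated account.
SAMPLE_IMAGES: List[dict] = [
    {"ImageId": "ami-0000000000000001", "OwnerId": "111111111111", "Public": True,
     "Name": "vendor/images/base-22.04-amd64-server-20240101",
     "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000002", "OwnerId": "111111111111", "Public": True,
     "Name": "vendor/images/base-22.04-amd64-server-20240601",
     "CreationDate": "2024-06-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000bad", "OwnerId": "999999999999", "Public": True,
     "Name": "vendor/images/base-22.04-amd64-server-20250210",
     "CreationDate": "2025-02-10T00:00:00.000Z"},
]


def _creation_time(image: dict) -> datetime:
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")


def latest_image(images: Iterable[dict], name_pattern: str,
                 owners: Optional[set] = None) -> Optional[dict]:
    """Return the newest image whose Name matches *name_pattern*.

    With owners=None this is the vulnerable "most recent match" lookup; with a
    set of account IDs only images published by those accounts are considered.
    """
    candidates = [
        img for img in images
        if fnmatch.fnmatchcase(img["Name"], name_pattern)
        and (owners is None or img["OwnerId"] in owners)
    ]
    if not candidates:
        return None
    return max(candidates, key=_creation_time)


def describe_images_safely(ec2, name_pattern: str, owners: set) -> Optional[dict]:
    """Live lookup with the owner constraint pushed into the API call itself.

    Owners is a required argument here on purpose, so the server-side filter
    never returns look-alikes in the first place. *ec2* is a boto3 EC2 client
    (assumption: boto3 and credentials are available when this is called).
    """
    resp = ec2.describe_images(
        Owners=sorted(owners),
        Filters=[{"Name": "name", "Values": [name_pattern]},
                 {"Name": "state", "Values": ["available"]}],
    )
    return latest_image(resp["Images"], name_pattern, owners)


if __name__ == "__main__":
    pattern = "vendor/images/base-22.04-amd64-server-*"
    print("unpinned :", latest_image(SAMPLE_IMAGES, pattern)["ImageId"])
    print("pinned   :", latest_image(SAMPLE_IMAGES, pattern, TRUSTED_OWNERS)["ImageId"])
```

The same rule applies to Terraform `data "aws_ami"` blocks (always set `owners`) and to anything else that resolves "the latest" image by name. EC2 also has an account-level Allowed AMIs setting that restricts which publishers' images can be launched at all, which is a useful backstop for code paths you have not found yet.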
Ooh, a DevOps Day Two HugOps fundraiser. All proceeds to benefit the Trevor Project. I’ve bought mine; what’re you waiting for?
I was on the GeekWire podcast last week to run my mouth about Amazon’s earnings call. I always love chatting with folks about these things…
Multi-session was great until AWS f***ed it up, says a Reddit post, and it brings me no pleasure to reluctantly agree. It needs to both display friendly names of accounts, as well as make sure its links are shareable.
Podcasts
Last Week In AWS: CloudFormation Salvation At Last
Choice Cuts
Amazon DynamoDB now supports auto-approval of quota adjustments – This turns the quota into less of "something you need to talk to AWS to pass through" and more of "a check to ensure you don’t inadvertently do something unsound." I like it!
Amazon Elastic Block Store (EBS) now adds full snapshot size information in Console and API – FINALLY! This is huge for those of us trying to figure out why that component of EC2-Other is so freaking high.
Amazon RDS for MySQL announces Extended Support minor 5.7.44-RDS.20250103 – Look forward to RDS prices skyrocketing soon in a prod environment near you.
Amazon Redshift Serverless announces reduction in IP Address Requirements to 3 per Subnet – Previously this thing required 27 IP addresses at a minimum, which is funny–that’s the same number of clowns that were in the car that showed up to the architecture review meeting to tell folks that this was anything other than an absurdity. There’s something deeply concerning about this service.
AWS Deadline Cloud now supports Adobe After Effects in Service-Managed Fleets – This was leaked a day early in, of all places, the AWS Service Terms. Yes, I watch that like a hawk. I’m pretty close to "being aware of an AWS product owner whispering a new feature in the dark" at this point.
AWS Network Load Balancer now supports removing availability zones – "Adding an AZ to an existing network load balancer" is no longer a one-way door.
AWS CloudTrail network activity events for VPC endpoints now generally available – 10¢ per 100K events delivered. Is that a good price? How many events will be delivered? Your guess is as good as mine.
Harness Amazon Bedrock Agents to Manage SAP Instances – Because if there’s one place where customers absolutely want an overconfident AI agent to f*ck around and find out, it’s the ERP system.
Timestamp writes for write hedging in Amazon DynamoDB – Implementing something like this would be a real feather in an engineer’s CAP theorem.
Updating AWS SDK defaults – AWS STS service endpoint and Retry Strategy – Two points here. 1. This is slated to go out July 31st, so mark your calendars now. That way you know what to look at when something that’s been behaving suddenly goes completely haywire. 2. Anyone wanna bet how many times the change will be delayed at the last minute?
Learning AWS best practices from Amazon Q in the Console – "Don’t use the AWS console" was basically a best practice from the Church of Infrastructure as Code for a while now, but it turns out they couldn’t shove AI into a CloudFormation template, so there you go.
Automating Cost Optimization Governance with AWS Config – The trouble here is that nobody actually does this. AWS Config comes along for the ride, with Control Tower or GuardDuty or Security Hub or whatnot–and it costs money every time a resource changes somehow. As a result, it’s an expensive proxy for how "cloudy" an environment is. If you have a bunch of instances sitting around like VMs that never scale up or down? Super low Config bill. If you have a highly dynamic environment that spins things up and down all the time? You have a vastly more cost-effective infrastructure, and Config wants a piece of the money you’re saving. Careful; it bites.
Amazon Q Developer in chat applications rename – Summary of changes – AWS Chatbot – AWS Chatbot is being renamed to "Amazon Q" because someone’s willing to throw Customer Obsession onto the pyre of their own promo packet. Sounds like Google, doesn’t it? You’re going to have a potentially workflow-breaking change inflicted upon you at a time of AWS’s choosing, so they can make something that’s easily understood ("oh, it’s a chatbot!") into something vast and confusing. They claim nothing is changing but the name "today," but I know the thin end of a wedge when I see it. This is a disappointment.
Tools
Ooh, this Terraform dingus alerts you when actions are taken in the AWS Console. I use something very similar to detect ClickOps in my environment. I’d suggest that you hook it up to AWS Chatbot, but since they’re renaming it to "Amazon Q Developer" the hell with that; it’s fine hitting Slack or MS Teams webhooks.
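The core of any ClickOps detector is a filter over CloudTrail: keep mutating API calls whose credentials came from a console session, drop read-only calls and sign-in events, and optionally ignore a break-glass principal. The following is an added example (mine, not the linked tool's code) that runs that logic over a few constructed CloudTrail records and builds the webhook payload; the ARNs, IDs and webhook URL are placeholders, and the only CloudTrail fields it relies on are `eventType`, `eventName`, `readOnly`, `sessionCredentialFromConsole` and `userIdentity.arn`.

```python
"""Flag console-originated mutating API calls in CloudTrail records.

Added example, not the tool's own code. Sample records are constructed and
trimmed to the fields the detector actually reads.
"""
import json
from typing import Dict, Iterable, List, Set

# Principals allowed to click in production (placeholder ARN for a break-glass role).
BREAK_GLASS: Set[str] = {"arn:aws:sts::123456789012:assumed-role/BreakGlass/oncall"}

# Constructed CloudTrail records: one ClickOps change, one console read,
# one CLI change (presumably IaC) and one sign-in event.
SAMPLE_RECORDS: List[dict] = [
    {"eventTime": "2025-02-10T14:03:11Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "readOnly": False,
     "sessionCredentialFromConsole": "true",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
    {"eventTime": "2025-02-10T14:03:12Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True,
     "sessionCredentialFromConsole": "true",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
    {"eventTime": "2025-02-10T14:05:40Z", "eventType": "AwsApiCall",
     "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
    {"eventTime": "2025-02-10T14:00:02Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]


def is_clickops(record: dict, allowlist: Set[str] = BREAK_GLASS) -> bool:
    """True when a record is a mutating API call made from a console session."""
    if record.get("eventType") != "AwsApiCall":
        return False                      # sign-ins, service events, insights
    if record.get("readOnly", False):
        return False                      # looking is fine; changing is not
    if record.get("sessionCredentialFromConsole") != "true":
        return False                      # CLI/SDK/IaC traffic
    arn = record.get("userIdentity", {}).get("arn", "")
    return arn not in allowlist


def scan(records: Iterable[dict]) -> List[Dict[str, str]]:
    """Reduce CloudTrail records to alert dicts for the ClickOps ones."""
    return [
        {"time": r["eventTime"], "who": r["userIdentity"]["arn"],
         "what": f'{r["eventSource"]}:{r["eventName"]}'}
        for r in records if is_clickops(r)
    ]


def slack_payload(alert: Dict[str, str]) -> dict:
    """Build a minimal Slack incoming-webhook body (a {"text": ...} object)."""
    return {"text": f'ClickOps: {alert["who"]} called {alert["what"]} at {alert["time"]}'}


def post_alert(alert: Dict[str, str], webhook_url: str) -> int:
    """POST the alert to a webhook; returns the HTTP status. Not called offline."""
    from urllib.request import Request, urlopen
    body = json.dumps(slack_payload(alert)).encode()
    req = Request(webhook_url, data=body, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(json.dumps(slack_payload(alert)))
        # post_alert(alert, "https://hooks.slack.com/services/PLACEHOLDER")
```

In practice this runs as a Lambda behind an EventBridge rule on CloudTrail events rather than over a file, but the decision logic is the same; the allowlist is the part worth arguing about with your team, since a detector everyone mutes is worse than none.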
… and that’s what happened Last Week in AWS.