Last Week In AWS Podcast

S3 Files and an AI-Powered Singing Rat Trap

Corey Quinn — Mon, 13 Apr 2026 03:00:00 -0700

AWS Morning Brief for the week of April, 13th with Corey Quinn.

Links:

S3 Gets Vectors, CloudFront Gets SHA-256, You Get the Bill

Corey Quinn — Mon, 06 Apr 2026 03:00:00 -0700

AWS Morning Brief for the week of April 6th, with Corey Quinn.

Links:

Aurora PostgreSQL: Now Free Enough to Be Dangerous

Corey Quinn — Mon, 30 Mar 2026 03:30:00 -0700

AWS Morning Brief for the week of March 30th, with Corey Quinn.

Links:

S3 Turns 20 and SimpleDB Is Still Alive

Corey Quinn — Mon, 23 Mar 2026 03:00:00 -0700

AWS Morning Brief for the week of March 23rd, with Corey Quinn.

Links:

Beanstalk AI: The Resurrection Nobody Asked For

Corey Quinn — Mon, 16 Mar 2026 03:00:00 -0700

AWS Morning Brief for the week of March 16th, with Corey Quinn.

Links:

The AI Broke Production But Please Don't Tell Anyone

Corey Quinn — Mon, 02 Mar 2026 03:00:00 -0800

AWS Morning Brief for the week of March 2nd, with Corey Quinn.

Links:

Agents, Plugins, and AgentCore: AWS Has an AI Naming Problem

Corey Quinn — Mon, 23 Feb 2026 03:00:00 -0800

AWS Morning Brief for the week of February 23rd, with Corey Quinn.

Links:

Bedrock Throttling Guide: AWS Publishes Its Own Roast

Corey Quinn — Tue, 17 Feb 2026 03:12:16 -0800

AWS Morning Brief for the week of February 17th, with Corey Quinn.

Links:

Your Account Name Was There All Along (It Wasn't)

Corey Quinn — Mon, 09 Feb 2026 03:00:00 -0800

AWS Morning Brief for the week of February 9th, with Corey Quinn.

Links:

Bigger Pipes, Warmer Tables, Sadder IPs

Corey Quinn — Mon, 02 Feb 2026 03:00:00 -0800

AWS Morning Brief for the week of February 2nd, with Corey Quinn.

Links:

Access Denied, Now With a Good Reason

Corey Quinn — Mon, 26 Jan 2026 03:00:00 -0800

AWS Morning Brief for the week of January 26th, with Corey Quinn.

Links:

AWS-Esque - What AWS Has For Us This Time

Corey Quinn — Tue, 20 Jan 2026 03:00:00 -0800

AWS Morning Brief for the week of January 20th, with Corey Quinn.

Links:

tmpfs, Cost Cuts, and Other ECS Bedtime Stories

Corey Quinn — Mon, 12 Jan 2026 03:00:00 -0800

AWS Morning Brief for the week of January 12th, with Corey Quinn.

Impromptu Security Week

Corey Quinn — Mon, 22 Dec 2025 03:00:00 -0800

AWS Morning Brief for the week of December 22, 2025, with Corey Quinn.

Links:

The Full Court EU Sales Press

Corey Quinn — Mon, 15 Dec 2025 03:00:00 -0800

AWS Morning Brief for the week of December 15th, with Corey Quinn.

Links:

Corey Quinn Crashes Out

Corey Quinn — Mon, 08 Dec 2025 03:00:00 -0800

AWS Morning Brief for the week of December 8th, with Corey Quinn.

Links:

Welcome to re:Invent, Where the Roadmap Is Made Up and the Quotas Don't Matter

Corey Quinn — Mon, 01 Dec 2025 03:00:00 -0800

AWS Morning Brief for the week of December 1st, with Corey Quinn.

Links:

From Blackwell Ultra to "aws login": Chaos Reigns at Every Layer

Corey Quinn — Mon, 24 Nov 2025 03:00:00 -0800

AWS Morning Brief for the week of November 24th, with Corey Quinn.

Links:

pre:Invent Drumbeat

Corey Quinn — Mon, 17 Nov 2025 03:00:00 -0800

AWS Morning Brief for the week of November 17th, with Corey Quinn.

Links:

Monetize the Fire, Sell the Extinguisher

Corey Quinn — Mon, 10 Nov 2025 03:00:00 -0800

AWS Morning Brief for the week of November 10th, with Corey Quinn.

Links:

APIs to Tell You What You Already Paid For

Corey Quinn — Mon, 03 Nov 2025 03:00:00 -0800

AWS Morning Brief for the week of November 3rd, with Corey Quinn.

Links:

DynamoDB Rises Like Expensive Phoenix

Corey Quinn — Mon, 27 Oct 2025 06:00:00 -0700

AWS Morning Brief for the week of October 27th, with Corey Quinn.

Links:

Catching Up, Cashing In

Corey Quinn — Mon, 20 Oct 2025 03:00:00 -0700

AWS Morning Brief for the week of October 20th, with Corey Quinn.

Links:

Introducing Amazon QuickSlap

Corey Quinn — Mon, 13 Oct 2025 03:00:00 -0700

AWS Morning Brief for the week of October 13th, 2025, with Corey Quinn.

Links:

Your Weekly Broadcast from Where the Cloud Arrives by Dirigible

Corey Quinn — Mon, 06 Oct 2025 03:00:00 -0700

AWS Morning Brief for the week of October 6th, 2025, with Corey Quinn.

Links:

Gartner Phones It In

Corey Quinn — Mon, 29 Sep 2025 06:30:00 -0700

AWS Morning Brief for the week of September 29th, 2025, with Corey Quinn.

Links:

EKS on Raspberry Pi, But Please Don't Check the Pricing Page

Corey Quinn — Mon, 22 Sep 2025 03:00:00 -0700

AWS Morning Brief for the week of September 22nd, 2025, with Corey Quinn.

Links:

AWS Proudly Promotes Its Superior Competitors

Corey Quinn — Mon, 15 Sep 2025 03:00:00 -0700

AWS Morning Brief for the week of September 15th, 2025, with Corey Quinn.

Links:

Elemenental Innovation Isn't, Resource Explorer Doesn't

Corey Quinn — Mon, 08 Sep 2025 06:00:00 -0700

AWS Morning Brief for the week of September 8th, with Corey Quinn.

Links:

Amazon Q Rules Except It Doesn't At All

Corey Quinn — Tue, 02 Sep 2025 21:33:15 -0700

AWS Morning Brief for the week of September 2nd, 2025, with Corey Quinn.

Links:

Aurora Spends 10 Years Perfecting the Art of "What the Hell?"

Corey Quinn — Mon, 25 Aug 2025 06:00:00 -0700

AWS Morning Brief for the week of August 25th, 2025, with Corey Quinn.

Links:

DocumentDB 3.6: Now Even Less Worth Using

Corey Quinn — Mon, 18 Aug 2025 06:00:00 -0700

AWS Morning Brief for the week of August 18th, 2025, with Corey Quinn.

Links:

The Most Expensive Toggle In The World

Corey Quinn — Mon, 11 Aug 2025 03:00:00 -0700

AWS Morning Brief for the week of August 11th, 2025, with Corey Quinn.

Links:

EC2 Fractional GPUs Can't, Lambda Still Whines

Corey Quinn — Mon, 04 Aug 2025 04:19:02 -0700

AWS Morning Brief for the week of August 4th, 2025, with Corey Quinn.

In the Bleak Theater of the Cloud: A Werner Herzog-Style Dispatch

Corey Quinn — Mon, 28 Jul 2025 00:00:00 -0700

AWS Morning Brief for the week of July 28th, 2025, with Corey Quinn.

Links:

A Fantastic Service Gets Better, Somehow

Corey Quinn — Mon, 21 Jul 2025 03:00:00 -0700

AWS Morning Brief for the week of July 21st, 2025, with Corey Quinn.

Links:

Sovereign Cloud, Now With Slightly More Pretend Sovereignty

Corey Quinn — Mon, 14 Jul 2025 00:00:00 -0700

AWS Morning Brief for the week of July 14th, 2025, with Corey Quinn.

Links:

I'll Bring the Snark, AWS Brings the Chaos, You Bring Yourself to the Bar

Corey Quinn — Mon, 07 Jul 2025 03:00:00 -0700

AWS Morning Brief for the week of Monday, July 7th, with Corey Quinn.

Links:

The Hubris of Security Hub

Corey Quinn — Mon, 30 Jun 2025 03:00:00 -0700

AWS Morning Brief for the week of Monday, June 30th, with Corey Quinn.

Links:

One UI Gets Fixed, Another Falls

Corey Quinn — Mon, 23 Jun 2025 03:00:00 -0700

AWS Morning Brief for the week of June 23rd, 2025, with Corey Quinn.

Links:

AWS What's New Got Old

Corey Quinn — Mon, 16 Jun 2025 03:00:00 -0700

AWS Morning Brief for the week of June 16, 2025, with Corey Quinn.

Links:

AWS's Snaky Region

Corey Quinn — Mon, 09 Jun 2025 03:00:00 -0700

AWS Morning Brief for the week of June 9th, 2025, with Corey Quinn.

Links:

Priceless Aurora DSQL

Corey Quinn — Mon, 02 Jun 2025 03:00:00 -0700

AWS Morning Brief for the week of June 2nd, with Corey Quinn.

Links:

Sponsor

The Duckbill Group: https://www.duckbillgroup.com/

Join us for Office Hours!

https://www.duckbillgroup.com/officehours/

Putting My Wife On a PIP

Corey Quinn — Tue, 27 May 2025 03:00:00 -0700

AWS Morning Brief for the week of Tuesday, May 27th with Corey Quinn.

Links:

Transform Away, as AWS Reverses Course

Corey Quinn — Mon, 19 May 2025 03:00:00 -0700

AWS Morning Brief for the week of May 19th, with Corey Quinn.

Links:

Sponsor
The Duckbill Group: https://www.duckbillgroup.com/

Join us for Office Hours!
https://www.duckbillgroup.com/officehours/

Systems Manager Rip-Off Manager

Corey Quinn — Mon, 12 May 2025 03:00:00 -0700

AWS Morning Brief for the week of May 12th, with Corey Quinn.

Links:

Sponsor
The Duckbill Group: https://www.duckbillgroup.com/

Join us for Office Hours!
https://www.duckbillgroup.com/officehours/

How AWS Raises Prices

Corey Quinn — Mon, 05 May 2025 03:00:00 -0700

AWS Morning Brief for the week of May 5th, with Corey Quinn.

Links:

Sponsor

The Duckbill Group: https://www.duckbillgroup.com/

Join us for Office Hours!

https://www.duckbillgroup.com/officehours/

The Art of Amazon Q Developer

Corey Quinn — Mon, 28 Apr 2025 03:00:00 -0700

AWS Morning Brief for the week of April 28th, with Corey Quinn.

Links:

Mid-cycle Billing Changes are the Stuff of Finance Nightmares

Corey Quinn — Mon, 21 Apr 2025 03:00:00 -0700

AWS Morning Brief for the week of April 21st, with Corey Quinn.

Links:

Another New Capacity Dingus

Corey Quinn — Mon, 14 Apr 2025 03:00:00 -0700

AWS Morning Brief for the week of April 14th, with Corey Quinn.

Links:

Way of the Weasel, RDS and SageMaker Edition

Corey Quinn — Mon, 07 Apr 2025 03:00:00 -0700

AWS Morning Brief for the week of April 7th, with Corey Quinn.

Links:

Northern Virginia is in Virginia

Corey Quinn — Mon, 31 Mar 2025 03:00:00 -0700

AWS Morning Brief for the week of March 31st, with Corey Quinn.

Links:

Google Takes Wiz

Corey Quinn — Mon, 24 Mar 2025 03:00:00 -0700

AWS Morning Brief for the week of March 24th, with Corey Quinn.

Links:

NoDaddy

Corey Quinn — Mon, 17 Mar 2025 03:00:00 -0700

AWS Morning Brief for the week of March 17th, with Corey Quinn.

Links:

The Name's Doing a Heavy GameLift

Corey Quinn — Mon, 10 Mar 2025 03:00:00 -0700

AWS Morning Brief for the week of March 10th, 2025 with Corey Quinn.

Links:

AWS "Don't Mention TikTok" for Containers

Corey Quinn — Mon, 03 Mar 2025 03:00:00 -0800

AWS Morning Brief for the week of March 3, with Corey Quinn.

Links:

Mortgaging the new AWS Trust Center

Corey Quinn — Mon, 24 Feb 2025 03:00:00 -0800

AWS Morning Brief for the week of February 24, with Corey Quinn.

Links:

The AWS Chatbot Disappointment

Corey Quinn — Mon, 17 Feb 2025 03:00:00 -0800

AWS Morning Brief for the week of February 17, with Corey Quinn.

Links:

CloudFormation Salvation At Last

Corey Quinn — Mon, 10 Feb 2025 03:00:00 -0800

AWS Morning Brief for the week of February 10, with Corey Quinn.

Links:

What the Hell is a Zone Group?

Corey Quinn — Mon, 03 Feb 2025 03:00:00 -0800

AWS Morning Brief for the week of February 3, with Corey Quinn.

Links:

S3 Tables Regional Expansion, 7 Day Alarming, and a Singing Telegram

Corey Quinn — Mon, 27 Jan 2025 03:00:00 -0800

AWS Morning Brief for the week of January 27, with Corey Quinn.

Links:

2025's AWS Release of the Year

Corey Quinn — Tue, 21 Jan 2025 03:00:00 -0800

AWS Morning Brief for the week of January 21, with Corey Quinn.

Links:

Sponsor
The Duckbill Group: https://www.duckbillgroup.com/

And we're back!

Corey Quinn — Mon, 13 Jan 2025 03:00:00 -0800

AWS Morning Brief for the week of January 13, with Corey Quinn.

Links:

Sponsor
The Duckbill Group: https://www.duckbillgroup.com/

A Legend Moves On

Corey Quinn — Mon, 23 Dec 2024 03:00:00 -0800

AWS Morning Brief for the week of December 23, with Corey Quinn.

Links:

The re:Invent Stragglers

Corey Quinn — Mon, 16 Dec 2024 03:00:00 -0800

AWS Morning Brief for the week of December 16th, 2024, with Corey Quinn.

Links:

A Return to Greatness, or Degenerate Day 3?

Corey Quinn — Mon, 09 Dec 2024 03:00:00 -0800

AWS Morning Brief for the week of December 9, with Corey Quinn.

Links:

Sponsor

The Duckbill Group: https://www.duckbillgroup.com/

re:Invent Begins

Corey Quinn — Mon, 02 Dec 2024 03:00:00 -0800

AWS Morning Brief for the week of December 2, with Corey Quinn.

Links:

Sponsor

Wiz: wiz.io/lastweek

The pre:Invent Crush

Corey Quinn — Mon, 25 Nov 2024 03:00:00 -0800

AWS Morning Brief for the week of November 25, with Corey Quinn.

Links:

The Return of Old AWS

Corey Quinn — Mon, 18 Nov 2024 03:00:00 -0800

AWS Morning Brief for the week of November 18, with Corey Quinn.

Links:

Charity T-Shirt Season

Corey Quinn — Mon, 11 Nov 2024 03:00:00 -0800

AWS Morning Brief for the week of November 11, with Corey Quinn.

Links:

A Wheelbarrow Full of Nickels

Corey Quinn — Mon, 04 Nov 2024 03:00:00 -0800

AWS Morning Brief for the week of November 4, with Corey Quinn.

Links:

Steady Improvements

Corey Quinn — Mon, 28 Oct 2024 03:00:00 -0700

AWS Morning Brief for the week of October 28, with Corey Quinn.

Links:

A Bunch of Great Quality of Life Improvements

Corey Quinn — Mon, 21 Oct 2024 03:00:00 -0700

AWS Morning Brief for the week of October 21, with Corey Quinn.

Links:

Amazon Basics Former2, Powered By AI

Corey Quinn — Tue, 15 Oct 2024 03:00:00 -0700

AWS Morning Brief for the week of October 15, with Corey Quinn.

Links:

Attend My re:Invent Talk!

Corey Quinn — Mon, 07 Oct 2024 03:00:00 -0700

AWS Morning Brief for the week of October 7, with Corey Quinn.

Links:

The HPC Team Starts a War

Corey Quinn — Mon, 30 Sep 2024 03:00:00 -0700

AWS Morning Brief for the week of September 30, with Corey Quinn.

Links:

FTP is Eternal at Enterprises

Corey Quinn — Mon, 23 Sep 2024 03:00:00 -0700

AWS Morning Brief for the week of September 23, with Corey Quinn.

Links:

The Trouble With Coding Assistant Demos

Corey Quinn — Mon, 16 Sep 2024 03:00:00 -0700

AWS Morning Brief for the week of September 16, with Corey Quinn.

Links:

I’m back!

Corey Quinn — Mon, 09 Sep 2024 03:00:00 -0700

AWS Morning Brief for the week of September 9th, with Corey Quinn.

Links:

IAM, some more IAM, and yet more IAM

Corey Quinn — Tue, 03 Sep 2024 03:00:00 -0700

AWS Morning Brief for the week of September 3rd, with Mike Julian.

Links:

AWS Prime Day Cost ~$135 million

Corey Quinn — Mon, 19 Aug 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, August 19th with Mike Julian.

Links:

A sneaky-sneaky service “launch”

Corey Quinn — Mon, 12 Aug 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, August 12th with Mike Julian.

Links:

Matt Garman, The Reaper of Services

Corey Quinn — Mon, 05 Aug 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, August 5th with Mike Julian.

Links:

Amazon Basics Corey Quinn

Corey Quinn — Mon, 29 Jul 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, July 29th, with Mike Julian.

Links:

I'm Gone Like QLDB

Corey Quinn — Mon, 22 Jul 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, July 22nd, with Corey Quinn.

Links:

AWS's Degenerative AI Obsession

Corey Quinn — Mon, 15 Jul 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, July 15th, with Corey Quinn.

Links:

Glacial APIs

Corey Quinn — Mon, 08 Jul 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, July 8th, with Corey Quinn.

Links:

Amazon Kindle Fire Steven

Corey Quinn — Mon, 01 Jul 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, July 1st, with Corey Quinn.

Links:

RDS Hates Its Customers, Financially Speaking

Corey Quinn — Mon, 24 Jun 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, June 24th, 2024, with Corey Quinn.

Links:

AI Generated Quotes About GenAI

Corey Quinn — Mon, 17 Jun 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, June 17th, 2024, with Corey Quinn.

Links:

Grandpa AWS Talks About the "GitHub Cloud"

Corey Quinn — Mon, 10 Jun 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, June 10th, with Corey Quinn.

Links:

What I Want to Know About Matt Garman

Corey Quinn — Mon, 03 Jun 2024 03:00:00 -0700

AWS Morning Brief for the week of June 3rd, 2024, with Corey Quinn.

Links:

Lattice, IPv6, Db2; an unnecessary swipe at AWS Glue

Corey Quinn — Tue, 28 May 2024 03:00:00 -0700

AWS Morning Brief for the week of May 28th, 2024, with Corey Quinn.

Links:

AWS Upgrades its CEO

Corey Quinn — Mon, 20 May 2024 03:00:00 -0700

AWS Morning Brief for the week of Monday, May 20th, 2024, with Corey Quinn.

Links:

New Cognito Pricing Dimensions, More GenAI Boosterism

Corey Quinn — Mon, 13 May 2024 03:00:00 -0700

AWS Morning Brief for the week of May 13th, 2024, with Corey Quinn.

Links:

A Blast From the AWS Past

Corey Quinn — Mon, 06 May 2024 03:00:00 -0700

AWS Morning Brief for the week of May 6th, 2024, with Corey Quinn.

Links:

Workdocs, Abusive Non-Compete Agreements Both Get Googled

Corey Quinn — Mon, 29 Apr 2024 03:00:00 -0700

AWS Morning Brief for the week of April 29th, 2024, with Corey Quinn.

Links:

Open S3 Buckets No Longer a Concern?

Corey Quinn — Mon, 22 Apr 2024 03:00:00 -0700

AWS Morning Brief for the week of April 22, 2024, with Corey Quinn.

Links:

A Remarkably Quiet Week

Corey Quinn — Mon, 15 Apr 2024 03:00:00 -0700

AWS Morning Brief for the week of 04/15/24, with Corey Quinn.

Links:

Get Billed For a G6

Corey Quinn — Mon, 08 Apr 2024 03:00:00 -0700

AWS Morning Brief for the week of April 8, 2024, with Corey Quinn.

Links:

Redis Forks and Retroactive Cost Tagging

Corey Quinn — Mon, 01 Apr 2024 03:00:00 -0700

AWS Morning Brief for the week of April 1, 2024, with Corey Quinn.

Links:

Cancel Recent Savings Plan Purchases

Corey Quinn — Mon, 25 Mar 2024 03:00:00 -0700

AWS Morning Brief for the week of March 25, 2024, with Corey Quinn.

Links:

A Claude 3 Haiku

Corey Quinn — Mon, 18 Mar 2024 03:00:00 -0700

AWS Morning Brief for the week of March 18, 2024 with Corey Quinn.

Links:

GenAI Prattlings and Actually Useful Things

Corey Quinn — Mon, 11 Mar 2024 03:00:00 -0700

AWS Morning Brief for the week of March 11, 2024, with Corey Quinn.

Links:

Mexico Region and GenAI Open Season

Corey Quinn — Mon, 04 Mar 2024 03:00:00 -0800

AWS Morning Brief for the week of March 4, 2024 with Corey Quinn.

Links:

S3: Jetsons Era Technology, Flintstones Era Billing Transparency

Corey Quinn — Mon, 26 Feb 2024 03:00:00 -0800

AWS Morning Brief for the week of February 26, 2024 with Corey Quinn.

Links:

Managed OUs and An Intriguing IAM Hierarchical Model

Corey Quinn — Tue, 20 Feb 2024 03:00:00 -0800

AWS Morning Brief for the week of February 20, 2024, with Corey Quinn.

Links:

A Nuanced Logging Optimization Point

Corey Quinn — Mon, 12 Feb 2024 03:00:00 -0800

AWS Morning Brief for the week of February 12, 2024 with Corey Quinn.

Links:

A Slightly Better Free Tier

Corey Quinn — Mon, 05 Feb 2024 03:00:00 -0800

AWS Morning Brief for the week of February 5, 2024, with Corey Quinn.

Links:

Amazon EC2 added new price protection for attribute based instance selection
AWS announces a new Local Zone in Chicago, Illinois
AWS Free Tier now includes 750 hours of free Public IPv4 addresses, as charges for Public IPv4 begin
Optimize costs by automating AWS Compute Optimizer recommendations
A new and improved AWS CDK construct for Amazon DynamoDB tables
Announcing Generative AI CDK Constructs
AWS Marketplace now available in the AWS Secret Region
Building your machine learning skills from zero
- I dipped my toes in the Machine Learning® world a while back and found an impressively great tool for it: Google Colab.
RHEL Pricing – Amazon Web Services
Incorrect RI / SP Purchase Warnings

Armageddon! IPv6, and starting this week, blood

Corey Quinn — Mon, 29 Jan 2024 03:00:00 -0800

AWS Morning Brief for the week of January 29, 2024, with Corey Quinn.

Links:

A Welcome EKS Price Hike

Corey Quinn — Mon, 22 Jan 2024 03:00:00 -0800

AWS Morning Brief for the week of January 22, 2024 with Corey Quinn.

Links:

Deprecations and a long-awaited Fargate feature

Corey Quinn — Tue, 16 Jan 2024 03:00:00 -0800

AWS Morning Brief for the week of January 16, 2024 with Corey Quinn.

Links:

NewYear, New You, Here's December in Review

Corey Quinn — Mon, 08 Jan 2024 03:00:00 -0800

AWS Morning Brief for the week of January 8th, 2024 with Corey Quinn.

Links:

Replay: S3 as an Eternal Service

Corey Quinn — Wed, 27 Dec 2023 07:30:00 -0800

AWS Morning Brief Extras edition for the week of December 27, 2023.

This episode originally aired on March 29, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/s3-as-an-eternal-service/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Replay: Are AWS Account IDs Sensitive Information?

Corey Quinn — Wed, 13 Dec 2023 07:30:00 -0800

AWS Morning Brief Extras edition for the week of December 13, 2023.

This episode originally aired on February 16, 2022.

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/gYJgDymP_GU?si=s5lkpRjpGSkC58v_

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Too Many Birds, Too Many Lunatics

Corey Quinn — Mon, 11 Dec 2023 03:00:00 -0800

AWS Morning Brief for the week of December 11, 2023, with Corey Quinn.

Links:

re:Invent 2023 Release Review

Corey Quinn — Mon, 04 Dec 2023 07:00:00 -0800

AWS Morning Brief for the week of December 4th, 2023 with Corey Quinn.

Links:

Watch the video version of this episode here: https://youtu.be/Jm_eXNjdMl0
Check out the re:Quinnvent playlist on YouTube

Help the show

Share your feedback
Follow wherever you get your podcasts
Buy our merch

What's Corey up to?

re:Quinnvent Day 4

Corey Quinn — Thu, 30 Nov 2023 07:30:00 -0800

AWS Morning Brief for November 30th, 2023 with Corey Quinn.

Stay Up To Date with re:Quinnvent

Help the show

Share your feedback
Follow wherever you get your podcasts
Buy our merch

What's Corey up to?

re:Quinnvent Day 3

Corey Quinn — Wed, 29 Nov 2023 07:30:00 -0800

AWS Morning Brief for November 29th, 2023 with Corey Quinn.

Stay Up To Date with re:Quinnvent

Help the show

Share your feedback
Follow wherever you get your podcasts
Buy our merch

What's Corey up to?

re:Quinnvent Day 2

Corey Quinn — Tue, 28 Nov 2023 07:30:00 -0800

AWS Morning Brief for November 28th, 2023 with Corey Quinn.

Links:

Stay Up To Date with re:Quinnvent

Help the show

Share your feedback
Follow wherever you get your podcasts
Buy our merch

What's Corey up to?

re:Quinnvent Day 1

Corey Quinn — Mon, 27 Nov 2023 07:30:00 -0800

AWS Morning Brief for the week of November 27, 2023 with Corey Quinn.

Stay Up To Date with re:Quinnvent

Help the show

Share your feedback
Follow wherever you get your podcasts
Buy our merch

What's Corey up to?

AI Builds a re:Invent Scavenger Hunt

Corey Quinn — Wed, 22 Nov 2023 07:30:00 -0800

AWS Morning Brief Extras edition for the week of November 22, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/generative-ai-builds-a-reinvent-scavenger-hunt

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Somebody's Sorry for Party Rocking

Corey Quinn — Mon, 20 Nov 2023 03:00:00 -0800

AWS Morning Brief for the week of November 20, 2023 with Corey Quinn.

Links:

Jupyter Notebooks: My Unexpected Game-Changer in Security Incident Response

Corey Quinn — Thu, 16 Nov 2023 03:00:00 -0800

Last week in security news: Copilot and CodeWhisperer can in fact leak real secrets, an interesting teardown of a cloud cryptocurrency miner, the tool of the week, and more!

Links:

Copilot and CodeWhisperer can in fact leak real secrets.
An interesting teardown of a cloud cryptocurrency miner.
How to create an AMI hardening pipeline and automate updates to your ECS instance fleet
How to improve your security incident response processes with Jupyter notebooks
Tool of the week: If you've gotta use a WAF, aws-firewall-factory is a good pit stop for you.

pre:Inventing the Wheel

Corey Quinn — Mon, 13 Nov 2023 03:00:00 -0800

AWS Morning Brief for the week of November 13, 2023, with Corey Quinn.

Show Notes:

Links:

C-Suite Responsibility

Corey Quinn — Thu, 09 Nov 2023 03:00:00 -0800

Last week in security news: The SEC has sued Soalrwinds as well as their CISO, Tracking Malicious Operations of Exposed IAM Keys, Security considerations for running containers on Amazon ECS, and more!

Links:

The SEC has sued Soalrwinds as well as their CISO personally
CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys
Refine permissions for externally accessible roles using IAM Access Analyzer and IAM action last accessed
Security considerations for running containers on Amazon ECS
This article AWS put out on Approaches for migrating users to Amazon Cognito user pools is silly since it presupposes Cognito being used

How to Stop Feeding AWS’s AI with Your Data

Corey Quinn — Wed, 08 Nov 2023 07:30:00 -0800

AWS Morning Brief Extras edition for the week of November 8, 2023.

Links

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

High Cardinality Service Usage

Corey Quinn — Mon, 06 Nov 2023 03:00:00 -0800

AWS Morning Brief for the week of November 6, 2023, with Corey Quinn.

Links

Check Your Email Security Please

Corey Quinn — Thu, 02 Nov 2023 03:00:00 -0700

Last week in security news: Using AWS role session tags for GitHub Actions, A summary of the Okta hack is pretty damning, IAM Roles Anywhere with an external certificate authority, and more!

Links:

I like this writeup of using AWS role session tags for GitHub Actions but I hate that I have to use Cognito to pull it off.
This summary of the Okta hack is pretty damning.
AWS Digital Sovereignty Pledge: Announcing a new, independent sovereign cloud in Europe
IAM Roles Anywhere with an external certificate authority
The key line from this 2018 post remains true: access to the root email and phone number is equivalent, if not more powerful, than the root password and MFA!

AWS Jamming Generative AI Down Our Throats

Corey Quinn — Mon, 30 Oct 2023 03:00:00 -0700

AWS Morning Brief for the week of October 30, 2023 with Corey Quinn.

Links:

Message Vulnerability Researchers Well

Corey Quinn — Thu, 26 Oct 2023 03:00:00 -0700

Last week in security news: PR pushback from Microsoft, AWS Cloud Companion Guide for the CSA Cyber Trust Mark, and more!

Links:

The New Frontier of Cloud Economics: Why AWS Costs Are a Weighty Issue

Corey Quinn — Wed, 25 Oct 2023 03:00:00 -0700

AWS Morning Brief Extras edition for the week of October 25, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-new-frontier-of-cloud-economics-why-aws-costs-are-a-weighty-issue

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

The Pets-Not-Cattle Steer-ing Committee

Corey Quinn — Mon, 23 Oct 2023 03:00:00 -0700

AWS Morning Brief for the week of October 23, 2023, with Corey Quinn.

Links:

Delegate, Delegate, Delegate...

Corey Quinn — Thu, 19 Oct 2023 03:00:00 -0700

Last week in security news: Delegating permission set management and account assignment in AWS IAM Identity Center, How AWS protects customers from DDoS events, The Tip of the Week, and more!

Links:

Rhino Security has a two part post that talks about how they find Cognito misconfigurations
Delegating permission set management and account assignment in AWS IAM Identity Center
How AWS protects customers from DDoS events
Now available: Building a scalable vulnerability management program on AWS
Issue with Amazon WorkSpaces Windows Client Version 5.9 and 5.10
The Tip of the Week is to delegate as much as humanly possible to accounts that aren't the management account for the org. As more services gain the ability to delegate management to designated accounts, it gets easier to restrict access to it

Cloud Institute for the Criminally Underpaid

Corey Quinn — Mon, 16 Oct 2023 03:00:00 -0700

AWS Morning Brief for the week of October 16, 2023 with Corey Quinn.

Links:

Better Late Than Even Later

Corey Quinn — Thu, 12 Oct 2023 03:00:00 -0700

Last week in security news: AWS Firewall Manager supports referencing of Security Groups, Secure by Design: AWS to enhance MFA requirements in 2024, You Can't Control Your Data in the Cloud, and more!

Links:

You Can't Control Your Data in the Cloud
Chris Farris leaked 7 IAM keys in public (intentionally!
Chris Farris also writes Security Hub gives me imposter syndrome
Google is stuffing previously widely available security offerings into incredibly expensive paid-for tiers.
AWS Firewall Manager supports referencing of Security Groups
Secure by Design: AWS to enhance MFA requirements in 2024
Reported TorchServe Issue (CVE-2023-43654)
Tip of the week: patch the embargoed libcurl high-severity issue that was made public after this recording but before publishing.

The Cloud Devil You Know

Corey Quinn — Wed, 11 Oct 2023 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-cloud-devil-you-know/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

AWS Big Bag of Hammers

Corey Quinn — Tue, 10 Oct 2023 03:00:00 -0700

AWS Morning Brief for the week of October 10, 2023 with Corey Quinn.

Links:

Email Vendor Selection Influences Security

Corey Quinn — Thu, 05 Oct 2023 03:00:00 -0700

Last week in security news: When It Comes to Email Security, The Cloud You Pick Matters, Enable external pipeline deployments to AWS Cloud by using IAM Roles Anywhere, How AWS threat intelligence deters threat actors, and more!

Links:

Incrementally Making Massive Improvements

Corey Quinn — Mon, 02 Oct 2023 03:00:00 -0700

AWS Morning Brief for the week of October 2, 2023, with Corey Quinn.

Links:

Cheating on your CI Tests

Corey Quinn — Thu, 28 Sep 2023 03:00:00 -0700

Last week in security news: Accelerating development with AWS CDK plugin – CfnGuardValidator, This week's S3 Bucket Negligence Award is brought to you by PwC Nigeria, The volkswagen open source tool, and more!

Links:

Last week I talked about AWS Management Console Access incorrectly. My thanks to Timothy Ingalls on the Last Week in AWS community Slack for flagging this for me. Gold star for you!
This week's S3 Bucket Negligence Award is brought to you by PwC Nigeria.
FusionAuth has a great dive into their annual SOC 2 vendor selection process.
My beloved Retool has a post talking about how an MFA failure mode led to a small number of customers being exposed.
Accelerating development with AWS CDK plugin – CfnGuardValidator
How to implement cryptographic modules to secure private keys used with IAM Roles Anywhere
Tool of the week: The volkswagen open source tool detects when your tests are being run in a CI server, and makes them pass.

VirtuSwap's Giant Panda Accelerato

Corey Quinn — Mon, 25 Sep 2023 03:00:00 -0700

AWS Morning Brief for the week of September 25, 2023, with Corey Quinn.

Links:

Today Corey is hosting a drink-up at 6 PM in Seattle at Outer Planet Brewing. If you're in town / free, come on by; let him buy you a beer.
Later this week Corey will be hosting an AMA on 9/27 @ noon PDT over on YouTube. Bring questions!
Accenture Extends Generative AI Capabilities to Accelerate Adoption and Value on AWS
New – Amazon EC2 M2 Pro Mac Instances Built on Apple Silicon M2 Pro Mac Mini Computers
How Chime Financial uses AWS to build a serverless stream analytics platform and defeat fraudsters
Centralizing management of AWS Lambda layers across multiple AWS Accounts
Handle traffic spikes with Amazon DynamoDB provisioned capacity
Streamline interstate Department of Motor Vehicles collaboration with Private Blockchain
How to host your Unreal Engine game for under $1 per player with Amazon GameLift
How United Airlines built a cost-efficient Optical Character Recognition active learning pipeline
How VirtuSwap accelerates their pandas ... -based trading simulations with an Amazon SageMaker Studio custom container and AWS GPU instances
Provision sandbox accounts with budget limits to reduce costs using AWS Control Tower
Reducing the Scope of Impact with Cell-Based Architecture - Reducing the Scope of Impact with Cell-Based Architecture
From Massage Therapist to Cloud Associate with AWS Academy

Longer Sessions Are All Right By Me

Corey Quinn — Thu, 21 Sep 2023 03:00:00 -0700

Last week in security news: AWS IAM Identity Center session duration limit increases from 7 to 90 days, Access accounts with AWS Management Console PrivatAccess, A dive through using Amazon Athena in Incident Response, and more!

Links:

This is an esoteric Firefox/Yubikey compatibility bug that I went blindly stumbling into and has been resolved.
Chris Farris has a post up about deploying AWS Backup.
In preparation for re:Invent, the MGM had a massive cybersecurity issue
Amazon EC2 now supports Block Public Access for Amazon Machine Images
AWS IAM Identity Center session duration limit increases from 7 to 90 days
AWS Identity and Access Management provides action last accessed information for more than 140 services
Access accounts with AWS Management Console Private Access
A dive through using Amazon Athena in Incident Response. This is important!
Corey will be hosting an AMA on 9/27 @ noon PDT over on Twitch. Bring questions!

Seeing the Benefits of a Cloud Career

Corey Quinn — Mon, 18 Sep 2023 03:00:00 -0700

AWS Morning Brief for the week of September 18, 2023 with Corey Quinn.

Links:

Overscoped Role? No, It's the Children Who Are Wrong

Corey Quinn — Thu, 14 Sep 2023 03:00:00 -0700

Last week in security news: Corey reported an over-scoped role to AWS security, The bad LastPass breach got even worse, How to enforce DNS name constraints in AWS Private CA, and more!

Links:

I reported an over-scoped role to AWS security; the response from the SageMaker Canvas team was that it's working as intended.
The bad LastPass breach that continues to get worse once again somehow got worse.
Microsoft has published a rather thorough postmortem about how their signing key was leaked.
A security newsletter features a scam that I reported via Twitter.
Google has gone from paragon of security to apparently now sharing aspects of your browsing history with websites in Chrome,
Establishing a data perimeter on AWS: Allow access to company data only from expected networks
How to enforce DNS name constraints in AWS Private CA
Tool of the week: ThreatMapper hunts for threats in your production platforms, and ranks these threats based on their risk-of-exploit.

Why Your CPU-Based Utilization Metric Is Absolute Nonsense

Corey Quinn — Wed, 13 Sep 2023 03:00:00 -0700

AWS Morning Brief Extras edition for the week of September 13, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/why-your-cpu-based-utilisation-metric-is-absolute-nonsense/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

AWS Guild Dinner & Tournament

Corey Quinn — Mon, 11 Sep 2023 03:00:00 -0700

AWS Morning Brief for the week of September 11, 2023, with Corey Quinn.

Links:

Feeding the Snakes Barracuda

Corey Quinn — Thu, 07 Sep 2023 03:00:00 -0700

Last week in security news: Barracuda thought it drove 0-day hackers out of customers’ networks, A terrific guide for getting started with AWS security research, “Zukey” or “Amazon Basics Yubikey”, and more!

Links:

Barracuda thought it drove 0-day hackers out of customers’ networks.
A terrific guide for getting started with AWS security research.
Amazon Basics Yubikey
Two real-life examples of why limiting permissions works: Lessons from AWS CIRT
Validate IAM policies by using IAM Policy Validator for AWS CloudFormation and GitHub Actions
From the world of tools: wapalyzer

Degenerative AI

Corey Quinn — Tue, 05 Sep 2023 03:00:00 -0700

Last Week In AWS for the week of September 4, 2023, with Corey Quinn.

Links:

Everybody Owns This Podcast So Nobody Does

Corey Quinn — Thu, 31 Aug 2023 03:00:00 -0700

Last week in security news: How AWS built the Security Guardians program, Network Load Balancers now support Security groups, the Tool of the week, and more!

Links:

David Linthicum stakes out the position that in a multi-cloud world, centralized cloud security is now a must-have.
Network Load Balancers now support Security groups
How AWS built the Security Guardians program, a mechanism to distribute security ownership
Kubernetes Security Issues (CVE-2023-3676, CVE-2023-3893, CVE-2023-3893)
Tool of the week: SSOFixer

us-west-1: The Flagship Region That Isn’t

Corey Quinn — Wed, 30 Aug 2023 03:00:00 -0700

AWS Morning Brief Extras edition for the week of August 30, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/us-west-1-the-flagship-region-that-isn-t

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

AWS Wallet Extractor

Corey Quinn — Mon, 28 Aug 2023 03:00:00 -0700

AWS Morning Brief for the week of August 28, 2023, with Corey Quinn.

Links:

Storing Logs You Never Read

Corey Quinn — Thu, 24 Aug 2023 03:00:00 -0700

Last week in security news: Short session expiration does not help security, How to use AWS Verified Access logs to write and troubleshoot access policies, This week's S3 Bucket Negligence Award, and more!

Links:

A UK contractor wins this week's S3 Bucket Negligence Award.
What happens when a Zero Day and Access Keys Collide in the Cloud.
Short session expiration does not help security
How to use AWS Verified Access logs to write and troubleshoot access policies
IAMbic purports to be able to alert you to changes to IAM polices via consuming CloudTrail logs

SageMaker Podcast HealthOmics

Corey Quinn — Mon, 21 Aug 2023 03:00:00 -0700

AWS Morning Brief for the week of August 21, 2023 with Corey Quinn.

Links:

Dunking on Robots For InfoSec Clout

Corey Quinn — Thu, 17 Aug 2023 03:00:00 -0700

Last week in security news: Cloudonaut has an overview of AWS's security monitoring services, Chris Farris talks about Defining the Sensitive IAM Actions, What’s new in the world of tools, and more!

Links:

Cloudonaut has an overview of AWS's security monitoring services
A deep exploration into how you can really screw up integrating GitHub with AWS.
Chris Farris talks about Defining the Sensitive IAM Actions.
AWS Security Profile: Get to know the AWS Identity Solutions team
CVE-2023-20569 - RAS Poisoning - Inception - Paired with CVE-2022-40982
AVID is an AI Vulnerability Database.
TinderSec threw up a scanner on GitHub so you can see if you've fallen prey to one of the classic OICD permissions blunders.

The Amazon Prime Day 2023 AWS Bill

Corey Quinn — Wed, 16 Aug 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of August 16, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-amazon-prime-day-2023-aws-bill/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

A Call to aRNs

Corey Quinn — Mon, 14 Aug 2023 03:00:00 -0700

AWS Morning Brief for the week of August 14, 2023, with Corey Quinn.

Links:

Cloud Security Has a Good Week

Corey Quinn — Thu, 10 Aug 2023 03:00:00 -0700

Last week in security news: People are still discovering some effects of the latest Azure security breach, Introducing the first AWS Security Heroes, How to Receive Alerts When Your IAM Configuration Changes, and more!

Links:

Following the latest Azure breach, the CEO of Tenable says they can see banking customer credentials even now.
Introducing the first AWS Security Heroes
How to Receive Alerts When Your IAM Configuration Changes
Perform continuous vulnerability scanning of AWS Lambda functions with Amazon Inspector
Recent Software-based Power Side-Channel Security Research
You can totally use AWS's SSM agent as post-exploitation RAT malware

AWS Begins Charging For Public IPv4 Addresses

Corey Quinn — Wed, 09 Aug 2023 03:00:00 -0700

AWS Morning Brief Extras edition for the week of August 8, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/breaking-aws-begins-charging-for-public-ipv4-addresses/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

EC2's Weird Flex

Corey Quinn — Mon, 07 Aug 2023 03:00:00 -0700

AWS Morning Brief for the week of August 7, 2023 with Corey Quinn.

Links:

Azure's Customer Contempt

Corey Quinn — Thu, 03 Aug 2023 03:00:00 -0700

Last week in security news: Patch your Ubuntu cloud workloads, Azure faces backlash following that stolen Microsoft signing key, IAM Roles Anywhere credential helper adds support for OS certificate stores, and more!

Links:

You almost certainly want to patch your Ubuntu cloud workloads
If you care about what that stolen Microsoft signing key was capable of, Azure really wishes you would stop asking
Senator Wyden is calling for Azure to be held responsible.
In a frantic scramble, Azure is expanding access to cloud logging data for free
IAM Roles Anywhere credential helper adds support for OS certificate stores
CVE-2023-20593
This handy script fetches SSO permission assignments.

Just a Generative AI Company

Corey Quinn — Mon, 31 Jul 2023 03:00:00 -0700

AWS Morning Brief for the week of July 31, 2023, with Corey Quinn.

Links:

Protect Azure DevOps secrets? What a novel idea!

Corey Quinn — Thu, 27 Jul 2023 03:00:00 -0700

Last week in security news: A Guide to S3 Logging, Optimize AWS Config for AWS Security Hub, Amazon Told Drivers Not to Worry About In-Van Surveillance Cameras. Now Footage Is Leaking Online, and More!

Links:

Guide to S3 Logging
Good on JumpCloud for disclosing a breach by some state-backed APT hacking group, but I learned about it from this article, and I'm a JumpCloud customer.
Charlie Bel issued a security roadmap for Microsoft: Protect Azure DevOps secrets is the first item on it. What a novel idea!
Amazon Told Drivers Not to Worry About In-Van Surveillance Cameras. Now Footage Is Leaking Online
Yes, the compromised Microsoft key that they glossed over is incredibly important and Microsoft is downplaying it something fierce.
Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture
Tool of the Week: IAMActionHunter lets you query IAM permission policies

Space Heaters Plus DNS Equals Cloud

Corey Quinn — Mon, 24 Jul 2023 03:00:00 -0700

AWS Morning Brief for the week of July 24 2023 with Corey Quinn.

Links:

The Logging Tax Auditor

Corey Quinn — Thu, 20 Jul 2023 03:00:00 -0700

Last week in security news: An Amazon senior security engineer was indicted in a $9M digital currency heist, Microsoft had one heck of a breach, this week’s S3 Bucket Negligence Award, and more!

Links:

A write-up of someone's experience going through the publicly available flAWS 1&2 labs
Signs of the recent Microsoft breach in your account are tied to an enhanced level of license.
An Amazon senior security engineer was indicted in a $9M digital currency heist
A far-right publisher earned this week's S3 Bucket Negligence Award
Amazon FSx for NetApp ONTAP supports write once, read many (WORM) protection with SnapLock
IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources) was updated.
Tool of the week: AWS IAM Data has launched.

It's Extremely Likely You Should Not Use GovCloud

Corey Quinn — Wed, 19 Jul 2023 03:00:00 -0700

AWS Morning Brief Extras edition for the week of July 19, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/its-extremely-likely-you-should-not-use-govcloud/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

GitHub Actions Done Smartly

Corey Quinn — Mon, 17 Jul 2023 03:00:00 -0700

AWS Morning Brief for the week of July 17, 2023 with Corey Quinn.

Links:

Avoiding a Git Landmine

Corey Quinn — Thu, 13 Jul 2023 03:00:00 -0700

Last week in security news: A deep dive into the DomainNetworks Snail Mail Scam by Krebs on Security, Tailscale is putting their terms and conditions on GitHub, The Tool/ Lesson of the Week, and more!

Links:

A deep dive into who's behind the DomainNetworks Snail Mail Scam by Krebs on Security.
Tailscale is putting its terms and conditions on GitHub and invites users to subscribe to see diffs instead of legalese.
Three ways to accelerate incident response in the cloud: insights from re:Inforce 2023
Tool/ Lesson of the week: git-landmine

Extracting Revenue and Also Teeth

Corey Quinn — Mon, 10 Jul 2023 03:00:00 -0700

AWS Morning Brief for the week of July 10, 2023 with Corey Quinn.

Links:

The Horrible Game That Inspired My Bank

Corey Quinn — Thu, 06 Jul 2023 03:00:00 -0700

Last week in security news: The Password Game, Customer Compliance Guides Now Available on AWS Artifact, The Tool of the Week, and more!

Links:

The Password Game
LastPass has apparently locked customers out due to MFA resets.
Customer Compliance Guides now available on AWS Artifact
Tool of the Week: findmytakeover

S3 Is Not a Backup (Replay)

Corey Quinn — Wed, 05 Jul 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of July 5, 2023.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Amazon Basics Ohio

Corey Quinn — Mon, 03 Jul 2023 03:00:00 -0700

AWS Morning Brief for the week of July 3, 2023 with Corey Quinn.

Links:

Infosec Brain Worms

Corey Quinn — Thu, 29 Jun 2023 03:00:00 -0700

Last week in security news: 'Muddled Libra' Uses Oktapus-Related Smishing to Target Outsourcing Firms, Issue with AWS Directory Service EnableRoleAccess, S3 buckets being used in attacks on npm packages, and more!

Links:

This collection of best practices for managing root users at scale in AWS is worth a read
'Muddled Libra' Uses Oktapus-Related Smishing to Target Outsourcing Firms.
1Health is this week's winner of the S3 Bucket Negligence Award
Barracuda advises customers to rip the entire device out, throw it away, and replace it entirely.
S3 buckets being used in attacks on npm packages
Issue with AWS Directory Service EnableRoleAccess
Tool of the week: xeol is an end-of-life package scanner.

Amazon Calls Down Regulatory Lightning

Corey Quinn — Mon, 26 Jun 2023 03:00:00 -0700

AWS Morning Brief for the week of June 26, 2023 with Corey Quinn.

Links:

The FTC comment period about the business of cloud computing ended
Amazon warehouse practices are now the focus of a senate probe
The FTC is suing Amazon for its Prime enrollment dark patterns
Amazon’s iRobot acquisition is now the subject of an EU investigation
The launch of Amazon Clinic is being delayed after the senate asked some hard questions
Announcing Amazon EC2 Hpc7g instances
AWS Lambda supports starting from timestamp for Kafka event sources
AWS Step Functions launches Versions and Aliases
AWS Transfer Family announces structured JSON log format
5 Stages to Building a Successful Partner Practice with AWS
Say Hello to 176 AWS Competency, Service Delivery, Service Ready, and MSP Partners Added or Renewed in May
How GoDaddy Implemented a Multi-Region Event-Driven Platform at Scale
New Amazon EC2 C7gn Instances: Graviton3E Processors and Up To 200 Gbps Network Bandwidth
For actual technical depth, my thanks to David Cuthbert in the Last Week in AWS Slack Community for surfacing this AnandTech article.
Stream VPC Flow Logs to Datadog via Amazon Kinesis Data Firehose
Creating real-time flood alerts with the cloud
Use AWS Private Certificate Authority to issue device attestation certificates for Matter
Should I use the hosted UI or create a custom UI in Amazon Cognito? - Trick question, you should use recurring Last Week in AWS sponsor FusionAuth instead.
Coming soon: updates to AWS Certified Cloud Practitioner exam
How I achieved all six specialty AWS Certifications on first attempt
How to win a $5 Amazon Gift Card, just by signing up for the Amazon News newsletter

re:Inforce and fwd:cloudsec with Scott Piper

Corey Quinn — Thu, 22 Jun 2023 03:00:00 -0700

Last week in security news: Videos from fwd:cloudsec are now available on YouTube, AWS announces AWS Payment Cryptography, Amazon CodeGuru Security is now available in preview, and more!

Links:

There was lots of great content presented at fwd:cloudsec. The day-long videos are up on YouTube. You can use the schedule to help find the talks you're interested in.
In contrast to AWS's "Shared Responsibility Model", I appreciate GCP's "Shared Fate Model" where they put their own skin in the game in ensuring their customers are protected. In their New Cryptomining Protection Program, they offer $1M in what is basically an insurance policy that comes with Security Command Center Premium.
Bob McMillan from the WSJ reports that North Korean hackers have stolen more than $3 billion in crypto over the last 5 years, and their heists are now funding fully half of its ballistic missile program.
a16z writes Hiring a Chief Information Security Officer.
Removing header remapping from Amazon API Gateway, and notes about our work with security researchers - AWS made a breaking change to respond to a security issue. The security researchers that found the issue wrote their side of the story, describing it as AWS API Gateway header smuggling and cache confusion.
Issue with AWS Directory Service EnableRoleAccess - AWS released a security bulletin for this issue, which they seem to do at random for security issues. Ben Bridts from Cloudar found and reported this issue which AWS has fixed. He goes into more detail in his blog post and in a talk at fwd:cloudsec.
Amazon CloudWatch Logs data protection account level policy configuration
AWS WAF Fraud Control launches account creation fraud prevention and reduced pricing
AWS announces AWS Payment Cryptography
AWS Transfer Family announces quantum-safe key exchange for SFTP
Amazon CodeGuru Security is now available in preview
Amazon Inspector announces the general availability of Code Scans for AWS Lambda function
AWS announces Software Bill of Materials export capability in Amazon Inspector
Amazon EC2 Instance Connect supports SSH and RDP connectivity without public IP address
Amazon GuardDuty enhances console experience with findings summary view
Amazon Detective extends finding groups to Amazon Inspector
Amazon S3 announces dual-layer server-side encryption for compliance workloads
AWS CloudTrail Lake launches curated dashboards for visualizing top CloudTrail trends
AWS IAM Identity Center now supports automated user provisioning from Google Workspace

FTC Request, Answered: How Cloud Providers Do Business

Corey Quinn — Wed, 21 Jun 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of June 21, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/ftc-request-answered-how-cloud-providers-do-business

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Guest Host for re:Inforce Week - Scott Piper!

Corey Quinn — Tue, 20 Jun 2023 03:00:00 -0700

AWS Morning Brief for the week of June 20th, 2023 with Scott Piper filling in for Corey Quinn.

Links:

Confused DevOps Professional

Corey Quinn — Thu, 15 Jun 2023 03:00:00 -0700

Last week in security news: CloudFlare had a Confused Deputy Vulnerability, Moving Away from IAM Identity Center, AWS KMS now supports importing asymmetric and HMAC keys, and more!

Links:

CloudFlare had a Confused Deputy Vulnerability
As I move away from IAM Identity Center, I find it interesting that a lot of folks I respect are doing similar things.
I was going to drag this otherwise awesome article disclosing the vulnerability they located within AWS CDK's eks.Cluster component.
AWS KMS now supports importing asymmetric and HMAC keys
Tool/ Tip of the week: List of documented and undocumented AWS API models

The Leeches of AWS

Corey Quinn — Mon, 12 Jun 2023 03:00:00 -0700

AWS Morning Brief for the week of June 12, 2023 with Corey Quinn.

Links:

A Hole in the S3 Buckets

Corey Quinn — Thu, 08 Jun 2023 03:00:00 -0700

Last week in security news: Thinkst Canary's Thinkstscapes, Multiple S3 Bucket Negligence Awards, Credit Card Payment Processing on AWS, and more!

Links:

Thinkst Canary's Thinkstscapes
It's been a while since we've seen a strong, confirmed S3 Bucket Negligence Award, but Toyota has a massive one dating back a decade.
Oof, looks like Google's CloudSQL product had a vulnerability that would allow an attacker to escalate to GCP control plane permissions.
Holy... Legion malware expands scope to target AWS CloudWatch as well.
When it rains, it pours; Capita had an S3 Bucket Negligence Award as well!
Credit Card Payment Processing on AWS - Don't do it. Pay Stripe.
Amazon Security Lake is now generally available
Announcing the AWS Blueprint for Ransomware Defense
Get custom data into Amazon Security Lake through ingesting Azure activity logs
Tip of the week: When you're starting something new that might turn into a company, use SSO.

17 Final Ways to Run Containers on AWS

Corey Quinn — Wed, 07 Jun 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of June 7, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/17-final-ways-to-run-containers/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Rated R for Ridiculousness

Corey Quinn — Mon, 05 Jun 2023 03:00:00 -0700

AWS Morning Brief for the week of June 5, 2023 with Corey Quinn.

Links:

Corey is off to Washington DC tomorrow for the Public Sector summit. If you're in town, he’s hosting a drink up at Highline RxR from 6-8 PM tomorrow (Tuesday) evening. Let him buy you a drink!
AWS Pricing Calculator now offers visibility of point in time cost estimations
Invoice Summary is now available
Optimize your x86-based Amazon EC2 Workloads
New – AWS DMS Serverless: Automatically Provisions and Scales Capacity for Migration and Data Replication
Build hypothetical indexes in Amazon RDS for PostgreSQL with HypoPG
Version 1 of the AWS Cloud Development Kit (AWS CDK) has reached end-of-support
The Retail Race: A Roadmap for Implementing a Smart Store Strategy
Get ready for AWS IPv6 day
Introducing a cost control solution for Amazon Braket

The Wages of TLS

Corey Quinn — Thu, 01 Jun 2023 03:00:00 -0700

Last week in security news: Faster AWS cloud connections with TLS 1.3, Belkin is crappy in many ways, the Tool of the Week, and more!

Links:

Amazon bought Pillpack, since they wanted to get into being our pharmacy. Now Pillpack reports a data breach affecting more than 19,000 people.
Belkin is crappy in many ways
AWS partners bring choice of temporary elevated access capabilities to IAM Identity Center
Exclude cipher suites at the API gateway using a Network Load Balancer security policy
Faster AWS cloud connections with TLS 1.3
Stronger together: Highlights from RSA Conference 2023
This is a fun tool: Is It AWS

Batman's Customer Testimonials

Corey Quinn — Tue, 30 May 2023 03:00:00 -0700

AWS Morning Brief for the week of May 30, 2023 with Corey Quinn.

Links:

Bloomberg reported this week that I referred to AWS's hyped generative AI offerings that nobody I know has been able to access as vaporware
Amazon Aurora PostgreSQL improves availability of read replicas
AWS Copilot announces Static Site pattern to host single-page web applications
Developing a serverless Slack app using AWS Step Functions and AWS Lambda
How Broadridge used Amazon Managed Blockchain to build a private equity lifecycle management solution
Stronger together: Highlights from RSA Conference 2023
Welcome to AWS Documentation

Bad Behavior And Doing Things Right

Corey Quinn — Thu, 25 May 2023 03:00:00 -0700

Last week in security news: The ex-Ubiquiti engineer who stole a giant pile of their data gets a six year prison term, Bitbucket will be updating their SSH host keys, AWS Reported a GuardDuty Finding Issue, and more!

Links:

The ex-Ubiquiti engineer who stole a giant pile of their data gets a six year prison term
Bitbucket will be updating their SSH host keys
Google has decided to free up inactive accounts after two years. Okay, that's their policy, but then they have the audacity to lie to our faces and say it's for "security."
I have a bunch of Wemo devices at home that control lights. I found out that they've got a buffer overflow that Wemo "will not be fixing" because the devices are end of life.
AWS Reported a GuardDuty Finding Issue
The tool of the week: IAMbic lets you tailor AWS Identity Center permissions per account.

A Hidden Serverless Peril

Corey Quinn — Wed, 24 May 2023 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/a-hidden-serverless-peril

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

RedShift Costs a Peloton

Corey Quinn — Mon, 22 May 2023 03:00:00 -0700

AWS Morning Brief for the week of May 22, 2023 with Corey Quinn.

Links:

Corey is speaking at Tailscale Up in San Francisco next week; his talk is called "The Managed NAT Gateway Time Machine"
AWS announces Amazon Aurora I/O-Optimized
AWS Cost Categories now supports “Usage Type” dimension
Retiring the AWS Documentation on GitHub
Peloton embraces Amazon Redshift to unlock the power of data during changing times
Motivations for migration to Amazon DynamoDB
Neo Financial achieves Zero Trust goals and meets compliance requirements with Amazon WorkSpaces Web
Introducing AWS GameTime – a new AWS Twitch show
Unlock Insights from your Amazon S3 data with intelligent search
Estimating AWS Config recorder costs and usage using AWS CloudTrail
Creating a strategic approach to government continuity

SCPs Are Not For Me..s?

Corey Quinn — Thu, 18 May 2023 03:00:00 -0700

Last week in security news: Amazon CloudFront announces one-click security protections, SCPkit helps you manage your SCPs, A walk through AWS Verified Access policies, and more!

Links:

Aetonix was nominated for a potential S3 Bucket Negligence Award
Google has launched its Passkey implementation
A story about MSI leaking its own signing keys
Kentik once again has a marvelously unhinged video that you're going to want to watch.
This AWS IAM Wishlist is a great place to start if you're an AWS IAM product manage
Amazon CloudFront announces one-click security protections
A walk through AWS Verified Access policies
Tool of the week: SCPkit helps you manage your SCPs

EC2 Wars 1: The Phantom NAT Gateway

Corey Quinn — Mon, 15 May 2023 03:00:00 -0700

AWS Morning Brief for the week of May 15, 2023 with Corey Quinn.

Links:

Humoring the Parenthetical

Corey Quinn — Thu, 11 May 2023 03:00:00 -0700

Last week in security news: Containing Compromised EC2 Credentials Without (Hopefully) Breaking Things, How to scan your AWS Lambda functions with Amazon Inspector, AWS IAM Actions, And More!

Links:

My 9 Favorite Things About AWS

Corey Quinn — Wed, 10 May 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of May 10, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/9-things-I-love-about-aws

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Digital Home Depot

Corey Quinn — Mon, 08 May 2023 03:00:00 -0700

AWS Morning Brief for the week of May 8, 2023 with Corey Quinn.

Links:

A Quiet But Bad Week

Corey Quinn — Thu, 04 May 2023 03:00:00 -0700

Last week in security news: Tailscale now offers network flow logs, Google had a GhostToken flaw, AWS reported an issue with IAM supporting multiple MFA devices, and more!

Links:

Tailscale now offers network flow logs
Google had a GhostToken flaw that let attackers backdoor Google accounts.
The folks at SADA found a major bug in Google Cloud; apparently it had the potential to expose the private keys for Google Cloud Service Accounts
Issue With IAM Supporting Multiple MFA Devices
This week in Tools: It's been a while since I linked to CloudMapper

Implementing Search For Google Docs in Google Docs

Corey Quinn — Mon, 01 May 2023 03:00:00 -0700

AWS Morning Brief for the week of May 1, 2023 with Corey Quinn.

Links:

Shrieking Like a Toddler

Corey Quinn — Thu, 27 Apr 2023 03:00:00 -0700

Last week in security news: Dealing with Ransomware in the Cloud, Pen Testing AWS, How to prioritize IAM Access Analyzer findings, and more!

Links:

Last Week in AWS job board
AWS had two (minor) Cross-Tenant Vulnerabilities within AWS App Runner.
Some company called Invictus has practical experience dealing with ransomware in the cloud
Chris Farris has a post on Pen Testing AWS.
Dark Reading posits that Security Is a Revenue Booster, Not a Cost Center.
An Attacker's Perspective on AWS Account IDs
How to prioritize IAM Access Analyzer findings
Scale your authorization needs for Secrets Manager using ABAC with IAM Identity Center
Netchecks is a way of programmatically verifying your security controls.
I love CloudTrail Lake, and this repository of query samples makes it easier for me to use it.
IAMbic offers "GitOps for IAM."

Why AWS Might Be the Next Backbone Provider

Corey Quinn — Wed, 26 Apr 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of April 26, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/why-aws-might-be-the-next-backbone-provider

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

RSA Beckons to Sell You a Firewall

Corey Quinn — Mon, 24 Apr 2023 03:00:00 -0700

AWS Morning Brief for the week of April 24, 2023 with Corey Quinn.

Links:

Screwing Up the Messaging and Also the RSA Dates

Corey Quinn — Thu, 20 Apr 2023 03:00:00 -0700

Last week in security news: Creating an AWS Backup Account, Azure had another cross-tenant access vulnerability, Security Hub Hurts My Self-Esteem, and more!

Links:

Corey hosted a partner panel at AWS Container Day at KubeCon
This post on using OIDC to secure your CI/CD pipelines mirrors what I did with GitHub actions a year or so ago.
Teri Radichel has a piece on Creating an AWS Backup Account
Slack is conducting an absolute masterclass in how to screw up messaging to your target audience.
Azure had another cross-tenant access vulnerability
Security Hub Hurts My Self-Esteem
AWS Security Profile: Matt Luttrell, Principal Solutions Architect for AWS Identity
Tool of the Week: iamlive

Barest Metal Instances

Corey Quinn — Mon, 17 Apr 2023 03:00:00 -0700

AWS Morning Brief for the week of April 17, 2023 with Corey Quinn.

This week is RSA in San Francisco; I'll be haunting the expo hall at some point, so if you're in town say hi.

Links:

"A Quiet Week" He Says, Tempting Fate

Corey Quinn — Thu, 13 Apr 2023 03:00:00 -0700

Last week in security news: Logging strategies for security incident response, A Department of Energy report shows some rather serious gaps in security monitoring, A dedicated repository of winners of the S3 Bucket Negligence Awards, and more!

Links:

Zoom took an outage and the message was clearly AWS generated. Root cause? Misconfigured SCP.
A Department of Energy report shows some rather serious gaps in the security monitoring of their cloud environments.
Logging strategies for security incident response
Reduce triage time for security investigations with Amazon Detective visualizations and export data
TLS inspection configuration for encrypted traffic and AWS Network Firewall
A dedicated repository of winners of the S3 Bucket Negligence Awards.

LocalStack: Why Local Development for Cloud Workloads Makes Sense

Corey Quinn — Wed, 12 Apr 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of April 12, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/localstack-why-local-development-for-cloud-workloads-makes-sense

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Your Network Bill is Now Diamonds

Corey Quinn — Mon, 10 Apr 2023 03:00:00 -0700

AWS Morning Brief for the week of April 10, 2023 with Corey Quinn.

Links:

A Repository of AWS Customer Breaches

Corey Quinn — Thu, 06 Apr 2023 03:00:00 -0700

Last week in security news: Gain insights and knowledge at AWS re:Inforce 2023, InvalidClientTokenId, a repository of AWS customer breaches, and more!

Links:

If you're in New York City proper, I hope to see you tonight at 7PM at Vol de Nuit
We're hiring an Account Exec to handle media sales for this very podcast. Should you be the person who refers the successful candidate, we'll give you a $3K USD referral fee.
Nick Frichette has found an undocumented Amplify API and used it to leak AWS Account IDs.
Friend of the newsletter Chris Farris has started an AWS security consulting practice.
Gain insights and knowledge at AWS re:Inforce 2023
How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts
InvalidClientTokenId: The security token included in the request is invalid error
Someone is curating this repository of AWS customer breaches.

Friendship Started with Microservices

Corey Quinn — Mon, 03 Apr 2023 03:00:00 -0700

AWS Morning Brief for the week of April 3, 2023 with Corey Quinn.

Links:

GitHub's Bad Key Week

Corey Quinn — Thu, 30 Mar 2023 03:00:00 -0700

Last week in security news: Github accidentally published its RSA host keys for SSH, Automate IAM credential reports for large AWS Organizations, The Tool of the Week, and more!

Links:

Sad news; infosec luminary Kelly ‘Aloria’ Lum has regrettably passed away.
Automate IAM credential reports for large AWS Organizations
Github accidentally published its RSA host keys for SSH.
How to use Amazon Macie to reduce the cost of discovering sensitive data
Use backups to recover from security incidents
Tool of the Week: Chekov

S3 as an Eternal Service

Corey Quinn — Wed, 29 Mar 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of March 29, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.https://www.lastweekinaws.com/blog/s3-as-an-eternal-service

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Amazon Snizz Bug Gets Fixed

Corey Quinn — Mon, 27 Mar 2023 03:00:00 -0700

AWS Morning Brief for the week of March 27, 2023 with Corey Quinn.

Links:

Y'allbikey Configuration Guide

Corey Quinn — Thu, 23 Mar 2023 03:00:00 -0700

Last week in security news: The Many Ways to Access DynamoDB, a Yubikey configuration cheatsheet, and more!

Links:

The Many Ways to Access DynamoDB
Scott Piper’s post on redacting AWS account IDs from public posts
How to use Google Workspace as an external identity provider for AWS IAM Identity Center
Yubikey configuration cheatsheet

Mining Your Data/Currency/Minerals

Corey Quinn — Mon, 20 Mar 2023 03:00:00 -0700

AWS Morning Brief for the week of March 20, 2023 with Corey Quinn.

Links:

The Government Gets It

Corey Quinn — Thu, 16 Mar 2023 03:00:00 -0700

Last week in security news: U.S. Officials are frustrated with cloud providers, Best Practices For Securing Your Home Network, The Tool of the Week, and more!

Links:

AWS's Anti-Competitive Move Hidden in Plain Sight

Corey Quinn — Wed, 15 Mar 2023 07:30:00 -0700

AWS Morning Brief Extras edition for the week of March 15, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/awss-anti-competitive-move-hidden-in-plain-sight/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Bored? See the AWS Job Board

Corey Quinn — Mon, 13 Mar 2023 03:00:00 -0700

AWS Morning Brief for the week of March 13, 2023 with Corey Quinn.

Links:

LastPass, LastHope, LostPass, LostHope

Corey Quinn — Thu, 09 Mar 2023 03:00:00 -0800

Last week in security news: Audit Log Wall of Shame, More info on the LastPass breach, the Tool of the Week, and more!

Links:

Audit Log Wall of Shame
Saudi social media app Fayvo apparently had an unsecured database
More information has come to light about the LastPass breach
Three ways to boost your email security and brand reputation with AWS
Tool of the week: Trailscraper is an open source project to get useful information out of CloudTrail logs.

Happy Fun Podcast That Tells It Like It Is

Corey Quinn — Mon, 06 Mar 2023 03:00:00 -0800

AWS Morning Brief for the week of March 6, 2023 with Corey Quinn.

Links:

Corey Invades Seattle

Corey Quinn — Thu, 02 Mar 2023 03:00:00 -0800

Last week in security news: US Military emails leaked on an exposed server, How to monitor and query IAM resources at scale, the Tool of the Week, and more!

Links:

If you're in Seattle, come to Outer Planet Brewing this Sunday at 7PM and let Corey buy you a drink.
Aiden Steele writes at length about using a recent enhancement to Systems Manager to pass out a role to all of your EC2 instances.
US Military emails leaked on an exposed server
Amazon Detective launches an interactive workshop for investigating potential security issues
How to monitor and query IAM resources at scale – Part 1
Tool of the week: a break-glass role to limit production access to the AWS console

AWS is Asleep at the Lambda Wheel

Corey Quinn — Wed, 01 Mar 2023 07:30:00 -0800

AWS Morning Brief Extras edition for the week of March 1, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/aws-is-asleep-at-the-lambda-wheel

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Listening to This Podcast Will Improve Your Hiring Diversity

Corey Quinn — Mon, 27 Feb 2023 03:00:00 -0800

AWS Morning Brief for the week of February 27, 2023 with Corey Quinn.

Links:

A Little Security for Everyone

Corey Quinn — Thu, 23 Feb 2023 03:00:00 -0800

Last week in security news: More security woes for Azure, the AWS Survival Kit, CloudGPT, and more!

Links:

A security researcher reported a potential account compromise vector to Azure back in 2021.
I once again want to draw your attention to the open source AWS Survival Kit.
How to visualize IAM Access Analyzer policy validation findings with QuickSight
Updated ebook: Protecting your AWS environment from ransomware
ChatGPT is all the rage, and of course here's CloudGPT to analyze AWS policies for vulnerabilities
Scott Piper has a great tip for us this week: think of the vendors / partners who have roles in your AWS account.

Amazon's Snowball Edge Frustrates This User

Corey Quinn — Wed, 22 Feb 2023 07:30:00 -0800

AWS Morning Brief Extras edition for the week of February 22, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.https://www.lastweekinaws.com/blog/amazons-snowball-edge-frustrates-this-user

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Technical Debt Cash-Out Refinance

Corey Quinn — Tue, 21 Feb 2023 03:00:00 -0800

Attacked S3s and Guilty Pleas

Corey Quinn — Thu, 16 Feb 2023 03:00:00 -0800

Last week in security news: Ubiquiti inside attacker pleads guilty, Wiz 2023 State of the Cloud report, the tool of the week, and more!

Links:

That inside attacker who worked at jackass company Ubiquiti pleads guilty
Datadog's security folk discovered an AWS Console rate limit bypass
Wiz 2023 State of the Cloud report
The anatomy of ransomware event targeting data residing in Amazon S3
Tool of the week: aws-firewall-factory

The Dumbest Dollars a Cloud Provider Can Make (Replay)

Corey Quinn — Wed, 15 Feb 2023 07:30:00 -0800

AWS Morning Brief Extras edition for the week of February 15, 2023.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-dumbest-dollars-a-cloud-provider-can-make/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Santa's EKS Workshop Massacre

Corey Quinn — Mon, 13 Feb 2023 03:00:00 -0800

AWS Morning Brief for the week of February 13, 2023 with Corey Quinn.

Links:

Wait did you say "Drone Manufacturer?!"

Corey Quinn — Thu, 09 Feb 2023 03:00:00 -0800

Links:

In this down market, it's good to know that jobs paying six (and rarely, seven!) figure salaries, giving bonuses, and of course including paid time off are still out there. Unfortunately they're working for cybercrime groups.
Ian McKay is great--but given his history of creating awesome-yet-horrifying things in AWS I read this piece on Cedar (AWS's new policy language)
Popular drone manufacturer CrowdStrike reports on how Adversaries Can Persist with AWS User Federation,
How to set up ongoing replication from your third-party secrets manager to AWS Secrets Manager
Want to chain roles in a way that works for more than an hour? Role Chain Juggling has you covered.

The AWS Community Isn't for Amazonians

Corey Quinn — Wed, 08 Feb 2023 07:30:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-aws-community-isnt-for-amazonians

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Telling Customers What They Want To Hear

Corey Quinn — Mon, 06 Feb 2023 03:00:00 -0800

Links:

Azure Improves Slowly

Corey Quinn — Thu, 02 Feb 2023 03:00:00 -0800

Links:

Azure messed up a regular expression
GitHub's blog has a piece on passwordless deployments to the cloud
LastPass has now admitted that the attackers stole customers' backups and encryption key
Deploy a dashboard for AWS WAF with minimal effort
Thinkst's free service now supports credit card tokens.
precloud is a suite of dynamic tests for infrastructure as code.

S3 Encryption at Rest Does NOT Solve for Bucket Negligence

Corey Quinn — Wed, 01 Feb 2023 07:30:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/s3-encryption-at-rest-does-not-solve-for-bucket-negligence/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Timecode Burn-In, Employee Burn-Out

Corey Quinn — Mon, 30 Jan 2023 03:00:00 -0800

This episode is sponsored in part by the Google for Startups Cloud Program

Links:

Aspirational Audit Logs

Corey Quinn — Thu, 26 Jan 2023 03:00:00 -0800

Links:

Datadog reports that an undocumented API allowed CloudTrail bypass
MailChimp was breached and had customer data exposed
Folks can use GitHub Codespaces to host and deliver malware.
How to revoke federated users’ active AWS sessions
The worst backup software known to humankind

1000 Access Points of Light

Corey Quinn — Mon, 23 Jan 2023 03:00:00 -0800

Links:

Wait Did You Say Root API Keys?

Corey Quinn — Thu, 19 Jan 2023 03:00:00 -0800

Links:

Join Corey in Phoenix next Sunday at 1PM at Zuzu for a community meet-up.
Rackspace continues to trickle the truth out; it's now admitting that attackers accessed customer data
Tom Forbes scanned--wait, holy hell, he scanned every package on PyPi and found 57 live AWS keys.
In one year we're going to come back and see how accurate the heads of AWS security are with their predictions for cybersecurity in 2023
Today's tip of the week is to go fire up your important AWS account(s) and validate that the root user doesn't have API credentials assigned.

Four Announcements of the Boring Apocalypse

Corey Quinn — Tue, 17 Jan 2023 03:00:00 -0800

Links:

Join Corey in Phoenix next Sunday at 1PM at Zuzu for a community meet-up.
AWS Config supports 22 new resource types
Changes to AWS Billing, Cost Management, and Account Consoles Permissions
Run a popular benchmark on Amazon Redshift Serverless easily with AWS Data Exchange
How to optimize costs for grant-based research projects with AWS

Computers Checking Compliance Boxes

Corey Quinn — Thu, 12 Jan 2023 03:00:00 -0800

This episode is sponsored in part by the Google for Startups Cloud Program

Links:

CircleCI came out with a security alert urging you to rotate any secrets stored in CircleCI.
Another bite at the craptastic LastPass breach response, this article parses their weak-sauce PR statement
Over the holidays Slack had some private GitHub code repositories stolen.
ACSESSED is another Azure vulnerability
Amazon S3 Encrypts New Objects By Default
Updated whitepaper available: AWS Security Incident Response Guide
iamfast analyzes your application code to generate a least-privilege IAM policy.
Wiz has come up with and open sourced PEACH, a tenant isolation framework for cloud applications.

The Work of Sober Minds

Corey Quinn — Mon, 09 Jan 2023 03:00:00 -0800

Links:

LastStrawPass

Corey Quinn — Thu, 29 Dec 2022 03:00:00 -0800

inks:

AWS Lambda Security Threats and Mitigations
LastPass now admits that hackers stole customers’ password vaults.
Google WordPress Plug-in Bug
McGraw Hill earned this week’s S3 Bucket Negligence Award for exposing 100K students' grades
Announcing the new security widget on AWS Console Home
Introducing the Security Design of the AWS Nitro System whitepaper
Please +1 my request to add support for an ~/.aws/config.d/ directory to the AWS cli.

Holiday Replay: Why I Turned Down an AWS Job Offer

Corey Quinn — Wed, 28 Dec 2022 07:30:00 -0800

This episode originally aired on October 13, 2021

Check out a related YouTube Video here: https://youtu.be/BCiUulzr9f8

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Soaking the US Navy

Corey Quinn — Tue, 27 Dec 2022 03:00:00 -0800

Links:

A Bunch of Vulnerabilities is Called an Embarrassment

Corey Quinn — Thu, 22 Dec 2022 03:00:00 -0800

Links:

Azure's VP of Security Engineering published a post describing their approach to cloud vulnerabilities
Panther deployed Yubikeys internally and blogged about it.
LastPass has (yet again) suffered a breach, and published a no-content advisory that TechCrunch took the time to parse through.
Apparently Wiz decided to poke around a bit into IBM "Cloud" and found a bunch of security issues.
Prepare for consolidated controls view and consolidated control findings in AWS Security Hub
Reported ECR Public Gallery Issue
From the world of tools: osquery turns your operating system into a database

Holiday Replay: The Right and Wrong Way to Interview Engineers

Corey Quinn — Wed, 21 Dec 2022 07:30:00 -0800

This episode originally aired on July 17, 2020.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the_right_and_wrong_way_to_interview_engineers/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Screwing Up the Cloud Economics Math

Corey Quinn — Mon, 19 Dec 2022 03:00:00 -0800

Links:

Censoring Myself Out of Pure Self-Interest

Corey Quinn — Thu, 15 Dec 2022 03:00:00 -0800

Links:

A Multi-Cloud Rant (Holiday Replay)

Corey Quinn — Wed, 14 Dec 2022 07:30:00 -0800

This episode was originally released on August 20, 2021.

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/a_multicloud_rant/

Want to watch a rant about Multi-Cloud? Watch our Multi-Cloud is a Terrible Idea YouTube Video here: https://youtu.be/Mlr7vioQqwg

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

The Dryer Ate the SOC

Corey Quinn — Mon, 12 Dec 2022 03:30:00 -0800

Links:

The Unfulfilled Promise of Serverless

Corey Quinn — Wed, 07 Dec 2022 07:30:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/The-Unfulfilled-Promise-of-Serverless/

This episode was originally released on November 3, 2021.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

re:Invent 2022 Retrospective: Releases & Opinions

Corey Quinn — Mon, 05 Dec 2022 03:00:00 -0800

Links:

The Releases are Coming Fast and Furious Now

Corey Quinn — Wed, 30 Nov 2022 07:30:00 -0800

Links:

Stay Up To Date with re:Quinnvent

Sign up for the re:Quinnvent Newsletter
Check out the re:Quinnvent playlist on YouTube
If you’re on site:
- Join Corey for a Nature Walk through the Expo Hall beginning at the Fortinet booth today (11/29/22) at 1pm PST or
- For drinks at Atomic Liquors tonight at 8:15 pm PST.
- Tomorrow evening is re:Play, if you see Corey there, please say hello!

Help the show

Share your feedback
Subscribe wherever you get your podcasts
Buy our merch

What's Corey up to?

The Releases of re:Invent are in Full Swing

Corey Quinn — Tue, 29 Nov 2022 07:30:00 -0800

Links:

Stay Up To Date with re:Quinnvent

Sign up for the re:Quinnvent Newsletter
Check out the re:Quinnvent playlist on YouTube
If you’re on site:
- Join Corey for a Nature Walk through the Expo Hall beginning at the Fortinet booth tomorrow (11/29/22) at 1pm PST or
- For drinks at Atomic Liquors tomorrow evening at 8:15 pm PST.

Help the show

Share your feedback
Subscribe wherever you get your podcasts
Buy our merch

What's Corey up to?

Pre:Invent Edition

Corey Quinn — Mon, 28 Nov 2022 09:00:00 -0800

Links:

Stay Up To Date with re:Quinnvent

Help the show

Share your feedback
Subscribe wherever you get your podcasts
Buy our merch

What's Corey up to?

The Feudal Lords of Amazon: AWS' Infinite Service Launches and Counterproductive Culture

Corey Quinn — Wed, 23 Nov 2022 07:30:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-feudal-lords-of-amazon/

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/g1guW6tiR50

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

IAM Over the Moon About Multiple MFA Devices

Corey Quinn — Mon, 21 Nov 2022 03:00:00 -0800

Links:

The Canary in the Git Mine

Corey Quinn — Thu, 17 Nov 2022 03:00:00 -0800

Links:

A super-neat exploration of the Lambda execution environment from a security perspective.
Detect and block advanced bot traffic
How to evaluate and use ECDSA certificates in AWS Certificate Manager - AWS released support for ECDSA certificates.
Canary Tokens

How To Learn Something New: Kubernetes The Much Harder Way

Corey Quinn — Wed, 16 Nov 2022 07:30:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/How-To-Learn-Something-New-Kubernetes-the-Much-Harder-Way

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/bpp5tpgU6CE

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

gp3 for thee, RDS

Corey Quinn — Mon, 14 Nov 2022 03:00:00 -0800

Links:

Overly OpenSearch

Corey Quinn — Thu, 10 Nov 2022 03:00:00 -0800

Links:

I really like this idea of an AWS account solely for getting into other AWS accounts.
Amazon accidentally exposed an internal server packed with Prime Video viewing habits.
How to use trust policies with IAM roles - "It's an older post sir, but it checks out."
OpenSSL Security Advisories - November 2022
Tool of the week: s3crets_scanner

An alterNAT Future: We Now Have a NAT Gateway Replacement

Corey Quinn — Wed, 09 Nov 2022 07:30:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/an-alternat-future-we-now-have-a-nat-gateway-replacement/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

EIP Moving Day

Corey Quinn — Mon, 07 Nov 2022 03:00:00 -0800

Links:

Azure Makes it Worse

Corey Quinn — Thu, 03 Nov 2022 03:00:00 -0700

Links:

SOCRadar demonstrated a significant leak that spanned the world; it distills down to an Azure equivalent of an open S3 bucket.
This security recap of 2022 Google Next and Microsoft Ignite is worth reading if you're doing things in that particular side of the ecosystem.
IAM Access Analyzer findings now support Amazon SNS topics and five other AWS resource types to help you identify public and cross-account access
DNS Analysis Server is a tool that can be used to demonstrate vulnerabilities in your DNS configuration.
A very reasonable API Security Checklist of things to consider before releasing your API to the world.

AWS re:Invent: What You Actually Need To Know Before You Go

Corey Quinn — Wed, 02 Nov 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/aws-re-invent-what-you-actually-need-to-know-before-you-go/

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/lZPDfTXmfI4

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

The pre:Invent Drumbeat Starts

Corey Quinn — Mon, 31 Oct 2022 03:00:00 -0700

Links:

The Real Reason Cloud IDE Adoption Is Lagging

Corey Quinn — Wed, 26 Oct 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-real-reason-cloud-ide-adoption-is-lagging

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here:

https://youtu.be/fRc0maN0Z_I

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Giving a Shirt about S3

Corey Quinn — Mon, 24 Oct 2022 03:00:00 -0700

Links:

Azure: Less a Cloud Than Performance Art

Corey Quinn — Thu, 20 Oct 2022 03:00:00 -0700

Links:

A walkthrough that takes us on a whirlwind tour of AWS Secrets Manager and the principle of least-privilege.
Azure Arc-enabled Kubernetes privilege escalation vulnerability
Datadog has an report out on the The State of AWS Security
Simplifying serverless permissions with AWS SAM Connectors
Tool of the week: trailscraper gets signal from noise when it comes to CloudTrail logs.

A Brief History of Kubernetes, Its Use Cases, and Its Problems

Corey Quinn — Wed, 19 Oct 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/a-brief-history-of-kubernetes-its-use-cases-and-its-problems

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/StlZwvsq9tc

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Blame Steven Postmortems

Corey Quinn — Mon, 17 Oct 2022 03:00:00 -0700

Links:

Higher Cross-region SSO Availability

Corey Quinn — Thu, 13 Oct 2022 03:00:00 -0700

Links:

AWS Data Transfer Charges: Ingress Actually Is Free

Corey Quinn — Wed, 12 Oct 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/aws-data-transfer-charges-ingress-actually-is-free/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Getting Lost in Cloud Map

Corey Quinn — Tue, 11 Oct 2022 03:00:00 -0700

Links:

Basic Security Alerting

Corey Quinn — Thu, 06 Oct 2022 03:00:00 -0700

Links:

Confidential Computing Is a Cloud Paranoia-Based Wasteland

Corey Quinn — Wed, 05 Oct 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/confidential-computing-is-for-the-tinfoil-hat-brigade

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/z_jD64jGhhI

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Amazon File Cash

Corey Quinn — Mon, 03 Oct 2022 03:00:00 -0700

Links:

Inadvertent Compliance Week

Corey Quinn — Thu, 29 Sep 2022 03:00:00 -0700

Links:

The Challenges of Assessing Kubernetes clusters for PCI Compliance.
Tailscale released a post titled What we learned (and can share) from passing our SOC 2 Type II audit that is absolutely worth your time and attention.
Our friends at Wiz discovered a vulnerability in Oracle Cloud’s security where you could mount other customers' EBS volumes simply by asking the API to do so.
From the Mouth of AWS Horse: Announcing an update to IAM role trust policy behavior
In the world of tools, AWS has launched its rolesanywhere-credential-helper

The Baffling Maze of Kubernetes

Corey Quinn — Wed, 28 Sep 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/iOqSjqhD2lc

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Getting Twitchy About the AWS Bill

Corey Quinn — Mon, 26 Sep 2022 03:00:00 -0700

AWS Morning Brief for the week of Monday, September 26th with Corey Quinn.

Connecting All William-Nilliam

Corey Quinn — Thu, 22 Sep 2022 03:00:00 -0700

Links:

If you're near Arlington Virgina, come on by Highline this evening at 7PM and let me buy you a drink.
Are you confused by AWS's KMS service? Me too. This guide to KMS helped a lot--and you really don't want to be confused by security things.
BHIM leaks the details of 7.26 million users and scores themselves an S3 Bucket Negligence Award in the process. Stop doing this!
Securely Using External ID for Accessing AWS Accounts Owned by Others - AWS blesses us with a great rundown of how to think about external IDs for accessing AWS accounts.
Use AWS Network Firewall to filter outbound HTTPS traffic from applications hosted on Amazon EKS and collect hostnames provided by SNI- Don't let your sensitive environments connect all willy-nilly (or more formally, all William-Nilliam) to anything they want on the internet.
Last week I mentioned that you might want to enable TouchID to approve sudo requests on macOS. A couple of you pointed out that this setting gets wiped on OS updates, so having a script like this handy to reapply it will likely serve you well.
Cloudfox is a great collection of scripts stuffed into a framework and called a tool that empowers cloud penetration tests. Much like the industry, it biases heavily for AWS; take a look.

The Next AWS CMO: Corey Quinn

Corey Quinn — Wed, 21 Sep 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/2ve_Xmtx7_o

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

The Swole Architected Framework

Corey Quinn — Mon, 19 Sep 2022 03:00:00 -0700

AWS Morning Brief for the week of September 19th, 2022 with Corey Quinn.

Naming Things Accurately

Corey Quinn — Thu, 15 Sep 2022 03:00:00 -0700

Links:

Nick Frichette wrote an incredibly handy guide on the ordered steps to take to avoid CloudFront or DNS domain takeovers on AWS.
This handy walkthrough talks about how to configure something that shrieks its head off whenever someone logs into AWS via the root account.
The Center for Internet Security just released an update to the AWS version of their security benchmarks, and this approachable post goes through what's new.
Introducing message data protection for Amazon SNS - This is a bit hard to wrap my head around--then Scott Piper nailed it with "it's Macie for SNS and now I'm wondering what the point of me even is.
I've talked about Parliament before--it's an AWS IAM linting library. Version 1.6.0 just dropped.
I'll be in the DC area next week; come by Highline at 7PM and let me buy you a drink / swap stories if you're around.

Google Cloud Functions Is Surprisingly Delightful

Corey Quinn — Wed, 14 Sep 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/google-cloud-functions-is-surprisingly-delightful

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/lV-Q0EO63fo

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

AWS Deft Punk

Corey Quinn — Mon, 12 Sep 2022 03:00:00 -0700

AWS Morning Brief for the week of September 12, 2022 with Corey Quinn.

Mobile Authentication to AWS is Hard

Corey Quinn — Thu, 08 Sep 2022 03:00:00 -0700

Links:

1Password frankly got it wrong with their assertion that you shouldn't bother with MFA for 1Password itself.
Joe Frichette has a handy guide on the ordered steps to take to avoid CloudFront or DNS domain takeovers on AWS
Over 1,000 iOS apps found exposing hardcoded AWS credentials
Chris Farris has a great post covering how to handle Incident Response in AWS.
Announcing new AWS IAM Identity Center APIs to manage users and groups at scale
How to subscribe to the new Security Hub Announcements topic for Amazon SNS
This week's tool is an open source dingus that lets you use TouchID on supported Macs to authenticate sudo on macOS.

The Harrowing Search for the Elusive Technical Answer

Corey Quinn — Wed, 07 Sep 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-harrowing-search-for-the-elusive-technical-answer

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/mZDquxNO09s\\

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

26.5 AWS Regions

Corey Quinn — Tue, 06 Sep 2022 03:00:00 -0700

AWS Morning Brief for the week of September 5, 2022 with Corey Quinn.

The Spiritual Alignment of Cloud Economics

Corey Quinn — Thu, 01 Sep 2022 03:00:00 -0700

Links:

Last week LastPass reported (yet another) security issue, wherein their source code was stolen.
Finally: an honest recap of fwd:cloudsec and re:Inforce 2022 from someone who had the stomach to sit through the entirety of the latter.
The Register reports on a growing trend of using AWS resources to hide phishing attacks.
Expanded eligibility for the free MFA security key program
How to centralize findings and automate deletion for unused IAM roles
Identifying publicly accessible resources with Amazon VPC Network Access Analyzer
The tool of the week: popeye is a Kubernetes cluster resource sanitizer.

How Google Cloud and AWS Approach Customer Carbon Emissions

Corey Quinn — Wed, 31 Aug 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/how-google-cloud-and-aws-approach-customer-carbon-emissions

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/eyO1DqP9LhY

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

The Root Beer Conference

Corey Quinn — Mon, 29 Aug 2022 03:00:00 -0700

AWS Morning Brief for the week of August 29, 2022 with Corey Quinn.

Rumors All Atwitter

Corey Quinn — Thu, 25 Aug 2022 03:00:00 -0700

Links:

Fascinating allegations have come from Twitter's former CISO about an alleged trashfire approach to security intrinsic to their culture.
Microsoft employees exposed their own Azure credentials via GitHub
A fascinating discovery by the folks at Wiz
How to detect suspicious activity in your AWS account by using private decoy resources
Remember to opt out of AWS AI data usage.

Amazon SageMaker is Responsible for My Surprise Bill

Corey Quinn — Wed, 24 Aug 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/sagemaker_is_responsible_for_my_surprise_bill/

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/LCZjSZhRAjs

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

Low Tech Earthquake Detection

Corey Quinn — Mon, 22 Aug 2022 03:00:00 -0700

AWS Morning Brief for the week of August 22, 2022 with Corey Quinn.

Trivy-al Releases

Corey Quinn — Thu, 18 Aug 2022 03:00:00 -0700

Links:

Apparently there's been some dependency confusion in AWS CodeArtifact.
PlatformQ wins this week's S3 Bucket Negligence Award
Found an interesting article that suggests that ransomware in AWS isn't a purely theoretical concern.
Protocol interview with AWS CISO CJ Moses about his cloud security challenges.
AWS co-announces release of the Open Cybersecurity Schema Framework (OCSF) project
Trivy is a security scanner for vulnerabilities in container images, Git repositories, filesystems, and various bits of configuration.

An Unexpected Love Letter to Azure

Corey Quinn — Wed, 17 Aug 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/an_unexpected_love_letter_to_azure/

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/NIsF_NS1B0k

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Buy our merch

https://store.lastweekinaws.com

What's Corey up to?

AWS Private 5G v2

Corey Quinn — Mon, 15 Aug 2022 03:00:00 -0700

AWS Morning Brief for the week of August 15, 2022 with Corey Quinn.

Twilio's Insecure Text Message Issue

Corey Quinn — Thu, 11 Aug 2022 03:00:00 -0700

Links:

Twilio's disclosure of an Employee and Customer Account Compromise.
Update of AWS Security Reference Architecture is now available
As the linked tweet says: "If you check out the AWS docs on IAM policy parsing order there is a flowchart that shows you can get an Allow outcome before the boundary policy is evaluated."
IAM-Deescalate: is an open source tool to help users reduce the risk of privilege escalation.

Cadence Is Culture: Why Amazonians Need to Overload Us at re:Invent

Corey Quinn — Wed, 10 Aug 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/why_amazon_cant_end_the_release_tidal_wave/

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/eKMxBNF5N-k

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Very Tired Lambda Pricing

Corey Quinn — Mon, 08 Aug 2022 03:00:00 -0700

AWS Morning Brief for the week of August 8, 2022 with Corey Quinn.

Single Sign On, Multiple Names

Corey Quinn — Thu, 04 Aug 2022 03:00:00 -0700

Links:

35K GitHub repos had been compromised by malware. GitHub security issued a response within 24 hours showing what their findings indicate and clarifying the situation.
Scale your workforce access management with AWS IAM Identity Center (previously known as AWS SSO)
Welcoming the AWS Customer Incident Response Team - Surprisingly this doesn't require a paid support plan.
iamlive generates IAM policies from AWS calls via client-side monitoring

Are AWS account IDs sensitive information?

Corey Quinn — Wed, 03 Aug 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Crappy Clone of a Fast Database

Corey Quinn — Mon, 01 Aug 2022 03:00:00 -0700

AWS Morning Brief for the week of August 1, 2022 with Corey Quinn.

Never Gonna Shut Me Up

Corey Quinn — Thu, 28 Jul 2022 07:30:00 -0700

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/Q2Zpg5jQe-Q

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The Mental Breakdown of Auto-Remediation

Corey Quinn — Wed, 27 Jul 2022 07:30:00 -0700

Links:

The Nigerian government scores this week's S3 Bucket Negligence Award
New Air-Gap Attack Uses SATA Cable as an Antenna to Transfer Radio Signals
Automatically block suspicious DNS activity with Amazon GuardDuty and Route 53 Resolver DNS Firewall
Use Security Hub custom actions to remediate S3 resources based on Macie discovery results
There has been significant improvement to the AWS IAM documentation around IAM best practices.
Artillery lets you use Lambdas for open source load testing.

New Cloudscape Cloudscrapes

Corey Quinn — Mon, 25 Jul 2022 03:00:00 -0700

AWS Morning Brief for the week of July 25, 2022 with Corey Quinn.

AWS's Disclosure Improvements

Corey Quinn — Thu, 21 Jul 2022 03:00:00 -0700

Links:

Things I wish I knew about AWS WAF - Bot Control
How to Protect Your Data from Ransomware with S3 Object Lock
It seems that Experian has learned nothing from its string of data breaches
The Makati city government is the winner of this week's S3 Bucket Negligence award.
A quick overview of AWS principals, identity-based policies, and resource-based policies.
Eligible customers can now order a free MFA security key
Reported EKS IAM Authenticator Issue
I found a handy script that someone beat together that makes it easy as pie to use AWS Roles Anywhere.

Azure's Security Vulnerabilities are Out of Control

Corey Quinn — Wed, 20 Jul 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/azures_vulnerabilities_are_quack

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/5iTxtBnCPys

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Immortal AWS Accounts, the Methuselah Pattern

Corey Quinn — Mon, 18 Jul 2022 03:00:00 -0700

AWS Morning Brief for the week of July 18th, 2022 with Corey Quinn.

AWS Bakery: Rolls Everywhere

Corey Quinn — Thu, 14 Jul 2022 03:00:00 -0700

Links:

My article on the dangers of chatbots led someone to share this concern-affirming tale.
Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere
How to tune TLS for hybrid post-quantum cryptography with Kyber
hasIAMfailedopenyet.com is a site that triggers a Lambda function on every invocation that attempts to access something it cannot.

My Security Posture

Corey Quinn — Wed, 13 Jul 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/coreys-security-posture-2022

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/dHDY69hIvvk

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

How I Spent My Summer Vacation and College Tuition

Corey Quinn — Mon, 11 Jul 2022 03:00:00 -0700

AWS Morning Brief for the week of July 11, 2022 with Corey Quinn.

Azure Insecurity Templates

Corey Quinn — Thu, 07 Jul 2022 03:00:00 -0700

Links:

The most recently reported Azure vulnerability
Amazon Photos exposes customers to risk
I (re)discovered Scott Piper's work on Lesser Known Techniques for Attacking AWS Environments.
PyPi python packages get caught sending stolen AWS keys to unsecured sites.
TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints
GuardDuty has new findings
CloudFormation Guard had a new release.

The ChatOps Issue That No One's Chatting About

Corey Quinn — Wed, 06 Jul 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link:

https://www.lastweekinaws.com/blog/the-chatops-issue-no-ones-chatting-about

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/eBKZ71OLjG8

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Mr. Selipsky's Geography Class

Corey Quinn — Tue, 05 Jul 2022 03:00:00 -0700

AWS Morning Brief for the week of July 4th, 2022 with Corey Quinn.

Enter Your Passwordle

Corey Quinn — Thu, 30 Jun 2022 03:00:00 -0700

Links:

Azure has another security issue around its Synapse offering; this one was discovered by Tenable.
Sysdig has a dive into the real threats to SSH on EC2.
Tailscale has announced the ability to support Tailscale SSH.
Chris Farris has a treatise on the The Philosphy of Prevention when it comes to cloud security.
Google Cloud CISO Phil Venables asks whether security analogies are counterproductive.
A security issue of sorts was discovered around sts:GetSessionToken Role Chaining in AWS
The person responsible for the giant Capital One hack that took advantage of a series of small AWS misconfigurations has been convicted.
Rogue GitHub apps could have hijacked countless repos for a week or two earlier this year.
Wickr for Government achieves FedRAMP Ready designation
It takes an open source project like trackiam to collate IAM actions, AWS APIs, and managed policies from all over the place
Passwordle lets you guess commonly used passwords.

9 Ways AWS Made Me Headdesk When Using The CDK

Corey Quinn — Wed, 29 Jun 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/9-ways-aws-cdk-headdesk

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/3Mf3_l6iEtA

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Concerning Your DeepRacer's Extended Warranty

Corey Quinn — Mon, 27 Jun 2022 03:00:00 -0700

AWS Morning Brief for the week of June 27, 2022 with Corey Quinn.

Bugcrowd Bugs the Crowd

Corey Quinn — Thu, 23 Jun 2022 03:00:00 -0700

Links:

Travis CI continues to be a security nightmare.
Implementing IAM Permission Boundaries with AWS SSO using Terraform
A user reported a vulnerability to a company through Bugcrowd. The writeup is really worth reviewing.
The RSA conference was apparently a super spreader event.
Because nobody beats the Wiz, they've got a post up on the secret agents installed by cloud service providers.
Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3
Service Notice – Upcoming changes required for AWS Config | AWS Cloud Operations & Migrations Blog
Here's a list of best practices for writing Docker images that don't make you regret running them in production environments.

Should I Take a Job at AWS?

Corey Quinn — Wed, 22 Jun 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/should-you-take-a-job-at-aws/

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/BCiUulzr9f8

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Add a Mantium

Corey Quinn — Tue, 21 Jun 2022 03:00:00 -0700

AWS Morning Brief for the week of June 20, 2022 with Corey Quinn.

Kubernetes Firewalln't

Corey Quinn — Thu, 16 Jun 2022 03:00:00 -0700

Links:

re:Invent Keynote 2026: Analysis

Corey Quinn — Wed, 15 Jun 2022 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link:

https://www.lastweekinaws.com/blog/reinvent-keynote-incident/

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/NGvLMsf4Wg8

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

Cars 4, featuring "Pixar Tractor on AWS”

Corey Quinn — Mon, 13 Jun 2022 03:00:00 -0700

AWS Morning Brief for the week of June 13, 2022 with Corey Quinn.

Azure's Nightmare Year

Corey Quinn — Thu, 09 Jun 2022 03:00:00 -0700

Links:

The Strange, Too Familiar Tale of Uncle Suitcase

Corey Quinn — Wed, 08 Jun 2022 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-strange-too-familiar-tale-of-uncle-suitcase/

Want to watch the full dramatic reenactment of this podcast? Watch the YouTube Video here: https://youtu.be/x70EypnAH1Y

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Googling the AWS CDK V1

Corey Quinn — Mon, 06 Jun 2022 03:00:00 -0700

AWS Morning Brief for the week of June 6, 2022, with Corey Quinn.

RSA Prelude

Corey Quinn — Thu, 02 Jun 2022 03:00:00 -0700

Links:

The Aurora Serverless Road Not Taken

Corey Quinn — Wed, 01 Jun 2022 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-aurora-serverless-road-not-taken/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon Basics NXP Chips from Annapurna Labs

Corey Quinn — Mon, 30 May 2022 03:00:00 -0700

AWS Morning Brief for the week of May 30, 2022 with Corey Quinn.

Security Model Citizen Development

Corey Quinn — Thu, 26 May 2022 03:00:00 -0700

Links:

Google Cloud Build deep dive
Andrea Brancaleoni found an ELB header security issue
An article on You Can't Opt Out of Citizen Development
DOJ Announces It Won’t Prosecute White Hat Security Researchers
Choosing the right certificate revocation method in ACM Private CA
a somewhat... controversial AWS Security Maturity Model
AWS API calls that return credentials on GitHub

An AWS Free Tier Bill Shock: Your Next Steps

Corey Quinn — Wed, 25 May 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/an-aws-free-tier-bill-shock-your-next-steps

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon's Original Risk Store

Corey Quinn — Mon, 23 May 2022 03:00:00 -0700

AWS Morning Brief for the week of May 23, 2022 with Corey Quinn.

F5 Exploit the Exact Opposite of Refreshing

Corey Quinn — Thu, 19 May 2022 03:00:00 -0700

Links:

"Hacking the Cloud" is a community-built encyclopedia
npm dependency confusion attack.
Windows Event Logs
F5 appliance (software or hardware) full remote code execution with privileged access
Wiz has a blog post up about securing AWS Lambda function URLs
Build a strong identity foundation that uses your existing on-premises Active Directory
How to use new Amazon GuardDuty EKS Protection findings
Poro (an open source project) scans for publicly accessible assets in your AWS environment

Fixing the AWS Free Tier is No Longer Optional

Corey Quinn — Wed, 18 May 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/an-aws-free-tier-bill-shock-your-next-steps/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon Data Fencing

Corey Quinn — Mon, 16 May 2022 03:00:00 -0700

AWS Morning Brief for the week of May 16, 2022 with Corey Quinn.

Suddenly Nobody Wants to Build Heroku

Corey Quinn — Thu, 12 May 2022 03:00:00 -0700

Links:

S3 Bucket Negligence Award
Mandoogle on how AWS's instance metadata service can be abused by attackers
Heroku apparently had its entire database breached last week
Wiz Research discovered a new vulnerability in Azure’s PostgreSQL Flexible Server service.
AWS deleted packages they'd pushed to public repositories
A guide to Cloud Security Orienteering

AWS's Deprecation Policy Is Like a Platypus

Corey Quinn — Wed, 11 May 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/aws-s-deprecation-policy-is-like-a-platypus

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS WindWanker

Corey Quinn — Mon, 09 May 2022 03:00:00 -0700

AWS Morning Brief for the week of May 9, 2022 with Corey Quinn.

Serverlessly Get Your CloudGoat

Corey Quinn — Thu, 05 May 2022 03:00:00 -0700

Links:

SELinux is unmanageable; just turn it off if it gets in your way
AWS welcomes new Trans-Atlantic Data Privacy Framework
How to control access to AWS resources based on AWS account, OU, or organization
AWS has an article that explains what the confused deputy problem
The CloudGoat pentest training tool now supports Lambda

How to Win in Cloud

Corey Quinn — Wed, 04 May 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/how-to-win-in-cloud

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon CloudWatch for Sharon

Corey Quinn — Mon, 02 May 2022 08:23:39 -0700

AWS Morning Brief for the week of May 2, 2022 with Corey Quinn.

AWS Starts the Security Communication Improvement Slog

Corey Quinn — Thu, 28 Apr 2022 03:00:00 -0700

Links:

AWS's Open Source Problem

Corey Quinn — Wed, 27 Apr 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/aws-s-open-source-problem

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS GoForIt (With Expedia Group Compatibility)

Corey Quinn — Mon, 25 Apr 2022 03:00:00 -0700

AWS Morning Brief for the week of April 25, 2022 with Corey Quinn.

gimme-aws-creds, Possibly Okta's AWS Creds

Corey Quinn — Thu, 21 Apr 2022 03:00:00 -0700

Corey’s livetweet: https://twitter.com/quinnypig
Eric Hammond’s old article: https://alestic.com/2014/09/aws-root-password/
Lightspin found a vulnerability: https://blog.lightspin.io/aws-rds-critical-security-vulnerability
Expel’s incident report: https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
Rhino Security Labs found a CVE in the AWS VPN Client: https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/
DarkReading’s profile of AJ Yawn: https://www.darkreading.com/edge-articles/bytechek-founder-aj-yawn-brings-discipline-to-everything-he-does
NotGitBleed: https://www.notgitbleed.com/
AWS Security Bulletins:
https://aws.amazon.com/security/security-bulletins/AWS-2022-005/
https://aws.amazon.com/security/security-bulletins/AWS-2022-004/
gimme-aws-creds: https://github.com/Nike-Inc/gimme-aws-creds
Chamber: https://github.com/segmentio/chamber
#lastweekinaws slack channel: https://og-aws-slack.lexikon.io/

Shitposting as a Learning Style

Corey Quinn — Wed, 20 Apr 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/shitposting-as-a-learning-style

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon's Competitive Advantage

Corey Quinn — Mon, 18 Apr 2022 03:00:00 -0700

AWS Morning Brief for the week of April 18, 2022 with Corey Quinn.

Denonia Denials

Corey Quinn — Thu, 14 Apr 2022 03:00:00 -0700

Links:

CashMama gets the S3 Bucket Negligence Award
MailChimp’s cryptocurrency clients' mailing-list info stolen
Denonia, the first Lambda-specific malware
AWS IAM Access Analyzer

Taking AWS Account Logins For Granted

Corey Quinn — Wed, 13 Apr 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/taking-aws-account-logins-for-granted

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Requiem for a Weasel

Corey Quinn — Mon, 11 Apr 2022 03:00:00 -0700

AWS Morning Brief for the week of April 11, 2022 with Corey Quinn.

Okta and Ubiquiti Duel For Negative Attention

Corey Quinn — Thu, 07 Apr 2022 03:00:00 -0700

Links Referenced:

Okta’s CEO: https://www.bloomberg.com/news/articles/2022-04-04/okta-ceo-says-breach-is-big-deal-aims-to-restore-trust
taken a job as a Distinguished Engineer VP at AWS: https://www.linkedin.com/feed/update/urn:li:activity:6914280317675614208/
Ubiquiti has sued Brian Krebs for defamation: https://www.theregister.com/2022/03/30/ubiquiti_brian_krebs/
“Best practices: Securing your Amazon Location Service resources”: https://aws.amazon.com/blogs/security/best-practices-securing-your-amazon-location-service-resources/
Access Undenied: https://github.com/ermetic/access-undenied-aws
aws-keys-sectool: https://github.com/toshke/aws-keys-sectool

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: Today’s episode is brought to you in part by our friends at MinIO the high-performance Kubernetes native object store that’s built for the multi-cloud, creating a consistent data storage layer for your public cloud instances, your private cloud instances, and even your edge instances, depending upon what the heck you’re defining those as, which depends probably on where you work. It’s getting that unified is one of the greatest challenges facing developers and architects today. It requires S3 compatibility, enterprise-grade security and resiliency, the speed to run any workload, and the footprint to run anywhere, and that’s exactly what MinIO offers. With superb read speeds in excess of 360 gigs and 100 megabyte binary that doesn’t eat all the data you’ve gotten on the system, it’s exactly what you’ve been looking for. Check it out today at min.io/download, and see for yourself. That’s min.io/download, and be sure to tell them that I sent you.

Corey: A somehow quiet week as we all grapple with the recent string of security failures from, well, take your pick really.

A bit late but better than never, Okta’s CEO admits the LAPSUS$ hack has damaged trust in the company. The video interview is surprisingly good in parts, but he ruins the, “Third-party this, third-party that, no—it was our responsibility, and our failure” statement by then saying that they no longer do business with Sitel—the third-party who was responsible for part of this breach. Crisis comms is really something to figure out in advance of a crisis, so you don’t get in your own way.

Paul Vixie, creator of a few odds and ends such as DNS, has taken a job as a Distinguished Engineer VP at AWS and I look forward to misusing more of his work as databases. He’s apparently in the security org which is why I’m talking about today and not Monday.

And of course, as I’ve been ranting about in yesterday’s newsletter and on Twitter, Ubiquiti has sued Brian Krebs for defamation. Frankly they come off as far, far worse for this than they did at the start. My position has shifted from one of sympathy to, “Well, time to figure out who sells a 10Gbps switch that isn’t them.”

Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.

AWS had an interesting post: “Best practices: Securing your Amazon Location Service resources”. AWS makes a good point here. It hadn’t occurred to me that you’d need to treat location data particularly specially, but of course you do. The entire premise of the internet falls apart if it suddenly gets easier to punch someone in the face for something they said on Twitter.

And two tools of note this week for you. Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable fixes. And aws-keys-sectool does something obvious in hindsight: Making sure that any long-lived credentials on your machine are access restricted to your own IP address. Check it out. And that’s what happened last week in AWS security. Continue to make good choices because it seems very few others are these days.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.

Ubiquiti Teaches AWS Security and Crisis Comms Via Counterexample

Corey Quinn — Wed, 06 Apr 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/ubiquiti-teaches-aws-security-and-crisis-comms-via-counterexample

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

I Am Not Responsible For the Content or Accuracy of This Podcast

Corey Quinn — Mon, 04 Apr 2022 03:00:00 -0700

AWS Morning Brief for the week of April 4, 2022 with Corey Quinn.

The Perils of Bad Corporate Comms

Corey Quinn — Thu, 31 Mar 2022 03:00:00 -0700

Links:

Their investigation of the January 2022 Okta compromise: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/
You know it’s a legit AWS email because the instructions are very bad: https://Twitter.com/0xdabbad00/status/1506258309715673089
sabotaged their own package: https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
“AWS IAM Demystified”: https://www.daan.fyi/writings/iam
from a third-party: https://www.opsmorph.com/Blog/usergroupspoofing
“Generate logon messages for security and compliance in Amazon WorkSpaces.”: https://aws.amazon.com/blogs/desktop-and-application-streaming/generate-logon-messages-for-security-and-compliance-in-amazon-windows-workspaces/
“Ransomware mitigation: Using Amazon WorkDocs to protect end-user data”: https://aws.amazon.com/blogs/security/ransomware-mitigation-using-amazon-workdocs-to-protect-end-user-data/
“CVE-2022-0778 awareness”: https://aws.amazon.com/security/security-bulletins/AWS-2022-003/
ElectricEye: https://github.com/jonrau1/ElectricEye

Transcript

Corey: Today’s episode is brought to you in part by our friends at MinIO the high-performance Kubernetes native object store that’s built for the multi-cloud, creating a consistent data storage layer for your public cloud instances, your private cloud instances, and even your edge instances, depending upon what the heck you’re defining those as, which depends probably on where you work. It’s getting that unified is one of the greatest challenges facing developers and architects today. It requires S3 compatibility, enterprise-grade security and resiliency, the speed to run any workload, and the footprint to run anywhere, and that’s exactly what MinIO offers. With superb read speeds in excess of 360 gigs and 100-megabyte binary that doesn’t eat all the data you’ve gotten on the system, it’s exactly what you’ve been looking for. Check it out today at min.io/download, and see for yourself. That’s min.io/download, and be sure to tell them that I sent you.

Corey: The Okta breach continues to reverberate. As of this recording, the real damage remains the lack of clear, concise, and upfront communication about this. It’s become very clear that had the Lapsus$ folks not gone public about the breach, Okta certainly never would have either.

Now, from the community. Let’s see what they had to say. Cloudflare has posted the results of their investigation of the January 2022 Okta compromise to their blog post and I have a few things I want to say about it.

First, I love that they do this. I would be a bit annoyed at them taking digs at other companies except for the part where they’re at least as rigorous in investigations that they post about their own security and uptime challenges. Secondly, they’ve been levelheaded and remarkably clear in their communication around the issue which only really affects them as an Okta customer. Okta themselves have issued a baffling series of contradicting claims. Regardless of the truth of what happened from a security point of view, the lack of ability to quickly and clearly articulate the situation means that Okta is now under a microscope for folks who care about security—which basically rounds to every last one of their customers.

Now, I generally don’t talk too much about tweets because this is Twitter revisited as a general rule, but Scott Piper had an issue about trying to keep his flaws.cloud thing open, and he got an account being closed down notice from AWS. And a phrase he used that I loved was, “You know it’s a legit AWS email because the instructions are very bad.”

I really can’t stress enough that while clear communication is always a virtue, circumstances involving InfoSec, fraud, account closures, and similar should all be ones in which particular care is taken to exactly what you say and how you say it.

An NPM package maintainer sabotaged their own package to protest the war in Ukraine, which is a less legitimate form of protest than many others. There’s never been a better time to make sure you’re pinning dependencies in your various projects.

It’s always worth reading an article titled “AWS IAM Demystified” because it’s mystifying unless you’re one of a very small number of people. I learned new things myself by doing that and you probably will too.

And oof. A while back Cognito User Groups apparently didn’t have delimiter detection
working quite right. As a result, you could potentially get access to groups you weren’t supposed to be part of. While AWS did update some of their documentation and fix the problem, it’s a security issue without provable customer impact, so of course, we’re learning about it from a third-party: Opsmorph in this case. Good find.

Corey: Now, from the mouth of the AWS horse itself, “Generate logon messages for security and compliance in Amazon WorkSpaces.” for compliance, sure. For security, can you name a single security benefit to having a logon message greet users? “It reminds them that—” Yeah, yeah, nobody reads the popup ever again after the first...

S3 Is Not a Backup

Corey Quinn — Wed, 30 Mar 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/s3-is-not-a-backup

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Speaking to the Dead with Amazon Chime

Corey Quinn — Mon, 28 Mar 2022 03:00:00 -0700

AWS Morning Brief for the week of March 28, 2022 with Corey Quinn.

Is Okta Gone?

Corey Quinn — Thu, 24 Mar 2022 03:00:00 -0700

Links Referenced:

quietly updated the re:Inforce site: https://reinforce.awsevents.com
remains disturbingly murky: https://www.theverge.com/2022/3/22/22990637/okta-breach-single-sign-on-lapsus-hacker-group
far greater detail: https://kloudle.com/blog/aws-rds-does-not-force-clients-to-connect-using-a-secure-transport-layer
AWS Lambda announces support for PrincipalOrgID in resource-based policies: https://aws.amazon.com/about-aws/whats-new/2022/03/aws-lambda-principalorgid-resource-policies/
Automated Incident Response and Forensics Framework: https://github.com/awslabs/aws-automated-incident-response-and-forensics
CI/CDon’t: https://hackingthe.cloud/aws/capture_the_flag/cicdont/

Transcript

Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig is the solution for securing DevOps. They have a blog post that went up recently about how an insecure AWS Lambda function could be used as a pivot point to get access into your environment. They’ve also gone deep in-depth with a bunch of other approaches to how DevOps and security are inextricably linked. To learn more, visit sysdig.com and tell them I sent you. That’s S-Y-S-D-I-G dot com. My thanks to them for their continued support of this ridiculous nonsense.

Corey: Last week AWS quietly updated the re:Inforce site to reflect that instead of Houston, their security conference, held ideally annually, would be taking place this July in Boston. Given that Texas’s leadership has been doing what appears to be its level best to ensure that respectable businesses don’t want to do business there, this is an incredible logistical, and frankly moral, feat that AWS has pulled off.

Corey: That’s the good news. The bad news of course is as this issue went to print, the news coming out of Okta about a breach remains disturbingly murky. I’m trying here to provide the best take rather than the first take, so I really hope someone’s going to have better data for me by next week. Oof. Condolences to everyone who is affected.

Yeah, other than that, from the security community, a while back I had a bit of a conniption fit about how RDS doesn’t mandate SSL/TLS connections. For a company whose CTO’s tagline and t-shirt both read “Encrypt Everything” this strikes me as… discordant. A blog post I stumbled over goes into far greater detail about what exactly is requiring encryption and what isn’t. Make sure your stuff is being secure when you think it is, is the takeaway here. Verify these things or other people will be thrilled to do so for you, but you won’t like it very much.

Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured, and fully managed with built-in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price-performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: Make your data sing.

Corey: AWS had one notable security announcement that didn’t come from their security blog. AWS Lambda announces support for PrincipalOrgID in resource-based policies. Now, that’s a fancy way to say, “All of the resources within my AWS organization can talk to this Lambda Function,” which in common parlance is generally historically expressed as just granting access to the world and hoping people don’t stumble across it. I like this new way significantly more; you should too.

And from the world of tools, I found two of interest. Hopefully, folks aren’t going to need this, but AWS Labs has an Automated Incident Response and Forensics Framework that helps you not do completely wrong things in the midst of a security incident. It’s worth reviewing if for no other reason than the discussions it’s likely to spark. Because security has always been more about people than tools. Occasionally it’s about people who are tools, but that’s just uncharitable, so let’s be kinder.

This CI/CDon’t tool is awesome; it intentionally deploys vulnerable software or infrastructure to your AWS account so you can practice exploiting it. I’m a sucker for scenario-based learning tools like this one, so I have a sneaking suspicion maybe some of you might be, too. And that’s what happened last week in AWS security. Thank you for listening. I’m Cloud Economist Corey Quinn. Ugh, this week is almost
over.

Announcer: This has been a HumblePod production. Stay humble.

Google Cloud Alters the Deal

Corey Quinn — Wed, 23 Mar 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/google-cloud-alters-the-deal

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Conducting the AWS Billing Train

Corey Quinn — Mon, 21 Mar 2022 03:00:00 -0700

AWS Morning Brief for the week of March 21, 2022 with Corey Quinn.

The Surprise Mandoogle

Corey Quinn — Thu, 17 Mar 2022 03:00:00 -0700

Links:

Links Referenced:
Couchbase Capella: https://couchbase.com/screaminginthecloud
couchbase.com/screaminginthecloud: https://couchbase.com/screaminginthecloud
blog post: https://awsteele.com/blog/2022/02/03/aws-vpc-data-exfiltration-using-codebuild.html
AutoWarp: https://orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability/
“Google Announces Intent to Acquire Mandiant”: https://www.googlecloudpresscorner.com/2022-03-08-mgc
password table: https://www.hivesystems.io/blog/are-your-passwords-in-the-green
New Relic: http://newrelic.com
newrelic.com/morningbrief: http://newrelic.com/morningbrief
newrelic.com/morningbrief: http://newrelic.com/morningbrief
DirtyPipe: https://www.theregister.com/2022/03/08/in_brief_security/
“Manage AWS resources in your Slack channels with AWS Chatbot”: https://aws.amazon.com/blogs/mt/manage-aws-resources-in-your-slack-channels-with-aws-chatbot/
“How to set up federated single-sign-on to AWS using Google Workspace”: https://aws.amazon.com/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-workspace/
Cloudsaga: https://github.com/awslabs/aws-cloudsaga
lastweekinaws.com: https://lastweekinaws.com

Transcript

Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured, and fully managed with built-in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: Make your data sing.

Hello and welcome to Last Week in AWS Security. A lot has happened; let’s tear into it.

So, there was a “Sort of yes, sort of no” security issue with CodeBuild that I’ve talked about previously. The blog post I referenced has, in fact, been updated. AWS has stated that, “We have updated the CodeBuild service to block all outbound network access for newly created CodeBuild projects which contain a customer-defined VPC configuration,” which indeed closes the gap. I love happy endings.

On the other side, oof. Orca Security found a particularly nasty Azure breach called AutoWarp. You effectively could get credentials for other tenants by simply asking a high port on localhost for them via curl or netcat. This is bad enough; I’m dreading the AWS equivalent breach in another four months of them stonewalling a security researcher if the previous round of their nonsense silence about security patterns is any indicator.

“Google Announces Intent to Acquire Mandiant”. This is a big deal. Mandiant has been a notable center of excellent cybersecurity talent for a long time. Congratulations or condolences to any Mandoogles in the audience. Please let me know how the transition goes for you.

Hive Systems has updated its password table for 2022, which is just a graphic that shows how long passwords of various levels of length and complexity would take to break on modern systems. The takeaway here is to use long passwords and use a password manager.

Corey: You know the drill: You’re just barely falling asleep and you’re jolted awake by an emergency page. That’s right, it’s your night on call, and this is the bad kind of Call of Duty. The good news is, is that you’ve got New Relic, so you can quickly run down the incident checklist and find the problem. You have an errors inbox that tells you that Lambdas are good, RUM is good, but something’s up in APM. So, you click the error and find the deployment marker where it all began. Dig deeper, there’s another set of errors. What is it? Of course, it’s Kubernetes, starting after an update. You ask that team to roll back and bam, problem solved. That’s the value of combining 16 different monitoring products into a single platform: You can pinpoint issues down to the line of code quickly. That’s why the Dev and Ops teams at DoorDash, GitHub, Epic Games, and more than 14,000 other companies use New Relic. The next late-night call is just waiting to happen, so get New Relic before it starts. And you can get access to the whole New Relic platform at 100 gigabytes of data free, forever, with no credit card. Visit newrelic.com/morningbrief that’s newrelic.com/morningbrief.

And of course, another week, another terrifying security concern. This one is called DirtyPipe. It’s in the Linux kernel, and the name is evocative of something you’d expect to see demoed onstage at re:Invent.

Now, what did AWS have to say? Two things. The first is “Manage AWS resources in your Slack channels with AWS Chatbot”. A helpful reminder that it’s important to restrict access to your AWS production environment down to just the folks at your company who need access to it. Oh, and to whomever can access your Slack workspace who works over at Slack, apparently. We don’t talk about that one very much, now do we?

And the second was, “How to set up federated single-sign-on to AWS using Google Workspace”. This is super-aligned with what I want to do, but something about the way that it’s described makes it sounds mind-numbingly complicated. This isn’t a problem that’s specif...

My Mental Model of AWS Regions

Corey Quinn — Wed, 16 Mar 2022 07:30:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/my-mental-model-of-aws-regions

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The 20-for-1 AWS Container Services Split

Corey Quinn — Mon, 14 Mar 2022 03:00:00 -0700

AWS Morning Brief for the week of March 14, 2022 with Corey Quinn.

Collecting Evidence for the Prosecution

Corey Quinn — Thu, 10 Mar 2022 03:00:00 -0800

Links:

The Register:https://www.theregister.com/2022/02/28/tech_response_to_ukraine/
“WTF is Cloud Native Data Security?”:https://blog.container-solutions.com/wtf-is-cloud-native-data-security
Imdsv2 wall of shame:https://github.com/SummitRoute/imdsv2_wall_of_shame/blob/main/README.md
“Piercing the Cloud Armor”:https://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-waf
Via a third-party:https://www.theregister.com/2022/03/03/amazon_alexa_speaker_vuln/
“Streamlining evidence collection with AWS Audit Manager”:https://aws.amazon.com/blogs/security/streamlining-evidence-collection-with-aws-audit-manager/
Security assessment solution:https://github.com/awslabs/aws-security-assessment-solution
Domain Protect:https://github.com/ovotech/domain-protect

Transcript

Corey: Well, oops. Last week in the newsletter version of this podcast I used the wrong description for a link. On the plus side, I do find myself wondering if anyone hunts down the things I talk about on this podcast and the newsletter I send out, and now I know an awful lot of you do. And you have opinions about the correctness of my links. The actual tech company roundup that I linked to last week was, in fact, not an AWS blog post about QuickSight community—two words that are an oxymoron if ever two were—but instead a roundup in The Register. My apologies for the oversight. Now, let’s dive into what happened last week in the wide world of AWS security.

In my darker moments, I find myself asking a very blunt question: “WTF is Cloud Native Data Security?” I confess it never occurred to me to title a blog post with that question, and this article I found with that exact title is in fact one of the better ones I’ve read in recent days. Check it out if the subject matter appeals to you even slightly because you’re in for a treat. There’s a lot to unpack here.

Scott Piper has made good on his threat to publish a imdsv2 wall of shame. So far, two companies have been removed from the list for improving their products’ security posture—I know, it’s never happened before—but this is why we care about these things. It’s not to make fun of folks; it’s to make this industry better than it was.

A while back I talked about various cloud WAFs—most notably AWS’s—having a fun and in-hindsight-obvious flaw of anything above 8KB just sort of dances through the protective layer. Well, even Google and its, frankly, impressive security apparatus isn’t immune. There’s an article called “Piercing the Cloud Armor” that goes into it. This stuff is hard, but honestly, this is kind of a recurring problem. I’m sort of wondering, “Well, what if we make the packet bigger?” Wasn’t that the whole problem with the Ping of Death, back in the ’80s? Why is that still a thing now?

And of course, a now patched vulnerability in Amazon Alexa meant that the speaker could activate itself. Because it’s a security problem with an Amazon product that I’ve paid for, I of course learn about this via a third-party talking about it. Man, my perspective on Amazon’s security messaging as a whole has gone from glowing to in the toilet remarkably quickly this year. And it’s their own damn fault.

Now, AWS had a single post of note here called “Streamlining evidence collection with AWS Audit Manager”. This post slash quote-unquote “Solution” highlights a concern that’s often overlooked by security folks. It very innocently talks about collecting evidence for an audit, which is perfectly reasonable.

You need evidence that your audit controls are being complied with. Now, picture someone walking past a room where you’re talking about this, and all they hear is “Evidence collection.” Maybe they’re going to feel like there’s more going on here than an audit. Perhaps they’re going to let their guilty conscience—and I assure you, everyone has one—run wild with fears that whatever imagined transgression they’ve committed has been discovered? Remember the human.

And of course, I found two tools in open-source universe that might be of interest to folks. The first: AWS has open-sourced a security assessment solution to use Prowler and ScoutSuite that scan your environment. It’s handy, but I’m having a hell of a hard time reconciling its self-described ‘inexpensive’ with ‘it deploys a Managed NAT gateway.’

And Domain Protect—an open-source project with a surprisingly durable user interface—scans dangling DNS entries to validate that you’re not, y’know, leaving a domain of yours open to exploit. You’re going to want to pay attention to this vector, but we haven’t for 15 years, so why would we start now? And that’s what happened last week in the w...

Handling Secrets with AWS

Corey Quinn — Wed, 09 Mar 2022 07:30:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/handling-secrets-with-aws

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Unnamed Podcast That Informs and Snarks about AWS News

Corey Quinn — Mon, 07 Mar 2022 03:00:00 -0800

AWS Morning Brief for the week of March 7, 2022 with Corey Quinn.

Corporate Solidarity

Corey Quinn — Thu, 03 Mar 2022 03:00:00 -0800

Links:

Transcript

Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured, and fully managed with built-in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: Make your data sing.

Corey: We begin with a yikes because suddenly the world is aflame and of course there are cybersecurity considerations to that. I’m
going to have more on that to come in future weeks because my goal with this podcast is to have considered takes, not the rapid-response, alarmist, the-world-is-ending ones. There are lots of other places to find those. So, more to come on that.

In happier news, your favorite Cloud Economist was quoted in the Wall Street Journal last week, talking about how staggering Microsoft’s security surface really is. And credit where due, it’s hard to imagine a better person for the role than Charlie Bell. He’s going to either fix a number of systemic problems at Azure or else carve his resignation letter into Satya Nadella’s door with an axe. I really have a hard time envisioning a third outcome.

A relatively light week aside from that. The Register has a decent roundup of how various companies are responding to Russia’s invasion of a sovereign country. Honestly, the solidarity among those companies is kind of breathtaking. I didn’t have that on my bingo card for the year.

Corey: If you expose 200GB of data it’s bad. If that data belongs to customers, it’s worse. If a lot of those customers are themselves children, it’s awful. But if you ignore reports about the issue, leave the bucket open, and only secure it after your government investigates you for ignoring it under the GDPR, you are this week’s S3 Bucket Negligence Awardwinner and should probably be fired immediately.

AWS had a single announcement of note last week. “Fine-tune and optimize AWS WAF Bot Control mitigation capability”, and it’s super important because, with WAF and Bot Control, the failure mode in one direction of a service like this is that bots overwhelm your site. The failure mode in the other direction is that you start blocking legitimate traffic. And the worst failure mode is that both of these happen at the same time.

And a new tool I’m kicking the tires on, Granted. It’s apparently another way of logging into a bunch of different AWS accounts, so it’s time for me to kick the tires on that because I consistently have problems with that exact thing. And that’s what happened last week in AWS security which, let’s be clear, is not the most important area of the world to be focusing on right now. Thanks for listening; I’ll talk to you next week.

Announcer: This has been a HumblePod production. Stay humble.

Status Paging You

Corey Quinn — Wed, 02 Mar 2022 07:30:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/status-paging-you

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Your AWS S3 Bill is Backup

Corey Quinn — Mon, 28 Feb 2022 03:00:00 -0800

AWS Morning Brief for the week of February 28, 2022 with Corey Quinn.

Security Developer Experience and Security

Corey Quinn — Thu, 24 Feb 2022 03:00:00 -0800

Links:

“Developer Experience is Security”: https://redmonk.com/rstephens/2022/02/17/devex-is-security/
Cleansing their network of ransomware: https://www.espn.com/nfl/story/_/id/33283115/san-francisco-49ers-network-hit-gang-ransomware-attack-team-notifies-law-enforcement
“Control access to Amazon Elastic Container Service resources by using ABAC policies”: https://aws.amazon.com/blogs/security/control-access-to-amazon-elastic-container-service-resources-by-using-abac-policies/
“Introducing s2n-quic—‘sin-i-quick?’ ‘sin-two-quick?’ Yeah—a new open-source QUIC protocol implementation in Rust”: https://aws.amazon.com/blogs/security/introducing-s2n-quic-open-source-protocol-rust/
“Top 2021 AWS Security service launches security professionals should review–Part 1”: https://aws.amazon.com/blogs/security/top-2021-aws-security-service-launches-part-1/
Ghostbuster: https://blog.assetnote.io/2022/02/13/dangling-eips/

Transcript

Corey: Somehow a week without an S3 Bucket Negligence Award to pass out for anyone. I really hope I’m not tempting fate by pointing that out, but good work, everyone.

So, from the community. Redmonk’s Rachel Stephens once again hits the nail on the head with her post, “Developer Experience is Security”. I don’t believe it’s a coincidence that for a while now I’ve thought that Google Cloud offers not only the best developer experience of the hyperscale clouds but also the best security. I didn’t come to that conclusion lightly.

Also, now that the professional football season is over, the San Francisco 49ers eagerly turn to their off-season task of cleansing their network of ransomware. Ouch. Not generally a great thing when you find that your organization has been compromised and you can’t access any of your data.

Now, AWS had a couple of interesting things out there. “Control access to Amazon Elastic Container Service resources by using ABAC policies”. I was honestly expecting there to be a lot more stories by now of improper tagging being used to gain access via ABAC. The problem here is that for the longest time tagging was at best a billing metadata construct; it made sense to have everything be able to tag itself. Suddenly, with the advent of attribute-based access control, anything that can tag resources now becomes a security challenge.

“Introducing s2n-quic—‘sin-i-quick?’ ‘sin-two-quick?’ Yeah—a new open-source QUIC protocol implementation in Rust”. Now, with a name like that, you know it came out of AWS. This is a bit in the weeds for most of us, but the overall lesson to take from the release-slash-announcement is, “Don’t roll your own cryptographic implementation,” with the obvious exception case of, “Unless you are AWS.”

“Top 2021 AWS Security service launches security professionals should review–Part 1”. Okay, this summary post highlights an issue with how AWS talks about things. Some of these enhancements are helpful, some are not, but every last one of them are features to an existing service. Sometimes those refinements are helpful, other times they simply add unneeded complexity to a given customer’s use case. This feels a lot more like a comprehensive listing than it does a curated selection, but maybe that’s just me.

And lastly, I stumbled over a tool called Ghostbuster which is surprisingly easy to use. It scans your DNS records and finds dangling Elastic IPs that can be misused for a variety of different purposes, none of which are going to benefit you directly. It’s been a while since I found a new tool that I was this happy with how straightforward and simple it was to use. Good work. And that’s what happened last week in AWS security. I’m Corey Quinn. Thanks for listening.

Announcer: This has been a HumblePod production. Stay humble.

The Trials and Travails of AWS SSO

Corey Quinn — Wed, 23 Feb 2022 03:06:44 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/the-trials-and-travails-of-aws-sso/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Bill Goes Brrrrrrrrrrrrrrr

Corey Quinn — Mon, 21 Feb 2022 03:00:00 -0800

AWS Morning Brief for the week of February 20, 2022 with Corey Quinn.

Of CORS It Gets Better

Corey Quinn — Thu, 17 Feb 2022 03:00:00 -0800

Links Referenced:

CanaryTokens: https://www.canarytokens.org/
Found a solid way to avoid that sneaky method: https://blog.thinkst.com/2022/02/a-safety-net-for-aws-canarytokens.html?m=1
The folks at Orca found a vulnerability around OCI’s handling of Server Side Request Forgery (SSRF) Metadata: https://orca.security/resources/blog/Oracle-server-side-request-forgery-ssrf-attack-metadata/
S3 Bucket Negligence Award: https://techcrunch.com/2022/02/08/ottawa-trucker-freedom-convoy-exposed-donation/
Only 22% of enterprise customers: https://therecord.media/microsoft-says-mfa-adoption-remains-low-only-22-among-enterprise-customers/
Modified their hypervisor: https://www.bleepingcomputer.com/news/security/google-cloud-hypervisor-modified-to-detect-cryptominers-without-agents/
Amazon CloudTrail: https://aws.amazon.com/cloudtrail/
Amazon API Gateway CORS Configurator: https://cors.serverlessland.com/

Transcript

Corey: So, last week was fairly tame and—no. I’m not going to say that because the last time I said that, all hell broke loose with Log4J and I can’t go through that again.

So, let’s see what happened last week in AWS Security. I like this one very much. Thinkst Canary provides, for free via CanaryTokens.org, an AWS credential generator that spits out IAM credentials with no permissions. The single thing they do is scream bloody murder if someone attempts to use them because those credentials have been stolen. There are some sneaky ways to avoid having the testing of those tokens show up in CloudTrail logs, but they’ve just found a solid way to avoid that sneaky method. It’s worth digging into.

I’ve been a fan of Oracle Cloud for a while, which has attracted some small amount of controversy. I stand by my opinion. That said, there’s been some debate over whether they’re a viable cloud provider at scale. There are certain things I look for as indicators that a cloud provider is a serious contender, and one of them has just been reached: the folks at Orca found a vulnerability around OCI’s handling of Server Side Request Forgery (SSRF) Metadata. It sounds like I’m kidding here, but I’m not. When third-party researchers find a vulnerability that is non-obvious to most of us, that’s an indication that real companies are using services built on top of the platform. Onward.

A donation site raising funds for the Ottawa truckers’ convoy nonsense that’s been going on scored itself an S3 Bucket Negligence Award. No matter how much I may dislike an organization or its policies, I maintain that cybersecurity needs to be available to all.

Corey: You know the drill: you’re just barely falling asleep and you’re jolted awake by an emergency page. That’s right, it’s your night on call, and this is the bad kind of Call of Duty. The good news is, is that you’ve got New Relic, so you can quickly run down the incident checklist and find the problem. You have an errors inbox that tells you that Lambdas are good, RUM is good, but something’s up in APM. So, you click the error and find the deployment marker where it all began. Dig deeper, there’s another set of errors. What is it? Of course, it’s Kubernetes, starting after an update. You ask that team to roll back and bam, problem solved. That’s the value of combining 16 different monitoring products into a single platform: you can pinpoint issues down to the line of code quickly. That’s why the Dev and Ops teams at DoorDash, GitHub, Epic Games, and more than 14,000 other companies use New Relic. The next late-night call is just waiting to happen, so get New Relic before it starts. And you can get access to the whole New Relic platform at 100 gigabytes of data free, forever, with no credit card. Visit newrelic.com/morningbrief that’s newrelic.com/morningbrief.

I knew MFA adoption was struggling among consumers, but I was stunned by Microsoft’s statement that only 22% of enterprise customers have adopted an additional security factor. Please, if you haven’t enabled MFA in your important accounts—and yes, your cloud provider is one of those—please go ahead and do it now.

An interesting security advancement over in the land of Google Cloud, they’ve modified their hypervisor to detect cryptocurrency mining without needing an agent inside of the VM. This beats my usual method of ‘looking for instances with lots of CPU usage because most of the time the fleet is bored.’

Over in AWS-land, they didn’t have anything particularly noteworthy that came out last week for security, so I want to talk a little bit about a service that gets too little love: Amazon CloudTrail. Think of this as an audit log for all of the management events that happen in your AWS account. You’re going to want to secure where the logs live, ideally in another account for your AWS organization. To AWS’s credit, they made the first management trail free a few years ago and enabled it across all accounts by default as a result. This is going to help someone out there, I suspect. Remember, if you haven’t heard about it before, it’s new to you.

And I found a fun tool that’s just transformative because if the bully who beat you up and stole your lunch money in middle school were a technology, they would undoubtedly be CORS, or ‘Cross-Origin Resource Sharing.’ The

Are AWS Account IDs Sensitive Information?

Corey Quinn — Wed, 16 Feb 2022 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/are-aws-account-ids-sensitive-information/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

A Billing Glimpse and a CloudFormation Hook

Corey Quinn — Mon, 14 Feb 2022 03:00:00 -0800

AWS Morning Brief for the week of February 14, 2021 with Corey Quinn.

VPC Data Exfiltration Via CodeBuild

Corey Quinn — Thu, 10 Feb 2022 03:00:00 -0800

Links:

CodeBuild to exfiltrate data from an AWS VPC: https://awsteele.com/blog/2022/02/03/aws-vpc-data-exfiltration-using-codebuild.html
Thousands of Open Databases: https://InfoSecwriteups.com/how-i-discovered-thousands-of-open-databases-on-aws-764729aa7f32
“Why do Amazon S3 Data Breaches Keep Happening?”: https://markn.ca/2022/why-do-amazon-s3-data-breaches-keep-happening/
You’re going to be placed on a public list of shame: https://Twitter.com/0xdabbad00/status/1489305680490106880?s=12
How to report security issues in other people’s software: https://Twitter.com/notdurson/status/1489350457730469888
S3 Bucket Negligence Award: https://www.zdnet.com/article/unsecured-aws-server-exposed-airport-employee-records-3tb-in-data/
“Security Practices in AWS Multi-Tenant SaaS Environments”: https://aws.amazon.com/blogs/security/security-practices-in-aws-multi-tenant-saas-environments/
Stratus Red Team: https://github.com/Datadog/stratus-red-team

Transcript

Corey: Hello there. Another week, another erosion of the perception of AWS’s hard security boundaries. I don’t like what 2022 is doing to my opinion of AWS’s security track record. Let’s get into it.

We start this week with a rather disturbing post from Aidan Steele, who talks about using CodeBuild to exfiltrate data from an AWS VPC. We’re increasingly seeing increased VPC complexity, which in turn means that most of us don’t have a full understanding of where the security boundaries and guarantees lie.

Someone decided to scan a bunch of public AWS IP ranges and lo and behold, an awful lot of us suck at security. Specifically, they found Thousands of Open Databases. This is clearly not an exclusively AWS problem seeing as how it falls fairly on the customer side of the Shared Responsibility Model, but it does have the potential to be interpreted otherwise by folks with a less nuanced understanding.

Mark Nunnikhoven has a blog post up that asks the question “Why do Amazon S3 Data Breaches Keep Happening?” I’ve often wondered the same thing. The vector has been known for years, the console screams at you if you attempt to configure things this way, and at this point, there’s really little excuse for a customer making these mistakes. And yet they keep happening.

Scott Piper has had enough. He’s issued a simple warning: If you’re a vendor who offers a solution that deploys EC2 instances to customer environments, and you don’t support IMDSv2, you’re going to be placed on a public list of shame. He’s right: His first shame example is AWS themselves with a new feature release. For those who aren’t aware of what IMDSv2 is, it’s the instance metadata service. Ideally, you have to authenticate against that thing before just grabbing data off of it. This is partially how Capital One wound up getting smacked a couple years back.

Corey: AWS’s Dan Urson has a thread on how to report security issues in other people’s software. Something about it’s been nagging at me, and I think I’ve figured out what it is. Ignore the stuff about, “Have a coherent report,” and, “Demonstrate a reproduction case;” it gets into following the vendor’s procedures and whatnot around disclosure. I think it has to do with where I’m coming from. I generally don’t find security problems, or other bugs, by actively exploiting vendor systems; instead, I trip over them as a customer trying to get something done. The idea that I owe that vendor much of anything when I’m in that position rankles a bit. I get that this is a nuanced topic.

And of course, 3TB of airport employee records were exposed in this week’s S3 Bucket Negligence Award. I hate to sound like I’m overly naive here, but what exactly is in the employee records that makes them take up that much space? I’m a big believer in not storing information you don’t need, and that just seems like an enormous pile of data to have lying around awaiting compromise.

AWS themselves had an interesting post go out: “Security Practices in AWS Multi-Te...

GuardDuty for EKS and Why Security Should Be Free

Corey Quinn — Wed, 09 Feb 2022 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/guardduty-for-eks-and-why-security-should-be-free

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Comcast Service Appointment

Corey Quinn — Mon, 07 Feb 2022 03:00:00 -0800

AWS Morning Brief for the week of February 7, 2022 with Corey Quinn.

Privacy Means Your Data Is Private to You and Also Google

Corey Quinn — Thu, 03 Feb 2022 03:00:00 -0800

Links:

Three vulnerabilities: https://blog.wiz.io/black-hat-2021-aws-cross-account-vulnerabilities-how-isolated-is-your-cloud-environment/
Embarrassingly long time: https://Twitter.com/christophetd/status/1486610249045925890
“Companies Leave Vast Amounts of Sensitive Data Unprotected”: https://www.propublica.org/article/identity-theft-surged-during-the-pandemic-heres-where-a-lot-of-the-stolen-data-came-from?token=pIt-Qx8lrKMcPei_lM3rFDQpHXkkcxXQ
Google Drive started mistakenly flagging files as infringing copyright: https://www.theregister.com/2022/01/25/google_drive_copyright_infringement/
“How to deploy AWS Network Firewall to help protect your network from malware”: https://aws.amazon.com/blogs/security/how-to-deploy-aws-network-firewall-to-help-protect-your-network-from-malware/
“How to use tokenization to improve data security and reduce audit scope”: https://aws.amazon.com/blogs/security/how-to-use-tokenization-to-improve-data-security-and-reduce-audit-scope/
“Ransomware-resistant backups with S3”: https://www.franzoni.eu/ransomware-resistant-backups/

Transcript

After the content for this episode was effectively laid out, AWS did a late Friday night announcement of a new GuardDuty enhancement that would automatically opt people in to a chargeable service unless they explicitly opted each account out. This obviously doesn’t thrill me or other affected customers. so, as I record this, the situation is still evolving, but rest assured I’m going to have further thoughts on this next week.

Now, let’s see what happened last week in AWS security. so, last year, Wiz found three vulnerabilities that allowed attackers to read or write into other customers’ AWS accounts. This flew beneath the radar at the time, but they’re all coming out of the woodwork now, and AWS’s security reputation, more or less, lies in tatters, replaced by a reputation for clamming up and admitting nothing. I’m already wincing at this summer’s re:Inforce keynote. if they try their usual messaging line, it’s not going to end well for them.

There was apparently a serious vulnerability within the Linux polkit library. It took Amazon Linux an embarrassingly long time to acknowledge it and put out a release. Now, I’m not a fan of single-vendor Linux installs; any bets on how many non-Amazonians have commit rights to the distribution?

Failing to learn from experience is never a great look, but as per ProPublica, “Companies Leave Vast Amounts of Sensitive Data Unprotected” despite decades of breaches. Please, please, please, if you’re listening to this, don’t be one of them. There’s no value in buying the latest whiz-bang vendor software to defend against state-level actors if you’re going to leave the S3 bucket containing the backups open to the world.

And an uncomfortable reminder that we might not be the only parties perusing our “private” files stored within various cloud providers, Google Drive started mistakenly flagging files as infringing copyright. Now, amusingly the files in question tended to consist entirely of a single character within the file, but the reminder isn’t usually something that cloud providers want dangled in front of us. Once again we are, in fact, reminded that Google considers privacy to be keeping information between you and Google.

AWS had a couple interesting blog posts. One of them was “How to deploy AWS Network Firewall to help protect your network from malware”. and I’m torn on this service, to be honest, because On the one hand, it extends the already annoying pricing model of the Managed NAT Gateway, but On the other, it provides a lot more than simple address translation and is cost-competitive with a number of
other solutions in this space. I think I’m going to land on, “use it if it makes sense for you, but don’t expect it to be cheap.”

And a great blog post from AWS security folks—which is, honestly, something I have said a lot in the past, and I look forward to saying a lot more of in the future—

Going Out to Play with the CDK

Corey Quinn — Wed, 02 Feb 2022 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/going-out-to-play-with-the-cdk

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon Basics MongoDB Offers Free Trial

Corey Quinn — Mon, 31 Jan 2022 03:00:00 -0800

AWS Morning Brief for the week of January 31, 2022 with Corey Quinn.

An SSH Key Request

Corey Quinn — Thu, 27 Jan 2022 03:00:00 -0800

Links:

GitHub organizations: https://alsmola.medium.com/securing-github-organizations-9c33c850638
CloudTrail would spew other accounts’ credentials your way: https://onecloudplease.com/blog/security-september-cataclysms-in-the-cloud-formations
Spot on: https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines/
Some excellent points: https://www.darkreading.com/cloud/enterprises-are-sailing-into-a-perfect-storm-of-cloud-risk
“Amazon EC2 customers can now use ED25519 keys for authentication with EC2 Instance Connect”: https://aws.amazon.com/about-aws/whats-new/2022/01/ed25519-keys-authentication-ec2-instance-connect/
“Integrating AWS Security Hub, IBM Netcool, and ServiceNow, to Secure Large Client Deployments”: https://aws.amazon.com/blogs/apn/integrating-aws-security-hub-ibm-netcool-and-servicenow-to-secure-large-client-deployments/
“Best practices for cross-Region aggregation of security findings”: https://aws.amazon.com/blogs/security/best-practices-for-cross-region-aggregation-of-security-findings/
Assume AWS IAM Roles using SAML.to in GitHub Actions: https://github.com/saml-to/assume-aws-role-action

Transcript

Corey: So, most interesting this week is probably my request for AWS to support a different breed of SSH key. No, it’s not a joke. Listen on and we’ll get there.

So, from the security community last week, everyone talks about how to secure AWS environments. This post takes a different direction and talks about how to secure GitHub organizations, which makes sense if you think about it as an area to focus on. If you compromise an org’s GitHub repositories, it’s basically game over for that company.

I also came across this post from 2020, talking about how if asked politely, CloudTrail would spew other accounts’ credentials your way. How many more exploits like this have we seen and just never been told about?

NCC Group has some great stories up about compromising CI/CD pipelines, and they are all spot on. Because nobody really thinks about the Jenkins box that has everyone working with it, outsized permissions, and of course, no oversight.

Enterprise cloud risk is a very real thing, so a post from Josh Stella, who’s the CEO of Fwage—though he pronounces it as ‘Fugue’—and it makes some excellent points, and also cites me, so of course, I’m going to mention it here. We incentivize the behaviors we want to see more of. There’s a security lesson in there somewhere.

Corey: This episode is sponsored in part by our friends atNew Relic. If you’re like most environments, you probably have an incredibly complicated architecture, which means that monitoring it is going to take a dozen different tools. And then we get into the advanced stuff. We all have been there and know that pain, or will learn it shortly, and New Relic wants to change that. They’ve designed everything you need in one platform with pricing that’s simple and straightforward, and that means no more counting hosts. You also can get one user and a hundred gigabytes a month, totally free. To learn more, visitnewrelic.com. Observability made simple.

Now, from AWS, what have they said? “Amazon EC2 customers can now use ED25519 keys for authentication with EC2 Instance Connect”. I really wish they’d add support for ECDSA keys as well, and no, this is not me making a joke. Those are the only key types Apple lets you store in the Secure Enclave on Macs that support it, and as a result, you can use that while never exporting the private key. I try very hard to avoid having private key material resident on disk, and that would make it one step easier.

“Integrating AWS Security Hub, IBM Netcool, and ServiceNow, to Secure Large Client Deployments”. I keep talking about how if it’s not simple, it’s very hard to secure. AWS, IBM, and ServiceNow, all integrating is about as far from “Simple” as is possible to get.

“Best practices for cross-Region aggregation of security findings”. And this was a post that I was about to snark that it should be as simple as “Click the button,” but then I read my post, and to my surprise and yes, delight, it already is. Good work.

And in the land of tool, I found a post talking about how to assume AWS IAM Roles using SAML.to in GitHub Actions, and I really wish that that was first-party, but I’ll take what I can get. Because again, I despise the idea of permanent IAM credentials just hanging out in GitHub or on disk or, realistically, anywhere. I like these ephemeral approaches. You can be a lot more dynamic with it and breaching those credentials doesn’t generally result in disaster for everyone. And that’s what happened last week in AWS security.

ClickOps

Corey Quinn — Wed, 26 Jan 2022 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/clickops

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Boldly Responds With Silence

Corey Quinn — Mon, 24 Jan 2022 03:00:00 -0800

AWS Morning Brief for the week of January 24, 2022 with Corey Quinn.

The Gruntled Developer

Corey Quinn — Thu, 20 Jan 2022 03:00:00 -0800

Links:

S3 Bucket Negligence Award: http://saharareporters.com/2022/01/10/exclusive-hacker-breaks-nimc-server-steals-over-three-million-national-identity-numbers
Anyone in a VPC, any VPC, anywhere: https://Twitter.com/santosh_ankr/status/1481387630973493251
A disgruntled developer corrupts their own NPM libs ‘colors’ and ‘faker’, breaking thousands of apps: https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
“Top ten security best practices for securing backups in AWS”: https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-backups-in-aws/
Glue: https://aws.amazon.com/security/security-bulletins/AWS-2022-002/
CloudFormation: https://aws.amazon.com/security/security-bulletins/AWS-2022-001/
S3-credentials: https://simonwillison.net/2022/Jan/18/weeknotes/

Transcript

Corey: This episode is sponsored in part by my friends at Thinkst Canary. Most companies find out way too late that they’ve been breached. Thinkst Canary changes this and I love how they do it. Deploy canaries and canary tokens in minutes, and then forget about them. What’s great is then attackers tip their hand by touching them, giving you one alert, when it matters. I use it myself and I only remember this when I get the weekly update with a, “We’re still here, so you’re aware,” from them. It’s glorious. There is zero admin overhead to this, there are effectively no false positives unless I do something foolish. Canaries are deployed and loved on all seven continents. You can check out what people are saying atcanary.love. And, their Kube config canary token is new and completely free as well. You can do an awful lot without paying them a dime, which is one of the things I love about them. It is useful stuff and not a, “Oh, I wish I had money.” It is spectacular. Take a look. That'scanary.love because it’s genuinely rare to find a security product that people talk about in terms of love. It really is a neat thing to see.Canary.love. Thank you to Thinkst Canary for their support of my ridiculous, ridiculous nonsense.

Corey: So, yesterday’s episode put the boots to AWS, not so much for the issues that Orca Security uncovered, but rather for its poor communication around the topic. Now that that’s done, let’s look at the more mundane news from last week’s cloud world. Every day is a new page around here, full of opportunity and possibility in equal measure.

This week’s S3 Bucket Negligence Award goes to the Nigerian government for exposing millions of their citizens to a third party who most assuredly did not follow coordinated disclosure guidelines. Whoops.

There’s an interesting tweet, and exploring it is still unfolding at time of this writing, but it looks that making an API Gateway ‘Private’ doesn’t mean, “To your VPCs,” but rather, “To anyone in a VPC, any VPC, anywhere.” This is evocative of the way that, “Any Authenticated AWS User,” for S3 buckets caused massive permissions issues industry-wide.

And a periodic and growing concern is one of software supply chain—which is a fancy way of saying, “We’re all built on giant dependency chains”—what happens when, say, a disgruntled developer corrupts their own NPM libs ‘colors’ and ‘faker’, breaking thousands of apps across the industry, including some of the AWS SDKs? How do we manage that risk? How do we keep developers gruntled?

Get access to everything via single sign-on with multi-factor, list and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That’s goteleport.com.

AWS had a couple of interesting things. The first is “Top ten security best practices for securing backups in AWS”. People really don’t consider the security implications of their backups anywhere near seriously enough. It’s not ‘live’ but it’s still got—by definition—a full set of your data just waiting to be harvested by nefarious types. Be careful with that.

And of course, AWS had two security bulletins, one about its Glue issues, one about its CloudFormation issues. The former allowed cross-account access to other tenants. In theory. In practice, AWS did the responsible thing and kept every access event logged, going back for the full five years of the service’s life. That’s remarkably impressive.

And lastly, I found an interesting tool called S3-credentials last week, and what it does is it helps generate tightly-scoped IAM policies that were previously limited to a single S3 bucket, but now are limited to a single prefix within that bucket. You can also make those credential sets incredibly short-lived. More things like this, please. I just tend to over-scope things way too much. And that’s what happened Last Week in AWS: Security. Please feel free to reach out and tell me exactly what my problem is.

Orca Security, AWS, and the Killer Whale of a Problem

Corey Quinn — Wed, 19 Jan 2022 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/orca-security-aws-and-the-killer-whale-of-a-problem

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

New Consolation

Corey Quinn — Mon, 17 Jan 2022 03:00:00 -0800

AWS Morning Brief for the week of January 17, 2021 with Corey Quinn.

CISOs Should Ideally Stay Out of Prison

Corey Quinn — Thu, 13 Jan 2022 03:00:00 -0800

Links:

Comes with a cryptominer: https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/
You could be federally charged with wire fraud for paying off a security researcher: https://www.justice.gov/usao-ndca/pr/former-uber-chief-security-officer-face-wire-fraud-charges-0
A source code leak of its Azure App Service: https://www.theregister.com/2021/12/24/azure_app_service_not_legit_source_code_leak/
“Comprehensive Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs)”: https://aws.amazon.com/blogs/security/comprehensive-cyber-security-framework-for-primary-urban-cooperative-banks/
“Disabling Security Hub controls in a multi account environment”: https://aws.amazon.com/blogs/security/disabling-security-hub-controls-in-a-multi-account-environment/
Ipv6-ghost-ship: https://github.com/aidansteele/ipv6-ghost-ship

Transcript

This episode is sponsored in part by our friends at Rising Cloud, which I hadn’t heard of before, but they’re doing something vaguely interesting here. They are using AI, which is usually where my eyes glaze over and I lose attention, but they’re using it to help developers be more efficient by reducing repetitive tasks. So, the idea being that you can run stateless things without having to worry about scaling, placement, et cetera, and the rest. They claim significant cost savings, and they’re able to wind up taking what you’re running as it is in AWS with no changes, and run it inside of their data centers that span multiple regions. I’m somewhat skeptical, but their customers seem to really like them, so that’s one of those areas where I really have a hard time being too snarky about it because when you solve a customer’s problem and they get out there in public and say, “We’re solving a problem,” it’s very hard to snark about that. Multus Medical, Construx.ai and Stax have seen significant results by using them. And it’s worth exploring. So, if you’re looking for a smarter, faster, cheaper alternative to EC2, Lambda, or batch, consider checking them out. Visit risingcloud.com/benefits. That’s risingcloud.com/benefits, and be sure to tell them that I said you because watching people wince when you mention my name is one of the guilty pleasures of listening to this podcast.

Welcome to Last Week in AWS: Security. Let’s dive in. Norton 360—which sounds like a prelude to an incredibly dorky attempt at the moonwalk—now comes with a cryptominer. You know, the thing that use tools like this to avoid having on your computer? This is apparently to offset how zippy modern computers have gotten, in a direct affront to Norton’s ability to make even maxed-out laptops run like total garbage. Speaking of total garbage, you almost certainly want to use literally any other vendor for this stuff now.

“What’s the worst that can happen?” Is sometimes a comforting thought when dealing with professional challenges. If you’re the former Uber CISO, the answer to that question is apparently, “you could be federally charged with wire fraud for paying off a security researcher.”

And lastly, Azure continues to have security woes, this time in the form of a source code leak of its Azure App Service. It’s a bad six months and counting to be over in Microsoft-land when it comes to cloud.

Let’s take a look what AWS has done. “Comprehensive Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs)”. This is a perfect case study in what’s wrong with the way we talk about security. First, clicking the link to the report in the blog post threw an error; I had to navigate to the AWS Artifact console and download the PDF manually. Then, the PDF is all of two pages long, as it apparently has an embedded Excel document within it that Preview on my Mac can’t detect. The proper next step is to download Adobe Acrobat for Mac in order to read this, but I’ve given up by this point. This may be the most remarkable case of AWS truly understanding its customer mentality that we’ve seen so far this year.

Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor, list and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That’s goteleport.com.

“Disabling Security Hub controls in a multi account environment”. I hate that this is a solution instead of a native feature, but it’s important. There are some Security Hub controls that are just nonsense. “Oh no, you didn’t encrypt your EBS volumes.” “Oh dear, you haven’t rotated your IAM credentials in 90 days.” “Holy CRAP, the S3 bucket serving static assets to the world is world-readable.” You get the picture.

And a tool I found fun, “Port Knocking” is an old security technique in which you attempt to connect to a host on a predetermined sequence of ports. Get it right and you’re now able to connect to the host in question on the port that you want. ipv6-ghost-ship has done something similar yet ever more ridiculous: It takes advantage of the fact that IPv6 means that each EC2 instance gets 281 trillion IP addresses to only accept SSH connections when the last three octets of the IP address on the instance match the time-based authentication code. This is a ridiculous hack, and I love it oh so very much. I’m Chief Cloud Economist at The Duckbill Group, and this has been Last We...

Azure's Terrible Security Posture Comes Home to Roost

Corey Quinn — Wed, 12 Jan 2022 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/azures-terrible-security-posture-comes-home-to-roost/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

LakeTrail for Clouds

Corey Quinn — Mon, 10 Jan 2022 03:00:00 -0800

AWS Morning Brief for the week of January 10, 2021 with Corey Quinn.

Time to Give LastPass the Heave

Corey Quinn — Thu, 06 Jan 2022 03:00:00 -0800

Links:

“Tokyo police lose 2 floppy disks containing personal info on 38 public housing applicants”: https://mainichi.jp/english/articles/20211227/p2a/00m/0na/072000c
LastPass may have suffered a breach: https://news.ycombinator.com/item?id=29705957
“Worst AWS Data Breaches of 2021”: https://securityboulevard.com/2021/12/worst-aws-data-breaches-of-2021/
D.W. Morgan: https://www.hackread.com/logistics-giant-d-w-morgan-exposed-clients-data/
SEGA Europe: https://vpnoverview.com/news/sega-europe-suffers-major-security-breach/
“Identity Guide–Preventive controls with AWS Identity–SCPs”: https://aws.amazon.com/blogs/mt/identity-guide-preventive-controls-with-aws-identity-scps/
Log4j scanner: https://github.com/google/log4jscanner

Transcript

Corey: The first security round-up of the year in Last Week in AWS: Security. This is relatively light, just because it covers the last week of the year, where people didn’t really “Work” so much as “Get into fights on Twitter.” Onward.

So, from the community, ever see a data breach announcement that raises oh so very many more questions than it answers? I swear this headline is from a week or so ago, not 1998: “Tokyo police lose 2 floppy disks containing personal info on 38 public housing applicants”. Yes, I said floppy disks.

The terrible orange website, also known as Hacker News, reports that LastPass may have suffered a breach. At the time I write this, the official LastPass blog has a, “No, it’s just people reusing passwords.” Enough people I trust have seen this behavior that I’d be astounded if that were true. If you can’t trust your password manager, ditch them immediately.

Security Boulevard had a roundup of the “Worst AWS Data Breaches of 2021”, and it’s the usual run-of-the-mill S3 bucket problems, but my personal favorite’s the Twitch breach because it’s particularly embarrassing, given that it is, in fact, an Amazon subsidiary.

First one goes to D.W. Morgan by leaking 100GB of client data. And they’re a logistics company that serves giant enterprises, so these are companies with zero sense of humor, so I would not want to be in D.W. Morgan’s position this week.

And the other is a little funnier. It goes to SEGA Europe, after Sonic the Hedgehog forgets to perform due diligence on his AWS environment.

Corey: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor, list and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That’s goteleport.com.

AWS had only a single thing that I found interesting: “Identity Guide–Preventive controls with AWS Identity–SCPs”. I’ve been waiting for a while for a good explainer on SCPs to come out for a while, and this looks like it actually is a thing that I want. I’ve been playing around with SCPs a lot more for the past couple of weeks. If you’re unfamiliar, it’s a way to override what the root user can do in an organization’s member accounts. It’s super handy to constrain people from doing things that are otherwise foolhardy.

And lastly, an interesting tool came out from Google—which I should not have to explain what that is to you folks; they turn things off, like Reader—they also released a log4j scanner. This one scans files on disk to detect the bad versions of log4j—which is most of them—and can replace them with the good version—which is, of course, print statements. And that’s what happened last week in AWS security. Hopefully next week will be… well, I don’t want to say less contentful, but I do want to say it’s at least not as exciting as the last month has been. Thanks for listening.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign
up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.

The AWS Service I Hate the Most

Corey Quinn — Wed, 05 Jan 2022 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/the-aws-service-i-hate-the-most

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Burninate

Corey Quinn — Mon, 03 Jan 2022 03:00:00 -0800

AWS Morning Brief for the week of January 3, 2021 with Corey Quinn.

Self-Disclosure Heals Many Wounds

Corey Quinn — Thu, 30 Dec 2021 03:00:00 -0800

Links:

“Cloud Security Breaches and Vulnerabilities”: https://blog.christophetd.fr/cloud-security-breaches-and-vulnerabilities-2021-in-review/
S3 Bucket Negligence Award: https://mytechdecisions.com/audio/sennheiser-responds-after-customer-data-from-2018-was-exposed-online/
Granted the role its support teams use to access customer accounts access to S3 objects: https://Twitter.com/0xdabbad00/status/1473448889948598275?s=12
S3 Bucket Negligence Award: https://www.modernghana.com/news/1127205/report-ghana-government-agency-exposes-100000s.html
“Simplify setup of Amazon Detective with AWS Organizations”: https://aws.amazon.com/blogs/security/simplify-setup-of-amazon-detective-with-aws-organizations/
“AWSSupportServiceRolePolicy Informational Update”: https://aws.amazon.com/security/security-bulletins/AWS-2021-007/
aws-sso-cli: https://github.com/synfinatic/aws-sso-cli

Transcript

Corey: Well, we’re certainly ending 2021 with a whirlwind in the security space. Log4J continues to haunt us, while AWS took not only an
outage but also a bit of a security blunder that they managed to turn into a messaging win. Listen on.

But first, the Community. A depressing review of 2021’s “Cloud Security Breaches and Vulnerabilities.” Honestly, it seems like there are just so damned many ways for bad security to set the things we care about on fire. The takeaways are actionable though. Stop using static long-lived credentials and start with the basics before you get fancy.

Sennheiser scores itself an S3 Bucket Negligence Award, and of all the countries in which to suffer a data breach, I’ve got to say that Germany is at the bottom of the list. They do not mess around with data protection there.

And, Holy hell, AWS inadvertently granted the role its support teams use to access customer accounts access to S3 objects. It lasted for ten hours, and while there are mitigations out there, this is far from the first time that AWS has biffed it with regard to an unreviewed change making it into a managed IAM policy. This needs to be addressed. If you’ve got specific questions about how those things are handled, reach out to your account team; but it’s a terrible look. But there’s more to come in a second here.

Corey: This episode is sponsored in part by my friends at Cloud Academy. Something special for you folks: If you missed their offer on Black Friday or Cyber Monday or whatever day of the week doing sales it is, good news, they’ve opened up their Black Friday promotion for a very limited time. Same deal: $100 off a yearly plan, 249 bucks a year for the highest quality cloud and tech skills content. Nobody else is going to get this, and you have to act now because they have assured me this is not going to last for much longer. Go to cloudacademy.com, hit the ‘Start Free Trial’ button on the homepage and use the promo code, ‘CLOUD’ when checking out. That’s C-L-O-U-D. Like loud—what I am—with a C in front of it. They’ve got a free trial, too, so you’ll get seven days to try it out to make sure it really is a good fit. You’ve got nothing to lose except your ignorance about cloud. My thanks to Cloud Academy once again for sponsoring my ridiculous nonsense.

A bit off the beaten path, this week’s S3 Bucket Negligence Award goes to the government of Ghana. This one is pretty bad. I mean, you can’t exactly opt out of doing business with your government, you know?

Now, AWS has two things I want to talk about. The first is that they offer a way to “Simplify setup of Amazon Detective with AWS Organizations.” I’m actually enthusiastic about this one because there’s a significant lack of security tooling available to folks at the lower end of the market. A bunch of companies seem to start off targeting this segment, but soon realize that there’s a better future in selling things to bigger companies for $200,000 a month instead of $20.

Now, “AWSSupportServiceRolePolicy Informational Update.” Now, you heard a minute ago, I was initially extremely unhappy about this mistake. That said, I am such a fan of this notification that I can’t even articulate it without sounding like I’m fanboying. Because mistakes happen and talking about those mistakes and why defense in depth mitigates the harm of those mistakes goes a long way. This affirms my trust in AWS rather than harming it. Meanwhile Azure has absolutely nothing to say about why their tenant separation is aspirational at best.

And lastly a bit of tooling story here. To end up the year, I’ve been kicking the tires on aws-sso-cli over on GitHub, which is a tool for using AWS SSO for both the CLI and web console. I don’t know why the native SSO tooling is quite as trash as it is, but it’s a problem. There’s a lot of value to using SSO but AWS hides it as if the entire thing were under NDA. Thank you for listening. It’s been a heck of a year as we’ve launched the security portion of this weekly nonsense. I’ll talk to you more in 2022. Stay safe.

Corey: Thank you f...

Last Year in AWS

Corey Quinn — Wed, 29 Dec 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/last-year-in-aws

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Managed Grifting Service Now in Preview

Corey Quinn — Mon, 27 Dec 2021 03:00:00 -0800

AWS Morning Brief for the week of December 27, 2021 with Corey Quinn.

Yule4j

Corey Quinn — Thu, 23 Dec 2021 03:00:00 -0800

Links:

Has its own vulnerability that’s actively under exploit: https://arstechnica.com/information-technology/2021/12/patch-fixing-critical-log4j-0-day-has-its-own-vulnerability-thats-under-exploit/
Google Project Zero deep dive into the NSO group’s iMessage exploit: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Three flaws: https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html
How to customize behavior of AWS Managed Rules for WAF: https://aws.amazon.com/blogs/security/how-to-customize-behavior-of-aws-managed-rules-for-aws-waf/
Using AWS security services to protect against, detect, and respond to the Log4j vulnerability: https://aws.amazon.com/blogs/security/using-aws-security-services-to-protect-against-detect-and-respond-to-the-log4j-vulnerability/
Update for Apache Log4j2 Issue: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
An innocent question: https://Twitter.com/QuinnyPig/status/1473382549535662082?s=20

Transcript

Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor, list and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That’s goteleport.com.

Corey: The burning yule log that is the log4j exploit and its downstream issues continues to burn fiercely. Meanwhile the year winds down, and it’s certainly been an eventful one. I’ll talk to you next week because that is what I do.

Now, let’s see from the community what happened. The patch to fix the log4j vulnerability apparently has its own vulnerability that’s actively under exploit. Find your nearest InfoSec friend and buy them a beer or forty because this is going to suck for a long time and basically ruin everyone’s holiday.

Also, I’ve seen the most hair-raising thing I can remember in InfoSec-land, which is the Google Project Zero deep dive into the NSO group’s iMessage exploit. Seriously, this thing requires no clicks on the part of the victim, the exploit uses a bug in the GIF processing inherent to iMessage to build a virtual CPU and assembly instruction set. There is no realistic defense against this short of hurling your phone into the sea, which I heartily recommend at this point as a best practice.

Oh, and everything is on fire and somehow worse. There are now at least three flaws in the log4j library that we’re counting, so far. Everything is terrible and we clearly should never log anything again.

Now, AWS had a few things to say. The most relevant of them are How to customize behavior of AWS Managed Rules for WAF. So, if you’re a
WAF vendor and you don’t link to this blog post as part of your, “Why should I pay you?” sales material, you’re missing a golden opportunity. Every time I dig into AWS’s Web Application Firewall offering, I end up regretting it, and with a headache.

There was also a post on Using AWS security services to protect against, detect, and respond to the Log4j vulnerability. I’m disappointed to see AWS starting to use the log4nonsense stuff to pitch a dizzying array of expensive security services that require customers to do an awful lot of independent work to get stuff configured properly. This kind of isn’t the time for that.

And they have an update page that they continue to update called Update for Apache Log4j2 Issue, and this post has more frequent updates than AWS’s “What’s new” RSS feed. It really drives home the sheer scope of the issue, how pervasive it is, and just how much empathy we should have for the AWS security team. Their job has pretty clearly been not fun for the last couple of weeks.

And lastly, the tip of the week is more of a request for help, honestly. I asked what I thought was an innocent question on Twitter: “What are people using to read and consume CloudTrail logs?” The answers made it clear that the answer was basically, “A bunch of very expensive enterprise grade things,” or, “Nothing.” This feels like a missed opportunity for some enterprising company out there. If you’ve got a better a...

Overstating AWS's Free Tier Generosity

Corey Quinn — Wed, 22 Dec 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/overstating-awss-free-tier-generosity

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon Lookout for Twitter

Corey Quinn — Mon, 20 Dec 2021 04:48:59 -0800

AWS Morning Brief for the week of December 20, 2021 with Corey Quinn.

...And Now Everything Is On Fire

Corey Quinn — Thu, 16 Dec 2021 03:00:00 -0800

Links:

The internet is now on fire:https://www.engadget.com/log4shell-vulnerability-log4j-155543990.html
Blog post:https://blog.cloudflare.com/exploitation-of-cve-2021-44228-before-public-disclosure-and-evolution-of-waf-evasion-patterns/
Expecting to be down for weeks:https://www.darkreading.com/attacks-breaches/kronos-suffers-ransomware-attack-expects-full-restoration-to-take-weeks-
Update for the Apache Log4j2 Issue:https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
Log4Shell Vulnerability Tester at log4shell.huntress.com:https://log4shell.huntress.com/

Transcript

Corey: It seems like there is a new security breach every day. Are you confident that an old SSH key or a shared admin account isn’t going to come back and bite you? If not, check out Teleport. Teleport is the easiest, most secure way to access all of your infrastructure. The open-source Teleport Access Plane consolidates everything you need for secure access to your Linux and Windows servers—and I assure you there is no third option there. Kubernetes clusters, databases, and internal applications like AWS Management Console, Yankins, GitLab, Grafana, Jupyter Notebooks, and more. Teleport’s unique approach is not only more secure, it also improves developer productivity. To learn more, visit goteleport.com. And no, that’s not me telling you to go away; it is, goteleport.com.

Corey: I think I owe the entire internet a massive apology. See, last week I titled the episode, “A Somehow Quiet Security Week.” This is the equivalent of climbing to the top of a mountain peak during a violent thunderstorm, then waving around a long metal rod. While cursing God.

So, long story short, the internet is now on fire due to a vulnerability in the log4j open-source logging library. Effectively, if you can get an arbitrary string into the logs of a system that uses a vulnerable version of the log4j library, it will make outbound network requests. It can potentially run arbitrary code.

The impact is massive and this one’s going to be with us for years. WAF is a partial solution, but the only real answer is to patch to an updated version, or change a bunch of config options, or disallow affected systems from making outbound connections. Further, due to how thoroughly embedded in basically everything it is—like S3; more on that in a bit—a whole raft of software you run may very well be using this without your knowledge. This is, to be clear, freaking wild. I am deeply sorry for taunting fate last week. The rest of this issue of course talks entirely about this one enormous concern.

Corey: This episode is sponsored in part by my friends at Cloud Academy. Something special for you folks: if you missed their offer on Black Friday or Cyber Monday or whatever day of the week doing sales it is, good news, they’ve opened up their Black Friday promotion for a very limited time. Same deal: $100 off a yearly plan, 249 bucks a year for the highest quality cloud and tech skills content. Nobody else is going to get this, and you have to act now because they have assured me this is not going to last for much longer. Go to cloudacademy.com, hit the ‘Start Free Trial’ button on the homepage and use the promo code, ‘CLOUD’ when checking out. That’s C-L-O-U-D. Like loud—what I am—with a C in front of it. They’ve got a free trial, too, so you’ll get seven days to try it out to make sure it really is a good fit. You’ve got nothing to lose except your ignorance about cloud. My thanks to Cloud Academy once again for sponsoring my ridiculous nonsense.

Cloudflare has a blog post talking about the timeline of what they see as a global observer of exploitation attempts of this nonsense. They’re automatically shooting it down for all of their customers and users—to be clear, if you’re not paying for a service you are not its customer, you’re a marketing expense—and they’re doing this as part of the standard service they provide. Meanwhile AWS’s WAF has added the ruleset to its AWSManagedRulesKnownBadInputsRuleSet—all one word—managed rules—wait a minute; they named it that? Oh, AWS. You sad, ridiculous service-naming cloud. But yeah, you have to enable AWS WAF, for which there is effectively no free tier, and configure this rule to get its protection, as I read AWS’s original update. I’m sometimes asked why I use CloudFlare as my CDN instead of AWS’s offerings. Well, now you know.

Also, Kronos, an HR services firm, won the ransomware timing lottery. They’re expecting to be down for weeks, but due to the log4shell—which is what they’re calling this exploit: The log4shell problem—absolutely nobody is paying attention to companies that are having ransomware problems or data breaches. Good job, Kronos.

Now, what did AWS have to say? Well, they have an ongoing “Update for the Apache Log4j2 Issue” and they’ve been updating it as they go. But at the time of this recording, AWS is a Java shop, to my understanding.

That means that basically everything internet-facing at AWS—which is, you know, more or less everything they sell—has some risk exposure to this vulnerability. And AWS has moved with a speed that can only be described as astonishing, and mitigated this on their managed services in a timeline I wouldn’t have previously believed possible given the scope and scale here. This is the best possible argument to make for using higher-level managed services instead of building your own things on top of EC2. I just hope they’re classy enough not to use that as a marketing talking point.

And for the tool of the week, the Log4Shell Vulnerability Tester at log4shell.huntress.com automatically generates a string and then lets you know when that is exploited by this vulnerability what systems are connecting to is. Don’t misuse it obviously, but it’s great for validating whether a certain code path in your environment is vulnerable. And that’s what happened last week in AWS Security, and I just want to say again how deeply, deeply sorry I am for taunting fate and making everyone’s year suck. I’ll talk to you next week, if I live.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Ple...

Lessons in Trust from us-east-1

Corey Quinn — Wed, 15 Dec 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/lessons-in-trust-from-us-east-1

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

us-east-1 of Eden

Corey Quinn — Mon, 13 Dec 2021 03:00:00 -0800

AWS Morning Brief for the week of December 13, 2021 with Corey Quinn.

A Somehow Quiet Security Week

Corey Quinn — Thu, 09 Dec 2021 03:00:00 -0800

Links:

Cyber-security insurance providers are increasing their requirements to be insurable: https://Twitter.com/SwiftOnSecurity/status/1467879429707866112
“Why the C-suite doesn’t need access to all corporate data”: https://www.darkreading.com/vulnerabilities-threats/why-the-c-suite-doesn-t-need-access-to-all-corporate-data
“Amazon S3 Object Ownership can now disable access control lists to simplify access management for data in S3”: https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-object-ownership-simplify-access-management-data-s3/
Cloud provider security mistakes: https://github.com/SummitRoute/csp_security_mistakes

Transcript

Corey: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor. List and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That’s goteleport.com.

Corey: re:Invent has come and gone, and with it remarkably few security announcements. Shockingly, it was a slow week for the industry. I’m glad but also disappointed to be proven wrong in my, “The only thing you, as a company who isn’t AWS, should be announcing during re:Invent is your data breach since nobody will be paying attention,” snark. But it’s for the best. It means that maybe—maybe—we’re starting to see things normalize a bit.

Now, from the Community, we saw some interesting stuff. Scuttlebutt has it that cyber-security insurance providers are increasing their requirements to be insurable. This makes a lot of sense; as ransomware attacks become more numerous, nobody is going to want to cut large insurance checks to folks who didn’t think to have offline backups. You might want to check the specific terms and conditions of your policy.

I also liked a writeup as to “Why the C-suite doesn’t need access to all corporate data.” It’s true, but it’s super hard to defend against. When the CTO ‘requests’ access to the AWS root account, who’s likely to say no? If you’re going to push for proper separation of duties, either do it the right way or don’t even bother.

Corey: And from AWS, there was really one glaring announcement that made me happy in the security context, and that was that “Amazon S3 Object Ownership can now disable access control lists to simplify access management for data in S3,” and it’s huge. S3 ACLs have been a pain in everyone’s side for years. Remember that S3 was the first AWS service to general availability, and a second in beta, after SQS. Meanwhile, IAM wasn’t released until 2010. “Ignore bucket ACLs so you don’t have to think about them” is a huge step towards normalizing security within AWS, specifically S3.

And from the community's tools—I guess it’s not a tool so much as it is a tip or I don’t even know how you would describe it but I love it because Scott Piper is doing the lord’s work by curating a list of cloud provider security mistakes. Lord knows that none of them are going to be showcasing their own failures, or—thankfully—those of their competition because I don’t want to get in the middle of that mudslinging prize. This is well worth checking out and taking a look at, particularly when one provider or another starts getting a little too full of themselves around what they’re doing in security. That’s what happened last week in AWS security. Thank you for listening.

Announcer: This has been a HumblePod production. Stay humble.

How AWS Measures Customer Numbers

Corey Quinn — Wed, 08 Dec 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.
https://www.lastweekinaws.com/blog/how-aws-measures-its-customers

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Releases of re:Invent

Corey Quinn — Mon, 06 Dec 2021 03:00:00 -0800

Releasees of re:Invent Lyrics

AWS Backup speaks S3
Systems Manager: RDP
Improvements have hit Control Tower
Systems Manager speaks Greengrass
Evidently's name sucks ass
(It does A/B testing by the hour)

Streams in Kinesis
EMR and Jesus
MSK are now Serverless
Redshift is too
And this one should please you
FSx supports OpenZFS

Make development faster
Without a disaster
Too dangerous to go alone
You might give them a slappin'
For making this happen
But please go check out HoneyComb

Data Transfer new Free Tier
Slightly more free as in beer
So your bill is a bit less absurd
Don't use CloudWatch RUM
AWS is your chum
In the bloody sense of the word

They can't remain nameless
Thank You to Blameless
For helping out with SRE
It goes beyond on-call
And most importantly of all
Fingers aren’t pointing at me

DMS Fleet Advisor
The Sages get wiser
(SageMaker got features but I just don't care)
Now let’s show more respect
To our friend FSx’s
OpenZFS support if you unaware

It impressed me a boatload
Amplify Studio's Low Code
But Amazon's scared of that phrase
Digital TwinMaker
Stuff for data lakers
OpenZFS deserves so much praise

RoboRunner runs robots
Archive for EBS snapshots
In case all your instances crash
If your users all sin
EBS Snapshot Recycle Bin
But they likely belong in the trash

“Cloud WAN” “Evidently”
“Private 5G” “Snow Family”
And SageMaker Ground Truth Plus
But I won't be shaming
Since the one person naming
Things well just got hit by a bus

Thanks go to Netlify
More deadly than Jai Alai
To AWS's clear JAMstack flex
Sure you could use S3
ACM CloudFront and Route53
That's just Netlify with extra steps

CDK V2 sounds like a bust
SDKs for Swift Kotlin and Rust
Construct Hub has launched into GA
Network Analyzer for VPC
Disable ACLs in S3
Storage admins will have a field day

Block regions within Control Tower
Compute optimizer bills you per picohour
Now the Snow Family speaks tape
Workspaces Web does you favors
EC2 has many more flavors
But I still go for Cherry and Grape

You knew this was coming
Because for four years running
It's sponsored by ChaosSearch
It speaks just like Elastic
Now does SQL more drastic
If you want to spend more
Then get out of my church

Stuff for the telecom sector
There's a new Inspector
That's sneakily powered by Snyk
Resilience Hub to fight failure
The Karpenter auto-scaler's
Either written in Go or in Greek

So Amazon is transitioning
Thank you for listening
To all of the nonsense I say
Now I’m going home
Where I can be alone
And I’ll probably be sleeping ‘till May.

re:Quinnvent Day 5

Corey Quinn — Fri, 03 Dec 2021 10:20:44 -0800

AWS Morning Brief for Day 5 of re:Quinnvent on Friday, December 5 with Corey Quinn.

re:Quinnvent Day 4

Corey Quinn — Thu, 02 Dec 2021 08:09:05 -0800

AWS Morning Brief for Day 4 of re:Quinnvent on Thursday, December 2 with Corey Quinn.

re:Invent Week

Corey Quinn — Thu, 02 Dec 2021 03:00:00 -0800

Links:

Cost of a Data Breach Report: https://securityintelligence.com/cost-of-data-breach-bottom-line/
Got its ass handed to it in a security breach last week: https://threatpost.com/Godaddys-latest-breach-customers/176530/
Millions of Brazilians: https://www.zdnet.com/article/millions-of-brazilians-exposed-in-wi-fi-management-software-firm-leak/
“You can now securely connect to your Amazon MSK clusters over the internet”: https://aws.amazon.com/about-aws/whats-new/2021/11/securely-connect-amazon-msk-clusters-over-internet/
“AWS Security Profiles: Megan O’Neil, Sr. Security Solutions Architect”: https://aws.amazon.com/blogs/security/aws-security-profiles-megan-oneil-sr-security-solutions-architect/
AWS Security Profiles: Merritt Baer, Principal in OCISO: https://aws.amazon.com/blogs/security/aws-security-profiles-merritt-baer-principal-in-ociso/
Super important things to know: https://github.com/SummitRoute/aws_breaking_changes/issues/56
Permissions.cloud: https://aws.permissions.cloud/

Transcript

Corey: “Security is Job Zero” according to AWS. Next week I’ll have a fair bit on that I suspect, since this week is re:Invent. Let’s see what happened before the storm hit.

IBM put out its annual Cost of a Data Breach Report which is interesting, but personally I find it genius. This is how you pollute SEO for the
search term ‘IBM Data Breach’, which is surely just a matter of time if it hasn’t already happened.

Speaking of, GoDaddy effectively got its ass handed to it in a security breach last week. We found out of course via an SEC filing instead of GoDaddy doing the smart thing and proactively getting in front of it. Apparently they were breached for at least two-and-a-half months, nobody noticed, and 1.2 million people got their admin creds stolen. I can’t stress enough that you should not be doing business with
GoDaddy.

And to complete the trifecta, ‘Millions of Brazilians’ is a fun thing to say unless you’re talking about who’s been victimized by an S3 Bucket Negligence Award; then nobody’s having fun at all.

The AWS security blog had a few things to say. “You can now securely connect to your Amazon MSK clusters over the internet.” Wait, what? What the hell was going on before? Were you unable to access the clusters over the internet, or were you able to do so but it was insecurely? This is terrifying framing.

“AWS Security Profiles: Megan O’Neil, Sr. Security Solutions Architect.” I really dig these! The problem is that the AWS security blog only really seems to put these out around major AWS conferences when there’s a bunch of other announcements. I’d love it if more of the AWS blogs would do periodic “The faces, voices, and people that power AWS” profiles because I assure you, most of the people building the magic never take the stage at these conferences.

There was another profile of Merritt Baer. Who is a principal in the office of the CISO, and she’s an absolute delight. One of these days, post-pandemic, we’re going to try and record some kind of video or other, just so we can name it “Quinn and Baer it.”

Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills, and building a good community that is rich and full of IT and engineering professionals. You wouldn’t think those things go together, but sometimes they do. It’s both useful for individuals and large enterprises, but here’s what makes this something new—I don’t use that term lightly—Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks, you’ll have a chance to prove yourself. Compete in four unique lab challenges where they’ll be awarding more than $2,000 in cash and prizes. I’m not kidding: first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey—C-O-R-E-Y. That’s cloudacademy.com/corey. We’re going to have some fun with this one.

Corey: And of course, “Macie Classic alerts that derive from AWS CloudTrail global service events for AWS Identity and Access Management (IAM) and AWS Security Token Service (STS) API calls will be retired (no longer generated) in the us-west-2 (Oregon) AWS Region.” See, that’s one of those super important things to know, and I hate how AWS buries it. That said, don’t use Macie Classic because it is horrifyingly expensive compared to modern Macie.

And from the tools and tricks area, I discovered permissions.cloud last week and it’s great. The website uses a variety of information gathered within the IAM dataset and then exposes that information in a clean, easy-to-read format. It’s there to provide an alternate community-driven source of truth for AWS identity. It’s gorgeous as well, so you know it’s not an official AWS product.

And that’s what happened in AWS security. Thank you for listening. I’ll talk to you n...

re:Quinnvent Day 3

Corey Quinn — Wed, 01 Dec 2021 06:00:00 -0800

AWS Morning Brief for Day 3 of re:Quinnvent on Wednesday, December 1 with Corey Quinn.

Amazon Linux 2022: Codename setenforce 0

Corey Quinn — Wed, 01 Dec 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/amazon-linux-2022-codename-setenforce-0

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

re:Quinnvent Day 2

Corey Quinn — Tue, 30 Nov 2021 06:00:00 -0800

AWS Morning Brief for Day 2 of re:Quinnvent on Tuesday, November 30 with Corey Quinn.

re:Quinnvent Day 1

Corey Quinn — Mon, 29 Nov 2021 06:07:51 -0800

AWS Morning Brief for Day 1 of re:Quinnvent on Monday, November 29th, 2021 with Corey Quinn.

re:Quinnvent Week

Corey Quinn — Mon, 29 Nov 2021 03:00:00 -0800

AWS Morning Brief for the week of November 29, 2021 with Corey Quinn.

AWS Security Services Cost More Than The Breach

Corey Quinn — Thu, 25 Nov 2021 03:00:00 -0800

Links

$1.3 billion in funding: https://www.reuters.com/technology/cloud-security-startup-lacework-valued-83-bln-after-mammoth-funding-round-2021-11-18/
NSA and CISA: https://www.csoonline.com/article/3640576/6-key-points-of-the-new-cisansa-5g-cloud-security-guidance.html
Fined by Singapore’s regulatory authority: https://www.theregister.com/2021/11/18/redoorz_fined_for_massive_data_leak/
4 Security Questions to Ask About Your Salesforce Application: https://www.toolbox.com/it-security/security-vulnerabilities/guest-article/security-questions-to-ask-about-salesforce-application/
Managing temporary elevated access to your AWS environment: https://aws.amazon.com/blogs/security/managing-temporary-elevated-access-to-your-aws-environment/
Everything you wanted to know about trusts with AWS Managed Microsoft AD: https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/
Trailscraper: https://github.com/flosell/trailscraper

Transcript

Corey: Writing ad copy to fit into a 30-second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days, or weeks. Visit Qtorque.io today, and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.

Corey: Happy Thanksgiving. Lacework raised an eye-popping $1.3 billion in funding last week. I joke about it being a result of them sponsoring this podcast, for which I thank them, but that’s not the entire story. “Why would someone pay for Lacework when AWS offers a bunch of security services?” Is a reasonable question. The answer is that AWS offers a bunch of security services, doesn’t articulate how they all fit together super well, and the cost of running them all on a busy account likely exceeds the cost of a data breach. Security has to be simple to understand. An architecture diagram that looks busier than a London Tube map is absolutely not that. Cloud services are complex, but inside of that complexity lies a lot of room for misconfiguration. Being condescendingly told after the fact about AWS’s Shared Responsibility Model is cold comfort. Vendors who can simplify that story and deliver on that promise stand to win massively here.

Now, let’s see what happened last week. The NSA and CISA have a new set of security guidelines for 5G networks. I’m sorry, but what about this is specific to 5G networks? It’s all about zero trust, assuming that any given node inside the perimeter might be compromised, and the like. None of this is particularly germane to 5G, so I’ve got to ask, what am I missing?

A company called RedDoorz—spelled with a Z, because of course it is—was fined by Singapore’s regulatory authority for leaking 5.9 million records. That’s good. The fine was $54,456 USD, which seems significantly less good? I mean, that’s “Cost of doing business” territory when you’re talking about data breaches. In an ideal world it would hurt a smidgen more as a goad to inspire companies to do better than they are?
Am I just a dreamer here?

I found a list of 4 Security Questions to Ask About Your Salesforce Application, and is great, and I don’t give a toss about the Salesforce aspect of it. They are, one, who are the users with excessive privileges? Two, what would happen if a legitimate user started acting in a suspicious way? Three, what would happen if a threat actor gained access to sensitive data through a poor third-Party integration? And, four, what would happen if your incident log is not properly configured? These are important questions to ask about basically every application in your environment. I promise, you probably won’t like the answers—but attackers ask them constantly. You should, too.

Corey: Now, from the mouth of AWS horse, there was an interesting article there. Managing temporary elevated access to your AWS environment. Now, this post is complicated, but yes, ideally users shouldn’t be using accounts with permissions to destroy production in day-to-day use; more restricted permissions should be used for daily work, and then people elevate to greater permissions only long enough to perform a task that requires them. That’s the Linux ‘sudo’ model. Unfortunately, implementing this is hard and ‘sudo zsh’ is often the only command people ever run from their non-admin accounts.

And one more. Everything you wanted to know about trusts with AWS Managed Microsoft AD. Look, I don’t touch these things myself basically ever. I haven’t done anything with Active Directory since the mid-naughts, and I don’t want to know anything...

The AWS Managed NAT Gateway is Unpleasant and Not Recommended

Corey Quinn — Wed, 24 Nov 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/The-AWS-Managed-NAT-Gateway-is-Unpleasant-and-Not-Recommended

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Benjamin Button, AWS Monitron Product Manager

Corey Quinn — Mon, 22 Nov 2021 03:00:00 -0800

AWS Morning Brief for the week of November 22, 2021 with Corey Quinn.

Cloud Security Should Be Boring

Corey Quinn — Thu, 18 Nov 2021 03:00:00 -0800

Links:

re:Quinnvent: https://www.requinnvent.com
"ChaosDB: Researchers Share Technical Details of Azure Flaw”: https://www.darkreading.com/cloud/chaosdb-researchers-share-technical-details-of-azure-flaw
“Hackers Apologize to Arab Royal Families for Leaking Their Data”: https://www.vice.com/en/article/n7nw8m/conti-ransomware-hackers-apologize-to-arab-royal-families-for-leaking-their-data
AWS Artifact: https://aws.amazon.com/artifact/
Policy Sentry: https://github.com/salesforce/policy_sentry
Prowler: https://github.com/toniblyx/prowler

Transcript

Corey: Writing ad copy to fit into a 30 second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days or weeks. Visit Qtorque.io today and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.

Corey: As I prepare for re:Quinnvent, I notice that most of the flurry of announcements aren’t centered around security. This is probably for the best; if security becomes too exciting, you might be an Azure customer. Onward.

Let’s dive into what the whole Azure challenge is. The researcher who discovered the CosmosDB vulnerability that Azure suffered back in September have come out with a deeper dive into what they did and how they did it, and it is oh so very much worse than we thought. They were able to get access to the CosmosDB control plane itself.

Microsoft has continued to say nothing about this, in spite of lingering questions such as, “How on earth did you not detect what amounts to a hypervisor escape?” “Holy God, why did you architect these systems without strict tenant isolation in mind since the beginning?” “How are customers supposed to trust anything you’re selling from a security perspective?” And, “What kind of clown shop are you people running over there?”

Separately—and this is kind of amazing—a ransomware hacker gang publicly apologized and removed some of their stolen data because one of their victims was accidentally Mohammed bin Salman. You know, the crown prince of Saudi Arabia who resolves his differences with journalists via hit squads equipped with bone saws. These folks want to do crime, but the right level of crime; you know, the failure mode of, “Being extradited to serve time in a US federal prison,” not, “Being dismembered with a bone saw.”

Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals. Having the highest quality content in tech and cloud skills, and building a good community the is rich and full of IT and engineering professionals. You wouldn’t think those things go together, but sometimes they do. Its both useful for individuals and large enterprises, but here's what makes it new. I don’t use that term lightly. Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks you’ll have a chance to prove yourself. Compete in four unique lab challenges, where they’ll be awarding more than $2000 in cash and prizes. I’m not kidding, first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey. C-O-R-E-Y. That’s cloudacademy.com/corey. We’re gonna have some fun with this one!

AWS didn’t include much in the way of interest for security this week, so I’m going to draw your attention to AWS Artifact. It’s not a service in the traditional sense, but rather a no-cost, self-service portal for on-demand access to AWS’ compliance reports, of which there are oh so very many. You used to have to get these one-by-one from your account team under NDA; don’t do that. And for God’s sake don’t write your own. Grab these reports, throw them at your auditor, and get back to doing things that actually appear in your job description instead.

Let’s talk about tools. Policy Sentry came out of Salesforce and is deceptively simple in concept: it makes it way easier to write simple, narrowly scoped IAM policies. This is what the official IAM Access Analyzer wishes it were, but it’s simply not there yet.

And it’s also been a while since I dug into Prowler. Prowler is a command-line tool that helps you with AWS security assessment, auditing, hardening and incident response. Like most things that focus on CIS benchmarks, you’ll need to apply judgement. An awful lot of things in a responsible, secure environment make sense, but set off alarms from those benchmarks that are considerably more naive. And that’s what happened last week in security in the world of AWS. We have an interesting couple of weeks coming ahead. I’ll be talking to you more next week.

My re:Quinnvent Justification Letter 2021

Corey Quinn — Wed, 17 Nov 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link:
https://www.lastweekinaws.com/blog/my-re-quinnvent-justification-letter

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The AWS East West Canada Region

Corey Quinn — Mon, 15 Nov 2021 03:00:00 -0800

AWS Morning Brief for the week of November 15, 2021 with Corey Quinn.

Stop Embedding Credentials

Corey Quinn — Thu, 11 Nov 2021 03:00:00 -0800

Links:

Qtorque.io: https://qtorque.io
A disturbing article: https://doublepulsar.com/the-hard-truth-about-ransomware-we-arent-prepared-it-s-a-battle-with-new-rules-and-it-hasn-t-a93ad3030a54
Kaspersky’s Amazon SES token: https://www.bleepingcomputer.com/news/security/kasperskys-stolen-amazon-ses-token-used-in-office-365-phishing/
Twitch breach: https://www.esecurityplanet.com/cloud/twitch-breach-shows-difficulty-cloud-security/
Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda: https://aws.amazon.com/blogs/security/implement-oauth-2-0-device-grant-flow-by-using-amazon-cognito-and-aws-lambda/
Systems Manager Parameter Store: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

Transcript

Corey: It’s a pretty quiet week on the AWS security front because I’m studiously ignoring Robinhood’s breach. There’s nothing to see here.

So, Ransomware sucks and it’s getting worse. Kevin Beaumont wrote a disturbing article earlier this summer—that I just stumbled over, so it’s new to me—about how we effectively aren’t prepared for what’s happening in the ransomworld space. It’s a new battle with new rules, and we haven’t seen the worst of it by far. Now look, alarmism is easy to come by, but Kevin is very well respected in this space for a reason; when he speaks, smart people listen.

If you do nothing else for me this week, please, please, please be careful with credentials. Don’t embed them into apps you ship other places; don’t hardcode them into your apps; ideally for those applications you run on AWS itself you use instance or function or whatever roles that have ephemeral credentials. Because if you don’t, someone may steal them like they did with Kaspersky’s Amazon SES token and use it for Office365 phishing attacks.

And I found analysis that I rather liked about the Twitch breach—although I believe they pronounce it ‘Twetch’. It emphasizes that this stuff is hard, and it talks about the general principles that you should be considering with respect to securing cloud apps. Contrary to the narrative some folks are spinning, Twitch engineers were neither incompetent nor careless, as a general rule.

Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills and building a good community that is rich and full of IT and engineering professionals. You wouldn’t think those things go together, but sometimes they do. It’s both useful for individuals and large enterprises, but here’s what makes this something new—I don’t use that term lightly—Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks, you’ll have a chance to prove yourself. Compete in four unique lab challenges where they’ll be awarding more than $2,000 in cash and prizes. I’m not kidding: first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey—C-O-R-E-Y. That’s cloudacademy.com/corey. We’re going to have some fun with this one.

There was an AWS post: Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda. Awkward title but I like the principle here. The challenge I have is that Cognito is just. So. Difficult. I don’t think I’m the only person who feels this way.

Objectively, using Cognito is the best sales pitch I can imagine for FusionAuth or Auth0. I’m hoping for a better story at re:Invent this year from the Cognito team, but I’ve been saying that for three years now. The problem with the complexity is that once it’s working—huzzah, at great expense and difficulty—you’ll move on to other things; nobody is going to be able to untangle what you’ve done without at least as much work in the future, should things change. If it isn’t simple, I question its security just due to the risk of misconfiguration.

And this is—I don’t know if this is a tool or a tip; it’s kind of both. If you’re using AWS, which I imagine if you’re listening to this, you probably are, let me draw your attention to Systems Manager Parameter Store. Great service, dumb name. I use it myself constantly for things that are even slightly sensitive. And those things range from usernames to third-party credentials to URL endpoints for various things.

Think of it as a free version of Secrets Manager. The value of that service is that you can run arbitrary code to rotate credentials elsewhere, but it’ll cost you 40¢ per month per secret to use it. Now contrasted with that, Parameter Store is free. The security guarantees are the same; don’t view this as being somehow less secure because it’s missing the word ‘secrets’ in its name. Obviously, if you’re using something with a bit more oomph like HashiCorp’s excellent Vault, you can safely ignore everything that I just said. And that’s what happened last week in AWS security. If you’ve enjoyed listening to this, tell everyone you know to listen to it as well. Become an evangelist and annoy the hell out people, to my benefit. Thanks for listening and I’ll talk to you next week.

The Sneaky Weakness Behind AWS’ Managed KMS Keys

Corey Quinn — Wed, 10 Nov 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.
https://www.lastweekinaws.com/blog/The-Sneaky-Weakness-Behind-AWS'-Managed-KMS-keys

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon Thyme Sync

Corey Quinn — Mon, 08 Nov 2021 03:00:00 -0800

AWS Morning Brief for the week of 8 November, 2021 with Corey Quinn.

Security Awareness Training in Five Minutes

Corey Quinn — Thu, 04 Nov 2021 03:00:00 -0700

Links:

re:Quinnvent: https://requinnvent.com
Don’t be surprised when ‘move fast and break things’ results in broken stuff: https://cloudpundit.com/2021/10/27/dont-be-surprised-when-move-fast-and-break-things-results-in-broken-stuff/
Twitter thread: https://Twitter.com/quinnypig/status/1453214680764219392
Correlate security findings with AWS Security Hub and Amazon EventBridge: https://aws.amazon.com/blogs/security/correlate-security-findings-with-aws-security-hub-and-amazon-eventbridge/
Three ways to improve your cybersecurity awareness program: https://aws.amazon.com/blogs/security/three-ways-to-improve-your-cybersecurity-awareness-program/
Amazon releases free cybersecurity awareness training: https://www.aboutamazon.com/news/community/amazon-releases-free-cybersecurity-awareness-training
Quiet Riot: https://blog.traingrc.com/introducing-quiet-riot-c595cfa629e
AWS inventory collection tool: https://github.com/darkbitio/aws-recon
Deploys a Lambda: https://github.com/fivexl/Terraform-aws-CloudTrail-to-Slack

Transcript

Corey: This episode is sponsored in part by Liquibase. If you’re anything like me, you’ve screwed up the database part of a deployment so severely that you’ve been banned from ever touching anything that remotely sounds like SQL at least three different companies. We’ve mostly got code deployment solved for, but when it comes to databases, we basically rely on desperate hope, with a rollback plan of keeping our resumes up to date. It doesn’t have to be that way. Meet Liquibase. It’s both an open-source project and a commercial offering. Liquibase lets you track, modify, and automate database schema changes across almost any database, with guardrails that ensure you’ll still have a company left after you deploy the change. No matter where your database lives, Liquibase can help you solve your database deployment issues. Check them out today at liquibase.com. Offer does not apply to Route 53.

Corey: I’ll be hosting a drinkup-slash-meetup at Optimism Brewery in Seattle tonight at 7 p.m. if you’re in town, stop on by and let me buy you a drink. And of course, re:Quinnvent approaches if you’re interested in keeping up with what my nonsense looks like, check out requinnvent.com.

Corey: Let’s see what happened in the world of security last week. Lydia Leong of Gartner has been on a tear lately. Don’t be surprised when ‘move fast and break things’ results in broken stuff is her latest and an important read. The goal isn’t to slow things down; it’s to build guardrails that mean you can move fast, safely. That’s the goal of security, to provide safety, not impenetrable blockers to getting work done. Forget this at your own peril.

I also wrote my own Security Awareness Training in the form of a Twitter thread. It’s like a normal version except it’s funny. Don’t discount that, though; it’s not a joke. If you make people laugh, you’ve gotten their attention. If you have their attention, then you’ve got a chance to teach them something.

What’d AWS have to say about security last week? Correlate security findings with AWS Security Hub and Amazon EventBridge. So, let me get this straight. AWS sells and charges for Amazon GuardDuty, Amazon Macie, Amazon Inspector, and Amazon Detective, but still wants you to wire stuff together yourself in order to correlate events? How are they so good at the technology bits and so very bad at the ‘tying it all together with a neat presentation’ part?

Three ways to improve your cybersecurity awareness program. It would seem that one of them isn’t, “Google for ‘Azure Security September’ and stand back.” I like the three points—which are: to be sure to articulate personal value, be inclusive, and weave it into workflows—because they’re not technical, they’re psychological. That’s where security, just like cloud economics, starts and stops. It’s people more than it is computers.

And Amazon releases free cybersecurity awareness training. Unfortunately, the transcript is all of 700 words long. This is a problem. Part of the reason you have a program to train staff on cybersecurity awareness is so you can make a good-faith argument that when you inevitably suffer an attack, you’d done all that you could to train folks on proper security behaviors. Unfortunately, a training program that’s made of fewer words than this podcast episode seems unlikely to be convincing.

And now to the tool. Remember when I talked about being able to enumerate roles and account IDs via public calls, but AWS said it wasn’t a problem? Meet Quiet Riot, a tool built to do exactly that in bulk. This is going to be a problem that AWS will have to acknowledge at some point. I...

The Unfulfilled Promise of Serverless

Corey Quinn — Wed, 03 Nov 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/The-Unfulfilled-Promise-of-Serverless

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The AWS Cwoud Backstowy

Corey Quinn — Mon, 01 Nov 2021 07:21:39 -0700

AWS Morning Brief for the week of November 1, 2021 with Corey Quinn.

A Secretive Experiment

Corey Quinn — Thu, 28 Oct 2021 03:00:00 -0700

Links:

1Password University: https://blog.1password.com/introducing-1password-university/
Penetration testing: https://www.darkreading.com/cloud/pentesting-in-the-cloud-demands-a-different-approach
New AWS workbook for New Zealand financial services customers: https://aws.amazon.com/blogs/security/new-aws-workbook-for-new-zealand-financial-services-customers/
Secretive: https://github.com/maxgoedjen/secretive

Transcript

Corey: So, it’s been an interesting week in the world of AWS security, and a light one. And that’s okay. 1Password introduced 1Password University, and I’m interested in it, not because I expect to learn a whole lot that I didn’t know before about security, but because this might be able to replace my current, fairly awful Security Awareness Training.

See, a lot of companies have contractual requirements to provide SAT to their staff and contractors. Most of them are terrible courses that actively push crap advice like, “Rotate your password every 60 days.” This has the potential, just based on my experiences with 1Password, to be way better than that. But we’ll see.

“Things are different in the cloud,” is something of a truism, and that applies as much to penetration testing as anything else. Understanding that your provider may have no sense of humor whatsoever around this, and thus require you to communicate with them in advance, for example. There was a great interview with Josh Stella, who I’ve had on Screaming in the Cloud. He’s CEO of Fugue—that he will say is pronounced ‘Fugue’, but it’s ‘Fwage’—and he opined on this in an article I discovered, and interview, with quite some eloquence. I should really track him down and see if I can get him back on the podcast one of these days. It has been far too long.

now, from the mouth of AWS Horse. There’s a New AWS workbook for New Zealand financial services customers, and that honestly kind of harkens back to school: unnecessary work that you’re paying for the privilege of completing. But it is good to be able to sit down and work through the things you’re going to need to be able to answer in a world of cloud when you’re in a regulated industry like that, and those regulations vary from country to country. You can tell where the regulations around data residency are getting increasingly tight because that’s where AWS is announcing regions.

Corey: And of course, a tool for the week. I’ll be playing around with Secretive in the next week or two. It’s an open-source project that stores SSH keys in a Mac’s Secure Enclave instead of on disk. I don’t love the idea of having my key material on disk wherever possible, even though I do passphrase-protect it.

This stores it in the Mac Secure Enclave and presents it well. I’ve had a couple of problems on a couple of machines so far, and I’m talking to the developer in a GitHub issue, but it is important to think about these things. I, of course, turn on full-disk encryption, but if something winds up subverting my machine, I don’t want it to just be able to look at what’s on disk and get access to things that matter. That feels like it could blow up in my face.

Corey: And that’s really what happened last week in AWS security. It’s been a light week; I hope you enjoy it, there is much more to come next week, now that I’m back from vacation.

Corey: I have been your host, Corey Quinn, and if you remember nothing else, it’s that when you don’t get what you want, you get experience instead. Let my experience guide you with the things you need to know in the AWS security world, so you can get back to doing your actual job. Thank you for listening to the AWS Morning Brief: Security Editionwith the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.

The Dumbest Dollars a Cloud Provider Can Make

Corey Quinn — Wed, 27 Oct 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link : http://www.lastweekinaws.com/blog/the-dumbest-dollars-a-cloud-provider-can-make

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Chime SDK Background Bling

Corey Quinn — Mon, 25 Oct 2021 03:00:00 -0700

AWS Morning Brief for the week of October 25, 2021 with Corey Quinn.

AWS W(T)AF

Corey Quinn — Thu, 21 Oct 2021 03:00:00 -0700

Links:

Entirely optional for attackers: https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/
Worst Case: https://www.tbray.org/ongoing/When/202x/2021/10/08/The-WOrst-Case
Are looking to change that: https://www.theregister.com/2021/10/11/cyan_zero_day_legislative_project/
Introducing Security at the Edge: https://aws.amazon.com/blogs/security/introducing-the-security-at-the-edge-core-principles-whitepaper/
Password reuse: https://www.hypr.com/password-reuse/

Transcript

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it’s hard to know where problems originate. Is it your application code, users, or the underlying systems? I’ve got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter. Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud observability; it’s more than just hipster monitoring.

Corey: I must confess, I didn’t expect to see an unpatched AWS vulnerability being fodder for this podcast so early in the security lifespan here, but okay. Yes, yes, before I get letters, it’s not a vulnerability as AWS would define it, but it’s a pretty crappy default that charges customers money while giving them a false sense of security.

Past that, it’s going to be a short podcast this week, and that’s just fine by me because the point of it is, “The things you should know as someone who has to care about security.” On slow news weeks like last week that means I’m not here to give you pointless filler. Onward.

Now, AWS WAF is expensive and apparently, as configured by default, entirely optional for attackers. Only the first 8KB of a request are inspected by default. That means that any malicious payload that starts after the 8KB limit in a POST request will completely bypass AWS WAF unless you’ve explicitly added a rule to block any POST request greater than 8KB in size, which you almost assuredly have not done. Even their managed rule that addresses size limits only kicks in at 10KB. This is—as the kids say—less than ideal.

I had a tweet recently that talked about the horror of us-east-1 being globally unavailable for ages. Tim Bray took this and ran with the horrifying concept in a post he called, “Worst Case.” It’s really worth considering things like this when it comes to disaster and continuity planning. How resilient are our apps and infrastructure really when all is said and done? What dependencies do we take on third parties who in
turn rely on the same infrastructure that we’re trying to guard against failure from?

An unfortunate reality is that many cybersecurity researchers don’t have much in the way of legal protections; some folks are looking to change that through legislation. Here’s some good advice: if a security researcher reports a vulnerability to you or your company in good faith, perhaps not acting like a raging jackhole is an option that’s on the table. Bug bounties are hilariously small; they could make many times as much money by selling vulnerabilities to the highest bidder. Instead they’re reporting bugs to you in good faith. Word spreads. If you’re a hassle to deal with, other researchers won’t report things to you in the future. “Be a nice person,” is surprisingly undervalued when it comes to keeping yourself and your company out of trouble.

Now, only one interesting thing came out of the mouth of AWS horse last week in a security context, and it’s a Core Principles whitepaper: “Introducing Security at the Edge.” Setting aside entirely the fact that neither contributor to this has the job title of “EdgeLord,” I like it. Rather than focusing on specific services—although of course there’s some of that because vendors are going to vendor—it emphasizes how to think about the various considerations of edge locations that aren’t deep within hardened data centers. “How should I think about this problem,” is the kind of question that really deserves to be asked a lot more than it is.

and lastly, let’s end up with a tip of the week. If you have a multi-cloud anything, ensure that credentials are not shared between two cloud providers. I’m talking about passwords, keys, et cetera. This is a step beyond the standard password reuse warning of not using the same password for multiple accounts. Think it through; if one of your providers happens to be Azure, and they Azure up the security yet again, you really don’t want that to grant an attacker or other random Azure customers access to your AWS account as well, do you? I thought not.

Corey: And that is what happened last week in AWS security. I have been your host, Corey Quinn, and if you remember nothing else, it’s that when you don’t get what you want, you get experience instead. Let my experience guide you with the things you need to know in the AWS security world, so you can get back to doing your actual job. Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Pleas...

The Turbotax of AWS Billing

Corey Quinn — Wed, 20 Oct 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/The-Turbotax-of-AWS-Billing

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Butt Computing

Corey Quinn — Mon, 18 Oct 2021 03:00:00 -0700

AWS Morning Brief for the week of October 18, 2021 with Corey Quinn.

AWS Security is Twitching

Corey Quinn — Thu, 14 Oct 2021 03:00:00 -0700

Links:

Disclosed a nasty auto-delete bug: https://arstechnica.com/information-technology/2021/10/researcher-refuses-telegrams-bounty-award-discloses-auto-delete-bug/
Enroll basically all of it’s users: https://blog.google/technology/safety-security/making-sign-safer-and-more-convenient/
Worth taking a look: https://labs.bishopfox.com/tech-blog/IAM-vulnerable-assessing-the-aws-assessment-tools
Enumerate those yourself: https://www.hezmatt.org/~mpalmer/blog/2021/10/07/enumerating-aws-iam-accounts.html
AWS Access Keys: https://www.nojones.net/posts/aws-access-keys-a-reference/
Routes billions of text messages: https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked
“Enabling Data Classification for Amazon RDS database with Amazon Macie”: https://aws.amazon.com/blogs/security/enabling-data-classification-for-amazon-rds-database-with-amazon-macie/
“How to set up a two-way integration between AWS Security Hub and Jira Service Management”: https://aws.amazon.com/blogs/security/how-to-set-up-a-two-way-integration-between-aws-security-hub-and-jira-service-management/
“Update the alternate security contact across your AWS accounts for timely security notifications”: https://aws.amazon.com/blogs/security/update-the-alternate-security-contact-across-your-aws-accounts-for-timely-security-notifications/
CloudSploit: https://github.com/aquasecurity/cloudsploit

Transcript

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live. It gives you fake AWS API credentials, for example, and the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary in the weeks ahead.

Corey: To begin with, the big news is that week is the week of the year in which the Last Week in AWS charity shirt is available for sale. All proceeds to benefit 826 National. To get your snarky, sarcastic shirt, “The AWS Status Page,” this year, visit lastweekinaws.com/charityshirt and thank you in advance for your support.

Now, last week’s big security news was about Amazon’s subsidiary, Twitch—or Twetch, depending upon pronunciation. It had a bunch of its code repos and streamer payouts leaked. Given that they are in fact an Amazon company largely hosted on AWS, you know, except for the streaming parts; are you a lunatic? That would cost ALL the money—this makes it tricky for AWS to message this as not their problem as per their vaunted Shared Responsibility Model. What’s the takeaway? Too soon to say but, ouch.

From the community. Telegram offered a researcher a €1,000 bounty, which is just insultingly small. The researcher said, “Not so much,” and disclosed a nasty auto-delete bug. If you’re going to run a bug bounty program, ensure that you’re paying researchers enough money to incentivize them to come forward and deal with your no-doubt obnoxious disclosure process.

You can expect a whole bunch of people who don’t care about security to suddenly be asking fun questions as Google prepares to enroll basically all of its users into two-factor-auth. Good move, but heads up, support folks.

I found a detailed analysis of AWS account assessment tools. These use things like CloudSploit, which I’ll talk about in a bit, IAM Vulnerable, et cetera. Fundamentally, they all look at slightly different things; they’re also all largely the same, but it might be worth taking a look.

AWS has made statements indicating that they don’t believe that enumerating which IAM accounts exist in a given AWS account is a security risk, so someone has put out a great technique you can use to enumerate those yourself. Why not, since Amazon doesn’t find this to be a problem.

A reference to the various kinds of AWS Access Keys is also something I found relatively handy because I hadn’t seen this ever explained before. It taught me a lot about the different kinds of key nonsense that I encounter in the wild from time to time. Take a look, it’s worth the read.

...

Why I Turned Down an AWS Job Offer Revisited

Corey Quinn — Wed, 13 Oct 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/why-i-turned-down-an-aws-job-offer

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Charity T-Shirt Week

Corey Quinn — Mon, 11 Oct 2021 03:00:00 -0700

AWS Morning Brief for the week of October 11, 2021 with Corey Quinn.

DNSSEC Inspired Outages

Corey Quinn — Thu, 07 Oct 2021 03:00:00 -0700

Links:

Let’s Encrypt’s root certificate has expired, and it might break your devices: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/
Slack was bitten by DNSSEC: https://Twitter.com/tqbf/status/1443654964556013569
Prepare For Cybersecurity Assessments From Your Customers: https://www.securitysystemsnews.com/article/prepare-for-cybersecurity-assessments-from-your-customers
AWS Lambda now supports triggering Lambda functions from an Amazon SQS queue in a different account: https://aws.amazon.com/about-aws/whats-new/2021/09/aws-lambda-lambda-function-amazon-sqs-queue/
Migrating custom Landing Zone with RAM to AWS Control Tower: https://aws.amazon.com/blogs/mt/migrating-custom-landing-zone-with-ram-to-aws-control-tower/
Introducing the Ransomware Risk Management on AWS Whitepaper: https://aws.amazon.com/blogs/security/introducing-the-ransomware-risk-management-on-aws-whitepaper/
Validate IAM policies in CloudFormation templates using IAM Access Analyzer: https://aws.amazon.com/blogs/security/validate-iam-policies-in-cloudformation-templates-using-iam-access-analyzer/
Pacu: The Open Source AWS Exploitation Framework: https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/

Transcript
Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: Somehow we made it through an entire week without a major vendor having a headline-level security breach. You know, I could get used to this; I’ll take, “It’s harder for me to figure out what to talk about here,” over, “A bunch of customers are scrambling because their providers have failed them,” every time.

So, let’s see what the community had to say. Last week, as you’re probably aware, Let’s Encrypt’s root certificate expiredwhich caused pain for a bunch of folks. Any device or configuration that hadn’t been updated for a few years is potentially going to see things breaking. The lesson here is to be aware that certificates do expire. The antipattern is to do super-long registrations for thing, but that just makes it worse.

One of the things Let’s Encrypt got very right is forcing 90-day certificate rotations for client certs. When you’ve got to do that every three months, you know where all of your certificates are. If you’ve got to replace it once every ten years, you’ll have no clue; that was six employees ago.

In bad week news, Slack was bitten by DNSSEC when they attempted and failed to roll it out. DNSSEC is a bag of pain it’s best not to bother with, as a general rule. DNS is always a bag of pain because of caching and TTL issues. In effect, Slack tried to roll out DNSSEC—probably due to a demand by some big corporate customer—had it fail, panicked and rolled back the change, and was in turn bitten by outages as a bunch of DNS resolvers had the DS key cached, but the authoritative nameservers stopped publishing it. This is a mess and a great warning to those of us who might naively assume that anything like DNSSEC that offers improved security comes without severe tradeoffs. Measure twice, cut once because mistakes are going to show.

I also found a somewhat alarmist article talking about cybersecurity assessments from your customers and fine, but it brings up a good point. If you’re somehow responsible for security but don’t have security in your job title—which, you know, this show is aimed at—you may one day be surprised to have someone from sales pop up and ask you to fill out a form from a prospective customer. Ignore the alarm and the panic but you’re going to want to get towards something approaching standardization around how you handle those.

The first time you get one of these, it’s a novel exercise; by the tenth, you just want to have a prepared statement you can hand them so you can move on with things. Well, those prepared statements are often called things like, “SOC 2 certifications.” There’s a spectrum and where you fall on it depends upon who you work for and what you do. So, take them seriously and don’t be surprised when you get one.

AWS had a few interesting security-related announcements. AWS Lambda now supports triggering Lambda functions from an Amazon SQS queue in a different account. That doesn’t sound like a security announcement, so why am I talking about it? Because until recently, it wasn’t possible so a lot of folks scoped their IAM policies very...

The Compelling Economics of Cloudflare R2

Corey Quinn — Wed, 06 Oct 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/The-Compelling-Economics-of-Cloudflare-R2

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Cloudflare's Object Storage Lesson

Corey Quinn — Mon, 04 Oct 2021 03:00:00 -0700

AWS Morning Brief for the week of September 3, 2021 with Corey Quinn.

F5's Refreshing Culture

Corey Quinn — Thu, 30 Sep 2021 03:00:00 -0700

Links:

“I Trust AWS IAM to Secure my Applications. I Don’t Trust the IAM Docs to Tell Me How”: https://ben11kehoe.medium.com/i-trust-aws-iam-to-secure-my-applications-i-dont-trust-the-iam-docs-to-tell-me-how-f0ec4c119e79
“Introduction to Zero Trust on AWS ECS Fargate”: https://omerxx.com/identity-aware-proxy-ecs/
Threat Stack Aquired by F5: https://techcrunch.com/2021/09/20/f5-acquires-cloud-security-startup-threat-stack-for-68-million/
AWS removed from CVE-2021-38112: https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/
Ransomware that encrypts the contents of S3 buckets: https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/

Transcript

Corey: This podcast seems to be going well. The Meanwhile in Security podcast has been fully rolled over and people are chiming in with kind things, which kind of makes me wonder, is this really a security podcast? Because normally people in that industry are mean.

Let’s dive into it. What happened last week in security? touching AWS, Ben Kehoe is on a security roll lately. His title of the article in full reads, “I Trust AWS IAM to Secure My Applications. I Don’t Trust the IAM Docs to Tell Me How”, and I think he’s put his finger on the pulse of something that’s really bothered me for a long time. IAM feels arcane and confusing. The official doc just made that worse For me. My default is assuming that the problem is entirely with me, But that’s not true at all. I suspect I’m very far from the only person out there who feels this way.

An “Introduction to Zero Trust on AWS ECS Fargate” is well-timed. Originally when Fargate launched, the concern was zero trust of AWS ECS Fargate, But we’re fortunately past that now. The article is lengthy and isn’t super clear as to the outcome that it’s driving for and also forgets that SSO was for humans and not computers, But it’s well documented and it offers plenty of code to implement such a thing yourself. It’s time to move beyond static IAM roles for everything.

Threat Stack has been a staple of the Boston IT scene for years; they were apparently acquired by F5 for less money than they’d raised, which seems unfortunate. I’m eagerly awaiting to see how they find F5 for culture. I bet it’s refreshing.

and jealous of Azure as attention in the past few episodes of this podcast, VMware wishes to participate by including a critical severity flaw that enables ransomware in vCenter or vSphere. I can’t find anything that indicates whether or not VMware on AWS is affected, So those of you running that thing you should probably validate that everything’s patched. reach out to your account manager, which if you’re running something like that, you should be in close contact with anyway.

Corey: Now from AWS themselves, what do they have to say? not much last week on the security front, their blog was suspiciously silent. scuttlebutt on Twitter has it that they’re attempting to get themselves removed from an exploit, a CVE-2021-38112, which is a remote code execution vulnerability. If you have the Amazon workspaces client installed, update it because a malicious URL could cause code to be executed in the client’s machine. It’s been patched, but I think AWS likes not having public pointers to pass security lapses lurking around. I don’t blame them, I mean, who wants that? The reason I bring it up is Not to shame them for it, but to highlight that all systems have faults in them. AWS is not immune to security problems, nor is any provider. It’s important, to my mind, to laud companies for rapid remediation and disclosure and to try not to shame them for having bugs in the first place. I don’t always succeed at it, But I do try. But heaven help you if you try to blame an intern for a security failure.

And instead of talking about a tool, Let’s do a tip of the week. Ransomware is in the news a lot, But so far, all that I’ve seen with regard to ransomware that encrypts the contents of S3 buckets is theoretical proofs—or proves—of concept. That said, for the data you can’t afford to lose, you’ve got a few options that stack together neatly. The approach distills down to some combination of enabling MFA delete, enabling versioning on the bucket, and setting up replication rules to environments that are controlled by different credential sets entirely. This will of course become both maintenance-intensive and extremely expensive for some workload...

The Actual Next 1 Million Cloud Customers

Corey Quinn — Wed, 29 Sep 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/The-Actual-Next-1-Million-Cloud-Customers

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Old Zealand's Data Center Migration

Corey Quinn — Mon, 27 Sep 2021 03:00:00 -0700

AWS Morning Brief for the week of September 27,2021 with Corey Quinn.

OMIGOD, Get it Together Already

Corey Quinn — Thu, 23 Sep 2021 03:00:00 -0700

Links:

WTF? Microsoft makes fixing deadly OMIGOD flaws on Azure your job: https://www.theregister.com/2021/09/17/microsoft_manual_omigod_fixes/
Travis CI flaw exposed secrets of thousands of open source projects: https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/
How to Build Strong Security Guardrails in the AWS Cloud With Minimal Effort: https://markn.ca/2021/how-to-build-strong-security-guardrails-in-the-aws-cloud-with-minimal-effort/
Introduction to OWASP Top 10 2021: https://owasp.org/Top10/
AWS SIGv4 and SIGv4A: https://shufflesharding.com/posts/aws-sigv4-and-sigv4a
Inside Figma: getting out of the (secure) shell: https://www.figma.com/blog/inside-figma-getting-out-of-the-secure-shell/
AWS Firewall Manager now supports AWS WAF rate-based rules: https://aws.amazon.com/about-aws/whats-new/2021/09/aws-firewall-manager-waf-rate-based-rules/
How to automate incident response to security events with AWS Systems Manager Incident Manager: https://aws.amazon.com/blogs/security/how-to-automate-incident-response-to-security-events-with-aws-systems-manager-incident-manager/
New Standard Contractual Clauses now part of the AWS GDPR Data Processing Addendum for customers: https://aws.amazon.com/blogs/security/new-standard-contractual-clauses-now-part-of-the-aws-gdpr-data-processing-addendum-for-customers/
Protect your remote workforce by using a managed DNS firewall and network firewall: https://aws.amazon.com/blogs/security/protect-your-remote-workforce-by-using-a-managed-dns-firewall-and-network-firewall/
AWS Security Hub Automated Response and Remediation: https://github.com/awslabs/aws-security-hub-automated-response-and-remediation
Checkov: https://github.com/bridgecrewio/checkov

Transcript

Corey: Oh, for th—this is the third episode of the Last Week in AWS slash AMB: Security Edition, and instead of buying a sponsorship like a reasonable company, Microsoft Azure is once again forcing me to talk about their cloud instead, via completely blowing it when it comes to security. Again. Not only did they silently install an agent onto virtual machines in Azure that add a handful of trivially exploitable vulnerabilities, it’s also apparently your job to fix it for them. I have to confess, I take Azure a lot less seriously than I did a month ago.

Now, let’s dive in here. Speaking of terrible things, it’s honestly difficult for me to imagine a company screwing the pooch harder than TravisCI did this month. They had a bug that started leaking private credentials into public build logs; this is bad. They fixed it; this is good. And then only begrudgingly disclosed it in a buried release with remarkably little public messaging; this is unfathomable. At this point, if you’re using TravisCI, get the hell off of it. Mistakes happen to every vendor. The ones that try to hide their mistakes are absolutely not companies you can trust.

If you put up a slide deck and accompanying notes entitled How to Build Strong Security Guardrails in the AWS Cloud With Minimal Effort, I’m probably going to take a look at it because strong guardrails are important and minimal effort is critical if you expect it to actually get done. If you’re also my longtime friend Mark Nunnikhoven, then I’m going to default to treating it as gospel because Mark frankly does not miss when it comes to AWS concepts explained in an easily approachable way. Security has got to be aligned with the way engineers work within your environment. Remember, it’s not that hard to spin up a new AWS account on someone’s corporate credit card; you absolutely do not want to incentivize that behavior.

Corey: I periodically say the OWASP Top 10, which is a list of the most critical security risks for applications on the web, has not meaningfully ch...

17 More Ways to Run Containers on AWS

Corey Quinn — Wed, 22 Sep 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/17-more-ways-to-tun-containers-on-aws

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Billed on AWS For Startups

Corey Quinn — Mon, 20 Sep 2021 03:00:00 -0700

AWS Morning Brief for the week of September 20, 2021 with Corey Quinn.

I Azure You This Shall Pass

Corey Quinn — Thu, 16 Sep 2021 03:00:00 -0700

Links:

Principals in AWS IAM: https://ben11kehoe.medium.com/principals-in-aws-iam-38c4a3dc322a
You Don’t Need to Burn off Your Fingertips (and Other Biometric Authentication Myths): https://www.troyhunt.com/you-dont-need-to-burn-off-your-fingertips-and-other-biometric-myths/
Amazon Detective offers Splunk integration: https://aws.amazon.com/about-aws/whats-new/2021/09/amazon-detective-splunk-integration/
IAM Vulnerable - An AWS IAM Privilege Escalation Playground: https://labs.bishopfox.com/tech-blog/iam-vulnerable-an-aws-iam-privilege-escalation-playground

Transcript

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these are empowered to do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. Take a look at this: what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can even get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary in the weeks ahead.

Corey: Ben Kiko, cloud robotics research scientist at iRobot—motto: “All IoT sucks, but ours is supposed to”—walks us through Principles in AWS IAM. It’s short, it’s concise, and it’s definitely worth taking the time to dig into what he has to say. If you only hunt down one thing from this podcast this week, this is the one.

[Version three of OpenSSL was released 00:03:19], so expect a few conversations around that. There’s also apparently a Rusttls, which is ostensibly OpenSSL rewritten in Rust for the modern era but is in practice just another talking point for the Rust evangelism strikeforce, who is actively encouraged not to find a way to leave a comment on this episode.

Sneak or Snack or Synack raised—however they’re pronounced—[raised a big funding round last week 00:03:19] and still stubbornly refuses to buy a vowel. More interestingly, they report that 50% of security jobs are unfilled. Further, any solution predicated on devs becoming security experts is doomed, which is exactly the point of this podcast. What you need to know about cloud security, minus the fluff and
gatekeeping. Okay fine, yes, and some snark added to keep it engaging because my God, is it dull without that.

Another week, another [Azure Security failure 00:03:19]. This time a flaw existed that could leak data between users of Azure Container Services. Look, this whole thing is about AWS, so why do I talk about Azure issues like this? Simply put, people are going to bring it up in a cloud isn’t secure context, and you should be aware of what they’re talking about when they do. Azure, please get it together. Stuff like this hurts all cloud providers.

Corey: Troy Hunt has a post informing you that despite what your AWS bill may have you believe in the moment, self-immolation is unnecessary. Okay, that’s not actually his point, but specifically, You Don’t Need to Burn off Your Fingertips (and Other Biometric Authentication Myths) doesn’t hit quite the same way. It’s a super handy reminder that for most of you folks, adversaries are not going to steal your fingerprints to get into your systems. They’re either going to bribe you or hit you with a wrench until you tell them your password.

From the mouth of AWS horse—or from the horse’s AWS—Amazon Detective offers Splunk integration. Amazon Detective and the Case of the Missing Mountain of Money is apparently this month’s hot comic book.

And AWS—motto: “Opinions my own”—has a [security checklist 00:03:19], and it’s worth taking a look at because a few of these items that they issue from time to time are, like, “Use multiple AWS accounts,” directly contravenes older guidance. It’s always good to check on things like this around best practices that AWS is putting out there because even if you don’t make changes to your systems as a result, you should know where AWS’s head is at with respect to where the future of the industry is going.

And lastly, there was an interesting tool that came out called IAM Vulnerable. It’s an IAM privilege escalation playground that lets you muck around with exploiting improperly set IAM policies. It’s a good way to kill an hour on an afternoon when you’re not particularly motivated to do other things. Another good ‘I need a distraction’ task is rotating reused or weak passwords that you have in your password manager. And that’s what happened.

Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at

Why Your AWS Bill is Likely a Product of 2 Pizza Teams

Corey Quinn — Wed, 15 Sep 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/awss-per-service-margins/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon EKS AnyVMware

Corey Quinn — Mon, 13 Sep 2021 03:00:00 -0700

AWS Morning Brief for the week of September 13, 2021 with Corey Quinn.

Welcome to AMB: Security Edition

Corey Quinn — Thu, 09 Sep 2021 03:00:00 -0700

Links:

Enumeration vulnerability in AWS: https://twitter.com/donkersgood/status/1433148548565151748
Lacework Cloud Threat Report: https://info.Lacework.com/2021-cloud-threat-report.html
High Availability WireGuard On AWS: https://www.procustodibus.com/blog/2021/02/ha-wireguard-on-aws/
How to improve visibility into AWS WAF with anomaly detection: https://aws.amazon.com/blogs/security/how-to-improve-visibility-into-aws-waf-with-anomaly-detection/
How US federal agencies can authenticate to AWS with multi-factor authentication: https://aws.amazon.com/blogs/security/how-us-federal-agencies-can-authenticate-to-aws-with-multi-factor-authentication/
Ransomware mitigation: Top 5 protections and recovery preparation actions: https://aws.amazon.com/blogs/security/ransomware-mitigation-top-5-protections-and-recovery-preparation-actions/
Top 10 security best practices for securing data in Amazon S3: https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-data-in-amazon-s3/

Transcript

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these are empowered to do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. Take a look at this: what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can even get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary in the weeks ahead.

Corey: This is the inaugural episode of what is going to become a weekly feature, the AWS Morning Brief: Security Edition, where I do what I normally do: round up the news from Amazon’s cloud ecosystem, pick the things that I find interesting and make fun of them, only in the security world. This is going to be things that the rest of us need to care about, not the things that AWS feels a content need to put out there, but no one in the trenches tends to read. If you don’t work in security—by which I mean have the word security not in your job title—you’re in the right place. Neither do I, but I still have to care. So, what happened last week? Well, let’s dive in and we’ll see how this show shapes up.

We begin with the fact that there’s a contingent of anti-cloud folks out there who make the argument that [the cloud is somehow insecure, unsafe for your data, and not something you should be doing 00:08:26]. I generally have little patience for those folks, but when Azure’s Cosmos DB had a bug that allowed third parties unfettered and unlogged access to customer data, I’m hard-pressed to disagree with them. Events like this aren’t good for anyone. Companies don’t say things like, “Wow, as your security seems dicey, I’m going to use AWS or Google Cloud instead.” They say things instead, like, “Can’t trust the cloud. Hey, Dewey, fire up your Motel Six loyalty card because you’re about to spend the next nine months on the road building more company data centers for us.” Events like this weaken us all.

The second volume of the Lacework Cloud Threat Report has been released, and one of the things I really appreciate about it is that it talks about what’s actually going on in the wild, not invented theoretical threats that are designed to get you to shovel money into their product. I do not and will not condone the fear, uncertainty, and doubt—or FUD—marketing approach. There’s a reason that The Duckbill Group’s web pages are about how we help, not stuffed full of dire warnings about what might go wrong and blow the budget. If I can do it, so can the entire security industry. Nice job, Lacework, on that one.

There was a [great screed on Twitter 00:08:26] last week on the perils of using AWS read-only managed policies. The gist of the argument is that AWS is always updating these things, and permissions that aren’t included today may well be included tomorrow. Further, AWS does indeed have over-scoped permissions in managed policies. I gave a talk about one of them at re:Invent 2019. It’s a good thing to be aware of. While managed policies are definitely convenient, even AWS claims its security policies all squarely on the customer side of the shared responsibility model. Well, when they screw theirs up, they claim that anyway.

Luc van Donkersgoed recently found an enumeration vulnerability in AWS that allows users to determine valid account IDs and any IAM principles in it. AWS insists that this information is not sensitive and thus this doesn’t constitute a vulnerability. I can see that viewpoint, but if it’s true, why do AWS blog post screenshots always blur the account ID? Why isn’t there an API to explicitly get the account ID for a given resource?

The AWS documentation on account identifiers states that you shouldn’t provide credentials to third parties; it doesn’t say anything about account IDs. The messaging is, at a minimum, confusing. Until then, treat your AWS account ID as sensitive, I guess. There’s not a lot of reason for third parties to need it. I just wish AWS wo...

SaaS Cost Tools Suck

Corey Quinn — Wed, 08 Sep 2021 06:44:26 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/saas-cost-tools-suck

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Malevolent Clown Computing

Corey Quinn — Mon, 06 Sep 2021 03:00:00 -0700

AWS Morning Brief for the week of September 6, 2021 with Corey Quinn.

Hey AWS, You’re Missing Forrest for the Trees

Corey Quinn — Wed, 01 Sep 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link https://www.lastweekinaws.com/blog/hey-aws-youre-missing-forrest-for-the-trees/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Error 500: You Suck At Computers

Corey Quinn — Mon, 30 Aug 2021 03:00:00 -0700

AWS Morning Brief for the week of August 30, 2021 with Corey Quinn.

How to Effectively Interview for Work with a Portfolio Site

Corey Quinn — Thu, 26 Aug 2021 07:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/How-to-Effectively-Interview-for-Work-with-a-Portfolio-Site

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Forget MemoryDB

Corey Quinn — Mon, 23 Aug 2021 03:00:00 -0700

AWS Morning Brief for the week of August 23, 2021 with Corey Quinn.

A MultiCloud Rant

Corey Quinn — Fri, 20 Aug 2021 03:00:00 -0700

Transcript

Corey: This episode is sponsored in part by our friends at ChaosSearch. You could run Elasticsearch or Elastic Cloud—or OpenSearch as they’re calling it now—or a self-hosted ELK stack. But why? ChaosSearch gives you the same API you’ve come to know and tolerate, along with unlimited data retention and no data movement. Just throw your data into S3 and proceed from there as you would expect. This is great for IT operations folks, for app performance monitoring, cybersecurity. If you’re using Elasticsearch, consider not running Elasticsearch. They’re also available now in the AWS marketplace if you’d prefer not to go direct and have half of whatever you pay them count towards your EDB commitment. Discover what companies like Klarna, Equifax, Armor Security, and Blackboard already have. To learn more, visit chaossearch.io and tell them I sent you just so you can see them facepalm, yet again.

Corey: You know what really grinds my gears? Well, lots of things, but in this case, let’s talk about multi-cloud. Not my typical rant about multi-cloud not ever being a good best practice—because it’s not—but rather how companies talk about multi-cloud. HashiCorp just did a whole survey on how multi-cloud is the future, and at no point during that entire process did they define the term. So, you wind up with a whole bunch of people responding, each one talking about different things.

Are we talking about multiple clouds and we have a workload that flows between them? Are we talking about, “Well, we have some workloads on one cloud provider and a different set of workloads on other cloud providers?” Did they break it down as far as SaaS companies go of, “Yeah, we have an application and we’d like to run it all on one cloud, but it’s data-heavy and we have to put it where our customers are, so of course we’re on multiple cloud providers.” And then you wind up with the stories that other companies talk about, where you have a bunch of folks where their sole contribution to the ecosystem is, “Ah, you get a single pane of glass between different cloud providers.”

You know who wants that? No one. The only people who really care about those things are the folks who used to sell those items and realized that if this dries up and blows away, they have nothing left to sell you. There’s also a lot of cloud providers who are deep into the whole multi-cloud is the way and the light and the future because they know if you go all-in on a single cloud provider, it will certainly not be them. And then you have the folks who say, “Go in on one cloud provider and don’t worry about it. It’ll be fine. If you need to migrate down the road, you can do that.”

And I believe that that’s generally the way that you should approach things, but it gets really annoying and condescending when AWS tells that story because from their perspective, yeah, just go all-in and use Dynamo as your data store for everything even though there’s really no equivalent on other cloud providers. Or, “Yeah, go ahead and just tie all of your data warehousing to some of the more intricate and non-replicable parts of S3.” And so on and so forth. And it just feels like they’re pushing a lock-in narrative in many respects. I like having the idea of a strategic Exodus, where if I have to move a thing down the road, I don’t have to reinvent the data model.

And a classic example of what I would avoid in that case is something like Google Spanner—or Google Cloud Spanner, or whatever the one they sell us is—because yeah, it’s great, and it’s awesome. And you wind up with, effectively, what looks like an ACID-compliant SQL database that spans globally. But there’s nothing else quite like that, so if I have to migrate off, it’s not just a matter of changing APIs, I have to re-architect my entire application to be aware of the fact that I can’t really have that architecture anymore, just from a data flow perspective. And looking at this across the board, I find that this is also a bit esoteric because generally speaking, the people who are talking the most about multi-cloud and wanting to avoid lock-in, are treating the cloud like it’s fundamentally an extension of their own crappy data center where they run a bunch of VMs and that’s it.

They say they want to be multi-cloud, but they’re only ever building for one cloud, and everything that they’re building on top of it is just reinventing baseline primitives. “Oh, we don’t trust their load balancers. We’re going to run our own with Nginx or HAProxy.” Great. While you’re doing that, your competitors are getting further ahead.

You’re not even really in the cloud: you basically did the lift part of it, declined to shift, declared victory, and really the only problem you solve for is you suck at dealing with hard drive failure, so you used to deal with outages in your data center and now your cloud provider handles it for you at a premium that’s eye-wateringly high.

Corey: I really love installing, upgrading, and fixing security agents in my cloud estate. Why do I say that? Because I sell things for a company that deploys an agent. There’s no other reason. Because let’s face it; agents can be a real headache. Well, Orca Security now gives you a single tool to detect basically every risk in your cloud environment that’s as easy to install and maintain as a smartphone app. It is agentless—or my intro would have gotten me in trouble here—but it can still see deep into your AWS workloads while guaranteeing 100% coverage. With Orca Security there are no overlooked assets, no DevOps headaches—and believe me, you will hear from those people if you cause them headaches—and no performance hits on live environment. Connect your first cloud account in minutes and see for yourself at orca dot security. That’s orca—as in whale—dot security as in that thing your company claims to care about but doesn’t until right after it really should have.

Corey: Look, I don’t mean to be sitting here saying that this is how every company operates because it’s not. But we see a lot of multi-cloud narrative out there, and what’s most obnoxious about all of it is that it’s coming from companies that are strong enough to stand on their own. And by pushing this narrative, it’s increasingly getting to a point where if you’re not in a multi-cloud environment, you start to think, “Maybe I’m doing something wrong.” You’re not. There’s no value to this.

Remember, you have a business that you’re trying to run, in theory. Or for those of us who are still learning things, yeah, we want to learn a cloud provider before we learn all the cloud providers, let’s not kid ourselves. Pick one, go all-in on for the time being, and don’t worry about what the rest of the industry is doing. We’re not trying to collect them all. There is no Gartner Magic Quadrant for Pokemons and I don’t think the cloud providers should be one of them.

I know I’ve talked about this stuff before, but people keep making the same fundamental errors and it’s time for me to rant on it just a smidgen more than I have already.

Thank you for listening, as always to Fridays From the Field on the AWS Morning Brief. And as always, I’m Chief Cloud Economist Corey Quinn, imploring you to continue to make good choices.

Announcer: This has been a HumblePod production. Stay humble.

The Next Million Cloud Customers

Corey Quinn — Wed, 18 Aug 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/the-next-million-cloud-customers

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

There's No re:Inforce-ment Learning Without Pavlov's Charlie Bell

Corey Quinn — Mon, 16 Aug 2021 03:00:00 -0700

AWS Morning Brief for the week of August 16, 2021 with Corey Quinn.

re:Imagining AWS re:Invent

Corey Quinn — Wed, 11 Aug 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/re:imagining-aws-re:invent

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Accenture Web Services

Corey Quinn — Mon, 09 Aug 2021 03:00:00 -0700

AWS Morning Brief for the week of August 9 2021 with Corey Quinn.

How AWS is Still Egregiously Egressing

Corey Quinn — Fri, 06 Aug 2021 03:00:00 -0700

Links:

AWS’s Egregious Egress: https://blog.cloudflare.com/aws-egregious-egress/

Transcript

Corey: Hi there. Chief Cloud Economist Corey Quinn from the Duckbill Group here to more or less rant for a minute about something it’s been annoying the heck out of me for a while, as anyone who follows me on Twitter or subscribes to the lastweekinaws.com newsletter, or passes me in a crowded elevator will attest to, and that is AWS’s data transfer story.

Back on July 23rd—of 2021, for those listening to this in future years—CloudFlare did a blog post titled AWS’s Egregious Egress, and that was co-authored by Matthew Prince—CloudFlare’s CEO—and Nitin Rao—who is one of their employees. Presumably. That was somewhat unclear—and it effectively tears down the obnoxious—and I mean deeply obnoxious—level of AWS data transfer pricing for egress to the outside world.

And there’s a bunch of things to unpack in this blog post, where they wind up comparing AWS pricing to the wholesale bandwidth market. And they go into a whole depth for those who aren’t aware of how bandwidth is generally charged for. And the markups that they come up with for AWS are, in many cases, almost 8,000%, which is just ludicrous, in some respects, because—spoiler—every year, give or take, the wholesale cost of network bandwidth winds up dropping by about 10%, give or take. And the math that they’ve done that I’m too lazy to check, says that in effect, given that they don’t tend to reduce egress bandwidth pricing, basically ever, while the wholesale market has dropped 93%, what we pay AWS hasn’t. And that’s obnoxious.

They also talk—rather extensively—about how ingress is generally free. Now, there’s a whole list of reasons that this could be true, but let’s face it, when you’re viewing bandwidth into AWS as being free, you start to think of it that way of, “Oh, it’s bandwidth, how expensive could it possibly be?” But when you see data coming out and it charges you through the nose, you start to think that it’s purely predatory. So, it already starts off with customers not feeling super great about this. Then diving into it, of course; they’re pushing for the whole bandwidth alliance that CloudFlare spun up, and good for them; that’s great.

They have a bunch of other providers willing to play games with them and partner. Cool, I get it. It’s a sales pitch. They’re trying to more or less bully Amazon into doing the right thing here, in some ways. Great, not my actual point.

My problem is that it’s not just that data transfer is expensive in AWS land, but it’s also inscrutable because, ignoring for a second what it costs to send things to the outside world, it’s more obnoxious trying to figure out what it costs to send things inside of AWS. It ranges anywhere from free to very much not free. If you have a private subnet that’s talking to something in the public subnet that needs to go through a managed NAT gateway, whatever your transfer price is going to be has four and a half cents per gigabyte added on to it with no price breaks for volume. So, it’s very easy to wind up accidentally having some horrifyingly expensive bills for these things and not being super clear as to why. It’s very challenging to look at this and not come away with the conclusion that someone at the table is the sucker.

And, as anyone who plays poker is able to tell you, if you can’t spot the sucker, it’s you. Further—and this is the part that I wish more people paid attention to—if I’m running an AWS managed service—maybe RDS, maybe DynamoDB, maybe ElastiCache, maybe Elasticsearch—none of these things are necessarily going to be best-to-breed for the solution I’m looking at, but their replication traffic between AZs in the same region is baked into the price and you don’t pay a per-gigabyte fee for this. If you want to run something else, either run it yourself on top of EC2 instances or grab something from the AWS marketplace that a partner has provided to you. There is no pattern in which that cross-AZ replication traffic is free; you pay for every gigabyte, generally two cents a gigabyte, but that can increase significantly in some places.

Corey: I really love installing, upgrading, and fixing security agents in my cloud estate. Why do I say that? Because I sell things for a company that deploys an agent. There’s no other reason. Because let’s face it; agents can be a real headache. Well, Orca Security now gives you a single tool to detect basically every risk in your cloud environment that’s as easy to install and maintain as a smartphone app. It is agentless—or my intro would have gotten me in trouble here—but it can still see deep into your AWS workloads while guaranteeing 100% coverage. With Orca Security there are no overlooked assets, no DevOps headaches—and believe me, you will hear from those people if you cause them headaches—and no performance hits on live environment. Connect your first cloud account in minutes and see for yourself at orca dot
security. That’s orca—as in whale—dot security as in that thing your company claims to care about but doesn’t until right after it really should have.

Corey: It feels predatory, it feels anti-competitive, and you look at this and you can’t shake the feeling that somehow their network group is being evaluated on how much profit it can turn, as opposed to being the connective tissue that makes all the rest of their services work. Whenever I wind up finding someone who has an outsized data transfer bill when I’m doing the deep-dive analysis on what they have in their accounts, and I talk to them about this, they come away feeling, on some level, ripped off, and they’re not wrong. Now, if you take a look at other providers—like Oracle Cloud is a great example of this—their retail rate is about 10% of what AWS’s for the same level of traffic. In other words, get a 90% discount without signing any contract and just sign the dotted line and go with Oracle Cloud. Look, if what you’re doing is bandwidth-centric, it’s hard to turn your nose up at that, especially if you start kicking the tires and like what you see over there.

This is the Achilles heel of what happens in the world of AWS. Now, I know I’m going to wind up getting letters about this because I always tend to whenever I rant about this that no one at any significant scale is paying retail rate for AWS bandwidth. Right, but that’s ...

The Cloud's Competing Approaches to Deprecation

Corey Quinn — Wed, 04 Aug 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/The-Clouds-Competing-Approaches-to-Deprecation

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

EC2 Classic Shuffleboard

Corey Quinn — Mon, 02 Aug 2021 03:30:00 -0700

AWS Morning Brief for the week of August 2, 2021, with Corey Quinn.

Optimize Yourself Before You Invest Yourself

Corey Quinn — Fri, 30 Jul 2021 03:00:00 -0700

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Tim: And I’m Tim Banks.

Jesse: This is the podcast within a podcast where we talk about all the ways that we’ve seen AWS used and abused in the wild. Today, we’re going to be talking about the relationship between cost optimization work and investing in reservations or private pricing with AWS. This is kind of a situation conversation. Let’s say you’ve got three months left on your EDP, or maybe your spend is reaching the point where you’re starting to think about investing in, or signing an EDP. But you’ve also got some cost optimization opportunities that you want to work on. How do you prioritize those two ideas?

Tim: I think when we’re talking about this, first it’s important to talk about what goes into an EDP, like, what it is and what it involves. So, EDP for AWS is Enterprise Discount Program, and what it involves is you making a monetary commitment to AWS to spend a certain amount over a certain amount of time. So, a three year EDP, you’re going to spend X amount in one year, X amount the next year, and X amount the third year for a total of whatever you decide on. So, you know, AWS typically going to want 20% year-over-year growth, so you’re going to say—you’re going to spend a million dollars, and then a million dollars plus 20% is something like $1.2 million; then, you know, 20% of that and so forth and
so on.

And then so your total commit will be somewhere around, like, $3.6, $3.7 million, we’ll say, right? Once you signed the EDP, that’s how much you’re going to get billed for, minimum. So, it’s important to cost optimize before you make that commitment because if AWS is expecting you and you’re on the hook to make 20% year-over-year growth, but then you optimize and you save 20% of your bill, it won’t matter because you’re still going to owe AWS the same amount of money even if you cost-optimize.

Jesse: Yeah, I want to take a step back and talk about EDP—as we mentioned, Enterprise Discount Program—also has—there’s a couple other flavors that give you a variety of different types of discounts. EDP generally focuses on a cross-service discount for a certain annual commit, but there are also private pricing agreements or private pricing addendums, and other private pricing, generally speaking, offered by AWS. All of those basically expect some amount of either spend on a yearly basis or some amount of usage on a yearly basis, in exchange for discounts on that usage. And really, that is something that, broadly speaking, we do recommend you focus on, we do recommend that you invest in those reservations, but it is important to think about that—I agree—I would say after cost optimization work.

Amy: The thing is that AWS also provides discounts that are commandment required, that you don’t need an EDP for, namely in reservations and savings plans. So, you would similarly be on the hook if you decide, “I have this much traffic, and I want to savings plan or reservation for it.” And then suddenly you don’t have that requirement anymore, but you still have to make up that commitment.

Tim: I’ll say, I think too, that also matters when you’re looking at things like reservations. If you’re going to reserve instances, you’re going to get an idea of how many you’re specifically going to need, so that way you’re not reserving too many, and then you optimize, you downsize, and all of a sudden, now you have all these reservations that you’re not going to use.

Jesse: One thing to also call out: when renewing an EDP, or private pricing, or when entering into a new agreement for any kind of private pricing with AWS, they will generally look at the last six months of your usage—either broadly speaking if it’s an EDP, or specifically within a specific AWS service if it’s private pricing for a specific service—and they will double, basically, that spend over the last six months and expect you to continue spending that. So, if you spent a high amount of money over the last six months, they’re going to expect that kind of trend to continue, and if you enter into an agreement with that 12-month spend, essentially, going forward, and then make cost optimization changes, you’re ultimately going to be on the hook for this higher level of spending you’re not spending any more. So, if you focus on that cost
optimization work first, it will ultimately give you the opportunity to approach AWS with a lower commit level, which may ultimately mean a lower tier of percentage discount, but ultimately, then you’re not on the hook for spend that you wouldn’t otherwise be spending.

Tim: I think one of the main things people see, too, is when they’ve looked at, like, oh, what’s the low hanging fruit for me to get lower the cost? They’ll think, “Oh, well, I can do EDP,” because AWS is going to want you to sign on; they would love to have that guaranteed money, right? And a lot of times, that’s going to be a much easier thing to do, organizationally, than the work of cost optimization because almost always, that involves engineering hours, it involves planning, it involves some changes that are going to have to be made that’s probably going to be harder than just signing a contract. But again, it’s super necessary because you really need to know, have eyes open, when you’re going to go, and figure out what you’re going to commit, whether it’s private pricing agreement, or an EDP, or reservations. You want to go in there and at least decide what you want to do, what it should look like, get as optimized and as lean as you can, then make your commitments. And then once you get to an EDP, that’s when you’re going to want to do your reservation or savings plans purchases and things like that, so you do that with a discount across those.

Jesse: Yeah, that’s another important thing to point out: focus on the cost optimization work first. Get your architecture, your workloads, as optimized as possible, or as optimized as you can within the given timeframe, then focus on the investment because then you’ll be able to have a much better idea of what your growth is going to look like year-over-year for an EDP or any kind of private pricing. And then after that, purchase any reservations, like reserved instances or savings plans because ultimately, then you get not only the discount from the EDP that you just signed, but any upfront payments that you make, or partial upfront payments that you make for those reservations applied towards your first year EDP. So ultimately, not only are you getting a discount on that, but you are also able to...

The Amazonian Evil Infecting AWS

Corey Quinn — Wed, 28 Jul 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/the-amazonian-evil-infecting-aws

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Prix Fixe IP Prefixes

Corey Quinn — Mon, 26 Jul 2021 03:00:00 -0700

AWS Morning Brief for the week of July 26, 2021 with Corey Quinn.

AWS Isn’t a Threat to OSS

Corey Quinn — Fri, 23 Jul 2021 03:00:00 -0700

Transcript

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Tim: And I’m Tim Banks.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild. Today, we’re going to be talking about AWS, an open-source software. Now, that’s kind of a broad topic, but there have been some specific, recent events I’ll say, over the last year maybe or maybe even less, related to AWS and open-source software that really got us talking, and I wanted to have a deeper conversation with both of you on this topic.

Tim: Well, you should probably start by going over some of the things that you’re mentioning, when you say ‘some of these things,’ what are those things, Jesse?

Jesse: Yeah. So, I think the best place to start is what constitutes open-source software. And specifically, I think, not just what constitutes open-source software, but how does that differ from an open-source company?

Tim: So, open-source software can be anything: Linux kernel, bash, anything like that, any Python functioning module. If you make a piece of software, whatever it is, and you license it with one of the various open-source licenses, or your own open-source license or whatever, it’s something that the community kind of owns. So, when they get big, they have maintainers, everything like that, but at its essence, it’s a piece of software that you can freely download and use, and then you’re free to modify it as you need, and then it’s up to the specifics of the license to whether you’re required to send those modifications back, to include them, or to whatever. But the essence is that it’s a piece of software that’s free for me to use and free for me to modify under it’s license.

Jesse: And one of the other things I want to add to that is, correct me if I’m wrong here, but isn’t a lot of open-source software is very community-owned, so there’s a lot of focus on folks from the community that is using this software giving back not because they need to under the licensing, necessarily, but because they want to continue using this and making it better over time.

Amy: I think one of the issues is that becomes a very opinionated kind of statement where there are a lot of people in the open-source community who feel that if you’re going to use something and make changes to better suit what your needs are, that you should be able to submit those changes back to the community, or back to whoever owns the base of the software. But that said, it’s like the community edition of MySQL before Microsoft bought it, where the assumption was that there’s essentially a candidate of it that anyone can use without the expectation of submitting it back.

Jesse: So, that’s a broad definition of open-source software, but how does open-source software, broadly speaking, differ from an open-source company? I’m thinking specifically there is the open-source software of Elasticsearch, for example, or I should say, previously the open-source software of Elasticsearch that was owned by the open-source company, Elastic. So, what does that relationship look like? How does an open-source company like that differ from the open-source software itself?

Tim: So, there are typically a couple of ways. Usually, a company that is the owner of an open-source product still has some kind of retention of the IP in their various licenses that they can do that with, but essentially—and this is in the words of one of the founders of Elastic—that they’re benevolent dictators over the software. And so they allow folks to contribute, but they don’t have to. And most of those open-source software companies will have a commercial version of that software that has other features that are not available, packages with support or some of the things like that, some kind of value-added thing that you’re going to wind up paying for. The best way to describe—like you said—there’s the company Elastic and then the product Elasticsearch.

I relate back to before: there was Red Hat Linux, which was open-source, and then the company Red Hat. And I remember when they went public and everyone was shocked that a company can make profit off of something they gave away for free. But while the core of the software itself was free, the support was not free, nor was the add-on features that enterprises wanted. And so that tends to be kind of what the business model is, is that you create the software, it’s open-source for a while to get a big user base, and then when it gets adopted by enterprises or people that really would pay for support or for other features, that’s when the license tends to change, or there’s a fork between the open-source version and then the commercial version.

Jesse: And it definitely sounds like there can be benefits to an open-source company essentially charging for not just the open-source software, but these extra benefits like supports and additional features because I know I’ve traced multiple code bugs back to a piece of open-source software that there’s a PR or an issue that has been sitting open for months, if not longer because the community just doesn’t have the time to look into the issue, doesn’t have the time to work on the issue, they are managing it on their own, separate as a side job, separate from their day-to-day work. Whereas if that is a bug that I’m tracing back to a feature in an open-source piece of software, or I should say software that I am paying for through an open-source company, I have a much clearer support path to a resolution to resolving that issue.

Tim: And I think what the end up doing is then you see it more like a traditional core software model, like, you know, a la Oracle, or something like that where you pay for the software essentially, but it comes packaged with these things that you get because of it, and then there’s a support contract on top of it, and then there’s hosting or cloud, whatever it is, on top of that, now, but you would still end up paying for the software and then support as part of the same deal. But as you know, these are for-profit companies. People get paid for them; they are publicly traded; they sell this software; they sell this product, whether it’s the services or the hosting, for profit. That is not open-source software. So, if company X that makes software X, goes under, they are acting like the software would then go under as if the software doesn’t belong to the community.

So, a business that goes after a business is always going to be fair play; I believe they call it capitalism. But when you talk about going after open-source software, you’re looking at what Microsoft was doing in the ’90s and early 2000s, with Linux and other open-source challenges to the Windows and the other paid commercial enterprise software market. When folks started using Linux and servers because it was free, c...

The Great Lie

Corey Quinn — Wed, 21 Jul 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/the-great-lie/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The Festival of Quinns

Corey Quinn — Mon, 19 Jul 2021 03:00:00 -0700

AWS Morning Brief for the week of July 19, 2021 with Corey Quinn.

AWS Application Cost Profiler

Corey Quinn — Fri, 16 Jul 2021 03:00:00 -0700

Transcript

Corey: This episode is sponsored in part byLaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visitlaunchdarkly.com and tell them Corey sent you, and watch for the wince.

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Tim: And I’m Tim Banks.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild with a healthy dose of complaining about AWS for good measure. Today, we’re going to be talking about a recent addition to the AWS family: AWS Application Cost Profiler.

Tim: But hold on for a second, Jesse, because AWS Application Cost Profiler we can get to; that’s rather unremarkable. I really want to talk about how impressed I am with AWS InfiniDash. I’ve been benchmarking this thing, and it is fan… tastic. It’s so good. And we could probably talk about for a while, but suffice to say that I am far more impressed with AWS InfiniDash than I am with AWS Application Cost Profiler.

Jesse: You know, that’s fair. And I feel like InfiniDash should absolutely get credit where credit is due. I want to make sure that everybody can really understand the full breadth of everything that InfiniDash is able to accomplish. So, I want to make sure that we do get to that; maybe in a future episode, we can touch on that one. But for right now, I have lots of feelings about AWS Application Cost Profiler, and what better place to share those feelings than with two of my favorite people, Amy and Tim, and then all of you listeners who are listening in to this podcast. I can’t wait to dive into this. But I think we should probably start with, what is AWS Application Cost Profiler?

Amy: It is [unintelligible 00:01:54] in a trench coat.

Jesse: [laugh].

Amy: Which is the way AWS likes to solve problems sometimes. And in this case, it’s talking about separating billing costs by tenants by service, which is certainly a lot of things that people have problems with.

Jesse: That is a lot of buzzwords.

Amy: A lot of words there.

Jesse: Yeah. Looking at the documentation, the sales page, “AWS Application Cost Profiler is a managed service that helps us separate your AWS billing and costs by the tenants of your service.” That has a lot of buzzwords.

Tim: Well, to be fair, that’s also a majority of the documentation about service.

Jesse: Yeah, that is fair. That is a lot of what we saw, and I think we’ll dive into that with documentation in a minute. But I do want to call out before we dive into our thoughts on this service—because we did kick the tires on this service and we want to share what our experience was like, but I do want to call out that this problem that AWS Application Cost Profiler is trying to solve. This idea of cost allocation of shared resources, it is a real, valid problem and it is one that is difficult to solve.

Amy: And we’ve had clients that have had this very explicit problem and our findings have been that it’s very difficult to accurately splice usage and spend against what’s essentially consumption-based metrics—which is how much a user or request is using all the way along your pipeline—if they’re not using dedicated resources.

Jesse: Yeah, when we talk about cost allocation, generally speaking, we talk about cost allocation from the perspective of tagging resources, broadly speaking, and moving resources into linked accounts and separating spend by linked accounts, or allocating spend by linked accounts. But if you’ve got a shared compute cluster, a shared database, any kind of shared resources where multiple tenants are using that infrastructure, slapping one tag on it isn’t going to solve the issue. Even putting all of those shared resources in a single linked account isn’t going to solve that issue. So, the problem of cost allocation for shared resource is real; it is a valid problem. So, let’s talk specifically about AWS Application Cost Profiler as a solution for this problem. As I mentioned, we kicked the tires on this solution earlier this week and we have some thoughts to share.

Tim: I think one of the main things around this AWS Application Profiler like I said, there’s some problems that can be solved there, there’s some insights that people really want to gain here, but the problem is people don’t want to do a lot more work or rewrite their observability stack to do it. The problem is, that’s exactly what AWS Cost Profiler seems to be doing or seems to want you to do. It doesn’t get data from, I think it only gets data from certain EC2 services, and it’s just, it’s doing things that you can already do in other tools to do aggregation. And if I’m going to do all the work to rewrite that stack, to be able to use the Profiler, am I going to want to spend that time doing something else? I mean, that kind of comes to the bottom line about it.

Jesse: Yeah, the biggest thing that I ran into, or that I experienced when we were setting up the Cost Profiler, is that documentation basically said, “Okay, configure Cost Profiler and then submit your data.” And [unintelligible 00:05:54] stop, like wait, what? Wait, what do you mean, ‘submit data?’ And it said, “Okay, well now that you’ve got Cost Profiler as a service running, you need to upload all of the data that Cost Profiler is going to profile for you.” It boggles my mind.

Tim: And it has to be in this format, and it has to have these specific fields. And so if you’re not already emitting data in that format with those fields, now you have to go back and do that. And it’s not really solving any problems, but it offers to create more problems.

Amy: And also, if you’re going to have to go through the work of instrumenting and managing all that data anyway, you could send it anywhere you wanted to. You could send it to your own database to your own visualization. You don’t need Profiler after that.

Jesse: Yeah, I think that’s a really good point, Amy. AWS Cost Profiler assumes that you already have this data somewhere. And if not, it explicitly says—in its documentation it says, to generate reports you need to submit tenant usage data of your software applications that use shared AWS resources. So, it explicitly expects you to already have this data. And if you are going to be looking for a solution that is going to help you allocate the cost of shared resources and you already have this data somewhere else, there are better solutions out there than AWS Application Cost Profiler. As Amy said, you can send that data anywhere. AWS Application Cost Profiler probably isn’t going to be the first place that you think of because it probably doesn’t have as many features as other solutions.

Amy: If you were going to instrument things to that level, and let’s say you were using third-party services, you could normalize your...

Corey Writes Open-Source Code for Lambda and Tailscale

Corey Quinn — Wed, 14 Jul 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

https://www.lastweekinaws.com/blog/Corey-Writes-Open—Source-Code-for-Lambda-and-Tailscale

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The Transitive Property of Cloud Bills

Corey Quinn — Mon, 12 Jul 2021 03:00:00 -0700

AWS Morning Brief for the week of July 12, 2021 with Corey Quinn.

AWS Account Teams and You

Corey Quinn — Fri, 09 Jul 2021 03:00:00 -0700

Links

Pete and Jesse Talk Account Managers

Transcript
Corey: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the Cloud: low effort, high visibility and detection. To learn more, visit lacework.com.

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Tim: And I’m Tim Banks.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure. Today, we’re going to be talking about, really, a couple things; building your relationship with AWS, really. This stems from one of the questions that we got from a listener from a previous event. The question is, “How do the different companies that we’ve worked with work with AWS? Is the primary point of contact for AWS at a company usually the CTO, the VP of engineering, an architect, an ops person, a program manager, or somebody from finance, a [unintelligible 00:01:00] trainer? Who ultimately owns that relationship with AWS?”

And so we’re going to talk about that today. I think there’s a lot of really great content in this space. Pete and I, back in the day, recorded an episode talking about building your relationship with your account manager, and with your TAM, and with AWS in general. I’ll link that in the show notes. That’s a great precursor to this conversation. But I think there’s a lot of great opportunities to build your relationship and build rapport with AWS, as you work with AWS and as you put more things on the platform.

Amy: I think one of the things we always say right off the bat is that you should introduce yourself and make a good relationship with your account manager and your technical account manager, just because they’re the ones who, if you need help, they’re going to be the ones to help you.

Jesse: Yeah, I think one of the things that we should also take a step back and add is that if you are listening to this and you’re saying to yourself, “I don’t have an account manager,” that’s actually wrong; you do have an account manager. Anybody who’s running workloads on AWS has an account manager. Your account manager might not have reached out to you yet because usually speaking, account managers don’t reach out unless they see that you’re spending a certain amount of money. They usually don’t start a conversation with you unless you specifically are spending a certain amount of money, have reached a certain threshold, and then they want to start talking to you about opportunities to continue using AWS, opportunities to save money, invest in AWS. But you definitely have an account manager and you should definitely start building that rapport with them as soon as possible.

Amy: First question. How do you actually engage your account manager?

Tim: So, there’s a couple ways to do it. If you have reached a certain spend threshold where your account manager will reach out to you, it’s real simple: you just reply back to them. And it kind of depends. The question most people are going to have is, “Well, why do I need to reach out to my account manager? If I just have, like, a demo account, if I’m just using free tier stuff.”

You probably don’t ever need to reach out to your account manager, so what are the things, typical things that people need to reach out to their account manager for? Well, typically because they want to grow and want to see what kind of discounts are offered for growth, and I want to see what I can do. Now, you can open a support ticket, you can open a billing ticket, but what will end up happening is once you reach a spend threshold, your account manager will reach out to you because they want to talk to you about what programs they have, they want to see how they can help you grow your account, they want to see what things they can do for you because for them, that means you’re going to spend more money. Most account managers within a little bit of time of you opening your account and reaching a lower spend threshold, they’re going to send you an email and say, “Hey, this is my name, this is how you reach me,” et cetera, et cetera. And they’ll send you some emails with links to webinars or other events and things like that, and you can typically reply back to those and you’ll be able to get your account manager sometimes as well. But like I said, the easiest way to get a hold of your account manager or find out who it is, is to start increasing your spend on AWS.

Jesse: So, then if you’re a small company, maybe a startup or maybe just a student’s using AWS for the first time, likely that point of contact within a company is going to be you. From a startup perspective, maybe you are the lead engineer, maybe you are the VP of engineering, maybe you are the sole engineer in the company. We have seen most organizations that we talk to have a relationship with AWS, or build that relationship or own that relationship with AWS at a engineering management or senior leadership level. Engineering management seems to be the sweet spot because usually, senior leadership has a larger view of things on their plate than just AWS so they’re focused on larger business moves for the company, but the engineering manager normally has enough context and knowledge of all of the day-to-day specifics of how engineering teams are using AWS to really be involved in that conversation with your account manager, with your technical account manager, or with your solutions architect, or whatever set of folks you have from AWS’s side for an account team. And I think that’s another thing that we should point out as well, which is, you will always have an account manager; you won’t always have a technical account manager.

The technical account manager generally comes in once you have signed an enterprise discount program agreement. So, generally speaking, that is one of the perks that comes with an EDP, but obviously, there are other components to the EDP to be mindful of as well.

Tim: So, let me clarify that. You get a technical account manager when you sign up for enterprise support. You don’t have to have an EDPs to have enterprise support, but when you sign up for enterprise support, you automatically get a technical account manager.

Jesse: And, Tim, if you could share with everybody, what kind of things can you expect from a technical account manager?

Tim: So, a technical account manager, I mean, they will do—like, all TAMs everywhere pretty much can liaise with support to escalate tickets or investigate them and see what’s going on with them, try and, kind of, white-glove them into where they need to be. AWS TAM’s, they also have the same—or a lot of ...

The Lessons of AWS Infinidash

Corey Quinn — Wed, 07 Jul 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/the-lessons-aws-infinidash

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Andy Jassy Infinidashes Upstairs

Corey Quinn — Mon, 05 Jul 2021 03:00:00 -0700

AWS Morning Brief for the week of July 5, 2021 with Corey Quinn.

Tagging Isn’t Just About Cost

Corey Quinn — Fri, 02 Jul 2021 03:00:00 -0700

Links:

Transcript

Corey: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the Cloud: low effort, high visibility and detection. To learn more, visit lacework.com.

Jesse: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Tim: And I’m Tim Banks.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure. Today, we’re actually going to talk about a very specific listener question that we didn’t get to last week, but really, we had so many thoughts on this topic that we wanted to break it out into its own episode. So, today we’re going to be talking about tagging, and the importance of tagging, and how tagging can be used. And when I say tagging, specifically we’re talking about user-defined cost allocation tags. The original question that I’ll read off was from [Aaron 00:00:58].

Aaron asks, “Is tagging over-recommended as a cost reporting mechanism? I recently took on managing my company’s AWS bill and when talking to AWS and reading third-party blog posts about cost management, a solid tagging strategy is often extolled this step zero for understanding AWS costs. Based on what I know about AWS so far, this approach seems like it may work for some aspects of cost management, but does not seem to be a sound strategy for more formal cost reporting, like budgeting or calculating total spend for a given product or cost center. To me, these activities require complete or near-complete accuracy the tags just don’t seem to be able to provide since there are some costs like data transfer that aren’t tagged, and the fact that the tags are not retroactive—” that’s a big one that I can say is super frustrating for me. “Is there something I’m missing here? Is there in fact, a way to use these tags to ensure that 100% of an AWS account’s costs are in fact attributed back to a specific cost center accurately? It seems drastically simpler to embrace a multi-account strategy where each account is simply billed to whatever cost center makes sense to the organization.” So, Amy and Tim, again, the main question here is, is tagging over-recommended as a cost reporting mechanism?

Tim: The simple answer is no, it is not over-recommended. And the question makes a lot of good points around some of the heartaches and some the problems that come with tagging, specifically about tags not being retroactive, but, if you’re going to make changes to reflect changes in the past, I mean, you know, I don’t really have a good answer for that, if we’re being honest. But if we’re talking about going forward, tracking costs from this point forward, tagging is going to be a much more concise solution than using multi-account strategy. That said, there are a lot of reasons you should use multi-account strategy and tagging together. Multi-account strategy and tagging strategies should definitely be an ‘and’ situation, not an ‘or’ situation. That’s like pizza or steak. No. It’s both pizza and steak.

And I feel like because there are a number of non-cost reasons to use multiple accounts, especially in AWS, the biggest concern of which are service limits, right? Service limits, as you know, are done by account by region, so, if I have a service limit of S3 buckets that I can create—and I think that the hard limit is, like, one thousand—once I need that one thousandth and one S3 bucket, I have to create another account. That account can still be production, it can still be for all the same things that I’ve used for anything else, but I had to add another account so I can spin up S3 buckets. So, how do I track those, what those buckets are for, what those costs are going to be? I’m going to track those with tags.

And I’m going to track those tags from the payer account, or from up in the organization. So, as you set up multiple accounts, you can have—even if they’re all production, they still need to be tagged. Even if they’re all dev, they still need to be tagged. If you’re using the account vending machine style stuff from Control Tower where you spin up a sandbox account, you run some stuff, and then you throw it away, tagging is going to be the best way to track those costs, not just the fact that this account is named a certain thing. Names are arbitrary; they don’t really reflect necessarily what they’re going to be for, accounts can come and go.

So, I don’t necessarily like the use of name. Plus, sometimes it’s hard to do that if you’re doing, like, [unintelligible 00:04:21] various countries and things like that, various languages. Different things can impart different meanings. Tags also still probably use language
problems, but they are arbitrary values. You know you’re going to try and lump these all together; that’s all that matters.

So, I definitely think that, if we’re using tagging, tagging is going to let you be more concise with your costs, it’s going to let you apply costs across different accounts more readily, it’s going to let you apply costs across different cloud providers, especially if you use one of the CMP tools like CloudHealth, or Cloudcheckr, or something like that and you run production workloads from a single cost center across multiple clouds, you’re going to want to tag those in those tools, so, that way, you can keep a consistent track and more concise tracking of costs, versus just using account names. Account names after a while is going to just become unmanageable when it comes to tracking costs.

Amy: I totally agree. And one of the big things that I harp on, especially on this podcast, is that if you’re worried that it’s not going to be as explicit as other billing methods, you will still at least have that data. You will still know per resource—if it’s properly tagged—who it’s supposed to be charged to and who owns it. You would make that decision on an architectural level, you should also make it for your bill, just to make sure that if you ever need that information in the future, you can go get it. You’re not going to get it—since they don’t happen retroactively, then you may as well do it as early as possible.

Jesse: Yeah. It’s super frustrating that a lot of this information is not available retroactively. And while I understand the technical limitations to that, I can’t harp enough why starting to tag resources early is super, super critical to understanding that spend, and using that tagging setup, that tagging policy, to better understand your spend in a number of different ways. But ...

I Scored 81% on my AWS Certification Exam, Locking in my re:Invent Lounge Pass

Corey Quinn — Wed, 30 Jun 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link[https://www.lastweekinaws.com/blog/I-Scored-81%-on-my-AWS-Certification-Exam,-Locking-in-my-re:Invent-Lounge-Pass

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The Wickr Managed Service

Corey Quinn — Mon, 28 Jun 2021 03:00:00 -0700

AWS Morning Brief for the week of June 28, 2021 with Corey Quinn.

Should I Attend re:Invent?

Corey Quinn — Fri, 25 Jun 2021 03:00:00 -0700

Transcript

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Tim: I’m Tim Banks.

Jesse: This is the podcast within a podcast where we talk about all the ways that we’ve seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure. Today on the show, we are going to be talking about AWS re:Invent. Now, I know that most of you know what re:Invent is, but I just would love to set the playing field level for everybody really quick. Amy, Tim, what is AWS re:Invent.

Tim: AWS re:Invent is AWS’s week-long corporate conference. It’s not really a user conference; it’s certainly not, like, a community conference, but it’s a week-long sales pitch in the desert. It’s like the worst version of a corporate Burning Man you could ever imagine because they even have a concert.

Jesse: It is in Las Vegas. Now, I personally have mixed feelings about going to Las Vegas in general, but this adds so much to the conference in general because it’s not just in a single conference venue that’s centrally located near the hotels. Is it is across the strip—

Amy: It’s the entire strip.

Jesse: It’s the entire strip. So—

Amy: They block every hotel and they buy every piece of ad space.

Jesse: Yes. There is no escaping AWS re:Invent for the entire week that you’re there. And sometimes that’s a good thing because you do want to be involved in what’s going on, but other times, it is a lot.

Tim: So, I’m trying to figure out which LP that ‘buy the entire Las Vegas trip’ covers because it’s certainly not be frugal.

Amy: No. [laugh].

Jesse: No, not at all. But we do have new information. We decided to do this episode specifically because new information was just released about re:Invent for this year. Amy, what is that information? What do we know?

Amy: They’ve decided, in having to go virtual last year, due to some kind of horrible global crisis, to return in person to the world’s most densely packed tourist spot, Las Vegas, and host this huge event from November 29th to December 3rd—that’s right after Thanksgiving—and just, what do they say? Return to normal. Return to normal.

Tim: That way everybody can get exposed to COVID before they go home for the holidays.

Jesse: [laugh].well, you at least get one holiday in, if you celebrate or recognize Thanksgiving, and then you get to bring everything back after that.

Amy: Yeah, people bring enough things back from Vegas. I’m not sure we’d have to find more reasons. [laugh].

Tim: [laugh].

Jesse: I know that there’s that great marketing tactic of, “What happens in Vegas stays in Vegas,” but—

Tim: That’s not what they say at the clinic.

Jesse: Nope. Mm-mm. Now, I will say, I know that almost every conference event was completely virtual last year due to the pandemic, and this year, a lot of conferences are still trying to straddle that line between what’s acceptable, can we do maybe smaller events in person, some kind of a hybrid online/in-person thing. I have mixed feelings on this. I appreciate that I can still attend AWS re:Invent from home this year digitally, I can still watch a lot of the main keynote events and a lot of the other information that is being shared, but I don’t know, it’s always hard because if you do a hybrid event, you’re automatically going to miss out on any of that in-person socializing and networking.

Tim: Well. So, I think it’s interesting. AWS re:Invent suffers from the same issue that pretty much all other conferences suffer from is that there’s not really value-add in the talks, at least for attending.

Jesse: Yeah.

Amy: If you’re going to be able to see those talks afterwards if the announcements are going to be publicized afterwards which, that is true in both cases, then what’s the point of spending the money, and the time, and the possible exposure to go watch them in person? So, then the other thing is, “Well, we want to go for some of the training seminars,” or some of these other things. Well, those are also offered online, often. Or, like, copies of them online. These are the same kinds of tutorials like that that you can have your TAM or SA run if you’re an AWS customer currently; that’s what they’re doing there.

The other thing is, too, those in-person sessions get filled up so quickly that there’s no guarantee [unintelligible 00:05:08] anyways. And that’s one of the complaints they’ve had about re:Invent in the past is that you can’t get into any of the sessions. And so, you couple all that along with most of the reason going being—if it’s not the talks and is not the sessions, it’s the hallway track. And then you got to kind of wonder, is the hallway track going to be valuable this year because if it’s hybrid, what percent of the people that you would normally
talk to you are going to be there and what percentage aren’t? And so there’s a lot of calculus that’s got to go into it this year.

Jesse: I’ve always struggled with any vendor-sponsored event, all the talks feel either like a sales pitch, or they feel like a use case that just doesn’t fit for me. And that may just be where I’m at in my professional journey; there’s definitely reasons to go if you want to see some of these talks or see some of this information live, or be the first person to talk about it. Or even the people who are going to be the news sources for everybody else who want to be the first person to talk about, “Oh, we attended, and we saw these things and were live-tweeting the entire conference.” If that’s your shtick, I fully support that, but I always struggle going to any kind of vendor conference because I just feel like the value that I get from the talks, from training if I go to training, just doesn’t feel like enough for me, personally.

Amy: So, I’ve done some of the AWS-led training when Summit was in Chicago, a couple years ago, and I’ll be honest, you lose a lot in these large AWS-led trainings because these classes, it’s not going to be like the ones that you would sign up for even being hosted either by your company or by your local user group chapter where you will have at max 100 people. You have well over that. You have an entire conference room full of people, and they’re asking questions that are across the level of expertise for that topic. I went for one of the certification training seminars and straight-up 15 minutes was spent talking about what a region is. And given that’s page one of any training material, that was a waste of $300....

The Cloud Genie

Corey Quinn — Wed, 23 Jun 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/the-cloud-genie

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Consistently Crashing EC2 Instances

Corey Quinn — Mon, 21 Jun 2021 03:00:00 -0700

AWS Morning Brief for the week of June 21, 2021 with Corey Quinn.

Listener Questions 6

Corey Quinn — Fri, 18 Jun 2021 03:00:00 -0700

Transcript

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Tim: And I’m Tim Banks.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure. Today is a very special episode for two reasons. First, we’re going to be talking about all the things that you want to talk about. That’s right, it’s time for another Q&A session. Get hyped.

Amy: And second as is Duckbill’s customary hazing ritual, we’re putting a new Duckbill Group Cloud Economist Tim Banks through the wringer to answer some of your pressing questions about cloud costs and AWS. And he has pretty much the best hobbies.

Tim: [laugh].

Jesse: Absolutely.

Tim: You know, I choke people for fun.

Jesse: [laugh]. I don’t even know where to begin with that. I—you know—

Amy: It’s the best LinkedIn bio, that’s [laugh] where you begin with that.

Tim: Yeah, I will change it right after this, I promise. But no, I think it’s funny, we were talking about Jiu-Jitsu as a hobby, but my other hobby is I like to cook a lot, and I’m an avid, avid chili purist. And we were in a meeting earlier and Amy mentioned something about a bowl of sweet chili. And, dear listeners, let me tell you, I was aghast.

Amy: It’s more of a sweet stewed meat than it is, like, some kind of, like, meat candy. It is not a meat candy. Filipinos make very sweet stews because we cannot handle chili, and honestly, we shouldn’t be able to handle anything that’s caramelized or has sugar in it, but we try to anyway. [laugh].

Tim: But this sounds interesting, but I don’t know that I would categorize it as chili, especially if it has beans in it.

Jesse: It has beans. We put beans in everything.

Tim: Oh, then it can’t be chili.

Jesse: Are you a purist that your chili cannot have beans in it?

Tim: Well, no. Chili doesn’t have beans in it.

Amy: Filipino food has beans in it. Our desserts have beans in it. [laugh].

Jesse: We are going to pivot, we’re going to hard pivot this episode to just talk about the basis of what a chili recipe consists of. Sorry, listeners, no cost discussions today.

Tim: Well, I mean, it’s a short list: a chili contains meat and it contains heat.

Jesse: [laugh].

Tim: That’s it. No tomatoes, no beans, no corn, or spaghetti, or whatever people put in it.

Amy: Okay, obviously the solution is that we do some kind of cook-off where Tim and Pete cook for everybody, and we pull in Pete as a special quote-unquote, outside consultant, and I just eat a lot of food, and I’m cool with that. [laugh].

Jesse: I agree to this.

Tim: Pete is afraid of me, so I’m pretty sure he’s going to pick my chili.

Jesse: [laugh].

Amy: I could see him doing that. But also, I just like eating food.

Tim: No, no, it’s great. We should definitely do a chili cook-off. But yeah, I am willing to entertain any questions about, you know, chili, and I’m willing to defend my stance with facts and the truth. So…

Amy: If you have some meat—or [sheet 00:03:19]—related questions, please get into our DMs on Twitter.

Jesse: [laugh]. All right. Well, thank you to everyone who submitted their listener questions. We’ve picked a few that we would like to talk about here today. I will kick us off with the first question.

This first question says, “Long-time listener first-time caller. As a solo developer, I’m really interested in using some of AWS’s services. Recently, I came across AWS’s Copilot, and it looks like a potentially great solution for deployment of a basic architecture for a SaaS-type product that I’m developing. I’m concerned that messing around with Copilot might lead to an accidental large bill that I can’t afford as a solo dev. So, I was wondering, do you have a particular [bizing 00:04:04] availability approach when dealing with a new AWS service, ideally, specific steps or places to start with tracking billing? And then specifically for Copilot, how could I set it up so it can trip off billing alarms if my setup goes over a certain threshold? Is there a way to keep track of cost from the beginning?”

Tim: AWS has some basic billing alerts in there. They are always going to be kind of reactive.

Jesse: Yes.

Amy: They can detect some trends, but as a solo developer, what you’re going to get is notification that the previous day’s spending was pretty high. And then you’ll be able to trend it out over that way. As far as asking if there’s a proactive way to predict what the cost of your particular architecture is going to be, the easy answer is going to be no. Not one that’s not going to be cost-prohibitive to purchase a sole developer.

Jesse: Yeah, I definitely recommend setting up those reactive billing alerts. They’re not going to solve all of your use cases here, but they’re definitely better than nothing. And the one that I definitely am thinking of that I would recommend turning on is the Cost Explorer Cost Anomaly Detector because that actually looks at your spend based on a specific service, a specific AWS cost category, a specific user-defined cost allocation tag. And it’ll tell you if there is a spike in spend. Now, if your spend is just continuing to grow steadily, Cost Anomaly Detector isn’t going to give you all the information you want.

It’s only going to look for those anomalous spikes where all of a sudden, you turned something on that you meant to turn off, and left it on. But it’s still something that’s going to start giving you some feedback and information over time that may help you keep an eye on your billing usage and your spend.

Amy: Another thing we highly recommend is to have a thorough tagging strategy, especially if you’re using a service to deploy resources. Because you want to make sure that all of your resources, you know what they do and you know who they get charged to. And Copilot does allow you to do resource tagging within it, and then from there should be able to convert them to cost allocation tags so you can see them in your console.

Jesse: Awesome. Well, our next question is from Rob. Rob asks, “How do I stay HIPAA compliant, but keep my savings down? Do I re...

The Trillion-Dollar Paradoxical Arguments of a16z

Corey Quinn — Wed, 16 Jun 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/Trillion-Dollar-Cloud

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Kinesis Data Increased-Ambient-Temperature Hose

Corey Quinn — Mon, 14 Jun 2021 03:00:00 -0700

AWS Morning Brief for the week of June 14, 2021 with Corey Quinn.

Cloud Cost Management Team Starter Kit

Corey Quinn — Fri, 11 Jun 2021 03:00:00 -0700

Transcript

Corey: This episode is sponsored in part byLaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visitlaunchdarkly.com and tell them Corey sent you, and watch for the wince.

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Jesse: This is the podcast within a podcast where we talk about all the ways that we have seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure. I feel like it’s just kind of always necessary. There always has to be just that little bit of something extra; it’s the spice that really makes the dish. Today we’re going to be talking about the ‘Cloud Cost Management Team Starter Kit.’ Now, in a previous episode, we talked about the ‘Cloud Cost Management Starter Kit,’ which was a little bit more generalized, and one of the things that we talked about, ultimately, was building a team that is responsible for some of this work, some of this cloud cost management work.

So today, we’re going to take that one step further; we’re going to talk about all of the things that your cloud cost management team should ultimately be responsible for, what it should look like, how you might want to start building that team within your organization. So, I’m going to kick us off. I think one of the first things that is so, so critical for any team that is going to be doing any work is buy-in at the executive leadership level. You need to make sure that engineering leadership, the C-suite leadership has your back in everything that you’re doing. You need to make sure that the work that you’re doing has been signed off at the highest level so that that leadership can help empower you to do your work.

Amy: And we’ve referenced this before, and really, every time we talk about things like what makes a successful project is that as the one executing that project, you probably need the authority and actionable goals in order to do that, and the leadership is going to be the ones to lay that out for you.

Jesse: Absolutely. If you don’t have the backing of leadership, whether it is your boss, whether it is the C-suite, whether it’s a VP suite, you’re not going to get other people to listen to what you have to say; you’re not going to get other people to, broadly speaking, generally speaking, care about the work that you’re trying to do, the work that you’re trying to incentivize and empower other people in the organization to do.

Amy: And that kind of leads us into the next portion of it where you need to know what the responsibilities are and have that clear delineation so that you understand the things that is expected of you, what the engineering teams, what they’re expected to do, and product teams, and finance teams. Everyone has to have a pretty much fenced-in idea of what they’re allowed to do and what they are expected to deliver, just like in any project.

Jesse: Absolutely. It’s so critical for me to understand what I’m responsible for, you to understand what you’re responsible for. I can’t tell you how many times I’ve been in a meeting where somebody will say something generally like, “We should do X,” and then everyone nods and goes, “Oh, yeah, yeah, yeah. We should do X.” And then everybody leaves the meeting and thinks that somebody else is responsible for it, and nobody’s been clearly assigned that work, or nobody knows that work is ultimately their responsibility.

Amy: And if you don’t assign it, people are going to assume that this is going to be a thing that if they have time to, they’ll get to it. And we harp on it enough that whenever work is not prioritized, it is automatically deprioritized. That’s just the way task lists shake out, especially at the end of sprint meetings.

Jesse: Absolutely. And I think that’s one of the other things that’s so important, too, is that it’s not just about assigning the work, but it’s about making sure that everybody who is involved in the conversation, everybody who’s involved in the work agrees on what those boundaries are, agrees on who is responsible for what actions, more specifically speaking from a task responsibility perspective. Because at the end of the day, I want my team, whether that is my individual team or a cross-functional team, to all be bought into who’s responsible for what parts of the project. We all need to be on the same page in terms of, “Yes, this is my responsibility. This part of the work is my responsibility. I will take ownership over this,” so that we can all help each other.

Get that project goal together. One of the other big ideas that is so critical to starting a cloud cost management team is identifying and socializing your business KPI metrics. Now, this is something that some engineering teams already think about day-to-day. They might have ideas of service-level agreements, metrics, maybe service-level objective metrics, but there might be other business metrics that indirectly—or directly—relate to engineering work. It could be number of users using your SaaS platform, it could be number of API requests, it could be the amount of storage that customers are storing on your platform. You want to identify what these metrics are, and start measuring your cloud spend against these metrics.

Amy: And as far as cost optimization projects go, the KPIs may not line up directly against how many servers you’re standing up, or how many users are coming through. They’ll be very indicative because you are spending money per user and per resource, but perhaps your business goals are different. Maybe you’re not looking at trying to save money, but better understand where that money is going.

Jesse: Absolutely. It’s not just about how many instances are running per hour, it’s not just about how many servers are running per hour, or how many users per server. It’s really about understanding what are the core driving indicators of your business? What are the things that ultimately influence and impact how your workloads, and servers, and API functions, and everything, flow and grow and change over time?

Amy: These metrics also can be influenced by things that are not architecturally specific, like savings plans, or the saving you would get through reservations, or some other contractual deal you get from your provider.

Jesse: Yeah, that’s one of the hard things, too, that we always hear from our clients. There is this idea that they think that they are spending a certain amount of money because they’re getting discounts from savings plans, or from reserved instances or from an enterprise discount program, and maybe their usage is a lot higher than that, but because they get these discounts, they think that they’re actually using a lot less than they actually are. And while this is not something we’re talking about specifically or directly in this conversation, it is something to be mindful of because there definitely can be a difference between your usage and your overall spend if your company is investing in thin...

The Key to Unlock the AWS Billing Puzzle is Architecture

Corey Quinn — Wed, 09 Jun 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/the-key-to-unlock-the-aws-billing-puzzle-is-architecture

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

State Money Printing Machine

Corey Quinn — Mon, 07 Jun 2021 03:00:00 -0700

AWS Morning Brief for the week of June 7, 2021 with Corey Quinn.

Balancing Cost Optimizations and Feature Work

Corey Quinn — Fri, 04 Jun 2021 03:00:00 -0700

Links:

The cloud economist starter kit: https://www.lastweekinaws.com/podcast/aws-morning-brief/cloud-cost-management-starter-kit-2/

Transcript

Jesse: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Jesse: This is the podcast within the podcast where we like to talk about all the ways we’ve seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure. Today, we’re going to be talking about balancing cost optimization work against feature work.

Amy: Buckle up everyone. I’ve got a lot of thoughts about this. Just kidding. It’s just the one: don’t.

Jesse: You heard it here first, folks. Don’t. Amy Negrette just says, “Don’t.”

Amy: Don’t. [laugh].

Jesse: So Amy, does that mean, don’t balance the work?

Amy: More like don’t choose. It’s always hard to make the argument to take an engineer off of feature work. This goes for
all sorts of support tasks like updates and documentation, and as a group, we figured out that trying to put those off until an engineer has time to do it is not going to be a thing that becomes prioritized, it eventually gets deprioritized, and no one looks at it. And that’s why DocOps is the thing. It’s a process that now gets handled as part of and in parallel with software development.

Jesse: Yeah, I’ve had so many conversations in previous companies that I’ve worked for, where they basically said, “Well, we don’t have time to write documentation.” Or they will say, “The code is the documentation.” And, to their credit, there are a lot of places where the code is very cleanly documented, but if somebody is coming into this information for the first time and they don’t have technical knowledge or they don’t have deep expertise in what you’re looking at, they need documentation that is clear, understandable, and approachable. And it is so difficult to find that balance to actually make sure that that work is part of everything that you do.

Amy: And I think what the industry has decided is that if you make it a requirement for pull requests that if you’re going to make a change, you have to document that change somewhere, and that change if it has any kind of user impact, it will be displayed alongside it. That’s the only way to make it a priority with software. And cost optimization has to be treated in a similar respect.

Jesse: Yeah, so let’s talk about cost optimization as a process. To start, let’s talk about when to do it. Is this something that we do a little bit all the time, or do we do it after everything’s already done?

Amy: I know I just cited CostOps as a good model for this, even though that’s literally what we cannot do. We can’t treat cost optimization as something we do a little bit along the way because, again, speaking as an engineer, if I’m allowed to
over-optimize or over-engineer something, I’m going to take that opportunity to do that.

Jesse: Absolutely.

Amy: And if we’re going to do project-wide cost optimization, we need to know what usage patterns are, we need to have a full user and business context on how any system is used. So, if we do a little at each step, you get stuck in that micro-optimization cycle and you’re never actually going to understand what the impact of those optimizations were. Or if you spent too much time on one part over-optimizing another part.

Jesse: It’s also really hard if this is a brand new workload that you’ve never run in the cloud before. You don’t necessarily know what the usage is going to be for this workload. Maybe you have an idea of usage patterns based on some modeling that you’ve done or based on other workloads that you’re running, but as a whole, if this is a brand new workload, you may be surprised when you deploy it and find out that it is using twice the amount of resources that you expected, or half the amount of resources that you expected, or that it is using resources and cycles that you didn’t expect.

Amy: Yeah. We’ve all been in the situation, or at least if you work with—especially with consumer software—that, you’re going to run into a situation where the bunch of users are going to do things that you don’t expect to happen within your application, causing the traffic patterns that you predicted to move against the model. To put it kindly. [laugh].

Jesse: Yeah. So, generally speaking, what we’ve seen work the best is making time for cost optimization work maybe a cycle every quarter, to do some analysis work: to look at your dashboards, look at whatever tooling you’re using, whatever metrics you’re collecting, to see what kind of cost optimization opportunities are available to you and to your teams.

Amy: So, that comes down to who’s actually doing this work. Are we going to assign a dedicated engineer to it in order to ensure it gets done? Anyone with the free cycles to do it?

Jesse: See, this is the one that I always love and hate because it’s that idea of if it’s everyone’s responsibility, it’s no one’s responsibility. And I really want everybody to be part of the conversation when it comes to cost optimization and cloud cost management work, but in truth, that’s not the reality; that’s not the way to get this work started. Never depend on free cycles because if you’re just waiting for somebody to have a free cycle, they’re never going to do any work. They’re never going to prioritize cost optimization work until it becomes a big problem because that work is just going to be deprioritized constantly. There’s a number of companies that I worked for in the past who did hackathons, maybe once a quarter or once every year, and those hackathons were super, super fun for a lot of teams, but there was a couple individuals who always picked up feature work as part of the hackathon, thinking, “Oh, well, I didn’t get a chance to work on this because my cycles were focused on something else, so now I’ll get a chance to do this.” No, that’s not what a hackathon is about.

Amy: You don’t hack on your own task list. That’s not how anything works.

Jesse: Exactly. So instead, rather than just relying on somebody to have a free cycle, kind of putting it out there and waiting for somebody to pick up this work, there should be a senior engineer or architect with knowledge of how the system works, to periodically dedicate a sprint to do this analysis work. And when we say knowing how the system works, we’re really talking about that business context that we’ve talked about many, many times before. A...

Turn That S--- Off

Corey Quinn — Wed, 02 Jun 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/turn-that-sh—-off

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Compute Optimizer Now Less Crap

Corey Quinn — Mon, 31 May 2021 03:00:00 -0700

AWS Morning Brief for the week of May 31, 2021, with Corey Quinn.

Personality Merge Conflicts

Corey Quinn — Fri, 28 May 2021 03:00:00 -0700

Links:

Ted Talk: The Science of Productive Conflict

Transcript

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure. Today, we’re going to talk about the people side of technical projects, especially people who might introduce roadblocks for completing technical projects. Now, you might be thinking to yourself, “Jesse, Amy, that sounds like it is not about AWS.” But let me assure you that any project involving AWS is going to involve multiple different personalities approaching the project from different angles, who ultimately all have the same solution in mind, but have different ideas about how to get that problem done, or different ideas about what’s the right thing that ultimately get done to begin with. So today, we want to talk about that: we want to dive into how can you have really rewarding conversations with those folks? How can you better engage people who are intentionally or unintentionally difficult?

Amy: We want to be very clear that we are not trying to come after anyone. Every time that I’ve gotten an engagement, it isn’t because someone means to be difficult, but maybe there’s a project timeline, maybe there’s something else getting in the way of them being able to fully be present for that specific part of the engagement, and maybe that’s just what’s causing friction, causing speed bumps. And we’re all well aware of this. Jobs are hard, and especially this sort of work can be difficult. So, first of all, we totally understand, and this is just more about how to get everyone moving in the same direction at the same pace.

Jesse: Yeah, absolutely. I mean, especially with the pandemic going on right now, everybody’s doing remote work, some people have never actually met their teammates in person and they’re expected to work together efficiently, and quickly, and easily. It’s hard.

Amy: It also doesn’t help that when we do come in, we come in under the context of a cost optimization project, or some other efficiency-type title. And that sounds a little like the Bobs from Office Space, which I bring up a lot, especially during internal meetings. And it makes it sound like we’re going to come in to shake a bunch of things up and look for inefficiencies where there aren’t any, which is truly not the case. And it can cause a lot of insecurity, especially about how someone thinks that they’re doing their job, or that their job is somehow going to be impacted by what our suggestions are. It may not just be us, but it may be another migration consultation suite, where someone’s coming in to change the architecture that they’ve worked on for a long time, and that can put a lot of people in a state of
unease.

Jesse: And I think it’s also important to note that it’s not just about an external party coming in like Duckbill Group or another external, third-party consulting service, or technical group. It could be an internal separate team. It could be your internal cloud cost management team that is starting conversations with development teams saying, “Hey, I want to better understand how you’re using AWS. I want to understand some of these cost optimization opportunities.” Even in situations like that where all of these conversations are internal within the company, even within teams, there are still multiple different personalities, multiple different people approaching the problem from different angles, and it’s still really, really important to make sure that you approach them collaboratively.

Amy: And ultimately, we wanted to be clear that what we’re going to be talking about is helping people think differently into a growth mindset, and being able to do this work without anyone feeling shame or embarrassment.

Jesse: Yeah. Growth mindset is so critical. It’s something that I love to talk about ad nauseum, and so I won’t dive into it too deeply here, but—

Amy: That’s another episode.

Jesse: [Laugh]. Exactly. Growth mindset is so important for folks in technology teams, especially in today’s technology era where there’s just so much constantly innovating. There’s so much new constantly going on around you, to new technologies, new teams, new ideas, new ways of doing things, new processes, new tools; it’s really important to be open-minded to learning those different things. You don’t have to use every single one of them, but be open-minded to different people approaching problems from different perspectives and different angles.

Amy: Having to face all of this uncertainty will cause some to not be the most cooperative when they have to start reacting into these situations, whether it is an internal change that’s happening, or if it’s an external consulting group; they can start coming back and taking a various sort of stance, and just like being back in middle school, sometimes standing up to a bully is simply how you have to succeed because it’s not about dominating, it’s about compromise and trying to find out what you’re trying to do and find that common ground.

Jesse: Yeah, absolutely. I think that’s the most important part here because when we talk about working with other personalities that are different than yours and having conflict, it’s not about dealing with them; it’s not about overcoming them from the perspective of winning the argument, so to speak. It’s about how do you compromise? How do you effectively find that common ground and move forward together? And sometimes it’s just about sharing context, it’s just about sharing that mental model that you have that might be different than the mental model that this other person has, or maybe the other team has.

Like for example, some teams that we’ve talked to can’t make a cost optimization change due to security, or legal, or product SLA restrictions, but maybe the person who’s coming in from the cloud cost management team or cloud cost management side doesn’t know that because they aren’t as familiar with the product.

Amy: But it can also just be a staffing issue. These projects take work, and if an engineering team is already stressed and stretched to the edge, they’re not going to have the resources, and they don’t want to be the ones to say we simply don’t have the manpower to do this.

Jesse: Yeah, absolutely. And it’s so, so important to be able to identify those bottlenecks or identify those constraints. Because ultimately, if you give a team that already has a ton of things on their roadmap new work and say, “Hey, cost optimizati...

The 17 Ways to Run Containers on AWS

Corey Quinn — Wed, 26 May 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/the-17-ways-to-run-containers-on-aws

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Tim Banks Has Entered the Chat

Corey Quinn — Mon, 24 May 2021 03:00:00 -0700

AWS Morning Brief for the week of May 24, 2021 with Corey Quinn.

Build vs. Buy

Corey Quinn — Fri, 21 May 2021 03:00:00 -0700

Transcript

Jesse: Hello, and welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild. With a healthy dose of complaining about AWS for good measure. Today, we’re going to be talking about build versus buy. I feel like this is really kind of a classic engineering conversation. Amy, what is the build versus buy idea?

Amy: It’s really the idea of whether you decide to use a managed service or SaaS product versus rolling your own and building yourself. It’s very easy to do these days with a few watches on YouTube, maybe some blog articles. You can also do repairs on my house, which is why I always have to get repairs done on my house. [laugh].

Jesse: [laugh]. Yeah, I feel like as much as I love the world of HGTV and the DIY network, I think I can do more than I actually can and I feel like it’s probably a lot safer to just let a professional take the reins. I mean, there’s so many certification programs that teach you how to build and manage your own engineering things, your own distributed databases, your own Kubernetes clusters, your own streaming data platform, and it’s really great to understand the fundamental building blocks of these systems, it’s really great to understand how they work so that ultimately if you are consuming from them or managing them, that you understand the ins and the outs of the system. But the question becomes, do you really need to be the one that’s managing that system? Do you really need to be the one spending your time managing that system on top of writing code for your microservices, on top of managing the architecture, the application, all of the components of your service that are critical?

Amy: So, I guess what we really want to decide is, in what use cases is it okay to build something from scratch, and when is it okay to, essentially, just go to the market and look for something that’s made already?

Jesse: Yeah. And I think that’s the main question that a lot of folks ask: what is the defining line? What are the questions they should think about as they are choosing to build versus buy?

Amy: I think if you want to really look at building a product, and really from the ground up—you have this product in mind and you want to do all the architecture, control it end-to-end—unless this is your core product feature or you’re going to package it for either internal or public release, you almost always—you don’t want to build this yourself because someone has probably built it in a way that’s not going to cause your engineers time or money. Unless it is going to directly make you money, then yes. If this is tied to your product income and your product revenue, please build it yourself. It avoids a lot of licensing issues, you do get to control how it works, how you want it to work. But that said a lot of products, just a bunch of assassins in a trench coat anyway, so—

Jesse: [laugh].

Amy: —it really depends on what’s important to you.

Jesse: Yeah, I feel like this is one of the biggest pitfalls that I see in a lot of organizations where they think about how they want to build out an architecture and they choose that a solution like, stateful distributed service is going to be the right thing that they want. And one of the developers says, “Oh, that’s easy. I can build that in a weekend.” And then they go off and build it, and then they’re stuck managing that system for all of eternity when that’s not the primary purpose of the team that they’re working on, that’s not the primary purpose of the product that they’re working on. So, if you’re going to build something that is directly related to your product, directly related to your business use case, directly related to how your company is making money, something that is absolutely your bread and butter, you definitely want to build that rather than buying that off the shelf.

Because building it will give you that great opportunity to focus on controlling all the ins and outs of the system, understanding all the parts of the system, finding the flexibility when you need flexibility, really fine-tuning and honing all the parts of the system in the way that you need it to work so that ultimately your organization is getting the best bang for their buck out of the system, whereas in a lot of cases, you’re not going to get the same level of flexibility from an off the
shelf solution.

Amy: And especially if you’re going to go in and planning to build your own supporting product, make sure—and I said this before, I’ll say it again—you do check the licenses of any libraries and any SaaS products you use to build it because I reinvented the wheel plenty of times in my career, specifically because I worked in a place where the licensing we were allowed to use would not allow us to use very specific products.

Jesse: Yeah. That’s such a critical business risk and something that I think not every engineer is fully aware of. And to be clear, I don’t think that’s the engineer’s fault. I think that’s part of best practices that every organization can get better at to make sure that everybody understands, what are our limitations on using modules, using open-source solutions from the internet? How can we make sure that we ultimately aren’t creating additional unnecessary business risk?

Amy: When do we go shopping?

Jesse: [laugh]. Yeah, let’s go shopping. Let’s say you’ve decided that the piece of software that you want is not part of your bread and butter, like we were saying. If it’s not part of your organization’s primary product, primary use case, don’t waste engineering time building it for yourself, pay a vendor or a subject matter expert to build it for you—or to manage it for you, even—and then call it a day. It is absolutely worth those trade-offs. The additional cost of paying somebody else to manage it for you is absolutely worthwhile because you then get the opportunity to stay focused on the things that are most important to your team and your business.

Corey: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lac...

New CEO Onboarding at AWS

Corey Quinn — Wed, 19 May 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/New-CEO-Onboarding-at-AWS

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Adam Selipsky's Day One Coreyentation

Corey Quinn — Mon, 17 May 2021 03:00:00 -0700

AWS Morning Brief for the week of May 17, 2021 with Corey Quinn.

Cloud Cost Management Starter Kit

Corey Quinn — Fri, 14 May 2021 14:13:18 -0700

Transcript
Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.

Jesse: Welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure because I mean, who doesn’t love to complain about AWS? I feel like that’s always a good thing that we can talk about, no matter the topic. Today, we’re going to be talking about the ‘cloud cost management starter kit.’ So, the starter kit seems to be a big fad that’s going around. If you’re listening to this episode, you’re probably thinking, “It’s already done. It’s over.”

But I still want to talk about it. I think that this is a really relevant topic because I think a lot of companies are trying to get started, get their hands started in cloud cost management. So, I think this would be a great thing for us to talk about: what’s in our cloud cost management starter kit?

Amy: And it really will help answer that question that I get asked a lot on: what is even a cloud economist, and what do you do?

Jesse: Yeah, I mean, given the current timeframe, I haven’t gone to any parties recently to talk about what I do, but I do feel like anytime I try to explain to somebody what I do, there’s always that moment of, “Okay. Yes, I work with computers, and we’ll just leave it at that.”

Amy: It’s easier to just think about it as we look at receipts, and we kind of figure things out. But when you try to get into the nuts and bolts of it, it’s a very esoteric idea that we’re trying to explain. And no, I don’t know why this is a real job. And yet it is.

Jesse: This is one of the things that always fascinates me. I absolutely love the work that I do, and I definitely think that it is important work that needs to be done for any organization, to work on their cloud cost management best practices, but it also boggles my mind that AWS, Azure, GCP, haven’t figured out how to bake this in more clearly and easily to all of their workflows and all their services. It still boggles my mind that this is something that exists as—

Amy: As a thing we have to do.

Jesse: As a thing we have to do. Yeah, absolutely.

Amy: Well, the good news is, they’re going to change their practices once every six weeks, and we’ll have a new thing to figure it out. [laugh].

Jesse: [laugh]. So, let’s get started with the first item on our cloud cost management starter kit. This one is something that Amy is definitely passionate about; I am definitely passionate about, as well. Amy, what is it?

Amy: Turn on your CUR. Turn on your CUr. If you don’t know what it is, just Google AWS CUR. Turn it on. It will save you a headache, and it will save anyone you bring in to help you [laugh] [unintelligible 00:02:59] a huge headache. And it keeps us from having to yell at people, even though that’s the thing that if you pay us to do it, we will totally do it for you.

Jesse: If you take nothing away from this episode, go check out the AWS Cost and Usage Report—otherwise known as CUR—turn it on for your accounts, ideally enable it in Parquet format because that’s going to allow you to get all that sweet, sweet data in an optimized manner, living in your S3 bucket. It is a godsend. It gives you all the data from Cost Explorer, and then some. It allows you to do all sorts of really interesting business intelligence analytics on your billing data. It’s absolutely fantastic.

Amy: It’s like getting all of those juicy infrastructure metrics, except getting that with a dollar sign attached to it so you know what you actually doing with that money.

Jesse: Yeah, this definitely is, like, the first step towards doing any kind of showback models, or chargeback models, or even unit economics to figuring out where your spend is going. The Cost and Usage Report is going to be a huge first step in that direction.

Amy: Now, the reason why we yell at people about this—or at least I do—is because AWS will only show you the data from the time that it is turned on. They do have it for historical periods, but if you enable it at a specific point, all of your reports are going to start there. So, if you’re looking to do forecasting, or you want to be able to know what your usage is going to be looking like from this point on, turn it on as early as possible.

Jesse: Absolutely. If you are listening to this now and you don’t have the CUR enabled, definitely go pause this episode, enable it now, and come back and listen to the rest of the episode because the sooner you have the CUR enabled, the sooner you’ll be able to get those sweet, sweet metrics for all of your—

Amy: And it’s free.

Jesse: [laugh]. Yeah, that’s even the more important part. It’s free. There’s going to be a little bit of data storage costs if you send this data to S3, but overall, the amount of money that you spend on that storage is going to be optimized because you’re saving that CUR data in Parquet format. It’s absolutely worthwhile.

All right, so number two; the second item on our cloud cost management starter kit, is getting to know your AWS account manager and account team. This one, I feel like a lot of people don’t actually know that they have an AWS account manager. But let me tell you now: if you have an AWS account, you have an AWS account manager. Even if they haven’t reached out to you before they do exist, you have access to them, and you should absolutely start building a rapport with them.

Amy: Anytime you are paying for a support plan, you also have an account manager. This isn’t just true for AWS; I would be very surprised for any service that charged you for support but did not give you an account manager.

Jesse: So, for those of you who aren’t familiar with your account manager, they are generally somebody who will be able to help you navigate some of the more complex parts of AWS, especially when you have any kind of questions about your bill or about technical things using AWS. They will help you navigate those resources and make sure that your questions are getting to the teams that can actually answer them, and then make sure that those questions are actually getting answered. They are the best champion for you within AWS.

If you have more than a certain threshold of spend on AWS, if you’re paying for enterprise support, you likely also have a dedicated technical account manager as well, who will be basically your point person for any technical questions. They are a great resource for any technical questions, making sure that your technical questions are answered, making sure that any conce...

Security is Someone Else’s Job Zero

Corey Quinn — Wed, 12 May 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.https://www.lastweekinaws.com/blog/security-is-someone-elses-job-zero

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Morning Brief Trailer

Corey Quinn — Tue, 11 May 2021 14:47:48 -0700

The latest in AWS news, sprinkled with snark. Posts about AWS come out over sixty times a day. We filter through it all to find the hidden gems, the community contributions--the stuff worth hearing about! Then we summarize it with snark and share it with you--minus the nonsense.

Time to Fire the DevOps Guru

Corey Quinn — Mon, 10 May 2021 03:00:00 -0700

AWS Morning Brief for the week of May 10, 2021 with Corey Quinn.

A Very Special Episode

Corey Quinn — Fri, 07 May 2021 03:00:00 -0700

Transcript

Corey: This episode is sponsored in part byLaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visitlaunchdarkly.com and tell them Corey sent you, and watch for the wince.

Jesse: Today, on a very special episode of AWS Morning Brief: Fridays From the Field, we say our goodbyes to Pete Cheslock.

Amy: Oh, no. Did the ops bus finally get him?

Jesse: No. Wait, what? What? No. No, he’s not—

Amy: You know, the ops bus, the one that takes out all of the ops people, which is why you need data recovery plans.

Jesse: [laugh]. I mean, I have plans for other reasons, but no. No, Pete, Pete’s not dead. He’s just—I mean, he’s dead to me, but he’s just not going to be here anymore.

Amy: Only on the inside.

Jesse: Welcome to AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Arumbulo Negrette.

Pete: I am Pete Cheslock. I’m here for one last, beautiful, glorious time.

Jesse: I feel like this is going to be like Breakfast Club but in the data center server room.

Pete: Yeah. A little bit. I think so. We will all sit cross-legged on the floor in a circle, share our thoughts and feelings. And maybe some sushi. There were sushi in that movie. And that was, like, really advanced back then in the ’80s.

Jesse: Yeah, I like that. So Pete, you want to give us a little bit of background about why you will be moving on from this podcast?

Pete: Moving on to a whole new world. Yes. Sadly, I am not dead. The ops bus did not get me, and I was not eaten by my smoker, my meat smoker.

Jesse: [laugh]. Although at this point, it’s probably overdue.

Pete: You know, the odds of all three of those are pretty high out, to be really perfectly honest, given this pandemic and everything else going on in this world.

Amy: Isn’t that how it works? You eventually become the smoked meat.

Pete: Yeah, yeah.

Jesse: [laugh].

Pete: All the time. You know, you are what you eat. And if you eat junk and whatnot—so I eat smoked meats, eventually, I’m just going to become, you know, smoked meats, I guess. But no, I am moving on from The Duckbill Group. Just bittersweet is the best word I can come up with. Very sad, but also very excited.

I’m moving on to a new role at a new company that was just kind of an opportunity that I couldn’t pass up. And I’m really excited for something new, but really sad because I don’t get to work with two of my three favorite cloud economists, Jesse, and Amy. Yeah, Corey is one, too, and yes, it’s fun to work with him. But it’s also fun to rag on him a little bit as well.

Jesse: I’m pretty sure you still have the opportunity to rag on him no matter where you go.

Pete: Yeah, that’s true. I mean, we’re Twitter connected. So, I can just slide into his DMs as needed. Yeah.

Amy: And really, what else is Twitter for—

Pete: Exactly.

Jesse: [laugh].

Amy: —than roasting former coworkers and bosses?

Pete: Yeah, I expect a constant stream of Twitter DMs every time you find something, some little fun nugget that I’ve left behind.

Jesse: I feel like that’s appropriate. So today, Pete, I have two questions for you now that you will be moving on from Duckbill Group, moving on from this podcast, I want to know, looking back at your time here working with Duckbill Group, what did you learn? What are the things that surprised you, that you didn’t expect? And what would you say to somebody who wanted to start working in this space, maybe start a career in cloud economics on their own?

Pete: Yeah, so this kind of feels like an exit interview a little bit.

Jesse: [laugh]. And a very public exit interview at that. So, make sure that we bleep all the swear words.

Pete: I think it’s in Duckbill fashion to do a public—a very public-facing exit interview, right? That is Duckbill in a nutshell.

Jesse: I think the only thing more public is if Corey asks you to hold the exit interview on Twitter.

Amy: Exactly.

Pete: [laugh]. I mean, we might have to do that, now. I like that idea. Yeah, so I think those are great questions, and I love the opportunity to talk about it. Because Duckbill is a fantastic company, and coming into Duckbill last year was totally by luck.

Not really—no, not—luck is maybe not the right word. But I had been doing some consulting on my own, and the pandemic and some other forces caused a bunch of my consulting work to dry up really quickly. And I was sitting at home and I’m like, “Wow, I should get a real job.” And I saw a tweet from Mike on Twitter that was like, “Oh, we’re growing The Duckbill Group.” And Mike and Corey and I have known each other for such a long time.

We’ve always said it’d be great to work together at some point in the future, but it’s so hard [laugh] to do. You know, to kind of work with your friends, and timing, and circumstance, and schedule, and everything else. And so when I saw that, I was like, wow, like that might be a lot of fun working with that crew. And I’ve got a lot of experience in AWS and I’ve—my title at one of my previous companies was Captain COGS—for Cost Of Goods Sold—because I was so diligent with the Amazon bill. So, it’s kind of one of those things where I felt like I could be useful and helpful to the organization, and talking with Mike and Corey, it just made a ton of sense.

And so, it was a lot of fun to come on board. So, but then once you’re kind of in, and you start doing this type of work—and you know, Amy and Jesse, you’ve both experienced this—I think no matter how much knowledge you have of Amazon, very, very quickly, you realize that you actually don’t know as much as you really think you did, right?

Jesse: Yeah.

Pete: Because it’s so—there’s just so much.

Amy: And it changes once every five minutes.

Pete: [laugh].

Jesse: Oh, yeah.

Amy: Literally if you—well, just keep an eye on that changelog, you can watch your day get ruined as time goes on.

Jesse: [laugh].

Pete: [laugh]. It’s—yeah, it’s a real-time day ruining. And that’s the new. It’s like Amazon Kinesis: It’s all real-time.

Jesse: [laugh].

Pete: Yeah, it’s so true. And I think the reason behind it is, you know, one...

Developer Portals are an Anti-Pattern

Corey Quinn — Wed, 05 May 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/Developer-Portals-are-an-Anti-Pattern

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Jack's Nimble Studio

Corey Quinn — Mon, 03 May 2021 03:00:00 -0700

AWS Morning Brief for the week of April 3, 2021 with Corey Quinn.

Listener Questions 5

Corey Quinn — Fri, 30 Apr 2021 03:00:00 -0700

Links:

Cloud FinOps: https://www.amazon.com/Cloud-FinOps-Collaborative-Real-Time-Management/dp/1492054623
FinOps Foundation: https://www.Finops.org/
AWS cost management blog: https://aws.amazon.com/blogs/aws-cost-management/
Mastering AWS Cost Optimization: https://www.amazon.com/Mastering-AWS-Cost-Optimization-operational/dp/965572803X

Transcript

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I am Pete Cheslock.

Jesse: I’m Jesse DeRose.

Pete: Wow, we’re back again. And guess what? We have even more questions. I am… I am… I don’t even know. I have so many emotions right now that are conflicting between a pandemic and non-pandemic that I just—I’m just so happy. I’m just so happy that you listen, all of you out there, all you wonderful humans out there are listening. But more importantly, you are going into lastweekinaws.com/QA and you’re sending us some really great questions.

Jesse: Yeah.

Pete: And we’re going to answer some more questions today. We’re having so much fun with this, that we’re just going to keep the good times rolling. So, if you also want to keep these good times rolling, send us your questions, and we’ll just—yeah, we’ll just roll with it. Right, Jesse?

Jesse: Absolutely. We’re happy to answer more questions on air, happy to let you pick our brains.

Pete: All right. Well, we got a couple more questions. Let’s kick it off, Jesse.

Jesse: Yeah. So, the first question today is from Barry. Thank you, Barry. “New friend of the pod here.” Always happy to have friends of the pod. Although I do feel like that starts to get, like, Children of the Corn, kind of. I think we started that, and I also am excited about it, and also upset with myself for starting that.

Pete: That’s all right. Friend of the pod. Friend of the pod.

Jesse: “New friend of the pod here. I work in strategic sourcing and procurement and I was curious if there are any ways that you recommend to get up to speed with managing cloud spend. This is usually closely monitored by finance or different groups in product, but I can see a significant potential value for a sourcing professional to help, also.” And that’s from Barry, thank you, Barry.

Pete: Well, I’m struggling not to laugh. “This is usually closely monitored by finance or different groups in product.”

Jesse: Yeah…

Pete: But I mean, let’s be honest, it’s not monitored by anyone. It’s just running up a meter in a taxi going 100 miles an hour.

Jesse: Yeah, that’s the hardest part. I want everybody to be involved in the cloud cost management practice, but there’s that same idea of if it’s everyone’s responsibility, it’s no one’s responsibility. And so this usually ends up at a point where you’ve got the CFO walking over to the head of engineering saying, “Why did the spend go up?” And that’s never a good conversation to have.

Pete: No, never a good one. Well, Barry because you’re a friend of the pod, we will answer this question for you. And honestly, I think it’s a great question, which is, we actually have been working with a lot of larger enterprises and these enterprises still have their classic sourcing and procurement teams. That’s not an expertise that is going away anytime soon, but like most teams within the company that are adopting cloud, it’s obviously going to evolve as people are moving away from, kind of, capital intensive purchases and into, honestly, more complex, multi-year OpEx style purchases, with cloud services and all the different vendors that come with it. It’s going to just get a lot harder.

I mean, it’s probably already a lot harder for those types of teams. And so there’s a bunch of places I think that you can go that can help level up your skills around cloud spend. And I would say the first place that I personally got to dive in a little bit more—I mean, my history has been using Amazon cloud and being a person who cared about how much my company spent on it, but when you—joining Duckbill, you need to dive into other areas around the FinOps world. And the book, the O’Reilly book, Cloud FinOps is actually a really great resource.

Yeah, I think it’s really well written and there’s a lot of great chapters within there that you can kind of pick and choose based on what you’re most interested in learning about. If you’re trying to learn more about unit economics, or you’re trying to learn more about how to monitor and track things like that, it’s a great book to dive into, and becomes a really great reference that you can leverage as you’re trying to level up this expertise within yourself or your team.

Jesse: It’s a really, really great resource. The other thing to think about is any kind of collaborative social spaces where you can be with like-minded individuals who also care about cloud costs. Now, there’s a number of meetups that exist under the FinOps title that may be worth looking into. Obviously, we’re recording this during the pandemic so I don’t recommend doing those in person. But as you are able to, there may be opportunities for in-person meetups and smaller local groups focusing on cloud cost management strategies together. But also check out the FinOps Foundation. They have a Slack space that I would love to tell you more about, but unfortunately, we’re not allowed to join. So—

Pete: Yep.

Jesse: —I can’t really say more about it than that. I would hope that you’re allowed to join, but they have some strict guidelines. So, I mean, the worst that can happen is they say no; it’s definitely worth signing up.

Pete: Yeah, and they have to us. [laugh].

Jesse: Yeah.

Pete: I think when you get into the FinOps Foundation, you should angrily say that we should have more FinOps experts in here like the great Jesse DeRose should be a member of this one because right now, he’s just framed his rejection notice from there, and—

Jesse: Oh, yeah.

Pete: —while it looks beautiful on the wall, while I’m on a Zoom with him, I want more for you, Jesse.

"The Sun Also Crashes: Keeping Current"

Corey Quinn — Wed, 28 Apr 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

DynamoDB Streams for DynamoDB Streams

Corey Quinn — Mon, 26 Apr 2021 03:00:00 -0700

AWS Morning Brief for the week of April 26th 2021 with Corey Quinn.

Listener Questions 4

Corey Quinn — Fri, 23 Apr 2021 03:00:00 -0700

Links:

Unconventional Guide: https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/

Transcript

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. We’re back again, my name is Pete Cheslock.

Jesse: I’m Jesse DeRose. So, happy to be back in the studio after our whirlwind tour of the Unconventional Guide that I feel like we’ve been on for roughly as long as the pandemic’s been going on at this point; probably a little bit less. But lots of really great content there that we were happy to talk about, and I’m happy to be moving on to some other topics.

Pete: Yeah, absolutely. And the topics, we actually get to move on to some of our favorite topics, which are answering your questions. And it turns out, Jesse, there’s more than two people that listen to us. There’s a lot of you; there are dozens of you out there, and we love it.

Jesse: You like me. You really like me.

Pete: So, great. So, great to see. We’ve been getting tons of fantastic questions, a few of which we’re going to answer right now. You can also have your question answered by going over to the lastweekinaws.com/QA and enter in your question there. You can enter in your name, or you can leave it blank, or you could just put something funny there. Anything works. We’re happy to dive in deeper on any particular topic, again, whether it’s about this recent Unconventional Guide series or just something you’re curious about in your day-to-day in your cost management life.

Jesse: Today’s questions are really great because they ultimately get at the practical side of all of our recommendations. Because I feel like every single time I subscribe to one of those self-help books or blogs and I read all these really great short, sweet tidbits, I think to myself, “This is perfect. I’ll go apply this to everything in my life.” But then doing the actual work part is so much harder. Where do you even start with that first step once you’ve got the big picture grand idea? So, today we’ve got some really, really great questions, focusing on the best ways to get started on your cloud cost management journey. So, let’s start off with these questions.

First question is, “Could you cover some practical approaches to applying some of your Cost Management Guide? A lot of your suggestions sound simple on paper, but in practice, they become quite complicated.” So, true. Absolutely, absolutely a concern. “I’ve had some success pulling in a small group of subject matter experts together for short periods of time focusing on low risk, easy things to do. How have you approached actually doing this? What meetings do you set up? What do you take for notes? How do you document your savings? How do you find new opportunities?” That’s from Brian O. Brian O., That’s a really, really great question.

The other one that I want to add to this: “We’re a big AWS shop, and I’ve spent some time inside the AWS beast in the past, and I still struggle with multi-account multi-region data transfer in general, but specifically analyzing cost and usage. There are examples specifically like if data transfer out goes up $25,000 last month, how do you attribute that? How do you know where to apply that? How do you know what ultimately prompted that spend? Love how you work through these types of challenges. What is relatively easy at a single account level gets exponentially more complex with every account and region we function in.” So, true. And that’s from Todd. Thank you, Todd. In both cases, absolutely true.

There’s this really great idea of we can give you the really short and sweet things to think about, but taking those first steps for practically applying these ideas is tough, and it needs to scale over time. And not every practice does.

Pete: Yeah, these are great questions. I, kind of, am remembering that meme that was around for a while, which was, how to draw an owl. “First, draw two circles, and then, you know, you draw the rest of the owl.”

Jesse: Yeah.

Pete: And honestly, oftentimes, some of the stuff even that we say, Jesse, feels that way, and it doesn’t intend to come across that way. It’s just, we could bore you all on a multi-hour long recording of some of these topics. I mean, we do this with our clients, and our clients pay for this pleasure [laugh] for us to put them to sleep with our soft tones of the cloud cost management world. But I think the reality is that it is complex and there are probably unlikely to be quick wins in a lot of these places. One thing that we found is honestly, monitoring, visibility, I think all the cool kids are calling it observability now—

Jesse: [laugh].

Pete: —you know, I can’t believe I’m going to say this, but CloudWatch is actually probably one of the best cloud cost reduction tools that exist out there. There are so many services within AWS that you’re probably using today, that by default, report data to CloudWatch. And those statistics are potentially a huge place to identify resources that are over-provisioned and underused, idle resources, things like that. I can’t tell you how many times that I will go into a client account, and one of the first places I go to is—after Cost Explorer—is probably CloudWatch. So, monitoring spend and monitoring what’s happening there is kind of a great way to get started on that cloud cost idea because you’re getting charged for everything that happens, so knowing what’s happening, and knowing how it’s changing over time is a great way to start understanding and reducing it.

Jesse: Yeah. And I think AWS is probably also using some of those CloudWatch metrics in their optimization recommendations that they make within their own optimization tooling. And it’s probably just not clearly defined or clearly outlined for AWS customers to be able to use the same metrics. So, I feel like if my Compute Optimizer could quickly load or link to a graph that showed me low CPU utilization across a number of instances, that’s a really handy way for me to start using more of CloudWatch’s metrics.

Pete: Yeah, I think Compute Optimizer is honestly, criminally underused out there. I don’t know why. Then honestly, one of the other complaints is like, “Well, you can’t get memory statistics unless you have a CloudWatch Agent.” Yes. So honestly, install the CloudWatch agent; have it report up, the, like, one or two memory metrics that Compute Optimizer needs to make a recommendation and the cost will more than pay for itself.

S3's Durability Guarantees Aren't What You Think

Corey Quinn — Wed, 21 Apr 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AOS Engineering

Corey Quinn — Mon, 19 Apr 2021 03:00:00 -0700

AWS Morning Brief for the week of April 19, 2021 with Corey Quinn.

Listener Questions 3 - How to Get Rid of Your Oracle Addiction

Corey Quinn — Fri, 16 Apr 2021 03:00:00 -0700

Links:

Unconventional Guide to AWS Cost Management: https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/
Migrate from Oracle to Amazon Aurora: https://aws.amazon.com/getting-started/hands-on/migrate-oracle-to-amazon-aurora/

Transcript

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I am Pete Cheslock.

Jesse: I’m Jesse DeRose.

Pete: We’re coming at you again with some more listener questions from the Unconventional Guide to AWS Cost Management. I’m excited. People are listening to us, Jesse.

Jesse: This is fantastic. I’m really excited that we have one fan. I’ve always wanted one fan.

Pete: Well, two fans now. Maybe even more because we keep getting questions. And you can also be one of our Friends of the Pod by going to lastweekinaws.com/QA. And you can give us some feedback, you can give us a question and, like, will totally answer it because we like Friends of the Pod.

Jesse: We may or may not enter you into a raffle to get a Members Only jacket that’s branded with ‘Friends with the Pod.’

Pete: We should get some pins made, maybe.

Jesse: Ohh…

Pete: I think that's a good idea.

Jesse: Yeah.

Pete: So, what are we answering today, or attempting to answer for our listener, Jesse?

Jesse: So today, we’ve got a really great question from [Godwin 00:01:20]. Thank you, Godwin, Godwin writes, “I truly believe that the system that I support is, like, a data hoarder. We do a lot of data ingestion, we recently did a lift-and-shift of the system to AWS, we use an Oracle database. The question is, how do I segregate the data and start thinking about moving it out of traditional relational databases and into other types of databases? Presently, our method is all types of data goes into a quote-unquote, ‘all-purpose database,’ and the database is growing quite fast. Where should I get started?”

Pete: Well, I just want to commend you for a lift-and-shift into Amazon. That’s a Herculean feat, no matter what you’re lifting and shifting over. Hopefully, you have maybe started to decommission those original data centers and you don’t just have more data in twice as many locations.

Jesse: [laugh]. But I also want to call out well done for thinking about not just the lift-and-shift, but the next step. I feel like that’s the thing that a lot of people forget about. They think about the lift-and-shift, and then they go, “Awesome. We’re hybrid. We’re in AWS, now. We’re in our data center. We’re good. Case closed.” And they forget that there’s a lot more work to do to modernize all those workloads in AWS, once you’ve lifted and shifted. And this is part of that conversation.

Pete: Yeah, that’s a really good point because I know we’ve talked about this in the past, the lift-and-shift shot clock: when you don’t start migrating, start modernizing those applications to take advantage of things that are more cloud-native, the technical debt is really going to start piling up, and the folks that are going to manage that are going to get more burnt out, and it really is going to end poorly. So, the fact you’re starting to think about this now is a great thing. Also, what is available to you now that you’re on AWS is huge compared to a traditional data center.

Jesse: Yeah.

Pete: And that’s not just talking about the—I don’t even know if I’ve ever counted how many different databases exist on Amazon. I mean, they have a database for, at this point, every type of data. I mean, is there a type of data that they’re going to create, just so that they can create a database to put it into?

Jesse: Wouldn’t surprise me at this point.

Pete: They’ll find a way [laugh] to come up with that charge on your bill. But when it comes to Oracle, specifically Oracle databases, there’s obviously a big problem in not only the cost of the engine, running the database on a RDS or something to that effect, but you have licensing costs that are added into it as well. Maybe you have a bring-your-own-license or maybe you’re just using the off-the-shelf, but the off-the-shelf, kind of, ‘retail on-demand pricing’ RDS—I’m using air quotes for all these things, but you can’t see that—they will just have the licensing costs baked in as well. So, you’re paying for it—kind of—either way.

Jesse: And I think this is something also to think about that we’ll dive into in a minute, but one of the things that a lot of people forget about when they move into AWS says that you’re not just paying for data sitting on a piece of hardware in a data center that’s depreciating, now. You’re paying for storage, you’re paying for I/O costs, you’re paying for data transfer, to Pete’s point, you’re also paying for some of the license as well, potentially. So, there’s lots of different costs associated with keeping an Oracle Database running in AWS. So, that’s actually probably the best place to start thinking about this next step about where to get started. Think about the usage patterns of your data.

And this may be something that you need to involve engineering, maybe involve product for if they’re part of these conversations for storage of your product or your feature sets. Think about what are the usage patterns of your data?

Pete: Yeah, exactly. Now, you may say to yourself, “Well, we’re on Oracle”—and I’m sure people listening are like, “Well, that’s your problem. You should just move off of Oracle.” And since you can’t go back in time and undo that decision—and the reality is, it probably was a good decision at the time. There’s a lot of businesses, including Amazon, who ran all of their systems on Oracle.

And then migrated off of them. Understanding the usage patterns, what type of data is going into Oracle, I think is a big one. Because if you can understand the access patterns of the types of data that are going in, that can help you start peeling off where that data should go. Now, let’s say you’re just pushing all new data created. And we don’t even know what your data is, so we’re going to take some wild assumptions here on what you could possibly do—but more so just giving you homework, really—thinking about the type of data going in, right?

Machine Learning is a Marvelously Executed Scam

Corey Quinn — Wed, 14 Apr 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/Machine-Learning-is-a-Marvelously-Executed-Scam

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Suspiciously Warm Pools

Corey Quinn — Mon, 12 Apr 2021 03:00:00 -0700

AWS Morning Brief for the week of April 12, 2021 with Corey Quinn.

Predict Your Future (and Make Your CFO Happy)

Corey Quinn — Fri, 09 Apr 2021 03:00:00 -0700

Links:

Unconventional Guide to AWS Cost Management:https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/

Transcript

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I am Pete Cheslock.

Jesse: I’m Jesse DeRose.

Pete: We’re back again. And we’re here. We made it, Jesse.

Jesse: I was worried. This was a journey. Thank you, everybody, for coming on this journey with us.

Pete: It was quite an experience going through the Unconventional Guide to AWS Cost Savings. We’ve made it. I just can’t believe we’re here.

Jesse: Yeah.

Pete: So, what are we talking about today for the culmination of our magnum opus of cost savings optimizations?

Jesse: This is a fun one. And I know I keep saying that this is my favorite about everyone, but I have to admit that this one, this topic today probably is my absolute favorite. This one I get really nerdy over. Today, we’re talking about how to predict your future and make your CFO happy. No—spoiler alert—there are not any crystal balls involved in this one. There’s no stock market conversations.

This is talking about how you can use all of the different things that we’ve talked about throughout the course of this Unconventional Guide to really bring it all together into a couple ideas that will help you better understand your cloud costs, and really better understand your business, I think.

Pete: Yeah. All of the things we talked about really lead up to this one, which is the clients of ours that are the most mature, who are incredibly optimized in their Amazon usage, are the ones who have adopted a majority of these specific items. They all lead to this last one, that ability to predict your future usage based on something that’s happening internally, or if a salesperson comes to you and says, “Hey, we’re about to close this deal, but I need to discount our service.” People are going to start wanting to know well, what is the cheapest that you could sell your service for and still have a positive gross margin?

Jesse: Yeah. So, if you’ve done a lot of the things that we’ve talked about in the last couple episodes—I apologize, I know homework’s not the best for a podcast—but if you’ve had the opportunity to work on some of those things, you should have a ton of valuable insights into your spend. We’re talking about tagging, and showback models in particular, maybe even a chargeback model. But you can ultimately use all of this data to better understand what is your forecasted spend is going to look like with a new potential customer coming onto the platform? Or if you get into the topic that we’re going to talk about today, which is mostly unit economics, you can really understand how much can I discount my service and still make a profit, like Pete mentioned?

Pete: Yeah, I mean, imagine there’s a global pandemic that happens, and it causes your usage to spike by 500% within the course of a month. How did your spend change? Do you know where it changed? And did it change in ways that you were expecting it to? Like, my databases grew by a lot, and this other thing didn’t grow by very much.

Like, that would be expected. But also another thing that—a question that we actually like to ask a lot of our clients, if your sales just doubled overnight, okay would your spend change? Where are the places that are most expensive to operate your service? And again, this is kind of generic. I’ve worked in a lot of SaaS services, so I always think of sales, but just think of whether you’re using the cloud for a SaaS service that you provide and sell, like, B2C, things like that, or B2B, you still have users.

They might be internal users. Well, what if your users doubled overnight? What if half the company was using your internal service and now the whole company is? How does that change your usage?

Jesse: And it’s also important to think about not just your AWS usage, but all of the other services that you use that support your overall business model: things like monitoring and observability tools, logging vendors, maybe third-party sim tools. All of these are affecting your overall total infrastructure cost and are all part of this conversation. So, it’s really important to start thinking about those architecture diagrams. Remember, when we said, way, way back at the beginning of this conversation, to overlay costs on top of your architecture diagram, understanding that, understanding what parts of your product or what parts of your architecture are the most expensive will really help you understand what’s going to change?

Pete: Yeah, let’s say you’ve got a six-figure bill to Datadog or one of the big log management vendors out there, but inside of that bill, is that all just evenly spread across the whole business? What if your log vendor was—the entire spend was all by one service that some developer left the debug logging enabled for? You know, you’d want a way of understanding that maybe that spend was concentrated in maybe a non-production aspect of your account. Because then again, that wouldn’t grow, right? That wouldn’t affect your growth in your sales the same way as if maybe all of your services were equally sending logs of a certain volume over.

So, all of those extra services, they all add up, and we see it more and more, as more of our clients start adopting more than just Amazon services: they might be adopting a Snowflake, they might be adopting third-party services running databases running in other services, or EMR type workloads that are not on EMR, and they’re running on Qubole or things like that. There’s just a lot of these services that more and more people are consuming from that fall outside of just the AWS invoice.

Jesse: And this also gets back to not just architecture diagrams, but also tagging and showback models, cost visibility, really understanding where your spend is going. And this is fantastic to understand where your spend is going, but finance is probably going to want something a little bit more than this. It’s not just about how much are we spending, or where are we spending it, and maybe it’s not even a finance question. Maybe this is a sales conversation, assuming that you’re a SaaS company. Maybe this is, as Pete mentioned before, “Hey, we want to understand where...

Nobody Cares About the Operating System Anymore

Corey Quinn — Wed, 07 Apr 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Space Accelerator vs. AWS Global Accelerator

Corey Quinn — Mon, 05 Apr 2021 03:00:00 -0700

AWS Morning Brief for the week of April 5, 2021 with Corey Quinn.

Win Friends and Influence DevOps: Continual Tagging Improvement

Corey Quinn — Fri, 02 Apr 2021 03:00:00 -0700

Links:

Unconventional Guide to AWS Cost Management:https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/
Trash Taxi: https://trash.taxi

Transcript

Corey: This episode is sponsored in part byLaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visitlaunchdarkly.com and tell them Corey sent you, and watch for the wince.

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I’m Pete Cheslock.

Jesse: I’m Jesse DeRose. [laugh].

Pete: Hashtag #FFF. Not my grades in high school; that is Fridays From the Field.

Jesse: We will make it a thing. It’s going to happen.

Pete: It’s going to happen. We’re going to do our best to use the hashtag triple-F as much as possible. So, if you have any questions for us, just again, reminder, you can go to lastweekinaws.com/QA as we talk more about our Unconventional Guide to AWS Cost Management. Please give us your feedback, ask us some questions, we’ll answer those in a future episode. Today, we’re expanding on tagging. Because it’s so thrilling to talk about tagging some more, Jesse.

Jesse: We know that you have struggled to fall asleep at night listening to our podcasts. So, we wanted to do a very special episode just for you, to talk more about tagging. Let’s move into our NPR voices. [silky-smooth voice] Hello, and thank you for listening.

Pete: [buttery-smooth voice] Sponsorship of this—no, I’m just kidding. We’re not—we leave that work to, Corey.

Jesse: [laugh].

Pete: So, today is really about how to win friends and influence DevOps, and it’s all about continual tagging improvement.

Jesse: We talked about the importance of tagging, and one of the things that’s really important to tagging is identifying a tagging strategy, and then building and developing that tagging strategy over time. Your tagging strategy is going to change over time; that is the nature of the beast. Your organization is going to change over time, therefore your organization’s needs are going to change over time, and the tagging strategy and the tagging needs are going to change over time, as well.

Pete: Exactly. You’re going to build new products; you’re going to grow, hopefully; you’re going to add additional Amazon accounts; you can make acquisitions; you could get sold to another business. There’s just so many things that are going to happen, they’re going to change. It’s just inevitable. So, how do you continue this process of tagging, and this is, I think, a really important discussion because when you start that process, you take that first step and you start investing in tagging, the best way to get those—you know, that compound interest on all of the return value that you’re putting into tagging, is by making it a long term, continual process. And I’m not talking about, like, “Well, you know, we do a little thing every month, and it’ll be good by, I don’t know, maybe a month or two, next quarter. And then we’ll be done.”

Jesse: [laugh].

Pete: And that doesn’t work. The best companies that we’ve seen that have really knocked this out of the park have turned this into just a multi-year endeavor. It is going to take you a long time to reach just, like, the pinnacle of tagging, having that ability to allocate just down to the penny of your Amazon spend is going to take a long time. So, manage those expectations appropriately that this is not an overnight fix.

Jesse: So ultimately, at this point, you’ve tagged all of your resources; you’ve built this policy. The next thing to really think about is, why? Because in a lot of cases, a lot of engineers are going to ask you this very question. Why should we tag this information? Why should we tag these resources?

And you’re going to need an answer that’s more than just, “Well, finance wants this information,” or, “Product wants this information,” or, “The engineering leadership team wants this information.” What you’re getting at with tagging is cost attribution. So, at a really high level, for those who aren’t familiar, cost attribution is the process of identifying, aggregating, and assigning your AWS spend to your organization’s teams, your business units, your products, however you want to slice-and-dice that data, whatever different tags you might be leveraging within your tagging policy. So, it’s really about where is your AWS spend going, along these different lines of the different things that finance cares about, that engineering cares about, that product cares about, that IT or security cares about. So, it’s not just about tagging your resources so that everything’s tagged, but it’s about leveraging that information to understand, where are your costs going?

Pete: I think that also gives companies a great KPI—Key Performance Indicator for the non-business folks. But it's a good metric. It’s a good way to track your success with tagging is to basically answer this question: what percentage of spend is tagged? Not number of resources because there are some resources that simply don’t have a cost that have the ability to be tagged. So, tracking tagged by a percentage of resources is, for the most, part not useful.

Jesse: Yeah.

Pete: But tracking what percentage of your spend is tagged—and specifically tags that are enabled as cost allocation tags, which is something that you need to make sure you set up—but by tracking that spend, that KPI, that’s how you can start to understand how good of a job you’re doing at this. Now, again, we’re obviously focused on tags as a cost attribution strategy. But the reality is, is that’s the main use of them on Amazon, specifically. The main use of tags, again, that we see is so people can understand where the money’s going.

Jesse: Yeah. AWS even calls them out as user-defined cost allocation tags. For example, if you want to log into Cost Explorer and see where your spend is going among different products, among different teams, among different business units, you need to make sure that those tags that you’re leveraging are enabled as cost allocation tags in Cost Explorer. So, that’s a really important footnote to call out.

Pete: Yet to that point, is if you do enable your cost allocation tags, there’s maybe some default ones that Amazon will enable for you, but you’ll have to enable any of your own customs. Those take effect going forward; they’re not retroactive. So, if you want to understand which tag is costing you a certain amount of money, make sure to go and enable that as soon as you possibly can because it’s not going to—you’re goin...

You Can't Trust Amazon When It Feels Threatened

Corey Quinn — Wed, 31 Mar 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS FaceHugger Now Integrates With AWS ChestBurster

Corey Quinn — Mon, 29 Mar 2021 03:00:00 -0700

AWS Morning Brief for the week of March 29, 2021with Corey Quinn.

Why Are You Still Paying Retail Prices?!

Corey Quinn — Fri, 26 Mar 2021 03:00:00 -0700

Links:

Unconventional Guide to AWS Cost Management:https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/

Transcript

Pete: Hello, and welcome to the AWS Morning Brief. I am Pete Cheslock.

Jesse: I’m Jesse DeRose.

Pete: Fridays From the Field. Triple F.

Jesse: Wooo.

Pete: It’s going to be a thing. We’re working on it. And you can follow along this Unconventional Guide by going to the duckbillgroup.com. Website, you can download this entire Unconventional Guide as a handy PDF. We’ll include the link in our [show notes 00:00:33]. It’s a really long link that I’m not going to read out here.

Jesse: Is it wrong that I want Rebecca Black’s, “Friday” to be our opening intro music now?

Pete: Oh, yeah. That would be, actually, pretty good. I feel like the cost of licensing that might be a little higher than we want to bear. But I don’t know, maybe there’s some sort of fair use thing that we could do with it.

Jesse: I like it. We’ll think about it.

Pete: Well, you know what? We can all just sing it in our heads. And that’s a good way to get it—

Jesse: [laugh].

Pete: —very cost-effective way.

Jesse: We know that you’re groaning as much as we’re groaning, and that’s what’s important.

Pete: That is very true. So, today, we are talking about why are you still paying retail prices for your Amazon usage? And maybe you’re sitting there going, “Well, what else would I pay?” Well, you’d pay less than that, right?

Jesse: Yeah. Last week, we talked about reservations and savings plans, reserved instances. And that’s really important, but today we’re talking about something a little bit different than that. Reservations are still important and still, potentially, part of this conversation, but it’s possible to not pay retail prices. You have to think about it in the same way that you’re thinking about reservations: you have to be willing to make investments into your cloud spend, into your cloud usage.

Pete: So, we mentioned this in a previous episode, that no matter how much your spend is, from a couple of dollars a month all the way up to hundreds of millions of dollars a month, you have an account manager with AWS. You may have never met them, but there is someone that is specifically assigned to you. And the reason for this is that every big-spending client out there starts as a small-spending client, if you’re a startup, you might be spending $10,000 a month. That can be a huge amount of money for your business, but Amazon knows that next year, you’re probably going to spend more than that. And so everyone gets an account manager, and that account management team is there to help you improve your bill.

And by that I mean, help you spend less when it’s possible. So, the way they do this is by helping investing in this relationship. They want you to save money. And I’m not making a funny here, that may sound like a very strange topic. But Amazon doesn’t want you to spend your money wastefully. That makes for angry customers. Right, Jesse?

Jesse: Yeah, this is ultimately something that I see come up again and again. AWS’s account management team really wants to help you; their job is literally to help you. This relationship is super, super important, and can manifest in a number of different ways: it can manifest in your account manager trying to set you up with a solutions architect or technical account manager to use more AWS services; it can be talking about some of the discounts that we’re going to talk about today; it could be a whole slew of things, maybe credits to move or migrate from your data center into AWS. That’s when we’ve seen a couple times with a couple different clients of ours.

Pete: Yes, specifically, we’re talking about one of the most well-known, I guess, of all of the discount programs inside of Amazon called the Enterprise Discount Program. This is often referred to as an EDP. And you might have an Enterprise Discount Program—this is actually separate from something called an Enterprise Agreement which is just, I believe, some shared legal agreements of how you will operate on the platform. This is actually broader than that. This is both Amazon and your business committing to certain terms—so legal is going to get involved; it’s going to be some legal requirements that are needed—but at the end of the day, this is how you can get a discount on your spend, just a straight, broad, cross-service discount that applies to all of your spend—for the most part. I say ‘all’ but for a majority of your spend within Amazon.

Jesse: So, now you’re thinking to yourself, “Fantastic. How do I sign up, sign up? Shut up and take my money.” So, there’s levels to this. We’ve usually seen clients or AWS customers, whose spend exceeds $1 million per year. That’s usually the sweet spot where your account manager will step in and say, “Hey. Hello. Hi, how are you?”

Pete: Yeah. That’s where you get the introduction because at that spend, yeah, okay, you’re at—what—$100,000 a month, at least? Six figures a month, that’s real spend. That’s real spend that’s probably not going to go away anytime soon. And it’s spend that probably is going to increase in the coming years.

Jesse: And even if you’re not at $1 million per year, you can still start that conversation with your account manager today. They can still tell you what are the levers that you have in order to become part of this EDP program? What are the levers that you have to start getting discounts on your usage today?

Pete: So, something we see a lot of, we actually help a lot of our clients, hold their hand through this negotiation process, and help our clients negotiate on their behalf to improve their discounts. And a good number of our clients actually, will preemptively negotiate these contracts in advance of their spend growing on Amazon, basically making these multi-year commitments because maybe they’ve just closed a deal with a large customer, they’re expecting some future growth and they want to make sure that they can get the biggest discount possible. And that’s what an EDP can do is, basically you’re saying, “I commit to spending a certain amount of money per year, and in exchange, I will get a discount.” Now, there’s a lot of nuances here, but the key thing is that when you make that commitment—let...

Sell Me an AWS Service, But Crappier

Corey Quinn — Wed, 24 Mar 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

$500 Million in Request Charges Isn't Really a Request

Corey Quinn — Mon, 22 Mar 2021 03:00:00 -0700

AWS Morning Brief for the week of March 22, 2021 with Corey Quinn.

I'm Sorry, Do You Have a Reservation?

Corey Quinn — Fri, 19 Mar 2021 03:00:00 -0700

Links:

Unconventional Guide to AWS Cost Management:https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/
Pete’s Twitter: https://twitter.com/petecheslock

Transcript

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I’m Pete Cheslock.

Jesse: I’m Jesse DeRose.

Pete: We’re back again. We’re continuing the Unconventional Guide to AWS Cost Savings. What are we talking about this week, Jesse?

Jesse: This one’s actually one of my favorite topics. I feel like I say that every episode, but they’re all my favorite topics; just don’t tell any of them that. This week, we are talking about investing in your future. We’re talking about making investments in the AWS platform in terms of reservations.

Pete: Awesome, yeah. I mean, there’s usually a return on investment. But investments are a complicated part. I mean, there’s a lot of different ways that Amazon is happy to take your money, right?

Jesse: Yeah, absolutely. And I feel like this is one that people are aware of tangentially, but I don’t think a lot of people think about regularly. I really wish more folks would make a habit out of regularly looking at usage and looking at the potential for reservations. Because as you said, Pete, there are amazing opportunities to receive a return on that investment, and I don’t think enough companies are taking advantage of that.

Pete: Yeah, there’s a lot of nuances, and we’ll dive into all those things. But before we get started, just want to remind all of our listeners that this Unconventional Guide, you can actually head over to the Duckbill site and go and download this guide, we have it as a handy PDF, for review. Obviously, it’s going to cover some of the future episodes as well. So, you get a little bit of a sneak peek there.

Jesse: Spoilers.

Pete: But if you do better with a written format, it is available. I would read the link off but it’s comically long and figuring out short URLs, we just haven’t reached that level of technical ability over here. So, we’ll include the link to that PDF in our [show notes 00:02:01], and you can go check it out at duckbillgroup.com. But also to go, too, lastweekinaws.com/QA and ask us questions. Send us your questions, your thoughts, your comments, your feelings. As someone I used to know a long time ago, your bitches, moans, groans, and complaints, just add them all in there. And you can add your name; you don’t have to, you can just send it anonymously. But ask your questions. We’ll be taking some time in future episodes to go into those questions and dive in deeper on some of these particular topics that people might be a little confused by or maybe just want some more insight into.

Jesse: Yeah, we’ve gotten some great questions so far that we are planning on future episodes for, and please keep the questions coming. There’s some really, really great questions, really, really great commentary in there. And we absolutely want to make this an engaging conversation. We want this to be a two-way conversation.

Pete: Absolutely. So, diving into investments, I’d have to go online and do some research, but I’m pretty sure it was probably the EC2 instance reservations, were the first type of commitment that you can make to Amazon. And again, if I’m wrong, folks out there listening, please go to lastweekinaws.com/QA and let me know of that. Or you could just tweet me as well at @petecheslock. That’s what most people do is, when I’m wrong, it just tweet at me. Right, Jesse?

Jesse: Yeah. I mean, well, I have a direct connection to you, but if I didn’t, I’ll just tweet at you.

Pete: Yeah, you’ll just tweet at me or Slack DM me or whatever; send me a Zoom message, or maybe hit me up on Chime.

Jesse: Oh, god, yes. If somebody is hitting you up on Chime, you know you’re in trouble.

Pete: That’s very true. [laugh]. Something has gone wrong if I get a message on Chime. But what’s interesting is that the instance reservations was a way of ensuring capacity, and you could basically commit to running an instance, an availability zone in a certain region, and that instance would be there for you. It was a capacity reservation, which is actually something different now, which we might touch on later, but it wasn’t really like a, “Give me a discount.” That came later.

It was an instance reservation: reserve this instance. And this was important because for those folks who have been part of Amazon in the earlier days, there were times that you would ask for a certain instance type in a certain availability zone and Amazon would kindly tell you to go pound sand because they didn’t have one of those for you.

Jesse: Yeah, this is something that we’ve seen with a number of clients who are largely multiregional and leveraging basically every instance type you can think of under the sun, and really putting all of these compute resources to their limits. So, getting some kind of confirmation that they would have this capacity available is kind of important.

Pete: Exactly. I remember specifically—this was yeah, maybe 2010 timeframe, kind of the heyday, the wild times of Amazon—we had been running—a company of mine had been running a sizable NFS cluster on EC2. “Why would you do that Pete? That’s a terrible idea.” Of course it’s a terrible idea.

We didn’t do it by design; we did it because we were a startup, and that was a proof of concept that got out of control, like most technology, right? But when we lost the NFS server itself, we had—I can’t even tell you how many—let’s say 50 EBS volumes that were all striped to this server because that’s a great idea. And we needed another server in that availability zone. We’re not going to snapshot, like, 50 terabytes of EBS. I don’t even know if that capability existed then, to move snapshots across availability zones.

So, we needed another instance, and luckily we had a great relationship with our account team—because we were so early—that I do remember, specifically, we got through to the right people. And the line was essentially, “You need to make this API call in the next 15 minutes, or you’re going to lose the instance that we’re basically setting aside f...

The Future of Cloud is Microsoft's to Lose

Corey Quinn — Wed, 17 Mar 2021 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Word-level Overconfidence

Corey Quinn — Mon, 15 Mar 2021 03:00:00 -0700

AWS Morning Brief for the week of March 15, 2021, with Corey Quinn.

Listener Questions 2

Corey Quinn — Fri, 12 Mar 2021 03:00:00 -0800

Links:

Unconventional Guide to AWS Cost Management:https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/
Building Successful Communities of Practice: https://www.amazon.com/Building-Successful-Communities-Practice-Webber/dp/095749193X

Transcript

Corey: Ever notice how security tends to be one of those things that isn’t particularly welcoming to folks who don’t already have the word ‘security’ somewhere in their job title? Introducing our fix to that, Meanwhile in Security. To sign up for the newsletter or to find the podcast, visit meanwhileinsecurity.com. Coming soon, from The Duckbill Group.

Pete: Hello, and welcome to the AWS Morning Brief. This is Fridays From The Field, hashtag-triple-F. I am Pete Cheslock.

Jesse: I’m Jesse DeRose, and I have a question: is it hashtag-triple-F, or is it hashtag-F-F-F? Are we spelling out triple F in this hashtag, or is it just literally three Fs?

Pete: The three Fs is a little triggering for me for me, with my high school grades, so let’s just stick to—

Jesse: [laugh].

Pete: —hashtag—

Jesse: —triple-F.

Pete: Triple-F, I think, just has a better flow to it. But that’s a good—it’s a good point in our continued effort to make triple-F—hashtag-triple-f a thing.

Jesse: All of our audience members were really concerned about that one because they’ve been trying to get us trending on Twitter, but they weren’t really sure, was it triple-F. Or was it F-F-F, or was it something in between?

Pete: Exactly. It’s just bad. But we’re going to keep trying at it, and we’ll see what happens. Well, anyway, we are back again to continue our Unconventional Guide to Cost Optimization on AWS with another listener question. And unlike the last time we did listener questions, this question actually came in during our Unofficial Guide, which means we actually have one listener this series. Because we can’t count the last one that was from way before. So, to this one listener, thank you, thank you for listening.

Jesse: Just that one listener. Just you. Thank you.

Pete: Yeah, just you. Everyone else, no, we’re not going to, we’re not going to thank you at all. But if you want to be our second listener, go to lastweekinaws.com/QA and give us a question. What do you want to know more about?

What can we dive in a lot deeper on any of these topics we’re talking about? It’s complex stuff, and we’re all learning this, we’re all trying to figure out what works best. And not every company is the same. And that’s what I actually love about this question because this question actually came in from someone who didn’t put their name—but that’s okay—they work in the public sector, which is why they didn’t put their name in there. And they had a pretty interesting question. So, Jesse, maybe you can read this off for us and let us know what we’re going to be answering today.

Jesse: Yeah. This question is, “We’re an Azure shop, partly cloud on the way, however, we’re also becoming an Oracle OCI shop”—I’m so sorry—“And an AWS shop, and well, it’s public sector, so one-of-everything cloud provider. How do we convince management that cloud is a different thing than on-prem and needs some kind of cloud team? I dislike the phrase DevOps as a job title, but we need something to change the current model where nearly all of this work is outsourced to a quote-unquote, ‘managed service provider?’” Oof. I have so many feelings.

Pete: I would imagine. I mean, I was immediately—I felt called out, you know? Just @ me next time, public sector coward with the DevOps-as-a-job-title phrase.

Jesse: Yeah.

Pete: They often say that only a DevOps tool, I guess—wait, what’s the term? It’s like, “A DevOps tool would give themselves a DevOps as a job title.” Of course, that’s often said about me because I gave myself a title called ‘DevOps Director’ or ‘Director of DevOps.’ Either way, you phrase it, it’s all pretty bad.

Jesse: Yeah. So, there’s a couple of different questions in this, and we’re going to dive into each of them individually. But really, really quick, I want to talk about multi-cloud because that’s kind of the underlying discussion here; something that is not necessarily the focus, but let’s talk about multi-cloud. Why is multi-cloud a thing? Why is it an important thing that you should be thinking about?

Pete: Multi-cloud is an interesting topic that could go a lot of different ways. And I call multi-cloud a lot different than hybrid cloud. I think most people are probably doing hybrid cloud, meaning you’ve got some data centers—because it takes you years and years and years to move off of those—and you’ve also got cloud workloads, or maybe you’ve got some data centers and you’re bursting up to cloud workloads; that’s pretty cool, too. I think of multi-cloud as individual applications being deployed to the cloud vendor and cloud provider, based on maybe price or features or things like that. And honestly there, a lot of the cloud providers are getting closer in feature sets.

But for example, I might want to use Lambda, but I may not want to suffer high cost of data transfer. So, can I build an application that leverages Lambda, but maybe leverages the extremely low cost of Oracle’s OCI data transfer? That made the news when Zoom signed that big contract with Oracle, it was largely driven by network data transfer. So, there are some reasons why multi-cloud might be a thing.

Jesse: And we’ve definitely seen multi-cloud in practice with some of our clients. But I also want to call out the caveat that the clients that were doing this were very mature in their cloud cost practices. So, kudos to those clients because they’re doing amazing, amazing work. But it takes time to really build up a mature, scalable, optimized, multi-cloud strategy.

Pete: Yeah, exactly. And I think the biggest challenge is that we see is, on the one hand, if you say to yourself, “I’m going multi-cloud, therefore, I will only consume core primitives like compute, block, store, object store, networking,” even though all the providers will provide you those services, obviously, the APIs to interact with them will be wildly different, but most importantly, the authentication models are going to be wildly different, how you authenticat...

Corey Quinn’s AWS Beta Certification Exam Report

Corey Quinn — Wed, 10 Mar 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Flow Logs, She Wrote

Corey Quinn — Mon, 08 Mar 2021 03:00:00 -0800

AWS Morning Brief for the week of March 8, 2021 with Corey Quinn.

Tag—You’re It!

Corey Quinn — Fri, 05 Mar 2021 03:00:00 -0800

Links:

Unconventional Guide to AWS Cost Management:https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/
AWS Tagging Best Practices Whitepaper: https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/welcome.html

Transcript

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I'm Pete Cheslock.

Jesse: I'm Jesse DeRose.

Pete: And we're back again, Jesse. We are back. But really have we gone anywhere to begin with?

Jesse: We've been making our way slowly but surely through this Unconventional Guide. Lots of really interesting recommendations, lots of really interesting feedback from all of you, which we really, really appreciate. We can't wait to dive into some of those ideas deeper in future episodes.

Pete: Yeah. And don't forget, you can give us additional feedback and questions at lastweekinaws.com/QA, feel free to add your name. Or not. Doesn't matter. It can be totally anonymous. That's fine with us. So today, we're talking about a topic that is very near and dear to our hearts.

Jesse: Yes.

Pete: It is tagging.

Jesse: Yes.

Pete: Tagging your resources in Amazon, or I mean really any cloud provider; any place you can tag something you probably should. And we're going to talk a little bit about strategies for that, how people use their tags, just all the fun things related to it. Tagging, it's easy to do, right, Jesse? You just tag your resources and all your problems go away.

Jesse: Yep. Thanks, everybody, have a good night.

Pete: So yeah, if you've enjoyed this podcast, please go to—no, I’m just kidding.

Jesse: [laugh].

Pete: Tagging is probably the thing that most companies are doing poorly, simply because it's hard, and it's an afterthought, and if you didn't have a really solid forced strategy to ensure tags and force compliance, you're probably not going back to fix it.

Jesse: Yeah. It's not thought about as something that's a first-class citizen in the cloud world. When you think about the things that are important to your business model, you might think about getting your application out the door and running, maybe talking about business requirements for availability, failover, data retention, but tagging is nowhere on that list. That's not something that I think any organization thinks about as part of an MVP, let alone future iterations of their products.

Pete: Tagging feels much like the same feeling I get when my doctor says that I should eat more veggies.

Jesse: Oof.

Pete: I know they're good for me; I know we need to do this. They have vitamins, and fiber, and all these wonderful things. But in order to make those veggies something I want to eat, we have to learn to make it more delicious. Personally, I find duck fat works to make them more delicious. I wish we could apply a duck fat strategy to the tagging problem.

Jesse: Yeah, it's not an easy problem to solve. Or rather, I should say it is an easy problem to solve, but it's not something that anybody is quickly incentivized to solve. Tagging, just for the sake of tagging, it doesn't work.

Pete: Yeah, it's that there really are no incentives for it. No good incentives. It's usually because someone came over to your desk and said, “Hey, what's this charge for? And who's using it? And what's the deal with this?”

And you're going into Cost Explorer, and you're like, “Uh, I don't know. It's in this one account.” And that's as far as you can go to figure out who did what and why that thing is the way it is.

Jesse: Yeah. There are so many different tagging strategies that we've seen. We've seen some clients talk about tagging as a way to potentially penalize engineers who aren't tagging or who are spending too much money. We've seen organizations who are tagging to reward teams that are tagging all their spend or keeping their spend optimized. Across the board, there are just so many different ways to go about this.

Pete: So let's assume you are like most of the companies that we've seen. Definitely not all: there are some rare gems out there that are making tagging a long term and continual process, which we're actually going to talk about in a future episode, how to do that. But let's say you're just looking at your bill, you're looking at your usage, and you're saying to yourself, “Okay. I need to be better at this.” What do they say, “The journey of a thousand miles starts with a single step?” What is that first step?

Jesse: Yeah there's a lot of different ways to go about this. I think there's a couple great places to start. Now, I will say AWS has a thrilling 24-page best practices white paper that we’ll throw a link in the [show notes 00:05:18].

Pete: Have you read that, Jesse?

Jesse: I will say that I have read parts of it. I have not read all of it, and so I want to make it very, very clear to all of our listeners, this is not a document that needs to become the holy grail for your organization. I think in the same way that you could read the SRE book from Google and have some good takeaways, you can skim through this white paper, maybe read through a couple of the sections that seem most applicable to your organization, and then start with those ideas, start with those best practices, and then build them over time organically; develop them over time organically.

Pete: I like to read it some nights when I'm just having trouble sleeping, and maybe by page two or three I’m just out.

Jesse: Yeah. There's a lot of content in there talking about what to tag, why to tag. I think the best place for any organization to start is to think about what are the important things that we need to tag. And that's a conversation that's going to involve not just engineers, but also finance, potentially IT, maybe also security teams, depending on how your organization is built. Because ultimately, what you want to do is understand what are the things that my organization cares about when it comes to our cloud usage?&n...

Two Views of Lambda Diverged in a Yellow Wood

Corey Quinn — Wed, 03 Mar 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Firewall Transit Gateway Dingus

Corey Quinn — Mon, 01 Mar 2021 03:00:00 -0800

AWS Morning Brief for the week of March 1, 2021 with Corey Quinn.

Humans Are the Most Expensive Part of Cloud

Corey Quinn — Fri, 26 Feb 2021 03:00:00 -0800

Links:

Unconventional Guide to AWS Cost Management: https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/

Transcript

Pete: Hello, and welcome to Fridays From the Field. I'm Pete Cheslock.

Jesse: I'm Jesse DeRose.

Pete: And we're back, again. We're continuing our series, the Unconventional Guide to AWS Cost Management. And as always, if you have questions, as we are going through this series and want to learn more, go to lastweekinaws.com/QA. Thank you to all of those who have already submitted questions.

Jesse: Yes.

Pete: Really great ones coming in.

Jesse: Thank you.

Pete: We're going to take a couple of episodes in the future to answer those questions and really dive into them. So, keep them coming. We really love them so far. So Jesse, what are we talking about today?

Jesse: Today, we're going to be talking about one of my favorite topics, which is that humans are the most expensive part of Cloud.

Pete: Yeah, we hear this quite a bit. I mean, not just in salary, right? This is the line that usually is mentioned when we talk to folks about their Amazon spend. They say, “Well, outside of salary, Amazon is our most expensive bill.”

Jesse: Yeah.

Pete: That line has been repeated more times than I can count.

Jesse: But what's so fascinating to me is that this really gets at the idea of total cost of ownership. I think that's ultimately what I really want to focus on for just a second. Total cost of ownership is thinking about all of the spend related to your cloud costs. Now, when you think about cloud costs, you will generally think about just the usage that you have within AWS, maybe some discounts from either an EDP or PPAs. But are you thinking about how much time it's taking your engineers to manage all of that usage, manage that infrastructure, manage the deployment pipelines that are living within the cloud? Are you thinking about all of those components and the cost of those components alongside your usage?

Pete: Yeah, exactly. I think engineers are bad at this.

Jesse: Yeah.

Pete: Myself included. But this is something where we want to build things. That's why we're in this industry. And it's fun to build things. Maybe not so much fun to, kind of, ongoing manage those things. Looking at you, Cassandra and Elasticsearch clusters.

Jesse: [laugh]. Yeah, it's this idea that there are definitely opportunities for engineers to spin things up and manage things on their own when you want to build that Kubernetes cluster and learn how to manage a Kubernetes cluster, learn how to build a Kubernetes cluster. That's great. We don't want to stop you from building and learning at all. But when you're building infrastructure for your organization, for your teams, for your products, is it going to be more cost-effective for you to build this solution yourself, or is it going to be more cost-effective for you to leverage existing managed services within the cloud?

Pete: I like to call it operational FOMO, you know, the fear of missing out. And I think a lot of engineers suffer that when it comes to the new hotness, the new stuff. Kubernetes is a great example. I mean, I feel like a lot of those people were also equally like, “OpenStack is going to be the best thing ever.” And then it didn't.

But I like to think of my time at a previous company where we deployed into the Cloud, specifically Amazon, and there was a fear that was, again, we've mentioned this before, it's an irrational fear about vendor lock-in. And that fear forced us into building forced us only using core primitives: S3, EC2, EBS, really. We really didn't use much more than that. I mean, obviously, the networks and stuff go in there. And the idea was, is that oh, well, we have this portability.

And we—Duckbill Group, Corey, we've all talked about it, written about this. It's a fallacy. You're locked in for a lot of other reasons that I'm not going to go into right now. But because of that, we became very good at running our own databases and specifically consuming a large amount of time-series data. It was a security event application.

And so one of the interesting flip sides of this outcome is that we ran our own monitoring infrastructure. I didn't pay for Datadog. They called me every single day and I was like, “My metrics infrastructure cost me $1,000 a month. You're going to charge me $50,000 a month. Even if you discounted that by half, I still am going to pay a lot more.”

And the reality was, is that we became so good at managing these systems, we didn't need those services. But I always think back at like, at what cost? How much more time could we have invested in the application, the product, how we deployed it, availability, all that stuff, if we hadn't had to invest so much time into running our own Elasticsearch, running our own Mongo, our own Redis, our own Cassandra? We spent a lot of time doing those things.

Jesse: Yeah, there's a lot of opportunities to leverage managed solutions for those things. Because, again, part of it is this idea of your engineers don't have to spend time managing this infrastructure; they can spend time on other things. But also think about what are the other cost components of this architecture that you may be able to leverage by using a native or a managed AWS service? For example, if you look at Amazon Elasticsearch—is it ‘Amazon Elasticsearch?’ Is it—

Pete: I always forget if it's ‘Amazon Elasticsearch’ or ‘AWS Elasticsearch.’ And oftentimes, it doesn't feel like a rhyme or reason why they name it the way they do.

Jesse: Well, let me put it this way. If you look at the managed Elasticsearch service on AWS, you don't end up paying for some of the things that you might pay for if you were managing that infrastructure yourself, like data t...

Setting the Record Straight on the 'Very Funny Cloud Computing Billing Expert'

Corey Quinn — Wed, 24 Feb 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The World Thinks I'm Funny, AWS Disagrees and Commits

Corey Quinn — Mon, 22 Feb 2021 03:00:00 -0800

AWS Morning Brief for the week of February 22, 2021. with Corey Quinn.

Infrastructure Code Smell (aka Who Microwaved the Fish?)

Corey Quinn — Fri, 19 Feb 2021 03:00:00 -0800

Links:

Unconventional Guide to AWS Cost Management: https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/

Transcript

Pete: Hello, and welcome to the AWS Morning Brief. I’m Pete Cheslock.

Jesse: I'm Jesse DeRose.

Pete: Fridays From the Field, Jesse. We're back again.

Jesse: Back, back, back again.

Pete: I always say that when I rage quit computers, it would be fun to be a farmer. And so maybe this is a little trial run “Fridays From the Field.” I'm just out in the field.

Jesse: So basically, what I'm hearing is that you are the old man out in the field, yelling at the clouds as they go by.

Pete: Well, now that I work from home pretty much all the time as part of Duckbill, but also due to COVID. I do yell at the squirrels who constantly tear up my yard. I've now turned into that person.

Jesse: [laugh]. Oh, oh, Pete, I'm so sorry.

Pete: Those squirrels. I hate them. So we're back again, talking about the Unconventional Guide to AWS Cost Savings. And this time, we're talking about ‘infrastructure code smell.’

Jesse: Ooh, fun one.

Pete: I like to equate this to, who brought the fish for lunch and microwave to that?

Jesse: I always understood that at a deep core level, but didn't really think about it until I actually did microwave fish one day, and I regret everything.

Pete: Don't do it. I'm telling you, folks, don't do it. You can bring tuna fish in. I guess that's fine. That's a little bit better. If it's packed in oil, it actually is a lot less smelly. Should we do a food podcast? No, I’m just kidding. [laugh].

Jesse: [laugh].

Pete: So ‘code smell,’ I do want to bring this one up because I actually did a little bit of a TIL—today I learned—with code smell. Yeah, this term was actually coined by someone that was a writer about the agile software movement, Kent Beck. He was working with Martin Fowler, who's a noted author about programming. In the book called Refactoring, they coined this phrase ‘code smell.’

Jesse: I did not know this.

Pete: Yeah. You know, you kind of hear a term, you just accept it without really understanding why. But what it was called in this book was, code smell is a surface indication that usually corresponds to a deeper problem in the system. So obviously, it is what it sounds like: something smells. Something doesn't seem good here. And obviously, it can take a lot of forms. You most often hear it in, obviously, software engineering but, guess what? Software engineering has expanded to manage our infrastructure, right?

Jesse: Mm-hm, absolutely. Yeah, it's not just about—or I should say, infrastructure smell is not just about wasted resources. It's really thinking about all of those one-off hacks that got you this far. So, that one time that you couldn't deploy something into production, so you just said, “You know what? I'm just going to log into the console and spin up that instance, and then call it a day, and close the change order, and be done with it so I don't have to worry about it. Maybe I'll open a ticket to see if I can figure out what happened in the deployment pipeline, but I'm not going to worry about it.” All those little things that you did along the way that aren’t probably the best practices that you ultimately should be following and ultimately want everybody else to be following.

Pete: Yeah, and I'm looking at you, software infrastructure manager, who is still running an m1.medium in production. That's code smell.

Jesse: Oof.

Pete: Anyway. Just don't use the m1.mediums. Let them go away. But, Jesse, you're right. It's not just those hacks and one-offs. It's kind of back to the context. It's the how. How you're doing certain things with these Amazon resources, right?

Jesse: Yeah. And I think that's something that's a really important caveat, the call out because there is always a balance between premature optimization and waste. I struggle with this one a lot. My brain automatically thinks, “Well, if I'm going to do this, I'm going to do it the right way the first time, and I'm going to do it the streamlined automated way the first time so that I can just have it all set up the very first go, and set it and forget it and be done and walk away.” But in most cases, that's not how it works.

Pete: Yeah, that is a complicated topic that I've struggled with as well. I've worked for predominantly unprofitable startups. We have a burn rate. We have only a certain amount of money in the bank and you divide by what your spend is, and that's when you're out of money. And doesn't necessarily mean the company's out of business, but it could mean that all that sweet equity that you have no chance of actually turning into real cash has even a less chance of turning into real cash. So, we often in the startup world make those decisions where we try to just get it done in what we hope is the best way possible. Again, we'll regret it two or three years later, but—

Jesse: Regardless of the way you set it up the first time, we will regret it two or three years later.

Pete: It's so true. Even if you say, “I’m going to set this up in the best way possible,” things change, and scale breaks everything eventually. So, in a couple of years, you're just going to be doing things in a different way—for better or worse—than you were doing. And it's kind of just all for not, in many cases.

Jesse: One of my favorites that I see is application logs that are pushed into CloudWatch because you want to be able to see all of your logs in CloudWatch or all your metrics in CloudWatch. But then those same logs and metrics are then being sent off to Kinesis for analysis, they're being sent to Splunk for analysis, they're being sent to Datadog, or insert other third-party vendor here for analysis. So effectively, all you're doing is putting the data into CloudWatch as a cue to go to somewhere else. And CloudWatch isn't cheap. CloudWatch logs are expensive.

Pete: Exactly. This is one of my most frustrating painful-to-see, dare I say anti-pattern of Amazon usage is, partly Amazon to blame on this one because they do make it so easy to get your logs into CloudWatch. It's a default option. If you turn on flow logs, you can have your flow logs go to CloudWatch. God forb...

The Future of AWS Marketing is a Good Story

Corey Quinn — Wed, 17 Feb 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

I Hope I'm Failing the "AWS CFO Sniff Test"

Corey Quinn — Mon, 15 Feb 2021 03:00:00 -0800

AWS Morning Brief for the week of February 15, 2021 with Corey Quinn.

Listener Questions 1

Corey Quinn — Fri, 12 Feb 2021 03:00:00 -0800

Links:

Unconventional Guide

Transcript

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I'm Pete Cheslock.

Jesse: I'm Jesse DeRose.

Pete: We're back again. Hashtag Triple F.

Jesse: It's going to be a thing.

Pete: We're still trying to make it a thing. Desperately trying to make it a thing. Otherwise, we're just going to look like fools, Jesse, if it's not a thing.

Jesse: Oh now, I wouldn't want to look like a fool, you know, next to anybody else in my company.

Pete: [laugh]. It definitely seems to be the one that trait you need to have to work at Duckbill is, to be okay looking like a fool. So, we are midway through the Unconventional Guide to AWS Cost Optimizations, cost savings. And we have been sharing a link on pretty much if not all of these recordings where you can send us feedback. And you can send us questions. And someone finally sent us a question. I think people are listening out there, Jesse. Isn't that great?

Jesse: We have one follower. Yay.

Pete: It's amazing. So, we are really happy that someone asked us a question. You can be the next person to ask us a question by going into lastweekinaws.com/QA. That's not our quality assurance site for testing, new branding things, and new products. QA is for ‘question and answer.’

So, go there, check it out, drop in a message, you can put your name there or not, it's totally fine. But this first question—well, first, I need to actually, I need to admit something. I'm lying right now. This question actually came in months ago. We saw it and thought that was a great question, we should answer it at some point. And then we forgot about it. So we're bringing it back up again, and I think it's relevant so I don't feel too bad about it.

Jesse: Yeah, we saw this question around the time that we started recording the entire Unconventional Guide series. And apologies to this listener. This is a very good question. We want to talk about it, so we are talking about it today. But it took a little bit of a time for us to get to this.

Pete: But you know what? We made it. We're here.

Jesse: We’re here.

Pete: We're here. So, Nick Moore asked this great question. He said, “Hey, Pete and Jesse. Very much enjoying your Friday segment on the Morning Brief.” Thank you very much for that. “If possible, I'd like to hear you talk about your experiences with cost optimization for quote, ‘big data’ projects in the cloud, i.e. Using platforms like Hadoop to process large and complex data, either using pass—like, EMR or [IS 00:03:03]. Is this something that your customers ask about often/at all? And how do or would you approach it? Thanks, again.”

Well, hey, this is a truly awesome question. And at a high level, many of our clients actually are pretty heavy users of various Amazon services for their, kind of, big data needs. And big data, it's all relative, right? I mean, to some companies, big data is in the hundreds of terabytes, to other companies it's in the hundreds of petabytes. It's totally relative, but at the end of the day, it's going to be a challenge, no matter how big of a company you are. Your big data challenges are always a challenge.

Jesse: You've got some kind of data science or data analytics work that you want to do with large data sets. That may be large datasets comparatively to the work that you're doing; that may be large data sets comparatively to the industry. Doesn't matter. Either way, it is big data projects, and there are many, many, many, many solutions out there.

Pete: What's interesting, too, is I think the reason that this has grown in prevalence over the last year, more of our clients have been using more of these services is simply because the barrier to entry on these projects, on these engagements, is so low. You can get started on Amazon with some Athena and Glue, maybe some EMR, for just an incredibly low cost. And also, from a technical standpoint, it's not that challenging. I mean, as a good example, most reasonably technical people could take their cost and usage report, get it integrated into Athena using AWS Glue in minutes. I mean, without using CloudFormation. I mean just clicking through to set it up. And honestly, for some clients, their cost and usage reports, and that's a big data problem. That could be—if you're not storing it in Parquet, if you're actually storing it in CSV because you're a mad person, those could be hundreds of gigabytes a day in volume.

Jesse: Yeah. So, when we talk about big data tasks, there's a couple different services that we generally see folks using within AWS. We generally see S3, Kinesis, and most obviously, EMR.

Pete: Yeah, exactly. And we're seeing new services like Kinesis, expanding on Kinesis: Kinesis Firehose, when that came out; people are using that for some of their big data needs, especially when trying to stream data into S3. That's a really powerful feature that Firehose can do. And then, once it's in S3, the question that our clients often ask is, kind of, “What do I do with it now?” And if we dive into just S3, and you've got your data in S3, where are the kinds of places that we see unnecessary charges for data warehouse tasks?

Jesse: Honestly, it's unfortunately kind of both of the major places that you're going to be charged for S3 which is, for your storage costs, and for your requests.

Pete: So, what you're saying is that all S3 charges are unnecessary. [laugh].

Jesse: Just get rid of it. Just put all that on EBS volume somewhere. Turn off your S3, you're solid.

Pete: Exactly. It is kind of funny, but it's true. I mean, there's ways to abuse both of those pricing models, whether it's storage or requests. The first place that we honestly see a lot of this is just people are data pack rats. And let's be honest; I'm one of them as well, I have a NAS setup at home with, like, 30 terabytes of hard drives on it.

I don't throw anything away digitally. Turns out most of our other clients are the exact same way, and sadly, a lot of them use standard storage for S3, which we talk about often. It's common: you get started with the standard storage, that's a great place. But for big data tasks, it's often the wrong storage solution, especially for data that maybe has already been transformed and is stored in a more efficient format; maybe it's queried infrequently. There's two ways to so...

What the Hell is Amazon Web Services

Corey Quinn — Wed, 10 Feb 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Andy Jassy Ascends to Sea Level

Corey Quinn — Mon, 08 Feb 2021 03:00:00 -0800

AWS Morning Brief for the week of February 8, 2021 with Corey Quinn.

Moving Data Is Expensive and Painful (Just Like Moving Banks)

Corey Quinn — Fri, 05 Feb 2021 03:00:00 -0800

Transcript

Corey: This episode is sponsored in part by our friends at Fairwinds. Whether you’re new to Kubernetes or have some experience under your belt, and then definitely don’t want to deal with Kubernetes, there are some things you should simply never, ever do in Kubernetes. I would say, “run it at all.” They would argue with me, and that’s okay because we’re going to argue about that. Kendall Miller, president of Fairwinds, was one of the first hires at the company and has spent the last six years the dream of disrupting infrastructure a reality while keeping his finger on the pulse of changing demands in the market, and valuable partnership opportunities. He joins senior site reliability engineer Stevie Caldwell, who supports a growing platform of microservices running on Kubernetes in AWS. I’m joining them as we all discuss what Dev and Ops teams should not do in Kubernetes if they want to get the most out of the leading container orchestrator by volume and complexity. We’re going to speak anecdotally of some Kubernetes failures and how to avoid them, and they’re going to verbally punch me in the face. Sign up now at fairwinds.com/never. That’s fairwinds.com/never.

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I am Pete Cheslock.

Jesse: I'm still Jesse DeRose.

Pete: We're still here. And you can also be here by sending us your questions at lastweekinaws.com/QA. We're continuing our Unconventional Guide to AWS Cost Management series, and today we're talking about moving data. It's not cheap, is it?

Jesse: No, it's definitely not cheap. It is expensive, and it's painful. And we're going to talk about why, today. And a reminder, if you haven't listened to some of the other episodes in this series, please go back and do so. Lots of really great information before this one and lots of really great information coming after this one. I'm really excited to dive in.

Pete: Yeah, look, they're all great episodes in the end of the day, right? They're just all fantastic.

Jesse: Yeah.

Pete: If I do say so myself.

Jesse: All of the information is important; all of the information is individually important—I think that's probably the best way to put it. You can listen to all these episodes and implement maybe just a handful of things that work best for you; you can listen to all these episodes and implement all of them, all of the suggestions. There's lots of opportunities here.

Pete: If you do actually go and implement all of these suggestions, you really should go to lastweekinaws.com/QA and tell us about it. We'd be very curious to hear how it goes. But if you're struggling with any of these, just let us know as well. These are things that are measured in long periods of time.

It is rare that we run into engagements with clients that you can just click box, save money. Now, don't get me wrong; there's a whole bunch of those, too. But if you want to just fundamentally improve how you're using the Cloud and how you're saving money, those projects are multi-year investments. It's just all of this stuff takes a long time. And you just got to manage those expectations appropriately.

And specifically around this topic, moving data, it is—as Jesse said—painful. It is expensive, especially in Amazon. They will charge you to move the tiniest bit of data literally everywhere, with, like, two minor exceptions. And it's just the worst. Data storage costs, so Duckbill Group, we've kind of become these experts on data transfer and data storage costs, understanding just the complexity around them. And I feel like a lot of times folks only think about the storage being the biggest driver of their spend.

Jesse: Absolutely.

Pete: You know, you never delete your data. But you put it all on S3, right, Jesse? Like that's a cheap place to put your data.

Jesse: Absolutely. Worthwhile. Put it in S3 standard storage, call it a day. I'm done, right?

Pete: Yeah, just do my little, like, wipe my hands, and go on, and we're good. Most people put it in standard storage, just like most people use gp2 EBS volumes; that's the standard everything. And that could be a big driver of cost, but more likely the larger driver—because it's a little bit more hidden, it's a little bit more spread around your entire bill is the transferring of data, the moving data around. And I say moving specifically because there are some services that are charged via I/Os. Via actually putting data into it or taking data out, not just the data transfer.

Jesse: I think it's also really important to call out that most companies that move into the Cloud don't realize that data transfer is something that AWS will charge you for, so I want to make that explicitly clear. As Pete mentioned, in almost every case moving data around, AWS will charge you for that versus in a data center environment where that's kind of hidden, that's not really explicitly a line item in your bill. And here, it absolutely is a line item in your bill and absolutely should be thought of as an important component to optimize.

Pete: Exactly. In the data center world, for any of the folks out there that are in a data-center land, or maybe hybrid-cloud land, your networking costs are, I mean, it's largely a sunk cost. You've got your switches and your lines that run, maybe you're—get charged for the cross-connects, and interacting, data transferring to other areas and things like that. But within your racks, within your own secure domains, you don't have to really think about the cost of those network communications because it's already paid for. And you're definitely not charged at a per-gigabyte level like you are on Amazon.

Jesse: So, we talked about this a little bit before in a previous episode, when we talked about context is king. Context for your application infrastructure is really, really important; understanding how your application interacts with other applications within your cloud infrastructure ecosystem; how your data moves between workloads. All of these things are really, really important, and so specifically, when we talk about data transfer, it's really important to not just understand how your data is moved around, but why your data is moved around. So, we really like to suggest working with all of the teams within your organization. Again, product, potentially legal, maybe IT, to understand your data movement patterns and the business requirements for those data movement patterns.

Why does your data need to move multiple times within an availability zone? Why does it need to move between regions? Do you need to have data that is copied across multiple availability zones? Do you need that data to be cross-region? These are some examples of really important questions to ask to understand, do you need to continue transferring that data? Because the more you can optimize the way that that data is moving around within AWS, the less money you'll ultimately spend.

Pete: Yeah, and this ties into, again as you've noticed, there's a reoccurring theme is th...

Elastic Throws in the Towel on Open Source, Chooses SSPL

Corey Quinn — Wed, 03 Feb 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Unsafely Accelerating AWS Customers

Corey Quinn — Mon, 01 Feb 2021 03:00:00 -0800

AWS Morning Brief for the week of February 1, 2021 with Corey Quinn.

The Unconventional Guide: The Cloud Is Not Your Data Center

Corey Quinn — Fri, 29 Jan 2021 03:00:00 -0800

Links

Forrest Brazeal article referenced: https://acloudguru.com/blog/engineering/the-lift-and-shift-shot-clock-cloud-migration
Unconventional Guide: https://www.duckbillgroup.com/resources/unconventional-guide-to-aws-cost-management/

Transcript

Corey: This episode is sponsored in part by our friends at Fairwinds. Whether you’re new to Kubernetes or have some experience under your belt, and then definitely don’t want to deal with Kubernetes, there are some things you should simply never, ever do in Kubernetes. I would say, “run it at all;” They would argue with me, and that’s okay because we’re going to argue about that. Kendall Miller, president of Fairwinds, was one of the first hires at the company and has spent the last six years the dream of disrupting infrastructure a reality while keeping his finger on the pulse of changing demands in the market, and valuable partnership opportunities. He joins senior site reliability engineer Stevie Caldwell, who supports a growing platform of microservices running on Kubernetes in AWS. I’m joining them as we all discuss what Dev and Ops teams should not do in Kubernetes if they want to get the most out of the leading container orchestrator by volume and complexity. We’re going to speak anecdotally of some Kubernetes failures and how to avoid them, and they’re going to verbally punch me in the face. Sign up now at fairwinds.com/never. That’s fairwinds.com/never.

Pete: Hello, and welcome to the AWS Morning Brief: Fridays From the Field.

Jesse: I like that. I feel like that's good. That's a solid way to start us off.

Pete: Triple F. I am Pete Cheslock.

Jesse: I'm Jesse DeRose.

Pete: #TripleF. We should get some, I don’t know, jackets made? Mugs?

Jesse: Lapel pins? I'm open. I've always wanted a Members Only jacket.

Pete: If Guy Fieri can call diners, drive-ins, and dives, “Triple D,” then we can definitely call this Triple F.

Jesse: We can definitely make this happen.

Pete: It's not my high school transcript, either, we're talking about here. Oh, well, we are back again, continuing our series on The Unconventional Guide to Cost Management with Episode Two: the Cloud is not your data center.

Jesse: Yeah, this one's gonna be a fun one. I feel like this is a topic that comes up a lot in conversations, sometimes with clients, sometimes with potential clients that are asking, “What kind of things do you see day-to-day? What are some of the big pain points that you see with your cost optimization work?” And so real quick backstory, make sure that you've listened to the previous few episodes to get some context for this segment that we're doing and get some framing for this Unconventional Guide work that we are discussing. But talking about using the Cloud as a data center, I have a lot of thoughts on this.

Pete: Well, hold on a second. Isn't the Cloud just someone else's data center?

Jesse: [laugh] I—yeah, you know, this is the same argument of serverless isn't actually serverless. It's just somebody else's computer.

Pete: [laugh]. Someone else's Docker container. But really, there's a lot of ways we're going with this one. But we're coming at it from, obviously, a cost management perspective. And the big, bold, unpopular opinion that we're gonna say is, the most expensive way to run an application in the Cloud, is by treating the Cloud as just another data center; it's going to cost you way more than it would cost to run in a normal data center. And this goes to the world of, in the early days of Cloud, people just raging online and in conferences about the Cloud, it's so expensive. And yes, it is so expensive, if you treat it like an antiquated data center.

Jesse: And really quick before you get your pitchforks out, there is this concept of ‘lift and shift’ that everybody likes to talk about or ‘technical transformation’ that everybody likes to talk about: moving from a data center into the Cloud, which a lot of people see as this movement where they just uproot everything from their local data center into AWS. And to be clear, we do recommend that. That is a solid strategy to get into the Cloud as fast as possible; just move those workloads over. But it is going to be expensive, and it's not what you ultimately want to stick with long term. So, that's ultimately the big thing to think about here.

Yes, lifting and shifting from your data center into the Cloud is absolutely worthwhile. But it creates this shot clock that's now running after your migration is complete, where if you don't move on to all of the services, and opportunities, and solutions that AWS provides that are native solutions, cloud-native solutions, managed solutions, you're going to end up spending a lot more money than you want.

Pete: Yeah, “The Lift And Shift Shot Clock” that was a great blog post by Forrest from ACG—ACloudGuru. We'll include a link to that in the [00:04:35 show notes]. It talks about how not only do you have technical debt accruing as you lift and shift, but potentially the brain drain as people get sick of managing this hot mess that you've lifted and shifted over. That doesn't mean you shouldn't do it.

You absolutely should get into the Cloud, get into a singular vendor with your workloads as fast as possible so that you can then dedicate resources to refactoring all of that. Don't just forget about it and leave it behind. It's not going to end well for you. And you do have a time; the timer is running. So, when you're only using those core primitives—compute, object store, block store—yeah, you're going to have a pretty fixed cost on your cloud bill.

But to Jesse's point, there's a lot of other services. Some of those require an engineering effort. Some of those just involve correctly using an instance type, a storage location that is more specific to its access patterns. I mean, everything is basic as T class instances—for those services that maybe don't use a lot of CPU—to reminding yourself that there are multiple tiers of S3 storage. Even Intelligent Tiering will just tier it for you.

So, if you go and store everything on standard S3 storage and use GP2 volumes on EC2, yeah, it's gonna be expensive. And I know that because I look at a lot of Amazon bills, and Jesse does too, and we see the same thing. “Oh, you've got a really high bill.” “Yeah, we spend a lot on EC2.” It's, “Like, oh, let me guess. A lot of, like, I3s and C5s and M5s and a ton of EBS, right?” And they give you all this optionality, and I think it's that choice which is so overwhelming for many folks moving to the Cloud. I mean, that's, that's really the case. It's just, “What do I pick?” There's just so much.

Jesse: So, let's talk about ephemerality, especially in the world of compute. Ephemerality really ...

AWS Compensation Explained

Corey Quinn — Wed, 27 Jan 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Elasticsearching For A Business Model

Corey Quinn — Mon, 25 Jan 2021 03:00:00 -0800

AWS Morning Brief for the week of January 25, 2021 with Corey Quinn.

The Unconventional Guide to Cost Management: Architectural Context

Corey Quinn — Fri, 22 Jan 2021 03:00:00 -0800

Check out the full unconventional guide here!

Transcript

Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if wanting new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.

Pete: Hello, and welcome to AWS Morning Brief. I am Pete Cheslock.

Jesse: I'm Jesse DeRose.

Pete: This is Fridays From the Field. Triple F.

Jesse: I feel like we've really got to go full Jean-Ralphio, Parks and Rec there. “Friday From the Feeeeeeeeeeild.”

Pete: Yeah, so we're going to need to get an audio cut of that and add some techno beats to it. I think that's going to be our new intro song.

Jesse: [imitates techno beats].

Pete: Yeah, we're going to take both of those things. I'm glad we got this recorded because that's going to turn into a fantastic song. So, we're back to talk about The Unconventional Guide to Cost Management. And this is the first episode, this is the first of a whole slew of these that we're going to be going through from the field, these different ways that companies can impact their spend. And no, it doesn't mean go and buy the cloud management vendor of the moment to look at your spend or fire up Cost Explorer. Those are all pieces of it, but broader things, the big levers, the small levers, the levers that don't actually go back and forth, but you turn and you would have no idea because it was designed by an Amazon UX engineer.

Jesse: Yeah, it's really important to call out that this discussion is looking at your cloud spend from a broader perspective and if you didn't get a chance to listen to our episode from last week, we did a little bit of an intro, framing this entire discussion. Go back and take a listen, if you haven't yet. Really talking about why looking at cloud costs through these different lenses is important. Why are you thinking about cloud cost, not just from the perspective of, “Oh, I'm going to delete these EBS snapshots,” or, “I'm going to tag all my resources,” but why is it important to think about cloud costs from other mediums?

Pete: Exactly. So, don't forget, you can go to lastweekinaws.com/QA and put your questions right in that box. Your name is optional. You can just leave your name blank if you don't want anyone to know who you are. Or if you want to say something really nice about me and Jesse, and you just feel a little shy—

Jesse: Aww.

Pete: —that's fine, too. But just put a question in there. And we're going to dedicate some future episodes to answering those questions and diving a little deeper for those that want to know a little bit more. But as being the first episode, we got to talk about something, so what are we talking about today, Jesse?

Jesse: Today we are talking about architecture and architecture context. Now, this is a really, really interesting one for me because the first thing that I think anybody thinks about when they think about cutting costs with their AWS spend is architecture decisions: something related to your infrastructure, whether that's tearing down a bunch of resources, or deleting data that's lying around. But there's a lot more to it than that context is everything. Knowing why your infrastructure is built the way it is, knowing why your application is designed the way it is, is really important to understanding your AWS cloud costs.

Pete: This is where I feel like the Cloudabilitys CloudHealth, CloudCheckr Cloud-whatever companies, their products, sadly, fall down. And similar for every Amazon recommendation engine inside of AWS, they all break down. They lack the knowledge and the context of your organization. I remember a really long time ago, I had installed CloudHealth for the first time, and it said, “Hey, we've identified all these servers. They're sitting idle. Do you want us to turn them off for you?”

Those servers were actually my very large Elasticsearch cluster. They were idle because if no one's querying them they don't do anything, but they sure do hold a lot of data, and they really do need to be available. So, please, please don't turn those off. But that same thing could happen if you were—you know, due to risk or compliance reasons, you had to run some infrastructure as a warm standby in another availability zone or region. Yeah, sure, it's not taking requests, it’s not doing anything, but that doesn't mean that it's not supposed to be running.

Jesse: And this is really getting at one of the first big ideas, which is: work with other teams within the company. Not just other engineering teams, but product teams, possibly also security teams to understand all of the business context for your application and for your infrastructure in terms of data retention, in terms of availability, in terms of durability requirements. Because ultimately, you as a platform engineer, or an SRE, or a DevOps engineer, or whatever the hot new title is going to be a year from now, you need to understand why the infrastructure exists, and you may see servers that are sitting around idly doing nothing, but that's your disaster recovery site that is required by the business, by a service level agreement to be available at a moment's notice if something goes wrong. And so it's really important to understand what those components are and how they work together to build your overall application infrastructure.

Pete: Yeah, that's a great point. I mean, having that knowledge that if you've been at a company for years, you've got a lot of this historical knowledge. People have come and gone, they've come, they've done things, they've implemented items, they've brought new features, they've gone. As companies grow may or not— may not be a single person who really truly understand the impact of various changes. I think we saw that most clearly when Amazon had their Kinesis outage: the amount of different services that were impacted was pretty large because it's just all too big for any one person to understand.

But that doesn't mean that you shouldn't always continually be working to understand those different usage requirements, and chatting with the non-tech teams. Product teams, I feel like are often ignored in startups because you don't really want more work, and that's what those product teams normally do, right? But they're going to have a lot of context.

I remember working in SaaS companies and looking at things like, “This? We don't use this anymore. There's no way we use this. I'm going to turn this off.” And then, I then say, well, the smarter minds prevail. I say, “Well, let me go talk to product people.” And they go, “Oh yeah. We can't get rid of that one super important API because this one client of ours paid us an obscene amou...

The Various Billing Philosophies of AWS

Corey Quinn — Wed, 20 Jan 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Replicating DynamoDB the Dumb Way

Corey Quinn — Mon, 18 Jan 2021 03:00:00 -0800

AWS Morning Brief for the week of January 18th, 2021 with Corey Quinn.

Introducing From the Field: The Unconventional Guide to Cost Management

Corey Quinn — Fri, 15 Jan 2021 03:00:00 -0800

About Corey Quinn

Transcript

Corey: When you think about feature flags—and you should—you should also be thinking of LaunchDarkly. LaunchDarkly is a feature management platform that lets all your teams safely deliver and control software through feature flags. By separating code deployments from feature releases at massive scale—and small scale, too—LaunchDarkly enables you to innovate faster, increase developer happiness—which is more important than you’d think—and drive transformation throughout your organization. LaunchDarkly enables teams to modernize faster. Awesome companies have used them, large, small, and everything in between. Take a look at launchdarkly.com, and tell them that I sent you. My thanks again for their sponsorship of this episode.

Pete: Hello, and welcome to the AWS Morning Brief: Friday From the Field. Triple F; that's what we're calling it now. We’re going a new direction. I'm Pete Cheslock.

Jesse: I'm Jesse DeRose, and I'm so excited for Triple F.

Pete: Triple F. Hashtag Triple F. So, moving away, taking this into a new direction, we have… not stolen that's a little bit too aggressive. But we have been lovingly gifted this podcast from Corey Quinn after taking over while he was on paternity leave, we just kept on doing it; we never stopped, we never let him have it back. And he was nice enough just to give us this opportunity to take this Friday podcast into a new direction and talk about things that we're seeing as cloud economists in the field working with our clients.

Jesse: Yeah, it really started as this confessional discussion of weird architecture patterns that we've seen, but then it definitely morphed into more of the other things that we've seen from either our work with Duckbill or work with previous engagements or previous companies. So, it just felt fitting to rebrand just ever so slightly and focus more of our efforts on what are the things that we're seeing day-to-day? What are the major problems that our clients are seeing? What are some of the pain points we've seen? What are the new features from AWS that are really the interesting and important things to talk about?

Pete: Exactly. We have an interesting insight that I think a lot of folks in the industry don't get to see. We, for one, look at countless Amazon bills, seeing how people are spending their money. But we also are often reached out to directly to help engineering teams better answer questions that they're getting from finance. I mean, that's the biggest fear I have—

Jesse: Yeah.

Pete: —CFO comes walking over to my desk, and I haven't submitted an expense report recently like, what do they want?

Jesse: [laugh]. I didn't do it. It wasn't me.

Pete: Even worse is when some of your executives start learning some of these terms. And they say, “Hey, what's our cost per unit on Amazon Cloud?”

Jesse: Yeah, it is something that has morphed from just a conversation about engineering teams thinking about their architecture patterns and what might be best for them to getting the entire company involved—especially finance—to ask all these questions and really think about, what's the bottom line here? How can we better understand this cloud spend?

Pete: I know most people are probably thinking, “Doesn't tagging solve this problem. Can’t I just tag everything, and then I have all my answers, right?” Problem solved.

Jesse: I'm sorry, did you just tell me to go F myself there, Pete?

Pete: [laugh]. Obviously, we both know that even the best of companies, the most mature companies we work with, yeah, they might be about 90% plus fully tagged, but even those companies still have to put in a lot of effort to answer these questions and to understand where their spend is going. Because they say, that which gets measured gets improved. So, are you measuring your spend? Are you measuring your growth? Do you understand how your spend changes as usage changes, your customers change? I mean, there's countless questions. But there's another thing that we see, too, Jesse, right? This circle of pain, the—what is it—the cost management circle of pain.

Jesse: Yeah. Yeah. It's this really fascinating idea focusing on cloud cost optimization, where a company will realize that their cloud spend has gone up for whatever reasons, and they say, “Oh, no. We need to do something about this.” Whether that is because finance has come over and asked the question, or because engineering has caught the issue.

And so they go through this quick session, maybe a quarter, maybe a couple months or more of figuring out, “How can we cut costs? Can we remove resources? Can we put these practices into place? Can we build some processes? Okay, now, everything's fine, right? We've managed to bring our costs back down. We managed to get rid of all of those EBS snapshots that were collecting dust and never to be used, so now we can go about business as usual again, right?”

And so then they continue on as if nothing has happened. And without making long term changes, those costs are going to rise again. And then all of a sudden, we're back in the same spot of, “Oh, no, our cloud costs have gone up, why did they go up? We did all these things to make sure that we didn't have run into this issue again. Why are our cloud costs going up again?” And the cycle just repeats. It's a really unfortunate kind of spiral.

Pete: I remember my time at a startup where we were under a series of really high growth, a lot of customers coming on the platform. And my favorite meeting ever was the CEO talking about our financials. And he mentioned that our gross margin was negative 175%, which for the non-financial folks, means that for every dollar of income negative 175% is being spent for that. You normally want that number to be positive if you want to have a successful business. And remember, the line he said is, “We are going to successfully go out of business with a gross margin that is negative one hundred and seventy”—whatever I said.

This is an important number that people need to think about. And what's amazing is that within a year, we had turned that around to be an extremely high gross margin because we started looking, and tracking, and bringing cultural change, and giving ownership to people to own these numbers. So, it's not just an engineering problem anymore. Everyone thinks that the Amazon bill is because your engineers built a certain thing, or turned on a certain type of instance. And sure, part of that is absolutely true, but I always like to say that your Amazo...

Parler’s New Serverless Architecture

Corey Quinn — Wed, 13 Jan 2021 03:00:00 -0800

Special thanks to Alice Goldfuss for this week’s awesome title!

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Insurrection Week

Corey Quinn — Mon, 11 Jan 2021 03:00:00 -0800

AWS Morning Brief for the week of January 11, 2021 with Corey Quinn.

Kubernetes is the Most Expensive Way to Run a Service

Corey Quinn — Fri, 08 Jan 2021 03:00:00 -0800

Transcript
Corey: Software powers the world. LaunchDarkly is a feature management platform that empowers all teams to safely deliver and control software through feature flags. By separating code deployments from feature releases at scale, LaunchDarkly enables you to innovate faster, increase developer happiness, and drive DevOps transformation. To stay competitive, teams must adopt modern software engineering practices. LaunchDarkly enables teams to modernize faster, Intuit, GoPro, IBM, Atlassian, and thousands of other organizations rely on LaunchDarkly to pursue modern development and continuously deliver value. Visit us at launchdarkly.com to learn more.

Pete: Hello, and welcome to the AWS Morning Brief. I’m Pete Cheslock.

Jesse: I'm Jesse DeRose.

Pete: And we're back yet again. We're well into 2021. I mean, about a week or so, right?

Jesse: I'm excited. I'm just glad that when midnight struck. I didn't roll back over into January 1st of 2020.

Pete: Yeah, luckily, it's not a Y2K scenario. I don't think we have to deal with the whole date issues until, what, 2032 I think, whatever that the next big Y2K-ish date issue is going to be. I'm hopefully retired by the time that that happens.

Jesse: That's future us problem.

Pete: Yeah. Future us problem, absolutely. Well, we've made it. We've made it to 2021, which is a statement no one thought they were going to say last year at this point.

Jesse: [laugh].

Pete: But here we are. And today, we're talking about an interesting topic that may bring us some hate mail. I don't know. You tell me, folks that are listening. But we're seeing this more and more in our capacity as cloud economists working with clients here at The Duckbill Group, that folks who are running Kubernetes—whether it's EKS, or they're running it on EC2 using maybe, like, an OpenShift—are actually spending more than people who are using other primitives within AWS.

So, we wanted to chat a little bit about why we think that is, and some of the challenges that we're seeing out there. And we would love to hear from you on this one. If you are using Kubernetes in any of the ways that we're going to talk about, you can actually send us a story about how you're doing that and maybe answer some of these questions we have, or explain how you're using it. If you go to lastweekinaws.com/QA to ask us questions—not quality assurance—but go to QA for asking us questions. You can put in your information, you can add your name, it's optional if you want. You can be completely anonymous and just tell us how much you enjoy our wonderful tones and talking about technology. So, Kubernetes. Why is this the thing, Jessie?

Jesse: I feel like when it first came out, it was the hot thing. Like, everybody wanted Kubernetes, everybody wanted to be Kubernetes, there were classes on Kubernetes, there were books on—like, I feel like that's still happening. I think it has amazing potential in a lot of ways, but I also feel like… in the same way that you might read the Google SRE book and then immediately turn to your startup team of three people and say, “We're going to do everything the way that Google does it,” this isn't always the right option.

Pete: Feel like the Google SRE book is, like, The Mythical Man Month, which is, the book that everyone wants to quote, the name of the book, but none of those people have ever actually read the book.

Jesse: Yeah, there's lots of really great ideas, but just because they're great ideas that worked well for a large company at scale doesn't necessarily mean that they're going to be the same right ideas for your company.

Pete: And also, we're both fairly grizzled former system administrators and operators; Kubernetes is not the first, kind of, swing of the bat at this problem. I mean, we've had Mesos which, it's still around but not as hip and cool; we've had OpenStack. Does—remember when all the Kubernetes people were all like, “Nope, OpenStack is going to be the greatest thing ever.” So, needless to say, we are a little jaded on the topic.

Jesse: You can't forget about Nomad, either, from HashiCorp built cleanly into HashiCorp’s Hashi stack with all of their other amazing development and deployment tools.

Pete: Yeah. I mean, this is a problem that people want to solve. But in the rise of Cloud, on Amazon I always struggled with why it was needed. And we're going to talk a little bit about that.

So, again, what is Kubernetes? I hope people are listening that would know this, but maybe not. It's an abstraction layer for scheduling workloads. It's the solution to the Docker problem. Like, a container is great. I have a container, it is a totally self-contained application, ready to go, my configuration, my dependencies. And now I need a place to run it. Well, where do I run this container? Well, pre-Kubernetes, Jessie, you'd probably use something like ECS—the Elastic Container Service—might be a way that you could schedule some workloads.

Jesse: Or maybe if you just wanted to run a single virtual machine somewhere and run that container in the virtual machine, you might do that as well.

Pete: Yeah, that was how a lot of the earliest users of Docker were just running Docker: they were just running the containers as applications—because that's what they are—on their bare EC2. They would just run some EC2 and run a Docker container on there. And there were benefits to that. You got this isolated package deployed out there not having to worry about dependencies. You have to worry about having the right Python dependencies or Ruby dependencies.

It came with everything it needed, and that was a big solution. Now Kubernetes, I think, brings this really interesting concept that I like. It's this API that theoretically you could use in a lot of different places. If you now have this API to deploy your application anywhere there's a Kubernetes cluster, does this solve vendor-lock-in? Could you use Kubernetes to solve some of these issues that we see?

Jesse: You could use Kubernetes to solve vendor-lock-in in the same way that you could use multi-cloud to solve vendor lock-in. Again, it is a solution to the problem, but is it the right solution for your company?

Pete: That is always the question I feel like I would ask folks when they were using Kubernetes is, I would always ask why they were using it. I honestly will say I never got—I don’t want to say wouldn't say never; that's not fair. I rarely would get a good answer. It was often like a little bit of operational FOMO—you know, the fear of missing out on the next hottest thing, which of course, that's never a good way to pick your architecture stack. Now, that being said, at a previous company, we were investigating Kubernetes to solve a problem with our stateless applications—because I in no way trusted it to run anything stateful.

None of my databases I wanted on it. But it is a great way to put more control into my developers’ hands-on deploying their applications. We ran predominantly C class instances on EC2. And th...

Terrible Ideas for Avoiding AWS Data Transfer Costs

Corey Quinn — Wed, 06 Jan 2021 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon Lookout for 2020

Corey Quinn — Mon, 04 Jan 2021 03:00:00 -0800

AWS Morning Brief for the week of January 4, 2021 with Corey Quinn.

AWS Wishlist and Chrismahanukwanzakah Part 2

Corey Quinn — Fri, 01 Jan 2021 03:00:00 -0800

Links

Transcript
Corey: When you think about feature flags (and you should), you should also be thinking of LaunchDarkly. LaunchDarkly is a feature management platform that lets all your teams safely deliver and control software through feature flags by separating code deployments from feature releases at massive scale (and small-scale too), LaunchDarkly enables you to innovate faster, increase developer, happiness (which is more important than you think), and drive transformation throughout your organization.

LaunchDarkly enables teams to modernize faster. Awesome companies have used them, large, small, and everything in between. Take a look at launchdarkly.com to learn more and tell them that I sent you. My thanks again for their sponsorship of this episode.

Pete: Hello and welcome to the AWS Morning Brief. I am Pete Cheslock.

Jesse: I'm Jesse DeRose.

Pete: We are welcomed yet again with Amy Negrette.

Amy: Hello.

Pete: We are here. We made it. It is actually 2021.

Jesse: I can tell you flying cars: definitely a thing. World peace: we're close, we're so close.

Pete: We're so close. Well, guess what? We made it, we survived 2020. And with it, we brought with us part two of the #awswishlist. So, this is where we went through—especially as leading up to re:Invent and getting through re:Invent—we went through and looked at the Twitter hashtag of #awswishlist so that we could pick out some of our favorite things, some #awswishlist items that we think are important to us, or just interesting in their own right. We'll include the link to these tweets in the [00:01:57 show notes].

So definitely go check that out, and you can check out the conversation, or maybe follow some of that to see when things actually come around. But yeah, we'll just walk through some of the things we found that were pretty interesting and chat about why we hope Amazon includes them into a future release. So, one thing that I saw which I thought was pretty interesting because I run into this problem also, is a way of downloading data from various third party locations directly into S3, Dynamo, or some sort of data store location. Essentially, it'd be awesome to just completely get rid of having services around, or Fargates, or Lambdas set up for downloading data from places that—how cool would it be? And this is, again, not an enterprise-y type feature, but just, like, a personal thing of how cool would it be to be, like, I want to take this ISO from a place and just put a URL in S3 and say, “Put that thing in this thing,” and call it a day. So, again, a personal complaint of mine plus, also, someone else tweeted it, so there's two people out there that want this—at least—so therefore Amazon, you got to build it for me.

Amy: Those are the rules.

Pete: Those are the rules. Right. Right, Amy, those are the rules.

Jesse: And I feel like, let's be honest, that ISO that you want to download anyway is probably living in S3 somewhere else anyhow. So, it's just moving bucket to bucket.

Pete: Someone has that, you know, Slackware ISO that I've been looking for, from, you know, 2001. It's in someone else's bucket; just let me have it myself. Exactly. Amy, what did you find in your discovery of the #awswishlist hashtag?

Amy: This is a thing that I think really should be on any of these on-demand pay-as-you-go services because AWS really targets those [00:03:48 unintelligible] markets for a lot of their serverless deployments. And this actually came from one of my friends who had this problem on Twitter, where you need to be able to set a maximum on on-demand spend, let's say in his case, Dynamo. So, you don't hypothetically build in a loop and spend a whole bunch of money.

Pete: Yeah.

Amy: And really, it should be in anything that does that. If it's not telling you something where I'm only wanting to run this much because it's on-demand, then you should be able to control that spend somehow.

Pete: And with the—what is it—millisecond billion on Lambda, you can get really granular bills for your poorly architected Lambda functions.

Jesse: I feel like computers are the best because they'll do exactly what you want them to do, except for when they do what you tell them to do and not what you actually want them to do, and that drives me absolutely insane. So, I'm with you. I think that this is a great opportunity.

Amy: That problem will be solved when the robots take over.

Pete: [laugh]. One of my favorite discoveries of doing our kind of Duckbill cost optimizations where we dive into people's spend and help them architect things new was finding a Lambda function that was taking longer and longer to execute—meaning, costing more money—by putting more and more data into a poorly configured Dynamo table that was also causing it to take longer and longer. And so not only did you have a Dynamo table that was poorly configured, taking this data and taking longer to do it, you were just getting a hit on both sides. It happens.

Jesse: That hurts my soul.

Pete: So, what’d you find, Jesse? What was some of the good wishlist items that you're hoping for in 2021?

Jesse: So, I come from a background of a lot of infrastructure as code I've worked a lot with Terraform, I know enough about Chef to be dangerous to your production environment. One thing that I saw a couple people tweet about that I would love to see is mock AWS API endpoints for, effectively, unit tests for a lot of infrastructure as code. Because if you think about when you're building infrastructure as code, the only way that you can really test it is by running it, by actually seeing, “Can I actually create the resources that I think I'm creating with this infrastructure as code content?” So, I would love to see maybe a feature flag for AWS services through the API where you can say, “Hey, don't actually create this RDS database or this EC2 instance, but just return the results as if I did create it. Maybe leave the Instance ID blank or something like that.” And then you, in writing your unit tests, can confirm all the details that you would expect to see in that response.

Pete: I feel like there was a—Atlassian, maybe, had a project that was something like this, some sort of a way of unit testing these things. Again, it was something on GitHub, so even if it was associated with a large publicly traded enterprise, I'm sure it's fallen into disrepair at this stage.

Jesse: [laugh]. I will say I found an open-source tool looking into this one, called LocalStack that allows you to basically spin up an instance on your local machine that acts as the AWS API endpoint so that it actually creates this mock endpoint for you locally on your machine. But effectively, I'd love to see th...

Counting Twitter Followers over Time, the Corey Quinn Way

Corey Quinn — Wed, 30 Dec 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon Chat Slapfight

Corey Quinn — Mon, 28 Dec 2020 03:00:00 -0800

AWS Morning Brief for the week of December 28, 2020 with Corey Quinn.

AWS Wishlist and Chrismahanukwanzakah Part 1

Corey Quinn — Fri, 25 Dec 2020 03:00:00 -0800

Links

Transcript
Corey: This episode is sponsored in part by our friends at Linode. You might be familiar with Linode; they’ve been around for almost 20 years. They offer Cloud in a way that makes sense rather than a way that is actively ridiculous by trying to throw everything at a wall and see what sticks. Their pricing winds up being a lot more transparent—not to mention lower—their performance kicks the crap out of most other things in this space, and—my personal favorite—whenever you call them for support, you’ll get a human who’s empowered to fix whatever it is that’s giving you trouble. Visit linode.com/screaminginthecloud to learn more, and get $100 in credit to kick the tires. That’s linode.com/screaminginthecloud.

Pete: Hello and welcome to AWS Morning Brief. I am Pete Cheslock. I'm joined yet again with Jesse DeRose. We are also excited to re-invite recurring guest for number two, Amy Negrette. Say hello, Amy.

Amy: Hello.

Pete: So, we are here. This is Christmas. Or should I say Christmahanukwanza.

Jesse: So, close. That works.

Pete: So, close. But it's the Christmahanukwanza episode—Hanu—hanukwanza—

Jesse: Christmashanukwanzika.

Pete: And if you thought Hanukkah was spelled a bunch of different ways, Christmahanukwanza is spelled a lot of different ways. And we are here to talk about the #amazonwishlist, which is honestly one of my favorite hashtags to follow on Twitter—#awswishlist. It is pretty popular, it's heavily used.

Jesse: It was actually so heavily used that they made a specific @awswishlist account, basically, specifically to follow a lot of these hashtags, and to re-highlight a lot of these hashtags, especially when some of the wishes are actually fulfilled.

Pete: Yeah, I think it's a great thing, and if I was an Amazon product manager, I would love this too because just talk about making my job a lot easier, I guess.

Jesse: One thing that I do want to call out, I was looking through a number of the tweets going around for the hashtag#awswishlist, and I noticed that there was some of the responses from AWS folks, which one I'd love to say thank you, AWS for actually taking this seriously and actually responding to folks in conversation on Twitter for these wishlist items. There was one that I found where the person directed the original poster to an AWS support page, which was basically AWS’s, like, ‘Contact Us’ page. And the Contact Us page basically said, “Hey, if you have some questions, here's what you should do. I have some questions that could help improve an AWS product or service, how can I send feedback to AWS?” And all the answers were, “Click the feedback button on the page that you're on, either in the AWS console or the AWS documentation, or contact AWS support directly.” So, close—

Pete: Did you just tell me to go F myself there, Jesse? [laugh].

Jesse: [laugh]. I didn't maybe say it in so many words, but I think I did.

Amy: I absolutely love it when a support page says, “Maybe you should just do it yourself.” And I'm like, “Well if I did, I probably wouldn't have been here in the first place.”

Pete: Exactly. So, what we decided to do, what we thought would be kind of fun, is to troll through the Twitter #awswishlist hashtag and take a look at what people were saying, especially because it's a lot busier around the pre to current re:Invent time. And so independently each of us put together a list of things that—I mean, at least I could speak for myself—I thought were interesting, or things that I thought would be cool to have. And yeah, we're just going to talk about them and see from there. So, we'll include a link to each of these tweets in the [00:04:18 show notes] so you can check them out, and also so you can see the conversation on them.

What was also cool, I just want to call out is that some of these that we saw on there, at least that I saw have been resolved by re:Invent time. One was AWS CloudShell that was announced recently at re:Invent, someone was saying I want is this AWS CloudShell thing because other vendors have this: Azure has this, Google has this. So, here's a scenario where Amazon was catching up. So, I thought that was pretty cool to see. So, I'm going to kick it off because, whatever, I'm here, and I got my list in front of me.

So, this is actually related to the CloudShell one, which I thought was interesting. So, there was some conversation online about CloudShell, and this is maybe potentially allowing people to remove the need of having a bastion host, which, how cool is that you don't have to run those anymore?

Jesse: Oh, yeah.

Pete: And so there was a question around, “Well, does my identity get a home directory?” Which sounds like the answer was “Yes.” But the question mark there had to do when using AWS SSO because it has to do with the IAM principle, it's what comes back from the sts get-caller-identity. So, if you are using one of the different Federation technologies, your actual identity could be different for each one. And so that's a wishlist item that I could definitely be on board with because if you're dealing with IAM roles or Federation, and your home directory is never the same, that can be kind of annoying.

Jesse: I cannot tell you how many times I have downloaded a file or put a file somewhere on a bastion host, gone away to a different project, come back to it, or SSH’ed into the same bastion host and wondered why it wasn't there anymore, only to realize that I was on a different bastion host in a different environment, or that the data had been purged every so often for security or cleaning purposes. I would absolutely love clean roles and just really, really well defined boundaries on this. Coming from somebody who uses different AWS accounts on a regular basis for the different clients that we work with, I would just love to see this really kind of clean structure of AWS, IAM usage, and user management and security.

Pete: And, Jesse, we saw similar issues, I believe, when we were playing around with QuickSight, and Federation, and IAM so—

Jesse: Oh, yes.

Pete: Hopefully that gets a little bit fixed up. But anyway, I thought that was a pretty interesting one. Amy, what did you find in your discovery of the Amazon wishlist hashtag?

Amy: I did find one for X-Ray support in API Gateway HTTP API. Again, one of the worst, longest names of any service, and EventBridge, which surprisingly, one that this hasn't happened yet, but two, [00:07:12 unintelligible] for me is kind of a double-edged sword where it's one of those services that everyone needs, but als...

EBS Volumes

Corey Quinn — Wed, 23 Dec 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Some Cloud Shells Take Years to Form

Corey Quinn — Mon, 21 Dec 2020 03:00:00 -0800

AWS Morning Brief for the week of December 21, 2020 with Corey Quinn.

Ask a Cloud Economist: Cost Attribution in AWS

Corey Quinn — Fri, 18 Dec 2020 03:00:00 -0800

Links

Follow Pete + Jesse on Twitter

Pete: Hello, and welcome to AWS Morning Brief. I am Pete Cheslock.

Jesse: And I'm Jesse DeRose.

Pete: We're back again, and we're here to answer an audience question. So, every once in a while people tweet at us—you can tweet me @petecheslock. Jesse, what is your Twitter handle?

Jesse: @Jessie_DeRose.

Pete: Yeah, mine is just petecheslock. I do feel bad for the other Pete Cheslock, who actually does live in Boston as well because taking all of his profile names.

Jesse: You should change yours to @therealpetecheslock, or he should change his to @therealpetecheslock, and then it'll just be an ongoing escalating battle.

Pete: That's very true. So, occasionally on the Twitters, we get questions asked of whatever around Amazon cost management, things like that. And we wanted to actually take this opportunity to answer one of the more interesting questions that we received. Because granted, sometimes we get questions and they're pretty boring, so we don't answer them. We just focus on the fun ones, [laugh]—

Jesse: [laugh].

Pete: —selfishly, but we got this question that was really interesting. It had to do with someone who is essentially starting over within Amazon Web Services, meaning they were going to be redeploying their application into a series of new AWS accounts. And they asked us, “What are the most recent best practices—” I hate that term, but the important things you should do and consider when you're deploying into Amazon, into AWS. And we kind of sat back, we thought to ourselves, “Wow, how often does someone have that opportunity?” Right, Jesse?

Jesse: Yeah. Not in any of my experience has that happened for me. I'm very, very envious of these people.

Pete: Yeah, I had that opportunity one time, where we were essentially doing that, like, net-new, starting over. But this was years ago, where there wasn't a lot of insight into this, and we didn't have the features like we have today where Amazon organizations—AWS Organizations—allows such an easy way to create accounts and get started with multiple accounts. So, anyway, we want to take this opportunity to talk about what we believe and what we see as the things that you should focus on, what you should optimize for when getting started, when creating, kind of, net-new in AWS.

Jesse: Yeah, there's a lot of different things that you can optimize for in AWS, and it really depends on what your business goals are; what do you ultimately want to accomplish when you are deploying your application into the cloud? But one of the big ones that we see, selfishly, here at Duckbill Group is cost optimization. And so we wanted to talk a little bit more about cost allocation and cost attribution—which are essentially the same thing, we may use the terms interchangeably in this conversation—to talk about how you can think about cost attribution, why you should think about cost attribution and some of the best ways to go about implementing that in AWS as you're building these new accounts, this new space.

Pete: Yeah, and that being said, I really like people to really think when they create these things. Again, what are you optimizing for? Some people might say, “Oh, well, we want to optimize for security.” And that's great. You absolutely should do that.

Jesse: Sure.

Pete: Security is a first principle, something to absolutely focus on. But what if I told you that the other, probably, most important thing in AWS is—and something if you're not doing it today, you're going to be asked to do it in the future—is accurate cost attribution. And what if you could do both highly secure accounts, and segment based on security, but also get this cost attribution? That is, I think, what we're going to dive into today.

Jesse: Yeah, I think that there's a lot of big conversations around engineers, and multiple other teams when you start talking about the DevOps movements, the DevSecOps movements, all these movements of the software engineers who are actually writing the code and the engineers or the operations folks who are—maybe—managing the infrastructure, maybe deploying the code, maybe the software engineers are deploying the code, it really depends on your team setup. But there's this, kind of, idea that the engineering teams that are working with this code, and then there's all these other teams in the company that have other things that are their top priority, and starting to bridge that gap to have conversations with finance to better understand what do they need to know from you about how you're spending money in AWS, and security who wants to better understand are we patched for the upcoming audit? Are we compliant based on these terms? It's really important to start thinking about how you optimize in AWS based on those ideas, those conversations with other teams. So, that's kind of ultimately what I'm thinking about, specifically, today, specifically about the conversation between finance and engineering and talking about cost attribution.

Pete: But Jesse, aren't tags supposed to solve all of my problems when it comes to cost allocation?

Jesse: [laugh]. Oh, I wish. They are supposed to. There's that whole idea of ‘set it and forget it,’ there's a big movement of ‘tag it and forget it,’ and as much as I want to believe in that, it’s unfortunately just not true. Like, tagging is definitely a first step, but it goes so much further than tagging and I think that's one of the big things that a lot of folks miss or don't think about when they're talking about tagging and cost attribution.

Pete: If you loved it, you would have put a tag on it.

Jesse: [laugh].

Pete: But really, while tagging is an important thing to do, and we've seen some of our clients, their tagging percentages can be upwards of 90 percent, which is herculean in ability and effort to reach that level of coverage, but even then, getting that last 5 to 10 percent in many cases could be actually impossible to do because there can be a series of spend within Amazon which is just untaggable, or at least untaggable in a realistic way. And that's where multiple accounts can really help your busine...

Is ECS Deprecated?

Corey Quinn — Wed, 16 Dec 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

SageMaker SageFactory

Corey Quinn — Mon, 14 Dec 2020 03:00:00 -0800

AWS Morning Brief for the week of December 14, 2020 with Corey Quinn.

The Kinesis Outage

Corey Quinn — Fri, 11 Dec 2020 03:00:00 -0800

Links

Follow Last Week In AWS on Twitter
AWS Outage Message
"Kinesis Outage" by Ryan Frantz

Pete: Hello, everyone. Welcome to the AWS Morning Brief. It's Pete Cheslock again—

Jesse: And Jesse DeRose.

Pete: We are back to talk about ‘The Kinesis Outage.’

Jesse: [singing] bom bom bum.

Pete: So, at this point, as you're listening to this, it's been a couple of weeks since the Kinesis outage has happened, and I'm sure there are many, many armchair sysadmins out there speculating at all the reasons why Amazon should not have had this outage. And guess what? You have two more system administrators here to armchair quarterback this as well.

Jesse: We are happy to discuss what happened, why it happened. I will try to put on my best announcer voice, but I think I normally fall more into the golf announcer voice than the football announcer voice, so I'm not really sure if that's going to play as well into our story here.

Pete: It's going, it's going, it's gone.

Jesse: It’s—and it's just down. It's down—

Pete: It's just—

Jesse: —and it's gone.

Pete: No, but seriously, we're not critiquing it. That is not the purpose of this talk today. We're not critiquing the outage because you should never critique other people's outages; never throw shade at another person's outage. That's not only crazy to do because you have no context into their world. It's just, it's not nice either, so just try to be nice out there.

Jesse: Yeah, nobody wants to get critiqued when their company has an outage and when they're under pressure to fix something. So, we're not here to do that. We don't want to point any fingers. We're not blaming anyone. We just want to talk about what happened because honestly, it's a fascinating, complex conversation.

Pete: It is so fascinating and honestly, loved the detail, a far cry from the early years of Amazon outages that were just, “We had a small percentage of instances have some issues.” This was very detailed. This gave out a lot of information. And the other thing too is that, when it comes to critiquing outages, you have to imagine that there are unlikely to be more than a handful of people even inside Amazon Web Services that fully understand the scope of the size and the interactions of all these different services. There may not even be a single person who truly understands how these dozens of services interact with each other.

I mean, it takes teams and teams of people working together to build these things and to have these understandings. So, that being said, let's dive in. So, the Wednesday before Thanksgiving, Kinesis decided to take off early. You know, long weekend coming up, right? But really, what happened was is that there was an addition of capacity to Kinesis, and it caused it to hit an operating system limit causing an outage.

But interestingly enough—and what we'll talk about today—are the interesting and downstream effects that occurred via CloudWatch, Cognito, even the status page, and the Personal Health Dashboard. I mean, that's a really interesting contributing factor or a correlating outage. I don't know the words here, but it's interesting to hear that both CloudWatch goes down and the Personal Health Dashboard goes down.

Jesse: That's when somebody from the product side says, “Oh, that's a feature, definitely not a bug.”

Pete: But the outage to CloudWatch then even affected some of the downstream services to CloudWatch—such as Lambda—which also included auto-scaling events. It even included EventBridge, which was impacted, and that even caused some ECS and EKS delays with provisioning new clusters and scaling of existing clusters.

Jesse: So, right out of the bat, I just want to say huge kudos to AWS for dogfooding all of their services within AWS itself: not just providing the services to its customers, but actually using Kinesis internally for other things like CloudWatch and Cognito. They called that out in the write-up and said, “Kinesis is leveraged for CloudWatch, and Cognito, and for other things, for various different use cases.” That's fantastic. That's definitely what you want from your service provider.

Pete: Yeah, I mean, it's a little amazing to hear, and also a little terrifying, that all of these services are built based on all of these other services. So, again, the complexity of the dependencies is pretty dramatic. But at the end of the day, it's still software underneath it; it's still humans. And I don't want to say that I am happy that Amazon had this outage at all, but watching a company of this stature, of this operational expertise, have an outage, it's kind of like watching the Masters when Tiger Woods duffs one into the water or something like that. It's just—it's a good reminder that—listen, we're all human, we're all working under largely the same constraints, and this stuff happens to everyone; no one is immune.

Jesse: And I think it's also a really great opportunity—after the write-up is released—to see how the Masters go about doing what they do. Because everybody at some point is going to have to troubleshoot some kind of technology problem, and we get to see firsthand from this, how they go about troubleshooting these technology problems.

Pete: Exactly. So, of course, one of the first things that I saw everywhere is everyone is, on mass, moving off of Amazon, right? They had an outage, so we're just going to turn off all our servers and just move over to GCP, or Azure, right?

Jesse: Because GCP is a hundred percent uptime. Azure is a hundred percent uptime. They're never going to have any kind of outages like this. Google would never do something to maybe turn off a service, or sunset something.

Pete: Yeah, exactly. So, with the whole talk about hybrid-cloud and multi-cloud strategies, you got to know that there's a whole slew of people out there, probably some executive at some business, who says, “Well, we need to engineer for this type of durability, this type of thing to happen again,” but could you even imagine the complexity...

The Google Disease Afflicting AWS

Corey Quinn — Wed, 09 Dec 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Hit by the Conference Trainium

Corey Quinn — Mon, 07 Dec 2020 03:00:00 -0800

AWS Morning Brief for the week of December 7, 2020 with Corey Quinn.

AWS S3 Storage Lens: The Best Service Not Announced at AWS Storage Day

Corey Quinn — Fri, 04 Dec 2020 03:00:00 -0800

Links

Follow Last Week In AWS on Twitter

Transcript
Corey: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial.

Pete: Hello, welcome to AWS Morning Brief. I am Pete Cheslock, and I am here yet again with Jesse DeRose.

Jesse: Hello.

Pete: We here to talk about the best service announced not during AWS Storage Day 2020.

Jesse: So, close.

Pete: So, close, though. It was announced a few days after, and that is the AWS S3 Storage Lens service, which I think I've got that naming right. I know sometimes it's ‘AWS thing,’ sometimes it's ‘Amazon thing,’ and to be honest, I never know which is which.

Jesse: Yeah.

Pete: AWS S3 Storage Lens is honestly one of the best new services that I've seen out, released thus far. I guess we're still pre-re:Invent announcements in a lot of this stuff. But what it is is a—from their site it says, “S3 Storage Lens delivers organization-wide visibility into object storage usage, activity trends,” blah, blah, blah, blah, blah, marketing speak. Basically, it allows you to get a view of your S3 usage across accounts. Which, that's mindblowing, right?

Jesse: Yeah. This feature has so much potential; I'm really excited to see where they go with it.

Pete: Yeah. And so when I first saw this blog post on Amazon’s site talking about it, my mind just started going crazy because again, we work in Duckbill Group as cloud economists with a lot of different clients, and because Amazon organizations may be the reason why, made it very easy to spin up new accounts, maybe also the adage, the design principle of creating many Amazon accounts to kind of segment workloads or to provide you to—segment your workloads in a way for cost reasoning or security reasons. But all of those things—somewhat related, somewhat not—have caused a lot of our clients to have lots of Amazon accounts. I mean, you could see hundreds, in some cases, of Amazon accounts.

And the issue that I've always kind of had, and especially an issue we deal with in helping our clients analyze their costs and optimize their costs is how do you aggregate S3 usage? Because S3 is normally in the top five of services that we see in usage, how do you pull that together? And I guess we do that a lot of different ways. Jesse, maybe you can chat a little bit about what are some of the ways that we try to analyze this spend currently?

Jesse: Yeah. Pete, I think I'm really excited about this feature because AWS already offers aggregate looks at metrics for other top services by spend. Like, for EC2, you've got Compute Optimizer. We don't have anything for RDS yet, but I feel like that might be not far off, given Compute Optimizer’s existence. And we already have other tools that allow you to look across multiple accounts to look at metrics, especially if you're looking at Cost Explorer, for example, you can see metrics across multiple accounts, you can see spend across multiple accounts.

So, I feel like this makes sense. I'm really excited to see that you can look at all of your S3 storage metrics in one place because right now, the only way that we're able to get any kind of representation of S3 usage is through Cost Explorer. And there are ways that you can go about filtering and slicing that data to get usage information and certain metrics, slicing and dicing on different filters for accounts and cost allocation tags, but it's all at the bucket level, or at the usage level, and if you really want to dig in deeper, you don't have a lot of options.

Pete: Yeah, it's a service that they're operating on your behalf. So, your only insight is what they give you insight into. Maybe some of that is CloudWatch metrics, there's obviously the S3 storage analytics that can give you some idea in your storage—based on access—that can help you kind of optimize, but nothing really again at the—ability to see it across multiple accounts is I think, really the big game-changer too.

Jesse: And I think what's really amazing here is that the majority of metrics that they're offering are free. And we'll get into that in a minute, but I'm really impressed that so many of these metrics are shared free of charge. You just have to turn it on. And then you have access to all of this great information that you can work with.

Pete: Yeah. I think that's a great point that we haven't mentioned yet, that this is—the basic form of this is free. And the metrics that you can get are pretty useful in the free tier. Also, this is actually something that is turned on in your account right now. If you have an Amazon account, go into S3, it's actually under S3, it'll be on the left-hand column—at least it should be unless they go move stuff around—but you'll see a drop-down for Storage Lens, and you'll see an option for dashboards.

And when you go into the dashboards, there will be a default dashboard already pre-configured with the free metrics enabled for your account. Now, that could be super helpful if, let's say, you just have one account, you can get some real good high-level metrics around your storage based on bucket. You can go into that dashboard and really quickly see total storage across all your buckets. You can see trend analysis with, day-by-day, week-by-week change comparison, how are things growing. There was one thing that I saw that I was really blown away by because this is something we deal with a lot is they have broken the metrics out in kind of a high-level summary, focusing on data protection, like being able to see data percentage replicated or encrypted, but also based on cost efficiency, too, being able to see if you have versioning enabled, obviously, there's a cost for that.

How many old versions of this thing do you have, but also incomplete multipart uploads? That is potentially a large and in many ways, super hidden cost for some users of Amazon S3. If you are uploading a multipart file, and it fails, it lives in this purgatory, storage purgatory, where you're charged for it, but you may not see it in an obvious way.

Jesse: And we see that with a lot of our clients who have multipart uploads and end up with these incomplete multipart uploads that just take up space. There's no clear metrics right now, prior to Storage Lens, that say, here's all of this stale multi-part upload usage that you're paying for, that's effectively just taking up wasted space. But now we have metrics for that; now we have information that can clearly tell us where they are, how much space they're taking, and you can actually do something about it.

Pete: Right. Yeah, it gives you this intelligence that you can act upon. To talk about those metrics, since we're kind of on that stage, when ...

The Most Under-Appreciated AWS Service

Corey Quinn — Wed, 02 Dec 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Punched in the Faith

Corey Quinn — Mon, 30 Nov 2020 03:00:00 -0800

AWS Morning Brief for the week of November 30, 2020 with Corey Quinn.

AWS Services for Thanksgiving Dinner

Corey Quinn — Fri, 27 Nov 2020 03:00:00 -0800

Links

Follow Last Week In AWS on Twitter

Pete: Hello, and welcome to AWS Morning Brief. I am Pete Cheslock, and I am here yet again with Jesse DeRose. Jesse, welcome back.

Jesse: Thanks for having me, Pete.

Pete: But it's not just the two of us. We have a very special guest: we are also joined with one of the newest hires to The Duckbill Group, Amy Negrette. Amy, hello.

Amy: Hello. And one might say the most special of guests; that person would be me.

Pete: The most special of guests.

Jesse: [laugh].

Pete: Well, we are pleased to have you. So, in honor of Thanksgiving—American Thanksgiving, for anyone outside of the United States, or who doesn't celebrate. But this is the American Thanksgiving holiday week. We wanted to take a little different approach to this week's episode. And Amy, you were the one who kind of came up with this idea, and so that's why we forced you to join us because—

Jesse: One of us. One of us.

Pete: [laugh]. Because you had such a good idea, and we wanted to make sure that we just pulled this together and really did a Thanksgiving theme to this podcast. So, I don't know about either of you, but my family has some very clear requirements about what dishes do and do not constitute Thanksgiving. And you can always expect the turkey and the stuffing. It's just not Thanksgiving without those core components.

Jesse: But then your cousin's boyfriend shows up with the candied vegetables that nobody asked to be candied. And, you know, you put a little bit on your plate because you want to be nice. You don't want to start World War III in the middle of Thanksgiving dinner. And you say, “Oh, yeah, this is good.” But then you're definitely giving those food scraps to the dog under the table and you don't go back for seconds.

Pete: I mean, a metric ton of sugar is probably the only way to make turnips taste good.

Jesse: Yeah.

Pete: So, with that in mind, we wanted to talk about what AWS services are those core services that you expect the customers kind of using to leverage the cloud, what services would kind of represent a Thanksgiving meal? Which ones constitute the turkey, or the stuffing, or the green bean casserole which, while preparing this, there seem to be some conflicting thoughts about the quality of a green bean casserole.

Jesse: There are some hot takes. Some hot, hot, hot takes in this discussion, putting this list together.

Pete: So, I'll kick us off with an easy, softball one because why not? But it's EC2, right? This is the turkey. It's the main course. And it's also what you'll be eating three to five times a day for every day for the next week or two because you're going to have a lot extra. It's just going to be around for a long time.

Jesse: Yeah, I feel like EC2 is one that you're going to get in some capacity, anywhere. Whether it is straight-up EC2 instances, whether it is Fargate, ECS, you're going to be using this compute resource in some capacity if you're using AWS. I don't think I know of any AWS customer that is not using some level of compute with EC2. Except for the few people who have managed to move entirely serverless to Lambda, which I am thoroughly impressed if you've been able to do that.

Pete: So, that is actually a great one which is Amy you do a lot with the serverless community. What do you think Lambda would be as a Thanksgiving side dish?

Amy: It is the canned cranberry sauce because everyone who I hear talk about it they seem to hate it, but I love it. I love not having to work for anything. It tastes the same and the sauce itself tastes like jelly and Lambda packages everything in a way where I don't have to deal with it, and to me that makes everything else super easy.

Pete: I think it's the slow oozing out of the can it does that really kind of makes me not want to like it, and those just too perfect ridges from the form of it. But I don't know what it is about it; when you just slice through that and put it on your plate, so delicious. And don't at me with your fancy homemade cranberry sauce, whatever. None of that can hold a candle.

So, I actually think Lambda is the special smoked turkey. Because it's a new trend. Lambda being in the new trend, serverless is a new trend. And of course, everyone who is doing a smoked turkey or has a smoker just can't stop talking about it, much like serverless. They just can't stop talking about it.

Jesse: Yeah. I mean, I think that ever since you bought your smoker, you have not stopped telling us all about the meats that you're smoking on a recurring basis.

Pete: I mean, I got a 16-pound turkey for $14, and I got turkey for days.

Jesse: What I love is that not only do you have a smoker and you talk about it, but you have a monitoring system that you set up so that you can monitor the temperature of the smoker at any given time.

Pete: I'm a bit of a Luddite at home. I don't like IoT powered anything because I think they're all generally terrible, but for some reason, yeah, my smoker has a little whatever, cellular—powered, connects to my wifi, but I can get to it from the app on my cell phone, can check the temperature of the turkey, out of the store running errands. “Oh, got to get home soon, my turkey’s almost done.”

Jesse: Okay, I’ve got another easy one for us. S3 is your mashed potatoes. It's good, it's on everyone's plate, there appears to always be an infinite amount of it. Everybody's going to want some. And most importantly, if you leave a bucket of it open overnight, you're going to regret it.

Pete: Yeah, that's going to turn to glue pretty fast, not Amazon Glue, which actually if we are going to talk about Amazon Glue and Lake Formation, and that weird amalgamation of Amazon services, we actually have one for that. This is something called the piecaken, which I had never heard about until I saw an Instagram ad because that's a thing. But a piecaken is a pecan pie—pecan or pecan? Let's not, do that.

Jesse: Oh, God, don't start.

Pete: Okay. Pumpkin pie, spice cake, and an apple pie filling. It's like three pies stacked into a cake. And that's what I think of when I think about the whole Lake Formation/Glue setup when you're trying to query or analyze your data lake.

Jesse: Yeah, my arteries just clogged ...

Secrets of AWS Contract Negotiation

Corey Quinn — Wed, 25 Nov 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

GitHub's Basement

Corey Quinn — Mon, 23 Nov 2020 03:00:00 -0800

AWS Morning Brief for the week of November 23, 2020 with Corey Quinn.

AWS Storage Day 2020 Part 2

Corey Quinn — Fri, 20 Nov 2020 03:00:00 -0800

Links

Follow Last Week In AWS on Twitter

Transcript
Corey: Gravitational is now Teleport because when way more people have heard of your product than your company, maybe that’s a sign it’s a time to change your branding. Teleport enables engineers to quickly access any computing resource, anywhere on the planet. You know, like VPNs were supposed to do before we all started working from home, and the VPNs melted like glaciers. Teleport provides a unified access plane for developers and security professionals seeking to simplify secure access to servers, applications, and data across all of your environments without the bottleneck and management overhead of traditional VPNs. This feels to me like it’s a lot like the early days of HashiCorp’s Terraform. My gut tells me this is the sort of thing that’s going to transform how people access their cloud services and environments. To learn more, visit goteleport.com.

Pete: Hello, and welcome to AWS Morning Brief. I am Pete Cheslock, and I'm also here, again, with Jesse DeRose. Hey, Jesse, how's it going?

Jesse: Not too bad. Thanks for having me.

Pete: It is part two of AWS Storage Day. If you haven't had the chance to listen to last week's episode, Jesse and I dove into some of the new features really focusing on what we would think is the biggest feature of AWS Storage Day, which was the S3 Intelligent Tiering. Go back and listen to it if you didn't hear about it. But essentially, Amazon keeps extending out features [00:01:34 unintelligible] this Intelligent Tiering platform. And we talked a little bit about it last week.

But there were a lot of announcements as part of Storage Day, some pretty impressive, and some that were maybe a little underwhelming. We'll let you be the judge of that because some of these things could be incredibly important for you as—maybe—someone who operates on Amazon. So, now what we're going to do is we're going to dive into some of the other features, not only additional interesting S3 features, but there were a lot of new features announced around EBS, and EFS, and FSx, and all of the different ways that you can interact with AWS storage. I don't want to call it the biggest feature of this section because I think—let's be honest—they're all equally meh features, right, Jesse?

Jesse: Yeah.

Pete: I think that's going to be the common thread. Again, you might look at some of these features and go, “Finally, my life is so much better because they've announced this feature.” But I got to say, outside of Intelligent Tiering, Storage Day felt a little weak. But let's dive in anyway. S3 Replication; if you are replicating your data from one S3 bucket to another bucket, another region, which maybe you need to do for compliance reasons, disaster recovery reasons, some of the new features they added are around replication metrics and notifications.

Now, previously, these metrics and notifications were only available if you used the Time Control Replication, and that is a additional charge to get a predictable SLA for your data to be backed up. They made these metrics now available for anyone, so that's actually awesome to hear that they’ve really just extended that out and are kind of giving you something for free. Additionally, they now replicate delete markers, which I swear I looked at a bunch of documents to understand better what delete markers mean, and the best I got to it, I don't actually really understand the problem from before, other than as you delete a version of something in the source, the delete marker moves over. But then maybe the previous versions are in the destination. That was my gist of it, Jessie, what was your gist of that one?

Jesse: Yeah, I struggled a little bit with some of these previously because S3 replication always felt like this magical hand-wavy feature where you turned it on and then just waited, and eventually your objects would show up in your destination bucket or destination folder. But there wasn't really any clear path to what was going on behind the scenes. So, I'm really excited to see that now these metrics and notifications are available to everyone, not just to folks who were using the Replication Time Control feature, and allows everybody to more easily understand how their data is replicating between S3 buckets behind the scenes. So, I feel good about this one. I feel like this is definitely a step in the right direction. I'm really excited to see that this is now broadly available for everybody that's using S3. I think it will make using S3 Replication easier for a lot of folks who need it for business purposes or any other use case.

Pete: Yeah, absolutely. Another really awesome feature—I was actually excited for this because, of course, it must affect me in my day-to-day—S3 object ownership is now available for all the Amazon regions and amazingly supported by CloudFormation, which I feel like is always an afterthought. But what this allows you to do is you can use this feature too, when you upload files, it'll make sure that the ownership is assumed by the bucket you've uploaded it into. And so this gets around a lot of hairy issues that come into S3 permissioning, IAM permissioning. I mean, S3 permissioning, in general, predates IAM. I don't know how many people actually know that. And I think because of it, there are some really gnarly edge cases people run into, and this is a big problem solver.

Jesse: I am really, really excited about this feature release, I cannot say how many times we've run into this edge case with some of our internal tooling because we have effectively copied or synced data from a client's S3 bucket into our S3 bucket, and we don't gain ownership. And that becomes such a permissioning headache to be able to do anything with that data once we have it in our S3 bucket. So, I'm really excited to see that object ownership is now not only a first-class citizen but now is also built into and supported by AWS CloudFormation.

Pete: Yeah, absolutely. Another new feature: it has to do with Outpost actually, and you can get S3 on Outposts now which, that's truly amazing if you think about it. Now, I don't know of anyone who actually is using Outposts, and I would love to chat with someone who can, if they're even allowed to, or if they're stuck under an NDA. But what an Outpost allows you to do is essentially purchase a rack of AWS; it's a rack of servers and storage with Amazon APIs. If you really just think about that for a second, that's pretty impressive.

And if you are going to do hybrid cloud, and you have maybe some data locality requirements like you really need data in a specific location and that's not a region that Amazon supports, or you have data centers, or there's always some requirements, you can now get S3 on there. And they said that they can support 48 or 96 terabytes of S3 capacity per Outpost. What that actually means—like, is that a rack? Is that a whole rack? Is that just a single S3 configuration? Hard to really know. There's no API to go and provision an Outpost yet.

Jesse: Yeah, I'm really curious about this one to see how folks end up using it because I'm super excited that this is a feature that's now available. I love the idea of Outposts, even though it may not be a business use case for us internally. But I'm really curious to see how thi...

What I Don't Get About the AWS Gateway Load Balancer

Corey Quinn — Wed, 18 Nov 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The Place to be for the Important Deets with Brooke Mitchell

Corey Quinn — Mon, 16 Nov 2020 03:00:00 -0800

AWS Morning Brief for the week of November 16, 2020 with Brooke Mitchell.

AWS Storage Day 2020

Corey Quinn — Fri, 13 Nov 2020 03:00:00 -0800

Links

Follow Last Week In AWS on Twitter

Transcript

Corey: This episode is sponsored in part by Catchpoint. Look, 80 percent of performance and availability issues don’t occur within your application code in your data center itself. It occurs well outside those boundaries, so it’s difficult to understand what’s actually happening. What Catchpoint does is makes it easier for enterprises to detect, identify, and of course, validate how reachable their application is, and of course, how happy their users are. It helps you get visibility into reachability, availability, performance, reliability, and of course, absorbency, because we’ll throw that one in, too. And it’s used by a bunch of interesting companies you may have heard of, like, you know, Google, Verizon, Oracle—but don’t hold that against them—and many more. To learn more, visit www.catchpoint.com, and tell them Corey sent you; wait for the wince.

Pete: Hello, and welcome to AWS Morning Brief. I am Pete Cheslock. Corey, while being back from his paternity leave, is still not here. We are having too much fun. And by we, I mean I'm joined again with Jesse DeRose. Hey, Jesse.

Jesse: Thanks as always for having me, Pete.

Pete: It's so much fun to again chat with people outside of my little family unit, that we've just decided not to give this back to Corey. And luckily, Corey has many other podcasts that he does, he was pretty happy to give it away.

Jesse: I feel like you should never talk about your children that way, but he's got a plethora at this point. So, he's willing to kind of share the wealth.

Pete: Exactly. And if you notice, we have a new theme song that came out, I think it was last week was the first week that we brought in the new theme song, which is I think much in line with a previous episode where we talked about ’80s breakdancing movies that the new theme song kind of has that vibe to it.

Jesse: I hope you're wearing the Members Only jean jacket that I sent you, along with the shades to match the uniform.

Pete: Yeah. I mean, I was born in ’80, so the ’80s for me, I was very young. I'm kind of waiting for the ’90s movies to come around again because I want to rock out my JNCO jeans and my wallet chain.

Jesse: [laugh], yes.

Pete: And all that good stuff.

Jesse: I am ready.

Pete: Exactly. Well, what are we talking about today? Well, earlier this week, AWS Storage Day 2020 happened on Tuesday. If you were a part of that, it was a free online event. As Amazon called it, a full day online event. Except it was only about four hours long, so kind of mailing it in on that one, huh?

Jesse: Can we start discussing that with our boss and say that a full day of work is technically just four hours? Can we just start working with that going forward?

Pete: Yeah, we'll just say it right now. So, hey, Corey, we're done for the day. Put in the old college four.

Jesse: [laugh]. That's what you say, “I put in the old college try. I just did my full day of four hours, according to AWS. So, this has been great. I'll talk to you tomorrow.”

Pete: Exactly. Well, Storage Day this year—it's the second year in a row if I'm remembering it correctly. 2019 was the last year they did that—and I feel like this kind of ties into the fact that there's just so many announcements that happened around re:Invent, that leading up into re:Invent, you have a lot of announcements to maybe soften the blow for a lot of folks. And Storage Day, really is just this whole day—well, four hours worth of a whole day—talking about everything related to storage. And we're talking about things like S3, EBS, EFS, FSx, for the five huge enterprises that probably use FSx.

Although if you actually do use FSx, I'd be curious to hear about how you like it and what you think of it because we don't really hear a lot of people using it. But these are all the services, plus many more, that Amazon talked about as part of its Storage Day.

Jesse: Yeah, it was a really interesting discussion. I greatly appreciate that AWS broke out this discussion prior to AWS re:Invent, but they dropped a lot of knowledge on us all at once, and in, like, rapid-fire succession, I was really, kind of… not necessarily surprised, but there's a lot of information that they shared all at once. And I have to admit that after sitting through this presentation, I now have a greater appreciation for Apple's slow presentation style. As much as I hate it; as much as I hate sitting for an hour and a half for one announcement while they toot their own horn, I have to say that the buildup and getting me involved in the story and bringing me along with them. It works, it absolutely works. And it was kind of hard for me to pick up on all the things that went on during AWS Storage Day this year because there was a lot of things going on.

Pete: And honestly, the fact they give so much information is really amazing in, I guess, both their ability to tout, in many cases, minor feature changes that most SaaS businesses would just turn on and maybe blog about. But this is—obviously the engine of AWS is so good at discussing their wins. But you're right, it's just a huge amount. On Monday, Jeff Barr of course, wrote the blog post with a lot of these details, linking to countless other blog posts. And I think it really speaks to just how, probably every, or nearly every Amazon service ties into storage in some way. It's a huge, huge part of this ecosystem.

Jesse: Absolutely.

Pete: So, as you can imagine, there were so many new features that we're not even going to be able to cover them all throughout the course, but we did want to call out some of the big ones, or at least what we thought were the biggest ones, the most interesting new features, new product announcements that came out, and also just touch on some of the other things that we thought were pretty interesting as well. And yeah, there was a lot of fun stuff. I think the biggest one that was announced was the S3 Intelligent-Tiering, which is a class storage tier within S3, adds additional levels of archive access. So, if you imagine Intelligent-Tiering, you know, you have the automatic tiering of data from frequently accessed to infrequently accessed as things age out, they essentially automate that for you. So, as things are not accessed, you just start automatically paying less for them. And anything automatic in a cost savings world is going to help you save money.

If you don't have to think about it and it just does it for you, it's fantastic. Well, Intelligent-Tiering added in these additional tiers—which they are Glacier—level tiers. They are additional places that your data can eventually move to as they start aging out based on a whole series of criteria. But there's caveats. There's more caveats now.

Before, one of the interesting things that we actually learned as part of this—because it was buried in a pricing page footnote—is that when you store something into Intelligent-Tiering, there is a minimum storage time period that you will get charge...

Why AWS Announces Regions in Advance

Corey Quinn — Wed, 11 Nov 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

The AWS Tea is Hot. Some, calling it Lipton.

Corey Quinn — Mon, 09 Nov 2020 03:00:00 -0800

AWS Morning Brief for the week of November 9, 2020 with Jam Leomi.

Certifications: The Good, The Bad & The Ugly

Corey Quinn — Fri, 06 Nov 2020 03:00:00 -0800

Links

Follow Last Week In AWS on Twitter

Transcript
Corey: This episode is sponsored in part by Catchpoint. Look, 80 percent of performance and availability issues don’t occur within your application code in your data center itself. It occurs well outside those boundaries, so it’s difficult to understand what’s actually happening. What Catchpoint does is makes it easier for enterprises to detect, identify, and of course, validate how reachable their application is, and of course, how happy their users are. It helps you get visibility into reachability, availability, performance, reliability, and of course, absorbency, because we’ll throw that one in, too. And it’s used by a bunch of interesting companies you may have heard of, like, you know, Google, Verizon, Oracle—but don’t hold that against them—and many more. To learn more, visit www.catchpoint.com, and tell them Corey sent you; wait for the wince.

Pete: Hello, and welcome to the AWS Morning Brief. I am Pete Cheslock. Corey is not here. He's never coming back. No, I'm just kidding, he's just not joining us for the Friday Morning Brief for a little while. Maybe we'll invite him back as a guest, but until then, I'm again joined by Jesse DeRose. Welcome back yet again, Jesse.

Jesse: Thank you so much for having me, I am so happy that Corey has not figured out that we just reset all of his passwords to ‘1234’ and locked him out of everything.

Pete: We did add an exclamation point to the end, and we made it very secure, but I do think it’s the—

Jesse: Very secure.

Pete: —it’s the ultimate troll to essentially take over Corey’s podcast for a period of time—while of course, he's taking care of his children—and essentially just inviting him back as a guest on it. So, I think that'll be fun. Maybe we'll have to do that: invite him back as a guest on his own podcast.

Jesse: I love it.

Pete: Well, we're here today to talk about, maybe, potentially contentious topic certifications. Are they good, or are they a bag of crap?

Jesse: This is a spicy one. I'm excited for this conversation.

Pete: So, certifications, this is a business that's more profitable for AWS than SimpleDB is.

Jesse: Nailed it.

Pete: Their whole certification ecosystem has really just blown up. I mean, I've been a part of the Amazon ecosystem since nearly the beginning, working for a startup back in 2009 timeframe; we were very early, and there was no certification, there was no re:Invent. I mean, all that stuff came after. And just looking now at the amount of certifications that exist, you've got, kind of, your default Cloud Practitioner level, you've got Solutions Architect Associate Level, Developer Level, you've got Professional Level, you can be a DevOps Engineer Professional.

But then, more importantly, they even have these specific specialties in addition, so you can have an advanced networking specialty, or an ML or data analytics. It's really interesting how this has just exploded across the ecosystem, and having been to many re:Invents, they put a good amount of effort into certifying a lot of engineers at those events. But Amazon certifications are actually not the only thing we're talking about today. It's a big part of what we're talking about, but there's a lot of certifications out there. And for a lot of people, that's how they got into the industry. So, there's potentially a lot of good, but that's not always the case.

Jesse: Yeah. I honestly have a lot of mixed feelings on certifications. And honestly, there's strongly mixed feelings on certifications. So, what I really want to talk about today is, are they good? Or are they crap? Are they things that are ultimately beneficial for you to sit for and to take, or are they a waste of your time? And honestly, I think it all really boils down to which certification you're looking at and what do you want to do with it? What's the ultimate end goal for getting this certification? Because that can ultimately really influence whether or not this certification is going to be worth your time and money.

Pete: Exactly. I mean, what is the point of these to begin with? I mean, other than being just a great cash cow for some businesses?

Jesse: Yeah, I like to think about it like—I compare it to a college degree. I know it's not but I think about it in the same sense of like—

Pete: See, that's a very spicy comparison for some people who have paid lots of money for a college degree—much like myself—to compare it to a certification, but I like where you're going with this, so give it to me.

Jesse: I'm sorry for all the listeners who just dropped off and returned back to the latest episode of the Adventure Zone or Serial. I appreciate for those of you who are still with us to continue on. For me, a certification can provide a lot of similar opportunities for a college degree in terms of, it's a way to validate your knowledge. It's a way for you to prove, “Hey, I understand these ideas, these concepts,” that maybe you wouldn't be able to validate otherwise. And it validates your knowledge externally, and it gives you the opportunity to show a potential employer, “Hey, I have proven that I am familiar with these topics related to your business, and that is why you should hire me, or that is why you should consider giving me this promotion or giving me this opportunity.” It really gives a candidate an opportunity to derisk yourself. And I have proof. I have third-party-validated proof that I am familiar with these things.

Pete: Look, Jeff Bezos personally signed—actually I don't know if that's the case. It's probably Andy Jassy—personally signed my certification. So, it's like Andy Jassy is giving me this job recommendation, and Andy Jassy’s stamp of approval.

Jesse: “Do you want us to get Andy Jesse on the phone? Because we can get him on the phone right now, and he can confirm that he personally approved me for this role.”

Pete: Exactly. I mean—and I, of course, say that he stamped mine. So, interestingly enough, I do not have any Amazon certifications, but you do Jessie.

Jesse: I do. I have the Solutions Architect Associate certification.

Pete: So, I have at various points in the last couple of companies I've worked at have looked at getting an Amazon certification, and honestly, I have had the same kind of thought processes you just mentioned, which was, what will this give me? And will it give me for my time, and let's not say the money aspect because, for all these scenarios that I'm dealing with, the company was going to pay for it.

Jesse: Sure.

Pete: So, that was less of a risk, but it is my time. I don't want to take it and fail it, and have to take it again; that's just wasteful. So, I’d want to spend some time preparing and reviewing. But if I were to get—at this stage of my career, having been working with Amazon for a long time, if I were to get a Cloud Practitioner or Solutions Architect Associate, does this open up any doors for me? And to be honest, at my stage of my caree...

The Other Side of Paternity Leave

Corey Quinn — Wed, 04 Nov 2020 03:00:00 -0800

Want to give your ears a break and read this as an article? You’re looking for this link.

Sponsors

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Did He Put Your Million Dollar Check In Someone Else's Box

Corey Quinn — Mon, 02 Nov 2020 03:00:00 -0800

AWS Morning Brief for the week of November 2, 2020 with Courtney Wilburn.

Blinded by QuickSight

Corey Quinn — Fri, 30 Oct 2020 03:00:00 -0700

Links

Last Week In AWS Twitter: https://twitter.com/lastweekinaws
https://wellarchitectedlabs.com/

Transcript

Pete: Hello, and welcome to the AWS Morning Brief. I am Pete Cheslock. I'm still here. I'm going to be here for a while I guess, but not alone. I'm here with Jesse. Jesse, thank you again for coming on board and keeping me company.

Jesse: Always a pleasure.

Pete: It's honestly just nice to talk to someone else that's outside of my little family unit or my pandemic crew.

Jesse: I would say it's nice to get paid to just talk about my feelings. But I mean, I'm not technically getting paid for this.

Pete: Yeah, I feel like I'm just trying to balance the conversations with coworkers, podcasting this, my kids at this point, have more Zooms than I do.

Jesse: [laugh]. I think that probably says something about our social lives and about ourselves. And I feel like I need to go rethink everything.

Pete: Well, my son who is six years old, he does a better job of managing his mute button than most full-grown adults I know.

Jesse: I feel like that's the fun thing. I really want to see how the next generation is going to grow up with technology, better understanding the mute button, and all of this video content than we do.

Pete: It is hilarious to hear my daughter yelling at her friends, “You're on mute.” [laugh]. Oh, well, what is not on mute today is both of us. We are talking about the most loved Amazon service, Amazon QuickSight.

Jesse: I think it's technically going to be on blast today rather than on mutes.

Pete: Yeah, I think we're going to struggle to keep this one on time. So, if we go long, I apologize in advance. But we're talking about QuickSight, which for those that maybe have never heard of QuickSight before, it's Amazon's business intelligence tool. The question you're probably asking yourself, to be perfectly honest, is why? Why did you even try QuickSight?

Like what point, what thing were you solving that made you think of QuickSight? So, we're going to tell that story. But first, let's just pivot into BI tools, business intelligence tools. That's the category that QuickSight is technically in. So, we'll talk a little about that, and also how we actually use BI tools within Duckbill because that'll give you, hopefully, the context into answering that question of, “Why did you even try QuickSight, Pete? Why?”

Jesse: I mean, I feel like there's probably still going to be people asking us why after this podcast, and I'm sorry for those listeners. We don't have an answer for you. Maybe we're just masochists. We don't know.

Pete: It's just because it's there, I think is what the final answer is. [laugh].

Jesse: Absolutely. So, business intelligence tools solve a whole variety of problems and we could probably do an entire episode on them in general. They help you gain insights from your data, which is fantastic. I absolutely love that this is even a category of service out there. But today specifically, to keep it on track, we want to specifically talk about gaining insights from your spend data, your AWS spend data. And to do that, we really need to start by talking about the AWS Cost and Usage Report.

Pete: Yeah, the Cost and Usage Report—you might hear it referred to as the CUR. I heard it referred to as the CUR often and it took me quite a while to actually figure out what anyone was talking about. So, if you hear someone say the CUR, they probably mean the Cost and Usage Report. But this is the v2, we'll call it, version of the Amazon billing data.

It's incredibly high fidelity, I think is the term. It's very granular; there's a lot of data in there. And it's not enabled by default; you need to actually go turn it on. But what's awesome about this tool is it can provide you some really deep insight into where your money is going, and the only cost for it is the cost to store the data. And the Cost and Usage Report itself, when you turn this report on and have it dumped into your S3 bucket location of choice, you can actually have it store into a couple different file formats.

One of them is Excel CSV format. And the other one is a Parquet format, which is a columnar data store and is a lot more efficient for this type of data. And it's the Parquet version of this that we use, we tell our clients—clients of Duckbill—to turn this on and turn it on with Parquet because then you can use tools like Athena to query your data and just leave it in S3 and run those ad hoc queries. So, Athena, though, which we're not talking about Athena, is challenging to use, in some cases—

Jesse: Yeah.

Pete: —you have to know SQL, which if you don't know SQL you're kind of in a bad spot. So, we use a BI tool, a very popular one called Tableau to query our data on Athena. So, Athena is kind of the engine, you could also obviously put your CUR data into an actual database. But largely, the queries we're doing, these are all human-generated. We're fine if they take seconds; they don't need to happen in milliseconds.

Jesse: Yeah, I mean, there's lots of solutions out there. There's third party commercial apps like Tableau and Looker—RIP—there's open-source options like Metabase. But of course then, in true AWS fashion, there's also a hastily integrated acquisition called QuickSight.

Pete: So, I have this memory in my head—and hopefully someone will correct me if they're listening to it, and I'm wrong here—but I feel like QuickSight was actually an acquisition. Like Amazon, which really doesn't usually acquire a lot of teams or businesses into Amazon Web Services, with like a couple of pretty rare exceptions, I'm almost positive, that QuickSight was actually some other product that Amazon acquired into it. But the history of QuickSight from at least the Amazon umbrella started around 2015 is when they announced it at re:Invent, and I was there for that announcement. I remember that announcement clearly, and I still actually kind of laugh at it when it came out. Now, first off, that was 2015 is when it was announced, and not for nothing, it does not look like it has gotten much better in the five years that it's been operating since launch.

<...

Reader Mailbag: Savings Plans (AMB Extras)

Corey Quinn — Wed, 28 Oct 2020 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/reader-mailbag-savings-plans

Sponsors

StrongDM: https://strongdm.com
Linode: https://www.linode.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Not Throwing Away My Shot!

Corey Quinn — Mon, 26 Oct 2020 03:00:00 -0700

AWS Morning Brief for the week of October 26, 2020 with Ceora Ford.

Best and Worst Ways to Incentivize Teams

Corey Quinn — Fri, 23 Oct 2020 03:00:00 -0700

Links

Last Week In AWS Twitter: https://twitter.com/lastweekinaws

Transcript

Pete: Hello, and welcome to AWS Morning Brief. I’m Pete Cheslock. I'm still here; Corey is still not. I'm sorry. But don't worry, I'm here again with Jesse DeRose. Welcome back yet again, Jesse.

Jesse: Thank you for having me back. I have to say for all our listeners, I'm sorry I have not watched the entire Step Up trilogy and all the other breakdancing movies we talked about last time. It is still on my todo list. But fear not, it will happen. We will talk about this again.

Pete: Well, that actually brings a really good point, which is we need to make a correction from our last podcast. We talked about how Breakin' 2: Electric Boogaloo was the sequel for Breakin’, and I had incorrectly thought that Breakin’—the first one—also had ‘Electric Boogaloo’ in the name. It turns out I lack the ability to read an article on Wikipedia. There was a very carefully placed period in that sentence which, as our listeners probably know, delineates one sentence from another. So, no: Breakin' one, it was just called Breakin’. It was not Breakin’: Electric Boogaloo. I’m—just have no ability to read anything on Wikipedia, apparently.

Jesse: I still feel like this is a missed opportunity for the first one in the franchise to be Breakin’: Electric Boogalone.

Pete: [laughs]. Almost as bad as Electric Boogalee, but—

Jesse: It's up there.

Pete: —that's for another podcast. Anyway, we are talking today, not about breakdancing movies from the 1980s, we are actually talking about a little bit of a different change in our normal conversation, not necessarily around Amazon-specific technologies, but around fostering change within an organization, and some of the worst ways that we have seen change kind of implemented into an organization. Fostering change, it's important in any organization in general—and maybe we're a little biased; we spend so much of our time dealing with cost savings and cost optimization, but it really is so much more important when you deal with over-reaching cost optimization and, kind of, management strategy within a company.

Jesse: Yeah, I feel like there's this massive disconnect between a lot of companies, where leadership has this really, really heavy incentive—or really, really heavy goal to better understand and manage cloud costs, and the individual contributors or the underlying engineering teams just don't have the same focus. And that's not to say that they don't care about costs, so much as maybe they have other roadmap items that they're working on or other tasks that have been prioritized before cost optimization projects. So, there really seems to be this disconnect to think about cost optimization more thoroughly throughout all levels of an organization. And it ultimately makes us think about how do you go about making that change because it seems like the best way to instill the importance of cloud cost optimization and management across a company is by instilling it in the company's culture. So, today, I really want to focus on what are some of the ways that we can get the entire company to care about cost optimization and management, the same way that leadership might care about cost optimization and management. Or alternatively, if this is an individual contributor that cares, how they can get the rest of the company to care about these things and vice versa.

Pete: Yeah, that's a really good point. And we deal with a whole swath of different companies and different people at those companies, where it's kind of amazing to see how some people just inherently really care about what's being spent. And it could be for various reasons. Maybe these are people that may not have any connection to the bill or paying the bill, but more just—they just—I mean, myself, I am this person. I just hate waste. I hate waste in all parts of my life, but I really hate waste in my Amazon bill because finding out that I didn't have to spend $10,000 last month on all of those API list requests on S3 due to that bug, it just—it cuts up my soul.

Jesse: And it's really rare to find people in any organization, whether it's a client that we're working with or an organization that you work in, that are super, super invested in that kind of cost optimization work. But when you find them—I was working with one recently at one of our clients who described themselves as a super nerd about cost optimization work. And that's perfect. That's what we want. We want somebody who nerds out over this stuff, and really passionately cares about, what's it going to cost for us to make changes?

Pete: Yeah. I mean, we are two people who have focused our careers on caring about how much people spend on their bill. We're cost nerds. It's fine. It's okay to say it.

Jesse: I accept this term. I accept.

Pete: [laughs]. So, before we get to some of the good ways that we've seen to get people to care about this stuff, we want to talk about some of the worst practices we've seen. And this is broader than just cost management. This really is, what are some of the worst ways that we have been a part of seeing a company just try to affect change, whether you're a startup that's trying to pivot to the next thing, make it to the next funding round; or maybe you're an enterprise and you're just trying to go digitally native, cloud-native, multi-cloud, or something like that. The technology is not your challenge. It's not the technology is the reason why you're not going to accomplish your goal. It's always going to be the people and getting them to care about it. So, what are some ways, Jessie, that you've seen that have been particularly grinding to you?

Jesse: Yeah, if we're going to talk about incentivizing practices, I think that the big one that we need to talk about is gamifying the system where the leadership or management sets some kind of goal to say, “We want all of our IT team’s support tickets to be closed within 48 hours.” So, that's a great goal to set; that's a lovely SLA goal to work towards, but if you just set that goal blanketly, for your team, they're going to gamify the system hard. They are going to end up closing tickets as soon as they send a response, rather than waiting for the issue to be resolved or not. I've experienced this multiple times, and it driv...

Reader Mailbag: Potpourri (AMB Extras)

Corey Quinn — Wed, 21 Oct 2020 03:00:00 -0700

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/reader-mailbag-potpourri

Sponsors

nOps: https://www.nops.io/
Linode: https://www.linode.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Don't Interrupt Me... Last Week In (A)s I (W)as(S)aying

Corey Quinn — Mon, 19 Oct 2020 03:00:00 -0700

AWS Morning Brief for the week of October 19, 2020 with guest host Brianna McCullough.

AWS Cost Anomaly Detection 2: Electric Boogaloo

Corey Quinn — Fri, 16 Oct 2020 03:00:00 -0700

About Corey Quinn

Pete: Hello, and welcome again to the AWS Morning Brief: Whiteboard Confessional. Corey is still enjoying some wonderful family time with his new addition, so you're still stuck with me, Pete Cheslock. But I am not alone. I have been joined yet again, with my colleague, Jesse DeRose. Welcome back, Jesse.

Jesse: Thank you for having me. I will continue to be here until Corey kicks me back off the podcast whenever he returns and figures out that I've locked him out of his office.

Pete: We'll just change all the passwords and that'll just solve the problem.

Jesse: Perfect.

Pete: What we're talking about today is the “AWS Cost Anomaly Detection, Part Two: Electric Boogaloo.”

Jesse: Ohh, Electric Boogaloo. I like that. Remind me what that's from. I feel like I've heard that before.

Pete: Okay, so I actually went to go look it up because all I remembered was that there was, like, a movie from the past, “Something Two: Electric Boogaloo,” and I dove to the internet—also known as Wikipedia—and I found it it was a movie called Breakin’ 2: Electric Boogaloo], which is a 1984 film. And it says it's a sequel to the 1984 breakdancing film Breakin’: Electric Boogaloo, which I thought was kind of interesting because I always thought of that joke ‘Electric Boogaloo’ was as related to the part two of something, but it turns out it's not. It's actually can be used for both part one and part two.

Jesse: I feel like I'm a little disappointed, but now I also have a breakdancing movie from the ’80s to go watch after this podcast.

Pete: Absolutely. If this does not get added to your Netflix list, I just—I don't even want to know you anymore.

Jesse: [laughs].

Pete: What's interesting, though, is that there was a sequel called Rappin’, which says, “Also known as Breakdance 3: Electric Boogalee.”

Jesse: Okay, now I just feel like they're grasping at straws.

Pete: I wonder if that was also a 1984 film. Like, if all of these came out in the same year. I haven't looked that deep yet.

Jesse: I feel like that's a marketing ploy, that somebody literally just sat down and wrote all of these together at once, and then started making the films after the fact.

Pete: Exactly. One last point here, because it's too good not to mention, was that it basically says that all these movies, or at least the later one, had an unconnected plot and different lead characters; only Ice-T featured in all three films, which then got me to think a sec—wait a second, Ice-T was in this movie? Why have I not watched this movie?

Jesse: Yeah. This sounds like an immediate cult classic. I need to go watch this immediately after this podcast; you need to go watch this.

Pete: Exactly. So, anyway, that's the short diversion from our, “AWS Cost Anomaly Detection, Part Two” discussion. So, what did we do last time? Why is this a part two? Hopefully, you have listened to our part one. It was, I thought, quite amazing—but I'm a little bit biased on that one—where we talked about a new service that was very recently announced at Amazon called AWS Cost Anomaly Detection.

And this is a free—free service, which is pretty rare in the Amazon ecosystem—that can help you identify anomalies in your spend. So, we got a bit of a preview from some of the Amazon account product owners for this Cost Anomaly Detection, and then we got a chance to just dive into it when it turned on a few weeks ago. And it was pretty basic.

It's a basic beta service—they actually list it as beta—and the idea behind this is that it will let you know when you have anomalies in your cost data, primarily increases in your cost data. I remember specifically talking that it was specifically hard to identify decreases in spend as an anomaly. So, right now it only supports increases. So, a few weeks ago, we went into our Duckbill production accounts, turned it on, and we were just waiting for anomalies so that we could do this.

Jesse: I also think it's worth noting that I'm actually kind of okay with it being basic for now because if you look at almost any AWS service that exists right now, I would say none of them are basic. So, this is a good place to start and gives AWS opportunities to make it better from here without making it convoluted or difficult to set up in the first place.

Pete: A basic Amazon service, much like myself.

Jesse: [laughs].

Pete: So, guess what? We found anomalies. Well, we didn't find them. The ML backing Cost Anomaly Detection found some anomalies. So, that's what we're here to talk about because now that we actually have some real data, and real things happened, and we actually dove into some of those anomalies, interestingly enough. So, that's what we're here to talk about today.

Jesse: It's also probably worth noting that we changed our setup a few times over the course of kicking the tires on this service, and unfortunately, we weren't able to thoroughly test all of the different features that we wanted to test before this recording. So, we do still have some follow up items that we'll talk about at the end of this session. But we did get a chance to look at the majority of options and features of this service, and we'll talk about those today.

Pete: So, if you remember—or maybe you don't because you didn't listen to the last episode we did—we configured a monitor, is what it's called, that will analyze your account based on a few different criteria. And the main one is,...

Reader Mailbag: Accounts (AMB Extras)

Corey Quinn — Wed, 14 Oct 2020 03:00:00 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/reader-mailbag-accounts/

Sponsors

StrongDM: https://strongdm.com
Linode: https://www.linode.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Snark Interrupted

Corey Quinn — Mon, 12 Oct 2020 03:00:00 -0700

AWS Morning Brief for the week of October 12, 2020 with guest host Veliswa Boya.

The Cloud is Not Just Another Data Center (Whiteboard Confessional)

Corey Quinn — Fri, 09 Oct 2020 03:00:00 -0700

About Corey Quinn

Links

A Cloud Guru Blog post, Lift and Shift Shot Clock: https://acloudguru.com/blog/engineering/the-lift-and-shift-shot-clock-cloud-migration
The Duckbill Group: https://www.duckbillgroup.com/

Pete: Hello, and welcome to the AWS Morning Brief: Whiteboard Confessional. I am again Pete Cheslock, not Corey Quinn. He is still out, so you're stuck with me for the time being. But not just me because I am pleased to have Jesse DeRose join me again today. Welcome back, Jesse.

Jesse: Thanks again for having me.

Pete: So, we are taking this podcast down a slightly different approach. If you've listened to the last few that Jessie and I have ran while Corey has been gone, we've been focusing on kind of deep-diving into some interesting, in some cases, new Amazon services. But today, we're actually not talking about any specific Amazon service. We're talking about another topic we're both very passionate about. And it's something we see a lot with our clients, at The Duckbill Group is people treating the Cloud like a data center.

And what we know is that the Cloud, Amazon, these are not just data centers, and if you treat it like one, you're not actually going to save any money, you're not going to get any of the benefits out of it. And so there's an impact that these companies will face when they choose between something like cloud-native versus cloud-agnostic or a hybrid-cloud model as they adopt cloud services. So, let's start with a definition of each one. Jessie, can you help me out on this?

Jesse: Absolutely. So, a lot of companies today are cloud-native. They focus primarily on one of the major cloud providers when they initially start their business, and they leverage whatever cloud-native offerings are available within that cloud provider, rather than leveraging a data center. So, they pay for things like AWS Lambda, or Azure Functions, or whatever cloud offering Google's about to shut down next, rather than paying for a data center, rather than investing in physical hardware and spinning up virtual machines, they focus specifically on the cloud-native offerings available to them within their cloud provider.

Whereas cloud-agnostic is usually leveraged by organizations that already use data centers so they're harder pressed to immediately migrate to the Cloud, the ROI is murkier, and there's definitely sunk costs involved. So, in some cases, they focus on the cloud-agnostic model where they leverage their own data centers, and cloud providers equally so that compute resources run virtual servers, no matter where they are. Effectively, all they're looking for is some kind of compute resources to run all their virtual servers, whether that is in their own data center, or one of the various cloud providers, and then their application runs on top of that in some form.

Last but not least, the hybrid-cloud model can take a lot of forms, but the one we see most often is clients moving from their physical data centers to cloud services. And effectively, this looks like continuing to run static workloads in physical data centers or running monolith infrastructure in data centers, and running new or ephemeral workloads in the Cloud. So, this often translates to: the old and busted stays where it is, and new development goes into the Cloud.

Pete: Yeah, we see this quite a bit where a client will be running in their existing data centers, and they want all the benefits that the Cloud can give them, but maybe they don't want to really truly go all-in on the Cloud. They don't want to adopt some of the PaaS services because of fear of lock-in. And we're definitely going to talk about vendor lock-in because I think that is a super-loaded term that gets used a lot. Hybrid-cloud, too, is an interesting one because some people think that this is actually running across multiple cloud providers, and that's just something we don't see a lot of. And I don't think there are a lot of clients, the companies out there running true multi-cloud, I think is the term that you would really hear.

And the main reason I believe that not a lot of people are doing this, running a single application across multiple clouds is that people don't talk about it at conferences. And at conferences, people talk about all the things that they do when in reality, it's so wishful thinking. And yet no one is willing to talk about this kind of, oh, we're multi-cloud in like, again, kind of, singular application world. So, one thing we do see across these three, you know, models, at a high level, cloud-native, agnostic, hybrid-cloud, the spend is just dramatically different. If you were to compare multiple companies across these different use cases. Jessie, what are some of the things that you've seen across these models that have impacted spend?

Jesse: I think first and foremost, it's really important to note that this is a hard decision to make from a business context because there's a lot of different players involved in the conversation. Engineering generally wants to move into the Cloud because that's what their engineers are familiar with. Whereas finance is familiar with an operating model that does not clearly fit the Cloud. Specifically, we're talking about CapEx versus OpEx: we're talking about capital expenditures versus operating expenditures. Finance comes from a mindset of capital expenditures, where they are writing off funds that are used to maintain, acquire, upgrade physical assets over time.

So, a lot of enterprise companies manage capital expenditure for all the physical hardware in their data centers. It's a very clear line item to say, “We boug...

Reader Mailbag: AWS Services (AMB Extras)

Corey Quinn — Wed, 07 Oct 2020 03:00:00 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/reader-mailbag-aws-services/

Sponsors

StrongDM: https://strongdm.com
Linode: https://www.linode.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

No Hateration or Holleration in this Dancery

Corey Quinn — Mon, 05 Oct 2020 03:00:00 -0700

AWS Morning Brief for the week of October 5th, 2020 featuring guest host Angela Andrews.

Turn on AWS Cost Anomaly Detection Right Now—It’s Free (Whiteboard Confessional)

Corey Quinn — Fri, 02 Oct 2020 03:00:00 -0700

About Corey Quinn

Transcript

Pete: Hello and welcome to the AWS Morning Brief: Whiteboard Confessional. Corey is still not back. Of course, he did just leave for paternity leave, so we will see him in a few weeks. So, you're stuck with me, Pete Cheslock, until then. But luckily, I am joined again by Jesse DeRose. Jesse, thanks again for joining me today.

Jesse: Thank you for having me. You know, I have to say I love recording from home. I can't see the look in our listeners’ eyes as they glaze over while we're talking. It's absolutely fantastic.

Pete: It's fantastic. It's like a conference talk, but there's no questions at the end. It's the best thing ever.

Jesse: Yeah, absolutely. I love it.

Pete: All right. Well, we had so much fun last week talking about a new service. Although it turns out it was new to us. It was the AWS Detective—or Amazon Detective. There's still some debate about what the actual official name of that service is. For some reason, I thought that service came out in the summertime, but it turns out it was earlier in the year. So, still a great service, AWS Detective—or Amazon Detective, whichever way you go with that one—but we had such a fun time talking about a new service that we had the opportunity of testing out an actual brand new service. This was a service that was just announced last Friday. And that's the AWS Cost Anomaly Detection service. Jessie, what is this service all about?

Jesse: So, you likely would notice if your AWS spend spiked suddenly, but only the really, really mature organizations would be able to tell immediately which service spiked. Like, if it's one of your top five AWS Services by spend, you'd probably be able to know that it's spiked, you'd probably be able to see that easily in either your billing statement or in Cost Explorer. But what if you're talking about a spike in a much smaller amount of spend, that's still important to you, but it's a service that you don't spend a ton of money on: it's a service that is not a large percentage of your bill. Let's say you use Workspace, and you only spend $20 a month on Workspace. You ultimately do want to know if that spend spikes 100 percent or 200 percent, but overall, that's only maybe $20 on your bills. So, that's not something to see very easily unless it spikes exponentially.

So, the existing solutions for this problem require a lot of hands-on work to build a solution. You either need to know what your baseline spend is in the case of AWS Budgets, or you need to perform some kind of manual analysis via custom spreadsheets or business intelligence tools. But AWS Cost Anomaly Detection kind of gets rid of a lot of those things. It allows you to look at anomalous spend as a first-class citizen within AWS.

Pete: Yeah, the other trick too, with this anomalous spending—and I've gotten really good at learning how to spell ‘anomaly’ because I've always spelled it very wrong my entire life, but in just writing the preparatory material for this, the number of times I spelled anomaly has really solved that problem for me. Now, sometimes those mature organizations, they might see that anomalous spend, maybe the day after, maybe the week after, but I've been a part of organizations who they see that spend when the bill comes. That's actually pretty common. You're not an outlier if you only identify these outliers in spend when your bill arrives. And that outlier in spend could be something like, “Wow, we changed a script, and we're doing a bunch of list requests, and wow, we're that $8,000 come from?” or, “We're testing out Amazon Aurora and we did a lot of IOs last weekend, and our estimated bill is going to be $20,000.” Those are all things that if you're not a crazy person who's so in love with your bill that you look at it every day, you're going to miss that, right? You're just going to wait to the invoice. That's what everyone happens, right, Jesse?

Jesse: Absolutely. Yeah, it has been really fascinating for us to see this pattern again and again, honestly, with some of the clients that we worked with, but also within the companies that I've worked with over the years. It's just not something that is highly thought about until finance sees the bill at the end of the month or after the end of the month, and then it becomes a retroactive conversation, or a retrospective to figure out what happened. And that's not the best way to think about this.

Pete: Yeah, exactly. I mean, the best way to save money on your bill—something we see every day—is to avoid the charge, right? Avoid those extra charges. And the way you can do that is to know of an anomaly in advance. So, one of the best parts of this feature—I can't believe it, we've made it nearly five minutes into this conversation without calling out the most impressive part of Anomaly Detection—is the fact that it's all ML-powered. Now, I know what you're thinking, that you just cringed when I said ML, it's machine learning. And I cringe whenever a company markets based on machine learning. And the rule that I have is, you need to tell me how many PhDs are on your staff before I believe you can actually do machine learning.

Jesse: [laughs].

Pete: In the Amazon case, as it turns out, I could guess that they hire quite a few PhDs, so I feel like I'm going to give them a pass on this one.

Jesse: I feel like this is going to be a fun, over-under conversation of how many PhDs were on the team that put this service together, or built the machine learning component of AWS Cost Anomaly Detection.

Pete: I'll tell you what. It's good to be more than most SaaS services, that market towards machine learning.

Jesse: Absolutely.

Pet...

Paternity Leave (AMB Extras)

Corey Quinn — Wed, 30 Sep 2020 03:00:00 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/paternity-leave/

Sponsors

StrongDM: https://strongdm.com
New Relic: https://newrelic.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Cost Anam--Anom--screw it, Cost Outlier Detection

Corey Quinn — Mon, 28 Sep 2020 03:00:00 -0700

AWS Morning Brief for the week of September 27th, 2020.

Inspecting Amazon Detective (Whiteboard Confessional)

Corey Quinn — Fri, 25 Sep 2020 03:00:00 -0700

Links

The Duckbill Group: https://www.duckbillgroup.com/

Transcript

Pete: Hello, and welcome to the AWS Morning Brief: Whiteboard Confessional. You are not confused. This is definitely not Corey Quinn. This is Pete Cheslock. I was the recurring guest. I've pushed Corey away, and just taken over his entire podcast. But don't worry, he'll be back soon enough. Until then, I'm joined by a very special guest, Jesse DeRose. Jesse, want to say hi?

Jesse: Howdy everybody.

Pete: Jesse and I are two of the cloud economists that work with Corey here at The Duckbill Group, and I convinced Jesse to come and join me today to talk about a new Amazon service that we had the pleasure—mm, you be the judge of that—of testing out recently, a service called Amazon Detective. This is a new service that I want to say was announced a couple of weeks ago, actually longer than that because, as you'll learn, it took us a little while to actually get a fully up and running version of this going, so we could actually do a full test on it. But as you can imagine, we get a chance to try out a lot of new Amazon services. And when we saw this service come out, we were pretty excited. Jesse, maybe you can chat a little bit about what piqued your interest when we first heard of Amazon Detective.

Jesse: So, we here do a lot of analysis work with VPC Flow Logs. There's so much interesting data to be discovered in your VPC Flow Logs, and I really enjoy getting information out of those logs. But ultimately, digging into those logs via AWS’s existing services can be a bit frustrating; it can be a bit time-consuming in order to go through the administrative overhead to analyze those logs. So, for me, I was really excited about seeing how AWS Detective automatically allowed us to dig into some of that data, ideally more fluidly, or more organically, or naturally, to get at the same information with, ideally, less hassle.

Pete: Exactly. So, for those that have not heard of AWS Detective yet, I'm just going to read off a little bit about what we read on the Amazon documentation that actually got us so excited. They talked a lot about these different security services like Amazon GuardDuty Macie, Security Hub, and all these partner products. But finding this central source for all of this data was challenging.

And one of the things they actually called out which got us really excited is these few sentences. They said, “Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time.” It was actually this sentence that got us really excited because, as Jesse mentioned, we spend a lot of time trying to understand our clients’ data transfer usage. What is talking to what? Why is there charge for data transfer between certain services? Why is it so high? Why is it growing? And we spend, unfortunately, a lot of time digging around in the VPC Flow Logs. So, when we saw this, we got really excited because—well, Jesse, how do we do this today? How do we actually glean insight from Flow Logs?

Jesse: It's a frustrating process. I feel like there has got to be a better way for us to get this information from a lot of our clients, and every single time we have to ask our clients to send over or share these VPC Flow Logs. There's that little wince of the implied. “I’m so sorry that we have to ask you to do it this way,” because it's doable, but it requires sinking data between S3 buckets, creating and running Athena queries, there's lots of little pieces that are required to build up to the actual analysis itself. There's no first-class citizens when it comes to analyzing these logs.

Pete: It's really true. And Athena, the Data Factory—the Data Glue—what is it? Glue. You have to create a Glue Catalog. It's just a lot of work when we're really just trying to understand who and what are the top producers, consumers of data that is likely impacting spend for a client.

So, we saw this and we thought to ourselves, “Wow, that one sentence it put in the list, it said, ‘The interactions between all of these resources and users over time.’” We got really excited for this. We also got excited because, of course, we love understanding how much things cost, but the pricing for Detective, it didn't seem that crazy. I mean, it's not great, but it's all based on ingested logs, which they don't really describe. So, our assumption is that if you send it your VPC Flow Logs, or CloudTrail logs, or whatever, you're going to pay for those on top of probably already paying for them today. So, that could be a deal-breaker for some clients out there.

Jesse: That's the thing that was super frustrating for me, or super interesting for me is that AWS Detective, in terms of pricing and in terms of technology and capability, doesn't replace any of these other components. It is additive, which, generally speaking, I think is great, but when you start looking at it from a price perspective, that means that you're going to pay for CloudTrail logs, and VPC Flow Logs, and GuardDuty, and Macie, and all of these other services, and now you're going to pay for AWS Detective on top of that. So, it feels like you're paying twice for a lot of these services, when you could do a lot of the same analysis work yourself. And it's probably not going to be as clean to do it yourself in terms of building out the Glue Catalogs that we talked about building out, Athena tables and queries. But ultimately, it may be less expensive because it's not ultimately paying for all these additive services on top of each other.

Pete: Exactly. I think we're definitely not being fair to the Amazon Detective product teams because we're trying to use this service, or we're hoping this service solves a really specific painful use case for us. And really, it's just based on what we found in their public-facing marketing.

So, how does this actually work? Well, we found some really great information online via Amazon. They did a great job documenting how this all works. Essentially, you enable Amazon Detective, and you enable CloudTrail, and VPC, and GuardDuty, you have to enable it in multiple accounts, and Jesse can talk a little bit more about some of the caveats we ran into just setting it...

Reader Mailbag: Billing (AMB Extras)

Corey Quinn — Wed, 23 Sep 2020 03:00:00 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/reader-mailbag-billing/

Sponsors

A Cloud Guru: https://acloudguru.com
New Relic: https://newrelic.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

EC2 Gets t4gging Support

Corey Quinn — Mon, 21 Sep 2020 03:00:00 -0700

AWS Morning Brief for the week of September 21, 2020.

Chef Gets Gobbled Up (Whiteboard Confessional)

Corey Quinn — Fri, 18 Sep 2020 03:00:00 -0700

Transcript

Corey: This episode is sponsored in part by Catchpoint look, 80% of performance and availability issues don't occur within your application code in your data center itself. It occurs well outside those boundaries. So it's difficult to understand what's actually happening. What Catchpoint does is makes it easier for enterprises to detect, identify, and of course validate how reachable their application is. And of course, how happy their users are. It helps you get visible and to reach a bit availability, performance, reliability, of course, absorbency. Cause we'll throw that one in too. And it's used by a bunch of interns and companies you may have heard of like, you know, Google, Verizon, Oracle, but don't hold that against them. And many more. To learn more, visit www.catchpoint.com and tell them Cory sent you, wait for the wince.

Welcome to the AWS Morning Brief: Whiteboard Confessional, now with recurring perpetual guest, Pete Cheslock. Pete, how are you?

Pete: I'm back again.

Corey: So, today I want to talk about something that really struck an awful lot of nerves across, well, the greater internet. You know, the mountains of thought leadership, otherwise known as Twitter. Specifically, Chef has gotten itself acquired.

Pete: Yeah, I saw some, I guess you would call them, sub-tweets from some Chef employees before it was announced, which is kind of common, where responses ranged from, “Oh, that's something new,” to, “Welp.” And I've thought it—I was like, “Wow, that's interesting.” Of course, then I start looking for news of what happened, of which we all found out not long after.

Corey: Before we go into it, let's set the stage here because it turns out not everyone went through the battles of configuration management circa 2012 to 2015 or so—at least in my experience. What did Chef do? What was the product that Chef offered? Who the heck are they?

Pete: So, Chef, they were kind of a fast follower in the configuration management space to another very popular tool that I'm sure people have used out there called Puppet. Actually, interestingly enough, the founders of Chef ran a consulting company that was doing Puppet consulting; they were helping companies use Puppet. And both of those tools really came from yet another tool called CFEngine, which in many ways—depending on who you ask—it's kind of considered the original configuration management, the one that had probably the earliest, largest usage. But it was very difficult to use. CFEngine was not something that was easy, it had a really high barrier to entry, and tools like Puppet and Chef, they came out around the, let's say 2007, 8, 9 10 timeframe, were written in Ruby which was a little bit easier of a programming language to get up and running with. And this solved a problem for a lot of companies who needed to configure and manage lots of servers easily.

Corey: And there are basically four companies in here that really nailed it for this era; you had Puppet, Chef, Salt, and Ansible. And in the interest of full disclosure, I was a very early developer behind SaltStack, and I was a traveling contract trainer for Puppet for a while. I never got deep into Chef myself for a variety of reasons. First and foremost was that its configuration language was fundamentally Ruby, and my approach back then—because I wasn't anything approaching a developer—was that if I need to learn a full-featured programming language at some point, well, why wouldn't I just pivot to becoming, instead, a developer in that language and not have to worry about infrastructure? Instead, go and build applications and then work nine to five and not get woken up in the middle of the night when something broke. That may have been the wrong direction, but that was where I sat at the time.

Pete: Yeah, I came at it from a different world. So, I had worked for a startup that no one has probably really ever heard of, unless you have met me before, like, know who I am, but a company called Sonian which was very early in the cloud space. It was email archiving, so it wasn't anything particularly mind-blowingly interesting because it's compliant email archiving, but what was interesting is that we were really early in the cloud space, and a lot of the tools that people use today just didn't exist for managing cloud servers. It was 2008, 2009, pretty early, EC2 timeframe. How would you provision your EC2 instance, back then? Maybe you use CFEngine, maybe use Puppet.

And actually, interestingly enough, that company—Sonian—was originally a Puppet shop because Chef didn't exist yet. And there were a series of issues we ran into, technical capabilities that Puppet just couldn't do for us at the time. And again, that time being 2009, 2010, and a lot of the very early Chef team, founding team, early engineers, were really working with us very closely to bootstrap our business on Chef writing a lot of those original cookbooks that became community cookbooks. And so, my intro into Chef and the Chef community is a lot earlier than most, and I went a lot deeper with it just by nature of being so early into that space.

Corey: One of the things that struck me despite not being a Chef aficionado myself was, first, just how many people in the DevOps sphere were deeply tied into that entire ecosystem. And two, love or hate whatever the product, or company, et cetera, did, some of the most empathetic people I've ever met were closely tied to Chef’s orbit. So, I have not publicly commented until now on Chef getting acquired, just because I'm trying to give the people who are in that space, time to, I guess, I don't know if grieve is the right word, but it's important to me that I don't have a whole lot to say there, and it's very easy for me to say something that comes across as crass, or not well thought out, or unintentionally insulting to a lot of very good people. So, I'm sitting here on the sidelines watching it and more or less sitting this one out, but it's deeply affected enough people that I wanted to talk about it here.

Pete: Yeah. And I'm glad that we are taking this opportunity to talk about it a bit. I had a lot of thoughts and feels. I tried to write a blog post about this to try to get them down somewhere, and a couple of paragraphs into it, I just, I really couldn’t… it just seemed like a meandering random mess of words without any real destination. But a few people online have mentioned this, and I'll definitely call it out as well, which is that Chef was, it was a tool. It was a tool like any other. You either loved it or you hated it. If you hated it, you probably really loved Ansible, or you really loved Puppet. It was a really, kind of, Vim versus Emacs feel to it, where you either we're all in on it or not.

But the thing that I think Chef really brought for me is not only leveling up my career in a way that I would not be where I'm at today if it wasn't for that tool and that community, but just how genuine everyone was within that community, and the interactions that we had at conferences, at Chef conferences, DevOps conferences and things of that nature, and even continued the conversations online back before Slack, which it's hard to even remember that: when we all were on IRC, and we were in the Chef IRC channel, and it was a fantastic channel with a ton of people who would dive in and help you out on your Chef problems....

Is the AWS Free Tier Really Free? (AMB Extras)

Corey Quinn — Wed, 16 Sep 2020 03:00:00 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/is-the-aws-free-tier-really-free/

Sponsors

A Cloud Guru: https://acloudguru.com
New Relic: https://newrelic.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Going Flat Out Like A Koala In Season

Corey Quinn — Mon, 14 Sep 2020 03:00:00 -0700

AWS Morning Brief for the week of September 14th, 2020.

Pulling Back the Curtain on Palantir (Whiteboard Confessional)

Corey Quinn — Fri, 11 Sep 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey: This episode is brought to you by Trend Micro Cloud One™. A security services platform for organizations building in the Cloud. I know you're thinking that that's a mouthful because it is, but what's easier to say? “I'm glad we have Trend Micro Cloud One™, a security services platform for organizations building in the Cloud,” or, “Hey, bad news. It's going to be a few more weeks. I kind of forgot about that security thing.” I thought so. Trend Micro Cloud One™ is an automated, flexible all-in-one solution that protects your workflows and containers with cloud-native security. Identify and resolve security issues earlier in the pipeline, and access your cloud environments sooner, with full visibility, so you can get back to what you do best, which is generally building great applications. Discover Trend Micro Cloud One™ a security services platform for organizations building in the Cloud. Whew. At trendmicro.com/screaming.

Corey: Welcome to the AWS Morning Brief. I'm Cloud Economist Corey Quinn, And this is the Whiteboard Confessional segment that has increasingly been taken over by my colleague, Pete Cheslock, as we tear through various cloud-based companies, public filings as they race to go public and inflict their profits, or in more cases, losses on the public markets. Pete, thanks for joining me.

Pete: I am super happy to be back again, and making my mother happy that I'm actually using that MBA that I spent all that time to get.

Corey: So, we could wind up talking just about how Palantir is awful in a variety of ways. My personal favorite was the letter that their CEO attached saying that effectively engineers were stupid and didn't see the big picture, which is a weird thing to say about a whole group of people you're actively trying to hire, but all right. Let's talk about their S-1 filing. This has been anticipated for a while. What do you think?

Pete: Well, Palantir has been around for a very long time. I think it's been around a lot longer than a lot of people realize. You know, early 2000s. It was technology built to tie data together and to be honest, I only know—I’ve ever heard of one company actually using Palantir—the technology—a commercial company. They were actually using it as a SIM—SIM, whatever you want to call it—Security Information Management System—

Corey: Event management or something like that. Yeah.

Pete: Exactly. And ironically enough, that company actually—that was using Palantir—replaced it with an Elasticsearch ELK stack, which I thought was fascinating. I know nothing about their software, but I was very fascinated to read the S-1 because there's been this mythology around it and you can hear so much about insiders at Palantir, employees selling their shares in this wide secondary market. So, I was very curious to see what we were going to find, and there are definitely some interesting bits within.

Corey: There certainly are. And it's strange because for a while Palantir was doing interesting things in the market. They were offering $20,000 referral bonuses to people who referred engineers in for certain roles, and you didn't have to be a Palantir employee to do it, which was fascinating. They've recently moved headquarters from Palo Alto over to Denver, Colorado, which… okay. They are claiming it's for this whole lofty mission. Let's not kid ourselves: it's a tax play. [laughs].

And there's also a whole bunch of interesting stuff buried in here. But yeah, in many ways, this is a legacy company in some respects. It's been around almost 20 years. And strangely, I don't know about you, but I don't know anyone who works for Palantir. I did a little digging in preparation for this episode, and it turns out, I actually kind of do, but they're very quiet about it. It's one of those things where people don't want to be called out for working at a company that is this particular flavor of controversy, and I can't say I blame them.

Pete: Yeah, I haven't looked through my LinkedIn to see if any of my connections have ever worked there. Granted, it's such a West Coast company that me out in the East Coast, be pretty rare to run into anyone out here who's kind of taken their time and done the Palantir. I have heard, again, the rumors that they've always paid very well, and—

Corey: They would kind of have to.

Pete: You know, in the Bay Area, you kind of have to. And competing for talent against other places who pay really well, like Netflix, and Uber, and all these other big companies that are out there. So, it's a big competition for the top talent.

Corey: Oh, yeah. And most of what they do is data analytics. They take in a whole bunch of data, and they crunch a whole bunch of numbers and come out with other stuff. Historically, they have been focused on selling their services to governments, but now they're expanding in the enterprise story as well. And that is, of course, going to be a bit of a challenge for them as they expand into it, but we can talk about what they do, how they do it, and all the other challenges. Let's talk about Cloud. What do we know about their cloud environment based upon their public filing?

Pete: Well, they talk about their commitments. So, this is something you often see in S-1s of their various cloud commitments, and I think this one was super interesting in that they listed commitments for about $1.5 billion in cloud commitments over six years, and this was an agreement they entered into at the end of last year. Just a massive, massive amount of cloud spend commitment, right?

Corey: Yeah, it’s a quarter billion dollars a year in spend. Which is, again, we see a number of customers in that range pretty frequently, it's not always typical to see the better part of a decade done to satisfy those commitments, though. Usually they're, “Well, this stuff is always changing. Let's talk about doing this for the next three years.” Six is a bit on the outside range of what we tend to see.

What's fun to me was the breakdown of that commitment, which was just—I've been using this as a talking point for a week now—which is they have to undisclosed cloud companies in this part. They mention elsewhere that they use Azure and that they use AWS. Great. Fine. For one cloud provider, they have a six-year commitment of $1.49 ...

Dipping my Toes into Digital Ocean (AMB Extras)

Corey Quinn — Wed, 09 Sep 2020 03:00:00 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/dipping-my-toes-into-the-digitalocean

Sponsors

A Cloud Guru: https://acloudguru.com
New Relic: https://newrelic.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon Repeatedly Stomps on Own Schmeckel

Corey Quinn — Mon, 07 Sep 2020 03:00:00 -0700

AWS Morning Brief for the week of September 7, 2020.

SnowflakeDB’s S-1: The Fine Print (Whiteboard Confessional)

Corey Quinn — Fri, 04 Sep 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey: Welcome to the AWS Morning Brief: Whiteboard Confessional series, where I am joined once again by my colleague, Pete Cheslock. Pete, thanks for taking the time to tolerate my slings, arrows, and other various forms of cynicism.

Pete: You know, I didn't take that much offense to the fact that I have an MBA, so I decided to come back and see if we can make use of that investment.

Corey: So, fun story. The last one of these that we did was talking about—who's one was that? They're starting to run together at this point.

Pete: That was Sumo Logic’s.

Corey: That's right. And it was, “Oh, let’s talk about what they're doing.” And then throughout the day, I think five tech companies all filed to go public, which is just bizarre. So, we're going to take a couple more episodes to slice and dice a couple more that were of interest to us.

Pete: Yeah, absolutely. We're going to chat about one that I was honestly been waiting for because of the hype and the myths around this company. But it's a big data company called Snowflake.

Corey: They're very special and unique.

Pete: They're very special. I think—I often will listen to CNBC in the background, it's kind of interesting to get little words, and sometimes tech pops up into a CNBC broadcast. When Snowflake filed. I think one of the announcers had said something to the effect of, “I don't know why you'd want to be called Snowflake.” [laughs]. So, I had a good chuckle at that one.

Corey: Because they've been around longer then that's been a disparaging term used by jerks.

Pete: [laughs]. Exactly, exactly. So, they filed their S-1 in that flurry with a whole slew of other companies—which we will definitely get to at least one more of those—and honestly, this company, I've never worked there. I did at one point go through a sales process which I can share some of my thoughts and opinions there, but the reason why I was so excited to see this one is because of the sheer amount of VC money that this company has raised, well over—I don't know if ‘well over’ but definitely over a billion dollars of VC funding raised. It's crazy.

Corey: My comment at one of the big tech conferences last year—back when that was a thing we went to—was I was walking around their booth, and I noticed that they had this mock-up of a race car suspended in the air. And then I realized, “Oh, my God, that isn't a mock-up.” Which told me at that point that if you're paying retail pricing for Snowflake, you're probably doing something very wrong.

Pete: Yeah, absolutely. I think to dive into one of my favorite Snowflake stories, at a previous company, we were checking Snowflake out—we got connected with them via some connections our head of product had and some success that we heard that Snowflake had with helping, you know, a data warehouse. That's what it is: it's a data warehouse technology. If you're in the Amazon ecosystem, you might be using Redshift. Snowflake can do some of those things, it can do some other things.

Corey: Why would I use something like Snowflake instead of Redshift? I mean, for starters, naive approach as well, okay, this is in a different Amazon account, so at minimum, I'm going to be paying data transfer in and out on both sides. But again, we're talking data warehousing, the data transfer is usually something of a rounding error compared to all the extra cost goes into that.

Pete: And this is where I think a lot of their growth in the early days came from a lot of the deficiencies in Redshift. In technologies, in the investment that Amazon was doing there, Snowflake could do a lot of things just simply better. I think additionally, too, they were probably taking a lot of business from Oracle shops and things of that nature. But I do know a friend of mine at his company, they had a well over a million dollars a month in Redshift spend, and they actually moved over to Snowflake as a cost-savings initiative. It was significantly cheaper.

But what’s, I think, so fascinating, when I heard that I was like, “Well, hold on a second. You know, Snowflake runs inside of Amazon.” So, I'm always curious of how that relationship exists with Amazon where you've got some account manager who's going to lose on some big spend of an Amazon customer by their Redshift spend going down dramatically, but then whoever the account manager for Snowflake must just be super excited by that because obviously their spend is going to go up.

Corey: Yeah, on some level, if you're running a data warehouse on top of AWS, from the high-level AWS perspective, well, is it spend that’s going to happen on your account, or is it spend that’s going to happen on Snowflakes account? It's not likely that you're going to be building everything on top of AWS, and then Snowflake is going to be running its stuff on another provider. The data transfer charges there become exceedingly non-trivial.

Pete: Yeah, absolutely. One of the things that is interesting about how Snowflake works, at least from my recollection a few years ago, is that you can stream your data into S3 which is very cost-effective. Snowflake can actually ingest your data from S3, and what they basically do is they put it into their S3. And you pay the same S3 pricing. I remember the sales guy.

He w...

8 AWS Terms Project Managers Need to Know (AMB Extras)

Corey Quinn — Wed, 02 Sep 2020 03:00:00 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/8-aws-terms-project-managers-need-to-know/

Sponsors

A Cloud Guru: https://acloudguru.com
New Relic: https://newrelic.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Amazon EC2 Hibernation Bear is High Koala-ity

Corey Quinn — Mon, 31 Aug 2020 03:00:00 -0700

AWS Morning Brief for the week of August 31st, 2020.

The Logic of Sumo Logic’s IPO (Whiteboard Confessional)

Corey Quinn — Fri, 28 Aug 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey: Welcome to the AWS Morning Brief, what is normally the Whiteboard Confessional slot, but lately, I had such a good time speaking last week with my colleague Pete Cheslock that we're back again today. Say hello, Pete.

Pete: Hello.

Corey: So, as of the day we are recording this, earlier in the week, the Sumo Logic S-1 has been released, which means that Sumo Logic—motto, “We do logs, too.”—also is going public, which seems to be a bit of a flurry lately of companies deciding to, well, to be uncharitable, inflict themselves on the public markets.

Pete: Yeah, it turns out when you take venture capital money, eventually those venture capitalists, they would like to see a return. So, kind of make sense in a little ways, but at the same time, it's just, I guess, another location to raise money.

Corey: One of the problems that I've run into across the monitoring space, as these companies go public is—let's ignore the fact that it seems like none of them seem to be making money in a profitable basis. I mean, I haven't looked at the details yet, but Sumo is losing money, correct?

Pete: Oh, yeah. Yeah, absolutely. Although let's be really honest, that's not really a dig at Sumo. I mean, they all lose money. [laughs].

Corey: And to be fair, they also raised only—quote-unquote, “only”—$340 million while they were private. But there's a strange inflection here around how monitoring companies seem to work in this space. I don't know who sponsors any given episode of this show until after I've already recorded it, so I'm really hoping it's not them, but if it is, our goal is to be authentic. And it seems to me that there's very little differentiation in all of these companies that offer log analysis, for the most part. I mean, ChaosSearch, where you used to work, had something actually innovative in this space where the data lives in S3 and you can query it without having to pay the same extortionate rates that everything else did. But by and large, most of the rest of the players in this space, it seems the differentiator is starting to be marketing. Am I missing something stupendous?

Pete: No, I think you're spot on there, and you can normally see it when you look at a company's S-1. So, that S-1 includes a lot of information within there, but some of the key points are—at least that I kind of look at—are some of their financial statements; I'm just curious what their revenue is, what it costs to bring in that revenue, profit and everything else. But these companies, they break out their operating expenditures across things like research and development, sales and marketing, and for a lot of these marketing companies, you'll find their spend in sales and marketing to be just huge. In many ways, their spend is nearly their revenue. And let's not forget you still have engineers and your Amazon bill that you have to pay for as well. So, they seem to be very marketing-centric because it's a knife fight out there in the monitoring space, monitoring and logging. It seems like every day, there’s a new logging and monitoring company popping up with just a different way of doing things.

Corey: I get that it's a hard space and these problems are incredibly challenging. The challenge that I run into though is, in many cases, I just want a centralized place where I can effectively look at the logs in real-time as events happen, and start looking for specific patterns with various filters, and that's about it. And it seems like that is a somewhat naive use case—which I get—but then every company out there is chasing Splunk in one form or another. Because Splunk was the first company that really did this right, and they charged the appropriately high ransom in order to make that happen, and then everyone else seemed to go through a generation of, “We’re like Splunk, only not horribly expensive.” And then it became increasingly complex and down this entire path to a point where now, I'm looking at any of these tools and it turns out I need to take a class before I'm able to use them effectively, to learn their own variants of SQL, or how to wind up pointing it at some esoteric data source I'd forgotten.

Pete: Yeah, I think—and I've actually had a bunch of conversations with—as you would expect from spending some time at a logging data analytics company—but there's almost like multiple waves of logging that has happened. And Splunk was kind of the first in many ways. They created a revolutionary way of storing data. That was what they built. That was the core technology way earlier than a lot of other people were dealing with this problem.

They also focused a lot in the SIM/SIEM—that's security, information, event management. So, they sold in a lot of ways to these security companies. And then you had companies that started to pop up that were in the more of the monitoring space, like the Datadog and the New Relics of the world. Datadog and New Relic were getting the requests, “Well, we want logging, too. Like, we're paying for this.” And so then they started consolidating on logging.

And then you had kind of the next generation was like, well, it costs too much money to use these hosted vendors, and the reason it costs so much is because they're using these open source technologies to store this log data, so there's no real innovation there, and this next wave of logging companies that exist out there are all like the, “Well, what if you didn't index your data? What if you just tagged it really, really well?” And that's this third wave we're into now, wher...

Route 53 Query Logging (AMB Extras)

Corey Quinn — Thu, 27 Aug 2020 09:25:20 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link https://www.lastweekinaws.com/blog/everything-you-need-to-know-about-route-53-resolver-query-logging/

Sponsors

A Cloud Guru: https://acloudguru.com
New Relic: https://newrelic.com/

Sponsors

New Relic: https://newrelic.com/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Comfortably Spit a Rat

Corey Quinn — Mon, 24 Aug 2020 03:00:00 -0700

AWS Morning Brief for the week of August 24, 2020.

Whiteboard Confessional: Google’s Deprecation Policy

Corey Quinn — Fri, 21 Aug 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey: Normally, I like to snark about the various sponsors that sponsor these episodes, but I'm faced with a bit of a challenge because this episode is sponsored in part by A Cloud Guru. They're the company that's sort of famous for teaching the world to cloud, and it's very, very hard to come up with anything meaningfully insulting about them. So, I'm not really going to try. They've recently improved their platform significantly, and it brings both the benefits of A Cloud Guru that we all know and love as well as the recently acquired Linux Academy together. That means that there's now an effective, hands-on, and comprehensive skills development platform for AWS, Azure, Google Cloud, and beyond. Yes, ‘and beyond’ is doing a lot of heavy lifting right there in that sentence. They have a bunch of new courses and labs that are available. For my purposes, they have a terrific learn by doing experience that you absolutely want to take a look at and they also have business offerings as well under ACG for Business. Check them out. Visit acloudguru.com to learn more. Tell them Corey sent you and wait for them to instinctively flinch. That's acloudguru.com.

Corey: Welcome to the AWS Morning Brief. In lieu of the Whiteboard Confessional’s traditional approach today, I want to talk about a different kind of whiteboard issue. Specifically the whiteboard interview you wind up taking at Google, which is just a giant red herring because the real question is “How well did you erase the whiteboard afterwards?” so it aligns with their turning stuff off that people love policy. I'm joined this week by my colleague, Pete Cheslock from The Duckbill Group. Welcome, Pete.

Pete: Hello.

Corey: So, we're talking today about Steve Yegge’s article that went around the internet three times over the weekend, and it was titled “Dear Google Cloud, Your Deprecation Policy is Killing You.” Normally, you would think that that would be some form of clickbait headline, but it's not. It was a massive 23-minute long read, as per Medium. And we will, of course, throw a link to this in the [show notes]. But, Pete, what was your take on this thing?

Pete: Well, I missed it on the first go around, but when you sent me over the link, and the first thing I saw was Medium saying, a 23 minute read, and you had told me how this post had blown up. I think that really speaks for how incredibly well written this post is about this particular issue, that people in this world are willing to invest 23 minutes to read it. I was locked into it the whole time. It held my attention the whole time because of just how deep it went into Google and just how they operate.

Corey: Steve Yegge is famous for doing the platforms rant back in 2012 or so. He's a former Amazon employee who I think spent something like seven years at Amazon, about an equal time at Google, left to go run architecture at Grab a couple of years back, and then, due to these unprecedented times, is now independent/doing his own thing right now. So, that is an absolutely fascinating trail because when he writes about this stuff, he knows what he's talking about. This isn't one of those, “Eh, I’m just going to go ahead and pen something that's poorly articulated, and see what happens.” What's more amazing is I haven't seen much in the way of pushback on this. The points that he hits in this article are pretty damning, and even people from Google are chiming in with, “Yeah, that tracks.”

Pete: Yeah, and for all those listening that maybe haven't read this yet, maybe going to go read it after listening to this. What the real, I guess, crux of this post is about is how Google aggressively deprecates things and the kind of culture within Google that really drives that world to happen, and how just opposite it is to a company like Amazon. I think my biggest takeaway from this was this light bulb, “Oh my goodness, it all makes sense now,” idea of how aggressively Google deprecates things has to do with code cleanliness. They don't like five different APIs to do the same thing, so they'll deprecate four of them and keep things clean and whatever. And what I think is really interesting, too, that I read in here is how internally, this works great for Google Because they have all these tools that can automatically update code, and update APIs, and let people know if a deprecation is happening. But he compares this to, like, Java and Emacs, which historically, take decades—if ever—fully removing APIs. It was a really fascinating read.

Corey: It really was and one thing that stuck with me was, it makes perfect sense in hindsight. If you are Google and can dictate how all of your employees write software that makes it into production and have automated tooling to go back and handle deprecations for you, then great, that does work. The problem is, is that the rest of the world is not like your internal engineers. The problem I see behind Google Cloud, by and large, is that it assumes that everyone tends to write software the way that Google engineers would. That's not a valid assumption, I assure you. I write software that is nothing like anyone who calls themself a software engineer would ever write, but your cloud offering has to support my nonsense.

Pete: Right. Compare this to Amazon. So, that's one of the biggest other takeaways that really hit me. And this came up when I think I was looking at a cloud bill and seeing SimpleDB still on it. SimpleDB, which they don't really market it, they don't tell you to use it, it's not part of design things. Although, Corey, you can correct me if I'm wrong there, if it's included, if it's really talked about much anymore, I don't think it is—

Corey: No, they've tried to bury it, but they are still hiring for that team from time to time.

Pete: That's—yeah, I remember you had mentioned that. And so think about that. Think about the m1.medium, right. I think m1.medium was the first instance type back in 2006—

Could you imagine if Amazon deprecated some...

Cloud Repatriation Isn’t a Thing (AMB Extras)

Corey Quinn — Wed, 19 Aug 2020 05:13:38 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/cloud-repatriation-isnt-a-thing/

Sponsors

A Cloud Guru: https://acloudguru.com
New Relic: https://newrelic.com

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

AWS Observerless Now GA

Corey Quinn — Mon, 17 Aug 2020 03:00:00 -0700

AWS Morning Brief for the week of August 17, 2020.

Whiteboard Confessional: The Case for Internal Tooling

Corey Quinn — Fri, 14 Aug 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semi-polite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real-world forces us to build, and that the best to call your staging environment is “theory”. Because invariably whatever you’ve built works in the theory, but not in production. Let’s get to it.

In almost any production environment, there's going to be a few tasks as your company grows that someone winds up having to perform in your production app. And in many cases, the people who have to perform those tasks are themselves not excessively technical, which means if you fail to properly invest in internal tooling, well, that means you're going to have someone who winds up getting this, effectively, printed out page that hangs in their cubicle—or equivalent during these uncertain times—where they wind up following a checklist of, step one: SSH into a production server. Step two: copy and paste the following command, which in turn, I don't know, spins up a Ruby on Rails console, or does some task on the database and returns a query. Now, this is universally recognized as awful because, for better or worse, most business users are not overwhelmingly comfortable when it comes to using SSH on the command line.

Now, in an ideal world with unlimited resources, you would be able to have an internal tools developer who could focus on things like that specifically for your teams. And in fact, most very large hyper-scale companies have entire herds of people doing nothing but that. But when you're building something from scratch, and you're a relatively small, scrappy team, it's much more challenging because you take a step back and have to make some unfortunate and challenging determinations of, “Okay, am I going to A) sit here and have very expensive people build tooling, or B) have them work on features, which, you know, bring money into the company?” I'm not going to sit here and say that people are wrong for not investing in internal tooling early on.

But at some point, the longer you go without making those investments, the greater your risk is because someone is going to get something wrong. They're going to fat-finger a command somewhere; they're going to run it on the wrong system; a key pair is going to not do what it needs to do; some error-checking was not built into whatever script you're having them run, and a command is going to fail, but it's going to continue on as if it succeeded and potentially run the wrong thing in the wrong place. It effectively is setting up a recipe for disaster, and when this happens, as it inevitably will, the natural response is going to be to blame the poor schmuck who had to go ahead and run your crappy shell script command because you couldn't bother to invest in internal tooling. This is an area that's near and dear to my heart because it's something that I spend a fair bit of time worrying about myself. Again, I've built a ridiculous architecture that powers my newsletters, and I have a separate aspect of that, that lets my ad sales folks wind up injecting sponsor stuff into the newsletter for me.

Fun fact that isn't super well known, I don't see any of the sponsor stuff that goes out in my newsletter until after I've already written that week's issue because I don't want to wind up finding myself having to change what I say to avoid irritating a sponsor, you know, like someone with a sense of self-preservation or an appreciation for maintaining their income might do. So, it's sort of an editorial firewall for me. In order for that to make sense, though, there was no way in the world I was going to get away with having people who are managing the ad sales portion, SSH-ing into a box, and running this arcane script that talks to DynamoDB. And, “Oh, yeah, just run this script; it invokes a lambda function, and—hey, where are you going? Come back,” is how that story is going to play out.

So, my initial approach was to look into what it would take to pay someone who's good at building web forms and front-end tooling. It turns out those people cost a lot of money. My approach was to ultimately use Retool, which I've talked about repeatedly on this show, but there are a lot of tools in this space. AWS Honeycode, for example, is one of the worst examples of something like this. The value there is that it ties together a bunch of APIs with a drag-and-drop Visual Basic style interface that lets you build internal web apps.

And their pricing model is such that you would never in a million years use this for anything public. But for internal tooling, it's a great approach. Sure, you need some developer time to set up the APIs, or the scripts that it calls on the back end, but it's really an accelerated function here because you don't need anyone to spend time on UI, past drag and drop. When it comes time to update something, you can wind up changing an API parameter or building a quick API on the other side and the interface remains remarkably consistent for users. There are a number of tools like this out there, and I'm a big fan of the no-code/low-code movement, specifically because it solves incredible business issues here.

This episode is sponsored in part by our good friends over a ChaosSearch, which is a fully managed ...

Disaster Recovery (AMB Extras)

Corey Quinn — Wed, 12 Aug 2020 13:10:42 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/your-disaster-recovery-plan-is-a-joke-written-by-clowns/

Sponsor

New Relic: https://newrelic.com/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Don't Hate the Player; Hate the Name

Corey Quinn — Mon, 10 Aug 2020 03:00:00 -0700

AWS Morning Brief for the week of August 10, 2020.

Whiteboard Confessional: Secrets about Secrets Management

Corey Quinn — Fri, 07 Aug 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Welcome. I am Cloud Economist Corey Quinn, and this is the AWS Morning Brief: Whiteboard Confessional. One of the nice things about how I do business is that I don't actually know when I record these episodes, who is going to be sponsoring it. Today, I'm going to talk about secrets management. The reason I bring this up is that should whatever sponsor has landed the ad slot for this week be talking about a different way of handling secrets management, you should of course disregard everything I'm about to say, and buy their product and or service instead. That said, let's talk about secrets management and how it can be done in some of the most appalling ways imaginable.

There are a depressing number of you listening to this, where if I were to steal your laptops, A) you potentially would not have hard drive encryption turned on, so I could just pull things off of your system. That said, most modern operating systems do this by default now, so that's less of a threat. Now, let's pretend that I wind up instead surmounting an almost impossible barrier. That's right, getting a corrupted browser extension onto your system that somehow has access to poke around in your user's home directory.

Think for a second about what I might find. Would I find, oh, I don't know, SSH keys that would grant me access to your production environment? Well, that wouldn't be that big of a problem because there's no possible way I would know what hosts they go for unless I look at the known_hosts file sitting right next to your SSH keys. But even that's a little esoteric because that's not something I would ever do at grand scale. Let’s instead consider what happens if I poke around in the usual spots and find long-lived IAM credentials, or whatever your cloud provider of choice’s equivalent is, which I believe is IAM in most cases unless you're using IBM Cloud, in which case, it's probably an old-timey skeleton key that is physically tied to your laptop.

Now, the reason this becomes a common pattern is because it's honestly pretty convenient. You're going to need to be able to access production environments or your cloud environment, and have permissions that are generally granted to you, and ease of access is always juxtaposed with convenience. And invariably, convenience tends to win out. Sure, you can mandate the use of multi-factor authentication for those credentials to get into production, but that means you have to type in a code or press a button on a Yubikey, or something else. That fundamentally means you're going to be spending a lot more time pressing buttons or digging out passphrases than you're going to spend getting into production in a hurry.

So, we make trade-offs; we cheat; it's human nature. And of course, once you get into your production environment, things are rarely better. It seems that you have a choice. You can either have the same password shared absolutely everywhere within an environment, or you have these incredibly secure key management systems, but in return becomes virtually impossible to rotate credentials. We've seen this before, and we've talked about this before. When we look at what happens when someone leaves a job unexpectedly, and suddenly the credential rotation causes four site outages in the next two days.

There's always a trade-off here. And the problem is, is that these elaborate multi-step secret retrieval processes that people can deploy are no stronger than their weakest link. I've talked about it in an early episode, but probably one of the most bizarre I've ever seen was for regulated data, where in order to start the database server, it required a long key that was cut into pieces, and then we needed to have multiple staff contribute and turn their key like we were launching a freakin’ nuclear missile from a submarine. And it worked, sure, but at the same time, it meant to restart a server, you needed at least two people nearby, and that became a little nutty. Let's also ignore for a minute the fact that this was just for encrypting the data at rest.

Once the service was running, it was loaded into RAM. There was no real guarantee that this was going to be any more secure than anything else. And let's face it, we're living in an era now where people stealing the server out of our cloud-hosted environment is not the primary or secondary or tertiary threat modeling that anyone has to do. For better or worse, you can give an awful lot of crap to the cloud providers, but they've pretty much solved the ‘someone rams a truck into the side of the building, grabs a rack into the back of said truck and peels off into the night.’ Except IBM Cloud. So, what are some patterns that work for this? Great question. But first:

Multi-Cloud is the Worst Practice (AMB Extras)

Corey Quinn — Wed, 05 Aug 2020 07:30:00 -0700

Links Mentioned

Want to give your ears a break and read this as an article? You’re looking for this link https://www.lastweekinaws.com/blog/multi-cloud-is-the-worst-practice/

Sponsors

New Relic: https://newrelic.com/

Never miss an episode

Join the Last Week in AWS newsletter
Subscribe wherever you get your podcasts

Help the show

Leave a review
Share your feedback
Subscribe wherever you get your podcasts

What's Corey up to?

Drastic Load Balancing Code Changes

Corey Quinn — Mon, 03 Aug 2020 03:00:00 -0700

AWS Morning Brief for the week of August 3rd, 2020.

Whiteboard Confessional: The Bootstrapping Problem

Corey Quinn — Fri, 31 Jul 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Hello, and welcome to this edition of the AWS Morning Brief: Whiteboard Confessional, where we confess our various architectural sins that we and others have committed. Today, we're going to talk about, once upon a time, me taking a job at a web hosting provider. It was the thing to do at the time because AWS hadn't eaten the entire world yet, therefore, everything that we talk about today was still a little far in the future. So, it was a more reasonable approach, especially for those with, you know, budgets that didn't stretch to infinity, or willingness to be an early adopter of someone else's hosting nonsense to go ahead and build out something in a data center.

Now, they were obviously themselves not hosting on top of a cloud provider because the economics made less than no sense back then. So, instead, they had multiple data centers built out that provided for customers various hosting needs. Each one of these was relatively self-contained unless customers wound up building something themselves for failover. So, it wasn't really highly available so much as it was a bunch of different single points of failure, and an outage of one would impact some subset of their customers, but not all of them. And that was a fairly reasonable approach provided that you communicate that scenario to your customers because that's an awful surprise to have later in time.

Now, I was brought in as someone who had had some experience in the industry, unlike many of my colleagues who had come from the hosting provider’s support floor and promoted into systems engineering roles. So, I was there to be the voice of industry best practices, which is a terrifying concept when you realize that I was nowhere near as empathetic or aware back then as I am now, but you get what you pay for. And my role was to apply all of those different best practices that I had observed, and osmosed, and had bluffed, into what this company was doing, and see how it fit in a way that was responsible, engaging, and possibly entertaining. So, relatively early on in my tenure, I was taking a tour of one of our local data centers and asked what I thought could be improved. Now, as a sidebar, I want to point out that you can always start looking at things and pointing out how terrible they are, but let's not kid ourselves; we very much don't want to do that because there are constraints that shape everything that we do and we aren't always aware of them. So, making people feel bad for their choices is never a great approach if you want to stick around very long. So, instead, I started from the very beginning, and played, “Hi. I'm going to ask the dumb questions, and see where the answers lead me to.”

So, I started off with, “Great, scenario time. The power has just gone out. So, everything's dark, now how do we restart the entire environment?” And the response was, “Oh, that would never happen.” And to be clear, that's the equivalent of standing on top of a mountain during a thunderstorm, cursing God while waving a metal rake into the sky. After you say something like that there is no disaster that is likelier. But all right, let's defuse that. “Humor me. Where's the runbook?” And the answer is, “Oh, it lives in Confluence,” which is Atlassian’s wiki offering. For those who aren't aware, Wikis in general, and Confluence in particular, is where documentation and processes go to die. “These are living documents,” is a lie that everyone says because that's not how it actually works.

“Cool. Okay, so let's pretend that a single server instead of your whole data center explodes and melts. When everything's been powered off, you turn it back on. That one doesn't survive the inrush current, and that one server explodes. That server happens to be the Confluence server. Now what? How do we bootstrap the entire environment?” The answer was, “Okay, we started printing out that runbook and keeping it inside each data center,” which was a way better option. Now, the trick was to make sure that you revisited this every so often, when something changed, and make sure that you weren't looking at how things were circa five years ago, but that's a separate problem. And this is fundamentally a microcosm of what I've started to think of as the bootstrapping problem. I'll talk to you a little bit more about what those look like in the context of my data center atrocities. But first:

This episode is sponsored in part by our good friends over a ChaosSearch, which is a fully managed log analytics platform that leverages your S3 buckets as a data store with no further data movement required. If you're looking to either process multiple terabytes in a petabyte-scale of data a day or a few hundred gigabytes, this is still economical and worth looking into. You don't have to manage Elasticsearch yourself. If your ELK stack is falling over, take a look at using ChaosSearch for log analytics. Now, if you do a direct cost comparison, you're going to say, “Yeah, 70 to 80 percent on the infrastructure costs,” which does not include the actual expense of p...

AWS re:Lease The Kraken

Corey Quinn — Mon, 27 Jul 2020 03:00:00 -0700

AWS Morning Brief for the week of July 27, 2020.

Whiteboard Confessional: The Worst Thing You’ll See on Any Whiteboard

Corey Quinn — Fri, 24 Jul 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

This episode is brought to you by Trend Micro Cloud One™. A security services platform for organizations building in the Cloud. I know you're thinking that that's a mouthful because it is, but what's easier to say? “I'm glad we have Trend Micro Cloud One™, a security services platform for organizations building in the Cloud,” or, “Hey, bad news. It's going to be a few more weeks. I kind of forgot about that security thing.” I thought so. Trend Micro Cloud One™ is an automated, flexible all-in-one solution that protects your workflows and containers with cloud-native security. Identify and resolve security issues earlier in the pipeline, and access your cloud environments sooner, with full visibility, so you can get back to what you do best, which is generally building great applications. Discover Trend Micro Cloud One™ a security services platform for organizations building in the Cloud. Whew. At trendmicro.com/screaming.

Welcome to the AWS Morning Brief: Whiteboard Confessional. I am Cloud Economist Corey Quinn, which means that I fix the horrifying AWS bill both by making it more understandable, as well as lower. On today's episode of the AWS Morning Brief: Whiteboard Confessional, I looked around the whiteboards in the backgrounds of the Zoom calls that I'm having with basically everyone these days because going to the office during a pandemic is and remains a deadly risk, and it's amazing how much you can learn about people's companies by what they leave on the whiteboards. Whether you happen to be visiting their office or left inattentively in the background because they forget that they didn't turn on the Zoom background.

One of the most disturbing things that we'll see on any whiteboard in any company that you work at, ever, is an org chart. And what makes it disturbing, first off, is that when you see an org chart, that means that generally, someone is considering reorganizing, which is a polite framing of shuffling the deck chairs on the Titanic. It ties into one of the great corporate delusions that somehow you're going to start immediately making good decisions, and all of the previous poor decision making you've made is going to fall away like dew in the new morning. And the reason that that's the case is that everyone tends to be an optimist when looking forward because otherwise, we'd wake up crying and never go to work.

Have you ever noticed that you can take a look at an org chart or an architecture diagram and remove all of the labels, and you've accidentally built the exact same thing just with different services rather than teams? Well, I'm certainly not the first person to make this observation. What I'm talking about is known as Conway's Law. Conway's Law is named after computer programmer Melvin Conway, who in 1967 introduced a phenomenal idea, for the time, that we still haven’t escaped from, specifically, any organization that designs a system defined broadly will produce a design whose structure is a copy of the organization's communication structure. Effectively what that means is you ship your culture as well as your org chart, and if we take a look at how different seminal software products of the ages have come out. It's pretty clear that there is at least some passing resemblance to reality.

You take a look at Amazon; they're effectively an entire microservices company. They have so many different small two pizza teams building things, and sure enough, you take a look at AWS, for example, they have 200 some-odd services that are ideally production-grade, but again, it's a mixed bag. Because again, not every team is identical, and not every team has the same resources. So, as a result, though, you take a look at that, that is the good part of their culture. Well, what's bad? Well, anything that involves all of those teams to coordinate at once on something. Think of the billing system. Think of the AWS web console. You start to see where these things break down. These are the seams between services that AWS tends to miss out on.

If you take a look at Google, for example, the entire model there, to my understanding, is you want to get promoted and you want to get a raise, and that all comes down to certain metrics that don't necessarily align with what people want to be working on. So, you see people instead focusing on things that are they're incentivized to do to go up in the org, and not maintain things that they built last year, which is why I suspect, at least, that we see this neverending wave of Google product deprecations. And the list goes on, and I'm certainly not a corporate taxonomist; I'm a cloud economist, so I'm not going to go into too much depth on what that looks like in different places, but it does become telling. Let's get into that a bit more. But first:

This episode is sponsored in part by ChaosSearch. Now their name isn’t in all caps, so they’re definitely worth talking to. What is ChaosSearch? A scalable log analysis service that lets you add new workloads in minutes, not days or weeks. Click. Boom. Done. ChaosSearch is for you if you’re trying to get a handle on processing multiple terabytes, or more, of log and event data per day, at a disruptive price. One more thing, for those of you that have been down this path of disappointment before, ChaosSearch is a fully managed solution that isn’t playing marketing games when they say “fully managed.” The data lives within your S3 buckets, and that’s really all you have to care about. No managing of servers, but also no data movement. Check them out at chaossearch.io and tell them Corey sent you. Watch for the wince when you say my name. That’s chaossearch.io.

Now, one thing that I sort of pride myself on being—because I have to be—is data center archaeologist. Frankly, these days it’s cloud archaeology. But when I go into a new client environment, I ask them to show me the...

AI/ML Marketing Algorithm Continues to Malfunction

Corey Quinn — Mon, 20 Jul 2020 03:00:00 -0700

AWS Morning Brief for the week of July 20, 2020.

Whiteboard Confessional: The Right and Wrong Way to Interview Engineers

Corey Quinn — Fri, 17 Jul 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Sponsorships can be a lot of fun sometimes. ParkMyCloud asked, “Can we have one of our execs do a video webinar with you?” My response was, “Here’s a better idea. How about I talk to one of your customers instead, so you can pay to make fun of you.” And turns out, I’m super-convincing. So, that’s what’s happening. Join me and ParkMyCloud’s customer, Workfront, on July 23rd for a no-holds-barred discussion about how they’re optimizing AWS costs, and whatever other fights I manage to pick before ParkMyCloud realizes what’s going on and kills the feed. Visit parkmycloud.com/snark to register. That’s parkmycloud.com/snark.

Welcome. I am Cloud Economist Corey Quinn, and this is the AWS Morning Brief: Whiteboard Confessional; things that we see on whiteboards that we wish we could unsee. Today I want to talk about the worst whiteboard confessions of all time, and those invariably all tend to circle around what we ask candidates to do on a whiteboard during job interviews. There are a whole bunch of objections, problems, and other varieties of crappy opinions around whiteboarding as part of engineering job interviews, but they're all a part of the larger problem, which is that interviewing for engineering jobs fundamentally sucks. There are enough Medium articles on how trendy startups have cracked the interview to fill an S3 bucket. So, I'm going to take the contrarian position that all of these startups and all of these people who claim to have solved the problem, suck at it.

And these terrible questions fall into a few common failure modes, most of which I've seen when they were levied at me back in my engineering days, and I was exercising my core competency of getting rapidly ejected from other companies. So, I spent a lot of time doing job interviews, and I kept seeing some of the same things appear. And they're all, of course, are different. But let’s start with some of the patterns. The most obnoxious one by far is the open-ended question of how would you solve a given problem? And as you start answering the question, they're paying more attention than you would expect. Maybe someone's on their laptop, quote-unquote ‘taking notes’ an awful lot. And I can't ever prove it, but it feels an awful lot—based upon the question—like, this is the kind of problem where you could suddenly walk out of the interview room, walk into the conference room next door and find a bunch of engineers currently in a war room trying to solve the question you were just asked.

And what I hate about this pattern is it's a way of weaseling free work from interview candidates. If you want people to work on real-world problems, pay them. One of the best interviews I ever had is by a company that no longer exists called Three Rings Design. They wanted me to stand up some three-tiered web app, and turn on monitoring, and standard basic DevOps-style stuff; they gave an AWS account credential set to me. But what made them stand out is that they said, “Well, this is a toy problem. We're not going to use this in production, surprise. It's a generic question. But we don't believe in asking people to do work for free, so when you submit your results, we'll pay you a few hundred bucks.” And this was a standard policy they had for everyone who made it to that part of the interview. It was phenomenal, and I loved that approach. It solved that problem completely. But it's the only time I've ever seen it in my entire career.

A variant of this horrible technique is to introduce the same type of problem, but it's with the proviso that this is a production problem that we had a few months ago. It's gone now, but how would you solve it? Now on its face, this sounds like a remarkably decent interview question. It's real-world. They've already solved it. So, whatever answer you give is not likely to be something revolutionary that's going to change how they approach things. So, what's wrong with it? Well, the problem is, is that in most cases, the right answer is going to look suspiciously like whatever they did to solve the problem when it manifested.

I answered a question like this once with, “Well, what would strace tell me?” And the response was, “What does strace do?” I explained that it attached to processes and looked at the system calls that that process was making, and their response was, “Oh, yeah, that would have caught the problem. Huh. Okay, pretend strace doesn't exist.” Now it's not just the question of how you would solve the problem, but how you would solve the problem while being limited to their particular, often myopic, view of how systems work and how infrastructure needs to play out. This manifests itself the same way, by the way, in the world of various programming languages, and doing traditional developer engineer’s. It's awful because it winds up forcing you to see things through a perspective that you may not share. Part of the value of having you go and work somewhere is to bring your unique perspective. And, surprise, there's all these books on how to pass the technical interview. There are many fewer books on how to freaking give one that doesn't suck. And I wish that some people would write that book and that everyone else would read it. You can tell an awful lot about a company by how they go about hiring their people.

Corey: This episode is sponsored in part by ChaosSearch. Now their name isn’t in all caps, so they’re definitely worth talking to. What is ChaosSearch? A scalable log analysis service that lets you add new workloads in minutes, not days or weeks. Click. Boom. Done. ChaosSearch is for you if you’re trying to get a handle on processing multiple terabytes, or more, of log and event data per day, at a disruptive price. One more thing, for those of you that have been down this path of disappointment before, ChaosSearch is a fully managed solution that isn’t playing marketing games when they say “fully managed.” The data lives within your S3 buckets, and th...

AWS Machine Learning Your Business From Inside

Corey Quinn — Mon, 13 Jul 2020 03:00:00 -0700

AWS Morning Brief for the week of July 13, 2020.

Whiteboard Confessional: The Curious Case of the 9,000% AWS Bill Increase

Corey Quinn — Fri, 10 Jul 2020 03:00:00 -0700

About Corey Quinn

Links

CHAOSSEARCH
@QuinnyPig
Chris Short’s LinkedIn: https://www.linkedin.com/in/thechrisshort/

Transcript

Corey: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semi-polite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real-world forces us to build, and that the best to call your staging environment is “theory”. Because invariably whatever you’ve built works in the theory, but not in production. Let’s get to it.

This episode is sponsored in part by ParkMyCloud, fellow worshipers at the altar of turned out [BLEEP] off. ParkMyCloud makes it easy for you to ensure you're using public cloud like the utility it's meant to be. just like water and electricity, You pay for most cloud resources when they're turned on, whether or not you're using them. Just like water and electricity, keep them away from the other computers. Use ParkMyCloud to automatically identify and eliminate wasted cloud spend from idle, oversized, and unnecessary resources. It's easy to use and start reducing your cloud bills. get started for free at parkmycloud.com/screaming.

When you're building on a given cloud provider, you're always going to have concerns. If you're building on top of Azure, for example, you're worried your licenses might lapse. If you're building on top of GCP, you're terrified that they're going to deprecate all of GCP before you get your application out the door. If you're building on Oracle Cloud, you're terrified, they'll figure out where you live and send a squadron of attorneys to sue you just on general principle. And if you build on AWS, you're constantly living in fear, at least in a personal account, that they're going to surprise you with a bill that's monstrous.

Today, I want to talk about a particular failure that a friend of this podcast named Chris Short experienced. Chris is not exactly a rank neophyte to the world of Cloud. He currently works at IBM Hat, which I'm told is the post-merger name. He was deep in the Ansible community. He's a Cloud Native Computing Foundation Ambassador, which means that every third word out of his mouth is now contractually obligated to be Kubernetes.

He was building out a static website hosting environment in his AWS account, and it was costing him between $10 and $30 a month. That is right aligned with what I tend to cost. And he wound up getting his bill at the end of the month: “Welcome to July, time to get your bill,” and it was a bit higher. Instead of $30, or even $40 a month, it was $2700. And now there was actual poop found in his pants.

This is a trivial amount of money to most companies, even a small company, and I say this from personal experience, runs on burning piles of money. However, a personal account is a very different thing. This is more than most people's mortgage payments if you don't make terrible decisions like I do, and live in San Francisco. This is an awful lot of money, and his immediate response was equivalent to mine. First, he opened a ticket with AWS support, which is an okay thing to do. Then he immediately turned to Twitter, which is the better thing to do because it means that suddenly these stories wind up in the public eye.

I found out roughly 10 seconds later, as my notifications blew up with everyone saying, “Hey, have you met Corey?” Yes, Chris and I know each other. We're friends. He wrote the DevOps’ish newsletter for a long time, and the secret cabal of DevOps-y type newsletters runs deep. We secretly run all kinds of things that aren't the billing system for cloud providers.

So, he hits the batphone. I log into his account once we get a credential exchange going, and I start poking around because, yeah, generally speaking, 100x bill increase isn't typical. And what I found was astonishing. He was effectively only running a static site with S3 in this account making the contents publicly available, which is normal. This is a stated use case for S3, despite the fact that the console is going to shriek it's damn fool head off at you at every opportunity, that you have exposed an S3 bucket to the world.

Well, yes, that is one of its purposes. It is designed to stand there, or sit there depending on what a bucket does—lay there, perhaps—and provide a static website to the world. Now, in a two-day span, someone or something downloaded data from this bucket, which is normal, but it was 30 terabytes of data, which is not. At approximately nine cents a gigabyte, this adds up to something rather substantial, specifically after free tier limits are exhausted, that's right: $2700.

Now, the typical responses to what people should do to avoid bill shocks like this don't actually work. “Well, he should have set up a billing alarm.” Yeah, aspirationally the AWS billing system runs on an eight-hour eventual consistency model, which means that at the time the bill starts spiking. He has at least 8 hours, and in some cases as many as 24 to 48, before those billing alarms would detect. The entire problem took less time than that.

So, at that point, it would be alerting after something had already happened. “Oh, he shouldn't have had the bucket available to the outside world.” Well, as it turns out, he was fronting this bucket with CloudFlare. But what he hadn't done is restrict bucket access to CloudFlare’s endpoints, and for good reason. There's no way to say, “Oh, CloudFlare’s, identity is going to be defined in an IAM managed policy.” He has to explicitly list out all of CloudFlare’s IP ranges, and hope and trust that those IP ranges will never change despite whatever networking enhancements CloudFlare makes, it's a game of guess and check and having to build an automated system around this. Again, all he wanted to do was share a static website. I've done this myself. I continue to do this myself and it costs me, on a busy month, pennies. In some rare cases, dozens of pennies.

Kicking AWS's ASS into Space

Corey Quinn — Mon, 06 Jul 2020 03:00:00 -0700

AWS Morning Brief for the week of July 7, 2020.

Whiteboard Confessional: The Day IBM Cloud Dissipated

Corey Quinn — Fri, 03 Jul 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Welcome to the AWS Morning Brief’s Whiteboard Confessional series. I am Cloud Economist Corey Quinn, and today's topic is going to be slightly challenging to talk about. One of the core tenants that we've always had around technology companies and working with SRE, or operations-type organizations is, full stop, you do not make fun of other people's downtime because today it's their downtime, and tomorrow it's yours. It's important. That's why we see the hashtag #HugOps on Twitter start to—well, not trend. It's not that well known but definitely happens fairly frequently when there's a well-publicized multi-hour outage that affects a company that people are familiar with.

So, what we're going to talk about is an outage that happened several weeks ago for IBM Cloud. I want to point out some failings on IBM’s part but this is in the quote-unquote, “Sober light of day.” They are not currently experiencing an outage. They've had ample time to make public statements about the cause of the outage. And I've had time to reflect a little bit on what message I want to carry forward, given that there are definitely lessons for the rest of us to learn. HugOps is important, but it only goes so far, and at some point, it's important to talk about the failings of large companies and their associated response to crises so the rest of us can learn.

Now, I'm about to dunk on them fairly hard, but I stand by the position that I'm taking, and I hope that it's interpreted in the constructive spirit that I intend it to. For background, IBM Cloud is IBM's purported hyperscale cloud offering. It was effectively stitched together from a variety of different acquisitions, most notable among them SoftLayer. I've had multiple consulting clients who are customers of IBM Cloud over the past few years, and their experience has been, to put it politely, a mixed bag. In practice, the invective that they would lobby against it would be something worse.

Now, a month ago, something strange happened to IBM Cloud. Specifically, it went down. I don't mean that a service started having problems in a region. That tends to happen to every cloud provider, and it's important that we don't wind up beating them up unnecessarily for these things. No, IBM Cloud went down. And when I say that IBM Cloud went down, I mean, the entire thing effectively went off the internet. Their status page stopped working, for example. Every resource that people had inside of IBM Cloud was reportedly down. And this was relatively unheard of in the world of global cloud providers.

Azure and GCP don't have the same isolated network boundary per region that AWS has, but even in those cases, we tend to see far more frequently rolling outages rather than global outages affecting everything simultaneously. It's a bit uncommon. What's strange is that their status page was down. Every point of access you had into looking at what was going on with IBM Cloud was down. Their Twitter accounts fell silent, other than pre-scheduled promotional tweets that were set to go out. It looked for all the world like IBM had just decided to pack up early, turn everything off on the way out of the office, and enjoy the night off.

That obviously isn't what happened, but it was notable in that there was no communication for the first hour or so of the outage, and this was causing people to go more than a little bonkers. One of the pieces that was interesting to me, while this was happening, since it was impossible to get data out of this for anything substantive or authoritative, was I pulled up their marketing site. Now, the marketing site still worked—apparently, it does not live on top of IBM Cloud—but it listed a lot of their marquee customers and case studies. I went through a quick sampling, and American Airlines was the only site that had a big outage notification on the front of it. Everything else seemed to be working.

So, either the outage was not as widespread as people thought, or a lot of their marquee customers are only using them for specific components. Either one of those is compelling and interesting, but we don't have a whole lot of data to feed back into the system to draw reasonable conclusions. Their status page itself, like it was mentioned, was down, and that's super bad. One of the early things you learn when running a large-scale system of any kind is the thing that tells you—and the world—that you're down cannot have a dependency on any of the things that you are personally running. The AWS status page had this, somewhat hilariously, during the S3 outage a few years ago, when they had trouble updating what was going on due to that outage. I would imagine that's no longer the case, but one does wonder.

And most damning, and the reason I bring this up is the following day, they posted the following analysis on their site: “IBM is focused on external network provider issues as the cause of the disruption of IBM Cloud services on Tuesday, June 9th. All services have been restored. A detailed root cause analysis is underway. An investigation shows an external network provider flooded the IBM Cloud network with incorrect routing, resulting in severe congestion of traffic, and impacting IBM Cloud services, and our data centers. Migration steps have been taken to prevent a recurrence. Root ...

Oh, Honey; Help the Cops in us-west-3

Corey Quinn — Mon, 29 Jun 2020 03:00:00 -0700

AWS Morning Brief for the week of June 29, 2020.

Whiteboard Confessional: Bespoke Password Management

Corey Quinn — Fri, 26 Jun 2020 03:00:00 -0700

About Corey Quinn

Links

This episode is sponsored in part by ParkMyCloud, fellow worshipers at the altar of turned out [bleep] off. ParkMyCloud makes it easy for you to ensure you're using public cloud like the utility it's meant to be. just like water and electricity, You pay for most cloud resources when they're turned on, whether or not you're using them. Just like water and electricity, keep them away from the other computers. Use ParkMyCloud to automatically identify and eliminate wasted cloud spend from idle, oversized, and unnecessary resources. It's easy to use and start reducing your cloud bills. get started for free at parkmycloud.com/screaming.

In today's episode of the Whiteboard Confessional on the AWS Morning Brief, I want to talk to you about how I log into AWS accounts. Now, obviously, I've got a fair few of them here at The Duckbill Group, ranging from accounts that I use to test out new services, to the accounts that run my Last Week in AWS newsletter production things, to my legacy account because of course I have a legacy account for a four-year-old company. This is the Cloud we're talking about. And, as of this writing, they add up to currently 17 accounts in our AWS organization.

Beyond that, there's a lot more we have to worry about. We assume restricted roles into client AWS accounts to conduct our cost analyses. Getting those set up has been a bit of a challenge historically. We have a way of doing it now that we've open-sourced in our company GitHub repo. Someday, someone will presumably discover this, and then I'll get to tell that story. Now, to add all of this complex nonsense, let's not forget that back when I used to travel to other places, before the dark times we're currently living in, I used to do all of my work when I was on the road from an iPad Pro.

So what was the way to intelligently manage logging into all of these different accounts and keep them straight? Now, using IAM passwords and username pairs is patently ridiculous. By the time you take in whatever accounts I'm currently working on, we've got, eh, 40 AWS accounts to care about, which would completely take over my password manager if I go down that path, it further wouldn't solve for the problem of most of the time I interact with these accounts only via API. Now, that's not entirely true because, as we've mentioned, the highest level of configuration management enlightenment is, of course, to use the console, and then lie about it.

Today, I want to talk about how I chained together several ridiculous things to achieve an outcome that works for basically all of these problems. There are almost certainly better ways to do this than what I do. I keep hearing rumors that AWS Single Sign-On can do all this stuff in a better way, but every time I attempt to use it, I get confused and angry and storm off to do something else. So here's what I do. First, I start with my baseline AWS account that has an actual IAM user with a permanent set of credentials in it. That's my starting point. Now, I store those credentials on my Mac in Keychain, and on my EC2 instance running Linux, it lives within the pass utility, which uses GPG-based encryption to store a string securely.

Now, before I get angry letters—because oh, dear Lord, do I get them—let me just say that this is a requirement that instance roles with those ephemeral credentials won't suit. So using an instance role for that EC2 instance won't apply. Specifically, because there's no way today to apply MFA to instance roles, and some of the roles I need to assume do have MFA as a requirement, so that's a complete non-starter. And the way that I manage in these different environments, those effective route pair of credentials are managed by a tool that came out of 99 designs called aws-vault. Don't confuse this with HashiCorp’s Vault, which is something else entirely. This started off as a favorite of mine, but given their periodic breaking changes that the aws-vault maintainers have introduced with different versions, it becomes something far less treasured. They'll release a bunch of enhancements that up the version, which is great, but they haven't gotten around to fixing the documentation well, so I have to stumble my way through it, and I'm angry every time I spin up something new, and then I give up and roll back to a version that works.

There are now other tools I'm looking at as an alternative to this, mostly because this behavior has really torqued me off. Now aws-vault, as well as many other tools in the ecosystem, can read your local configuration file in your .aws directory. It uses this for things like chaining roles together, so you can assume a role in an account that then is allowed to assume a role in a different account, and so on and so forth. It can tell you which credential set to use, which MFA device is going to be used to log into accounts, what region that account is going to be primarily based in etcetera. It's surprisingly handy except for when it breaks with aws-vault releases in [unintelligible] what it's expecting to see in that file. I digress again. Sorry, just thinking about this stuff makes me mad, so I'm going to cool down for a second.

111 Gigabytes Per Ounce

Corey Quinn — Mon, 22 Jun 2020 03:00:00 -0700

AWS Morning Brief for the week of June 22, 2020.

Whiteboard Confessional: Help, I’ve Lost My MFA Device!

Corey Quinn — Fri, 19 Jun 2020 03:00:00 -0700

About Corey Quinn

Links

This episode is sponsored by a personal favorite: Retool. Retool allows you to build fully functional tools for your business in hours, not days or weeks. No front end frameworks to figure out or access controls to manage; just ship the tools that will move your business forward fast. Okay, let's talk about what this really is. It's Visual Basic for interfaces. Say I needed a tool to, I don't know, assemble a whole bunch of links into a weekly sarcastic newsletter that I send to everyone. I can drag various components onto a canvas: buttons, checkboxes, tables, etc. Then I can wire all of those things up to queries with all kinds of different parameters, post, get, put, delete, etc. It all connects to virtually every database natively, or you can do what I did and build a whole crap ton of lambda functions, shove them behind some API’s gateway and use that instead. It speaks MySQL, Postgres, Dynamo—not Route 53 in a notable oversight; but nothing's perfect. Any given component then lets me tell it which query to run when I invoke it. Then it lets me wire up all of those disparate APIs into sensible interfaces. And I don't know frontend; that's the most important part here: Retool is transformational for those of us who aren't front end types. It unlocks a capability I didn't have until I found this product. I honestly haven't been this enthusiastic about a tool for a long time. Sure they're sponsoring this, but I'm also a customer and a super happy one at that. Learn more and try it for free at retool.com/lastweekinaws. That's retool.com/lastweekinaws, and tell them Corey sent you because they are about to be hearing way more from me.

Welcome to the AWS Morning Brief: Whiteboard Confessional. Today I want to talk about infosec. Specifically, an aspect of infosec that I think is not given proper attention, namely two-factor auth. Now, two-factor auth is important to enable but first, back up a second. Use a password manager with strong passwords for all of your stuff. Those are table stakes at this point.

Now, most password managers will offer to also store your multi-factor auth codes, your OTP tokens, etcetera. I'm not a big fan of that because it feels to me, perhaps incorrectly, like I'm collapsing multiple factors back down into that same factor. Someone gets access to my password manager, worst-case scenario, I’m potentially hosed. That's not great. Now, the password managers will argue that this isn't technically true, yada, yada. I'm old fashioned. I'm grumpy. I'm an old Unix systems administrator that had certain angry loud opinions, so I'm going to keep using separate tools for managing passwords, as well as getting in as a second factor. May I also point out that SMS is terrible as far as a second factor. Don't use it if you possibly can, for reasons that go well beyond the scope of this show: we're not that kind of podcast.

Now, let's talk about what happens if you, for one reason or another, lose your MFA device, or the app on your phone because this happened to a certain business partner of mine named Mike Julian. Now, Mike wound up getting a new phone, which is great because his was something from the Stone Age presumably some kind of Nokia candy bar phone. I hear someone dropped one of those things once the last time they were in mass sale and accidentally killed the dinosaurs. So, that's the kind of era of phone he was upgrading from to, I think, the iPhone SE, but don't quote me on that. I don't tend to pay attention to his taste in electronics. Personally, I question his taste in business partners, but that's all right; he signed on the dotted line; he stuck with me now.

So, he inadvertently wound up losing access to all of his old MFA tokens and having to get them re-added in other places. Some systems worked super well for this. It was a matter of, “Oh, I'll just use my backup codes,” which he kept like a good responsible person. It let him in, he would then be able to regenerate backup codes, change over the device and everything was glory. For others, he wasn't so lucky and had to phone in and get a reset after identity verification. So, now he didn't have his multi-factor device, so it would fall back to using SMS because it had his cell phone. And he could not disable that with some environments. So, that becomes an attack vector, if you're able to compromise an SMS number which, surprise, is not that hard if you put some effort into it.

This, of course, does bring us to Amazon. Mike needed to reset his Amazon MFA token. Now, when I say Amazon, I don't mean AWS. I mean, Amazon, and I'm going to go back and forth as I go down the story a little bit. So, this is an Amazon retail account, not an AWS account. And it turns out when you Google how to reset your Amazon MFA token, all the results are about AWS.

So, “Okay, that's interesting,” says Mike. He Googles effectively to remove all results from aws.amazon.com. Cool. Now all the results are about things that are not Amazon stuff. Not anything helpful. So, there's no documentation in Google for any of this as applies to Amazon retail, it may as well not exist as a problem. This is less than ideal from Mike's perspective. He was able to reset his AWS multi-factor auth for the AWS account—that's for the same email address tied to that amazon.com account, but AWS and Amazon have completely separate MFA infrastructures.

So, this is fascinating. He posts on Twitter, which is the number one way to get help when you have an Amazon issue and you run a company devoted to making fun of Amazon, and AWS support chimes in because they're helpful. Someone else says, “I've been trying to solve this problem for 10 years and got nowhere. Good luck, Godspeed.” And it seemed odd because it's an Amazon retail problem. Why is AWS chiming in? And this leads to a phone call. Mike finally winds up getting on a series of phone calls with AWS support.

...

AWS Graviton2 Clock Speeds Broadly Non-Competitive

Corey Quinn — Mon, 15 Jun 2020 03:00:00 -0700

AWS Morning Brief for the week of June 15, 2020

Whiteboard Confessional: On Getting Fired

Corey Quinn — Fri, 12 Jun 2020 03:00:00 -0700

About Corey Quinn

Links

Today's episode of the AWS Morning Brief: Whiteboard Confessional was supposed to be about a zero-day that I was disclosing. Cooler heads have prevailed and we will talk about that next week instead, once I've finished some conversations with the company in question. Sorry to disappoint you all, but I have something you might enjoy instead.

So, today I want to talk about getting fired, which is one of my personal specialties. I'm not kidding when I tell people that a primary driver of starting my own consultancy was to build a company wherein I could not be ejected on the spot by surprise. Since I can't be fired anymore, let's talk about the mechanics of getting fired from someone who's been through it, just so folks get a better perspective on this. In the United States, our worker protections are basically non-existent compared to most civilized countries. Barring a contract or collective bargaining agreement to the contrary, you can be fired in the United States for any reason or no reason, except based upon membership in a protected class.

So, to be clear, my personality is certainly justification enough to fire me. I say this for our listeners in other countries who hear I was fired and equate that to a moral failing. “What’d you do, rob the cash register?” No, I'm just me; I'm difficult to work with; I'm expensive to manage, and my personality is exactly what you would expect it to be based upon this podcast. The way the firing usually works is that you get an unexpected meeting request with your boss. “Hey, can we chat?”

Those meetings are so unnerving that even that intro leaves scars years later, my business partner and I—both of us can't be fired clearly. But we still get nervous when we tell each other, “Hey, we need to talk in an hour.” We have instituted an actual policy against this at our company, just due to the collective trauma that so many of us have gone through with those, “Is this how I get fired?” moments. So, you have an unplanned meeting with your boss. Nine times out of 10—or more: 99 times out of 100 that's fine—it’s no big deal: it’s about something banal.

But on this meeting, you walk in and surprise, there's someone from human resources there too, and they don't offer you coffee. First. I want to say the idea of calling people resources is crappy. HR—whatever you want to call it: people ops—but regardless, they're there; they're certainly not smiling, and they don't offer you coffee.

And that's the tell. When you're invited to a meeting that you weren't expecting and no one gives you coffee, it is not going to be a happy meeting. They usually have a folder sitting there on the table in front of them that has a whole bunch of paperwork in it. There's the, “This is the NDA that you signed, when you started your job here; it's still enforceable: We're reminding you of it paperwork.” There's a last paycheck and a separate paycheck of your cashed out vacation time in jurisdictions where that gets paid out, like California. And often, there's another contract there. This is called a severance agreement. The company is going to pay you some fixed amount of money in return for absolving them of any civil claims that you may have had during the course of your employment. I'm not your attorney, but let me tell you what the right answer here is.

Whatever you do, do not sign that contract in that room, in that moment. You've just been blindsided; you don't have a job anymore; you're most definitely not at your best. And you're certainly going to be in no position to carefully read a nuanced legal document prepared by your employer’s attorney designed to constrain your future behavior. They may say, “Take all the time you want,” or they may imply they can't give you your last paycheck until you sign it. The Department of Labor would like a word with them if that's the case because that's not legal.

Thank them, leave with your head held high and bask for a moment in the freeing sense of no longer having any obligation to your now ex-employer. All the projects you had in flight, let them go. All the things y...

Enduring the Cloud Migration Factory

Corey Quinn — Mon, 08 Jun 2020 03:00:00 -0700

AWS Morning Brief for the week of June 8, 2020.

Whiteboard Confessional: The Time I Almost Built My Own Email Marketing Service

Corey Quinn — Fri, 05 Jun 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript
Corey: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semi-polite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real-world forces us to build, and that the best to call your staging environment is “theory”. Because invariably whatever you’ve built works in the theory, but not in production. Let’s get to it.

nOps will help you reduce AWS costs 15 to 50 percent if you do what tells you. But some people do. For example, watch their webcast, how Uber reduced AWS costs 15 percent in 30 days; that is six figures in 30 days. Rather than a thing you might do, this is something that they actually did. Take a look at it. It's designed for DevOps teams. nOps helps quickly discover the root causes of cost and correlate that with infrastructure changes. Try it free for 30 days, go to nops.io/snark. That's N-O-P-S dot I-O, slash snark.

Welcome once again to the AWS Morning Brief: Whiteboard Confessional. Today I want to talk about, once again, an aspect of writing my Last Week in AWS newsletter. This goes back to before I was sending it out twice a week, instead of just once, and my needs weren't that complex. I would gather a bunch of links throughout the week: I would make fun of them and I had already built this absolutely ridiculous system that would render all of my sarcasm from its ridiculous database where it lived down into something that would work to generate out HTML. And I've talked about that system previously, I'm sure I will again. That's not really the point of the story.

Instead, what I want to talk about is what happened after I had that nicely generated HTML. Now, I've gone through several iterations of how I sent out my newsletter. The first version was through a service known as Drip, that's D-R-I-P. And they were great because they were aimed at effectively non-technical folks, by and large, where it’s, “Oh, you want to use a newsletter. Go ahead.”

I looked at a few different vendors. MailChimp is the one that a lot of folks go with for things like this. At the time I was doing that selection, they were having a serious spam problem. People were able to somehow bypass their MFA. Basically, their reputation was in the toilet and given my weird position on email spam, namely, I don't like it, I figured this is probably not the best time to build something on top of that platform, so that was out.

Drip was interesting, in that they offered a lot of useful things, and they provided something far more than I needed at the time. They would give me ways to say, “Okay, when someone clicks on this link, I can put them in different groups, etcetera, etcetera.” You know, the typical email, crappy tracking thing that squicks people out. Similarly to the idea of, “Hey, I noticed you left something in your cart. Do you want to go back and buy it?” Those emails that everyone finds vaguely disquieting? Yeah, that sort of thing. So, 90 percent of what they were doing, I didn't need, but it worked well enough, and I got out the door and use them for a while.

Then they got acquired, and it seemed like they got progressively worse month after month, as far as not responding to user needs, doing a hellacious redesign that was retina searingly bad, being incredibly condescending toward customer complaints, subtweeting my co-founder on a podcast, and other delightful things. So, the time came to leave Drip. So, what do I do next? Well, my answer was to go to SendGrid. And SendGrid was pretty good at these things. They are terrific at email deliverability—in other words, getting email, from when I hit send on my system into your inbox, bypassing the spam folder, because presumably, you've opted in to receive this and confirmed that you have opted in—so that wasn't going to be a problem.

And they still are top-of-class for that problem, but I needed something more than that. I didn't want to maintain my own database of who was on the newsletter or not. I didn't want to have to handle all the moving parts of this. So, fortunately, they wound up coming out with a tool called Marketing Campaigns, which is more or less designed for kind of newsletter-ish style things if you squint at it long enough. And I went down that path and it was, to be very honest with you, abysmal.

It was pretty clear that SendGrid was envisioning two different user personas. You had the full-on developer who was going to be talking to them via API for the sending of transactional email, and that's great. Then you had marketing campaign folks who were going to be sending out these newsletter equivalents or mass broadcast campaigns, and there was no API to speak of for these things. It was very poorly done. I'm smack dab between this, where I want to be able to invoke these things via API, but I want to also be able to edit it in a web interface, and I don't want to have to handle all the moving parts myself. So, I sat down and had a long conversation with Mike, my business partner. And well, before I get into what we did, let's stop here.

This episode is sponsored in part by N2WS. You know what you care about? Many things, but never backups. At least until right after you really, really, really needed to care about backups. That's what N2WS does for your AWS account. It allows you to cycle backups through different storage tiers; you can back things up cost-effectively, and safely. For a limited time, N2WS is offering you $100 in AWS credits for setting up their free trial, and I encourage you to give it a shot. To learn more, visit snark.cloud/n2ws. That's snark.cloud/n2ws.

So, we looked at ConvertKit, which does a lot of things right, but there are a few things wrong. There's still no broadcast API, you have to click things to make it go. So, I have an email background, Mike has an engineering background. And we sat there and we've decided we're going to build something ourselves to solve this problem. And we started drawing on a whiteboard in my office. This thing is four feet by six feet, it is bolted to the wall by a professional because I have the good sense to not tear my own wall down, instead hiring someone else to do it for me.

<...

AWS Security Landscapers

Corey Quinn — Mon, 01 Jun 2020 03:00:00 -0700

AWS Morning Brief for the week of June 1, 2020

Whiteboard Confessional: The Core Problem in Cloud Economics

Corey Quinn — Fri, 29 May 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

nOps will help you reduce AWS costs 15 to 50 percent, if you do what tells you. But some people do. For example, watch their webcast, how Uber reduced AWS costs 15 percent in 30 days; that is six figures in 30 days. Rather than a thing you might do, this is something that they actually did. Take a look at it. It's designed for DevOps teams. nOps helps quickly discover the root causes of cost, and correlate that with infrastructure changes. Try it free for 30 days, go to nops.io/snark. That's N-O-P-S dot I-O, slash snark.

Corey: Welcome to the AWS Morning Brief: Whiteboard Confessional. Today we're going to tell a story that only happened a couple of weeks ago. We don't usually get to tell stories about what we do in the AWS bill fixing realm because companies are understandably relatively reticent to talk about this stuff in public. They believe, rightly or wrongly, that it will annoy Amazon which, frankly, is one of my core competencies. They think that it shows improper attention to detail to their investors and others.

I don't see it that way, but I found a story that we can actually talk about today in a bit more depth and detail than we normally would. So, we get a phone call about three weeks ago. Someone has a low five-figure bill every month on AWS. That's generally not large enough for us to devote a consulting project to, because frankly the ROI would take far too long. It's too small of a bill to make an engagement with us cost-effective, but we had a few minutes to kill and thought, “Eh, go ahead and pull up your bill. We'll take a quick look at it here.” Half of their bill historically—and growing—had been data transfer which, okay, that's interesting. And as we've known from previous episodes, data transfers is always strange. So, they looked at this and they said, “Okay, well, obviously then instead of serving things directly, we should get a CDN.”

So, then instead of getting a CDN, they chose to set up CloudFront, which basically is a CDN only worse in every way. And they saw no impact to their bill after a month of this. Okay, let's change that up a bit. Now, instead of CloudFront. We're going to move to an actual CDN. So, they did, there was a small impact to their bill. Okay, and costs continue to rise and what's going on? At this point in the story, they call us, which generally if you're seeing something strange on your bill, is not a terrible direction to go in. We see a lot of these things and if we can help you, we will point you towards someone who can. So, our consensus on this was, great. It is too small to look at the bill.

But let's pop into Cost Explorer and see what's going on. We break it down by service and S3 was the biggest driver of spend. Now, that's interesting. Number two was EC2. But okay, we start with the big numbers and work our way down. This is apparently novel for folks doing in-depth bill analysis, but we're going to go with it anyway. We start taking a look within that S3 category of usage type, and lo and behold, data transfer out to the internet is driving almost all of it. The cost per request is super low. That tells us in turn that—because we've seen a lot of these—that there are large objects, but relatively few requests for them.

So, all right, we're going to slice and dice slightly differently within Cost Explorer, AWS’s free—with an asterisk next to it—tool for exploring various aspects of your bill. That asterisk, incidentally, means that if you're doing this via API, it is one cent per call. If you're doing this in the console, it's free. Be aware, that can catch you by surprise if you write a lot of very chatty scripts. You have been warned. So, yeah, most of the spend was indeed on GetObject calls. So, okay, we know that data transfer spend was coming from an S3 bucket that was not going to a CDN. Otherwise, it's going to show up as a different data transfer charge in a different section of their bill.

Okay, so now we know it's S3. We have to figure out what bucket it lives within. And this is an obnoxious process, and we tell them this. And they’re like, “Oh, yeah, we know what bucket that is.” This, incidentally, is where almost every software tool tends to fall down. We could spend some time tracking this down programmatically. Or we can just ask someone who already has the context of what their business does and how it works loaded into their head. Because otherwise, what we'd have to do is tag all their buckets, and then wait a few days for that tag to percolate into the billing system, and then query it again because the visibility into this sort of thing is terrible. It's a shortcoming of both Cost Explorer and S3 in that weird seam between the two. There's fundamentally no easy way to see at a glance which buckets are costing you money unless you do something fun with tagging.

To that end, I'm a big believer in having every bucket tagged with a bucket name option. So, I can start slicing on that, and then you enable that as a cost allocation tag. So, great. Now, what is it that's getting requested? Well, you can also dig into this via access logs once you have the bucket, to see what's going on. Great. Now, we take a look at this, and sure enough—well, before I go into what it actually was, let's pause here for a moment.

Corey: So, this bucket was set to public access. Aha! it only allowed GetO...

Introducing AWS SnowCannon

Corey Quinn — Mon, 25 May 2020 03:00:00 -0700

AWS Morning Brief for the week of May 25, 2020.

Whiteboard Confessional: Naming Is Hard, Don’t Make it Worse

Corey Quinn — Fri, 22 May 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

nOps will help you reduce AWS costs 15 to 50 percent if you do what tells you. But some people do. For example, watch their webcast, how Uber reduced AWS costs 15 percent in 30 days; that is six figures in 30 days. Rather than a thing you might do, this is something that they actually did. Take a look at it. It's designed for DevOps teams. nOps helps quickly discover the root causes of cost, and correlate that with infrastructure changes. Try it free for 30 days, go to nops.io/snark. That's N-O-P-S dot I-O, slash snark.

Good morning AWS, and welcome to the AWS Morning Brief: Whiteboard Confessional. Today we're going to revisit DNS. Now, now, slow down there, Hasty Pudding. Don't bother turning the podcast off. For once, I'm not talking about using it as a database… this time. As you're probably aware, DNS is what folks use to equate friendly names for twitterforpets.com, or incredibly unfriendly names like Oracle.com, to IP addresses, which is how computers tend to see the world. I'm not going to rehash what DNS does.

Instead, I'm going to talk about a particular kind of DNS problem that befell a place I used to consult for. They're publicly traded now, so I'm not going to name them. An awful lot of shops do something that's called split-horizon DNS. What that means is that if you're on a particular network, a DNS name resolves differently than it does when you're on a different network. For example, admin.twitterforpets.com will resolve to an administrative dashboard if you're on the Twitter For Pets internal network via VPN, but it won't resolve to that dashboard if you're outside the network, or it might resolve nowhere, or it might resolve just back to their main website, www.twitterforpets.com.

And that's fine. Most DNS providers can support this, and Route 53 is, of course, no exception. This is, incidentally, what the Route 53 resolver, that was released in 2018, is designed to do: it bridges private DNS zones to on-premises environments, so your internal zones can then resolve to private IP addresses without having to show your private IP address ranges in public zones to everyone. So, the reason that matters is that this keeps you from broadcasting your architecture or your network layout externally to your company. Some folks consider doing that to be a security problem because it discloses information that an attacker can then leverage to gain further toeholds into your network. Some folks also think that that tends to be a little bit on the extreme side. I'll let you decide because I don't care, and that's not what the story is about.

The point is that split-horizon DNS is controversial, for a few reasons, but in many shops, it is considered the right thing to do because it's what they've been doing. The internal DNS names either don't resolve anything publicly, or they resolve to a different system that’s configured to reject the request outright. But there is another path you can take; a third option that no one discusses because it's a path that's far darker, because it is oh, so very much dumber. But first…

This episode is sponsored in part by N2WS. Do you know what you care about? Many things, but never backups. At least until right after you really, really, really needed to care about backups. That's what N2WS does for your AWS account. It allows you to cycle backups through different storage tiers; you can back things up cost-effectively, and safely. For a limited time, N2WS is offering you $100 in AWS credits for setting up their free trial, and I encourage you to give it a shot. To learn more visit snark.cloud/n2ws. That's snark.cloud/n2ws.

What I'm about to describe is far too stupid for my made-up startup of Twitter For Pets, so we're going to have to invent a somehow even dumber company, and we're going to call it Uber For Squirrels. It's like regular Uber, except it somehow manages to lose less money. Now, there's a very strong argument among the engineering community inside of Uber For Squirrels. Split-horizon DNS is dangerous is what is decided and argued for. And that's the proclamation because a misconfiguration could leak records in the wrong places, and theoretically take the entire online site for Uber For Squirrel down. There are merits to those arguments and you can't dismiss them out of hand, so a bargain was struck.

The external DNS zone was therefore decreed to be uberforsquirrels.com, while the internal zone was configured to be uberforsquirrels.net. The uberforsquirrels.net zone was only accessible inside of the network. From the outside, nobody could query it. Now, this is, in isolation—before I go further—a bad plan all on its own. When you're reading quickly, uberforsquirrels.com and uberforsquirrels.net don't jump out visually to people as being meaningfully different. You're going to typo it in config files constantly without meaning to, and then you're going to have a hell of a time tracking it down because it's not immediately obvious that you're talking to the wrong thing; you might think it's a network problem. Your tab completion is going to break out of your known_hosts file, if you have such a thing configured in your environment, it's going to have to hit tab a couple of extra times to cycle through the dot net variants and the dot com variants. It's just a general irritant.

But that's not enough to justify an episode of the show. Because wait, that is still some Twitter For Pets level brokenness. Why do I need to throw Uber For Squirrels under the bus? Well, because it turns out that despite using uberforsquirrels.net everywhere as their internal domain, they didn't actually own uberforsquirrels.net. It wasn't entirely clear who did other than that the registration was in another country, so it probably wasn't something that the CEO registered and then forgot about in his random domain list of things he acquired for companies he was going to start o...

Amazon Macie Some Well Deserved Pushback

Corey Quinn — Mon, 18 May 2020 03:00:00 -0700

AWS Morning Brief for the week of May 18, 2020.

Whiteboard Confessional: You Down with UTC? Yeah, You Know Me

Corey Quinn — Fri, 15 May 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

nOps will help you reduce AWS costs 15 to 50% if you do what it tells you. But some people do, for example, watch their webcast, "How Uber reduced AWS costs 15% in 30 days". That is six figures in 30 days. Rather than a thing you might do, this is something that they actually did. Take a look at it. It's designed for dev ops teams nOps helps quickly discover the root causes of costs and correlate that with infrastructure changes. Try it free for 30 days. Go to nops.io/snark. That's nops.io/snark.

Today I want to talk about a funny thing: time. Time has taken on a different meaning for many of us during the current pandemic. Hours seem like days. Days seem like months. But in the context of computers, time is a steady thing. Except when it's not. Things like leap years, leap seconds, Google's famous leap smear and, of course, our ever-changing friends, time zones, combine and collude with one another to make time a very hard problem when it comes to computers. In the general case, computers think of time in terms of seconds since the start of the Unix epoch on January 1, 1970. This is incidentally—and not the point of this episode—going to cause a heck of a lot of excitement when 32-bit counters rollover in 2038. But that's a future problem similar to Y2K, that I'm sure won't bother anyone.

Time leads to suboptimal architectural choices, which is bad, and then those choices become guidance which is in turn far, far worse. Now, AWS has said a lot of things over the years that I despise and take massive issue with. Some petty and venial, like pronunciation, but none of them were quite so horrifying as a tweet. On May 17, 2018, the official AWS Cloud Twitter account tweeted out an article with the following caption, “Change the timezone of your Amazon RDS instance to local time.” I hit the roof immediately and began ranting about it and railing against that tweet in particular.

I believe this is the first time that me yelling at AWS in public hit semi-viral status. My comment, to be precise, was absolutely do not do this. UTC is the proper server timezone unless you want an incredibly complex problem after you scale. Fixing this specific problem has bought consultants entire houses in San Francisco. Now, I stand by that criticism and I maintain that your databases should be in UTC at all times, as should the rest of your servers. And I'll explain why, but first:

This episode is sponsored in part by N2WS. You know what you care about? Many things, but never backups. At least, until right after you really, really, really needed to care about backups. That's what N2WS does for your AWS account. It allows you to cycle backups through different storage tiers so you can back things up cost effectively and safely. For a limited time N2WS is offering you a hundred dollars in AWS credits for setting up their free trial. And I encourage you to give it a shot. To learn more, visit snark.cloud/n2ws. That's snark.cloud/n2ws.

It's important that all of your systems be in the same timezone UTC, or Universal Time Coordinated doesn't change with the seasons. It doesn't observe daylight saving time. It's the closest thing we've got to a unified central time that everyone can agree on. Now, you're going to take issue with a lot of that, and I'm not suggesting that you should display that time to your users. You have a lot of options around how you can alter the display of time at the presentation level. You can detect the timezone that their browser is set to. You can let them select their time zone in the settings of your application. You can do what ConvertKit—one of my vendors—does, and force everything to display in US East Coast time for some godforsaken reason. But all of those options are far better than setting the server time to local time.

Years ago, I've been told that this shameful secret exists within companies during job interviews when I asked what kind of problems they're currently wrestling with, and it's a big deal because changing one system requires changing every system that winds up tying back to that. Google apparently had all of their servers originally set to Pacific Coast time or headquarters time, and this caused them problems for over a decade. I can't confirm that because I haven't ever worked there, so I wouldn't know other than stories people tell while sobbing into beers. But it stands to reason because once you've gone down this path, it is incredibly difficult to fix it.

What's not so obvious is why exactly this is so painful. And the problem comes down to change. Time zones change. Daylight saving time alters when it takes place in the given location from year to year. And time zones themselves don't hold still either, as geopolitical things tend to change.

Remember that computers don't just use time to tell you what time something is right now. They look at when log entries were made, what happened in a particular time frame? What was the order of those specific events that all came from different systems? When was a change actually implemented? And you really, really don't want to have to apply complex math to logs just to reconstruct historical events in time. “Well, that one was before daylight saving time took effect that year in that particular location where the server was running in, so just carry the two.” That becomes awful stuff, and no one wants to have to go through that. It also leads to scenarios where you can introduce errors with bad timezone math.

Now, there are a couple of solid objections here, but one of the only ones that I saw advocated on Twitter when I started ranting about it was of the very reasonable form, “Look, most stuff that uses databases in a lot of companies is for a single location at a single company, and it's never going to need ...

The AWS Machine That Goes PING

Corey Quinn — Mon, 11 May 2020 03:00:00 -0700

AWS Morning Brief for the week of May 11, 2020.

Whiteboard Confessional: Click Here to Break Production

Corey Quinn — Fri, 08 May 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

On this show, I talk an awful lot about architectural patterns that are horrifying. Let’s instead talk for a moment about something that isn’t horrifying. CHAOSSEARCH. Architecturally, they do things right. They provide a log analytics solution that separates out your storage from your compute. The data lives inside of your S3 buckets, and you can access it using APIs you’ve come to know and tolerate, through a series of containers that live next to that S3 storage. Rather than replicating massive clusters that you have to care and feed for yourself, instead, you now get to focus on just storing data, treating it like you normally would other S3 data and not replicating it, storing it on expensive disks in triplicate, and fundamentally not having to deal with the pains of running other log analytics infrastructure. Check them out today at CHAOSSEARCH.io.

Today on the AWS Morning Brief: Whiteboard Confessional, I'm telling a different story than I normally do. Specifically, this is the tale of an outage from several weeks ago. The person who shared this story with me has requested to remain anonymous and further wishes me to not mention their company at all. This is, incidentally, a common occurrence. Folks don't generally want to jeopardize their relationship with AWS by disclosing a service issue they see, whereas I don't have that particular self-preservation instinct. Then again, I'm not a big AWS customer myself. I'm not contractually bound to AWS in any meaningful way, and I'm not an AWS partner, nor am I an AWS Hero. So, all that AWS really has over me in terms of leverage is the empty threat of taking away my birthday. So, let's dive into this anonymous story. It's a good one.

A company was minding its own business, and then had a severity one incident. For those who aren't familiar with that particular designation, you can think of that as being the company's primary service fell over in an embarrassingly public way. Customers noticed, and everyone runs around screaming a whole lot. Now, if we skip past the delightful hair-on-fire diagnosis work, the behavior that was eventually tracked down was that an SNS topic had a critical listener get unsubscribed. That SNS topic invoked said listener, which in turn drove a critical webhook call via API gateway. This is a bad thing, obviously.

Fundamentally, customers stopped receiving webhooks that they were expecting, and this caused a nuclear meltdown given the nature of what the company does, which I can't disclose and isn't particularly relevant anyway. But, for those who are not up to date on the latest AWS terminology, service names, and parlance, what this means at a high level is that a thing happens inside of AWS, and whenever that thing happens, it's supposed to fire off an event that notifies this company's paying customers. This broke because something somewhere unsubscribed the firing off dingus from the notification system. Now that we're aware of what caused the issue at a very high level, time to dig into how it happened and what to do about it. But first:

In the late 19th and early 20th centuries, democracy flourished around the world. This was good for most folks, but terrible for the log analytics industry because there was now a severe shortage of princesses to kidnap for ransom to pay for their ridiculous implementations. It doesn’t have to be that way. Consider CHAOSSEARCH. The data lives in your S3 buckets in your AWS accounts, and we know what that costs. You don’t have to deal with running massive piles of infrastructure to be able to query that log data with APIs you’ve come to know and tolerate, and they’re just good people to work with. Reach out to CHAOSSEARCH.io. And my thanks to them for sponsoring this incredibly depressing podcast.

The logs for who unsubscribed it are, of course, empty, which is a problem for this company’s blameless-in-theory-but-blame-you-all-the-way-out-of-the-company-if-it-turns-out-that-it-was-you-that-clicked-this-thing-and-didn't-tell-anyone, philosophy. CloudTrail doesn't log this event because why would it? CloudTrail’s primary purpose is to rack up bills and take the long way around before showing events in your account, not to assist with actual problem diagnosis, by all accounts. Now, fortunately, this customer did have AWS Enterprise Support. It exists for precisely this kind of problem. It granted them access to the SNS team which had considerably more insight into what the heck had happened, at which point the answer became depressingly clear, as well as clearly depressing.

It turns out that the unsubscribe URL at the bottom of every SNS notification wasn't authenticated. Therefore, anyone who had access to the link could have invoked it, and that's what happened when a support person did something very reasonable: Copy and paste a log message containing that unsubscribe link into a team Slack channel. It wasn't their fault [00:06:04 unintelligible] because they didn't click it. The entity triggering this was—and I swear I'm not making this up—Slackbot.

Have you ever noticed that when you paste a URL into Slack, it auto expands the link to show you a preview? It tries to do that on every URL, and you can't disable URL expansion at the -Slack workspace level. You can blacklist URLs but only if the link expansion succeeds. In this case, it doesn't have a preview, so it doesn't succeed, so there's nothing for it to blacklist. Slack’s helpful feature can't be disabled on a team-wide level, so when that unsubscribe URL shows up in a log snippet that got pasted, it silently unsubscribed the consumer from SNS and broke the entire system.

Now, there are an awful lot of things that could have been different here. Isn't this the sort of thing that might be better off with SQS, you might reasonably ask? Well, four years ago, when this system was built, SQS itself could not, and did not support invoking Lambda functions, so SNS was the only real option. T...

AWS Non-Profit Organisations

Corey Quinn — Mon, 04 May 2020 03:00:00 -0700

AWS Morning Brief for the week of May 4, 2020.

Whiteboard Confessional: Hacking Email Newsletter Analytics & Breaking Links

Corey Quinn — Fri, 01 May 2020 03:00:00 -0700

About Corey Quinn

Links

On Monday, I sent out a newsletter issue to over 18,000 people where the links didn't work for the first hour and a half. Then they magically started working. Today on the AWS Morning Brief: Whiteboard Confessional. I'm not talking about a particular design pattern, but rather conducting a bit of a post mortem of what exactly broke and why it suddenly started working again an hour and a half later. To send out the Last Week in AWS newsletter, I use a third-party service called ConvertKit that, in turn, wraps itself around SendGrid for actual email delivery. They, in turn, handle an awful lot of the annoying difficult parts of newsletter management. As a quick example, unsubscribes. If you unsubscribe from my newsletter, which you should never do, I won't email you again. That's because they handle the subscription and unsubscription process.

Now, as another example, when you sign up for the newsletter, you get an email series that tailors itself to a “choose your own platypus” adventure based upon what you select. True story. Their logic engine powers that, too. ConvertKit is awesome for these things, but they do some things that are also kind of crappy. For example, they do a lot of link tracking that is valuable, but it's the creepy kind of link tracking that I don't care about and really don't want. Also, unfortunately, their API isn't really an API so much as it is an attempt at an API that an intern built, because they thought it was something you might enjoy.

I can't create issues via API. I have to generate the HTML and then copy and paste it in like a farm animal. And their statistics and metrics API's won't tell me the kinds of things I actually care about, but their website will, so they have the data, it just requires an awful lot of clicking and poking. And when I say things I don't care about, let me be specific. Do you know what I don't care about? Whether you personally, dear listener, click on a particular link. I do not care; I don't want to know. That's creepy; It's invasive, and it isn't relevant to you or me in any particular way.

But I do care what all of you click on in aggregate. That informs what I include in the newsletter in the future. For example, I don't care at all about IoT, but you folks sure do. So, I'm including more IoT content as a direct response to what you folks care about. Remember, I also have sponsors in the newsletters, who themselves include links, and want to get a number of people who have clicked on those things. So, it also needs to be unique. I care if a user clicks on a link once, but if they click on it two or three times, I don't want that to increment the counter, so there are a bunch of edge case issues here.

Here are the questions that I need to answer that ConvertKit doesn't let me get at extraordinarily well. First, what were the five most popular links in last week's issue? I also want to care what the top 10 most popular links over the last three months were. That helps me put together the “Best of” issues I'm going to start shipping out in the near future. I also care what links got no clicks because people just don't care about them or I didn't do a good job of telling the story. It helps me improve the newsletter.

With respect to sponsors, I care how each individual sponsor performs relative to other sponsors. If one sponsor link gets way fewer clicks, that's useful to me. Since I write a lot of the sponsor copy myself, did I get something wrong? On the other hand, if a sponsored link gets way more clicks than normal, what was different there? I explicitly fight back against clickbait, so outrage generators, like racial slurs injected into the link text are not permitted. So, therefore when a sponsored link outperforms what I would normally expect, it means that they're telling a story that resonates with the audience, and that is super valuable data. Now, I'll tell you what I built, and what went wrong. After this.

I built a URL redirector to handle all of these problems plus one more. Namely, I want to be able to have an issue that has gone out with a link in it, but I want to be able to repoint that link after I've already hit send. Why do I care about that? Well, if it turns out that a si...

Cape Town Region Is Expensive AF

Corey Quinn — Mon, 27 Apr 2020 03:00:00 -0700

AWS Morning Brief for the week of April 27, 2020.

Whiteboard Confessional: Don’t Run a Database on Top of NFS

Corey Quinn — Fri, 24 Apr 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey: On this show, I talk an awful lot about architectural patterns that are horrifying. Let’s instead talk for a moment about something that isn’t horrifying. CHAOSSEARCH. Architecturally, they do things right. They provide a log analytics solution that separates out your storage from your compute. The data lives inside of your S3 buckets, and you can access it using APIs you’ve come to know and tolerate, through a series of containers that live next to that S3 storage. Rather than replicating massive clusters that you have to care and feed for yourself, instead, you now get to focus on just storing data, treating it like you normally would other S3 data and not replicating it, storing it on expensive disks in triplicate, and fundamentally not having to deal with the pains of running other log analytics infrastructure. Check them out today at CHAOSSEARCH.io.

I talked a lot about databases on this show. There are a bunch of reasons for that, but they mostly all distill down to that databases are, and please don't quote me on this as I'm not a DBA, where the data lives. If I blow up a web server, it can have hilarious consequences for a few minutes, but it's extremely unlikely to have the potential to do too much damage to the business. That's the nature of stateless things. They're easily replaced, and it's why the infrastructure world has focused so much on the recurring mantra of cattle, not pets.

But I digress. This episode is not about mantras. It's about databases. Today's episode of the AWS Morning Brief: Whiteboard Confessional returns to the database world with a story that's now safely far enough in the past that I can talk about it without risking a lawsuit. We were running a fairly standard three-tiered web app. For those who haven't had the pleasure because their brains are being eaten by the microservices worms, these three tiers are web servers, application servers, and database servers. It's a model that my father used to deploy, and his father before him.

But I digress. This story isn't about my family tree. It's about databases. We were trying to scale, which is itself a challenge, and scale is very much its own world. It's the cause of an awful lot of truly terrifying things. You can build an application that does a lot for you on your own laptop. But now try scaling that application to 200 million people. Every single point of your application architecture becomes a bottleneck long before you'll get anywhere near that scale, and you're gonna have oodles of fun re-architecting it as you go. Twitter very publicly went through something remarkably similar about a decade or so ago, the fail whale was their error page when Twitter had issues, and everyone was very well acquainted with it. It spawned early memes and whatnot. Today, they've solved those problems almost entirely.

But I digress. This episode isn't about scale, and it's not about Twitter. It's about databases. So my boss walks in and as we're trying to figure out how to scale a MySQL server for one reason or another, and then casually suggests that we run the database on top of NFS.

[Record Scratch]

Yes, I said NFS. That's Network File System. Or, if you've never had the pleasure, the protocol that underlies AWS’s EFS offerings, or Elastic File System. Fun trivia story there, I got myself into trouble, back when EFS first launched, with Wayne Duso, AWS’s GM of EFS, among other things, by saying that EFS was awful. At launch, EFS did have some rough edges, but in the intervening time, they've been fixed to the point where my only remaining significant gripe about EFS is that it's NFS. Because today, I mostly view NFS is something to be avoided for greenfield designs, but you've got to be able to support it for legacy things that are expecting it to be there. There is, by the way, a notable EFS exception for Fargate and using NFS with Fargate for persistent storage.

But I digress. This episode isn't about Fargate. It's about databases.

Corey: In the late 19th and early 20th centuries, democracy flourished around the world. This was good for most folks, but terrible for the log analytics industry because there was now a severe shortage of princesses to kidnap for ransom to pay for their ridiculous implementations. It doesn’t have to be that way. Consider CHAOSSEARCH. The data lives in your S3 buckets in your AWS accounts, and we know what that costs. You don’t have to deal with running massive piles of infrastructure to be able to query that log data with APIs you’ve come to know and tolerate, and they’re just good people to work with. Reach out to CHAOSSEARCH.io. And my thanks to them for sponsoring this incredibly depressing podcast.

So I'm standing there, jaw agape at my boss. This wasn't one of those many mediocre managers I've had in the past that I've referenced here. He was and remains the best boss I've ever had. Empathy and great people management skills aside, he was also technically brilliant. He didn't suggest patently ridiculous things all that often, so it was sad to watch his cognitive abilities declining before our eyes. “Now, hang on,” he said, “before you think that I've completely lost it. We did something exactly like this before at my old job, it can be done safely, sanely and offer great performance benefits.” So, I'm going to skip what happens next in this story because I was very early in my career. I hadn't yet figured out that it's better to not actively insult your boss in a team meeting, based only upon a half baked understanding of what they've just proposed. To his credit, he took it in stride, and then explained how to pull off something that sounds on its face to be truly monstrous.

Now I've doubtless forgotten most of the technical nuance here, preferring ...

AWS Billing System Go BRRRRRR

Corey Quinn — Mon, 20 Apr 2020 03:00:00 -0700

AWS Morning Brief for the week of April 20, 2020.

Whiteboard Confessional: The 15-Person Startup with 700 Microservices: A Cautionary Tale

Corey Quinn — Fri, 17 Apr 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Today, I want to rant about microservices. What are microservices you may very well ask? the broken answer to a misunderstood question. Let’s Talk about what gave rise to microservices: specifically monoliths. that is generally what predated microservices as a design pattern. And by monoliths, I mean one giant codebase, the way that grandpa used to build things. back then Git wasn’t a thing. Subversion and Perforce ruled the day, and everyone wore a pair of fighting trousers to work in the morning. The problem with monoliths was that it’s challenging in the extreme, culturally, to have a whole host of developers working on the same codebase. one person’s change can inadvertently break the build for the other 5000 engineers all working on that same codebase, and with the various version control systems that were heavily in use before Git became usable by mere mortals. There weren’t a lot of workflows that made it easy to have multiple people collaborate on the same system.

So microservices, for that and a few other reasons, became suggested as a way of solving for this problem. breaking apart those ancient monoliths into functional microservices where each item does one thing began to make a lot of sense. And it solves for a political problem super neatly. You want each team responsible for a given microservice, And that promise is compelling. Because in theory, if you think about this, if you build a microservice and you publish what data that service takes in and in what format it needs to be, and what it will return in response to having that data sent to it, then what your microservice does to achieve its goal and how it works doesn’t matter at all to anyone else. You can replace the database, you can move to serverless, or containers, or punch cards. It doesn’t really matter how it does the work, just so long as the work gets done in the way that is published. And whatever decisions you make, only ever impact your own team as far as how those things get done. So the sky’s the limit, you don’t have to really focus on collaborating with folks the way that you once had. As long as that API remains stable, the sky remains the limit. So suddenly, your 5000 developers are now able to not be tightly coupled to one another and can do all kinds of things and move way faster. It’s a great model. But it’s also a problem. Why?

The problem is that this works super well for places with thousands of engineers all working on one product. But then Hacker News got a hold of it, And because it’s Hacker News, it took exactly the wrong lessons from this approach and instead started embracing this pattern where it was patently ridiculous, rather than helpful. Now, as a result of this, you see startups out there with 700 microservices, but somehow only 15 employees. Where’s the sense in that? As a result, you have massive sprawl, an awful lot of duplicate work, and no real internal standards in many cases. And as a result, this misguided belief that everything should look architecturally like Google’s internal systems, Despite the fact that your entire application could run on a single computer from 2012 without breaking a sweat. Even Google would argue that its internal systems should not look like Google’s internal systems, but technical debt is a thing and the choices we make constrain what we’re able to do. The problem here is that microservices fundamentally are tied to solving a political problem by a technical means. It’s about how to make people work more effectively. And this somehow instead became a technical best practice. It’s not, not for everyone. It introduces complexity. It leads to scenarios where no one, absolutely no one has all of the various moving parts in their head. It’s prime material for here on the whiteboard confessional Because when you truly embrace microservices, your whiteboards are always full of things that nobody understands. It ties into the larger problem of building things in service to your own resume, or to your engineering department or to the world practice of engineering as some abstract ideal, rather than in service to The business needs that your company exists entirely to cater to. Plus, when you have oodles of microservices hanging around everywhere, First you have a library problem of which service does what. no one knows, And if you ever track it down, great, each one of those services also needs to be monitored....

Goldilocks and the Three Elastic Beanstalk Consoles

Corey Quinn — Mon, 13 Apr 2020 03:00:00 -0700

AWS Morning Brief for the week of April 13, 2020.

Whiteboard Confessional: The Rise and Fall of the T-Shaped Engineer

Corey Quinn — Fri, 10 Apr 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey Quinn: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semi-polite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real-world forces us to build, and that the best to call your staging environment is “theory”. Because invariably whatever you’ve built works in the theory, but not in production. Let’s get to it.

For a long time now, I’ve been a believer in the idea of the T-shaped engineer. And what I mean by that is that you should be broad across a wide variety of technologies, but deep in one or two very specific areas. So, it looks a bit like a T, or an inverted T, depending upon how you wind up visualizing that. I’m describing this with words. I don’t have a whiteboard in front of me. Use your imagination, you’ll be okay. The point being is that whenever you’re working in a new environment, or on a new problem, having a broad base of technologies of which you’re aware, is incredibly useful to fall back upon. Now, the reason to be super deep in one or two areas, is that specialization is generally what lets people charge more for various services. People want to hire domain-specific expertise for an awful lot of problems that they want to get solved. So, having something that you can bring into job interviews and more or less mop the floor with people asking questions around that domain is an incredibly valuable thing to have.

But that has some other consequences too. And that’s what today’s episode of The Whiteboard Confessional is talking about. Back in my first Unix admin job, I busily began upgrading a whole lot of the infrastructure and ripping out very early Red Hat Enterprise Linux and CentOS version 4 systems and replacing them with the one true operating system, which, of course, is FreeBSD. And I had a litany of explanation as to why it was the best option, what it could do for various problems, and why there was just absolutely no comparison between FreeBSD and anything else. I could justify it super easily, and the real defense mechanism here was that people get really, really, really tired of talking to zealots, so no one kept questioning me. They just basically said, “Fine, whatever,” and got out of the way. Years later, I decided to focus on something that wasn’t an esoteric operating system to go super deep in, and that’s right, I picked SaltStack, which is configuration management done right, tied to remote execution.

I’d worked with Puppet, I’d tolerated CFEngine, but I had a bunch of angry loud opinions about it and SaltStack was absolutely the way and the light. So, in the company I was working at at that time, I rolled it out everywhere, and our entire provisioning and configuration management process was run through SaltStack. And I could come up with a whole litany of reasons why this was the right answer, and that no one else was going to be able to come close to what the ideal correctness that SaltStack provided. And people eventually stopped arguing with me, because they had better things to do than argue with a zealot about which configuration management system was the right one to go with. I’ve also talked on previous episodes of the show about using ClusterSSH. And this was before I discovered the religion that was configuration management.

It was the right answer, because rather than having to run a for loop with shell scripting, which was suboptimal for a wide variety of reasons, and I would explain to everyone why it was suboptimal. So, again, they shrugged, got out of the way and let me use ClusterSSH. And a similar pattern happened when I was working with large scale storage. NetApp was the right answer for all of our enterprise storage needs because let’s face it, it wasn’t my money. And when it comes to NFS, even today, they are head and shoulders above anything else in the space. And then eventually, it turned to AWS. And for a while, I want to say around 2014, 2015, I would tell you why AWS was the right answer for every problem. What challenge are you trying to work with? Well, AWS has an answer for that, because of course, they do. Their product strategy is, “yes”. Now, what do all of those independent stories have in common? Great question. Let’s talk about that. But first…

The problem is, is that everything I just mentioned, was a pet technology, or a pet company. Something that I had taken the time to get deep in and learn. And therefore, it became my de facto answer for a...

Amazon Detective and the Case of the Giant AWS Bill

Corey Quinn — Mon, 06 Apr 2020 03:00:00 -0700

AWS Morning Brief for the week of April 6, 2020.

Whiteboard Confessional: My Metaphor-Spewing Poet Boss & Why I Don’t Like Amazon ElastiCache for Redis

Corey Quinn — Fri, 03 Apr 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey Quinn: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semi-polite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real-world forces us to build, and that the best to call your staging environment is “theory”. Because invariably whatever you’ve built works in the theory, but not in production. Let’s get to it.

When you walk through an airport—assuming that people still go to airports in the state of pandemic in which we live—you’ll see billboards saying, “I love my slow database, says no one ever.” This is an ad for Redis. And the unspoken implication is that everyone loves Redis. I do not. In honor of the recent release of Global DataStore for Amazon ElastiCache for Redis. Today I’d like to talk about that time ElastiCache for Redis helped cause an outage that led to drama. This was a few years back and I worked at a B2B company—B2B of course, meaning business-to-business. We were not dealing direct-to-consumer—I was a different person then, and it was a different time, specifically, the time was late one Sunday evening, and my phone rang. This was atypical because most people didn’t have that phone number. At this stage of my life, my default answer when my phone rang was, “Sorry, you have the wrong number.” If I wanted phone calls, I’d have taken out a personals ad. Even worse when I answered the call, it was work. Because I ran the ops team, I was pretty judicious in turning off alerts for anything that wasn’t actively harming folks. If it wasn’t immediately actionable and causing trouble, then there was almost certainly an opportunity to be able to fix it later during business hours. So, the list of things that could wake me up was pretty small. As a result, this was the first time that I had been called out of hours during my tenure at this company, despite having spent over six months there at this point, so who could possibly be on the phone but my spineless coward of a boss? A man who spoke only in metaphor, we certainly weren’t social friends because who can be friends with a person like that?

“What can I do for you?” “As the roses turn their faces to the sun, so my attention turned to a call from our CEO. There’s an incident.” My response was along the lines of, “I’m not sure what’s wrong with you, but I’m sure it’s got a long name, it is incredibly expensive to fix.” Then I hung up on him and dialed into the conference bridge. It seemed that a customer had attempted to log into our website recently and had gotten an error page, and this was causing some consternation. Now, if you’re used to a B2C or business-to-consumer environment, that sounds a bit nutty because you’ll potentially have millions of customers. If one person hits an error page, that’s not CEO level of engagement. One person getting that error is, sure it’s still not great, but it’s not the end of the world. I mean, Netflix doesn’t have an all hands on deck disaster meeting when one person has to restart a stream. In our case, though, we didn’t have millions of customers, we had about five and they were all very large businesses. So, when they said jump, we were already mid-air. I’m going to skip past the rest of that phone call in the evening because it’s much more instructive to talk about this with the clarity lent by the sober light of day the following morning. And the post mortem meeting that resulted from it. So, let’s talk about that. After this message from our sponsor.

So, in hindsight, what happens makes sense, but at the time when you’re going through an incident, everything’s cloudy, you’re getting conflicting information. And it’s challenging to figure out exactly what the heck happened. As it turns out, there were several contributing factors, specifically four of them. And here’s the gist of what those four were.

Number one, we used Amazon ElastiCache for Redis. Really, we were kind of asking for trouble. Two, as tends to happen with managed services like this, there was a maintenance event that Amazon emailed us about. Given that we weren’t completely irresponsible, we braved the deluge of marketing to that email address, and I’d caught this and scheduled it in the maintenance calendar. In fact, we specifically were allowed to schedule when that maintenance took place. So, we scheduled it for a weekend. In hindsight: mistake. When you’re having maintenances like this happen, you want to make sure that they take place when there are people around to keep an eye on things.

Three, the maintenance was supposed to be invisible. The way that Amazon ElastiCache for Redis works is you have clusters, and you have a primary and you have a replica. The way that they do maintenances is they wind up updating the rep...

The "AWS For God's Sake Leave Me Alone" Service

Corey Quinn — Mon, 30 Mar 2020 03:00:00 -0700

AWS Morning Brief for the week of March 30, 2020.

Whiteboard Confessional: Console Recorder: The Thing AWS Should Have Built

Corey Quinn — Fri, 27 Mar 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey Quinn: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semi-polite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real-world forces us to build, and that the best to call your staging environment is “theory” because invariably, whatever you’ve built works in the theory, but not in production. Let’s get to it.

You’ll notice that I periodically refer to various friends of the show as code terrorists. It’s never been explained, until now, exactly what that means and why I use that term. So, today, I thought I’d go ahead and help shine a little bit of light on that. One of the folks that I refer to most frequently is Ian Mckay, a fine gentleman based out of Australia. And he’s built something that is both amazing and terrible all at the same time, called Console Recorder. But let me back up before I dive into this monstrosity. Let’s talk about how we get things that we build in AWS into production. There are basically four tiers. Tier one is using the AWS web console itself, we click around and we build things. Great. Tier two is we use CloudFormation like sensible folks. Tier three is Terraform with all of its various attendant tooling, and then there’s the ultra tier four that I do, which is we use the AWS console and then we lie about it. Some folks are gonna play around here and say that oh, you should use the CDK, or something like that, or custom scripts that wind up spinning up production.

And all of those are well and good, but only recently did CloudFormation release the ability to import existing resources. And even then, much like Terraform import, it’s pretty gnarly and not at all terrific. So, what do you wind up generally doing? Well, if you’re like me, you’ll stand up production resources inside of an AWS account. You will click around in the console—I always start with the console, not because I don’t know how these other tools work, that’s a side point, but rather because that helps me get a sense for how these services are imagined by the teams building them. They tend to assume that everyone who interacts with them is going to go through the console at some point, or at least they should. So, it gives me access and exposure to what their vision of this service is. Then once you’ve built something up, it often finds its way into production, if you at all like me, where I’ll spin something up just to test something and it works, and oh my stars, and suddenly you just want to get it out and not worry about it, so you don’t go back and rebuild it properly.

So, now you’re left with this hand-built thing that’s just flapping around out there in production. What are you supposed to do? Well, according to the AWS experts, if we’re allowed to use that term to describe them, you’re supposed to smack yourself on the forehead, be convinced that you’re fundamentally missing the boat here, throw everything you’ve just built away and go back and do it properly. Which admittedly seems a little bit on the nose for those of us who’ve done exactly this far more times over the course of our career than we would care to count. So, today, however, I posit that there’s an alternate approach that doesn’t require support from AWS, which, to be honest, long ago seems to have given up on solving this particular problem in a way that human beings can understand. And I’d like to tell you about that, after this brief message from our sponsor.

This brings us back to where we started this conversation, with defining what a code terrorist was and pointing out Ian Mckay, out of Australia, who’s built something absolutely terrifying called Console Recorder for AWS. And this is a browser extension that works in Chrome, it works in Firefox, possibly others I stopped looking after those two. And what it does is you click a button in your browser when you start doing something inside the AWS console, and it does exactly what it says it would on the tin, where it starts recording what you’re doing. Their icon turns to a bright red record symbol, and you do whatever it is you’re going to do to spin something up. When you’re done, you hit the button again and say stop recording, and it opens a brand new tab.

...

Watch Your Bill or They'll CloudWatch It For You

Corey Quinn — Mon, 23 Mar 2020 03:00:00 -0700

AWS Morning Brief for the week of March 23, 2020.

Whiteboard Confessional: Configuration MisManagement

Corey Quinn — Fri, 20 Mar 2020 03:00:00 -0700

About Corey Quinn

Show Notes

CHAOSSEARCH.io
Twitter: https://twitter.com/QuinnyPig

Transcript

Historically, many best practices were, in fact, best practices. But over time, the way that we engage with systems changes. The problems that we’re trying to solve for start resembling other problems. And, at some point entire industries shift. So, what you should have been doing five years ago is not necessarily what you should be doing today. Today, I’d like to talk a little bit about not one or two edge case problems, as I have in previous editions of the Whiteboard Confessional, but rather, I want to talk about an overall pattern that’s shifted. And that shift has been surprisingly sudden, yet gradual enough that you may not entirely have noticed. This goes back into, let’s say 2012, 2013, and is in some ways the story of how I learned to speak publicly. So this is indirectly one of the origin stories of me as a podcaster, and continuing to engage my ongoing love affair with the sound of my own voice. I was one of the very early developers behind SaltStack. Salt, for those who are unfamiliar, is a remote execution framework slash configuration management system that let me participate in code development. It turns out that when you have a pattern of merging every random pull request that some jackass winds up submitting, and then immediately submitting a follow up pull request that fixes everything you just merged in, it’s, first, not the most scalable thing in the world, but on balance provides such a wonderful welcoming community, that people become addicted to participating in it. And SaltStack nailed this in the early days.

Now, before this, I’d been focusing on configuration management in a variety of different ways. Some of the very early answers for this were CFEngine, which was written by an academic and is exactly what you would expect an academic to write. It feels more theoretical than it does something that you would want to use in production. But okay, Bcfg2 was something else in this space, and the fact that that is its name tells you everything you need to know about how user-friendly that was. And then the world shifted. We saw Puppet and Chef both arise. You can argue which came first, I don’t care enough in 2020 to have that conversation. But they wound up promoting a model of a domain-specific language, in Puppet’s case, versus chef where they decided, “All right, great, we’re gonna build this stuff out in Ruby.” From there, we then saw a further evolution of Ansible and SaltStack, which really round out the top four. Now, all of these systems fundamentally do the same thing, which is how do we wind up making the current state of a given system look like it should? That means, how do you make sure that certain packages are installed across all of your fleet? How do you make sure that the right users exist across your entire fleet? How do you guarantee that there are files in place, that have the right contents? And when the contents of those files change, how do you restart services? Effectively, how do you run arbitrary commands and converge the state of a remote system so it looks like it should? Because trying to manage systems at scale is awful.

You heard in a previous week what happened when I tried to run this sort of system by using a Distributed SSH client. Yeah, it turns out that mistakes are huge and hard to fix. This speaks toward the direction of moving into cattle instead of pets when it comes to managing systems. And all of these systems more or less took a different approach to it. And some were more aligned with how I saw the world than others did. So I started speaking about SaltStack back in 2012 and giving conference talks. The secret to giving a good conference talk, of course, is to give a whole bunch of really terrible ones first, and woo boy were these awful. I would put documentation on the slides. I would then read the documentation to people frantically trying to teach folks the ins and outs of a technical system in 45 minutes or less. It was about as engaging as it probably sounds like. Over time, I learned not to do that, but because no one else was speaking about SaltStack I was sort of in a rarefied position of being able to tell a story, and learn to tell stories, about a platform that I was passionate about, as it engaged a larger and larger community. Now, why am I talking about all of this on the Whiteboard Confessional? Excellent question.

But first, in the late 19th and early 20th centuries, democracy flourished around the world. This was good for most folks, but terrible for the log analytics industry because there was now a severe shortage of princesses to kidnap for ransom to pay for their ridiculous implementations. It doesn’t have to be that way. Consider CHAOSSEARCH. The data lives in your S3 buckets in your AWS accounts, and we know what that costs. You don’t have to deal with running massive piles of infrastructure to be able to query that log data with APIs you’ve come to know and tolerate, and they’re just good people to work with. Reach out to CHAOSSEARCH.io. And my thanks to them for sponsoring this incredibly depressing podcast.

The reason I bring up configuration management across the board is not because I want to talk about the pattern of doing terrible things within it, and oh, the...

The Saddest Kubernetes Hanukkah

Corey Quinn — Mon, 16 Mar 2020 03:00:00 -0700

AWS Morning Brief for the week of March 16, 2020.

Whiteboard Confessional: Everything's a Database Except SQLite

Corey Quinn — Fri, 13 Mar 2020 03:00:00 -0700

About Corey Quinn

Links

Transcript

Corey Quinn: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semipolite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real world forces us to build, and that the best to call your staging environment is “theory”. Because invariably whatever you’ve built works in the theory, but not in production. Let’s get to it.

Many things make fine databases that replicate data from one place to another, that takes various bits of data and puts them where they need to go. Other things do not make fine databases that do such things. Let’s talk about one of those today. For those who have never had the dubious pleasure of working with it, SQLite is a C library that implements a relational database engine. And it’s pretty awesome. It’s very clearly not designed to work in a client-server fashion, but rather to be embedded into existing programs for local use. In practice, that means that if you’re running SQLite, that’s S-Q-L-I-T-E, your database backend is going to be a flat-file or something very much like that, that lives locally.

This is technology used all over the place, and mobile apps and embedded systems, in web apps for some very specific things. But that’s not quite the point. I once worked somewhere that decided to build a replicated environment that was active, active, active, across three distinct data centers. You would really hope that that statement was a non sequitur. It’s not. If you were to picture Hacker News coming to life as a person, and that person decided to design a replication model for a database from first principles, you would be pretty close to what I have seen. By taking a replicated model that runs on top of SQLite, you can get this to work, but the only way to handle that—because there’s no concept of client-server, as mentioned—so you have to kick all of the replication and state logic from the database layer, where it belongs up, into the application code itself, where it most assuredly does not belong. The downside of this—well, there are many downsides, but let’s start with a big one that this is not even slightly what SQLite was designed to do at all.

However, take a startup that decides if there’s one core competency they have, it’s knowing better than everyone else; this is that story. Now, I am obviously not a developer, and I’m certainly not a database administrator. I was an ops person, which means that a lot of the joy of various development decisions fell to whatever group I happened to be in at that point in time. It turns out that when you run replicated SQLite as a database, that you have to get around an awful lot of architectural pain points by babying this thing something fierce. There are a number of operational problems that going down a path like this will expose. Let me explain what some of them look like, after this.

I’m not going to engage in a point-by-point teardown of this replicated SQLite as primary datastore Eldritch Horror. My favorite database personally remains Route 53, and even that’s a better plan than this monstrosity. I’m not going to tackle point-by-point, everything that made this horrifying thing, come to life, so awful to deal with. Anyone who runs this at any sort of scale for more than a week is going to discover a lot of these on their own. But I am going to cherry-pick a few things that were problematic about it. Remember back in the days of Windows, when things would get slow and crappy, and you had to basically restart your machine while the disk defragmented forever? Yeah, it turns out that most database systems have the same problem. The difference is, is that reasonable adult-level database systems that have human beings who are used to how this stuff works, tend to put that underneath the hood, so you don’t really have to think about this.

With SQLite, it wasn’t really designed for this sort of use case. So you get to wind up playing these games yourself, which is just an absolute pleasure and a joy, except the exact opposite of that. Which means that every node periodically has to be taken down in a rotation after, in our case about a week or so, or it would start chewing disk, it would take forever to start returning the results to some queries, and the performance of the entire site would wind up slamming to a halt. So, you have to make people aware that this exists. When we first discovered that it was fun. The problem here is that what you’re doing is speaking to a larger problematic pattern. Namely, you’re forcing what has historically been a low-level function that even most operations people don’t need to know or care about, into something that is now at the forefront of every developer’s mental model of the application. And if they forget that this is one of the things that has to happen, woe be unto them. Further, it should be pretty freakin’ obvious by now, by everything I’ve de...

Nothing’s Certain but Death and Distinguished Engineers

Corey Quinn — Mon, 09 Mar 2020 03:00:00 -0700

AWS Morning Brief for the week of March 9, 2020.

Whiteboard Confessional: Scaling Databases in a Single Bound

Corey Quinn — Fri, 06 Mar 2020 03:00:00 -0800

About Corey Quinn

Links

Transcript

Corey: Corey: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semipolite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real world forces us to build, and that the best to call your staging environment is “theory”. Because invariably whatever you’ve built works in the theory, but not in production. Let’s get to it.

But first… On this show, I talk an awful lot about architectural patterns that are horrifying. Let’s instead talk for a moment about something that isn’t horrifying. CHAOSSEARCH. Architecturally, they do things right. They provide a log analytics solution that separates out your storage from your compute. The data lives inside of your S3 buckets, and you can access it using APIs you’ve come to know and tolerate, through a series of containers that live next to that S3 storage. Rather than replicating massive clusters that you have to care and feed for yourself, instead, you now get to focus on just storing data, treating it like you normally would other S3 data and not replicating it, storing it on expensive disks in triplicate, and fundamentally not having to deal with the pains of running other log analytics infrastructure. Check them out today at CHAOSSEARCH.io.

So I’m going to deviate slightly from the format that I’ve established so far on these Friday morning whiteboard confessional stories, and talk instead about a pattern that has tripped me and others up more times than I care to remember. So it’s my naive hope that by venting about this for the next 10 minutes or so, I will eventually be able to encounter an environment where someone hasn’t made this particular mistake. And what mistake am I talking about? Well, as with so many terrifying architectural patterns, it goes back to databases. You decide that you’re going to write a small toy application, You’re probably not going to turn this into anything massive. And in all honesty, baby seals will probably get more hits than whatever application you’re about to build will. So you don’t really think too hard about what your database structure is going to look like. You spin up a database, you define the database endpoint inside the application, and you go about your merry way. Now, that’s great. Everything’s relatively happy, and everything we just described will work. But let’s say that you hit that edge or corner case where this app doesn’t fade away into obscurity. In fact, this turns out to have some legs, the thing that you’re building now has attained business viability or is at least seeing enough user traffic that it now has to worry about load.

So you start taking a look at this application because you get the worst possible bug reports six to eight months later; it’s slow. Where do you start looking when something is slow? Well, personally, I start looking at the bar, because that is a terribly obnoxious problem to have to troubleshoot. There are so many different ways that latency can get injected into an application. You discover the person reporting the slowness is on the other side of the world with satellite internet connection that they’re apparently trying to set up to the satellite with a tin can and a piece of very long string. There’s a lot of failure states here that you get to start hunting down. The joys of latency hunting. But in many cases, the answer is going to come down to, oh, that database that you defined is now no longer up to the task. You’re starting to bottleneck on that database. Now, you can generally buy your way out of this problem by scaling up whatever database you’re using. Terrific, great, it turns out that you can just add more hardware, which in a time of cloud, of course, just means more money and a bit of downtime while you scale the thing up, but that gets you a little bit further down the road. Until the cycle begins to rinse and repeat, and it turns out, there are only instances that are so large that you’ll be able to get to power databases. Also, they’re not exactly inexpensive. Now, I would name exact sizes of what those databases might look like. But this is AWS, they’re probably going to release at least five different instance families and sizes, by the time I finish recording this. But it gets published later at the end of the week. So instead, there is an alternative here, and it doesn’t take much from an engineering or design perspective when you’re building out one of these silly toy apps that will never have to scale. What is that fix, you might wonder? Terrific question. Let me tell you in just a minute.

So this is a pattern that increasingly, modern frameworks are recommending, but a number of them don’t. And I’m not going to name names, because I don’t want to wind up in a slap and tickle fight around which frameworks are good versus which frameworks are crappy. You can all make your own decisions around that. But the pattern that makes sense for this is even when you’re beginning with a toy app, go ahead and define two database endpoints, one for reads, And one for writes. Invariably, this is going to solve a whole host of problems with most database technologies. If you take a look at most applications, and yes, I know there are going to be exceptions to this, they tend to bottleneck on reads. If you have just a single database or database cluster, then all of the read traffic gets in the way of being able to write to that. That includes things that don’t actually need to be in line with the rest of what the application is doing. If you can have a read replica that’s used for business analytics, great. Your internal business teams can beat the living crap out of that database replica without damaging anything that’s in the critical path of serving users. And the writes can then go specifically to the primary node, w...

Amazon Transcribe Gets

Corey Quinn — Mon, 02 Mar 2020 03:00:00 -0800

AWS Morning Brief for the week of March 2, 2020.

Whiteboard Confessional: How Cluster SSH Almost Got Me Fired

Corey Quinn — Fri, 28 Feb 2020 03:00:00 -0800

About Corey Quinn

Links

Transcript

Corey: On this show, I talk an awful lot about architectural patterns that are horrifying. Let’s instead talk for a moment about something that isn’t horrifying. CHAOSSEARCH. Architecturally, they do things right. They provide a log analytics solution that separates out your storage from your compute. The data lives inside of your S3 buckets, and you can access it using APIs you’ve come to know and tolerate, through a series of containers that live next to that S3 storage. Rather than replicating massive clusters that you have to care and feed for yourself, instead, you now get to focus on just storing data, treating it like you normally would other S3 data and not replicating it, storing it on expensive disks in triplicate, and fundamentally not having to deal with the pains of running other log analytics infrastructure. Check them out today at CHAOSSEARCH.io.

So, once upon a time, way back in the mists of antiquity, was a year called 2006. This is before many folks listening to this podcast were involved in technology. And I admit as well that it is also several decades after other folks listening to this podcast got involved in technology. But that’s not the point of this story. It was my first real job working in anything resembling a production-style environment. I’d dabbled before this, running various environments on Windows desktop style support. I’d played around with small business servers for running Windows-style environments. And then I decided there wasn’t much of a future in technology and spent some time as a technical recruiter, spent a little bit more time working in a sales role, which I was disturbingly good at, but I was selling tape drives to people. But that’s not the interesting part of the story. What is, is that I somehow managed to luck my way into a job interview for a university, helping to run their Linux and Unix systems.

Cool. Turns out that interviewing is a skill like any other. The technical reviewer was out sick that day, and they really liked both the confidence of my answers, as well as my personality. That’s two mistakes right there. One; my personality is exactly what you would expect it to be. And two; hiring the person who sounds the most confident is exactly what you don’t want to do. It also tends to lend credence to people who look exactly like me. So I had converted some systems over in the first few months for that role to FreeBSD, which is like Linux, except it’s not Linux. It’s a Unix and it’s far older, derived from the Berkeley software distribution. and managing a bunch of those systems at scale was a challenge. Now understand, in this era scale meant something radically different than it does today. I had somewhere between 12 and 15 nodes that I had to care about. Some more mail servers. Some were NTP servers, of all things. Utility boxes here and there, the omnipresent web servers that we all dealt with, the Cacti box whose primary job was to get compromised and serve as an attack vector for the rest of the environment, etcetera.

This was a university. Mistakes didn’t necessarily mean the same thing there as they would in revenue-generating engineering activities. I was also young, foolish, and the statute of limitations is almost certainly expired by now. So, running the same command on every box was annoying. This was in the days before configuration management was really a thing. BCFG2 was out there and incredibly complex. And CFEngine was also out there, which required an awful lot of in-depth arcane knowledge that I frankly didn’t have. Remember, I bluffed my way into this job and was learning on the fly. So I did a little digging and, lo and behold, I found a tool that solved my problems. called ClusterSSH. And oh, was it a cluster. The way that this works was that it would spin up different xterm windows on your screen that you could then provide a list of hosts for, and it would open one for every host you gave it.

Great. So now I’m logged into all of those boxes at once. If this is making you cringe already, it probably should, because this is not a great architectural pattern. But here we are, we’re telling this story, so you probably know how that worked out. One of the intricacies of FreeBSD is that instead of running systems that turn things on or turn things off, as far as services to start on boot. For example, with Red Hat derived systems, before the dark times of systemd, you could write things like chkconfig, that’s C-H-K, the word config, and then you could give a service and tell it to turn it on or off at certain run levels. This is how you would tell it to, for example, start the webserver when you boot, otherwise, you reboot the system, the webserver does not start, and you wonder why TCP now terminates on the ground. This was all controlled via a single file—/etc/rc.conf. That controlled which services were allowed to start, as well as which services were going to be started automatically on boot. It would generally be a boolean value provided to the particular service name.

Well, I was trying to do something, probably, I want to say, NTP related, but don’t quote me on that, where I wanted to enable a certain service to start on all of the systems at once. So I typed a command, specifically echoing the exact string that I wanted in quotes, so it would be quoted appropriately, and then with the right angle bracket, to that file—/etc/rc.conf, and then I pressed enter. Now, for those who are unaware of Unix-isms and how things work shell, a single right angle bracket means overwrite this file, two angle brackets say append to the end of this file. I was trying to get the second one, and instead, I wound up getting the first. So suddenly, I had just rewritten all of those files across every server. Great plan, huh? Well, I realized what I’d done as soon as I checked my work to validate that the system had taken the update appropriately, it had not, it had taken something horrifying up instead. What happened next? Great question.

RSA Thinks AWS Firewall Manager is a Job Title

Corey Quinn — Mon, 24 Feb 2020 03:00:00 -0800

AWS Morning Brief for the week of February 24, 2020.

Whiteboard Confessional: Route 53 DB

Corey Quinn — Fri, 21 Feb 2020 03:00:00 -0800

About Corey Quinn

Transcript

Corey: Welcome to AWS Morning Brief: Whiteboard Confessional. I’m Cloud Economist Corey Quinn. This weekly show exposes the semipolite lie that is whiteboard architecture diagrams. You see, a child can draw a whiteboard architecture, but the real world is a mess. We discuss the hilariously bad decisions that make it into shipping products, the unfortunate hacks the real world forces us to build, and that the best to call your staging environment is “theory”. Because invariably whatever you’ve built works in the theory, but not in production. Let’s get to it.

But first… On this show. I talk an awful lot about architectural patterns that are horrifying. Let's instead talk for a moment about something that isn't horrifying: CHAOSSEARCH. Architecturally, they do things right. They provide a log analytics solution that separates out your storage from your compute. The data lives inside of your S3 buckets and you can access it using API's you've come to know and tolerate through a series of containers that live next to that S3 storage. Rather than replicating massive clusters that you have to care and feed for yourself, instead, you now get to focus on just storing data, treating it like you normally would other S3 data and not replicating it, storing it on expensive discs in triplicate and fundamentally not having to deal with the pains of running other log analytics infrastructure. Check them out today at chaossearch.io.

I frequently joke on Twitter about my favorite database being Route 53, which is AWS’s managed database service. It’s a fun joke, to the point where I’ve become Route 53’s de facto technical evangelist. But where did this whole joke come from? It turns out that this started life as an unfortunate architecture that was taken in a terrible direction. Let's go back in time, at this point almost 15 years from the time of this recording, in the year of our Lord 2020. We had a data center that was running a whole bunch of instances—in fact, we had a few data centers, or datas center, depending upon how you chose to pluralize, that’s not the point of this ridiculous story. Instead what we’re going to talk about is what was inside these data centers. In this case, servers.

I know, server-less fans, clutch your pearls, because that was a thing that people had many, many, many years ago. Also known as roughly 2007. And on those servers there was this new technology that was running and was really changing our perspective of how we dealt with systems. I am, of course, referring to the amazing transformative revelation known as virtualization. This solved the problem of computers being bored and not being able to process things in a parallelized fashion—because you didn’t want all of your applications running on all of your systems—by building artificial boundaries between different application containers, for a lack of a better term.

Now in these days, these weren’t applications. These were full-on virtualized operating systems, so you had servers running inside of servers, and this was very early days. Cloud wasn’t really a thing. It was something that was on the horizon, if you’ll pardon the pun. So, this led to an interesting question of, “All right. I wound up connecting to one of my virtual machines, and there’s no good way for me to tell which physical server that virtual machine was connecting to.” How could we solve for this? Now, back in those days, with the Hypervisor technology we used, which was Xen, that’s X-E-N—it’s incidentally the same virtualization technology that AWS started out with for many years before releasing their Nitro Hypervisor, which is KVM derived, a couple of years ago. Again, not the point of this particular story. And one of the interesting pieces about how this works was that Xen doesn’t really expose anything, at least in those days, that you could use to query the physical host it was running on.

So, how would we wind up doing this? Now, at very small scale where you have two or three servers sitting somewhere, it’s pretty easy. You log in and you can check. At significant scale, that starts to get a little bit more concerning. How do you figure out which physical host a virtual instance is running on? Well, there’s a bunch of schools of thought you can approach this from. But what you’re trying to build is known, technically, as a configuration management database, or CMDB. This is, of course, radically different from configuration management, such as Puppet, Chef, Ansible, Salt, and other similar tooling. But, again, this is technology, and naming things has never been one of our collective strong suits. So, what do we wind up doing? You can have a database, or an Excel spreadsheet, or something like that that has all of these things listed, but what happens when you then wind up turning an old instance off, and spinning up a new instance on a different physical server? These things become rapidly out-of-date. So, what we did was sort of the worst possible option. It didn’t solve for all of these problems, but at least was able to address what we wound up doing. At least, let us address what the perceived problem was, in a way that is, of course, architecturally terrible, or it wouldn’t have been on this show.

DNS has a whole bunch of interesting capabilities. You can view it, more or less, as the phone number for the internet. It translates names to numbers. Fully qualified domain names, in most cases, to IP addresses. But it does more than that. You can query IP address and wind up getting the PTR, or reverse record, that tells you what the name of a given IP address is, assuming that they match. You can set those to different things, but that’s a different pile of madness that I’m certain we will touch upon a different day. So, what we did is we took advantage of a little-known record type known as TXT, or text, record. You can put arbitrary strings inside of TXT records and then consume them programmatically, or use a whole bunch of different things. One of the ways that we can use that, that isn’t patiently ridiculous is, domains generally have TXT records that contain their SPF record, which shows which systems are authorized to send mail on their behalf as an anti-spam measure. So, if you have something else that starts claiming to send email from your domain that isn’t authorized, that gets flagged as spam by many receiving servers.

We misused TXT records, because there is no limit, really, to how many TXT records you can have, and wound up using that as our configuration management database. So, you could query a given instance, we’ll call it webserver003.production.losangeles.company.com, which was our naming scheme for these things, and it would return a record that was itself a fully qualified domain name, but it was the name of the physical host on top of which it was running. So, yeah, we could then propagate that, as we could with any other DNS records, to other places in the ...

EBS Gets Overly Multi-Attached

Corey Quinn — Mon, 17 Feb 2020 03:00:00 -0800

AWS Morning Brief for the week of February 17, 2020.

Polly Brand Voice Want a Platypus?

Corey Quinn — Mon, 10 Feb 2020 03:00:00 -0800

AWS Morning Brief for the week of February 10, 2020.

Networking in the Cloud Fundamentals: BGP Revisited with Ivan Pepelnjak

Corey Quinn — Thu, 06 Feb 2020 03:00:00 -0800

About Corey Quinn

Transcript
Corey: Hello and welcome to our Networking In The Cloud mini series, sponsored by ThousandEyes. That's right. There may be just one of you, but there are a thousand eyes. On a more serious note, ThousandEyes has sponsored their cloud performance benchmarking report for 2019, at the end of last year, talking about what it looks like when you race various cloud providers. They looked at all the big cloud providers and determined what does performance look like from an end user perspective? What does the user experience look like among and between different cloud providers? To get your copy of this report, you can visit snark.cloud/realclouds. Why real clouds? Well, because they raced AWS, Azure, GCP, IBM Cloud, and Alibaba, all of which are real clouds. They did not include Oracle cloud because, once again, they are real clouds. Check out your copy of the report at snark.cloud/realclouds.

Welcome to week 12 of the Networking In The Cloud mini series of the AWS Morning Brief, sponsored by ThousandEyes. So one of the early episodes of the Networking In The Cloud mini series had me opining and relatively uninformed broad brush strokes about the nature of BGP. Today I am joined by Ivan Pepelnjak, who is a former CCIE who wrote a fascinating blog post that I will link to in the show notes, saying, "This is great, but this is what happens when someone who's good at one thing steps completely out of their comfort zone into things they don't fully understand and start opining confidently, if not authoritatively." Ivan, thank you for taking the time to speak with me.

Ivan: Thanks for having me on. And no, I was way more polite than your summary.

Corey: Absolutely. I believe that there's a way to tell a story of the hero's journey that everyone talks about when they're building a narrative arc. Instead, I go for the moron's journey and I always like to be the moron because, generally, I tend to be, and as I walk through the world and get things sometimes right, occasionally wrong, I love being corrected when I stumble blindly into an area I don't know. First because it gives me an opportunity to learn something new, which is great, but it also gives me that opportunity to be the dumbest person in the room again, which is awesome. So...

Ivan: That's exactly why I blog to get your opinions.

Corey: Exactly. You have data, I have opinions and mine are louder seems to be the way that discourse works in the modern era. So from a high level, what did I get wrong about BGP?

Ivan: Well, you got everything right about the mess that we are in and the fragility of the generic internet infrastructure. The only thing you got wrong was that you blamed the tool, but not people using the tool.

Corey: It always feels like it's safer, on some level, to blame technology because if the takeaway is, "Well, the user experience around tool X isn't great, and that adds a contributing factor to why things break." That seems to be a message that carries slightly better than, "And thus the answer is for everyone to be smarter and stop screwing up." And that may very well be the answer. It's just a bitter pill to swallow sometimes. So I find blaming a tool is easy.

Ivan: Yeah, but it's like blaming the knives for people to get cut or blaming the chainsaw for people to cut off their arm because they were not properly trained.

Corey: One of my assertions was that BGP is more or less a hot mess because it was designed for an era when people on the internet fundamentally could trust one another and that doesn't seem to be the case today. The analogy in my mind, that I don't think I mentioned, was SMTP, the the email protocol, for lack of a better term. When that was built, the internet was more or less comprised of researchers and who in the world would ever abuse a protocol like email? It's not like there was any money involved in the internet. Fast forward today and your spam folder is inherently a garbage fire.

Ivan: Yeah, but BGP has a slightly different history. It was redesigned a few times. There were several attempts to get the global routing protocol right. And BGP, the last attempt, already included the tools that allow entities that don't trust each other, like commercial internet service providers, to exchange information and apply policies on inbound and outbound updates. So for example, I don't want to hear about your customers because I hate you and I don't want to peer with you or I don't want to tell you about my customer because that customer has a special deal and their traffic can only go through some other transit providers so I will not tell you about that customer. Those things were already a major requirement when BGP was designed and it always included the tools to implement the policies that individual commercial entities wanted to have, which by the way, never happens to SMTP. We have BGP version 4 now and we are still on SMTP version zero.one plus enhancements.

Corey: I guess the best analogy I can come up with through my exposure with BGP, because I tend to handle inter networking between various groups about as well as I write code, things that I have some vague awareness that there are things you should be doing here that I will almost certainly not get right, so I back away slowly and leave it to professionals. As a result, every time I really see how BGP works in any hands-on sense or a point where it's forced upon my awareness, it's similar to how I become aware of plumbing. I don't think about it. I don't question it. I just expect when I turn the faucet on or flush the toilet that water will do what it's going to do. I don't expect the toilet to explode. So the only time I think about BGP is when there is a peering dispute or when there's a flap or, on one notable occasion, when I was at a security conference and, as a demo, some folks hijacked the entire AS of the SN for the conference and rerouted it halfway around the world and back, which explained why everything was super latent and crappy.

Ivan: Yeah. You're absolutely right, but all the incidents you mentioned are not the fault of the tool. They are the fault of the tool not being properly used. And also, let's be honest, it took them hundreds of years to get the plan being to the point when you can just turn on the faucet and the clean and drinkable water comes out of it. It's not like that would have happened in the last year or two, and very probably it wouldn't have happened without public pressure to bring us dri...

Lies, Damned Lies, and Sponsored Benchmarks

Corey Quinn — Mon, 03 Feb 2020 03:00:00 -0800

AWS Morning Brief for the week of February 3, 2020.

Networking in the Cloud Fundamentals: Cloud and the Last Mile

Corey Quinn — Thu, 30 Jan 2020 03:00:00 -0800

About Corey Quinn

Transcript

Corey: Hello and welcome to our Networking in the Cloud, mini series sponsored by ThousandEyes. That's right. There may be just one of you, but there are a thousand eyes on a more serious note. ThousandEyes has sponsored their cloud performance benchmarking report for 2019 at the end of last year. Talking about what it looks like when you race various cloud providers. They looked at all the big cloud providers and determined what does performance look like from an end user perspective? What does the user experience look like among and between different cloud providers? To get your copy of this report, you can visit snark.cloud/realclouds. Why real clouds? Well, because they raced AWS, Azure, GCP, IBM Cloud and Alibaba, all of which are real clouds.

They did not include Oracle Cloud because once again they are real clouds. Check out your copy of the report at snark.cloud/realclouds. It's interesting that that report focuses on the end user experience because as this mini series begins to wind down, we're talking today about the last mile and its impact on what perceived cloud performance looks like. And I will admit that even having given this entire mini series and having a bit of a network engineering background, once upon a time, I still wind up in a fun world of always defaulting to blaming my local crappy ISP.

Now today, my local ISP is amazing. I use Sonic in San Francisco. I get Symmetric Gigabit. It's the exact opposite of Comcast who was my last provider until Sonic came to my neighborhood and it was fun that day because I looked up and down the block and saw no fewer than six Sonic trucks ripping Comcast out by the short and curlies. Which let's not kid ourselves, is something we all wish we could do and I was the happiest boy in town the day I got to do it. Now, the hard part is figuring out that yes, it is in fact a local ISP problem because it isn't always. This is also fortuitous because I spent the last month or so fixing my own local internet situation and today I'd like to tell you a little bit more about that as well as how and why.

Originally when I first moved into my roughly, we'll call it 2,800 square foot house, it's spread across three stories, I wound up getting EEROs, that's E-E-R-O. They're a mesh network set up that was acquired by Amazon after I'd purchased them. These are generation one. The wireless environment in San Francisco is challenging and in certain parts of my house, the reception as a result, wound up being a steaming bowl of horse crap. The big challenge was figuring out that, that's what the problem was. With weird dropouts and handoff issues, it was interesting. This one area that caused immediate improvement was not having these things talk to each other wirelessly as most full mesh systems will do, but instead making sure that they were cabled up appropriately to a switch, the central patch panel and then hooked them in. Now you have to be careful with switches because a lot of stuff won't do anything approaching full throughput because that can get expensive and a lot of consumer gear is crap.

This was a managed HP pro curved device back in the days that HP made networking equipment. That was great. And it's still crap, but it is crap that works at full line rate. So there's that. Next I wound up figuring that ... all right, it's time to take this seriously. So I did some research and talked to people I know who are actually good at things, instead of sounding on the internet like they're good at things. And I figured the next step was to buy some Ubiquiti Networks style stuff. Great. We go ahead and trot some of that out. It's an enterprise gear. It's full mesh. I of course now have a guest wifi that you have to pay for to use the hotspot. It's called Toss a coin to your wifi for an SS ID because of course it is. I have problems. And it's fun and I can play these stupid games, but suddenly every weird internet problem I had in my house started getting better as a result.

And it's astonishing how that changed my perception of various third party services. None of whom, by the way, had anything to do with my actual problem. But there were still some perceptual differences. And this impacts the cloud in a number of subtle ways and that's what I want to talk about today. So one of the biggest impacts is DNS. And I don't mean that in the sense of big cloud provider DNS, we've already talked about how DNS works in a previous episode. But rather what resolver you wind up using yourself. One of the things that I did as a part of this upgrade, is I rolled out a distribution of Linux called Pi-hole, which sounds incredibly insulting as applied to people as in, you know what, you should shut? Your Pi-hole. However, it's designed to run on top of Raspberry Pi and provide a DNS server that creatively blocks ads.

And that's super neat. I liked the idea of just blocking ad servers, but you have to trust whatever you're using for a DNS resolver because of a few specific use cases that I stumbled over as I went down this process. One, it turns out that having access to every website you'd care to visit as far as a list of things you've been doing, is not really the most privacy conscious thing in the universe. Now, for some reason, the internet collectively decided, you know who we trust with all the things that we look at on the internet and have no worries about giving that information to? That's right. Freaking Google. So eight dot eight dot eight dot eight, was a famously to remember open resolver and it works super well. It's quick. It returns everything. The problem is, is that Google's primary business model is very clearly surveillance and I don't do anything particularly interesting.

If you look at my DNS history, you're going to find a lot of things that you'd think you could use to blackmail me, but it turns out you actually can't because I talk about them on podcasts. That's right. I use Route 53 as a database. What of it? And it's all very strange just as far as even without anything to hide, I still feel this sense of pervasive creepiness at the idea that a giant company can look at this. Can look at my previous browsing history. So blocking things like that are of interest to me. So okay, instead, if I run Pi-hole that acts as my own resolver but then it winds up passing queries on to an upstream provider. I mean I could run my own, but that has other latency concerns and DNS latency when you're making requests is super indicative because the entire internet has gone collectively dumb. And decided to display a simple static webpage, You need to make 30 distinct DNS request in series and wait for them all to come back and other ridiculous nonsense that is the modern web today.

What makes this extra special is I figured out, okay, I'm not going to go with Google or CloudFlar...

Dedicated T3 Instances Burst My Understanding

Corey Quinn — Mon, 27 Jan 2020 03:00:00 -0800

AWS Morning Brief for the week of January 27th, 2020.

Networking in the Cloud Fundamentals: Connectivity Issues in EC2

Corey Quinn — Thu, 23 Jan 2020 03:00:00 -0800

About Corey Quinn

Transcript

Corey: Welcome to the AWS Morning Briefs miniseries, Networking In the Cloud, sponsored by ThousandEyes. ThousandEyes has released their cloud performance benchmark report for 2020. They effectively race the top five cloud providers. That's AWS, Google Cloud Platform, Microsoft Azure, IBM Cloud, and Alibaba Cloud, notably not including Oracle Cloud, because it is restricted to real clouds, not law firms. It winds up being derived from an unbiased third party and metric-based perspective on cloud performance as it relates to end user experience. So this comes down to what real users see, not arbitrary benchmarks that can't be gamed. It talks about architectural and conductivity differences between those five cloud providers and how that impacts performance. It talks about AWS Global Accelerator in exhausting detail. It talks about the Great Firewall of China and what effect that has on cloud performance in that region, and it talks about why regions like Asia and Latin America experience increased network latency on certain providers. To get your copy of this fascinating and detailed report, visit snark.cloud/realclouds, because again, Oracle's not invited. That's snark.cloud/realclouds, and my thanks to ThousandEyes for their continuing sponsorship of this ridiculous podcast segment.

Now, let's say you go ahead and spin up a pair of EC2 instances, and as would never happen until suddenly it does, you find that those two EC2 instances can't talk to one another. This episode of the AWS Morning Brief's Networking in the Cloud Podcast focuses on diagnosing connectivity issues in EC2. It is something that people don't have to care about until suddenly they really, really do. Let's start with our baseline premise, that we've spun up an EC2 instance, and a second EC2 instance can't talk to it. How do we go about troubleshooting our way through that process?

The first thing to check, above all else, and this goes back to my grumpy Unix systems administrator days is: are both EC2 instances actually up?

Yes, the console says they're up. It is certainly billing you for both of those instances, I mean, this is the cloud we're talking about, and it even says that the monitoring checks, there are two by default for each instance, are passing. That doesn't necessarily mean as much as you might hope. If you go into the EC2 console, you can validate through the system logs that they booted successfully. You can pull a screenshot out of them. If everything else was working, you could use AWS Systems Manager Session Manager, and if you'll forgive the ridiculous name, that's not a half bad way to go about getting access to an instance. It spins up a shell instance in a browser that you can poke around inside that instance within, but that may or may not get you where it needs to go. I'm assuming you're trying to connect to one of those instances or both of those instances and failing, so validate that you can get into both of those instances independently.

Something else to check. Consider protocols. Very often, you may not have permitted SSH access to these things. Okay, or maybe you can't ping these and you're assuming they're down. Well, an awful lot of networks block certain types of ICMP traffic, echo requests, for example. Type eight. Otherwise, you may very well find that whatever protocol you're attempting to use isn't permitted all the way through. Note incidentally, just as an aside, that blocking all ICMP traffic is going to cause problems for your network. When things are fragmented and they need to have a different window size set for things that are being sent across the internet, ICMP traffic is how things are made aware of that. You'll see increased latency if you block all ICMP traffic, and it's very difficult to diagnose, so please, for the love of God, don't do that.

Something else to consider as you go down the process of tearing apart what could possibly be going on with these EC2 instances not able to speak to each other. Try and connect to them via IP addresses rather than DNS names. Just because there's ... I'm not saying the problem is always DNS, but it usually is DNS, and this removes a whole host of different problems that could be manifesting if you just go by IP address. Suddenly resolution, timeouts, bad DNS, et cetera, fall by the wayside. When you have a system that you're trying to talk to another system and you're only using IP, suddenly there's a whole host of problems you don't have to think about. It goes well.

Something else to consider in the wonderful world of AWS is network ACLs. The best practice around network ACLs is, of course, don't use them. Have an ACL that permits all traffic, and then do everything else further down the stack. The reason is that no one thinks about network ACLs when diagnosing these problems. So if this is the issue, you're going to spend a lot of time spinning around and trying to figure out what it is that's going on.

The next more likely approach, and something to consider whenever you're trying to set up different ways of dividing traffic across various regimes of segmentation, is security groups. Security groups are fascinating, and the way that they interact with one another is not hugely well understood. Some people treat security groups like they did old school IP address restrictions, where anything in the following network, and you can express that in CIDR notation the way one would expect, or C-I-D-R depending on how you enjoy pronouncing or mispronouncing things, can wind up being used, sure, but you can also say members of a particular security group are themselves allowed to speak to this other thing. That, in turn, is extraordinarily useful, but it also means extremely complex things, especially when you have multiple security groups layering upon one another.

Assuming that you have multiple security group rules in place, the one that allows traffic is likelier to have precedents. Note as well that there's a security group rule that is in place by default that allows all outbound traffic. If that's gotten removed, that could be a terrific reason why an instance is not able to speak to the larger internet.

One thing to consider when talking about the larger internet is what ThousandEyes does other than releasing cloud benchmark performance reports. That's right. They are a monitoring company that gives a global observer perspective on the current state of the internet. If certain providers are having problems, they're well positioned to be able to figure out who that provider is, where that provider is having the issue, and how that manifests, and then present that in real time to its customers. So if you have widely dispersed users and want to keep a bit ahead of what t...

AWS Back-All-The-Way-Up

Corey Quinn — Mon, 20 Jan 2020 03:00:00 -0800

AWS Morning Brief for the week of January 20th, 2020.

Networking in the Cloud Fundamentals: Data Transfer Pricing

Corey Quinn — Thu, 16 Jan 2020 03:00:00 -0800

About Corey Quinn

Transcript

Corey: Welcome to the AWS Morning Brief, specifically our 12-part mini series, Networking In The Cloud, sponsored by ThousandEyes. ThousandEyes recently released their state of the cloud benchmark performance report. They raced five clouds together and gave a comparative view of the networking strengths, weaknesses, and approaches of those various providers. Take a look at what it means for you. There's actionable advice hidden within, as well as incredibly useful comparative data, so you can start comparing apples to oranges instead of apples to baseballs. Check them out and get your copy today at snark.cloud/realclouds. That's snark.cloud/realclouds because Oracle cloud was not invited to participate.

Now, one thing that they did not bother to talk about in that report, is how much all of that data transfer across different providers costs. Today I'd like to talk about that, which is a bit of a lie because I'm not here to talk about it at all, I'm here to rant like a freaking lunatic for which I make no apologies whatsoever.

This episode is about data transfer pricing in AWS. Because honestly I need to rant about something and this topic is entirely too near and dear to my heart, given that I spend most of my time fixing AWS bills for interesting and various sophisticated clients.

Let's begin with a simple question. The answer to which is guaranteed to piss you off like almost nothing else. What does it cost to move a gigabyte of data in AWS? Think about that for a second. The correct answer, of course, is that nobody freaking knows. There is no way to get a deterministic answer to that question without asking a giant boatload of other questions.

Let me give you some examples, and before I do, I would like to call out that every number I'm about to mention applies only to us-east-1, because of course different regions in different places have varying costs, that every single one of these numbers is different in other places sometimes, but not always. Why? Because things are awful. I told you I was going to rant. I'm not apologizing for it at this point.

Let's begin simply and talk about what it takes to just shove a gigabyte of data into AWS. Now in most cases that's free. Inbound bandwidth is always free to AWS usually, until it passes through with load balancer or does something else but we'll get there. What does it cost to move data between two AWS regions? Great. The answer to that is, two cents per gigabyte in the primary regions, except there's one use case which gets slightly less. And that is moving between us-east-1 and us-east-2. One is in Virginia, two is in Ohio. That is half price at one cent per gigabyte. My working theory behind that is that it's because even data wants to get the hell out of Ohio.

Let's take it a step further. Let's say you were in an individual region. What does it cost to move data from 1-AZ to another? The documentation was exquisitely unclear, and I had to do some experiments with spinning up a few instances in otherwise empty AWS accounts, and using DD and Netcat to hurl data across various links to find out the answer and then wait till it showed up on my bill. The answer is it also costs 2 cents per gigabyte, the same cost as region to region. It's one cent per gigabyte out of an AZ and one cent per gigabyte in to an AZ. And that's right, it means you get charged twice. If you move 10 gigabytes, you are charged for 20 gigabytes on that particular metric.

This also has the fun ancillary side effect of meaning that moving data between Virginia and Ohio is cheaper to do that cross region transfer than it is to move that same data within an existing region. Oh wait, it gets dumber than that. What do load balancer data transfer fees look like? The correct answer is who the hell knows? On the old classic load balancers, it was 0.8 cents per gigabyte in or out to the internet and there was also an instance fee, but that's not what we're talking about today. Traffic from any existing load balancer today to something inside of an AZ is free unless it crosses an availability zone and then we're back into cross AZ data transfer territory and anything going from an availability zone to a load balancer costs one cent per gigabyte.

Now the newer load balancer generations, the ALDs and the NLDS, what does that cost? Nobody freaking knows because data throughput is just one of several dimensions that go into a load balancer capacity unit, which mean that what your data transfer price is going to look like is going to vary wildly because in this particular case, it's not data transfer itself. There's still that as it leaves, but you also have to pay for this as an additional through the load balancer fee, but it's blended into an LCU, so it's not at all obvious at times that that is in fact what you're being billed for.

In another episode of this mini series, we talked about global accelerator. Now there's a site to site VPN option, which they had for a while, but at re:Invent last year they announced a accelerated VPN option that leverages a lot of global accelerator technology to let that site to site VPN take advantage significantly of the global accelerator. Now what does that cost? I could not freaking tell you. There are, I am not exaggerating, five distinct billing line items, if you run an accelerated site to site VPN and of course, all of them cost you money. I am not exaggerating. That is the actual state of the world. It is incredibly annoying. It is so annoying that I'm going to have to take a break before I blow a blood vessel to tell you more about ThousandEyes instead.

So other than the cloud report, what is ThousandEyes? They effectively act as the global observer that watches the entire internet from a whole bunch of different listening posts around that internet and keeps track in near real time of what's going on, what's being slow, what providers are having issues and giving information directly to your folks on your side to be able to understand, adapt and mitigate those outages and slow downs. It helps immediately get to the point of is this a networking problem globally or is it our last crappy code deploy that broke things? If this sounds like something that might be useful for you or your team, I encourage you to check them out at thousandeyes.com. They're a fantastic company with a fantastic product and best of all their billing makes sense.

We're back to ranting again. That's right. My problem with the AWS data transfer pricing is not that it's shitty and complex, but also that it's expensive. Pricing largely has not changed since AWS...

Your Database Will Explode in Sixty Seconds

Corey Quinn — Mon, 13 Jan 2020 03:00:00 -0800

AWS Morning Brief for the week of January 13th, 2020.

Networking in the Cloud Fundamentals: The Cloud in China

Corey Quinn — Thu, 09 Jan 2020 03:00:00 -0800

About Corey Quinn

Transcript
Corey: Welcome back to Networking In The Cloud, a special 12 week mini feature of the AWS morning brief sponsored by ThousandEyes. This week's topic, The Cloud in China, but first, let's talk a little bit about ThousandEyes. You can think of ThousandEyes as the Google maps of the internet, just like you wouldn't leave San Jose to drive to San Francisco without checking which freeway to take because local references are always going to resonate the best when telling these stories, business rely on ThousandEyes to see the end to end paths that their applications and services are taking from their servers to their end users, to identify where the slowdowns are, where the pile ups are, and what's causing these issues. They can use ThousandEyes to figure out what's breaking and ideally notify providers before their customers notice. To learn more, visit thousandeyes.com. And my thanks to them for their sponsoring of this mini series.

Now, when we're talking about China, I want to start by saying that I'm not here to pass judgment. Here in the United States, we're sort of the Oracle cloud of foreign policy, so Lord knows that my hands aren't clean any. Instead, I want to have a factual discussion about what networking in China looks like in the world of cloud in 2020. To start, China is a huge market. The market for cloud services in China this year is expected to reach just over a hundred billion dollars. So there's a lot of money on the table, there's a lot riding on companies making significant inroads into an extremely lucrative market that is extremely technologically savvy.

Historically, according to multiple Chinese cloud executives who were interviewed for a variety of articles, China's enterprise IT market is probably somewhere between five to seven years behind most Western markets. That means that there's a huge amount of opportunity for companies to be able to make inroads and make an impact on that market before it winds up being dominated, like a lot of the Western markets have been by certain large Seattle-based cloud providers, ahem, ahem.

Now, due to Chinese regulations, in order to run a cloud provider in China, it has to be operated by a Chinese company. That's why Microsoft works with a company called 21Vianet, whereas AWS has two partners, Beijing Sinnet and NWCD. Those local partners in fact own and operate the physical infrastructure that the cloud providers are building in China and become known as the seller of record. Although the US cloud companies of course do, or at least ostensibly retain all the rights to their intellectual property, either trademarks, their copyrights, etc.

That said, if you take a look at any of the large cloud providers, service and region availability tables, there's very clearly a significant lag between when services get released in most regions and when they do inside the mainland China regions. Some of the concern, at least according to people off the record, comes down to concern over intellectual property theft. And in the current political climate where we have basically picked an unprovoked trade war with China, it winds up complicating this somewhat heavily. If for no other reason, then companies are extremely skittish about subjecting what they rightly perceive to be their incredibly valuable intellectual property to the risks of operating inside of mainland China, so on the one hand they don't want to deal with that. On the other, there are over half a billion people in China with smartphones, just shy of 900 million people on the internet in one form or another. So there's an awful lot of money at stake. So companies find themselves rather willing to overlook some things that they otherwise would not want to bother with. Now again, I'm not here to moralize, I just find the idea to be somewhat fascinating.

Most of that stuff you can find out just from reading news articles and various press releases. So let's go a little bit further into how companies are servicing the Chinese market. Not for nothing, but picking on AWS because they are the incumbent in this space, and this is the AWS morning brief. But looking at the map on my wall, they have regions in Tokyo, in Seoul, in Hong Kong, in Singapore and Mumbai. If you squint enough, that sort of forms a periphery around the outside of mainland China. Here in the real world, if it's at all feasible, companies tend to use those regions that are more or less scattered around China, rather than within China if it is even slightly feasible and then provide services to their customers inside of China through those geographically local regions without having to deal with having a physical presence inside of China. You can learn a lot about this by looking at ThousandEyes 2019 Public Cloud Performance Benchmark Report, where they wound up figuring out what's going on with IBM, AWS, Azure and Google Cloud, and of course Alibaba this year, which is interesting and we'll get there in a minute because this is restricted to real clouds.

Oracle cloud is not a real cloud and thus was not invited. Figure out what the different architectural conductivity differences are between these cloud providers. Take a look at the AWS global accelerator and how it pans out and what you can actually expect from real world networks going to other real world networks, and see what it is that makes sense for various use cases. My thanks again to ThousandEyes for sponsoring this podcast. You can get your own copy of the report at snark.cloud/real clouds, that's snark.cloud/realclouds.

One of those real clouds as mentioned is Alibaba. The reason that I bring them up is that they currently dominate China's cloud market. Alibaba has something on the order of a 43% market share inside of mainland China. Second behind them with 17.4% is 10 Cent. 10 Cent is also growing rapidly. AWS is up there as well, given their significant posture and other places. But then there's a whole smattering of small scale cloud operators that are still vying for a piece of a very large, very lucrative pie.

Now, if you're talking to any of those providers inside of China, then the networking works pretty much like you'd expect it to anywhere else on the planet. The challenge and why this is worth an entire episode is what happens when you try to network outside of China into the rest of the internet. Let's talk a little bit about China's great firewall. This was started roughly in 1998 in order to enforce Chinese law. News, shopping sites, stereo search engines and pornography are all blocked through a wide variety of methods in accordance with Chinese law, that tends to change and ebb and flow. No...

Burning Amazon Lex to CD-ROM

Corey Quinn — Mon, 06 Jan 2020 03:00:00 -0800

AWS Morning Brief for the week of January 6th, 2020.

Listener Mailbag

Corey Quinn — Mon, 30 Dec 2019 03:00:00 -0800

AWS Morning Brief for the week of December 30th, 2019.

It's a Horrible Lyfebin

Corey Quinn — Mon, 23 Dec 2019 03:00:00 -0800

AWS Morning Brief for the week of December 23rd, 2019.

Networking in the Cloud Fundamentals: Regions and Availability Zones in AWS

Corey Quinn — Thu, 19 Dec 2019 03:00:00 -0800

About Corey Quinn

Transcript
Corey: Hello, and welcome back to our Networking in the Cloud mini series sponsored by ThousandEyes. That's right. ThousandEyes is state-of-the-cloud Performance Benchmark Report is now available for your perusal. It's really providing a lot of baseline that we're taking all of the miniseries information from. It pointed us in a bunch of interesting directions and helps us tell stories that are actually, for a change, backed by data rather than pure sarcasm. To get your copy, visit snark.cloud/realclouds because it only covers real cloud providers. Thanks again to ThousandEyes for their ridiculous support of this shockingly informative podcast mini series.

It's a basic fact of cloud that things break all the time. I've been joking for a while that a big competitive advantage that Microsoft brings to this space is that they have 40 years of experience apologizing for software failures, except that's not really a joke. It's true. There's something to be said for the idea of apologizing to both technical and business people about real or perceived failures being its own skillset, and they have a lot more experience than anyone in this space.

There are two schools of thought around how to avoid having to apologize for service or component failures to your customers. The first is to build super expensive but super durable things, and you can kind of get away with this in typical data center environments right up until you can't, and then it turns out that your SAN just exploded. You're really not diversifying with most SANs. You're just putting all of your eggs in a really expensive basket, and of course, if you're still with power or networking outage, nothing can talk to the SAN, and you're back to square one.

The other approach is to come at it with a perspective of building in redundancy to everything and eliminating single points of failure. That's usually the better path in the cloud. You don't ever want to have a single point of failure if you can reasonably avoid it, so going with multiple everythings starts to make sense to a point. Going with a full on multi-cloud story is a whole separate kettle of nonsense we'll get to another time. But you realize at some point you will have single points of failure and you're not going to be able to solve for that. We still only have one planet going around one sun for example. If either of those things explode, well, computers aren't really anyone's concern anymore. However, betting the entire farm on one EC2 instance is generally something you'll want to avoid if at all possible.

In the world of AWS, there aren't data centers in the way that you or I would contextualize them. Instead, they have constructs known as availability zones and those composed to form a different construct called regions. Presumably, other cloud providers have similar constructs over in non-AWS land, but we're focusing on AWS as implementation in this series, again, because they have a giant multi-year head start over every other cloud provider, and even that manifests in those other cloud providers comparing what they've built and how they operate to AWS. If that upsets you and you work at one of those other cloud providers, well, you should have tried harder. Let's dive in to a discussion of data centers, availability zones, and regions today.

Take an empty warehouse and shove it full of server racks. Congratulations. You have built the bare minimum requirement for a data center at its most basic layer. Your primary constraint and why it's a lot harder than it sounds is power, and to a lesser extent, cooling. Computers aren't just crunching numbers, they're also throwing off waste heat. You've got to think an awful lot about how to keep that heat out of the data center.

At some point, you can't shove more capacity into that warehouse-style building just because you can't cool it if it's all running at the same time. If your data center's particularly robust, meaning you didn't cheap out on it, you're going to have different power distribution substations that feed the building from different lines that enter the building at different corners. You're going to see similar things with cooling as well, multiply redundant cooling systems.

One of the big challenges, of course, when dealing with this physical infrastructure is validating that what it says on the diagram is what's actually there in the physical environment. That can be a trickier thing to explore than you would hope. Also, if you have a whole bunch of systems sitting in that warehouse and you take a power outage, well, you have to plan for this thing known as inrush current.

Normally, it's steady state. Computers generally draw a known quantity of power. But when you first turn them on, if you've ever dealt with data center servers, the first thing they do is they power up everything to self-test. They sound like a jet fighter taking off as all the fans spin up. If you're not careful, and all these things turn on at once, you'll see a giant power spike that winds up causing issues, blowing breakers, maxing out consumption, so having a staggered start becomes a concern as well. Having spent too much time in data centers, I am painfully familiar with this problem of how you safely and sanely recover from site-wide events, but that's a bit out of scope, thankfully, because in the cloud, this is less of a problem.

Let's talk about the internet and getting connectivity to these things. This is the Networking in the Cloud podcast after all. You're ideally going to have multiple providers running fiber lines to that data center hoping to avoid fiber's natural predator, the noble backhoe. Now, ideally, all those fiber lines are going over different paths, but again, hard thing to prove, so doing your homework's important, but here's something folks don't always consider: If you have a hundred gigabit ethernet links to each computer, which is not cheap, but doable, and then you have 20 servers in a rack, each rack theoretically needs to be able to speak at least two terabit at all times to each other server in each other rack, and most of them can't do that. They wind up having bottle-necking issues.

As a result, when you have high-traffic applications speaking between systems, you need to make sure that they're aware of something known as rack affinity. In other words, are there bottlenecks between these systems, and how do you minimize those to make sure the crosstalk works responsibly? There are a lot of dragons in here, but let's hand-wave past all of it because we're talking about cloud here. The point of this is that there's an awful lot of nuance to running data centers, and AWS and other large cloud providers do a better job of it than you do. That's not me insulting your data center staff. That's just a fact. They have the scal...

AWS Dep-Ric-ates Treasured Offering

Corey Quinn — Mon, 16 Dec 2019 03:00:00 -0800

AWS Morning Brief for the week of December 16th, 2019.

reInvent Wrap-up, Part 4

Corey Quinn — Fri, 13 Dec 2019 03:00:00 -0800

AWS Morning Brief for Friday, December 13th, 2019

Networking in the Cloud Fundamentals, Part 6

Corey Quinn — Thu, 12 Dec 2019 03:00:00 -0800

About Corey Quinn

Over the course of my career, I’ve worn many different hats in the tech world: systems administrator, systems engineer, director of technical operations, and director of DevOps, to name a few. Today, I’m a cloud economist at The Duckbill Group, the author of the weekly Last Week in AWS newsletter, and the host of two podcasts: Screaming in the Cloud and, you guessed it, AWS Morning Brief, which you’re about to listen to.

Transcript
Corey: Knock knock. Who's there? A DDOS attack. A DDOS a... Knock. Knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock, knock.

Welcome to what we're calling Networking in the Cloud, episodes six, How Things Break in the Cloud, sponsored by ThousandEyes. ThousandEyes recently launched their state of the cloud performance benchmark report that effectively lets you compare and contrast performance and other aspects between the five large cloud providers, AWS, Azure, GCP, Alibaba and IBM cloud. Oracle cloud was not invited because we are talking about real clouds here. You can get your copy of this report at snark.cloud/realclouds. and they compare and contrast an awful lot of interesting things. One thing that we're not going to compare and contrast though, because of my own personal beliefs, is the outages of different cloud providers.

Making people in companies, by the way, companies are composed of people, making them feel crappy about their downtime is mean, first off. Secondly, if companies are shamed for outages, it in turn makes it far likelier that they won't disclose having suffered an outage. And when companies talk about their outages in constructive blameless ways, there are incredibly valuable lessons that we all can learn from it. So let's dive into this a bit.

If there's one thing that computers do well, better than almost anything else, it's break. And this is, and I'm not being sarcastic when I say this, a significant edge that Microsoft has when they come to cloud. They have 40 some odd years of experience in apologizing for software failures. That's not trying to be insulting to Microsoft, it's what computers do, they break. And being able to explain that intelligently to business stakeholders is incredibly important. They're masters at that. They also have a 20 year head start on everyone else in the space. What makes this interesting and useful is that in the cloud, computers break differently than people would expect them to in a non-cloud environment.

Once upon a time when you were running servers and data centers, if you see everything suddenly go offline, you have some options. You can call the data center directly to see if someone cut the fiber, in case you were unaware of fiber optic cables' sole natural predator in the food chain is the mighty backhoe. So maybe something backhoed out some fiber lines, maybe the power is dead to the data center, maybe the entire thing exploded, burst into flames and burned to the ground, but you can call people. In the cloud, it doesn't work that way. Here in the cloud, instead you check Twitter because it's 3:00 AM and Nagios is the original call of duty or PagerDuty calls you, because you didn't need that sleep anyway, telling you there is something amiss with your site. So when a large bond provider takes an outage, and you're hanging out on Twitter at two in the morning, you can see DevOps Twitter come to life in the middle of the night, as they chatter back and forth.

And incidentally, if that's you, understand a nuance of AWS availability zone naming. When people say things like us-east-1a is having a problem and someone else says, "No, I just see us-east-1c is having a problem," you're probably talking about the same availability zone. Those letters change, non deterministically, between accounts. You can pull zone IDs, and those are consistent. But by and large, that was originally to avoid having problems like everyone picking A, as humans tend to do or C, getting the reputation as the crappy one.

So why would you check Twitter to figure out if your cloud provider's having a massive outage? Well, because honestly, the AWS status page is completely full of lies and gaslights you. It is as green as the healthiest Christmas tree you can imagine, even when things are exploding for a disturbingly long period of time. If you visit the website, stop.lying.cloud, you'll find a Lambda and Edge function that I've put there that cuts out some of the croft, but it's not perfect. And the reason behind this, after I gave them a bit too much crap one day and I got a phone call that started with, "Now you listen here," it turns out that there are humans in the loop, and they need to validate that there is in fact a systemic issue at AWS and what that issue might be, and then finally come up with a way to report that in a way that ideally doesn't get people sued and manually update the status page. Meanwhile, your site's on fire. So that is a trailing function, not a leading function.

Alternately, you could always check ThousandEyes. That's right, this episode is sponsored by ThousandEyes. In addition to the report we mentioned earlier, you can think of them as Google Maps of the internet without the creepy privacy overreach issues. Just like you wouldn't necessarily want to commute during rush hour without checking where traffic is going to be and which route was faster, businesses rely on ThousandEyes to see the end to end paths their applications and services are taking in real time to identify where the slow downs are, where the outages are and what's causing problems. They use ThousandEyes to see what's breaking where and then importantly, ThousandEyes shares that data directly with the offending service providers. Not just to hold them accountable, but also to get them to fix the issue fast. Ideally, before it impacts users. But on this episode, it already has.

So let's say that you don't have the good sense to pay for ThousandEyes or you're not on Twitter, for whatever reason, watching people flail around helplessly trying to figure out what's going on. Instead, you're now trying desperately to figure out whether this issue is the last deploy your team did or if it's a global problem. And the first thing people try to do in the event of an issue is, "Oh crap, what did we just change? undo it." And often that is a knee jerk response that can make things worse if it's not actually your code that caused the problem. Worse, it can eat up precious time at the beginning of an outage. If you knew that it was a single availability zone or an entire AWS region that was having a problem, you could instead be working to fail over to a different location instead of wasting valuable incident retime checking Twitter or looking over your last 200 commits.

Part of the problem, and the reason this is the way that it is, is that unlike rusting computers in your data center currently being savaged by raccoons, things in the cloud break differently. You don't have the same diagnostic tools, you don't have the same level of visibility into what the hardware is doing, and the behaviors themselves are radically different. I have a half dozen tips and tricks on how to monitor whether or not your data center's experiencing a problem r...

reInvent Wrap-up, Part 3

Corey Quinn — Wed, 11 Dec 2019 03:00:00 -0800

AWS Morning Brief for Wednesday, December 11th, 2019

reInvent Wrap-up, Part 2

Corey Quinn — Tue, 10 Dec 2019 03:00:00 -0800

AWS Morning Brief for Tuesday, December 10th, 2019.

reInvent Wrap-up, Part 1

Corey Quinn — Mon, 09 Dec 2019 03:00:00 -0800

AWS Morning Brief for the week of December 9th, 2019.

Wherever You May Rome

Corey Quinn — Mon, 02 Dec 2019 03:00:00 -0800

AWS Morning Brief for the week of December 2nd, 2019.

Networking in the Cloud Fundamentals, Part 5

Corey Quinn — Thu, 28 Nov 2019 03:00:00 -0800

About Corey Quinn
Over the course of my career, I’ve worn many different hats in the tech world: systems administrator, systems engineer, director of technical operations, and director of DevOps, to name a few. Today, I’m a cloud economist at The Duckbill Group, the author of the weekly Last Week in AWS newsletter, and the host of two podcasts: Screaming in the Cloud and, you guessed it, AWS Morning Brief, which you’re about to listen to.

Transcript
Corey: As the world spins faster, it heats up because of friction. Therefore, for the good of humanity, the AWS Global Accelerator must be turned off.

Welcome once again to Networking in the Cloud, a 12 week special on the AWS Morning Brief, sponsored by ThousandEyes. Think of ThousandEyes as the Google Maps of the internet without the creepy privacy implications. Just like you wouldn't necessarily go from one place to another without checking which route was less congested during rush hour, businesses rely on ThousandEyes to see the end to end paths that their applications and services are taking, from their servers, to their end users, or between other servers, just to identify where the slow downs are, where the pile ups live, and what's causing various issues. They use ThousandEyes to see what's breaking where and then of course depend upon ThousandEyes to share that data directly with the offending providers, to shame them into accountability and get them to fix the issue. Learn more at thousandeyes.com.

So, today we talk about the Global Accelerator, which is an offering from AWS that they announced at re:Invent last year. What is it? Well, when traffic passes through the internet from your computer on route to a cloud provider, or from your data center to a cloud provider, the provider has choices as to how to route that traffic in. Remember, there's no cloud provider that we're going to be talking about that doesn't have a global presence. So, they have a number of different choices.

Some, such as GCP and Azure, will route that traffic directly into their networks right away, as close to the end user as possible. Others, like AWS and interestingly Alibaba, will have that traffic ride the public internet as long as possible, until it gets to the region that that traffic is aimed at, and then ingested into the provider's network. And, IBM has an interesting hybrid approach between the two of these that doesn't actually matter, because it's IBM Cloud.

Now, Global Accelerator offers a slightly different option here. Because by default, traffic bound to AWS will ride the public internet until it hits the region at the end. That means that traffic is subject to latency based upon public internet congestion. It's subject to non-deterministic latency, as far as leading to... Some packets will get there faster than others, as they take different routes, so jitter becomes a concern.

Global Accelerator sort of flips the behavior on its head, where instead of traveling across the entire internet until it smacks into a region, traffic now winds up landing into AWS's network far sooner, and then rides along AWS's backbone to where it needs to go. And then, it smacks into one of a number of different end points. Today, at the time of this recording, it supports application load balancers, either internal or external, network load balancers, elastic IPs and whatever you can tie those to, and of course EC2 instances, public or private. We'll mention that... The caveat about that a little later on.

On the other side, to the internet, what happens is that Global Accelerator gives out two IP addresses that are Anycast. What that means is using BGP, those are generally repointed to the closest supported region to the customer. As a result, they can do a lot of changes to network architecture in completely invisible ways to the end user. It supports, for example, shifting traffic to different regions or endpoints. It can shape how that traffic winds up manifesting on the fly.

So, other ways of managing this such as using DNS, means that suddenly you don't have high TTLs anymore on the client side. That mean the traffic doesn't shift as closely as you'd like, and IP caching as well once that DNS record is resolved, no longer applies. You see this all over the place with, for example, public DNS resolvers. The same IP addresses are what people use globally to talk to, well known DNS resolvers, but strangely it's always super quick and not traveling across the entire internet. Imagine that.

This is similar in some ways to AWS's CloudFront service. CloudFront is, as mentioned, a CDN that has somewhat similar performance characteristics. It generally winds up being a slightly better answer when you're using a protocol like HTTP or HTTPS that the entire CDN service has been designed around. They have a whole bunch of locations that are scattered across the globe, and sure it takes a year and a day to update a distribution or deploy a new one in CloudFront, but that's not really the point of this comparison here.

Where Global Accelerator shines, is where you have non HTTP traffic, or you need that super responsive failover behavior. You have a lot more control with Global Accelerator as well. So if for example, data processing location is super important for you due to regulatory requirements, it's definitely worth highlighting that Global Accelerator does grant additional flexibility here. But it's not all sunshine and roses.

There are some performance metrics that shine interesting lights on this. Where do those performance metrics come from, you might wonder? Well, I'm glad you asked. They come from the ThousandEyes state of the cloud performance benchmark report. As mentioned previously, they wound up doing a whole series of tests across a whole variety of different cloud providers from different networks, that in turn wind up showcasing where certain cloud providers shine, where certain cloud providers don't necessarily work as well in some context as others do, and more or less, for lack of a better term, let you race the clouds. It's one of the fun things that they're able to do because they serve the role of global observer. They have a whole bunch of locations where they can monitor from, and they see customer traffic so they understand what those use cases look like in real life.

Feel free to get your copy of the report today. They race, GCP, Azure, AWS, Alibaba, and IBM Cloud. As mentioned on previous episodes, Oracle Cloud was not included because they use real clouds. You get your copy today at snark.cloud/realclouds, that's snark.cloud/realclouds and thanks again to ThousandEyes for their continuing support of this ridiculous mini series. Now, what did ThousandEyes learn? Well, this should be blindingly obvious, but in case it's not, the Global Accelerator is not super useful if you and your customers aren't far apart.

An example that came up in the report was that if you're in North America, which by and large has decent internet connectivity provided you're not somewhere rural due to a variety of terrible things, we'll get to in a future episode, then it...

Improving Customers by Stuffing Them Into Containers

Corey Quinn — Mon, 25 Nov 2019 03:00:00 -0800

AWS Morning Brief for the week of November 25th, 2019.

Networking in the Cloud Fundamentals, Part 4

Corey Quinn — Thu, 21 Nov 2019 03:00:00 -0800

About Corey Quinn

Transcript

An IPv6 packet walks into a bar. Nobody talks to it.

Welcome back to what we're calling a networking in the cloud, a 12 week networking extravaganza sponsored by ThousandEyes. You can think of ThousandEyes as the Google maps of the internet. Just like you wouldn't dare leave San Jose to drive to San Francisco without checking to see if the 101 or the 280 was faster, businesses rely on ThousandEyes to see the end to end pads their apps and services are taking and for localized traffic stories that mean nothing to people outside of the Bay Area. This enables companies to figure out where are the slowdowns happening, where are the pile ups and what's causing issues. They use ThousandEyes to see what's breaking where, and importantly they share that data directly with the offending service providers to hold them accountable in a blameless way and get them to fix the issue fast, ideally before it impacts their end users.

Learn more at thousandeyes.com. And my thanks to them for sponsoring this ridiculous podcast mini-series.

This week we're talking about load balancers. They generally do one thing and that's balancing load, but let's back up. Let's say that you, against all odds, you have a website and that website is generally built on a computer. You want to share that website with the world, so you put that computer on the internet. Computers are weak and frail and often fall over invariably at the worst possible time. They're herd animals. They're much more comfortable together. And of course, we've heard of animals. We see some right over there.

So now you have a herd of computers that are working together to serve your website. The problem now of course, is that you have a bunch of computers serving your website. No one is going to want to go to www6023.twitterforpets.com to view your site. They want to have a unified address that just gets to wherever it has to happen. Exposing those implementation details to customers never goes well.

Amusingly, if you go to Deloitte, the giant consultancy's website, the entire thing lives at www2.deloitte.com. But I digress. Nothing says we're having trouble with digital transformation quite so succinctly.

So you have your special computer or series of computers now that live in front of the computers that are serving your website. That's where you wind up pointing twitterforpets.com to, or www.twitterforpets.com towards. Those computers are specialized and they're called load balancers because that's exactly what they do; they balance load, it says so right there on the tin. They pass out incoming web traffic to the servers behind the load balancer so that those servers can handle your website while the load balancer just handles being the front door that traffic shows up through.

This unlocks a world of amazing possibilities. You can now, for example, update your website or patch the servers without taking your website down with a back in five minutes sign on the front it. You can test new deployments with entire separate fleets of servers. This is often called a blue green deploy or a red black deploy, but that's not the important part of the story. But you can start bleeding off traffic to the new fleet and, "Oh my god, turn it off, turn it off, turn it off. We were terribly wrong. The upgrade breaks everything." But you can do that; turn traffic on, turn traffic off to certain versions and see what happens.

Load balancers are simple in concept but they're doing increasingly complicated things. For instance, you're a load balancer. How do you determine which of the 200 servers that you're in front of that all do the same thing because they have the same website and the same application code running on them, how do you determine which one of those receives the next incoming request?

There are a few patterns that are common. The first and maybe the simplest is called round robin. You'll also see this referred to as next in loop. Let's say you have four web servers. Your first request goes to server one. Your second request goes to server two. Server three and server four, and the fifth request goes back to server one. It just rotates through the servers in order and passes out requests as they commit.

This can work super well for some use cases, but it does have some challenges. For example, if one of those servers get stuck or overloaded, piling more traffic onto it is very rarely going to be the right call. A modification of round robin is known as weighted round robin, which works more or less the same way, but it's smarter. Certain servers can get different percentages of the traffic.

Some servers, for example across a wide variety of fleets can be larger than others and can consequently handle more load. Other servers are going to have a new version of your software or your website and you only want to test that on 1% of your traffic to make sure that there's nothing horrifying that breaks things because you'd fundamentally rather break things for 1% of your users then 100% of your users. Ideally you'd like to break things for 0% of your users, but let's keep this shit semi-real, shall we?

You can also go with the least loaded metric type of approach. Some smarter load balancers can query each backend server or service that they're talking to about its health and get back a metric of some kind. If you wire logic into your application where it says how ready it is to take additional traffic, load balancers can then start making intelligent determinations as to which server to drop traffic onto next.

Probably one of the worst methods you can use to determine how to pass out traffic to load balancers is random, which does exactly what you'd think because randomness isn't. There's invariably going to be clusters and hotspots and the entire reason you have a load balancer is to not have to deal with hot spots; one server's overloaded and screaming while the one next to it is bored, wondering what the point of all of this is.

There are other approaches too that offer more deterministic ways of sending traffic over to specific servers. For example, taking the source IP address that a connection is coming from and hashing that. You can do the same type of thing with specific URLs where the hash of a given URL winds up going to specific backend services.

Why would you necessarily want to do that? Well, in an ideal world, each of those servers is completely stateless and each one can handle your request as well as any others. Here in the real world, things are seldom that clean. You'll find yourself very often with state living inside of your application. So if you have a backend server that handles your first request and then your next request goes to a different backend server, you could be prompted to log in again and that becomes really unpleasant for the end user exper...

A CloudFormation Feature of Great Import

Corey Quinn — Mon, 18 Nov 2019 03:00:00 -0800

AWS Morning Brief for the week of November 18th, 2019.

Networking in the Cloud Fundamentals, Part 3

Corey Quinn — Thu, 14 Nov 2019 03:00:00 -0800

Transcript

This episode of Networking in the Cloud is sponsored by ThousandEyes. Their 2019 Cloud Performance Benchmark Report is now live as of yesterday. Find out which Clouds do what well, AWS, Azure, GCP, Alibaba, and IBM Cloud all have their networking capabilities raced against each other. Oracle was not invited, because we are talking about actual Cloud providers here, not law firms. Get your copy of the report today at Snark.Cloud/realclouds. That's Snark.Cloud/realclouds. That's completely free. Download it, let me know what you think. I'll be cribbing from that in future weeks. Now, for the third week of our AWS Morning Brief Screaming in the Network, or whatever we're calling it, mini-series on how computers talk to one another. Let's talk about the larger internet.

Specifically, we begin with BGP, or Border Gateway Protocol. This matters, because it's how different networks talk to one another. If you have a whole bunch of different computer networks gathered into a super network, or internet as some people like to call it, how do those networks know where each one lives? Now, from a home user perspective, or even in some enterprises, that seems like sort of a silly question, because it is. You have a network that lives on your end of things. You plug a single cable in, and every other network lives through that cable. When you're talking about large disparate networks though, how do they find each other? More to the point, because of how the internet was built, it's designed so that any single failure of another network can now be routed around. There are multiple paths to get to different places. Some biased for cost, some biased for performance, some biased for consistency. And all of those decisions have to be made globally. BGP is the lingua franca of how those networks talk to one another. BGP is also a hot mess.

It's the routing protocol that runs the internet, and it's comprised of different networks in this parlance, autonomous systems, or AS's, and it was originally designed for a time before jerks ruled the internet, and that's jerks in terms of people causing grief for others, as well as shady corporate interests that are publicly traded on NASDAQ. There's no authentication tied to BGP. Effectively, it is trusted to contain correct data. There is no real signing or authentication that someone who announces something through BGP is authorized to do it, and it's sort of amazing the whole thing works in the first place, but what happens is, is when a large network with other networks behind it winds up doing an announcement, it says, oh, I have routes to these following networks. And it passes them on to its peers. They in turn pass those announcements on, oh, behind me. Then this way two hops is this other series of networks, and so on and so forth.

Now this can cause hilariously bad problems that occasionally make the front page of the newspaper when a bad announcement gets out. A few years ago there was an announcement from an ISP that said, oh, all of YouTube lives behind us. That announcement should never have gone out, and their upstream ISP should have quashed it, and they didn't. So suddenly a good swath of the internet was trying to reach YouTube through a relatively small link. As you can imagine, TCP terminated on the floor. Not every link can handle exabytes of traffic. Who knew? That gets us to another interesting point. How do these large networks communicate with each other? You have this idea of one network talks to another network. Does money change hands? Well, in some cases, no. If traffic volumes are roughly equal and desirable on both sides, we'll have our networks talk to one another, and no money changes hands. This is commonly known as peering.

At that point, everything is mostly grand, because as traffic continues to climb, you increase the links. Both parties generally wind up paying to operate infrastructure on their own side and in between, and traffic continues to grow. Other times it doesn't work that way where you have one network with a lot of traffic, and another network that doesn't really have much of any, and people want to go from one end to the other. Very often this is known as a transit agreement, and money changes hands from usually the smaller network to the bigger network, but occasionally the other direction depending on the specifics of the business model, and at that point, every byte passing through is metered and generally charged for. Usually this is handled by large ISPs and carriers and businesses behind the scenes, but occasionally it spills out into public view. Comcast and Netflix, for example, have been having a fantastic public spat from time to time, and this manifests itself when there's congestion and you're on Comcast.

If so, I'm sorry for you, and your Netflix stream starts degrading into lower picture quality. Occasionally it's skips or whatnot, and strangely whenever Comcast and Netflix come to an agreement, of course under undisclosed terms, magically these problems go away almost instantly. Originally this sort of thing was frowned upon. The FCC got heavily involved, but with the demise in the United States of network neutrality, suddenly it's okay to start preferring some traffic over others through a legalistic framework, and this has led to a whole bunch of either malfeasant behavior or normal behavior that people believe is malfeasant. And that doesn't leave anyone in a terrifically good place. I'm not here to talk about politics, but it does wind up leading to an interesting place, because there's an existential problem to the business model for an awful lot of ISPs out there. Because generally speaking, when you wind up plugging into your upstream provider, maybe it's Comcast, maybe it's AT&T, maybe it doesn't matter, but you're generally trying to use them as a dumb pipe to the internet.

The problem is, is they don't want to be a dumb pipe. There's a finite number of dollars that everyone is going to pay for access to the internet, and that is a naturally self-limiting business model, so they're trying to add value with services that don't really tend to add much value at all. My wireless carrier for example, wants to sell me free storage, and an email address, and a bunch of other things that I just don't care about, because I already have an email solution that works out super well for me. My Cloud storage that I care about is either Dropbox, something in AWS or other nonsense. I don't need to have Verizon's Cloud storage, but they keep trying to find alternative business models. Some of these ways are useful and beneficial to everyone, and others are well to be honest, less so.

Comcast for example, isn't going to build you a search engine that is going to rival Google, which is kind of weird on some level because if you take a look from a customer service perspective, C...

EC2 Instances Now On Layaway

Corey Quinn — Mon, 11 Nov 2019 03:00:00 -0800

AWS Morning Brief for the week of November 11th, 2019.

Networking in the Cloud Fundamentals, Part 2

Corey Quinn — Thu, 07 Nov 2019 03:00:00 -0800

Transcript

An ancient haiku reads, "It's not DNS. There's no way it's DNS. It was DNS."

Welcome to the Thursday episode of the AWS Morning Brief. What you can also think of as networking in the cloud. This episode is sponsored by ThousandEyes and their Cloud State Live Event Wednesday, November 13th from 11:00 AM until noon, Central Time. There'll be live streaming from Austin, Texas, the live reveal of their latest cloud performance benchmark where they pit AWS, Azure, GCP, IBM, and Alibaba cloud against each other from a variety of networking perspectives. Oracle Cloud is pointedly not invited. If you'd like to follow along, visit snark.cloud/cloudstatelive, that's snark.cloud/cloudstatelive, and thanks to ThousandEyes for their sponsorship of this ridiculous yet educational podcast episode.

DNS, the domain name system, it's how computers translate numbers into something humans can understand when those humans have a first language that is not math. Put more succinctly if I want to translate www.twitterforpets.com into an IP Address of 1.2.3.4, I probably want a computer able to do that because humans find it easier to remember twitterforpets.com. Originally, this was done with a far more manual process. There was a file on every computer on the internet that was kept in sync with each other. The internet was a smaller place back then, a friendlier time and jerks who are trying to monetize everything at the expense of others were no longer lurked behind every shadow, so how does this service work?

Well, let's go back to the beginning. When you look at a typical domain name, let's call it www.twitterforpets.com there's a hierarchy built in and it goes from right to left. In fact, if you pick any domain you'd like that ends .com, .net, .technology, .dev, .anything else you care about there's another dot at the end of it. That's right. You could go to www.google.com., and it works just the same way as you would expect it to. That dot represents the root and there are a number of root servers run by various organizations that no one entity controls scattered around the internet and they have an interesting job where their role is to resolve who is the authoritative responsible DNS server for the top-level domains. That's all that the root servers do.

The top-level domains, in turn, have name servers that refer out to who is responsible for any given domain within that top-level domain and so on and so forth. You can have subdomains running at your own company. You could have twitterforpets.com but all of the engineering.twitterforpets.com domains are delegated to a subname server out and so on and so forth. It can hit ludicrous lengths if you'd like. Now, once upon a time, this was relatively straightforward because there were only so many top-level domains that existed; .com, .net, .org, .edu, .mil and so on and so forth, and the governing body, ICAN, decided, "You know what's great? Money," so they wound up, in turn, going for additional top-level domains that you could grab the .technology, .blog, .underpants for all I know, no one can keep them all in their head anymore and one leaps to mind of an incredibly obnoxious purchase by google.dev.

Now, you can have anything you want .dev exist as a domain because Google has taken responsibility for owning that subdomain. Why is that obnoxious? Well, historically for the longest time on the internet, there were a finite number of top-level domains that people had to worry about. So internally, when people were building out their own environments, they would come up with something that was guaranteed never to resolve, .dev was a popular pick. You could put that to a local name server inside your firewall or you could even hard-code it on your laptop itself and it worked out super-well. Now, anyone who registers whatever domain you picked has the potential to set up a listener on their end. That is not just a theoretical concern. I worked at a company once that had their domain.com as their external domain and domain.net for their internal domain, which is reasonable, except for the part where they didn't own the .net version of their domain.

Someone else did and kept refusing offers to buy it, so periodically, we would try and log into something internal while not being on the VPN, despite thinking that we were, and type a credential into this listener that is set up and immediately have to reset our credentials. It was awful. Try not to do that. If you use a development domain, make sure you own it, it's $12, everyone will be happier with this. Now, a common interview question that people love to ask when it comes to CIS Admins, SRS, DevOps, whatever we're calling them this week, is when I punch www.google.com into my web browser and I hit enter how does it translate that into an IP address?

There're a lot of things you can hit, but by and large, the way that it works is something like this. Oh, and a caveat they love to add in because otherwise, this gets way more complicated, is every server involved has a cold cache, and we'll get to what that means in a bit, but at that point, your browser then says, "Oh, who has www.google.com?" It passes that query to the system resolver on your computer that goes through a series of different resolution techniques. It usually will check the /etc/host's file if it's on a Mac or a Linux style box, and if there isn't anything hardcoded in there, which there is it for purposes of this exercise, it queries the systems external resolver.

This is usually provided by your ISP, but you can also use Google's public resolvers 8.8.8.8 And 8.8.4.4, Cloudflare's 1.1.1.1, OpenDNSs, which is really weird and no one can remember them off the top of their head, but there're a lot of different options. When that gets queried, it's looks at that www.google.com because it has a cold cache its first question is great, "Who owns .com?" It queries the route name server. The route name server says, "Oh, .com is handled by the .com TLD authoritative servers," and it passes that out. The route name server then returns who's authoritative for.com to the resolver. The resolver says, "Great," and then queries is the authoritative name server for .com, "Who has www.google.com?" and it returns the authoritative name servers for google.com.

Now, something strange if you were to actually try this yourself is that the answer to that question is generally ns1.google.com that sets up the opportunity for an infinite loop where oh, nsi.google.com. Ask .com, "Who has nsi.google.com?" except for the part that when it returns with that result specifically, it includes an IP address. That IP address is known as a glue record to break that circular dependency. Glue records are often one of those things that pop up in CIS Admin type interviews to prove the interviewer thinks they're smarter th...

The Rain in Spain Falls Mainly on the Control Plane

Corey Quinn — Mon, 04 Nov 2019 03:00:00 -0800

AWS Morning Brief for the week of November 4th, 2019.

Networking in the Cloud Fundamentals, Part 1

Corey Quinn — Thu, 31 Oct 2019 03:00:00 -0700

Links Referenced

Transcript

UDP. I'd make a joke about it, but I'm not sure you'd get it.

This episode is sponsored by ThousandEyes. Think of ThousandEyes as the Google Maps of the internet. Just like you wouldn't dare leave San Jose to drive to San Francisco without checking if 101 or 280 was faster and yes, that's a very localized reference to San Francisco Bay area. Businesses rely on ThousandEyes to see the end to end paths their apps and services are taking from their servers to their end users to identify where the slowdowns are, where the pileups are hiding and what's causing the issues. They use ThousandEyes to see what's breaking where and importantly, they share that data directly with the offending service providers to hold them accountable and get them to fix the issue fast, ideally before it impacts end users. You'll be hearing a fair bit more about ThousandEyes over the next 12 weeks because Thursdays are now devoted to networking in the cloud. It's like screaming in the cloud, only far angrier.

We begin today with the first of 12 episodes. Episode one, the fundamentals of cloud networking. You can consider this the AWS morning brief networking edition. So a common perception in the world of cloud today is that networking doesn't matter, and that perception is largely accurate. You don't have to be a network engineer the way that any reasonable systems or operations person did even 10 years ago, because in the cloud, the network doesn't matter at all until suddenly it does at the worst possible time, and then everyone's left scratching their heads.

So let's begin with how networking works, because a computer in 2019 is pretty useless if it can't talk to other computers somehow. And for better or worse, Bluetooth isn't really enough to get the job done. Computers talk to one another over networks, basically by having a unique identifier. Generally, we call those IP addresses here in the path that this future has taken. In a different world, we would've gone with token ring and a whole bunch of other addressing protocols, but we didn't. Instead we went with IP, the unimaginatively named internet protocol, and with the current version of the internet protocol, version four, we're not talking about IPv6 because let's not kid ourselves, no one's really using that at scale despite everyone claiming that it's going to happen real soon now.

So there are roughly 4 billion IP addresses and change, and those are allocated throughout effectively the entire internet. When this stuff was built back when it was just defense institutions and universities on the internet, 4 billion seemed like stupendous overkill. Now it turns out that some people have 4 billion objects on their person that are talking to the internet and all chirping and distracting them at the same time when you're attempting to have a conversation with them.

So those networks are broken down into subnetworks or subnets, for lack of a better term. And they can range anywhere from a single IP address, which in CIDR, C-I-D-R parlance is a /32 to all 4 billion and change, which is a /0. Some common ones tend to be /24, which is 256 IP addresses, of which 254 are usable and you can expand that into 512 with a /23 and so on and so forth. The specific math isn't particularly interesting or important and it's super hard to describe without some kind of whiteboard. So smile, nod and move past that. So then you have all these different subnets. How do they talk to one another? I mean the easy way to think of it is, "Oh, I have one network, I plug it directly into another network and they can talk to each other."

Well, sure in theory. In practice, it never works that way because those two networks are often not adjacent. They have to talk to something else, go through different hops to go from here to there to somewhere else, to somewhere else to finally the destination it cares about. And when you take a look at the internet as being this network that spans the entire world, well that turns into a super complicated problem because remember, the internet was originally designed to be something that could withstand a massive disruption generally in the terms of nuclear war where effectively large percentages of the earth were no longer habitable, had to be able to reroute around things and routing is more or less how that wound up working.

The idea that you could have different paths to get to the same destination and that solves an awful lot. It's why the internet is as durable as it is, but also explains why these things are terrible and why everyone is super quick to blame the network. One last thing to consider is network address translation. They're private IP address ranges that are not reachable over the general internet, anything starting with a 10 for example, the entire 10/8 is considered private IP address space. Same with one 192.168, anything in that range is as well and anything between 172.16 and 172.20, give or take, if I'm wrong, don't at me. It's been a very long week and translating those private IP addresses into public IP addresses is known as network address translation or NAT. We're not going to get into the specifics of that at the moment, but just know that it exists.

Now, most of the traditional networking experience doesn't come from working in the cloud. It comes from working in data centers, a job that sucks and some of the things that you learn doing that are tremendously impactful. They completely change how you view how computers work and in the cloud, that knowledge becomes invaluable. So let's talk a little bit about what it looks like in the world of cloud, specifically AWS, because AWS had effectively five years of uninterrupted non-compete time where no one else was really playing with cloud. So by the time everyone else woke up, the patterns that AWS had established were more or less what other people were using. This is the legacy of Rip Van Wrinkling through five years of cloud. If you don't want me to talk about AWS and talk about a different company instead, that other company should have tried harder.

In AWS context, they have something known as a virtual private network or a VPC, and planning out what your network looks like in those environments is relatively challenging because people tend to make some of the same mistakes here as they did in data centers. For example, something that has changed is that common wisdom in a data center is that anything larger than a /23 or a subnet that has 512 IP addresses in it was a complete non-starter because at that point that is a large enough subnet that your broadcast domain or everything being able to talk to everything is large enough that it was going to completely screw over your switch. It would get overwhelmed. You'd wind up with massive challenges and things falling over constantly, so having small subnets was critical.

Now in the world of cloud, that's not true anymore because broadcast storms aren't a thing that AWS and other reasonable cloud providers allows to happen. It winds up getting tamped down. There are rate limits. They do all kinds of interesting things that mean that this isn't really an issue. So if you want to have a massive flat n...

Last of the JEDI

Corey Quinn — Mon, 28 Oct 2019 03:00:00 -0700

AWS Morning Brief for the week of October 28th, 2019.

AWS CloudWatch Anomaly Wake-Up Calls

Corey Quinn — Mon, 21 Oct 2019 03:00:00 -0700

AWS Morning Brief for the week of October 21st, 2019.

The Right to Bare Metal ARMs

Corey Quinn — Mon, 14 Oct 2019 03:00:00 -0700

AWS Morning Brief for the week of October 14th, 2019.

Hope and Change Management

Corey Quinn — Mon, 07 Oct 2019 03:00:00 -0700

AWS Morning Brief for the week of October 7th, 2019.

API Has Two Syllables

Corey Quinn — Mon, 30 Sep 2019 03:00:00 -0700

AWS Morning Brief for the week of September 30th, 2019.

NoSQL Workbench Gets Rapid Sequel

Corey Quinn — Mon, 23 Sep 2019 03:00:00 -0700

AWS Morning Brief for the week of September 23rd, 2019.

CSI: Driver Support YEEEEEAAAAAAAAHHHHHH!

Corey Quinn — Mon, 16 Sep 2019 03:00:00 -0700

AWS Morning Brief for the week of September 16th, 2019.

Amazon SageMaker Private Worker Throughput Worker

Corey Quinn — Mon, 09 Sep 2019 03:00:00 -0700

AWS Morning Brief for the week of September 9th, 2019.

me-south-1 is Southern Maine, right?

Corey Quinn — Mon, 02 Sep 2019 03:00:00 -0700

AWS Morning Brief for the week of September 2nd, 2019.

Amazon Fivecast

Corey Quinn — Mon, 26 Aug 2019 03:00:00 -0700

AWS Morning Brief for the week of August 26th, 2019.

The Seven Things You Can’t Say at re:Invent

Corey Quinn — Mon, 19 Aug 2019 03:00:00 -0700

AWS Morning Brief for the week of August 19th, 2019.

SageMaker Supports R, Pirates' First Love Remains C

Corey Quinn — Mon, 12 Aug 2019 03:00:00 -0700

AWS Morning Brief for the week of August 12th, 2019.

CapitalOne's CapitalZeroDay

Corey Quinn — Mon, 05 Aug 2019 03:00:00 -0700

AWS Morning Brief for the week of August 5th, 2019.

Spot Instances for IBM Enterprise Linux

Corey Quinn — Mon, 29 Jul 2019 03:00:00 -0700

AWS Morning Brief for the week of July 29th, 2019.

Elastic Fabric Adapters and the Suspenders of Disbelief

Corey Quinn — Mon, 22 Jul 2019 03:00:00 -0700

AWS Morning Brief for the week of July 22, 2019.

Marching in CloudFormation: Their Rebuilding Year

Corey Quinn — Mon, 15 Jul 2019 03:00:00 -0700

AWS Morning Brief for the week of July 15, 2019.

If You Can't Make It In New York, AWS Will

Corey Quinn — Mon, 08 Jul 2019 03:00:00 -0700

AWS Morning Brief for the week of July 8th, 2019

reInforce Meant Learning

Corey Quinn — Mon, 01 Jul 2019 03:00:00 -0700

AWS Morning Brief for the week of July 1st, 2019.

AWSECS4K8S(EKS) Finally Renamed

Corey Quinn — Mon, 24 Jun 2019 03:00:00 -0700

The AWS Backwards Shuffle

Corey Quinn — Mon, 17 Jun 2019 03:00:00 -0700

AWS Morning Brief for the week of June 17th, 2019.

Tom Clancy’s Systems Manager OpsCenter

Corey Quinn — Mon, 10 Jun 2019 03:00:00 -0700

AWS Morning Brief for the week of June 10th, 2019.

Data Ah-Pee Goes GA

Corey Quinn — Mon, 03 Jun 2019 03:00:00 -0700

AWS Morning Brief for the week of June 3rd, 2019.

Welcome to AWS Morning Brief

Corey Quinn — Fri, 31 May 2019 03:00:00 -0700

Welcome to AWS Morning Brief, the podcast that summarizes the news from the AWS ecosystem--and makes fun of it.