AWS Notes


AWS Notes — Amazon Web Services Educational and Information Channel Chat: https://t.me/aws_notes_chat Contacts: @apple_rom, https://www.linkedin.com/in/roman-siewko/ No ads.

Post archive
Repost from AWS Weekly
🟢 Issue #81 | 23 July 2023
▪️ Amplify JS lib better performance
▪️ AppConfig Agent simplifies feature flag and config use for EC2
▪️ CloudWatch ML backed Logs Insights pattern query command
▪️ CodeCatalyst workflows triggered by GitHub pull requests
▪️ Config advanced queries +65 resource types
▪️ Connect
      ▫️ CloudFormation support for routing profiles and queues
      ▫️ pre-defined Contact Lens conversational analytics metrics
▪️ Connect Cases case assignment
▪️ Connect Wisdom chat agents
▪️ ECS domainless gMSA authentication
▪️ Elemental MediaTailor cue ad tags in Channel Assembly
▪️ EMR on EKS Apache Spark with Java 17
▪️ Fargate faster container startup using Seekable OCI
▪️ Glue Crawlers Apache Hudi Tables
▪️ IoT Device Defender monitoring of device disconnect durations
▪️ IVS rendition filtering and higher frequency thumbnails
▪️ Lake Formation delegation of LF-Tag management
▪️ Lambda & EventBridge Pipes enhanced filtering
▪️ Lex Introducing Analytics
▪️ PrivateLink CloudWatch Contributor Insights integration
▪️ Redshift QUALIFY clause in SELECT SQL statement
▪️ Redshift ML integration with Amazon Forecast
▪️ Route 53 Resolver is now available on AWS Outposts rack
▪️ SageMaker JumpStart Meta Llama 2 foundation models
▪️ SNS mobile push notifications in 12 new regions
▪️ Tools Lambda Annotations Framework for .NET.
▪️ Translate real time translation of Docx files
▪️ WAF URI path aggregation key for rate-based rules

Repost from AWS Weekly
Issue #80 | 16 July 2023
▪️ Aurora PostgreSQL pgvector for vector storage and similarity search & version updates
▪️ Batch on Fargate Linux ARM64 and Windows x86 containers in CLI/SDK
▪️ CloudFront 3072-bit RSA certificates
▪️ Connect programmatically delete Routing Profiles and Queues
▪️ DMS Redshift Serverless support
▪️ DocumentDB index improvements
▪️ Elemental MediaLive
      ▫️ 1-second metrics
      ▫️ alert categories in Channel Assembly
▪️ EMR on EKS programmatic execution for managed endpoints
▪️ FSx for NetApp ONTAP
      ▫️ IPSec encryption of data in transit
      ▫️ two additional monitoring and troubleshooting capabilities
      ▫️ write once, read many (WORM) protection with SnapLock
▪️ Karpenter Windows containers support
▪️ Lambda now detects and stops recursive loops in Lambda functions
▪️ Location Service
      ▫️ API Keys for Maps, Places, and Routes
      ▫️ publishing device position updates on EventBridge
▪️ Mainframe Modernization expands control and visibility of runtime
▪️ Omics FedRAMP Moderate authorization
▪️ OpenSearch Service version 2.7
▪️ Personalize add columns to existing datasets
▪️ Proton deployment history
▪️ QuickSight
      ▫️ axis customization options for small multiples and radar chart
      ▫️ unified color experience for analysis and dashboards
▪️ RDS for SQL Server self-managed Active Directory
▪️ S3 Inventory ACLs as object metadata in inventory reports

AWS is offering a 7-day free trial on Skill Builder - a learning platform built by the experts at AWS. Practice building with AWS Builder Labs, develop your role-based skills using gamified learning with AWS Cloud Quest, verify your skills by taking a Jam Journey challenge, and prepare for an AWS Certification with enhanced exam prep materials. Details: https://pages.awscloud.com/GLOBAL-Other-GC-Skill-Builder-Subscription-Free-Trial.html NOTE: This promotion is redeemable through July 30th, 2023. Terms and conditions apply. If you do not cancel your free trial after 7 days, you will be automatically subscribed at $29 USD per month.

10 useful tips for speeding up OpenSearch: https://www.tecracer.com/blog/2023/07/performance-boost-10-expert-tips-for-optimizing-your-amazon-opensearch-service-cluster.html
▫️ Choose the right instance type
▫️ Start big
▫️ Use bulk ingest requests and employ multi-threading
▫️ Minimize frequent updates to the same document
▫️ Monitoring
▫️ Profile queries
▫️ Find an optimal shard number and size
▫️ Optimize shard locating
▫️ Use filters
▫️ Use search templates
#OpenSearch

☸️ Confidential Kubernetes https://kubernetes.io/blog/2023/07/06/confidential-kubernetes/

A really good article on the state of Confidential Computing as it relates to Kubernetes. It's a pity there are no authors from the AWS side, because for someone who knows the subject, certain, shall we say, issues in the AWS parts will be visible right away.

1️⃣ «A managed CloudHSM from AWS costs around $1.50 / hour or ~$13,500 / year.» Ha-ha-ha. Per year, how terrifying, for a business with security requirements like these. And it's especially funny given the cost of an HSM in Azure: 😃 Hourly usage fee per HSM Azure Dedicated HSM $4.85

2️⃣ The Confidential Computing technology on AWS, that is AWS Nitro Enclaves, is only briefly mentioned because they «have a different threat model compared to the CPU-based solutions by Intel and AMD». That's all correct, I fully agree. Nitro Enclaves is a cool feature, but AWS will have to keep proving its worth forever, since there are no simple ways to verify it and you have to rely entirely on the authority of AWS and the auditors rather than on the technical impossibility of access to the isolated environment.

3️⃣ AMD SEV: only Azure and Google are mentioned. Although SEV-SNP is now available on AWS too (while Google has only SEV-ES).

4️⃣ Performance: AMD's implementation of Confidential Computing is very efficient: «SEV-SNP VM overhead is <10%». About Intel's implementation it is vaguely said that it's "hard to benchmark". Translating into plain language: a complete slowpoke. 😁

5️⃣ The funny name CoCo (Confidential Containers) and the ability to run Confidential Kubernetes worker nodes once again cover only Azure and Google. The right thing would have been to mention that AWS Nitro Enclaves works on EKS.

6️⃣ A good and important remark, «they don't offer a dedicated confidential control plane»: so far no cloud offers Confidential Kubernetes master nodes, this is only about workers.

7️⃣ Constellation is an interesting thing, I'd be grateful if someone shared their experience of using it.

All in all, a good article, I highly recommend reading it.

#security #ConfidentialComputing #ConfidentialKubernetes

Repost from AWS Weekly
Issue #79 | 9 July 2023
▪️ Application Migration Service multi-account migrations
▪️ Backup expands cross-account backup AWS Region coverage
▪️ CloudWatch Cross-Account Service Quotas
▪️ CodeBuild GitHub Actions support
▪️ Config +16 resource types
▪️ Connect autorun based on agent activity
▪️ DynamoDB
      ▫️ Distributed Cache Provider .NET
      ▫️ local version 2.0
▪️ EKS increases pod density limits for Windows containers
▪️ Elemental MediaLive input thumbnail images
▪️ Glue Crawlers Apache Iceberg Tables
▪️ GuardDuty EKS Runtime Monitoring expands OS and processor support
▪️ Mainframe Modernization Blu Age runtime deployment
▪️ OpenSearch Service higher IOPS and throughput for gp3 volumes
▪️ Personalize latest streamed data
▪️ RDS
      ▫️ PostgreSQL 16 Beta 2 Preview Environment
      ▫️ PostgreSQL Multi-AZ logical replication with 2 readable standbys
▪️ SageMaker Model Cards now integrated with model versions in Registry
▪️ Systems Manager Parameter Store increases API throughput limit
▪️ Textract AnalyzeDocument - Forms

​​🆕 CodeBuild + GitHub Actions: https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html You can use an action runner to run GitHub Actions within CodeBuild. This can be done by adding steps to any phase in your buildspec file. #CodeBuild #GitHub

☁️ Differences between cloud providers by public projects: https://iot-analytics.com/global-cloud-projects

A quality analysis that gives an idea of the specifics of each provider's customer base, based on roughly 7 thousand publicly available projects that state which cloud they use.

Company / Market share / Share of public projects
AWS / 39% / 37%
Azure / 27% / 30%
Google / 9% / 22%
Oracle / 2% / 7%
Alibaba / 5% / 4%
Others / 18% / n/a

Interesting points:
🔹 Oracle comes fourth for public projects
🔸 2/3 of Google's customers are small, half of AWS's, and only a third of Azure's (i.e. 2/3 are large and very large)
🔹 AWS dominates in India, Azure in Japan, Google in France
🔸 Alibaba is 87% China and Asia

#info

A real security professional has no goal, only certifications: https://pauljerimy.com/security-certification-roadmap/ #security

​​CloudFormation team is running a survey to learn more about your perception of CloudFormation performance, with the goal of helping to improve the customer experience. 📢 Take the survey at: https://amazonmr.au1.qualtrics.com/jfe/form/SV_2lwFTzuDD4aZL0i #CloudFormation

Videos from a container security conference: https://www.youtube.com/playlist?list=PL80eyh4Ug9W_808zqJhiRGeXT6JvXpwBk #containers #kubernetes #security

​​🏗️ Terraform on AWS — Workshop https://catalog.us-east-1.prod.workshops.aws/workshops/41c5a1b6-bd3e-41f4-bd46-85ab7dc6dad4/en-US ▫️ Understand the basic building blocks of Terraform (providers, data sources, resources, etc) ▫️ Develop your first Terraform project on AWS ▫️ Getting started into a typical workflow for Terraform ▫️ Update and deploy changes into your infrastructure environment #Terraform #workshop

A great example of how to migrate from MongoDB to PostgreSQL. https://blog.stuartspence.ca/2023-05-goodbye-mongo.html Five years ago, MongoDB was all the rage. Riding the NoSQL fad, rather than real-world requirements, many startups chose MongoDB as their primary database. If you have such a project, a migration to a "regular" SQL database is a very good idea. PostgreSQL is now the most popular, and rightly so. This article will give you the arguments for migrating to PostgreSQL, which is more convenient in most cases. #PostgreSQL #MongoDB

Repost from AWS Weekly
🌥 Issue #78 | 2 July 2023
▪️ Amazon Linux 2023.1 secure boot
▪️ Amplify Hosting monorepo frameworks support
▪️ AppFabric new no code service to connect SaaS applications
▪️ App Runner update and rebuild a failed service
▪️ AppStream 2.0 applications manager
▪️ Athena
      ▫️ new ODBC driver
      ▫️ querying restored data in S3 Glacier
▪️ Aurora MySQL zero-ETL integration with Redshift | Preview
▪️ Batch ‘Min vCPUs’ for Multi-Node Parallel Jobs
▪️ CloudFormation launches Guard 3.0 with support for stateful rules
▪️ CloudWatch dashboard variables
▪️ Connect Chat
      ▫️ additional customization options for the chat widget
      ▫️ quick reply and carousel messages
      ▫️ search for tags within an instance
▪️ Database Migration Service more comprehensive pre-migration assessments
▪️ DevOps Guru encryption using customer managed keys
▪️ DynamoDB simplifies and lowers the cost of handling failed conditional writes
▪️ EC2 R6a with faster EBS-optimized performance
▪️ ECS faster tasks launch on instances with prolonged shutdown
▪️ Elemental MediaConnect higher frequency metrics
▪️ Elemental MediaTailor creative ad id signaling in video manifests
▪️ FSx for OpenZFS CSI Driver
▪️ GameLift Amazon Linux 2023
▪️ Glue native Snowflake connector with new ETL capabilities | Preview
▪️ Incident Detection & Response 3rd Party Event Ingestion
▪️ IoT TwinMaker Knowledge Graph supports showing query results in scenes
▪️ Kendra Retrieval API
▪️ Kinesis Data Analytics Studio Flink version 1.15
▪️ Lambda
      ▫️ remote invoke with SAM CLI
      ▫️ simplifies copying environment variables in the console code editor
▪️ Marketplace transaction purchase order support for server products
▪️ Omics Common Workflow Language
▪️ OpenSearch
      ▫️ ingesting events from Security Lake
      ▫️ update cluster manager nodes without blue/green
▪️ Pinpoint time zone estimation for endpoints
▪️ Private 5G New commitment pricing | GA
▪️ RDS Optimized Writes for MySQL and MariaDB supports m5d, r5d, and m6gd database instances
▪️ Redshift native console integration with ThoughtSpot
▪️ Resilience Hub EC2 Support
▪️ S3
      ▫️ Mountpoint adds support for creating new files
      ▫️ query restore Glacier object status with S3 LIST API
▪️ SageMaker
      ▫️ Canvas Parquet file format support
      ▫️ Data Wrangler direct connection to Snowflake data
      ▫️ Feature Store time to live (TTL) in online store
      ▫️ improved developer productivity with RStudio
      ▫️ Neo PyTorch/TensorFlow models compilation for Inferentia 2/Trainium 1
      ▫️ Role Manager fine-grained permissions with CDK Lib within minutes
▪️ Simple Email Service metric export
▪️ Timestream free trial
▪️ Translate custom terminology feature

Are you passionate about cloud computing and love to share your knowledge with others? #aws has an exciting opportunity for you! The AWS Community Builder Program is now open for applications until July 13th. Join a vibrant community of like-minded individuals, connect with AWS experts, and contribute to the growth of the AWS community. Apply here: APPLICATION FORM More info: OFFICIAL PAGE

​​Multi-Layered Security. #friday

EC2 Instance Connect: the freebie is over

We enjoyed it for two weeks and that's enough. AWS has restricted the use of EC2 Instance Connect to the SSH/RDP ports only, and now, when trying to connect to RDS or other resources, we get the error:

"The specified RemotePort is not valid. Specify either 22 or 3389 as the RemotePort and retry your request."

That is, they now check the --remote-port parameter, and if it is not 22 or 3389, the request is rejected. Well, a great pity, we'll keep looking.

P.S. SSM Session Manager rules again/as always. 😁

#EC2_Instance_Connect

We are pleased to announce that all the talks from AWS Security Day have been published on the AWS in Russian YouTube channel. You can watch them by following the link:

☁️ Hybrid Architectures for Personal Data Compliance
Святослав Редько, AWS Senior Solutions Architect
Дана Есентай, Senior Consultant, KPMG | Certified Data Privacy Solutions Engineer

☁️ Layering AWS security services to automate incident response
Игорь Иванюк, AWS Principal Solutions Architect

☁️ How we make AWS Secure
Игорь Шарфмессер, Senior Solution Architect, AWS

☁️ Panel session with experts from KPMG, AWS, КИБ МЦРИАП РК, qCloudy
Moderator: Ринат Узбеков, Principal Account Manager AWS ISV Global/AWS Kazakhstan Country Sales Lead

☁️ Setting up secure infrastructure for Kubernetes. On-premise vs AWS
Артем Прима, Developer Advocate, qCloudy

☁️ Demo "Governance with AWS Control Tower"
Михаил Голубев, AWS Principal Solutions Architect

We have also prepared a photo report from the event so that you can relive the memories and share them with colleagues. The photos are available via the link.

Thank you for joining us at AWS Security Day; we hope the materials will help you understand security in the AWS cloud even more deeply.

Special thanks to our media partners @we_project @kz_bi @thetechkz and to everyone who helped spread the word about the event.

🔥 Subscribe to @cloudnativekz
☁️ Subscribe to @aws_kz