A very Happy New Year 2020 to all of you
As you all know, the largest batch of new AWS announcements is made at the re:Invent conference around the first week of December, and last year was no different. It makes you dizzy trying to catch up with everything that has been introduced. Here is my attempt to give you a gist of the new products and features in some of the generic services (I am not listing the developments in specialized services like game development, AI, graph databases and so on). What I am going to talk about will probably impact a lot of people and may become part of future certification exams.
Amazon’s Builders Library
If you are an architect you will be very interested in this. Amazon’s Builders’ Library is basically Amazon telling us how it builds and operates the cloud. In Amazon’s own words, “The Amazon Builders’ Library is a collection of living articles that describe how Amazon develops, architects, releases, and operates technology”. The articles talk about technology, about how releases are planned and about how operations are performed. If you want an idea of how the cloud is actually operated, this is the place for you.
Amazon’s Builders Library link
AWS Local Zones
We all know about AWS Regions and Availability Zones. In some cases you may want a much faster response than you can get from the Region closest to you. For example, assume most of your users are in Bangalore. Currently you can have your resources only in the Mumbai region, and you feel that the latency of connecting to Mumbai is not acceptable for your end users. In this case, having your resources in Bangalore would improve the latency.
AWS Local Zones try to address this problem. AWS is now going to create Local Zones (or maybe we can call them mini-Regions) closer to large concentrations of users. These Local Zones will not have the full gamut of AWS services; they will offer services like EC2, EBS, Load Balancers and VPC. A Local Zone is connected to its parent Region via a dedicated link, so you can connect your resources in the Local Zone with resources in the Region of your choice. Currently only the Los Angeles Local Zone is available (by invitation).
This is an important development. I am sure that there will be more Local Zones in the near future, and this will have an impact on how we architect our solutions.
AWS Local Zones link
S3 Access Points and RTC
The growth in data, and with it the need to store large amounts of common data in S3, has given rise to security issues. You now have the scenario of multiple users/applications accessing the same data in S3. Assume you want to control access for these users/applications in a granular fashion. We can do this using bucket policies, but this can soon turn into a nightmare, since one misstep in the single bucket policy affects every user/application that depends on it.
AWS has now introduced the concept of S3 Access Points to address this issue. We can now create multiple access points for the same bucket and attach permissions at the access point level. Each access point can then be handed to a different user/application. This way any mistake in a security configuration only affects the small subset of users/applications behind that access point, which lets us manage our S3 permissions more effectively.
Read more details at this link: S3 Access Points
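To make the blast-radius argument concrete, here is an added example (it is not from the original post and not AWS code) that builds, in Python, the two policy documents involved: a bucket policy that delegates access control to access points owned by the account, and a per-consumer access point policy scoped to one prefix. The account ID, region, bucket and role names are constructed placeholders, and `is_allowed` is a deliberately minimal evaluator for these Allow-only, condition-free statements, not a reimplementation of IAM evaluation.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample identifiers; replace with your own.
ACCOUNT = "111122223333"
REGION = "ap-south-1"
BUCKET = "shared-company-data"


def access_point_arn(name):
    return f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{name}"


def bucket_delegation_policy():
    """Bucket policy that lets any request made through an access point owned by
    this account proceed; the per-consumer rules live on the access points."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPoints",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}},
        }],
    }


def access_point_policy(name, principal_arn, prefix, actions):
    """Policy for one access point: one consumer, one prefix, one set of actions.
    Object keys under an access point are addressed as .../object/<key>."""
    sid = "".join(ch for ch in name.title() if ch.isalnum()) + "Scope"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": list(actions),
            "Resource": f"{access_point_arn(name)}/object/{prefix}/*",
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, principal_arn, action, resource_arn):
    """Minimal evaluator for the Allow-only, condition-free statements built
    above: a request succeeds if any statement matches principal, action and
    resource. Real IAM evaluation also handles Deny, conditions and more."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = _as_list(stmt["Principal"]["AWS"])
        if not any(p in ("*", principal_arn) for p in principals):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


# One access point per consumer: the reporting role may only read finance/,
# the ingest role may only write to raw/. A mistake in one policy touches
# only that consumer, not everyone using the bucket.
REPORTING_ROLE = f"arn:aws:iam::{ACCOUNT}:role/finance-reporting"
INGEST_ROLE = f"arn:aws:iam::{ACCOUNT}:role/data-ingest"
REPORTING_AP = access_point_policy("finance-reports", REPORTING_ROLE, "finance", ["s3:GetObject"])
INGEST_AP = access_point_policy("raw-ingest", INGEST_ROLE, "raw", ["s3:PutObject"])


def object_via(name, key):
    """ARN of an object as addressed through the named access point."""
    return f"{access_point_arn(name)}/object/{key}"


if __name__ == "__main__":
    print(json.dumps(bucket_delegation_policy(), indent=2))
    print(json.dumps(REPORTING_AP, indent=2))
    print(is_allowed(REPORTING_AP, REPORTING_ROLE, "s3:GetObject",
                     object_via("finance-reports", "finance/2019/q4.csv")))
```

The bucket policy changes once, to delegate to access points, and is then left alone; every later change happens in a policy that only one consumer depends on.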
Replication Time Control (RTC)
You must be aware that we can set up replication for a bucket. The destination of the replication can be a bucket in the same zone or in a different zone. With Replication Time Control, Amazon will try to complete the replication within a specified time period, and backs it with an SLA. Here is what AWS says about this feature: “S3 Replication Time Control is designed to replicate 99.99% of objects within 15 minutes after upload, with the majority of those new objects replicated in seconds. S3 RTC is backed by an SLA with a commitment to replicate 99.9% of objects within 15 minutes during any billing month”
More details here: S3 RTC
VPC Sharing
VPC sharing allows subnets to be shared with other AWS accounts within the same AWS Organization. So you can now have a VPC that is spread across two or more accounts of the same AWS Organization. This gives you more control in terms of centralizing VPC management.
Check out the link to understand the benefits and how to share your subnets.
RDS Proxy
Let’s take a use case in the serverless domain. Assume that when your Lambda function is triggered, it establishes a database connection to your RDS instance, and that you trigger a huge number of Lambda functions in parallel. Each of these functions has to establish its own database connection with your RDS instance, and when the function completes, the connection is torn down. Establishing connections takes a toll on the RDS instance, as it consumes CPU/memory resources, so the performance of RDS decreases if it is constantly opening and closing connections. The other kind of problem is when a huge number of connections are opened and many are kept idle so that when a request comes in, the response is fast. You basically overprovision the number of connections in this case.
RDS Proxy has been introduced to solve problems like these. The RDS Proxy sits between the application and RDS and opens a pool of connections with the RDS instance. Your application now connects to the RDS Proxy, and the proxy allocates a connection from the pool. Connections which are infrequently used are shared by RDS Proxy across applications. RDS Proxy ensures that the RDS instance no longer carries the burden of opening and closing connections, improving the efficiency of the RDS instance and thus of your application.
RDS Proxy Link
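The effect of pooling is easy to see in numbers. The following is an added Python simulation (not from the original post and not how RDS Proxy is implemented) that contrasts the per-invocation open/close pattern with a bounded pool: `FakeDbConnection` is a constructed stand-in that only counts opens, and `simulate_waves` models bursts of concurrent Lambda invocations.

```python
import itertools
from collections import deque


class FakeDbConnection:
    """Stand-in for a database connection (constructed for this example). Each
    open is counted because opening is the expensive step the proxy absorbs."""
    opened = 0
    closed = 0
    _ids = itertools.count(1)

    def __init__(self):
        FakeDbConnection.opened += 1
        self.id = next(FakeDbConnection._ids)

    def execute(self, sql):
        return f"conn{self.id}: {sql}"

    def close(self):
        FakeDbConnection.closed += 1


class ConnectionPool:
    """Bounded pool in the spirit of RDS Proxy: hand out an idle connection if
    one exists, open a new one only while under max_size, and otherwise make
    the caller wait or back off (modelled here by raising) rather than
    flooding the database with new connections."""

    def __init__(self, max_size):
        self.max_size = max_size
        self.idle = deque()
        self.in_use = 0

    def acquire(self):
        if self.idle:
            conn = self.idle.popleft()
        elif self.in_use < self.max_size:
            conn = FakeDbConnection()
        else:
            raise RuntimeError("pool exhausted: caller must wait or back off")
        self.in_use += 1
        return conn

    def release(self, conn):
        self.in_use -= 1
        self.idle.append(conn)  # kept warm for the next borrower

    def open_connections(self):
        return self.in_use + len(self.idle)


def simulate_waves(pool, waves, concurrent):
    """Each wave is `concurrent` Lambda invocations in flight at the same time.
    With pool=None each invocation opens and closes its own connection (the
    problem described above); with a pool they borrow and return. Returns how
    many database connections were opened during the run."""
    before = FakeDbConnection.opened
    for _ in range(waves):
        held = []
        for i in range(concurrent):
            conn = pool.acquire() if pool else FakeDbConnection()
            conn.execute(f"SELECT status FROM orders WHERE id = {i}")
            held.append(conn)
        for conn in held:
            if pool:
                pool.release(conn)
            else:
                conn.close()
    return FakeDbConnection.opened - before


def pool_rejects_burst(max_size, concurrent):
    """True if a burst larger than the pool is refused instead of opening more
    connections; this is the back-pressure a pool gives the database."""
    try:
        simulate_waves(ConnectionPool(max_size), 1, concurrent)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("direct:", simulate_waves(None, waves=50, concurrent=10), "connections opened")
    pool = ConnectionPool(max_size=20)
    print("pooled:", simulate_waves(pool, waves=50, concurrent=10), "connections opened")
```

With 50 waves of 10 concurrent invocations the direct pattern opens 500 connections while the pool opens 10 and keeps them warm; the pool's `max_size` is also what stops the overprovisioning problem, since no more than that many connections can ever exist.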
AWS Resource Access Manager (RAM)
Let us take a use case like this: assume your organization has multiple accounts. Each account builds its own VPC and wants to manage its VPN connections, so each account may end up asking for a Transit Gateway, and your organization has to pay for multiple Transit Gateways. Amazon has now introduced Resource Access Manager (RAM), which allows you to share resources amongst AWS accounts within the same organization, thus reducing the management effort and the cost.
Currently you can share Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules with RAM.
Resource Access Manager Link
Amazon Detective
AWS provides a lot of tools for security. For example we have Amazon GuardDuty, which looks at your logs (like VPC Flow Logs) and alerts you to possible security issues. It will also point out where the problem lies. This is a very useful tool, and in many cases it may be sufficient. In some cases though, you will need to dig deeper to find the root cause of how the security flaw came into existence. Amazon Detective helps you find the root cause of potential security issues. It uses machine learning, graph theory and statistical analysis to build linkages, which help you get to the root cause faster. For this, Detective uses various data sources like VPC Flow Logs, AWS CloudTrail and GuardDuty findings.
Amazon Detective Link
IAM Access Analyzer
While services like GuardDuty and Detective tell you about security vulnerabilities, a challenge every organization faces is inadvertently giving permissions to external principals. IAM Access Analyzer is a tool which tells you which of your resources have granted permissions to external principals. Access Analyzer treats your account as the zone of trust: it analyzes all your resource policies and, if it finds any policy granting permission to a principal outside that zone, records a finding. Similarly, if a policy changes and that change provides access to an external principal, you will be notified.
IAM Access Analyzer link
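To show what "zone of trust" means in practice, here is an added, much simplified local check written in Python (it is not from the original post and is not how Access Analyzer itself works): it walks a resource policy, resolves each AWS principal to its account, and reports every Allow statement that reaches outside the trusted account. The account IDs and the bucket policy are constructed, only `aws:PrincipalAccount`/`aws:SourceAccount` under `StringEquals` are modelled as narrowing a wildcard principal, and Service and Federated principals are ignored.

```python
import re

ZONE_OF_TRUST = "111122223333"  # constructed account ID; the analyzer's zone of trust

_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")
_TRUST_CONDITION_KEYS = ("aws:PrincipalAccount", "aws:SourceAccount")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _aws_principals(principal):
    """Flatten the Principal element to the AWS principals it names.
    Service and Federated principals are out of scope for this check."""
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _principal_account(p):
    """Return the 12-digit account an AWS principal belongs to, or None for '*'."""
    if re.fullmatch(r"\d{12}", p):
        return p
    m = _ARN_ACCOUNT.match(p)
    return m.group(1) if m else None


def _limited_to_trusted_account(condition):
    """A wildcard principal is still internal if a StringEquals condition pins
    the calling account to the zone of trust (simplified: other operators and
    keys such as aws:PrincipalOrgID are not modelled here)."""
    equals = condition.get("StringEquals", {})
    return any(equals.get(k) == ZONE_OF_TRUST for k in _TRUST_CONDITION_KEYS)


def find_external_access(policy, resource_name):
    """Return one finding per (statement, principal) that grants access from
    outside the zone of trust."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for p in _aws_principals(stmt["Principal"]):
            if _principal_account(p) == ZONE_OF_TRUST:
                continue
            if p == "*" and _limited_to_trusted_account(stmt.get("Condition", {})):
                continue
            findings.append({
                "resource": resource_name,
                "sid": stmt.get("Sid"),
                "principal": p,
                "actions": _as_list(stmt.get("Action", [])),
            })
    return findings


def new_findings(old_policy, new_policy, resource_name):
    """Findings introduced by a policy change: what a change notification carries."""
    before = {(f["sid"], f["principal"]) for f in find_external_access(old_policy, resource_name)}
    return [f for f in find_external_access(new_policy, resource_name)
            if (f["sid"], f["principal"]) not in before]


# Constructed bucket policy: one internal grant, one wildcard grant pinned to
# our own account, and two grants that reach outside the zone of trust.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TeamRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ZONE_OF_TRUST}:role/analytics"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"},
        {"Sid": "OwnAccountOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::reports",
         "Condition": {"StringEquals": {"aws:PrincipalAccount": ZONE_OF_TRUST}}},
        {"Sid": "PartnerUpload", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999988887777:role/uploader"]},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::reports/inbound/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/public/*"},
    ],
}

if __name__ == "__main__":
    for finding in find_external_access(BUCKET_POLICY, "reports"):
        print(finding)
```

Run against the sample policy it reports `PartnerUpload` (another account) and `PublicRead` (anyone), and stays silent on the two statements that stay inside the account; `new_findings` is the diff view that matters when a policy is edited, since an external grant that already existed is old news while a newly added one deserves a notification.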
Will continue this in Part 2 tomorrow