AWS Control Tower Landing Zone 4.0 is out! After 8 years of multi-account pain, we can FINALLY set up everything programmatically

AWS Control Tower Landing Zone 4.0 introduces a flexible Controls-Only experience, allowing full programmatic setup and customization of multi-account environments. Key changes: Optional Service Integrations - choose which integrations to enable: AWS Config, AWS CloudTrail, Security Roles, AWS Backup. Dedicated Resources - better isolation with separate resources per service: separate S3 buckets for AWS Config and CloudTrail, individual SNS topics for each service. Flexible Organization Structure - removed previous requirements:...

December 27, 2025 · 1 min · Oleksandr Kulbida

ACM Finally Automates Certificate Management for Kubernetes

AWS Certificate Manager (ACM) now supports automated certificate management for Kubernetes workloads through AWS Controllers for Kubernetes (ACK). Previously, using ACM certificates in Kubernetes required manual steps: exporting certificates via API, creating Kubernetes Secrets, and manually updating them at renewal. With ACK, you can define certificates as Kubernetes resources, and the controller automates the complete lifecycle - requesting, exporting, creating Secrets, and auto-updating at renewal. This works for both public certificates (ACM exportable certificates) and private certificates (AWS Private CA), enabling automated certificate management for:...

December 27, 2025 · 1 min · Oleksandr Kulbida

AWS in 2025: Things You Think You Know That Are Actually Wrong

You know what’s wild? AWS is almost twenty years old now. That’s both cool and kind of terrifying at the same time. I’ve been working with AWS for a while, and honestly, I still catch myself thinking about things the way they used to be, not how they actually work today. The problem is that AWS changes constantly, but a lot of the foundational stuff has evolved in ways that aren’t super obvious....

December 23, 2025 · 8 min · Oleksandr Kulbida

AWS re:Invent 2025 Recap: Key Announcements for Cloud Practitioners

Another year, another AWS re:Invent has come and gone. I’ve been following the announcements closely, and there are some genuinely interesting developments worth discussing. The Big Picture: This year’s re:Invent felt a bit different. The pre:Invent announcements started later than usual (mid-November instead of early October), and the keynote felt more focused on GenAI than infrastructure improvements. That said, there are still plenty of practical enhancements that can make our lives easier....

December 23, 2025 · 7 min · Oleksandr Kulbida

AWS Finally Built a Browser for S3 (And Why It Took 20 Years)

It’s 2024, and AWS finally built a browser-based S3 viewer. Twenty years after S3 launched, you can now browse your buckets directly in the browser. It’s still in alpha, but hey, better late than never, right? You might be thinking - wait, weren’t there options before? Like S3Fox? Yeah, there were some third-party tools, but AWS itself never had an official browser interface. So what took so long? Real Problem: Access Control. Turns out, building a simple file browser wasn’t the hard part....

November 20, 2024 · 3 min · Oleksandr Kulbida

AWS vs Elasticsearch licensing

A recent Elasticsearch licensing change ensures that the Beats modules are sending data to officially supported versions of Elasticsearch and Kibana, where Elastic can attest to the quality and scale of the products. Does AWS have any plans to fork a version of Filebeat?
https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.13.html
https://www.reddit.com/r/aws/comments/nn95aq/elastic_has_broken_filebeat_as_of_713_it_no/
What are the alternatives? Host Elasticsearch on EC2 instances, why not? CloudWatch, slow… https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_ES_Stream.html Kubernetes options like ECK or Helm chart deployments… tricky for production usage. Loki?...

April 21, 2024 · 1 min · Oleksandr Kulbida

EKS with instance-store nitro-based node-group

Userdata is compatible with the standard AWS EKS Terraform module; the only recommendation is to use a custom AMI. To use instance-store you also need to install local-static-provisioner: https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner

Terraform example:

    eks-dev-instance-store = {
      instance_types = ["r6id.large"]
      min_size       = 1
      max_size       = 3
      desired_size   = 1
      block_device_mappings = {
        # Root volume
        xvda = {
          device_name = "/dev/xvda"
          ebs = {
            volume_size           = 24
            volume_type           = "gp3"
            iops                  = 3000
            encrypted             = false
            delete_on_termination = true
          }
        }
      }
      ami_id = data....

March 16, 2024 · 2 min · Oleksandr Kulbida

Simple RDS access

There are numerous solutions for accessing private RDS instances, many of which require thoughtful design. The solution I use sometimes is straightforward: I deploy it as a Helm chart within a k8s cluster. In this setup, access to the RDS is contingent on having access to the k8s cluster with the appropriate RBAC configurations. While it may not be perfect, it’s secure, quick to implement, and requires minimal maintenance. The following command demonstrates the basic principle:...

December 23, 2023 · 1 min · Oleksandr Kulbida

EKS expose pods through cross-account Load balancer

Expose Amazon EKS pods through cross-account load balancer https://aws.amazon.com/blogs/containers/expose-amazon-eks-pods-through-cross-account-load-balancer/

December 23, 2023 · 1 min · Oleksandr Kulbida

EKS simplified access

Simplified EKS access
https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-eks-controls-iam-cluster-access-management/
https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/
https://github.com/hashicorp/terraform-provider-aws/issues/34982

December 23, 2023 · 1 min · Oleksandr Kulbida