Amazon re:Invent was held last week in Las Vegas. We saw a lot of exciting announcements, some expected and some more surprising. Amazon has the major launches detailed here:
For our campus usage, I’m most excited about these:
- Fargate – makes containers easier than ever before.
- ECS for Kubernetes – allows container management with Kubernetes, which may be how you’re already doing it.
- Hibernation for Spot Instances – don’t lose your work if you get outbid.
- New Spot Pricing Model – smooths out spot market pricing to avoid sudden surprises.
- Aurora Serverless – auto-scale database capacity, even down to zero (with a quick scale-up when you need it again)
- DynamoDB Backups – I can get rid of the scripts I wrote to back up DynamoDB; they don’t work as well as the new service.
- Comprehend – process spoken language.
- Translate – translate between spoken languages.
- SageMaker – machine learning made easy.
- Inter-Region VPC Peering – we’re evaluating how we can make the UOFI Active Directory available in regions outside us-east-2.
- PrivateLink – access private services without advanced VPC configuration.
- GuardDuty – use AWS’ behind-the-scenes machine learning to alert on unexpected behavior within your account.
by Katherine Kendig
The Amazon Web Services (AWS) campus contract, which integrates security and support from both Amazon and Illinois’s Technology Services, enabled the NCSA Genomics team to initiate two forays into cloud computing during the summer of 2017: Ellen Nie, a student researcher, deployed a software prototype on the cloud that will make data-intensive genomic studies faster and more feasible, while Jennie Zermeno investigated cloud-based containerization to streamline workflows.
In just under two weeks, Amazon Web Services’ annual re:Invent conference will kick off in Las Vegas. During the week-long conference, there will be three separate keynote events where Andy Jassy, Werner Vogels, and Peter DeSantis will share new services, roadmaps, and their vision of where AWS will be going over the next year.
This year the keynote events will be live streamed and you can watch live from your office/home/phone while these announcements are made. AWS has published a website to register for watching the live stream, and it includes all the relevant information about when the events are occurring, etc. Please take a moment to check it out and register if you are interested.
Schedule of keynote live streams:
Tuesday Night Live with Peter DeSantis, VP, AWS Global Infrastructure
Tuesday, Nov. 28 | 8:00 PM – 9:30 PM PT
Keynote featuring Andy Jassy, CEO, Amazon Web Services
Wednesday, Nov. 29 | 8:00 AM – 10:30 AM PT
Keynote featuring Werner Vogels, Chief Technology Officer, Amazon.com
Thursday, Nov. 30 | 8:30 AM – 10:30 AM PT
If you cannot view the live stream, the events should be available to view via YouTube or Twitch within the next week.
We’ve seen a few account compromises on campus resulting from AWS IAM credentials checked into a public GitHub repository.
I encourage our customers to implement Amazon’s git-secrets package, which will automatically scan your code for keys and reject a git check-in if they’re found.
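To show what this kind of pre-commit scan looks for, here is an added example (not part of the original post and not git-secrets' own code) that checks text for AWS access key IDs and secret keys using simplified patterns. The function names, the sample file content, and the non-placeholder key values are constructed for illustration; the two allowed values are the placeholder keys used in AWS documentation.

```python
import re

# Access key IDs: a known prefix followed by 16 upper-case letters/digits.
ACCESS_KEY_ID = re.compile(
    r"(?<![A-Z0-9])(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)"
    r"[A-Z0-9]{16}(?![A-Z0-9])"
)
# Secret keys: 40 base64-like characters assigned to an aws_secret...key name.
SECRET_KEY = re.compile(
    r"(?i)aws_?secret_?(access_?)?key\s*['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# AWS documentation placeholders; safe to commit, so never reported.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def redact(value):
    """Keep only the first four characters so reports do not leak the key."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text, filename="<staged>"):
    """Return (filename, line_no, kind, redacted_value) per suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            if m.group(0) not in ALLOWED:
                findings.append((filename, line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            if m.group(2) not in ALLOWED:
                findings.append((filename, line_no, "secret_access_key", redact(m.group(2))))
    return findings


# Constructed sample of a file about to be committed (keys are made up).
SAMPLE = '''\
import boto3
# documentation placeholder, allowed
DOC_KEY = "AKIAIOSFODNN7EXAMPLE"
client = boto3.client(
    "s3",
    aws_access_key_id="AKIAABCDEFGHIJKLMNOP",
    aws_secret_access_key="abcdEFGHijklMNOPqrstUVWXyz0123456789+/AB",
)
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "app.py"):
        print(finding)
```

A commit hook built on a check like this would exit non-zero whenever `scan_text` returns any finding, which is how the check-in gets rejected.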
But if you’re not putting keys in your code, where should they go? A few suggestions:
- If you’re running from an EC2 instance, you can use an EC2 role to grant access to any API calls originating from that instance. This is my preferred method because no key management is required.
- Create local profiles that store credentials outside your application. “aws configure” will get you started with the AWS CLI.
- Populate your environment variables, again pulling the data out of your code.
Amazon documents their best practices for managing AWS access keys, which includes more options and more detail.
Besides handling credentials carefully, it’s useful to give your application the least privileges it needs. I recommend creating a dedicated IAM user or role for each application and granting it only the permissions it needs. Attackers tend to be most interested in credentials that allow them to launch EC2 instances. If your application doesn’t need that capability, you can dramatically limit the potential for attack.
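One way to check an application's policy for the capability mentioned above, as an added example that is not part of the original post: it reports which Allow statements in an IAM policy document cover `ec2:RunInstances`, including through wildcards or `NotAction`. The policy, bucket name, and function names are constructed, and the check looks only at statements that grant the action; it does not evaluate Deny statements, conditions, or resources.

```python
import json
from fnmatch import fnmatchcase


def as_list(value):
    """IAM allows a single string/object where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def matches(pattern, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def statements_allowing(policy, action="ec2:RunInstances"):
    """Return the Sid (or index) of each Allow statement that covers `action`."""
    hits = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            # Allow + NotAction grants everything except the listed actions.
            covered = not any(matches(p, action) for p in as_list(st["NotAction"]))
        else:
            covered = any(matches(p, action) for p in as_list(st.get("Action", [])))
        if covered:
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


# Constructed policy: the app only needs its bucket, but ec2:* was added too.
BROAD = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Sid": "Convenience", "Effect": "Allow",
     "Action": "ec2:*", "Resource": "*"}
  ]
}
""")
# The least-privilege version keeps only the statement the app uses.
SCOPED = {"Version": BROAD["Version"], "Statement": BROAD["Statement"][:1]}

if __name__ == "__main__":
    print("broad: ", statements_allowing(BROAD))
    print("scoped:", statements_allowing(SCOPED))
```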
The Illinois Amazon Web Services (AWS) team has added additional lab dates to their fall schedule. An Amazon solutions architect and an Illinois AWS team member will be on-site to offer technical assistance and discuss cloud topics.
- September 27: 9:15 to 11:15 a.m. in 27 Illini Hall
- October 17: 9:15 to 11:15 a.m. in 28 Illini Hall
- October 25: 9:00 to 11:00 a.m. in the Undergraduate Library ICS Lab
- November 15: 2:00 to 4:00 p.m. in 27 Illini Hall
- December 6: 3:00 to 5:00 p.m. in Wohlers Hall ICS Lab
During each lab session, you’ll have your choice of topics:
- AWS 101: Introduction to EC2
- Identity and Access Management
- S3 and CloudFront for content distribution
- Relational Database Service
- Automating AWS with CloudFormation
- Introduction to Lambda
- Building clusters with Alces Flight
- Elastic MapReduce
You may run through multiple labs if time allows.
Technology Services will grant you access to a shared AWS account for the lab; you don’t need your own. Computers will be available onsite, though you’re welcome to bring your own laptop if you prefer.
Please register here to reserve your seat.