Waiting a full month before reviewing released features makes for a big digest, so let’s take things by topic:
Security
Automatic DDoS Mitigation for AWS Firewall
DDoS is one of the most basic risks for a web application. It’s often seen as a brute-force attack that overwhelms the target’s capacity to respond with a massive number of requests, but it is more subtle than that. It is indeed possible to cause saturation by opening a huge number of connections, forcing the target to waste all its compute power and bandwidth on the attack, but other attacks like Slowloris take advantage of the application layer (L7) to force the target to keep connections alive longer than it should.
L7 attacks are harder to catch and basically require an L7 firewall. That’s where this new feature gets really useful.
It identifies suspicious traffic, lets you monitor it, evaluates new rules to ensure that isolating the malicious traffic won’t impact the known normal activity, and is then able to isolate it.
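To make the “evaluate the rule before isolating” idea concrete, here is an added example (my own illustration, not code from the post or from AWS) that applies a candidate slow-request rule to a few constructed access-log lines in a “count” mode: it reports what the rule would block and whether any client already known to be legitimate would be hit, without blocking anything. The log format, the addresses, the `KNOWN_GOOD` set and the thresholds are all constructed.

```python
# Added example (not from the post or AWS): evaluate a candidate L7 rule in
# "count" mode against sample access-log lines before switching it to "block".
# The log format, addresses and thresholds below are constructed.
from collections import defaultdict
from dataclasses import dataclass

# Constructed ALB-style lines: client_ip  request_duration_ms  status  path
SAMPLE_LOG = """\
203.0.113.10 120 200 /index.html
203.0.113.10 95 200 /api/items
198.51.100.7 30000 408 /index.html
198.51.100.7 29500 408 /index.html
198.51.100.7 31000 408 /index.html
198.51.100.7 30500 408 /index.html
203.0.113.11 140 200 /api/items
203.0.113.12 110 200 /index.html
203.0.113.12 25000 200 /api/report
"""

# Clients the operator has already identified as legitimate (constructed).
KNOWN_GOOD = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}


@dataclass
class Request:
    client: str
    duration_ms: int
    status: int
    path: str


def parse_log(text):
    """Parse the constructed log format, skipping blank or malformed lines."""
    requests = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, ms, status, path = parts
        requests.append(Request(ip, int(ms), int(status), path))
    return requests


def slow_request_rule(requests, slow_ms=20000, min_hits=3):
    """Candidate rule: flag clients with at least `min_hits` requests that held
    a connection open for `slow_ms` or longer (a Slowloris-like pattern)."""
    slow_hits = defaultdict(int)
    for r in requests:
        if r.duration_ms >= slow_ms:
            slow_hits[r.client] += 1
    return {client for client, n in slow_hits.items() if n >= min_hits}


def evaluate_in_count_mode(requests, flagged):
    """Report what the rule *would* block, split into the suspected source and
    any known-good clients it would also hit, without blocking anything."""
    matched = [r for r in requests if r.client in flagged]
    collateral = {r.client for r in matched if r.client in KNOWN_GOOD}
    return {
        "matched_requests": len(matched),
        "flagged_clients": sorted(flagged),
        "known_good_hit": sorted(collateral),
        "safe_to_block": not collateral,
    }


def run(log_text=SAMPLE_LOG, **rule_kwargs):
    """Parse the log, apply the candidate rule and evaluate it in count mode."""
    requests = parse_log(log_text)
    return evaluate_in_count_mode(requests, slow_request_rule(requests, **rule_kwargs))


if __name__ == "__main__":
    print(run())             # default thresholds: only the slow client is flagged
    print(run(min_hits=1))   # too aggressive: a known-good client would also be hit
```

With the default thresholds only the client holding four 30-second connections is flagged and the rule is safe to promote to “block”; lowering `min_hits` to 1 shows the kind of collateral damage (a legitimate client fetching a slow report) that evaluating in count mode is meant to surface first.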
GuardDuty
GuardDuty is a threat detection service that monitors AWS accounts for malicious activity.
It’s now available for EKS.
Cross Account Credential Use for EC2
This one is super important: it’s easy to block resource access for any traffic originating outside of AWS.
But what happens if some of your credentials are stolen and used from an EC2 instance owned by an external entity?
From now on, GuardDuty is able to flag whenever credentials are used from an external EC2 instance.
External use of credentials is not always an attack, but I would remind you that the best practice is to grant access to a specific role to the account you want to share resources with, and have that account request temporary credentials using STS AssumeRole.
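As an added example of the cross-account pattern just recommended (my own illustration, not code from the post or from AWS), here is a small audit of a role’s trust policy: it flags a wildcard principal, an account that is not on your allow-list, and a missing `sts:ExternalId` condition on the `sts:AssumeRole` statement. The account ids, role trust documents and the allow-list are constructed; the condition check only looks inside condition-operator blocks, which is enough for the usual `StringEquals` form.

```python
# Added example (not from the post or AWS): audit an IAM role trust policy for
# the "specific account + ExternalId" cross-account pattern. Account ids and
# the policy documents below are constructed.
import json

# Accounts we intentionally share resources with (constructed ids).
ALLOWED_PARTNER_ACCOUNTS = {"111111111111"}

GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "partner-1-shared-id"}},
    }],
})

# Over-permissive variant: any AWS principal may assume the role, no ExternalId.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _account_of(principal_arn):
    """Extract the 12-digit account id from an IAM ARN, or None for '*'."""
    if principal_arn == "*":
        return None
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def audit_trust_policy(document, allowed_accounts=ALLOWED_PARTNER_ACCOUNTS):
    """Return a list of findings; an empty list means every AssumeRole
    statement names an allow-listed account and requires an ExternalId."""
    findings = []
    policy = json.loads(document)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = [principal]          # bare "*" form
        for p in aws_principals:
            account = _account_of(p)
            if account is None:
                findings.append(f"wildcard principal {p!r} may assume the role")
            elif account not in allowed_accounts:
                findings.append(f"account {account} is not on the allow-list")
        condition = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in block for block in condition.values()
            if isinstance(block, dict)
        )
        if not has_external_id:
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
    return findings


if __name__ == "__main__":
    print("good:", audit_trust_policy(GOOD_TRUST_POLICY))
    print("bad: ", audit_trust_policy(BAD_TRUST_POLICY))
```

The partner account then calls `sts:AssumeRole` with the role ARN and the agreed external id and receives temporary credentials; no long-lived key ever leaves your account, which is exactly the situation the new GuardDuty finding helps you detect when it does happen.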
Compute
IPv6
Not much to tell about this one, but quite important nonetheless: IPv6 is now available for AWS Lambda.
Batch Size Window
MSK, Kafka, Apache ActiveMQ and RabbitMQ event sources now support waiting up to 300s before invoking a Lambda. This helps process more records per Lambda invocation, which reduces costs as it creates fewer Lambda triggers.
Another use case for increasing the batching window is reducing concurrency for non-latency-critical workflows:
- When you have a workflow that must run the same process for every event, but the process runtime has a logarithmic relation to the number of events processed, it’s useful to process more events at once to reduce the overall processing time.
- When part of the processing is inherently non-concurrent (say, SQL inserts), increasing the batch window ensures events are processed with less concurrency, reducing the resulting lock contention.
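To see how the batching window changes the number of invocations, here is an added example (my own simplified model, not code from the post or from AWS) that groups a constructed stream of record arrival times into batches the way an event-source mapping does: a batch goes out when it reaches the batch size or when the window has elapsed since its first record. It ignores the payload-size limit and the fact that the poller may find several records already waiting, so treat the counts as an illustration of the trend, not as a billing estimate.

```python
# Added example (not from the post or AWS): simulate how batch size and the
# maximum batching window turn a stream of records into Lambda invocations.
# Arrival times and limits are constructed; the model is deliberately simple.


def plan_invocations(arrival_times, batch_size, window_s):
    """Group records into batches: a batch is invoked when it holds
    `batch_size` records or when `window_s` seconds have passed since its
    first record arrived. Returns the list of batch sizes in order."""
    batches = []
    current = []
    opened_at = None
    for t in sorted(arrival_times):
        if current and t - opened_at >= window_s:
            # Window expired before this record arrived: flush what we have.
            batches.append(len(current))
            current, opened_at = [], None
        if not current:
            opened_at = t
        current.append(t)
        if len(current) == batch_size:
            batches.append(len(current))
            current, opened_at = [], None
    if current:
        batches.append(len(current))  # remaining records go out at the end
    return batches


def invocation_count(arrival_times, batch_size, window_s):
    """Number of Lambda invocations the stream would produce."""
    return len(plan_invocations(arrival_times, batch_size, window_s))


# Constructed: 60 records arriving one every 5 seconds (5 minutes of traffic).
SAMPLE_ARRIVALS = [5 * i for i in range(60)]

if __name__ == "__main__":
    for window in (0, 30, 300):
        n = invocation_count(SAMPLE_ARRIVALS, batch_size=100, window_s=window)
        print(f"window={window:>3}s -> {n} invocations")
```

With a window of 0 every record triggers its own invocation (60 of them); a 30-second window groups them six at a time (10 invocations); the new 300-second maximum lets the whole stream go out as a single batch, which is both the cost saving and the concurrency reduction described above.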
Local Testing
One of the best ways to deploy Lambdas is using CDK or SAM, but testing can be a bit complex.
It’s now possible to use the SAM CLI to trigger a Lambda locally, even for functions defined in CDK constructs, using their CDK identifier.
This is really useful, as testing with SAM pulls an AWS Lambda image, ensuring you are not compromising the validity of your tests with external libraries you might have installed locally.
Resources & Architecture as Code
CloudFormation new registries
Not much to say here; you’ll find the complete list in the link just above. New services can be configured/provisioned using CloudFormation.
CDK
Big CDK month, with 2 important updates:
CDK v2
This new version consolidates the construct library into the new aws-cdk-lib package. Another nice feature is disabling automatic rollbacks, which keeps the already provisioned resources and makes redeployment faster.
Construct Hub
This one is super interesting: AWS released a new hub where you can share your CDK constructs, pushing a bit further the use of CDK constructs as small bits of infrastructure that are used together to produce an application. I’m really interested in this one, and I’ll give it a deeper look very soon.
Database
Redshift
Automatic Materialized View
This one can be really useful: Redshift is now able to use machine learning to evaluate when creating a materialized view will be beneficial, and to drop the view when it is no longer relevant to the workload. When you have many queries that work on really similar datasets to perform different compute tasks, this should help by materializing a view of the most used data, reducing the overhead of recreating this view for each of your queries.
Spectrum Data Validation
Spectrum tables can be a huge mess when data is sent that doesn’t match what you are expecting, for example a string column longer than expected. Before, the default behaviour was to set the value to NULL, creating a risk of returning wrong results when querying the table.
It’s now possible to replace faulty characters or to put the query in error. Using SET spectrum_query_maxerror TO n;
it’s possible to set a threshold at which the queries should fail.
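To show why the silent NULL default is dangerous and what the error threshold buys you, here is an added example (my own simulation, not code from the post or from Redshift) of the two behaviours on a handful of constructed rows for a column declared VARCHAR(3): the old behaviour nulls the oversized values and an aggregate quietly loses them, while the fail policy counts each bad value as an error and aborts once the count exceeds `maxerror`. The rows, the column width and the policy names are this example’s own, not Redshift table properties.

```python
# Added example (not from the post or Redshift): simulate "set to NULL" versus
# "fail once errors exceed maxerror" for an oversized VARCHAR value.
# Rows, column width and policy names are constructed for illustration.


class QueryError(Exception):
    """Raised when the fail policy's error threshold is exceeded."""


# Constructed rows for a table whose `code` column is declared VARCHAR(3).
SAMPLE_ROWS = [
    {"code": "ABC", "amount": 10},
    {"code": "ABCDE", "amount": 20},    # too long for VARCHAR(3)
    {"code": "XYZ", "amount": 30},
    {"code": "TOOLONG", "amount": 40},  # too long for VARCHAR(3)
]


def load_rows(rows, column, max_len, policy="set_to_null", maxerror=0):
    """Apply a handling policy to values wider than `max_len`.
    set_to_null: silently replace the value (the old default behaviour).
    fail: count each bad value as an error and raise once the count
          exceeds `maxerror` (the threshold the post describes).
    Returns (cleaned_rows, error_count)."""
    cleaned, errors = [], 0
    for row in rows:
        row = dict(row)
        if len(row[column]) > max_len:
            errors += 1
            if policy == "fail" and errors > maxerror:
                raise QueryError(
                    f"{errors} rows exceed {column} VARCHAR({max_len}) (maxerror={maxerror})"
                )
            row[column] = None
        cleaned.append(row)
    return cleaned, errors


def sum_amount_by_code(rows):
    """The aggregate a user would run; rows whose code became NULL drop out."""
    totals = {}
    for r in rows:
        if r["code"] is None:
            continue
        totals[r["code"]] = totals.get(r["code"], 0) + r["amount"]
    return totals


def compare_policies(rows=SAMPLE_ROWS):
    """Contrast the silent total with the true total and the fail policy."""
    silent, bad = load_rows(rows, "code", 3)  # default: set to NULL
    result = {
        "set_to_null_total": sum(sum_amount_by_code(silent).values()),
        "true_total": sum(r["amount"] for r in rows),
        "bad_rows": bad,
    }
    try:
        load_rows(rows, "code", 3, policy="fail", maxerror=1)
        result["fail_policy"] = "passed"
    except QueryError as err:
        result["fail_policy"] = str(err)
    return result


if __name__ == "__main__":
    print(compare_policies())
```

On the sample rows the silent policy reports a total of 40 where the source data sums to 100, and nothing in the query result hints that two rows were dropped; with `maxerror` set to 1 the second bad row aborts the load instead, which is the behaviour you want when the column width itself is the bug.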
Apache Spark SQL support for updating the Glue Data Catalog
It’s now possible to use Spark SQL to insert data or update tables in Glue. This makes it easier to keep your data catalog up to date across services.
AWS Release Radar – 2022-01-30