AWS re:Invent reCap
As Jonn Callahan and I sat at AWS re:Invent this year, one thing kept coming up in our conversations: inspiration. Between the exciting new service releases, the innovative use cases, and the great networking events, it was hard to go to bed at night without compiling a list of all the things we want to build, or of the ways we could modify our current architecture to scale better at a lower cost.
We wanted to share the features and services we think will have the most impact on our architectural designs, or will best help our clients stay secure.
AWS Cloud9
AWS Cloud9 is a cloud-based IDE that can be deployed on AWS in minutes, providing native AWS integrations, code collaboration, and much more. As an application security team, this lets us collaborate directly with developers inside their own environment and help them architect their applications in a more secure manner.
The feature we are most excited about is the direct Lambda integration. We're seeing a lot of our clients re:Imagining their architecture, and much of that includes going serverless. Cloud9 supports running Lambda functions locally for development and debugging, and deploying them to production from the same environment. Coupled with recent changes to CodeDeploy, developers can now shift traffic to a new Lambda version gradually (canary or linear) and have the deployment roll back automatically when a CloudWatch alarm fires during the shift. That limits the blast radius of a bad release, which is an essential requirement for most DevOps teams.
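As an added example (not from the original post and not AWS's own sample code), here is a minimal AWS SAM template for the gradual Lambda rollout described above. Everything specific in it is an assumption for illustration: the function name, handler, runtime, `CodeUri`, the alias name `live`, and the alarm threshold. On each deploy, SAM publishes a new function version, CodeDeploy moves 10 percent of the alias's traffic per minute to it, and if the error alarm enters the ALARM state during the shift the deployment is rolled back to the previous version.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Hypothetical gradual Lambda rollout via SAM and CodeDeploy (added example)

Resources:
  # Hypothetical function: name, handler, runtime and CodeUri are assumptions.
  OrderApiFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: order-api
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./src
      # SAM publishes a new version on every deploy and repoints this alias at it.
      AutoPublishAlias: live
      DeploymentPreference:
        # Shift 10% of alias traffic every minute. AllAtOnce would skip the safety net.
        Type: Linear10PercentEvery1Minute
        # Any alarm listed here that goes to ALARM during the shift triggers a rollback.
        Alarms:
          - !Ref OrderApiErrorAlarm
        # Optional PreTraffic/PostTraffic validation functions can be added under Hooks.

  # Alarm on invocation errors for the function. The threshold is an assumption;
  # a single error in a one-minute window is strict, which is the point during a rollout.
  OrderApiErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Errors on order-api during a deployment (hypothetical)
      Namespace: AWS/Lambda
      MetricName: Errors
      Dimensions:
        - Name: FunctionName
          Value: !Ref OrderApiFunction
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
```

Package and deploy it with `aws cloudformation package` followed by `aws cloudformation deploy`. While the shift is in progress the `live` alias carries two weighted versions, so event sources, API Gateway integrations and IAM invoke policies should reference the alias rather than `$LATEST`; otherwise the traffic split never applies and the new code goes live all at once.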
DynamoDB Global Tables
DynamoDB Global Tables bring multi-region, multi-master replication to DynamoDB, allowing developers to build applications with multi-region fault tolerance while keeping single-digit millisecond latency for reads and writes in each region.
Global Tables let users build a multi-region fault-tolerant application without spending a large amount of time designing and implementing a custom replication architecture. Less custom replication code means less to get wrong, so by reducing architecture complexity we hope to see an improved security posture.
Global Tables are not enabled by default, but they can be enabled through the AWS console or API on a new table with DynamoDB Streams turned on. Keep in mind that a global table is a full copy of your data in every region you add: each replica is subject to that region's IAM policies and CloudTrail logging, and any data residency requirement now applies to every replica region.
Amazon Aurora Serverless
Amazon Aurora Serverless brings the serverless model of paying only for what you use to Aurora. Database capacity scales up, down, or all the way to zero as demand changes, letting teams scale their applications as needed while ensuring they are not paying for idle database instances.
Aurora Serverless is built for applications with infrequent, intermittent or unpredictable workloads. Examples include online games, low-volume blogs, new applications where demand is unknown, and dev/test environments that don't need to run constantly.
We are particularly excited about Aurora Serverless for selfish reasons. A lot of our internal tooling relies on MySQL databases with infrequent or unpredictable workloads, which is exactly what the initial MySQL-compatible preview targets. This will let us both save directly on operating costs and reduce the complexity of our architecture.
AWS DeepLens
AWS has been heavily involved in machine learning for a while now. This includes video and image processing through the Rekognition service, which gives people access to facial recognition without any specialized hardware or deep technical ability. However, at per-image pricing, this service has been cost prohibitive for the average person to run against a continuous video feed at home.
Enter DeepLens: a camera that can apply deep learning models to image and video processing locally, on the device. As people interested in this technology at a hobbyist level, we found this news extremely exciting. For a relatively small upfront cost of about $250, you can run simple visual processing projects on the device itself instead of sending every frame to Rekognition.
We're particularly interested in applying this device to physical security: for example, matching employee photos against a live video feed of corporate ingress points or sensitive areas, with the inference running on the camera rather than in the cloud.
EC2 M5 Instances
It is always exciting when a new EC2 instance family is released, as it usually translates to cheaper bills for us and our clients. The new M5 instances look to be a solid step up from the previous M4 generation. This generation runs on the new Nitro hypervisor, which Amazon describes as very lightweight: fewer resources are consumed by the host and more are available to the guest, and a smaller hypervisor is also less code sitting between tenants on the same hardware.
The M5 instances run on the new Intel Xeon Platinum 8175 (Skylake), as opposed to the Intel Xeon E5-2676 v3 (Haswell) that the M4s run on. Additionally, the M5s support Enhanced Networking through the Elastic Network Adapter (ENA), which allows for up to 25 Gbps of network bandwidth.
AWS Fargate
Fargate lets you run containers without managing servers or clusters. It works with ECS today, with EKS support announced for 2018, and lets you focus on your applications rather than the underlying infrastructure: Fargate manages the container hosts the way EC2 manages the hardware under virtual machines. The pricing model is closer to serverless functions, where you pay only for the vCPU and memory your tasks actually use. Paying for containers based on usage, rather than for dedicated instances running continuously, makes it very similar to Azure Container Instances.
We look forward to using Fargate internally to reduce the overhead of managing container hosts for our microservices. Additionally, as more and more clients begin to deploy containerized architectures, we expect Fargate to reduce the complexity of systems administration. Note what does not move to AWS, though: the task's IAM role, the security group and subnet the task runs in, the secrets it receives, and any vulnerabilities in the container image are still yours to lock down.
Elastic Kubernetes Service (EKS)
Elastic Kubernetes Service (EKS) runs a managed Kubernetes control plane on AWS, so you can run your containers in Kubernetes clusters without building and operating your own masters. EKS is comparable to Azure's AKS and Google Cloud Platform's Kubernetes Engine. This simplifies management of services and infrastructure and helps scale microservices without the heavy lifting of running Kubernetes yourself. AWS has said that EKS worker nodes will run on EC2, with Fargate support to follow. At nVisium, we use a combination of containers on AWS ECS and Kubernetes, so EKS will be of immediate use to our team when it is released in 2018.
EKS also improves security by integrating IAM natively with Kubernetes: IAM identities can be used to authenticate to the Kubernetes API server (the masters), so cluster access follows the same users, roles and policies as the rest of the account. Bringing Kubernetes to AWS also lets us leverage CloudWatch and CloudTrail for visibility into security events, which can then be consumed with the standard AWS logging and auditing facilities used elsewhere. Note that IAM covers authentication only; what an authenticated caller may do inside the cluster is still governed by Kubernetes RBAC, which you must configure.
Not only do our consultants hold official AWS certifications, but nVisium is also a recognized member of the Amazon Partner Network (APN). Additionally, we rely on AWS in-house, which gives us hands-on experience securing an AWS environment. We're looking forward to taking advantage of these AWS services internally and, most importantly, to working with our clients to implement these new features for a more secure AWS infrastructure.