Are you overwhelmed by the avalanche of announcements that may or may not improve the security, reliability, and cost of your AWS Cloud deployments?
Resolve to do less yourself by having AWS do more.
In this post, we’ll highlight 5 of the biggest announcements from AWS re:Invent and Q4 2018 to give you some ideas on what you can delegate to AWS in 2019. These services and tools will help you build, connect, and operate your AWS deployment securely, reliably, and cost-effectively.
Use Security Hub to Centralize Alerts and Analysis
AWS Security Hub helps you centralize management of your AWS security and compliance controls. This simplifies compliance, governance, and security monitoring across all AWS accounts in your organization by aggregating, organizing, and prioritizing security information in a single place. Security Hub is a good tool to organize and prioritize information flowing into your Security Operations Center, especially if you have gone all-in on AWS for Cloud services.
The Hub aggregates security alerts and findings from multiple AWS security services, such as Config, GuardDuty, Inspector, and Macie. AWS Partner solutions can also publish their findings to Security Hub. The Hub summarizes findings visually on dashboards with actionable graphs and tables. You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and industry standards your organization follows, such as the CIS benchmark for AWS accounts.
Transit Gateway Connects Networks In and Out of AWS
AWS Transit Gateway is an AWS service customers can use to build a hub-and-spoke network topology. You can connect your existing VPCs, data centers, remote offices, and remote gateways to a managed Transit Gateway. You have full control over network routing and security, even if your VPCs, Active Directories, shared services, and other resources span multiple AWS accounts. The gateway’s statistics and logs flow into CloudWatch and VPC Flow Logs. The Transit Gateway will likely supplant the Transit VPC pattern as a way of solving private network interconnection problems.
EC2 Auto Scaling Group Upgrade Simplifies HA, Lowers Cost
EC2 Auto Scaling Groups have been upgraded to support sophisticated strategies for highly available and cost-efficient operations. You can now specify multiple instance types and instance purchase options in a single configuration. This makes it much easier to mix and match diverse instance types sourced from both on-demand and spot markets. The mix of instances in the ASG is optimized to seek the lowest overall cost whenever a scale-out or scale-in event takes place, while meeting the other requirements set by your configuration. These new ASG capabilities can replace most home-grown multi-ASG EC2 instance deployments, which are usually quite complicated.
Automate IAM Permissions Analysis
The IAM Access Advisor is a neat tool you can use to identify unnecessary permissions and audit the last time a service was used by an IAM user, group, or role. These IAM Access Advisor capabilities are now available via the AWS command-line tool, SDKs, and API instead of being locked up inside the AWS console. This makes it much simpler to converge on least-privilege policies without adopting third-party tooling.
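As an added example (not from the original post), here is how the Access Advisor API data can be turned into a least-privilege to-do list: the IAM GetServiceLastAccessedDetails response is scanned for services a principal is allowed to use but has not used within a chosen idle window. The report below is a constructed sample mirroring that API’s fields; the `fetch_report` helper assumes the caller supplies a boto3 IAM client and a principal ARN.

```python
"""Flag IAM services a principal may use but has not used recently.

Added example: consumes the response shape of the IAM
GetServiceLastAccessedDetails API that Access Advisor exposes via CLI/SDK.
"""
import time
from datetime import datetime, timedelta, timezone

# Constructed sample response, mirroring the fields the API returns.
SAMPLE_REPORT = {
    "JobStatus": "COMPLETED",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": datetime(2018, 12, 20, tzinfo=timezone.utc),
         "TotalAuthenticatedEntities": 2},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "LastAuthenticated": datetime(2018, 6, 1, tzinfo=timezone.utc),
         "TotalAuthenticatedEntities": 1},
        # Allowed by policy but never used: the API omits LastAuthenticated.
        {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
         "TotalAuthenticatedEntities": 0},
    ],
}

# Constructed "now" so the sample evaluates the same way every time.
AS_OF = datetime(2019, 1, 2, tzinfo=timezone.utc)


def find_unused_services(report, as_of, max_idle_days=90):
    """Return namespaces granted by policy but idle for more than max_idle_days.

    Services with no LastAuthenticated have never been used and are the first
    candidates for removal when converging on least privilege.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    unused = []
    for svc in report.get("ServicesLastAccessed", []):
        last = svc.get("LastAuthenticated")
        if last is None or last < cutoff:
            unused.append(svc["ServiceNamespace"])
    return sorted(unused)


def fetch_report(iam, principal_arn, poll_seconds=2):
    """Run the two-step Access Advisor job (generate, then poll until the job
    leaves IN_PROGRESS) using a caller-supplied boto3 IAM client."""
    job_id = iam.generate_service_last_accessed_details(Arn=principal_arn)["JobId"]
    while True:
        report = iam.get_service_last_accessed_details(JobId=job_id)
        if report["JobStatus"] != "IN_PROGRESS":
            return report
        time.sleep(poll_seconds)


if __name__ == "__main__":
    print(find_unused_services(SAMPLE_REPORT, AS_OF))  # ['ec2', 'lambda']
```

Pair the output with the principal’s attached policies to decide which service-level permissions to remove first; a shorter `max_idle_days` yields a more aggressive list.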
Migrate S3 Objects to Best Tier with Intelligent Tiering
S3 Intelligent-Tiering is a new Amazon S3 storage class designed for customers who want to optimize storage costs automatically when data access patterns change, without performance impact or operational overhead. S3 Intelligent-Tiering delivers automatic cost savings by moving data between the standard frequent access and infrequent access classes. Objects are automatically moved from frequent to infrequent access tiers if they have not been accessed in 30 days.
This approach is ideal for data with unknown or changing access patterns, as it helps customers take advantage of the infrequent access tier, which carries a 50% discount relative to frequent access. As always, it is important to understand how the availability (99.9%), the 128KB minimum eligible object size for transfer, and the costs of this new class will impact your application. Intelligent-Tiering should be a good default storage class to adopt for many applications, especially those without a carefully planned data organization strategy.
Consider delegating more of what you do (or wish you did) to AWS this year so that you can focus your team’s efforts on doing what only you can do. These highlighted announcements describe a fraction of what Amazon is doing to make customer experiences great on AWS. Please reach out if you would like to dive deeper into any of these new features or how to improve your delivery on AWS.
Happy New Year!