Hot off the Cloud #007: AppSync JavaScript Resolvers + IAM MFA + CloudFront CD

Andreas Wittig – 23 Nov 2022

Here are our thoughts about the latest AWS announcements as well as our lessons learned.

Hot off the Cloud

Unbelievable, re:Invent starts in 5 days. Therefore it is no surprise that AWS announces new features at a high pace. On the one hand, we are having difficulty keeping track of all the news. On the other hand, we are excited to see our preferred cloud platform evolve. Unfortunately, we are not traveling to Las Vegas this year. So we will follow re:Invent from abroad.

Live Stream

Before we start, this is the written version of our weekly show Hot off the Cloud. Check out the recording in case you prefer watching videos instead of reading!

AWS News

In the following, you will find our thoughts about the AWS announcements from the past 7 days.

Want this as a weekly newsletter in your inbox? Sign up for our newsletter!

Amazon S3 Glacier improves restore throughput by up to 10x when retrieving large volumes of archived data

Restoring data archived with S3 Glacier is getting faster, as AWS increased the number of restore requests to 1000 TPS per account and region. That’s 10x what has been possible before. So restoring significant amounts of objects is possible at a higher speed from now on.

AWS AppSync GraphQL APIs Supports JavaScript Resolvers

Hurray, no need to write resolvers in the Apache Velocity Template Language (VTL) anymore. AppSync announces support for JavaScript resolvers!
Note that the JavaScript runtime provides similar functionality to ECMAScript 6.0 but supports only a subset of its features.

Check out the modules @aws-appsync/utils and @aws-appsync/eslint-plugin as they speed up writing and testing JavaScript resolvers.

Also, JavaScript resolvers for AppSync are already supported by CloudFormation. Only one thing is missing before we start using AppSync in production: throttling/rate limiting per tenant/user.
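As an added example (written for this page, not code from the post or from AWS), here is a resolver in the shape AppSync's JavaScript runtime expects: it maps a list field to a DynamoDB Query that is scoped to the caller's verified identity, so the tenant filter never comes from client-supplied arguments. The table layout (partition key `owner`), the field `listMyItems(limit, nextToken)` and a Cognito User Pool authorizer are assumptions.

```javascript
// Added example: an AppSync JavaScript resolver (request/response pair) that
// only returns rows owned by the signed-in user.
// Assumptions: DynamoDB table with partition key "owner" holding the Cognito
// user's sub, GraphQL field listMyItems(limit: Int, nextToken: String), and a
// Cognito User Pool authorizer so ctx.identity.sub is populated.
// In the resolver file both functions are declared as `export function ...`;
// the export keyword is dropped here so the file also runs as a plain Node script.
// The AppSync runtime supports only a subset of ES6 (no try/catch, no throw,
// no while loops), so the resolver sticks to const, plain objects and if/else.

const DEFAULT_LIMIT = 20;
const MAX_LIMIT = 100; // caps the page size a client can request

function request(ctx) {
  const requested = ctx.args.limit || DEFAULT_LIMIT;
  const limit = requested > MAX_LIMIT ? MAX_LIMIT : requested;
  return {
    operation: 'Query',
    // The owner comes from the verified identity, never from ctx.args,
    // so a client cannot enumerate another tenant's items.
    query: {
      expression: '#owner = :owner',
      expressionNames: { '#owner': 'owner' },
      expressionValues: { ':owner': { S: ctx.identity.sub } },
    },
    limit,
    nextToken: ctx.args.nextToken,
  };
}

function response(ctx) {
  // For Query operations ctx.result carries { items, nextToken }.
  // In the real runtime you would import { util } from '@aws-appsync/utils'
  // and call util.error(ctx.error.message) here; the import is left out so the
  // snippet runs stand-alone, and the error is surfaced in the payload instead.
  if (ctx.error) {
    return { items: [], nextToken: null, errorMessage: ctx.error.message };
  }
  return { items: ctx.result.items, nextToken: ctx.result.nextToken };
}
```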

You can now assign multiple MFA devices in IAM

We have been waiting for this feature for years! Finally, we can add multiple MFA devices to our AWS account root users. Until now, we had to use a virtual device, as we both need to log in but are located in different locations. Today, we added 4 YubiKeys as the MFA devices for our root users. Each of us owns two YubiKeys, one of which serves as a backup.

New region in Spain and India

We are impressed by the pace at which AWS is bringing new Regions online. With eu-south-2 (Aragón) and ap-south-2 (Hyderabad), we can choose between 26 regions (plus 2 GovRegions + 2 regions in China).

Be aware that new regions only support some AWS services from the beginning. For example, we have been running into the issue that AWS Backup and Cognito are not yet available in new regions.

Node.js 18.x runtime now available in AWS Lambda

First, we celebrate this announcement as we love to work with the latest technology.

Second, be aware that the Node.js 18.x runtime does not come with v2 of the AWS SDK for JavaScript but provides v3 only. As there are breaking changes between v2 and v3, you need to update your code accordingly before switching to the Node.js 18.x runtime.

Third, Node.js 18, in general comes with interesting new features:

  • Native Fetch API, the new standard for HTTP requests
  • Web Streams API, which simplifies processing data as a stream
  • HTTP timeouts, which let you configure timeouts for receiving HTTP headers

Amazon CloudFront launches continuous deployment support

We are using CloudFront to host our blog. The setup is complex, as we use Lambda@Edge to redirect requests or handle authentication, for example. Therefore, when we need to deploy changes to our CloudFront configuration, it happens that we break our blog.

Luckily, AWS announced continuous deployment support for CloudFront. Here is how the new feature works.

  1. Create a staging distribution, which belongs to the original distribution, with the configuration you are planning to ship.
  2. Configure how CloudFront should decide whether to send a request to the original or staging distribution by header or weight.
  3. Watch the CloudWatch metrics and logs for 5XX errors, increased latency, or other issues.
  4. Update the original distribution with the configuration you tested on staging.

Unfortunately, AWS does not yet provide a way to automate the blue-green deployment. Especially when you are using Infrastructure as Code, orchestrating the blue-green deployment is tricky.

Also, be aware that continuous deployment is not supported for distributions with HTTP/3 enabled. Furthermore, there is no guarantee that CloudFront will forward requests to the staging distribution as configured; especially under high load, CloudFront might decide to send all requests to the original distribution.
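To make step 2 above concrete, here is an added example (not from the post or from AWS) that builds the continuous deployment policy config as the CloudFront API expects it, checking the service constraints (a routing header must start with `aws-cf-cd-`, and weight-based routing sends at most 15% of traffic to staging) before anything is sent to AWS. The staging distribution DNS name is a constructed sample; feeding the output to `aws cloudfront create-continuous-deployment-policy` is an assumed usage.

```javascript
// Added example: build a ContinuousDeploymentPolicyConfig for CloudFront
// continuous deployment and validate it locally before calling the API.
// Assumption: the staging distribution DNS name passed in is a constructed
// sample; in practice it is the DNS name of the staging distribution from step 1.

const MAX_WEIGHT = 0.15;            // CloudFront routes at most 15% of traffic by weight
const HEADER_PREFIX = 'aws-cf-cd-'; // required prefix for header-based routing

function buildPolicyConfig(stagingDnsName, traffic) {
  let trafficConfig;
  if (traffic.type === 'SingleWeight') {
    if (!(traffic.weight >= 0 && traffic.weight <= MAX_WEIGHT)) {
      throw new Error(`weight must be between 0 and ${MAX_WEIGHT}, got ${traffic.weight}`);
    }
    trafficConfig = {
      Type: 'SingleWeight',
      SingleWeightConfig: {
        Weight: traffic.weight,
        // keep a given viewer on the same distribution for the session,
        // so metrics for staging are not polluted by half-served sessions
        SessionStickinessConfig: { IdleTTL: 300, MaximumTTL: 600 },
      },
    };
  } else if (traffic.type === 'SingleHeader') {
    if (!traffic.header.startsWith(HEADER_PREFIX)) {
      throw new Error(`header name must start with ${HEADER_PREFIX}, got ${traffic.header}`);
    }
    trafficConfig = {
      Type: 'SingleHeader',
      SingleHeaderConfig: { Header: traffic.header, Value: traffic.value },
    };
  } else {
    throw new Error(`unknown traffic type ${traffic.type}`);
  }
  return {
    Enabled: true,
    StagingDistributionDnsNames: { Quantity: 1, Items: [stagingDnsName] },
    TrafficConfig: trafficConfig,
  };
}

// Constructed sample: route 10% of viewers to staging, sticky per session.
const policy = buildPolicyConfig('d111111abcdef8.cloudfront.net', {
  type: 'SingleWeight',
  weight: 0.1,
});
console.log(JSON.stringify(policy, null, 2));
```

Redirect the printed JSON to a file and pass it as `--continuous-deployment-policy-config file://policy.json`; header-based routing (`type: 'SingleHeader'`) is the safer choice while you test alone, because only requests carrying that header reach staging.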

Manage your resources from AWS Organizations using AWS CloudFormation

After so many hours spent automating the process of provisioning AWS accounts and organizations, AWS finally releases CloudFormation support for accounts, organizational units, and policies.

  • AWS::Organizations::Account
  • AWS::Organizations::OrganizationalUnit
  • AWS::Organizations::Policy

So far, we provisioned AWS accounts manually. Now, we are migrating the accounts and organization to CloudFormation. The good news is that CloudFormation even supports importing those resources. Thumbs up!

AWS IAM Identity Center now supports session management capabilities for AWS Command Line Interface (AWS CLI) and SDKs

When AWS announced the possibility of controlling the session length for the IAM Identity Center (formerly AWS SSO), we complained that the session duration did not apply to the temporary credentials used for the CLI and SDKs.
And just a short time later, AWS solves this problem exactly. That’s wonderful!

Lesson Learned: Rotating KMS Keys is getting costly over time!

Do you enable key rotation for customer-managed KMS keys? We do so because many compliance checks like the AWS Security Hub ask you to do so.

Did you know that the cost for a customer-managed KMS key increases by $1 per month each time the key gets rotated? We were surprised that we were already paying $3 per month for one of our keys. And there’s no way to undo that. Old keys cannot be deleted, as they may have been used to encrypt data that still needs to be accessed.

We will think twice before enabling key rotation for customer-managed KMS keys in the future. Rotating keys offers minimal advantages from a security point of view, as existing data is not re-encrypted when rotating keys.

What are your thoughts on rotating customer-managed KMS keys?

Andreas Wittig

I’ve been building on AWS since 2012 together with my brother Michael. We are sharing our insights into all things AWS on cloudonaut and have written the book AWS in Action. Besides that, we’re currently working on bucketAV, HyperEnv for GitHub Actions, and marbot.

Here are the contact options for feedback and questions.