Background As organisations continue to grow and with the resulting increases in AWS consumption there is a need to be able to cost-effectively scale not just workloads but also governance and guardrails to ensure that security requirements are met across the estate.

In a fast-paced cloud environment governance is fundamental, defining standard policies for deployment and shifting left controls are key to successful organisations. Thanks to AWS Landing Zone and AWS Guardrails organisations can confidently deploy, control, and audit their resources and developments.

With AWS IAM Identity Center, formerly known as AWS Single Sign-On, it became simpler to integrate identity providers such as Azure AD, JumpCloud etc across the whole AWS organization. Cloudformation support in turn enabled simpler and more consistent, declarative provisioning of Permission Sets in the Organization.

Background In November 2020 AWS announced that Security Hub now integrates with AWS Organizations. Unlike for many other AWS Organizations services integrations you will not find the ability to enable Security Hub on the Organizations page in the Master account.

Background With the advent of the Raspberry Pi 4, Pi’s are sufficiently powerful in terms of both CPU and memory for AWS development. Furthermore, AWS has recently made significant headway in the ARM space with the release of Graviton-based EC2 and support for ARM 64-bit (aarch64) with the following services:

Background With the advent of the Raspberry Pi 4, Pi’s have become quite powerful both in CPU and memory terms and are now good candidates for software development on ARM architecture.

Background It’s much faster to be able to develop and debug AWS Glue / PySpark scripts locally. The Developing and Testing ETL Scripts Locally Using the AWS Glue ETL Library instructions describe installation but are not complete.

Introduction Using Serverless combined with Cognito can be a great way to eliminate the real estate as well as development and operational footprint when it comes to authentication and authorisation stacks.

Introduction If correctly composed, logs can be an extremely useful resource to tap into in the following use cases: Support end-users Derive business metrics (how many users used our service yesterday, over the last 7 days and in the past month?

Introduction Why adopt DevOps? IT change can be painful and subject to long lead times in many organisations. The pain generally stems from treating change as exceptional rather than business-as-usual - often in the form of running a project to effect the change.

Background We have recently completed a Serverless & DevOps transformation project with one of our clients, CitizenMe. CitizenMe presently has more than 200.000 global end-users and has processed millions of transactions since inception.

In military terms a Landing Zone is an area where aircraft can land; in effect a base camp from where operations can extend. AWS has for the last year or two used the term Landing Zone to convey an infrastructure foundation and security baseline on which applications and services can “land”.

AWS Cross-Account Roles are an excellent way of managing access to a target account (the account in which work is carried out) from other AWS accounts. Some scenarios to consider in this context include:

For both test and build purposes I often find myself reusing parts of past CloudFormation templates. Over time I’ve found that the foundation of the templates like VPC, subnets, routing tables etc remain roughly the same.

AWS CloudFormation size limits are well-documented in the User Guide. However, this does not make hitting any of the limits any less painful. I recently hit the template body size limit in request (–template-body) of 51200 bytes on one of my templates.

Over the years I have witnessed, proposed and implemented a wide range of AWS use cases; and few of them actually belong in the sexier cutting-edge, containerised, hyper/auto-scalable, serverless micro-services realm.

One of the largest concerns of allowing AWS API calls to be made from the outside is issuing an API key and secret for developer and administrator PCs and laptops alike because they may be interceptable in one way or another.