DynamoDB now supports resource-based policies. But is that a good idea?
theburningmonk.com
by theburningmonk
4d ago
DynamoDB announced support for resource-based policies [1] a few days ago. It makes cross-account access to DynamoDB tables easier. You no longer need to assume an IAM role in the target table’s account. I was confused by this update and wondered if it was even a good idea. If you need cross-account access to DynamoDB, then it’s surely a sign you’re breaking service boundaries, right? As I said before [2], a microservice should own its data and shouldn’t share a database with another microservice. In many organizations, microservices run in their own accounts. This provides another layer of in…
When to use Step Functions vs. doing it all in a Lambda function
theburningmonk.com
by theburningmonk
2w ago
I’m a big fan of AWS Step Functions. I use it to orchestrate all sorts of workflows, from payment processing to map-reduce jobs. Why? It’s yet another AWS service you need to learn and pay for. And it introduces additional complexities, such as: It’s hard to test [1]. Your business logic is split between configuration and code. New decision points, such as whether to use Express Workflows or Standard Workflows [2]. So it’s fair to ask “Why should we even bother with Step Functions?” when you can do all the orchestration in code, inside a Lambda function. Let’s break it down. Lambda pros 1. Do…
When to use API Gateway vs. Lambda Function URLs
theburningmonk.com
by theburningmonk
3w ago
“Lambdalith” is a monolithic approach to building serverless applications where a single Lambda function serves an entire API, instead of one function per endpoint. It’s an increasingly popular approach. It provides portability between Lambda functions and container applications. You can lift and shift an existing application into Lambda without rewriting it. You can use web frameworks you are already familiar with, and lean on the existing ecosystems of tools, ORMs and middleware. It also makes testing easier, because you can apply familiar testing methodologies. Tools like the AWS Lambda Web…
First impressions of the fastest JavaScript runtime for Lambda
theburningmonk.com
by theburningmonk
1M ago
I thought Lambda needed a specialised runtime. One that works well with its resource-constrained execution environment. I even floated a few ideas in the past, but sadly I don’t have the chops to make them happen myself. So I was pleasantly surprised when AWS open-sourced the LLRT runtime for JavaScript [1]! What is LLRT? LLRT, or Low Latency Runtime, is a new and experimental JavaScript runtime for Lambda. It promises 10x faster startup time, which should significantly help with the dreaded Lambda cold starts. Naturally, I had to test it out for myself and see if the hype was real…
What’s the best way to migrate Cognito users to a new user pool?
theburningmonk.com
by theburningmonk
1M ago
I shared on LinkedIn [1] the other day that you should avoid using Cognito subs as the user ID for your system. One of the reasons is that a user’s sub does not carry over when you migrate to a new user pool. Someone responded by asking “Is this type of migration really that common that it necessitates consideration?” It’s a great question, so let’s dive into it. When should you consider a user pool migration? How best to do this migration? When to consider user pool migration Migrating users from one Cognito User Pool to another can be highly disruptive. But sometimes it’s our last resort…
How to secure CI/CD roles without burning production to the ground
theburningmonk.com
by theburningmonk
1M ago
By now, most of us have moved away from using IAM users for CI/CD pipelines. Instead, we use dedicated CI/CD roles, one for each pipeline. This forces us to consider who can assume this role. Identity federation is widely supported by 3rd-party providers such as GitHub Actions [1]. So, no more putting IAM credentials in CI/CD tools and worrying that they might be compromised in a security breach [2]. However, attackers can still compromise the pipeline through supply chain attacks. For example, by compromising a Docker image we depend on in our CI/CD pipeline. Or by compromising static analysis…
How would you reprocess Lambda dead-letter queue messages on demand?
theburningmonk.com
by theburningmonk
2M ago
Imagine this… You have followed AWS best practices and set up a dead-letter queue (DLQ) or an OnFailure destination for every async Lambda function. (Sidebar: you should prefer Lambda Destinations over DLQs; here’s why [1].) A message arrives in your DLQ. You are alerted right away because you have alarms on all of your DLQs. You investigate the problem and determine that it was temporary and the message should be re-processed. But now what? Do you extract the payload and invoke the original function manually? What if there are hundreds of similar messages? This manual approach doesn’t scale wel…
How to create Private DynamoDB tables accessible only within a VPC
theburningmonk.com
by theburningmonk
2M ago
DynamoDB is a fully managed NoSQL database service known for its low latency and high scalability. Like most other AWS services, it’s protected by AWS IAM. So, despite being a publicly accessible service, your data is secure. Conversely, zero-trust networking tells us we should always authenticate the caller and shouldn’t trust someone just because they’re in a trusted network perimeter. All this is to say that you don’t need network security to keep your DynamoDB data safe. However, adding network security on top of IAM authentication and authorization is not a bad thing. Sometimes it’s eve…
Year in review, 2023
theburningmonk.com
by theburningmonk
3M ago
2023 has been a bittersweet year. It started with unpleasant medical news and the subsequent surgeries. The silver lining is that I did enjoy the medical leave and perhaps didn’t realise how much I needed that break! Despite several months of medical leave, I still had a productive 2023. 13 public speaking engagements. 8 public workshops. 2459 new students enrolled in my courses. 39 blog posts. 417,900 blog visitors. 51 YouTube videos. 4,225 hours of YouTube watch time. 23 podcast episodes. 5,434,000 Twitter impressions. 4,818,287 LinkedIn impressions. Most read blog posts: Is serverless overpriced? W…
Direct Access for Frontend Apps to AWS Services: Secure and Cost-Effective
theburningmonk.com
by theburningmonk
3M ago
Lean manufacturing focuses on minimizing waste while simultaneously maximizing productivity. If you apply the same mindset and look at our applications today, you will find many CRUD APIs that add little value beyond authentication and authorization. That is, they provide authorised access to a database and ensure a user can’t access someone else’s data. However, AWS services such as DynamoDB and S3 already have authorization control through AWS IAM. So what if we remove the API layer altogether and let the frontend application talk to AWS services directly? This is not only possible but can b…