2022 AWS Re:Invent Day 1; Our Favourite Top Highlights
And we’re off to the races. Re:Invent 2022 is kicking off for another year in Las Vegas and the Announcements out of AWS are already coming in fast. In fact, yesterday alone saw 26 announcements for new features and capabilities across the product stack, including:
- Devices Location feature for AWS IoT Core
- Delegated Administrator for AWS Organizations
- Schema Conversion feature in AWS DMS
- Service Connect for Elastic Container Service
- Expanded Language Support for semantic search in Amazon Kendra
- Centralised reporting for AWS Organizations in AWS Backup Audit Manager
- Legal Hold capabilities for extended data retention in AWS Backup
- Analyse Lending service for automated mortgage document processing in Amazon Textract
- Elastic Throughput for Amazon Elastic File System
- Optimised Writes in Amazon RDS for MySQL, providing up to 2x higher write throughput
- Cross-account observability across multiple AWS accounts in Amazon CloudWatch
- Internet Monitor for Amazon CloudWatch
- Scheduling configuration support for AWS IoT Device Manager
- MQTT message broker version 5 for AWS IoT
- Real-Time processing capabilities in Amazon Transcribe Call Analytics API
- Blue/Green deployments for Amazon RDS
- Cross-Region & Cross-Availability Zone failback for Elastic Disaster Recovery
- AWS Backup support for Amazon Redshift
- Data Protection for CloudWatch Logs
- Application Aware data protection using CloudFormation in AWS Backup
- Tabular search for HTML documents in Amazon Kendra
- Enterprise administrative controls, simple sign-up and new language support for Amazon CodeWhisperer
- Application-centric migration and wave planning support in AWS Application Migration Service
- Optimised Reads for Amazon RDS for MySQL
- Delegated organisation-wide backup administration for AWS Backup
While that’s a pretty big list of features, there are a couple of really interesting announcements that have the potential to make life a lot easier for those in charge of operating/running AWS environments.
Reduced Reliance on Management Account
One of the principal design patterns of an AWS Organization is minimising the number of services/workloads running in your management account and restricting which of your users have access to it. The issue AWS architects face is that a number of core services can only be administered via the management account, which creates a bit of a catch-22. The good news is that several of the Day 0 announcements reduce your reliance on giving administrators access to the management account.
Delegated organisation-wide backup administration for AWS Backup
With delegated administration for AWS Backup, administrators can now delegate the permissions to “Manage backup policies across accounts in AWS Organizations” and “Monitor cross-account jobs” to other accounts within your AWS organisation. It’s important to note, however, that like a number of other AWS services you can’t delegate the ability to register/deregister other delegated administrator accounts, so configuration of these accounts will still need to be conducted via the management account. You can at least configure delegated accounts via the CLI (sorry, no direct SDK integration yet), so we do have a way to automate it.
Instructions on how to get started with the new feature and configure your own delegated administrator accounts can be found in the official product documentation here.
Delegated Administrator for AWS Organizations
This is a big one and quite possibly my personal favourite so far (ok, so I’ll admit it’s Day 0 and a little early to be calling favourites… but you have to start somewhere). This feature gives you the ability to delegate the admin tasks around organisation policies (backup, service control, tag and AI services opt-out policies) to member accounts, reducing the need to make changes via the central management account.
What this means in practice is that you can assign responsibilities for administering say “Backup Policies” for accounts in the “Finance” OU to an account under the control of the finance team. Likewise, you can give project teams the ability to control AI Opt-Out settings for their workload accounts without having to give them access to the management account. This opens up a whole lot of simplification that can occur within large multi-account environments.
If you’ve previously built/implemented a solution providing access to your management account to facilitate this type of work, we highly advise you take a look at the Delegated administrator for AWS Organizations user guide here to get a better understanding of the specifics.
If on the other hand you’d like to get up and running straight away and enable a delegated admin account within your organisation you can follow the guide on the AWS site here, or keep an eye out for an upcoming article on some tips and tricks around building scalable, flexible and secure delegated admin policies.
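Both of the delegations above (backup policy management for AWS Backup, and policy administration for AWS Organizations generally) are granted through a resource-based delegation policy attached to the organization from the management account (the body passed to `aws organizations put-resource-policy`). The helper below is an added example, not code from this article or from AWS: it builds such a policy scoped to a single policy type for one member account, and lints an existing delegation policy for grants wider than intended (no `organizations:PolicyType` condition, a wildcard principal, or SCP management handed out). The account ID `111122223333` is a constructed placeholder; the action and condition-key names are AWS’s own.

```python
from fnmatch import fnmatch

# Values of the organizations:PolicyType condition key.
POLICY_TYPES = {"SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY",
                "AISERVICES_OPT_OUT_POLICY"}
# Actions that create, change or attach policies; these need scoping.
MUTATING = ["organizations:CreatePolicy", "organizations:UpdatePolicy",
            "organizations:DeletePolicy", "organizations:AttachPolicy",
            "organizations:DetachPolicy"]
READ_ONLY = ["organizations:DescribePolicy", "organizations:ListPolicies",
             "organizations:ListPoliciesForTarget", "organizations:ListRoots"]


def build_delegation_policy(account_id, policy_type):
    """Delegation policy letting one member account manage one policy type."""
    if policy_type not in POLICY_TYPES:
        raise ValueError(f"unknown policy type: {policy_type}")
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}  # constructed ID in tests
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOrgStructure", "Effect": "Allow", "Principal": principal,
         "Action": READ_ONLY, "Resource": "*"},
        {"Sid": "Manage" + policy_type, "Effect": "Allow", "Principal": principal,
         "Action": MUTATING, "Resource": "*",
         # Without this condition the account could also manage SCPs.
         "Condition": {"StringEquals": {"organizations:PolicyType": policy_type}}}]}


def find_overbroad_statements(policy):
    """(Sid, reason) for Allow statements that delegate policy changes too widely."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(
                fnmatch(m, a) for a in actions for m in MUTATING):
            continue  # deny statements and read-only grants are not a concern
        types = set()  # policy types named in an organizations:PolicyType condition
        for operator in st.get("Condition", {}).values():
            for key, value in operator.items():
                if key.lower() == "organizations:policytype":
                    types |= {value} if isinstance(value, str) else set(value)
        sid = st.get("Sid", "<no Sid>")
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append((sid, "wildcard principal"))
        elif not types:
            findings.append((sid, "no organizations:PolicyType condition"))
        elif "SERVICE_CONTROL_POLICY" in types:
            findings.append((sid, "delegates SCP management"))
    return findings
```

Write the returned dictionary to a file with `json.dump` and pass it as `--content file://policy.json`; running the linter over a policy pulled back with `aws organizations describe-resource-policy` is a cheap periodic check that nobody has widened the delegation since.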
Improvements to Databases and RDS specifically
In addition to reducing our reliance on the management account, we can also see a number of announcements around Amazon RDS both around deployment and performance, including:
Optimised Reads & Writes in Amazon RDS for MySQL
At a high level (see below for specifics) AWS now offers you the ability to achieve faster reads and writes to your MySQL database by changing the way the environment handles the passage of data through the system. Under the right use case scenarios it’s possible to see as much as a doubling of your performance. However, unfortunately for us Aussies, these features are not yet available in the Sydney region.
Jeff Barr’s already done a fantastic job writing up an article on the specifics of this, and I highly recommend you give it a read here if you spend any amount of time working with Amazon RDS for MySQL.
Blue/Green deployments for Amazon RDS
Blue/Green deployments are a pretty common deployment pattern in the release management space, and this announcement automates the ability to do the same thing for our backend databases. This is a really simple way to control and facilitate major or minor DB engine version upgrades, change database parameters, or make schema changes in the staging environment.
While this is a really interesting announcement (and I’ll definitely be doing some testing of it over the Christmas break) there are a couple of key limitations outlined in the AWS documentation (available here for reference), including:
- Currently only supports MariaDB and MySQL
- Isn’t currently available in the Beijing and Ningxia regions
- AWS CloudFormation, RDS Proxy, Cross-Region Read Replication and Multi-AZ DB clusters are not supported
Observability Quality of Life Improvements
Finally, another area that’s seen a bit of love from AWS over the last few days is Observability and reportability… with a number of QOL (Quality of Life) improvements being announced across CloudWatch and other management services:
Centralised reporting for AWS Organization in AWS Backup Audit Manager
Reporting on and auditing your backups is not exactly the most exciting task for system administrators… but it’s definitely something that needs to be done, and something that hasn’t been as easy as it probably should be if you’re utilising a multi-account strategy across your AWS environment.
This release finally brings us the ability to report on the success/failure of backups and the compliance level against our backup policies across multiple accounts and regions within our AWS environment. This means that we can, from a single point of view, understand the overall health of our data backup position… drastically reducing the likelihood of missing/overlooking a failed backup action.
All of this is conducted through AWS Backup Audit Manager from within your AWS Organization’s management account (yeah, I know… you thought we’d just removed the need for management account access for AWS Backup) and can be targeted at OUs, regions or even specific accounts… perfect for department/team-based reporting.
It’s available today in most regions, and specific details can be found in the product documentation here.
Cross-account observability across multiple AWS accounts in Amazon CloudWatch
This one’s long overdue and really helps those using CloudWatch to monitor their distributed applications. With this release we have a way to assign “monitoring accounts”… accounts that can see, access and interact with observability data shared by “source accounts”. These monitoring accounts will allow you to view and interact with all the log, metric and trace data as well as (it appears, at least… confirmation coming) ServiceLens and X-Ray.
This will drastically reduce the complexity of running a multi-account or microservice solution and, when combined with some of the other announcements (like Internet Monitor), should provide teams with a level of visibility that’s been very difficult to achieve up to this point.
You can take a look at how to get up and running with this feature by taking a look at a blog article written by Danilo Poccia (AWS Chief Evangelist for EMEA) here or keep an eye out on the CMD blog for an upcoming article on how to automate the deployment and confirmation of this feature.
We’re just getting started with Re:Invent for 2022, and 26 announcements before the official events even get started is a testament to just how much will be happening in the world of Amazon Web Services this week. We’ll continue to publish new blog articles on the announcements and activities over the course of the week and will be following up our coverage with more deep-dive articles/guides in the coming weeks.