Last week, at the AWS Summit San Francisco, AWS unveiled the new AWS Secrets Manager service. This new service allows you to:
This service enables you to avoid storing database credentials and other secrets in configuration files on your servers. Secrets can be retrieved and used dynamically.
It’s basically doing for any secret what “IAM Roles for EC2 Instances” did for IAM access keys.
But the real power of the AWS Secrets Manager comes from the automated rotation. This allows you to change your passwords every 30 days (for example).
Back in 2016, AWS extended the resource ID length from 8 characters to 17 characters. At the time, this change applied to EC2 instances, EBS snapshots, EBS volumes, and EC2 instance reservation IDs.
Now they’re doing it again with the remainder of EC2 resource types, such as:
For example, short AMI image IDs are like ami-12345678 and long AMI image IDs are like ami-12345678901234567.
Here’s what you need to know about the longer resource IDs and their impact.
In previous posts, I showed you how to copy your DB and Aurora snapshots to ensure they are preserved beyond the lifetime of your RDS instance. However, those copies were simply second copies in the same region as the original.
In this post, I’ll show you how to copy your RDS snapshots to a second region for extra protection. Please note that I will restrict this post to unencrypted snapshots. Copying encrypted snapshots is more involved, so I’ll show that in a separate post.
RDS snapshots can be unencrypted or they can be encrypted at rest. Today, best practice is to use encryption-at-rest on your RDS instances and clusters, and to encrypt your RDS snapshots.
When you create an RDS snapshot from an RDS instance or cluster, the resulting snapshot will be encrypted if the source instance or cluster is encrypted. But if the source is not encrypted, then your RDS snapshot is not encrypted. When you create an RDS snapshot, you are not given the option to encrypt it.
However, when you copy an RDS snapshot, you can add or change the KMS keys used. So, if you have an unencrypted RDS snapshot that you want to encrypt, you can do so by making a copy and encrypting the copy along the way.
RDS cluster snapshots are snapshots created from Amazon RDS Aurora clusters. RDS snapshots created from MySQL, PostgreSQL, MariaDB, Oracle, and Microsoft SQL Server instances are different. Those are considered “DB snapshots” and are handled differently.
Aurora cluster snapshots are created from an Aurora cluster. All Aurora instances share the same underlying cluster data. So when you create a snapshot for Aurora, you are creating it from the cluster, not the instances.
The Aurora cluster snapshots can be copied for longer data retention beyond the standard RDS cluster snapshot lifetime, which maxes out at 35 days. Also, the automated RDS snapshots are deleted when the RDS cluster is deleted. So if you need to preserve your data after the cluster is deleted, then you’ll need to make a copy of it yourself.
In this example, we’ll copy our RDS Aurora snapshot within the same region.
RDS DB snapshots are snapshots created from Amazon RDS DB instances, that is, MySQL, PostgreSQL, MariaDB, Oracle, and Microsoft SQL Server. Amazon Aurora also has snapshots; however, those are considered “cluster snapshots” and are handled differently.
The DB snapshots can be copied for longer data retention beyond the standard RDS instance snapshot lifetime, which maxes out at 35 days. Also, the automated RDS snapshots are deleted when the RDS instance is deleted. So if you need to preserve your data after the instance is deleted, then you’ll need to make a copy of it yourself.
In this example, we’ll copy our RDS DB snapshot within the same region.
As companies, big or small, move into the cloud, it’s becoming more and more important to ensure that data is protected. There are numerous options for data resilience, including (but not limited to) Amazon EBS and Amazon S3. What you choose to use depends on your business requirements.
Amazon EBS volumes are supposed to be redundant within an availability zone; however, they have been known to fail, both through technical issues and through human error.
When storing important data in your EC2 instances, a sound backup strategy is vital.
AWS provides an EBS-native backup option in the form of EBS snapshots. AMI images take that one step further in that an AMI image includes EBS snapshots for each attached EBS volume in addition to metadata about the EC2 instance itself. With an AMI image, you can replace a “broken” EC2 instance very quickly.
So, if your EC2 instances contain data that cannot be lost, creating daily AMI images can be key to ensuring your business stays in business.
Most likely you have heard about Spectre and Meltdown by now. It’s all over the news. As an IT or DevOps engineer, it’s now your job to patch your EC2 instance operating systems.
This task can be “fun” if you need to SSH/RDP into every EC2 instance and apply patches. Or, it can be truly fun if you decide to use AWS Systems Manager to apply patches to your OS.
Modern cloud-based data services have revolutionized the way companies manage their data. Tools such as Amazon Athena and Amazon Redshift have changed data warehouse technology, supporting a move towards interactive, real-time, analytical solutions.
Both Amazon Athena and Redshift offer their own unique benefits and use cases. Athena provides a cheaper and more portable way to query data while Redshift offers unrivalled performance and scalability.
The following article provides a brief comparison of the Amazon Athena and Redshift data services. By understanding the main uses of each and comparing them under key headings, you can come to a more informed decision in choosing the right tools for your company’s data needs.