AWS Backup finally got CloudFormation support, AWS continued with great releases around EBS encryption, and I launched a new experiment.

AWS Backup CloudFormation

I’ve mentioned AWS Backup, and its ability to create backups of EFS, a couple  of times. And when I mentioned it, I complained that it didn’t have CloudFormation support. Which means that I should at least be nice enough that it now (finally!) has that support. Of course, I could complain about the syntax but let’s just leave it at being happy it’s there.

EBS Encryption

In the past couple of weeks AWS released a number of really nice updates with regards to encryption of EBS volumes. In case you’re not aware, most instances you spin up will run completely on EBS volumes and AMIs are basically EBS snapshots. Which means that it’s not completely surprising that several related releases happened in a short time.

Two weeks ago I wrote how you can now share encrypted AMIs with other accounts. That was great news, but then AWS improved on that by adding the ability to launch encrypted instances directly from unencrypted instances. Again, this was something that caused a lot of issues in the past. For example, if you have a company policy that says all data should be encrypted at rest¹ AMIs from the marketplace can’t be used without first creating your own encrypted AMIs. Which may not always be possible. So this will completely skip the need for that. Meaning a far simpler workflow.

Now, you know me² and if you read the above link you will notice a complete lack of something called CloudFormation support. Usually I would be loudly complaining about that right now. And if I wrote this a week ago³ I would have done so. But then AWS released something even better: opt-in default encryption.

This allows you, on a per region basis, to enable EBS encryption by default. Which means that you can automatically enable it for CloudFormation simply by turning on this setting. So yes, go turn it on. You can set a custom key for the encryption as well so you’re not stuck with the AWS provided default key. Of course, when you actually spin up an instance or create a volume you can decide to use a different key. The only thing you can’t do is choose not to use encryption.

AWSCLI Tips

Something I’ve been thinking about for a while⁴ is to try something new. Don’t get me wrong, I enjoy writing here, but I also want to experiment a bit. So, I quietly launched one of those experiments during the weekend. AWSCLI Tips is a Twitter account and associated GitHub repo that aims to give some ideas of what you can achieve with the AWS CLI. Right now I’m putting up a single tweet per day, which will usually⁵ consist of a short blurb, a couple of screenshots, and a link to the command in function form as in the examples below.

Many cli commands require the ID of your VPC, but that is hard to remember (especially now that they're 17 random characters). Why not use a function to call it based on the Name tag? The code for vpcbyname is at https://t.co/jryV33jUhE pic.twitter.com/a2EWwaLVyd

— AWSCLI Tips (@awscli_tips) May 27, 2019

When you have an API key, but all access is MFA only, you can get an authorised STS token using a combination of aws iam list-mfa-devices and aws sts get-session-token. Code at https://t.co/Vc6OyHCZjs #awstips pic.twitter.com/LiBhtKHyD0

— AWSCLI Tips (@awscli_tips) May 26, 2019

If you think this is interesting to you, follow the account and do any of the usual liking/retweeting things. I’m also very interested in hearing ideas from people. Either as something you wrote that I can retweet⁶ or even as something I can try to puzzle out for you.