From Inspiration to Action

Upon returning from Stockholm, I began organizing the joint community. After researching existing groups, I noted successful regional collaborations like AWS Community DACH (covering Germany, Austria and Switzerland), the Nordics (encompassing Sweden, Finland, Norway, and Denmark), and Adria (covering Adriatic countries). Central and Eastern European countries clearly lacked this type of collaboration.

Assembling the Team

A good idea attracts strong partners naturally. I immediately reached out to my friends from Slovakia (Michael Salenci, Lydia Delyova) and Romania (Lucian Patian), who enthusiastically joined. It became evident that a joint organization would benefit our region tremendously. Michal helped bring Linda onboard – one of the region’s most active community members and an AWS Hero who also serves as the chairwoman of AWS Community DACH, bringing valuable expertise. Paula Kis, Oleksii Bebyc, Traian Ciobanu and Urban Jurca also happily accepted my invitation. Our community now includes six member countries: Austria , Croatia , Moldova , Romania , Slovenia , Slovakia , Hungary , and Ukraine .

Identity and Branding

Finding the right name proved challenging. I initially considered “AWS Community Danubian” but questioned whether we could effectively manage such a vast region, especially with potential overlaps with Adria and DACH. During the ExecLeaders dinner, I discussed this with Piotr Gralec, an AWS sales representative with extensive regional knowledge, who recommended sticking with “AWS Community CEE” – an advice I gladly accepted.

Inaugural Community Day Event

What better way to introduce our community than with a joint Community Day? My vision is to host AWS Community Day CEE in a different participating country each year. While I was open to any location, everyone suggested Budapest, Hungary for our inaugural event. Although organizing an event at this scale is a considerable challenge, I’m thankful that I can draw upon the experience and lessons learned from previous local Community Days to make it successful.

I am happy to announce that AWS Community Day CEE will take place in Budapest on Thursday, October 16. I’ve already secured an impressive lineup of speakers, including Massimo Re Ferre (Director of Product Management in Next Generation Developer Experience) and Maria Encinar (Global User Group Manager for AWS). This promises to be an exceptional event, and we welcome everyone to participate. Visit awscommunity.eu for more information.

I’m delighted to see this regional community come to life. I’ve always believed in the power of collaboration and am thankful to the regional User Group Leaders supporting this initiative.

A AWS Community CEE: A Regional Collaboration Takes Shape bejegyzés először Road to AWS-én jelent meg.

For those of you attending re:Invent for the first time, as I am, navigating a conference of this scale can be overwhelming. After extensive research and valuable advice from experienced Community Builders like Pubudu Jayawardana and Niklas Westerstråhle, I’ve put together this guide to help fellow attendees make the most of their re:Invent experience.

Registration

It all starts with registering for the conference. The earlier you do it, the more options you have. Registration typically opens around June, giving you ample time to book airfare and accommodations. One tip I learned the hard way: exhibitors at the expo may scan your badge, which can lead to a flood of newsletters. To avoid this, I recommend registering with a dedicated email or tagging your re:Invent emails. For example, if you use Google, registering with something like “misi+reinvent2024@roadtoaws.com” will apply a “reinvent2024” tag to all relevant messages.

Stay

Before booking your flight and accommodation, decide how long you plan to stay. Although re:Invent spans the entire week, most major sessions happen between Tuesday and Thursday, with Friday primarily reserved for repeats. If you stay until Friday, you may have better luck getting into reserved sessions as many attendees head home. However, if your schedule is tight, a two- to three-day stay will cover the key events and announcements.

Flights

After registration, you may find discounted airfare. This year, AWS is partnering with Delta Airlines for exclusive discounts, but I’ve found using flight comparison tools like Momondo offers the best deals. Having tracked flights from Budapest to Las Vegas since June, I noticed prices stay stable through September, with a noticeable increase in October. Be mindful of time differences—Budapest is nine hours ahead of Las Vegas, so jet lag can be intense. Avoid booking any sessions immediately after landing, as adjusting to the time zone takes a while.

Accommodation

AWS partners with several hotels near the conference venues offering discounts, though note that these bookings often don’t allow free cancellations. If flexibility is important, booking through platforms like Booking.com or Expedia can provide more options, including free cancellation periods.
The Venetian serves as the conference’s hub, hosting key events and the expo, while the nearby Wynn and Encore hotels are also popular options ($269 and $279 per night, respectively). For a more affordable alternative, I recommend Treasure Island, which is only half the price ($133/night) and located conveniently close to The Venetian. Keep in mind that navigating from one hotel to another can take longer than expected due to the sheer size of the event and the Strip—be prepared for a lot of walking!

Weather

Las Vegas in December has a daily temperature range from 4°C (39°F) to 15°C (58°F). Mornings and evenings can be cold, sometimes dropping to freezing, while afternoons are relatively mild. As Las Vegas is a desert city, staying hydrated is essential. Bring plenty of water and comfortable layers.

Local Transport

Getting from the airport to your hotel or the event can be done by bus, carpool, or taxi. If you’re staying near the south end of the Strip, ridesharing services are often the cheapest and quickest option, though traffic can sometimes be a problem. Taxis from the airport have a fixed rate to the Strip, and be prepared to pay a $3 surcharge if paying by card. Lines for rideshares like Uber or Lyft can also be long, so sometimes taxis are faster. Budget-conscious attendees can opt for buses, but note that routes can change—such as the CX bus now stopping at Flamingo rather than New York New York.

Re:Invent spans multiple venues along the Strip, so travel time between sessions can add up. re:Invent shuttle buses run frequently, but they can be delayed by traffic. For faster options, consider using the Las Vegas Monorail, which connects key venues, including Harrah’s, The LINQ, MGM Grand, and the SAHARA (re:Play party). For sessions at Mandalay Bay, the free tram from Excalibur is a convenient option.

Food at re:Invent

Complimentary breakfast is served daily from Monday to Friday between 6:30 AM and 8:30 AM, with Friday’s breakfast located at Caesars Forum and The Venetian. Free lunch is available from Monday to Thursday between 11:00 AM and 1:00 PM. Based on my experience at the Stockholm Summit, I recommend grabbing lunch early, as food can run out if attendees take extra portions. If you want to dine well, heading to a restaurant or one of the partner-organized events is a better option.

Expo

The Expo Hall opens Monday afternoon and runs through Thursday, offering opportunities to network with partners and pick up some swag. If you want to avoid the crowds, try going in the early mornings. The Expo is also where you’ll find Lightning talks, which offer quick 20-minute presentations on customer stories and product demos.

Sessions

Organizing your session schedule is critical, especially if you’re trying to make the most of the week. For this task, I recommend my fellow speaker, Raphael Manke’s Unofficial AWS re:Invent Session Planner 2024. Reserved seating opens on October 8, and you’ll need to act fast. Here’s a quick breakdown of the session types:

• Keynote: Major announcements happen here, but it’s challenging to secure a good seat. Many veterans leave 15 minutes early to avoid the post-event rush.
• Breakout sessions: These are 1-hour, non-interactive presentations that are recorded. While interesting, many attendees skip them to focus on live sessions.
• Builders’ sessions: Hands-on sessions in small groups. These are repeated throughout the week, so staying until Friday can increase your chances of participating.
• Chalk talks: Highly interactive 1-hour discussions that begin with a lecture and conclude with Q&A. These are not recorded, making them popular among experienced attendees.
• Code talks: Technical sessions at level 300 and above, focused on deep coding topics. Attendees are encouraged to ask questions.
• Lightning talks: Short, 20-minute presentations held in the Expo Hall.
• Workshops: Guided, hands-on labs to build solutions. Time constraints often limit how deeply you can explore the topics.

Health & Safety

With thousands of people attending re:Invent from all over the world, the chances of catching a virus increase. Bring hand sanitizer, consider wearing a mask, and wash your hands regularly to stay healthy during and after the event.

Key Takeaways

• Register with a dedicated or tagged email to manage incoming messages
• Bring hand sanitizer and a mask to reduce the risk of illness
• Avoid scheduling back-to-back sessions at different venues—travel time can be significant
• Pack comfortable shoes; you’ll be doing a lot of walking
• Carry a battery pack as outlets are hard to come by. Wi-Fi can be unreliable, so consider getting a good data plan
• Have cash on hand, as taxis prefer it, and withdrawing from casino ATMs can be expensive

Enjoy your stay at re:Invent and don’t forget to say hello!

A Navigating AWS re:Invent 2024: A First-Time Speaker’s Guide bejegyzés először Road to AWS-én jelent meg.

Amazon Bedrock is available in 13 AWS regions:

• US East (N. Virginia)
• US West (Oregon)
• Asia Pacific (Tokyo)
• Asia Pacific (Singapore – limited access)
• Asia Pacific (Sydney)
• Asia Pacific (Mumbai)
• Canada (Central)
• Europe (London)
• Europe (Frankfurt)
• Europe (Paris)
• Europe (Ireland – limited access)
• South America (São Paulo)
• AWS GovCloud (US-West)

Note: Due to limited access in Ireland, Singapore and GovCloud, these regions are excluded from my analysis, leaving us with 10 regions for comparison.

Anthropic uses "Haiku" for its smallest model, "Sonnet" for the mid-range option, and "Opus" for its top-tier model.

On June 21, 2024, Anthropic introduced Claude 3.5 Sonnet, claiming it can match or exceed OpenAI's GPT-4o or Google's Gemini across numerous tasks. This new model is exclusively available through the Anthropic API, Amazon Bedrock, and Google Cloud's Vertex AI. Since this is a new model, it is currently only available from us-east-1 at the time of this blog post.

When it comes to Amazon Bedrock, the rule of thumb you've come to know about AWS pricing and service availability no longer applies. If you are based in Europe, you have learned that the region with the most services is Ireland (eu-west-1) and that the cheapest option is usually Stockholm (eu-north-1).
With Bedrock, this all changes; the region that offer the most Anthropic FM's for Europe is Frankfurt (eu-central-1). If you're developing with Generative AI in Europe, Frankfurt is now your best choice.
In the US, your rule of thumb remains the same, with us-east-1 being the region that provides the most functionality, but there is a catch: the highest-end model, Claude 3 Opus is only available in Oregon.

Amazon Bedrock's on-demand and batch pricing is consistent across regions (e.g., you pay the same for Claude 3 Haiku in Oregon and Canada). In fact, Claude Sonnet 3 and 3.5 cost the same. This uniform pricing strategy underscores AWS's commitment to making advanced Generative AI models accessible and affordable for developers.

Provisioned Throughput pricing

When we look at the provisioned throughput pricing, we see fewer choices. We are limited to Claude Instant and Claude 2.0/2.1 models and with only 4 regions. Frankfurt is right behind the top US regions in terms of prices, with Tokyo being the most expensive.

Summary

AWS demonstrates its strong commitment to Generative AI through multiple actions. It offers competitive pricing for Anthropic's foundation models, continually expands Bedrock's availability to new regions, and promptly makes the latest foundation models accessible to its users.

These efforts highlight AWS's dedication to advancing and supporting Generative AI, providing developers with the latest tools at affordable prices.

A Amazon Bedrock – Consistent Anthropic FM pricing across regions bejegyzés először Road to AWS-én jelent meg.

One of the biggest disadvantages of Lightsail over EC2 is that you cannot easily change your instance type. Currently, there is no one-click option to switch from a 512 MB memory bundle to a 1 GB memory bundle. AWS is aware of this issue and is working on a solution that will allow you to upgrade to a larger bundle in the future. Until then, we have to do it the hard way.

How do I get 1 vCPU for free?

Previously, the cheaper Lightsail bundles only offered 1 vCPU. This was because the underlying t2 instances had 1 vCPU options. Now that AWS Lightsail has moved to the new t3 instance family, there are no 1 vCPU options, only 2 vCPU’s. While there has been a change under the hood, AWS has maintained its Lightsail pricing, so you get an additional free vCPU when you move to the t3 instance family.

Upgrading a Lightsail instance

To upgrade your Lightsail instance, you must create a manual snapshot. Under Snapshots, click Create Snapshot and give your snapshot a name. Creating a snapshot takes time, so be patient while your snapshot is being created.

While the snapshot is being created, go to the Networking tab, and if you have an IPv4 address, be sure to click Create static IP. This will allow you to keep your current public IPv4 address. Unfortunately, there is no option to keep your IPv6 address, so you will need to update your DNS settings in the future.

Under IPv4 firewall, make a note or a screenshot of your firewall rules, as they won’t be migrated either. If you have IPv6 networking, do the same for these rules as well, since you may have different IPv4 and IPv6 firewall rules.

By now, your snapshot has probably been created. Select Snapshots from the left menu and you will see your newly created snapshot. Click on the three dots and select Create New Instance. Here you can select an IPv6 bundle if you don’t need a public IPv4 address or the new 2vCPU options. There is only one restriction. You cannot select a lower bundle that you already have.

Note that Lightsail instance names are unique, so you cannot name your new instance the same as your previous instance (and there is no option to change the instance name in the future). I added www. in front of my instance.

Now that your new instance is up and running, first detach your IPv4 address from your old instance and attach it to your new. Also, enter your firewall rules that you saved earlier.

Do not forget to update your DNS settings with your new IPv6 public address. Stop your old instance and test your new instance.

Cleanup

Once you have verified that the new instance is fully functional, you can perform a manual cleanup. First, go to Snapshots and delete the snapshot you created for the upgrade. AWS charges $0.05 USD GB/mo for snapshots, so if you don’t need it, just delete it. You will also need to manually delete the old instance.

Amazon Lightsail is the easiest way to get started with AWS, upgrading your instance is not. While AWS implements this feature, you must manually upgrade your Lightsail instance.

A Upgrading Amazon Lightsail instance bundles – get an additional vCPU for free bejegyzés először Road to AWS-én jelent meg.

I saw a video on YouTube about how to make your business card smart with a simple NFC sticker. The problem is that while you can program a vCard into a sticker, iOS devices don’t support them yet. The only way to get an iPhone to read an NFC vCard is to host the vCard file on the web. Then it hit me. Why not host the vCard on AWS using only free tier resources.

The obvious solution was Lambda and Lambda Function URLs since they are completely free. Plus, you can be sure that AWS will still be around in 5 or 10 years, so your digital business card will still be running.
Also, it’s very easy to update your information if something changes, you don’t have to buy a new one. Which is good for the environment too!

During development I ran into issues that required creating extra policies to make it work. Since I wanted to make it as simple as possible for everyone to use it I created a CloudFormation template that creates all the resources for you.
And when you no longer need it, CloudFormation can delete all the used resources. But why would you do that when it’s completely free.

The code is written in Node.js 18.x and produces a v. 3.0 vCard. You might ask why not v. 4.0 and the answer is simple. Apple doesn’t support it and I wanted to make it as compatible as possible.
The other problem I faced is that according to the vCard specifications you can link an image URL as your photo, but Apple devices don’t support that either. The photo should be Base64 encoded in your vCard.
That is why CloudFormation creates an S3 bucket where you can store your photo (avatar.jpeg) and the Lambda function will convert it to Base64 and include it in your card.

Not just Apple, AWS has some weird things too. For example, when you create a FunctionURL for your Lambda function, this URL is not defined in your Lambda environment variable. To get the FunctionURL, you need to grant the GetFunctionUrlConfig role to read your function URL. Since a vCard allows you to define the source of the vCard where you can always get the latest version, I had to create a policy and attach it to the Lambda role to include the FunctionURL in the vCard.

The other issue I faced is that while you can include your Lambda code in CloudFormation, it creates an index.js file instead of an index.mjs which is required for Node.js 18.x. There is a solution to include the code in an S3 bucket and CloudFormation will retrieve the code from there, but then you are stuck with the region where your S3 bucket is. So I created two CloudFormation templates.
If you want the easiest installation and don’t want to change your region, use the default template. This will run in US East (N. Virginia). If you want to host your business card in another region, use the template-with-code.yaml instead, but you will need to rename index.js to index.mjs for the code to work.

All the source code is available on GitHub under the Apache 2.0 license. See the GitHub page for detailed installation information.
Use template.yaml if you want the simplest installation.
If you want to specify the region in which the resources are created, use the template-with-code.yaml stack instead and rename the index.js source file to index.mjs.

I hope this little code is as useful as it was fun to write it.

A Free and easy DIY digital business card bejegyzés először Road to AWS-én jelent meg.

I chose Mastodon as my primary platform because it is the most popular of all. You may choose otherwise, as these networks can communicate seamlessly with each other no matter what server you are running.

Twitter (now: X) as a commercial company has the right to restrict or commercialize its API, which can be a struggle for startups or small developers. Mastodon is not only free and open source, but also much more developer friendly. One such feature is the support of bot accounts. You are not limited at these accounts, in fact you are encouraged to use them. In Mastodon, you can specifically mark if an account is a bot, making it more transparent to everyone.

The first step is always the hardest, choosing your Mastodon server. There are many to choose from, some are for specific communities, some are geographically restricted. If you are unsure, just stick with the oldest: mastodon.social.

Create an account here and check the This is an automated account box under your profile. This will let others know that this is a bot account. Under Development, create a new application and select the appropriate permissions. Since my bot will only publish, I only selected write:statuses.

In a previous blog post I created a website for Hungarian tech conferences. I will use this as my input source. Currently this site doesn’t offer an easy way to export information, so I modified the Jekyll code to generate a CSV file for the upcoming events. This way I can parse the data more easily.

The Serverless Approach

From the title of this post, you have probably guessed that I am going to take a serverless approach. I don’t want to deal with security updates and patches. I just want this bot to work with very little maintenance.

Tip: Choose arm64 as your Lambda architecture because it is cheaper to run.

There are a handful of API clients for Mastodon to choose from. Since I will be using Node.js 18.x for the runtime, I wanted to find one that was compatible with it. My choice was Masto.js, which is maintained quite frequently and supports most of the Mastodon API features.

To download CSV data from techconf.hu, I will use Axios as in my previous projects. As for parsing CSV data my choice was csv-parse (watch out there are multiple CSV parsers out there, some names may only be different with a hyphen). I then created separate Layers for each function and attached it to my Lambda function.

Making it all work

The code is pretty simple. First I download the CSV file and parse it with csv-parse. Then I set up the Toot (Mastodon’s phrase for Tweet) and publish it with Masto.js.

One problem I faced is that in Mastodon every Toot has a language variable. If you don’t set it specifically, it defaults to the one set in your Mastodon account.

Tip: Since the Fediverse is so decentralized, it is a good idea to tag all your posts.

import { parse } from 'csv-parse';
import { login } from 'masto';
import axios from 'axios';

export const handler = async(event) => {
    var tweet = "Upcoming Hungarian Tech Conferences 🇭🇺\n\n";
    var conferencesThisWeek = false;
    const currentDate = new Date();
    const endOfWeek = new Date(new Date().setDate(new Date().getDate() + 7));
    currentDate.setHours(0,0,0,0);
    endOfWeek.setHours(0,0,0,0);
    var conferenceDate;
    var csv;
    
    await axios({
        url: 'https://techconf.hu/conferences.csv',
        method: 'GET',
        responseType: 'blob'
    }).then((response) => {
        csv = response.data;
    });
    
    const parser = parse(csv, {
        delimiter: ",",
        from_line: 2
    });
    
    for await (const record of parser) {
        conferenceDate = new Date(record[3]);
        if (currentDate <= conferenceDate && conferenceDate <= endOfWeek) {
            tweet += '👉 ' +record[0] + ' (' + record[2] + ')\n📅 ' + record[3] + ' - ' + record[4] + '\n🔗 ' + record[1] + '\n\n';
            conferencesThisWeek = true;
        }
    }
    
    if (conferencesThisWeek) {
        tweet += '#Hungary #Technology #Conference';
        
        const masto = await login({
            url: 'https://mastodon.social/api/v1/',
            accessToken: ''
        });
    
        await masto.v1.statuses.create({
            status: tweet,
            visibility: 'public',
            language: 'en'
        });
    }
    
    // TODO implement
    const response = {
        statusCode: 200,
        body: JSON.stringify('Hello from Lambda!'),
    };
    return response;
};

Scheduling

The easiest way to schedule a Lambda function is to use the Amazon EventBridge Scheduler. Simply select your schedule pattern and the Lambda function as the target, and it will execute your code at the given time.

Final Thoughts

Did I mention the best part? This is all free. The services I used are all covered by the AWS Free Tier (as of this writing).

Feel free to create similar bots or improve my code or just follow my bot at: https://mastodon.social/@techconf

A Creating a Serverless Mastodon Bot bejegyzés először Road to AWS-én jelent meg.

I was looking for a solution that was open source and that anyone could contribute to it. While discussing this issue with María Encinar (EMEA Community Programs Manager
– AWS), it turned out that other European countries are facing similar problems and there is also a trend on these conference websites. She recommended me this GitHub repository.
As far as I could track it down it all started with Android Study Group, which created a GitHub Page for Android conferences. Spain, Portugal, Italy and even Canada soon followed. I realized right away that I am on the right track. The source code is open source, hosted on GitHub and anyone can contribute to it with a simple Pull request. This was a great foundation, but I knew I wanted more.

Hungarian translation

The main problem we face here in Hungary is that while there are a lot of events happening here, some are primarily in English. For someone who is just starting with AWS, this could be an extra challenge that they might not take. That is why my first improvement was to translate the interface into Hungarian. I didn’t want to exclude English speakers as well, so I made the interface bilingual. This way everyone can feel comfortable on the website.

The other improvement I made is that I clearly highlighted the language of the conference. This way I can help people who prefer content in their native language.

Deployment on AWS

I cannot ignore the fact that I am an AWS Community Builder, so it was a no-brainer that I would implement this on AWS. Registering a domain and setting it up on Route 53 was the first step. Then I looked at the possibilities of hosting. The site is written in Jeklly and each page is generated separately. Using GitHub Actions, I can regenerate the static pages every time there is a new commit.
Hosting a static website on AWS isn’t rocket science. S3 static file hosting is a cheap and easy way. I just needed to find a way how to publish my files to S3. Jake Jarvis created a GitHub Action that can sync your files to S3. All you have to do is to create the appropriate IAM permissions and your files will be pushed to the S3 bucket of your choice. From there, AWS will do the rest. I have created a CloudFront distribution to get HTTPS and fast access from Hungary. Currently, there is no AWS region in Hungary, but there is an edge location in Budapest, so serving the site from there gives fast access to Hungarian users.

The outcome

The result is techconf.hu, a community-curated list of tech conferences around Hungary. I sincerely hope that this project will benefit the Hungarian AWS community, and perhaps other countries facing similar issues will follow. Happy Conferencing!

A Bringing together Hungarian technology conferences bejegyzés először Road to AWS-én jelent meg.

The basics: S3 static website hosting

Hosting your static website has never been easier. With Amazon S3 static hosting, you can serve your static pages by simply uploading it to an S3 bucket and enabling public access (be sure to name your bucket as your domain name). You can find a lot of articles on the web that explain how to set up S3 static hosting, which is why I am not going to go into any further details here.

But there are limitations: S3 static hosting doesn’t support HTTPS, the de-facto-minimum for website hosting. To use HTTPS, you need to set up Amazon CloudFront. This comes with a lot of extra features like GeoIP restrictions, caching and a free SSL certificate. Not to mention, you can finally disable your S3 public access (which could be a security risk) and give limited access to CloudFront only (with a bucket policy).

Pro tip: Give CloudFront ListBucket permissions in your S3 bucket policy, otherwise the client will not receive HTTP status codes, including a 404 when trying to access non-existent content:

Mishi

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::roadtoaws.com",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::111111111111:distribution/AAAAAAAAAAAAA"
                }
            }
        },
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::roadtoaws.com/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::111111111111:distribution/AAAAAAAAAAAAA"
                }
            }
        }
    ]
}

Because of the caching involved with CloudFront, this is not ideal for development. You either have to test your code locally or without HTTPS enabled.  This is the main reason why I would still like to see HTTPS support in S3 in the future.

Make it dynamic

Static websites are a thing of the past. You will most likely need some kind of dynamic content. While there are a lot of services that provide functionality, like E-mail sending, Comments, that you could include in your static code to make it dynamic, you’d most likely have to write your own code. This is where Lambda Function URLs come in handy. With a simple Lambda function, you can execute code or use other AWS resources that you can invoke with a simple HTTP request in your browser. But how do you restrict it to a specific IP, domain, or CloudFront?

AWS recommends authenticating through IAM, and while this is really a secure way, it makes development challenging.  The first thing you see is CORS where you can set your origin to a domain. Unfortunately, this didn’t work for me the way I wanted it to. This doesn’t restrict your Lambda from being called from any IP. You can also set an X-Custom header here, but that doesn’t really limit external access.

Then you look for matching IAM permissions that you can attach to Lambda functions. In the available Policies you can find InvokeFunctionUrl where you can add an IP address to limit the invocation to a specific IP. This sounds great! You create a policy and attach it to your Lambda Role. Unfortunately, this does not restrict your Lambda access either.

So what was my solution?

1. Restrict in code

The first obvious solution is to check the source IP with your Lambda function. Here is a sample code in Node.js (you can find a similar code for other languages online):

const ipAddress = event.identity.sourceIP;

if (ipAddress === '52.84.106.111') {
  const error = {
      statusCode: 403,
      body: JSON.stringify('Access denied'),
  };
  
  return error;
} else {
  const hello = {
      statusCode: 200,
      body: JSON.stringify('Hello World!'),
  };
  
  return hello;
}

While this obviously works, you’re adding extra code to a Lambda function that’s primary role is to do something else. Not to mention that this will increase the runtime and the resources used by Lambda. Most importantly, how can you be sure that the IP you get in the sourceIP variable is really the IP the client comes from.

My biggest concern with this solution was that I not only wanted to restrict my functions to one specific IP but to the whole CloudFront distribution – so that I can be sure that it is called from one of my static pages –. With this method, it would be a hassle to maintain an up-to-date list of all CloudFront servers.

2. reCAPTCHA

Yes, you heard it right, Google reCAPTCHA. This may sound strange at first, but this is the solution I have implemented in my work and provides the solutions to the above challenges.

Embeding the reCAPTCHA code in your static web pages is a good idea. In fact, Google recommends that you include the code in all of your pages – not just the ones that you need it, such as form validations – because that way the algorithm can more effectively detect fraudulent use. Within the lambda function, I can now validate whether or not the user really invoked my Lambda function URL from my static web page. Here is the code I use to verify the reCAPTCHA request:

const gRecaptchaResponse = event.queryStringParameters["g-recaptcha-response"];
    
    var verificationUrl = "https://www.google.com/recaptcha/api/siteverify?secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&response=" + gRecaptchaResponse;
    const recaptchaResult = await getRequest(verificationUrl);
    
    if (false == recaptchaResult.success || 0.5 > recaptchaResult.score) {
      return error;
    }

In conclusion

S3 static website hosting is the easiest way to start with your serverless journey. While there are obstacles ahead you can always find a serverless solution.

A Restricting AWS Lambda Function URLs to CloudFront bejegyzés először Road to AWS-én jelent meg.

The AWS Well-Architected Framework consists of six pillars:

• Operational excellence
• Security
• Reliability
• Performance efficiency
• Cost optimization
• Sustainability

AWS not only provides training and documentation on the AWS Well-Architected Framework but also provides the tools you can use to monitor your cloud infrastructure.

In this blog post, I will present a method on how to test your cloud environment against the Security and Reliability pillars of the AWS Well-Architected Framework.

The Security pillar focuses on the ability to protect information, systems, and assets while delivering business value through risk assessments and migration strategies.
The Reliability pillar focuses on the ability to recover from failures and meet demand in foundations, workload architecture, change, and failure management.

Setup

AWS Systems Manager is the go-to place to gain operational insights into AWS. Here on the Quick Setup page, we can select Conformance Packs. But let’s not run so far ahead since we need to prepare our environment first. Without that the tests will fail with a not so useful error message.

To prepare our environment we have to enable Config Recording. We can enable this by going to AWS Config and selecting 1-click setup. This will record all resources (excluding global resources) set an AWS Config role and create an S3 bucket. If you would like to fine-tune which resources you would like to record, select or create a specific role or choose a specific S3 bucket select Get started instead. Once recording is enabled we can go back to Systems Manager.

In the Conformance Packs configuration screen, we can select if we would like to check for operational best practices for the AWS Well-Architected Framework Reliability or Security pillars or both. We can schedule when to run the configuration and select our region. Once the pack is deployed the tests usually take a couple of minutes to run.

Results

AWS Config will show the results grouped by AWS services.

Clicking on an issue shows a detailed explanation.

Pricing

Pricing is based on the number of conformance pack evaluations. While AWS currently doesn’t show how many evaluations are in each pillar it’s hard to get the exact number without running it. It would be nice if AWS would have fixed pricing for Operational Best Practices conformance packs. AWS Config has a pricing example on their website that shows a total config bill.

Summary

The AWS Well-Architected Framework is a great and unique feature of AWS that differentiates itself from other cloud providers and I don’t see why it’s not yet included in the AWS Free Tier. Having a healthy cloud environment is good both for AWS and for the customer.

A Operational best practices for AWS Well-Architected Framework bejegyzés először Road to AWS-én jelent meg.

Apple made the transition from Intel to Apple silicon relatively easy for end-users. Rosetta 2 does a wonderful job for applications compiled exclusively for x86-64-based processors to be translated for execution on Apple silicon. Since Apple silicon has been out for a while many developers provide Apple silicon compiled binaries. In fact, there are fewer major companies that don’t provide an Apple silicon version of their app. This is why some people, including myself – never install Rosetta. In this way, I can guarantee that all my apps are optimized for the new processor.

The AWS documentation says that there are three ways to install the CLI on the Mac:

• GUI Installer
• Command line installer – All users
• Command line – Current user

The sad news is that all of these methods use the same macOS pkg file. This installer in this file is not yet optimized for Apple silicon but the included binaries are. This means that you have to install Rosetta just to install an Apple silicon app. Strange, indeed. Thankfully there’s another solution that the official documentation doesn’t mention, Brew.

Homebrew is the missing package manager for macOS. You probably already use it if you would like to install apps like wget or mc. Installation is simple and straightforward, just run the following command in your terminal.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Next run these two commands to add Brew to your PATH:

echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv)"

The only downside I see with Brew is it sends data to Google. It does warn you about this but doesn’t tell you how to turn it off. While Homebrew maintainers say these analytics help them decide on future features and prioritize current work – and recommends them to keep it on – I am still not a fan of personal data collection, even if it’s anonymous. To turn this off simply run the following command:

brew analytics off

Now that Brew is installed you can easily install the AWS CLI by executing the following command:

brew install awscli

Voilà, the AWS CLI is now installed without Rosetta.

I should note that this workaround was needed at the time of writing this article and AWS will probably fix the installer, but until then just use Brew.

A Installing AWS CLI on Apple silicon bejegyzés először Road to AWS-én jelent meg.