Session 052 — Aurora: Serverless, Global Database and Differences vs Standard RDS
Aurora architecture with shared cluster volume, Aurora Serverless with ACU scaling, Global Database for cross-region DR, and fundamental differences vs standard RDS.
Multi-AZ DB Instance vs DB Cluster vs Read Replicas, RDS Proxy for connection pooling, Performance Insights and transition to CloudWatch Database Insights.
Karpenter architecture vs Cluster Autoscaler, Helm installation with IAM, NodePool and EC2NodeClass with instance constraints, automatic consolidation, and decision criteria for each approach.
EKS managed add-ons with categories and field management, VPC CNI with Prefix Delegation, CoreDNS tuning, and EBS CSI Driver with IRSA for dynamic PersistentVolumes.
IRSA OIDC flow with ProjectedServiceAccountToken and STS AssumeRoleWithWebIdentity, EKS Pod Identity with add-on and ABAC session tags, and decision criteria for each approach.
Managed node groups with labels and taints, Fargate Profiles with limitations, cluster version upgrade in order, 4 phases of node group update, and kubectl drain without downtime.
eksctl ClusterConfig YAML, kubeconfig with aws eks update-kubeconfig, VPC CNI Secondary IP Mode and Prefix Delegation, pod density per instance type, and cluster verification.
Hierarchies with get-parameters-by-path, String/StringList/SecureString types, Standard vs Advanced tiers, Parameter Policies, CDK dynamic references, and SSM vs Secrets Manager decision criteria.
AWSPENDING/AWSCURRENT/AWSPREVIOUS version lifecycle, the 4 rotation function steps, Single User vs Alternating Users, native RDS rotation, custom rotator, and resilient applications.
AWS Budgets with automatic actions (SCP, IAM, stop instances), mandatory tag hierarchy for chargeback, Tag Policies, AWS Config for compliance, and cost allocation models.
GetCostAndUsage API with tag filters and AmortizedCost, Cost Anomaly Detection with monitors and thresholds, Compute Optimizer for EC2/Fargate rightsizing, and cost governance pipeline.
Spot Instances with up to 90% discount, price-capacity-optimized allocation strategies, instance type diversification, interruption handling via IMDS and EventBridge, and Auto Scaling with mixed instances.
Compute Savings Plans, EC2 Instance Savings Plans and Reserved Instances compared by flexibility, discount and risk. ROI calculation, break-even and over-commitment.
X-Ray Groups with filter expressions, sampling rules by endpoint, annotations vs metadata, distributed trace navigation ALB→Lambda→DynamoDB, and latency diagnosis.
Composite Alarms with AND/OR/NOT logical expressions, anomaly detection with ML dynamic band, alarm actions with Lambda and SSM, and alarm states with missing data treatment.
Logs Insights queries to aggregate errors by endpoint, extract fields with parse, timeseries with bin(), auto-discovered fields, and reusable saved queries.
Custom metrics via EMF in Lambda without API calls, EMF document structure, EMF vs PutMetricData, high-resolution metrics, Powertools Metrics, and high-cardinality pitfalls.
Global Tables v2019 multi-region, last-writer-wins conflict resolution, MREC vs MRSC, rWRU/rWCU cost, DAX with Global Tables, and regional write patterns.
Atomic TransactWriteItems with multiple entities, ConditionExpression for optimistic locking, 2x transaction cost, ClientRequestToken for idempotency, and isolation levels.
DAX cluster architecture, item cache vs query cache, write-through, strongly consistent reads, node sizing, cost-benefit calculation, and patterns where DAX does not help.
DynamoDB Streams anatomy, delivery and ordering guarantees, Lambda event source mapping, event filtering, CDC pattern for OpenSearch, and fan-out to multiple consumers.
GSI with sparse index and write sharding, write amplification with multiple GSIs, GSI throttling back-pressure on base table, LSI vs GSI, and real index cost calculation.
Adjacency list for many-to-many, composite sort keys for hierarchies, GSI overloading for multiple access patterns, and when single-table creates more problems than it solves.
Access patterns first paradigm, generic PK and SK with entity prefixes, item collections, GetItem and Query operations with begins_with and BETWEEN, and single-table design.
NLB for TCP/UDP with static IP and PrivateLink, Gateway Load Balancer for inline inspection with GENEVE, preserve client IP by target type, and North-South topology with GLB.
Native OIDC authentication on ALB with Cognito, mTLS with trust store for machine-to-machine, and WAF Web ACL with managed rules for L7 protection.
Listener rules with multiple conditions (path + header + query string), weighted target groups for ALB canary releases, fixed response for health checks, and CDK/CLI deploy.
Choosing between Lambda@Edge and CloudFront Functions based on latency, body access, cost and deploy. Header injection, URL rewrite, JWT authentication at edge, and CDK deploy.
Structured JSON logs with correlation fields, X-Ray active tracing with custom subsegments, Lambda Insights for per-invocation metrics, and correlation across all three pillars.
Parallel for concurrent branches, inline and distributed Map for iteration, InputPath/Parameters/ResultPath/OutputPath pipeline, and Retry with backoff + Catch by error type.
A practical collection on AWS security covering GuardDuty, Security Hub, IAM Privilege Escalation, Inspector, Config, Macie, CloudTrail, S3 Exfiltration and Threat Modeling.
State machine with Task, Choice, Wait, Succeed and Fail, Standard vs Express Workflow guarantees, execution history for diagnostics, and integration patterns with Lambda and SQS.
Lambda Layers for shared dependencies, external Extensions in the Lambda lifecycle, and Powertools for structured logging, tracing and metrics with minimal code.
Event source mapping for SQS with batch size and bisect-on-error, event filters to process only specific events, partial batch response, and retry and DLQ behavior per source.
Execution environment lifecycle, cold start factors, Provisioned Concurrency, SnapStart for Java/.NET, and PC vs on-demand cost calculation.
FireLens with Fluent Bit for multi-destination log routing, enhanced Container Insights for per-task metrics, and X-Ray daemon as sidecar for distributed tracing.
ECS Service with CODE_DEPLOY deployment type, AppSpec for blue/green, test hooks after traffic shift, automatic rollback with CloudWatch Alarms, and canary/linear strategies.
Capacity Providers for Fargate and Fargate Spot with weights, Application Auto Scaling with custom metrics, backlog per task for SQS, and Spot cost savings calculation.
Fargate awsvpc model with ENI per task, granular security groups, Task Role vs Execution Role, VPC endpoints for private subnets, and ECS Exec for debugging.
ECS Service with ALB Target Group, health checks with grace period, AWS Cloud Map for service-to-service discovery, and when to use each approach.
Complete task definition with multiple containers (sidecar pattern), awslogs driver for CloudWatch, EFS volumes, and CPU/memory limits per task vs per container.
Cached context lookups in cdk.context.json, feature flags to control migration behaviors, and cdk.json structure for teams with reproducible CI.
CustomResource with Provider and AwsCustomResource to provision resources not natively supported, and Aspects to traverse and validate all constructs in a stack automatically.
Sequential and parallel stages with Wave, validation ShellSteps between stages, envFromCfnOutputs, self-mutation in action, and debugging asset publishing failures.
Cross-account bootstrap with --trust, CodeStar Connections with GitHub via OIDC, CDK Pipeline with Source + Build + UpdatePipeline, and self-mutation.
Infrastructure unit tests with aws-cdk-lib/assertions, hasResourceProperties, matchers, Capture, snapshot tests and combined testing strategy.
Lambda deploy with bundled dependencies via NodejsFunction and PythonFunction, DockerImageFunction, and how assets are staged to S3/ECR by CDK.
Multiple stacks with distinct environments, Stage for multi-account, cross-stack references, and when to use stack per account vs nested stacks.
Distinction between L1 (CfnBucket), L2 (Bucket) and L3 (patterns) constructs, escape hatches, Construct Hub, and when each level is appropriate.
CDK v2 project initialization in TypeScript/Python, cdk bootstrap, construct structure, and cdk synth, cdk diff and cdk deploy commands.
Changesets to review changes before applying, drift detection to find divergences, and stack policies to protect critical resources from accidental replacement.
Complete YAML template with typed Parameters, Resources with Ref and Fn::GetAtt, Outputs exported across stacks, and deploy via aws cloudformation deploy with changesets.
SSO profile configuration with IAM Identity Center, assume-role for cross-account context switching, pagination with --page-size and --max-items, and filtering with --query and JMESPath.
Deep dive into Amazon ECS Managed Daemons, a new feature that lets you manage monitoring, logging and security agents independently from applications on ECS Managed Instances.
Meet SQS Admin Panel, a 100% serverless web panel to manage Amazon SQS queues with dashboard, DLQ redrive, export/import and one-command deploy.
Deep dive into Arch CLI, an open source tool that centralizes AWS account management with security auditing, FinOps, containers, monitoring and AI-powered analysis.
Deep dive into AWS IAM Policy Autopilot, an open source tool that now works as a Kiro Power to automatically generate IAM policies from your code.
Deep dive into sub agents in Kiro CLI: how they work, when to use them, orchestration patterns and practical examples to speed up your workflow.
A reflection on the purpose of technology and the Renaissance Developer concept presented by Werner Vogels at AWS re:Invent 2025.
Understand GuardDuty Extended Threat Detection (ETD), see examples of AttackSequence findings, and implement automated responses with EventBridge + Lambda.
Complete guide on DevSecOps in AWS: Policies-as-Code with CloudFormation Guard and OPA, SAST with Amazon Inspector Code, and observability with CloudWatch and X-Ray.
Learn how the new Amazon Inspector code analysis feature lets you detect vulnerabilities directly in your repository, using SAST techniques integrated into AWS DevSecOps.
Strategies to prevent, detect and respond to attacks like Rules File Backdoor affecting Copilot/Cursor
Comprehensive strategies to prevent, detect, and respond to ransomware attacks in AWS environments
Complete guide to protecting S3 data against exfiltration attacks using only AWS services
Complete guide on Amazon Inspector: configuration, findings management, and best practices
Complete guide on AWS IAM Identity Center (SSO): configuration, IdP integration, and best practices
Complete guide on Prowler: an open source tool for security auditing and compliance in AWS
Complete container security guide: comparison between ECS and EKS with best practices
Complete guide to open source tools for reinforcing security in AWS environments: IDS/IPS, containers, SIEM and more
Complete guide on Amazon GuardDuty: advanced features, multi-account integration, and response automation
Advanced guide on Amazon ECS: clusters, task definitions, security, observability, and high availability
Collaborative repository with practical examples and configurations for AWS
Summary of the top security announcements at AWS re:Invent 2024