🧃 OH YEAH! - We're Back!!!

Updates, re:Invent, and Large-scale resource inventory

🎅 Merry Christmas!!! 🛷 This is Unlimited Leave, in case you forgot you were subscribed, we’re the AWS Management and Governance newsletter sharing news, tips, tricks, and resources that will help you manage one (or more) AWS Organizations with rigor and scalability.

After a 6 month break, we’re busting back into your inbox like the Kool-Aid man in your (or your parents) 1978 Kitchen.

Hopefully, this is a nice surprise to accompany your lump of coal, the necktie from the kids, or the vacuum you got from your husband who means well but misses the mark. EVERY. DAMN. YEAR.

This week's topics

  • A few quick updates

  • Notable re:Invent Announcements

  • Run scheduled ECS tasks across Multiple Orgs and/or Accounts

A few quick updates

Before completely dropping out of your inboxes, I completed refunds for all of the faith-filled, trusting, and supportive individuals who wanted in on my Greenfield AWS Organizations Course. Not that you all aren’t supportive. You are. However, to those who stepped out to support something that wasn’t complete, I’ll forever be grateful. It meant a lot to me that you were willing to support me through this email content alone.

That process started to hit some snags very quickly when I realized recording, editing, and supplying supporting documentation — along with the infrastructure to deploy the resources — all on my own was going to be a problem. The quality that I wanted to provide just wasn’t going to be possible and my desire to put out ‘perfect’ products was quite paralyzing. I’m working on that.

Account migration and ownership

Around this time, I was also wrapping up some M&A activities where I was solely responsible for the migration and management of dozens of AWS accounts. The stress and juggling of tasks became a lot and my natural inclination was to support the course as well as my subscribers. That was a clear conflict of priority and I had to focus on the big rocks.

I’m happy to announce that the initial cleanup and fallout from that large-scale project is complete. No issues. No outages. Many surprises and lessons learned that over time I’m excited to share here. There are still many cleanup tasks ahead, but those can be managed and prioritized appropriately.

Personal Challenges

It’s been on my radar for as long as I can remember but without external validation and motivation I neglected it my whole adult life. Through many conversations and obvious signs during this stressful time, my wife convinced me (requested) that I get evaluated for some neurodivergent symptoms.

Let’s just say, no surprises there… I’m still working to dial things in but have seen major improvements where it matters the most. Home and family.

New momentum and excitement

I have things in the works currently to supplement this newsletter, continue to provide enhanced value for supporting AWS Organizations and replace the content that was originally going to be course content. Just without the revolving door of outdated content.

This newsletter will continue to get attention going forward in 2024. Through re:Invent this year I realized how much I missed providing updates on the AWS Services and Features I use daily. This newsletter helped me implement and better understand all of the announcements. On that note…

Post re:Invent Hangover

I did not get to go to re:Invent this year. Multiple reasons there, but honestly, having gone in recent years and been overwhelmed, not attending allowed me to pay much closer attention to what was happening with all of the announcements and tinker in real time.

Now that things have settled down, I’ve had a chance to collect the main announcements that brought me the most excitement. Granted, some of the Bedrock and other AI/ML announcements were interesting, but none of them made much of a difference to the work I do directly.

Here are the few that made the most impact for me:

  • New from AWS: You can now customize security controls in AWS Security Hub - huge from my perspective. A long time coming. In a recent issue, I shared the custom (aws-samples) framework for disabling and managing cross-account/region controls using Lambdas and Step Functions. This was a pleasant update to finally have but also caused a decent amount of rework to have to surgically remove the old solution.

  • Announcing AWS Console-to-Code (Preview) to generate code for console actions - more of a fun announcement than a need. Still not as good as the AWS Console Recorder Chrome plugin but has a promising application to help less savvy developers meet my organizational requirements of deploying most everything with code long-term.

  • AWS CloudFormation introduces Git management of stacks - I saw this one coming. I noticed in the console in late August or early September the ability to link to GitHub when in the CFN Console. Though the functionality didn’t work, it was clearly a misfire and I submitted it through channels and it was promptly removed.

  • Automate AWS Control Tower landing zone operations using APIs - after previously not having any API actions for CT, this was a pleasant surprise and also a long time coming. This is a prime example of how I realized building a course to implement these tools would need constant updates, modifications, and testing. I’m still not in a place to commit that time to keep the content fresh and relevant.

  • Use IAM Identity Center APIs to audit and manage application assignments - getting group and permission set assignments programmatically was something I’ve always waited for and even tried to build a custom solution for. This came at just the right time.

  • Recent honorable mentions:

    • More Security Hub Controls

    • Inspector Container Insights

    • Cost Anomaly Detection support for CloudFormation

    • Control Tower Landing Zone Control & Policy updates

Run scheduled ECS Tasks across Multiple Orgs and/or Accounts

As with many topics in the newsletter, the configurations I’ve inherited or taken over have been composed of multiple AWS Organizations. Sometimes 2-3. Other times 50-60.

After a recent acquisition of multiple AWS Accounts into existing Organizations, as well as the addition of more Organizations, I had to come up with a way to run a very specific process/service across all accounts in all organizations. The particular service in question was already containerized and seemed to be the least amount of effort to get up and running and then iterate on over time.

The problem required the containerized service to take a configuration file. The issue is that the configuration may need to change before every scheduled task run.

The process of modifying the configuration boiled down to having the configuration stored in our source control, tested and verified, and then uploaded to the SSM Parameter Store parameter for the respective task. At some point, this process may become automated as well.

The sanitized CloudFormation to deploy the basic solution can be found here:

The solution uses CloudFormation Loops (Fn::ForEach) to deploy N ECS Task Definitions, SSM Parameters, and companion EventBridge Schedules from a single template.
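As an added illustration (not the newsletter's sanitized template), here is a minimal Fn::ForEach template that stamps out one SSM parameter, one Fargate task definition and one EventBridge Scheduler schedule per name in TaskNames. The ECS cluster, subnets, container image and the two IAM roles are assumed to already exist and are passed in as parameters; the task names are constructed sample values.

```yaml
Transform: AWS::LanguageExtensions          # enables Fn::ForEach
Parameters:
  TaskNames:                                # one parameter, task definition and schedule per name
    Type: CommaDelimitedList
    Default: 'inventory,compliance'         # constructed sample names; must be alphanumeric (used in logical IDs)
  ClusterArn:        { Type: String }
  SubnetIds:         { Type: CommaDelimitedList }
  ImageUri:          { Type: String }       # the already-containerized service
  ExecutionRoleArn:  { Type: String }       # assumed to allow ssm:GetParameters on /scheduled-tasks/* only
  SchedulerRoleArn:  { Type: String }       # assumed to allow ecs:RunTask on ClusterArn plus iam:PassRole
Resources:
  'Fn::ForEach::ScheduledTasks':
    - TaskName
    - !Ref TaskNames
    - 'Config${TaskName}':
        Type: AWS::SSM::Parameter
        Properties:
          Name: !Sub '/scheduled-tasks/${TaskName}/config'
          Type: String
          Value: '{}'                       # placeholder; the tested config is uploaded here before each run
      'TaskDef${TaskName}':
        Type: AWS::ECS::TaskDefinition
        Properties:
          Family: !Sub 'scheduled-${TaskName}'
          RequiresCompatibilities: [FARGATE]
          NetworkMode: awsvpc
          Cpu: '256'
          Memory: '512'
          ExecutionRoleArn: !Ref ExecutionRoleArn
          ContainerDefinitions:
            - Name: app
              Image: !Ref ImageUri
              Secrets:                      # read at container start, so every run sees the current value
                - Name: APP_CONFIG
                  ValueFrom: !Ref 'Config${TaskName}'   # the loop substitutes ${TaskName} here too
      'Schedule${TaskName}':
        Type: AWS::Scheduler::Schedule
        Properties:
          ScheduleExpression: 'rate(1 day)'
          FlexibleTimeWindow: { Mode: 'OFF' }
          Target:
            Arn: !Ref ClusterArn
            RoleArn: !Ref SchedulerRoleArn
            EcsParameters:
              TaskDefinitionArn: !Ref 'TaskDef${TaskName}'
              LaunchType: FARGATE
              NetworkConfiguration:
                AwsvpcConfiguration:
                  Subnets: !Ref SubnetIds
                  AssignPublicIp: DISABLED  # private subnets need NAT or VPC endpoints for ECR and SSM
```

Because the config is injected through the task definition's Secrets rather than baked into the image, the execution role is the only principal that needs to read those parameters, so scoping it to the /scheduled-tasks/ path keeps one task's configuration from being readable by another.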

More to come with this over time but I wanted to provide you something with this first issue back after a long time.

Thank you!

Lastly, thank you all again for hanging on and staying on this list. If you find you no longer get value from this content, please feel free to unsubscribe. If you have any issues doing so, email me directly and I’ll get you removed.

Going forward, after the first week of the year, I plan on being active again. An email every 2 weeks is the schedule at the moment.

As we roll into a new year I’d like to share some thoughts from Epictetus that helped spark my motivation to get back to sharing with this community.

Disclaimer: The resources and topics shared within this newsletter are for informational use only. Any resources deployed or tools implemented are done so at your own risk. Do your research and testing before the implementation of any resource or service deployed for any workload.