A Week in Las Vegas
re:Invent hits and misses
Welcome to Unlimited Leave. If you're just joining us from re:Invent, this is a weekly AWS newsletter with a focus on Managing, Governing, and Automating your AWS Environments.
I hope your bags are full of swag, wallets full of cash, and you're on the path to recovering from re:Play.
Now let's see what happened during the week in the world of AWS Management and Governance.
This week's topics
I'm writing this Thursday morning while live streaming Dr. Vogels' Keynote on a swing from the main floor of the Venetian. Thirty minutes in, I can tell a lot of my predictions from last week aren't going to come to fruition -- yet. Pre:Invent announcements didn't seem to carry very well into the week. That's ok. I'm still standing firm.
I'll keep this issue short as I assume you have plenty to catch up on from the week.
If you're looking for a roll-up of all announcements for the week, your best bet is the Top Announcements of AWS re:Invent 2022 blog post. You won't get a rehashing and 'my take' on each one.
- pre:Invent Predictions
- re:Invent 2022 Hot Topics
- Account Assessment for AWS Organizations
Leading up to re:Invent there was some traction on Control Tower, delegated services, and some updates on how Service Catalog can now leverage permissions in child accounts. I was hopeful that those would carry over. There were some early in the week, but not as many as I was hoping.
Those announcements were:
- The delegation of AWS Organizations to a separate administrator account. I haven't played with this during the week yet, but it raises some questions about the protection of SCPs and what really can be done from the delegated account.
- To accompany the delegation of AWS Orgs, the CloudFormation team released the AWS Organizations Resource. This makes sense because now admins can manage Orgs with IaC in the delegated account.
- AWS Backup now has Organization-wide delegation as well as the ability to back up and restore CloudFormation Stacks.
- AWS CloudWatch now has cross-account observability, but it's looking like this needs to be enabled in each account and each region. I'm assuming as soon as you complete that task, AWS will release an Org service trust similar to that of Security Hub to aggregate and enable for all accounts and regions. Don't get ahead of this one just yet.
- Control Tower did get a little extra love early in the week as well with comprehensive control management. I would be remiss if I failed to mention that Control Tower did receive an enhancement for account-level customization, which I did mention might be coming. This isn't the full-on CfCT but it is a start. Expect more features to this in the future.
- I also mentioned we would see some movement towards better CI/CD tools. Looks like AWS CodeCatalyst is that solution. In all fairness, I had beta access to a solution for a while that looked like this. I didn't dig too deep into it and it was disabled for a while leading up to re:Invent. I look forward to playing with this.
- Tools for speeding up the deployment of applications with AWS Application Composer were also released.
re:Invent 2022 Hot Topics
Aside from more hardware announcements Monday night, the theme this year seemed to revolve around Machine Learning. AI/ML isn't something we are going to focus on in the newsletter. However, it's starting to appear that AWS is slowly turning into a SaaS company that uses its own infrastructure and services to build OOTB solutions.
- For instance, SageMaker ML Service had many announcements
- AWS Supply Chain uses ML to 'increase supply chain resilience'
- AWS Connect also received updates with ML implemented in the back-end
Again, there were a lot of quality announcements but not a lot we will focus on in the niche of Management and Governance.
Account Assessment for AWS Organizations
If you are in the business of moving accounts between Organizations or taking ownership of Accounts from other Organizations, you run the risk of breaking things in the transition.
The Solution? Account Assessment for AWS Organizations
I had the luxury of talking with the creator of this solution. This solution is fairly new but there is a lot on the roadmap. For me personally, this solution is going to be a huge time saver in the near future as I have to absorb approximately 100 accounts from an Organization that I have no visibility of at the moment. When I get access, I'm going to have very little time to run an inventory of all the roles, trusts, and resource shares in the Organization. This solution is going to help immensely with that.
I missed the session (COP325) but hopefully, it will be available online later. Since it was a Chalk Talk, I'm thinking it wasn't recorded.
Now that re:Invent is over, expect the content here to be more focused on the actual implementation of solutions for securing and automating in your environments.
I had a lot of conversations during the week with both AWS Employees close to Management and Governance (CloudOps) as well as other architects around the conversation of multi-account and multi-org.
There were a lot of mixed emotions on the topic and solid points. Some say it will never happen. Others see where it could be useful in very specific use cases. I'll admit, my use cases have always been pretty edgy. 90% or more will not need multiple Organizations. However, the principles I plan to discuss in this newsletter port well from single Organization architectures. The rest is done with automation.
I was asked at one point if I am doing multi-org because of the lack of service functionality or for some other reasons. As in - if some functionality or services were included in Organizations today, would I still be doing multi-org? The short answer to that question is, I think so. In other situations my response would be - it depends.
I plan to talk more about this next week, just to provide some clarification on my 'Case for Multi-Org'.