Is AWS's Block Public Access Secure By Default?
90% of Java Services in Production Have Vulnerability Risk
Welcome to a brand new edition of the CloudPro! Today, we’ll talk about:
Masterclass:
Fixing AWS Step Function errors due to reference to inactive AWS Batch Job Definition revisions
What Tech Stacks Are Needed For Cloud-Native Architecture In 2024
Secret Knowledge:
Techwave:
HackHub: Best Tools for the Cloud
Cheers,
Editor-in-Chief
MasterClass: Tutorials & Guides
Introduction to Microfrontends
Microfrontends revolutionize web development by breaking down frontends into modular units, promoting flexibility and scalability. They enable independent development, diverse technology choices, and seamless integration. Challenges include cross-cutting concerns and team collaboration, mitigated by centralized services and effective communication. Deploying microfrontends involves setting up CI/CD pipelines and configuring infrastructure. Best practices include vertical team organization, isolation of code, and comprehensive testing.
3 Proven Patterns for Reporting with Serverless
Replicate to Read: Directly accesses data from original sources, simple and fast, but may lack optimization for reporting and requires careful connection management.
Split for Speed and Read: Balances speed and queryability by combining direct data access with transformations for reporting, facing challenges in connection management and complexity.
Eventually Readable: Focuses on ultimate flexibility by unifying data for diverse analysis, but increases complexity, latency, and requires extensive engineering effort.
Fixing AWS Step Function errors due to reference to inactive AWS Batch Job Definition revisions
The issue arises when AWS Step Functions reference inactive AWS Batch Job Definition revisions, leading to failures in ongoing executions. CloudFormation, upon updating a Job Definition, marks previous revisions as inactive, causing errors for Step Functions tasks using these inactive revisions.
The workaround involves creating unique Job Definitions for each change, appending a timestamp to their names. This prevents conflicts and ensures version management. Additionally, applying DeletionPolicy: Retain and UpdateReplacePolicy: Retain properties preserves previous versions while creating new ones.
To manage clutter, a resource tag with creation timestamps is added, allowing deletion of old Job Definitions after a specified period. A CloudFormation template example illustrates this workaround, ensuring stability and avoiding errors in Step Functions executions during Job Definition updates.
Automated cleanup scripts help manage old Job Definitions, ensuring the environment remains tidy. Although AWS hasn't provided a direct solution, this workaround effectively mitigates the issue.
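As an added illustration (not code from the article or from AWS), here is the naming and cleanup logic behind that workaround in Python. It assumes a hypothetical scheme in which each Job Definition name ends in a UTC timestamp and carries a CreatedAt tag in ISO-8601 form, and a 30-day retention window; the CloudFormation template with DeletionPolicy: Retain and UpdateReplacePolicy: Retain is not reproduced here. The sample DescribeJobDefinitions items are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

TAG_KEY = "CreatedAt"           # assumed tag name; any key works as long as it is consistent
RETENTION = timedelta(days=30)  # assumed window; keep it longer than any execution that may still run


def unique_job_definition_name(base: str, now: Optional[datetime] = None) -> str:
    """Name that changes on every template update, so CloudFormation creates a
    new Job Definition instead of revising (and inactivating) the old one."""
    now = now or datetime.now(timezone.utc)
    return f"{base}-{now.strftime('%Y%m%dT%H%M%SZ')}"


def select_stale(job_definitions, now, retention=RETENTION):
    """Return 'name:revision' ids whose CreatedAt tag is older than the retention window.

    `job_definitions` has the shape of Batch DescribeJobDefinitions items.
    Untagged definitions were not created by this scheme and are left alone;
    anything inside the window is kept so that still-running Step Functions
    executions never point at a deregistered revision."""
    cutoff = now - retention
    stale = []
    for jd in job_definitions:
        created = jd.get("tags", {}).get(TAG_KEY)
        if not created:
            continue
        if datetime.fromisoformat(created) < cutoff:
            stale.append(f"{jd['jobDefinitionName']}:{jd['revision']}")
    return stale


def deregister(stale, dry_run=True):
    """Deregister the selected definitions; with dry_run only report what would go."""
    if not dry_run:
        import boto3  # imported lazily so the selection logic runs without AWS credentials
        batch = boto3.client("batch")
        for jd in stale:
            batch.deregister_job_definition(jobDefinition=jd)
    return list(stale)


# Constructed sample in the shape of DescribeJobDefinitions output items.
SAMPLE = [
    {"jobDefinitionName": "etl-job-20240101T000000Z", "revision": 1, "status": "ACTIVE",
     "tags": {"CreatedAt": "2024-01-01T00:00:00+00:00"}},
    {"jobDefinitionName": "etl-job-20240420T120000Z", "revision": 1, "status": "ACTIVE",
     "tags": {"CreatedAt": "2024-04-20T12:00:00+00:00"}},
    {"jobDefinitionName": "legacy-job", "revision": 3, "status": "ACTIVE", "tags": {}},
]
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed "current time" for the sample

if __name__ == "__main__":
    print(unique_job_definition_name("etl-job", NOW))
    print(deregister(select_stale(SAMPLE, NOW)))
```

Run the script as a scheduled job with dry_run=False once you are satisfied with what it reports; the retention window is the only thing standing between a cleanup run and a Step Functions execution that still references an old revision, so size it to your longest-running workflow.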
What Tech Stacks Are Needed For Cloud-Native Architecture In 2024
Docker Compose simplifies project setups by managing backend services, databases, and other aspects with just one command: `docker-compose up`. It eliminates the need to manually download and configure services like PostgreSQL, avoiding conflicts and dependencies. This streamlines the project setup process for developers, maintainers, contributors, and users, allowing them to focus on the project itself.
Many projects rely on various services like databases or backend servers. Managing these services manually can be tedious and time-consuming, leading to frustration and wasted time. Docker Compose abstracts away these complexities, allowing everyone to work on the project without worrying about dependencies or conflicts.
Implementing Docker Compose involves creating a `docker-compose.yml` file to define project services. Each service, like frontend, backend, or database, is configured within this file. Docker Compose then automatically builds Docker containers based on these configurations, simplifying the setup process. Dependencies between services can be managed, ensuring they start up in the correct order.
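To show what that dependency handling amounts to, here is an added example (not code from the article or from Docker) that resolves the startup order implied by depends_on for a constructed docker-compose.yml and rejects cycles, which Compose refuses as well. The compose document is embedded as the dictionary PyYAML would produce so the script runs without extra packages.

```python
from collections import deque

# Constructed example, as PyYAML would load this docker-compose.yml:
#   services:
#     db:       {image: postgres:16}
#     cache:    {image: redis:7}
#     backend:  {build: ./backend, depends_on: [db, cache]}
#     frontend: {build: ./frontend, depends_on: [backend]}
COMPOSE = {
    "services": {
        "db": {"image": "postgres:16"},
        "cache": {"image": "redis:7"},
        "backend": {"build": "./backend", "depends_on": ["db", "cache"]},
        "frontend": {"build": "./frontend", "depends_on": ["backend"]},
    }
}

# Constructed counter-example: a cycle Compose would reject.
CYCLIC = {"services": {"a": {"depends_on": ["b"]}, "b": {"depends_on": ["a"]}}}


def dependencies(service_cfg):
    """depends_on is either a list or the long form {name: {condition: ...}}."""
    deps = service_cfg.get("depends_on", [])
    return list(deps.keys()) if isinstance(deps, dict) else list(deps)


def startup_order(compose):
    """Kahn's algorithm over the depends_on graph: every service appears after
    the services it depends on; ties are broken alphabetically."""
    services = compose["services"]
    indegree = {name: 0 for name in services}
    dependents = {name: [] for name in services}
    for name, cfg in services.items():
        for dep in dependencies(cfg):
            if dep not in services:
                raise ValueError(f"{name} depends on undefined service {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(services):
        cycle = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {cycle}")
    return order


def is_startable(compose):
    """True when the services can be ordered, False on cycles or dangling references."""
    try:
        startup_order(compose)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(startup_order(COMPOSE))
```

Note that depends_on only orders container start; whether PostgreSQL is ready to accept connections is a separate question, which is what the long-form condition: service_healthy setting together with a healthcheck addresses.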
Secret Knowledge: Learning Resources
List of tools for managing Kubernetes on Linux
GUIs and IDEs:
Aptakube GUI: Debian package available for Ubuntu and Debian-based distros, with a 15-day free trial.
Kubernetic: Linux client available as an appimage, simplifies cluster management.
Lens - The Kubernetes IDE: Offers .deb, .rpm, .snap, and AppImage for easy installation.
Podman Desktop: Provides flatpak and tar.gz for Linux, allows parsing and generating Kubernetes YAML files.
JetPilot: A cross-platform Kubernetes desktop client compatible with Linux.
Web UIs:
Kubernetes Dashboard: Can be run on Linux localhost for cluster management.
Portainer: Web UI for managing clusters, works on Linux via local installation.
Headlamp: Fully functional Kubernetes UI, adaptable with a plugin system.
Minikube GUI: Currently in prototyping stage.
CLIs and "Hybrids":
KUI: Enhances kubectl commands with graphics for easier interaction.
k9s: Stylish Kubernetes CLI for cluster management.
Other Tools:
Octant: Helps developers understand app performance on Kubernetes clusters, available for Linux with .deb, .rpm, and .tar.gz options.
What Could Be A Better Alternative To Backstage
A Backstage alternative needs to have the following features:
Ease of Use: The alternative should be easy to configure and use, allowing platform engineering teams to get started in under five minutes. It should not require extensive documentation or technical expertise to operate effectively.
Low Maintenance: To minimize upkeep, the solution should leverage existing scripts and tools used by platform engineers. This avoids the need for custom integrations and dedicated maintenance roles.
Intuitive for Developers: The user interface should follow the "Keep It Simple, Stupid" (KISS) principle, prioritizing simplicity and clarity. Developers should be able to self-serve for their tasks without unnecessary complexity.
How Jersey Mike's Rebuilt their Infrastructure during COVID
Jersey Mike’s is known for its delicious sandwiches, but what sets it apart is its commitment to the community. During the pandemic, they offered a huge discount on sandwiches, leading to a surge in orders through their mobile app. However, their old system couldn't handle the demand, so they revamped their infrastructure using AWS services.
They set up AWS Control Tower to manage multiple AWS accounts and automate account provisioning. With CloudFormation templates, they automated the deployment of infrastructure components like EKS for Kubernetes, Fargate for container orchestration, and RDS for databases. They also ensured scalability by using EKS with Fargate, which adjusts resources according to demand.
These changes allow Jersey Mike’s to handle high demand, save costs, and reduce the workload for their team, ensuring a fresh and reliable experience for their customers.
Automatic Image Update to Git using Flux and GitHub Actions
Automatic image updates using GitOps streamline the process of keeping containerized applications up-to-date and secure. GitOps automates updates, ensuring timely deployments, consistency across environments, and fostering collaboration. Tools like Flux and Argo CD automate image updates based on predefined policies, enhancing workflow efficiency. Integration with GitHub Actions enables automated deployments to staging and manual approvals for production releases. During incidents, GitOps allows for pausing updates and reverting to previous versions as needed.
Kubectl Port-forward Flow Explained
kubectl port-forward allows users to access a pod in a Kubernetes cluster from their local machine.
Initialization: User runs kubectl port-forward with pod details.
Auth & Authz: CLI authenticates with Kubernetes API server, checks permissions.
Info Retrieval: CLI fetches pod details from API server.
Port-forwarding: CLI requests port-forwarding, API server establishes a connection.
Configuring iptables: Kubelet sets up rules for traffic redirection.
SPDY Session: User interacts with the pod's app via SPDY.
This enables seamless interaction with pod apps from a local environment.
TechWave: Cloud News & Analysis
90% of Java Services in Production Have Vulnerability Risk
A recent report by Datadog sheds light on the security landscape of Java services in production environments.
90% of Java services face critical or high-severity vulnerabilities from third-party sources.
Despite numerous alerts, only 0.0065% of automated security scanner attempts successfully exploit vulnerabilities.
The adoption of short-lived credentials in CI/CD pipelines, crucial for preventing data breaches, remains low, with only 37% of organizations using keyless authentication.
Postman Makes AI Tool for API Management Platform
Postman has launched Postbot, an AI tool that automatically generates tests and documentation for APIs, aiming to enhance API quality and streamline development. Leveraging open-source large language models, Postbot simplifies API testing and documentation creation, addressing the growing complexity of managing APIs amid the rise of microservices. With the proliferation of APIs, developers will increasingly rely on AI tools to manage them effectively.
GitHub Preview of Copilot Workspaces Advances AI Agenda
GitHub introduced a technical preview of GitHub Copilot Workspace, which uses AI to assist software engineering teams in completing tasks like generating code, creating builds, and running tests. This tool, powered by advanced reasoning engines and large language models (LLMs), allows teams to automate various aspects of the development process via natural language commands. By simplifying project management and embedding AI into DevOps workflows, GitHub Copilot Workspace aims to streamline software development.
Is AWS's Block Public Access Secure By Default?
This article discusses the state of Amazon's Block Public Access feature, which helps prevent public access misconfigurations in AWS services. It categorizes the feature into three types based on default settings and configuration options. The article provides insights into the availability and settings of Block Public Access across various AWS services, such as S3, DynamoDB, and EC2. It also outlines best practices for configuring Block Public Access and highlights recent updates and historical milestones related to this feature. Additionally, it offers recommendations for account configuration and identity and access management to enhance security.
What’s the biggest unsolved problem within Site Reliability Engineering?
The biggest unsolved problem in Site Reliability Engineering (SRE) is how to effectively pass on knowledge and experiences across generations, particularly between those who have hands-on experience with traditional data center infrastructure and those who are more familiar with cloud-based systems. This challenge arises due to the vast differences in occupational experiences and perspectives. While newer generations of SREs may be adept at managing complex systems at scale in the cloud, they lack firsthand experience with legacy systems and traditional infrastructure management. Bridging this gap in understanding is essential for ensuring the continuity and evolution of SRE practices.
Minimizing on-call burnout through alerts observability
The article discusses how to prevent on-call workers from burning out due to too many alerts. They use tools like Prometheus and Alertmanager to manage alerts but found limitations in their setup. They improved it by storing alert data in a database and using Grafana for visualization. This helped them understand which alerts were working well and which ones needed fixing, making the on-call process more efficient and preventing burnout.
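As an added example (not the article's code), here is the smallest version of that idea in Python: store what Alertmanager posts to a webhook receiver in SQLite and ask it which alerts fire most and which resolve almost immediately. The payload layout (version, status, alerts with labels, annotations, startsAt and endsAt) is Alertmanager's documented webhook format; the notifications, the table layout and the 300-second threshold are constructed for this example.

```python
import json
import sqlite3

# Constructed webhook bodies in Alertmanager's webhook receiver format.
SAMPLE_NOTIFICATIONS = [
    {"version": "4", "status": "firing", "receiver": "oncall", "alerts": [
        {"status": "firing", "labels": {"alertname": "HighLatency", "severity": "page", "service": "api"},
         "annotations": {"summary": "p99 latency above 2s"},
         "startsAt": "2024-05-01T10:00:00Z", "endsAt": "0001-01-01T00:00:00Z"},
        {"status": "firing", "labels": {"alertname": "DiskFull", "severity": "page", "service": "db"},
         "annotations": {"summary": "disk at 95%"},
         "startsAt": "2024-05-01T10:02:00Z", "endsAt": "0001-01-01T00:00:00Z"},
    ]},
    {"version": "4", "status": "resolved", "receiver": "oncall", "alerts": [
        {"status": "resolved", "labels": {"alertname": "HighLatency", "severity": "page", "service": "api"},
         "annotations": {"summary": "p99 latency above 2s"},
         "startsAt": "2024-05-01T10:00:00Z", "endsAt": "2024-05-01T10:03:00Z"},
    ]},
    {"version": "4", "status": "firing", "receiver": "oncall", "alerts": [
        {"status": "firing", "labels": {"alertname": "HighLatency", "severity": "page", "service": "api"},
         "annotations": {"summary": "p99 latency above 2s"},
         "startsAt": "2024-05-01T10:10:00Z", "endsAt": "0001-01-01T00:00:00Z"},
    ]},
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS alert_events (
    alertname TEXT NOT NULL,
    severity  TEXT,
    status    TEXT NOT NULL,
    starts_at TEXT NOT NULL,
    ends_at   TEXT,
    labels    TEXT NOT NULL
)"""


def open_store(path=":memory:"):
    """Open (or create) the event store; a file path gives Grafana something to read."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def ingest(conn, notification):
    """Flatten one webhook POST body into one row per alert; returns rows written."""
    rows = [(a["labels"].get("alertname", "<none>"), a["labels"].get("severity"),
             a["status"], a["startsAt"], a.get("endsAt"),
             json.dumps(a["labels"], sort_keys=True))
            for a in notification["alerts"]]
    with conn:
        conn.executemany("INSERT INTO alert_events VALUES (?,?,?,?,?,?)", rows)
    return len(rows)


def noisiest(conn, limit=5):
    """Distinct firing episodes per alertname; a re-sent notification with the
    same startsAt is the same episode, not a new page."""
    cur = conn.execute("""
        SELECT alertname, COUNT(DISTINCT starts_at) AS episodes
        FROM alert_events WHERE status = 'firing'
        GROUP BY alertname ORDER BY episodes DESC, alertname LIMIT ?""", (limit,))
    return cur.fetchall()


def short_lived(conn, max_seconds=300):
    """Alerts that resolved within max_seconds of firing: candidates for a
    longer `for:` clause in the rule, or for not paging at all."""
    cur = conn.execute("""
        SELECT alertname, starts_at, ends_at,
               (julianday(ends_at) - julianday(starts_at)) * 86400 AS seconds
        FROM alert_events
        WHERE status = 'resolved' AND ends_at NOT LIKE '0001-%'
          AND (julianday(ends_at) - julianday(starts_at)) * 86400 <= ?""", (max_seconds,))
    return cur.fetchall()


def demo_store():
    """Load the constructed notifications into an in-memory store."""
    conn = open_store()
    for notification in SAMPLE_NOTIFICATIONS:
        ingest(conn, notification)
    return conn


if __name__ == "__main__":
    conn = demo_store()
    print("noisiest:", noisiest(conn))
    print("short-lived:", short_lived(conn))
```

In a real receiver, ingest() is what the HTTP handler calls with the decoded request body; the two queries are the kind of panel the article puts in Grafana so the team can see which rules page people without telling them anything.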
HackHub: Best Tools for Cloud
One command sets up your development environment anywhere, automating the complex process of provisioning, configuration, and secure connection.
A Linux/Unix desktop environment built with the Fyne toolkit, featuring material design and easy development in Go language, requiring specific runtime dependencies for optimal performance.
A PostgreSQL extension offering index recommendations for query performance enhancement, supporting generic parameters, materialized views, and identifying obscured tables/columns by views.
A SAST tool designed to identify and prevent hardcoded secrets such as passwords, API keys, and tokens in Git repositories, available for installation via Homebrew, Docker, or Go, with support for pre-commit hooks and GitHub Actions for integration into development workflows.
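To show what such a pre-commit check does, here is an added example in Python that is not the tool described above: it scans only the added lines of a staged diff for a few illustrative secret patterns, redacts what it reports, and honours an inline allowlist marker. The diff, the allowlist convention and the rule set are constructed for the example; the AWS key in it is AWS's own documented placeholder value.

```python
import re
import subprocess
import sys

# Illustrative rules only; a real scanner ships hundreds with entropy checks.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-password": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}
ALLOW_MARKER = "# secret-scan: allow"  # assumed inline allowlist convention

# Constructed staged diff, as `git diff --cached` would print it.
STAGED_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-OLD_TOKEN = "deadbeefdeadbeef"
+TEST_PASSWORD = "not-a-real-secret-123"  # secret-scan: allow
"""


def redact(value):
    """Never echo a candidate secret back in full: keep a 4-character prefix."""
    return value[:4] + "****"


def scan_diff(diff_text):
    """Return (path, new_line_number, rule, redacted_value) for every hit on an added line."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = re.sub(r"^[ab]/", "", raw[4:])
        elif raw.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith(" "):
            new_line += 1            # unchanged context line
        elif raw.startswith("+"):
            new_line += 1            # added line: the only kind that enters the repo
            line = raw[1:]
            if ALLOW_MARKER in line:
                continue
            for rule, pattern in PATTERNS.items():
                m = pattern.search(line)
                if m:
                    value = m.group(m.lastindex or 0)  # last group = the value, else whole match
                    findings.append((path, new_line, rule, redact(value)))
        # removed lines ("-") and file headers are ignored
    return findings


def main():
    """Pre-commit entry point: non-zero exit blocks the commit."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, line, rule, value in findings:
        print(f"{path}:{line}: {rule}: {value}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire main() into .git/hooks/pre-commit or a pre-commit framework entry and the commit fails before the secret reaches history, which is far cheaper than the rotation a leaked key requires after the fact.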
If your company is interested in reaching an audience of developers, technical professionals, and decision makers, you may want to advertise with us.
If you have any comments or feedback, just reply back to this email.
Thanks for reading and have a great day!