July 10, 2022

3rd Generation Graviton

Recently AWS released Graviton 3 processes (at least in the US initially anyway) and it was time to take them for a run against our everyday performance test. There are a few things to keep in mind before we dig into these stats. First off, the stated performance improvements may not reflect significantly in ’everyday’ workloads, as it looks like there were efforts put into specific areas as follows: up to 2x better floating-point performance up to 2x faster crypto performance up to 3x better ML performance Compared to Graviton2. Read more

February 26, 2022

AWS Account Setup

I often read or hear about people starting their AWS journey by setting up new AWS account and getting themselves into trouble when someone breaks in and runs up a huge bills. With that in mind I thought I would write a CloudFormation template with the services I recommend in a base setup and also describe some of the things I setup. Root MFA Once you’ve signed up with your “Root” user, setup MFA: Read more

August 29, 2021

WAFv2 CloudFront CDK

In the last post I covered off how to create a REGIONAL WAF in CDK. In this post I’m going to create a CLOUDFRONT WAF. This is a little bit more involved. I’m going to assume that your application stack is not in us-east-1 and thus we’ll need to create another stack in us-east-1. This is going to use several of the tricks we discussed in an earlier post. Existing Let’s say you have an existing stack that has a CloudFront distribution in it. Read more

August 29, 2021

WAFv2 CDK

AWS CDK Doesn’t yet have a highlevel WAFv2 construct. Using the learnings I’ve recently discussed, I’ve created two constructs. One you can use for REGIONAL WAFs and one for CLOUDFRONT WAFs. AWS CDK seems to be moving towards an approach of having cross regional resources created via custom resources, but this doesn’t exist for WAF yet, and I’ve had mixed results. In this post we will first start with the REGIONAL solution. Read more

August 23, 2021

Route 53 DNSSEC

I love security and love to keep my systems security. I have been using capabilities such as SPF and DKIM records and more recently DMARC records and ensuring I have quality SSL setup on my web server and testing using https://www.ssllabs.com/ssltest/ and ensuring I have quality headers too and test using https://securityheaders.com/. Now that Route 53 supports DNSSEC (https://datatracker.ietf.org/doc/html/rfc4033) I figured it was about time I enabled it. You can find some information about DNSSEC and enabling on your domain by following the AWS blog post: https://aws.amazon.com/blogs/networking-and-content-delivery/configuring-dnssec-signing-and-validation-with-amazon-route-53/. Read more

© Greg Cockburn

Powered by Hugo & Kiss.