Unwrapping a new AWS account, a checklist

Here’s a checklist of what I do when I unwrap a new AWS account.
I’m hoping to get some feedback on what else is being done out there.

I might create separate AWS accounts for these reasons:

– New Client (yay!)
– New Project
– New Environment

The Checklist

We begin cleaning up as root, right after registration is completed.

1) User Setting: Password should be >= 32 char, max-miX3d! (generate programmatically, never re-use)
2) User Setting: Enable MFA
3) Account Setting: Enable IAM Billing Support (AWS Security Blog: “Don’t Forget to Enable Access to the Billing Console!”)
4) Account Setting: Enable AWS Support [optional]
5) IAM > Roles: Create role(s) for Vanilya’s admin(s) to use through role switching
6) IAM > Groups: Create group for local-to-account Vanilya admins [edit: usually skip]
7) IAM > Users: Create users for local-to-account Vanilya admins (download & securely store as: name.lastname.account.aws.yyyy.mm.dd.csv) [edit: usually skip]
8) IAM > Users: Add users to the Group created in step #6
9) IAM > Account Settings: Disable unnecessary Security Token Service Regions
10) IAM > Account Settings: Set password policy
11) IAM > Dashboard > Give account a nickname for use in signin URL and other features.

Switch to an admin user, depending on account either local or through Role.
This switch has the added benefit of immediately testing whether you got steps 5-8 correct.

12) VPC > Delete “default” VPC
13) CloudTrail > Enable
14) Config > Enable
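
An added example, not part of the original checklist: a programmatic root password for step 1 and an audit of steps 2, 10, 12 and 13 run over dicts constructed to mirror the shapes boto3 returns for iam.get_account_summary(), iam.get_account_password_policy(), ec2.describe_vpcs() and cloudtrail.describe_trails() (the 14-character minimum and the trail status merge are my assumptions).

```python
import secrets
import string

# Added example (not from the original post): a root password for step 1 and an
# audit of steps 2, 10, 12, 13 over constructed boto3-shaped responses.

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*()-_=+[]{}:,.?")

def generate_root_password(length=32):
    """Random password with at least one char of every class; length >= 32 (step 1)."""
    if length < 32:
        raise ValueError("checklist requires >= 32 characters")
    chars = [secrets.choice(c) for c in CLASSES]          # guarantee each class
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                  # no predictable class order
    return "".join(chars)

def audit_account(summary, policy, vpcs, trails):
    """Return a list of findings; an empty list means the checked steps pass."""
    findings = []
    m = summary["SummaryMap"]                              # iam.get_account_summary()
    if m.get("AccountMFAEnabled") != 1:
        findings.append("step 2: root MFA not enabled")
    p = policy.get("PasswordPolicy", {})                   # iam.get_account_password_policy()
    required = ("RequireSymbols", "RequireNumbers",
                "RequireUppercaseCharacters", "RequireLowercaseCharacters")
    if p.get("MinimumPasswordLength", 0) < 14 or not all(p.get(k) for k in required):
        findings.append("step 10: password policy below 14 chars / all classes")
    for v in vpcs.get("Vpcs", []):                         # ec2.describe_vpcs()
        if v.get("IsDefault"):
            findings.append(f"step 12: default VPC {v['VpcId']} still exists")
    # trails: describe_trails() entries merged with get_trail_status()['IsLogging'] (assumed merge)
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings.append("step 13: no multi-region CloudTrail trail is logging")
    return findings

# Constructed sample of a freshly registered account, before the checklist is applied.
FRESH_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0}}
FRESH_POLICY = {"PasswordPolicy": {"MinimumPasswordLength": 8, "RequireSymbols": False,
                "RequireNumbers": False, "RequireUppercaseCharacters": False,
                "RequireLowercaseCharacters": False}}
FRESH_VPCS = {"Vpcs": [{"VpcId": "vpc-0example1234", "IsDefault": True}]}
FRESH_TRAILS = []

def fresh_account_findings():
    """Findings for the constructed fresh account: every checked step should fail."""
    return audit_account(FRESH_SUMMARY, FRESH_POLICY, FRESH_VPCS, FRESH_TRAILS)
```

Against a live account, feed the four boto3 calls named in the comments into audit_account() and treat a non-empty list as steps still to do.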

That’s all that comes to mind for now, happy cleaning!

What do you do first in a new account?

AWS Lambda is the future of virtualization

Just finished implementing my first project with AWS API Gateway + AWS Lambda.
Simply? AWS Lambda is the future of virtualization.
And it’s here, today.

Joining the trend of utilizing standardized slices of computing — represented by a train of technologies like Docker containers, VMs/AMIs, OpsWorks/ElasticBeanstalk/Chef/Puppet/etc — comes “Lambda“, a new contender from AWS.
I recently decided to use it for a project.

AWS Lambda is basically running code (python, nodejs) without managing any servers.
Pay only for resources used: (MB of RAM) * (Total Running Time)

And it’s cheap. Very cheap.
$0.000000208 / smallest unit of computing right now (Dec 2015)
That is the price of 128MB RAM per 100ms.
That is $2.08 × 10^-7.
That is ~1/48,000 of a single cent ($0.01).

First I used the AWS API Gateway UI to create a skeleton RESTful API that wrapped some Lambda functions (=> that in turn interacted with a few 3rd-party APIs). Doing this with API Gateway was very straight-forward. It was as simple as clicking through creating resources (ex: /users), and methods (ex: POST, GET, PUT, etc.) to interact with those resources (POST to /users).

Then I made it so that those API methods triggered Lambda functions.

Then… node.js + Lambda were looming over us for a while.
Suddenly, a single optimization led to a 40% decrease in average Lambda execution time.

Instantly, with the very next request our API served, we had 40% more capacity.

The clouds had parted (no pun intended),
and all I saw were sweet little Lambdas.

Even auto-scaling on EC2 & ECS seems such a waste of resources in comparison with the per-execution resource allocation Lambda provides.

And I imagine $USD/Lambda perpetually dropping, as has been AWS’s policy for everything.
So what if, in time, a single Lambda could become even cheaper?
How cheap could it become? Could it be free?

I feel that Lambda is in prototype form and holds the potential to be a utility-like computing service, or a unit of computing itself, and even if it doesn’t do any of this, Lambda made me think bigger through thinking smaller.

AWS Lambda is a huge step in the evolution of portable, cheap, standardized computing and I’m very excited to see where it goes.

nodejs as a package on the debian family

NodeJS recently updated their install instructions for Debian, Ubuntu and Mint.
Finally, instead of compiling from source, the most recent nodejs/npm packages are available through an official repository.

See https://github.com/joyent/node/wiki/Installing-Node.js-via-package-manager for details, but basically it’s as easy as:
curl -sL https://deb.nodesource.com/setup | sudo bash -
sudo apt-get install -y nodejs

or as a one-liner (the && makes the install run only if the repository setup succeeded):
curl -sL https://deb.nodesource.com/setup | sudo bash - && sudo apt-get install -y nodejs


Bobby Fischer

Bobby Fischer was an American chess Grand Master.
He invented “Chess 960” where the game “employs the same board and pieces as standard chess; however, the starting position of the pieces on the players’ home ranks is randomized.”
960 apparently is the number of different starting positions one can have.
Cool dude.
(Inspiration: http://xkcd.com/1392/large/ )

svbtle wordpress theme

Finally. My favorite blog community’s look is available as a WordPress theme: https://github.com/gravityonmars/wp-svbtle
I’m using it as is, because that’s how lazy I am.
I think this theme has the potential to be the new default.

ubuntu 11.10 alt-tab crashes desktop, restart mandatory to fix

Hello there dear peeps,

If you’re having the above-summarized problem, at your login screen (where you type your password), click the little cogs and choose ‘Ubuntu 2D’ from that list.

Fancy window-switching loses all of its visual appeal, but at least you don’t have to restart 10 times a day because, omg, you pressed ALT+TAB.

Linux would be loved by mainstream PC customers if it could only get rid of its tough-love attitude towards daily users; and I want it so bad to be so.
I’d be a bit more accepting if ALT+TAB was anything but default behavior – on any graphical desktop platform.

Well, honestly, I don’t remember if Win 3.11 had ALT+TAB…

Update: through the guts of the non-Apache stack

The Business
It’s been some time since I wrote here; we’ve had a few setbacks with our chosen name. We were told we’d be facing some trademark litigation if we went forward with it, so dropping that premium domain name, finding the courage to spend money on another premium domain name again was a fairly taxing ordeal.

Now we have a name that’s been cleared of any obvious patent/trademark litigation issues, we’re waiting on the actual domain transfer to our registrar.

New Gadgets
Some new things I’m using this month are Trello from FogCreek, a simple (*agile*, but I don’t use it for that purpose) list-making/organising board. I highly recommend it. The stack behind it is also very contemporary; compared to FogCreek’s other software, Trello is on the cutting edge. LESS for CSS, CoffeeScript for their JS along with backbone.js. You can read more on that at fogcreek: http://blog.fogcreek.com/the-trello-tech-stack/

Amazon Web Services RDS (Relational Database Service) – so here is what Amazon does: take care of the install, maintenance, regular backup/snapshot, and master-slave configuration for your database over multiple availability zones, and give you a single price to pay, a single endpoint to connect to, advanced and flexible security, and lots of metrics to follow the performance of your DB.

I’m extremely pleased with RDS for now. I understand there can be some write latency due to the concurrent/consistent-write nature of their master/slave setup. But off the bat I know my DBs are safe, at least against the most common failures. Some write latency for that peace-of-mind is a worthy tradeoff.

nginx: best thing since slices of virtual machines
nginx: this one I’ve taken up very recently, but I’m extremely pleased with its low-overhead nature. Having to struggle with Apache’s memory demands, in today’s RAM-based-pricing market, was a constant occupation.

When switching over to nginx it’s not just about replacing Apache but replacing mod_php as well. Running PHP as an external daemon has been a new experience, and not without some segfault madness. But it’s also refreshing to have it as an external resource, completely separate yet supported by nginx’s internals. Some of the problems I had to troubleshoot have been very unpopular; I’ve been frustrated with Google a couple of times for making me go in circles, giving too much weight to a single keyword. Sometimes I wished Google would just say ‘Hey buddy, I got nothing for you on this one.’ rather than making me go through pages of irrelevant content.

Outdated Xeon CPUs are recipe for underperforming nginx setups
During our trial and error phase we learned a couple of things. The most shocking was this: AWS will give you old generation Xeon CPUs on their low/mid-end instances. Always check ‘cat /proc/cpuinfo’ to see what generation Xeon you’re using. Apparently the instruction set has seriously been expanded and improved upon, and furthermore modern CPU-focused software like nginx is highly capable of utilizing those new instruction sets, so you’re losing a lot of performance between even a single generation of CPUs.
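
An added example, not part of the original post: a small parser for /proc/cpuinfo that reports the CPU model and which SIMD extensions it does not advertise, so an old-generation Xeon is spotted before benchmarking nginx. The list of extensions to look for and the sample cpuinfo excerpt are my own assumptions.

```python
import re

# Added example (not from the original post): parse /proc/cpuinfo to report the
# CPU model and which instruction-set extensions it lacks. SAMPLE_CPUINFO is a
# constructed excerpt of an older Xeon; WANTED is an assumed list of extensions.

WANTED = ("sse4_2", "avx", "avx2")

def parse_cpuinfo(text):
    """Return (model name, set of flags) for the first processor entry."""
    model = re.search(r"^model name\s*:\s*(.+)$", text, re.M)
    flags = re.search(r"^flags\s*:\s*(.+)$", text, re.M)
    if not model or not flags:
        raise ValueError("not a /proc/cpuinfo dump")
    return model.group(1).strip(), set(flags.group(1).split())

def missing_extensions(text, wanted=WANTED):
    """Extensions from `wanted` that this CPU does not advertise, in the given order."""
    _, flags = parse_cpuinfo(text)
    return [ext for ext in wanted if ext not in flags]

def report_text(text):
    """One-line summary: model name plus the extensions it is missing."""
    model, _ = parse_cpuinfo(text)
    lacking = missing_extensions(text)
    return f"{model}: missing {', '.join(lacking) or 'none'}"

def report(path="/proc/cpuinfo"):
    """Read the live file (Linux only) and summarise it."""
    with open(path) as fh:
        return report_text(fh.read())

# Constructed excerpt of an older-generation Xeon; real dumps carry many more fields.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU           E5430  @ 2.66GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse sse2 ssse3 sse4_1 lm
"""
```

On a running instance, report() reads the live /proc/cpuinfo; a non-empty "missing" list is the signal the post describes.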

BTW, Linode’s cheapest VPS has an L55xx Xeon, as always – kudos Linode!
I’ve had to open a few tickets recently, and I didn’t even know this, but Linode’s support people are stellar. 10 out of 10, easily. Average response time has been 5-6 minutes and very professional.