
At re:Invent 2021 AWS came out with the goods, as they usually do. For this blog I thought I would zero in on the updates I find the most attractive. I will dig into each of the three areas I am focusing on, and hopefully you can make use of them in your own cloud work.

AWS Control Tower Enhancements to Guard Rails

I want to touch on two really cool enhancements that AWS have added to Control Tower, both of which I have personally been pushing my AWS Account Manager for for a while, and I am sure many others have too. The first is governance. If you create a Landing Zone (feel free to review my blog on that here if you need to) you will know that you can determine which regions you want to govern, and best practice is generally to enable governance on the regions you want resources in.

But what if you DON’T want to Govern or use a region?

Previously you would need to create a Service Control Policy that denies access to AWS services, with an exclusion for the regions you do want to govern. It's certainly a viable option for a coder such as myself, but a simpler option would be an AWS guardrail you can just enable that gives you the same benefit and works dynamically as you add more regions to governance over time.

Now AWS have done a fantastic job of making exactly that easy.

In order to enable this new enhancement (assuming you are on version 2.7 or higher of the Control Tower Landing Zone):

1. Login to the Organisational Management Account where Control Tower is installed as an administrative user.

2. Access Control Tower from the list of services.

3. Select Guardrails from the left menu, as indicated below.


If you filter by the Data Residency category you will notice that on November 30 2021 a number of detective and preventive guardrails were added to help maintain control over where your data is and to meet any compliance obligation you might have. The one relevant to us is labelled "Deny access to AWS based on the requested AWS region".

An interesting thing to note about this guardrail is that you can view it here and see its configuration details, but it is not actually configured here. To configure it you need to update your landing zone configuration:


1. Go to Landing Zone Settings

2. Click Modify Settings

3. Under Region Deny Setting, select Enable.

It is important to read and understand what this is doing. If you already have resources in an ungoverned region you will likely lose access to them, so it's important to move any resources you need into a governed region, or terminate them, before enabling the setting.

This is certainly something I have architected into my existing AWS account framework: I have updated my code to remove the custom-built SCP and will use this guardrail instead.
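To make concrete what that custom-built SCP was doing (and why a guardrail that tracks the governed-region list for you is simpler), here is an added Python model of it; this is not Control Tower's or the author's code, and the governed regions and the list of exempted global services are assumed sample values, not a complete list:

```python
"""Model of a 'deny everything outside the governed regions' SCP and a tiny
evaluator for it. Added example; the Deny + NotAction + aws:RequestedRegion
shape is the standard pattern, but the lists below are assumed samples."""
import fnmatch

# Assumed: regions the landing zone governs. The guardrail tracks this list
# automatically; a hand-written SCP must be edited every time it changes.
GOVERNED_REGIONS = ["ap-southeast-2", "us-east-1"]

# Assumed, deliberately short list of global service actions that must stay
# reachable from any region (a real SCP needs a fuller, reviewed list).
GLOBAL_EXEMPTIONS = ["iam:*", "sts:*", "organizations:*", "support:*", "budgets:*"]


def build_region_deny_scp(governed_regions):
    """Build the SCP document: deny any non-exempt action whose requested
    region is not in the governed list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideGovernedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_EXEMPTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": governed_regions}},
        }],
    }


def is_denied(scp, action, requested_region):
    """Evaluate one (action, region) request against the SCP's Deny statements.
    NotAction + StringNotEquals means the Deny fires only when the action is
    NOT exempted AND the region is NOT governed."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        exempt = any(fnmatch.fnmatch(action, pat) for pat in stmt.get("NotAction", []))
        governed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if not exempt and requested_region not in governed:
            return True
    return False


def denied_requests(scp, requests):
    """Return the (action, region) pairs the SCP would block; useful for checking
    an existing workload before turning the region deny on."""
    return [req for req in requests if is_denied(scp, *req)]


if __name__ == "__main__":
    policy = build_region_deny_scp(GOVERNED_REGIONS)
    for req in [("ec2:RunInstances", "eu-west-1"), ("iam:CreateRole", "eu-west-1")]:
        print(req, "DENIED" if is_denied(policy, *req) else "allowed")
```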

Nested Organisational Units for Control Tower

This isn't something that needs a long explanation (unlike the enhancement above), as Control Tower has technically allowed nested OUs for a while. The caveat was that you could not govern them using the Control Tower console, so you couldn't manage guardrails targeting a nested OU within your organisation.

Now you can. As of re:Invent 2021, Control Tower allows you to specify the parent OU of an Organisational Unit created within Control Tower, which allows for more granular separation of AWS accounts within an organisational structure. This also helps with guardrails: Control Tower OUs can only have 5 SCPs attached, so you can have SCPs at the parent OU level and then further SCPs at the child OU level, which provides better control.

Storage Enhancements for Cost Benefit

Away from Control Tower, I thought I would focus on two key enhancements for storage costs that will help many (particularly those using EBS snapshots for long-term backup of VMs).

Snapshot Archive

The biggest issue I have had with backups for EBS via Snapshots is the cost of snapshots is higher than other storage types and for short term

Ref: AWS

One of the Key benefits of EBS Snapshots is you can schedule them pretty frequently (I have seen workloads with hourly or less snapshots) but as the number of snapshots grow the cost of retaining them grows as well. I have customers who have 7 year retention requirements for Snapshots which is quite expensive over the long term.

So AWS have now introduced the EBS Snapshot Archive capability, which takes advantage of lower-cost AWS Glacier storage and is designed for long-term retention of rarely accessed EBS data.

Archiving a snapshot from the console is pretty easy. Find a snapshot you have taken in the Snapshots section of the EC2 service and select Archive Snapshot. If you later need to create a volume from it you will first need to Restore Snapshot, and that will take 24 hours or so before the snapshot is available.

My hope is that this functionality will be extended to AWS Backup as well, so that AWS Backup can lifecycle/archive the snapshots in a vault to cheaper storage, but this is still a really nice addition.


EBS Snapshot Recycle Bin

I call this one of those "you didn't know you needed it until you need it" improvements. It adds a failsafe against deleting a snapshot you shouldn't have.

I have seen situations where a request comes in to clean up snapshots and a snapshot that was meant to be retained is accidentally removed, causing all sorts of grief (and in some cases major incidents to remediate). Previously, if that happened there was nothing anyone could do; with the introduction of Snapshot Recycle Bin protection, the deletion can be undone (for a while).

How does it work?

You create a retention rule that takes effect when snapshots are deleted.

1. Create a Retention Rule

The Recycle Bin is available from within the Snapshots pane on the EC2 Service Console.


2. Click Create Retention Rule

Define the rule specs: give it a name and select the resource type (at the moment only EBS Snapshots is supported, but that may change in future, otherwise the resource type field would be redundant). Select "all" if you want to cover ALL snapshots. Then define how long you want to retain deleted snapshots for, add any tags you want on the rule, and click Create.

From then on, when a snapshot is deleted it is removed from the Snapshots console but becomes visible in the Recycle Bin console under the Resources link. If you need to recover it there is a Recover link there; if you don't, it will expire at the end of the retention period. It looks like the screenshot below.


That is all for now. I might have some more insights from re:Invent when I get a little more time, but these were the key takeaways that really stuck out to me.