Posts

When to use Step Functions vs. doing it all in a Lambda function

I’m a big fan of Step Functions, but it’s yet another AWS service you must learn and pay for.

It also introduces additional complexities. My application is harder to test; my business logic is split between configuration (ASL) and code; and I have new decision points, such as whether to use Express Workflows or Standard Workflows.

So it’s fair to ask, “Why should we even bother with Step Functions?”. Why not just do everything in code, inside a Lambda function?

Let’s break down the pros and cons and look at the trade-offs of each.

When to use API Gateway vs. Lambda Function URLs

API Gateway, AWS, Lambda, Serverless

“Lambdalith” is a monolithic approach to building serverless applications where a single Lambda function serves an entire API, instead of having one function per endpoint. It’s an increasingly popular approach and provides portability between Lambda and containers and lets you use familiar web frameworks.

Tools like the AWS Lambda Web Adapter have made this approach more accessible, and it also works well with Lambda Function URLs.

But don’t be too hasty to get rid of API Gateway just yet!

In this post, let’s look at the pros and cons of API Gateway vs. Lambda Function URLs, and let me explain why I still prefer API Gateway.

First impressions of the fastest JavaScript runtime for Lambda

AWS, Javascript, Lambda, Serverless

LLRT, the new Low Latency Runtime for JavaScript, is an experimental runtime for Lambda that promises 10x faster startup time!

In this post, let’s look at why it’s so damn fast, and what design choices it makes (and why they make sense in the context of Lambda).

What’s the best way to migrate Cognito users to a new user pool?

AWS, Cognito, Lambda, Serverless

The challenge with a Cognito User Pool migration is that the user password cannot be extracted from Cognito. This is a good thing. It shows that Cognito follows security best practices and does not store user passwords in plain text.

But it makes our lives more difficult during a Cognito User Pool migration.

In this post, let’s consider three approaches for migrating users to a new Cognito User Pool.

How to secure CI/CD pipelines without burning developer productivity to the ground

AWS, Security

When it comes to CI/CD roles, your instinct might be to lock them down to just what it needs. Because we all want to follow the principle of least privilege. But as you will see in this post, this comes with a hefty price in terms of developer productivity, and it’s not as secure as you might think.

So instead, I prefer a more holistic approach when it comes to securing CI/CD pipelines, involving account boundaries, SCPs, ABAC and the use of permissive roles. Come in and find out how.

First impressions of CloudFormation’s IaC generator and CDK migrate

AWS, CDK, CloudFormation, SAM

AWS just announced the CloudFormation IaC Generator and added a CDK migrate command. These make it easier for you to manage manually created resources with Infrastructure as Code.

This is my first impressions of it – what worked, what didn’t and where the gaps are.

How to reprocess Lambda dead-letter queue messages on-demand

AWS, Serverless

Imagine this. You have followed AWS best practices and set up a dead-letter queue (DLQ) or an OnFailure destination for every async Lambda function.

A message arrives in your DLQ. You are alerted right away because you have alarms on all of your DLQs.

You investigate the problem and determine that it was temporary and the message should be re-processed.

But now what?

How to create private, VPC-only DynamoDB tables

AWS, DynamoDB, Security

You don’t need network security to keep your DynamoDB data safe. However, adding network security on top of IAM authentication and authorization is not a bad thing. Sometimes, it’s even necessary to meet regulatory requirements.

In this post, let’s see how to put DynamoDB in VPC so your data can only be accessed from within a VPC. We will look at what works best for feature teams and what works best for platform teams.

Year in review, 2023

2023 has been a bittersweet year. It started with unpleasant medical news and the subsequent surgeries. The silver lining is that I did enjoy the medical leave and perhaps didn’t realise how much I needed that break! Despite several months of medical leave, I still had a productive 2023. 13 public speaking engagements 8 public …

Year in review, 2023 Read More »

How to Securely let Frontend Apps to Directly Access AWS services

AWS, DynamoDB, S3, Serverless

In this post, let’s discuss a radical idea – if the API layer is not adding any value besides authentication and calling the AWS SDK, then why not just remove it and let the frontend talk to your AWS resources directly? It will be the cheapest way to build a full-stack application, and there are similar precedents in the IoT space already.

It’s not the way that I’d recommend for most of you. But it’s possible to do it safely so that a user can only access his/her data. All you need is a little bit of IAM policy and a Cognito Identity Pool.