As we all know, AWS does many many many (I feel like Commandant Lassard) updates per month. I’ve gone through the list and taken my top 10, plus a few honourable mentions. Everyone has different requirements but being in Managed Services mine are focused more in that direction. For a full list of July updates, check out:

Without further ado, my list:

EC2Launch v2

AWS has updated the tool for configuring Windows EC2 instances on launch and reboot. The new EC2Launch v2 provides a single program to configure Windows 2008 to Windows 2019 and has a YAML based configuration file. EC2Launch v2 also offers a raft of features missing from EC2Config and EC2Launch v1. For people baking Windows AMIs or with a large fleet of Windows-based EC2 instances, it is definitely worth upgrading to EC2Launch v2.

Migration from an earlier version can either be done manually or via the AWSEC2Launch-RunMigration SSM document.

For a good overview of the differences check out:

AWS Transit Gateway metrics

Transit Gateway is an excellent service for connecting and managing VPCs, and on-premises networks using a single gateway. With this announcement, Transit Gateway now collects and publishes granular metrics to CloudWatch under the AWS/TransitGateway namespace. Without metrics like this, getting a good view of the AWS traffic flow can be difficult. This is just as exciting as when AWS introduced monitoring for Direct Connect interfaces.

Information on the new metrics can be found at

EC2 Image Builder with KMS

EC2 Image Builder is a service to simplify the creation and deployment of Linux or Windows server images, both AMIs and on-premises formats. For instances within AWS, best practice is to have encryption at rest, even on root volumes. This update makes that super easy. By integrating with AWS Key Management Service, encryption can now be done by simply selecting the key from a dropdown. Customer-managed CMKs and aws/ebs are available, along with no encryption. Anything that makes security easy is a good option.

Screen shot showing encryption option

Amazon EMR now supports CMKs

Continuing with my “any security improvement is good” theme, Amazon Elastic Map Reduce now supports using Customer-managed Customer Master Keys for the S3 bucket. Previously the logs written to S3 could only be encrypted with the AWS SSE-S3 keys. Finding this option is a little trickier, though. The Quick Options cluster creation does not allow choosing your keys. If you want that, you’ll need to go to Advanced Options. I don’t know why you’d hide something like this in Advanced Options, but at least it’s now there.


Screen shot showing where to enter CMK

AWS Copilot - Your friend for containers?

I’ll start this off with a disclaimer that I’ve done very little with containers. I suppose that actually makes me a good candidate for this new service, so I’ll need to find some time (hahaha … what’s that?) to test it. AWS describe Copilot as “a command-line interface tool that helps customers develop, release, and operate containerized applications on AWS.” It is available for macOS and Linux. Apart from just deploying, it will also set up a CI/CD pipeline and choose collaboration models that best suits the team you work with, or just yourself.

Anyway, if you are interested in Copilot, you can check out:

AWS Blog -

Doco -

Well-Architected updates

There is not a lot to show with this one, but it is significant and definitely worth noting. July saw an update to both the Well-Architected Framework and accompanying update to the Well-Architected Tool. The Well-Architected Framework is AWS’s guide to best practices for working within AWS. This isn’t just about the best way to implement AWS infrastructure, but also guidance about business practices.

To find out more about Well-Architected, check out:

AWS Secrets Manager goes to Zelkova

AWS Secrets Manager is a tool to, as the name suggests, manage secrets. Now resource-based policies can be attached to these secrets. Also, Secrets Manager uses Zelkova, an AI tool, to validate these policies and ensure you aren’t opening them up too much or making mistakes in the syntax.

Full details are in the documentation:

EFS Automated Backups

When AWS announced AWS Backup the big win was being able to backup EFS. Previously this was a significant pain in the butt and basically required you to clone your current EFS. This is a relatively simple update from a GUI perspective, but I give this a big thumbs up. The best thing is, this is the default option. Leaving this ticked gives a daily backup with 35-day retention. This is also supported with the CLI via put-backup-policy and CloudFormation with the Backup Policy property.

Kinesis sends to ALL THE THINGS!

This announcement was actually sent out as four separate announcements, but AWS Kinesis now supports data delivery to New Relic, Datadog, HTTPS Endpoints and MongoDB Cloud. OK, so four may not be “ALL THE THINGS”, but New Relic and Datadog are undoubtedly excellent additions to fold, and you could argue that an HTTPS Endpoint does open up the game.


Screen shot showing HTTP Endpoint and new Third-party partners

General documentation on these new options can be found at

There is an excellent article on setting up streaming for New Relic:

For streaming to a generic HTTP endpoint, have a look at this blog:

For sending to MongoDB Cloud, check out:

Athena in code

There isn’t much to talk about with this entry, but I feel it is definitely worth an entry into my Top 10. Athena data catalogues can now be configured via CloudFormation. Previously this was Console or API only. Now there is an AWS::Athena::DataCatalog resource.

Details are in the CloudFormation User Guide:

Honourable Mentions

The below few are also worth having a look at. I’ve not gone into much detail with these, but definitely worth investigating.

RDS (MySQL & PostgreSQL on Outposts

RDS has been announced for Outposts. Check out the AWS Podcast for more info:

Rule the land!

28 new managed rules have been released for AWS Config. Jump on the Console for a look.

Time for a new look  

EFS console has a new look. AWS is trying to make it easier to configure and manage.

All the monies!

You can now pay for Marketplace, Data Exchange, IQ & Reserved Instances in 14 currencies, including AUD & NZD.

Announcement here:

EC2 Image Builder streaming to CloudWatch

EC2 Image Builder now has CloudWatch logging support enabled by default. Logs get streamed to the LogGroup /AWS/imagebuilder/. Opting out of CloudWatch logging is done by removing the “logs:XXX” actions from the instance profile.

Further details can be found at