Dropping the K

Using DynamoDB as a Secrets Manager

A wizard keeping a secret

What if I told you that you could build a serverless secrets manager with a similar security footprint to AWS Secrets Manager, but at a fraction of the cost and with better scalability and latency? With the release of DynamoDB table resource policies in March 2024, this became much easier. In this post, I describe how I reduced the cost of storing secrets to ~zero and improved the latency to get secrets by almost 50% by switching to DynamoDB.

Using CloudFront as a Lightweight Proxy

Weary traveler staring out onto the edge of space (Golden Axe loot goblin done by bubu https://www.pixilart.com/art/dwarf-thief-748edcc7366e6d8)

In the last post, I explored using CloudFront Functions as a blazing fast API that ran on the edge. Since then, I've learned a lot more about CloudFront, SigV4 and Origin Access Control (OAC). This led me to some discoveries on how to use CloudFront as a lightweight proxy for S3 and Lambda. In this "loot drop", I'll detail how to use CloudFront to read and write directly to S3, create a URL bookmark service and send PUT and POST requests to an IAM-protected Lambda Function URL.

Using CloudFront functions as a REST API

Weary traveler staring out onto the edge of space

While writing an AWS Step Function, I needed to sort an array of objects by an object path -- something that was beyond the ability of the built-in intrinsic functions. It was easily done with a Lambda, but that struck me as overkill. Could I use something lightweight like CloudFront functions? Yes! In this post, I'll show how I use CloudFront as a performant, inexpensive REST API that runs on the edge.

Bifurcating Lambda Logs

Log with bytes streaming out of it

It is common for a service application to emit two log types: application logs and request logs. In EC2, ECS and Fargate, these logs can be pumped to separate CloudWatch Log Groups using the CloudWatch Agent, FireLens and FluentBit. Unfortunately, in Lambda these logs can only go to one log group. In this post, I explore a method for pumping request logs to a separate log group to work around this Lambda limitation.

AWS Lambda Request Timeline

Samuel Johnson

Have you ever thought you understood the timeline of a request in AWS Lambda only to stare at your logs and traces and find out that you didn't? The official documentation has diagrams that look pretty, but don't convey everything that is important. In this post I'll present the infographic I use to understand what Lambda is doing and what is and isn't in the logs.

Coldstarts with the AWS JavaScript 3.502 SDK

Drift car without doors

In November 2023, I noticed Lambda coldstarts were 40 ms - 300 ms slower because they unnecessarily loaded the SSO credentials provider. I cut a GitHub issue which was closed with wontfix. Fast forward to January 29, version 3.502 of the AWS JavaScript SDK was released to lazy load non-essential credentials providers. This is a big win, but you can still squeeze out more performance. In this post I'll show you how to make your coldstarts 35 ms faster.

Why I'm spicy about Lambda coldstarts

Spicy Coldstart

Big coldstart will try anything. It’s bikeshedding. Git gud. Negligible at scale. Use the AWS SDK v3. Read this blog. Just use provisioned concurrency.

But the truth is, we aren’t holding it wrong and coldstarts aren’t all your fault. In this post, I fail to stay frosty. In fact I get spicy, and make the case that we shouldn’t lay off the pepper until we stop getting blamed for AWS’s coldstart problem.

Totally async EventBridge

Man entering the backdoor

I'm a big fan of the CloudWatch Embedded Metrics Format. It lets you write metrics to the Lambda log without the overhead of a service call. Alas, there is no Embedded EventBridge Format; you need to make a sync call to EventBridge to put events onto the bus. Can we make it more asynchronous? In this post, I'll describe a back door to publishing events to EventBridge by just writing JSON to the Lambda log.

Optimizing lambda coldstarts

Lambo kicking it into 6th gear

You thought you could just set some flags and your Node.js Lambda function would be bundled, tree-shaken, minified and go from ice cold to glowing hot in milliseconds? My sweet summer child. I thought that too, but then I analyzed the bundle, pored over some traces and realized how wrong I was. What follows is the rabbit hole I went down to optimize my Lambda coldstarts.