Amazon Web Services Blog

  • AWS Support Center Moves to AWS Management Console

    We are moving the AWS Support Center in to the AWS Management Console in order to provide you with a better and more productive experience! You can now log on as a federated user and you can now manage your support cases more efficiently.

    Federated Access Support
    We recently gave you the ability to enable your users to sign in to the Console using SSO after authenticating themselves to your existing identity and authorization system. With today's launch, these users can now sign in to the Support Center with their existing (non-AWS) credentials. To learn how to set this up, read the documentation on Giving Federated Users Direct Access to the AWS Management Console.

    Improved Case Management
    The Support Center is your hub for managing your AWS Support cases. You can now pack up to ten service limit increase requests (for a single service) in to a single case and you can easily filter your cases based on type, severity, and status. For certain services, you can even create a service limit increase case directly from the Trusted Advisor:

    Customers with Business and Enterprise levels of support can ask for a callback at the phone number of their choice. They can also strike up a conversation with a Support Engineer via chat. Enterprise level customers even have direct access to their dedicated Technical Account Manager (TAM):

    You can also sort and filter your open and resolved cases:

    We've Got Your Back
    AWS Support offers plans designed to work for AWS customers of all shapes and sizes. If you do not currently have a support plan, you can easily sign up now!

    -- Jeff;

  • New Microsoft System Center Virtual Machine Manager Add-In

    Many enterprise-scale AWS customers also have a large collection of virtualized Windows servers on their premises. These customers are now moving all sorts of workloads to the Cloud and have been looking for a unified solution to their on-premises and cloud-based system management needs. Using multiple tools to accomplish the same basic tasks (monitoring, and controlling virtualized servers or instances) is inefficient and adds complexity to the development of solutions that use a combination of on-premises and cloud resources.

    New Add-In
    In order to allow this important customer base to manage their resources with greater efficiency, we are launching the AWS System Manager for Microsoft System Center Virtual Machine Manager (SCVMM). This add-in allows you to monitor and manage your Amazon Elastic Compute Cloud (EC2) instances (running either Windows or Linux) from within Microsoft System Center Virtual Machine Manager. You can use this add-in to perform common maintenance tasks such as restarting, stopping, and removing instances. You can also connect to the instances using the Remote Desktop Protocol (RDP).

    Let's take a quick tour of the add-in! Here's the main screen:

    You can select any public AWS Region:

    After you launch an EC2 instance running Windows, you can use the add-in to retrieve, decrypt, and display the administrator password:

    You can select multiple instances and operate on them as a group:

    Available Now
    The add-in is available for download today at no charge. After you download and install it, you simply enter your IAM credentials. The credentials will be associated with the logged-in Windows user on the host system so you'll have to enter them just once.

    As is the case with every AWS product, we would be thrilled to get your feedback (feature suggestions, bug reports, and anything else that comes to mind). Send it to

    -- Jeff;

  • New - Create Amazon WorkSpaces Golden Images

    28 Oct 2014 in Amazon WorkSpaces | permalink

    Amazon WorkSpaces is a managed desktop service in the Cloud. It allows administrators to provision cloud-based desktops that can be accessed from laptops (PC and Mac), tablets ( Kindle Fire, Android, and iPad), and zero client devices.

    Today we are making WorkSpaces even more flexible with the addition of a new image creation feature. Administrators can now create customized golden images for use within their organization. They can add additional applications, remove existing applications, and set configurations in order to provide their users with an environment that is appropriate for their needs.

    Creating a Custom Image
    Let's create a custom WorkSpaces image. I'll start by launching one of the built-in bundles. Wait for it to launch:

    Then I connect as usual, configure it as desired, and then disconnect. I used the Kindle client for WorkSpaces, and chose to install PuTTY to illustrate this post:

    Next, I return to the WorkSpaces Console and find the WorkSpace that was launched and customized. I select it and choose Create Image from the Instance Actions menu:

    Now I fill in the name and description, click Create Image, and wait for the image creation process to finish (this can take up to 45 minutes):

    I can check the WorkSpace Images tab to see when my image is ready. Behind the scenes, WorkSpaces will make a copy of the source WorkSpace, copy the user profile to the default profile, prepare the image for use (Sysprep), validate the custom image with a test launch, and publish the image to your account. The Status will change to Available when the image is ready:

    Once the image is ready I am ready to create a bundle from it by selecting the image and choosing Create Bundle from the menu:

    I simply fill in the name and description and choose the hardware:

    When the bundle is ready I can launch WorkSpaces for my users. As you can see, I now have the opportunity to give them one of the standard bundles or my newly created custom one:

    Things to Know
    Here are a couple of things to keep in mind:

    • Existing WorkSpaces that were launched weeks or months ago must first be rebooted in order to be used as the basis for a custom image.
    • If you want to keep your bundle updated with new applications or patches, simply create a new image and update the bundle from the console. You can use the updated bundle to launch new WorkSpaces, or rebuild existing WorkSpaces to move all of your users to the latest image.
    • You can create up to 5 custom images for each AWS account. If you need to create more, simply Contact Us.
    • Our new custom images tutorial contains additional information about the process described above.

    This new feature is available now and you can start using it today. There are no charges for image creation or storage.

    -- Jeff;

  • AWS Week in Review - October 20, 2014

    27 Oct 2014 | permalink

    Let's take a quick look at what happened in AWS-land last week:

    Monday, October 20
    Tuesday, October 21
    Wednesday, October 22
    Thursday, October 23
    Friday, October 24

    Here are some of the events that we have on tap for the next week or two ("Loft" is short for the AWS Pop-up Loft in San Francisco):

    Stay tuned for next week! In the meantime, follow me on Twitter and subscribe to the RSS feed.

    -- Jeff;

  • Multi-AZ Support / Auto Failover for Amazon ElastiCache for Redis

    24 Oct 2014 in Amazon ElastiCache | permalink

    Like every AWS offering, Amazon ElastiCache started out simple and then grew in breadth and depth over time. Here's a brief recap of the most important milestones:

    • August 2011 - Initial launch with support for the Memcached caching engine in one AWS Region.
    • December 2011 - Expansion to four additional Regions.
    • March 2012 - The first of several price reductions.
    • April 2012 - Introduction of Reserved Cluster Nodes.
    • November 2012 - Introduction of four additional types of Cache Nodes.
    • September 2013 - Initial support for the Redis caching engine including Replication Groups with replicas for increased read throughput.
    • March 2014 - Another price reduction.
    • April 2014 - Backup and restore of Redis Clusters.
    • July 2014 - Support for M3 and R3 Cache Nodes.
    • July 2014 - Node placement across more than one Availability Zone in a Region.
    • September 2014 - Support for T2 Cache Nodes.

    When you start to use any of the AWS services, you should always anticipate a steady stream of enhancements. Some of them, as you can see from list above, will give you additional flexibility with regard to architecture, scalability, or location. Others will improve your cost structure by reducing prices or adding opportunities to purchase Reserved Instances. Another class of enhancements simplifies the task of building applications that are resilient and fault-tolerant.

    Multi-AZ Support for Redis
    Today's launch is designed to help you to add additional resilience and fault tolerance to your Redis Cache Clusters. You can now create a Replication Group that spans multiple Availability Zones with automatic failure detection and failover.

    After you have created a Multi-AZ Replication Group, ElastiCache will monitor the health and connectivity of the nodes. If the primary node fails, ElastiCache will select the read replica that has the lowest replication lag (in other words, the one that is the most current) and make it the primary node. It will then propagate a DNS change, create another read replica, and wire everything back together, with no administrative work on your side.

    This new level of automated fault detection and recovery will enhance the overall availability of your Redis Cache Clusters. The following situations will initiate the failover process:

    1. Loss of availability in the primary's Availability Zone.
    2. Loss of network connectivity to the primary.
    3. Failure of the primary.

    Creating a Multi-AZ Replication Group
    You can create a Multi-AZ Cache Replication Group by checking the Multi-AZ checkbox after selecting Create Cache Cluster:

    A diverse set of Availability Zones will be assigned by default. You can easily override them in order to better reflect the needs of your application:

    Multi-AZ for Existing Cache Clusters
    You can also modify your existing Cache Cluster to add Multi-AZ residency and automatic failover with a couple of clicks.

    Things to Know
    The Multi-AZ support in ElastiCache for Redis currently makes use of the asynchronous replication that is built in to newer versions (2.8.6 and beyond) of the Redis engine. As such, it is subject to its strengths and weaknesses. In particular, when a read replica connects to a primary for the first time or when the primary changes, the replica will perform a full synchronization with the primary. This ensures that the cached information is as current as possible, but it will impose an additional load on the primary and the read replica(s).

    The entire failover process, from detection to the resumption of normal caching behavior, will take several minutes. Your application's caching tier should have a strategy (and some code!) to deal with a cache that is momentarily unavailable.

    Available Now
    This new feature is available now in all public AWS Regions and you can start using it today. The feature is offered at no extra charge to all ElastiCache users.

    -- Jeff;

  • OpenID Connect Support for Amazon Cognito

    23 Oct 2014 in Amazon Cognito | permalink

    This past summer, we launched Cognito to simplify the task of authenticating users and storing, managing, and syncing their data across multiple devices. Cognito already supports a variety of identities — public provider identities (Facebook, Google, and Amazon), guest user identities, and recently announced developer authenticated identities.

    Today we are making Amazon Cognito even more flexible by enabling app developers to use identities from any provider that supports OpenID Connect (OIDC). For example, you can write AWS-powered apps that allow users to sign in using their user name and password from Salesforce or Ping Federate. OIDC is an open standard enables developers to leverage additional identity providers for authentication. This way they can focus on developing their app rather than dealing with user names and passwords.

    Today's launch adds OIDC provider identities to the list. Cognito takes the ID token that you obtain from the OIDC identity provider and uses it to manufacture unique Cognito IDs for each person who uses your app. You can use this identifier to save and synchronize user data across devices and to retrieve temporary, limited-privilege AWS credentials through the AWS Security Token Service.

    Building upon the support for SAML (Security Assertion Markup Language) that we launched last year, we hope that today's addition of support for OIDC demonstrates our commitment to open standards. To learn more and to see some sample code, see our new post, Building an App using Amazon Cognito and an OpenID Connect Identity Provider on the AWS Security Blog. If you are planning to attend Internet Identity Workshop next week, come meet the members of the team that added this support!

    -- Jeff;

  • Now Open - AWS Germany (Frankfurt) Region - EC2, DynamoDB, S3, and Much More

    23 Oct 2014 in Amazon EC2, Europe | permalink

    It is time to expand the AWS footprint once again, this time with a new Region in Frankfurt, Germany. AWS customers in Europe can now use the new EU (Frankfurt) Region along with the existing EU (Ireland) Region for fast, low-latency access to the suite of AWS infrastructure services. You can now build multi-Region applications with the assurance that your content will stay within the EU.

    New Region
    The new Frankfurt Region supports Amazon Elastic Compute Cloud (EC2) and related services including Amazon Elastic Block Store (EBS), Amazon Virtual Private Cloud, Auto Scaling, and Elastic Load Balancing.

    It also supports AWS Elastic Beanstalk, AWS CloudFormation, Amazon CloudFront, Amazon CloudSearch, AWS CloudTrail, Amazon CloudWatch, AWS Direct Connect, Amazon DynamoDB, Amazon Elastic MapReduce, AWS Storage Gateway, Amazon Glacier, AWS CloudHSM, AWS Identity and Access Management (IAM), Amazon Kinesis, AWS OpsWorks, Amazon Route 53, Amazon Relational Database Service (RDS), Amazon Redshift, Amazon Simple Storage Service (S3), Amazon Simple Notification Service (SNS), Amazon Simple Queue Service (SQS), and Amazon Simple Workflow Service (SWF).

    The Region supports all sizes of T2, M3, C3, R3, and I2 instances. All EC2 instances must be launched within a Virtual Private Cloud in this Region (see my blog post, Virtual Private Clouds for Everyone for more information).

    There are also three edge locations in Frankfurt for Amazon Route 53 and Amazon CloudFront.

    This is our eleventh Region (see the AWS Global Infrastructure map for more information). As usual, you can see the full list in the Region menu of the AWS Management Console:

    Rigorous Compliance
    Every AWS Region is designed and built to meet rigorous compliance standards including ISO 27001, SOC 1, PCI DSS Level 1, to name a few (see the AWS Compliance page for more info). AWS is fully compliant with all applicable EU Data Protection laws. For customers who wish to use AWS to store personal data, AWS provides a data processing agreement. More information on how customers can use AWS to meet EU Data Protection requirements can be found at AWS Data Protection.

    Many organizations in Europe are already making use of AWS. Here's a very small sample:

    mytaxi (Slideshare presentation) is a very popular (10 million users and 45,000 taxis) taxi booking application. They use AWS to help them to service their global customer base in real time. They plan to use the new Region to provide even better service to their customers in Germany.

    Wunderlist (case study) was first attracted to AWS by, as they say, the "fantastic technology stack." Empowered by AWS, they have developed an agile deployment model that allows them to deploy new code several times per day. They can experiment more often (with very little risk) and can launch new products more quickly. They believe that the new AWS Region will benefit their customers in Germany and will also inspire the local startup scene.

    AWS Partner Network
    Members of the AWS Partner Network (APN) have been preparing for the launch of the new Region. Here's a sampling (send me email with launch day updates).

    Software AG is using AWS as a global host for ARIS Cloud, a Business Process Analysis-as-a-Service (BPAaaS) product. AWS allows Software AG to focus on their core competency—the development of great software and gives them the power to roll out new cloud products globally within days.

    Trend Micro is bringing their security solutions to the new region. Trend Micro Deep Security helps customers secure their AWS deployments and instances against the latest threats, including Shellshock and Heartbleed.

    Here are a few late-breaking (post-launch additions):

    1. BitNami - Support for the new Amazon Cloud Region in Germany.
    2. Appian - Appian Cloud Adds Local Hosting in Germany

    Here are some of the latest and greatest third party operating system AMIs in the new Region:

    1. Canonical - Ubuntu Server 14.04 LTS
    2. SUSE - SUSE Linux Enterprise Server 11 SP3

    For Developers - Signature Version 4 Support
    This new Region supports only Signature Version 4. If you have built applications with the AWS SDKs or the AWS Command Line Interface (CLI) and your API calls are being rejected, you should update to the newest SDK and CLI. To learn more, visit Using the AWS SDKs and Explorers.

    AWS Offices in Europe
    In order to support enterprises, government agencies, academic institutions, small-to-mid size companies, startups, and developers, there are AWS offices in Germany (Berlin, Munich), the UK (London), Ireland (Dublin), France (Paris), Luxembourg (Luxembourg City), Spain (Madrid), Sweden (Stockholm), and Italy (Milan).

    Use it Now
    This new Region is open for business now and you can start using it today!

    -- Jeff;

    PS - Like our US West (Oregon) and AWS GovCloud (US) Regions, this region uses carbon-free power!

  • Statcast Debuts at the World Series - Powered by AWS

    23 Oct 2014 | permalink

    Yesterday, the team at MLB Advanced Media (MLBAM) launched Statcast for the 2014 World Series. This cool new video experience, powered by AWS, demonstrates for fans how high-resolution cameras and radar equipment precisely track the position of the ball and all of the players on the field during a baseball game. The equipment captures 20,000 position metrics for the ball every second. It also captures 30 position metrics for each player every second.

    The data is used to create a newly introduced video overlay experience — Statcast powered by AWS — to display the computed performance metrics that measure the performance of each player. This data, and the renderings that it creates, help to provide today's baseball fans with the detailed and engaging online content that they crave.

    Here are a couple of examples that will show you more about the data collected and displayed through Statcast, using a diving catch from Game 6 of the ALCS. First, the pitch:

    The reaction in center field:

    And the catch:

    Watch the complete video to see and hear the action!

    -- Jeff;

  • AWS Ad Tech Conference - This Friday in San Francisco!

    22 Oct 2014 in AWS Loft | permalink

    The advertising space is going through a rapid, technology-enabled, data-driven transformation!

    Many of the companies driving this change are using AWS services like Amazon Elastic MapReduce, Amazon Redshift, Amazon DynamoDB, Amazon Kinesis, and Amazon CloudFront to serve, ingest, process, store, analyze, track, and optimize their online advertising campaigns.

    If you work for an ad tech company in the San Francisco area you should consider attending a free one-day event for developers and architects this coming Friday (October 24th) in San Francisco.

    Attend, Learn, Meet
    If you attend the event you will get to learn AWS in a series of five technical deep dive sessions that are laser focused on the key AWS technologies that I mentioned above. You will also get to hear AWS customers such as Adroll (ad retargeting), Blinkx (video discovery and sharing), Bloomreach (big data marketing), Krux Digital (cross-screen data management), SetMedia (digital video classification), Tune and Viglink (automated monetization) share their real-life use cases, architectures, and the lessons they learned on their journey to the cloud. The day will end with a networking reception at 5:00 PM.

    This event is designed for developers and architects who are already familiar with AWS and are looking to increase their knowledge of key ad tech enabling services and learn directly from their industry peers. This is not an introductory or business-level event.

    Register Now
    The event runs from 10:00 AM to 6:00 PM this coming Friday. It will be held in the AWS Pop-up Loft at 925 Market Street in San Francisco. Registration is mandatory, space is limited, and there's no charge to attend. To register:

    1. Go to the AWS Pop-up Loft site and click Register to attend the AWS Loft. If this is your first time registering for an event at the AWS Pop-Up Loft, you'll need to create a new account first. Otherwise, just log in to the site first.
    2. On the Evening Events/Sessions go to Friday, 10/24/14, check the box for Advertising Technology Day and continue through the registration process.

    Here is the agenda for the day:

    Time Session
    9:30 AM Arrive and Register
    10:00 AM Customer Presentation (Viglink)
    10:30 AM Customer Presentation (Krux)
    11:00 AM Amazon EMR Best Practices
    11:30 AM Customer Presentation (Bloomreach)
    12:00 PM Lunch and Informal Q&A
    12:30 PM Amazon Redshift Best Practices
    1:00 PM Customer Presentation (Tune)
    1:30 PM Amazon Kinesis Best Practices
    2:00 PM Customer Presentation (SET Media)
    2:30 PM Amazon CloudFront Best Practices
    3:00 PM Customer Presentation (Blinkx)
    3:30 PM Amazon DynamoDB Best Practices
    4:00 PM Customer Presentation (AdRoll)
    4:30 PM Q&A
    5:00 PM Happy Hour Networking Reception

    -- Jeff;

  • New AWS Directory Service

    Virtually every organization uses a directory service such as Active Directory to allow computers to join domains, list and authenticate users, and to locate and connect to printers, and other network services including SQL Server databases. A centralized directory reduces the amount of administrative work that must be done when an employee joins the organization, changes roles, or leaves.

    With the advent of cloud-based services, an interesting challenge has arisen. By design, the directory is intended to be a central source of truth with regard to user identity. Administrators should not have to maintain one directory service for on-premises users and services, and a separate, parallel one for the cloud. Ideally, on-premises and cloud-based services could share and make use of a single, unified directory service.

    Perhaps you want to run Microsoft Windows on EC2 or centrally control access to AWS applications such as Amazon WorkSpaces or Amazon Zocalo. Setting up and then running a directory can be a fairly ambitious undertaking once you take in to account the need to procure and run hardware, install, configure and patch the operating system, and the directory, and so forth. This might be overkill if you have a user base of modest size and just want to use the AWS applications and exercise centralized control over users and permissions.

    The New AWS Directory Service
    Today we are introducing the AWS Directory Service to address these challenges! This managed service provides two types of directories. You can connect to an existing on-premises directory or you can set up and run a new, Samba-based directory in the Cloud.

    If your organization already has a directory, you can now make use of it from within the cloud using the AD Connector directory type. This is a gateway technology that serves as a cloud proxy to your existing directory, without the need for complex synchronization technology or federated sign-on. All communication between the AWS Cloud and your on-premises directory takes place over AWS Direct Connect or a secure VPN connection within a Amazon Virtual Private Cloud. The AD Connector is easy to set up (just a few parameters) and needs very little in the way of operational care and feeding. Once configured, your users can use their existing credentials (user name and password, with optional RADIUS authentication) to log in to WorkSpaces, Zocalo, EC2 instances running Microsoft Windows, and the AWS Management Console. The AD Connector is available in Small (up to 10,000 users, computers, groups, and other directory objects) and Large (up to 100,000 users, computers, groups, and other directory objects).

    If you don't currently have a directory and don't want to be bothered with all of the care and feeding that's traditionally been required, you can quickly and easily provision and run a Samba-based directory in the cloud using the Simple AD directory type. This directory supports most of the common Active Directory features including joins to Windows domains, management of Group Policies, and single sign-on to directory- powered apps. EC2 instances that run Windows can join domains and can be administered en masse using Group Policies for consistency. Amazon WorkSpaces and Amazon Zocalo can make use of the directory. Developers and system administrators can use their directory credentials to sign in to the AWS Management Console in order to manage AWS resources such as EC2 instances or S3 buckets.

    Getting Started
    Regardless of the directory type that you choose, getting started is quick and easy. Keep in mind, of course, that you are setting up an important piece of infrastructure and choose your names and passwords accordingly. Let's walk through the process of setting up each type of directory.

    I can create an AD Connector as a cloud-based proxy to an existing Active Directory running within my organization. I'll have to create a VPN connection from my Virtual Private Cloud to my on-premises network, making use of AWS Direct Connect if necessary. Then I will need to create an account with sufficient privileges to allow it handle lookup, authentication, and domain join requests. I'll also need the DNS name of the existing directory. With that information in hand, creating the AD Connector is a simple matter of filling in a form:

    I also have to provide it within information about my VPC, including the subnets where I'd like the directory servers to be hosted:

    The AD Connector will be up & running and ready to use within minutes!

    Creating a Simple AD in the cloud is also very simple and straightforward. Again, I need to choose one of my VPCs and then pick a pair of subnets within it for my directory servers:

    Again, the Simple AD will be up, running, and ready for use within minutes.

    Managing Directories
    Let's take a look at the management features that are available for the AD Connector and Simple AD. The Console shows me a list of all of my directories:

    I can dive in to the details with a click. As you can see at the bottom of this screen, I can also create a public endpoint for my directory. This will allow it to be used for sign-in to AWS applications such as Zocalo and WorkSpaces, and to the AWS Management Console:

    I can also configure the AWS applications and the Console to use the directory:

    I can also create, restore, and manage snapshot backups of my Simple AD (backups are done automatically every 24 hours; I can also initiate a manual backup at any desired time):

    Get Started Today
    Both types of directory are available now and you can start creating and using them today in the US East (Northern Virginia), US West (Oregon), Asia Pacific (Sydney), Asia Pacific (Tokyo), and Europe (Ireland) Regions. Prices start at $0.05 per hour for Small directories of either type and $0.15 per hour for Large directories of either type in the US East (Northern Virginia) Region. See the AWS Directory Service page for pricing information in the other AWS Regions.

    -- Jeff;