December 4th AWS NET+ Tech Share Recap: re:Invent Highlights and Community Updates

AWS re:Invent Updates and New Features

Several exciting announcements from re:Invent were discussed:

Amazon S3 Tables: AWS has introduced Amazon S3 Tables, providing fully managed Apache Iceberg tables optimized for analytics workloads. This service offers up to 3x faster query throughput and up to 10x higher transactions per second compared to self-managed tables. It integrates with AWS Glue Data Catalog, allowing seamless streaming, querying, and visualization of data using services like Amazon Kinesis Data Firehose, Athena, Redshift, EMR, and QuickSight.

Centrally Managing Root Access: AWS Identity and Access Management (IAM) now offers a capability that allows security teams to centrally manage root access for member accounts in AWS Organizations. This feature simplifies the management of root credentials and the execution of highly privileged actions across multiple accounts. Many members on the call were very interested in implementing this feature as it will improve operations and security through decreasing management efforts and reducing attack surface.

Declarative Policies: AWS has introduced declarative policies, enabling organizations to define and enforce desired configurations for AWS services at scale. For instance, you can enforce a "block public access" setting for VPCs across all accounts in your organization, ensuring consistent security postures.

Resource Control Policies (RCPs): AWS Organizations now support Resource Control Policies, a new type of authorization policy that sets the maximum available permissions on resources within your entire organization. RCPs help establish a data perimeter in your AWS environment and restrict external access to resources at scale.

Invoice Configuration: In addition to the central root access management feature, the new invoice configuration features were an eye catcher for many members on the call. AWS has launched Invoice Configuration, allowing you to customize your invoices to fit your business needs. This feature enables you to receive separate AWS invoices for member accounts belonging to different business entities within the same AWS Organization, streamlining financial management and compliance. 

Amazon Nova Models: Amazon has unveiled Amazon Nova, a new generation of foundation models capable of processing text, image, and video inputs. These models, available through Amazon Bedrock, offer state-of-the-art capabilities for generative AI applications, including text generation, image creation, and video production. The most attractive feature of these models is that it is relatively inexpensive compared to other state of the art models from Anthropic and OpenAI. Simon Willison, a well known open-source programmer, created a cost comparison table amongst the models mentioned above. Below is a table from his blog. I highly recommend reading this article for a deeper dive.

If you’re scratching your head about how some of these new features work or if you would like to hear more about them, swing by our upcoming AWS Tech Jam where our (and AWS’) very own Kevin Murakoshi will recap all of the relevant re:Invent announcements. Link to the registration can be found here.

Further Discussion of re:Invent Updates

Several technical announcements were discussed:

• The announcement of the ability to remove root account credentials completely and replace them with temporary ones started a discussion about handling special cases like Amazon Mechanical Turk (MTurk). Many members on the call manage end users that access Amazon MTurk. They brought up how certain MTurk cases require root account privileges. It seems like the new central management feature for root credentials will work for scenarios that exclude use cases around Amazon Mechanical Turk. Further investigation and testing will need to be done to confirm this definitively.
• A note about upcoming changes to CloudTrail events for AWS IAM Identity Center logs.
• Effective January 13, 2025, AWS IAM Identity Center will modify CloudTrail event data by replacing the userName and principalId fields with userId and identityStoreArn, providing unique and immutable user identifiers. The userIdentity type will change from Unknown to IdentityCenterUser for authenticated users, enhancing clarity in user identification. Additionally, group displayName values in administrative events will be replaced with HIDDEN_DUE_TO_SECURITY_REASONS; to access group attributes, use the Identity Store DescribeGroup API operation.

Discussion of AI in Higher Education

The discussion touched on several AI-related topics:

• The University of Delaware shared an innovative use case where they processed thousands of hours of lecture videos to create personalized learning experiences, including a student aid chatbot capable of creating custom flashcards
• The University of Wisconsin-Madison raised important points about managing AI resource access and spending in academic settings, particularly for business school AI courses
• The community discussed challenges in balancing professor requests for comprehensive AI tool access (including OpenAI and Amazon Bedrock) with institutional controls

Looking Forward

The Amplify GenAI Barn-raising event that took place in November was a great success. I will be doing a write up of it so be on the look out for that. The overwhelmingly positive reception of the session generated interest in additional Barn-raising events. Several members of the group expressed interest in implementing Indiana University’s automated transcription service hosted on AWS. The upcoming barn-raising session is planned to take place in spring 2025. Members interested in participating in future barn-raising events are encouraged to reach out with their ideas and use cases.

That’s it for this AWS tech share write up! Be sure to check out the other blog posts we've written. As always, feel free to send any feedback to tmanik[at]internet2[dot]edu.