17. DynamoDB
Encryption in transit and at rest with KMS
This service runs outside the VPC and doesn't have a resource policy like S3,
so it can't block outside access by itself.
Add a VPC endpoint condition to the KMS key policy,
so decryption is possible only from roles inside the VPC.
Backup/Recovery with AWS Backup
Load from S3 only works into an empty database
18. S3
KMS encryption everywhere
Via VPC endpoints to avoid the public internet
Resource policy that requires traffic through the VPC endpoint
• Careful not to lock out management API calls
• Redshift Spectrum doesn't support VPC endpoints
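The two "traffic must come through the VPC endpoint" policies from the DynamoDB and S3 slides, as an added example that is not part of the deck: a KMS key policy that lets the workload role use the key only via the endpoint while an admin role keeps full rights, and an S3 bucket policy with an explicit Deny outside the endpoint plus the admin carve-out that avoids locking out management calls. Account id, VPC endpoint id, role ARNs and bucket name are constructed placeholders, and `is_allowed` is a deliberately simplified model of IAM evaluation (explicit Deny wins, default deny, only the condition operators used here, no resource matching); use the IAM policy simulator for the real thing.

```python
"""Added example: build the VPC-endpoint-only KMS key policy and S3 bucket
policy described in the slides and check them with a small IAM-style evaluator.
All identifiers are constructed placeholders."""
import fnmatch
from typing import Optional

ACCOUNT = "111122223333"                                        # constructed
VPCE_ID = "vpce-0123456789abcdef0"                              # constructed
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/platform-admin"      # constructed
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ledger-fargate-task"   # constructed
KEY_USE = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"]


def kms_key_policy(vpce_id: str = VPCE_ID) -> dict:
    """Key policy: the workload role may use the key only when the request arrives
    through the VPC endpoint; the admin role keeps kms:* so key management from
    outside the VPC (console, CI) keeps working."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AdminFullAccess", "Effect": "Allow",
         "Principal": {"AWS": ADMIN_ROLE}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "WorkloadUseOnlyViaVpce", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE}, "Action": KEY_USE, "Resource": "*",
         "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}}},
    ]}


def s3_bucket_policy(bucket: str, vpce_id: str = VPCE_ID) -> dict:
    """Bucket policy: explicit Deny for any principal not coming through the VPC
    endpoint, except the admin role. Without the ArnNotEquals carve-out the
    Deny also hits the administrators, which is the lockout the slide warns about."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id},
                       "ArnNotEquals": {"aws:PrincipalArn": ADMIN_ROLE}}},
        {"Sid": "AllowWorkloadAndAdmin", "Effect": "Allow",
         "Principal": {"AWS": [APP_ROLE, ADMIN_ROLE]},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": [arn, f"{arn}/*"]},
    ]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Every operator/key pair must hold. For the negated operators a missing
    request-context key counts as "not equal", as IAM does."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "ArnEquals", "StringNotEquals", "ArnNotEquals"):
            raise ValueError(f"operator {op} not modelled here")
        for key, want in pairs.items():
            have = ctx.get(key)
            if op in ("StringEquals", "ArnEquals") and have != want:
                return False
            if op in ("StringNotEquals", "ArnNotEquals") and have == want:
                return False
    return True


def is_allowed(policy: dict, principal_arn: str, action: str,
               source_vpce: Optional[str]) -> bool:
    """Simplified evaluation: an explicit Deny that matches wins, otherwise any
    matching Allow grants, otherwise deny. source_vpce=None models a request
    from the public internet or the console (no aws:sourceVpce in the context)."""
    ctx = {"aws:PrincipalArn": principal_arn}
    if source_vpce:
        ctx["aws:sourceVpce"] = source_vpce
    allowed = False
    for stmt in policy["Statement"]:
        principal = stmt["Principal"]
        if principal != "*" and principal_arn not in _as_list(principal["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    key, bucket = kms_key_policy(), s3_bucket_policy("ledger-exports")
    print("app decrypt via vpce  :", is_allowed(key, APP_ROLE, "kms:Decrypt", VPCE_ID))
    print("app decrypt, no vpce  :", is_allowed(key, APP_ROLE, "kms:Decrypt", None))
    print("admin key rotation    :", is_allowed(key, ADMIN_ROLE, "kms:EnableKeyRotation", None))
    print("admin list, no vpce   :", is_allowed(bucket, ADMIN_ROLE, "s3:ListBucket", None))
    print("app put, no vpce      :", is_allowed(bucket, APP_ROLE, "s3:PutObject", None))
```

The evaluator is there to make the lockout concrete: remove the `ArnNotEquals` carve-out from `DenyOutsideVpce` and the admin's `s3:ListBucket` from outside the VPC flips to denied, which is exactly the management-call lockout the S3 slide cautions against.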
19. API Gateway
Only the REST API supports VPC endpoints
No support for the HTTP (v2) API Gateway
mTLS support only for the public API Gateway via a custom domain (CloudFront)
21. Fargate
Containers without complex infrastructure
Use secret values to pass environment variables directly from SSM Parameter Store or Secrets Manager
Sidecars: combine containers
ECR registry with Inspector v2 deep scanning
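A check for the Fargate secrets advice above, added here as an example that is not part of the deck: it audits an ECS container definition and flags sensitive-looking variables passed as plaintext `environment` entries instead of through the `secrets` block (which ECS resolves from SSM Parameter Store or Secrets Manager at task start), and flags `secrets` whose `valueFrom` is not one of those two sources. The sample definition, its ARNs and the name heuristic are constructed assumptions; the check is stricter than ECS itself, which also accepts a bare parameter name for same-region SSM parameters.

```python
"""Added example: audit an ECS/Fargate container definition for secrets passed
as plaintext environment variables. Sample data and ARNs are constructed."""
import re
from typing import Dict, List

# Assumed naming heuristic: adjust to the team's variable naming conventions.
SENSITIVE_NAME = re.compile(r"(secret|password|passwd|token|api[_-]?key|private[_-]?key)", re.I)
# Only full ARNs of SSM parameters or Secrets Manager secrets are accepted here.
ALLOWED_SOURCE = re.compile(
    r"^arn:aws:(ssm:[^:]+:\d{12}:parameter/|secretsmanager:[^:]+:\d{12}:secret:)")


def audit_container(container: dict) -> Dict[str, List[str]]:
    """Return findings for one container definition:
    'plaintext'  - environment variables with a secret-like name and a literal value
    'bad_source' - secrets whose valueFrom is not an SSM / Secrets Manager ARN"""
    findings: Dict[str, List[str]] = {"plaintext": [], "bad_source": []}
    for env in container.get("environment", []):
        if SENSITIVE_NAME.search(env["name"]):
            findings["plaintext"].append(env["name"])
    for secret in container.get("secrets", []):
        if not ALLOWED_SOURCE.match(secret.get("valueFrom", "")):
            findings["bad_source"].append(secret["name"])
    return findings


def audit_task_definition(task_def: dict) -> Dict[str, Dict[str, List[str]]]:
    """Audit every container in a task definition; only containers with findings
    are reported, keyed by container name."""
    report = {}
    for container in task_def.get("containerDefinitions", []):
        findings = audit_container(container)
        if findings["plaintext"] or findings["bad_source"]:
            report[container["name"]] = findings
    return report


# Constructed sample task definition (not from any real deployment).
SAMPLE_TASK_DEF = {
    "family": "ledger-api",
    "containerDefinitions": [
        {
            "name": "ledger-api",
            "image": "111122223333.dkr.ecr.eu-west-1.amazonaws.com/ledger-api:1.4.2",
            "environment": [
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "DB_PASSWORD", "value": "hunter2"},   # the defect this check catches
            ],
            "secrets": [
                {"name": "KAFKA_API_KEY",
                 "valueFrom": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:ledger/kafka-AbCdEf"},
                {"name": "JWT_SIGNING_KEY",
                 "valueFrom": "arn:aws:ssm:eu-west-1:111122223333:parameter/ledger/jwt-key"},
                {"name": "LEGACY_TOKEN", "valueFrom": "s3://some-bucket/token.txt"},  # unsupported source
            ],
        },
        {
            "name": "log-router",  # sidecar with nothing sensitive
            "image": "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable",
            "environment": [{"name": "FLB_LOG_LEVEL", "value": "warn"}],
        },
    ],
}


if __name__ == "__main__":
    for name, findings in audit_task_definition(SAMPLE_TASK_DEF).items():
        print(name, findings)
```

Run it against the JSON from `aws ecs describe-task-definition` in a pipeline step; the task-execution role still needs `ssm:GetParameters` / `secretsmanager:GetSecretValue` (and `kms:Decrypt` for the key behind them) for the `secrets` block to resolve at launch.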
22. Streaming & mTLS
Lambda supports only PBES1 for Kafka mTLS (DES/MD5/SHA-1, from the 1990s)
EventBridge Pipes (same as Lambda)
Glue Streaming
• Missing group.id
• Expensive
Limited sink connectors
39. Cost
• Only the first CloudTrail is free
• The CloudTrail cost is higher than the workload: KMS / DynamoDB audit lines
• DynamoDB auto-scale is costly on startup but low after that with a billion records. Infrequent Access can save even more.
• Spot and auto-scale to 0 save cost on the non-prod environments
40. Conclusion
SERVERLESS WORKS FOR A HIGH-TRAFFIC, IMPORTANT FINANCIAL APPLICATION
ABLE TO PARSE HUGE PEAK LOADS WITH A GOOD MONTHLY COST
ERRORS / THROTTLING / TIMEOUTS ARE VERY LIMITED WITH THE FAST AUTOSCALE OF DYNAMODB.
GREAT PROJECT, PUSHING THE TECHNOLOGY BOUNDARIES AND COMPLEMENTING EACH TEAM'S STRENGTHS.