AWS Lambda: Best Practices
and Common Mistakes
Given by Derek C. Ashmore
Chicago Cloud Conference
September 21, 2020
©2020 Derek C. Ashmore, All Rights Reserved 1
Who am I?
• Professional Geek
since 1987
• Java/J2EE/Java EE
since 1999
• AWS since 2010
• Azure since 2017
• Specialties
• Cloud
Workshops
• Cloud-native
Applications
• Yes – I still code!
Discussion Resources
• This slide deck
– https://www.slideshare.net/derekashmore/presentations
• Sample code on my Github
– https://github.com/Derek-Ashmore/
• Slide deck has hyper-links!
– Don’t bother writing down URLs
Agenda
The “What”
and “Why”
of AWS
Lambda
Code-Level
Tips
Operation
and Design
Habits
Summary /
Q&A
What are AWS Lambdas?
• You provide custom code -> AWS runs it
– Java, Node.js, Python, Go, Ruby, .NET Core
– Can implement custom runtimes for languages not in the list!
• Computing power with less management
– AWS manages the hardware
– AWS autoscales that hardware
– AWS maintains that hardware
• Lambdas are event driven
– API Gateway (e.g. RESTful Web Service call)
– Many more
• Lambdas are stateless
• Not to be confused with “Lambda Expressions” in Java 8
Lambda Event Sources
• API Gateway
• SNS Messaging
Subscriptions
• Schedule
• Storage writes
– S3, DynamoDB, Kinesis
• SES Email receipt
• CloudWatch
– Scheduled rules, Events, Logs subscription filters
• Cognito (user-pool triggers, e.g. pre-sign-up, post-authentication)
• CloudFormation
– Custom resources (create / update / delete hooks)
What’s the Business Benefit
• Less Maintenance Hassle
• Unlimited Parallelism
• Current cost advantage
– Don’t pay for idle
– CPU cost currently lower
• Free tier
– 1 M requests and 400,000 GB-seconds of compute per month
– Memory allocated determines allowed free-tier runtime
• $0.20 per 1 M requests + compute billed as memory allocated × runtime (GB-seconds)
– Administration cost
• No O/S upgrades, server backups, etc.
There’s no free lunch
• Less control over environment
– Harder to tune
– Memory and time limits on execution
• Few Environment amenities
– No built-in connection pooling, session state or caching; only what you keep in a reused execution environment survives between invocations
• Proprietary Interface
– Potential Technical Lock-in
• No Guarantee that AWS cost will be constant
– Potential Business Risk
• Modern version of CGI
What Makes a “Best Practice”?
• Makes Support Easier
• Increases Reuse
• Increases Performance
• Minimizes Resource Consumption
– Labor
– Runtime
Let’s start with Low-Hanging Fruit
Report Inputs/Env on Exception
• Place a Try / Catch in your handler
– Python Example
– Java Example
• Also check your arguments with a clear error message
def crossAccountHandler(event, context):
    try:
        ………………
    except Exception as e:
        # Attach the inputs to the exception so they land next to the stack trace in
        # CloudWatch Logs. The event may carry tokens or PII: redact before it is logged.
        e.args += (event, vars(context))
        raise
Check Arguments Up Front
• Check your arguments with a clear error message
– Python Example
– Java Example
def crossAccountHandler(event, context):
    try:
        if 'Assumed_Role' in event:
            …………………
        else:
            raise Exception('Assumed_Role not provided as argument')
    except Exception as e:
        e.args += (event, vars(context))
        raise
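The two slides above (report inputs on exception, check arguments up front) combined into one handler. This is an added example written for this page, not the Python or Java sample linked from the deck; the sensitive-key list, the REQUIRED_KEYS tuple and the business-logic placeholder are assumptions. It adds the check a practitioner wants here: the event is attached to the exception only after redaction, because an API Gateway event carries the caller's Authorization header and other payloads can carry tokens, and vars(context) is replaced by the handful of context fields that actually help when debugging.

```python
"""Argument checking plus an exception report that carries the inputs without leaking them.
Added example for this page; it is not the Python or Java sample linked from the deck.
SENSITIVE_KEYS, REQUIRED_KEYS and the 'Assumed_Role' argument are assumptions."""
import copy
import logging

log = logging.getLogger(__name__)

# Keys whose values must never reach CloudWatch Logs (matched case-insensitively).
# API Gateway events carry request headers, so Authorization and Cookie are the usual offenders.
SENSITIVE_KEYS = {"authorization", "cookie", "x-api-key", "password", "secret", "token"}
REDACTED = "***REDACTED***"
REQUIRED_KEYS = ("Assumed_Role",)   # hypothetical: the arguments this handler cannot run without


def redact(obj):
    """Deep-copy obj, replacing values under sensitive keys at any nesting depth."""
    if isinstance(obj, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return copy.deepcopy(obj)


def check_arguments(event, required=REQUIRED_KEYS):
    """Fail fast with one message naming every missing argument, not just the first."""
    if not isinstance(event, dict):
        raise TypeError(f"event must be a dict, got {type(event).__name__}")
    missing = [k for k in required if k not in event]
    if missing:
        raise ValueError("missing required argument(s): " + ", ".join(missing))
    return event


def context_summary(context):
    """The context fields worth keeping; vars(context) dumps everything, including internals."""
    fields = ("aws_request_id", "function_name", "function_version", "memory_limit_in_mb")
    return {name: getattr(context, name, None) for name in fields}


def run_with_error_report(business_fn, event, context):
    """Validate, run business_fn(event), and on any failure attach the redacted inputs
    and the request id to the exception before re-raising so Lambda records the failure."""
    try:
        check_arguments(event)
        return business_fn(event)
    except Exception as e:
        e.args += (redact(event), context_summary(context))
        log.exception("handler failed")   # stack trace plus the redacted args above
        raise


def cross_account_handler(event, context):
    """Lambda entry point: the Lambda-specific layer stays thin and delegates to business logic."""
    return run_with_error_report(lambda ev: {"role": ev["Assumed_Role"]}, event, context)
```

redact() returns a copy, so the handler keeps working on the original event; the redacted copy is what ends up in e.args and therefore in the log line. Extend SENSITIVE_KEYS for whatever your own payloads carry rather than relying on the default list.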
Specify Lambda Source Repo
• Explicitly put the source repository name in the Lambda comments
– In most organizations, the repository name isn’t obvious
– Others changing your code need it
– You don’t want source control to be out of date
"""
secretLambda.py
……………
Source Control: https://github.com/Derek-Ashmore/AWSDevOpsUtilities
"""
Separate Lambda from Business Logic
• Make business logic reusable
– Callable by other applications
– Usable on premises
• Easier to locally develop and debug
– Lambda-specific logic is thin!
def startStopHandler(event, context):
    try:
        executeStopStart(datetime.datetime.now()
            , os.getenv('Scheduled_StartTime', '')
            , os.getenv('Scheduled_StopTime', '')
            , os.getenv('Scheduled_StartStop_Days', 'M,T,W,R,F'))
        ……………
        return 0
    except Exception as e:
        e.args += (event, vars(context))
        raise
This is low-hanging fruit that will be appreciated by
your fellow developers!
• Log all inputs and environment on exception
(redact tokens and PII before they reach the log)
• Check all arguments up front
• Document the source repo at the top.
• Repo readme can have other
developer specifics
• Separate Lambda code from business
logic
• Now let’s talk design and operations….
Automate builds and deployments!
Lambda Copies Everywhere!
• Changes / Bug Fixes need to be deployed everywhere
• Solving with automation solves the wrong problem!
One Copy for All!
• Scalable – only need to add accounts over time
• Bugfixes in one place
• Configuration usually in common DynamoDB table(s)
• Sample in Python here
Cross-Account Execution
• Algorithm is
– Assume a remote-account role using STS
• The response has temporary credentials
– Create a session using the remote account creds
– Do work in the remote account
• Example here: Derek-Ashmore/AWSDevOpsUtilities (Github)
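The three-step algorithm above in working form, with the checks that keep an event-supplied role ARN from turning the Lambda into a confused deputy. This is an added example written for this page, not the code in Derek-Ashmore/AWSDevOpsUtilities; the event key 'Assumed_Role', the Allowed_Accounts environment variable, the EC2 listing as the "work" and the constructed STS response are assumptions.

```python
"""Cross-account execution: assume a role in the target account with STS, then do the
work through a session built from the temporary credentials. Added example written for
this page; it is not the code in Derek-Ashmore/AWSDevOpsUtilities. The event key
'Assumed_Role', the 'Allowed_Accounts' variable and the sample response are assumptions."""
import os
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")   # STS constraint on RoleSessionName
SESSION_SECONDS = 900                                  # STS minimum; one invocation needs no more


def parse_role_arn(role_arn):
    """Return (account_id, role_name); reject anything that is not an IAM role ARN."""
    m = ROLE_ARN_RE.match(role_arn or "")
    if not m:
        raise ValueError(f"Assumed_Role is not an IAM role ARN: {role_arn!r}")
    return m.group(1), m.group(2)


def check_target_allowed(role_arn, allowed_accounts):
    """An event-supplied ARN must not be able to point the Lambda at an arbitrary account."""
    account_id, _ = parse_role_arn(role_arn)
    if account_id not in allowed_accounts:
        raise PermissionError(f"account {account_id} is not in Allowed_Accounts")
    return account_id


def session_name_for(request_id):
    """RoleSessionName shows up in the remote account's CloudTrail; carry the request id in it
    so a remote API call can be traced back to this invocation."""
    name = "lambda-" + re.sub(r"[^\w+=,.@-]", "-", request_id)
    return name[:64]


def session_kwargs_from_sts(assume_role_response, region):
    """Map the STS AssumeRole response onto boto3.Session keyword arguments."""
    creds = assume_role_response["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"],
            "region_name": region}


def remote_session(role_arn, request_id, allowed_accounts, region="us-east-1", sts_client=None):
    """Assume the remote role and return a boto3.Session holding only its temporary credentials."""
    import boto3   # imported here so the helpers above stay importable without boto3
    check_target_allowed(role_arn, allowed_accounts)
    sts = sts_client or boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn,
                           RoleSessionName=session_name_for(request_id),
                           DurationSeconds=SESSION_SECONDS)
    return boto3.Session(**session_kwargs_from_sts(resp, region))


def cross_account_handler(event, context):
    """Entry point: validate, assume, work. The remote role's trust policy must name this
    Lambda's execution role as principal, and the execution role needs sts:AssumeRole on it."""
    if "Assumed_Role" not in event:
        raise ValueError("Assumed_Role not provided as argument")
    allowed = {a.strip() for a in os.environ.get("Allowed_Accounts", "").split(",") if a.strip()}
    session = remote_session(event["Assumed_Role"], context.aws_request_id, allowed)
    ec2 = session.client("ec2")
    return [i["InstanceId"] for r in ec2.describe_instances()["Reservations"] for i in r["Instances"]]


# Constructed STS response with fake credential values, for trying the helpers offline.
SAMPLE_STS_RESPONSE = {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "fakeSecret",
                                       "SessionToken": "fakeToken", "Expiration": "2020-09-21T00:15:00Z"}}
```

The account allowlist is the point: the Lambda's execution role is typically trusted by an identically named role in every managed account, so without the check anyone who can send it an event can choose which account it acts in. Keeping the duration at 900 seconds and the request id in the session name costs nothing and makes the remote account's CloudTrail readable.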
For workloads over 15 min
• Executor that invokes lambda asynchronously for
each account
• Sample in Python here
Limit Custom Nesting to One Level
• Debugging with nested executions is
– Time consuming and difficult
– Can’t do locally
– Absolutely requires unique correlation id for the entire transaction
• Allows you to tell invocation history for one logical transaction
– Instead of deep custom nesting, use AWS Step Functions
• Use Step Functions if you need more
Nested Calls using AWS Step Functions
• AWS Step Functions
– Uses a State Machine model
• Think turnstile at a train station
– States are “Locked” and “Unlocked”
– Locked → Payment input allowed, then “Unlocked”
– Unlocked → One person allowed through, then “Locked”
– Automatically provides correlation between invocations
• Unified logs for the entire transaction
– Now traced by AWS X-Ray (09/2020)
• Execution time and health per Step Function workflow
Operations and Design Habits
• Automate Builds and Deployments
• Only install Lambdas once
• Limit Lambda nesting to One Level
• Step functions if you need more
• Now let’s talk dependencies and secrets
Use Configuration Injection
• No environment specifics hardcoded in the Lambda deployment
• Use Environment Variables on the Lambda Definition
– No plaintext secrets (e.g. database password): anyone with lambda:GetFunctionConfiguration can read them
• Use Arguments in the triggering event
– No plaintext secrets: event payloads end up in the caller's code and in logs
• Anti-Example
– Splunk forwarding Lambda with hard-coded Splunk channels
Providing Secrets to Lambdas
• A secret is anything a caller must hold to get access: passwords, API keys, tokens, private keys.
• Use IAM Roles to grant permission to read secrets
• Options are:
– Use KMS
• Encrypt the credential with KMS and base64-encode the ciphertext (the execution role needs kms:Decrypt on that key)
– Place the ciphertext in an environment variable; decrypt once at initialization, not on every invocation
• Sample Lambda and Encryption Script (here)
– Use a Digital Vault (e.g. AWS Secrets Manager)
• Sample Lambda here
AWS Secrets Manager
• Use IAM Roles to grant
permission to read secrets
• You don’t need a “secret” to
get a “secret”!
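Both options from the "Providing Secrets" slide behind one small cache, which also shows what the configuration-injection rule looks like for a secret. This is an added example written for this page, not the sample Lambdas linked from the deck; the variable names DB_PASSWORD_CIPHERTEXT and DB_SECRET_ID, the encryption context and the TTL values are assumptions. The cache object lives at module level so a warm execution environment decrypts once, the TTL and invalidate() let a rotated secret take effect, and __repr__ keeps the value out of the tracebacks that the error-reporting pattern earlier in the deck produces.

```python
"""Reading secrets inside a Lambda: the execution role's IAM permissions are the only
"credential", the value is fetched once per execution environment and cached with a TTL so
rotation is picked up, and it is never written to logs. Added example for this page, not the
sample Lambda linked from the deck. DB_PASSWORD_CIPHERTEXT, DB_SECRET_ID, the encryption
context and the TTLs are assumptions."""
import base64
import json
import os
import time


class SecretCache:
    """A module-level instance survives warm invocations; it refetches after ttl_seconds."""

    def __init__(self, fetch, ttl_seconds=300, clock=time.monotonic):
        self._fetch = fetch           # callable returning the plaintext secret
        self._ttl = ttl_seconds
        self._clock = clock           # injectable for testing
        self._value = None
        self._expires_at = 0.0
        self.fetch_count = 0          # observability only

    def get(self):
        now = self._clock()
        if self._value is None or now >= self._expires_at:
            self._value = self._fetch()
            self._expires_at = now + self._ttl
            self.fetch_count += 1
        return self._value

    def invalidate(self):
        """Call after an authentication failure so the next get() sees a rotated secret."""
        self._value, self._expires_at = None, 0.0

    def __repr__(self):
        return "SecretCache(<redacted>)"   # keeps the value out of tracebacks and log dumps


def parse_secret_json(secret_string, key):
    """Secrets Manager usually stores a JSON document; pull one field out of it."""
    return json.loads(secret_string)[key]


def kms_env_fetcher(var_name, encryption_context):
    """Option 1: KMS ciphertext, base64-encoded, stored in an environment variable.
    The EncryptionContext must match what the encryption script used, or Decrypt fails."""
    def fetch():
        import boto3   # lazy so the cache logic runs without AWS libraries
        ciphertext = base64.b64decode(os.environ[var_name])
        resp = boto3.client("kms").decrypt(CiphertextBlob=ciphertext,
                                           EncryptionContext=encryption_context)
        return resp["Plaintext"].decode("utf-8")
    return fetch


def secrets_manager_fetcher(secret_id, key=None):
    """Option 2: Secrets Manager; the execution role needs secretsmanager:GetSecretValue on secret_id."""
    def fetch():
        import boto3
        resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
        return parse_secret_json(resp["SecretString"], key) if key else resp["SecretString"]
    return fetch


# Built at import time, so one decrypt/fetch serves every warm invocation of this environment.
DB_PASSWORD = SecretCache(kms_env_fetcher("DB_PASSWORD_CIPHERTEXT", {"app": "secretLambda"}),
                          ttl_seconds=900)
DB_CREDENTIALS = SecretCache(secrets_manager_fetcher(os.environ.get("DB_SECRET_ID", "prod/db"),
                                                     key="password"), ttl_seconds=900)


def handler(event, context):
    """Entry point: the secret is read through the cache and never returned or logged."""
    password = DB_PASSWORD.get()
    # ... connect to the database with `password`; on an auth error call DB_PASSWORD.invalidate()
    return {"secret_loaded": bool(password)}
```

A TTL of a few minutes plus invalidate() on an authentication failure is what makes rotation safe: without it a warm container keeps using the old value until it is recycled.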
Avoid Heavy-Footprint Dependencies
• Minimizes load time
– Mitigates cold-start problem
• Java
– Use Guice over Spring
• Python
– Use AWS provided deps first (list is
here)
Idempotence
• Possible for your Lambda to be invoked multiple times for the same event
– Prevent repeat actions from having a different effect.
• Options
– Record the event id –> Skip repeated events
• Most event sources provide a unique request id
– A Lambda invoked directly by another Lambda does not: the payload carries no id unless the caller adds one
• Negatively affects performance
– 1 extra read
– 1 extra write
• Need to roll-off old events
– Ensure that the effect is the same each time
• Not perfect → You don’t control invocation order
Dependency Management
• AWS Layers can be used for
dependency management
– Can upgrade your library
dependencies in one location
• Provides convenience
• Use for custom runtimes!
• Beware of unintended
consequences
– Easy to inadvertently break published Lambdas: a layer change ships into every function that
adopts it, so pin each function to a tested layer version instead of letting the build resolve the newest one
Common Mistakes
• Deploying inappropriate workloads as Lambdas
– Install full Java web application as Lambda
• Needs keep-alive pings to mask cold starts (Provisioned Concurrency now does this, at a cost)
• Not keeping business logic unit-testable
• Creating the distributed monolith
– Lambdas with extensive nested execution
– Lambdas not independently deployable
Further Reading
• This slide deck
– https://www.slideshare.net/derekashmore/presentations
• AWS Lambda Reading List
– http://www.derekashmore.com/2016/04/aws-lambda-reading-list.html
• Amazon’s Published Best Practice List
– https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
Questions?
• Derek Ashmore:
– Blog: www.derekashmore.com
– LinkedIn: www.linkedin.com/in/derekashmore
• Connect Invites from attendees welcome
– Twitter: https://twitter.com/Derek_Ashmore
– GitHub: https://github.com/Derek-Ashmore
– Book: http://dvtpress.com/