Welcome to the newest episode of The Cloud Pod podcast! Justin, Ryan, Jonathan, and Matthew are your hosts this week as we discuss all things cloud and AI, as well as Amazon Detective, SageMaker, AWS Documentation, and Google Workstation.
Titles we almost went with (and there’s a lot this week)
The Cloud Pod becomes the cloud docs
The Cloud Pod loves inspector gadget
The Cloud Pod documents the documentation
The Cloud Pod bangs its shin, since geospatial abilities are lacking
The Cloud Pod bangs its shin, since we lack geospatial abilities
The Cloud Pod bangs its shin, if only we had geospatial abilities
Unlike the Cloud Pod, Alibaba Cloud exits the stage
Retiring AWS Documents on GitHub… or how we laid off too many people in our document team and can’t support this albatross anymore
Microsoft Builds AI tools at its Build Conference and Wants you to Build More
A big thanks to this week’s sponsor:
Foghorn Consulting provides top-notch cloud and DevOps engineers to the world’s most innovative companies. Initiatives stalled because you have trouble hiring? Foghorn can be burning down your DevOps and Cloud backlogs as soon as next week.
News this Week:
01:29
Alibaba to Exit Cloud Business After Beijing Undercuts Potential
- Alibaba is apparently planning to spin out its $12 billion cloud business.
- It’s unclear if Alibaba is bowing to market pressures or political pressures; in 2020 Beijing became increasingly suspicious of cloud services operated by private firms, and started cracking down on internet services.
- Alibaba Cloud drew regulatory ire in 2021 for discovering and sharing a flaw before informing authorities (there goes their citizenship score), and was investigated for its role in China’s largest cybersecurity leak.
- Analysts value it at 30B; it was a once-thriving operation that harbored the potential for an AWS level of market control in China.
- “This full spinoff plan involving AliCloud is both bold and puzzling,” Nomura Holdings Inc analysts Jialong Shi and Thomas Shen wrote in a note. “Their current valuation for the unit stands at about $31 billion. AliCloud is BABA’s organic business and is still deemed as one of the long-term drivers for the group even though its growth temporarily slowed down in recent quarters due to macro headwinds. That is why we find it puzzling that BABA has decided to fully spin off this business instead of retaining a minority stake at least.”
04:30 Justin - “We're basically entering a very Cold War period between the US and Chinese. And so that's gonna be interesting to see how that continues to shake out. I saw some articles this week as well, like in The Information about VC firms trying to exit their investments in China and just realizing that it's not gonna be the growth engine they expect it to be. I mean, we talked about here on the show even some of the supply chain issues with China, with the cloud providers and how it's impacted them. And now, I just saw this week, Apple just announced that they were making chips with Broadcom on US soil for some things. So, there's definitely an undercurrent in our politics about China in general.”
05:46 Matt - “On the flip side, I'm kind of curious to see how taking this business unit out of the general Alibaba is going to work, especially with everyone starting to yell that the big tech companies are growing too large and everything. If this could be an interesting test balloon to see how AWS could spin out of Amazon, GCP could spin out of Google, Azure out of Microsoft, it could be an interesting playbook to see how they start to divide up the business units.”
06:15 Justin - “I really don't see anyone doing that unless they're forced to by the government.”
AWS
06:29
Amazon SageMaker Geospatial Capabilities Now Generally Available with Security Updates and More Use Case Samples
- Amazon SageMaker Geospatial capabilities were originally previewed at AWS re:Invent 2022. They are now generally available with some security updates and additional sample use cases.
- This service makes it easy to build, train, and deploy machine learning models using Geospatial data.
- As part of the general availability announcement, they are integrating this capability with KMS and VPC networks.
- AWS is touting several real-world use cases for this technology (check out the linked article for a more in-depth discussion of these topics):
- Maximize Harvest Yield for Food Security
- Damage Assessment
- Climate Change Monitoring
- Predict Retail Demands
- Support Sustainable Urban Development
- Are you excited to try out this new feature? Are you in US West 2? Great! Oh, you’re not? Sad tears - it isn’t available for you yet.
- Time for the $$$ - the free tier is available for 30 days and includes 10 free ML geospatial compute hours, up to 10 GB of free storage and no $150 monthly user fee - for one user. Everything after that will cost you money. Potentially lots of it. So be careful.
07:15 Jonathan - “My first thought was, well how can those poor farmers afford technology like this? And I'm thinking, ahhhh no, we're talking about like Monsantos.”
We’ll be interested to see how AWS uses this tech over time, potentially for PR purposes.
10:07 New – Simplify the Investigation of AWS Security Findings with Amazon Detective
- Detective should have been called inspector, but they already called something else Inspector, so that’s a lost opportunity. Should have asked us first.
- Detective now offers investigation support for findings in AWS Security Hub, in addition to those detected by GuardDuty.
- It’s now easier than ever before to determine the cause and impact of findings coming from new sources such as AWS Identity and Access Management.
- Justin got an abuse report just this morning, which gave him an opportunity to try out Detective, and it was pretty good - except when he actually needed to contact support. So that’s always fun.
12:21 Retiring the AWS Documentation on GitHub
- Do you remember this blog post from 5 years ago? Randomly, we do - 5 years ago Jeff Barr told us that AWS documentation was open source and available on GitHub.
- Now, after a prolonged period of experimentation, AWS will archive most of the repos starting the week of June 5th, and will devote all of their resources to directly improving the AWS documentation and website.
- According to their newest update, the issue was that the primary source for most AWS documentation is an internal system that had to be manually synced with the GitHub repos.
- Despite the efforts of their documentation team, keeping the public repos in sync has proven to be very difficult and time consuming, with several manual steps and some parallel editing.
- This effort was high and consumed time that could have been used in ways that more directly improved the quality of the documentation - they honestly just decided it wasn’t worth it. AKA they laid too many people off and couldn’t keep up.
- Repos containing code samples, sample apps, CloudFormation templates, configuration files and supplementary resources will remain as-is, since those repos are primary sources and get high levels of engagement. Do definitely use the thumbs up / thumbs down feature; they say they’re monitoring that.
14:33 Matt - “I'm just more curious of why it was so hard to sync them.”
15:58 Jonathan - “If they can build out ES and orchestrate SQL server clusters, you'd think they could orchestrate copying some docs up to GitHub. Seems a little odd.”
16:37 Jonathan - “I’m sure it has nothing to do with the fact that they don't want Microsoft using all the contents of GitHub to train AI models or anything else…”
17:00 Welcome to AWS Documentation
Have you seen this portal? Come check out the weird page with us! Maybe you can also send in a complaint about the weird graphic design. We are *not* fans.
19:23 AWS partners bring choice of temporary elevated access capabilities to IAM Identity Center
- Customers of AWS IAM Identity Center can use CyberArk Secure Cloud Access, Ermetic, and Okta Access Requests for temporary elevated access, or just-in-time access.
- This is an ongoing collaboration with partners: AWS Identity validated that these solutions integrate with Identity Center and address common customer requirements, such as the ability to request and approve time-bound access and to audit action logs.
- Temporary elevated access allows a workforce user who does not have standing permission to perform a task, such as changing the configuration of a production environment, to request permission, receive approval, and perform the task during a specified time.
20:09 Ryan - “As someone who's working towards developing this very same solution for a different project, this is fantastic. I think that the ability to have temporary access to cloud resources is a big key. And then especially if you're already leveraging an identity provider, being able to couple those together within IAM Identity Center is fantastic. So I like this.”
GCP
27:28 Cloud Workstations is now Generally Available!
- Work Stations (not Spaces. Just FYI.)
- Last year at Google Cloud Next, they introduced Cloud Workstations in public preview as a vital part of the Software Delivery Shield offering, to help address this challenge. Now they are **thrilled** to announce GA of Cloud Workstations with a list of enhanced features, providing fully managed integrated development environments (IDE) on Google Cloud.
- Cloud Workstations enables faster developer onboarding and increased developer productivity while helping support your compliance requirements with an enhanced security posture. The goals are to speed up developer onboarding and to provide consistent dev environments and security-hardened systems.
- If you would like to force all of your developers to go use a virtual workstation to do all their developer work, this is available to you now! Woohoo!
30:49 Jonathan - “I like the idea of having a standardized desktop with all the tools already installed because it just really sucks to see - especially new employees - spending a month getting things set up. However, I do value my ‘not connected to the internet’ time and I can sit on the plane and do some work locally. There's plenty of opportunities that will be lost, I think, by forcing people to only use this.”
31:12 Ryan - “It's a good option, right? When I think about some of the struggles with data science and access to data, this sort of offering can make that real easier, but I don't think it replaces my local workstation.”
Azure
34:53 Microsoft Build brings AI tools to the forefront for developers
- Microsoft Build was this week, and boy they announced a ton of AI stuff! ALL. THE. STUFF.
- If you have upgraded to Windows 11 or Windows 365, you're about to get a lot of AI in the form of Copilot, which is also opening up Copilot plugins to developers.
- Microsoft will use the same plugin standard as ChatGPT to allow easy interoperability between Azure AI, GitHub AI, and Microsoft Copilot.
- There is a new Azure AI Studio, which will make it simple to integrate external data sources into Azure OpenAI Service.
- They are introducing Azure Machine Learning Prompt Flow to make it easier for developers to construct prompts while taking advantage of popular open-source prompt orchestration solutions like Semantic Kernel.
- Azure Open AI service is bringing advanced models to integrate external data sources into Azure OpenAI Service. In addition, we’re excited to introduce Azure Machine Learning prompt Flow to make it easier for developers to construct prompts while taking advantage of popular open source prompt.
- Justin’s personal favorite - Microsoft Fabric is a new unified platform for analytics that includes data engineering, data integration, data warehousing, data science, real-time analytics, applied observability and business intelligence, all connected to a single data repo called OneLake.
- With Copilot in Fabric in every data experience, customers can use conversational language to create dataflows and data pipelines, generate code and entire functions, build machine learning models or visualize results - real language for the win! Can’t wait to see this one in use.
- Azure Dev Box received new capabilities, including customization using configuration as code and new starter developer images; you can get a whole new developer experience.
37:30 Jonathan - “So we were right about low code being a non-starter. I just don't think we quite saw these AI tools coming quite as fast as they have.”
37:40 Ryan - “Drag and drop we knew wasn't gonna work, but if I could just say it… ok! There's nothing worse than trying to figure out, you know, the fields of a data and, and, you know, dimension it the right way. And then screwing it all up and not knowing how to get back to the three changes that go when it was sort of what you wanted, but not quite. And I do really like this. I've been playing around with more and more solutions that are similar… I’m lazier for it, which is great.”
38:28 Jonathan - “I think the race is officially on now between Google getting Bard or whatever integrations and personal assistants set up on Android phones and maybe Chromebooks. We don't really hear much about Chromebooks anymore.” (Says the guys who have spent a quarter of the podcast talking about Chromebooks.)
Oracle
No new news.
Continuing our Cloud Journey Series Talks
39:54 Security in Cloud Native
- This week in cloud journeys we’re discussing all things security! We know you’ve been waiting patiently for this one. There’s quite a bit to unpack, including connectivity capabilities, dynamic environments, and autoscaling, among other issues. Also on the agenda today:
- Encryption - Encrypt everything EVERYWHERE. All of it. Run the encryption. Make your compliance and security departments happy.
- How do you then manage all the keys? Single key? Per customer? Per environment? Managed provider? There’s a lot of technologies; a lot of things that need to come into play when making decisions.
- Zero Trust Access
- Can be a big part of your security story
- Managed Security Services - DLP, Config, Security Hub, GuardDuty
- Ability to use tokens
- Most cloud providers don't have this as an option for users; so it’s usually 3rd party software or writing your own.
- Secure connectivity between distributed APIs
- Newer Technologies require newer security methods
- Dynamic environments require contextual information about workloads
45:32 Ryan - “We've had decades of managing security in our environments and data centers and we've built tooling to match. And it's always my favorite cloud experience when the security team comes up and says, oh, we've got a vulnerability at this IP. Like, that's not a thing. Like that IP is gone. It's been gone for a long time. Like it's, you know, it's... It is an ephemeral construct and a lot of the tools are built to identify those sorts of things by stuff that's very static in a data center, but it's not very static in a cloud environment.”
48:45 Jonathan - “I think the problem is just that everyone had their own very siloed areas of responsibility. So you'd have the virtualization team and the network team and the, you know, release team, security team, they all have their own separate sets of tools with no access to each of those tools. And so it's really kind of like this is the only way that those machines could be scanned was by feeding it a massive subnet and just pinging everything until they got some response from something, or installing agents everywhere. And it really isn't a model that translates well to the cloud and auto scaling groups or managed instance groups.”
After Show
50:43 “The Need to Visualize a Cloud Infrastructure” aka Justin Does a Thing
www.cloudockit.com
www.lucidchart.com
www.hava.io
Spotted on the Horizon
Next week on the Cloud Pod Podcast…
Closing
And that is another week in the cloud! We would like to thank our sponsor Foghorn Consulting, who is definitely NOT AI generated. Check out our website, the home of The Cloud Pod, where you can join our newsletter and Slack team, send feedback or ask questions at thecloudpod.net, or tweet at us with the hashtag #thecloudpod.