AWS::KinesisFirehose::DeliveryStream talks about BucketARN and RoleARN,
while AWS::Lambda::Permission talks about SourceArn and AWS::Lambda::Function talks about Role (referring to an ARN)

although there is at least one resource, AWS::KinesisFirehose::DeliveryStream (not to mention policy statements), that requires not a bucket name, but a bucket ARN (?!), there's no cloudformation function to get the ARN of a bucket

when running a "delete" action in the background

arn:aws:s3:::some-bucket:foo/* was accepted as a valid resource today (typo :foo should have been /foo)

athena (hive) expects partitions to be part of the indexing path in a key-value pattern (year=YYYY/month=MM/day=DD/hour=HH), but firehose cannot be configured to do that.
given that, automatic partitioning needs to be done manually

http://theburningmonk.com/2017/06/aws-x-ray-and-lambda-the-good-the-bad-and-the-ugly/

Given that we are all grown ups and agree that the best way to secure AWS access is via Roles with permissions, and Users with one permission (i.e. to assume a role) - ref https://cloudonaut.io/improve-aws-security-protect-your-keys-with-ease/ - I have an easy shell alias aws_switch that allows me to switch between profiles with different roles.

Problem is that aws-sdk-js (nor other sdks e.g aws-sdk-go) does not understand that my current shell is a AWS environment with an assumed role.

across the entire Console there are intertwined resources, yet only in very few places one can actually get links to jump from one resource to another e.g. Kinesis Firehose links to the bucket's view in Console.

update your Lambda resource in a stack template by adding a new key Environment.Variables, and you'll see that warm lambda instances are left running, basically still ignoring the new environment variable

one api gateway was about to be end-of-life but we wanted a gradual deprecation, so we removed one resource at a time.

removing all resources was fine, until we wanted to make other changes in that stack.
cloudformation started complaing how the rest api has no methods, thus it cannot create an api deployment anymore... (it managed first time)

imagine you have a diff in a cloudformation stack template similar to

-    "RouteGroup": {
+    "ApiRouteGroup": {
       "Properties": {
         "HostedZoneName": "example.com.",
         "RecordSets": [
           {
             "Name": "foo.example.com",
             "ResourceRecords": [
               "bar.example.com"
             ],
             "TTL": 300,
             "Type": "CNAME"
           }
         ]
       },
       "Type": "AWS::Route53::RecordSetGroup"
     },

basically a rename.

Don't be confused when you see this in your cloudformation event log:

18:17:12 UTC+0100	UPDATE_COMPLETE	AWS::CloudFormation::Stack	ci	
18:17:12 UTC+0100	DELETE_COMPLETE	AWS::Route53::RecordSetGroup	RouteGroup	
18:16:39 UTC+0100	DELETE_IN_PROGRESS	AWS::Route53::RecordSetGroup	RouteGroup	
18:16:36 UTC+0100	UPDATE_COMPLETE_CLEANUP_IN_PROGRESS	AWS::CloudFormation::Stack	ci	
18:16:33 UTC+0100	CREATE_COMPLETE	AWS::Route53::RecordSetGroup	ApiRouteGroup	
18:15:27 UTC+0100	CREATE_IN_PROGRESS	AWS::Route53::RecordSetGroup	ApiRouteGroup	Resource creation Initiated
18:15:24 UTC+0100	CREATE_IN_PROGRESS	AWS::Route53::RecordSetGroup	ApiRouteGroup	
18:15:20 UTC+0100	UPDATE_IN_PROGRESS	AWS::CloudFormation::Stack	ci	User Initiated

CloudFormation DELETES the DNS record !

several services do not offer the possibility to delete items in "item-view", only in "list-view" despite having no multi-selection i.e. you can only delete one by one

example: IAM Roles, S3 Buckets, etc

Executing a cloudformation change-set would result in "Internal Failure" next to the stack itself (not a resource). Very clear error message, no doubt.

Upon trial-and-error investigation, I figured it's a IAM permission issue (giving AdministratorAccess solves the issue).

It's impossible to detect which permissions are missing, support is yet to reply back.

for unknown reasons, s3-firehose prefixes the dumps with a YYYY/MM/DD/HH prefix and cannot be configured to do otherwise

When a stack encounters a failure, if it created a new Firehose resource, it may fail to delete the resource with a message like
"Firehose FOO under accountBAR cannot be deleted in CREATING state".

If not setting ContentType in the call to getSignedUrl, then it is not usable with a content type.
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getSignedUrl-property

• Console > S3: no radio box, and diff click behaviour whether you click the bucket name or the row
• Console > CloudFormation: checkbox performs like a radiobox
• radiobox in a table UI? I can understand actions being limited when having multiple selection, but I do want to be able to delete multiple items at once

Services -> History shows 6 most recent services...
I bet most users use more than 6 every week, and that all users have a considerable screen real estate.

unlike other AWS services, S3 buckets are global and not even scoped by an AWS account, meaning the names need to be unique.

if you want to save yourself the trouble if later on you want to have one bucket per region, name them with a region suffix.

on top of that, bucket contents can be accessed via HTTP, and HTTPS if and only if they don't contain dots. so once again save yourself the trouble and don't use any dots.

the simplest advice that I have is to treat them like domain names, all lowercase, all alphanumeric and hyphens. e.g. <my-own-bucket>-<at-my-company-tld>-<in-this-region> -> builds-example-com-eu-west-1

it is beyond me why there isn't any naming limitation and/or automatic translation. KISS should prevail!

Kinesis Firehose (S3) declares BufferingHints, CompressionFormat, Prefix as optional
http://docs.aws.amazon.com/firehose/latest/APIReference/API_S3DestinationConfiguration.html

but CloudFormation will fail when they are undefined (thus they are required).

as per the docs "Only Amazon S3 buckets that are empty can be deleted. Deletion will fail for buckets that have contents." (even with DeletionPolicy is set to Delete).

why is it like that? I doubt that even AWS knows why. As the creator of that resource, good design says that I should be able to do anything I want with it. Can you imagine if your OS would implement a similar rule? "oh yeah, you created this folder, you have r/w permissions, but hey first delete every file one by one in this folder and then we'll let you delete the folder itself"

PS: the ridiculous situation gets even worse when the bucket is created as part of a cloudformation stack-create process - if the stack fails, then the bucket doesn't get deleted.

one benefit that you buy into when switching to "serverless" cloud architecture is elasticity i.e. just show us the money, and we scale your infrastructure anyway you need. Wrong!

Kinesis shards can only be scaled manually, and you pay for the idle capacity. The mismatch should be corrected by using the capacity as a maximum (i.e. I don't want to pay more than X USD for this dynamodb table being used this month), and you only pay for the used capacity.

or else everyone implements their own always-out-of-date constants
such as https://github.com/tobiipro/aws-util-firecloud/blob/master/src/r53.js
or https://github.com/tobiipro/aws-util-firecloud/blob/master/src/regions.js

http://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html

one benefit that you buy into when switching to "serverless" cloud architecture is elasticity i.e. just show us the money, and we scale your infrastructure anyway you need. Wrong!

DynamoDB read/write capacity can only be scaled manually, and you pay for the idle capacity. The mismatch should be corrected by using the capacity as a maximum (i.e. I don't want to pay more than X USD for this dynamodb table being used this month), and you only pay for the used capacity.

When creating a AWS::ApiGateway::Method resource in cloudformation to act as a simple HTTP reverse proxy, it is still necessary to add set Properties.Integration.IntegrationResponses to the illogical [{"StatusCode": 200}].

On top of that, the source server can reply with any HTTP status code, not just 200 (but thank goodness for this illogical part, I mean!)

deleting a bucket or a firehose requires you to type/paste the resource's name in a confirmation dialog.
but not deleting a kinesis stream...

example:

S3 event notifications were introduced in Nov 2014 https://aws.amazon.com/blogs/aws/s3-event-notification/

only to be superseded in Jan 2016 by CloudWatch events https://aws.amazon.com/blogs/aws/new-cloudwatch-events-track-and-respond-to-changes-to-your-aws-resources/

Why not slap me if I use AWS::S3::Bucket - NotificationConfiguration and tell me "yo, I think you should use AWS::Events::Rule" ?

in the Route53 UI, the table with record sets shows columns with separators that CANNOT be moved

see https://stackoverflow.com/questions/9067993/upload-to-s3-with-curl-using-pre-signed-url-getting-403 https://stackoverflow.com/a/43419319/465684

not able to sort on all columns, and while it's ok not to sort on 100% of the columns, selection of the columns is random and not considering basic user intent (like sorting dates)

e.g. Console > IAM > Users

AWS::KMS::Key policy statements handle a Sid with space,
but AWS::Lambda::Function policy statements cannot and CloudFormation fails with:

Statement IDs (SID) must be alpha-numeric. Check that your input satisfies the regular expression [0-9A-Za-z]*

Firehose can be configured to dump onto an S3 bucket raw or compressed records.

When choosing compression, Firehose will write instead to an object like "foo.gz" (as opposed to the uncompressed "foo") but also set metadata "Content-Encoding: gzip". Other metadata will stay the same "Content-Type: application/octet-stream".

This is not just confusing but plain logic breakdown as any HTTP-knowledge person would tell you. Either don't use the ".gz" extension and stick to "Content-Encoding: gzip", or use it and set "Content-Type: application/gzip" and forget the Content-Encoding header.

• https://news.ycombinator.com/item?id=14601809
• https://thehftguy.com/2016/06/15/gce-vs-aws-in-2016-why-you-should-never-use-amazon/
• https://news.ycombinator.com/item?id=12939856
• http://blog.neptune.io/dos-and-donts-of-dynamodb-autoscaling/
• https://dblooman.com

IAM > Encryption Keys: if my active region (upper-right corner is eu-west-1) then default to it, and not just pick "the first region" (us-east-1)

Console > IAM > Encryption Keys

change the status of a key (enabled or disable) one, and then sort by Status. You'll notice that the sorting happens based on the old status of the key, not the new one.

Kinesis Firehose (S3) declares BufferingHints, CompressionFormat, Prefix as optional.
CloudFormation as required.

s3:PutLogEvents (typo of a logs:PutLogEvents) will succeed