willfarrell/aws-wishlist

List of features I'd love to see come to AWS

AWS Wishlist

List of features I'd love to see come to AWS. For the most part improved security, performance, feature parity with other services and data centres. If you work at AWS and would like to discuss some of these items, you can find me on the AWS Developers Slack Workspace. I'm known for maintaining Middy, the NodeJS AWS Lambda middleware framework.

ACM

• Support storing ECDSA (P-521) certificates
• Support creating ECDSA (P-521) certificates
• Support creating root and intermediate ECDSA certificates (https://letsencrypt.org/upcoming-features/#ecdsa-root-and-intermediates)
• SES DKIM support for using ECDSA (P-384, P-521)

Route53

• Support HTTPS and SVCB records (https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns/)

CloudFront

• Allow Sveltekit named form actions to work with CloudFront Origin Request Policies and Lambda Function URLs. (MikeBild/sveltekit-adapter-aws#27)
• Support use of ECDSA certificates from ACM
• Allows s3-fips origins bucketname.s3-fips.region....
• Origin Shield Support in Canada (https://www.foxy.io/blog/cloudfront-vs-cloudflare-and-how-to-reduce-response-times-for-both-by-35/)
• TLS 1.3 Only option
• [-] Response Header Policy (easier to meet security best practice and reduce header size) (workarounds, add more behaviours or set to single char):
  • Unable to set headers to blank (ie Server, X-Powered-By) 2023-01-03
  • Content-Security-Policy incorrectly applies to non-html - workaround possible
  • Add support for Permissions-Policy, apply to html and js files only
  • Add support to Report-To, apply to html files only
  • Maybe there needs to be an option to set the mime types a header should be applied to - workaround possible
• Protocol Feature Parity w/ CloudFlare
  • [?] HTTP/2 PUSH/0-RTT (https://www.linkedin.com/pulse/dear-cloudfront-wheres-server-push-0-rtt-http3-almost-agarwalla/?articleId=6662735421019160577) (Deprecated: https://developer.chrome.com/blog/removing-push/)
  • HTTP/3 2022-08-15

WAF

• PAT (https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/)

FIPS 140 (https://aws.amazon.com/compliance/fips/)

• Support on sns, sqs, ssm, states, lambda, ses/email, xray, ecr, ecs, iam, etc in ca-* (feature parity to us-*)
  • useFipsEndpoint/AWS_USE_FIPS_ENDPOINT blindly applies to all services, epically fails in ca-*
• Plans to update to FIPS 140-3? when? (https://www.encryptionconsulting.com/knowing-the-new-fips-140-3/)

API Gateway (HTTP)

• Easy way to only allow access from CloudFront

Lambda

• LLRT access
• Enable support for Node.js v20 Permission Model
• JSON Schema for all events & responses
• AWS Supports multiple libraries for the same thing
  • Trace
    • AWS SDK XRay Node
    • AWS Powertools TypeScript
    • Otel
  • Metrics
    • aws-embedded-metrics
    • AWS Powertools TypeScript
    • Otel
  • Logging
    • AWS Powertools TypeScript
    • Otel
• Allow X-Ray tracing for cold starts
• Support for stream responses (middyjs/middy#678) 2023-04-07
• Function URL and CloudFront Origin Request Policies don't support Svelte named form actions (MikeBild/sveltekit-adapter-aws#27)
• Support security policy to limit disk and network access (aws-powertools/powertools-lambda-typescript#690 / https://medium.com/cloud-security/lambda-networking-72e2b915f31b)
• SDK v3 support for S3 global endpoints
• arm64 support for Lambda@Edge
• All services support TLS v1.3 (https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/enforcing-tls.html)
• Built-in AbortController timeout signal (See middy implementation https://github.com/middyjs/middy/blob/main/packages/core/index.js#L103-L121)
• Support multiple responses
  • Early Hints (https://developer.chrome.com/blog/early-hints/) (https://blog.cloudflare.com/early-hints-on-cloudflare-pages/)
  • Support Server-Sent Events (SSE) (https://germano.dev/sse-websockets/#sse)
• Allow lambda to run for hours (or fargate w/o a VPC)
• Function URLs supports WebSockets
• NodeJS 20 runtime
• NodeJS ESM Full support
  • NodeJS ESM runtime unable to access runtime or layer node_modules (Regession?)
• arm64 support in ca-* (feature parity to us-*) 2022-10-06
• NodeJS v18 runtime (aws/aws-lambda-base-images#47) 2022-11-18
• Inclusion of aws-sdk-v3-js in runtime (aws/aws-sdk-js-v3#2149) 2022-11-18

ECS

• ERC image for x-ray daemon should exist in all region -us-east-1 outage prevented image from pulling, stopping all container from running
• Fargate tasks without a VPC (or lambda without time restriction)
• Fargate tasks have 30s cold start time when being run as a task
• bastion service for connecting to RDS (make it easier than the few work around solutions other there)
• arm64 support in ca-* (feature parity to us-*)

VPC (for ECS Fargate Tasks)

• Cheaper / Smaller NAT Gateway option
• Cheaper VPC Endpoints, combine all into one, or have all work like gateways
• Allow DNS override apply at the subnet level instead of the VPC level

S3

• For Upload Signed URLs, allow only one file to complete. Additional attempts before expiry should be rejected.
• Allow CSP header on HTML files to be set - allow overriding to allow inline styles/scripts with nonce/hashes

RDS

• Aurora Serverless v2
  • When using a read replica, all instances are unable to scale down to minimum value.
  • Multi-region support
  • Performace insights should not require a min of 2 ACU
  • Data API Missing, support for streams using COPY TO/FROM (https://www.lastweekinaws.com/blog/the-aurora-serverless-road-not-taken/)
  • Data write API in ca-*
  • Should scale down to zero ACUs (https://www.lastweekinaws.com/blog/the-aurora-serverless-road-not-taken/)
  • Postgres v15 (feature parity with RDS) 2023-04-07
  • Postgres v14 (feature parity with RDS) 2022-06-22
• Support for Postgres TimescaleDB extension (timescale/timescaledb#65)
• Cheaper RDS Proxy
• RDS Proxy unable to connect using IAM signer

DynamoDB

• DAX in ca-*

Neptune

• serverless scales lower 2023-03-02

X-Ray

• Support event sources (CloudFront, APIG HTTP, cloudwatch, s3, sns, console)
  • SNS 2023-02-10
• Support for x-ray on CloudFront + WAF + lambda@edge
• Be able to measure during cold start (queue and connect to first request ID?)
• Be able to see longer time period (24-36h)

Security Hub

• Show enabled integrations in Security standards list for easy filtering and viewing (i.e. Prowler)
• Ability to tag a resource with the reason to suppress it in Security Hub. Shows reason inside SecHub. (i.e. Key=EC2.22, Value=Used for Fargate Task that is not always running)
• EC2.21 conflicts with AWS Lambda / NAT Gateway Ephemeral ports
• Lambda.1 no way to pass when using CloudFront to Lambda Function URL
• Update CIS AWS Foundations Benchmark to v1.4.0 (https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html) 2022-11-10

CloudWatch

• Step Function Execution event history links back to specific log, not just log group for lambda and ECS
• X-Ray Traces link back to specific log for lambda and ECS
• Allow easy filtering for logs using Request Id - Request Id timeline view across all services
• CloudWatch RUM in ca-central-1

BIlling

• CO2 Impact:
  • Have ca-central-1 & ca-west-1 classified as a green data centres
  • More granular details - by service
  • Toggle egress estimate? CloudFront to IP transfer impact

New

• IPFS serverless service (Save files to s3, serverless node, serverless http gateway)
• CloudFront & ACM support for Onion Secret services endpoint for Tor