We are also adding a new option to allow you to opt for delivery of SNS messages in raw format, in addition to the existing JSON format. This is useful if you are using SNS in conjunction with SQS transmit identical copies of a message to multiple queues.

Here's some more information for you:

• 256KB Payloads (SQS and SNS) allows you to send and receive more data with each API call.  Previously, payloads were capped at 64KB.  Now, large payloads are billed as one request per 64KB 'chunk' of payload.  For example, a single API call for a 256KB payload will be billed as four requests. Our customers tell us larger payloads will enable new use cases that were previously difficult to accomplish.
• SNS Raw Message Delivery allows you to pack even more information content into your messaging payloads.  When delivering notifications to SQS and HTTP endpoints, SNS today adds JSON encoding with metadata about the current message and topic.  Now, developers can set the optional RawMessageDelivery property to disable this added JSON encoding.  Raw message delivery is off by default, to ensure existing applications continue to behave as expected.

Getting started with Amazon SNS and Amazon SQS is easy with our free tier of service. To learn more, visit the Amazon SNS page  and the Amazon SQS page.  To learn more about subscribing SQS queues to SNS topics, visit the SQS developer reference guide.

-- Jeff;

The post contains a complete explanation of the policy. You can use it as-is or you can customize it as needed.

-- Jeff;

I interviewed members of our professional services and development teams. I also interviewed the leader of our support organization. The AWS Careers Page contains additional information about each of the job families. We have open positions in North and South America, Europe, Africa, and the Asia-Pacific parts of the world.

If you would like to apply for any of the jobs, please use the email address associated with the job family. I'd also like to ask you to take a moment to fill out the survey.

Professional Services
I spoke with Matt Tavis to learn about his responsibilities as a member of the AWS Professional Services team:

To apply for a position on the AWS Professional Services team, send your resume to awsproservejobs@amazon.com. Don't forget the survey!

Software Development
I spoke with Andrew Dickinson to learn about his job as a senior software development engineer (SDE):

To apply for a position as a software development engineer, send your resume to awssdejobs@amazon.com. Again, don't forget the survey.

Support
Brent Jaye runs the team that provides AWS support to customers around the globe. He is hiring for a multitude of positions:

To apply for a position on the AWS support team, send your resume to awssupportjobs@amazon.com. Did I mention the survey?

I hope that you enjoy  these videos, and that they give you a glimpse of what it is like to work on the team.

-- Jeff;

Stay tuned for next week! In the meantime, follow me on Twitter and subscribe to the RSS feed.

-- Jeff;

FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. With the award of this ATO, AWS has demonstrated it can meet the extensive FedRAMP security requirements and as a result, an even wider range of federal, state and local government customers can leverage AWS’s secure environment to store, process, and protect a diverse array of sensitive government data. Leveraging the HHS authorization, all U.S. government agencies now have the information they need to evaluate AWS for their applications and workloads, provide their own authorizations to use AWS, and transition workloads into the AWS environment.

On May 21, 2013, AWS announced that AWS GovCloud (US) and all U.S. AWS Regions received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) requirements at the Moderate impact level. Two separate FedRAMP Agency ATOs have been issued; one encompassing the AWS GovCloud (US) Region, and the other covering the AWS US East/West Regions. These ATOs cover Amazon EC2, Amazon S3, Amazon VPC, and Amazon EBS. Beyond the services covered in the ATO, customers can evaluate their workloads for suitability with other AWS services. AWS plans to onboard other AWS services in the future. Interested customers can contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.

The FedRAMP audit was one of the most in-depth and rigorous security audits in the history of AWS, and that includes the many previous rigorous audits that are outlined on the AWS Compliance page. The FedRAMP audit was a comprehensive, six-month assessment of 298 controls including:

• The architecture and operating processes of all services in scope.
• The security of human processes and administrative access to systems.
• The security and physical environmental controls of our AWS GovCloud (US), AWS US East (Northern Virginia), AWS US West (Northern California), and AWS US West (Oregon) Regions
• The underlying IAM and other security services.
• The security of networking infrastructure.
• The security posture of the hypervisor, kernel and base operating systems.
• Third-Party penetration testing.
• Extensive onsite auditor interviews with service teams.
• Nearly 1,500 individual evidence files.

The award of this FedRAMP Agency ATO enables agencies and federal contractors to immediately request access to the AWS Agency ATO packages by submitting a FedRAMP Package Access Request Form and begin to move through the authorization process to achieve an ATO using AWS. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at http://www.fedramp.gov .

It is important to note that while FedRAMP applies formally only to U.S. government agencies, the rigorous audit process and the resulting detailed documentation benefit all AWS customers. Many of our commercial and enterprise customers, as well as public sector customers outside the U.S., have expressed their excitement about this important new certification. All AWS customers will benefit from the FedRAMP process without any change to AWS prices or the way that they receive and utilize our services.

You can visit http://aws.amazon.com/compliance/ to learn more about the AWS and FedRAMP or the multitude of other compliance evaluations of the AWS platform such as SOC 1, SOC 2, SOC 3, ISO 27001, FISMA, DIACAP, ITAR, FIPS 140-2, CSA, MPAA, PCI DSS Level 1, HIPAA and others.

-- Jeff;

The first time you copy an EBS snapshot of a volume to a particular Region, all of the data will be copied.  The second and subsequent copies of snapshots from the same volume to the same destination region will be incremental: only the data that has changed since the last copy will be transferred. As a result, the snapshot will transfer less data and complete more quickly than before. 

The magnitude of the improvement will depend on the amount of data that has been changed since the last snapshot copy. To give you a sense for how much of a benefit you can expect, we measured the amount of change between snapshots across a wide variety of EBS volumes running a number of applications. Based on our findings, we expect to see a 50x speedup for the second and subsequent incremental copies of an EBS volume snapshot.

AWS customer Aptean uses EBS Snapshot Copy as part of their enterprise disaster recovery offering.  Aptean Vice President Mario Baldasserini told me that:

Aptean has been using EBS Snapshot Copy since its launch in providing innovative disaster recovery solutions for our worldwide customers.  We are thrilled with the incremental support availability as it will allow us to further reduce our recovery objectives in providing a worldwide product solution on AWS.

I look forward to hearing more about how you leverage the faster cross-Region EBS Snapshot Copy in your own applications.

Earlier this year, we launched the cross-region EC2 AMI Copy feature, which builds on the EBS Snapshot Copy.  Today's enhancement also makes the AMI Copy faster when you copy EBS-backed AMIs.

Other than the speed and efficiency benefits mentioned above, this change is transparent and you need not do anything special in order to take advantage of it if you are making copies using the AWS Management Console, the ec2-copy-snapshot or ec2-copy-image commands, or the CopySnapshot or CopyImage API.

-- Jeff;

Custom SSL Certificates
When a user requests content from a web site using the HTTPS protocol, the web server encrypts the data with a digital certificate before sending it along. The information in the certificate identifies the source of the content and also supplies the decryption key. Protecting content in this way increases user confidence and trust in the site.

When you create a CloudFront distribution, you receive a unique domain name for your distribution – e.g. d123.cloudfront.net. You can use this domain name directly in your URLs, or create a CNAME to something your viewers are familiar with or that represents your brand – e.g. www.mysite.com. However, until today you couldn’t use this CNAME to deliver your content over HTTPS as CloudFront edge servers didn’t have the SSL certificate for your domain to hand out to the browsers. That’s changing today!

You can now upload a SSL certificate and instruct CloudFront to use it when handling HTTPS requests for a particular CloudFront distribution.

To get started, you need to request an invitation on our web site. As soon as your request is approved, you can upload your SSL certificate and use the AWS Management Console to associate it with your distribution. Here's what you need to do:

1. Purchase a Certificate from a Recognized Certificate Authority. Your certificate must be in X.509 PEM format, and must include a certificate chain. CloudFront supports many types of certificates including domain validated certificates, extended validation (EV) certificates, high assurance certificates, wildcard certificates (*.example.com), and subject alternative name (SAN) certificates (example.com and example.net).
   
   
2. Upload the Certificate to Your AWS Account. Use the IAM CLI to upload the certificate to your AWS account as follows:
   
   
   iam-servercertupload -s www.cloudfrontdemo.com -k privatekey.txt -c certchain.txt -b publickey.txt -p/cloudfront -v
   
   Note that you must include the -p (path) option to indicate that the certificate will be used with CloudFront. Read the iam-servercertupload documentation for more information.
   
   
3. Map Your Domain Name to Your Distribution. Create a CNAME record in your site's DNS record set to map the domain or sub-domain to the distribution's domain name. You must also inform CloudFront that the distribution is associated with the domain:
   
   
   
   
   
4. Associate the Certificate with the Distribution:
   
   
   

And that's all it takes!

When your viewers download your content from CloudFront over an SSL connection, their SSL connection will terminate at a CloudFront edge location. This will remove some of the burden of SSL encryption from your origin server. You can also configure CloudFront to use an HTTPS connection for origin fetches, resulting in end-to-end encryption all the way from your origin to your users.

We charge a fixed monthly fee for each custom SSL certificate, with pricing pro-rated to each hour of usage. More information on pricing for the use of SSL certificates is available on the CloudFront pricing page.

Detailed documentation on the entire process is available in the CloudFront Developer Guide.

Root Domain Hosting
You can now use Route 53 (the AWS Domain Name Service) to configure an Alias (A) record that maps the apex or root (e.g. "cloudfront.com") of your domain to a CloudFront distribution.

Once configured, Route 53 will respond to each request with the IP address(es) of the CloudFront distribution. This will allow visitors to easily and reliably access your web site even if they don't specify the customary "www" prefix.

Here's all you need to do:

Route 53 does not charge for queries to Alias records that are mapped to a CloudFront distribution. You can now use Route 53's Alias records instead of CNAME records for all domain entries that point to CloudFront distributions. Read the Route 53 Developer Guide to learn more about this new feature.

-- Jeff, with lots of help from Nihar Bihani;

Update: Some of you have expressed surprise at the price tag for the use of SSL certificates with CloudFront. With this custom SSL certificate feature, each certificate requires one or more dedicated IP addresses at each of our 40 CloudFront locations. This lets us give customers great performance (using all of our edge locations), great security (using a dedicated cert that isn’t shared with anyone else) and great availability (no limitations as to which clients or browsers are supported). As with any other CloudFront feature, there are no up-front fees or professional services needed for setup. Plus, we aren’t charging anything extra for dynamic content, which makes it a great choice for customers who want to deliver an entire website (both static and dynamic content) in a secure manner.

We have supported RHEL on EC2 since November of 2007, and we launched the AWS Free Usage Tier in December of 2010. We are combining these two offerings and customers eligible for the free usage tier now have the option to run RHEL as part of the 750 hours of monthly Linux usage.

You can use the AWS Marketplace (1-Click) or the AWS Management Console to launch a micro instance running RHEL:

Read Getting Started Guide AWS Free Usage Tier to learn how to get started with the free usage tier, or the Red Hat Section to learn about RHEL on EC2.

-- Jeff;

On-Demand prices have been reduced as much as 18% for MySQL and Oracle BYOL (Bring Your Own License) and 28% for SQL Server BYOL. All of your On-Demand usage will automatically be charged at the new and lower rates effective June 1, 2013.

Reserved Instance prices have been reduced as much as 27% for MySQL and Oracle BYOL. The new prices apply to Reserved Instance purchases made on or after June 11, 2013.

Here is a table to illustrate the total cost of ownership for an m2.xlarge DB Instance for MySQL or Oracle BYOL using a 3-year Reserved Instance:

Although Reserved Instance purchases are non-refundable, we are making a special exception for 1-year RI's purchased in the last 30 days and 3-year RI's purchased in the last 90 days. For a limited time, you can exchange recently purchased RI's for new ones. You'll receive a pro-rata refund of the upfront fees that you paid at purchase time. If you would like to exchange an RDS Reserved Instance for a new one, simply contact us.

As you may know from my recent blog post, we have made a lot of progress since releasing Amazon RDS just 3.5 years ago. In addition to the recently announced Service Level Agreement (SLA) for Multi-AZ database instances, you have the ability to provision up to 30,000 IOPS for demanding production workloads, encryption at rest using Oracle's Transparent Data Encryption, and simple disaster recovery using Multi-AZ and read replicas.

-- Jeff;

PS - Here's a full list of AWS price reductions.

Stay tuned for next week! In the meantime, follow me on Twitter and subscribe to the RSS feed.

-- Jeff;