List of features I'd love to see come to AWS. For the most part: improved security, performance, and feature parity with other services and data centres. If you work at AWS and would like to discuss some of these items, you can find me on the AWS Developers Slack Workspace. I'm known for maintaining Middy, the NodeJS AWS Lambda middleware framework.
- Support creating root and intermediate ECDSA certificates (https://letsencrypt.org/upcoming-features/#ecdsa-root-and-intermediates)
- SES DKIM support for using ECDSA (P-384) (https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dkim.html#send-email-authentication-dkim-1024-2048)
- [N/A] Support storing ECDSA (P-521) certificates - deprecated from Chrome
- [N/A] Support creating ECDSA (P-521) certificates - deprecated from Chrome
- Support HTTPS and SVCB records (https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns/) 2024-10-30
- Using OAC with a Lambda Function URL that supports POST. Use case: SSR w/ streaming responses.
- Allow for dual certificate (RSA & ECDSA) (ex https://www.ssllabs.com/ssltest/analyze.html?d=blog.cloudflare.com&s=104.18.29.7&latest)
- Support use of ECDSA P-384 certificates from ACM (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-size-of-public-key)
- Allow `s3-fips` origins (`bucketname.s3-fips.region....`)
- Origin Shield Support in Canada (https://www.foxy.io/blog/cloudfront-vs-cloudflare-and-how-to-reduce-response-times-for-both-by-35/)
- [-] Response Header Policy (easier to meet security best practice and reduce header size) (workarounds, add more behaviours or set to single char):
  - Unable to remove `Server` header. Workaround, set to `_`
  - Unable to set headers to blank (ie `Server`, `X-Powered-By`) 2023-01-03
  - `Content-Security-Policy` incorrectly applies to non-html - workaround possible
  - Add support for `Permissions-Policy`, apply to html and js files only
  - Add support to `Report-To`/`Reporting-Endpoints`, apply to html files only
  - Maybe there needs to be an option to set the mime types a header should be applied to - workaround possible
- Protocol Feature Parity w/ CloudFlare
- [N/A] HTTP/2 PUSH/0-RTT (https://www.linkedin.com/pulse/dear-cloudfront-wheres-server-push-0-rtt-http3-almost-agarwalla/?articleId=6662735421019160577) (Deprecated: https://developer.chrome.com/blog/removing-push/)
- HTTP/3 2022-08-15
- FIPS 140 (https://aws.amazon.com/compliance/fips/)
  - Support on sns, sqs, ssm, states, lambda, ses/email, xray, ecr, ecs, iam, etc in `ca-*` (feature parity to `us-*`)
  - `useFipsEndpoint`/`AWS_USE_FIPS_ENDPOINT` blindly applies to all services, epically fails in `ca-*`
- Plans to update to FIPS 140-3? when? (https://www.encryptionconsulting.com/knowing-the-new-fips-140-3/)
- Easy way to only allow access from CloudFront. OAC now exists, but doesn't support apig.
- LLRT x Middy support
- Enable support for Node.js v20 Permission Model
- Support security policy to limit disk and network access (aws-powertools/powertools-lambda-typescript#690 / https://medium.com/cloud-security/lambda-networking-72e2b915f31b)
- JSON Schema for all lambda events & responses
- AWS Supports multiple libraries for the same thing, simplify
- Allow X-Ray tracing for cold starts
- Function URL and CloudFront Origin Request Policies don't support Svelte named form actions (`?/action`) (MikeBild/sveltekit-adapter-aws#27)
- Function URL querystring keys don't support OData parameters (`?$top`)
- arm64 support for Lambda@Edge
- All services support TLS v1.3 (https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/enforcing-tls.html)
- Support multiple responses
- Early Hints (https://developer.chrome.com/blog/early-hints/) (https://blog.cloudflare.com/early-hints-on-cloudflare-pages/)
- Support Server-Sent Events (SSE) (https://germano.dev/sse-websockets/#sse)
- Allow lambda to run for hours (or fargate w/o a VPC)
- Built-in AbortController timeout signal (See middy implementation https://github.com/middyjs/middy/blob/main/packages/core/index.js#L103-L121)
- Function URLs supports WebSockets
- SDK v3 support for S3 global endpoints
- Support for stream responses (middyjs/middy#678) 2023-04-07
- NodeJS 20 runtime
- NodeJS ESM Full support
- NodeJS ESM runtime unable to access runtime or layer node_modules (Regression?)
- arm64 support in `ca-*` (feature parity to `us-*`) 2022-10-06
- NodeJS v18 runtime (aws/aws-lambda-base-images#47) 2022-11-18
- Inclusion of aws-sdk-v3-js in runtime (aws/aws-sdk-js-v3#2149) 2022-11-18
- ECR image for x-ray daemon should exist in all regions - us-east-1 outage prevented the image from pulling, stopping all containers from running
- Fargate tasks without a VPC (or lambda without time restriction)
- Fargate tasks have up to 30s cold start time when being run as a task
- bastion service for connecting to RDS (make it easier than the few workaround solutions out there). See willfarrell/aws-bastion for how.
- arm64 support in `ca-*` (feature parity to `us-*`)
- Cheaper / Smaller NAT Gateway option
- Cheaper VPC Endpoints, combine all into one, or have all work like gateways
- Allow DNS override apply at the subnet level instead of the VPC level
- Allow Content-Digest header support
- Allow CSP header on HTML files to be set - allows overriding to allow inline styles/scripts with `nonce`/hashes
- For Upload Signed URLs, allow only one file to complete. Additional attempts before expiry should be rejected. Now possible with `If-None-Match`
- Aurora DSQL (successor to Aurora Serverless v2?)
- Supports views, triggers, foreign keys
- Supports postgis
- Data API support
- Aurora Serverless v2
- Data API doesn't support IAM roles (RDS Signer), forces use of Secrets Manager, which goes against least privilege.
- Data API support from read replicas
- Data API support for stream responses
- Multi-region support - replaced by DSQL?
- Performance Insights & Enhanced Logging should not require a min of 2 ACU
- Data API missing support for streams using `COPY TO/FROM` (https://www.lastweekinaws.com/blog/the-aurora-serverless-road-not-taken/)
- Should scale down to zero ACUs (https://www.lastweekinaws.com/blog/the-aurora-serverless-road-not-taken/)
- Data write API in `ca-*`
- BUG: When using a read replica, all instances are unable to scale down to minimum value.
- Postgres v15 (feature parity with RDS) 2023-04-07
- Postgres v14 (feature parity with RDS) 2022-06-22
- Support for Postgres TimescaleDB extension (timescale/timescaledb#65)
- RDS Proxy unable to connect using IAM signer
- Cheaper RDS Proxy
- DAX in `ca-*`
- serverless scales lower 2023-03-02
- Support event sources (CloudFront, APIG HTTP, cloudwatch, s3, sns, console)
- SNS 2023-02-10
- Support for x-ray on CloudFront + WAF + lambda@edge
- Be able to measure during lambda cold start (queue and connect to first request ID?)
- Be able to see longer time period (24-36h)
- Show enabled integrations in Security standards list for easy filtering and viewing (i.e. Prowler)
- Ability to tag a resource with the reason to suppress it in Security Hub. Shows reason inside SecHub. (i.e. Key=EC2.22, Value=Used for Fargate Task that is not always running)
- Lambda.1 no way to pass when Lambda Function URL is used for SSR with POST
- EC2.21 conflicts with AWS Lambda / NAT Gateway Ephemeral ports
- Update `CIS AWS Foundations Benchmark` to v1.4.0 (https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html) 2022-11-10
- Step Function Execution event history links back to specific log, not just log group for lambda and ECS
- X-Ray Traces link back to specific log for lambda and ECS
- Allow easy filtering for logs using Request Id - Request Id timeline view across all services
- CloudWatch RUM in ca-central-1
- CO2 Impact:
  - Have `ca-central-1` & `ca-west-1` classified as green data centres
  - More granular details - by service
  - Toggle egress estimate? CloudFront to IP transfer impact
- IPFS serverless service (Save files to s3, serverless node, serverless http gateway)
- CloudFront & ACM support for Onion Secret services endpoint for Tor