Do you have an S3 bucket or DDB table with your company's crown jewels? Now IAM Access Analyzer tells you all the users and roles in your organization that have access to them gems. 🧵 (1/8)
Who's using CloudFormation Hooks? How are you using them?
They're relevant to my interests but haven't found a use for them yet.
At this stage, I just really want the web console popup to disappear for good...
AWS IAM updates last week:
- SecurityAudit got an update 🥳 mostly S3 tables
- network-firewall getting flow operations
- route53-recovery-control-config (???) getting resource policies
I'm still not sure why every week there seem to be version updates to some policies, but without actual changes?!
Are you doing the refactor yourself, or just getting a new context window to do it?
I've had good results getting Claude to write the tests, then it's easier for me to refactor (it loves if/else statements more than I do) without regressions.
Vibe coding diagrams #FAIL
GenAI remains a key part of my daily workflow, but it feels like I'm running into more limitations - anyone else?
In this case, the LLM kept trying the same thing, even though it detected there was a problem with it (very neat!)
As more "stuff" gets made (code/blogs/etc) by AI, don't underestimate the power of giving presentations/speaking to advance your career!
Speaking at meetups and conferences has given me such a high ROI for the effort, and it gets easier the more you do it!
Having access to the actual resource providers that CloudFormation uses to provision resources has saved me a few times!
This repo is a great compilation by Pat Myron
Just remember, if you use CDK, you use CloudFormation too
Interesting (maybe) AWS IAM action/policy updates from last week (ending 23/3):
- deeplens gone
- cleanrooms gets protected (?) jobs
- connect gets data lake integration
15 separate updates detected this week, which is more than usual, but not much to show for it...
Here's my dependency diagram for YourPublic.Cloud
Each one of these is its own AWS CloudFormation stack, with its own deployment, tests, etc
The complexity of SaaS is 🤯 no wonder it took me so long... and it's not finished yet!
Anyone here actually HAPPY with how their company is using GenAI/LLMs today?
I heard on a podcast that ~50% of people use AI in their work, but only ~7% of companies... and that just doesn't add up!
Do you have a good approach? If so, share it with us please!
How do you do break glass access on AWS?
I saw this example repo from AWS, but I wonder what other solutions people are using...
What do you do if your IdP or Identity Center goes down?
Interesting AWS IAM action updates from last week:
- Bedrock gets prompt routing
- Support will allow starting and getting interactions
- Batch will get consumable resources (?)
- Can't set challenge questions for your account anymore
It's not often you see IAM actions removed, but it can happen!
Early bird sponsorship for AWS Community Day Australia 2025 is only available for another week!
It's on August 15 in Brisbane.
A bunch of sponsorship packages have already been sold, so if you want to get the best price reach out ASAP!
awscommunitydayaus.com/
One of the best articles on AWS Resource Control Policies (RCPs) out there so far: Creating a Data Perimeter
And the winner of the Longest AWS Service Name Award goes to... AWS Chatbot!
Bitten by a subtle async bug today, and Claude.ai saved me
Using the array index notation on what would *eventually* be an array was instead trying to access the Promise object... and failing silently 🤦‍♂️
It didn't pick it up until I asked very specifically about this logic, but the answer was spot on
And to keep being updated by changes on AWS IAM Managed Policies, please consider following @mamip.bsky.social
Interesting AWS IAM policy & action updates from last week:
- New iotmanagedintegrations action namespace
- New gameliftstreams action namespace
- CloudWatch RUM getting resource policies soon
- AWSFaultInjectionSimulatorECSAccess new version, but only the CreateDate changed? 🤨
New details on the ByBit/Safe{Wallet} breach, and uhhh wow, some really silly blunders on the DPRK side. They still succeeded which is the most upsetting part of all of this. Let's bully some threat actor tradecraft! A 🧵
x.com/safe/status/...
Shout out to Brigid Johnson for one of the best explainers of AWS Resource Control Policies (RCPs) out there!
Eventually I'll have time to go through the docs in detail
www.reddit.com/r/aws/commen...
How did you learn to use AWS?
This thread made me realise I was lucky - I learnt AWS when there were only a few services (not even IAM!)
I guess there's got to be *some* upside to getting old
I wanted one scan per day (for free accounts - paid get more), but I also want to fail reports that take too long.
Unfortunately I used the same interval for both checks, so a report would be PENDING up until the interval, then it would be marked FAILED.
Super.
Efficient.
Fail.
#buildinpublic
Interesting AWS IAM policy updates from last week:
* New qdeveloper action namespace (no API yet)
* bedrock invocation and session actions
* Backup Search Operator managed policy
* cloudshell gets ApproveCommand
* SageMaker Studio gets more Bedrock specific managed policies
Thanks! That's definitely been the #1 answer
I broke my sign ups last week
How are people doing end-user/E2E testing in production?
I need recommendations!
Quick AWS security win:
Step 1) Enable privileged root actions
Step 2) Delete the root credentials for all your member accounts
Step 3) Sleep better at night
I've got limited space for another short-term/async consulting client.
I specialise in AWS IAM and security reviews, keeping cost and compliance on AWS under control, and building serverless solutions to business problems.
If you need help on AWS, let me know!
I'm thinking about running another workshop: For beginners, covering ALL the different AWS policy types (I'm looking at you, Resource Control Policies!) with plenty of service-specific examples.
Let me know if that's interesting to you, or tag someone who might be!
Always check the scale!
I made an AWS IAM permissions error in my Lambda function that broke signups.
If I can still get it wrong after writing awsiamguide.com, then anyone can...