Rowan
rowanu.bsky.social
AWS IAM, cloud security, and serverless
Reposted by Rowan
Do you have an S3 bucket or DDB table with your company's crown jewels? 👑💎 Now IAM Access Analyzer tells you all the users and roles in your organization that have access to them gems. 🧵 (1/8)
June 17, 2025 at 2:40 PM
Who's using CloudFormation Hooks? How are you using them?

They're relevant to my interests 😸 but haven't found a use for them yet.

At this stage, I just really want the web console popup to disappear for good...
Proactively validate your AWS CloudFormation templates with AWS Lambda | Amazon Web Services
AWS CloudFormation is a service that allows you to define, manage, and provision your AWS cloud infrastructure using code. To enhance this process and ensure your infrastructure meets your organization’s standards, AWS offers CloudFormation Hooks. These Hooks are extension points that allow you to invoke custom logic at specific points during CloudFormation stack operations, enabling […]
aws.amazon.com
March 31, 2025 at 11:57 PM
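One concrete use for the Hooks the post above asks about: a pre-provision check that refuses any AWS::S3::Bucket without a full PublicAccessBlockConfiguration. This is an added example written for this page, not code from Rowan's post or from the linked AWS blog. The event and response field names (requestData.targetModel.resourceProperties, hookStatus, errorCode) follow the Lambda Hook contract as documented by AWS at the time of writing and should be checked against the current docs; the sample event is constructed.

```python
"""Lambda-backed CloudFormation Hook: block S3 buckets that lack a full public access block.

Added example, not from the original post. Field names assumed from the AWS Lambda
Hook contract (verify against current docs). SAMPLE_EVENT is constructed, not captured.
"""
import json

# All four settings must be true for a bucket to be considered compliant.
REQUIRED_PAB = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def public_access_findings(props: dict) -> list:
    """Return one message per missing or false PublicAccessBlock setting (empty list = compliant).

    Template authors write booleans as true or "true", so normalise to a string first.
    """
    pab = props.get("PublicAccessBlockConfiguration") or {}
    return [f"{k} must be true" for k in REQUIRED_PAB if str(pab.get(k, "")).lower() != "true"]


def handler(event, context=None):
    """Entry point CloudFormation invokes at the configured invocation point (e.g. CREATE_PRE_PROVISION)."""
    request = event.get("requestData", {})
    props = request.get("targetModel", {}).get("resourceProperties", {})
    result = {"clientRequestToken": event.get("clientRequestToken")}
    if request.get("targetName") != "AWS::S3::Bucket":
        # Hooks can target several types; anything else passes through untouched.
        return {**result, "hookStatus": "SUCCESS", "message": "not a bucket, nothing to check"}
    findings = public_access_findings(props)
    if findings:
        # NonCompliant is the error code CloudFormation surfaces to the stack operator.
        return {**result, "hookStatus": "FAILED", "errorCode": "NonCompliant",
                "message": f"{request.get('targetLogicalId')}: " + "; ".join(findings)}
    return {**result, "hookStatus": "SUCCESS", "message": "public access block present"}


# Constructed sample invocation: two of the four settings are missing, so the hook fails it.
SAMPLE_EVENT = {
    "clientRequestToken": "example-token",
    "actionInvocationPoint": "CREATE_PRE_PROVISION",
    "requestData": {
        "targetName": "AWS::S3::Bucket",
        "targetLogicalId": "CrownJewels",
        "targetModel": {"resourceProperties": {
            "BucketName": "crown-jewels",
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True},
        }},
    },
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The hook only sees the resolved resource properties, so a bucket whose configuration comes from a nested stack or a custom resource still needs a detective control (Config rule, Access Analyzer) behind it.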
AWS IAM updates last week:

- SecurityAudit got an update 🥳 mostly S3 tables
- network-firewall getting flow operations
- route53-recovery-control-config (???) getting resource policies

I'm still not sure why every week there seem to be version updates to some policies, but without actual changes?!
March 31, 2025 at 9:33 PM
Vibe coding diagrams #FAIL

GenAI remains a key part of my daily workflow, but it feels like I'm running into more limitations - anyone else?

In this case, the LLM kept trying the same thing, even though it detected there was a problem with it (very neat!)
March 26, 2025 at 7:19 PM
As more "stuff" gets made (code/blogs/etc) by AI, don't underestimate the power of giving presentations/speaking to advance your career!

Speaking at meetups and conferences has given me such a high ROI for the effort, and it gets easier the more you do it!
March 26, 2025 at 6:48 AM
Having access to the actual resource providers that CloudFormation uses to provision resources has saved me a few times!

This repo is a great compilation by Pat Myron

Just remember, if you use CDK, you use CloudFormation too 😉
GitHub - PatMyron/cloudformation-resource-providers: automated monorepo of public CloudFormation AWS resource providers
automated monorepo of public CloudFormation AWS resource providers - PatMyron/cloudformation-resource-providers
github.com
March 25, 2025 at 9:48 AM
Interesting (maybe) AWS IAM action/policy updates from last week (ending 23/3):

- deeplens gone 🔪🤖
- cleanrooms gets protected (?) jobs
- connect gets data lake integration

15 separate updates detected this week, which is more than usual, but not much to show for it...
March 24, 2025 at 11:19 AM
Here's my dependency diagram for YourPublic.Cloud

Each one of these is its own AWS CloudFormation stack, with its own deployment, tests, etc

The complexity of SaaS is 🤯 no wonder it took me so long... and it's not finished yet!
March 21, 2025 at 3:46 AM
Anyone here actually HAPPY with how their company is using GenAI/LLMs today?

I heard on a podcast that ~50% of people use AI in their work, but only ~7% of companies... and that just doesn't add up! 😅

Do you have a good approach? If so, share it with us please! 🙏
March 20, 2025 at 9:49 AM
How do you do break glass access on AWS?

I saw this example repo from AWS, but I wonder what other solutions people are using...

What do you do if your IdP or Identity Center goes down?
GitHub - aws-samples/aws-cross-account-break-glass-example
github.com
March 18, 2025 at 11:49 PM
Interesting AWS IAM action updates from last week:

- Bedrock gets prompt routing
- Support will allow starting and getting interactions
- Batch will get consumable resources (?)
- Can't set challenge questions for your account anymore

It's not often you see IAM actions removed, but it can happen!
March 17, 2025 at 11:11 PM
Early bird sponsorship for AWS Community Day Australia 2025 is only available for another week!

It's on August 15 in Brisbane.

A bunch of sponsorship packages have already been sold, so if you want to get the best price reach out ASAP!

awscommunitydayaus.com/
March 17, 2025 at 2:37 AM
One of the best articles on AWS Resource Control Policies (RCPs) out there so far: Creating a Data Perimeter
Creating a Data Perimeter with Resource Control Policies (RCPs) and AWS KMS
On November 13th, 2024, AWS released Resource Control Policies (RCPs). These are not Service Control Policies (SCPs), but rather a good complement to SCPs. We see Resource Control Policies as a good way to enforce data perimeters and to protect resources.
www.fogsecurity.io
March 13, 2025 at 8:09 AM
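The article blurb above says RCPs are a good way to enforce data perimeters; the policy below is the basic S3 form of that perimeter, with a small function that shows how its two conditions combine. This is an added example for this page, not code from Rowan's post or from the Fog Security article (which also covers KMS). ORG_ID is a placeholder for your own organization ID, and the evaluator only models the two condition keys in this statement, not the full IAM evaluation logic.

```python
"""Resource Control Policy (RCP) data perimeter for S3, plus a check of how its conditions combine.

Added example, not from the original post or the linked article. ORG_ID is a placeholder.
"""
import json

ORG_ID = "o-exampleorgid"  # placeholder: the aws:PrincipalOrgID of your organization


def s3_data_perimeter_rcp(org_id: str) -> dict:
    """Deny every S3 action on the org's buckets unless the caller is an identity in the
    org or an AWS service principal. Unlike an SCP, an RCP binds to the resources, so it
    still applies when the caller sits in another account or another organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnforceOrgIdentities",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                # The ...IfExists operators also match when the key is absent from the
                # request, which is how anonymous (unauthenticated) requests get caught.
                "StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
                "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
            },
        }],
    }


def rcp_denies(org_id: str, principal_org_id=None, is_aws_service=None) -> bool:
    """Evaluate the two condition blocks above for one request's context keys.

    None means the key is absent from the request context. Condition blocks inside one
    statement are ANDed, so the Deny applies only when both of them match.
    """
    not_in_org = principal_org_id is None or principal_org_id != org_id      # StringNotEqualsIfExists
    not_service = is_aws_service is None or is_aws_service is False          # BoolIfExists "false"
    return not_in_org and not_service


if __name__ == "__main__":
    print(json.dumps(s3_data_perimeter_rcp(ORG_ID), indent=2))
    for label, kwargs in [("same org", {"principal_org_id": ORG_ID}),
                          ("other org", {"principal_org_id": "o-someoneelse"}),
                          ("anonymous", {}),
                          ("AWS service", {"is_aws_service": True})]:
        print(f"{label:12} denied={rcp_denies(ORG_ID, **kwargs)}")
```

Two caveats before attaching this to a root or OU: RCPs, like SCPs, do not affect the management account, so test from a member account; and the default RCPFullAWSAccess policy stays attached alongside your own, which is expected (it is an allow-all that your Deny overrides).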
And the winner of the Longest AWS Service Name Award goes to... AWS Chatbot! 🤖
March 12, 2025 at 2:07 AM
Bitten by a subtle async bug today, and Claude.ai saved me

Using the array index notation on what would *eventually* be an array was instead trying to access the Promise object... and failing silently 🤦‍♂️

It didn't pick it up until I asked very specifically about this logic, but the answer was spot on
March 11, 2025 at 10:26 AM
Reposted by Rowan
And to keep being updated by changes on AWS IAM Managed Policies, please consider following @mamip.bsky.social ✌️
March 10, 2025 at 9:19 AM
Interesting AWS IAM policy & action updates from last week:
- New iotmanagedintegrations action namespace
- New gameliftstreams action namespace
- CloudWatch RUM getting resource policies soon
- AWSFaultInjectionSimulatorECSAccess new version, but only the CreateDate changed? 🤨
March 10, 2025 at 9:07 AM
Reposted by Rowan
New details on the ByBit/Safe{Wallet} breach, and uhhh wow, some really silly blunders on the DPRK side. They still succeeded which is the most upsetting part of all of this. Let's bully some threat actor tradecraft! A🧵
x.com/safe/status/...
Safe.eth on X: "Investigation Updates and Community Call to Action" / X
Investigation Updates and Community Call to Action
x.com
March 6, 2025 at 5:21 PM
Shout out to Brigid Johnson for one of the best explainers of AWS Resource Control Policies (RCPs) out there!

Eventually I'll have time to go through the docs in detail 😆
March 6, 2025 at 6:26 AM
How did you learn to use AWS?

This thread made me realise I was lucky - I learnt AWS when there were only a few services (not even IAM!)

I guess there's got to be *some* upside to getting old 👴
March 5, 2025 at 2:26 AM
I wanted one scan per day (for free accounts - paid get more), but I also want to fail reports that take too long.

Unfortunately I used the same interval for both checks, so a report would be PENDING up until the interval, then it would be marked FAILED.

Super.
Efficient.
Fail.

#buildinpublic
March 4, 2025 at 11:26 AM
Interesting AWS IAM policy updates from last week:

* New qdeveloper action namespace (no API yet)
* bedrock invocation and session actions
* Backup Search Operator managed policy
* cloudshell gets ApproveCommand
* SageMaker Studio gets more Bedrock specific managed policies
March 3, 2025 at 2:00 AM
I broke my sign ups last week 😥

How are people doing end-user/E2E testing in production?
I need recommendations!
February 28, 2025 at 2:50 AM
Quick AWS security win:

Step 1) Enable privileged root actions
Step 2) Delete the root credentials for all your member accounts
Step 3) Sleep better at night 😴
Centralize root access for member accounts - AWS Identity and Access Management
Learn how to secure the root user credentials of your AWS accounts managed using AWS Organizations.
docs.aws.amazon.com
February 27, 2025 at 5:23 AM
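Steps 1 and 2 above, scripted across every member account, as an added example for this page (not code from Rowan's post or from the linked AWS docs). It assumes it runs in the Organizations management account (or the IAM delegated administrator) with boto3 available, and takes the API names and the IAMDeleteRootUserCredentials task-policy ARN from the AWS documentation for centralized root access; verify both against the current docs before running it. The AWS clients are passed in as parameters so the per-account logic can be exercised with fakes.

```python
"""Centralize root access: enable it org-wide, then delete member-account root credentials.

Added example, not from the original post. API names and the task-policy ARN are taken
from the AWS docs for centralized root access; check them before use. Clients are
injected so the functions can be tested without AWS access.
"""

# AWS-managed task policy that scopes a root session to credential deletion only.
DELETE_ROOT_CREDS_TASK = "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"


def enable_centralized_root(iam, orgs):
    """Step 1: turn on privileged root actions for the organization.

    IAM must first be a trusted service in Organizations, hence the enable_aws_service_access call.
    """
    orgs.enable_aws_service_access(ServicePrincipal="iam.amazonaws.com")
    iam.enable_organizations_root_credentials_management()


def member_account_ids(orgs):
    """Every ACTIVE account except the management account, whose root is never centralized."""
    mgmt = orgs.describe_organization()["Organization"]["MasterAccountId"]
    ids, token = [], None
    while True:
        page = orgs.list_accounts(**({"NextToken": token} if token else {}))
        ids += [a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE" and a["Id"] != mgmt]
        token = page.get("NextToken")
        if not token:
            return ids


def delete_member_root_credentials(sts, iam_factory, account_id):
    """Step 2 for one account: open a short root session, then remove the console password
    and any access keys. Returns what was removed so the run can be audited."""
    session = sts.assume_root(
        TargetPrincipal=account_id,
        TaskPolicyArn={"arn": DELETE_ROOT_CREDS_TASK},
        DurationSeconds=900,
    )
    root_iam = iam_factory(session["Credentials"])
    removed = []
    try:
        root_iam.delete_login_profile()  # no UserName: acts on the root user of this session
        removed.append("login-profile")
    except root_iam.exceptions.NoSuchEntityException:
        pass  # account already had no console password
    for key in root_iam.list_access_keys()["AccessKeyMetadata"]:
        root_iam.delete_access_key(AccessKeyId=key["AccessKeyId"])
        removed.append("access-key:" + key["AccessKeyId"])
    return removed


def main():
    import boto3  # imported here so the functions above stay importable without boto3

    iam, orgs, sts = boto3.client("iam"), boto3.client("organizations"), boto3.client("sts")
    enable_centralized_root(iam, orgs)

    def iam_as_root(creds):
        # IAM client bound to the temporary root session returned by AssumeRoot
        return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])

    for account in member_account_ids(orgs):
        print(account, delete_member_root_credentials(sts, iam_as_root, account))


if __name__ == "__main__":
    main()
```

AssumeRoot calls land in CloudTrail in both the caller's and the target account, so put an alert on them: after this script runs, the only legitimate root sessions in member accounts are the task-scoped ones you start on purpose.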
I've got limited space for another short-term/async consulting client.

I specialise in AWS IAM and security reviews, keeping cost and compliance on AWS under control, and building serverless solutions to business problems.

If you need help on AWS, let me know!
February 26, 2025 at 9:03 AM