Blog
Thoughts on engineering, design, and building great products.
Security: IAM Least-Privilege, Throttling, and WAF
Tighten security for the product. Shrink each function's IAM to exactly the actions it needs instead of granting the whole read-write set, set throttling at API Gateway to fight abuse, discuss where to store secrets, and how to attach WAF to an HTTP API. Verify that least-privilege doesn't break functionality, and watch the system shed load when flooded.
Foundation: IAM Service Roles and the S3 Artifact Bucket
Before building the pipeline you need two foundations: IAM service roles that let AWS services act on your behalf, and an S3 bucket to hold artifacts. This article dissects how service roles and trust policies work — why a service assumes a role for temporary credentials instead of storing keys — then creates the role for CodeBuild and the artifact bucket (versioning enabled) with the AWS CLI.
Open an AWS Account Safely and Set Up a Billing Alert
Create an AWS account the right way: enable MFA on the root account, create an IAM user for daily use, install the AWS CLI, and set a Budget so no bill catches you off guard.