Articles

Actually Fixing AWS S3

A concrete proposal for redesigning AWS S3's Account Regional Namespace to finally separate private bucket configuration from public access, eliminating a class of accidental data exposure.

Securing CI/CD Access to AWS

How to securely grant CI/CD pipelines least-privilege access to AWS accounts using Lambda, OU StackSets, and short-lived credentials — no long-lived secrets.

How when AWS was down, we were not

Nothing can have an unlimited uptime. But even when AWS and other hyperscalers are having incidents, we've created an architecture that is resilient to those outages. Here's how we do it for Authress.

AWS Auth Caching Strategies

Trade-offs and patterns for caching authentication and authorization decisions in AWS workloads — reducing latency and cost without sacrificing security correctness.

API Gateway Authorizers: Vulnerable By Design

Exposing a critical flaw in AWS API Gateway's Lambda authorizer caching behavior that allows stale JWT decisions to persist — and how to architect around it.

The Risks of User Impersonation

Why allowing admins to impersonate users creates audit gaps, liability exposure, and subtle authorization bugs — and what to build instead.

Migrating CloudFormation to TF

A practical, zero-downtime migration path from AWS CloudFormation to Terraform — including state import strategies and pitfalls to avoid.

Are millions of accounts vulnerable due to Google's OAuth Flaw?

A rebuttal to Truffle Security's viral Google OAuth disclosure — arguing the actual vulnerability is apps trusting email over the immutable `sub` claim, not a Google flaw.

Magic links and Passwordless login

How magic links and passkeys work under the hood, when to use them, and the security gotchas that trip up teams implementing passwordless authentication.

AWS Advanced: The Quota Monitor Review

A deep-dive review of AWS's Quota Monitor solution — its design trade-offs, gaps, and how to extend it to get actionable alerts before hitting service limits.

Idempotency in DynamoDB

Patterns for implementing idempotent writes in DynamoDB — conditional expressions, idempotency keys, and handling retries safely in distributed systems.

OAuth Login should be standardized — and this is why it cannot be

Why every identity provider implements OAuth login slightly differently, the trust relationship at the core of the problem, and what it would actually take to standardize.

AWS Advanced: Getting SES Production Access

Navigating AWS's SES sandbox restrictions and the exact steps — request templates, bounce handling, and feedback loops — needed to get production sending approved.

Challenges building solutions for user sharable resources

The hidden complexity of letting users share resources with each other — ownership semantics, delegation chains, and why authorization-first design makes it tractable.

How does machine to machine authentication work?

A clear walkthrough of M2M auth flows — client credentials, scoped tokens, and how services authenticate each other without user involvement.

AWS Advanced: Serverless Prometheus in Action

Running Prometheus on Lambda without a persistent server — collecting and remote-writing metrics from serverless workloads using an event-driven scrape architecture.

AWS Metrics: Advanced

Beyond CloudWatch basics — custom metrics, metric math, anomaly detection, and building dashboards that surface actionable signals instead of noise.

AWS VPC: Private Subnets Increase Risk

The counterintuitive argument that private subnets create a false sense of security while adding operational complexity — and what actually protects your workloads.

The Devastating Failure of Technical Leadership

The most common ways technical leaders fail their teams — defaulting to heroics, hoarding context, and confusing technical depth with leadership effectiveness.

Denylists and Invaliding user access

How to implement instant access revocation with short-lived JWTs — token denylists, distributed cache invalidation, and the trade-offs of each approach.

Myths about API HTTP clients

Debunking common misconceptions about how HTTP clients, connection pooling, retries, and timeouts actually work — and the bugs they silently cause.

You are probably testing wrong

Why most test suites give false confidence — the difference between testing behavior vs. implementation, and how to write tests that actually catch production regressions.

Measuring team success

Moving beyond velocity and story points — the leading and lagging indicators that actually tell you whether an engineering team is healthy and improving.

The Required team meetings

The minimal set of meetings an engineering team actually needs — and how to run each one so they create alignment instead of draining focus.

Breaking up the monolith: Breaking changes

How to introduce breaking API changes during a microservices migration without taking down dependent consumers — versioning strategies and parallel-run patterns.

AWS CloudWatch: How to scale your logging infrastructure

Scaling CloudWatch Logs without watching the bill explode — log filtering, sampling strategies, and routing high-volume events to cost-effective storage.

Step-up authorization

Implementing step-up auth — prompting users to re-authenticate or pass MFA only when accessing sensitive actions, without disrupting the rest of the session.

Breaking up the monolith: Zero downtime migrations

Database migration patterns that let you extract services from a monolith without any downtime — strangler fig, dual writes, and live traffic cutover strategies.

Adding Custom Domains to your SaaS

The full stack of what it takes to let SaaS customers bring their own domain — certificate provisioning, routing, multi-tenancy, and the edge cases that bite you.

AWS Cognito: Don't go to production

A candid assessment of AWS Cognito's limitations — the migration lock-in, the missing features, and the edge cases that become production crises at scale.

My DNS doesn't work

A structured debugging guide for DNS failures — TTL traps, split-horizon confusion, propagation delays, and the tools that actually tell you what's happening.

AWS Step Functions: Advanced

Advanced Step Functions patterns — dynamic parallelism, error handling strategies, cross-account execution, and keeping state machine definitions maintainable.

I got a CORS error, now what?

A methodical guide to CORS — what the browser is actually enforcing, why your preflight is failing, and the exact headers needed for every scenario.

Breaking up the monolith: Magic identifiers

How poorly designed IDs — auto-increment integers, opaque hashes — create coupling that makes monolith decomposition painful, and what to use instead.

Can't connect to service running in EC2

The five most common reasons you can't reach your EC2 service — security groups, NACLs, routing tables, OS firewall, and the binding address — with a systematic checklist.

When to use AWS Credentials

A decision tree for when to use IAM roles vs. access keys vs. instance profiles — and the common misuses that quietly introduce credential leakage.

The Punishment of Building a Slack App

A honest account of the Slack app development experience — OAuth flows, event subscriptions, rate limits, and the platform decisions that make it harder than it should be.

JWT access token misconceptions

The most dangerous myths about JWTs — why "stateless" doesn't mean unsecured, the clock skew problem, and what teams get wrong about token validation.

Handling security of long running transactions

Authorization challenges unique to long-running jobs — token expiry mid-flight, permission changes during execution, and how to safely checkpoint and resume.

Creating resources in custom AWS accounts

Cross-account resource provisioning patterns in AWS — role assumption, permission boundaries, and how to automate account vending in a multi-account organization.

To message bus or not to message bus

When event-driven architecture helps and when it just adds indirection — the signals that tell you a message bus will solve your problem vs. create a new one.

Things that are wrong with Terraform

A candid critique of Terraform's design decisions — state management pitfalls, HCL limitations, and the footguns that slow down teams using it at scale.

Making an infinite CSS carousel

Building a seamless looping carousel using pure CSS animations — no JavaScript, no layout jank, and how to tune the timing for any number of slides.

Security for deleting resources

The often-ignored authorization requirements around delete operations — soft deletes, deletion tokens, cascading permissions, and preventing accidental data loss.

The Wolf Pack Team

A team topology pattern for high-autonomy, high-accountability engineering teams — how to structure collaboration so people move fast without stepping on each other.

Promotion in Action: What everyone should know to get to the next level

The unwritten rules of engineering promotions — how decisions actually get made, what managers look for, and how to make your impact visible without playing politics.

API Authentication: Creating service client API keys

How to design, issue, and rotate API keys for service-to-service authentication — key format, storage, scoping, and the lifecycle management often left as an exercise to the reader.

Setup user authentication with any identity provider

A provider-agnostic guide to wiring up user login with OIDC — the discovery document, token validation, and the session management layer that connects them.

Validating JWTs in Web APIs

The correct way to validate JWTs server-side — algorithm pinning, key rotation via JWKS, claim verification, and the subtle mistakes that leave APIs wide open.

How to secure a multitenant application architecture

Data isolation patterns, tenant-scoped authorization, and the architectural guardrails that prevent one tenant's data from leaking into another's.

Choosing the right error code: 401, 403, or 404

Why the choice between 401, 403, and 404 matters for security, UX, and API design — and the information disclosure implications of getting it wrong.

So you want to build your own authorization?

The underestimated complexity of rolling your own authorization system — RBAC edge cases, performance at scale, and why most teams end up rebuilding it three times.

Securely store client IDs and secret access keys

Where and how to store API keys and client secrets in different environments — environment variables, secret managers, and the practices that prevent accidental exposure.