Yubikey Push To Run A Lambda Function
Leveraging a framework to kick off deterministic or AI agent batch jobs and workflows
teriradichel.substack.com/p/mfa-to-run...
Wondering why if Netgear is a US company when I go to login it is directing me to cognito-idp.eu-west-1.amazonaws.com
They don't always report issues that only affect a few customers. Also not sure if it was me or my network. We'll see how it goes today.
Lexus Nexus Breach Involving AWS Secrets Manager, RDS, ECS
Taking a look at the root cause of a breach on AWS, what is actually relevant, and how it may have been prevented
teriradichel.substack.com/p/lexus-nexu...
Never underestimate the value of the OGs.
Took a look at the health dashboard and does not show anything is wrong,
But I did notice Amazon was down today due to deployment issue. Hmm.
I got the commands from Google aimode which was working fine. So I think it was something specific to AWS. I even turned off my firewall to try those actions *gasp* and did not work.
Other parts of AWS console were slow but working. Finally I just opened CloudShell and ran commands to stop all instances and verified stopped.
Looking at the network traffic I can see my browser is trying to reach sa regions when it should stay in us-east-x. I also saw us-west-2 and ca.
I also saw a bunch of denied traffic to sa GuardDuty and other domains with sa in them and the global console domain.
For some reason I could not get to the AWS EC2 dashboard just now to stop an instance. I was trying over and over and looking at all the network traffic.
I had also just created a new account and could not add MFA to it. It kept rejecting my Yubikey. The screens looked different.
This test cost me $75. I thought I had deleted all the resources the same day. Turns out I missed some in an alternate region.
I'm doing some testing here. I would *never* trust AI to deploy resources based on a prompt if I wasn't researching something. Use AI to build deterministic scripts to deploy infrastructure on AWS. Then test and verify they work correctly before you use them in production.
Then it proceeded to set up an EC2 reserved instance associated with that service (yes really) in a region I wasn't operating in.
I set up a script to deploy resources under a certain cost threshold. Turns out the AI intelligent brain thought it was good enough to just pick the first result in the price list for that service. Which was something cheap for a particular service.
But rather than tell me that it's not possible, I got back plausible results with a spot check. It never told me what I was requesting was not possible. It just gave me a script that does something related.
Next, I had AI write a script to calculate the cost of running any AWS command. You can't. (I added it to my AWS wishlist on builder.aws.com)
I think I told it to figure out and use the current region in the prompts. Can double check but will be creating a specific SCP for my lovely and creative agents.
I tested automatically creating some AWS infrastructure scripts and test them. Luckily I have an SCP set up to block all but three regions. It went off and created resources in all three regions.
So here's a couple of fun things I tried that show how counting on AI to do the right thing can go terribly wrong if you are not testing and paying attention.
I came to a lot of the same conclusions as most of the white papers I have read just by using AI with no complicated overhead, infrastructure, or wordiness. Link pinned to my profile. Good Vibes section of my blog.
Everyone is writing these complicated hard to read white papers about AI. If you'd rather get a quick rundown and understanding of how to use AI more effectively using a lot less words to explain, check out my blog posts.
If you don't need AirPlay on your Mac OS I suggest disabling it.
A Multi-Agent Workflow
Creating a multi-agent workflow with Kiro CLI (or any other AI tool for that matter) that processes tasks efficiently
teriradichel.substack.com/p/how-to-cre...
Just found out all my @Substack emails are being flagged as spam in some accounts even after the person adds the sender to the contact list and marks it as not spam. No idea how to resolve that but if you subscribe to my blog, check your spam folder.
I am currently performing API actions in S3 and getting network errors related to an Asia pacific region in the AWS console. What's that all about?
KISS Your AI Prompts
Why you should reduce the complexity of your prompts
teriradichel.substack.com/p/kiss-your-...
I wish on AWS I could….
Add it to the #awswishlist
builder.aws.com/wishlist
Questions to ask when evaluating an authentication mechanism
Why I still use a password with a Yubikey, not a passkey or a pin
Why I dislike device code flow with a browser
How lack of segregation facilitated a Microsoft breach.
Defense in Depth
teriradichel.substack.com/p/questions-...
OAuth redirection abuse enables phishing and malware delivery | Microsoft Security Blog
I just wrote about this type of attack and what you should be asking about authentication processes. Modifying scopes is an authorization issue but it's related.
www.microsoft.com/en-us/securi...
Your Model Matters
Recent experience trying to complete projects with different models
teriradichel.substack.com/p/your-model...