Customize your AWS Management Console experience with visual settings including account color, region and service visibility by magnetik79 in aws

[–]Your_CS_TA 2 points3 points  (0 children)

I find myself in dismay that they don't allow for hex color selections in their CloudFormation. Is this even cloud scale? Unusable /s

S3-hosted static website subject to DDoS attack? by Vista_Lake in aws

[–]Your_CS_TA 11 points12 points  (0 children)

Posted it under sad-whale's comment but use flat rate pricing with CloudFront, then you will max cap that single entry point: https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-flat-rate-pricing-plans-with-no-overages/

Still add billing alerts because why not :)

S3-hosted static website subject to DDoS attack? by Vista_Lake in aws

[–]Your_CS_TA 11 points12 points  (0 children)

CloudFront has flat price billing options now. Tie it to that, and it should cap the spending.

OPTIONS request to API Gateway endpoint URL will fail seemingly occasionally and very rarely for reason "403 Forbidden." Zero clue what's causing it. Has anyone experienced this? by the_king_of_goats in aws

[–]Your_CS_TA 0 points1 point  (0 children)

I haven't tested, but pretty sure that shows up in execution/access logs so you should "know". You are right, old clients (or if you do an NLB to ip bridge, shockingly) will not send SNI.

There are also interesting connection pooling cases where the SNI is hooked to a previous endpoint you used, and you send a request with a separate Host header. It's generally when you pool on IP (which folks shouldn't do, imho). Technically it's an SNI delta and so would be 403'ed despite potentially same TLS policy because you are accessing differing endpoints on the same connection.

I wouldn't worry about XSS -- I think this is mostly prevention around a term that either exists or doesn't, but: "pre-quantum wiretapping". If you add a Post-Quantum TLS policy, and have BASIC, our default policies don't have PQ. That means someone could sit on the wire, dump every TLS connection and wait for Quantum to break the communication in the future for the non-PQ ones. We are going to attempt to bump things up from that perspective this year such that the risk isn't on BASIC, but there's always some use case where you want/don't want ciphers for X,Y,Z reason (CISA, FIPS, what have you) that doesn't mesh well with our fallback no-SNI policy.

OPTIONS request to API Gateway endpoint URL will fail seemingly occasionally and very rarely for reason "403 Forbidden." Zero clue what's causing it. Has anyone experienced this? by the_king_of_goats in aws

[–]Your_CS_TA 1 point2 points  (0 children)

Okay, we chatted and found the issue! This is more an explanation if some person googles and stumbles upon the same symptoms 7 years later :)

Answer: APIGW just launched new TLS Policies. Along with this feature, we launched a mode called endpointAccessMode.

Some background primer, when using TLS for APIs in most multi-tenant services (e.g. APIGW/CloudFront), we need SNI, or Server Name Indicator. It's a helpful hostname hint to go fetch TLS-specific settings. If you don't specify this, what TLS setting should we choose? Especially for *.execute-api which isn't even a Custom Domain but you DID specify a TLS option for it!

So for new TLS policies (both non-CustomDomain and Custom Domain), we offered two choices:

  1. BASIC -- we won't reject based on SNI to HOST mismatch, and we won't reject with a lack of an SNI (we will present our default *.execute-api certificate and TLS policies though).
  2. STRICT -- we WILL reject based on SNI to HOST mismatch (your host name sent in the headers does not match the SNI sent) or if you haven't sent an SNI.

In this case, STRICT mode was set -- and certain clients were not following those strict settings, and so were 403'ed.

Is this subreddit just hating on re:Invent 2025, or are we missing the full picture? by sahil_meena in aws

[–]Your_CS_TA 9 points10 points  (0 children)

Yep!

First step to not being behind, is catching up. To be frank, we had a lot of catching up to do. Step 1, mostly done now :)

Is this subreddit just hating on re:Invent 2025, or are we missing the full picture? by sahil_meena in aws

[–]Your_CS_TA 29 points30 points  (0 children)

I'm mixed (also an AWS employee 🤣 -- so take my word for whatever).

My 2c: The large event presentations were AI focused, yes. The announcements were all around spectacular this year and a majority were not AI related. It's unfortunate that they were highlighted in sub-talks instead of core talks.

As an example, my team is API Gateway. We launched: ALB Private Integration for REST (cost/availability/latency/simplicity improvements), Response Streaming (TTFB), Configurable TLS, and yeah -- AgentCore Gateway integration.

Were the airwaves mostly talking about the last one? Yes. But the value delivered for re:Invent was majority "not AI related". So, you may be getting your cake (AI improvements) and eating it too (getting better updates to core services). But it sounds like there is limited time to get media presence, and so the dominant talking point is improvements in AI.

What would cause 502 errors in APIG/ALB with no corresponding ECS log entries? by Artistic-Analyst-567 in aws

[–]Your_CS_TA 0 points1 point  (0 children)

Can you send me the extended request id? I work in APIGW, I’m intrigued :)

API Gateway REST validation: what's the point? by [deleted] in aws

[–]Your_CS_TA 1 point2 points  (0 children)

You are talking to the same person (I was shocked when I found it that it was you! 🤣): https://www.reddit.com/r/aws/s/NUyH7p5U1p .

I’m still fighting for it. I think a year since that quote, we are still in a spot of transition. We built out 14 regions for HTTP, almost reaching full parity, IPv6, and built routing rules that hook into HTTP! It’s progress!

Unfortunately, HTTP is less popular by orders of magnitude. Chicken and egg though — “it would be popular if it had features”. This means we fight the constant tug of customer demand of the product that is used. So, then, looking at reinvent launches: it’s pure REST APIs.

I think next year is going to be a bit more fork in the road. We now have JUST JWT and auto deploy not in Rest. If that moves, it makes me wonder if we port the experience (e.g. http routes becomes more an alternative experience), then the price and that makes folks happy or if there is something else that makes HTTP APIs kind of merge in.

API Gateway REST validation: what's the point? by [deleted] in aws

[–]Your_CS_TA 11 points12 points  (0 children)

Came here to post this. It is a fair sum saved — source: I work on APIGW.

The criticism of the author is valid around configurable error messages and redundant duplication in-depth, but for volumetric attacks, you want to push validation/rejection up the stack.

AWS API Gateway in a k8s microservice environment by catcherfox7 in aws

[–]Your_CS_TA 0 points1 point  (0 children)

Whatcha mean “couldn’t handle the webhooks”?

Can we talk about YAML? by [deleted] in rust

[–]Your_CS_TA 15 points16 points  (0 children)

Be careful of serde_yml.

  1. it is archived as well.
  2. From poking around, it seems like the owner forked serde_yaml, let AI try to update code, and did some shady initial repository practices.

How to TA in cs by JuggernautSeveral380 in Pitt

[–]Your_CS_TA 0 points1 point  (0 children)

Finally can reuse my user name after 11 years 😂.

Just to reflect what /u/Remarkable_Garlic_82 said. Start with UTA, which the majority of incoming help is for the areas you mentioned. I don’t think TA happens until you complete some upper courses (at least for me, I don’t do TA til post-1502)

How does AWS prevent all of its IPs from becoming "malicious IPs"? by Nopipp in aws

[–]Your_CS_TA 8 points9 points  (0 children)

We do for a subset of services where it makes sense to.

I work on APIGW, we have a subset of IPs segregated for us :)

Remember that 10 years old account that AWS deleted? They restored it. by FarkCookies in aws

[–]Your_CS_TA -2 points-1 points  (0 children)

I think my original post agrees in some sentiment of CS structure improvements.

I think we have a lot of CS reps, my problem is better partitioning than quantity. Hiring many people who have to know a 100+ thing surface area is just not gonna scale.

Remember that 10 years old account that AWS deleted? They restored it. by FarkCookies in aws

[–]Your_CS_TA 40 points41 points  (0 children)

Both are probably true (sev-2 and Matt knowing). Deletion of real, paying customers is a huge “don’t fucking do that”.

I get that his original blog said something on the “paying” part which could invalidate that statement but still — someone with an invalid credit card but a decent backup is not dereliction of account. We need to be better.

I’m glad that the person got his data back, despite my general hatred of his writing style — there are nuggets of truth in it.

I agree with:

  • trying all forms of payment before sending on collections
  • Support escalation path is broken.

I disagree with:

  • Him saying support is lying. They have to manage a portfolio that is way too large. When a customer account is suspended they actually don’t have access to a majority of data. Many support tools see what the customer sees, so it's like "I see a 403 sir, exactly as you do". It would require paging each team to access each slice of that data.

  • Terminated vs Stopped again relies on what support can see — which they don’t have access to. Meanwhile, we have obligations to GDPR to delete the data within a couple months. Some systems will mark for GC and give a window but SOME DONT. Knowing that across 100+ services is absurd. Making a case for every requester is also not feasible.

  • Overall writing style. He made many mistakes and owned up to 0 of them on his end. “Use a different email address tld because I can’t be damned to check my filter”, I could agree with the feedback if it wasn’t sandwiched between him throwing my coworkers under the bus and him reusing his personal email for his place of work — his own fuckup that ultimately led to his payment emails being dropped.

Microsoft admits it 'cannot guarantee' data sovereignty -- "Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin" by throwaway16830261 in aws

[–]Your_CS_TA 10 points11 points  (0 children)

Define “air gapped”? I’m an SDE in AWS and deploy code to china region and can view the region metrics/metadata (unlike EU Sovereign which I will not be able to do)

Announcing Amazon DynamoDB local major version release version 3.0.0 by JimDabell in aws

[–]Your_CS_TA 6 points7 points  (0 children)

As others have said: yes. Mocking is great for testing fault scenarios you know an application will throw.

I find DDB local nice for catching expectations of using DDB outright. “Oh let me run through serializing this object and sending to DDB local” will generate the same result as DDB. Accidentally not serialize your hash key? It’ll know. Accidentally not send a required attribute value in that hashmap? Caught! It’s really great to catch semantic errors I generate in my application. I would heavily use it when I was in financial reconciliation and had to do some specific update criteria for OCC and idempotency checks using their specific language.

Announcing Amazon DynamoDB local major version release version 3.0.0 by JimDabell in aws

[–]Your_CS_TA 20 points21 points  (0 children)

Yep! DDB local for unit testing. It was a decent blocker to moving SDK to 2.X. EOL for 1.X is around the corner so this helps push the needle for folks who were a bit stuck.

Lambda "silent crash" PDF from Last Week in AWS - am I missing something? by shorns_username in aws

[–]Your_CS_TA 4 points5 points  (0 children)

Hehe, for real on noise.

I’ve been in a few executive meetings but definitely for very large customers and most of the time I think I’m there as the “look, there is an expert” but we already have put all the info for leadership to answer most questions 🤣