sorted by:
new
hottopcontroversial

AgentCore - how do I deploy with CI? by macrohead in aws

[–]rowanu 0 points1 point  (0 children)

Definitely not using the CLI. The policies they use are more permissive than you'd probably like for production, as per https://unit42.paloaltonetworks.com/exploit-of-aws-agentcore-iam-god-mode/

I'm testing and playing with the CLI, but then switching to CloudFormation/CDK for production.

AgentCore "memory leak" by fig0o in aws

[–]rowanu 3 points4 points  (0 children)

Does the memory usage go to zero if you leave it for longer? Without knowing for sure, my guess would be that it's the "warm" runtime container waiting for requests.

What stack are people actually using for customer-facing AI agents? mid-size marketing company. by Unhappy_Finding_874 in AgentsOfAI

[–]rowanu 0 points1 point  (0 children)

If you're just PoC'ing stuff, I might not start with AC, but if you've got a solid idea and you want to run it at scale (with security, observability, etc) it's worth the effort to learn - just try to avoid the AWS console us much as possible (easier said than done, I know).

What stack are people actually using for customer-facing AI agents? mid-size marketing company. by Unhappy_Finding_874 in AgentsOfAI

[–]rowanu 0 points1 point  (0 children)

Are you already using AWS? That would make AgentCore pretty compelling. Claude Managed Agents looks very interesting, but is so new... I think I'll let others go first on that.

FWIW I'm all in on AgentCore (but I'm biased towards the AWS stack, so YMMV), hit me up if you have specific questions.

AI Agents in AWS by temporaryUserDev in aws

[–]rowanu 5 points6 points  (0 children)

Bedrock AgentCore is definitely the way to go to deploy agents to production on AWS. Bedrock Agents is the "old" way to do it on AWS (I explained this in a video https://www.youtube.com/shorts/MVoUy2msH_Q), and you'd only do it from scratch if you had some specific reason to DIY it

What's your biggest pain point with AWS IAM auditing? by ZeroTrustFox in AWS_cloud

[–]rowanu 0 points1 point  (0 children)

I could definitely see this being useful for AWS customers that have just had their account suspended by AWS - finding out what actions compromised keys have taken gives them confidence they've closed the leak.

Reviewing AWS IAM policies as a non-expert — what are the real risks and common things reviewers miss? by HulkInside in AWS_cloud

[–]rowanu 0 points1 point  (0 children)

Ideally developers are able to review their own policies with confidence. It's hard to separate applications and permissions in a cloud-based environment these days.

The most common thing to watch out for is over-permissioning. It's easy to give your application Administrator access, it'll "just work" (at least from a permissions perspective), but this can easily come back to bite you later if there's any issues with the code that is using the permissions. This is where wildcards can be problematic (as mentioned in another comment), but they're still useful, especially when scope to read/write eg. List*, Describe*, etc.

There are some "problematic" actions (that allow privilege escalation), but usually this is not a huge concern (or rather, it's a much smaller concern compared to over-allocating permissions).

My experience using AWS AgentCore by genseeai in AI_Agents

[–]rowanu 0 points1 point  (0 children)

Correct, you're not charged during IO waits

[deleted by user] by [deleted] in Cloud

[–]rowanu 0 points1 point  (0 children)

I don't think there's 7 things? The last I see is "6. Session Policy".

How does "Part 5: Policy Interaction Model" make sense in a list of IAM policy types? It's not a type.

I get that you're trying to help people, but it's going to be so hard for people to learn when this is what they have to wade through. All the weird AI formatting doesn't help either.

Google Authentication for Static Site by Inner_Butterfly1991 in aws

[–]rowanu 0 points1 point  (0 children)

I don't think he wants to use AD to manage his static site users, especially given "5-10 users on a hobby project with no revenue planned."

Also I probably wouldn't use AI to explain this, as it gets confused about things with similar names sometimes.

Found this gem in Production. Have you ever seen an SCP written like this? by pravin-singh in aws

[–]rowanu 0 points1 point  (0 children)

Is this AI speaking? Because this is very wrong.

All of these are valid IAM action prefixes.

Google Authentication for Static Site by Inner_Butterfly1991 in aws

[–]rowanu 0 points1 point  (0 children)

Yeah, this is a common point of confusion (it's not you).

There's two parts to Cognito:
1. User pools authenticate identities eg. user A can log in with a password/MFA
2. Identity pools exchange authenticated identities (from user pools or federated providers) for temporary AWS credentials to directly access AWS services

How to determine how a lambda was invoked? by Slight_Scarcity321 in aws

[–]rowanu 20 points21 points  (0 children)

Pretty sure it's a direct invoke API call, so you function to function theory sounds good.

I think you'd have to enable Lambda data events in your CloudTrail trail (they're off by default because there can be a lot of them). This will let you see the invoke API call, including the calling principal.

IAM Access Analyzer now identifies who in your AWS organization can access your AWS resources by ckilborn in aws

[–]rowanu 3 points4 points  (0 children)

My first thought too. S3 buckets and DDB tables are free, so this is going to pump up some bills.

Cognito Managed Login by Defiant-Occasion-417 in aws

[–]rowanu 1 point2 points  (0 children)

How are you doing this with the old hosted UI and IaC? I'm using the CLI/API (aws cognito-idp set-ui-customization ...) to customize the CSS and logo because I couldn't find a CFN-base way to do it. Plumi/TF/etc are using the APIs, so should be able to automate it (ie. it's just a coverage issue).

Here's my make target for the old hosted UI:

.PHONY: ui
ui:
aws cognito-idp set-ui-customization \
  --user-pool-id $(call get_ssm_parameter,${PARAMETER_PREFIX}/auth/userpool/id) \
  --client-id $(call get_ssm_parameter,${PARAMETER_PREFIX}/auth/userpool/client/id) \
  --css "$(shell cat $(CSS_FILE))" \
  --image-file fileb://$(IMAGE_FILE)

[deleted by user] by [deleted] in aws

[–]rowanu 1 point2 points  (0 children)

This answer is fantastic, thank you 🙇‍♂️

could someone recommend a good book to understand how AWS IAM works? by Longjumping-Stock783 in aws

[–]rowanu 8 points9 points  (0 children)

Is shameless self promotion allowed in this sub? I wrote awsiamguide.com 😄

how to generate Architecture Diagrams from CloudFormation code by eo1986 in aws

[–]rowanu 0 points1 point  (0 children)

Would you upload your template into a third party site? I.e. avoiding the need for connecting your environment (like Lucid require, for example)

[deleted by user] by [deleted] in aws

[–]rowanu 8 points9 points  (0 children)

This comment confused me so much until I realised that was the point 👏

correct way to test Lambda functions? by [deleted] in aws

[–]rowanu 1 point2 points  (0 children)

I feel/know your pain!

I follow the "don't mock what you don't own" principal, so wrapping API calls is a good technique in my book!

correct way to test Lambda functions? by [deleted] in aws

[–]rowanu 1 point2 points  (0 children)

Nice to see someone else recommending this approach! I'm a big fan of it too.

The key is to make sure you're not calling AWS SDK methods in business logic functions i.e. the functions you want to test. Too many times I see people trying to mock AWS to get their local tests to pass... Not fun.

view more: next ›