is misspelling the bucket or key. Quick note to self, so I don’t spend another hour in the future triple-checking the IAM policy, KMS key policy, and S3 bucket policy. You can get an AccessDenied because what you’re trying to get doesn’t exist.

How you can prove it to cybersecurity and what it means to your infrastructure lifecycle. — Imagine someone from InfoSec asks you, “how do we control access to the keys that encrypt the logs?” You can tell them, “control access to the logs themselves, and nobody needs access to the keys.” They may object, “But to launch an encrypted EBS volume, you, or the AutoScaling group…

Why You Should Get this Certification, Resources for Learning, and the Exam Experience — I recently passed the Confluent Certified Developer for Apache Kafka (CCDAK) exam. I wanted to share my top tips with you by summarizing my process to prepare for and pass the exam successfully. Why Take This Exam? Certifications are an excellent way to study and stay up to date on the latest curriculum and…

And Why to Get This Certification, the Exam Experience, and Resources for Learning — I’m a solutions architect and work day-to-day with AWS technologies. I recently passed my 13th AWS certification, the AWS Certified Data Analytics Specialty Exam. As an AWS Ambassador, I wanted to share my top tips. Disclaimer: I’m not speaking on behalf of Amazon. Opinions are my own. Why Take This Exam? Motivation

Compared to the output of Ansible facts — I was trying to compare Ansible facts with EC2 instance metadata, to check if instance metadata provides the same level of detail as Ansible does. But after a minute of searching, I didn’t find an example output returned from a call to 169.254.169.254 or fd00:ec2::254, the IP addresses where the…

If you are reading this post, it’s probably because you are knees deep into figuring out how to enable fine-grained access control. And that means you are delegating most of your identity and access management to the controls of the Open Distro for ElasticSearch (now OpenSearch) instead of AWS IAM…

When connecting your AWS environment to a SaaS solution in another AWS account, what do you say if you get asked whether you want to use AWS PrivateLink, Transit Gateway (TGW), or VPC Peering to accomplish this? All three can co-exist in the same environment for different purposes. But let’s…

Gotchas in AWS DataSync for in-cloud data transfers in 2021 — When I was tasked with installing a DataSync agent on EC2 to transfer data from its filesystem to S3, I had some questions. “Why not skip EC2 and sync directly from the EFS filesystem?” “How does the networking work if I skip the EC2 step?” The answers to these questions…

Reasoning about AWS costs using the AWS Cost Explorer and the AWS CLI 🚂 I’ll walk you through a train of thought. Along the way, you’ll see how I discover what aspects of CloudWatch and API Gateway are generating the most charges in the example AWS account, and how I…