今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#AWS

找到 154 篇相关文章

AI 资讯

Designing a Three Reviewer Consensus Platform for Digital Harm Reporting

The Problem Real411 is a South African platform where citizens report digital harms: misinformation, incitement, hate speech, and harassment. When someone submits a complaint, it needs to be reviewed by multiple people, assessed against legal criteria, and resolved with a public verdict. The process must be transparent, auditable, and fair. I joined this project early and worked on it extensively over a long period. A senior solutions architect consulted on the database schema design. There was a cloud person who helped with parts of the infrastructure. Other coworkers contributed at different stages. I spent most of my time on the API layer and the frontend components. This article covers the architecture decisions I worked with, what I learned from the senior architect's design choices, and how the system evolved. The Status Machine Most applications model status as a column on a table. You update the value and the old state is gone. That works for simple workflows but fails when you need to know not just where a complaint is now, but how it got there and who made each decision. The senior architect who consulted on the database design suggested an append only status log. Instead of a single status column, the complaint_status table records every transition as a separate row. Each row has the status code, the user who made the change, a timestamp, and optional notes. The current status is derived by querying the most recent row. I implemented this pattern across the API layer. Every status transition became an insert operation rather than an update. It took some adjustment to shift from mutable state to event sourced state, but the benefits were immediate. Auditing became straightforward. The state machine also became easier to implement because each transition is a simple insert with a business logic check, not a conditional update. The schema has seventeen status codes covering the full lifecycle: received, claimed, under assessment, pending secretariat review,

2026-07-15 原文 →
AI 资讯

Building a Real Time Sports Scoring Engine with WebSockets and DynamoDB Streams

The Problem Sports scoring sounds simple. One team scores a point, the number goes up, everyone sees it. But when you build it as a web application that needs to work on courtside tablets, spectator phones, and wall mounted displays simultaneously, with voice commands and tap controls, the architecture becomes more interesting. The project was Scoring AI, a voice enabled match scoring application for sports courts. Players start a match, share a link, and control the scoreboard from any device. The backend handles real time state synchronization, optimistic locking, idempotent score updates, rate limiting, and WebSocket broadcasting. The team was small. Me and a coworker who handled the CI/CD side. We were at the same level, both full stack, and we designed the system together. He focused on the deployment pipeline and infrastructure automation. I focused on the application layer, the real time system, and the frontend. But the architecture decisions were shared. This article covers the technical decisions we made and how patterns from previous projects influenced them. Why DynamoDB for Live Matches The match scoring data is different from the business data around it. A match lasts about an hour, gets updated frequently, and needs to be read by many viewers at once. After the match is complete, it is archived and rarely accessed. I had seen what happens when you put high frequency state updates into a relational database on a previous project. Row locks, contention, connection pool exhaustion. For Scoring AI, we used DynamoDB for the live match state and PostgreSQL for everything else. The hot path needed fast writes, optimistic locking, and automatic cleanup of abandoned matches. DynamoDB provides all of these. The version field on each match record acts as an optimistic lock. Every score update is a conditional write that checks the version has not changed. The cold path uses PostgreSQL through Kysely for user profiles, subscriptions, pricing plans, payment histor

2026-07-15 原文 →
AI 资讯

From Dubai to Thailand: How I Landed a Remote Role at a South African Company

The Next Chapter When I left the waiter job and returned to engineering, I knew I wanted something different. Not just a different job, but a different way of working. The kind where your location does not limit the problems you can solve. I found that in Thailand, working for a South African company called Exonic. Why Bangkok After Dubai, I wanted somewhere with a lower cost of living where I could build runway while working remotely. Bangkok checks that box. The city is a hub for remote engineers. The internet is fast. The infrastructure works. The street food is better than any restaurant I have ever worked in. I arrived with a laptop and a clear goal: find a remote role where I could work on meaningful projects without being tied to a physical office. Landing the Role at Exonic Exonic is a technology consulting company based in South Africa. They serve clients across multiple industries and geographies. When I found the opening, it matched exactly what I was looking for: full time remote, exposure to diverse projects, and the chance to work across the full stack. The interview process was practical. System design discussions, technical assessments focused on AWS and modern frontend frameworks, and conversations about how I approach end to end delivery. I got the offer and accepted it immediately. As a full time remote employee, I was embedded in Exonic's engineering team. My day to day involved building cloud native solutions for their clients, designing architectures on AWS, and shipping production systems across the entire stack. The team was distributed, and the work required communicating clearly across time zones. Three Continents Through One Company Exonic's client base spans the globe. Over my time there, I built production systems touching three different continents. One project was Scoring AI , a voice enabled match scoring application for sports courts. Players start a match, share a link, and control the scoreboard using voice commands. I worked on th

2026-07-15 原文 →
开发者

The Hidden Cost of Manual IAM Review

The Hidden Cost of Manual IAM Review Most teams don't track how long they spend reviewing IAM policies. When I started measuring it on my own team, the numbers were worse than I expected. A thorough manual review of one IAM policy takes 10 to 15 minutes. Not a quick scan. A real review: read every statement, trace every cross-account trust, verify every condition key, check for privilege escalation paths, confirm the resource ARNs match what you think they should. At 4 engineers touching IAM once a week, that's 4 hours a month. 48 hours a year of senior engineers reading JSON documents. And that's the optimistic case. Add a security incident. Add an audit. Add the emergency Friday-afternoon policy change that needs review before deploy. The real number is higher. What manual review misses The problem isn't just the time. It's that humans are bad at repetitive structured-data review, especially under time pressure. Here are the things I've seen slip through manual IAM reviews on production systems: iam:PassRole with no condition. This is the big one. PassRole lets a principal pass a role to a service — and if there's no iam:PassedToService condition, that role can be passed to any service that accepts roles. Including services the attacker controls. The reviewer saw the action, mentally categorized it as "role stuff," and moved on. It was statement 47 of 52 — the reviewer had already been reading policies for 40 minutes. Wildcard resource with sensitive actions. s3:* on Resource: "*" is obvious. s3:GetObject on "arn:aws:s3:::*-backup/*" with a wildcard in the bucket name — that's subtle. The reviewer reads it as "restricted to backup buckets" and moves on. But the wildcard means any bucket ending in -backup , including ones in other accounts if cross-account access is configured. Missing aws:SourceArn on Lambda invocation permissions. When you grant another service permission to invoke your Lambda function, you need aws:SourceArn to prevent the confused deputy

2026-07-15 原文 →
AI 资讯

The Right Way to Start Claude Code on an AWS Project

You know the drill for adding an MCP server to a project: dig the exact command string out of the docs, hand-write a .mcp.json with an absolute path you'll typo once, restart the editor, and discover no tools showed up because the server expected a config file you haven't created yet. Plenty of MCP servers lose their would-be users somewhere inside that loop. Infrawise collapses the whole loop into one command. It's an open-source tool ( npm ) that statically analyzes your codebase, AWS infrastructure, and database schemas, then exposes that context to AI coding assistants over MCP — so Claude Code knows your actual partition keys, GSIs, and indexes instead of guessing from source files. This post is about the part that usually kills tools like this before they deliver any value: setup. Section 1: One command, four steps npm install -g infrawise # or skip install and use npx cd your-project infrawise start --claude start does four things, in order: 1. Probes your environment. If there's no infrawise.yaml in the project, it generates one. It reads AWS_PROFILE if set; otherwise it looks at your configured AWS profiles — one profile means zero questions, several means one prompt asking which to use. That's the entire interview. (If you want the full guided wizard instead, infrawise start --interactive runs it.) 2. Runs the analysis. It scans your AWS services, database schemas, and codebase, builds a graph of services, tables, indexes, and query patterns, and runs rule-based analyzers over it. No LLM is involved in this step — extraction and analysis are deterministic, so the same infrastructure always produces the same graph. 3. Writes .mcp.json to your project root. This is the file you'd otherwise write by hand: { "mcpServers" : { "infrawise" : { "command" : "infrawise" , "args" : [ "serve" , "--stdio" , "--config" , "/absolute/path/to/infrawise.yaml" ] } } } 4. Opens Claude Code. Claude Code reads .mcp.json automatically and starts the session with all 21 infrawise

2026-07-14 原文 →
AI 资讯

AI Data Centers and the Concentration of Wealth

This essay was written with Nathan E. Sanders, and originally appeared in The Guardian . Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fall along party lines. We applaud people coming together for constructive debate on any issue, and agree that communities need to evaluate whether any economic benefits these data centers bring is worth their costs. Still, we worry that a focus on data centers obscures the larger impacts of AI on people’s lives: the concentration of power of AI companies, and their widespread political and financial influence...

2026-07-13 原文 →
AI 资讯

Article: Removing a Hidden Round Trip from a Multi-Region AWS API

When a series of regional outages forced a rethink of a multi-region AWS API, the team discovered that an obstacle to global failover was hiding in plain sight: a pre-flight discovery call baked into every client session years earlier as the only available option. This article describes what it took to remove it, and what the rollout actually cost. By Suresh Gururajan

2026-07-13 原文 →
AI 资讯

AWS Just Made Claude Code Cloud-Native: The Official AWS MCP Server Plugin

AWS released an official Agent Toolkit that plugs Claude Code, Codex, and Cursor directly into your AWS account through a single MCP server. Instead of wiring up IAM roles and endpoints by hand, you install one plugin and the agent can search AWS docs, run sandboxed Python, and follow curated cloud skills with full CloudTrail audit logging. What the AWS Agent Toolkit Actually Is The Agent Toolkit for AWS is an open-source project (published on GitHub at aws/agent-toolkit-for-aws ) that bundles two things: The AWS MCP Server — a managed server that gives agents access to AWS through the Model Context Protocol. Agents can search AWS documentation and pull service information without authentication. To actually execute AWS API calls, run Python in a sandboxed environment, or follow curated skills, the agent authenticates through your existing IAM credentials. Agent plugins — single-install packages that bundle the MCP server configuration and a curated set of agent skills, so you don't configure endpoints and install skills one by one. The point is consolidation. One endpoint, IAM-based access controls, CloudWatch metrics, and CloudTrail logging of every API call for audit visibility. Which Agents It Supports Per AWS's own documentation, plugins ship for Claude Code, Codex, and Cursor . Kiro connects to the AWS MCP Server directly without needing a plugin, and any MCP-capable agent can point at the server manually. The install flow is refreshingly short for Claude Code: /plugin install aws-core@claude-plugins-official /reload-plugins The aws-core plugin is the recommended default — it bundles the MCP server config and skills covering service selection, infrastructure as code (CDK and CloudFormation), serverless, containers, storage, observability, billing, SDK usage, and deployment. A second plugin, aws-agents , provides additional agent-oriented capabilities. Why This Matters for Coding-Agent Users Until now, getting an agent to safely touch your cloud account meant h

2026-07-12 原文 →
AI 资讯

Stop Paying AWS Just to Test Your Code Locally

Every developer building on AWS eventually runs into the same frustrations: waiting for deployments just to verify a small change, needing an internet connection for local development, watching cloud costs grow during testing, and discovering issues in CI that could have been caught earlier. That's exactly why we built LocalEmu. LocalEmu is an open-source AWS emulator that lets you build and test against AWS APIs entirely on your own machine. It supports 132 AWS services and works with the tools you already use every day—AWS CLI, boto3, Terraform, AWS CDK, and Pulumi. Instead of changing your workflow, you simply point your tools to localhost:4566 and continue developing. Unlike many local emulators that only mock API responses, LocalEmu focuses on realistic behavior where it matters most. Lambda functions execute using the official AWS runtime images. EC2 instances run as real containers connected through a virtual network with enforced security groups. RDS uses real PostgreSQL and MySQL engines, and optional IAM policy enforcement allows you to validate authorization rules before deploying to AWS. Getting started takes only a couple of commands: pip install localemu [runtime] localemu start Once running, you can use the included awsemu CLI or simply point your existing AWS CLI, boto3, Terraform, CDK, or Pulumi configuration to localemu. No new SDKs or complex setup are required. LocalEmu also includes a built-in dashboard that launches automatically. It provides a live overview of running services, resource exploration, an S3 object browser, a DynamoDB viewer, CloudTrail event history, and a real-time activity feed so you can inspect what's happening inside your local cloud environment. The biggest advantage is speed. You can iterate in seconds instead of minutes, experiment freely, reset your environment whenever you want, and develop without an AWS account, credentials, or cloud costs for local testing. We're actively improving LocalEmu and would love feedback f

2026-07-12 原文 →
AI 资讯

Building an Instagram AutoDM System at Scale: Webhooks, Event Driven Architecture, and Lessons Learned

Instagram creators love engagement. Every comment is an opportunity to start a conversation, share a product, deliver a resource, or convert a viewer into a customer. The problem is that manually replying to hundreds or thousands of comments doesn't scale. At Vyral , we set out to build an Instagram AutoDM platform capable of serving thousands of creators while handling bursts of traffic generated by viral Reels. Instead of building a traditional chatbot, we designed an event driven system powered by Instagram webhooks, AWS services, and asynchronous processing. This article walks through the architecture, the engineering challenges we encountered, and the lessons we learned while designing a system that can process large spikes of comment events reliably. The Problem Imagine a creator with 2 million followers. A Reel starts trending. Within minutes: 10,000+ comments arrive Thousands of users comment the same keyword Instagram sends webhook events continuously Every eligible comment should trigger a personalized DM From an engineering perspective, this isn't a chatbot problem. It's an event processing problem. The system needs to answer questions like: Which comments qualify? Has this comment already been processed? What happens if Instagram sends the same webhook twice? What if the user deletes the comment? What if our service is temporarily unavailable? How do we avoid overwhelming downstream APIs? Those questions shaped the architecture far more than the messaging logic itself. Why We Chose Webhooks Instead of Polling Polling Instagram every few seconds would have introduced unnecessary latency and API usage for Vyral AutoDM . Instead, Instagram pushes events whenever something happens. The flow looks like this: Instagram │ ▼ Webhook Endpoint │ ▼ Event Validation │ ▼ Event Queue │ ▼ Workers │ ▼ Business Rules │ ▼ Send DM This architecture offers several benefits: Low latency Lower infrastructure cost Better scalability Natural decoupling between components Most i

2026-07-12 原文 →
开发者

Hitting the Iceberg REST Catalog Directly: Understanding the Differences Between Glue Data Catalog and S3 Tables

Original Japanese article : Iceberg REST Catalogを直接叩いて、Glue Data CatalogとS3 Tablesの違いを理解する Introduction I'm Aki, an AWS Community Builder ( @jitepengin ). Most of the time, when working with Iceberg tables, we reach for PyIceberg or Spark. I'm no exception, and honestly there were parts of the PyIceberg configuration — rest.sigv4-enabled , rest.signing-name , warehouse — that I understood only vaguely. Iceberg defines a standard called the Iceberg REST Catalog Open API specification , and AWS implements it through two separate endpoints: The AWS Glue Iceberg REST endpoint ( https://glue.<region>.amazonaws.com/iceberg ) The Amazon S3 Tables Iceberg REST endpoint ( https://s3tables.<region>.amazonaws.com/iceberg ) If two implementations follow the same spec, sending the same requests to both and comparing the results should reveal what's actually different between them. In this article, I'll bypass clients like PyIceberg entirely and hit the REST API directly to explore the differences between the two endpoints. To state the conclusion up front: Even though both implement the same Iceberg REST Catalog specification, Glue is designed as an "entry point to multiple catalogs," while S3 Tables is designed as an "entry point to a single table bucket." That difference is visible just by looking at the URL paths. I previously wrote about the relationship between S3 Tables and Glue Data Catalog in another article — worth a read alongside this one: Does Amazon S3 Tables Replace AWS Glue Data Catalog? Understanding Their Relationship What Is the Iceberg REST Catalog? The Iceberg REST Catalog is a specification that standardizes Iceberg catalog operations as an HTTP API. It's published as an OpenAPI definition (YAML), and any catalog that conforms to it can be accessed the same way from clients such as PyIceberg, Spark, and Trino. The key points of the spec are: URL paths follow a pattern like GET /v1/{prefix}/namespaces , where {prefix} is a free-form segment Clients first call

2026-07-10 原文 →
AI 资讯

Terraform LifeCycle Rules

Day 9 of the 30 Days of AWS Terraform series focuses on Terraform Lifecycle Rules — powerful controls that decide how Terraform creates, updates, replaces, and destroys resources. What Terraform LifeCycle meta arguments are Lifecycle meta arguments allow us to control how Terraform behaves when it creates, updates, or destroys resources. They help us: Avoid downtime Protect important resources Handle changes made outside Terraform Validate configurations before and after deployment Enforcing compliance Controlling replacement behavior Lifecycle rules allow us to override default behavior safely. Lifecycle rules are Terraform-native controls applied inside a resource block: lifecycle { ... } Lifecycle Rules Covered 1️⃣ create_before_destroy — Zero Downtime Updates Problem: Terraform destroys the old resource before creating the new one → downtime. Solution: lifecycle { create_before_destroy = true } Behavior: New resource is created first Old resource is destroyed only after Ensures zero downtime 2️⃣ prevent_destroy — Protect Critical Resources This setting prevents Terraform from deleting a resource. Example If Terraform tries to destroy this resource, it will fail with an error. This is useful for: Production databases State storage buckets Important data resources 3️⃣ ignore_changes — Allow External Modifications Problem: Terraform overwrites manual or automated external changes. Solution: lifecycle { ignore_changes = [desired_capacity] } Demo: Auto Scaling Group desired capacity modified manually in AWS Console terraform apply did not revert the change Behavior: Terraform ignores changes for specified attributes. ✅ Use for: Auto Scaling Groups Resources modified by external systems Ops-driven configurations 4️⃣ replace_triggered_by — Replace When Dependency Changes Problem: Changing a dependency doesn’t always recreate dependent resources. Solution: lifecycle { replace_triggered_by = [aws_security_group.main] } Behavior: When security group changes EC2 instance i

2026-07-08 原文 →
AI 资讯

Deploy Code By Using AWS Continuous Integration And Continuous Delivery (CI/CD) Services | 🏗️ Build A Complete CI/CD Pipeline

Exam Guide: Developer - Associate 🏗️ Domain 3: Deployment 📘 Task 4: Deploy Code By Using AWS Continuous Integration And Continuous Delivery (CI/CD) Services This task tests your ability to build and manage CI/CD pipelines using AWS developer tools. You need to understand how CodeCommit, CodeBuild, CodeDeploy, and CodePipeline work together, how to write buildspec and appspec files, how deployment strategies differ, and how to configure automatic rollbacks. Deployment strategies for Lambda and EC2, SAM deployment preferences, and pipeline orchestration. 📘 Concepts AWS CI/CD Pipeline Overview The four AWS developer tools form a complete CI/CD pipeline: Service Role Input Output CodeCommit Source control Git push Source artifact CodeBuild Build and test Source artifact Build artifact CodeDeploy Deploy Build artifact Running application CodePipeline Orchestration Trigger (push, schedule) Coordinated pipeline execution How they connect: CodeCommit (source) → CodeBuild (build/test) → CodeDeploy (deploy) ↑ | └──────── CodePipeline (orchestrates all) ─────┘ 💡CodePipeline is the orchestrator. It doesn't build or deploy anything itself. It connects stages (source, build, test, deploy) and manages transitions between them. Each stage can use different providers (GitHub instead of CodeCommit, Jenkins instead of CodeBuild, etc.). CodeCommit Fundamentals Feature Details What It Is Managed Git repository hosted in AWS Authentication HTTPS (Git credentials or credential helper) or SSH (SSH keys) Encryption Encrypted at rest (AWS managed keys) and in transit (HTTPS/SSH) Triggers SNS notifications or Lambda functions on repository events Cross-account Use IAM roles with AssumeRole for cross-account access Branching Standard Git branching: main, develop, feature branches 💡CodeCommit supports triggers for push events that can invoke Lambda functions or send SNS notifications. This is different from CodePipeline's source stage: triggers are repository-level events, while CodePipeline po

2026-07-08 原文 →