Introducing ClickOps Sentinel: AI Context for AWS Console Changes
Even in shops that live by infrastructure as code, someone eventually opens the AWS Console and clicks. A quick fix during an incident, a security group tweak, a “temporary” instance. That is ClickOps, and it is how drift and silent risk creep into an otherwise clean account. I built ClickOps Sentinel at zoph.io to catch those moments and, more importantly, to tell me what they actually mean. Detecting console changes Detection relies on the CloudTrail sessionCredentialFromConsole flag, which AWS sets server-side for every API call made with console session credentials. No user-agent guessing, no CloudTrail trail to create, no S3 log parsing. ...
AI-Augmented Home Assistant
AI-Augmented Home Assistant A small box runs in a network rack at home. It is a Home Assistant Yellow. It turns lights on, watches doors, pings my phone when the washing machine is done, and shuts a roof access point down before it cooks itself in a heatwave. I have not opened that YAML by hand in months. An AI coding agent in my editor does the writing for me. I read the diff, I commit, I reload HA. Everything lives in Git. ...
Replacing 1,500 AWS CLI Calls With One Boto3 Session: 46 min to 2.5 min on Fargate
The 46-Minute Problem The IAMTrail detection engine (originally MAMIP) fetches ~1,500 AWS managed IAM policies every run. The original approach was pure bash: 1 2 3 4 aws iam list-policies --output json | jq -cr '...' | xargs -P 16 -n3 sh -c \ 'aws iam get-policy-version --policy-arn $1 --version-id $2 | jq --indent 4 . > "policies/$3"' sh Looks fine, right? Except each iteration spawns a full AWS CLI process. That means a fresh Python runtime, boto3 import, credential resolution, one single HTTP call, then exit. Times 1,500. ...
IAMTrail.com: The AWS Managed Policy Archive (Evolved from MAMIP)
📜 The Origins Back in 2019, Scott Piper started a GitHub repository to track changes to AWS Managed Policies. It was a simple setup, manually triggered but it worked well and was incredibly useful. Using git diff or the Github.com UI, Scott and the community could easily see how policies evolved over time. At that time, AWS didn’t publicly share the changes made to managed policies by the various “two-pizza” product teams inside AWS. ...
AWS CloudFormation Phishing Attack: A Growing Threat
✨ Introduction It starts with an innocuous-looking email. The sender claims to be AWS Support, warning the recipient about an urgent security issue. A single button labeled “Launch Stack” is prominently placed, urging immediate action. What appears to be a standard security advisory is, in reality, the gateway to a sophisticated AWS account takeover attempt. Threat actors are exploiting AWS CloudFormation StackSets in phishing campaigns designed to compromise AWS environments. Originally reported by Rami McCarthy back in 2022 and by Scott Piper in this blog post (2021), this technique continues to evolve, demonstrating how adversaries leverage AWS automation against its own users. ...