Analyzing VPC Flow Logs to Reduce NAT Gateway Costs

With cloud infrastructure costs increasingly a focus, many organizations are scrutinizing AWS bills for potential savings. NAT Gateway usage can be a significant line item, yet its intricacies can make cost-saving opportunities less obvious. As the standard solution for routing traffic from private subnets to the internet, NAT Gateways are a critical component of many …

Provisioned Concurrency in Serverless Framework Step Functions

This will be a short, but hopefully useful post for anyone trying to keep Lambda functions warm when using them in AWS Step Functions. It was not as straightforward as I initially thought – simply adjusting the provisionedConcurrency value in the function configurations will not suffice. In short, you must specify the Provisioned Concurrency alias …

Reverse Engineering Watermarks on a Professional Photography Platform

Professional photographers often add watermarks to their images to make them easy to identify, indicate copyright, promote their brand, among other reasons. Protecting images from theft online can be challenging and online photo gallery stores commonly employ various measures to deter it, e.g. disabling the context-menu in JavaScript (AKA right-click), stacking/overlaying DOM elements, or other …

Simplified SSO with AWS Application Load Balancer and Azure AD OIDC

AWS Application Load Balancers support what I think is an underappreciated feature: the ability to authenticate requests (via OIDC) at Layer 7. This allows developers to keep almost all authentication outside of the application layer code. An ideal use-case could be an internal-only web application that requires authentication, but little if any RBAC authorization. This …

Building pymssql (FreeTDS) for Lambda

As I discussed in a previous post, connecting to MSSQL with Python in Lambda can be tricky. While I had solved this earlier with pyodbc, using pymssql / FreeTDS is another option and I wanted to similarly share the build process for creating its respective Lambda layer. Here’s the multi-stage Dockerfile: FROM public.ecr.aws/lambda/python:3.9 as …

Event-Driven Access to My Home After a Run

I always run with my phone on me, so accessing my home afterward has been convenient since installing MyQ Wi-Fi connected garage doors several years ago. No need to remember to carry a separate house key anymore and getting into my house is (usually) an app launch away. It has worked great, until one day …

Mystery Timeouts with MS Graph API Webhook Subscriptions and AWS API Gateway

Microsoft Graph API supports a Subscription Resource type that manages their webhook implementation for delivering change notifications to clients. Subscriptions are enabled for several resources, including Outlook messages — this was a perfect fit for my need to manage incoming messages to a shared inbox in O365. At a high-level, an implementation looks like this: …

A Closer Look at Recent HTTP/2 Vulnerabilities Affecting K8s and Other Implementations

A couple of weeks ago, Netflix disclosed a number of resource exhaustion vulnerabilities (identified by Jonathan Looney) present in many third party HTTP/2 implementations. Notably, this directly affected h2 endpoints in Kubernetes (GoLang libraries net/http, x/net/http2) as well as other projects like nginx. Yes, it even has a logo. Though DoS weaknesses usually aren’t particularly …