33 posts tagged with "AWS"

Amazon Web Services tutorials and guides

Secrets Manager vs Parameter Store vs Vault — Secure Your Secrets on AWS

· 6 min read
Goel Academy
DevOps & Cloud Learning Hub

A developer pushes a commit. Buried on line 47 of a config file is a database password in plaintext. The repo is public. Within 6 hours, a bot has scraped the credential, connected to the RDS instance, and exfiltrated the user table. This isn't hypothetical — GitHub reports revoking millions of leaked secrets every year. The fix isn't discipline; it's architecture.

Transit Gateway and VPC Peering — Multi-Account Networking on AWS

· 7 min read

You start with one VPC. Then you add a staging VPC. Then a shared-services VPC. Then three more teams each get their own accounts. Suddenly you have 8 VPCs that all need to talk to each other, and you've created a mesh of 28 VPC peering connections that nobody can draw on a whiteboard anymore. This is where Transit Gateway enters the picture.

S3 Security Deep Dive — Bucket Policies, Encryption, and Access Points

· 8 min read

An S3 bucket with default settings is not public — but one misconfigured bucket policy or legacy ACL can expose every object in it to the entire internet. Capital One's 2019 breach leaked 100 million records through an SSRF attack that reached an S3 bucket via an overly permissive IAM role. S3 security is not optional, and "it works" is not the same as "it's secure." Let's lock things down properly.

Auto Scaling on AWS — EC2, ECS, and DynamoDB Scaling Strategies

· 8 min read

Your load balancer is distributing traffic perfectly across three servers. Then a marketing campaign goes live and traffic triples in ten minutes. Two of your servers hit 100% CPU, response times spike to 8 seconds, and users start dropping off. You needed six servers, not three — but only for the next four hours. Auto Scaling adds and removes capacity automatically so you stop paying for servers you don't need and stop losing customers when you don't have enough.

ALB vs NLB vs GWLB — AWS Load Balancers Decoded

· 7 min read

You've got three web servers running without a load balancer. A user's request hits server 1, which is already at 95% CPU, while servers 2 and 3 are idle. Another user gets a timeout because server 1 crashed and there's nothing to redirect the traffic. Load balancers solve both problems — but AWS gives you three types, and picking the wrong one means paying more for less or missing features you actually need.