I've been writing software for 25 years, and been getting paid for the last 20. My AWS account will be turning 18 this September, and it should be quite the celebration. If I may toot my own horn: I've got pretty good at writing and deploying software in that time - to the point that you're actually spending your time reading this blog. All this, and the release of Opus 4.5 in November 2025 hit me like a tonne of bricks. My value-add (as I knew it) would soon be over.
AWS principal tags are useful for fine-grained access control. As an organisation administrator, you can craft service control policies (SCPs) that only allow tagged roles to call sensitive APIs. The problem then becomes: how do you guarantee that the tags are legitimate? This is where resource control policies (RCPs) come in handy - I provide a demonstration of them in this blog post, and an example of what you can achieve with the trustworthy tags in place.
Athena is one of my favourite AWS services. Though it's marketed as a big data service, it is useful in many other scenarios. Sometimes I use it as a "grep through unstructured logs in S3" and other times I use it to query CloudTrail logs - but this latter use case is likely better served by CloudTrail Lake nowadays. Today, I'll show how it can be used for querying Terraform state stored in S3.
Lately, I've been interested in how third party vendors can best authenticate into their customers' cloud accounts. The status quo in AWS is usually role assumption from the vendor's account to the customers', but what about GCP and Azure? Can OIDC be used to authenticate into all three clouds in approximately the same way? I think the answer is yes, and this blog post aims to show how to do so.