Skip to content

Blog

Filtering S3 events by CloudFormation stack

AWS just announced that S3 event notifications now include the system-generated tags attached to the bucket responsible for the notification. This sounds like a small change, but it will enable some useful patterns. It's also at least the third example of an AWS service offering value-add through tag enrichment.

The release notes were a bit light on details, so I verified for myself what tags are (and more importantly: are not) included in events. I also want to take this as an opportunity to promote EventBridge for S3 object notifications, as it's not used nearly enough.

OIDC tokens can now restrict which AWS roles they assume

AssumeRoleWithWebIdentity seems to have a new, barely-documented, policy condition key. It's called sts:RoleAuthorizedByIdp and if you're anything like me (my condolences), that name will pique your interest. It's not super useful today (unless you're running an OIDC IdP), but its utility will grow as adoption improves over time. So here's what I've learned so far.

Apps can now impersonate human access to AWS via IAM Identity Center

Earlier today, AWS IAM Identity Center launched the ability for server-side applications to assume roles on behalf of their users. This is a big deal, I've wanted this exact kind of functionality for years. The docs are pretty sparse on how it works and what the events look like in CloudTrail, so here are my field notes, recommendations on whether you should use it today and feature requests for whichever AWS service team is working on this.

CloudTrail in CloudWatch isn't very good

Amazon has deprecated CloudTrail Lake as of 1st June 2026 for new customers. I assume this is due to lack of uptake. I never got around to properly using it, and I'm a CloudTrail fan! So I can only imagine not many others used it. In its place, Amazon recommends that we "explore CloudWatch". I explored CloudWatch and came away quite disappointed.

Micro-transactions and the first AI-native fax service

I've been interested in micro-transactions for about as long as I can remember. I've wanted to sell something for a tiny amount of money ever since I learned about PayPal's micro-transaction support via NearlyFreeSpeech, the hosting provider. I've finally done it, by combining some of the oldest and newest tech I can think of: faxes and AI.

unofax.com

I've been writing software for 25 years, and been getting paid for the last 20. My AWS account will be turning 18 this September, and it should be quite the celebration. If I may toot my own horn: I've got pretty good at writing and deploying software in that time - to the point that you're actually spending your time reading this blog. All this, and the release of Opus 4.5 in November 2025 hit me like a tonne of bricks. My value-add (as I knew it) would soon be over.

Locking down AWS principal tags with RCPs and SCPs

AWS principal tags are useful for fine-grained access control. As an organisation administrator, you can craft service control policies (SCPs) that only allow tagged roles to call sensitive APIs. The problem then becomes: how do you guarantee that the tags are legitimate? This is where resource control policies (RCPs) come in handy - I provide a demonstration of them in this blog post, and an example of what you can achieve with the trustworthy tags in place.

Querying Terraform state with AWS Athena

Athena is one of my favourite AWS services. Though it's marketed as a big data service, it is useful in many other scenarios. Sometimes I use it as a "grep through unstructured logs in S3" and other times I use it to query CloudTrail logs - but this latter use case is likely better served by CloudTrail Lake nowadays. Today, I'll show how it can be used for querying Terraform state stored in S3.