Aidan Steele's blog (usually about AWS)

Step Function execution name format

Wed, 01 Apr 2026 09:00:00 +0000

I was looking at the execution history for a Step Functions state machine that is triggered daily by an EventBridge Scheduler schedule. The execution names caught my eye — they look like UUIDs, they're not UUIDv7, but there's clearly a pattern. It got me excited in the same way that noticing [AWS access key IDs were similarly-formatted][access-key-format] back in 2020. So of course I had to dig in.

Locking down AWS principal tags with RCPs and SCPs

Sat, 21 Feb 2026 03:08:00 +0000

AWS principal tags are useful for fine-grained access control. As an organisation administrator, you can craft service control policies (SCPs) that only allow tagged roles to call sensitive APIs. The problem then becomes: how do you guarantee that the tags are legitimate? This is where resource control policies (RCPs) come in handy - I provide a demonstration of them in this blog post, and an example of what you can achieve with the trustworthy tags in place.

Querying Terraform state with AWS Athena

Sun, 26 Oct 2025 17:06:52 +0000

Athena is one of my favourite AWS services. Though it's marketed as a big data service, it is useful in many other scenarios. Sometimes I use it as a "grep through unstructured logs in S3" and other times I use it to query CloudTrail logs - but this latter use case is likely better served by CloudTrail Lake nowadays. Today, I'll show how it can be used for querying Terraform state stored in S3.

Federating into Azure, GCP and AWS with OIDC

Sun, 27 Jul 2025 06:34:52 +0000

Lately, I've been interested in how third party vendors can best authenticate into their customers' cloud accounts. The status quo in AWS is usually role assumption from the vendor's account to the customers', but what about GCP and Azure? Can OIDC be used to authenticate into all three clouds in approximately the same way? I think the answer is yes, and this blog post aims to show how to do so.

CloudTrail wish: almost granted

Wed, 07 May 2025 00:50:00 +0000

CloudFront-triggered S3 data event formats

Mon, 10 Feb 2025 05:32:00 +0000

CloudTrail wishlist: filtering by principal ARN

Sat, 09 Nov 2024 03:57:00 +0000

Surprising behaviour in AWS web console session duration

Mon, 05 Aug 2024 05:26:00 +0000

Gotcha: always use ARNs for S3 SSE-KMS

Wed, 05 Jun 2024 01:36:00 +0000

When AWS invariants aren't [invariant]

Tue, 20 Feb 2024 00:21:00 +0000

Deep dive into AWS CloudShell

Thu, 11 Jan 2024 21:07:00 +0000

How ima.ge.cx works

Fri, 29 Dec 2023 04:11:52 +0000

An AWS IAM Identity Center vulnerability

Tue, 19 Dec 2023 20:40:00 +0000

Reversing AWS IAM unique IDs

Sun, 19 Nov 2023 21:51:00 +0000

AWS role session tags for GitHub Actions

Wed, 25 Oct 2023 01:24:00 +0000

Useful flags for Go Lambda functions

Wed, 02 Aug 2023 04:04:00 +0000

Lambda CloudTrail data events

Tue, 21 Mar 2023 06:03:00 +0000

A role for all your EC2 instances

Mon, 20 Feb 2023 22:12:52 +0000

Improve GitHub Actions OIDC security posture with custom issuer

Wed, 11 Jan 2023 03:30:52 +0000

Centralised logging: from CloudWatch to Kinesis Firehose

Fri, 16 Dec 2022 22:56:52 +0000