I build cloud-based systems for startups and enterprises. My background in operations gives me a unique focus on writing observable, reliable software and automating maintenance work.
I love learning and teaching about Amazon Web Services, automation tools such as Ansible, and the serverless ecosystem. I most often write code in Python, TypeScript, and Rust.
B.S. Applied Networking and Systems Administration, minor in Software Engineering from Rochester Institute of Technology.
It’s been a while since I’ve had to pay close attention to WAFs, and I still don’t love the maximum inspected body size of 8 KB for Application Load Balancers and 64 KB for API Gateway, CloudFront, etc. But there were a couple of announcements this week that caught my eye.
First, CloudFront added JA4 fingerprinting, which I’d never heard of. It relies on the differences between TLS library implementations: you can take a fingerprint of the “Client Hello” message that starts any HTTPS connection and, over time, build lists of known-bad or known-good actors. Why use this? The hurdle for changing your fingerprint is at least somewhat higher than stripping session-id cookies, changing the user agent, and defeating other browser-based fingerprints. For full details check out this article from Cloudflare.
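To make the fingerprint concrete, here is an added Python example (mine, not from this post, AWS, or Cloudflare) that derives a JA4 string from already-parsed Client Hello fields following the public JA4 spec; it assumes the raw TLS bytes were parsed elsewhere, and the sample Client Hello values are constructed for illustration. The interesting defender detail is the GREASE filtering: without it, the randomized GREASE values browsers send would make the same client look different on every connection.

```python
import hashlib

# GREASE values (RFC 8701) are randomized per connection, so JA4 drops them
# before counting or hashing; otherwise the same client would never match itself.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}
SNI, ALPN = 0x0000, 0x0010


def _hexlist(values):
    return ",".join(f"{v:04x}" for v in values)


def _hash12(text):
    # Empty input (e.g. no extensions) is encoded as twelve zeros, not a hash.
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "000000000000"


def ja4(ciphers, extensions, supported_versions=(), alpn=None, sig_algs=(),
        sni=True, legacy_version=0x0303, quic=False):
    """Compute a JA4 fingerprint from already-parsed Client Hello fields."""
    ciphers = [c for c in ciphers if c not in GREASE]
    exts = [e for e in extensions if e not in GREASE]
    versions = [v for v in supported_versions if v not in GREASE]
    # JA4_a: transport, highest offered TLS version, SNI present, counts, ALPN.
    version = TLS_VERSIONS.get(max(versions) if versions else legacy_version, "00")
    alpn_code = alpn[0] + alpn[-1] if alpn else "00"  # hex fallback for non-alnum ALPN omitted
    part_a = (f"{'q' if quic else 't'}{version}{'d' if sni else 'i'}"
              f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_code}")
    # JA4_b: ciphers are sorted, so client-side reordering does not change the hash.
    part_b = _hash12(_hexlist(sorted(ciphers)))
    # JA4_c: sorted extensions minus SNI/ALPN (already captured in JA4_a),
    # then signature algorithms in the order the client sent them.
    ext_text = _hexlist(sorted(e for e in exts if e not in (SNI, ALPN)))
    if sig_algs:
        ext_text += "_" + _hexlist(sig_algs)
    return f"{part_a}_{part_b}_{_hash12(ext_text)}"


# Constructed sample resembling a modern browser's TLS 1.3 Client Hello
# (values chosen for illustration, not captured from a real client).
SAMPLE = dict(
    ciphers=[0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9,
             0xCCA8, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035],
    extensions=[0x2A2A, 0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010, 0x0005,
                0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B, 0x1A1A],
    supported_versions=[0x3A3A, 0x0304, 0x0303],
    alpn="h2",
    sig_algs=[0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
)

if __name__ == "__main__":
    print(ja4(**SAMPLE))  # JA4_a part is t13d1514h2
```

The first segment (`t13d1514h2`) is readable without a lookup table: TCP, TLS 1.3, SNI present, 15 ciphers, 14 extensions, ALPN h2; the two hashed segments are what you compare against an allow or block list.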
Similar to a change in August that removed fees for S3 requests where access was denied, AWS WAF blocks no longer incur CloudFront charges. This makes using a WAF even more valuable than sidecar/agent-based systems like Signal Sciences because with sidecars/agents you still pay for the whole traffic path.
And finally, for security data lakes: Amazon Data Firehose (formerly Kinesis Firehose) supports the Apache Iceberg format. This covers VPC flow logs, WAF logs, and just about every other AWS service that can log to CloudWatch or Kinesis. Iceberg is both faster to query and more storage-efficient than JSONL, and it supports the row-level deletes you may want for compliance reasons.
I love it when announcements teach me something new.