How to protect your AWS secrets

I accidentally published my AWS credentials online. I got an immediate email from AWS explaining the exposure of AWS secrets and the importance of securing these keys. They attached an AWS Quarantine Policy to the compromised IAM User, limiting its access to AWS services, and requested that I take action to ensure the security of my AWS account, with clear and detailed instructions.

A few hours later, I got a call from an AWS representative reminding me to secure my account, as I missed that original email. This is awesome and appreciated!


We should not have credentials stored in code at any…


As I was getting into cloud development, and while still trying to figure out the best and fastest way to get my code tested and deployed, I learned about Lambda Layers.

Originally, the main satisfaction they provided was enabling me to see the Lambda code directly in the AWS Console, as they abstracted away the dependencies I am using, which made my Lambda code smaller, as it should be. …


We don’t usually revisit and discuss Encryption (at least at a low level) much. Usually, Encryption and Decryption are abstracted through libraries, methods and protocols we use. However, last week, I had the chance to look at a feature that required a bit of work around Encryption and had to refresh my knowledge a bit. So I thought it could be an opportunity to share the learnings.

This is a series of 2 posts. In this first post, we will go over some theories around Encryption and use some examples to provide more clarity, highlighting how Encryption works in AWS…


When selecting a tool to perform API testing, it’s natural to pick one that’s built for this purpose, such as Postman, SoapUI or RestAssured. There are many other similar tools on the market. It’s also possible to use HTTP client libraries to perform API testing, for example Axios, Request and Supertest.

Today is the 13th day of the API testing challenge, organized by The Ministry Of Testing - Auckland. The challenge for the day is to contribute to the list of API Automation tools at the club. …


If you’ve built a website, whether for personal or commercial use, you probably researched web hosting options. Lots of companies provide this kind of service. In this post, we will build a very simple website and host it on Amazon S3 (Simple Storage Service), which can serve a static website (a site that contains static content and client-side scripts).

The interesting part is that we will use AWS CDK to define the infrastructure we’re using. I’ve learned about this a couple of weeks ago, and thought to document my learnings through a blog post.

Below are a…



This post is the second and final post of the series where we talk about Encryption.

We went over some encryption theory in the first post and introduced how Encryption works in AWS (server-side Encryption). In this post, we will go over client-side Encryption, which is the technique of encrypting data on the sender’s side, mainly your application, before it’s sent to the server. This kind of Encryption offers a high level of privacy, as the third parties your app integrates with only ever receive ciphertext and cannot view the data. For example, assume you are building a healthcare…


Assume you’ve been asked to create a VM on AWS to run some critical operations for your business; it needs to access the internet, but can only be accessed by the maintainers (e.g. the people or services that need to install or upgrade the software). How would you do it?

This is a series of 2 posts. In the first post, we went over what happens when we create an EC2 instance (VM) in AWS, where we explained how the instance gets attached to the default VPC and the traffic gets routed.

In this second post, we will go over creating a fully secure…


Assume you’ve been asked to create a VM on AWS to run some critical operations for your business; it needs to access the internet, but can only be accessed by the maintainers (e.g. the people or services that need to install or upgrade the software). How would you do it?

This is a series of 2 posts. In this first post, we will go over what happens when you create an EC2 instance (VM) in AWS; it is an introductory post for a follow-up article about architecting a secure solution in a secure network in the cloud.

Why is that important?

When building solutions…


** The views in this post are my own and do NOT represent or reflect the views of my employer or any organizations **

In this post, we will build an insecure web application. The goal is to share some of my learnings building AWS serverless apps. At the same time, I am hoping this would start a discussion that increases the awareness around security when architecting or developing software.

This came to mind as I went through the “Secure development training” program at https://academy.safestack.io/ recently, so I thought it could be an opportunity to introduce a couple of security vulnerabilities…

Ali Haydar

Software engineer (JS | REACT | Node | AWS | Test Automation)
