Musings from Etienne — RSS Feed

re:invent 2025 - State of the Edge: Delivery of the web with CloudFront, WAF, & Shield (NET211)

Tue, 09 Dec 2025 00:00:00 GMT

Another re:invent in the books — great to be back in Las Vegas presenting on something I care deeply about.

AWS re:Invent 2025 — State of the Edge: Delivery of the web with CloudFront, WAF, & Shield (NET211)

As the internet evolves with new clients, protocols, and threats, leveraging global edge infrastructure has become critical for delivering exceptional user experiences. In this session, we examined the broader trajectory of the web — from the proliferation of mobile-first experiences to the rise of AI workloads and emerging security threats.

We explored how Amazon CloudFront, AWS Global Accelerator, AWS WAF, and AWS Shield have integrated to address today's most pressing web performance and security challenges, and how AWS is positioning its infrastructure to meet tomorrow's.

Ambrose Phey from Atlassian also joined to share how they've incorporated AWS edge networking services as foundational components to deliver fast and secure web applications at scale.

Presented with

Nishit Sawhney — Director, Amazon CloudFront, AWS
Ambrose Phey — Atlassian

Building with Coding AI Tools

Sun, 23 Mar 2025 00:00:00 GMT

Because Why Not Let Robots Write Your Blog?

A technical deep-dive into integrating Perplexity AI’s language models, or, “How I taught my computer to argue with itself.”

So, you want to make your Python app talk to Perplexity AI? Great! Because nothing says “cutting-edge” like outsourcing your brainpower to a server farm. In this article, I’ll dive into an example built with Amazon Q Developer, Perplexity and a few other tools. Maybe, just maybe, figure out if this is a good idea.

My effort; it’s a brautiful mess but works: Modsecurity Rule Explainer.

Project Overview

I started by trying to create a “flexible” language model interface. Translation: making it so you can swap out AI providers like you swap out socks or trying a new flavour of ice cream. There’s always a new flavour, or something like that. Except, instead of smelly feet, you get… well, potentially tastey AI responses.

Key Components

Penmenship lands better outcomes

Start with a plan, think of it as building psudeo code and request workflows ahead of time. This helps you understand the requirements. But the trick not only building great prompts, but knowing that these tools get it wrong (a lot).

Prompts MUST declare specific goals, steps, formats, constraints, etc. It’s a double edged sword to ask for best practises and error handling or test driven approaches as this often lands the models jumping down the prverbial rabbit hole and not delivering on the actual outcome you want.

Base LLM Interface

In the code example I built, I started using fancy “abstract base classes” to make sure all the AI buddies behave. Think of it as putting them in a digital kindergarten:

from abc import ABC, abstractmethod
from typing import Dict, Any

class LLMProvider(ABC):
    """Base class for all LLM providers. Basically, the boss telling them what to do."""
    
    def __init__(self, api_key: str):
        self.api_key = api_key # The magic password to make them work.
    
    @abstractmethod
    def analyze(self, prompt: str) -> Dict[str, Any]:
        """Analyze text using the LLM provider. Or, "Think, robot, THINK!" """
        pass

Perplexity Integration

Hooking up to Perplexity AI with all the grace of a toddler trying to plug in a USB:

from typing import Dict, Any
from .base import LLMProvider
import httpx

class PerplexityProvider(LLMProvider):
    """Implementation of LLMProvider for Perplexity AI. Or, "The robot that actually answers." """
    
    def __init__(self, api_key: str):
        super().__init__(api_key) # Super means "Do what your robot parents told you."
        self.client = httpx.Client(
            base_url="[https://api.perplexity.ai](https://api.perplexity.ai)", # Where the robot lives.
            headers={"Authorization": f"Bearer {api_key}"} # The robot's password.
        )
    
    def analyze(self, prompt: str) -> Dict[str, Any]:
        """Analyze text using Perplexity AI's API. Or, "Robot, tell me something interesting." """
        response = self.client.post("/chat/completions", json={
            "model": "pplx-7b-chat", # The robot's brain.
            "messages": [{"role": "user", "content": prompt}] # What we're asking the robot.
        })
        return response.json() # The robot's answer.

Factory Pattern Implementation

Figuring out a “factory pattern”, to create robot instances. Because who wants to manually assemble robots?

class LLMFactory:
    """Factory class for creating LLM providers. Or, the robot assembly line."""
    _providers: Dict[str, Type[LLMProvider]] = {} # Where we keep the robot parts.

    @classmethod
    def create(cls, provider_name: str, api_key: str) -> LLMProvider:
        """Create an instance of the specified LLM provider. Or, "Build me a robot!" """
        if provider_name not in cls._providers:
            raise ValueError(f"Unknown provider: {provider_name}") # "Sorry, we don't have that model in stock."
        return cls._providers[provider_name](api_key) # Here's your robot!

    @classmethod
    def register_provider(cls, name: str, provider_class: Type[LLMProvider]):
        """Register a new provider class. Or, "Add a new robot to the assembly line." """
        cls._providers[name] = provider_class # Put the robot parts in the machine.

Technical Implementation

Security considerations, built in patterns out the box. Whilst these code companions are constantly evolving, nearly all the tools I tested had a measure of common sense approaches to building secure code. For example, using environment variables, because hardcoding API keys is like leaving your front door unlocked with a sign that says “Please rob me.” Usage Examples

def get_llm_client(api_key: str, provider: str = "perplexity"):
    """Initialize and return an LLM client instance. Or, "Get me a robot to talk to." """
    return LLMFactory.create(
        provider_name=provider,
        api_key=api_key # The robot's secret password.
    )

# Create an instance and analyze text. Or, "Ask the robot something profound."
llm = get_llm_client(api_key="your-api-key")
response = llm.analyze("Explain the meaning of life, and also, what's for dinner?") 
   # Multitasking robots.

Testing and Quality Assurance

I really like testing everything TDD, because I wouldn’t trust a robot that hasn’t been thoroughly interrogated, would you? In one example, I built the desired example output JSON events and ask the code to build accordingly, code quality was pretty spot on.

Conclusion

We’ve successfully built a system to talk to Perplexity AI. Now, if it leads to a robot uprising or just better blog posts, only time will tell.

Note: For detailed setup instructions and API documentation, please refer to the project’s README.md file. Or, ask a robot. They probably know.

re:invent 2024 - protecting against DDoS events

Fri, 06 Dec 2024 00:00:00 GMT

I had a wonderful time meeting customers and presenting at re:invent ‘24!

AWS re:Invent 2024 - You are under a DDOS attack! Are you ready to respond? (CDN306)

Do your operational teams know how to respond in the event of an attack? Have you architected with a DDOS strategy in mind? This talk guides you through the steps that help you react when under attack. Explore AWS tools you should leverage and best practices you can follow to proactively prepare for such scenarios. Learn how to identify and respond to DDOS attacks using services such as Amazon CloudFront, AWS WAF, and AWS Shield Advanced.

re:inforce 2024 presentation with catch

Thu, 13 Jun 2024 00:00:00 GMT

I had the amazing priviledge to co-present at re:inforce!

AWS re:Inforce 2024 - How Catch Group uses AWS WAF Bot Control on their ecommerce platform (NIS306)

In the fast-paced world of ecommerce, security is crucial. This session explores Catch Group’s journey, the lessons they learned, and how AWS security services empowered them to improve safeguards for their ecommerce platform and customer experience. By leveraging AWS WAF Bot Control for targeted bots, AWS WAF Fraud Control for account takeover prevention, and AWS Shield Advanced, Catch Group was able to gain better visibility into potential threats. This allowed them to identify and implement targeted mitigations to protect against bots, DDoS attacks, and account takeover fraud. As a result, Catch Group was able to provide their customers with a secure and reliable shopping experience.

re:invent 2023 - Designing a secure perimeter with cost in mind

Thu, 07 Dec 2023 00:00:00 GMT

So grateful to have had the chance to co-present a chalk talk at re:invent!

re:invent 2023 - Designing a secure perimeter with cost in mind

Co-presentated with Damindra Bandara.

In this chalk talk, you will learn how to optimize your monthly AWS spend leveraging Amazon Security Services (Amazon CloudFront, AWS Shield, AWS WAF and AWS Global Accelerator) to design a secure perimeter. This session will outline in detail optimization techniques including: optimizing data egress costs using Savings Bundles, DDoS cost prevention, cost optimized configurations, WAF cost optimization, and visibility options such as usage trends and cost explorer. Attendees will get an opportunity to ask questions regarding their use cases and understand how to save their perimeter security cost.

Detect and block advanced bot traffic with AWS WAF

Fri, 11 Nov 2022 00:00:00 GMT

I published a post on the AWS Security Blog covering the newly launched AWS WAF Bot Control for Targeted Bots.

Targeted bots are the hard problem — they mimic human behaviour, rotate IPs, and bypass simple rate limits. The new targeted inspection level uses browser fingerprinting and client-side JavaScript interrogation to catch them, without requiring any changes to your application or architecture.

The post walks through:

The difference between common and targeted bot inspection levels
Configuring per-category actions — block, challenge, CAPTCHA, count, allow
Scope-down statements to limit Bot Control to the URIs that actually need it (login, checkout) and keep costs sane
Token domains — a single web ACL accepting WAF tokens across multiple domains and CloudFront distributions
Embedding the JavaScript Application Integration SDK so WAF can reject tokenless requests outright
Rule ordering and CloudWatch alarm setup for token-absent spikes

→ Read the full post on the AWS Security Blog

update to the blog

Sat, 01 Jan 2022 00:00:00 GMT

Welcome to my blog! As a Senior Edge Specialist Solutions Architect at AWS, I’ll be sharing insights and experiences from the forefront of cloud computing, with a particular focus on Edge services and distributed systems. My goal is to contribute practical knowledge to the technical community, especially in areas where performance, security, and global scale intersect.

What to Expect

I plan to write about:

Edge Computing & Content Delivery: Optimizing global content delivery through AWS Edge services including CloudFront, Lambda@Edge, and CloudFront Functions.
Security Architecture: Building secure, resilient applications using AWS Shield Advanced, WAF, and security best practices.
Serverless Architecture: Designing scalable, efficient serverless solutions with Lambda, API Gateway, and other Edge computing services.
Infrastructure as Code: Automating infrastructure deployment using AWS CDK and CloudFormation with multi-region considerations.
Solution Architecture: Implementing enterprise-scale architectural patterns focused on performance, security, and cost optimization.

Technical Focus

My posts will include practical examples in Python, Go, and Node.js, along with infrastructure-as-code samples using AWS CDK and CloudFormation. I’ll share real-world scenarios, architectural decisions, and lessons learned from helping organizations across Australia and New Zealand, as well as multinational enterprises.

Stay Connected

Subscribe to the RSS feed or follow me on social media to stay updated with new posts. I welcome discussions and knowledge sharing from the community.

Looking forward to sharing insights and learning together!

opencanary honey pot - part of my zero day initiative

Mon, 23 Sep 2019 00:00:00 GMT

It’s been a while :] But back to the grind stone, my nextr 1 day project was based out of curiousity about what was happening on my DSL router as as an attack surface after reading about common attacks to type home routers.

Fair warning - don’t open your router up to the net without understanding the risks - you’re letting the world into your home. I used a spare router…

The plan

So the plan was to grab inbound UDP and TCP connection data to ports 80(HTTP), 22(SSH) and 21(FTP). Unfortunately I couldn’t capture ICMP due to the router used (locked config by upstream provider)

Further ideas would be to capture any scans within my network for SMB(Samba / File Shares) and all DNS queries as a trip wire as to check if someone is in the network.

This is where OpenCanary was of interest for me, I wanted to gather data to see what type of attacks where occurring, from where and gather a user/password list of all the attack/discovery attempts. OpenCanary allows open to get going pretty quickly, it simulates services so that attackers attempt to connect which is then logged in detail….

Why use a honeypot?

The attempts to connect to ‘fake’ services allows SecOps (seucity operations) staff to understand what attackers are trying to do and potentially block IP address, put checks in place in production systems, prevent username and/or password combinations from being used on networks and the internet.

OpenCanary can easily be used within a LAN or on the internet, attackers could already be in your network :[…

Equipment used for my test

I used stock kit provided by my ISP, with only the and decided to dust of my Raspberry Pi (rpi) with the out the box rasbian OS. This was the only item connected as I don’t want the world having the opertunity to have access to my home network.

Oversimplified install steps:

Configure router to port forward, disable any DDOS, port triggering
Rasberry Pi - install rasbian, configure sshd to use port 222 and configure ufw, limit port 222 to listen to a particular IP from which admin actions will be done, allow port 80, 21, 22 access from any ip (for the honey pot to capture)
Install OpenCanary and configure the services in /etc/opencanaryd/opencanary.conf
Configure opencanaryd to start at boot using your prefer method…

Logs

I started receiving attempts against all ports immediately, the logs for

web services land in /var/tmp/opencanary.log
samba/SMB land in /var/log/samba-audit.log…

{"dst_host": "10.0.0.2", "dst_port": "22", "local_time": "2019-09-01 13:13:36.569491", "logdata": {"DF": "", "ID":"34943", "IN": "xxxx", "LEN": "60", "MAC": "zz:zz:z3:3z:zz:11:11:11:00:22:44:17:28:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "42", "URGP": "0", "WINDOW": "14440"}, "logtype": 5001, "node_id": "my-rpi-canary", "src_host": "11.11.112.71", "src_port": "60831"}
{"dst_host": "10.0.0.2", "dst_port": 22, "local_time": "2019-09-01 13:13:37.530184", "logdata": {"SESSION": "603"}, "logtype": 4000, "node_id": "my-rpi-canary", "src_host": "11.11.112.71", "src_port": 60831}
{"dst_host": "10.0.0.2", "dst_port": 22, "local_time": "2019-09-01 13:13:41.151453", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "REMOTEVERSION": "SSH-2.0-PUTTY"}, "logtype": 4001, "node_id": "my-rpi-canary", "src_host": "11.11.112.71", "src_port": 60831}
{"dst_host": "10.0.0.2", "dst_port": 22, "local_time": "2019-09-01 13:13:43.225079", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "PASSWORD": "daniel", "REMOTEVERSION": "SSH-2.0-PUTTY", "USERNAME": "root"}, "logtype":4002, "node_id": "my-rpi-canary", "src_host": "11.11.112.71", "src_port": 60831}

There is an ability to push alerts to Slack and push logs using the OpenCanary Correlator, more on this soon.

some news and podcasts

Mon, 01 Jul 2019 00:00:00 GMT

Whilst I haven’t posted I’ve been studying towards certifications, here are some worthy news items

links & podcasts I’m listening to at the moment

HAProxy agent for ModSecurity web application firewall - jcmoraisjr/modsecurity-spoa - https://github.com/jcmoraisjr/modsecurity-spoa

Like any other field, the world of Software Development has some interesting and famous rules, principles and laws - https://www.timsommer.be/famous-laws-of-software-development/

Podcasts: DarkNet Diaries, Data Engineering Podcast, JS Party

load testing with h2load

Wed, 08 May 2019 00:00:00 GMT

some basic load testing wirth h2load - there are far better tools for load testing, but sometimes one needs a quick n dirty load testing tool which h2load can help with.

Why did I use h2load?

h2load is a HTTP2 and HTTP1.1 tool from the nghttp2 package, the implementation of HTTP2 is pretty solid and verbose logging is pretty detailed. Also very easy to get going, for instance here is a basic command to hit an endpoint with 100 requests:

> h2load -n100 http://someendpoint

To really start pushing some numbers start to play with the number of threads and clients:

> h2load --warm-up-time 5 https://yourtestwebsite -c10 -t2 -n100
starting benchmark...
spawning thread #0: 5 total client(s). 50 total requests
spawning thread #1: 5 total client(s). 50 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done

finished in 26.75s, 3.74 req/s, 1.79MB/s
requests: 100 total, 100 started, 100 done, 100 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx

traffic: 47.78MB (50102431) total, 107.52KB (110100) headers (space savings 0.00%), 47.64MB (49951217) data
                     min         max         mean         sd        +/- sd
time for request:   690.85ms       5.95s       2.06s       1.43s    79.00%
time for connect:    24.21ms     27.18ms     25.01ms      1.11ms    80.00%
time to 1st byte:   261.91ms    875.21ms    415.44ms    247.46ms    80.00%
req/s           :       0.37        0.78        0.51        0.13    60.00%

Monitor for 5xx errors and time for requests, connection and to 1st byte, high values could indicate an issue that needs to be dealt with (ie add some caching in, etc etc)

References

nghttp2 h2load documentation

interesting links and github repos

Wed, 01 May 2019 00:00:00 GMT

Interesting Links & Github Repos

I’ve created a discord channel to be a more realtime way to reach out and chat about projects and some of the cool stuff you may be working through.

A cool collection of CloudFormation Templates

Decode JWT tokens (useful for debugging SSO signon issues): https://jwt.io/

BBR - Congestion Control Research - TCP delay-controlled TCP flow control algorithm from Google - https://blog.apnic.net/2017/05/09/bbr-new-kid-tcp-block/

Sysctl Performance Research - https://wiki.mikejung.biz/Sysctl_tweaks

dns over https

Mon, 22 Apr 2019 00:00:00 GMT

This had been an interesting dive into the next generation of securing DNS interactions. I’ll deal with DOT (DNS over TLS) in a seperate post to focus on DOH (DNS over HTTPS) in this post.

DNS over HTTPS:

Why would has the IETF decided to use this approach? From the RFC. Well frankly DNSSEC failed to get wide spread adoption, and since DNS was designed in the days where security the use and protocol was not really a consideration there has to be a new approach to help prevent bad actors poisoning and interfering with DNS operation. DOH albeit controvercially has been given the green light by the IETF. So per the RFC, why DOH:

These use cases are preventing on-path devices from interfering with DNS operations(1), and also allowing web applications to access DNS information via existing browser APIs (2) in a safe way consistent with Cross Origin Resource Sharing (CORS)

Okay, so the plan is (1) to prevent DNS operations from being messed with by upstream DNS services, as the resolvers communications will be encrypted between the client and the DNS server/resolver (HTTPS). This has some interesting implications:

The client can choose to ignore an invalid certificate presented by DOH DNS resolver, but in general terms this is an issue with any HTTPS/TLS situation for any web service.

Pretty much means anyone can stand up a server with a valid cert and start serving DOH, as long as the CA from the cert is on the Mozilla list.

Controlling client DNS queries from within a corporate network to outside resolvers is often something network/firewall admins do to help protectect there networks. This may prove be more difficult with DOH, as browsers/applications could be setup to drectly make DNS queries to resolvers outside the network and bypass proxies/UTM DNS checking. In saying this UTM’s could potentially prevent queries using certain content or header evaluations to detect that are particular to DOH and prevent them, not as simple as blocking UDP/TCP on port 53.

One will need a DNS proxy to allow for applications that do not natively support DOH for the time being. More modern application in the future may have the application logic and libraries integrated to support DOH much like Chrome and Firefox have.

CORS

CORS (2) support by resolvers ensures requests can be made across domains thereby allowing for browsers/applications supporting CORS responses to use DOH without further client security hoops to jump through. So, how does this work in actuallity?

There are only a handful resolvers supporting DOH at the moment, I’ve run some tests against Cloudflare and Google using curl (I used an older version that doesn’t support DOH natively).

Using the HTTPS endpoints provided by google using curl (GET) demostrates the request and responses structure [a]. There are some interesting items that come out of a simple test here:

DNS query is also available via QUIC / HTTP3. Which means TLS1.3 goodness over UDP or TCP

cache-control header response value matched the TTL of the DNS record, however if run many times showed wildly variying times, appears to be some caching issue or something along these line - a little more digging (see what I did there) into this is going to be needed.

I used jq (third-party) to help prettify the JSON output (Cloudflare)[https://developers.cloudflare.com/1.1.1.1/dns-over-https/json-format/] has an implmentation that allows for both JSON and DNS wire format. I noticed whilst curling the cache-control mirrored the DNS record TTL and wasn’t all over the place as with the Google tests (ie TTL counted down as you’d expect for bog (udp, port 53) standard DNS queries) [b].

Suffice to say the change to use DOH will require some further consideration before implmeneting. But I believe overall that this is a step in the right direction (to secure DNS communications) that can be easily adopted however I guess time will tell. Been fun playing with this! I found that when testing CloudFlares 1.1.1.1 Andriod App that DNS latency performance for DOH was notibly faster than DOT, but more on that later.

As a side note about no zero days; whilst I may not post every day I am working on such posts over a number of days. I may change this approach, but this is working for now :)

[a] Google Query:

curl -v https://dns.google.com/resolve?name=www.news24.com -H "Origin: www.someorigin.com" | jq
....
> GET /resolve?name=www.news24.com HTTP/1.1
> Host: dns.google.com
...
> Origin: www.someorigin.com
> 
 GET /dns-query?name=www.news24.com&type=A HTTP/1.1
> Host: cloudflare-dns.com
> User-Agent: curl/7.54.0
> accept: application/dns-json
>

working with maxmind geoip

Sat, 20 Apr 2019 00:00:00 GMT

scripting querys against the maxmind db’s with python

There comes a time when one needs to check for an IP’s likely physical location, in my case I’ve been playing with DNS of HTTPS and DNS over TLS and part of the workflow I had whilst testing was to check the responses GEO location against the free Maxmind database, but more on that another time.

So I downloaded the GeoLite2 (Free) City + ASN Databases from maxmind, install the prereq’s via pip and built a simple python script to test.

Found maxmind’s project maxmind (on github) that made building the script easier:

pip3 install geoip2 --user
brew install libmaxminddb
import geoip2.database
import json

# This creates a Reader object. You should use the same object
# across multiple requests as creation of it is expensive.
reader = geoip2.database.Reader('./GeoLite2-City_20190416/GeoLite2-City.mmdb')
reader2 = geoip2.database.Reader('/./GeoLite2-ASN_20190416/GeoLite2-ASN.mmdb')

# Replace "city" with the method corresponding to the database
# that you are using, e.g., "country".
ip = '72.163.4.185'
response = reader.city(ip)
response2 = reader2.asn(ip)

output = {
    "IP":ip, 
    "Details":
    [
        {"ISO":response.country.iso_code}, 
        {"Country":response.country.name}, 
        {"City":response.city.name},
        {"ASN":response2.autonomous_system_number}
        ]
    }

print (json.dumps(output, indent=4))

reader.close()