How To Tutorial

Never again waste time setting up permissions for an S3 access point.

Bubble Nebula by , , and the Hubble SM4 ERO Team

Recently, I got a call from one of my customers, saying they were struggling to set up an S3 access point. They wanted to share a large data set across several company accounts, but could not get the permissions to work correctly. After some back and forth, I managed to weed out all the issues. However, we ended up spending much more time than any of us would like to admit.

To avoid this happening in the future, I decided to write a follow-up, which summarizes the main points and caveats regarding S3 access point permissions.

The requirement

We have a S3…


Notes from Industry, What I’ve learned

Security best practices that helped us pass a security audit with flying colors

AG Carinae (“Celebrity Star” Nebula) by NASA, ESA and STScI

Currently, Amazon S3 and CloudFront are some of the best cloud services for delivering production-ready SPAs, such as Angular apps, Vue apps or React apps. Unfortunately, by default, S3 and CloudFront don’t have all the security features enabled that are needed to run such SPA frontend apps in production.

Recently, we launched a platform with a frontend (Angular apps) hosted on Amazon S3 and CloudFront. In this article, I want to share the main security best practices and how we implemented them for our platform. Having these security best practices in place helped us pass a very stringent security audit with flying colors!

Overview of Security best practices with S3 and CloudFront


How To Tutorial

Not passing an auth token header from CloudFront to AWS Application Load Balancer can be a huge mistake

Crab Nebula by , , and STScI

Failing to inject custom headers in a CloudFront distribution! I have seen my customers make this mistake time and again. They do a wonderful job setting up the infrastructure with CloudFront and Application Load Balancer (ALB), but fail to block direct access to their ALB properly, effectively rendering the whole setup useless.

In this article, I will show why this is a problem and how we can use CloudFront header injection and ALB’s dynamic forwarding rules to fix it. This approach works regardless of whether the backend application or services are deployed on EC2 instances, EKS, ECS, or a Kubernetes cluster.

Securely configuring ALB with CloudFront

There are…


What I’ve learned

An S3 policy anti-pattern to avoid, and how to unlock an S3 bucket

Carina Nebula by NASA, ESA and STScI

Recently, I did a review of security policies for one of my customers. In the process, I managed to accidentally lock myself, and everyone in the company, out of an S3 bucket. It was not just any bucket, no — it was the bucket holding all the customers' media files. Imagine having to ask all your customers to reupload all their photos, videos etc…

An anti-pattern S3 policy to avoid

Let’s see what I did so wrong when I attached the following policy to the S3 bucket.

Anti-pattern S3 policy statement that will render a bucket fully locked.

Attaching the above policy to an S3 bucket…


How to tutorial

Part 1: How to build a development container with VS Code and Docker (plus a demo video)

Butterfly Nebula by , , and the Hubble SM4 ERO Team

Dev containers and CLI tools have been gaining popularity among open-source and commercial projects. Recently, I built a dev container for , an open-source project I am involved with. Previously, I reported on main . In this two-part series, I will give a hands-on tutorial on how to build a development container, with VS Code and Docker (Part 1 — this article) and how to create a CLI tool, with Nx (Part 2).

Building a dev container with Docker and VS Code

In this section, I will show how to build a dev container from scratch using VS Code and Docker. Later in the article, I…


What I’ve Learned

What I’ve learned from building a dev container for an open source project

The Pillars of Creation in the Eagle Nebula by Hubble Space Telescope

With the rise of cloud native applications and the advent of microservice architectures, a lot has changed in terms of how we develop applications. Recently, I have spent some time setting up development containers for , an open source project I lead. My main aim was to make our project more accessible to our (future) developers. Since it is a Kubernetes project, configuring a local development environment can be a project in itself — I wanted to improve this experience.

Development containers

A development container is a running Docker container with a well-defined tool/runtime stack and its prerequisites¹. Basically, a development…

Stefan Nastic

Software engineer, Cloud expert, DevOps enthusiast. Sharing my experiences and learnings from solving interesting engineering problems.
