DevOps & Security
16 posts
-
CloudFront CDN in Practice (3) — Private Content, Edge Logic, Security, Monitoring
Protect private content with Signed URLs/cookies, run edge logic with CloudFront Functions vs Lambda@Edge, harden security with a custom domain (ACM), S3 OAC, and WAF, and monitor with cache hit ratio, CloudWatch, and logs plus cost optimization — advanced CloudFront operations
-
CloudFront CDN in Practice (2) — Putting a Spring Boot + Kotlin Origin Behind CloudFront (Terraform)
Put a Spring Boot + Kotlin app as the origin and CloudFront in front. Set Cache-Control/ETag in Kotlin, split /api/* (no cache) and /static/* (cached) behaviors, build it in Terraform, verify hit/miss via X-Cache, and run an invalidation
-
Understanding AWS Credential Federation — How IAM, STS, and OIDC Actually Fit Together
A foundational guide for engineers who followed a GitHub Actions OIDC tutorial but still aren't sure what STS really is, why it has no console page, what 'federation' actually means, or why the trust policy's sub condition matters so much. Covers IAM/STS/OIDC mechanics in depth, plus SAML, IAM Identity Center, and EKS IRSA as variants of the same pattern.
-
AWS Private EC2 Operations Guide Part 4: Deploying to Private EC2 from GitHub Actions — OIDC, SSM Run Command, CodeDeploy
Build a deployment pipeline that puts no port 22 and no AWS access key on the path. OIDC federation removes static credentials, S3 acts as the artifact hub, and either SSM Run Command (simple) or CodeDeploy (zero-downtime) lands the code on the instance.
-
AWS Private EC2 Operations Guide Part 3: Connecting Without Bastion via SSM Session Manager — IAM Role, VPC Endpoint, and Port Forwarding
How to land a shell on a Private EC2 without ever opening port 22. The mechanics of SSM Session Manager (the agent polls AWS), the three prerequisites (Agent / IAM / network path), the cost trade-off between NAT Gateway and VPC Endpoints, and the port-forwarding pattern that securely reaches RDS without a VPN.
-
AWS Private EC2 Operations Guide Part 2: Building VPC Infrastructure with Terraform — VPC/Subnet/Route Table/SG/ALB/EC2 in a Single main.tf
Turn the Part 1 architecture into real code. We build a 10.0.0.0/16 VPC, 2-AZ Public/Private subnets, IGW/NAT Gateway, the SG-references-SG pattern, and ALB + EC2 — all in one main.tf that comes up with a single terraform apply.
-
Implementing FCFS with Tokens: From Entry Tickets to Bot Prevention
Implements a first-come-first-served system that issues entry tokens upfront — only token holders can purchase. Covers JWT-based token design, TTL expiration strategy, and multi-layered bot prevention with Rate Limiting + CAPTCHA.
-
SAML 2.0 Authentication Complete Guide: From Concepts to Microsoft Entra ID Integration
A practical guide to SAML 2.0 protocol core concepts and implementing Microsoft Entra ID (Azure AD) SAML integration with Spring Boot
-
Terraform Fundamentals: A Complete Guide
A comprehensive guide covering IaC fundamentals, Terraform core concepts, workflow, count/for_each, dependencies and lifecycle, dynamic blocks, state management (import, moved, remote_state), and modules -- everything in one post for developers getting started with infrastructure as code
-
Production-Level EKS Cluster Setup Guide
A practical guide to building production-grade EKS clusters from eksctl to Terraform, including networking setup
-
Spring Boot SSO Integration Guide: OAuth2/OIDC and SAML in Practice
A practical guide to SSO integration with IdPs like Keycloak, Okta, and Azure AD using Spring Security
-
Complete Guide to AWS CLI Setup and Resource Queries
A comprehensive guide to AWS CLI authentication methods (CloudShell, IAM Identity Center, access keys) and resource query commands for major services
-
AWS Bastion Host Setup Guide
A complete guide to configuring SSH access to Private EC2 instances through a Bastion Host
-
Spring Boot Pre-Interview Guide Part 6: DevOps & Deployment — Spring Boot 4 · Kotlin 2.3 · Docker · GitHub Actions
On Spring Boot 4 with Kotlin 2.3, this part covers what reviewers actually look at in the deployment layer: a Java 21 multi-stage Dockerfile, docker-compose with healthcheck + depends_on for real readiness, GitHub Actions with Gradle cache and JaCoCo coverage, profile-separated application.yml, and Actuator exposing health and prometheus — written without Lombok, using Kotlin primary constructors and val/var.
-
Spring Boot Pre-Interview Guide Part 5: Security & Authentication — Spring Boot 4 · Kotlin 2.3 · Spring Security 7, JWT (oauth2-resource-server), BCrypt vs Argon2, RBAC
On Spring Boot 4 with Kotlin 2.3, how to implement standard JWT authentication using Spring Security 7 and spring-boot-starter-oauth2-resource-server — JwtDecoder/JwtEncoder bean pair for verify and issue, JwtAuthenticationConverter mapping the role claim to ROLE_ authorities, @AuthenticationPrincipal Jwt for extracting the current user in controllers, picking between BCrypt and Argon2, @PreAuthorize plus service-layer resource ownership checks, and the common CORS traps — written from an evaluator's perspective on the security pieces of pre-interview assignments.
-
Spring Boot Pre-Interview Guide Part 2: Database & Testing — Spring Boot 4 · Kotlin Environment Separation, Test Pyramid, Testcontainers
On a Spring Boot 4 + Kotlin stack — picking the right DB per environment, the ddl-auto policy, gotchas when implementing a Memory Repository, choosing annotations along the Test Pyramid, when to reach for Dummy/Stub/Spy/Mock/Fake, and using Testcontainers to surface the bugs H2's dialect differences hide. Written with data classes and val/var instead of Lombok. Series Part 2.