CDK Deploy-Twice: When Your Infrastructure Needs to Know About Itself



There is a moment that catches a lot of people out who are new to AWS CDK. You deploy a service, the deploy succeeds, and then you realize the service cannot fully configure itself because it did not know its own endpoint until after it was running.

This is not a CDK bug. It is a genuine chicken-and-egg problem, and once you understand it, the solution is straightforward-ish.

The problem

Some resources only exist after CloudFormation has provisioned them: ALB endpoints, service URLs, and auto-assigned DNS names. These values are not known at cdk synth time. They are outputs that come back after the stack deploys.

If your application needs to know its own public URL (e.g., to build redirect links), well then, you are in a kerfuffle. You cannot pass a value into the stack that the stack itself has not produced yet. CloudFormation is not psychic, so unfortunately neither is CDK (I hear AI is working on this, though).

What it looks like in practice

Here is a real example from my latest YouTube tutorial video. This is a URL shortener that needs BASE_URL to construct the short links it returns, but BASE_URL is the service’s own endpoint, which CloudFormation only assigns after the ECS service and ALB are provisioned.

The CDK stack handles this with tryGetContext:

const baseUrl = this.node.tryGetContext('baseUrl') as string | undefined;

// Environment variables for the container; BASE_URL is appended only when
// it was supplied via --context on a later deploy.
const environment = [
  { name: 'TABLE_NAME', value: table.tableName },
  { name: 'AWS_DEFAULT_REGION', value: this.region },
];

if (baseUrl) {
  environment.push({ name: 'BASE_URL', value: baseUrl });
}


And the endpoint is exported as a stack output:

new cdk.CfnOutput(this, 'ServiceEndpoint', {
  value: service.attrEndpoint,
  description: 'Re-deploy with --context baseUrl= to wire BASE_URL',
});


tryGetContext returns undefined if the value was not passed in, so deploy one works fine. It simply runs without BASE_URL set. Deploy two wires it in. Therefore, two deploys, one working service, zero existential crises.

The deploy pattern

Deploy 1: provision the infrastructure, get the endpoint:

cdk deploy EcsExpressStack


Deploy 2: pass the endpoint back in as context:

SERVICE_URL=$(aws cloudformation describe-stacks \
  --stack-name EcsExpressStack \
  --query "Stacks[0].Outputs[?OutputKey=='ServiceEndpoint'].OutputValue" \
  --output text)

cdk deploy EcsExpressStack --context baseUrl=$SERVICE_URL

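The two deploys above work, but the second one blindly trusts whatever `describe-stacks` printed. When the output key does not exist yet (say the first deploy failed part-way), `--output text` prints the literal word `None`, and that string would be wired into BASE_URL and used to build every short link. The script below is an added example, not code from the tutorial: it wraps the same two commands in a driver that refuses to run the second deploy unless the fetched value looks like a usable base URL (an http(s) URL or a bare DNS name, no whitespace, not `None`). It assumes the stack name `EcsExpressStack` and output key `ServiceEndpoint` from the article and that `aws` and `cdk` are configured on PATH; the function names and the `--run` guard are my own.

```shell
#!/bin/sh
# Two-pass CDK deploy driver (added example; not the tutorial's own code).
# Assumes the article's stack name and output key; nothing talks to AWS
# until run_deploy_twice is invoked via `sh deploy-twice.sh --run`.
set -eu

STACK_NAME="${STACK_NAME:-EcsExpressStack}"
OUTPUT_KEY="${OUTPUT_KEY:-ServiceEndpoint}"

# Accept only a value that can safely become BASE_URL: either an http(s) URL
# with a non-empty host, or a bare hostname made of letters, digits, dots and
# hyphens. `aws ... --output text` prints the literal word "None" when the
# output key is missing, so that is rejected along with empty/whitespace values.
validate_base_url() {
  case "$1" in
    ""|None|*[[:space:]]*) return 1 ;;
    http://?*|https://?*)  return 0 ;;
    *[!A-Za-z0-9.-]*)      return 1 ;;   # anything else with odd characters
    *)                     return 0 ;;   # plain DNS name
  esac
}

# Strip one trailing slash so links are built as "$BASE_URL/abc", never "//abc".
normalize_base_url() {
  printf '%s\n' "${1%/}"
}

# Read the stack output produced by the first deploy (raw; caller validates).
fetch_endpoint() {
  aws cloudformation describe-stacks \
    --stack-name "$STACK_NAME" \
    --query "Stacks[0].Outputs[?OutputKey=='$OUTPUT_KEY'].OutputValue" \
    --output text
}

run_deploy_twice() {
  # Deploy 1: provision; BASE_URL stays unset because no context is passed.
  cdk deploy "$STACK_NAME"

  endpoint=$(fetch_endpoint)
  if ! validate_base_url "$endpoint"; then
    echo "refusing to wire BASE_URL: output '$OUTPUT_KEY' is '$endpoint'" >&2
    return 1
  fi
  base_url=$(normalize_base_url "$endpoint")

  # Deploy 2: same stack, now with the resolved endpoint passed as context.
  cdk deploy "$STACK_NAME" --context "baseUrl=$base_url"
}

if [ "${1:-}" = "--run" ]; then
  run_deploy_twice
fi
```

The validation is deliberately strict about the scheme: BASE_URL ends up in redirect links the service hands to users, so a stray `None`, an empty string, or a value with an unexpected scheme should stop the deploy rather than ship.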

Why this is not a CDK bug

CDK synthesizes a CloudFormation template before anything is deployed. At synth time, late-bound values like ALB endpoints exist only as CloudFormation tokens, which are placeholders that resolve later. You can use them within the same stack (they resolve correctly in the template), but you cannot read them back into your TypeScript logic during synth. This is because the template has not run yet, and therefore the value does not exist yet. This is simply the correct order of operations.

tryGetContext sidesteps this. You supply the value externally on a subsequent deploy, once CloudFormation has resolved it.

When you will run into this

A service that builds URLs pointing to itself
A resource that needs its own ARN or DNS name as a config value
Cross-stack references where stack B’s input is stack A’s output and you have not wired them through CfnOutput and Fn.importValue

The pattern feels a little awkward the first time. It stops feeling awkward once you understand why it works that way. Then it starts feeling awkward again when you dust off that old forgotten side project (you know, that one).

So which came first: the service or the endpoint?

The endpoint… but only after the service… which needed the endpoint to configure itself… which required the service to exist first.

At this point, I recommend not thinking about it too hard.




It’s not too late! Make your AWS Security Agent debut with a code review!


This article is an English translation of the article at the following URL, which was originally written in Japanese. The screenshots are still in Japanese. Sorry about that.

https://qiita.com/amarelo_n24/items/e196b74f718c750a0e18

The penetration testing feature for AWS Security Agent (hereinafter referred to only as “Security Agent”), which was announced at AWS re:Invent 2025, has become generally available (GA). Code review and design review are still in preview as of May 25th, so those who haven’t been able to try Security Agent yet can still try these features. I wasn’t able to try penetration testing during the preview period, so I decided to at least experience code review and made my Security Agent debut!

This article reflects the author’s personal views. It is based on personal testing and should be used for reference only. Furthermore, the author has no experience in app development, so the terminology used may not be entirely accurate. Any corrections or errors in the content would be greatly appreciated. This article was written based on information as of May 25, 2026.

As mentioned above, this service was announced during AWS re:Invent 2025. It is a frontier agent that proactively protects applications throughout the entire development lifecycle in all environments (quoted from the official AWS page).

https://aws.amazon.com/security-agent/

It includes three features that became generally available (GA) in April: penetration testing, design review, and code review (the subject of this article).

| Function name | Feature overview | Status (as of 2026/5/25) |
|---|---|---|
| Penetration testing | Attempting to infiltrate the system from an external source to evaluate security measures. | GA |
| Design review | Analyze product specifications, architecture documents, and technical designs from a security risk perspective. | Preview |
| Code review | Inspect source code and repositories to detect code-level vulnerabilities. | Preview |

Code security review (hereinafter referred to as “code review”) is a web application diagnostic method that falls under “SAST” (Static Application Security Testing). It is considered a vulnerability assessment that checks for flaws in the source code during the development phase before it is deployed in a test environment, and detects vulnerabilities visible at the code level.

From here, I will describe the steps to enable the Security Agent and run a code review.

Enable Security Agent

To start using Security Agent, you first need to enable it. Incidentally, simply enabling Security Agent will not incur any charges.

① Click “Set up AWS Security Agent”.

② Enter the “Agent Space name”.

③ Specify the “User access configuration”.

If you have enabled AWS Organizations and also enabled IAM Identity Center, you might want to select “Single sign-on (SSO) with IAM Identity Center.” I chose this option because I also run a one-person organization. Even if you haven’t enabled Organizations yet, this might be a good opportunity to try out a one-person organization.

④ Enter a service role name. If there is no suitable role available in your account, a new service role will be created.

⑤ If you want to use KMS encryption, check the encryption option checkbox. If the default encryption is sufficient, uncheck the checkbox.

⑥ Set tags as needed.

⑦ Click “Set up AWS Security Agent”.

⑧ Once you see a message indicating that the application has been successfully enabled, the Security Agent has been successfully activated.

① Click “Enable code review”.

② Add a “Connected Integration”. Click “Add”.

③ Select “Create a new account” and “GitHub,” then click “Next.”

④ Click “Open AWS Security Agent on GitHub”.

⑤ You will be redirected to the GitHub page. Click “Install”.

⑥ Click on the GitHub account that contains the repository where you want to install the AWS Security Agent GitHub App.

⑦ Click “Only select repositories” and select the repository where you want to install the GitHub App from the “Select repositories” dropdown menu.

⑧ Click “Install,” and the setup is complete when a screen like the one below appears.

⑨ Return to the following screen and click “Add” again.

⑩ Select the added integration and click “Next”.

⑪ Select the GitHub repository name and click “Next”.

⑫ Select the features to enable. If you want to perform code reviews, enable “Code review comments”. If you want to automatically remediate detected vulnerabilities, enable “Automatic remediation”. Click Connect and confirm that “Integration resource added” is displayed.

⑬ Select the code review settings and click “Next”. I selected “Security requirements and vulnerability detection results,” which is selected by default.

⑭ If you want to obtain application operation logs in CloudWatch Logs, select the log group where you want to store the logs (you need to create the log group beforehand).

⑮ Create a role for service access. If you have already created one, click “Use existing service role”. If the default role is acceptable, click “Create default role”.

⑯ Click “Save”.

This time, we created a default role, but I think it’s necessary to create a role with carefully considered policy settings. I’ll investigate what policies are necessary in the future.

⑰ When it displays as shown below and “Ready” appears in the code review section, code review is enabled.

Add an IAM Identity Center user to allow code reviews from the application.

For testing purposes, you can access it with “Administrator Access” without creating a user, but since administrators don’t usually perform vulnerability assessments in normal operation, we’ll configure a user even for testing purposes.

① Return to the “Agent Spaces” top page and click “Add Users” from the “Web App” tab.

② Select the IAM Identity Center username you want to allow access to the Security Agent web app and click “Add users”.

③ Once the message indicating that the user has been added is displayed, click the Agent Web App URL.

④ When the following screen appears, click “Sign in” or wait a moment, and you will be redirected to the Agent Web App screen.

⑤ The screen will display as shown below, and you should confirm that the created Agent Space name is displayed.

Now, we will run the code review.

① From the Agent Web App home screen, click “Create a code review.”

② Enter a title for the code review.

③ Select the previously connected GitHub repository, the created service role, and the CloudWatch log group, and click “Create a code review.”

④ Once the message indicating that the code review has been created is displayed, click “Start review.” A confirmation screen will appear, so click “Start review” again.

⑤ The message “Code review started” will be displayed. Reloading the screen will display “In progress.”

⑥ Clicking on the created code review will show the progress. Wait until completion.

This time it was completed in about an hour.

① Once completed, you can view the code review results.

② The scan results are displayed as follows. Well-known vulnerabilities such as SQL injection, cross-site scripting, and path traversal were detected.

Although it says “Completed,” it remained showing “Finalizing” for some reason.

You can download the code review results as a PDF file. This is likely for requesting corrections or sharing information with developers who do not have an AWS account, or for storing it as evidence.

① Click “Generate Report” in the upper right corner of the code review results screen.

② Edit the extraction criteria and click “Generate and Download.” The code review results will be output as a PDF file to your PC’s download folder.

Detected vulnerabilities need to be fixed. It is possible to fix them automatically instead of manually.

① Select the vulnerability you want to automatically fix and click “Fix Code.”

② Code remediation will begin.

If “Automatic remediation” is not enabled, the following error will appear. In the GitHub repository’s features management, turn on the “Automatic remediation” toggle button and save.

③ Scroll to the bottom of the screen to see the detection results for the selected vulnerability. The code remediation status will be displayed. Once the fix is complete and the status changes to “COMPLETED,” a pull request is sent to GitHub.

④ Opening the pull request reveals that it was automatically created by Security Agent and details of the changes. If there are no issues with the content, merge it.

Recognizing the Importance of SAST

This code review detected many types of vulnerabilities. It’s probably difficult to uncover all vulnerabilities through human code reviews alone. I believe it’s an important service that complements human code reviews by inspecting for remaining vulnerabilities. Furthermore, I realized that web application security testing should not only utilize external attack-based testing methods like DAST (Dynamic Application Security Testing), but also SAST, which identifies vulnerabilities at the code level and provides a starting point for fixes.

Completely Eliminating Human Reviews is Not Yet Possible

I realized that Security Agent doesn’t completely replace human code reviews.

After running the automatic fix and then performing another code review, the fixed vulnerabilities were not re-detected, but several new vulnerabilities were detected. It’s possible that a detection method was added during the initial code review, or that it was a false positive, but it’s also possible that a fix in one place affected the entire code or even the entire repository.

As such, the results of the review and the recommended fixes for vulnerabilities are not always optimal for the whole system. Furthermore, there’s a risk that applying automated fixes too readily could break the entire application. I think that unless people carefully review the fixes and decide whether to apply the automated fix or fix the issue manually, it could lead to unnecessary work being done.

Wouldn’t it be great if it could be integrated with CodeCommit?

As of May 21, 2026, it’s not possible to target CodeCommit repositories for code reviews. It was truly surprising that S3 could be targeted for code reviews, but CodeCommit couldn’t. Currently, if a user of CodeCommit wants to perform code reviews with the Security Agent, they would have to either:

Store source code files in S3 and perform code reviews there
Migrate the repository to GitHub.

Storing files in S3 is troublesome, and migrating to GitHub doesn’t seem practical. I think it would be great if it could integrate with CodeCommit to easily perform code reviews.

CodeCommit was such a valuable service that it was shut down once before returning to GA (General Availability), so I thought it was a bit of a shame that it couldn’t be integrated. I guess we can only hope for future AWS updates.

It’s been almost six months since re:Invent 2025, but I finally got to try out Security Agent. Now that penetration testing is GA, it has become difficult to try at an individual level. The preview period doesn’t last forever. I strongly felt that you should try it as soon as possible after the announcement.

You can still relatively easily experience Security Agent through code reviews, which are still in preview, so it’s not too late! Why not make your Security Agent debut with a code review and use it as an opportunity to learn about web application security?

Also, since design reviews are still in preview, I plan to try those out soon as well.

I hope this article is helpful to someone. Thank you for reading to the end!




Cloud Engineer Journey #6 — EC2 Explained Simply & Launching Your First Cloud Server



After understanding:

Linux fundamentals
AWS basics
and Cloud Computing concepts,

it’s time to work with one of the most important AWS services:

EC2 is one of the core services in AWS and is heavily used in:

Cloud Engineering
DevOps
Hosting applications
Automation
CI/CD
Docker & Kubernetes environments

In this post, we’ll understand:

what EC2 actually is,
why companies use it,
and how to launch your first cloud server step by step.

I’ll keep everything beginner-friendly and practical.

EC2 stands for:

EC2 allows you to create virtual servers in the cloud.

Think of EC2 like: 🖥️ renting a computer/server online whenever you need it.

Instead of buying physical hardware, AWS lets you launch servers within minutes.

These servers can run:

websites,
applications,
databases,
APIs,
automation tools,
and many cloud workloads.

Most modern cloud applications run on servers.

EC2 helps companies:

deploy applications quickly,
scale resources,
reduce hardware costs,
and manage infrastructure more easily.

It is one of the most commonly used AWS services.

Imagine you want to host:

a website,
a backend application,
or a Jenkins server.

Instead of buying a physical machine: 👉 you can launch an EC2 instance in AWS within minutes.

This is one of the main reasons cloud computing became so popular.

When you launch a server in AWS, it is called an:

Each instance includes:

CPU
Memory (RAM)
Storage
Networking
Operating System

Just like a real computer.

Before launching an EC2 instance, there are a few important concepts to understand.

An AMI is a preconfigured operating system template.

Example:

Amazon Linux
Ubuntu
Red Hat

Think of it like: 💿 selecting which operating system you want to install on your server.

Instance type decides:

CPU power
RAM size
performance level

Example:

```bash
t2.micro
```

This is commonly used in AWS Free Tier.

# 🔐 3. Key Pair

AWS uses SSH keys for secure login.

When creating an EC2 instance, AWS generates:

* a public key
* and a private key

The private key (`.pem` file) is used to connect to the server securely.

# 🛡️ 4. Security Groups

Security Groups act like virtual firewalls.

They control:

* incoming traffic
* outgoing traffic

Example:

* Allow SSH (port 22)
* Allow HTTP (port 80)

Without proper Security Group rules, you cannot access the server.

# 🌍 5. Region

AWS has multiple regions worldwide.

Example:

* Mumbai
* Virginia
* Singapore
* London

Choosing a region closer to users improves performance and reduces latency.

# 🚀 Launching Your First EC2 Instance

Basic steps:

### 1. Open AWS Console

Search for:

```bash
EC2
```

### 2. Click “Launch Instance”

### 3. Select an AMI

Example:

### 4. Choose Instance Type

Example:

```bash
t2.micro
```

### 5. Create or Select Key Pair

Download the `.pem` file safely.

### 6. Configure Security Group

Allow:

* SSH (22)

Optional:

* HTTP (80)
* HTTPS (443)

### 7. Launch Instance

AWS will now create your cloud server.

# 🔗 Connecting to the EC2 Instance

Once the instance is running, connect using SSH.

Example:

```bash
ssh -i key.pem ec2-user@your-public-ip
```

Now you are connected to your cloud server 🚀
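Two things the console flow above makes easy to get wrong: step 6 will happily accept `0.0.0.0/0` as the SSH source, which exposes port 22 to the whole internet, and the downloaded `.pem` is refused by `ssh` unless it is readable only by you. The script below is an added example, not part of the original post. It builds the ingress rule from a single validated IPv4 address (never a wildcard), fixes the key file's permissions before connecting, and only talks to AWS when run with `--run`. The security group id and instance address are placeholders; `aws`, `ssh` and `curl` are assumed to be on PATH, and the public-address lookup uses AWS's `checkip.amazonaws.com` service.

```shell
#!/bin/sh
# Added example (not from the original post): lock step 6 down to one source
# address and check the key from step 5 before step 7's SSH login.
set -eu

# Validate a dotted-quad IPv4 address: exactly four numeric octets, each 0-255.
is_ipv4() {
  addr="$1"
  case "$addr" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $addr
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Turn one host address into the /32 CIDR for a security-group rule.
# Refuses anything that is not a single IPv4 host, so "0.0.0.0/0" never
# slips through as the SSH source.
cidr_for_host() {
  is_ipv4 "$1" || return 1
  printf '%s/32\n' "$1"
}

# ssh rejects a private key that is group- or world-readable; accept only
# owner-read (400) or owner-read/write (600).
key_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c1-10)
  [ "$perms" = "-r--------" ] || [ "$perms" = "-rw-------" ]
}

# Step 6 from the post, restricted to one source address.
open_ssh_from() {
  group_id="$1"; source_ip="$2"
  cidr=$(cidr_for_host "$source_ip") || {
    echo "refusing to open port 22: '$source_ip' is not a single IPv4 host" >&2
    return 1
  }
  aws ec2 authorize-security-group-ingress \
    --group-id "$group_id" --protocol tcp --port 22 --cidr "$cidr"
}

# "Connecting to the EC2 Instance": tighten the key, verify, then log in.
connect() {
  key="$1"; host="$2"
  chmod 400 "$key"
  key_is_private "$key" || { echo "key $key still too open" >&2; return 1; }
  ssh -i "$key" "ec2-user@$host"
}

if [ "${1:-}" = "--run" ]; then
  # Placeholders: your security group id and the instance's public IP.
  open_ssh_from "sg-0123456789abcdef0" "$(curl -s https://checkip.amazonaws.com)"
  connect ./key.pem "203.0.113.10"
fi
```

If your own public address changes (home connections usually do), re-run `open_ssh_from` with the new address and revoke the old rule rather than widening the CIDR.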

EC2 is heavily used in:

application hosting,
automation,
CI/CD pipelines,
Docker setups,
Kubernetes clusters,
monitoring tools,
and cloud infrastructure.

Understanding EC2 is one of the biggest first steps in Cloud Engineering.

Try this on AWS:

Task:

Launch an EC2 instance
Use Amazon Linux AMI
Select t2.micro
Create a key pair
Configure Security Group for SSH
Connect to the instance using SSH

👉 In the next post, I’ll explain the solution and common beginner mistakes step by step.

EC2 may sound advanced at first, but the core idea is simple:

👉 AWS gives you virtual servers on demand.

Instead of managing physical infrastructure, you can launch servers within minutes and use them for real-world applications.

This is one of the most important foundations in AWS and Cloud Engineering ☁️

If you are learning AWS, Linux, or Cloud basics and need help with even small doubts, feel free to connect with me through LinkedIn or email — always happy to learn and grow together 🚀


