Matteo Depascale

If you've ever had to delete and recreate an entire Cognito app client just to rotate a secret, you know how overdue this was.

#AWS #CloudSecurity
4/4

Why this matters:

→ Custom secrets = easier migration from other auth systems
→ On-demand rotation via AddUserPoolClientSecret API
→ Fits actual compliance and security requirements

Not just a nice-to-have — this was a real gap.
3/4

How Cognito secret rotation works now:

1. Add a second secret (up to 2 active per client)
2. Update your apps to use the new one
3. Delete the old secret

No downtime. No big bang credential swaps. Works via Console, CLI, SDKs, and CloudFormation.
2/4

Amazon Cognito now lets you bring your own client secrets and rotate them without downtime.

Before: one secret, no rotation, delete the whole client to change it.
Now: proper lifecycle management. Finally.
1/4

What it monitors:
• Kernel issues & process limits
• VPC CNI/network failures
• Storage I/O & throughput limits
• Container runtime failures
• GPU/accelerator errors (NVIDIA, AWS Neuron)

All open source. All transparent.

#CloudEngineering #DevSecOps
5/5

Key features:
🔹 Runs as DaemonSet on every node
🔹 Monitors: Kernel, Networking, Storage, Runtime, GPU
🔹 Auto-detects 5+ issue categories
🔹 Integrates with EKS auto-repair
🔹 Open source = full transparency

Check it out on GitHub!

#OpenSource #Kubernetes #AWS
4/5

Now with the open source EKS Node Monitoring Agent:
✅ Automated detection across 5 categories
✅ Kernel, network, storage, runtime, GPU monitoring
✅ NodeConditions for auto-repair integration
✅ Full visibility into detection logic

#CloudComputing #DevOps
3/5

Before this agent:
❌ Manual node health checks
❌ SSH + dmesg guesswork
❌ Stale GPU errors going unnoticed for hours
❌ Manual monitoring across kernel, network, storage, runtime

#DevOps #CloudNative
2/5

🚀 Big news for #Kubernetes users! Amazon EKS Node Monitoring Agent is now OPEN SOURCE!

No more SSHing into nodes to debug pod failures. The EKS Node Monitoring Agent is now available on GitHub for everyone.

#AWS #Kubernetes
1/5

One reframe:

Stop: "how I built it"
Start: "how I designed, owned, and drove impact"

Been through an Amazon loop? What surprised you most?

#AWS #SoftwareEngineering #TechCareers
6/6

Common mistakes:

❌ Tasks instead of ownership
❌ Vague stories, no data
❌ Dodging failure questions
❌ Wrong communication level
5/6

Prep that works:

- 12-16 stories remixable across LPs
- Map each to 3-5 LPs + different angles
- STAR + Impact
- Concrete metrics, tradeoffs, "what I'd change"
4/6

The Bar Raiser:

- Outside the hiring team
- Digs into shallow/polished stories
- Ensures you meet the bar for your level

You can't fake this one
3/6

Each interviewer covers 2-3 LPs.
10-12 LPs tested across the panel.

Even technical rounds go deep on behavior:
→ Metrics
→ Alternatives
→ Consequences
→ Scope at your level, not just skills
2/6

Amazon loop interviews ≠ "just more interviews."

3-5 hours. Back-to-back. Every round tests Leadership Principles — even technical ones.

Here's what actually happens 🧵
1/6

What's the most complex scheduling problem you've solved on AWS?

#AWS #Serverless #CloudComputing
8/8

More tips:

→ Clean up one-time schedules after execution (they count against quotas)
→ Batch small tasks to maximize free tier
→ Templated targets for Lambda/SQS/SNS, universal for everything else
7/8

Pro tips:

→ Flexible time windows for non-critical tasks
→ DLQs on every schedule, not just critical ones
→ Monitor InvocationAttempts vs SuccessfulInvocationAttempts ratio
6/8

Built-in resilience:

→ At-least-once delivery guarantee
→ 185 retry attempts over 24h w/ exponential backoff
→ DLQ integration for anything that still fails

No more custom retry logic from scratch
5/8

Universal target support:

→ 270+ AWS services, 6K+ API operations
→ Templated targets for Lambda, SQS, SNS, Step Functions
→ Universal targets for any supported AWS API
4/8

3 schedule types out of the box:

→ rate-based for regular intervals
→ cron-based with timezone + DST handling
→ one-time for precise single executions
3/8

The old way:

❌ Max 5 TPS
❌ 20 targets
❌ 300 rules per account
❌ Custom retry logic

EventBridge Scheduler:

✅ Thousands of TPS
✅ 270+ services, 6K+ API ops
✅ 10M schedules per region
✅ 185 retries over 24h built-in
2/8

Stop struggling with AWS scheduling at scale

Still using cron jobs and custom polling loops?

There's a better way → Amazon EventBridge Scheduler

Here's why you should switch 🧵

#AWS #Serverless
1/8

2026 default stack:
→ CloudFront + TLS 1.3 + HTTP/2/3 + HTTP→HTTPS redirect
→ ACM for auto cert management
→ ALB/NLB with TLS listeners
→ PrivateLink/VPC endpoints for private traffic

No excuses left

#cloud #security #softwareengineering
5/5

Still valid pushback:
→ Microsecond-latency trading systems
→ Constrained IoT/embedded devices
→ Legacy systems where retrofitting TLS has real cost

Otherwise? Encrypt everything
4/5

Edge/CDN termination puts the handshake close to the user

Crypto offloaded from your origin

Actual CPU cost? ~2% at peak. Noise on modern hardware
3/5

The real overhead was never CPU

It was handshake round-trips

TLS 1.3 cuts those in half. 0-RTT resumption for repeat clients

HTTP/2+3 means you rarely pay that cost anymore
2/5

"HTTPS everywhere is unnecessary overhead" is a 2010 argument

In 2026, it's mostly a myth

Here's why 🧵
1/5

How to enable nested virtualization on EC2:

New instance → Advanced details → Nested virtualization → Enable

Existing instance → Stop → Actions → Instance settings → Change CPU options → Enable

That's it.

#AWS #DevOps #CloudComputing
4/4

Before you enable it — know the gotchas:
⚠️ Windows: VSM auto-disabled
⚠️ No hibernate/resume support
⚠️ Windows capped at 192 vCPUs (no m8i.96xl)
⚠️ Latency-sensitive workloads → still use bare metal
⚠️ Security inside nested VMs = your responsibility
3/4