<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on Build on AWS</title><link>https://buildonaws.lakil.org/posts/</link><description>Recent content in Posts on Build on AWS</description><generator>Hugo</generator><language>en</language><lastBuildDate>Fri, 15 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://buildonaws.lakil.org/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>Quick Tip: When AI Agents Get Blocked by AWS Managed Rules</title><link>https://buildonaws.lakil.org/posts/ai-agent-blocked-by-managed-rule/</link><pubDate>Fri, 15 May 2026 00:00:00 +0000</pubDate><guid>https://buildonaws.lakil.org/posts/ai-agent-blocked-by-managed-rule/</guid><description>&lt;h1 id="quick-tip-when-ai-agents-get-blocked-by-aws-managed-rules"&gt;Quick Tip: When AI Agents Get Blocked by AWS Managed Rules&lt;/h1&gt;
&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; OpenAI agent traffic was being blocked by AWS WAF&amp;rsquo;s Anonymous IP List rule (HostingProviderIPList). The source IP belonged to an Azure range included in the HostingProviderIPList. Bot Control was correctly identifying the same traffic as a verified bot, so the fix was to switch HostingProviderIPList to Count and add a custom rule that blocks only &amp;ldquo;hosting provider AND NOT verified bot&amp;rdquo; traffic. Caveat: traffic previously blocked by HostingProviderIPList now reaches Bot Control, increasing Bot Control costs.&lt;/p&gt;</description></item><item><title>Sharing Large Files with Customers — Automating S3 + CloudFront Signed URLs</title><link>https://buildonaws.lakil.org/posts/share-files-with-signed-url/</link><pubDate>Thu, 14 May 2026 00:00:00 +0000</pubDate><guid>https://buildonaws.lakil.org/posts/share-files-with-signed-url/</guid><description>&lt;h1 id="sharing-large-files-with-customers--automating-s3--cloudfront-signed-urls"&gt;Sharing Large Files with Customers — Automating S3 + CloudFront Signed URLs&lt;/h1&gt;
&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; When you need to share large files or directories with customers, this script automates the entire flow — zip compression, S3 upload, and CloudFront Signed URL generation — in a single command: &lt;code&gt;sharelink.py &amp;lt;path&amp;gt;&lt;/code&gt;. The generated link is valid for 7 days.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Key Terms:&lt;/strong&gt; CloudFront Signed URL = A time-limited URL that grants access to a CloudFront distribution, signed with an RSA key pair | S3 = Amazon Simple Storage Service, object storage | OAC = Origin Access Control, restricts direct S3 access so files are only accessible through CloudFront&lt;/p&gt;</description></item><item><title>We Blocked the DDoS, Then the CloudWatch Bill Arrived</title><link>https://buildonaws.lakil.org/posts/ddos-log-auto-filter/</link><pubDate>Tue, 12 May 2026 00:00:00 +0000</pubDate><guid>https://buildonaws.lakil.org/posts/ddos-log-auto-filter/</guid><description>&lt;h1 id="we-blocked-the-ddos-then-the-cloudwatch-bill-arrived"&gt;We Blocked the DDoS, Then the CloudWatch Bill Arrived&lt;/h1&gt;
&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; AWS Shield Advanced protects against DDoS-related scaling costs, but WAF log costs are not covered. When a customer said &amp;ldquo;I need to keep logs but reduce costs,&amp;rdquo; I proposed three incremental steps: (1) switch log destination to Data Firehose for ~8.5x cost reduction, (2) apply a WAF Logging Filter to DROP logs by DDoS label, (3) if logs must be preserved during normal operations, use CloudWatch Alarm + Lambda to automatically toggle the filter only during active DDoS. Step 3 is not a best practice — it is a workaround for specific edge cases.&lt;/p&gt;</description></item><item><title>Why My Blog Won't Serve HTML to Bots</title><link>https://buildonaws.lakil.org/posts/serving-markdown-to-bots/</link><pubDate>Mon, 11 May 2026 00:00:00 +0000</pubDate><guid>https://buildonaws.lakil.org/posts/serving-markdown-to-bots/</guid><description>&lt;h1 id="why-my-blog-wont-serve-html-to-bots"&gt;Why My Blog Won&amp;rsquo;t Serve HTML to Bots&lt;/h1&gt;
&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; Serving Markdown instead of HTML to verified bots gives you two things: your content gets cited accurately in AI answers, and Data Transfer Out costs drop by 94%. AWS WAF Bot Control identifies the bots, and CloudFront Functions rewrites the URL.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Key Terms:&lt;/strong&gt; Bot Control Targeted = AWS WAF&amp;rsquo;s bot detection level combining IP reputation, TLS fingerprinting, and behavioral analysis | CloudFront Functions = lightweight JavaScript execution at CloudFront edge (viewer-request/viewer-response stage) | Data Transfer Out = cost charged for traffic leaving CloudFront to the internet | Verified Bot = a crawler whose identity AWS WAF has confirmed (Googlebot, Bingbot, GPTBot, etc.)&lt;/p&gt;</description></item></channel></rss>