Posts by Sandro Volpicella
Your architecture diagram is lying to you.
It was probably correct on day one.
But then you added a Lambda function.
Changed a DynamoDB index.
And forgot to update the doc.
We all do this.
That is why we started using AI to fix it.
By connecting Kiro to our AWS account, we generate maps from reality.
If the code changes, the map updates.
We show exactly how to set this up in our new video.
Watch it here
www.youtube.com/watch?v=0Hs...
Supply chain attacks are rising. And your `node_modules` folder is the perfect target.
OWASP dropped their Top 10 for NPM security.
It's a wake-up call for many of us.
I summarized the key points you need to know.
1. Don't trust scripts
`npm install` runs scripts by default. This is how malware gets in. Use `--ignore-scripts` to be safe.
2. Lockfiles are mandatory
If you don't use `npm ci`, you are installing different versions than your team. That breaks things. And it opens security holes.
3. Audit your deps
`npm audit` is free. Run it in your CI. Fail the build if there are critical issues.
4. Use a proxy
Tools like Verdaccio let you cache and scan packages before they hit your developers' machines.
5. 2FA is not optional
If you maintain a package, enable 2FA. Attackers target maintainers to inject malicious code.
6. Secrets don't belong in NPM
I've seen API keys in published packages too often. Use `.npmignore` to whitelist what you publish.
The full list covers more like typosquatting and token management.
But if you fix these 6, you are already ahead of 90% of projects.
We cover more security best practices here: awsfundamentals.com/newsletter
Stop dragging boxes around in Drawio.
Seriously.
It is 2026.
We should have automated this years ago.
We recorded a video showing how to use AI to generate your AWS diagrams.
It pulls data right from your live environment.
So when your infrastructure changes, your diagram changes.
No more stale documentation excuses.
This is how we are doing it now.
Link 👇
www.youtube.com/watch?v=0Hs...
Stop using S3 Standard as your default storage class.
Unless you know exactly how your data will be accessed, you are likely overpaying.
I used to default to Standard for everything.
Then I looked at our bill.
We were paying for instant access to logs and backups that no one had touched in a year.
Now, I use S3 Intelligent-Tiering for almost everything.
The concept is simple:
AWS monitors the objects for you.
If you don't touch a file, it moves it to a cheaper tier automatically.
The savings add up fast:
• 30 days of no access? Moves to Infrequent Access (Save ~40%)
• 90 days of no access? Moves to Archive Instant Access (Save ~68%)
And if you need the file back?
It is available instantly. No retrieval fees. No restoration time.
You literally get the savings of Glacier with the experience of S3 Standard.
⚠️ The only caveats:
1. Files smaller than 128KB don't get moved (but you still pay the monitoring fee).
2. There is a tiny monitoring cost ($0.0025 per 1,000 objects).
So if you have millions of tiny files, stick to Standard.
For everything else, let AWS optimize the costs for you.
We visualized all the S3 storage classes here:
awsfundamentals.com/infographic...
Everyone tells you to move old data to Glacier to save money.
But they usually forget to mention the pain.
• Retrieval fees hurt.
• Waiting 5-12 hours for data sucks.
That is why I prefer S3 Intelligent-Tiering.
It solves the biggest problem with archiving:
The fear of needing the data back.
Here is why it is different:
You get the cost savings of archive storage, but the performance of S3 Standard.
If your data sits there for 90 days?
AWS moves it to the Archive Instant Access tier.
You save ~68% on storage.
If you suddenly need to read that file?
It opens instantly.
And you pay zero retrieval fees.
This is the killer feature.
With standard Glacier, reading your own backup is a hassle.
With Intelligent-Tiering, you don't even notice it happened.
The only time I don't use it?
For buckets with millions of tiny files (<128KB).
Because the monitoring fee per object will eat up your savings.
But for logs, media, and backups?
It is the best default setting in AWS.
We broke down all the storage classes in this infographic:
awsfundamentals.com/infographic...
We pull in thousands of dependencies. We trust them blindly.
That is a mistake. 💣
OWASP just released their top 10 security practices for NPM.
I went through them so you don't have to.
Here is what you need to change in your workflow:
1. Stop publishing secrets. It happens faster than you think. Use `.npmignore` and always dry-run before publishing.
2. Lock your dependencies. Don't just install. Use `npm ci` or `yarn install --frozen-lockfile` to ensure everyone uses the exact same version.
3. Block malicious scripts. Attackers love post-install hooks. Add `--ignore-scripts` to your install commands.
4. Check your project health. `npm outdated` and `npm doctor` are built-in tools. Use them.
5. Scan for vulnerabilities. Make `npm audit` part of your CI pipeline.
6. Protect your supply chain. Consider a local proxy like Verdaccio to control what comes in.
7. Don't leak vulnerabilities. If you find a bug, report it privately. Don't put it on Twitter.
8. Turn on 2FA. This should be non-negotiable for every maintainer.
9. Use granular tokens. Don't use your personal token for CI/CD. Use automation tokens.
10. Watch out for typos. `react` is not `rceact`. Typosquatting is real.
Most of these take 5 minutes to set up.
But they save you weeks of headaches later.
Join 11,000+ devs learning real-world AWS: awsfundamentals.com/newsletter
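As an added example, not code from these posts or from OWASP, here is a small Node script that turns two points from both npm posts above (fail the build on critical `npm audit` findings; don't publish secrets) into automated CI checks over npm's own JSON output. It assumes the npm 7+ `npm audit --json` report shape and the `npm pack --dry-run --json` file list; the two sample reports are constructed.

```javascript
// Added example: a CI gate over npm's JSON output. Sample inputs are constructed.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories from an `npm audit --json` report (npm 7+ shape: a `vulnerabilities`
// map keyed by package name) at or above `threshold`. A non-empty result means
// the build should fail, mirroring `npm audit --audit-level=<threshold>`.
function auditFindings(report, threshold = "critical") {
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => `${v.name}: ${v.severity}`);
}

// Paths from `npm pack --dry-run --json` that look like secrets or local config.
// Anything matched must be excluded (via .npmignore or the "files" allowlist in
// package.json) before `npm publish` runs.
const SECRET_PATTERNS = [
  /(^|\/)\.env(\..*)?$/, // .env, .env.production, ...
  /\.(pem|key|p12)$/i, // private keys and certificate bundles
  /(^|\/)credentials/i, // credentials.json, aws_credentials, ...
  /(^|\/)\.npmrc$/, // may carry an auth token
];
function suspiciousPublishFiles(packJson) {
  return packJson
    .flatMap((pkg) => pkg.files.map((f) => f.path))
    .filter((p) => SECRET_PATTERNS.some((re) => re.test(p)));
}

// Combine both checks into one pass/fail decision for the pipeline.
function ciGate(auditReport, packJson, threshold = "critical") {
  const problems = [
    ...auditFindings(auditReport, threshold),
    ...suspiciousPublishFiles(packJson).map((p) => `would publish: ${p}`),
  ];
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs (hypothetical package names, not real advisories).
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": { name: "example-parser", severity: "critical", fixAvailable: true },
    "example-util": { name: "example-util", severity: "moderate", fixAvailable: false },
  },
};
const samplePack = [{ name: "my-lib", files: [
  { path: "package.json" }, { path: "dist/index.js" },
  { path: ".env.production" }, { path: "config/credentials.json" },
] }];
console.log(JSON.stringify(ciGate(sampleAudit, samplePack), null, 2));
```

In a pipeline, pipe the real output of `npm audit --json` and `npm pack --dry-run --json` into `ciGate` and exit non-zero when `ok` is false; the install-time practices (`npm ci`, `--ignore-scripts`, 2FA) are settings rather than checks and sit outside this script.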
Sometimes you need to give frontend developers the ability to choose their own data.
And if you want to build that in a serverless way, you need to use AppSync!
We have all been there.
The frontend asks for one more field.
The backend team puts it on the backlog.
Two weeks later, the endpoint is updated. 😢
This friction kills velocity.
AppSync removes the bottleneck entirely.
It lets the frontend query exactly what they need, when they need it.
Here is why developers love it:
🛠️ Built-in caching
You can cache specific fields or full queries. No need to spin up a separate Redis instance.
🔐 Fine-grained access
Control who sees what. You can use @auth directives to lock down specific fields based on user groups.
📱 Offline support
AppSync has great SDKs that handle offline data synchronization automatically.
Stop the back-and-forth. Let the frontend drive.
Grab our full visual guide here
awsfundamentals.com/infographic...
I see Opus is debugging in the same way I do: make the background red and figure out why there is so much fricking space at the top 😬