AWS Payment Cryptography Extra — Implement TR-31 Key Export and Import
Export a CVV key wrapped with KEK via TR-31, import it, and verify the same CVV2 is generated. Key material transfer and KCV-based identity verification with Python (boto3).
All blog posts
A collection of Java SDK v2 gotchas discovered across the 3-part series. HMAC gaps, enum naming mismatches, class name confusion, and other undocumented pitfalls with workarounds.
Implement TranslatePinData for PIN re-encryption without exposing plaintext, and CMAC for data integrity verification. The core of acquirer processing: key relay without touching the PIN.
Implement 3 core issuer cryptographic operations with Java SDK. Discover how GeneratePinData requires PEK and PVK simultaneously — multiple purpose-built keys cooperating in a single API call.
Create 4 types of payment cryptographic keys with Java SDK, test wrong-key-usage errors, and experience how TR-31 KeyUsage enforcement differs from KMS.
A deep dive into the AWS Security Blog's agentic AI security framework for financial services. Reorganizes the 7 design principles into three axes—permissions, traceability, and controls—with Bedrock AgentCore implementation guidance.
Hands-on verification of the AI-powered A/B testing engine from the AWS blog — implementing context-dependent variant selection with Bedrock Converse API tool use. Discovered that omitting context from the prompt reverses the variant choice, highlighting prompt design as the critical factor.
Hands-on verification of Amazon ECS Linear and Canary deployments with NLB. Measured how the NLB-specific 10-minute delay accumulates per step, making step count the deployment time bottleneck.
Hands-on verification of Aurora PostgreSQL Express Configuration. VPC-free setup in ~30 seconds, TLS 1.3 via Internet Access Gateway, and default IAM auth — with real measurements and edge cases.
Verified the Remote Query Cache Plugin in AWS Advanced JDBC Wrapper 3.3.0 with ElastiCache for Valkey Serverless. The first connection always times out, pushing CacheMonitor into SUSPECT state — a Serverless-specific issue not seen with node-based clusters.