Anecdote: I haven’t done any web development since 2002 and I always farmed that off to someone else.

But since I started using coding agents, I have done two feature full internal web apps authenticated by Amazon Cognito. While the UI looks like something from 2002, I am good at putting myself in the shoes of the end user, I iterated often (and quickly) over the UX.

I didn’t look at a line of code and have no plans to learn web development. I might have taken the time to learn a little before AI just to help me with internal websites. Yes I know it’s secure - I validated the endpoints can’t be accessed unauthenticated and the IAM role.

Second anecdote: I know AWS (trust me on this) like the back of my hand. I also know CloudFormation. For years I’ve been putting off learning Terraform and the CDK. After AI, why bother? I can one shot either for IAC and I’m very specific about what I want.

My company is happy and my customer is happy (consulting) what else matters? Substitute “customer” for “the business” or “stakeholders”

▲

acmerfight a day ago | parent | next [-]

Agreed. This is pure architectural thinking: you hold the ground truth, enforce the strict IAM boundaries, and outsource the mud-playing to the LLM. Mindless 'vibe coding' without this structural discipline is just tittytainment. The job is contract validation now, not typing.

▲

mattmanser a day ago | parent | prev [-]

I didn’t look at a line of code... I know it’s secure - I validated the endpoints can’t be accessed unauthenticated and the IAM role

Oh god, this made me laugh so hard.

Best 'we gonna get hacked' comment of the day.

▲

raw_anon_1111 a day ago | parent [-]

Please tell me how is going to be “hacked”?

A) The IAM role of the Lambda runtime it’s running in is least privileged and only has access read and write access to the required S3 bucket and other required AWS services and even those are tightly scoped.

B) For authentication I used Amazon Cognito and ran a curl shell script against each endpoint for authentication vs non authenticated end points

C) The database user has least privilege access

So how pray tell could insecure code overcome that?

▲

mattmanser 20 hours ago | parent [-]

So you've made a read only wrapper around a database? That one person needs to access? There's no tentantization? You can't access more than one person's data? So there's zero chance one user can access someone else's data?

If you answered NO to any question, refer to my previous post.

If you answered YES, you could have just hooked your DB up to power BI or tableaux or whatever. Not exactly something to start boasting about that you're doing web dev.

	▲	raw_anon_1111 18 hours ago \| parent [-]
		I see you didn’t say anything about the possible security issues if I was using AWS Cognito for auth, tightly scoped IAM privileges for the runtime environment and a tightly scoped database user. BTW, with AWS you can also enforce DynamoDB, Postgres and Redshift (?) to only allows rows to be accessed based on the user (IAM or Cognito) so no matter what Claude did, as long as you validate your security boundary at the AWS and database level, there wouldn’t be an issue. Why would I trust developers (or Claude) to write secure multi tenant code when I can enforce it on the database/AWS layer? https://aws.amazon.com/blogs/database/multi-tenant-data-isol... https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_p... 1. I did say it’s an internal admin site and I mentioned AWS and S3. I didn’t say it was a reporting site only dealing with the database. 2. It’s B2B, every company pays 5-6 figures annually and they each have their own AWS account. No company can access any other company’s data because they each have their AWS account, user pool and database. 3. How am I “boasting” about doing “web dev” (poorly paid commodity work) when I specifically said I hadn’t done web development “since 2002” and talked about the UI was something from 2002? 4. I said it was an “Admin site”. I didn’tg say it was a reporting dashboard.