Security research, cloud experiments, homelab notes, and TILs.https://lab.brad-duhon.com/https://lab.brad-duhon.com/aws-sso-incident-when-ai-deleted-my-identity-platform/https://lab.brad-duhon.com/aws-sso-incident-when-ai-deleted-my-identity-platform/An AI agent autonomously deleted my AWS SSO instance during a greenfield identity migration, and the cascading failures taught me more about agentic guardrails than any documentation could.Mon, 18 May 2026 00:00:00 GMThttps://lab.brad-duhon.com/autonomous-environment-unifying-agents/https://lab.brad-duhon.com/autonomous-environment-unifying-agents/How I unified Gemini CLI and Claude Code into a single high-integrity environment with autonomous background auditing and organic memory.Tue, 12 May 2026 00:00:00 GMThttps://lab.brad-duhon.com/engram-build-narrative/https://lab.brad-duhon.com/engram-build-narrative/How I built a personal memory layer for Claude Code in a weekend - the architecture decisions, the wrong turns, and what the collaboration actually looked like.Sun, 10 May 2026 00:00:00 GMThttps://lab.brad-duhon.com/terraform-module-kms-key/https://lab.brad-duhon.com/terraform-module-kms-key/Building a reusable KMS CMK module with enforced rotation, admin/user separation in the key policy, and sensible prod defaults.Sun, 10 May 2026 00:00:00 GMThttps://lab.brad-duhon.com/terraform-module-s3-secure/https://lab.brad-duhon.com/terraform-module-s3-secure/Building a reusable S3 module that defaults to locked down: SSE-KMS, Block Public Access, access logging, versioning, and a bucket policy that enforces TLS.Sun, 10 May 2026 00:00:00 GMThttps://lab.brad-duhon.com/terraform-module-waf-baseline/https://lab.brad-duhon.com/terraform-module-waf-baseline/Building a reusable WAF WebACL for CloudFront with managed rule groups, rate limiting, geo-restriction, and full request logging to S3.Sun, 10 May 2026 00:00:00 GMThttps://lab.brad-duhon.com/terraform-iam-circular-dependency-postmortem/https://lab.brad-duhon.com/terraform-iam-circular-dependency-postmortem/A one-line CloudFront change triggered a cascade of IAM permission failures, exposed an architectural design flaw in how CI/CD roles were managed, and required a full workspace refactor to resolve correctly. This is the honest account of what went wrong, what was tried, and what the right answer actually is.Thu, 23 Apr 2026 00:00:00 GMThttps://lab.brad-duhon.com/aws-apigateway-cross-account-privatelink/https://lab.brad-duhon.com/aws-apigateway-cross-account-privatelink/A four-layer defense-in-depth pattern for Lambda-to-API Gateway calls across AWS accounts - zero public internet exposure using Interface VPC Endpoints, Security Group peering, endpoint policies, and SigV4 authentication.Wed, 22 Apr 2026 00:00:00 GMThttps://lab.brad-duhon.com/wsl-dev-environment-setup/https://lab.brad-duhon.com/wsl-dev-environment-setup/End-to-end walkthrough of setting up a full dev environment inside WSL2 - from bare shell through ZSH, Claude Code, Git, Terraform, AWS credentials, and deploying brad-duhon.com as an Astro monorepo on AWS.Sat, 18 Apr 2026 00:00:00 GMThttps://lab.brad-duhon.com/building-brad-duhon-com/https://lab.brad-duhon.com/building-brad-duhon-com/A complete walkthrough of building this site in a single session with Claude - infrastructure, accessibility gotchas, the knowledge graph, and an honest accounting of what the AI got wrong.Fri, 17 Apr 2026 00:00:00 GMT