<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cloudar</title>
	<atom:link href="https://cloudar.be/feed/" rel="self" type="application/rss+xml" />
	<link>https://cloudar.be/</link>
	<description>100% Focus On AWS // 100% Customer Obsession</description>
	<lastBuildDate>Thu, 02 Jul 2026 07:43:14 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>
	<item>
		<title>Leaving VMware is a question of timing</title>
		<link>https://cloudar.be/awsblog/leaving-vmware-is-a-question-of-timing/</link>
		
		<dc:creator><![CDATA[Tom De Blende]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 06:18:20 +0000</pubDate>
				<category><![CDATA[AWS Blog]]></category>
		<category><![CDATA[Migration]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22759</guid>

					<description><![CDATA[<p>Broadcom rewrote the VMware rules and general support for VCF 8 ends on 11 October 2027. A phased migration to AWS, via Amazon EVS or AWS Application Migration Service to Amazon EC2, then modernization to AWS-native services, solves the immediate problem and the long-term one in the same move.</p>
<p>The post <a href="https://cloudar.be/awsblog/leaving-vmware-is-a-question-of-timing/">Leaving VMware is a question of timing</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>If you are still running on VMware today, you do not necessarily have a bad platform. But if you are still running on VMware tomorrow without a concrete migration plan, you have a strategic problem. Broadcom has rewritten the rules: unilaterally, definitively, and with little empathy for the customers who stayed loyal for years. I do not want to turn this into a lament about Broadcom, though. I want to explain why this is the ideal moment to make a decision you might otherwise keep postponing for years.</p>
<p>When Broadcom closed its acquisition of VMware, everyone in the industry knew something was going to change. Have we already forgotten what happened to Symantec, among others? Broadcom bought Symantec&#8217;s enterprise unit in 2019, narrowed it to around 2,000 of the largest accounts (the Global 2000), and raised prices on most of the rest. VMware is the same script on a bigger stage. The only surprise was how fast it came. In short order, perpetual licenses were scrapped, thousands of cloud partners (Cloudar among them) received a termination letter, and a catalogue of over 8,000 SKUs was reduced to two bundles (VMware Cloud Foundation and VMware vSphere Foundation). The shift from per-CPU-socket licensing to per-physical-core licensing also meant that organizations expecting to simply carry on with an existing installation were suddenly facing invoices two to five times higher.</p>
<p>But those cost increases are relative. The real impact only lands on 11 October 2027, when general support for VCF 8 ends. By that date, every VMware customer has to either migrate to VCF 9 at the new (read: higher) prices and under the new model, or be shown the back door and leave the platform behind.</p>
<p><strong>Not deciding is also a decision</strong></p>
<p>Big decisions like this get postponed fast. Or, in the alternative: you do not decide, and you take the hit. I understand the reflex. Migrations are complex. Infrastructure is critical. You do not want to take risks with production environments. And maybe you are thinking Broadcom will course-correct once the pressure builds. I do not want to give you false hope. By now there is plenty of evidence that Broadcom has no intention of changing course. The messaging is consistent, prices have not come down, and contract negotiations follow a tight, inflexible script.</p>
<p>More importantly, the migration window shrinks every month. A phased, carefully prepared migration of enterprise workloads takes two to three years in practice. If you only start evaluating in 2026, you have almost no room for a calm, controlled execution. The result of waiting too long is not that you end up with more options. It is that you are forced to choose between an expensive rushed migration and an extension with Broadcom at prices you do not actually want to pay. Everyone wins, except the end customer.</p>
<p>And if you are going to migrate anyway, why not move to another on-premises hypervisor? It might look like the most logical step. Nutanix, Proxmox, Microsoft Hyper-V: there are alternatives that keep the virtualization layer intact.</p>
<p>My answer is a nuanced one. For certain workloads with strict data-residency requirements or specific latency constraints, on-premises can remain relevant. But for most companies, switching to another hypervisor is only a stopgap. You solve the price increase, but you keep working with the same operational model. You still manage hardware, license renewals, capacity planning, and the staffing overhead that comes with all of it. On top of that, you trade one vendor dependency for another.</p>
<p>Staying on-premises carries a second problem beyond the licensing model. Hardware is becoming a scarce commodity, and so is datacenter floor space. Prices are going through the roof, and supply is no longer guaranteed.</p>
<p>AWS offers something structurally different: the option to move away from the virtualization layer over time. And getting there is no longer a leap of faith. If you want the smallest possible change on day one, Amazon Elastic VMware Service (Amazon EVS) runs VMware Cloud Foundation directly inside an Amazon VPC in your own AWS account, so the same vSphere, vSAN and NSX stack your team already operates lands on AWS without a re-architecture. If you would rather leave the hypervisor behind right away, AWS Transform MGN (formerly AWS Application Migration Service) replicates your virtual machines block by block and cuts them over to Amazon EC2 with minimal downtime, while AWS Transform for VMware automates the unglamorous parts: discovery, dependency mapping, network conversion, and right-sizing the target instances. The two paths trade off differently. Amazon EVS keeps your VMware stack intact, and with it the VMware licensing, but moves it off your own hardware and onto AWS as the fastest possible landing. The MGN route leaves the hypervisor, and the VMware license, behind outright. Either way your teams keep their existing way of working and do not have to relearn everything on day one.</p>
<p>That is the floor, not the ceiling. Once a workload runs on AWS you can modernize it on its own timeline, and only where the business case justifies it: move a self-managed database onto Amazon RDS or Amazon Aurora, lift a tier of servers into containers on Amazon ECS or Amazon EKS, replace a scheduled job with an AWS Lambda function, and reach for managed AI through Amazon Bedrock. None of that is realistic to run well on-premises, or it is simply too expensive to operate yourself. A like-for-like hypervisor swap does not get you here: it can lower the licensing bill, but the operational model and the eventual modernization are left untouched. Moving to AWS is the option where the immediate fix and the longer-term path share one destination.</p>
<p>We have been doing this at Cloudar for 12 years, and a lot of those conversations reveal the same pattern. At some point an organization made a sound technology choice. And today they find that the choice is holding them in a situation they can no longer defend, or no longer want to. VMware was an excellent choice for years. It was stable, well documented, broadly supported. But the lesson of the Broadcom acquisition is that vendor lock-in is not an abstract technical concern. It is a concrete business risk that, sometimes only after ten or fifteen years, shows up as something you simply have no alternative to.</p>
<p>Moving to AWS does not make that problem disappear entirely, of course. Every major cloud provider has its own ecosystem and its own logic. But the nature of the dependency changes fundamentally. In the cloud you pay for what you use, and you can decide workload by workload how and where you run it. The technical architecture of cloud-native services (open standards, open containers, open APIs) lets you switch when you want. That is structurally different from proprietary hypervisor software with a binary licensing logic. It lets you design with a solid exit scenario built in from the start.</p>
<p><strong>Start with insight, then migrate in phases</strong></p>
<p>Migrations rarely fail on the technology. They fail through a lack of preparation, unclear priorities, and too little attention to the human side of the process. The first step every organization should take is insight: which workloads are you running, what are the dependencies, and what is the real cost of your current VMware installation versus the alternatives? Only once that is clear can you make a rational decision. The tooling to get there has matured: AWS Transform for VMware can inventory a vSphere estate and map its dependencies automatically, and AWS Migration Hub tracks the moves once they start. A Migration Readiness Assessment that used to take months is now achievable in a few weeks.</p>
<p>This is where AWS has invested most visibly. AWS Transform, its agentic migration service, puts AI agents on the parts of a migration that used to eat months of consultant time: discovery, dependency mapping, wave planning, and network conversion, with the actual rehost driven through AWS Transform MGN. It is not VMware-only either; the same agents cover Windows and .NET modernization and mainframe workloads. AWS reports discovery that once took a quarter compressing to about a week, and landing-zone networking provisioned up to 70 percent faster. None of that removes the need to start early. It does mean the preparation that scared you off a year or two ago is no longer the bottleneck it was.</p>
<p>AWS can help fund a lot of this work through the Migration Acceleration Program (MAP). The assessment phase produces a workload inventory, a dependency map, and a costed business case, all of which are yours to keep, whichever direction you choose afterwards. For projects with a strong enough case, MAP can also offset a meaningful share of the migration cost itself. A migration partner runs the assessment and unlocks that funding on your behalf, which is the role we play at Cloudar.</p>
<p>The approach we recommend is phased. Start with the most portable workloads on Amazon EC2, which immediately eliminates the VMware license cost, then replatform workload by workload to AWS-native services as the business case justifies it. And in the meantime, put all new VMware deployments on ice. Every new workload you still put on VMware today is a workload you will have to migrate again later.</p>
<p>What I want to leave you with is this. The best migrations are the ones you carry out when you have the time and the space to do them well. You still have that time and space now, but the clock is ticking. As I write this, there are 467 days left until 11 October 2027. That may sound like a lot&#8230;</p>
<p>The post <a href="https://cloudar.be/awsblog/leaving-vmware-is-a-question-of-timing/">Leaving VMware is a question of timing</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>When the model goes dark: keeping your AI agent available on Amazon Bedrock</title>
		<link>https://cloudar.be/awsblog/when-the-model-goes-dark-keeping-your-ai-agent-available-on-amazon-bedrock/</link>
		
		<dc:creator><![CDATA[Tom De Blende]]></dc:creator>
		<pubDate>Tue, 23 Jun 2026 14:34:02 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[AWS Blog]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22747</guid>

					<description><![CDATA[<p>Keeping an LLM-powered agent available when a model is unavailable: configuring fallbacks, running your own models, and the Bedrock pitfalls that are not just a config switch.</p>
<p>The post <a href="https://cloudar.be/awsblog/when-the-model-goes-dark-keeping-your-ai-agent-available-on-amazon-bedrock/">When the model goes dark: keeping your AI agent available on Amazon Bedrock</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In June 2026, Anthropic abruptly disabled access to its most capable models, Fable 5 and Mythos 5, for every customer, after a US export-control directive barred foreign nationals from using them. Not a throttle. Not a deprecation notice with a migration window. A frontier model that worked on Friday was simply gone, for reasons that had nothing to do with uptime.</p>
<p>That is the uncomfortable part of putting an LLM-powered agent into production: you inherit a dependency that never shows up on the architecture diagram. Someone else&#8217;s model has to stay reachable for your system to do anything at all. Usually the ways it fails are mundane. The model gets throttled the week you need it most, or deprecated on the vendor&#8217;s timeline rather than yours, or it simply has a bad afternoon while your incident volume spikes. June was the reminder that it can also be a regulator drawing a line. Either way, the day it happens, your &#8220;autonomous&#8221; system is exactly as autonomous as a 500 error.</p>
<p>We had been building an operations agent that investigates tickets and reasons over live infrastructure, and we had already decided not to hard-wire it to a single model. The June suspension is what turned that from a prudent hedge into an obvious one, and it is why we are writing this up now. The agent is genuinely useful, which is the problem: the more people rely on it, the less acceptable &#8220;the model is unavailable right now&#8221; becomes as an answer. This post is how we think about that availability problem, why we landed on Amazon Bedrock as the foundation, and (more importantly) the things we got wrong on the way, because the interesting lessons are in the pitfalls, not the happy path.</p>
<p><strong>Two ways to stop betting the business on one model</strong></p>
<p>There are really only two structural answers to &#8220;what happens when my model is gone&#8221;:</p>
<ul>
<li><strong>Configure fallbacks.</strong> Have more than one model the agent can run on, and fail over when the primary is unavailable.</li>
<li><strong>Run your own model.</strong> Remove the third-party API from the critical path entirely, so availability is something you control rather than something you subscribe to.</li>
</ul>
<p>Both are sound. Both are also more subtle than they sound, and the subtlety is the whole point of this article. Neither is &#8220;set a second model ID and you&#8217;re done.&#8221;</p>
<p>The reason we built on Amazon Bedrock is that it makes both strategies reachable from one place. Through a single AWS IAM surface, one set of credentials, one regional endpoint, and one billing path, Bedrock gives you access to a large catalogue of foundation models from multiple providers. Via Amazon Bedrock Custom Model Import you can bring your own open-weight models, and Amazon Bedrock Marketplace adds a catalogue of others to deploy. You can layer Amazon Bedrock Guardrails across all of them as a provider-independent safety control, and you keep your data inside your chosen AWS Region. For a European services partner like us, whose customers are specific about where their data is processed, Region control often settles the whole approach before model quality even enters the conversation.</p>
<p>So far, so much like a Bedrock landing page. Here is where it got real for us.</p>
<p><strong>Pitfall 1: &#8220;swap the model ID&#8221; is an access abstraction, not an application one</strong></p>
<p>The single most useful mental model we developed is this distinction. Bedrock abstracts <em>access and transport</em>: one credential, one API, one bill, to reach many models. It does <em>not</em> abstract the request and response shape your application actually depends on.</p>
<p>When you start, you almost certainly reach for a provider&#8217;s own SDK or the request format of whichever model you adopted first. That code grows roots. Your agent loop parses the specific content-block shape that model returns: the way tool calls are represented, the field names, the IDs. Your retry logic, your streaming handling, your token accounting all quietly assume one family&#8217;s conventions. The moment you point that code at a different model family, the transport works perfectly and the parsing falls apart, because you didn&#8217;t insert a model-agnostic layer. You inserted one-vendor-on-Bedrock, which borrows Bedrock&#8217;s plumbing but speaks only one dialect.</p>
<p>Amazon Bedrock does offer a genuinely cross-model interface, the Converse API, which normalises messages and tool configuration into a common shape across many models. Most current foundation models on Bedrock are reachable through it, so adopting Converse from day one avoids a lot of this pain. The catch is at the edges: you trade away some of the richer, provider-specific surface, and a few models still expose their newest capabilities only through their own API shapes. A fully general agent can therefore end up maintaining more than one transport path anyway, which is exactly the situation the next point is about.</p>
<p>The lesson that generalises: <strong>build a thin internal seam early.</strong> Define one interface that your agent talks to, pick one canonical shape for messages and tool calls, and put each model family behind an adapter that translates its wire format to and from that shape. Concretely, the boundary is about this small:</p>
<pre class="wp-block-code"><code class="" data-line=""># one interface the agent depends on; one adapter per model family behind it
class ModelClient(Protocol):
    async def respond(self, messages: list[Block], tools: list[Tool]) -&gt; list[Block]: ...

# AnthropicClient, ConverseClient, ... each satisfy this and own the
# translation between their provider&#039;s wire format and the canonical Block.
def make_client(model_id: str) -&gt; ModelClient: ...  # fail-closed: unknown id raises</code></pre>
<p>Your dispatch loop only ever sees the canonical block, never a vendor payload. Make the factory <em>fail-closed</em>: an unrecognised model ID should raise, never silently route to a &#8220;best guess.&#8221; Fallback is only safe if the fallback path is one you&#8217;ve explicitly built and tested, not one your code stumbles into.</p>
<p>This is also why a framework like LangChain or LiteLLM is not a shortcut past the problem. It hands you a ready-made version of that seam across providers, which is genuinely useful, but it abstracts the wire format, not the behaviour. The per-model prompt sensitivity, the tool-calling quirks, the caching mechanics: those leak straight through any unified interface, yours or off-the-shelf.</p>
<p><strong>Pitfall 2: models are not drop-in equivalents, even at equal &#8220;quality&#8221;</strong></p>
<p>The second hard lesson is that two models can both be excellent and still not be interchangeable in your harness.</p>
<p>Concrete example: provider-specific prompt caching. The cost and latency model of an agent that re-sends a large tool-and-context preamble every turn depends heavily on prompt caching, and the way you mark cacheable spans (and even how many cache breakpoints you are allowed) is vendor-specific. Switch families and your carefully tuned caching strategy simply does not apply; your costs and latency move, sometimes sharply.</p>
<p>Another: model-version quirks. We found a specific model version would occasionally malform its tool calls in a way we had to detect and repair in the dispatch loop. That repair is correct for that version and meaningless for every other model. Tool-calling reliability, instruction-following under pressure, willingness to say &#8220;I don&#8217;t know&#8221; instead of fabricating: these vary enormously between models and are exactly the behaviours an agent lives or dies by.</p>
<p>So &#8220;best way to use a model&#8221; is real, and it is per-model: the prompt that gets the best out of one model is not the prompt that gets the best out of another, and the safety posture that one model respects, another ignores. A fallback model isn&#8217;t a spare tyre of the same size; it&#8217;s a different vehicle that happens to drive on the same roads. Treat the migration to it as a real piece of engineering, scoped and tested ahead of time, so that on the day you actually need it you are flipping a switch you have already proven.</p>
<p><strong>Pitfall 3: a fallback ladder is also a cost ladder</strong></p>
<p>The third consideration bites only after you have shipped: the model you fail over to has a different price, and the Region you are obliged to run it in has a different price again. On Bedrock these are two separate effects worth keeping straight. Token pricing varies widely by family, often by an order of magnitude between a frontier model and a lighter open-weight one, which is visible on the public Bedrock pricing page. Separately, Cross-Region inference itself does not add a surcharge: a request is billed at the inference profile&#8217;s published rate, which for current AWS profiles matches the on-demand rate of that profile&#8217;s primary Region. What moves the number is which profile you are obliged to use. The EU inference profile that keeps data in-region can sit above the cheapest on-demand Region for the same model. In our own cost modelling we carry roughly a 10% uplift on the EU inference-profile routes for our primary family against the equivalent US on-demand rate, and we treat that as the standing price of residency.</p>
<p>So a fallback ladder is also a cost ladder, and the two do not move together. Failing over to a cheaper open-weight model can save money while costing you quality; failing over to a residency-compliant route can cost more for the same model. Work both deltas out in advance, so a failover event doesn&#8217;t arrive as a billing surprise stacked on top of an incident.</p>
<p><strong>Where Bedrock genuinely shines: cheap, isolated, side-by-side evaluation</strong></p>
<p>Here is the flip side of all that subtlety: because every model lives behind the same Bedrock access surface, comparing them becomes an infrastructure problem you already know how to solve, not a procurement project per vendor.</p>
<p>We stood up a second, isolated runtime (same agent code, separate deployment, separate logs, separate metrics namespace) whose only job is to run candidate models against hard, representative tasks without touching production. A few design choices made this evaluation trustworthy, and they generalise well:</p>
<ul>
<li><strong>Isolate it at the infrastructure level, not by convention.</strong> A separate runtime, image tag, log group and metrics namespace mean eval traffic can never pollute production dashboards or alerts, and a candidate model can never accidentally take a real action. Make the isolation fail-closed: if the eval deployment is missing its explicit configuration, it should refuse to deploy rather than fall back to production settings.</li>
<li><strong>Grade blind.</strong> If the evaluation environment can read the &#8220;right answer&#8221; (a human&#8217;s resolution notes, a linked root-cause record), a weaker model can look strong by quietly reading the answer key. Strip those inputs so you are measuring reasoning, not retrieval of the solution.</li>
<li><strong>Run a harness-fit probe before you blame the model.</strong> When a candidate underperforms, the natural reaction is &#8220;our prompt isn&#8217;t tuned for it.&#8221; So test that hypothesis directly: harden the prompt specifically for the candidate and re-measure. Our most valuable single finding came from this: the gap between our primary model and the alternatives was mostly model-intrinsic, not a prompt artefact. That told us the seam was worth keeping for break-glass resilience, but that switching the default wasn&#8217;t justified yet. You only learn that by measuring.</li>
</ul>
<p>A safety note that bears repeating, because it surprised us: a &#8220;dry-run&#8221; flag that suppresses one kind of side effect doesn&#8217;t suppress all of them. In our case, suppressing the agent&#8217;s writes did not suppress its reads against live infrastructure. If a candidate model can call tools, those calls execute for real during evaluation. The durable backstop is least-privilege, read-only credentials at the boundary, not a flag in your application code. Defence in depth applies to your evaluation environment too.</p>
<p><strong>Running your own model: removing the API from the critical path</strong></p>
<p>Configuring fallbacks hedges against one model being unavailable. Running your own hedges against a different risk: not wanting your core workflow to depend on a third-party inference API at all, whether for sovereignty, predictable capacity, or a model fine-tuned on your own domain. The point of doing it on Bedrock is that the operational surface barely changes when the weights become yours: the same IAM controls and the same API, with Guardrails layered on where the model architecture supports them. Amazon Bedrock Custom Model Import brings supported open-weight architectures behind that surface; Amazon Bedrock Marketplace widens the catalogue; and Provisioned Throughput reserves dedicated capacity for steady, latency-sensitive load. Because the surface stays the same, a single seam can mix managed and self-hosted models on the same ladder.</p>
<p>The honest caveats are real but different from classic self-hosting. With Custom Model Import the serving and autoscaling stay AWS-managed (billed by Custom Model Units, with cold-start latency on an idle model), so what you take on is the cost model, the supported-architecture limits, and a quality bar an open-weight model may not clear for your task, not server ops. You only own capacity planning and scaling if you go all the way to your own Amazon SageMaker or EC2 endpoints, outside Bedrock. For most teams the right posture is a hybrid:</p>
<ul>
<li><strong>Primary: a strong managed model.</strong> Your default. The one you have evaluated hardest and trust unattended.</li>
<li><strong>Fallback: a tested alternative, break-glass.</strong> Already proven through the seam on a normal day, not discovered during an outage.</li>
<li><strong>Self-hosted: for workloads where control wins.</strong> Reserved for cases where sovereignty or capacity genuinely outweighs the operational cost.</li>
</ul>
<p><strong>What we&#8217;d tell our past selves</strong></p>
<ul>
<li><strong>Build the seam before you need it.</strong> One internal interface, one adapter per model family, fail-closed routing. Retrofitting this under outage pressure is miserable.</li>
<li><strong>Treat &#8220;switch to the fallback&#8221; as engineering, not configuration.</strong> Prompts, caching, tool-calling quirks, and safety posture are all per-model. Prove the fallback works on a normal day.</li>
<li><strong>Default to your best model; keep the alternative warm.</strong> The point of the seam often isn&#8217;t to leave your strongest model; it&#8217;s resilience and the option to re-evaluate as the field moves.</li>
<li><strong>Make evaluation a first-class, isolated environment.</strong> Blind grading and a harness-fit probe will tell you whether your problem is the model or your prompt, saving you from both over-engineering and false economy.</li>
<li><strong>Put the real safety control at the boundary.</strong> Read-only, least-privilege credentials and Guardrails protect you regardless of which model is behind the seam, including during evaluation.</li>
</ul>
<p>Those five are tactics. The shift underneath them is the real payoff. Amazon Bedrock did not make the model-specific subtlety disappear, and nothing will. What it changed is where the subtlety lives: behind one access surface, one security model, and one bill that we own, instead of scattered across vendor relationships we could only hope held. &#8220;Keep the agent running when a model goes dark&#8221; stopped being a procurement question and became an architecture decision.</p>
<p><em>Written at Cloudar, an AWS Premier Tier Services Partner. The lessons here come from production experience building AI-assisted operations tooling on AWS.</em></p>
<p>The post <a href="https://cloudar.be/awsblog/when-the-model-goes-dark-keeping-your-ai-agent-available-on-amazon-bedrock/">When the model goes dark: keeping your AI agent available on Amazon Bedrock</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Tram, train, bus… the future is fleet-level intelligence</title>
		<link>https://cloudar.be/awsblog/tram-train-bus-the-future-is-fleet-level-intelligence/</link>
		
		<dc:creator><![CDATA[Tom Geeroms]]></dc:creator>
		<pubDate>Tue, 21 Apr 2026 08:47:14 +0000</pubDate>
				<category><![CDATA[AWS Blog]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22724</guid>

					<description><![CDATA[<p>Tram, train, bus… the future is fleet-level intelligence Somewhere in Europe, a tram is running right now with a bearing fault that will cause a breakdown in eleven days. The onboard sensor has been registering it for weeks. But no one caught it. Why? Because no one was looking in the right way. Modern vehicles [&#8230;]</p>
<p>The post <a href="https://cloudar.be/awsblog/tram-train-bus-the-future-is-fleet-level-intelligence/">Tram, train, bus… the future is fleet-level intelligence</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2>Tram, train, bus… the future is fleet-level intelligence</h2>
<p style="font-weight: 400;">Somewhere in Europe, a tram is running right now with a bearing fault that will cause a breakdown in eleven days. The onboard sensor has been registering it for weeks. But no one caught it. Why? Because no one was looking in the right way.</p>
<p style="font-weight: 400;">Modern vehicles are loaded with sensors. Vibration, temperature, brake pressure, power consumption: every detail is measured. But a sensor is just a sense organ, not a brain. Local alarms are reactive: they tell you what has already gone wrong. The real shift happens when you stop looking at data vehicle by vehicle, and start looking across an entire fleet. When hundreds of vehicles stream their telemetry to a central cloud platform, something fundamentally different emerges: fleet-level intelligence.</p>
<p style="font-weight: 400;">AWS provides a proven foundation for exactly this. Through AWS IoT Core, sensor data from thousands of vehicles &#8211; whether trains, trams, or buses, at any scale &#8211; flows in real time to a central platform. And what you see from there changes the nature of your decisions entirely.</p>
<p style="font-weight: 400;">The platform doesn&#8217;t just see that vehicle 47 is showing an unusual vibration. It sees that every vehicle travelling a particular route today showed the same anomaly. And from that, it draws the right conclusion: the problem isn&#8217;t the train. It&#8217;s the track. That&#8217;s the difference between raising a maintenance ticket and preventing an incident.</p>
<h3 style="font-weight: 400;"><strong>Cost vs ROI</strong></h3>
<p style="font-weight: 400;">Traditional preventive maintenance replaced parts on fixed schedules: expensive, inefficient, and often unnecessary. Cloud-based condition monitoring inverts that logic. You maintain what needs maintaining, exactly when it needs it.</p>
<p style="font-weight: 400;">For a COO, that means higher fleet availability and fewer unplanned disruptions. For a CFO, it means maintenance costs that move with reality rather than with a calendar. For a CEO, it means a direct, structural impact on the reliability promise made to passengers.</p>
<p style="font-weight: 400;">The cloud also democratises this capability. Large national rail operators have the scale to build their own data infrastructure. Regional transit authorities typically don&#8217;t. Through AWS, even a regional bus operator gains access to enterprise-grade analytical computing power, without the capital investment in hardware or specialist data teams.</p>
<p style="font-weight: 400;">But let&#8217;s be direct: data infrastructure alone solves nothing. The most common failure we see in transport organisations is not a lack of data. It&#8217;s the opposite: an abundance of data that no one actively uses. Vast amounts of operational information gets stored and never converted into decisions. A cloud analysis that identifies an imminent fault has zero value if getting that insight to the maintenance team takes three days of bureaucracy.</p>
<p style="font-weight: 400;">This is precisely where the role of the CTO and CIO extends beyond architecture choices. Technology can only prove its value if the organisation around it is built to act on insights. Technology and organisation must evolve together.</p>
<h3 style="font-weight: 400;"><strong>Public trust as a strategic objective</strong></h3>
<p style="font-weight: 400;">Public transport stands at a historic inflection point. The mobility transition asks people to swap their car for a train, tram, or bus. But they&#8217;ll only do that if they trust the system. Safety and punctuality are not operational parameters. They are the pillars on which that trust rests and on which the legitimacy of your organisation as a public service provider depends.</p>
<p style="font-weight: 400;">That trust isn&#8217;t earned once. It&#8217;s built daily, or quietly eroded. Every delay that could have been prevented, every breakdown that feels avoidable, every passenger who gives up and goes back to the car: these are small fractures in a foundation that took generations to build.</p>
<p style="font-weight: 400;">The technology available to us now offers something that was unthinkable not long ago: the ability to see those fractures before they form. An organisation that understands its fleet as a learning system &#8211; one that recognises patterns, flags anomalies, and gives context to raw data &#8211; is an organisation that can make a promise to its passengers and actually keep it.</p>
<p style="font-weight: 400;">That is ultimately what this is about. Not technology as an end in itself, but what it makes possible: a public transport system so reliable that choosing the train or the bus becomes second nature. Not a conscious trade-off anymore, but a habit. And habit is the highest form of trust.</p>
<p>The post <a href="https://cloudar.be/awsblog/tram-train-bus-the-future-is-fleet-level-intelligence/">Tram, train, bus… the future is fleet-level intelligence</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cloudar is first local Benelux Anthropic Authorized Reseller</title>
		<link>https://cloudar.be/awsblog/cloudar-is-first-local-benelux-anthropic-authorized-reseller/</link>
		
		<dc:creator><![CDATA[All Colors Of Communication]]></dc:creator>
		<pubDate>Fri, 20 Mar 2026 08:42:19 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22741</guid>

					<description><![CDATA[<p>Kontich, 20 March 2026 — Cloudar, the leading Benelux AWS Premier Partner, has become the first local player in the Benelux to achieve the status of Anthropic Authorized Reseller. This makes Cloudar one of a small number of selected partners worldwide that can officially offer Anthropic&#8217;s latest Claude models (including Claude 4, 4.5, 4.6 and [&#8230;]</p>
<p>The post <a href="https://cloudar.be/awsblog/cloudar-is-first-local-benelux-anthropic-authorized-reseller/">Cloudar is first local Benelux Anthropic Authorized Reseller</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]"><strong>Kontich, 20 March 2026</strong> — Cloudar, the leading Benelux AWS Premier Partner, has become the first local player in the Benelux to achieve the status of Anthropic Authorized Reseller. This makes Cloudar one of a small number of selected partners worldwide that can officially offer Anthropic&#8217;s latest Claude models (including Claude 4, 4.5, 4.6 and future models) to customers via AWS Bedrock.</p>
<pre class="font-claude-response-body break-words whitespace-normal leading-[1.7]"><strong>A challenging process</strong></pre>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The recognition is the result of an intensive approval process. While global players recently announced the same status, Cloudar is the first partner with a local Benelux presence to have achieved this designation. To qualify, a partner must be able to demonstrate proven revenue and a substantial Anthropic-related pipeline — a threshold that only a handful of AWS partners worldwide manage to meet.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">In concrete terms, this means that Cloudar is now the only Benelux partner able to:</p>
<ul class="[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3">
<li class="font-claude-response-body whitespace-normal break-words pl-2">Deliver enterprise seats for Anthropic</li>
<li class="font-claude-response-body whitespace-normal break-words pl-2">Fully onboard customers onto the latest Anthropic models via AWS Bedrock</li>
<li class="font-claude-response-body whitespace-normal break-words pl-2">Build AI solutions based on models such as Claude Code, directly on AWS infrastructure</li>
</ul>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Since the AWS policy change of October 2025, access to the latest Claude models via Bedrock requires the managing AWS partner to be officially recognised by Anthropic. Customers working with an unrecognised partner simply cannot activate these models, regardless of their own intent or budget. As a result, large organisations in the Benelux have been left out in the cold for several months. Cloudar&#8217;s recognition now puts an end to that.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]"><strong>Strategic advantage in a competitive market</strong></p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]"><em>&#8220;This partnership is no coincidence. It is the result of years of deliberate choices. From the very beginning, we committed to AWS as our sole platform and to AI as our biggest growth pillar. The Anthropic Authorized Reseller status confirms we are on the right track. For our customers, it means they can start working today with the most advanced AI models on the market, supported by a local team that guides them through the entire journey — from architecture to governance to optimisation,&#8221;</em> says Senne Vaeyens, Co-Founder and Managing Partner at Cloudar.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">As the first local Benelux partner with this recognition, Cloudar can now offer organisations in the region a complete answer to their AI challenges, within the familiar AWS environment they already use. Whether it concerns a first AI experiment or a production-ready implementation on AWS Bedrock: Benelux customers no longer need to look to international players to get there.</p>
<p>The post <a href="https://cloudar.be/awsblog/cloudar-is-first-local-benelux-anthropic-authorized-reseller/">Cloudar is first local Benelux Anthropic Authorized Reseller</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Dear SaaS Vendor, We&#8217;ve Been Waiting Since 2017.</title>
		<link>https://cloudar.be/awsblog/dear-saas-vendor-weve-been-waiting-since-2017/</link>
		
		<dc:creator><![CDATA[Tom De Blende]]></dc:creator>
		<pubDate>Tue, 17 Mar 2026 07:27:19 +0000</pubDate>
				<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[MSP]]></category>
		<category><![CDATA[Security & Compliance]]></category>
		<category><![CDATA[Serverless]]></category>
		<category><![CDATA[Well-Architected]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22717</guid>

					<description><![CDATA[<p>Let me tell you about two feature requests. The first one was filed on November 19, 2017. Seven years ago. The ask: let an admin change a customer&#8217;s email address in Jira Service Management. Not migrate accounts through a four-step workaround involving Atlassian ID. Just&#8230; change an email address. The kind of thing you&#8217;d expect [&#8230;]</p>
<p>The post <a href="https://cloudar.be/awsblog/dear-saas-vendor-weve-been-waiting-since-2017/">Dear SaaS Vendor, We&#8217;ve Been Waiting Since 2017.</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Let me tell you about two feature requests.</p>
<p>The first one was filed on November 19, 2017. Seven years ago. The ask: let an admin change a customer&#8217;s email address in Jira Service Management. Not migrate accounts through a four-step workaround involving Atlassian ID. Just&#8230; change an email address. The kind of thing you&#8217;d expect a junior developer to ship on a Tuesday afternoon. As of today, it has 779 votes, 447 watchers, and a status of <em>&#8220;Future Consideration.&#8221;</em> Which, in SaaS-speak, translates roughly to: &#8220;we heard you, we filed it, please stop asking.&#8221;</p>
<p>The second one landed in January 2019. The request: make Confluence&#8217;s alphabetical page sorting persistent, so new pages don&#8217;t just pile up at the bottom like uninvited guests. Six years later: 600 votes, 261 watchers, status <em>&#8220;Under Consideration.&#8221;</em> Progress!</p>
<p>Now, to be fair to Atlassian, they&#8217;re not uniquely terrible. Every major SaaS vendor has a graveyard of feature requests exactly like these. Sensible, obvious, clearly wanted by thousands of paying customers. Just&#8230; never quite prioritized. Because they have a roadmap. And you&#8217;re not on it.</p>
<p>This is the part of the SaaS brochure they don&#8217;t show you.</p>
<p><strong>The Pitch vs. The Reality</strong></p>
<p>SaaS vendors are exceptionally good at one thing before you sign: making you feel like you&#8217;re about to get exactly what you need. The demos are polished. The slide decks are beautiful. The onboarding is smooth. Eighty percent of your requirements? Covered, on day one.</p>
<p>It&#8217;s that remaining twenty percent where things get interesting.</p>
<p>That twenty percent is where your actual workflows live. The edge cases. The things specific to how your organization actually operates. And when you file a support ticket asking about them, you enter a fascinating parallel universe where time moves differently. Features are &#8220;on the roadmap.&#8221; Updates will come &#8220;in a future release.&#8221; Your vote has been registered. Thank you for your feedback.</p>
<p>Meanwhile, you&#8217;re paying. Every month. For the product as it exists, not as it was promised.</p>
<p><strong>The Numbers Are Telling</strong></p>
<p>The scale of SaaS sprawl is difficult to overstate. According to BetterCloud&#8217;s annual State of SaaSOps report, the average number of SaaS applications per company peaked at 130 in 2022 and even after a wave of consolidation, still sits at over 100 today. That&#8217;s more than 100 subscriptions to manage, renew, secure, and integrate. For every single organization.</p>
<p>The waste embedded in that sprawl is just as striking. Gartner estimates that approximately 30% of purchased SaaS licenses go unused, what they bluntly call &#8220;toxic spend.&#8221; BetterCloud puts a price tag on it: companies report wasting an average of more than $135,000 per year on unused software licenses alone. And Gartner projects SaaS spending will continue growing at around 19% annually, reliably outpacing the budgets meant to fund it.</p>
<p>Do the arithmetic on a typical mid-market tool. Fifty users. €50 per user per month. That&#8217;s €30,000 per year. Every year. With annual price increases that arrive in your renewal email as a polite fait accompli. After five years, you&#8217;ve spent €150,000-plus on software you don&#8217;t own, can&#8217;t modify, and can&#8217;t easily leave and somewhere between a quarter and a third of those licenses have been sitting idle.</p>
<p><strong>Something Changed</strong></p>
<p>Here&#8217;s what&#8217;s different in 2026: building software got dramatically cheaper and faster. Not incrementally but by an order of magnitude.</p>
<p>Tools like Claude Code and Kiro represent a new category of agentic coding assistants. They don&#8217;t just suggest the next line. They can take a requirement, reason through a solution, write the code, test it, catch errors, and iterate, with minimal human supervision. What previously required a team of developers and months of work can now be done by one technically capable person in days.</p>
<p>This isn&#8217;t science fiction. It&#8217;s happening right now in engineering teams across the world.</p>
<p>And it fundamentally changes the math on one of the oldest questions in IT: should we build or buy?</p>
<p><strong>What You Get When You Build Your Own</strong></p>
<p>When you build a custom application -even a relatively simple internal tool- you build exactly what you need. No more, no less. You control the data model, the workflow, the integrations, and the roadmap. And critically: you decide what gets built next. Not a product manager in Sydney who&#8217;s never seen your workflows.</p>
<p>Running on cloud-native infrastructure like AWS means scalability, security, and availability are largely handled by the platform. The operational gap between &#8220;something you built&#8221; and &#8220;something a vendor hosts for you&#8221; has narrowed considerably. And the cost gap has flipped.</p>
<p>A custom-built equivalent to that €30,000/year SaaS tool, developed with AI-assisted tooling and running on serverless AWS infrastructure, might cost a fraction of that annually in operational expenses, after a one-time build investment that has also come down dramatically. More importantly: you own the asset. It does exactly what you need. And you&#8217;re not waiting seven years for someone to let you update an email address.</p>
<p><strong>A Word of Honesty</strong></p>
<p>Custom software isn&#8217;t free of responsibility. Someone has to maintain it, secure it, and evolve it. The SaaS argument, that someone else handles the infrastructure, the uptime and the patches, is not without merit. And for commodity functions like email, video conferencing, or payroll, that argument still wins. These are solved problems. Building your own would be an expensive act of reinvention.</p>
<p>But pairing custom-built applications with managed cloud services gives you the operational coverage of SaaS without the product dependency. You get uptime. You get security. You get to decide what comes next.</p>
<p><strong>So What Should You Actually Do?</strong></p>
<p>Not everything should be custom-built. That would be its own kind of madness.</p>
<p>The question worth asking is simpler: where are your core differentiating workflows? The processes that encode years of operational knowledge. The edge cases that keep showing up in feature request threads, yours and everyone else&#8217;s, year after year, status unchanged.</p>
<p>Those are exactly the features that will never quite make it onto a SaaS vendor&#8217;s roadmap.</p>
<p>The question is no longer &#8220;can we afford to build?&#8221; The question, in 2026, is whether you can afford to keep waiting.</p>
<p>JSDCLOUD-5746 would like a word.</p>
<p>The post <a href="https://cloudar.be/awsblog/dear-saas-vendor-weve-been-waiting-since-2017/">Dear SaaS Vendor, We&#8217;ve Been Waiting Since 2017.</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>AWS Secrets Management: Protecting Your Digital Keys in the Cloud</title>
		<link>https://cloudar.be/awsblog/aws-secrets-management-protecting-your-digital-keys-in-the-cloud/</link>
		
		<dc:creator><![CDATA[Bart Coddens]]></dc:creator>
		<pubDate>Mon, 26 Jan 2026 09:53:12 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DevOps]]></category>
		<category><![CDATA[Security & Compliance]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22648</guid>

					<description><![CDATA[<p>Introduction Creating and managing secrets is perhaps as old as humans interacting with each other. Yet despite their critical importance, secrets remain one of the most vulnerable aspects of AWS infrastructure today. In our practice as Dev(Sec)Ops Engineers, we see these challenges daily accross our client environments. To start, the question needs to be asked: [&#8230;]</p>
<p>The post <a href="https://cloudar.be/awsblog/aws-secrets-management-protecting-your-digital-keys-in-the-cloud/">AWS Secrets Management: Protecting Your Digital Keys in the Cloud</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2>Introduction</h2>
<p>Creating and managing secrets is perhaps as old as humans interacting with each other. Yet despite their critical importance, secrets remain one of the most vulnerable aspects of AWS infrastructure today. In our practice as Dev(Sec)Ops Engineers, we see these challenges daily accross our client environments.</p>
<p>To start, the question needs to be asked: “What exactly is a secret?”  In AWS and Cloud environments in general, a secret is anything used to access systems and/or data. These digital keys unlock potentially critical systems and must be protected from unauthorized access at all costs.</p>
<p>&nbsp;</p>
<p>As Dev(Sec)Ops Engineers working in AWS, you are responsible for managing an extensive arry of secrets:</p>
<p>&nbsp;</p>
<ul>
<li>RDS database usernames and passwords</li>
<li>API keys for AWS services and third-party integrations</li>
<li>CodeDeploy and deployment system credentials</li>
<li>KMS encryption keys for data protection</li>
<li>Private keys for SSL/TLS certificates and secure communications</li>
<li>EC2 SSH keys and key pairs</li>
<li>IAM user credentials for developers, QA, and operations teams</li>
<li>Application service accounts and roles</li>
<li>Any username/password combinations</li>
<li>Sensitive configuration data that could aid attackers</li>
</ul>
<p>&nbsp;</p>
<p>The challenge is not just the volume … it&#8217;s the complexity of securing these secrets across multiple AWS accounts and other environments while maintaining operational efficiency.</p>
<p>&nbsp;</p>
<h2>The Hidden Dangers: How Secrets Get Compromised in AWS</h2>
<h3> The Configuration File Trap</h3>
<p>Storing secrets in configuration files is convenient but dangerous, especially in AWS environments where these files often end up in S3 buckets or EC2 instances. This risk was nicely illustrated in the RSA conference presentation &#8220;Red Team vs Blue Team on AWS&#8221; by Kolby Allen and Teri Radichel: <a href="https://www.youtube.com/watch?v=pnwNtlwFYus" target="_blank" rel="noopener">Link to video</a></p>
<p>In the video Kolby deployed AWS resources using sample code found easily on the Internet.  Teri, simulating an attacker, conducted a penetration test and discovered a Lambda function’s configuration file stored in a S3 bucket (for convenience) complete with REDS database credentials in plain tekst.</p>
<p>&nbsp;</p>
<p>If you must use configuration files in AWS:</p>
<ul>
<li>Maintain separate files for development, QA, and production AWS accounts</li>
<li>NEVER commit these files to source control systems (GitHub, GitLab, Bitbucket)</li>
<li>Use S3 bucket policies and encryption, but understand this is still suboptimal</li>
<li>Consider AWS Systems Manager Parameter Store as a minimum improvement</li>
</ul>
<p>&nbsp;</p>
<p>This vulnerability is so important that it’s formally recognized in the MITRE attack framework:  [CWE-200: Exposure of Sensitive Information] (<a href="https://cwe.mitre.org/data/definitions/200.html" target="_blank" rel="noopener">link</a>)</p>
<p>&nbsp;</p>
<h2>Public Source Control: A Goldmine for AWS Account Takeovers</h2>
<p>The most devastating secrets management failures occur when AWS credentials are committed to public repositories. The scale of this problem is staggering.</p>
<p>The people at TruffleHog constructed a live scanner for this:</p>
<p><a href="https://forager.trufflesecurity.com/explore">https://forager.trufflesecurity.com/explore</a></p>
<p>This scanner continuously detects AWS access keys, secrets keys and other credentials in public Github commits, revealing the massive and constant stream of exposed AWS and other secrets.</p>
<p>&nbsp;</p>
<p>This has a widespread impact: TruffleHog researchers discovered approximately 4,500 secrets among the top 1 million websites, many of which were AWS credentials, as detailed in their comprehensive analysis:</p>
<p><a href="https://trufflesecurity.com/blog/4500-of-the-top-1-million-websites-leaked-source-code-secrets">https://trufflesecurity.com/blog/4500-of-the-top-1-million-websites-leaked-source-code-secrets</a></p>
<p>&nbsp;</p>
<p>Leaking these secrets can have far reaching financial consequences:</p>
<p>&nbsp;</p>
<p>A Reddit user faced a 26.000 $ bill after IAM was compromised to execute crypto miners:</p>
<p><a href="https://www.reddit.com/r/aws/comments/17p3v1e/account_got_hacked_and_get_26000k_bill/">https://www.reddit.com/r/aws/comments/17p3v1e/account_got_hacked_and_get_26000k_bill/</a></p>
<p>&nbsp;</p>
<p>A Developper was billed 14.000 $ on AWS following similar exposure:</p>
<p><a href="https://dev.to/juanmanuelramallo/i-was-billed-for-14k-usd-on-amazon-web-services-17fn">https://dev.to/juanmanuelramallo/i-was-billed-for-14k-usd-on-amazon-web-services-17fn</a></p>
<p>&nbsp;</p>
<p>AWS responded on these massive bills and is now actively scanning GitHub respositories through their AWS Credentials Exposed program and automatically disables discovery IAM access keys, but the frequency of these incidents remains alarmingly high as shown by the Trufflehog data.</p>
<p>&nbsp;</p>
<h2>Internal Systems: The False Security Blanket in AWS</h2>
<p>Private repositories and internal systems create a dangerous illusion of security, even within AWS environments. The 2020 Twitter breach perfectly illustrates this vulnerability:</p>
<p>&nbsp;</p>
<p>Attackers breached the perimeter, accessed internal Slack channels where developers had stored AWS credentials and other secrets, and used these to compromise infrastructure in a widely publicized incident:</p>
<p><a href="https://www.zdnet.com/article/twitter-says-hackers-accessed-dms-for-36-users-in-last-weeks-hack">https://www.zdnet.com/article/twitter-says-hackers-accessed-dms-for-36-users-in-last-weeks-hack</a></p>
<p>&nbsp;</p>
<p>Secrets embedded in code even in fully private AWS services, proliferate across AWS services and do appear in:</p>
<ul>
<li>CloudWatch logs from Lambda functions and EC2 instances</li>
<li>S3 bucket access logs</li>
<li>CloudTrail event data</li>
<li>Application Load Balancer logs</li>
<li>Systems Manager Session Manager history</li>
</ul>
<p>As such they do create additional attack vectors within your AWS environment.</p>
<p>&nbsp;</p>
<h2>Runtime Exposure: Secrets in AWS Production Workloads</h2>
<p>Running AWS applications create numerous opportunities for secret exposure:</p>
<ul>
<li>Configuration files within EC2 instances or container images</li>
<li>Environment variables visible in ECS task definitions or Lambda configurations</li>
<li>Memory dumps from EC2 instances containing sensitive data</li>
<li>Application caches in ElastiCache storing credentials</li>
<li>CloudWatch logs revealing secrets in error messages</li>
<li>EC2 instance metadata (IMDSv1) exposing IAM credentials</li>
<li>Unencrypted S3 bucket metadata and tags</li>
<li>AWS CloudShell command history</li>
<li>Bash history on EC2 instances</li>
<li>Container image layers in ECR with embedded secrets</li>
</ul>
<p>This non-exhaustive list demonstrates how secrets can leak from multiple AWS vectors without proper handling.</p>
<p>&nbsp;</p>
<h2>What does AWS offer to fight this battle ? AWS Native Secrets Management</h2>
<h3>Adopt Just-in-Time Secret Retrieval with AWS Services</h3>
<p>Core Principle: Store secrets in AWS-native management systems and retrieve them only when needed.</p>
<p>Instead of embedding secrets in configuration files, implement this AWS-secure workflow:</p>
<ol>
<li>Store secrets in AWS Secrets Manager or Systems Manager Parameter Store</li>
<li>Retrieve secrets programmatically using AWS SDKs at runtime</li>
<li>Use IAM roles and policies for access control</li>
<li>Clear secrets from memory when no longer needed</li>
</ol>
<p>&nbsp;</p>
<h3>AWS Access Control: Implement least-privilege IAM principles</h3>
<ul>
<li>Developers cannot access production secrets via IAM policies</li>
<li>Applications use IAM roles to retrieve only their required secrets</li>
<li>Cross-account access is controlled via resource-based policies</li>
</ul>
<p>&nbsp;</p>
<h3>AWS-Native Secrets Management Solutions</h3>
<ul>
<li>AWS Systems Manager Parameter Store</li>
<li>AWS Secrets Manager (Recommended for Production)</li>
<li style="list-style-type: none;"></li>
</ul>
<p>&nbsp;</p>
<p>As an MSSP, we recommend AWS Secrets Manager as the gold standard for AWS environments.</p>
<p>&nbsp;</p>
<h3>Why Secrets Manager over Parameter Store?</h3>
<ul>
<li>Enhanced security controls with fine-grained IAM integration</li>
<li>Automatic secret rotation for RDS, DocumentDB, and Redshift</li>
<li>Cross-account access capabilities essential for multi-account AWS strategies</li>
<li>Comprehensive audit trails via CloudTrail integration</li>
<li>No CloudFormation exposure risks unlike Parameter Store</li>
<li>Encryption at rest using AWS KMS by default</li>
</ul>
<p>As such we recommend the AWS Secrets Manager for Production workloads, the Encrypted Parameter Store can be used as a configuration store to fetch certain parameters.</p>
<p>&nbsp;</p>
<p>How to use this in code ?</p>
<p>&nbsp;</p>
<h3>Python with boto3:</h3>
<p>&nbsp;</p>
<pre><code class="" data-line="">
import boto3
import json

# Using IAM role-based authentication (recommended)
client = boto3.client(&#039;secretsmanager&#039;, region_name=&#039;us-east-1&#039;)

try:
    secret_response = client.get_secret_value(SecretId=&#039;prod/rds/mysql-credentials&#039;)
    secret_dict = json.loads(secret_response[&#039;SecretString&#039;])
    
    # Use the secret
    db_username = secret_dict[&#039;username&#039;]
    db_password = secret_dict[&#039;password&#039;]
    
except ClientError as e:
    # Handle AWS-specific errors
    if e.response[&#039;Error&#039;][&#039;Code&#039;] == &#039;DecryptionFailureException&#039;:
        # Secrets Manager can&#039;t decrypt the protected secret text using the provided KMS key
        raise e
    elif e.response[&#039;Error&#039;][&#039;Code&#039;] == &#039;InternalServiceErrorException&#039;:
        # An error occurred on the server side
        raise e
    elif e.response[&#039;Error&#039;][&#039;Code&#039;] == &#039;InvalidParameterException&#039;:
        # Invalid parameter value
        raise e
    elif e.response[&#039;Error&#039;][&#039;Code&#039;] == &#039;InvalidRequestException&#039;:
        # Parameter value is not valid for the current state of the resource
        raise e
    elif e.response[&#039;Error&#039;][&#039;Code&#039;] == &#039;ResourceNotFoundException&#039;:
        # Can&#039;t find the resource that you asked for
        raise e


</code></pre>
<p>&nbsp;</p>
<p>&nbsp;</p>
<h3>Via Infrastructure as Code:</h3>
<ul>
<li>Cloudformation:
<ul>
<li><a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-secretsmanager-secret.html">https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-secretsmanager-secret.html</a></li>
</ul>
</li>
<li>Terraform:
<ul>
<li><a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/secure-sensitive-data-secrets-manager-terraform/using-secrets-manager-and-terraform.html">https://docs.aws.amazon.com/prescriptive-guidance/latest/secure-sensitive-data-secrets-manager-terraform/using-secrets-manager-and-terraform.html</a></li>
</ul>
</li>
<li>AWS CDK:
<ul>
<li><a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/cdk.html">https://docs.aws.amazon.com/secretsmanager/latest/userguide/cdk.html</a></li>
</ul>
</li>
<li>Pulumi:
<ul>
<li><a href="https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secret/">https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secret/</a></li>
</ul>
</li>
</ul>
<p>&nbsp;</p>
<h2>AWS Key Management Service (KMS)</h2>
<p>AWS KMS provides dedicated encryption key management, solving the &#8220;where to store the encryption key&#8221; problem for AWS environments. KMS integrates seamlessly with Secrets Manager and most AWS services.</p>
<p>&nbsp;</p>
<p>KMS Best Practices for Secrets:</p>
<ul>
<li>Use customer-managed KMS keys for production secrets</li>
<li>Implement key rotation policies</li>
<li>Use separate KMS keys per environment/account</li>
<li>Leverage KMS key policies for fine-grained access control</li>
</ul>
<p>&nbsp;</p>
<h2>AWS Systems Manager Parameter Store</h2>
<p>While we recommend Secrets Manager for sensitive data, **Parameter Store** works well for:</p>
<ul>
<li>Non-sensitive configuration data</li>
<li>Cost-conscious environments (free tier available)</li>
<li>Simple use cases without rotation requirements</li>
</ul>
<p>&nbsp;</p>
<h2>Multi-Account AWS Strategies</h2>
<p>For AWS Organizations with multiple accounts (our recommended approach), consider:</p>
<h3>Cross-Account Secrets Access:</h3>
<p>&nbsp;</p>
<pre><code class="" data-line="">
{
  &quot;Version&quot;: &quot;2012-10-17&quot;,
  &quot;Statement&quot;: [
    {
      &quot;Effect&quot;: &quot;Allow&quot;,
      &quot;Principal&quot;: {
        &quot;AWS&quot;: &quot;arn:aws:iam::PROD-ACCOUNT-ID:role/ApplicationRole&quot;
      },
      &quot;Action&quot;: &quot;secretsmanager:GetSecretValue&quot;,
      &quot;Resource&quot;: &quot;*&quot;,
      &quot;Condition&quot;: {
        &quot;StringEquals&quot;: {
          &quot;secretsmanager:ResourceTag/Environment&quot;: &quot;production&quot;
        }
      }
    }
  ]
}
</code></pre>
<p>&nbsp;</p>
<h3>Multi-Region Considerations:</h3>
<ul>
<li>Replicate critical secrets across AWS regions</li>
<li>Use AWS Secrets Manager automatic replication</li>
<li>Consider data residency requirements</li>
</ul>
<p>&nbsp;</p>
<h2>AWS Implementation Best Practices from Our MSSP Experience</h2>
<h3>Security Architecture Considerations</h3>
<ul>
<li>Design secure AWS deployment pipelines** using CodePipeline, CodeBuild, Github Actions with ci-cd plugins like trufflehog : <a href="https://undercodetesting.com/how-to-hunt-for-sensitive-credentials-using-trufflehog">https://undercodetesting.com/how-to-hunt-for-sensitive-credentials-using-trufflehog</a></li>
<li>Implement comprehensive IAM access management with least-privilege principles</li>
<li>Establish governance policies using AWS Config and AWS Organizations SCPs/RCPs</li>
<li>Plan for secret rotation using AWS Secrets Manager automation</li>
<li>Monitor and audit secret access via CloudTrail and CloudWatch</li>
</ul>
<p>&nbsp;</p>
<h3>Operational Excellence in AWS</h3>
<ul>
<li>Automate secret provisioning using AWS Lambda and CloudFormation/Terraform/…</li>
<li>Implement emergency access procedures via AWS SSO and break-glass roles</li>
<li>Establish incident response for compromised secrets using AWS Security Hub or other CSPM/CNAPP</li>
<li>Regular security assessments using AWS Inspector and third-party tools</li>
<li>Cost optimization by right-sizing Secrets Manager usage vs. Parameter Store</li>
</ul>
<p>&nbsp;</p>
<h3>AWS-Specific Monitoring and Alerting</h3>
<p>Set up CloudWatch alarms for:</p>
<ul>
<li>Unusual Secrets Manager API calls</li>
<li>Failed secret retrievals</li>
<li>Cross-account secret access</li>
<li>KMS key usage anomalies</li>
</ul>
<p>&nbsp;</p>
<h2>Conclusion</h2>
<p>Effective AWS secrets management is not just about choosing the right AWS service it&#8217;s about implementing a comprehensive security strategy that leverages AWS-native capabilities while addressing the entire lifecycle of sensitive data. The examples and breaches discussed here represent real financial and reputational risks that AWS customers face daily.</p>
<p>&nbsp;</p>
<h3>Key AWS Takeaways:</h3>
<ol>
<li>Never store secrets in configuration files, S3 buckets, or source control</li>
<li>Use AWS Secrets Manager for production secrets management</li>
<li>Implement just-in-time secret retrieval with AWS SDKs</li>
<li>Apply least-privilege IAM policies and roles</li>
<li>Leverage AWS KMS for encryption key management</li>
<li>Plan for multi-account and multi-region secret strategies</li>
</ol>
<p>The post <a href="https://cloudar.be/awsblog/aws-secrets-management-protecting-your-digital-keys-in-the-cloud/">AWS Secrets Management: Protecting Your Digital Keys in the Cloud</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Hidden Cost of Convenience</title>
		<link>https://cloudar.be/awsblog/the-hidden-cost-of-convenience/</link>
		
		<dc:creator><![CDATA[Tom De Blende]]></dc:creator>
		<pubDate>Fri, 17 Oct 2025 11:23:39 +0000</pubDate>
				<category><![CDATA[MSP]]></category>
		<category><![CDATA[AWS]]></category>
		<category><![CDATA[Managed Services]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22650</guid>

					<description><![CDATA[<p>When choosing an AWS Managed Service Provider (MSP), most organizations focus on immediate benefits: faster deployment, expert guidance, and managed operations. But there&#8217;s a critical question that often gets overlooked until it&#8217;s too late: What happens when you want to leave? In the AWS ecosystem, MSPs take vastly different approaches when building customer-specific landing zones [&#8230;]</p>
<p>The post <a href="https://cloudar.be/awsblog/the-hidden-cost-of-convenience/">The Hidden Cost of Convenience</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>When choosing an AWS Managed Service Provider (MSP), most organizations focus on immediate benefits: faster deployment, expert guidance, and managed operations. But there&#8217;s a critical question that often gets overlooked until it&#8217;s too late: <strong>What happens when you want to leave?</strong></p>
<p>In the AWS ecosystem, MSPs take vastly different approaches when building customer-specific landing zones and cloud management platforms. Some approaches preserve your freedom and flexibility. Others quietly build the walls of a gilded cage.</p>
<h1><strong>The Two Paths: Open Standards vs. Proprietary Platforms</strong></h1>
<h2><em><strong>The Open Approach: AWS Landing Zone Accelerator (LZA)</strong></em></h2>
<p>AWS Landing Zone Accelerator represents the gold standard for customer independence. As an open-source solution built on AWS CDK and CloudFormation, we deploy LZA to provide several critical advantages:</p>
<ul>
<li><strong>Complete transparency</strong>: All infrastructure is defined as code that you can read, understand, and modify</li>
<li><strong>No licensing fees</strong>: Open-source with no proprietary components</li>
<li><strong>AWS-maintained</strong>: Continuously updated by AWS to keep up to date with new services and features</li>
<li><strong>Industry standard configuration:</strong> With multiple documented sample configurations, you do not need to start from scratch.</li>
<li><strong>Full customer ownership</strong>: Deployed directly into your environment with complete access to the Infrastructure as Code</li>
<li><strong>Exit-ready from day one</strong>: If you ever want to manage it yourself or switch MSPs, you own your landing zone configuration</li>
</ul>
<p>At Cloudar, we&#8217;ve built an entire landing zone practice around LZA precisely because we believe customers should never feel trapped. Your AWS foundation should be an asset you own, not a chain that binds you to any single provider.</p>
<h2><em><strong>The Proprietary Approach: Custom Orchestration Platforms</strong></em></h2>
<p>In contrast, many MSPs have developed proprietary cloud management platforms that create significant lock-in. These are often marketed as &#8220;revolutionary&#8221; or &#8220;next-generation&#8221; platforms that promise to make cloud management easier with &#8220;just a few simple clicks&#8221; or web-based portals that abstract away complexity.</p>
<p>The convenience is real. The long-term cost is hidden.</p>
<p>Here&#8217;s what proprietary platforms typically involve:</p>
<ul>
<li><strong>Black box deployment</strong>: Resources are created through proprietary tooling that abstracts away the underlying infrastructure</li>
<li><strong>Dependency on custom APIs</strong>: Your operations become dependent on the MSP&#8217;s platform rather than native AWS tools</li>
<li><strong>Limited portability</strong>: Moving to another MSP or bringing management in-house requires re-platforming</li>
<li><strong>Knowledge gap</strong>: Your team never develops deep expertise in AWS native tools because they&#8217;re shielded by the abstraction layer</li>
<li><strong>Commercial leverage</strong>: The MSP knows that switching costs are high, affecting pricing negotiations and service quality over time</li>
</ul>
<h1><strong>The Lock-in Mechanisms You Need to Watch For</strong></h1>
<ol>
<li><strong> Custom Landing Zones Without Source Code Access</strong></li>
</ol>
<p>Some MSPs deploy your resources using &#8220;their&#8221; landing zone—a pre-configured multi-account setup built with proprietary Infrastructure as Code that remains their intellectual property. When you want to leave, you inherit an AWS environment you don&#8217;t fully understand, configured by tools you can&#8217;t access.</p>
<p><strong>The Cloudar difference</strong>: We can deploy LZA directly into your AWS accounts. Every CloudFormation stack, every configuration file, every security baseline—you have access to it all.</p>
<ol start="2">
<li><strong> Web-Based Orchestrators That Become Operational Chokepoints</strong></li>
</ol>
<p>Fancy web portals that let you &#8220;deploy with one click&#8221; sound appealing. Until you realize that every operational change must flow through the MSP&#8217;s platform. Want to modify a VPC? You&#8217;re dependent on their UI. Need to adjust security groups? Better hope their platform supports your use case.</p>
<p>These orchestrators create <strong>operational lock-in</strong>: You can&#8217;t effectively operate your AWS environment without the MSP&#8217;s tooling. You&#8217;ve traded AWS complexity for MSP dependency.</p>
<ol start="3">
<li><strong> &#8220;Simplified&#8221; Interfaces That Hide AWS Reality</strong></li>
</ol>
<p>Abstraction layers that promise to &#8220;make AWS easy&#8221; can create a dangerous gap between what you think you&#8217;re deploying and what&#8217;s actually running in your account. When problems arise—and they always do—you discover that your team doesn&#8217;t understand the actual AWS infrastructure because they&#8217;ve only interacted with it through the MSP&#8217;s simplified interface.</p>
<h1><strong>The Real-World Impact of Lock-in</strong></h1>
<p><strong>Scenario 1: The Price Increase</strong></p>
<p>Your MSP announces a 30% price increase. With an LZA you own and open standards, you have options: negotiate from a position of strength, bring management in-house, or transition to another MSP in months. With a proprietary platform, you&#8217;re looking at risky and arduous re-platforming work—and your MSP knows it.</p>
<p><strong>Scenario 2: The Service Quality Decline</strong></p>
<p>Your MSP gets acquired. The new parent company shifts focus, key engineers leave, and service quality drops. With an open approach, you can transition smoothly. With lock-in, you&#8217;re stuck enduring declining service while planning an expensive migration.</p>
<p><strong>Scenario 3: The Strategic Pivot</strong></p>
<p>Your company wants to build internal cloud expertise and eventually self-manage. With LZA, your team can learn standard AWS tools and practices from day one. When you&#8217;re ready to transition, you already have the skills and the code. With proprietary platforms, your team has learned the MSP&#8217;s tools, not AWS—setting your in-house capability building back by years.</p>
<p><strong>Scenario 4: The Platform Limitation</strong></p>
<p>Your business needs evolve, and you need to implement a complex AWS architecture that isn&#8217;t supported by your MSP&#8217;s platform. You&#8217;re now in the worst position: paying for a platform that constrains you, unable to use native AWS capabilities, and facing the choice between living with limitations or undertaking an expensive re-platforming project.</p>
<h1><strong>How to Evaluate Your Current or Prospective MSP</strong></h1>
<p>Ask these critical questions:</p>
<ol>
<li><strong>&#8220;What landing zone solution do you use?&#8221;</strong>
<ul>
<li>Red flag: &#8220;Our proprietary solution&#8221; or vague answers. Subscription based landing zones (yes they exist!).</li>
<li>Green flag: &#8220;your own AWS Landing Zone Accelerator&#8221; or &#8220;a per-customer AWS Control Tower with Customizations for Control Tower&#8221;</li>
</ul>
</li>
<li><strong>&#8220;What happens to our infrastructure if we terminate the contract?&#8221;</strong>
<ul>
<li>Red flag: Vague answers about &#8220;transition planning&#8221; or &#8220;it depends&#8221;</li>
<li>Green flag: &#8220;You keep everything—we&#8217;ll help with knowledge transfer, and you&#8217;ll have all the code and documentation&#8221;</li>
</ul>
</li>
<li><strong>&#8220;Will our team learn AWS-native tools, or primarily your platform?&#8221;</strong>
<ul>
<li>Red flag: &#8220;Our platform abstracts AWS complexity away&#8221;</li>
<li>Green flag: &#8220;We teach AWS best practices and native tools&#8221;</li>
</ul>
</li>
</ol>
<h1><strong>The Cloudar Philosophy: Your Cloud, Your Terms</strong></h1>
<p>Here&#8217;s what that means in practice:</p>
<p><strong>Full LZA Implementation</strong></p>
<p>Every customer gets its own AWS Landing Zone Accelerator, deployed directly into their accounts with complete source code access to the LZA configuration. Deployments happen in your account, giving you end-to-end visibility on your Landing Zone.</p>
<p><strong>AWS-Native Tooling</strong></p>
<p>We use CloudFormation, CDK, AWS Config, Systems Manager—tools that work with or without us. If you hire another AWS expert or build an in-house team, they&#8217;ll recognize everything immediately.</p>
<p><strong>Comprehensive Documentation</strong></p>
<p>You can read about every configuration option today, in the documentation published by AWS. So while we pride ourselves in sharing our knowledge, you are not dependant on us to explain what is going on</p>
<p>Additionally, we write customer-specific documentation  in our Confluence – from architecture decisions to operational procedures.. If you decide to leave, we can provide you with an export of that information.</p>
<p><strong>Open Book Operations</strong></p>
<p>You have full Read Only access to your AWS environment —we&#8217;re partners, not gatekeepers. Want to check our work? Go ahead.</p>
<p><strong>Standard AWS Best Practices</strong></p>
<p>We follow AWS Well-Architected Framework principles and industry-standard patterns. No &#8220;special sauce&#8221; that only we understand.</p>
<p>We succeed by giving you excellent service so you want to stay, not by making it painful to leave.</p>
<p><strong>The Economics of Freedom</strong></p>
<p>Some argue that proprietary platforms are necessary to provide better service or lower costs. We disagree.</p>
<p><strong>Lower costs come from:</strong></p>
<ul>
<li>Automation that scales across customers (which we use)</li>
<li>Deep AWS expertise (which we have)</li>
<li>Efficient processes (which we&#8217;ve refined over years)</li>
</ul>
<p>Not from locking customers into proprietary platforms.</p>
<p><strong>Better service comes from:</strong></p>
<ul>
<li>Highly skilled engineers (which we continuously train)</li>
<li>Customer focus (which our retention rate proves)</li>
<li></li>
</ul>
<p>Not from proprietary abstraction layers.</p>
<p>We&#8217;ve proven that you can deliver excellent MSP services at competitive prices while keeping customers completely free. In fact, we believe customer freedom makes us <em>better</em>—we can&#8217;t coast on lock-in, so we must continuously earn our customers&#8217; business.</p>
<h1><strong>Making the Right Choice</strong></h1>
<p>Before signing with any MSP, ask yourself:</p>
<ul>
<li><strong>Do I understand what I&#8217;m getting into?</strong> Can you clearly explain how your infrastructure will be deployed and managed?</li>
<li><strong>What&#8217;s my exit strategy if things don&#8217;t work out?</strong> Is it measured in weeks, months, or years?</li>
<li><strong>Am I choosing this approach for the right reasons?</strong> Is convenience masking a lack of control?</li>
<li><strong>Do I retain full ownership?</strong> Of code, configurations, documentation, and knowledge?</li>
</ul>
<p><strong>Red Flags in MSP Sales Processes</strong></p>
<p>Be wary if you encounter:</p>
<ul>
<li><strong>Heavy emphasis on &#8220;simplicity&#8221; with little discussion of the underlying AWS architecture</strong></li>
<li><strong>Vague answers about exit strategies and transition processes</strong></li>
<li><strong>Marketing focused on proprietary platforms as the primary differentiator</strong></li>
<li><strong>Contracts that grant the MSP exclusive rights to infrastructure code</strong></li>
<li><strong>Lack of clarity about what you actually own vs. what you&#8217;re licensing</strong></li>
</ul>
<h1><strong>Conclusion: Freedom as a Feature</strong></h1>
<p>In the rush to cloud transformation, it&#8217;s easy to prioritize speed and convenience. And yes, a well-designed proprietary platform can deploy faster than custom LZA implementation—at least initially.</p>
<p>But cloud strategy isn&#8217;t measured in weeks. It&#8217;s measured in years and decades. The question isn&#8217;t &#8220;who can get me to cloud fastest?&#8221; It&#8217;s &#8220;who can help me build sustainable cloud capabilities that serve my business long-term?&#8221;</p>
<p>The MSP industry has a pattern: some providers build their business model around customer stickiness achieved through proprietary tooling. They create beautiful interfaces and slick demos that abstract away AWS complexity. Then, months or years later, customers realize they&#8217;ve traded AWS vendor lock-in for MSP vendor lock-in—often worse, because at least AWS is standardized.</p>
<p>At Cloudar, we reject this model fundamentally. We believe that <strong>customer freedom isn&#8217;t a bug to work around—it&#8217;s a feature to build for.</strong> We&#8217;re proud to be an AWS Premier MSP Partner that wins business through excellence, not lock-in.</p>
<p>Your cloud infrastructure is too important to be held hostage by convenient abstractions. You deserve an MSP that treats you as a partner who will grow and evolve, not a captive customer who might someday try to escape.</p>
<p>Choose partners who believe you should always have the keys to your own kingdom. Choose partners who succeed by being valuable, not by being necessary.</p>
<p>Choose freedom.</p>
<p>The post <a href="https://cloudar.be/awsblog/the-hidden-cost-of-convenience/">The Hidden Cost of Convenience</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Sign in with your eID: Using AWS IAM Roles Anywhere with a SmartCard Reader</title>
		<link>https://cloudar.be/awsblog/sign-in-with-your-eid-using-aws-iam-roles-anywhere-with-a-smartcard-reader/</link>
		
		<dc:creator><![CDATA[Ben Bridts]]></dc:creator>
		<pubDate>Thu, 26 Jun 2025 07:53:14 +0000</pubDate>
				<category><![CDATA[Security & Compliance]]></category>
		<category><![CDATA[AWS]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[MSP]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22584</guid>

					<description><![CDATA[<p>Using temporary credentials to access resources, has long been a best practice and is usually straight-forward if the person or machine that is starting the action is already known in AWS (either by using IAM Identity Center, or because you are running inside the AWS Cloud). However, if you are running on a machine that [&#8230;]</p>
<p>The post <a href="https://cloudar.be/awsblog/sign-in-with-your-eid-using-aws-iam-roles-anywhere-with-a-smartcard-reader/">Sign in with your eID: Using AWS IAM Roles Anywhere with a SmartCard Reader</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Using temporary credentials to access resources, <a href="https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_identities_unique.html">has long been a best practice</a> and is usually straight-forward if the person or machine that is starting the action is already known in AWS (either by using IAM Identity Center, or because you are running inside the AWS Cloud). However, if you are running on a machine that exists outside of AWS you will need an extra component like AWS IAM Roles Anywhere to give you temporary credentials.</p>
<p>Interestingly, Roles Anywhere does not completely solve the problem of not needing to create long-lived credentials, instead it moves (and reduces) the problem from credential management (rotation) to certificate management (distribution).</p>
<p>Setting up a Certificate Authority (CA) that can create certificates can be done with AWS Private Certificate Authority, and there are some options out there to manage distribution (usually as part of a bigger Device Management solution), but wouldn&#8217;t it be nice if the government of Belgium would do that for us?</p>
<h1>The Belgian eID</h1>
<p>In Belgium every citizens gets an identity card. The government makes sure that these get distributed and renewed, and since 2005 they contain a chip that holds (among other things) a certificate that can be used for digital authentication. If we can tie this to Roles Anywhere, we don&#8217;t have to worry about certificate management ourselves.</p>
<p>This eID is the size of a bankcard and the chip can be interacted with using off the shelf smart card readers. Most information can be read without any additional authentication &#8211; if you have the correct middleware, but to sign something you need to enter a PIN code.</p>
<h2>The different certificates</h2>
<p>Every eID holds an &#8220;authentication certificate&#8221; that is tied to the owner of the eID and has been signed by the &#8220;Citizens CA&#8221;.  The Citizens CA&#8217;s certificate is in turn signed by the Belgium Root CA . The Root certificate is self-signed. If we trust the Belgium Root CA, we will be able to validate any authentication certificate. More information about this setup can be found at https://repository.eidpki.belgium.be/#/home</p>
<p>The authentication certificate has two pieces of information that are going to be useful to us:</p>
<ul>
<li>The Issuer, showing us that the certificate is indeed issued by the Citizen CA.</li>
<li>The Subject, containing the name and National Number (a number that uniquely points to one person) of the owner.</li>
</ul>
<h1>AWS IAM Roles Anywhere</h1>
<p>Roles Anywhere allows you to use a certificate and its private key to get temporary credentials. You can think of it as an AssumeRole call, but instead of starting from an Access Key, we start from a certificate.</p>
<p>There are a few components we need:</p>
<ul>
<li>Configuration in our AWS Account, to indicate which CA we trust, and which roles can be assumed by different Issuer and/or Subjects. This also includes the creation of IAM Roles.</li>
<li>Software on our computer to interact with the Card Reader so we can prove we have access to the eID and know its PIN.</li>
</ul>
<p>For our use case we are going to trust the Belgium Root CA, and create a Role that can be assumed with any certificate issued by the Citizen CA. We will than limit the permissions of that IAM Role, so it can only write to a unique prefix in S3.</p>
<p>We can do that because every component of the Subject in our certificate gets mapped to a principal tag on the role session. E.g. if the subject is &#8220;C=BE, SN=Doe, GN=John, serialNumber=70010112345, CN=John Doe (Authentication)&#8221;, we have the following principal tags, and we can use principal tags in any policy.</p>
<ul>
<li>x509Subject/C: BE</li>
<li>x509Subject/SN: Doe</li>
<li>x509Subject/GN: John</li>
<li>x509Subject/serialNumber: 70010112345</li>
<li>x509Subject/CN: John Doe (Authentication)</li>
</ul>
<h1>Putting it all together</h1>
<h2>In our AWS Account</h2>
<p>We will create the following resources in our AWS Account:</p>
<ul>
<li>An S3 Bucket</li>
<li>A trust anchor, configured to trust the Belgium Root CA certificate that is publicly available via https://crt.eidpki.belgium.be/eid/brca6.crt.  This way we can use any certificate created by the Root CA of any of its subordinate CAs (like the Citizen CA)</li>
<li>An IAM Role, where we configure the trust policy to only allow usage of the Role if:
<ul>
<li>The principal is the Roles Anywhere service (rolesanywhere.amazonaws.com)</li>
<li>The Issuer is Citizen CA (aws:PrincipalTag/x509Issuer/CN must equal &#8220;Citizen CA&#8221;)</li>
<li>The source is our trust anchor (aws:SourceArn equals the ARN of the Root CA trust anchor)</li>
</ul>
</li>
<li>An IAM Policy on this role that allows PutObject acces to all objects that start with the unique National Number (aws:PrincipalTag/x509Subject/serialNumber)</li>
<li>a (Roles Anywhere) profile that ties the trust anchor to the Role. We could configure more settings here, like a mapping of fields from the certificate or a session policy, but don&#8217;t need to.</li>
</ul>
<p>Of course we do not have to do this by hand, we create a CloudFormation template for this. It can be found in our sample repository: https://github.com/WeAreCloudar/cloudformation-samples/tree/main/templates/roles-anywhere-eid</p>
<h2>On our machine</h2>
<p>On our machine, we will need &#8211; besides the eID and its PIN (at least on macOS, where I tested this):</p>
<ul>
<li>a SmartCard Reader</li>
<li>the Roles Anywhere Credential Helper (<a href="https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html">downloadable from the AWS Website</a>)</li>
<li>The AWS CLI (or any other tool we want to use with our AWS Credentials)</li>
</ul>
<p>We also need a few pieces of information:</p>
<ul>
<li>The ARNs of the trust anchor, profile and role we created</li>
<li>Our own National Number and the name of the bucket (to test our policy)</li>
</ul>
<p>Ideally we&#8217;d be able to configure the credential helper to read any eID we insert, and this is possible if you install the Belgian eID Middleware using the following command.<br />
<code class="" data-line=""><br />
aws_signing_helper credential-process \<br />
</code><code class="" data-line=""> --trust-anchor-arn $trust_anchor_arn \<br />
--profile-arn $profile_arn \<br />
--role-arn $role_arn \<br />
--certificate &quot;pkcs11:model=Belgium%20eID;object=Authentication&quot; \<br />
--pkcs11-lib &#039;/Library/Belgium Identity Card/Pkcs11/beid-pkcs11.bundle/Contents/MacOS/libbeidpkcs11.dylib<br />
</code><br />
However <a href="https://github.com/aws/rolesanywhere-credential-helper/issues/58">because of an issue with the helper, this only works on macOS if you build the helper yourself from source</a>. Since we do not want to do that, we can plug in our eID and find and identifier using &#8220;aws_signing_helper read-certificate-data&#8221;. You should get something like<br />
<code class="" data-line=""><br />
Matching identities<br />
1) bf013dd57aa34f8f9d4e22ab89dd8eb2 &quot;SERIALNUMBER=70010112345,CN=John Doe (Authentication),C=BE,...&quot;<br />
2) 786f7572198a4a8a82ee7ef3f205d7be &quot;SERIALNUMBER=70010112345,CN=John Doe (Signature),C=BE,...&quot;<br />
</code></p>
<p>Copying everything between quotes, allows us to create a new file, selector.json that looks like this:</p>
<p><code class="" data-line=""><br />
[<br />
{<br />
&quot;Key&quot;: &quot;x509Subject&quot;,<br />
&quot;Value&quot;: &quot;SERIALNUMBER=70010112345,CN=John Doe (Authentication),C=BE,...&quot;<br />
}<br />
]<br />
</code><br />
and use that to select our specific certificate:</p>
<p><code class="" data-line="">aws_signing_helper credential-process \<br />
</code><code class="" data-line=""> --trust-anchor-arn $trust_anchor_arn \<br />
--profile-arn $profile_arn \<br />
--role-arn $role_arn \<br />
--cert-selector file://selector.json</code></p>
<p>Our smart card reader will now prompt us for a PIN. If we enter the right one, we get credentials as output:<br />
<code class="" data-line=""><br />
{&quot;Version&quot;:1,&quot;AccessKeyId&quot;:&quot;ASIA...&quot;,&quot;SecretAccessKey&quot;:&quot;COA...&quot;,&quot;SessionToken&quot;:&quot;IQoJ...&quot;,&quot;Expiration&quot;:&quot;2025-03-28T14:16:07Z&quot;}<br />
</code></p>
<p>We can put this command in our ~/.aws/config file, so the AWS CLI will execute it for us, but for testing purposes it&#8217;s slightly easier to use the &#8220;serve&#8221; option.  The AWS Documentation has a longer explanation about how you can use the credential-process: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html#credential-helper-examples</p>
<h2>Testing with s3</h2>
<p>In one terminal we can run a credential / metadata server that can be used by the AWS CLI:</p>
<p><code class="" data-line="">~$ aws_signing_helper serve -process \<br />
</code><code class="" data-line=""> --trust-anchor-arn $trust_anchor_arn \<br />
--profile-arn $profile_arn \<br />
--role-arn $role_arn \<br />
--cert-selector file://selector.json<br />
</code></p>
<p>This gives us<code class="" data-line=""><br />
2025/03/28 14:28:12 Local server started on port: 9911<br />
2025/03/28 14:28:12 Make it available to the sdk by running:<br />
2025/03/28 14:28:12 export AWS_EC2_METADATA_SERVICE_ENDPOINT=http://127.0.0.1:9911/</code></p>
<p>We can than use a second terminal to run:</p>
<p><code class="" data-line="">AWS_EC2_METADATA_SERVICE_ENDPOINT=http://127.0.0.1:9911/ aws s3 cp example_file s3://$bucket/serialNumber/70010112345/example_file</code></p>
<p>and get our file in s3:</p>
<p><code class="" data-line="">upload: example_file to s3://.../serialNumber/70010112345/example_file</code></p>
<h1>Conclusion</h1>
<p>This experiment shows that being able to use an external device withIAM Roles, is a very powerful feature, because it can remove a lot of tasks related to certificate and credential management. Being able to do this with something I had in my backpocket made it extra cool.</p>
<p>However, the Belgian eID is probably not the best way to go about this in a real scenario:</p>
<ul>
<li>I just gave everyone living in Belgium access to my S3 Bucket. I could use a more scoped-down trust policy, but I would eventually run into limitations of trust-policy size.</li>
<li>I also didn&#8217;t tackle Certificate Revocation Lists (CRL). Every time someone loses their wallet, I would need to invalidate certain certificates &#8211; this also runs into size limitations</li>
<li>I already have a good way to give users access to AWS Accounts, using Identity Center or Cognito.</li>
<li>The pkcs11 support on macOS seems limited, and I would have to install the middleware everywhere,</li>
</ul>
<p>This does not mean that Roles Anywhere is not a good solution for this kind of cases:</p>
<ul>
<li>If you are already putting certificates on machines (e.g using an MDM solution), AWS IAM Roles Anywhere is a great fit</li>
<li>Instead of relying on the Belgian Government you can buy an hardware key like a yubikey and use it as your certificate source. This is as secure as using the eID (only the machine with the key plugged in will be able to request credentials), and you would be limiting it to the exact serial number(s) in your trust policy anyway &#8211; making CRLs mostly moot.</li>
</ul>
<p>The post <a href="https://cloudar.be/awsblog/sign-in-with-your-eid-using-aws-iam-roles-anywhere-with-a-smartcard-reader/">Sign in with your eID: Using AWS IAM Roles Anywhere with a SmartCard Reader</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cloudar Achieves AWS SMB Competency</title>
		<link>https://cloudar.be/awsblog/cloudar-achieves-aws-smb-competency/</link>
		
		<dc:creator><![CDATA[Andy Mommerency]]></dc:creator>
		<pubDate>Mon, 02 Jun 2025 09:22:01 +0000</pubDate>
				<category><![CDATA[Cloudar news]]></category>
		<category><![CDATA[Company news]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22613</guid>

					<description><![CDATA[<p>Cloudar Earns AWS SMB Competency: Helping Small and Medium Businesses Thrive in the Cloud We’re proud to share some exciting news: Cloudar has achieved the AWS Small and Medium Business (SMB) Competency—a recognition that highlights our deep expertise in helping SMBs leverage the power of AWS to grow, innovate, and compete in today’s fast-moving digital [&#8230;]</p>
<p>The post <a href="https://cloudar.be/awsblog/cloudar-achieves-aws-smb-competency/">Cloudar Achieves AWS SMB Competency</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h3 data-start="159" data-end="252"><strong data-start="159" data-end="252">Cloudar Earns AWS SMB Competency: Helping Small and Medium Businesses Thrive in the Cloud</strong></h3>
<p class="" data-start="254" data-end="530">We’re proud to share some exciting news: <strong data-start="295" data-end="370">Cloudar has achieved the AWS Small and Medium Business (SMB) Competency</strong>—a recognition that highlights our deep expertise in helping SMBs leverage the power of AWS to grow, innovate, and compete in today’s fast-moving digital world.</p>
<p class="" data-start="532" data-end="782">For many small and medium-sized businesses, the cloud represents both an opportunity and a challenge. Limited resources, time constraints, and evolving customer demands make it critical to choose the right technology partner. That’s where we come in.</p>
<p class="" data-start="784" data-end="1140">At <strong data-start="787" data-end="798">Cloudar</strong>, we’ve built our reputation by delivering <strong data-start="841" data-end="900">tailor-made, cost-effective, and scalable AWS solutions</strong>—with a strong focus on simplicity, security, and performance. Whether you&#8217;re a fast-growing startup or a well-established company looking to modernize, our <strong data-start="1057" data-end="1096">local team of AWS-certified experts</strong> is here to guide you every step of the way.</p>
<h3 class="" data-start="1142" data-end="1181">Why This Competency Matters for You</h3>
<p class="" data-start="1183" data-end="1312">Earning the AWS SMB Competency is more than just a badge. It confirms that Cloudar has a <strong data-start="1272" data-end="1311">proven track record of helping SMBs</strong>:</p>
<ul data-start="1314" data-end="1600">
<li class="" data-start="1314" data-end="1382">
<p class="" data-start="1316" data-end="1382"><strong data-start="1316" data-end="1352">Optimize their IT infrastructure</strong> for flexibility and agility</p>
</li>
<li class="" data-start="1383" data-end="1449">
<p class="" data-start="1385" data-end="1449"><strong data-start="1385" data-end="1401">Reduce costs</strong> by leveraging right-sized cloud architectures</p>
</li>
<li class="" data-start="1450" data-end="1538">
<p class="" data-start="1452" data-end="1538"><strong data-start="1452" data-end="1487">Improve security and compliance</strong>, without the need for complex in-house solutions</p>
</li>
<li class="" data-start="1539" data-end="1600">
<p class="" data-start="1541" data-end="1600"><strong data-start="1541" data-end="1573">Scale operations efficiently</strong> as business needs evolve</p>
</li>
</ul>
<p class="" data-start="1602" data-end="1842">Our customer-centric approach means we take the time to <strong data-start="1658" data-end="1692">understand your business goals</strong>, not just your technical requirements. From initial strategy to hands-on implementation and ongoing support, we become a true extension of your team.</p>
<h3 class="" data-start="1844" data-end="1880">Real Results for Real Businesses</h3>
<p class="" data-start="1882" data-end="2147">We’ve helped dozens of SMBs in the Benelux and beyond to transform their operations with AWS. From e-commerce platforms and SaaS providers to manufacturing and logistics companies, our clients trust us to deliver <strong data-start="2095" data-end="2146">cloud environments that work—today and tomorrow</strong>.</p>
<p class="" data-start="2149" data-end="2406">Curious how we can support your journey? Take a look at some of the solutions we’ve delivered and the value they’ve created:</p>
<p data-start="2149" data-end="2406"><a class="c-link" href="https://cloudar.be/services-solutions/services-for-small-and-medium-businesses/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://cloudar.be/services-solutions/services-for-small-and-medium-businesses/" data-sk="tooltip_parent">https://cloudar.be/services-solutions/services-for-small-and-medium-businesses/</a></p>
<p>The post <a href="https://cloudar.be/awsblog/cloudar-achieves-aws-smb-competency/">Cloudar Achieves AWS SMB Competency</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cloudar Reaches a New Milestone with Dutch Expansion</title>
		<link>https://cloudar.be/awsblog/cloudar-reaches-a-new-milestone-with-dutch-expansion/</link>
		
		<dc:creator><![CDATA[Nele Claes]]></dc:creator>
		<pubDate>Thu, 06 Mar 2025 13:10:58 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://cloudar.be/?p=22550</guid>

					<description><![CDATA[<p>Cloudar Expands Beyond Belgium: New Office in Utrecht Marks Dutch Growth Cloudar, an AWS Premier Consulting Partner in Belgium, is expanding beyond its borders after more than a decade. A new location in Utrecht will facilitate further growth in the Netherlands. We discuss Cloudar’s plans with Steyn Huizinga. Steyn Huizinga, Managing Partner at Cloudar NL, [&#8230;]</p>
<p>The post <a href="https://cloudar.be/awsblog/cloudar-reaches-a-new-milestone-with-dutch-expansion/">Cloudar Reaches a New Milestone with Dutch Expansion</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p data-pm-slice="1 1 []"><strong>Cloudar Expands Beyond Belgium: New Office in Utrecht Marks Dutch Growth</strong></p>
<p>Cloudar, an AWS Premier Consulting Partner in Belgium, is expanding beyond its borders after more than a decade. A new location in Utrecht will facilitate further growth in the Netherlands. We discuss Cloudar’s plans with <a href="https://www.linkedin.com/in/steyn/" target="_blank" rel="noopener">Steyn Huizinga</a>.</p>
<p>Steyn Huizinga, Managing Partner at Cloudar NL, is leading the company’s Dutch expansion efforts. With ten years of AWS expertise, he brings the necessary experience to develop this new market. Cloudar was founded in 2014 and has always had a strong focus on AWS, a defining characteristic that sets it apart from other cloud specialists in both Belgium and the Netherlands.</p>
<p>&nbsp;</p>
<p><strong>Smart in Belgium and the Netherlands</strong></p>
<p>While Cloudar has primarily focused on Belgian customers in the past, it has always operated beyond the border, Huizinga explains. “After a delay due to COVID, now is the right time to open a dedicated Dutch office, allowing us to fully concentrate on the Dutch market.” According to Huizinga, it is important that Cloudar is not just seen as “those smart guys from Belgium,” but rather as “those smart guys from Belgium <strong>and</strong> the Netherlands.” The Belgian team will continue focusing on its home market, while the Dutch team will be dedicated to local customers.</p>
<p>The growth ambitions for the Netherlands are significant. “We aim to attract around ten new colleagues by the end of 2025, with plans for even stronger growth in the second year to meet demand,” says Huizinga. That demand is particularly high in Azure-dominated Netherlands, he notes.</p>
<p>&nbsp;</p>
<p><strong>AWS Premier Consulting Partner</strong></p>
<p>Achieving AWS Premier Consulting Partner status is no small feat. With only a few hundred partners worldwide holding this title, Cloudar is part of an exclusive group. Maintaining this status requires complete dedication to AWS, with stringent certification requirements for a significant portion of the workforce. Cloudar successfully meets these requirements with a relatively compact team, allowing it to be mentioned alongside much larger market players.</p>
<p>Cloudar’s AWS expertise is demonstrated through six AWS Competencies and five Service Validations across various domains. Given the vastness of the AWS portfolio, excelling in all services is impossible. Instead, Cloudar specializes in five core areas: security, cloud-native development, containerization, FinOps, and AI technology.</p>
<p>A key part of Cloudar’s approach is balancing innovation with responsible cloud usage. Many organizations start enthusiastically with AWS but later face unexpectedly high costs or overlooked security requirements. Cloudar advocates a ‘job-zero’ approach, integrating security and FinOps from the outset to prevent unpleasant surprises down the line.</p>
<p>By focusing exclusively on AWS, Cloudar stays close to the source of innovation. The company gains early access to AWS roadmaps, allowing it to anticipate new developments. This position in the AWS ecosystem enables Cloudar to respond quickly to changes and advise customers on the most effective implementations. For example, a container workload can be deployed in seventeen different ways on AWS, and Cloudar helps determine the optimal approach for each specific case. However, AWS can still surprise everyone, so consultants must be well-versed in the existing offerings.</p>
<p>In 2024, Cloudar achieved the AWS Sovereign Cloud Competency, aligning with the growing need for cloud sovereignty. The company embraces the mantra “encrypt everything” to ensure maximum data security. Additionally, Cloudar leverages AWS to approach IoT data in a more human-centric way rather than solely relying on dashboards.</p>
<p>&nbsp;</p>
<p><strong>Different Customer Preferences</strong></p>
<p>Huizinga notes clear differences in cloud preferences among customer segments: “ISVs often prefer to run their IT on AWS, while enterprise customers typically adopt a multicloud approach.” In such cases, Cloudar collaborates with Azure-focused colleagues, ensuring that Cloudar’s expertise remains dedicated to the AWS portion of a customer’s cloud strategy.</p>
<p>Choosing between cloud providers can be complex and should always be based on a clear cloud strategy, Huizinga emphasizes. “Organizations need to determine why they use Cloud X or Y for specific situations.” This is particularly important when internal IT operations run on Azure, while customer-facing platforms such as websites or retail environments operate on AWS. “You don’t want data to be transferred unnecessarily between different clouds.”</p>
<p>&nbsp;</p>
<p><strong>Dutch Customers Already on Board</strong></p>
<p>For Cloudar, expanding into the Netherlands is a natural step in its growth journey. The company already serves several Dutch clients, including <a href="https://cloudar.be/case-studies/coop-e-commerce-website-infrastructure/" target="_blank" rel="noopener">Coop</a>, <a href="https://cloudar.be/case-studies/mediahuis-shared-news-platform/" target="_blank" rel="noopener">Mediahuis</a> (operating in both Belgium and the Netherlands), and <a href="https://cloudar.be/case-studies/rgf-staffing-fast-forward-to-the-cloud/" target="_blank" rel="noopener">RGF</a>, an HR service provider. “Our approach is focused on helping organizations leverage Amazon’s cutting-edge technologies for competitive advantage while maintaining the fundamental aspects of a solid cloud infrastructure,” says Huizinga.</p>
<p>Huizinga observes that many companies adopt a multicloud strategy, with Microsoft Azure commonly used for office applications. AWS is frequently the preferred choice for customer-facing platforms, portals, and digital initiatives. “Of course, this is the perspective we see from our AWS-focused standpoint,” he adds.</p>
<p>According to Huizinga, AWS’s ‘model freedom’ philosophy provides a key advantage, particularly in AI. “AWS aims to offer customers as many AI options as possible, giving organizations the flexibility to choose the best solution for their specific needs.”</p>
<p>&nbsp;</p>
<p>The post <a href="https://cloudar.be/awsblog/cloudar-reaches-a-new-milestone-with-dutch-expansion/">Cloudar Reaches a New Milestone with Dutch Expansion</a> appeared first on <a href="https://cloudar.be">Cloudar</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
