Reflections on 20 Years with AWS: From Early Challenges to Lasting Contributions
AI Summary
I embarked on my journey with AWS on April 10, 2006, intrigued by the potential of Amazon S3 for secure backups. Although I didn't launch Tarsnap until later, the concept of an online storage service was compelling, especially given my background in web services since 1998. Initially, AWS required specific requests to enable new services, and my account came pre-enabled with Amazon Simple Queue Service and Amazon E-Commerce Service.
Security was a primary concern from the start. As FreeBSD Security Officer, I noted the lack of response signatures in AWS, which posed risks when requests were made over HTTP. Though less critical with TLS, end-to-end signing remains superior. My interest in running FreeBSD on Amazon EC2 led to early collaborations with Amazon, despite initial hurdles like faxing NDAs.
In 2007, I raised security concerns about Xen, the virtualization technology AWS used, recommending a thorough audit. This led to Tavis Ormandy uncovering vulnerabilities in Xen. I also advocated for EC2 features like read-only root disks and memory state wipes to enhance security, ideas that took years to materialize.
My 2007 blog post, "Amazon, Web Services, and Sesame Street," critiqued Eventual Consistency, proposing a model of Eventually Known Consistency. While AWS services like S3 and DynamoDB evolved, I still see my model as theoretically superior.
Efforts to run FreeBSD on EC2 faced technical challenges, like Xen's limitations, but persistence paid off. By 2008, I had Tarsnap in beta, using Amazon SimpleDB for accounting. I reported security issues with SimpleDB's signing scheme, leading to improvements and ongoing collaboration with AWS.
Despite setbacks, like FreeBSD's initial incompatibility with EC2's Xen version, I continued to push for solutions. By 2010, I had FreeBSD running on EC2, albeit with workarounds like using Windows instances. This persistence eventually led to broader FreeBSD support on AWS.
Security remained a focus, with concerns about IAM Roles and credential exposure via IMDS. My warnings were validated by the 2019 Capital One breach, leading to improvements like IMDSv2. Recognition came in 2019 when I joined the AWS Heroes program, acknowledging my contributions to AWS.
In 2021, EC2's support for UEFI booting improved FreeBSD's performance, though decisions about compatibility remained complex. My role as FreeBSD Release Engineering Lead since 2023 has been demanding, balancing AWS contributions with FreeBSD responsibilities.
Amazon's sponsorship via GitHub has been crucial, allowing me to address FreeBSD/EC2 issues more effectively. My journey with AWS has been collaborative, relying on support from Amazon engineers and the broader community, underscoring the shared effort behind these achievements.
Key Concepts
Cloud security involves protecting the data, applications, and infrastructure involved in cloud computing from threats. It includes measures like encryption, access controls, and secure APIs to ensure data integrity and confidentiality.
Virtualization technology allows multiple virtual systems to run on a single physical system by abstracting hardware resources. It is foundational for cloud computing, enabling efficient resource utilization and isolation between systems.
Category
Technology
Original source
https://www.daemonology.net/blog/2026-04-11-20-years-on-AWS-and-never-not-my-job.html
Summarized by Mente