Forem: Xauntasia Mabry

First Quarter 2026 Goal Update

Xauntasia Mabry — Wed, 01 Apr 2026 01:39:18 +0000

1) Continue doing hands on labs through SkillBuilder to refine my skills. I’ve learned a great deal in the world of enterprise scale for Cloud Operations, Generative AI, and Security and I’m going to double down on those while also seeking Quantum Computing learning opportunities. <- I doubled down, but not necessarily on SkillBuilder. I participated in the BeSA Batch 9 on Agentic AI, built my own personal agent to help with homeschool learning activies for my kids, and continued with TryHackMe SOC2 Learning Path.

2) Make my learning actionable by creating a technology roadmap and strategy to continue to build a secure, dynamic, and innovative cloud platform. <- This is hard. The challenge here is that there are more people also looking to make a roadmap for their capabilities. Sometimes it involves the platform that my team and I support, but we're not always in the conversation on how we make sure the "how" meets everyones needs. I also see the asks that we have to others can also impede others from their own roadmap. I don't take for granted the opportunities to work with busy people to accomplish big goals, but I probably underestimated the effort needed to actually do it. I think this is a stretch area for me in Q2

3) Refine skills in leadership so I can strengthen my people-centered approach as a technical lead for our cloud platform team. <- My biggest focus this year has been on continuing to learn and develop both relational and emotional intelligences. The surprise here for me was that people actually are open to me being a mentor, another thing I don't take for granted. With this opportunity, I get to share some lessons learned through my experience of applying what I've learned from leadership programs and podcasts from my favorites like Dr. Dharius Daniels, John Maxwell, and Craig Groeschel. Really excited about continuing this for the rest of the year.

The home stretch

Xauntasia Mabry — Wed, 01 Apr 2026 01:01:57 +0000

I never thought I’d be someone who actually thought it was a good idea to download GitHub as an App on my phone, but here we are. Charting territory I honestly felt like I didn’t belong in. To be honest, even working IT, there were moments where I just didn’t think I met the “mark” of someone who was “passionate” enough to do something like this.

For the first time in my career, I do feel that I’ve found enough “passion” to warrant having access to my coding agent at all times. Now that I've entered the testing phase of the homeschool site build out, I've been using GitHub Copilot to help me resolve the issues that pop up as I'm walking through the workflows for the site.

First, I've begun to use the issues on the repository to assign work to Copilot. The past few weeks have been a whirlwind of things on both the professional and personal side and this has been a really nice way to still stay plugged in without having to spend hours in front of the screens troubleshooting the website issues.

Also, my use of a public repo is coming in handy because I've been able to allow Copilot to help me make sure the dependencies for the React framework I'm using for the frontend stay up to date. Really nice. But I'm ready to use instructions to see if I can get Copilot to do this without my repo needing to be public. I decided to start with my backend because Python is easier for me to navigate

The first instruction I've created does these things:

Makes sure that my lambdas all stay on a supported runtime version
Pins package versions so that I can stay on versions that are not vulnerable and not automatically update latest just in case it's a compromised package
Makes sure I use the latest version of the github-actions for my python builds.
Runs a pip-audit to see if a package has any known CVEs

To get help writing this set of instructions, I used Copilot to assess my rough draft as an application security engineer and to make appropriate edits to the file to make it align with best practices. Some suggestions it included then was to ensure that I had something in place to protect against typosquating, address CORS, guard against injection attempts, and ensure there's a limit to input to my site.

These instructions are going to load into Copilot and essentially guide Copilot to help me ensure that the recommendations it makes will always align to these standards for my repository. Currently only have this enabled on my backend repo, so my frontend repo will be next.

How I’m using Bedrock Agents

Xauntasia Mabry — Sun, 22 Mar 2026 12:04:23 +0000

It was the day after I got all issues resolved and made the “it works in dev” post that I had the moment.

“What if instead of a form intake it’s a conversation?”

“How would parents like to create a series of activities that built upon each other?”

And it hit me…what I had wasn’t all I want to build. There’s still more skills to continue to cultivate and kids to develop. That doesn’t happen with just one activity. There’s freedom in consistency and progressive path learning so, here we are.

Bedrock Agent vs AgentCore

chose Bedrock Agents instead of Bedrock AgentCore because I’m really looking to minimize how much I manage for this agent. And I have automation already in place to handle to few tools/Lambdas that will be available to this lone agent.

Model Choice

What I noticed with Bedrock Agents is that the models available for it seemed just be limited to Anthropic and Amazon’s Models. I may be missing something on this screen but it also wasn’t the latest models that have been released. So I selected the Claude Sonnet model version that wasn’t marked as legacy just to get the configs together.

AWS CLI

I also decided instead of Terraform I wanted use the AWS CLI to deploy from GitHub Actions. After creating the necessary role for GH actions to assume, adding permissions for Bedrock and Lambda, this worked pretty well. That is until I prepared and tested my agent and I got no response. Want to know why?

User Input is disabled by default. If you want a conversation, this setting must be enabled. It’s also a secondary bedrock call after the agent’s initial creation call.

Once you get the right model id and figure out the right syntax for your user input you’re all set.

System Prompt

The agent’s system prompt instructs the agent to have a warm tone and pleasant conversation about opportunities to create a single worksheet or a series of worksheets that build upon each other. It’s supposed to carry on the conversation until it captures all of the required inputs for the tools in the action group. Refining this is really important because it grounds the agent to stay focused on the end result. I don’t want to pay for unnecessary dialogue either so this is likely going to save me a few dollars too.

Action Group

I learned that the maximum number of parameters that can be passed to a target action is 5 through Bedrock. To accomplish this, I made a a fairly sizable changes to the lambdas inputs. Using nested parameters that had multiple parts of metadata in the was where I started to lean on CoPilot to assist. This took a few tries before we got it right, but the action group is connected and accessible.

Wrapping this up

Something newer that I noticed is that encryption handled by AWS is done with “AWS Owned” keys. The old “AWS Managed” keys showed up in the KMS console. But more recently with newer services seems the AWS-owned keys will no longer show up there. Shift in visibility is probably something cyber policy for folks will have to adjust to, because the visibility necessary for “trust but verify” may no longer be available. Now you just trust that a key owned on the AWS side is there and actually encrypting your stuff.

But that’s all…we’ll see how it works out here soon.

Flowing to agentic

Xauntasia Mabry — Sat, 14 Mar 2026 03:33:09 +0000

The website I created is boring.

It uses Foundation models for generating content.

It sits behind an API gateway, uses Cognito for authentication, and Amplify serves up the front-end.

Boring...when there's agents to be built.

The spice of life is doing something you never thought you’d do. And this moment of "Ooo let me try it and see what happens" isn't one I expected to have at this point in the site build process. While I do intend to keep the site fundamentally the same, I’ll also be deploying a Bedrock agent to have conversations with parents who log in and want to discuss, plan, and create activities in a learning path. This does change the application architecturally, but that’s why this is getting its own series of posts. I’m going to break up writing about if the juice is worth the squeeze on this particular addition to the site I've created.

Here’s the gist of what I’m adding:

Effective De-bloating, Refining purpose

Xauntasia Mabry — Sat, 28 Feb 2026 04:28:56 +0000

After getting the homeschool app logistically up and running, I started doing some investigation into the content that was actually being generated. In that research, I realized that my use of Copilot definitely bloated the logic that I originally had for my backend. Initially the workflow generated text that was then stored in S3, used the generated text to try to generate an image, store the image and then did a parse of both content types to try to put together a worksheet according to my criteria, but the results were lack luster. So I did a few things:

I changed the model from image generation to using one that can generate markdown or rich text type of output so that the result is more readable and more easy to structure into a paginated worksheet. For this, I used Mistral Large as my primary model and got exponentially better content.
Improved the prompt that was being passed in to invoke the model. Since I'm not really looking for conversational or chat type of engagement, I need to make sure that the prompt I'm sending to the model actually includes something that sets the tone of the structure of the response I want
Kept the temperature low. I didn't even notice the temperature that was provided by CoPilot when it was developing the framework of the generator function and it was high. So when I was looking at the results, I was confused. The question "is this even a word in any language?" was front and center. I appreciated the creativity, but...because this is educational I had to back that down a good bit.

Lastly, I did some more research about the way we need to make sure that applications catering to education must also account for any type of compliance. I learned about COPPA with the help of ChatGPT and understanding what I would need to incorporate in my application to account for meeting the age requirement for using the site since I want this for parents seeking material for their kids. This took me through the exercise of adding new sections to the front end and a way to use a date picker that helps make sure that I only let people who use a birthday that's appropriate to be eligible for logging in to the site. I still haven't set up a sign up capability, simply for cost effectiveness and security purposes, but I'm evaluating that option.

Will they remember?

Xauntasia Mabry — Tue, 24 Feb 2026 01:52:24 +0000

Call me the exterminator because I'm getting rid of bugs. Of course, they're the digital kind. But it's been a few rounds of laying down the bait and traps before I got to a functional site. But now that I'm here, it's time to get some valuable feedback.

As any proud daughter would, I've sent the link to my parents. I channeled the same enthusiasm I had for creating a refrigerator magnet at 6-years-old too. I wonder, when they log in and look around will they feel the same way they responded to me when I handed them the magnet? I do know it's still on their refrigerator today, so maybe there are just some things that just can't be outdone.

After pressing send, it made me think how quickly life moves because that's actually probably one of the more vivid memories I have of that age, but it was decades ago. What's even more chaotic is my oldest is that age now!

I don't know if my kids will remember fondly the time that I spent at a laptop screen typing, coding, and thinking. They'll probably see pictures of themselves in my arms after I had returned to work, being exposed to screens while only weeks old. My COVID-era kids only know mom works on her laptop all day, cooks, does a Bluey freeze dance with us, and then gets back on her laptop. I just hope a strong desire to continue to learn and build new skills is both contagious and hereditary.

A Matter of Authentication

Xauntasia Mabry — Wed, 18 Feb 2026 02:35:46 +0000

AWS Cognito is the friendly, AWS-resident, managed authentication service I've chosen to use to ensure that the website I develop stays secure. I don't want anyone to be able to log in and use it unless I've set them up personally to do so. This requirement made the choice easy. I'm not an IAM guru with interest in managing an enterprise-scale Active Directory through Directory Services, so that's a bit over the top for my use case. I'm also not necessarily looking to create custom authorizers for the API's that I call from my frontend, so Cognito fits right into what I need for this use case.

Cognito User Pools provide you a means to leverage other identity providers like GitHub for federation of identities and assign access to them according to their scope/role, or by using locally managed identities managed in the user pool. User Pools can have application clients, which is what I've used to power the single-page application I'm building. It's also capable of supporting the M2M authentication utilizing OAuth 2.0, which if you're looking into agentic applications, can be beneficial for securely managing access to specific tooling available to your agents.

Once the User Pool is established, you can use that as an identity provider for an Identity pool used to grant access to AWS resources if needed. My use case does not require the use of an identity pool to grant authenticated users access directly to AWS Services, so I will not be implementing one for my website.

In my case, I'm going to be using the opportunity to test out the use of HTTP API Gateway endpoints to see if I can manage that. I've only done REST API's so far with API Gateway so this is yet another opportunity to stretch a little bit in my learning. With this, I'll need to set up Cognito user pool app client to be a JWT token generator for my API. I used the blog post here to make the magic happen.

Here's a summary of how this Cognito user pool works:
1) Admin creates a user in the console and places them in one of the pre-defined groups.
2) When the user gets notified (using the default Cognito email and SMS configuration) then they can log in and reset their password
3) The Cognito user pool allows these type of authentication flows:

4) The App client I created for this environment, does not have a client secret generated.

Necessary environment vars for getting this to work:


# Cognito Authentication Configuration
# Cognito User Pool Domain (without the .auth.region.amazoncognito.com part)
VITE_COGNITO_DOMAIN=your-cognito-domain

# Cognito User Pool App Client ID
VITE_COGNITO_CLIENT_ID=your-cognito-client-id (ex. 1a2b3c4d5e6f7g8h9i0j1k2l3m)


# AWS Region (optional - defaults to us-east-1)
VITE_AWS_REGION=us-east-1

# Redirect URI after successful login (optional - defaults to current origin)
VITE_COGNITO_REDIRECT_URI=http://localhost:3000
# For production: VITE_COGNITO_REDIRECT_URI=https://your-domain.com

Setting my own rules

Xauntasia Mabry — Sat, 07 Feb 2026 21:45:21 +0000

First, let me explain the title. In my normal work, I infrequently get the opportunity to build with AWS services that have not been approved for use within my company. So that's why, when I use services like AWS Amplify in my personal project knowing it's not approved in my 9-5, it feels a little scandalous. Like I'm jumping out the window to go to a party I've been told I can't attend. I didn't know this kind of feeling would be part of the journey creating my own stuff, but it's hilarious to finally experience setting my own rules in how I want to use technology. Like new levels unlocked I didn't see coming. I like it here.

Now that you understand that, I'd take a moment to double-click on AWS Amplify from this previous post and how I've gotten a chance to learn about it in the midst of my frontend development efforts. Amplify lives up to the expectation of being able to deploy something quickly. Just as fast as I got Copilot to help me create a frontend app using React framework, Amplify immediately deployed it. I had the Amplify application set up to auto-detect branches and to auto-build so from this point on as long as I pushed new changes to the app that compiled, the build and deployment was completely handled.

What I am choosing not to do is to directly integrate the Amplify with functions, storage and data options. That seems to be a major perk in having Amplify be able to interact with other AWS services on your behalf, but for this I'd like to have a little more control. I've chosen to use API Gateway to control access to my Lambdas so that I can implement granular validation and error handling for requests with API Gateway. I also want to protect with a managed authorizer the Lambdas that will be calling Bedrock Models for generating content and downloading content from S3. Last reason is because I'm not willing to write the backend in TypeScript lol. React Frontend is enough learning for me in 2026. Backend will be in a language I'm more comfortable with.

In a previous post, I asked how others chose to deploy their resources for personal projects. This post is an indication I chose to create TF after manual deployment just for lack of familiarity with the Amplify resources in the provider. With that, I'm testing myself to see if I can quickly come up with the Terraform necessary to deploy the same resource and configured the way I did it in console.

This is actually one of the points of friction I've heard from development teams in my 9-5. Coming up with Terraform to deploy the resources hasn't always been an easy dance. I can attest to this from my own previous experience, but this particular experience with Amplify highlighted this further. The current AWS Terraform provider doesn't give you resources to manage or customize the monitoring or alerting for the application, so that still needs to be done in console.

Here's a code snippet of the way I initially configured Amplify to deploy my frontend app:

resource "aws_amplify_app" "homeschool_app" {
  name       = "homeschool-app"
  repository = "https://github.com/homeschool-app" # Replace with your GH repository

  build_spec = <<-EOT
    version: 1
    frontend:
    phases:
        preBuild:
        commands:
            - npm ci
        build:
        commands:
            - npm run build
    artifacts:
        baseDirectory: build
        files:
        - '**/*'
    cache:
        paths:
        - node_modules/**/*

  EOT

  enable_auto_branch_creation = true
  auto_branch_creation_patterns = [
    "*",
    "*/**",
  ]
  auto_branch_creation_config {
    enable_auto_build = true
  }

  environment_variables = {

# Cognito User Pool Domain (without the .auth.region.amazoncognito.com part). This is important
VITE_COGNITO_DOMAIN=your-cognito-domain

# Cognito User Pool App Client ID
VITE_COGNITO_CLIENT_ID=your-cognito-client-id
# Example Usage: VITE_COGNITO_CLIENT_ID=1a2b3c4d5e6f7g8h9i0j1k2l3m 

# AWS Region (optional - defaults to us-east-1)
VITE_AWS_REGION=us-east-1

# Redirect URI after successful login (optional - defaults to current origin)
VITE_COGNITO_REDIRECT_URI=http://localhost:3000 # Local development redirect 
# For production: VITE_COGNITO_REDIRECT_URI=https://your-domain.com

# API Configuration
# Main API Gateway URL for backend endpoints
VITE_API_ENDPOINT=https://your-api-gateway.execute-api.us-east-1.amazonaws.com/prod

  }
}

To Terraform or...CloudFormation

Xauntasia Mabry — Sun, 25 Jan 2026 01:47:50 +0000

I heavily debated whether I would start off with using Terraform to deploy the resources necessary for my homeschool education site. I'm familiar enough with the syntax to be able to create resources that I'd use, but at the same time, I'm not trying to do this at scale. I'm just building this for one-time use for my own education site. At this point, I realize this is an opportunity I don't get professionally often to manually create resources and to also use CloudFormation. So I'm taking my chances with CloudFormation...after deploying everything once manually.

Feels like a betrayal to everything I've tried to establish corporately, but maybe this leads to new revelation helpful in my day to day. For folks who use both or do similar activities professionally as you do personally from a cloud building perspective, what do you normally do?

My Exam Experience: AWS Certified Solution Architect - Professional

Xauntasia Mabry — Tue, 20 Jan 2026 13:45:33 +0000

The AWS Certified Solution Architect - Professional exam was the first of three exams I planned to take in a two week span. To be fully transparent, this one was a stretch goal for me this year. I talked myself out of thinking I was ready to take the plunge in 2024 and spent the year renewing my solution architect associate because it felt more comfortable. But 2025, shifted gears because being known as a cloud security SME wasn’t enough anymore. I wanted to make sure it’s clear, if to no one but myself, that I am proficient in cloud engineering, architecture, development, AND security.

Content Review

The amount of information covered in this exam was about 3x what was covered in the Solution Architect Associate (SAA) exam. Because in this exam there’s literally more than one right answer available for you to choose from. It’s your job to read carefully and completely to decide which approach is the BEST one to achieve the expressed goal of the situation. The questions are a little longer with more context, some of which is there to distract you.

The themes I found occurring most in my questions were around cost optimization and operational excellence. So I strongly suggest a deep awareness of the different pillars of the well architected framework.

How I studied

I said this before, but SkillBuilder saw a lot of me in 2025. I used the AWS Certified Solution Architect Professional Exam preparation learning path and touched pretty much all of the content. These paths are super long with lots of reading and Simulearn labs as well. These paths question banks for this exam is not quite as extensive as what was available for the SAA exam, but they definitely helped me get familiar with how to read the problem and think through the best options even if more than one is available. You’ll see a lot of phrases like “most cost-effectively” or “least operational overhead” at least 60% of the time and those questions generally have answer choices that look very similar to one another with minor differences.

In addition to SkillBuilder, Stephane Maarek’s course on Udemy for this exam was incredibly helpful in learning about the architectures and recommended patterns of implementation across pretty much the entire landscape of AWS. He has his course organized by cloud capability (I.e. computer, ML/AI, storage,etc) and that is how my brain best learned. There are other courses that take the exam domain approach, but I felt those helped me prepare for the exam and not really life, which is really the goal. Not to just hypothetically design sustainable systems, but to actually build them, support them, and improve them over time.

This exam was the one I poured most of my intentional study time to when my exam days got closer. Not because it’s more important, but because the end of year is also when I began planning for what’s to come for my team. This study directly impacted the way I framed the high priority objectives for the year. Let this be a recommendation from me, if there’s any exam for you to study for, I definitely say this is the one.

My Exam Experience: AWS Certified Security Specialty

Xauntasia Mabry — Tue, 13 Jan 2026 12:28:19 +0000

This exam was the last exam I took in 2025 in the series of three I sat for in the span of two weeks. This was the renewal exam for me, but this was the first time taking the SCS-C03.

Content Review

This version of the exam content is drastically different from the first. Not in that there are more security tools in AWS to familiarize yourself with, but that this was a test of how to secure any given workload for any given set of requirements. The first time I took this exam, there were quite a few more questions around what tool was right for the security task and common integration patterns of security tooling. This time, the questions were centered on you having experience with a variety of workloads, with cloud architecture, and awareness of securing Generative AI solutions. It was a welcomed shift because I’d already been studying for the Solution Architect Pro exam and Generative AI Pro exam. But I know for a fact I would not have been prepared because none of the current Udemy courses really had been fully adapted to this version of the exam at the time I was studying.

There were questions on evaluating SCP having an expected effect where ability to understand AWS Organizations was important. There were questions on the ability of Security Hub to ingest alerting and logging from other AWS security services to aggregate alerts in a single pane. There’s questions about HSM keys being used in KMS and what are the operational requirements for that to happen. There were a few questions on what steps you should take in troubleshooting access issues that change after an event for any given resource. Lastly there were questions around what would you do to quickly and effectively stop malicious behavior without negatively impacting a production application. The questions varied a good bit, but definitely required more situational awareness than the previous exam version.

How I studied

This version of the exam doesn’t have a lot of course material out there yet, but I did use SkillBuilder Exam Preparation course for practice questions and reviewing the new distribution between the different domains. Zeal Vora’s AWS Certified Security - Specialty course on Udemy helped me dust off the cobb webs on services I didn’t use day to day. His deep dives are also really helpful because he articulates lessons learned from his extensive experience in cloud security engineering during his demonstrations.

But what prepared me most for this exam was experience in setting up security infrastructure at enterprise scale at work and reading about different TTPs (Tactics, Techniques, and Procedures) of threat actors out in the wild. Interestingly enough my experience on the TryHackMe platform helped me think through “how would someone attack this particular cloud resource?” While I spent more time studying and learning AWS in 2025, my 2024 THM platform experience helped me navigate the situation presented in each question through the lens of the attacker and the protector.

I finished the exam with ~25 minutes to spare and review the questions I’d flagged. Some of which were on IAM policies for IoT things(and yes, they are legitimately called things lol) and one on Resource control policies and how they behave in combination with other identity and resource based policies. All in all I felt challenged by the questions despite having so much time to review. I was appreciative of the fact it was the last exam for the year and I did my best to prepare.

Solving my own real-world problem

Xauntasia Mabry — Sun, 11 Jan 2026 16:38:40 +0000

I've been in the software development and devsecops space for long enough to learn a few good patterns, solve complex problems, and build cool things. But if I'm honest, it wasn't until recently I found the mental space for connecting the dots on how I can use my technical skills to solve personal problems. For example, I have a few kids that will be home with me during the summer all day. I've searched online for hacks, how-to's, tools and more, to try to find something that could help me prepare for this test of time and resource management. Everything I found either costs more than I'm willing to pay, takes more effort than I'm willing to give, or is less than ideal for the age range of the kids I have. Hence, the personal problem I'll be building a website to help solve.

I was inspired by my studies in generative AI and AWS, and decided to build a site that uses GAI. My intent is to use the site to help me create engaging educational content for my kids while they are home. I want to also be able to store grades so they can see their progress over time as well. Here's a quick visual of what I will build to start:

While I chart new territory, I plan to take the recommendation of one of my co-workers to try a modeling solution called IcePanel to try using it for diagraming my solution. So if you're interested in learning more about the tool used for the diagram, check them out. I do not claim to be an expert on this platform since I've only known about the tool for ~48 hours. But so far it's definitely been cool to play with and tap into the solution architect toolbox.

If you have kids, what type of things would you really value in a website that helped you generate things to help your kids stay fresh on their learning and move ahead?