Posts

Open-source tools for HSM-to-cloud migration: a wire-protocol proxy and an MCP server for AWS Payment Cryptography

I have two new open-source projects to announce. Both target the same problem from different angles: making it easier to move payment applications that depend on a hardware HSM onto AWS Payment Cryptography (APC). aws-payment-cryptography-hsm-proxy: a Rust TCP proxy that speaks Thales payShield 10K and Futurex Excrypt wire protocols and translates outbound calls to AWS Payment Cryptography. aws-payment-cryptography-mcp: a Model Context Protocol server that gives any MCP-compatible AI coding assistant (Claude Code, Codex CLI, Kiro, others) direct, domain-aware access to the APC control plane and data plane, plus embedded knowledge of HSM command sets and PCI PIN compliance rules. The proxy and the MCP server are designed to be used together, but each is useful on its own. Why this exists I was the founding manager for AWS Payment Cryptography and spent 6 years working with the service before I left Amazon earlier this year. APC launched in August 2022 and runs across mu...

Moving from ChatGPT to Claude Conclusions

I ended Moving from ChatGPT to Claude with "more once I've actually used it." I've used it. The answer isn't simple because chat and coding are different enough to warrant separate conclusions. I'll preface this with noting that these are my observations and not scientific conclusions. Overall Claude's setup friction was real. Claude depends on more non-Anthropic services than you'd expect and Pi-hole blocks a significant number of them silently. I ended up building an allow list and publishing it before I could use Claude reliably. ChatGPT has never required any of that. I also happened to start evaluating Claude during an outage, which didn't help first impressions. Not everyone runs Pi-hole, but enough technically-minded people do that it's worth noting. Anthropic's availability is noticeably worse than OpenAI's. The status dashboard reflects a steady stream of incidents. ChatGPT is install and forget. Claude required fighting to g...

The AI Revolution - Hype, Probability, and the Illusion of Thinking

When I hear companies like Anthropic make claims that they don’t know why AI comes to some conclusion, or they suggest that Claude somehow “resorted to blackmail” to prevent itself from being shut down as featured on 60 Minutes, it makes me feel we deserve a more honest take than we're getting. AI marketing, at least as it exists at the time of this article's writing, is filled with disingenuous assertions that create marketing leverage and product branding. It invokes fear, confusion, and hype. There's an important distinction being blurred here. We may not be able to trace why AI produces a specific response to a given prompt at any given time because of the sheer magnitude of steps but that is quite different than saying we don't know how it works. IT systems can suffer from the same problem, but thankfully they are much easier to solve because they are much smaller. Conflating the two is, at best, imprecise and at worst, deliberate. For example, it may be true that...

CyberChef Payment Cryptography Extensions

Update, May 2026: After completing a deeper review of the CyberChef Payments work, I split the project into a small ecosystem. The CyberChef fork remains the implementation/runtime layer, while CyberChef-Payments is now the workflow library and discovery surface. —— I built a set of payment cryptography extensions for CyberChef using Codex. The fork is at github.com/J8k3/CyberChef and there's a hosted instance running at cyberchef.jacobmarks.com. CyberChef is a browser-based data transformation and analysis tool from GCHQ. It's useful for a wide range of encoding, crypto, and parsing tasks, and the recipe model, where you chain operations together and run them in sequence, makes it well-suited for the kind of multi-step payment cryptography work that's otherwise done across several disconnected tools or scripts. In particular, CyberChef is entirely browser based and you can freely download and run it locally, making it a great tool for testing and prototyping without s...

Moving from ChatGPT to Claude

I’ve been using ChatGPT and Codex for a while and I’m starting to evaluate Claude. No conclusions yet. Getting started was rough. The desktop app would look like it was working and then throw “unable to connect,” and when I tried to subscribe the Stripe payment page wouldn’t load at all. Claude also had an outage around the same time, which didn’t help, but even after recovery things were still inconsistent. The real issue turned out to be my Pi-hole. For anyone not familiar, Pi-hole is a DNS-level blocker. It sits in front of your devices and blocks ads, trackers, and a lot of third-party domains by default. That’s the point, but it also means anything that depends on those domains can partially or completely break. Claude depends on more than just claude.ai. It pulls in additional domains for payments, telemetry, and chat, and Pi-hole blocks a lot of that in ways that fail silently. Quick way to confirm: disable Pi-hole for 30 seconds and reload. If everything suddenly works, that’s...

Cartes Bancaires Support in AWS Payment Cryptography

 AWS announced support for Cartes Bancaires in AWS Payment Cryptography. You can read the official announcement here: https://aws.amazon.com/about-aws/whats-new/2026/02/payment-cryptography-cartes-bancaires/ I was not there for the final announcement, but I was heavily involved in the work that made it possible. A large part of that work was audit readiness and making sure the implementation would satisfy the requirements for approval. Cartes Bancaires was still developing their audit program while we were going through the process, which added complexity. I worked directly with Deloitte through the review and was on every vendor call covering progress, evidence, gaps, and what was needed to get across the finish line. Most of the work is not visible from the outside. It was documentation, evidence, validation, follow-up, and making sure assertions matched what could actually be defended during audit. That work is rarely visible, but it is what makes launch possible.

Good Engineering Managers Don’t Leave the Technology Behind

As a manager of software teams, I’ve been asked many times about the transition from building software to managing the people who build it. It’s an existential question for a lot of engineers as they think about career growth: Do I become a manager, or do I stay technical? That framing has always bothered me, because it assumes something I don’t believe to be true: that managing and continuing to develop technical depth are mutually exclusive. It’s certainly possible to manage a software project with only surface-level technical knowledge. Plenty of organizations do exactly that. But in my experience, truly understanding the systems your engineers are working on is invaluable, both to the team and to the outcomes they deliver. What Changes When You Become a Manager The real shift isn’t from technical to non-technical. It’s a shift in how and where your technical skills are applied. As an engineer, your leverage comes from the code you write. As a manager, your leverage come...

VPC Flow Logs: Use Them Intentionally

Note: I originally sketched this post years ago and never finished it. I’m publishing it now as a retrospective on how I think about VPC Flow Logs at scale. For a long time, the default guidance in AWS environments was simple: enable VPC Flow Logs everywhere. At small to moderate scale, that advice is usually fine. At large scale, it becomes expensive, noisy, and often redundant. There’s an inherent catch-22 with Flow Logs. If you don’t have them enabled, you miss historical data when you need it. If you enable them universally, you can generate massive volumes of duplicated traffic data that few teams ever analyze in a meaningful way. At sufficient scale, AWS can perform network-level analysis across its infrastructure independent of whether an individual account is exporting Flow Logs. Because of that, Flow Logs are not always treated internally as a hard security requirement for every workload. I argued for that shift myself, main...

Amazon Web Services (AWS) Solutions Architect Professional Exam (SAP-C00)

Note: I originally wrote this post in 2017 but never published it at the time. Please note that the AWS certification landscape has changed significantly since then; this is provided strictly as a historical reference. Another year another re:Invent. This year at re:Invent 2017, because my associate was up for renewal again, I decided to sit for the AWS Solutions Architect Professional Exam. The exam is in beta phase where questions are being tested, refined and the exam pass line is being set. I won't find out if I passed until March 2017 and I can't share actual exam questions but I can share advice for others that are interested in the exam in the future. Note that as of Jan 2017 the beta is currently closed as it's proved to be very popular. Preparation: I entered the exam cold, drawing only on my working knowledge of AWS and its services so my perspective should be an unbiased view of the exam. There is an exam blueprint but it's been pulled from the AWS...

AWS Payment Cryptography in Sydney and AS2805 Support

AWS announced AWS Payment Cryptography is now available in the Asia Pacific (Sydney) Region. You can read the official announcement here: https://aws.amazon.com/about-aws/whats-new/2025/12/aws-payment-cryptography-in-sydney/ This was a particularly difficult launch. Not because of one major issue, but because there were a lot of moving pieces all happening at once. Hardware deployment issues, firmware rollout problems, feature dependencies colliding near the finish line, compliance requirements, launch timing, and the normal reality that things rarely line up as cleanly in practice as they do on a plan. A lot of the work near launch was simply making sure everything that needed to happen actually happened, in the right order, without creating new problems somewhere else. Regional expansion for a service like this is never just turning something on in another place. Every assumption around hardware, operations, and readiness gets tested again. Those are usually the hardest launches. Not...

Multi-Region Keys in AWS Payment Cryptography

AWS announced Multi-Region Keys in AWS Payment Cryptography. You can read the official post here: https://aws.amazon.com/blogs/security/multi-region-keys-a-new-approach-to-key-replication-in-aws-payment-cryptography/ This was a meaningful launch because it crossed one of the boundaries AWS takes very seriously: Region isolation. Replicating payment cryptographic keys across Regions meant moving highly sensitive customer material across a boundary that is normally treated as a hard line. That required a lot of design review, security scrutiny, and approvals. Moving critical customer data across Regions is not something anyone treats casually. One of my engineers handled much of the implementation while I drove execution, launch readiness, and stakeholder alignment. Because the launch was time-sensitive, I had to stay deeply involved in approvals, resolving concerns, and making sure decisions were happening fast enough to keep the work moving. A lot of the real work was not writing c...

Launching AWS Payment Cryptography

AWS announced the launch of AWS Payment Cryptography this week, and I’ve had the opportunity to lead the service from its earliest definition through production launch. The official AWS announcement is here: https://aws.amazon.com/about-aws/whats-new/2023/06/aws-payment-cryptography/ . This was one of those projects where the hard part was never just building software. The challenge was defining a service that could meet the expectations of payment processors, issuers, and financial institutions who were used to a vastly different interaction model while operating inside the security, compliance, and operational standards required for payment cryptography. My role started at the beginning: taking early customer input, writing the initial business requirements, and helping shape the architecture that would eventually become the service. That meant defining the threat model, establishing the security posture, and making early decisions around control-plane boundaries, data-plane design, ...

EBS Key Rotation Strategies for KMS Master Keys

The AWS Key Management Service (KMS) provides a capability to manage encryption keys with transparent integration to many other AWS services. Of particular significance is transparent data-at-rest encryption for the AWS Elastic Block Store (EBS) service. When using KMS encryption, the data stream from the underlying storage medium is encrypted/decrypted at the hypervisor level. KMS is a regional, AWS-account-bound service leveraging software key generation and underlying Hardware Security Module (HSM) appliances for encrypted storage of key material. Keys are decrypted as needed, stored in memory for the duration of the operation and then immediately erased from memory. The end user has the ability to effect controls over access to keys used for customer data encryption. As part of a security management plan, the customer may desire or have the requirement to effect a key rotation strategy. Keys may require rotation by policy with a defined validity period or could require rotation du...

Building a Stronger AWS Developer Community

The cloud market continues to get more competitive. AWS built its early success by winning developers first. Startups and builders were willing to take risks, move fast, and trust new platforms if those platforms made their jobs easier. AWS became the default choice because it gave developers access to infrastructure and services that previously required enormous capital, time, and operational overhead. That advantage should not be taken for granted. As the market matures, competitors are closing the gap. Microsoft in particular understands something important: developers and operations professionals are often the real catalyst for cloud adoption inside an enterprise. CIOs, CTOs, and procurement teams may approve the decision, but developers and operators heavily influence which technologies ever make it that far. If AWS wants to maintain its leadership position, we cannot rely only on top-down executive relationships. We must continue to win the people who actually build and operate s...

Amazon Web Services (AWS) Certified Security Specialty (CSS) Beta Exam

*** NOTE: AWS has pulled this specific certification version, refunding those who took the original beta exam. *** 2026 Status Update: The AWS Certified Security - Specialty is now a mature, standard certification. While the beta period mentioned below ended years ago, the core focus on deep-dive security across IAM, Encryption, and Incident Response remains the primary objective of the current exam version. I had the opportunity to take the AWS Certified Security Specialty Exam at re:Invent 2016. The exam was in a beta phase where questions were being tested, refined, and the exam pass line was being set. While I can't share actual exam questions, I can share advice for others interested in the certification path. Preparation I entered the exam cold, drawing only on my working knowledge of AWS and its services, so my perspective is an unbiased view of the exam's difficulty. While blueprints change, the foundational security pillars remain consistent. Format ...

Amazon Cognito User Pool Admin Authentication Flow with AWS SDK For .NET

Implementing the Amazon Cognito User Pool Admin Authentication Flow with AWS SDK For .NET offers a path to implement user authentication without management of a host of components otherwise needed to sign up, verify, store and authenticate a user. Though Cognito is largely framed as a mobile service, it is well suited to support web applications. In order to implement this process you would use the Admin Auth Flow outlined in the AWS-produced slide below. This example assumes that you have already configured both a Cognito User Pool with an App, ensuring the "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" option is checked for that app on the App tab and that no App client secret is defined for that App. App client secrets are not supported in the .NET SDK. It is also assumed that a Federated Identity Pool is configured to point to the aforementioned User Pool. This auth flow bypasses the use of Secure Remote Passwor...

Getting Started with AWS Lambda C# Functions

For those of us that are .NET developers at heart, we have powerful tools for running serverless C# applications on AWS. AWS Lambda now officially supports .NET 10 as a managed runtime, providing long-term support (LTS) through November 2028. Modern C# support in Lambda has evolved beyond early .NET Core. Developers can now utilize C# File-Based apps, which eliminate much of the traditional boilerplate code. These functions typically publish as Native AOT (Ahead-of-Time) by default, offering up to an 86% improvement in cold start times by removing the need for JIT compilation at runtime. Prerequisites: Development Environment: Visual Studio 2022 (latest version) with the .NET 10 SDK installed. AWS Toolkit for Visual Studio: Install the latest extension from the Visual Studio Marketplace. It now includes Amazon Q Developer for AI-assisted coding and one-click publishing. Getting Started with the .NET CLI: The fastest way to scaffold a new function is using the...

FISMA, FedRAMP and the DoD CC SRG: A Review of the US Government Cloud Security Policy Landscape

Note: The US Government cloud security policy landscape has changed significantly since this was originally written. I no longer have the first-hand, current context required to provide a meaningful update to this information, so please treat the following as a historical reference. The Federal Information Security Management Act (FISMA), a US law signed in 2002, defines the information protection requirements for US Government ("government") data and is applicable to all information systems that process any government data regardless of ownership or control of such systems. Systems Integrators (SI) under contract to perform work for the government are almost always provided some government furnished information (GFI) or government furnished equipment (GFE), and FISMA requirements extend to the systems owned and/or operated by these SIs if they store or process government data. Government data always remains under the ownership of the source agency with that agency holding sol...

Using Linqpad to Query Amazon Redshift Database Clusters

Looking for a quick and easy way to query an Amazon Redshift Database Cluster? I was, and the first place I turned was to my favorite tool for this kind of thing, Linqpad. I was a bit dismayed to find that no one had developed, that I could find, a Linqpad database driver for Redshift. Small note: there are a few PostgreSQL options and Redshift is supposed to be PostgreSQL compatible; however, none of them seemed to work for Redshift. Giving credit to the author of this article describing the use of Linqpad for connections to MS Access, I made a few tweaks and boom, I have a working way to connect to and query Redshift. So in the pay-it-forward spirit, I thought I'd share. 2026 Driver Update: AWS is retiring the legacy 1.x ODBC driver on June 1, 2026. Ensure you have installed the Amazon Redshift ODBC Driver 2.x. Unlike previous versions, the x64 driver is now the standard requirement for modern versions of LINQPad. // PREREQUISITES: // (1) Copy and paste this entire b...

AWS EC2 Auto Recovery Using CloudWatch

CloudWatch includes a powerful feature that enables auto recovery of an EC2 instance if it ever fails a system status check. A key benefit of this feature is that it relaunches an instance with the exact same configuration, preserving any auto-assigned public IP addresses and using the current instance volumes. Modern Update (2026): Automatic recovery is now supported for most deployed Amazon EC2 instances. Most current-generation instances (Nitro-based) support Simplified Automatic Recovery, which can be configured directly from the EC2 Instance console without manually building a CloudWatch alarm from scratch. Every EC2 instance is monitored for two distinct types of status checks that report as metrics to CloudWatch: System status checks: These identify AWS infrastructure issues, such as hardware failures, network connectivity loss, or power outages in the data center. Instance status checks: These identify software or configuration issues, such as corrupted...