Hi, I'm Sean Curie. I'm an enterprise YAML architect at Pivotal. How many guys out there keep your manifest in source control or parts of your manifest? Okay, how many keep them on GitHub? Who's ever pushed a manifest to GitHub with the keys in it? Yeah, you do a quick search out on GitHub. You'll find all kinds of AWS access keys. Okay? It was an accident, right? We had an accident. We had a six-figure bill from Amazon. We don't want to do this ever, right?

So Amazon wants to help us with this. They have this great tool called IAM. Who's an Amazon user out here? Who uses IAM? Instance profiles. Okay, I'm telling you you need to nick. Okay, what instance profiles do, what instance profiles let us do is take that high-level key, right, that we want no one to have, right? Assign it to an instance with a role. Okay, that role is going to give that instance certain permissions, right? Then that instance can create the short-term key called an STS key, right? That's just valid for the single action that you want it to do, right? So if I want to scale with BOSH, my instance has permission to do that, okay? If you want a cloud controller, right, that has permission to write to an S3 bucket, you can do that, right? If you have a gorouter that wants to register with your ELB, you can have dedicated instance role permissions for those things by assigning them through AWS IAM.

Okay, so STS stands for Security Token Services. It's a temporary security credential, right? Your security guys, you tell them you're using a least privilege model. They're gonna be super happy with that, and they expire, right? We have an audit record of the key we used. We can go back and say, okay, this key got generated from that key. We know where everything came from, but you can't reuse that key. We don't have to worry about taking it out of our logs. Awesome, because taking shit out of logs sucks. Oops, I think I went too far there. Okay, so this is how we would, a basic workflow here.
It would deploy a jumpbox or a bastion host, whatever you guys want to call that, from AWS with that role. From there, we do our BOSH init to create our BOSH, add our instance profiles into the instance groups and deploy, or we could just inherit that BOSH key if that's something you want to use, right? For me, that's a little too much on the permission side. I'd rather have fewer permissions than that. Amazon also gives us some other features that allow us to leverage Justin Smith's model here and then the nice circle. Do you guys remember what that was called? That, uh, Sam, Sam Circle. I thought I'd throw all that stuff in there, right? We can quickly swap out all our keys using Amazon mechanisms, right? We can rotate those keys quickly. We can repave our whole thing and get new keys, and then we can record that in the Amazon CloudWatch logs, send it out through your syslog server, whatever you guys want to do with that.

All right, that's some references for the documentation. This, I don't know if this is a BOSH 2.0 feature. Actually, it's been out for a while. You can find some more information about it out there. And then there's some information if you want to contact me. Thanks.
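The two halves of the talk, keys leaking into manifests and instance roles that hand out temporary STS credentials instead, can be shown together in one small script. This is an added example, not code from the talk or from BOSH: it scans a manifest for embedded AWS access key IDs, telling long-lived IAM user keys (`AKIA...`) apart from temporary STS keys (`ASIA...`), checks whether the VM type instead carries an instance profile, and builds the two policy documents an instance role needs for the cloud-controller S3 case the speaker mentions. The manifest is constructed for the example, and the `iam_instance_profile` cloud property name is assumed here rather than taken from the talk.

```python
"""Added example (not from the talk): find long-lived AWS keys in a BOSH-style
manifest and build a least-privilege instance-role policy for one S3 bucket."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# AWS access key IDs are 20 chars. AKIA... belong to IAM users and never expire;
# ASIA... are temporary STS credentials (the kind an instance profile hands out).
ACCESS_KEY_RE = re.compile(r"\b(A[KS]IA[0-9A-Z]{16})\b")
# Any YAML/INI line that assigns a non-empty value to a secret-key field.
SECRET_LINE_RE = re.compile(r"(?i)(secret_access_key|aws_secret)\s*:\s*\S+")
# Assumed AWS CPI cloud property that attaches an instance profile to a VM.
INSTANCE_PROFILE_RE = re.compile(r"^\s*iam_instance_profile\s*:\s*\S+", re.M)

# Constructed sample manifest: one VM type does it right (instance profile),
# one job property block still carries a long-lived key pair.
SAMPLE_MANIFEST = """\
# constructed sample, not a real deployment
vm_types:
- name: default
  cloud_properties:
    iam_instance_profile: cloud-controller-role
properties:
  cc:
    droplets:
      fog_connection:
        aws_access_key_id: AKIAEXAMPLEKEY123456
        aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
        provider: AWS
"""


@dataclass
class Finding:
    line_no: int
    kind: str      # "long-lived", "temporary" or "secret"
    severity: str  # "high" for anything that should block a commit, else "low"
    value: str


def scan_manifest(text: str) -> list[Finding]:
    """Return every credential-looking value in the manifest, one Finding each."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(1)
            if key.startswith("AKIA"):
                findings.append(Finding(n, "long-lived", "high", key))
            else:  # ASIA: expires on its own, still should not be committed
                findings.append(Finding(n, "temporary", "low", key))
        if SECRET_LINE_RE.search(line):
            findings.append(Finding(n, "secret", "high", line.strip()))
    return findings


def uses_instance_profile(text: str) -> bool:
    """True if at least one VM type gets its credentials from an instance role."""
    return INSTANCE_PROFILE_RE.search(text) is not None


def ec2_trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume the role (via STS)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_write_policy(bucket: str) -> dict:
    """Permissions policy scoped to one bucket: object read/write plus listing."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f"line {f.line_no}: {f.kind} ({f.severity}) {f.value}")
    print("instance profile present:", uses_instance_profile(SAMPLE_MANIFEST))
    print(json.dumps(bucket_write_policy("cc-droplets"), indent=2))
```

Run as a pre-commit or CI step, a non-empty list of `high` findings is the signal that a long-lived key is about to land in source control; the policy documents are what you would attach to the role named in `iam_instance_profile` so the instance can mint expiring STS credentials for exactly that bucket and nothing else.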