Show HN: AWS Enhancement Suite (opens in new tab)

(chrome.google.com)

33 pointsbrandonbloom5y ago31 comments

31 comments

25 comments · 9 top-level

psychometry5y ago· 4 in thread

If there's one website I would never in a million years let a closed-source, venture-backed browser extension inject content into, it's console.aws.amazon.com. What a terrifying thought...

swyx5y ago

i dont disagree with your point here but just want to raise awareness that anyone can "view source" browser extensions: https://chrome.google.com/webstore/detail/chrome-extension-s...

of course, code obfuscation is a thing.

crtasm5y ago

and remember to stop the extension auto-updating (I assume Chrome lets you do so..?) and review any changes.

Diederich5y ago

> closed-source

Why do you believe that? https://github.com/deref/deref-browser-extensions

alexcroox5y ago

Chrome extensions don't mirror GitHub source, they can upload whatever they want in the zip file.

1 more reply

forty5y ago· 3 in thread

I think AWS console has a lot of room for improvement. However, I think of it as a feature, since I'm trying very hard to have people do everything in the infra as code, rather than clicking buttons, and the worse the console is, the better ;)

brandonbloomOP5y ago

Even for read-only use cases?

I've talked to _lots_ of folks who have nearly 100% IaC coverage, including folks who only expose read-only console access to the majority of their devs. But I haven't met anyone who has successfully managed to avoid logging in to the console during production incidents to debug things.

One feature we're looking at potentially adding is "Go To Definition", that lets you go from the AWS Console and jump directly to the Terraform code that produced that resource. Would that be useful to you?

forty5y ago

Good point, we do use it for read only use cases indeed.

And yes, jumping to terraform would indeed be a useful feature to have :)

Diederich5y ago

> Even for read-only use cases?

That's a bingo.

1 more reply

renewiltord5y ago· 3 in thread

Useful enough tool. Sadly I feel very nervous about any permissions on my AWS account so it must remain uninstalled. It's a pity, though.

I guess I could load it unpacked but the utility isn't high enough for me to go through the source myself.

brandonbloomOP5y ago

Anything that we could do to assuage your concerns?

For what it's worth, we're trying to be extremely thoughtful about security. If it helps (or hurts?), we're a venture backed company, have a published privacy policy, etc. We don't include any anonymous identity tracking, nor do we do any resource crawling, or anything like that. For the CloudTrail feature, we do hit a read-only API endpoint using your browser session, but we don't send any of that data to our servers. We'd never hit any read/write endpoints without you properly granting us an IAM role.

renewiltord5y ago

Actually, when I checked your website and found that you're venture-backed that made me feel safer. Ultimately, though, the problem is that the tool has too much access. I might prefer to use a role provisioned into my account to use a dedicated better console experience way before I would use the extension (it acting as me is too much exposure for me). As it so happens I find the console not too bad as it stands so maybe that's part of it.

I know you guys are well-intentioned and I'm trying to help you here by finding out what the key thing is that would make me comfortable and I'm really coming up with nothing. I just think it's too much power to get not that much utility for me.

Sorry I couldn't come up with anything concrete.

1 more reply

zxexz5y ago

One thing you can do is make the extension source-available.

deanCommie5y ago· 2 in thread

Pro-tip: Describe what this actually does. "adding functionality like price estimates for resources." is vague.

The Chrome extension asks for permission to "Read and change your data on all auth0.com sites, all aws.amazon.com sites, and all deref.io sites"

That's a LOT of power to give some random extension to my AWS account. I'm not going to do that unless I know EXACTLY what it does, how, and why.

The vaguer you are, the less I trust you.

And that doesn't get into why this extension also needs access to auth0 which is not described in the overview at all.

brandonbloomOP5y ago

Thanks for the feedback. We'll improve the description.

As for the auth0.com access, that's a bug! It's fixed in the next release. Sorry about that.

EDIT: The extension is also open source, if that's helpful at all - https://github.com/deref/deref-browser-extensions

deanCommie5y ago

That's super helpful! Please include that in the overview! :)

brandonbloomOP5y ago· 2 in thread

Hey, CEO of Deref here.

In our customer discovery calls, we've heard so much about how folks dislike the AWS Console. We figured we should do something about that!

This extension is super early days, but we'd love for it to grow. Feedback welcome!

email: hello@deref.io

twitter: @deref_inc

manigandham5y ago

Your actual website shows a much more interesting console product: https://www.deref.io/

Can you share more about that?

brandonbloomOP5y ago

We're in closed beta now and will have more to share publicly soon. Would be happy to chat though, so I'll reach out if you sign up for the beta invite list on our site or shoot a note to hello@deref.io

temp6675y ago· 2 in thread

AWS Enhancement Suite sounds like an AWS product. Consider calling it:

Enhancement Suite for AWS or

Deref Enhancement Suite for AWS

to avoid confusion?

dnissley5y ago

I think it's taking it's naming from "Reddit Enhancement Suite". I've seen a couple other extensions also go with that naming convention such as "Google Meet Enhancement Suite".

temp6675y ago

Isn't there a trademark infringement risk to put the AWS brand as the lead item? I'm surprised AWS approves of that vs the more common for AWS model for third parties targeting AWS. But great to hear AWS have such a relaxed view. The legal side would probably throw a fuss over this type of thing.

gagejustins5y ago

For a more secure approach, you might find Vantage interesting: https://www.vantage.sh/

silicon24015y ago

AWS is one of the main examples of why I miss the days when things had dedicated, native applications. I can imagine the AWS console being so much easier to use if it was something like Intellij. I don't even like Intellij compared to Sublime, but at least Intellij has an undeniable amount of power and customization. Meanwhile the AWS console is a drag to use and gets worse if you use the new UIs

tuananh5y ago

doesn't matter how cool this is, i would never use sth like this

j / k navigate · click thread line to collapse

31 comments

25 comments · 9 top-level

psychometry5y ago· 4 in thread

If there's one website I would never in a million years let a closed-source, venture-backed browser extension inject content into, it's console.aws.amazon.com. What a terrifying thought...

swyx5y ago

i dont disagree with your point here but just want to raise awareness that anyone can "view source" browser extensions: https://chrome.google.com/webstore/detail/chrome-extension-s...

of course, code obfuscation is a thing.

crtasm5y ago

and remember to stop the extension auto-updating (I assume Chrome lets you do so..?) and review any changes.

Diederich5y ago

> closed-source

Why do you believe that? https://github.com/deref/deref-browser-extensions

alexcroox5y ago

Chrome extensions don't mirror GitHub source, they can upload whatever they want in the zip file.

1 more reply

forty5y ago· 3 in thread

brandonbloomOP5y ago

Even for read-only use cases?

forty5y ago

Good point, we do use it for read only use cases indeed.

And yes, jumping to terraform would indeed be a useful feature to have :)

Diederich5y ago

> Even for read-only use cases?

That's a bingo.

1 more reply

renewiltord5y ago· 3 in thread

Useful enough tool. Sadly I feel very nervous about any permissions on my AWS account so it must remain uninstalled. It's a pity, though.

I guess I could load it unpacked but the utility isn't high enough for me to go through the source myself.

brandonbloomOP5y ago

Anything that we could do to assuage your concerns?

renewiltord5y ago

Sorry I couldn't come up with anything concrete.

1 more reply

zxexz5y ago

One thing you can do is make the extension source-available.

deanCommie5y ago· 2 in thread

Pro-tip: Describe what this actually does. "adding functionality like price estimates for resources." is vague.

The Chrome extension asks for permission to "Read and change your data on all auth0.com sites, all aws.amazon.com sites, and all deref.io sites"

That's a LOT of power to give some random extension to my AWS account. I'm not going to do that unless I know EXACTLY what it does, how, and why.

The vaguer you are, the less I trust you.

And that doesn't get into why this extension also needs access to auth0 which is not described in the overview at all.

brandonbloomOP5y ago

Thanks for the feedback. We'll improve the description.

As for the auth0.com access, that's a bug! It's fixed in the next release. Sorry about that.

EDIT: The extension is also open source, if that's helpful at all - https://github.com/deref/deref-browser-extensions

deanCommie5y ago

That's super helpful! Please include that in the overview! :)

brandonbloomOP5y ago· 2 in thread

Hey, CEO of Deref here.

In our customer discovery calls, we've heard so much about how folks dislike the AWS Console. We figured we should do something about that!

This extension is super early days, but we'd love for it to grow. Feedback welcome!

email: hello@deref.io

twitter: @deref_inc

manigandham5y ago

Your actual website shows a much more interesting console product: https://www.deref.io/

Can you share more about that?

brandonbloomOP5y ago

temp6675y ago· 2 in thread

AWS Enhancement Suite sounds like an AWS product. Consider calling it:

Enhancement Suite for AWS or

Deref Enhancement Suite for AWS

to avoid confusion?

dnissley5y ago

I think it's taking it's naming from "Reddit Enhancement Suite". I've seen a couple other extensions also go with that naming convention such as "Google Meet Enhancement Suite".

temp6675y ago

gagejustins5y ago

For a more secure approach, you might find Vantage interesting: https://www.vantage.sh/

silicon24015y ago

tuananh5y ago

doesn't matter how cool this is, i would never use sth like this

j / k navigate · click thread line to collapse