Igniting innovation: How Experience AI is empowering teachers and students across Kenya

Post Syndicated from Victor Murithi original https://www.raspberrypi.org/blog/experience-ai-is-empowering-teachers-and-students-across-kenya/

This blog post is written by Victor Murithi, Communications and Media Consultant at Young Scientists Kenya, one of our global partners for Experience AI in Kenya.

When over 100 teachers from across Kenya gathered at Kangaru High School in Embu County for the Kenya Science and Engineering Fair Nationals in April, few anticipated just how transformative a two-day workshop could be. Delivered by the Experience AI Young Scientists Kenya (YSK) team, with support from the Raspberry Pi Foundation, the training sparked more than curiosity — it sparked a shift in mindset.

This wasn’t just about introducing new tools: it was about empowering teachers to confidently lead their students into an artificial intelligence (AI)-driven future.

Students in a classroom learn about Experience AI.

National reach and local impact

What began as a plan to train just 40 teachers quickly grew into something much bigger. By the time the workshop kicked off, 104 teachers from over 80 schools across 37 counties in Kenya had registered and participated — nearly tripling the initial target.

This overwhelming interest confirmed a powerful insight: teachers are eager to understand AI, not only to better prepare their students for the future, but also for their own professional growth.

The workshop’s curriculum didn’t just focus on technical skills; it aimed to create confidence, clarity, and community among the attendees — key ingredients for successfully integrating AI into teaching and learning.

“Helping teachers move past their fear of AI and understand its potential is incredibly powerful. Because AI is the future, and through this training, we’re reaching the minds that will shape it,” explained Lucy Mwaniki, AI Community Trainer at YSK.

Practical skills, real outcomes

As part of the training, the attendees completed interactive worksheets, tested basic machine learning models, and sat a final comprehension test, something they found both validating and motivational.

“We were able to do the summative test… which turned out to be a very effective way of us understanding how in-depth and how well they grasped the knowledge,” says Lucy Mwaniki.

In one standout session, teachers collaboratively brainstormed ways AI could address national educational challenges. Ideas included models to assist students in selecting academic pathways within Kenya’s Competency Based Curriculum (CBC). Several teachers also successfully built working models, demonstrating the potential of applied learning. 

“It was a very eye-opening session… some of the teachers were able to create a very basic model, which was a wonderful experience for them,” Lucy Mwaniki explains. 

What made this training exceptional was its immediate applicability and long-term vision. By the end of two days, teachers weren’t just AI-aware — they were AI-ready, with many already starting to explore how AI tools could support entrepreneurship, lesson planning, and personalised learning pathways.

Students in a classroom setting; two of them are using a laptop to learn about AI.

Celebrating our achievements and impact 

At the close of the training, each teacher received a Certificate of Participation, recognising their commitment to professional development and their new capacity to bring AI into the classroom. The awarding of certificates added a sense of accomplishment and pride, reinforcing that teachers are key drivers of technological transformation in education.

And the impact of the training was measurable:

  • 95% of teachers agreed that the training increased their knowledge and confidence to teach AI concepts
  • 88% of teachers agreed that the training was high quality and useful for preparing them to teach the Experience AI lessons

But it doesn’t end there, as Vanessa Inziani, Head of Programs at YSK, explains, “Our commitment doesn’t end with the training — we continue to support educators with resources, mentorship, and follow-up to ensure success in delivering the program in the classroom.”

Looking ahead towards a promising AI journey

With the rapidly evolving digital landscape, AI is no longer a distant concept — it’s a present-day classroom necessity. Yet introducing AI into schools isn’t just about technical literacy; it’s about confidence, clarity, and community, and the approach the Young Scientists Kenya team and Experience AI delivered during the two-day training is anchored in this belief.

As AI continues to shape the global education landscape, programs like Experience AI provide the bridge needed to equip teachers, inspire students, and future-proof education systems. The Kangaru High School session was not a one-off — it was a catalyst for systemic change. 

Experience AI is scaling. As it expands across Kenya and beyond, the benefits are clear:

  • Empowered educators who gain confidence and skills to integrate AI in their teaching
  • Future-ready students who grasp foundational AI concepts and their real-world applications
  • Sustainable impact as trained teachers go on to influence thousands of learners in their communities

The journey from fear to fluency starts with a single step, a willingness for us all to explore what’s possible. Together, we can equip educators, inspire students, and shape Kenya’s future, one AI-literate classroom at a time. 

About Experience AI

Experience AI is an AI literacy programme, co-developed by the Raspberry Pi Foundation and Google DeepMind, that teaches students aged 11 to 14 about AI and machine learning. Thanks to funding from Google.org, Young Scientists Kenya has partnered with the Raspberry Pi Foundation to provide free training to Kenyan educators, equipping them with the skills they need to effectively deliver the programme in their settings. They are one of two global partners working with the Raspberry Pi Foundation in Kenya.

You can find out more about the programme on our website: rpf.io/expai-ysk-blogpost


Where AI Provides Value

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2025/06/where-ai-provides-value.html

If you’ve worried that AI might take your job, deprive you of your livelihood, or maybe even replace your role in society, it probably feels good to see the latest AI tools fail spectacularly. If AI recommends glue as a pizza topping, then you’re safe for another day.

But the fact remains that AI already has definite advantages over even the most skilled humans, and knowing where these advantages arise—and where they don’t—will be key to adapting to the AI-infused workforce.

AI will often not be as effective as a human doing the same job. It won’t always know more or be more accurate. And it definitely won’t always be fairer or more reliable. But it may still be used whenever it has an advantage over humans in one of four dimensions: speed, scale, scope and sophistication. Understanding these dimensions is the key to understanding AI-human replacement.

Speed

First, speed. There are tasks that humans are perfectly good at but are not nearly as fast as AI. One example is restoring or upscaling images: taking pixelated, noisy or blurry images and making a crisper and higher-resolution version. Humans are good at this; given the right digital tools and enough time, they can fill in fine details. But they are too slow to efficiently process large images or videos.

AI models can do the job blazingly fast, a capability with important industrial applications. AI-based software is used to enhance satellite and remote sensing data, to compress video files, to make video games run better with cheaper hardware and less energy, to help robots make the right movements, and to model turbulence to help build better internal combustion engines.

Real-time performance matters in these cases, and the speed of AI is necessary to enable them.

Scale

The second dimension of AI’s advantage over humans is scale. AI will increasingly be used in tasks that humans can do well in one place at a time, but that AI can do in millions of places simultaneously. A familiar example is ad targeting and personalization. Human marketers can collect data and predict what types of people will respond to certain advertisements. This capability is important commercially; advertising is a trillion-dollar market globally.

AI models can do this for every single product, TV show, website and internet user. This is how the modern ad-tech industry works. Real-time bidding markets price the display ads that appear alongside the websites you visit, and advertisers use AI models to decide when they want to pay that price—thousands of times per second.

Scope

Next, scope. AI can be advantageous when it does more things than any one person could, even when a human might do better at any one of those tasks. Generative AI systems such as ChatGPT can engage in conversation on any topic, write an essay espousing any position, create poetry in any style and language, write computer code in any programming language, and more. These models may not be superior to skilled humans at any one of these things, but no single human could outperform top-tier generative models across them all.

It’s the combination of these competencies that generates value. Employers often struggle to find people with talents in disciplines such as software development and data science who also have strong prior knowledge of the employer’s domain. Organizations are likely to continue to rely on human specialists to write the best code and the best persuasive text, but they will increasingly be satisfied with AI when they just need a passable version of either.

Sophistication

Finally, sophistication. AIs can consider more factors in their decisions than humans can, and this can endow them with superhuman performance on specialized tasks. Computers have long been used to keep track of a multiplicity of factors that compound and interact in ways more complex than a human could trace. The 1990s chess-playing computer systems such as Deep Blue succeeded by thinking a dozen or more moves ahead.

Modern AI systems use a radically different approach: Deep learning systems built from many-layered neural networks take account of complex interactions—often many billions—among many factors. Neural networks now power the best chess-playing models and most other AI systems.

Chess is not the only domain where eschewing conventional rules and formal logic in favor of highly sophisticated and inscrutable systems has generated progress. The stunning advance of AlphaFold2, the AI model of structural biology whose creators Demis Hassabis and John Jumper were recognized with the Nobel Prize in chemistry in 2024, is another example.

This breakthrough replaced traditional physics-based systems for predicting how sequences of amino acids would fold into three-dimensional shapes with a 93 million-parameter model, even though it doesn’t account for physical laws. That lack of real-world grounding is not desirable: No one likes the enigmatic nature of these AI systems, and scientists are eager to understand better how they work.

But the sophistication of AI is providing value to scientists, and its use across scientific fields has grown exponentially in recent years.

Context matters

Those are the four dimensions where AI can excel over humans. Accuracy still matters. You wouldn’t want to use an AI that makes graphics look glitchy or targets ads randomly—yet accuracy isn’t the differentiator. The AI doesn’t need superhuman accuracy. It’s enough for AI to be merely good and fast, or adequate and scalable. Increasing scope often comes with an accuracy penalty, because AI can generalize poorly to truly novel tasks. The 4 S’s are sometimes at odds. With a given amount of computing power, you generally have to trade off scale for sophistication.

Even more interestingly, when an AI takes over a human task, the task can change. Sometimes the AI is just doing things differently. Other times, AI starts doing different things. These changes bring new opportunities and new risks.

For example, high-frequency trading isn’t just computers trading stocks faster; it’s a fundamentally different kind of trading that enables entirely new strategies, tactics and associated risks. Likewise, AI has developed more sophisticated strategies for the games of chess and Go. And the scale of AI chatbots has changed the nature of propaganda by allowing artificial voices to overwhelm human speech.

It is this “phase shift,” when changes in degree may transform into changes in kind, where AI’s impacts to society are likely to be most keenly felt. All of this points to the places that AI can have a positive impact. When a system has a bottleneck related to speed, scale, scope or sophistication, or when one of these factors poses a real barrier to being able to accomplish a goal, it makes sense to think about how AI could help.

Equally, when speed, scale, scope and sophistication are not primary barriers, it makes less sense to use AI. This is why AI auto-suggest features for short communications such as text messages can feel so annoying. They offer little speed advantage and no benefit from sophistication, while sacrificing the sincerity of human communication.

Many deployments of customer service chatbots also fail this test, which may explain their unpopularity. Companies invest in them because of their scalability, and yet the bots often become a barrier to support rather than a speedy or sophisticated problem solver.

Where the advantage lies

Keep this in mind when you encounter a new application for AI or consider AI as a replacement for or an augmentation to a human process. Looking for bottlenecks in speed, scale, scope and sophistication provides a framework for understanding where AI provides value, and equally where the unique capabilities of the human species give us an enduring advantage.

This essay was written with Nathan E. Sanders, and originally appeared in The Conversation.

The Long Traditions of the Well-Groomed Beard in the Muslim World (continued)

Post Syndicated from Атанас Шиников original https://www.toest.bg/dulgite-traditsii-na-dobre-poddurzhanata-brada-v-myusyulmanskiya-svyat-produlzhenie/


Let us return to the historical foundation of the beard. To its root (asl, which is also where our own Bulgarian aslă comes from!), where its doctrinal and linguistic follicles are hidden.

The old Arabic dictionaries, take for example the most famous one, “The Language of the Arabs” (Lisan al-‘arab) by Ibn Manzur from the 13th century, devote ample attention to the terminology of the beard. In Arabic it is lihya, sharing a root with other words that also denote “bark” or “cortex” (including the cerebral one) and “covering”. And it denotes very clearly what the beard is: the collective term for the hairs growing on both cheeks and the chin. This is the standard definition, which the ancient authorities consistently reproduce, sometimes also adding the delimiting line at the ear (‘izar), which we may loosely translate as “sideburn”.

On this subject an interesting observation is made by one of the authors of contemporary treatises, a certain Sheikh Abu Abd Allah Muhammad, in the already mentioned work “The Beard in Scripture, the Sunnah and the Sayings of the Righteous Predecessors of the Community”¹. A valuable little book of around a hundred and thirty pages, insofar as it summarises many old and well-known authorities. Naturally, do not fall into the flat hermeneutic trap of thinking that such works are devoid of an interpretive element just because they look to you like a compilation of medieval sources. The interpretive element begins with the very selection of which sources will be quoted.

But the observation regarding the term for “sideburn” (‘izar) is worthwhile. Of it, the author claims, one could say that the legal theologians are more specific and give clearer definitions than the philologists. There is food for thought here, insofar as philology in a classical Muslim worldview does not exist for its own sake but serves the efforts of jurists and theologians to understand the sacred texts as the basis for law-making and for regulating the life of the community. And so theology, law and linguistics go hand in hand. So if we have a general notion of “sideburn”, it would be logical to have a discussion of exactly where it begins and ends. Here is a sophisticated description from the 17th-century Egyptian theologian and jurist Al-Qalyubi:

If a thread is run in a straight line from the top of the ear to the highest point of the forehead, then that which is adjacent to the ear and runs parallel to the side of the face is the ‘izar.²

I tried this bodily cartography at home in front of the mirror. It may be due to the shape of my skull, but it seems to me that the upper boundary of this Arabic sideburn gets cut off rather high.

There are also designations for other parts around the beard, for example the space under the lower lip, where hair also grows. This part or type of beard is called ‘anfaqa, known in English as the “soul patch”, similar to the Bulgarian “goatee” (kozya bradichka). Ibn Manzur again speaks of definitions such as “a man whose beard has taken over his entire face except for a small part”. In Arabic this was called agharr, and I immediately think of the footballer Trifon Ivanov, may he rest in peace. Ibn Manzur explicitly specifies that there is also a feminine form of the adjective “bearded” (lihyan): lihyana. I do not know why he does it, but can you avoid the association with the bearded female dwarves of Tolkien’s “The Lord of the Rings”?

Of particular significance is the Arabic adjective kass, applied to a beard, and not just any beard, but that of the Prophet himself. Because what matters is not only what he said in the Sunnah, but also how he looked. You do remember that he is “a good example for you” (Quran 33:21)? If I were a Muslim, I would try to imitate him in everything. And so it is related of him that his beard could be described with this adjective. And it, we read in Ibn Manzur’s 13th-century dictionary, means “thick” for body hair, especially for the beard of the Prophet. But not merely thick. Along with this quality go thick roots, dense rather than thin hairs, not too long, and at the same time crinkled. Add to that dyed, regularly combed and maintained, and you get the archetypal dimensions of true prophetic grooming from the sands of 7th-century Arabia. It deserves to be among the admirable characteristics of Muhammad.

Not without reason “I swear by the beard of the Prophet!” is a standard exclamation among Muslims, noted by none other than Richard Burton himself during his pilgrimage to Mecca and Medina in the 19th century. And with this perfect beard the Prophet fits perfectly into Muslim prophetology.

And so, the traditions claim, before him the messengers of Allah among humankind also had beards. Ibrahim (the biblical Abraham) had a white beard, while Isa (the biblical Jesus) had very black facial hair. And in the example of the Prophet himself, with his thick but not excessively long beard, lies the key to the sarcasm of the “slave girls” of the tales of “One Thousand and One Nights” towards men with overly long beards. We find the same mockery in the didactic “Book of Fools and Ignoramuses” of another favourite of mine, the 12th-century historian, theologian and man of letters Ibn al-Jawzi. Like “The Misers” of the earlier Al-Jahiz, here we can dig into stories of all kinds of unreasonable patterns of behaviour. And among them a significant place is given to immoderately long beards.

Among the unmistakable signs of stupidity, he writes, is the length of the beard.

According to the Torah itself, the Pentateuch of Moses (Tawrat), Ibn al-Jawzi claims, the beard had its roots in the brain, which is why whoever lets his beard grow excessively finds his brain diminishing. Something like communicating vessels. Hence the growing foolish. Wise people had said that “stupidity is manure for the beard”, and the long-bearded man is, as far as intellect goes, quite beardless.

Fine, but since it works neither with too long a beard nor with none at all, what is the optimum, one asks. Ibn al-Jawzi is a classic on this question too. The golden mean is the length of a handful or a fistful. Picture a fist’s length. Anything beyond this length is a pure minus for the intellect. If I, as a conscientious commentator, must add an additional interpretive layer: did not Allah himself say in the Quran that the Muslim community is “a community of the middle” (Quran 2:143)? And this middle can be applied to everything, the question always being: the middle between which two extremes?

The greatest transgression of the alleged fools in Ibn al-Jawzi’s account seems to consist in their deviation from the prophetic ideal. That is why their stupidity is expressed not only and solely in an intellectual deficit, but in the inability to recognise and fulfil the divine command. And as we know from the prophetic tradition, human “nature” (fitra) includes trimming the nails, trimming the moustache and letting the beard grow. In other words, if we have to refer to the beginning of Aristotle’s “Metaphysics” and paraphrase it, in human nature lies not only the striving for knowledge, but also the trimming of the nails and the growing of the beard. From this it follows that the more you neglect these commands, the further you move away from your true essence and from the purpose of your existence according to the Creator. If I am to sound like a contemporary corporate life coach, “you stop being yourself”. That is why in this theological paradigm shaving is completely inadmissible.

Do you now understand a little better the appearance of the Taliban and the grounds for their ban on barbershops? Removing the beard is categorically prohibited. Indeed the 11th-century theologian of the Maliki school Abu Umar ibn Abd al-Barr not only declares it sinful, but also explains that only effeminate men of dubious sexual identity (mukhannasun) do it. The beard stands as an indisputable sign of distinction between the two sexes, and any likening of one sex to the other is sinful. By the same implication, the shaving of hair on women is prescribed if it grows like a beard or moustache. Because the universal theological understanding is that in the fair sex this represents a defect, a deficiency (naks) or a disgrace (‘ib). And there the guidelines are mainly towards recommended shaving (mustahabb). Because in that way a person does not commit sinful interference in the creation of Allah the Most High, but on the contrary affirms the essential make-up of a woman without beard, moustache or hair under the lower lip. Some theologians of the Maliki school even further strengthen this principle and rule that if a woman grows a beard, moustache or hair under the lower lip, it is outright obligatory (wajib) to shave it.

Lest we remain under the delusion that the conservative view of the beard has sunk somewhere into the thickets of the Muslim Middle Ages as we imagine them, let us peek into the electronic world of fatwa portals. An inquisitive reader asks a question about the meaning of the prophetic tradition on letting the beard grow and trimming the moustache. The question is interesting because it refers to an interpretation by another religious authority, according to which the “letting loose” (i‘fa’) of the beard did not mean so much leaving it to grow as not braiding it.

To this the team of Sheikh Muhammad Salih al-Munajjid, from his digitised machine for religious consultations, answers along several lines. “Letting” the beard grow categorically means leaving it to grow unhindered. It invokes the authority of the well-known 12th-century historian Ibn al-Athir, who contrasts the growth of the beard with the trimming of the moustache. The hadiths in this connection are also consistently cited, especially in the injunction to Muslims to distinguish themselves from the other religious communities, the “People of the Book”, that is from Jews and Christians, as well as from the Zoroastrians (majus), by letting the beard grow. Because the other communities either trimmed their beards too much or shaved outright. Another authority is also mentioned, the 13th-century Imam An-Nawawi. His classics “Forty Hadith” and “The Gardens of the Righteous” have been translated into Bulgarian. Here the author makes an important clarification: all five verbs in Arabic used in the tradition about letting the beard grow have a very similar meaning. Taking from the beard down to the length of one fistful is permitted. And letting the beard grow is considered one of the virtues connected with human nature.

On another site, that of Sheikh Ibn Baz, we have another nuance of the question. Is the injunction to let the beard grow of the status of an obligation (wujub), or merely of a recommendation (istihbab)? Because if it is an obligation, something very important follows. If you do not observe it, you may be committing a sin (haram) and may eventually be declared an unbeliever (kafir). Things are serious. And the answer is quite sharp. All these prescriptions, to trim the moustache and let the beard grow as a gesture of categorical distinction from the unbelievers, are a religious obligation, the sheikh claims. And the prohibition on shaving and excessive trimming is categorical.

In other words, in the terminology of Islamic law (fiqh), the case is considered along the axis of the two extremes of the spectrum of categories of permissibility. At one end stands that of religious command and obligation. If you do not do it, you burn. At the other end stands the category of complete prohibition and sin. You let the beard grow. Obligatorily. You do not shave. Completely forbidden. That is how you become a true Muslim. Of course, the fatwa is far more detailed than my simplistic summary.

But somewhat smugly I can conclude that I have managed to build a bearded narrative from the time of the Prophet, unfolding according to its own consistent sacred logic. Even before reading the fatwas I found, I had guessed what today’s religious authorities would say. Perhaps because I too have slipped into selecting only those whose logic I agree with.

For example, I have deliberately decided to bracket out Turkey. The symbolic uses there of beards and moustaches between the religious and the secular, between left and right, Marxism and Turkish nationalism in the 20th century, we leave for another time. And for some other colleague. Separately, we could also reflect on why the barbershops in the centre of Sofia are not exactly the place for shaping a beard according to the sacred law of Islam.

What matters is something else. That you feel how questions of hygiene and aesthetics, culture and religion, ritual requirements, dogma and identity, relations between the sexes, literature, poetry and anecdote from Sofia to Mecca, Medina and Cairo are woven into one and the same bearded fabric of history.

And so far, as the hairdressers say, we have only trimmed the ends.

1 Hasuna, Abu Abd Allah Muhammad ibn Abd al-Hamid. Al-Lihya fi-l-kitab wa-s-Sunna wa-aqwal salafi l-umma. Cairo: Dar al-kitab wa-s-Sunna, 2007.

2 Ibid., p. 13.

In the “Orient Café” column, Atanas Shinikov presents curious topics connected not so much with hot politics as with the history and culture of the Middle East. And that region, ancient and modern, is closer to us and to our times than we imagine.

Zabbix at the Netherlands Ministry of Infrastructure and Water Management

Post Syndicated from Michael Kammer original https://blog.zabbix.com/zabbix-at-the-netherlands-ministry-of-infrastructure-and-water-management/30681/

The Ministry of Infrastructure and Water Management is the Dutch ministry responsible for transport, aviation, housing policy, public works, spatial planning, land management, and water resource management. Created in 2010 following the merger of the Ministry of Transport and Water Management and the Ministry of Housing, Spatial Planning, and Environment, the ministry works to create an efficient network of roads, railways, waterways, and airways, effective water management to protect against flooding, and improved air and water quality.

The challenge:

The ministry needed a monitoring solution that could handle not only infrastructure monitoring, but also IoT devices responsible for monitoring water levels, water quality, temperature, and other data. The infrastructure components that needed to be monitored included Red Hat Satellite and Capsule servers, Red Hat Virtual Data Centers, Red Hat Identity management, Ansible automation platforms, and a wide range of custom IoT devices.

The solution:

The Red Hat Satellite and Capsule monitoring consists of one satellite, 6 servers, and 15 satellite capsules for different environments, with approximately 2000 Linux machines connected to the satellite capsules. The machines retrieve their packages from the capsules, and the capsules act as proxies that fetch data from the satellite servers. The capsules also manage the content packages and subscriptions for the machines.

For Red Hat Satellite and Capsule monitoring, Zabbix discovers capsules via low-level discovery (LLD), which uses HTTP requests that in turn collect data via the REST API. Each capsule’s content sync status is monitored, because if the content sync fails, new packages are not installed. Connectivity between capsules and the satellite is also monitored by performing port checks, because capsules need to be able to connect to the satellite in order for the content to be synced.

Zabbix also discovers and monitors satellite repositories, checking both when the last sync was performed and the current sync status. Software subscriptions are also discovered and monitored and alerts are sent, with the severity of the alerts raised at the point when a subscription has only 30 days remaining.
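As an added example (not code from the post or from the ministry’s deployment), here is a small Python script that does the discovery-and-threshold part of the subscription monitoring described above: it converts a Satellite-style subscriptions response into Zabbix LLD JSON and computes days remaining per subscription, so a trigger can raise severity at the 30-day mark. The sample response, item key, macro names and severity labels are assumptions of the example.

```python
"""Satellite subscriptions -> Zabbix LLD rows and per-subscription days-left values.

Added example; the API shape, item key, macro names and severity labels are
assumptions, not the ministry's or Zabbix's own definitions.
"""
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Satellite /katello/api/subscriptions
# response; only the fields this example uses are included.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"id": 7, "name": "Red Hat Enterprise Linux Server",
         "end_date": "2025-07-15T00:00:00Z"},
        {"id": 9, "name": "Red Hat Satellite Infrastructure",
         "end_date": "2026-01-01T00:00:00Z"},
        {"id": 11, "name": "Lab Subscription (lapsed)",
         "end_date": "2025-05-01T00:00:00Z"},
    ]
})

# Fixed "now" so the sample is reproducible (constructed).
SAMPLE_NOW = datetime(2025, 6, 20, tzinfo=timezone.utc)

WARNING_DAYS = 30                                # threshold the post describes
ITEM_KEY = "satellite.subscription.days_left"   # assumed item key


def parse_end_date(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; Python < 3.11 rejects a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def days_remaining(end_date: str, now: datetime) -> int:
    """Whole days until the subscription ends; negative once it has lapsed."""
    return (parse_end_date(end_date) - now).days


def classify(days: int) -> str:
    """Severity labels are this example's own: 'expired' below zero,
    'warning' inside the 30-day window, otherwise 'ok'."""
    if days < 0:
        return "expired"
    if days <= WARNING_DAYS:
        return "warning"
    return "ok"


def build_lld(response_json: str) -> dict:
    """Zabbix LLD payload: one row per subscription, keyed by {#MACRO} names.
    The {"data": [...]} wrapper is the long-supported LLD JSON form."""
    results = json.loads(response_json)["results"]
    return {"data": [{"{#SUBID}": str(r["id"]), "{#SUBNAME}": r["name"]}
                     for r in results]}


def build_values(response_json: str, now: datetime) -> dict:
    """Map item key -> (days_left, severity) for every discovered subscription."""
    results = json.loads(response_json)["results"]
    values = {}
    for r in results:
        days = days_remaining(r["end_date"], now)
        values[f"{ITEM_KEY}[{r['id']}]"] = (days, classify(days))
    return values


# Illustrative trigger prototype for the discovered item (Zabbix 5.4+ syntax),
# assuming the host is named "Satellite":
#   last(/Satellite/satellite.subscription.days_left[{#SUBID}])<=30

if __name__ == "__main__":
    print(json.dumps(build_lld(SAMPLE_RESPONSE), indent=2))
    for key, (days, severity) in build_values(SAMPLE_RESPONSE, SAMPLE_NOW).items():
        print(f"{key}: {days} days -> {severity}")
```

In a real deployment the JSON would come from an HTTP agent master item and the discovery and day-count steps would be preprocessing rules in Zabbix rather than a script; the logic is the same.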

Red Hat Virtual Data Center licences and identity management also benefit from the added flexibility that Zabbix brings to the table. Virtual DC licences must be present on ESX hosts, so situations where an ESX host with an active licence has no VMs on it (or has VMs migrated to it) must be avoided, because that would mean that a licence is essentially being wasted. Whenever a Zabbix trigger detects a problem, Ansible automatically attaches or detaches a licence to or from the ESX host, depending on the type of problem detected.

When it comes to Red Hat identity management, Zabbix discovers and monitors processes on the identity management platform (including identity management service status) thanks to the ability to extend Zabbix agent with user parameters.

Meanwhile, Ansible Automation Platform monitoring consists of monitoring for controllers. The Ansible Automation Platform API is used to discover the controllers, and each controller is checked to see if any jobs are running, their last seen time, their capacity, and their status. Sometimes controllers are disabled for maintenance and then re-enabled, so alerts are sent out for controllers that have been disabled for a longer time.

Ansible Automation Platform monitoring also includes monitoring decommission machines, which are assigned to a group instead of being immediately deleted. Zabbix monitors the grace period for the decommission machines and alerts users if the grace period is over, generating a warning if an Ansible host is disabled for seven days and then escalating it if the machine has been disabled for more than 14 days.

Zabbix also discovers and monitors configuration management jobs, and if a job fails it will attempt to restart it. If the issue is still not resolved, it is escalated to the appropriate individual. These Ansible checks are primarily done via HTTP agent items, from Zabbix servers or proxies.

Finally, in addition to infrastructure monitoring, Zabbix also monitors the health of IoT devices responsible for water levels, water quality, temperature, and other data. These devices run on Raspberry Pi modules, and Zabbix Agent 2 is used to monitor the device status. Zabbix Agent 2 with a local agent database is used on these devices for the cases where the agent is unable to send its metrics. Should a network outage happen, Zabbix stores the backlog data in the local agent database and sends it once connectivity returns.

The results:

Trusting their monitoring to Zabbix has greatly improved processes at the ministry, saving time and money by making it easy to notice and fix issues before affected departments themselves were aware of them. In addition, having the latest historical data at their fingertips has been invaluable to the ministry’s technical teams during troubleshooting or when dealing with performance issues, saving everyone involved a great deal of time.

In conclusion

Zabbix’s flexible nature and its ability to integrate with popular platforms as well as custom devices made it the perfect “one-stop shop” for the ministry’s needs, consolidating all of their monitoring in a single pane of glass and giving them complete visibility into every layer of their infrastructure – while also integrating smoothly with their existing systems.

To learn more about what Zabbix can do for customers in the public sector, contact us.

The post Zabbix at the Netherlands Ministry of Infrastructure and Water Management appeared first on Zabbix Blog.

Locally hosting an internet-connected server

Post Syndicated from Matthew Garrett original https://mjg59.dreamwidth.org/72095.html

I’m lucky enough to have a weird niche ISP available to me, so I’m paying $35 a month for around 600MBit symmetric data. Unfortunately they don’t offer static IP addresses to residential customers, and nor do they allow multiple IP addresses per connection, and I’m the sort of person who’d like to run a bunch of stuff myself, so I’ve been looking for ways to manage this.

What I’ve ended up doing is renting a cheap VPS from a vendor that lets me add multiple IP addresses for minimal extra cost. The precise nature of the VPS isn’t relevant – you just want a machine (it doesn’t need much CPU, RAM, or storage) that has multiple world routeable IPv4 addresses associated with it and has no port blocks on incoming traffic. Ideally it’s geographically local and peers with your ISP in order to reduce additional latency, but that’s a nice to have rather than a requirement.

By setting that up you now have multiple real-world IP addresses that people can get to. How do we get them to the machine in your house you want to be accessible? First we need a connection between that machine and your VPS, and the easiest approach here is WireGuard. We only need a point-to-point link, nothing routable, and none of the IP addresses involved need to have anything to do with any of the rest of your network. So, on your local machine you want something like:

[Interface]
PrivateKey = privkeyhere
ListenPort = 51820
Address = localaddr/32

[Peer]
Endpoint = VPS:51820
PublicKey = pubkeyhere
AllowedIPs = vpswgaddr/32

And on your VPS, something like:

[Interface]
Address = vpswgaddr/32
SaveConfig = true
ListenPort = 51820
PrivateKey = privkeyhere

[Peer]
PublicKey = pubkeyhere
AllowedIPs = localaddr/32

The addresses here are (other than the VPS address) arbitrary – but they do need to be consistent, otherwise WireGuard is going to be unhappy and your packets will not have a fun time. Bring that interface up with wg-quick and make sure the devices can ping each other over their tunnel addresses. Hurrah! That’s the easy bit.

Now you want packets from the outside world to get to your internal machine. Let’s say the external IP address you’re going to use for that machine is 203.0.113.9 (an address from the reserved documentation range, standing in for one of the VPS’s routable addresses) and the WireGuard address of your local system is 10.255.0.2. On the VPS, you’re going to want to do:

iptables -t nat -A PREROUTING -p tcp -d 203.0.113.9 -j DNAT --to-destination 10.255.0.2

Now, all incoming TCP packets for 203.0.113.9 will be rewritten to head towards 10.255.0.2 instead (make sure you’ve set net.ipv4.ip_forward to 1 via sysctl, and that the VPS’s FORWARD chain accepts the forwarded traffic if its default policy is DROP!). Victory! Or is it? Well, no.

What we’re doing here is rewriting the destination address of the packets so that instead of heading to an address associated with the VPS, they’re now going to head to your internal system over the WireGuard link. Which is then going to ignore them, because the AllowedIPs statement in the config only allows packets coming from your VPS, and these packets still have their original source IP. We could rewrite the source IP to match the VPS IP, but then you’d have no idea where any of these packets were coming from, and that sucks. Let’s do something better.

On the local machine, in the peer stanza, update AllowedIPs to 0.0.0.0/0 to permit packets from any source to appear over our WireGuard link. But if we bring the interface up now, wg-quick will try to route all traffic over the WireGuard link, which isn’t what we want. So we’ll add Table = off to the interface stanza of the config to disable that, and now we can bring the interface up without breaking everything while still allowing packets to reach us. However, we do still need to tell the kernel how to reach the remote tunnel endpoint, which we can do with ip route add vpswgaddr dev wg0. Add this to the interface stanza as:

PostUp = ip route add vpswgaddr dev wg0
PreDown = ip route del vpswgaddr dev wg0

That’s half the battle. The problem is that those packets are going to show up with the source address still set to the original source IP, and your internal system is (because Linux) going to notice it has the ability to just send replies to the outside world via your ISP rather than via WireGuard, and nothing is going to work. Thanks, Linux. Thinux.

But there’s a way to solve this – policy routing. Linux allows you to have multiple separate routing tables, and to define policy that controls which routing table will be used for a given packet. First, let’s define a new table reference. On the local machine, edit /etc/iproute2/rt_tables and add a new entry that’s something like:

1 wireguard

where “1” is just a stand-in for a number not otherwise used there. Now edit your WireGuard config and replace Table = off with Table = wireguard – wg-quick will now update the wireguard routing table rather than the global one. Now all we need to do is to tell the kernel to push packets into the appropriate routing table – we can do that with ip rule add from localaddr lookup wireguard, which tells the kernel to take any packet coming from our WireGuard address and push it via the wireguard routing table. Add that to your WireGuard interface config as:

PostUp = ip rule add from localaddr lookup wireguard
PreDown = ip rule del from localaddr lookup wireguard

and now your local system is effectively on the internet.
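The “they do need to be consistent” requirement above is easy to get wrong and WireGuard fails silently when you do, so here is a small checker (an added example, not code from the original post) that parses both wg-quick files and flags the pitfalls walked through above: a VPS AllowedIPs that doesn’t cover the local tunnel address, a local AllowedIPs narrower than 0.0.0.0/0 (DNATed packets get dropped), 0.0.0.0/0 without Table set (the default route gets hijacked), and a missing route or ip rule for the policy-routing table. The tunnel addresses 10.255.0.1/10.255.0.2, the endpoint 203.0.113.10 and the key placeholders in the sample configs are constructed values, not from the post.

```python
"""Consistency checker for a wg-quick point-to-point pair (added example)."""
import ipaddress
from typing import Dict, List, Optional


def parse_wg(text: str) -> Dict[str, object]:
    """Parse a wg-quick config into {"interface": {...}, "peers": [{...}, ...]}.
    Keys are lower-cased; a key repeated inside one section (several PostUp or
    AllowedIPs lines) is joined with commas so the checks below can split it."""
    iface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick accepts '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = iface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        current[key] = f"{current[key]},{value}" if key in current else value
    return {"interface": iface, "peers": peers}


def _networks(csv: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(s.strip(), strict=False) for s in csv.split(",") if s.strip()]


def check_pair(local_cfg: str, vps_cfg: str) -> List[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    local, vps = parse_wg(local_cfg), parse_wg(vps_cfg)
    lif, vif = local["interface"], vps["interface"]
    lpeer, vpeer = local["peers"][0], vps["peers"][0]
    problems: List[str] = []
    local_addr = ipaddress.ip_interface(lif["address"]).ip
    vps_addr = ipaddress.ip_interface(vif["address"]).ip
    # 1. The VPS only accepts tunnel packets whose source is inside its AllowedIPs.
    if not any(local_addr in net for net in _networks(vpeer.get("allowedips", ""))):
        problems.append(f"VPS [Peer] AllowedIPs does not cover the local address {local_addr}")
    # 2. The port in the local Endpoint must be the VPS ListenPort.
    endpoint, vps_port = lpeer.get("endpoint", ""), vif.get("listenport")
    if vps_port is None or endpoint.rsplit(":", 1)[-1] != vps_port:
        problems.append(f"local Endpoint {endpoint!r} does not match VPS ListenPort {vps_port}")
    # 3. DNATed packets keep their original Internet source, so the local side
    #    must accept any source or WireGuard silently drops them.
    local_allowed = _networks(lpeer.get("allowedips", ""))
    if not any(net.prefixlen == 0 for net in local_allowed):
        problems.append("local [Peer] AllowedIPs must be 0.0.0.0/0 to accept forwarded traffic")
        return problems
    # 4. With 0.0.0.0/0 wg-quick installs a default route unless Table is 'off' or a
    #    dedicated table; the VPS tunnel address still needs an explicit route and a
    #    named table needs the matching ip rule.
    table = lif.get("table", "auto").lower()
    postup = lif.get("postup", "")
    if table == "auto":
        problems.append("AllowedIPs is 0.0.0.0/0 but Table is unset: wg-quick would hijack the default route")
    if f"ip route add {vps_addr} " not in postup:
        problems.append(f"missing 'PostUp = ip route add {vps_addr} dev wg0'")
    if table not in ("auto", "off") and f"lookup {table}" not in postup:
        problems.append(f"Table = {table} but no 'ip rule add from {local_addr} lookup {table}' in PostUp")
    return problems


# Constructed sample pair: 10.255.0.1/.2 tunnel addresses, 203.0.113.10 as the VPS
# public address, placeholders instead of real keys.
LOCAL_CFG = """
[Interface]
PrivateKey = LOCAL_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
Address = 10.255.0.2/32
Table = wireguard
PostUp = ip route add 10.255.0.1 dev wg0
PostUp = ip rule add from 10.255.0.2 lookup wireguard
PreDown = ip rule del from 10.255.0.2 lookup wireguard
PreDown = ip route del 10.255.0.1 dev wg0

[Peer]
Endpoint = 203.0.113.10:51820
PublicKey = VPS_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
"""

VPS_CFG = """
[Interface]
Address = 10.255.0.1/32
SaveConfig = true
ListenPort = 51820
PrivateKey = VPS_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = LOCAL_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.255.0.2/32
"""

if __name__ == "__main__":
    print(check_pair(LOCAL_CFG, VPS_CFG) or ["ok"])
```

Run it against your own two files before wg-quick up; the first-draft local config from earlier in the post (AllowedIPs = vpswgaddr/32, no Table) is reported as dropping forwarded traffic, and the same file with 0.0.0.0/0 but no Table line is reported as hijacking the default route.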

You can do this for multiple systems – just configure additional WireGuard interfaces on the VPS and make sure they’re all listening on different ports. If your local IP changes then your local machines will end up reconnecting to the VPS, but to the outside world their accessible IP address will remain the same. It’s like having a real IP without the pain of convincing your ISP to give it to you.


How AWS improves active defense to empower customers

Post Syndicated from Stephen Goodman original https://aws.amazon.com/blogs/security/how-aws-improves-active-defense-to-empower-customers/

At AWS, security is the top priority, and today we’re excited to share work we’ve been doing towards our goal to make AWS the safest place to run any workload. In earlier posts on this blog, we shared details of our internal active defense systems, like MadPot (global honeypots), Mithra (domain graph neural network), and Sonaris (network mitigations). We’re still inventing new ways to improve the effectiveness of threat intelligence and automated response to detect and help prevent attacks. Today we’ll share advancements in active defense related to malware, software vulnerabilities, and AWS resource misconfigurations. Like the other posts we linked to, these are constantly improving capabilities that our customers get just for being on the AWS network. We’ll discuss these topics in more depth at re:inforce 2025 during Innovation Talk SEC302.

Stopping malware from spreading

Financially motivated threat actors try to gain access to a wide array of networked assets. The more resources they control, the more places they can hide, and the longer they can profit from their abusive operations. As such, threat actor malware often contains modules to scan for new targets, replicate binaries over the network, and then repeat. If left unchecked, such rapidly spreading behavior can lead to network congestion, service availability loss, and data destruction. We want to help prevent this behavior to the greatest degree possible.

One effective strategy we employ is identifying the threat actor’s key infrastructure where malware is centrally controlled. We use a variety of techniques to identify, verify, track, and disrupt threat infrastructure. Using network traffic logs, honeypot interactions, and malware samples from an array of sensor positions, we mitigate botnets, abusive proxies, and peer-to-peer malware. Over the past 12 months, AWS helped prevent over 4 million malware infection attempts across 315 thousand distinct Amazon Elastic Compute Cloud (Amazon EC2) instances. By protecting workloads from these malware infections, we not only protect our network and our customers, but also the broader internet from further malware expansion.

Advancements in threat hunting and mitigating software vulnerabilities

At Amazon, we’re proud to support software vulnerability research with programs for bug bounty, vulnerability disclosure, and open source contribution. We’ve also become a more active participant in the CVE process by becoming a CVE Numbering Authority (CNA) for the software and services provided by Amazon. Thanks to the public CVE database, we see vulnerability research accelerating as reported CVEs have grown by 21 percent year-over-year since 2013, with over 40 thousand CVEs published in 2024. This virtuous cycle of finding and resolving vulnerabilities improves cyber security over time, but AWS sees threat actors searching for unresolved vulnerabilities to gain unauthorized access to resources.

We’ve expanded MadPot and Sonaris to identify and stop a broader range of malicious vulnerability scanning and exploitation activity, protecting every AWS customer from vulnerability exposure. We’ve added hundreds of new detections and MadPot service emulations to identify real attacks. As we’ve expanded our visibility, we’ve continued blocking hundreds of millions of CVE exploit attempts daily across the AWS network.

As we’ve made these active defense systems better at stopping CVE exploit attacks, the total number of attacks has gone down by over 55 percent in the last 12 months, as shown in Figure 1. There are many factors outside our control in this observation, but we’re happy to see fewer CVE exploit attacks. This trend coincides with the detection, regionalization, latency, and guardrail improvements we’ve made in 2025. No system can block everything, so fewer exploit attempts mean less risk across a wide range of workloads.

Figure 1: Chart showing the decrease in global malicious vulnerability exploit attempts


This work to identify known exploits in the wild directly benefits users of vulnerability intelligence in Amazon Inspector, which provides an Amazon Inspector score for customers to prioritize where to spend security hardening resources. This includes the most recent date of observed exploitation attempts, the MITRE ATT&CK techniques associated with the exploit activity, and the industries targeted.

Protecting architectures built on AWS

AWS actively defends compute and network resources for our customers; we also defend the distinct AWS-native resources that customers rely on. AWS access key credentials are a critical resource that allow access to customer accounts. The AWS Identity and Access Management best practices share proven techniques for customers to keep their credentials from being abused. Through active defense, we do even more to help customers who haven’t yet adopted these best practices.

Each day, AWS helps prevent an average of 167 million malicious scanning connections seeking unintentionally exposed AWS access key pairs. In case access keys are discovered through other means, we’ve expanded our protection of customer-managed IAM credentials. When our threat intelligence analytics show that a customer-managed credential is known by a threat actor, we put mitigations in place to restrict access to highly privileged operations. We also send customized notifications to help customers identify how the credential was exposed. These efforts are paying off for our customers every day; the following response is a good example of what we hear regularly:

This is a key that we already rotated a few weeks ago based on another alarm from you. It turned out that the new rotated key happened to be in your second alarm to us. So it meant that the app that the key was linked to was still leaking it.

So on Monday we sat down with the dev team, found where the app was leaking some secrets from, we patched it, I rotated all the exposed secrets (it was more than the IAM key) and we plugged in the extra security in the app.

So thanks again for those alerts, they are very precious.
– AWS Customer

In a specific case of threat activity in November and December of 2024, customers reported ransomware activity against their objects in Amazon Simple Storage Service (Amazon S3) storage. We saw that these ransom threats were highly correlated with exposed customer-managed IAM keys. We applied quarantines to the exposed keys, taking care to make sure that normal customer operations could continue safely. We re-sent our proactive notifications to customers about keys that were likely exposed, because the risk of an attack was elevated. During this period, we worked together with customers to deactivate over 30 thousand exposed credentials. Since this threat activity began, AWS has helped prevent over 943 million malicious attempts to encrypt customer Amazon S3 objects.

These credential exposure detections flow into Amazon GuardDuty Extended Threat Detection, simplifying threat detection and response operations for modern cloud environments.

Better together

The approach AWS takes to active defense shows how security can be improved by layering protections across the infrastructure stack and using threat intelligence to drive risk reduction. By building active defense into our services at no extra cost, AWS helps our customers stay protected from a wide range of threats.

While we continue to constantly improve our protections for our customers, some of our work is by nature probabilistic, because we never see inside customer workloads. We don’t apply active defense in situations where the detection is ambiguous, because that might impact our customers’ production systems. To stay secure, customers should never let down their own defenses. AWS security services like AWS Identity and Access Management (IAM), AWS Shield Advanced, AWS WAF, AWS Network Firewall, Amazon GuardDuty, and Amazon Inspector provide prevention, detection, and response that customers can configure for their unique needs. The good news is that by working together, we’re making the internet safer for everyone.


Stephen Goodman


As a senior manager for Amazon active defense, Stephen leads data-driven programs to protect AWS customers and the internet from threat actors.

Tom Scholl


AWS VP and Distinguished Engineer, Tom collaborates with networks across the globe to stop cyberattacks by tracking traffic from bad actors at its source.

Changes to Kubernetes Slack (Kubernetes Contributors blog)

Post Syndicated from jzb original https://lwn.net/Articles/1025634/

The Kubernetes project has announced that it will be losing its “special status” with the Slack communication platform and will be downgraded to the free tier in a matter of days:

On Friday, June 20, we will be subject to the feature limitations of free Slack. The primary ones which will affect us will be only retaining 90 days of history, and having to disable several apps and workflows which we are currently using. The Slack Admin team will do their best to manage these limitations.

The project has a FAQ covering the change, its impacts, and more. The CNCF projects staff has proposed a move to the Discord service as the best option to handle the more than 200,000 users and thousands of posts per day from the Kubernetes community. The Kubernetes Steering Committee will be making its decision “in the next few weeks”.

Reduce time to access your transactional data for analytical processing using the power of Amazon SageMaker Lakehouse and zero-ETL

Post Syndicated from Avijit Goswami original https://aws.amazon.com/blogs/big-data/reduce-time-to-access-your-transactional-data-for-analytical-processing-using-the-power-of-amazon-sagemaker-lakehouse-and-zero-etl/

As the lines between analytics and AI continue to blur, organizations find themselves dealing with converging workloads and data needs. Historical analytics data is now being used to train machine learning models and power generative AI applications. This shift requires shorter time to value and tighter collaboration among data analysts, data scientists, machine learning (ML) engineers, and application developers. However, the reality of scattered data across various systems—from data lakes to data warehouses and applications—makes it difficult to access and use data efficiently. Moreover, organizations attempting to consolidate disparate data sources into a data lakehouse have historically relied on extract, transform, and load (ETL) processes, which have become a significant bottleneck in their data analytics and machine learning initiatives. Traditional ETL processes are often complex, requiring significant time and resources to build and maintain. As data volumes grow, so do the costs associated with ETL, leading to delayed insights and increased operational overhead. Many organizations find themselves struggling to efficiently onboard transactional data into their data lakes and warehouses, hindering their ability to derive timely insights and make data-driven decisions. In this post, we address these challenges with a two-pronged approach:

  • Unified data management: Using Amazon SageMaker Lakehouse to get unified access to all your data across multiple sources for analytics and AI initiatives with a single copy of data, regardless of how and where the data is stored. SageMaker Lakehouse is powered by AWS Glue Data Catalog and AWS Lake Formation and brings together your existing data across Amazon Simple Storage Service (Amazon S3) data lakes and Amazon Redshift data warehouses with integrated access controls. In addition, you can ingest data from operational databases and enterprise applications into the lakehouse in near real-time using zero-ETL, which is a set of fully managed integrations from AWS that eliminates or minimizes the need to build ETL data pipelines.
  • Unified development experience: Using Amazon SageMaker Unified Studio to discover your data and put it to work using familiar AWS tools for complete development workflows, including model development, generative AI application development, data processing, and SQL analytics, in a single governed environment.

In this post, we demonstrate how you can bring transactional data from AWS OLTP data stores such as Amazon Relational Database Service (Amazon RDS) and Amazon Aurora into Amazon Redshift using zero-ETL integrations, and then into the SageMaker Lakehouse federated catalog (bring your own Amazon Redshift into SageMaker Lakehouse). With this integration, you can seamlessly onboard the changed data from OLTP systems to a unified lakehouse and expose it to analytical applications through Apache Iceberg APIs from the new SageMaker Unified Studio. Through this integrated environment, data analysts, data scientists, and ML engineers can use SageMaker Unified Studio to perform advanced SQL analytics on the transactional data.

Architecture patterns for a unified data management and unified development experience

In this architecture pattern, we show you how to use zero-ETL integrations to seamlessly replicate transactional data from Amazon Aurora MySQL-Compatible Edition, an operational database, into the Redshift Managed Storage layer. This zero-ETL approach eliminates the need for complex data extraction, transformation, and loading processes, enabling near real-time access to operational data for analytics. The transferred data is then cataloged using a federated catalog in the SageMaker Lakehouse catalog and exposed through the Iceberg REST catalog API, facilitating comprehensive data analysis by consumer applications.

You then use SageMaker Unified Studio to perform advanced analytics on the transactional data, bridging the gap between operational databases and advanced analytics capabilities.

Prerequisites

Make sure that you have the following prerequisites:

Deployment steps

In this section, we share steps for deploying resources needed for Zero-ETL integration using AWS CloudFormation.

Set up resources with CloudFormation

This post provides a CloudFormation template as a general guide. You can review and customize it to suit your needs. Some of the resources that this stack deploys incur costs when in use. The CloudFormation template provisions the following components:

  1. An Aurora MySQL provisioned cluster (source).
  2. An Amazon Redshift Serverless data warehouse (target).
  3. Zero-ETL integration between the source (Aurora MySQL) and target (Amazon Redshift Serverless). See Aurora zero-ETL integrations with Amazon Redshift for more information.

Create your resources

To create resources using AWS CloudFormation, follow these steps:

  1. Sign in to the AWS Management Console.
  2. Select the us-east-1 AWS Region in which to create the stack.
  3. Open the AWS CloudFormation console.
  4. Choose Launch Stack
    https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/template?templateURL=https://aws-blogs-artifacts-public.s3.us-east-1.amazonaws.com/BDB-4866/aurora-zero-etl-redshift-lakehouse-cfn.yaml
  5. Choose Next.
    This automatically launches CloudFormation in your AWS account with a template. It prompts you to sign in as needed. You can view the CloudFormation template from within the console.
  6. For Stack name, enter a stack name, for example UnifiedLHBlogpost.
  7. Keep the default values for the rest of the Parameters and choose Next.
  8. On the next screen, choose Next.
  9. Review the details on the final screen and select I acknowledge that AWS CloudFormation might create IAM resources.
  10. Choose Submit.

Stack creation can take up to 30 minutes.

  11. After the stack creation is complete, go to the Outputs tab of the stack and record the values of the keys for the following components, which you will use in a later step:
    • NamespaceName
    • PortNumber
    • RDSPassword
    • RDSUsername
    • RedshiftClusterSecurityGroupName
    • RedshiftPassword
    • RedshiftUsername
    • VPC
    • Workgroupname
    • ZeroETLServicesRoleNameArn

Implementation steps

To implement this solution, follow these steps:

Setting up zero-ETL integration

A zero-ETL integration is already created as part of the CloudFormation template provided. Use the following steps from the zero-ETL integration post to complete setting up the integration:

  1. Create a database from integration in Amazon Redshift
  2. Populate source data in Aurora MySQL
  3. Validate the source data in your Amazon Redshift data warehouse

Bring Amazon Redshift metadata to the SageMaker Lakehouse catalog

Now that transactional data from Aurora MySQL is replicating into Redshift tables through zero-ETL integration, you next bring the data into SageMaker Lakehouse, so that operational data can co-exist and be accessed and governed together with other data sources in the data lake. You do this by registering an existing Amazon Redshift Serverless namespace that has Zero-ETL tables as a federated catalog in SageMaker Lakehouse.

Before starting the next steps, you need to configure data lake administrators in AWS Lake Formation.

  1. Go to the Lake Formation console and, in the navigation pane, choose Administrative roles and tasks under Administration. Under Data lake administrators, choose Add.
  2. In the Add administrators page, under Access type, select Data Lake administrator.
  3. Under IAM users and roles, select Admin. Choose Confirm.

Add AWS Lake Formation Administrators

  1. On the Add administrators page, for Access type, select Read-only administrators. Under IAM users and roles, select AWSServiceRoleForRedshift and choose Confirm. This step enables Amazon Redshift to discover and access catalog objects in AWS Glue Data Catalog.

Add AWS Lake Formation Administrators 2

With the data lake administrators configured, you’re ready to bring your existing Amazon Redshift metadata to SageMaker Lakehouse catalog:

  1. From the Amazon Redshift Serverless console, choose Namespace configuration in the navigation pane.
  2. Under Actions, choose Register with AWS Glue Data Catalog. You can find more details on registering a federated Amazon Redshift catalog in Registering namespaces to the AWS Glue Data Catalog.

  3. Choose Register. This registers the namespace with the AWS Glue Data Catalog.

  4. After registration is complete, the Namespace register status changes to Registered to AWS Glue Data Catalog.
  5. Navigate to the Lake Formation console and choose Catalogs (New) under Data Catalog in the navigation pane. Here you can see a pending catalog invitation for the Amazon Redshift namespace registered in the Data Catalog.

  6. Select the pending invitation and choose Approve and create catalog. For more information, see Creating Amazon Redshift federated catalogs.

  7. Enter the Name, Description, and IAM role (created by the CloudFormation template). Choose Next.

  8. Grant permissions using a principal that is eligible to provide all permissions (an admin user).
    • Select IAM users and roles and choose Admin.
    • Under Catalog permissions, select Super user to grant super user permissions.

    Assigning super user permissions grants the user unrestricted permissions to the resources (databases, tables, views) within this catalog. As a security best practice, follow the principle of least privilege and grant users only the permissions required to perform a task wherever applicable.

  9. As a final step, review all settings and choose Create Catalog.

After the catalog is created, you will see two objects under Catalogs: dev refers to the local dev database inside Amazon Redshift, and aurora_zeroetl_integration is the database created for the Aurora to Amazon Redshift zero-ETL tables.

Fine-grained access control

To set up fine-grained access control, follow these steps:

  1. To grant permission to individual objects, choose Action and then select Grant.

  2. On the Principals page, grant access to individual objects or more than one object to different principals under the federated catalog.
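As an added example (not part of the original post), the following Python script shows what the least-privilege alternative to the Super user grant looks like when scripted against the same Lake Formation API that the console steps above drive: DESCRIBE on the demodb database so the project can see it, and SELECT/DESCRIBE on named tables only. The account ID, the project role ARN, the table names, and the “<account>:<catalog>/<database>” form of the nested catalog ID are assumptions to replace with the values shown in your own Lake Formation console; apply_grants() is the only part that talks to AWS.

```python
"""Least-privilege Lake Formation grants for a Unified Studio project role (added example)."""
from typing import Dict, Iterable, List

# Constructed example values; replace with your account, catalog and project role.
ACCOUNT_ID = "123456789012"
FEDERATED_CATALOG = "redshift-zetl-auroramysql-catalog"
REDSHIFT_DATABASE = "aurora_zeroetl_integration"  # Redshift database holding the zero-ETL tables
SCHEMA = "demodb"  # Redshift schema, surfaced to Lake Formation as a database
PROJECT_ROLE_ARN = "arn:aws:iam::123456789012:role/datazone_usr_role_example"  # assumed role name

READ_ONLY = {"DESCRIBE", "SELECT"}


def nested_catalog_id(account_id: str, catalog: str, database: str) -> str:
    """Lake Formation CatalogId of a Redshift database inside a federated catalog.
    The '<account>:<catalog>/<database>' form is an assumption; check it against the
    Catalog ID that the Lake Formation console shows for your catalog."""
    return f"{account_id}:{catalog}/{database}"


def build_grants(principal_arn: str, catalog_id: str, database: str,
                 tables: Iterable[str],
                 permissions: Iterable[str] = ("DESCRIBE", "SELECT")) -> List[Dict]:
    """Build the keyword arguments for one grant_permissions() call per resource.
    DESCRIBE is granted on the database so the project can list it; the requested
    permissions are granted table by table. Anything beyond read-only is refused, so
    a Super user / ALL grant cannot be scripted by accident."""
    perms = set(permissions)
    if not perms <= READ_ONLY:
        raise ValueError(f"refusing non-read-only permissions: {sorted(perms - READ_ONLY)}")
    tables = list(tables)
    if not tables:
        raise ValueError("name the tables to expose; do not grant the whole database")
    principal = {"DataLakePrincipalIdentifier": principal_arn}
    grants: List[Dict] = [{
        "Principal": principal,
        "Resource": {"Database": {"CatalogId": catalog_id, "Name": database}},
        "Permissions": ["DESCRIBE"],
    }]
    for table in tables:
        grants.append({
            "Principal": principal,
            "Resource": {"Table": {"CatalogId": catalog_id, "DatabaseName": database, "Name": table}},
            "Permissions": sorted(perms),
        })
    return grants


def apply_grants(grants: List[Dict], region: str = "us-east-1") -> int:
    """Send the grants to Lake Formation with boto3 (network call; needs credentials)."""
    import boto3  # imported here so the builder above stays usable offline
    lakeformation = boto3.client("lakeformation", region_name=region)
    for grant in grants:
        lakeformation.grant_permissions(**grant)
    return len(grants)


if __name__ == "__main__":
    catalog_id = nested_catalog_id(ACCOUNT_ID, FEDERATED_CATALOG, REDSHIFT_DATABASE)
    for grant in build_grants(PROJECT_ROLE_ARN, catalog_id, SCHEMA, ["customer", "orders"]):
        print(grant)
```

Review the printed requests first, then call apply_grants() on them with credentials for a Lake Formation administrator; the resulting permissions are the ones that show up under the catalog’s Grant view described above.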

Access lakehouse data using SageMaker Unified Studio

SageMaker Unified Studio provides an integrated experience outside the AWS Management Console for using all your data for analytics and AI applications. In this post, we show you how to use the new experience through the Amazon SageMaker management console to create a SageMaker platform domain using the quick setup method. To do this, you set up IAM Identity Center and a SageMaker Unified Studio domain, and then access data through SageMaker Unified Studio.

Set up IAM Identity Center

Before creating the domain, make sure that your data admins and data workers are ready to use the Unified Studio experience by enabling IAM Identity Center for single sign-on, following the steps in Setting up Amazon SageMaker Unified Studio. You can use Identity Center to set up single sign-on for individual accounts and for accounts managed through AWS Organizations. Add users or groups to the IAM Identity Center instance as appropriate. The following screenshot shows an example email sent to a user through which they can activate their account in IAM Identity Center.

Set up a SageMaker Unified Studio domain

Follow the steps in Create an Amazon SageMaker Unified Studio domain – quick setup to set up a SageMaker Unified Studio domain. You need to choose the VPC that was created by the CloudFormation stack earlier.

The quick setup method also has a Create VPC option that sets up a new VPC, subnets, NAT Gateway, VPC endpoints, and so on, and is meant for testing purposes. There are charges associated with this, so delete the domain after testing.

If you see the message No models accessible, you can use the Grant model access button to grant access to Amazon Bedrock serverless models for use in SageMaker Unified Studio for AI/ML use cases.

  1. Fill in the sections for Domain Name, for example MyOLTPDomain. In the VPC section, select the VPC that was provisioned by the CloudFormation stack, for example UnifiedLHBlogpost-VPC. Select subnets and choose Continue.

  2. In the IAM Identity Center User section, look up the newly created user (for example, Data User1) and add them to the domain. Choose Create Domain. You should see the new domain along with a link to open Unified Studio.

Access data using SageMaker Unified Studio

To access and analyze your data in SageMaker Unified Studio, follow these steps:

  1. Select the URL for SageMaker Unified Studio. Choose Sign in with SSO and sign in using the IAM Identity Center user (for example, datauser1). You will be prompted to select a multi-factor authentication (MFA) method.
  2. Select Authenticator App and proceed with the next steps. For more information about SSO setup, see Managing users in Amazon SageMaker Unified Studio.
  3. After you have signed in to the Unified Studio domain, set up a new project. For this illustration, we created a sample project called MyOLTPDataProject using the SQL Analytics project profile. A project profile is a template for a project that defines which blueprints are applied to it, including the underlying AWS compute and data resources. Wait for the new project to be set up, and when its status is Active, open the project in Unified Studio.
  4. By default, the project has access to the default Data Catalog (AwsDataCatalog). For the federated Redshift catalog (redshift-consumer-catalog) to be visible, you need to grant permissions to the project IAM role using Lake Formation. For this example, using the Lake Formation console, we granted the Unified Studio project IAM role access to the demodb database that is part of the zero-ETL catalog. Follow the steps in Adding existing databases and catalogs using AWS Lake Formation permissions.
  5. In your SageMaker Unified Studio project’s Data section, connect to the lakehouse federated catalog that you created and registered earlier (for example, redshift-zetl-auroramysql-catalog/aurora_zeroetl_integration). Select the objects that you want to query and run the queries using the Redshift Query Editor integrated with SageMaker Unified Studio. If you select Redshift, you will be taken to the query editor, where you can run the SQL and see the results as shown in the following figure.

With this integration of Amazon Redshift metadata with the SageMaker Lakehouse federated catalog, you have access to your existing Redshift data warehouse objects in your organization’s centralized catalog, managed by the SageMaker Lakehouse catalog, and can join the existing Redshift data seamlessly with the data stored in your Amazon S3 data lake. This solution helps you avoid unnecessary ETL processes that copy data between the data lake and the data warehouse, and minimizes data redundancy.

You can further integrate more data sources serving transactional workloads, such as Amazon DynamoDB, and enterprise applications such as Salesforce and ServiceNow. The architecture shared in this post for accelerated analytical processing using Zero-ETL and SageMaker Lakehouse can be expanded by adding Zero-ETL integrations for DynamoDB (see DynamoDB zero-ETL integration with Amazon SageMaker Lakehouse) and for enterprise applications (see Simplify data integration with AWS Glue and zero-ETL to Amazon SageMaker Lakehouse).

Clean up

When you’re finished, delete the CloudFormation stack, because some of the AWS resources used in this walkthrough incur a cost. Complete the following steps:

  1. On the CloudFormation console, choose Stacks.
  2. Choose the stack you launched in this walkthrough. The stack must be currently running.
  3. In the stack details pane, choose Delete.
  4. Choose Delete stack.
  5. On the SageMaker console, choose Domains and delete the domain created for testing.

Summary

In this post, you’ve learned how to bring data from operational databases and applications into your lakehouse in near real time through Zero-ETL integrations. You’ve also learned about a unified development experience for creating a project and bringing operational data into the lakehouse, which is accessible through SageMaker Unified Studio, and for querying the data using the integration with Amazon Redshift Query Editor. You can use the following resources in addition to this post to quickly start making your transactional data available for analytical processing.

  1. AWS zero-ETL
  2. SageMaker Unified Studio
  3. SageMaker Lakehouse
  4. Getting started with Amazon SageMaker Lakehouse


About the authors

Avijit Goswami is a Principal Data Solutions Architect at AWS specialized in data and analytics. He supports AWS strategic customers in building high-performing, secure, and scalable data lake solutions on AWS using AWS managed services and open-source solutions. Outside of his work, Avijit likes to travel, hike in the San Francisco Bay Area trails, watch sports, and listen to music.

Saman Irfan is a Senior Specialist Solutions Architect focusing on Data Analytics at Amazon Web Services. She focuses on helping customers across various industries build scalable and high-performant analytics solutions. Outside of work, she enjoys spending time with her family, watching TV series, and learning new technologies.

Sudarshan Narasimhan is a Principal Solutions Architect at AWS specialized in data, analytics and databases. With over 19 years of experience in Data roles, he is currently helping AWS Partners & customers build modern data architectures. As a specialist & trusted advisor he helps partners build & GTM with scalable, secure and high performing data solutions on AWS. In his spare time, he enjoys spending time with his family, travelling, avidly consuming podcasts and being heartbroken about Man United’s current state.

Help needed for “that” map

Post Syndicated from Боян Юруков original https://yurukov.net/blog/2025/help-3d-map/

People ask me from time to time how they can help with the 3D map showing possible construction. I have explained the process of creating it several times, as well as the difficulties of collecting information through so-called crowdsourcing. The last time, if I'm not mistaken, was at the Ratio open data event.

Now, however, there is something you can help with directly. One of the most frequently requested features of the map is to mark buildings that are already under construction or completed. As I explained when launching the project, I use Google's photorealistic 3D maps, which unfortunately show the state of the city from two years ago. Since then, quite a few buildings have been built or have started construction.

That is why it is useful to mark them on the map. At the moment everything is shown in red, something that annoys more than one or two architects and investors. Marked buildings will be shown in steel grey. To that end, my request is that you open the map and mark the buildings you know are built or under construction, using the menu you see below.

Some time ago I wrote that buildings can be marked visually if you want to take a photo and share it, and that documents can be searched directly in this 3D map. Now I've added two more buttons for marking started and completed buildings.

Unfortunately, the map does not work on iPhone. There is a problem with displaying this much data that is specific to the device. I know how to fix it, but it will take time. It works on laptops and on Android. The document map has no problem on any device.

Of course, buildings marked this way will first be approved and only then appear on the map in a different colour. Now we are starting the phase of gathering information from people familiar with the neighbourhoods. This is a crowdsourcing experiment. I've had quite a few of these over the years, starting with mapping car crashes in Sofia. The largest was probably Lipsva.

If you have other suggestions and advice, I'd be glad if you shared them. Another way to support the map for now is to subscribe to news and documents around your home or a place of interest, or for an entire district in Sofia.

The post Help needed for “that” map first appeared on Блогът на Юруков.

AWS Weekly Roundup: AWS re:Inforce 2025, AWS WAF, AWS Control Tower, and more (June 16, 2025)

Post Syndicated from Esra Kayabali original https://aws.amazon.com/blogs/aws/aws-weekly-roundup-aws-reinforce-2025-aws-waf-aws-control-tower-and-more-june-16-2025/

Today marks the start of AWS re:Inforce 2025, where security professionals are gathering for three days of technical learning sessions, workshops, and demonstrations. This security-focused conference brings together AWS security specialists who build and maintain the services that organizations rely on for their cloud security needs.

AWS Chief Information Security Officer (CISO) Amy Herzog will deliver the conference keynote along with guest speakers who will share new security capabilities and implementation insights. The event offers multiple learning paths with sessions designed for various technical roles and expertise levels. Many of my colleagues from across AWS are leading hands-on workshops, demonstrating new security features, and facilitating community discussions. For those unable to join us in Philadelphia, the keynote and innovation talks will be viewable by livestream during the event, and available to watch on demand after the event. Look out for the key announcements and technical insights from the conference in upcoming posts!

Let’s look at last week’s new announcements.

Last week’s launches
Here are the launches that got my attention.

Extend Amazon Q Developer IDE plugins with MCP tools – Amazon Q Developer now supports Model Context Protocol (MCP) in its integrated development environment (IDE) plugins, helping developers integrate external tools for enhanced contextual development workflows. You can now augment the built-in tools with any MCP server that supports the stdio transport layer. These servers can be managed within the Amazon Q Developer user interface, which makes it easy to add, remove, and modify tool permissions. The integration enables more customized responses by orchestrating tasks across both native and MCP server-based tools. MCP support is available in Visual Studio Code and JetBrains IDE plugins, as well as in the Amazon Q Developer command line interface (CLI), with detailed documentation and implementation guides available in the Amazon Q Developer documentation.

AWS WAF now supports automatic application layer DDoS protection – AWS has enhanced its application layer (L7) distributed denial of service (DDoS) protection capabilities with faster automatic detection and mitigation that responds to events within seconds. This AWS Managed Rules group automatically detects and mitigates DDoS attacks of any duration to keep applications running on Amazon CloudFront, Application Load Balancer, and other AWS WAF supported services available to users. The system establishes a baseline within minutes of activation using machine learning (ML) models to detect traffic anomalies, then automatically applies rules to address suspicious requests. Configuration options help you customize responses such as presenting challenges or blocking requests. The feature is available to all AWS WAF and AWS Shield Advanced subscribers in all supported AWS Regions, except Asia Pacific (Thailand), Mexico (Central), and China (Beijing and Ningxia). To learn more about AWS WAF application layer (L7) DDoS protection, visit the AWS WAF documentation or the AWS WAF console.

AWS Control Tower now supports service-linked AWS Config managed AWS Config rules – AWS Control Tower now deploys service-linked AWS Config rules directly in managed accounts, replacing the previous CloudFormation StackSets deployment method. This change improves deployment speed when enabling service-linked AWS Config rules across multiple AWS Control Tower managed accounts and Regions. These service-linked rules are managed entirely by AWS services and can’t be edited or deleted by users, which helps maintain consistency and prevent configuration drift. AWS Control Tower Config rules detect resource noncompliance within accounts and provide alerts through the dashboard. You can deploy these controls using the AWS Control Tower console or AWS Control Tower control APIs.

Powertools for AWS Lambda introduces Bedrock Agents Function utility – The new Amazon Bedrock Agents Function utility in Powertools for AWS Lambda simplifies building serverless applications integrated with Amazon Bedrock Agents. This utility helps developers create AWS Lambda functions that respond to Amazon Bedrock Agents action requests with built-in parameter injection and response formatting, eliminating boilerplate code. The utility seamlessly integrates with other Powertools features like Logger and Metrics, making it easier to build production-ready AI applications. This integration improves the developer experience when building agent-based solutions that use AWS Lambda functions to process actions requested by Amazon Bedrock Agents. The utility is available in Python, TypeScript, and .NET versions of Powertools.

Announcing open sourcing pgactive: active-active replication extension for PostgreSQL – Pgactive is a PostgreSQL extension that enables asynchronous active-active replication for streaming data between database instances, and AWS has made it open source. This extension provides additional resiliency and flexibility for moving data between instances, including writers located in different Regions. It helps maintain availability during operations like switching write traffic. Building on PostgreSQL’s logical replication features, pgactive adds capabilities that simplify managing active-active replication scenarios. The open source approach encourages collaboration on developing PostgreSQL’s active-active capabilities while offering features that streamline using PostgreSQL in multi-active instance environments. For more information and implementation guidance, visit the GitHub repository.

For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.

We launched existing services and instance types in additional Regions:

Other AWS events
Check your calendar and sign up for upcoming AWS events.

AWS GenAI Lofts are collaborative spaces and immersive experiences that showcase AWS expertise in cloud computing and AI. They provide startups and developers with hands-on access to AI products and services, exclusive sessions with industry leaders, and valuable networking opportunities with investors and peers. Find a GenAI Loft location near you and don’t forget to register.

AWS Summits are free online and in-person events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Register in your nearest city: Milano (June 18), Shanghai (June 19 – 20), Mumbai (June 19) and Japan (June 25 – 26).

Browse all upcoming AWS-led in-person and virtual events here.

That’s all for this week. Check back next Monday for another Weekly Roundup!

— Esra

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

[$] Supporting NFS v4.2 WRITE_SAME

Post Syndicated from jake original https://lwn.net/Articles/1025257/

At the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF), Anna Schumaker led a discussion about implementing the NFS v4.2 WRITE_SAME command in both the NFS client and server. WRITE_SAME is meant to write large amounts of identical data (e.g. zeroes) to the server without actually needing to transfer all of it over the wire. In her topic proposal, Schumaker wondered whether other filesystems needed the functionality, so that it should be implemented at the virtual filesystem (VFS) layer, or whether it should simply be handled as an NFS-specific ioctl().

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/1025618/

Security updates have been issued by AlmaLinux (.NET 8.0 and .NET 9.0), Arch Linux (curl, ghostscript, go, konsole, python-django, roundcubemail, and samba), Fedora (aerc, chromium, golang-x-perf, libkrun, python3.11, python3.12, rust-kbs-types, rust-sev, rust-sevctl, valkey, and wireshark), Gentoo (Konsole and sysstat), Oracle (.NET 9.0), Red Hat (bootc, grub2, keylime-agent-rust, python3.12-cryptography, rpm-ostree, rust-bootupd, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (apache2-mod_auth_openidc, docker, grub2, java-1_8_0-openj9, kernel, less, python-Django, screen, and sqlite3), and Ubuntu (cifs-utils and modsecurity-apache).

The collective thoughts of the interwebz