Post Syndicated from The Atlantic original https://www.youtube.com/watch?v=gwCjUE-NUW4
Jeffrey Goldberg and Anne Applebaum discuss the Signal group chat | New Orleans Book Festival
Post Syndicated from The Atlantic original https://www.youtube.com/watch?v=OXkG8Kqxhwk
Combat of the Thirty
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=vf0NIL_YeQI
Terror Bird
Post Syndicated from xkcd.com original https://xkcd.com/3069/

Simplifying private API integrations with Amazon EventBridge and AWS Step Functions
Post Syndicated from Eric Johnson original https://aws.amazon.com/blogs/compute/simplifying-private-api-integrations-with-amazon-eventbridge-and-aws-step-functions-2/
This blog was written by Pawan Puthran, Principal Specialist TAM, Serverless and Vamsi Vikash Ankam, Senior Serverless Solutions Architect.
In December 2024, AWS announced that Amazon EventBridge and AWS Step Functions support integration with private APIs using AWS PrivateLink and Amazon VPC Lattice. This feature allows users to integrate applications seamlessly across private networks, on-premises infrastructure, and cloud platforms. It provides operational simplicity, enabling secure and controlled communication between services within a Virtual Private Cloud (VPC). This blog post explores how to leverage this new capability to integrate Step Functions with private APIs, making application interactions across private networks more efficient and secure.
Overview
Private integrations are essential for secure communication between cloud services within a VPC. As organizations modernize their applications in the cloud, they often need to integrate existing systems with private network environments. EventBridge and Step Functions previously needed proxies to send events to HTTPS applications. These proxies, such as AWS Lambda or Amazon Simple Queue Service (Amazon SQS), delivered events to applications running on Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Container Service (Amazon ECS). Now, users can directly invoke private HTTPS-based endpoints running within their VPC using EventBridge and Step Functions.
This new capability offers several key benefits:
- Enhanced security and compliance: Private API integrations significantly enhance security by keeping APIs within private networks, minimizing exposure to internet threats and helping meet compliance requirements in regulated industries such as finance and healthcare.
- Simplified architecture and increased developer productivity: This feature streamlines integration by enabling direct access to private APIs, eliminating complex network setups and proxy solutions. It allows developers to focus on core logic, resulting in cleaner architectures, faster development, and reduced maintenance. By removing the need for custom code and unifying application architecture, the integration process accelerates, leading to faster time to market and enhanced innovation.
- Improved performance and reliability: Private API integrations to VPC resources enhance performance by leveraging the AWS backbone network. This direct connectivity improves speed, increases reliability, and minimizes external network dependencies and points of failure.
EventBridge and Step Functions use new capabilities of PrivateLink and VPC Lattice, Resource Gateway and Resource Configuration, to facilitate secure network connectivity to services and resources inside of a VPC. To establish the private connectivity, you need the following components:
- Resource Gateway: A Resource Gateway serves as a secure entry point for the inbound traffic to the resource. This acts as an ingress point within the VPC where the resources reside.
- Resource Configuration: A Resource Configuration is a logical entity that identifies the resource and specifies how it can be accessed and by whom. Defining a resource configuration lets you allow private, secure, and unidirectional network connectivity to resources in your VPC from clients and services in other VPCs and accounts.
- EventBridge Connections: EventBridge Connections, used in EventBridge API destinations and Step Functions workflows, establish connectivity to your private HTTPS endpoints by using resource configurations.
- AWS Resource Access Manager: You can share the resource configuration through AWS Resource Access Manager (AWS RAM), a service that securely shares your VPC resources across your organizations and with other AWS accounts.
Workload overview
To illustrate how Step Functions invoke private HTTPS APIs, consider the following workflow that classifies product reviews as fake or real.
- The Step Functions workflow processes an array of product reviews using Distributed Map.
- It involves calling the Amazon Nova Micro model through Amazon Bedrock to classify the review text.
- If a review is classified as fake, then the workflow publishes an event to an EventBridge bus, providing a flexible integration for potential downstream analysis or notifications.
- If a review is classified as real, then Step Functions calls the private HTTPS endpoint, using its DNS address, to further process the reviews.
- This private API is hosted in AWS Fargate behind an internal Application Load Balancer (ALB) within a VPC.
In real-world scenarios, this includes analyzing text patterns, user behavior, and linguistic cues to determine the authenticity of each review. Suspicious reviews are automatically flagged by building customized workflows to maintain the integrity of the product feedback system.
Deploying the example
Before configuring the private integration, create an Amazon Route 53 public hosted zone with a registered domain (such as api.com), and an AWS Certificate Manager (ACM) certificate corresponding to the domain. Amazon Route 53 private hosted zones are not currently supported, so the public hosted zone is used to resolve the domain name to a private IP address that is accessible only from within the VPC.
This post includes a sample application and deployment instructions. For complete details, refer to the README.
Scenario 1: Single account
In this scenario, the Step Functions, EventBridge connections, and private resources reside in the same account, as shown in the following figure.
Figure 2: Overview of a single account setup with Step Functions workflow and private API in the same account
- VPC Resource Gateway acts as the entry point to access the private resources running within your VPC. As a best practice, consider creating a resource gateway that spans multiple private subnets (Availability Zones) for high availability. Refer to the AWS Cloud Development Kit (AWS CDK) code snippet in lib/vpclattice-stack.ts for resource gateway implementation.
- Resource Configurations establish the connection between the private endpoint and the Resource Gateway and are used to uniquely identify the private resources running within your VPC. Refer to the AWS CDK code snippet in lib/vpclattice-stack.ts to create Resource Configuration, and configure the domain name and port.
- To enable Step Functions to communicate with the private VPC resources, you create an EventBridge Connection. This handles the authorization and private connectivity to connect to the private API. Refer to the AWS CDK code snippet in lib/workflow-stack.ts for creating EventBridge Connections.
- The Step Functions state machine deployed as part of the sample application uses the HTTPS Invoke task type to call the private API. Calling private APIs from Step Functions allows you to use features such as built-in error handling like retries for transient issues and redrive for errors.
You can use the following payload to test the Step Functions execution:
{
  "items": [
    {
      "asin": "B000FA64PA",
      "helpful": [0, 0],
      "overall": 5,
      "reviewText": "Darth Maul working under cloak of darkness committing sabotage now that is a story worth reading many times over. Great story.",
      "reviewTime": "10 11, 2013",
      "unixReviewTime": 1381449600
    },
    {
      "asin": "B000F83SZQ",
      "helpful": [1, 1],
      "overall": 4,
      "reviewText": "Never heard of Amy Brewster. But I don't need to like Amy Brewster to like this book. Actually, Amy Brewster is a sidekick in this story, who added mystery to the story not the one resolved it. The story brings back the old times, simple life, simple people, and straight relationships.",
      "reviewTime": "03 22, 2014",
      "unixReviewTime": 1395446400
    }
  ]
}
The following figure shows the Step Functions execution where the review is classified as real and successfully invokes the private HTTPS endpoint.
Figure 3: Step Functions execution classifying the product reviews as real and successfully invoking the private API
Scenario 2: Cross account
In this scenario, all the private resources reside in Account A. The Step Functions and EventBridge Connections reside in Account B. The cross-account resource sharing is powered by AWS RAM, as shown in the following figure.
Following the creation of the Resource Gateway and the Resource Configuration, as described in the previous section, configure the resource share using AWS RAM in Account A.
- The sample application creates the AWS RAM resource share in Account A. This allows Account B to access private VPC resources in Account A, enabling secure, AWS Identity and Access Management (IAM) authorized access to the VPC resources in Account A. Refer to the CDK code snippet in lib/vpclattice-stack.ts to create cross-account resource share using AWS RAM.
- In Account B, AWS RAM receives an invitation from Account A to access the private VPC resources. Upon acceptance, the resource share status changes to Active, granting access to the private VPC resources in Account A.
- To enable access from Account B’s Step Functions or EventBridge to Account A’s private VPC resources, create an EventBridge Connection as described in Step 3 (Single account scenario). Map this connection to the shared AWS RAM Resource Configuration created from the previous step.
Enterprises with distributed development teams operate across multiple AWS accounts. The setup described above enables secure cross-account access to VPC resources.
New connection state events
EventBridge now publishes state change events for new or existing connections. This is useful when taking actions on state changes or for troubleshooting purposes. The following example shows the state change events published for Connection Authorized and Connection Activated.
Conclusion
The new integration allows Amazon EventBridge and AWS Step Functions to integrate with private APIs, powered by AWS PrivateLink and Amazon VPC Lattice. Users can integrate legacy on-premises systems with cloud-native applications using event-driven architectures and workflow orchestration. The integration helps enterprises modernize distributed applications across public and private networks, enabling faster innovation, higher performance, and lower costs by eliminating the need for custom networking or integration code.
For more details, refer to the EventBridge and Step Functions documentation. Check out this video on setting up integrations with EventBridge and Step Functions. Get the sample code used in this post from this GitHub repository.
To expand your serverless knowledge, visit Serverless Land.
Bypassing Ubuntu’s user-namespace restrictions
Post Syndicated from jzb original https://lwn.net/Articles/1015649/
Ubuntu 23.10 and 24.04 LTS introduced a feature using AppArmor to restrict access to user namespaces. Qualys has reported three ways to bypass AppArmor’s restrictions and enable local users to gain full administrative capabilities within a user namespace. Ubuntu has followed up with a post that explains the namespace-restriction feature in detail, and says these bypasses do not constitute security vulnerabilities.
While a superficial observation of the application of user namespaces may indicate privileged (root level) access, this is a fictitious state that is operating as expected, with access control still mapped to the real (root namespace) user’s permissions. As such, these bypasses do not enable more access than what the default Linux kernel unprivileged user namespace feature allows in most Linux distributions. They do, however, demonstrate limitations that we are looking to address in order to strengthen existing protections against as-of-yet-unknown Linux kernel vulnerabilities.
LWN covered Ubuntu 24.04 LTS last May.
Rust adopting Ferrocene Language Specification
Post Syndicated from daroc original https://lwn.net/Articles/1015636/
One recurring criticism of Rust has been that the language has no official specification. This is a barrier to adoption in some safety-conscious organizations, as well as to writing alternate language implementations. Now, the Rust project has announced that it will be adopting the Ferrocene Language Specification (FLS) developed by Ferrous Systems and maintaining it as part of the core project. While this may not satisfy die-hard standardization-process enthusiasts, it’s a step toward removing another barrier to using Rust in safety-critical systems.
It’s in that light that we’re pleased to announce that we’ll be adopting the FLS into the Rust Project as part of our ongoing specification efforts. This adoption is being made possible by the gracious donation of the FLS by Ferrous Systems. We’re grateful to them for the work they’ve done in assembling the FLS, in making it fit for qualification purposes, in promoting its use and the use of Rust generally in safety-critical industries, and now, for working with us to take the next step and to bring the FLS into the Project.
Accelerating CI with AWS CodeBuild: Parallel test execution now available
Post Syndicated from Sébastien Stormacq original https://aws.amazon.com/blogs/aws/accelerating-ci-with-aws-codebuild-parallel-test-execution-now-available/
I’m excited to announce that AWS CodeBuild now supports parallel test execution, so you can run your test suites concurrently and reduce build times significantly.
With the demo project I wrote for this post, the total test time went down from 35 minutes to six minutes, including the time to provision the environments. These two screenshots from the AWS Management Console show the difference.
Sequential execution of the test suite
Parallel execution of the test suite
Very long test times pose a significant challenge when running continuous integration (CI) at scale. As projects grow in complexity and team size, the time required to execute comprehensive test suites can increase dramatically, leading to extended pipeline execution times. This not only delays the delivery of new features and bug fixes, but also hampers developer productivity by forcing them to wait for build results before proceeding with their tasks. I have experienced pipelines that took up to 60 minutes to run, only to fail at the last step, requiring a complete rerun and further delays. These lengthy cycles can erode developer trust in the CI process, contribute to frustration, and ultimately slow down the entire software delivery cycle. Moreover, long-running tests can lead to resource contention, increased costs because of wasted computing power, and reduced overall efficiency of the development process.
With parallel test execution in CodeBuild, you can now run your tests concurrently across multiple build compute environments. This feature implements a sharding approach where each build node independently executes a subset of your test suite. CodeBuild provides environment variables that identify the current node number and the total number of nodes, which are used to determine which tests each node should run. There is no control build node or coordination between nodes at build time—each node operates independently to execute its assigned portion of your tests.
To enable test splitting, configure the batch fanout section in your buildspec.yml, specifying the desired parallelism level and other relevant parameters. Additionally, use the codebuild-tests-run utility in your build step, along with the appropriate test commands and the chosen splitting method.
The tests are split based on the sharding strategy you specify. codebuild-tests-run offers two sharding strategies:
- Equal-distribution. This strategy sorts test files alphabetically and distributes them in chunks equally across parallel test environments. Changes in the names or quantity of test files might reassign files across shards.
- Stability. This strategy fixes the distribution of tests across shards by using a consistent hashing algorithm. It maintains existing file-to-shard assignments when new files are added or removed.
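The difference between the two strategies can be seen in a small model, added here as an example; it is not CodeBuild's implementation and not code from the original post. The chunking rule, the hash ring, and the file names are assumptions made for the illustration.

```python
"""Model of the two sharding strategies described above.

This is an illustration, not CodeBuild's implementation: the chunking rule and
the hash ring are assumptions made for the example.
"""
import bisect
import hashlib


def equal_distribution(files, total_shards):
    """Sort alphabetically, then cut into contiguous chunks of near-equal size."""
    ordered = sorted(files)
    base, extra = divmod(len(ordered), total_shards)
    shards, start = [], 0
    for index in range(total_shards):
        size = base + (1 if index < extra else 0)
        shards.append(ordered[start:start + size])
        start += size
    return shards


def _point(value):
    """Position of a string on the hash ring (first 8 bytes of SHA-256)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")


def stable_distribution(files, total_shards, vnodes=64):
    """Consistent hashing: each file goes to the shard owning the next ring point."""
    ring = sorted(
        (_point(f"shard-{shard}/{v}"), shard)
        for shard in range(total_shards)
        for v in range(vnodes)
    )
    points = [p for p, _ in ring]
    shards = [[] for _ in range(total_shards)]
    for name in sorted(files):
        owner = ring[bisect.bisect_right(points, _point(name)) % len(ring)][1]
        shards[owner].append(name)
    return shards


def moved_files(before, after):
    """Files present in both layouts whose shard index changed."""
    old = {name: i for i, shard in enumerate(before) for name in shard}
    new = {name: i for i, shard in enumerate(after) for name in shard}
    return sorted(name for name in old if name in new and old[name] != new[name])


# Constructed input: 23 test files, then one new file that sorts near the front.
FILES = [f"tests/test_{n:03d}.py" for n in range(23)]
WITH_NEW_FILE = FILES + ["tests/test_000a.py"]
SHARDS = 4

if __name__ == "__main__":
    for strategy in (equal_distribution, stable_distribution):
        moved = moved_files(strategy(FILES, SHARDS), strategy(WITH_NEW_FILE, SHARDS))
        print(f"{strategy.__name__}: {len(moved)} existing files changed shard {moved}")
```

In this model the stable layout keeps every existing assignment, at the price of shards that are not guaranteed to be the same size.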
CodeBuild supports automatic merging of test reports when running tests in parallel. With automatic test report merging, CodeBuild consolidates tests reports into a single test summary, simplifying result analysis. The merged report includes aggregated pass/fail statuses, test durations, and failure details, reducing the need for manual report processing. You can view the merged results in the CodeBuild console, retrieve them using the AWS Command Line Interface (AWS CLI), or integrate them with other reporting tools to streamline test analysis.
Let’s look at how it works
Let me demonstrate how to implement parallel testing in a project. For this demo, I created a very basic Python project with hundreds of tests. To speed things up, I asked Amazon Q Developer on the command line to create a project and 1,800 test cases. Each test case is in a separate file and takes one second to complete. Running all tests in a sequence requires 30 minutes, excluding the time to provision the environment.
In this demo, I run the test suite on ten compute environments in parallel and measure how long it takes to run the suite.
To do so, I added a buildspec.yml file to my project.
version: 0.2

batch:
  fast-fail: false
  build-fanout:
    parallelism: 10 # ten runtime environments
    ignore-failure: false

phases:
  install:
    commands:
      - echo 'Installing Python dependencies'
      - dnf install -y python3 python3-pip
      - pip3 install --upgrade pip
      - pip3 install pytest
  build:
    commands:
      - echo 'Running Python Tests'
      - |
        codebuild-tests-run \
          --test-command 'python -m pytest --junitxml=report/test_report.xml' \
          --files-search "codebuild-glob-search 'tests/test_*.py'" \
          --sharding-strategy 'equal-distribution'
  post_build:
    commands:
      - echo "Test execution completed"

reports:
  pytest_reports:
    files:
      - "*.xml"
    base-directory: "report"
    file-format: JUNITXML
There are three parts to highlight in the YAML file.
First, there’s a build-fanout section under batch. The parallelism setting tells CodeBuild how many test environments to run in parallel. The ignore-failure setting indicates if failure in any of the fanout build tasks can be ignored.
Second, I use the pre-installed codebuild-tests-run command to run my tests.
This command receives the complete list of test files and decides which of the tests must be run on the current node.
- Use the sharding-strategy argument to choose between equally distributed or stable distribution as I explain above.
- Use the files-search argument to pass all the files that are candidates for a run. We recommend using the provided codebuild-glob-search command for performance reasons, but any file search tool, such as find(1), will work.
- I pass the actual test command to run on the shard with the test-command argument.
Lastly, the reports section instructs CodeBuild to collect and merge the test reports on each node.
Then, I open the CodeBuild console to create a project and a batch build configuration for this project. There’s nothing new here, so I’ll spare you the details. The documentation has all the details to get you started. Parallel testing works on batch builds. Make sure to configure your project to run in batch.
Now, I’m ready to trigger an execution of the test suite. I can commit new code on my GitHub repository or trigger the build in the console.
After a few minutes, I see a status report of the different steps of the build, with a status for each test environment or shard.
When the test is complete, I select the Reports tab to access the merged test reports.
The Reports section aggregates all test data from all shards and keeps the history for all builds. I select my most recent build in the Report history section to access the detailed report.
As expected, I can see the aggregated and the individual status for each of my 1,800 test cases. In this demo, they’re all passing, and the report is green.
The 1,800 tests of the demo project take one second each to complete. When I ran this test suite sequentially, it took 35 minutes to complete. When I ran the test suite in parallel on ten compute environments, it took six minutes to complete, including the time to provision the environments. The parallel run took 17.1 percent of the time of the sequential run. Actual numbers will vary with your projects.
Additional things to know
This new capability is compatible with all testing frameworks. The documentation includes examples for Django, Elixir, Go, Java (Maven), JavaScript (Jest), Kotlin, PHPUnit, Pytest, Ruby (Cucumber), and Ruby (RSpec).
For test frameworks that don’t accept space-separated lists, the codebuild-tests-run CLI provides a flexible alternative through the CODEBUILD_CURRENT_SHARD_FILES environment variable. This variable contains a newline-separated list of test file paths for the current build shard. You can use it to adapt to different test framework requirements and format test file names.
You can further customize how tests are split across environments by writing your own sharding script and using the CODEBUILD_BATCH_BUILD_IDENTIFIER environment variable, which is automatically set in each build. You can use this technique to implement framework-specific parallelization or optimization.
Pricing and availability
With parallel test execution, you can now complete your test suites in a fraction of the time previously required, accelerating your development cycle and improving your team’s productivity. The demo project I created to illustrate this post consumes 18.7 percent of the time of a sequential build.
Parallel test execution is available on all three compute modes offered by CodeBuild: on-demand, reserved capacity, and AWS Lambda compute.
This capability is available today in all AWS Regions where CodeBuild is offered, with no additional cost beyond the standard CodeBuild pricing for the compute resources used.
I invite you to try parallel test execution in CodeBuild today. Visit the AWS CodeBuild documentation to learn more and get started with parallelizing your tests.
PS: Here’s the prompt I used to create the demo application and its test suite: “I’m writing a blog post to announce codebuild parallel testing. Write a very simple python app that has hundreds of tests, each test in a separate test file. Each test takes one second to complete.”
Experience CS: a new way to teach computer science
Post Syndicated from Philip Colligan original https://www.raspberrypi.org/blog/experience-cs-a-new-way-to-teach-computer-science/
I am delighted to announce Experience CS, a free, integrated computer science curriculum for elementary and middle school students (8–14 years old) that will be available in June 2025.
Experience CS enables educators to teach computer science through a standards-aligned curriculum that integrates computer science concepts and knowledge into core subjects like maths, science, languages, and the arts.

This cross-curricular and integrated approach is one of the most effective ways to provide younger students with an introduction to computer science and is increasingly important as the impact of digital technology reaches every corner of our lives. We also know that embedding CS in real-world contexts helps make it meaningful and relevant for students, which is essential if we are going to inspire kids from different backgrounds to want to learn more about computer science and technology.
Built by educators, for educators
The team behind Experience CS includes educators with significant experience of teaching CS in elementary and middle school settings and everything we do is being informed by the world’s leading research into effective pedagogy as well as extensive testing and research in classrooms. This won’t stop when we launch. We will continue to develop and improve the curriculum and resources in response to feedback from teachers and students.

One of the most important design principles for Experience CS is that it can be used by any educator. You don’t need a CS qualification or any previous experience in teaching CS classes to deliver engaging and creative learning experiences for your students.
We will provide lesson plans, classroom resources, and an online platform that is designed to be easy and safe to use. We will also provide educators with professional development to help build their confidence, knowledge, and skills. You don’t need to adapt or amend the resources to use them, but you will be able to if you want to. We trust teachers to know what is best for their classrooms.
A creative and safe learning experience
Crucially, Experience CS will be a creative learning experience. We’ve all seen those apps and platforms that purport to teach computer science by having young people direct their favourite pop culture character around a maze. While those types of games can be fun, we think that they fail to convey the creative potential of computer science and leave more students feeling “why bother” rather than being inspired to learn more.
That’s why Experience CS includes self-directed creative projects using the popular programming platform Scratch, with clear instructions and endless opportunities for young people to express themselves creatively.

We know that online safety is the most important consideration for schools, teachers, and parents, which is why we have built a version of Scratch that is safe for schools. That means it won’t have the community and sharing features that are so central to the full Scratch platform. It will come with simple and intuitive classroom management features that enable teachers to create accounts, set assignments, review progress, and provide feedback to students.
Free forever, for everyone
Our promise is that Experience CS will be available for teachers and students anywhere in the world to use for free, for as long as you need it.
Initially, we are developing the curriculum and resources for the US and Canadian education systems and we will be mapping the lessons to national and local standards in both countries. The materials will all be available in English, French, and Spanish. We will also be focusing our professional development and support for schools in the US and Canada, including working with a fantastic network of educational partners.

Building on the legacy of CS First
We are delighted that Experience CS is supported by Google and that we are able to build on the fantastic work that they have done over many years to support educators and students through CS First.
Google has today announced that CS First will no longer be available from June 30, 2025 and that they are recommending that their users should move over to Experience CS for the next school year. That is a huge vote of confidence from a team that really knows what they are talking about. I want to pay tribute to everyone at Google who has worked so hard over the years to support teachers and inspire students through CS First.
We are looking forward to working with all of the CS First community to make sure that you are supported through the transition and set up ready to go for the start of the new school year. You can find out more about the support we will be offering by registering here.
Announcing the AWS CDK L2 Construct for Amazon Cognito Identity Pools
Post Syndicated from Adam Keller original https://aws.amazon.com/blogs/devops/announcing-the-aws-cdk-l2-construct-for-amazon-cognito-identity-pools/
Today we’re announcing the general availability (GA) of the new Amazon Cognito Identity Pool Level 2 (L2) construct in the AWS Cloud Development Kit (AWS CDK). This construct simplifies the creation and management of identity pools, permissions, and provider integrations by providing intent-based APIs that help users securely manage their authenticated and unauthenticated (guest) users across multiple identity providers (such as Amazon Cognito user pools, social providers like Facebook or Google, OpenID Connect, and more).
Background
The AWS CDK is an open-source software development framework that allows you to define cloud infrastructure using familiar programming languages, such as TypeScript, Python, Java, C#, and Go. The CDK provides various levels of abstraction through Constructs, which are reusable cloud components. Constructs come in three levels:
- L1 constructs: Lowest level of constructs that are automatically generated from AWS CloudFormation resource specifications and offer no abstraction. They provide a one to one mapping to CloudFormation and can be verbose.
- L2 constructs: Curated, high level abstractions that provide sensible defaults and reduce boilerplate code and glue logic with intuitive, intent-based APIs, making infrastructure provisioning more straightforward.
- L3 constructs: Opinionated patterns that encapsulate multiple resources for a specific use case (for example, an entire web application stack).
Previously, developers who wanted to create Cognito Identity Pools in their CDK applications often had to work directly with L1 CloudFormation resources (for example, CfnIdentityPool and CfnIdentityPoolRoleAttachment). This led to verbose code, manual IAM role handling, and less intuitive support for multiple identity providers. The developer was responsible for all of the glue logic required when connecting Identity Pools to other AWS resources, including creating IAM roles, policies, and provider references by hand, which introduced more complexity.
The new AWS CDK Cognito Identity Pool L2 construct provides the following out of the box:
- An easy way to create and manage authenticated and unauthenticated roles and permissions.
- Built-in support for a variety of identity providers, including social providers, Amazon Cognito user pools, OpenID Connect providers, and others.
- A high level API that reduces the amount of code and complexity required to manage the lifecycle of your identity pool.
By using this new L2 construct, you can focus on developing your application rather than the intricacies of wiring up roles, trust relationships, and provider configurations.
Using the L2
Let’s walk through an example of creating a new Cognito Identity Pool. In addition to creating the Identity Pool, we will create an Amazon DynamoDB table and then we’ll show you how to grant different levels of access for authenticated and unauthenticated users.
Create the DynamoDB Table and Cognito Identity Pool
import { IdentityPool } from 'aws-cdk-lib/aws-cognito-identitypool';
import { AttributeType, Billing, TableV2 } from 'aws-cdk-lib/aws-dynamodb';

// The statements below belong inside a Stack (or other construct) constructor,
// where `this` is the construct scope.

// Create an identity pool
const identityPool = new IdentityPool(this, 'MyIdentityPool', {
  identityPoolName: 'MyIdentityPoolName',
  // Enable unauthenticated identities, disabled by default,
  // enabling here for demonstration purposes
  allowUnauthenticatedIdentities: true
});

// Create a new DynamoDB table
const myTable = new TableV2(this, 'MyTable', {
  partitionKey: { name: 'id', type: AttributeType.STRING },
  billing: Billing.onDemand()
});

// Grant read/write access on the table to authenticated users
myTable.grantReadWriteData(identityPool.authenticatedRole);

// Grant read only access to unauthenticated (guest) users
myTable.grantReadData(identityPool.unauthenticatedRole);
Let’s highlight a few key points:
- Single Declaration: By declaring an IdentityPool construct, you automatically get a role for authenticated users and one for unauthenticated users; however, by default, the construct disables guest access and only allows authenticated users. To enable unauthenticated identities (guest access), you can set the allowUnauthenticatedIdentities parameter to true.
- Role and Policy Creation: You don’t have to manually define policies and roles, attach them or configure trust relationships. The L2 construct sets all of this up for you.
- Providers: You can specify a variety of identity providers (e.g., Google, Facebook, Amazon, Twitter, OpenID Connect, or Cognito user pools) in the authenticationProviders property.
- Permissions: With the roles exposed (identityPool.authenticatedRole and identityPool.unauthenticatedRole), you can easily grant or restrict fine-grained AWS resource permissions.
Multiple Authentication Providers
When using multiple providers, pass in the relevant configuration details. For example, to enable sign-in via Facebook and Google, you can provide:
```typescript
const identityPool = new IdentityPool(this, 'MyIdentityPool', {
  authenticationProviders: {
    facebook: { appId: 'your-facebook-app-id' },
    google: { clientId: 'your-google-client-id' },
  },
});
```
The L2 takes care of generating the correct roles, trust relationships, and identity provider references behind the scenes.
Considerations for Moving to the New Construct
- Upgrade Path: If you currently use the L1 resources (CfnIdentityPool, CfnIdentityPoolRoleAttachment, etc.), you can migrate to the L2 construct by replacing those L1 declarations with the new IdentityPool L2. Adjust any references to custom roles or attachments to leverage the provided authenticatedRole and unauthenticatedRole properties.
- Compatibility: Verify the version of your AWS CDK. This L2 is available in newer CDK releases (check the changelog for specifics).
- Customization: If you have very specific or advanced requirements, like custom IAM conditions or policy statements, you can still refine or override the default roles or attach custom policies using the roles exposed by the L2.
- Alpha to GA Changes: Verify any potential feature limitations or changes in the API from the alpha to stabilized (GA) versions of the construct.
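A check for the guest-access grant and the Customization point above, as an added example that is not from the original post or the CDK project: it scans a synthesized CloudFormation template for DynamoDB permissions on the unauthenticated role that lack a `dynamodb:LeadingKeys` condition. The sample template, its logical IDs and the function names are constructed for illustration.

```typescript
// Added example: lint a synthesized template for unscoped guest-role DynamoDB grants.
type Json = Record<string, any>;
interface Finding { policy: string; actions: string[]; reason: string; }

function asArray(v: any): any[] {
  return v === undefined || v === null ? [] : Array.isArray(v) ? v : [v];
}

// Resolve {"Ref": id} or {"Fn::GetAtt": [id, "Arn"]} to the logical ID it points at.
function logicalId(ref: any): string | undefined {
  if (ref && typeof ref.Ref === "string") return ref.Ref;
  if (ref && Array.isArray(ref["Fn::GetAtt"])) return ref["Fn::GetAtt"][0];
  return undefined;
}

// Logical IDs of roles mapped as "unauthenticated" on pools that allow guest identities.
function guestRoleIds(resources: Json): string[] {
  const ids: string[] = [];
  for (const key of Object.keys(resources)) {
    const res = resources[key];
    if (res.Type !== "AWS::Cognito::IdentityPoolRoleAttachment") continue;
    const poolId = logicalId(res.Properties?.IdentityPoolId);
    const pool = poolId ? resources[poolId] : undefined;
    if (pool?.Properties?.AllowUnauthenticatedIdentities !== true) continue;
    const roleId = logicalId(res.Properties?.Roles?.unauthenticated);
    if (roleId) ids.push(roleId);
  }
  return ids;
}

// True when some condition operator in the statement constrains dynamodb:LeadingKeys.
function scopedByLeadingKeys(statement: Json): boolean {
  const condition: Json = statement.Condition ?? {};
  return Object.keys(condition).some((op) =>
    Object.keys(condition[op] ?? {}).some((k) => k.toLowerCase() === "dynamodb:leadingkeys"));
}

// Report every Allow statement that gives a guest role DynamoDB access to all items.
function auditGuestDynamoAccess(template: Json): Finding[] {
  const resources: Json = template.Resources ?? {};
  const guests = guestRoleIds(resources);
  const findings: Finding[] = [];
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res.Type !== "AWS::IAM::Policy") continue;
    const roles = asArray(res.Properties?.Roles).map((r) => logicalId(r));
    if (!roles.some((r) => r !== undefined && guests.indexOf(r) !== -1)) continue;
    for (const st of asArray(res.Properties?.PolicyDocument?.Statement)) {
      if (st.Effect !== "Allow") continue;
      const actions: string[] = asArray(st.Action).filter(
        (a: string) => a === "*" || a.toLowerCase().indexOf("dynamodb:") === 0);
      if (actions.length === 0 || scopedByLeadingKeys(st)) continue;
      findings.push({ policy: id, actions,
        reason: "guest role reaches every item: no dynamodb:LeadingKeys condition" });
    }
  }
  return findings;
}

// Constructed sample (hypothetical logical IDs): guest access enabled, one table-wide
// read grant and one grant limited to the caller's own partition key.
const tableArn = { "Fn::GetAtt": ["MyTable", "Arn"] };
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    MyIdentityPool: { Type: "AWS::Cognito::IdentityPool",
      Properties: { AllowUnauthenticatedIdentities: true } },
    PoolRoles: { Type: "AWS::Cognito::IdentityPoolRoleAttachment",
      Properties: { IdentityPoolId: { Ref: "MyIdentityPool" }, Roles: {
        authenticated: { "Fn::GetAtt": ["AuthRole", "Arn"] },
        unauthenticated: { "Fn::GetAtt": ["GuestRole", "Arn"] } } } },
    GuestReadAll: { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "GuestRole" }],
      PolicyDocument: { Statement: [{ Effect: "Allow", Resource: tableArn,
        Action: ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"] }] } } },
    GuestOwnRows: { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "GuestRole" }],
      PolicyDocument: { Statement: [{ Effect: "Allow", Resource: tableArn,
        Action: ["dynamodb:GetItem", "dynamodb:Query"],
        Condition: { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys":
          ["${cognito-identity.amazonaws.com:sub}"] } } }] } } },
    AuthReadWrite: { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "AuthRole" }],
      PolicyDocument: { Statement: [{ Effect: "Allow", Resource: tableArn,
        Action: "dynamodb:PutItem" }] } } },
  },
};

const findings = auditGuestDynamoAccess(SAMPLE_TEMPLATE);
```

In a real project the input would be the template JSON that `cdk synth` writes under `cdk.out`.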
Conclusion
We’re thrilled to introduce the AWS CDK Cognito Identity Pool L2 construct, which simplifies identity pool setup and management. By leveraging a higher level API, you reduce the complexity of configuring roles and providers for your application’s user base. Whether you’re supporting social logins, guest access, or both, this new construct empowers you to build secure and scalable applications more quickly.
We invite you to get started with the Cognito Identity Pool L2 construct in your AWS CDK projects. For more information and examples, visit the AWS CDK GitHub repository and the official AWS CDK documentation. Feedback is also very important to us, so please create an issue in GitHub for any bugs or feature requests. We look forward to seeing how this new construct helps you streamline your authentication workflows and deliver exceptional user experiences.
A burst of progress on the GCC Rust front end
Post Syndicated from corbet original https://lwn.net/Articles/1015627/
Arthur Cohen has posted a massive series of patches in four parts
(part 1,
part 2,
part 3,
part 4)
upstreaming all of the recent work on the GCC Rust front end. These
changes include the Polonius borrow checker, the foreign-function
interface, inline assembly support, if-let statement handling,
multiple built-in derive macros, for loops, and more.
How engineers can use one-on-ones with their manager to accelerate career growth
Post Syndicated from Dalia Abuadas original https://github.blog/developer-skills/career-growth/how-engineers-can-use-one-on-ones-with-their-manager-to-accelerate-career-growth/
One-on-one meetings with your manager are one of the most valuable tools you have for career growth, problem-solving, and unlocking new opportunities. So if you’re only using them to provide status updates, you’re leaving a lot on the table.
I didn’t fully realize this potential until I mentioned in a one-on-one that I was interested in mentorship and growing my leadership skills. Not long after, I was asked to co-lead a project with an intern to build an internal tool that helped surface enterprise configuration details. This gave me the opportunity to take technical ownership on a project while mentoring someone in a real-world context—both of which pushed me outside my comfort zone in the best way. That experience made it clear: When used intentionally, one-on-ones can open doors you didn’t even know were there.
Many engineers treat one-on-ones as a low-stakes standup: reporting work, mentioning blockers, and getting general feedback. While that can be useful, it barely scratches the surface of what these meetings can accomplish. Instead, think of them as a system design review for your role—a time to debug challenges, optimize your workflow, and align on long-term career goals.
Reframing your perception of what a one-on-one can accomplish
A well-structured one-on-one meeting with your manager isn’t just a check-in, it’s an opportunity to shape your work environment and career trajectory. You wouldn’t build a system without evaluating its constraints, dependencies, and long-term maintainability. Why approach your career any differently?
Start by shifting your mindset: These meetings are not status updates. Your manager already sees your pull requests, sprint velocity, and planning docs. Instead, use this time to highlight what matters—what you’ve shipped, the value it’s delivered, and where the friction is.
You can also use this space to validate decisions and gather context. If you’re weighing different paths forward, don’t just ask for approval—frame the conversation in terms of trade-offs:
“Here are the pros and cons of refactoring this service now versus later. How does this align with our broader business goals?”
Treat your manager like a decision-making API: Feed in the relevant signals, surface what’s unclear, and work together on an informed response.
Use one-on-ones for career versioning (even before you’re “ready”)
One-on-one meetings are a great time to discuss your long-term career growth—even if you’re not actively seeking a promotion. Instead of waiting until promotion season, start having these conversations early to build clarity, direction, and momentum over time.
- If you’re more than a year away from seeking a promotion, start talking to your manager about:
  - Where am I already meeting expectations?
  - Where should I focus on strengthening my skills?
- If you’re approaching the next level or considering going up for promotion soon, try focusing the conversation on:
  - What kind of work would demonstrate readiness for the next level?
  - Are there specific opportunities I can take on to grow my scope or visibility?
By treating growth as an iterative process rather than an all-or-nothing milestone, you can continuously improve and course-correct based on early feedback.
A useful framework for structuring these discussions is the Three Circles of Impact:
- Individual Contributions – The direct value of your work.
- Collaboration – How you work with and support others across the team.
- Enabling Others – Mentorship, knowledge sharing, or improving systems and tooling for your peers.
If you’re not sure how to show impact across all three, your one-on-one is a great place to explore it. The key is surfacing your goals early so your manager can help guide you toward the kinds of work that will stretch your skills and broaden your influence.
The more you shape your contributions around these areas, the clearer your readiness for growth becomes—and the easier it is for your manager to advocate on your behalf.
Your manager can’t debug what they don’t see
Managers don’t have full visibility into your day-to-day experience, so one-on-ones are the right time to highlight persistent blockers and unclear expectations.
For instance, I once brought up a latency issue I was chasing down. The endpoint’s performance was slightly above our service level objective (SLO) target, and I had already spent a good chunk of time optimizing it. But in that conversation, my manager offered a different lens:
“Are we optimizing for the right thing? We control the SLO. If the extra latency is due to how the system is designed (and if users aren’t impacted) maybe the right move is to revisit the threshold instead of squeezing more performance out of it.”
That single conversation saved me hours and helped me reframe the problem entirely. Sometimes, the fix isn’t in your code—it’s in how you’re measuring success.
Make your one-on-ones work for you
Your one-on-ones will become far more effective—and lead to real growth—when you treat them as time to think strategically, not just check in. Reframing these meetings around your goals, your environment, and your long-term development puts you in a much stronger position to advocate for yourself and your work.
Start thinking about your career progression earlier than feels natural. Come prepared. Bring in what’s going well, what’s stuck, and where you want to grow. And remember: your manager can’t fix what they don’t know about, and they can’t support your goals if you never share them.
If this shift feels unfamiliar, you’re not alone. The Engineer’s Survival Guide helped me reframe my thinking around one-on-ones.
Here are a few ideas that stuck with me:
- Your manager isn’t a mind reader.
- You can’t expect guidance if you don’t come with a direction.
- Your growth is a shared effort, but it starts with you.
The earlier you see one-on-ones as a tool for impact and growth, the more value you’ll get from them.
The post How engineers can use one-on-ones with their manager to accelerate career growth appeared first on The GitHub Blog.
Here Are the Attack Plans That Trump’s Advisers Shared on Signal
Post Syndicated from The Atlantic original https://www.youtube.com/watch?v=XcT6MaojehQ
[$] A process for handling Rust code in the core kernel
Post Syndicated from corbet original https://lwn.net/Articles/1015409/
The 2024 Linux Storage, Filesystem, Memory-Management, and BPF Summit
included a tense session on the use of Rust
code in the kernel’s filesystem layer. The Rust topic returned in 2025 in
a session run by Andreas Hindborg, with a scope that also covered the
storage and memory-management layers. A lot of progress has been made, and
the discussion was less adversarial this year, but there are still process
issues that need to be worked out.
Unpacking a post-compromise breach simulation with Vector Command
Post Syndicated from Ed Montgomery original https://blog.rapid7.com/2025/03/27/unpacking-a-post-compromise-breach-simulation-with-vector-command/
The reality of modern cyber threats

In today’s evolving cyber landscape, breaches are not a matter of if, but when. Attackers continue to refine their techniques, using stealthy post-compromise tactics to maintain persistence, escalate privileges, and move laterally across networks. The key to staying ahead is not just preventing attacks, but building resilience to withstand and respond to them effectively.
This concept of resilience aligns with Continuous Threat Exposure Management (CTEM), a proactive approach to security validation. According to Gartner, CTEM consists of five pillars:
- Scope of your organization’s attack surface
- Discover your attack surface
- Prioritize your vulnerabilities
- Validate security controls
- Mobilize people and processes to operationalize the CTEM findings
Vector Command plays a critical role in the fourth pillar, continuously testing security defenses through post-compromise breach simulations that replicate real-world adversary tactics.
How Vector Command tests resilience
This blog is the third in our Vector Command series, where we explore the tactics, techniques, and procedures (TTPs) leveraged by Rapid7’s expert red team. Today, we’re focusing on post-compromise breach simulations—a critical capability in assessing an organization’s ability to detect and respond to a persistent adversary.

TTP mapping to the MITRE ATT&CK framework
Once an attacker gains access—whether through phishing or external exploitation—the real damage begins. As part of our post-compromise breach simulation, Vector Command emulates the tactics and techniques adversaries use once they’re inside, leveraging the MITRE ATT&CK® framework as a guide.
Our red team stages command and control payloads and executes a series of proven attacker behaviors to test your resilience across the most common post-compromise scenarios:
- Configure host persistence – Attackers work to maintain their foothold across reboots and user sessions by modifying startup tasks, hijacking processes, or introducing malicious code. We simulate these tactics to test your defenses against long-term compromise.
- Attempt host privilege escalation – Gaining initial access is just the beginning. Adversaries often exploit misconfigurations or unpatched vulnerabilities to escalate privileges from standard user accounts to full admin control—enabling deeper access into your environment.
- Query Active Directory for hosts accessible with compromised credentials – With valid credentials in hand—often obtained through phishing—we test whether an attacker could identify and access other systems or sensitive services using tools that mimic common enumeration techniques.
- Attempt lateral movement on the network – We simulate how attackers move through your environment by pivoting between systems using native tools and compromised credentials. This reveals how far a real threat actor could go—and how quickly they’d reach your most critical assets.
- Attempt domain privilege escalation using common misconfigurations – During breach simulations, our red team frequently tests for domain privilege escalation using misconfigurations that are surprisingly common in real-world environments. These include:
  - Local administrator accounts
  - Users with admin-like access
  - Standard users with elevated access to specific systems or sensitive functions

  These misconfigurations often intersect with persistence techniques, as attackers take advantage of elevated contexts to maintain long-term access.

  Want to see how exposed your organization might be? Surface Command can help identify admin users without multi-factor authentication (MFA), offering a quick view into high-risk accounts and helping fulfill the “Discover” step of Exposure Management. (See our Surface Command Admin users without MFA use case.)
- Initial access payloads and internal breach playbooks – Every simulation is guided by detailed internal breach playbooks. These help test your incident response readiness and ensure alignment with known attacker workflows, including phishing payload delivery and post-access exploitation.
Each of these steps represents a real-world risk. By simulating them in a controlled environment, Vector Command helps organizations identify blind spots, validate security controls, and improve detection and response capabilities.
Beyond simulation: Actionable reporting & remediation with Vector Command
Security testing is only as valuable as the insights it delivers. With Vector Command, organizations receive tailored reports designed for both executive leadership and security practitioners:
- Executive-Level Report: A high-level summary of key findings, business risks, and prioritized remediation steps, written in plain language for strategic decision-making.
- Technical Report: A detailed breakdown of attack simulations, including timestamps, screenshots, and step-by-step execution logs for the security team to analyze and act on.
These insights are not just reports—they are action plans to help teams fortify their defenses against real adversary behaviors.
Take command of your attack surface
Cyber resilience is about understanding your adversary’s tactics before they use them against you. Vector Command delivers an always-on red teaming service that helps organizations stay ahead of attackers by continuously validating defenses and improving response strategies.
Want to learn more? Join us at our upcoming Take Command virtual summit, where we’ll explore how red teaming is evolving to outpace modern threats.
Register here.
Security updates for Thursday
Post Syndicated from jzb original https://lwn.net/Articles/1015589/
Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode).
A new home for kernel.org
Post Syndicated from corbet original https://lwn.net/Articles/1015555/
Akamai has sent out a
press release saying that it is now hosting the kernel.org
repositories.
The Linux kernel is massive — approximately 28 million lines of
code. Since 2005, more than 13,500 developers from more than 1,300
different companies have contributed to the Linux
kernel. Additionally, there are many kernel versions, and
developers update the code constantly, distributing that code to
developers who are working on various distributions of
Linux. Akamai now delivers the infrastructure that these developers
and their users rely on, at no cost, supporting the Git
environments developers use to access kernel sources quickly,
regardless of where they’re based.
How is it possible for a homosexual woman to lead Alternative for Germany
Post Syndicated from Svetla Encheva original https://www.toest.bg/kak-e-vuzmozhno-homoseksualna-zhena-da-e-nachelo-na-alternativa-za-germania/

Alice Weidel, co-chair of Alternative for Germany (AfD), is homosexual. On top of that, her long-time partner, with whom she has two children, is of Sri Lankan origin and was adopted as a baby by Swiss parents. These facts, however, were no obstacle to her far-right party nominating her for chancellor ahead of the early elections in Germany held on 23 February. How is it possible for her to be the most recognizable face of a far-right party?
The easy answers
At least two answers can be given to this question; they are not wrong, but they skim the surface. They concern the inconsistency of populists, on the one hand, and tricks for achieving public legitimacy, on the other.
The inconsistency of populists
Have you noticed that populists quite often live in contradiction with the principles that they and their parties propagate? Take the current president and vice president of the United States. One of their main goals is for “illegal aliens” to be deported from the US. They have declared war on diversity and social inclusion policies.
At the same time, the wives of both have a migrant background, as did Donald Trump’s first wife.
When she arrived in the US in 1996, the current first lady Melania Trump violated immigration law because, before receiving a work visa, she did work for which she was paid a little over 20,000 dollars. Today US border authorities apply the harshest possible institutional repression to people who have committed far lesser transgressions. The 28-year-old Briton Becky Burke, for example, was locked up for weeks in a detention center in terrible conditions because she had taken part in a cultural exchange program, and according to immigration officers she should not have received free food and lodging during the exchange.
The vice president’s wife, Usha Vance, was born in the States, but her parents are immigrants from India. In profile, her family incidentally rather resembles that of the Democrats’ presidential candidate Kamala Harris: foreigners of another race who were given a chance in the US to develop academically and professionally, as well as to provide opportunities for a good education to their daughters. And that would not have been possible without the diversity and inclusion policies condemned today.
We have similar precedents in Bulgaria too. Among the leading politicians of the far-right party VMRO – BND, for example, are Carlos Contrera, whose father is Cuban, and Alexander Sidi, who is of Jewish origin.
Tricks for public legitimation
The presence of representatives of minorities in far-right parties, especially in leading positions, sends mainstream political forces and voters the message that the party in question cannot be all that extreme.
Here again VMRO can serve as an example. In 2017, when the party was in government as part of the United Patriots coalition, a scandal broke out over photos showing Nazi salutes by Ivo Antonov of VMRO, director of the Social Policy directorate at the Ministry of Defence, and Petar Haralampiev of the United Patriots, chairman of the Agency for Bulgarians Abroad. At the time, Alexander Sidi tried to downplay the content of the photos from the standpoint of his Jewish origin:
I am a Jew and I am a member of the leadership of VMRO, and I am a member of parliament from the United Patriots. And any characterizations that all of us, the United Patriots, are fascists somehow insult the memory of my grandmother and grandfather, who were in fact […] loaded into the wagons in ’43.
Sidi reacted in a similar way to the scandal in the European Parliament in 2022, when Angel Dzhambazki made a gesture resembling “Heil Hitler”. He accused “the whole liberal society” of hypocrisy and declared that “some people are looking for a calf under the ox and have evidently found one”.
By this logic, putting Weidel at the head of the AfD can be used as an argument that the party is not Nazi, since it is co-chaired by a homosexual woman: under National Socialism, homosexuals (mostly men) were sent to concentration camps. Weidel’s persona plays the role of a fig leaf covering her party’s shame.
The AfD and LGBTI people
We now move on to the not-so-easy answers, and we need to question some beliefs. Because in Bulgaria it is natural to perceive foreign far-right parties as analogous to our own. And here most of the mainstream parties also send anti-LGBTI messages and vote for homophobic policies, let alone the far-right ones. Homophobia and transphobia are a strategy for winning voters, and the so-called democratic parties avoid sending messages in support of LGBTI people so as not to lose their voters.
The AfD also sends homophobic and transphobic messages and makes legislative proposals in this area. But unlike in Bulgaria, attitudes toward LGBTI people in Germany are far more accepting. According to a 2021 Ipsos survey, only 8% of Germans are against any form of recognition of LGBTI people. 71% support same-sex marriage, 73% support equal rights for same-sex couples in adopting children, and 70% believe that trans people should be protected from discrimination.
Relatively louder is the discontent in Germany over the legalization of the neutral gender, and in particular its inclusion in the language. It is common for this to be done with asterisks, colons or other characters that show that the plural includes all genders, e.g. Student*innen. At the beginning of 2024, Bavaria banned these linguistic innovations in institutions, schools and universities. They nevertheless continue to be used widely in the country.
But against the generally tolerant background, the AfD’s anti-LGBTI positions are more moderate than those of Vazrazhdane, for example.
Alice Weidel’s positions
In her public statements, Alice Weidel herself on the whole does not support equal rights for LGBTI people. On the one hand, contrary to her party’s position that a family consists of a father, a mother and their children, she maintains that family is wherever there are children. On the other hand, however, the AfD co-chair has not married her long-time partner and believes that marriage should be only between a man and a woman, while same-sex couples should have a registered partnership that carries the same rights as marriage.
Belonging to a given social group does not automatically make you part of a community. “I am not queer,” Weidel declares. Probably one of the reasons she says these words is that the term “queer” carries a left-wing political charge. That is not all, however: the AfD’s recent candidate for chancellor does not consider herself part of an LGBTI community. She speaks out against trans people, talking about “gender nonsense” and about the need to protect children from “stupid trans pop culture”.
Weidel, incidentally, is by no means an exception. Many homosexual and bisexual people do not support transsexual people and believe that trans people’s struggle for legal recognition gets in the way of the struggle for equal rights for homosexuals. There are lesbians who believe that their problems have nothing in common with those of gay men, and vice versa. And so on.
Do LGBTI people in Germany like the AfD?
“Romeo” is a popular dating platform for homosexual and bisexual men in Germany. According to a February 2025 poll of its users’ electoral attitudes, posted on the platform and answered by whoever chose to respond, the AfD ranks first with 27.9%. In second place are the Greens, with 8 percentage points less. The results create the deceptive impression that nearly 28% of non-heterosexual men support the AfD.
It is not possible to conduct a representative survey of LGBTI people in a given country, because no one knows how many of them there are. Still, it is possible to use methods that lead to more precise results, instead of simply asking some questions and not controlling what kind of people answer.
The University of Giessen has taken the trouble to conduct a more serious study of the electoral attitudes of LGBTI people in Germany. The results show that only 2.8% of respondents intend to vote for the AfD, and the share among men specifically is 5.3%. The majority of those asked, 45.3%, support the Greens.
Where is the key?
Alice Weidel is not a precedent, nor is the existence of far-right openly homosexual politicians anything new.
Today the name of Pim Fortuyn (1948–2002) is somewhat forgotten. He was a Dutch politician and openly gay, killed in 2002 by a critic of anti-Islamism. In his youth Fortuyn was a Marxist and communist, and in the 1990s he moved from the far left to the far right, disappointed by the policy of multiculturalism and by immigration, specifically from Islamic countries. He expressed concern that if Muslims in the Netherlands did not adopt the values of the host country, the achievements of women’s and homosexuals’ struggle for emancipation would suffer a regression. At the same time, Fortuyn held liberal positions on same-sex marriage, drugs and euthanasia.
This is how the defence of European liberal values can turn into a justification for a far-right turn and, ultimately, into a negation of the idea of European unity. Because Europe, according to its critics, by admitting Muslims to its territory, fails to uphold the principles on which it is founded.
Now Weidel no longer looks like such a strange bird: she too sees Islam as a threat to the rights of homosexuals and women. It is another matter that AfD members and voters who support gay people have a “blind spot” regarding the increasingly repressive homophobic policy in Russia, for example.
Anti-immigrant attitudes and Islamophobia are the least common multiple in the AfD.
They are also the unifying principle of the party’s voters, who may hold varied positions on LGBTI people, but what they have in common is that they perceive migration as a threat, especially if it comes from Islamic countries.
Some AfD voters hold outright neo-Nazi views, but many are far more moderate and are genuinely offended if they are called Nazis. They do, however, experience themselves as losers from the way Germany has developed, and the easiest thing for them is to single out some external enemy. Foreigners are especially convenient for the purpose, and the more they differ from Germans in culture and appearance, the greater enemies they appear.
Members of different groups of Germans experience themselves as losers in different ways.
In eastern Germany, the sense of lagging behind the western part of the country and of being condescended to by its population has escalated to the point that the AfD has become the leading political force.
In the Ruhr region in north-western Germany, for example, people whose families voted for the Social Democrats for generations are turning to the AfD. The mines in the area have been closed, and the Social Democratic Party, suited to the industrial era, fails to offer policies appropriate for a post-industrial society. Former workers become long-term unemployed or work in jobs that do not match their qualifications. Their towns are depopulating, and more and more refugees and Roma are settling in them. Besides changing the face of their home towns, the newcomers become competition for cheap housing and social benefits. And they become a convenient object of hatred.
In the considerably richer south-west, foreigners are seen mainly as people irreversibly destroying Germany as it was a few decades ago: one in which almost everyone is ethnically German and which is economically far stronger than today. Immigrants, and especially refugees, rather than the lack of an adequate housing policy, are seen as the main cause of the housing crisis and the constantly rising rents both in south-western Germany and in the big cities.
A negligible detail with possible dual use
To sum up. Unlike Bulgaria and other countries of the former Eastern Bloc, Germany has not been gripped by the campaign against the Istanbul Convention and “gender”. It has reached mainly representatives of ultra-conservative religious circles in the country, who are a negligible minority. Although there are Germans with anti-LGBTI attitudes, they are not the typical case. The main leitmotif fuelling radicalization is migration, especially from Islamic countries. That is why the sexuality of the AfD’s co-chair looks like a negligible detail.
At the same time, it is a symbolic weapon with possible dual use. Before the party’s members and sympathizers, the fact that Alice Weidel is a lesbian is used as an argument against Muslim foreigners, portrayed as a threat to women and homosexuals. On the other hand, Weidel’s persona is the mask meant to convince the democratic world that the AfD is not an extremist but a normal and even tolerant party.
A Taxonomy of Adversarial Machine Learning Attacks and Mitigations
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2025/03/a-taxonomy-of-adversarial-machine-learning-attacks-and-mitigations.html
NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures.
Classified, or Not Classified?
Post Syndicated from The Atlantic original https://www.youtube.com/watch?v=aaCMSyhL9LE









