aws #serverless #react #webdev
published: true
date: "2026-05-08 21:30:00 UTC"
Today was one of those days where the code was technically correct, but the infrastructure said "No." I had to dive deep into AWS CloudWatch to fix a cascading series of silent failures in my AI Financial Agent.
Here is the breakdown of today's architecture fixes:
The Silent IAM Policy Trap
I built a full account annihilation flow. The user clicks "Delete," and Lambda is supposed to wipe their DynamoDB history and Cognito identity. But it didn't work. The API returned a success status, but the data remained.
Checking CloudWatch revealed an AccessDeniedException. My Lambda role lacked the dynamodb:BatchWriteItem and cognito-idp:AdminDeleteUser permissions. In serverless, if your IAM policies are strictly scoped (as they should be), you must account for every single AWS SDK method you call. I updated the inline policies, and the nuclear button finally worked.
DynamoDB Deletion Protection
While running manual boto3 cleanup scripts to fix the IAM mess, I realized a single typo in my Table() definition could wipe my production database. To fix this, I enabled Deletion Protection on my FinanceAgent-Transactions table. It's a simple toggle in the AWS Console that makes it impossible to delete the table without explicitly disabling the protection first. A 30-second fix for ultimate peace of mind.
React Data Hydration Flash
On the frontend, my UI had an annoying flash when loading the user's avatar. I was trying to be clever with Tailwind opacity-0 transitions and onLoad events. I ripped that out. By relying purely on localStorage caching and removing artificial CSS delays, the avatar now renders instantly on mount.
Context-Aware AWS SES Emails
My backend was lazily recycling the "Daily Report" HTML template for new users, resulting in welcome emails that said "Yesterday's Expenses: 0.00". I refactored email_engine.py to include a dedicated, structurally clean generate_welcome_email() function, and tied it to a strict welcome_email_sent flag in DynamoDB to guarantee it only fires once per user.
Infrastructure is messy, but today the system is drastically more resilient.
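Returning to the silent failure in "The Silent IAM Policy Trap": the sketch below is an added example, not the code from this project, showing a deletion handler that cannot report success when BatchWriteItem or AdminDeleteUser is denied or leaves work undone. The function names, the `FakeClient` stub and the ordering choice (data first, identity last) are assumptions; the clients passed in are expected to behave like boto3's low-level `dynamodb` and `cognito-idp` clients.

```python
import json

TABLE = "FinanceAgent-Transactions"  # table name from the post


def aws_error_code(exc):
    """Error code from a botocore ClientError-style exception, else the class name."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)


def delete_account(dynamodb, cognito, user_pool_id, username, keys):
    """Delete the user's items, then the Cognito user. Raises on any failure."""
    for i in range(0, len(keys), 25):  # BatchWriteItem takes at most 25 requests
        pending = {TABLE: [{"DeleteRequest": {"Key": k}} for k in keys[i:i + 25]]}
        for _ in range(5):  # bounded retry; a successful call can still skip items
            pending = dynamodb.batch_write_item(RequestItems=pending).get("UnprocessedItems")
            if not pending:
                break
        if pending:
            raise RuntimeError("UnprocessedItems remain after retries")
    # Reached only when every item is gone, so a failed run leaves a retryable account.
    cognito.admin_delete_user(UserPoolId=user_pool_id, Username=username)


def handle_delete(dynamodb, cognito, user_pool_id, username, keys):
    """Return 200 only if both steps succeeded; log the cause for CloudWatch."""
    try:
        delete_account(dynamodb, cognito, user_pool_id, username, keys)
    except Exception as exc:
        print(json.dumps({"level": "ERROR", "event": "account_delete_failed",
                          "code": aws_error_code(exc)}))
        return {"statusCode": 500, "body": json.dumps({"deleted": False})}
    return {"statusCode": 200, "body": json.dumps({"deleted": True})}


class FakeClient:
    """Constructed stand-in for a boto3 client; denies the operations named in `deny`."""
    def __init__(self, deny=()):
        self.deny, self.calls = set(deny), []

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append(op)
            if op in self.deny:
                exc = Exception(op)
                exc.response = {"Error": {"Code": "AccessDeniedException"}}
                raise exc
            return {}
        return call
```

The broad `except Exception` keeps the sketch runnable without botocore installed; inside Lambda, catching `botocore.exceptions.ClientError` gives the same `response["Error"]["Code"]` lookup.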
