What do encrypted OTP codes, base64 blobs, and Azure AD groups have in common? They all tried to break the new serverless client portal I was building on AWS during development. This session is an experience report from migrating a legacy EC2/RDS/WordPress client portal to a highly available serverless architecture built on Amazon Cognito, Amazon S3, Amazon CloudFront, Amazon DynamoDB, Amazon API Gateway, and AWS Lambda.

Rather than a step by step tutorial, this talk focuses on what actually went wrong during development and testing and how I worked through it: EntraID (Azure AD) groups not flowing into Cognito, unexpected complexity decrypting Cognito OTP codes with the AWS Encryption SDK v4, CORS issues between the frontend and API Gateway, learning how S3 Multi Region Access Points really work and how IAM permissions need to be configured for them, and document delivery problems when presigned URLs did not behave as expected.

This session is for cloud engineers, developers, and architects who already use, or plan to use, serverless services on AWS and want a realistic view of the trade-offs and “gotchas” you are likely to encounter before going live. It encourages a culture where you accept that you will not always know everything, you will make mistakes during design and implementation, and you can share those lessons openly so others can avoid the same pitfalls and build more reliable systems.

Attendees of this session can expect to walk away with:

A more realistic way to plan for unexpected issues in serverless projects, informed by concrete examples where identity, encryption, CORS, multi-region S3 access, and document delivery caused problems during this migration.

A better understanding of how to approach problems when AWS documentation or standard patterns are not enough, including when to keep trying configuration changes and when to step back and rethink the architecture instead.

Increased confidence that making mistakes during design and implementation is normal in real serverless projects, along with concrete examples of how to document and share those lessons so your team and community can avoid repeating them.