Cloud Chronicles

SAN FRANCISCO — In a company-wide Slack post this week, software engineer Tyler McKeon publicly thanked his cloud security team for “building such a clean, secure, beautifully automated deployment pipeline,” before admitting he “didn’t actually use it.”

McKeon, who works at DataQuarry, described the new “paved road” for secure infrastructure as “a huge step forward for developer safety,” but added that he “needed a bit more flexibility to meet a personal deadline,” so he “just deployed everything manually in a test AWS account that might technically be prod now.”

“It’s nothing against the paved road,” McKeon told The Exploit Daily. “It’s great for people who like process. I just needed to get something running fast — so I skipped the guardrails and drove straight through the woods.”

The paved road took nine months and roughly $1.2 million to build. It includes one-click templates, pre-approved IAM roles, and automated scanning — a setup designed to make secure deployment “so easy even engineering would do it.”

“We gave them everything they asked for — less friction, more automation, Slack notifications that say nice things,” said Nina Alvarez, DataQuarry’s head of cloud security. “And then they immediately built something on their own using root credentials and a Reddit tutorial.”

When the team discovered 14 unapproved AWS environments under McKeon’s name — one running in a region the company hadn’t enabled — they initially assumed it was a penetration test.

“We thought red team was testing response times,” Alvarez said. “Turns out it was just Tyler testing in production.”

Experts say the scenario is common.

“Every enterprise builds a paved road,” said cloud governance analyst Ben Kingston. “And every engineer looks at it, nods approvingly, and then floors it into the swamp to ‘move faster.’ It’s just instinct.”

McKeon insists he appreciates the security team’s effort.

“They really nailed the UX,” he said. “But it takes five minutes to deploy through their system, and I can create a public S3 bucket in twelve seconds. That’s just math.”

Minutes after the interview, DataQuarry’s security Slack lit up again:

ALERT: Unrecognized resource detected — tyler-personal-prod-v3.

Alvarez stared at the screen and sighed.