Don't Give It the Keys

The AI knew every step. I made every click. That's the point.


What just happened

An hour ago, this site didn't have HTTPS — the padlock icon that tells your browser a connection is encrypted. It does now. Here's the jargon parade that made it happen:

Everything I Had to Touch to Get a Padlock Icon

- CloudFront: worldwide content delivery network (sits in front of S3, adds HTTPS)
- ACM Certificate: encryption credential that makes the padlock (must be in us-east-1 because reasons)
- Route 53: DNS management (phone book for domains) (3 hosted zones, A records, aliases)
- DNS Validation: proving I own the domain by adding magic records (took 15 min to propagate)
- Origin Protocol: how CloudFront talks to S3 (must be HTTP, not HTTPS) (got this wrong. 504 error. fun.)
- Domain Registration: buying youplusplus.xyz .net and .org ($50/yr for the namespace)

What the user wanted: A padlock icon in the browser.

Six AWS services. Twelve console screens. One hour. One padlock. This is why nobody does this alone.

I have never done any of this before. I don't manage DNS (the internet's phone book — it translates domain names like "youplusplus.xyz" into the address of the actual computer that has the files). I don't provision certificates. I don't configure CDNs. I'm a data engineering manager who writes database queries for a living.

Claude guided me through every screen, every dropdown, every setting. And I clicked every button myself.

The conversation pattern

Here's what the conversation actually looked like, over and over:

Claude: "Go to CloudFront. Set origin to HTTP only. Click Next."
Human: [screenshot] "go nogo?"
Claude: "Go." or: "No go. Fix the protocol."
(repeat twelve times)

- 12 screenshots sent
- 45 minutes elapsed
- 1 504 error caught

Zero credentials shared. Zero buttons clicked without confirmation.

Screen after screen. "Go nogo?" with a screenshot. Claude reads the screenshot, confirms the settings are right, and I click the button. Sometimes Claude catches something — "that origin protocol needs to be HTTP only, not Match Viewer" — and I fix it before committing.

It's a human-AI feedback loop with the human holding the steering wheel.
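The two checks Claude made from the screenshots (origin protocol for an S3 website endpoint, certificate region) can also be written down as a preflight. This is an added example, not code from the session; the dict follows the shape of a CloudFront DistributionConfig, and the bucket name, account ID, certificate ID and wrong-region certificate are constructed.

```python
import re

# S3 static-website endpoints look like <bucket>.s3-website-<region>.amazonaws.com
# or <bucket>.s3-website.<region>.amazonaws.com, and they speak HTTP only.
S3_WEBSITE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")

def go_nogo(dist_config):
    """Return no-go findings for a CloudFront DistributionConfig-shaped dict."""
    findings = []
    for origin in dist_config.get("Origins", {}).get("Items", []):
        if not S3_WEBSITE.search(origin.get("DomainName", "")):
            continue
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy != "http-only":
            findings.append(f"origin {origin.get('Id')}: protocol policy is "
                            f"{policy!r}, S3 website endpoints need 'http-only'")
    arn = dist_config.get("ViewerCertificate", {}).get("ACMCertificateArn")
    if arn:
        # ARN layout: arn:partition:service:region:account:resource
        fields = arn.split(":")
        region = fields[3] if len(fields) > 3 else ""
        if region != "us-east-1":
            findings.append(f"certificate is in {region!r}, CloudFront needs us-east-1")
    return findings

# Constructed draft: Match Viewer on the origin, certificate in the bucket's region.
DRAFT = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "site-origin",
        "DomainName": "example-site-bucket.s3-website-us-west-1.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "match-viewer"}}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-west-1:111122223333:certificate/EXAMPLE"},
}
# Same draft after both corrections.
FIXED = {
    "Origins": {"Quantity": 1, "Items": [{
        **DRAFT["Origins"]["Items"][0],
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "http-only"}}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"},
}

if __name__ == "__main__":
    for name, cfg in (("draft", DRAFT), ("fixed", FIXED)):
        problems = go_nogo(cfg)
        print(name, "GO" if not problems else "NO GO: " + "; ".join(problems))
```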

Why not just give it the credentials?

I could have given Claude my AWS access keys. It already has limited command-line access to push files to S3 for this site. So why did I sit in the AWS console clicking buttons instead of letting Claude do it in ten seconds?

Blast Radius: What Happens If It Goes Wrong?

- Push a blog post: Bad post goes live. Delete it. Done. Recovery time: 30 seconds. Give it the keys.
- Configure a CDN: Wrong origin = 504 errors. Bad cache = stale pages. Recovery time: 5-15 minutes. Hold the keys. Follow the map.
- Register a domain: Wrong domain = money gone. DNS errors = site vanishes. Recovery time: hours to never. Hold the keys. Check every screen.

Scale: Reversible, Fixable, Permanent.

The question isn't "can the AI do this?" It's "what happens if the AI gets it wrong?" If you can undo it in 30 seconds, let the AI drive. If you can't, you drive.

These are not write-a-file-and-check-if-it-works operations. These are configure-infrastructure-that-real-humans-immediately-interact-with operations. The blast radius is different.
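Keeping the AI's credentials "limited" is something that can be checked rather than assumed. The audit below is an added example, not the site's own tooling: it flags any Allow statement that goes beyond pushing files to one bucket. The bucket name, the two permitted S3 actions and both sample policies are assumptions constructed for illustration.

```python
# Services the post keeps in human hands (CloudFront, ACM, Route 53, IAM),
# plus route53domains for domain registration.
HELD_SERVICES = {"cloudfront", "acm", "route53", "route53domains", "iam"}
# Assumption: pushing site files needs only these two S3 actions.
PUSH_ACTIONS = {"s3:putobject", "s3:listbucket"}
SITE_BUCKET_ARN = "arn:aws:s3:::example-site-bucket"  # placeholder bucket name

def as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return findings for Allow statements that exceed 'push files to the site bucket'."""
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {n}: NotAction allows everything not listed")
            continue
        bad = False
        for action in as_list(stmt.get("Action", [])):
            service = action.lower().split(":")[0]
            if service == "*" or service in HELD_SERVICES:
                findings.append(f"statement {n}: {action} reaches a held-keys service")
                bad = True
            elif action.lower() not in PUSH_ACTIONS:  # also catches s3:* and s3:Put*
                findings.append(f"statement {n}: {action} is more than a file push")
                bad = True
        if bad:
            continue  # statement is already a no-go; skip the resource check
        for res in as_list(stmt.get("Resource", [])):
            if res != SITE_BUCKET_ARN and not res.startswith(SITE_BUCKET_ARN + "/"):
                findings.append(f"statement {n}: resource {res} is outside the site bucket")
    return findings

# Constructed policies: one scoped to the push, one that hands over more.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": [SITE_BUCKET_ARN, SITE_BUCKET_ARN + "/*"]}]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets",
                                   "cloudfront:UpdateDistribution"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit(pol) or "OK")
```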

The spectrum of trust

Working with AI isn't all-or-nothing. There's a spectrum:

Give it the keys

Claude writes a blog post, pushes it to S3 (Amazon's cloud file storage), and a short script (called a Lambda function) rebuilds the table of contents. I review the text before pushing, but the operation itself is safe — worst case, a bad post goes live and I delete it. Low blast radius. Reversible. I let Claude run the push command directly.

Hold the keys, follow the map

Claude tells me exactly what to click in the AWS console. I screenshot each step. Claude confirms. I click. This is what we did today for CloudFront (the CDN), ACM (the certificate service), Route 53 (DNS management), and IAM (access control). High blast radius. Hard to reverse. I stay in the driver's seat.

Take the map, drive yourself

Claude explains the concepts and tradeoffs. I make the architectural decisions and implement them my own way. This is how the original S3 static hosting was chosen — Claude explained the options, I chose the approach.

The skill isn't knowing how to use AI. The skill is knowing which mode to use when.

What I actually contributed

If Claude knew every step, what did I actually do?

The Human's Actual Job

- Decided to do it: Claude mentioned CloudFront. I said "let's just do it."
- Caught the upsell: AWS showed a paid plan. I asked "ignore?" Saved $15/mo.
- Chose the domains: youplusplus.xyz + .net + .org. $50/yr namespace defense.
- Verified every screen: Every "go nogo?" = checkpoint. Wrong region? I'd see it.
- Diagnosed the 504: Site broke. I saw the error. Claude knew the fix.
- Stayed in the loop: Learned what these services look like. Next time: faster.

The human isn't overhead in this loop. The human is the quality gate. AI without a human is fast and occasionally catastrophic. A human without AI is careful and slow. Together: careful and fast.

The time question

Could Claude have done this faster with direct API access? Yes. Maybe five minutes instead of forty-five. But "faster" isn't the only variable.

If Claude had made the origin protocol mistake programmatically, it would have created the distribution, gotten a 504, diagnosed it, fixed it, and redeployed — all in maybe 90 seconds. Fast. Clean. And I would have learned nothing.

By sitting in the console, I now know what a CloudFront distribution looks like. Where origin settings live. How certificates validate via DNS. What Route 53 hosted zones contain. Why S3 website endpoints don't support HTTPS (honestly, still annoyed about that one). What a cache invalidation does.

Next time — for a different project, a different site, a different bucket — I'll know what Claude is talking about. I might even do some of it without asking. That's the compounding return on staying in the loop.

The jargon confession

Here's the thing I want to be honest about: I don't want to understand most of this ever again.

I don't want to know what CNAME validation records look like. I don't want to know why a TLS certificate has to be in us-east-1 when my bucket is in us-west-1. I don't want to know what "origin protocol policy" means or why "Match Viewer" is wrong for S3 website endpoints. I don't want to memorize the difference between an A record, a CNAME record, and an alias record.

I needed to understand it for one hour. That hour is over.

And that's fine. That's exactly what this partnership is for. Claude holds the map. I hold the keys. The map stays in Claude's head so it doesn't have to stay in mine. The next time I need to touch CloudFront — if there even is a next time — I'll describe the problem in English and Claude will tell me which screen to open.

The jargon served its purpose. It got me through the console. It doesn't need to live in my brain.

You don't memorize the route to a place you've only been once. You just remember who to ask for directions.

The rule

Here's the principle I've landed on after months of working with AI on everything from database queries to book publishing to website infrastructure:

Give the AI the keys to anything you can undo in thirty seconds. Hold the keys to everything else.

Writing a file? Give it the keys. Pushing a blog post? Give it the keys. Creating an AWS resource that costs money, touches DNS, or is visible to the public? Hold the keys. Read the screen. Ask "go nogo?" And don't click until you understand what you're clicking.

The AI is the navigator. You are the pilot. Navigators don't touch the controls. Pilots don't read the map. And planes land safely because both people know their job.


Disclosure: This page was written by Claude (Anthropic) under Bill's direction, describing a collaboration session that happened between the two of them approximately one hour before this post was written. The infrastructure described is real and in production. Bill took screenshots of every console screen during the session and shared them with Claude in real time.