diff --git a/lab-3/LAB-REPORT.md b/lab-3/LAB-REPORT.md index 8cb106e..691bccf 100644 --- a/lab-3/LAB-REPORT.md +++ b/lab-3/LAB-REPORT.md @@ -41,7 +41,7 @@ ### Stretch - [x] Create a bucket policy that blocks all public access but allows your IAM role - - [ ] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/) + - [x] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/) <<<<<<< HEAD ![restrict to role](./assets/restrict-to-role.jpg) @@ -51,16 +51,16 @@ - [x] **Experiment** with requiring MFA or VPC conditions. - [x] MFA conditions - * MFA did not work out of the box after setting it in the s3 bucket policy. - The ways I found you can configure MFA: - * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli) - * [official guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) - * [x] via cli roles - I set up a new set of role-trust relationships. - Update s3 Role: - Update action: sts:assumerole - Update principle (for user -- could not target group) - Add condition (MFA bool must be true) - * Commands referenced: I set up a script that looks like this + * MFA did not work out of the box after setting it in the s3 bucket policy. + The ways I found you can configure MFA: + * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli) + * [official guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + * [x] via cli roles - I set up a new set of role-trust relationships. + * Update s3 Role: + * Update action: sts:assumerole + * Update principle (for user -- could not target group) + * Add condition (MFA bool must be true) + * Commands referenced: I set up a script that looks like this ```bash MFA_TOKEN=$1 
@@ -91,11 +91,11 @@ export AWS_SECRET_ACCESS_KEY=$(echo "$SESSION_OUTPUT" | jq '.Credentials.SecretA aws s3 ls s3://witch-lab-3 ``` - * configuration via ~/.aws/credentials - * 1Password CLI with AWS Plugin - * I use bitwarden, which also has an AWS Plugin - * I've seen a lot more recommendations (TBH it's more like 2 vs 0) - for 1password for password credential setup. Wonder why? +* configuration via ~/.aws/credentials +* 1Password CLI with AWS Plugin + * I use bitwarden, which also has an AWS Plugin + * I've seen a lot more recommendations (TBH it's more like 2 vs 0) + for 1password for password credential setup. Wonder why? - [x] **Host a static site** - [x] Enable a static website hosting (`index.html`) 
@@ -109,23 +109,56 @@ aws s3 ls s3://witch-lab-3 ======= * Cloudflare Edge Certificate -> Cloudfront -> S3 Bucket * In this step, I disabled "static website hosting" on the s3 bucket + * This was actually maddening to set up. For reasons I can't understand even + after Google Searching and ChatGPTing, my s3 bucket is under us-east-2 + and Cloudfront kept redirecting me to the us-east-1 for some reason. I don't like + switching up regions under AWS because this way it's easy to forget what region + you created a specific service in because they're hidden depending on what + region is active at the moment. + **Private "Invite-Only" Resume Hosting** -1. [x] **Pre-signed URLs** - `aws s3 presign s3:///resume.pdf --expires-in 3600` + +- [x] **Pre-signed URLs** +`aws s3 presign s3:///resume.pdf --expires-in 3600` +(see: presigned url screenshot) ![presigned url](./assets/create-presigned-url.jpg) >>>>>>> 1437cee (Add resume pdf & html) ### Further Exploration -1. [ ] Snapshots & AMIs +- [ ] Snapshots & AMIs - [ ] Create an EBS snapshot of `/dev/xvda` - [ ] Register/create an AMI from that snapshot - - [ ] How do you "version" a server with snapshots? Why is this useful? + - [x] How do you "version" a server with snapshots? Why is this useful? + **Cattle, not pets** + This is useful for following the concept for treating your servers as + "cattle, not pets". Being able to keep versioned snapshots of your machines + means there's nothing special about your currently running server. + If it goes down (or you need to shoot it down), you can restore it on + another machine from an older snapshot. + + Or if you needed to suddenly scale your operation from 1 machine to many, + where each machine needed the exact same configuration set as the other + (all need fail2ban installed, etc. etc,) -- you can do that with + an AMI image. - [ ] Launch a new instance from your AMI -2. [ ] Linux & Security Tooling -3. 
[ ] Scripting & Automation +- [ ] Linux & Security Tooling + - [ ] `ss -tulpn`, `lsof`, `auditctl` to inspect services and audit + - [ ] Install & run: + - [ ] nmap localhost + - [ ] tcpdump - c 20 -ni eth0 + - [ ] lynis audit system + - [ ] fail2ban-client status + - [ ] OSSEC/Wazuh or ClamAV +- [ ] Scripting & Automation - [ ] Bash: report world-writable files - [ ] Python with boto3: list snapshots, start/stop instances +- [ ] Convert to terraform + - [ ] IAM Role + - [ ] IAM Policy + - [ ] IAM Group + - [ ] EC2 Instance + - [ ] S3 Bucket ## Further Reading - [ ] 
@@ -134,14 +167,21 @@ aws s3 ls s3://witch-lab-3 ## Reflection * What I built + * A secured s3 bucket for secure content that can only be accessed via multi-factor authentication + Good for storing particularly sensitive information. + * A minimal HTML website served from an S3 bucket * Challenges - * Groups cannot be used as the principal in a trust relationship * The stretch goal for setting up s3 + mfa was a bit of a pain: - * The earlier lab had me set up a trust relationship on the role to allow EC2 as a principal - on the role - When I later updated IAM permissions to include MFA, I promptly forgot about this detail - and had chatgpt help me with troubleshooting. It was pretty good at helping me figure out - the issue + * Groups cannot be used as the principal in a trust relationship, breaking my mental model + of the ideal way to onboard/offboard engineers by simply removing them from groups + (although I may have set up the IAM permissions in an inefficient way. I ended up having to + assign a user as the principal of the trust relationship for my s3 role.) + * Issues between setting up Cloudflare -> CloudFront -> s3 bucket + * I think adding an extra service (Cloudflare, where I host my domain) added a little bit of complexity, though + my main issue was figuring out how to set up the ACM cert -> CloudFront distribution -> S3. + Most of the instructions I was able to parse through with ChatGPT -- I have to say I had a much + better reading through those instructions than with the official AWS docs, which led me through + nested links (understandably, because there seem to be multiple ways of doing everything). * Security concerns On scale and security at scale 
@@ -156,9 +196,4 @@ graph LR classDef aside stroke-dasharray: 5 5, stroke-width:2px; ``` -## End lab -- [ ] On June 20, 2025, do the following: - - [ ] Clean up - - [ ] Custom roles - - [ ] Custom policies - - [ ] Shut down ec2 Instance \ No newline at end of file +![Identity Access Management](./assets/mermaid.jpg) \ No newline at end of file diff --git a/lab-3/assets/mermaid.jpg b/lab-3/assets/mermaid.jpg new file mode 100644 index 0000000..909c55e Binary files /dev/null and b/lab-3/assets/mermaid.jpg differ diff --git a/resources/RESOURCES.md b/resources/RESOURCES.md index c17e27f..d1d43d7 100644 --- a/resources/RESOURCES.md +++ b/resources/RESOURCES.md @@ -5,3 +5,5 @@ ## Read - [ ] [Debugging Zine](https://jvns.ca/debugging-zine.pdf) - [ ] [The 5 Cybersecurity roles that will disappear first](./assets/The%205%20Cybersecurity%20Roles%20That%20Will%20Disappear%20First%20_%20by%20Taimur%20Ijlal%20_%20Jun,%202025%20_%20Medium-1.pdf) +- [ ] Cloud Security For Beginners +- [ ] Sandworm \ No newline at end of file diff --git a/utilities/pdf_make/Dockerfile b/utilities/pdf_make/Dockerfile index 6d4bdab..1ff14d2 100644 --- a/utilities/pdf_make/Dockerfile +++ b/utilities/pdf_make/Dockerfile @@ -1,5 +1,5 @@ -# pdf_make/Dockerfile -FROM pandoc/latex:2.19 +# Use the official Pandoc image as base +FROM pandoc/latex:latest WORKDIR /app diff --git a/utilities/pdf_make/generate_reports.sh b/utilities/pdf_make/generate_reports.sh index cb1672e..a95cfb8 100755 --- a/utilities/pdf_make/generate_reports.sh +++ b/utilities/pdf_make/generate_reports.sh 
@@ -21,7 +21,7 @@ find . -maxdepth 1 -type d -name "lab-*" | while read lab_dir; do # Generate PDF using pandoc # Make sure 'pandoc' command is available in the image, which it is for pandoc/latex image_dir="$lab_dir" - pandoc "$markdown_file" -s -o "$pdf_file" --pdf-engine=pdflatex --resource-path "$image_dir" -V geometry:margin=0.5in + pandoc "$markdown_file" -s -o "$pdf_file" --pdf-engine=xelatex --resource-path "$image_dir" -V geometry:margin=0.5in if [ $? -eq 0 ]; then echo "Successfully generated $pdf_file"
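Review bot: unresolved merge-conflict markers are committed in lab-3/LAB-REPORT.md and survive this change as context lines: `<<<<<<< HEAD` in the @@ -41 hunk, and `=======` plus `>>>>>>> 1437cee (Add resume pdf & html)` in the @@ -109 hunk. Resolve the conflict and drop the three marker lines before merging, since they also break the pandoc PDF build's rendering of the section. The typo "Implmented" is carried over from the `-` line into the `+` line; "Implemented".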
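Review bot: in the @@ -51 hunk the re-indented trust-relationship steps say `Update principle`; the IAM term is `principal`. `sts:assumerole` is conventionally written `sts:AssumeRole`, and the "MFA bool must be true" step would be unambiguous if it named the condition key the trust policy actually uses, e.g. `"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}`. In the script that follows, `MFA_TOKEN=$1` puts the one-time code into shell history and process listings; reading it with `read -s` avoids both.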
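Review bot: the context line heading the @@ -91 hunk shows `export AWS_SECRET_ACCESS_KEY=$(echo "$SESSION_OUTPUT" | jq '.Credentials.SecretA…` with jq invoked without `-r`, which would export the value wrapped in its JSON double quotes and make every subsequent call fail authentication; confirm the script uses `jq -r` for all three credential fields (access key id, secret key, session token). Separately, the re-indentation moves `configuration via ~/.aws/credentials` and `1Password CLI with AWS Plugin` from under the MFA item to top-level bullets, so they now read as siblings of the stretch goals rather than as alternative ways to configure MFA; if that is not intended, keep the original nesting.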
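Review bot: in the @@ -109 hunk the added command `aws s3 presign s3:///resume.pdf --expires-in 3600` has an empty bucket name (three slashes); it should read `s3://<bucket-name>/resume.pdf`. Worth adding next to it: a presigned URL signed with temporary credentials, such as the MFA role session set up above, stops working when that session expires regardless of `--expires-in`, so the report should record which credentials produced the screenshot. In the Linux tooling checklist, `tcpdump - c 20 -ni eth0` has a stray space; `tcpdump -c 20 -ni eth0`. The paragraph on CloudFront redirecting to us-east-1 would help a later reader more if it recorded the cause once found; one known constraint to check is that CloudFront only accepts ACM certificates issued in us-east-1, which forces exactly the region switch described.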
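Review bot: in the @@ -134 hunk, the added challenge "Groups cannot be used as the principal in a trust relationship" is correct, but the group-based onboarding/offboarding model does not have to be abandoned: the usual pattern is for the role's trust policy to trust the account (`"AWS": "arn:aws:iam::<account-id>:root"`) with the `aws:MultiFactorAuthPresent` condition, and to grant `sts:AssumeRole` on that role in a policy attached to the group, so membership alone decides who can assume it. The "What I built" line "can only be accessed via multi-factor authentication" is slightly stronger than what the setup enforces: MFA is checked when the role is assumed, and the bucket policy restricts access to the role; phrasing it that way keeps the report accurate.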
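Review bot: the @@ -156 hunk deletes the "End lab" cleanup checklist (custom roles, custom policies, shut down the EC2 instance, dated June 20, 2025) rather than ticking it off, so nothing in the report now records whether the instance and the custom IAM objects were torn down; keep the list and mark the items done, or note the teardown in the Reflection, so unused roles and a running instance are not forgotten.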
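Review bot: in utilities/pdf_make/Dockerfile, `FROM pandoc/latex:latest` replaces the pinned `pandoc/latex:2.19`, so the base image can change underneath generate_reports.sh without any change in this repository (the same commit switches to `--pdf-engine=xelatex`, presumably the reason for the move). Pin to an explicit version tag, or better a digest (`pandoc/latex:<version>@sha256:<digest>`), so the report build stays reproducible and the image that was reviewed is the one that runs.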