
AWS — Basics

  • EC2 — virtual machines. Instance types: general (t/m), compute (c), memory (r/x), storage (i/d), GPU (g/p). On-demand vs reserved (1-3y) vs savings plans vs spot (cheap but interruptible).
  • Lambda — serverless functions. 15min max, up to 10GB memory, ephemeral filesystem 512MB-10GB, free tier 1M req/mo. Triggered by API GW, S3, SQS, EventBridge, Kinesis, DynamoDB Streams.
  • ECS — managed Docker. Two launch types: EC2 (you manage hosts) or Fargate (serverless containers).
  • EKS — managed Kubernetes.
  • Elastic Beanstalk — PaaS abstraction over EC2/EBS/RDS. Less control.
  • App Runner / Lightsail — simpler container/VM hosting.
  • S3 — object store. 11 9s durability, 4 9s availability. Storage classes: Standard, IA, Glacier (cheap archive). Versioning, lifecycle, replication, Object Lock (immutable).
  • EBS — block storage for EC2. gp3 (default SSD), io2 (high IOPS), st1 (throughput HDD), sc1 (cold). Snapshots → S3.
  • EFS — managed NFS, multi-AZ, elastic.
  • FSx — managed Lustre / Windows / NetApp.
  • Glacier — long-term archive. Retrieval delays.
  • RDS — managed Postgres / MySQL / MariaDB / Oracle / SQL Server. Multi-AZ, read replicas, automated backups.
  • Aurora — proprietary MySQL/Postgres-compatible. Faster, decoupled storage. Aurora Serverless v2 auto-scales.
  • DynamoDB — NoSQL key-value + document. Single-digit ms latency. On-demand or provisioned. GSI/LSI. Streams.
  • ElastiCache — managed Redis / Memcached.
  • OpenSearch — managed Elasticsearch fork.
  • DocumentDB — Mongo-compatible (limited).
  • Neptune — graph DB.
  • Redshift — analytical warehouse, columnar.
  • Athena — serverless SQL over S3 (Presto/Trino).
  • Timestream — time series.
  • VPC — virtual network. CIDR, subnets (per AZ, public/private), route tables, IGW (internet gateway), NAT gateway.
  • Security Group — stateful firewall on ENI/instance level.
  • NACL — stateless ACL on subnet level.
  • VPC Peering / Transit Gateway — cross-VPC connectivity.
  • VPC Endpoint — private access to AWS services (Gateway type for S3/DynamoDB; Interface for others).
  • Route53 — DNS + health checks + geo routing.
  • CloudFront — CDN.
  • ELB: ALB (L7, HTTP/HTTPS), NLB (L4, TCP/UDP, ultra low latency, static IP), GWLB (security appliances).
  • API Gateway — REST or HTTP APIs. WebSocket too. Auth, throttling, caching.
  • PrivateLink — service-to-service across accounts privately.
  • Direct Connect / VPN — to on-prem.
  • IAM — users, groups, roles, policies. Use roles for service identity (EC2 instance profile, Lambda exec role).
  • Policy types: identity-based (on user/role), resource-based (on bucket, queue), permissions boundary (cap), SCP (org-wide).
  • Evaluation: explicit Deny > Allow. No matching Allow = implicit deny.
  • STS — temporary credentials, AssumeRole, federated access.
  • IAM Identity Center (SSO) — workforce SSO.
  • Cognito — end-user identity (user pools + identity pools).
  • SQS — queue (Standard or FIFO).
  • SNS — pub/sub (topics, subscribers).
  • EventBridge — event bus, rules, schemas, partner events. Cron-like schedules.
  • Kinesis Data Streams / Firehose — streaming.
  • MQ — managed RabbitMQ/ActiveMQ.
  • MSK — managed Kafka.
  • Step Functions — workflow orchestration.
  • CloudWatch — metrics, logs, alarms, dashboards, log insights.
  • CloudTrail — API audit log (all AWS API calls).
  • X-Ray — distributed tracing.
  • Config — resource state changes / compliance.
  • CloudWatch Synthetics — uptime probes.
  • KMS — managed encryption keys. KMS keys (formerly CMKs) are either AWS-managed or customer-managed.
  • Secrets Manager — secrets w/ rotation.
  • Parameter Store (SSM) — config/secrets, free tier.
  • WAF — L7 firewall.
  • Shield — DDoS protection (Advanced is paid).
  • GuardDuty — threat detection.
  • Inspector — vulnerability scan.
  • Macie — PII detection in S3.
  • Cost Explorer, Budgets, Cost Anomaly Detection.
  • Organizations — multi-account tree, SCPs.
  • Control Tower — landing zone with guardrails.
  • Tagging discipline = cost allocation.
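The IAM evaluation rules in the bullets above (explicit Deny beats Allow, permissions boundary as a cap, SCP as the org-wide gate, otherwise implicit deny), worked through as an added Python model; this is not code from the original page or from AWS, it is a deliberately simplified same-account evaluator (no Condition, NotAction or session policies), and the bucket name, role permissions and SCPs are constructed samples.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    """True if a statement's Action/Resource patterns (IAM '*' and '?' wildcards) cover the request."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # IAM action names are case-insensitive
    resources = _as_list(stmt.get("Resource", "*"))                   # ARNs are matched case-sensitively
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def _effects(policy, action, resource):
    """Set of effects ('Allow' / 'Deny') from the statements of one policy that match the request."""
    if policy is None:
        return set()
    return {s["Effect"] for s in _as_list(policy["Statement"]) if _matches(s, action, resource)}

def evaluate(action, resource, identity=None, resource_policy=None, boundary=None, scps=()):
    """Simplified same-account order: an explicit Deny anywhere wins; SCPs (if any) and the permissions
    boundary (if set) must each contain a matching Allow; then the identity-based or resource-based
    policy must Allow; anything else is an implicit deny."""
    if any("Deny" in _effects(p, action, resource) for p in (identity, resource_policy, boundary, *scps)):
        return "DENY (explicit)"
    if scps and not any("Allow" in _effects(p, action, resource) for p in scps):
        return "DENY (implicit: no SCP allow)"
    if boundary is not None and "Allow" not in _effects(boundary, action, resource):
        return "DENY (implicit: outside permissions boundary)"
    if "Allow" in _effects(identity, action, resource) | _effects(resource_policy, action, resource):
        return "ALLOW"
    return "DENY (implicit: no matching Allow)"

# Constructed sample policies (hypothetical bucket name and role permissions).
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                              "Resource": "arn:aws:s3:::app-data/*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}  # cap: read-only
SCPS = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},           # FullAWSAccess-style
        {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]  # org-wide guardrail

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-data/report.csv"),
                     ("s3:PutObject", "arn:aws:s3:::app-data/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),
                     ("s3:DeleteBucket", "arn:aws:s3:::app-data")]:
        print(f"{act:16} {res:40} -> {evaluate(act, res, ROLE_POLICY, boundary=BOUNDARY, scps=SCPS)}")
```

For a real principal, `aws iam simulate-principal-policy` (listed in the CLI block below) answers the same question against the actual policies attached.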

Serverless event-driven stack (common pattern)


API Gateway → Lambda → DynamoDB / SQS / EventBridge → Lambda → S3 / SNS. Cheap, scalable, ops-light.

aws sts get-caller-identity
aws s3 ls
aws s3 cp file s3://bucket/key
aws ec2 describe-instances --filters Name=tag:env,Values=prod
aws logs tail /aws/lambda/myfn --since 10m --follow
aws iam simulate-principal-policy --policy-source-arn ARN --action-names s3:GetObject

Well-Architected Framework pillars: Operational excellence, Security, Reliability, Performance, Cost optimization, Sustainability.