AWS Primer: A Comprehensive Guide

Table of Contents

  1. Introduction to AWS
  2. Core AWS Services
  3. How Services Fit Together
  4. Interacting with AWS
  5. Pricing Overview
  6. Security Concepts
  7. Glossary

Introduction to AWS

Amazon Web Services (AWS) is a comprehensive cloud computing platform offering over 200 services. AWS operates on a pay-as-you-go model, allowing you to scale resources up or down based on demand. Services are deployed across multiple geographic regions, each containing multiple Availability Zones (isolated data centers).

Key Benefits

  • Scalability: Scale resources automatically based on demand
  • Global Infrastructure: Deploy applications worldwide in minutes
  • Pay-as-you-go: Only pay for what you use with no upfront commitments
  • Reliability: Built-in redundancy and high availability
  • Security: Enterprise-grade security controls and compliance certifications

Core AWS Services

1. EC2 (Elastic Compute Cloud)

What it is: Virtual servers in the cloud that you can launch, configure, and manage.

Use cases:

  • Web application hosting
  • Development and test environments
  • Batch processing
  • High-performance computing
  • Machine learning workloads

Key features:

  • Multiple instance types optimized for different workloads (compute, memory, storage, GPU)
  • Auto Scaling to handle traffic spikes
  • Integration with load balancers
  • Persistent storage via EBS volumes

Pricing (as of 2025):

  • On-Demand: Pay by the hour/second with no commitments
    • Example: t3.small ~$15/month continuous usage
    • Example: m5.large ~$70/month continuous usage
  • Reserved Instances: 1-3 year commitments save ~40-70%
  • Spot Instances: Use spare capacity at the current Spot price (there is no bidding any more; you may set a maximum price), save up to 90%; instances can be interrupted with a two-minute warning
  • Savings Plans: Flexible 1-3 year commitments save ~30-50%

Typical monthly costs: from ~$15 for a single small instance to $1,000+ depending on instance type and usage


2. S3 (Simple Storage Service)

What it is: Object storage service for any amount of data with 99.999999999% (11 9’s) durability.

Use cases:

  • Static website hosting
  • Data lakes and big data analytics
  • Backup and disaster recovery
  • Content distribution
  • Application data storage

Key features:

  • Unlimited storage capacity
  • Multiple storage classes for different access patterns
  • Versioning and lifecycle management
  • Server-side encryption
  • Event notifications

Storage Classes:

  • S3 Standard: Frequently accessed data - $0.023/GB/month
  • S3 Intelligent-Tiering: Automatic cost optimization - $0.023/GB/month + monitoring fee
  • S3 Standard-IA: Infrequent access - $0.0125/GB/month
  • S3 One Zone-IA: Single AZ, infrequent access - $0.01/GB/month
  • S3 Glacier Instant Retrieval: Archive with millisecond retrieval
  • S3 Glacier Flexible Retrieval: Archive with minute-to-hour retrieval - $0.0036/GB/month
  • S3 Glacier Deep Archive: Long-term archive (12-hour retrieval) - $0.00099/GB/month

Additional costs:

  • Requests: PUT/COPY/POST/LIST $0.005 per 1,000; GET/SELECT $0.0004 per 1,000
  • Data transfer out: First 100GB free/month, then $0.09/GB
  • Data transfer in: Free

Free Tier: 5GB storage, 20,000 GET requests, 2,000 PUT requests for 12 months


3. RDS (Relational Database Service)

What it is: Managed relational database service supporting MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora.

Use cases:

  • Web/mobile applications
  • E-commerce platforms
  • Enterprise applications
  • SaaS applications

Key features:

  • Automated backups and snapshots
  • Automated patching and updates
  • Multi-AZ deployments for high availability
  • Read replicas for scalability
  • Point-in-time recovery

Pricing:

  • Charged per database instance hour
  • Storage costs separate (General Purpose SSD gp2/gp3: ~$0.115/GB/month)
  • Backup storage beyond instance allocation
  • Data transfer costs
  • Multi-AZ deployments roughly double costs

Free Tier (for accounts created before July 15, 2025): 750 hours/month of db.t2.micro, db.t3.micro, or db.t4g.micro + 20GB storage for 12 months


4. Lambda

What it is: Serverless compute service that runs code in response to events without provisioning servers.

Use cases:

  • API backends
  • Real-time file/data processing
  • Scheduled tasks (cron jobs)
  • Event-driven workflows
  • Microservices

Key features:

  • Automatic scaling from zero to thousands of concurrent executions
  • Pay only for compute time used
  • Integrates with most AWS services
  • Support for multiple languages (Python, Node.js, Java, Go, .NET, Ruby)

Pricing (2025):

  • Requests: First 1 million free/month, then $0.20 per 1 million
  • Duration (x86): $0.0000166667 per GB-second for first 6 billion GB-seconds
  • Duration (ARM/Graviton2): $0.0000133334 per GB-second (20% cheaper)
  • Free Tier: 1 million requests and 400,000 GB-seconds per month (always free)

Example cost: a 512MB function running 100ms, 1 million times/month, uses 50,000 GB-seconds: about $0.83 for duration plus $0.20 for requests (~$1.03) before the free tier, and $0 within it, since both figures sit inside the always-free 400,000 GB-seconds and 1 million requests


5. VPC (Virtual Private Cloud)

What it is: Isolated virtual network where you deploy AWS resources with complete control over IP addressing, subnets, routing, and security.

Use cases:

  • Network isolation for applications
  • Hybrid cloud connectivity
  • Multi-tier applications
  • Secure production environments

Key components:

  • Subnets: Public and private network segments
  • Route Tables: Control traffic routing
  • Internet Gateway: Connect to the internet
  • NAT Gateway: Allow private resources internet access
  • Security Groups: Stateful firewalls for instances
  • Network ACLs: Stateless subnet-level firewalls
  • VPC Peering: Connect VPCs privately
  • VPN/Direct Connect: Connect to on-premises networks
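
The stateful/stateless distinction above is the one that bites in practice, so here is an added example (not AWS code; addresses, ports and rules are constructed) that models both firewalls in code. A network ACL checks every packet in each direction against its numbered rules, lowest number first, first match wins, implicit deny at the end; a security group holds only allow rules and, being stateful, lets the reply to an allowed connection out without any outbound rule. The scenario shows the classic NACL mistake: inbound 443 is open but the outbound ephemeral-port range is not, so the server's replies are dropped even though the security group is fine.

```python
"""Stateful security group versus stateless network ACL, modelled in code
(added example, not AWS's evaluator). Addresses, ports and rules are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str      # "tcp" / "udp"
    src_port: int
    dst_port: int

    def reply(self):
        """The server's answer: addresses and ports swapped."""
        return Packet(self.dst_ip, self.src_ip, self.protocol, self.dst_port, self.src_port)


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; ignored for security groups
    protocol: str      # "tcp", "udp" or "-1" for all protocols
    cidr: str          # remote range: source for inbound, destination for outbound
    port_from: int
    port_to: int       # destination port range
    allow: bool = True

    def matches(self, remote_ip, protocol, dst_port):
        return (self.protocol in ("-1", protocol)
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= dst_port <= self.port_to)


class NetworkAcl:
    """Stateless: every packet, in each direction, is matched against the numbered rules."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, remote_ip, pkt):
        for rule in rules:
            if rule.matches(remote_ip, pkt.protocol, pkt.dst_port):
                return rule.allow          # the first matching rule decides
        return False                       # the trailing '*' rule: deny

    def allows_inbound(self, pkt):
        return self._first_match(self.inbound, pkt.src_ip, pkt)

    def allows_outbound(self, pkt):
        return self._first_match(self.outbound, pkt.dst_ip, pkt)


class SecurityGroup:
    """Stateful: allow rules only; replies to allowed traffic pass automatically."""

    def __init__(self, inbound):
        self.inbound = [r for r in inbound if r.allow]   # SGs cannot express deny

    def allows_inbound(self, pkt):
        return any(r.matches(pkt.src_ip, pkt.protocol, pkt.dst_port) for r in self.inbound)

    def allows_reply(self, pkt):
        return True      # connection tracking admits the reply regardless of outbound rules


def connection_succeeds(nacl, sg, request):
    """A client request reaches the instance and its reply gets back out."""
    reply = request.reply()
    return (nacl.allows_inbound(request) and sg.allows_inbound(request)
            and sg.allows_reply(reply) and nacl.allows_outbound(reply))


# Constructed scenario: public web server 10.0.1.10 behind a NACL and a security group.
WEB_SG = SecurityGroup([Rule(0, "tcp", "0.0.0.0/0", 443, 443)])
INBOUND = [
    Rule(90, "tcp", "198.51.100.0/24", 443, 443, allow=False),   # block one abusive range first
    Rule(100, "tcp", "0.0.0.0/0", 443, 443),
]
BROKEN_NACL = NetworkAcl(INBOUND, [Rule(100, "tcp", "0.0.0.0/0", 443, 443)])        # forgot ephemeral ports
FIXED_NACL = NetworkAcl(INBOUND, [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535)])      # replies can leave


def demo():
    client = Packet("203.0.113.7", "10.0.1.10", "tcp", 51234, 443)
    blocked_client = Packet("198.51.100.9", "10.0.1.10", "tcp", 40000, 443)
    return {
        "broken_nacl": connection_succeeds(BROKEN_NACL, WEB_SG, client),   # reply to port 51234 dropped
        "fixed_nacl": connection_succeeds(FIXED_NACL, WEB_SG, client),
        "denied_range": connection_succeeds(FIXED_NACL, WEB_SG, blocked_client),
        "sg_alone_stateful": WEB_SG.allows_inbound(client) and WEB_SG.allows_reply(client.reply()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'connection works' if ok else 'blocked'}")
```

Rule 90 illustrates why ordering matters in a NACL: the deny for 198.51.100.0/24 has to carry a lower number than the broad allow, or the allow matches first and the deny never fires. Security groups have no such ordering because they cannot express deny at all.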

Pricing:

  • VPC itself is free
  • NAT Gateway: ~$0.045/hour + ~$0.045/GB data processed (a common source of surprise bills)
  • VPN connections: ~$0.05/hour per connection
  • Data transfer charges apply

6. EBS (Elastic Block Store)

What it is: Block-level storage volumes for EC2 instances (like virtual hard drives).

Use cases:

  • Boot volumes for EC2 instances
  • Database storage
  • File systems
  • Application storage

Volume types:

  • gp3 (General Purpose SSD): $0.08/GB/month - balanced price/performance
  • gp2 (General Purpose SSD): $0.10/GB/month - older generation
  • io2 (Provisioned IOPS SSD): $0.125/GB/month + IOPS costs - high performance
  • st1 (Throughput Optimized HDD): $0.045/GB/month - big data
  • sc1 (Cold HDD): $0.015/GB/month - infrequent access

Snapshots: $0.05/GB/month (incremental backups to S3)


7. CloudFront

What it is: Content Delivery Network (CDN) that caches content at edge locations worldwide for fast delivery.

Use cases:

  • Website acceleration
  • Video streaming
  • API acceleration
  • Software distribution

Key features:

  • 400+ edge locations globally
  • Integration with S3, EC2, Load Balancers
  • SSL/TLS encryption
  • DDoS protection via AWS Shield
  • Real-time metrics

Pricing:

  • Data transfer out varies by region (~$0.085-0.17/GB)
  • HTTP/HTTPS requests: $0.0075-0.016 per 10,000 requests
  • Always-free tier: 1TB data transfer out and 10 million HTTP/HTTPS requests per month

8. DynamoDB

What it is: Fully managed NoSQL database service with single-digit millisecond performance at any scale.

Use cases:

  • Mobile/web applications
  • Gaming leaderboards
  • IoT data storage
  • Shopping carts
  • Session management

Key features:

  • Automatic scaling
  • Built-in replication across AZs
  • Point-in-time recovery
  • Global tables for multi-region replication
  • DynamoDB Streams for change data capture

Pricing modes:

  • On-Demand: Pay per request unit (e.g. $0.25 per million read request units; write units cost more) + $0.25/GB/month storage
  • Provisioned: Pay for reserved capacity - more predictable costs at scale

Free Tier: 25GB storage, 25 write capacity units, 25 read capacity units (always free)


9. ELB (Elastic Load Balancing)

What it is: Automatically distributes incoming traffic across multiple targets (EC2, containers, IPs).

Types:

  • Application Load Balancer (ALB): HTTP/HTTPS traffic, Layer 7, path-based routing
  • Network Load Balancer (NLB): TCP/UDP traffic, Layer 4, ultra-low latency
  • Gateway Load Balancer: Third-party virtual appliances
  • Classic Load Balancer: Legacy option

Use cases:

  • High availability for applications
  • Auto scaling integration
  • SSL/TLS termination
  • Health checks and failover

Pricing:

  • ALB: ~$0.0225/hour + ~$0.008 per LCU-hour (Load Balancer Capacity Unit)
  • NLB: ~$0.0225/hour + ~$0.006 per NLCU-hour
  • Typical cost: $20-50/month per load balancer

10. CloudWatch

What it is: Monitoring and observability service for AWS resources and applications.

Use cases:

  • Application and infrastructure monitoring
  • Log aggregation and analysis
  • Performance troubleshooting
  • Automated responses to events
  • Custom dashboards

Key features:

  • Metrics collection (CPU, memory, disk, network)
  • Log aggregation (CloudWatch Logs)
  • Alarms and notifications
  • Events and automation
  • Custom metrics

Pricing:

  • First 10 custom metrics free
  • Standard metrics free for AWS services
  • $0.30 per custom metric per month
  • $0.50 per GB ingested for logs
  • $0.03 per GB stored per month for logs

11. IAM (Identity and Access Management)

What it is: Service for managing access to AWS resources (covered in detail in Security section).

Use cases:

  • User and role management
  • Fine-grained permissions
  • Federated access
  • Temporary credentials
  • Programmatic access

Key components:

  • Users, Groups, Roles, Policies
  • Multi-factor authentication (MFA)
  • Identity federation (SAML, OIDC)
  • Service Control Policies (SCPs), applied through AWS Organizations rather than IAM itself

Pricing: Free


12. Route 53

What it is: Highly available and scalable DNS web service.

Use cases:

  • Domain registration
  • DNS routing
  • Health checks and failover
  • Traffic management

Pricing:

  • $0.50 per hosted zone per month
  • $0.40 per million queries for standard queries
  • $0.60 per million queries for Latency/Geo routing
  • Domain registration varies by TLD

13. SNS (Simple Notification Service)

What it is: Pub/sub messaging service for application-to-application and application-to-person communication.

Use cases:

  • Application alerts
  • Push notifications to mobile devices
  • Email notifications
  • SMS messages
  • Fan-out patterns

Pricing:

  • First 1 million publishes free/month
  • $0.50 per million publishes after that
  • Email: $2 per 100,000 messages
  • SMS: varies by country

14. SQS (Simple Queue Service)

What it is: Fully managed message queuing service for decoupling application components.

Use cases:

  • Asynchronous processing
  • Buffering requests
  • Microservices communication
  • Job queues

Key features:

  • Standard queues (at-least-once delivery, best effort ordering)
  • FIFO queues (exactly-once processing, strict ordering)
  • Dead letter queues
  • Message retention up to 14 days

Pricing:

  • First 1 million requests free/month
  • $0.40 per million requests after (Standard)
  • $0.50 per million requests (FIFO)

15. ECS/EKS (Container Services)

ECS (Elastic Container Service): AWS-native container orchestration service.

EKS (Elastic Kubernetes Service): Managed Kubernetes service.

Use cases:

  • Microservices architectures
  • Containerized applications
  • CI/CD pipelines
  • Batch processing

Pricing:

  • ECS: No additional charge, pay for underlying EC2/Fargate
  • EKS: $0.10/hour per cluster (~$73/month) + compute costs
  • Fargate: Pay per vCPU-hour and GB-hour

How Services Fit Together

Typical Web Application Architecture

Internet Users
      ↓
Route 53 (DNS)
      ↓
CloudFront (CDN) → S3 (Static Assets)
      ↓
Application Load Balancer
      ↓
EC2 Auto Scaling Group (Web Servers)
      ↓
Application Load Balancer (Internal)
      ↓
EC2 Instances (Application Servers)
      ↓
RDS (Database) + ElastiCache (Caching)
      ↓
S3 (File Storage)

Serverless Architecture

API Gateway
      ↓
Lambda Functions
      ↓
DynamoDB / RDS / S3
      ↓
SNS/SQS (Event Processing)
      ↓
Additional Lambda Functions

Common Integration Patterns

  1. Web Application Stack:

    • CloudFront → S3 (static content)
    • Route 53 → ALB → EC2 → RDS
    • CloudWatch for monitoring
    • Auto Scaling for capacity
  2. Event-Driven Processing:

    • S3 → Lambda → DynamoDB
    • CloudWatch Events → Lambda → SNS
    • SQS → Lambda → RDS
  3. Data Pipeline:

    • Kinesis → Lambda → S3 → Athena
    • S3 → Glue → Redshift
  4. Microservices:

    • API Gateway → Lambda (or ECS)
    • SQS for async communication
    • DynamoDB for state
    • CloudWatch for observability

Interacting with AWS

1. AWS Management Console

What it is: Web-based interface for managing AWS services.

Best for:

  • Learning AWS services
  • Visual configuration
  • One-off tasks
  • Monitoring dashboards
  • Quick troubleshooting

Access: https://console.aws.amazon.com


2. AWS CLI (Command Line Interface)

What it is: Command-line tool for managing AWS services.

Installation:

# macOS/Linux
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# Verify the download before running it: AWS publishes a detached PGP signature
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
gpg --verify awscliv2.sig awscliv2.zip   # needs the AWS CLI public key imported first
unzip awscliv2.zip
sudo ./aws/install
 
# Windows: Download MSI installer

Configuration:

aws configure
# Enter: Access Key ID, Secret Access Key, Region, Output format
# Long-term access keys are written in plaintext to ~/.aws/credentials. For human users
# prefer `aws configure sso` (IAM Identity Center), which stores only short-lived tokens.

Common commands:

# S3 operations
aws s3 ls                           # List buckets
aws s3 cp file.txt s3://bucket/     # Upload file
aws s3 sync ./dir s3://bucket/dir/  # Sync directory
 
# EC2 operations
aws ec2 describe-instances          # List instances
aws ec2 start-instances --instance-ids i-1234567890abcdef0
aws ec2 stop-instances --instance-ids i-1234567890abcdef0
 
# Lambda operations
aws lambda list-functions           # List functions
aws lambda invoke --function-name myFunction output.json

Best for:

  • Automation scripts
  • Batch operations
  • CI/CD pipelines
  • Server management

3. AWS SDKs

What they are: Libraries for programming languages to integrate AWS into applications.

Available languages: Python (Boto3), JavaScript, Java, .NET, Ruby, PHP, Go, C++

Python (Boto3) example:

import boto3
 
# Create S3 client
s3 = boto3.client('s3')
 
# Upload file
s3.upload_file('local.txt', 'my-bucket', 'remote.txt')
 
# List buckets
response = s3.list_buckets()
for bucket in response['Buckets']:
    print(bucket['Name'])
 
# DynamoDB example
dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table('users')
response = table.get_item(Key={'user_id': '123'})
item = response.get('Item')   # None when no item has that key
print(item)

JavaScript (AWS SDK) example:

const fs = require('fs');
const AWS = require('aws-sdk');   // v2 SDK (maintenance mode); new projects should use @aws-sdk/client-s3 (v3)
const s3 = new AWS.S3();
 
// Upload file
const params = {
  Bucket: 'my-bucket',
  Key: 'remote.txt',
  Body: fs.createReadStream('local.txt')
};
s3.upload(params, (err, data) => {
  if (err) {
    console.error('upload failed:', err);   // a swallowed error leaves the object unwritten
    return;
  }
  console.log(data.Location);
});

Best for:

  • Application integration
  • Custom tools
  • Backend services

4. Infrastructure as Code (IaC)

CloudFormation (AWS native):

Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-unique-bucket-name
      VersioningConfiguration:
        Status: Enabled

Terraform (third-party, multi-cloud):

# Since AWS provider v4 versioning is its own resource; the inline
# "versioning {}" block on aws_s3_bucket is deprecated.
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-unique-bucket-name"
}

resource "aws_s3_bucket_versioning" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}

CDK (Cloud Development Kit) - Define infrastructure using programming languages:

from aws_cdk import aws_s3 as s3
 
bucket = s3.Bucket(self, "MyBucket",
    versioned=True,
    encryption=s3.BucketEncryption.S3_MANAGED
)

Best for:

  • Repeatable deployments
  • Version control
  • Multi-environment setups
  • Team collaboration

5. AWS Console Mobile App

What it is: iOS/Android app for managing AWS on the go.

Features:

  • View resources
  • Monitor CloudWatch
  • Respond to alerts
  • Basic management tasks

Best for: Incident response, monitoring


Pricing Overview

General Pricing Principles

  1. Pay-as-you-go: No upfront costs, pay only for what you use
  2. Pay less when you reserve: Commit to 1-3 years for significant discounts
  3. Pay less by using more: Volume discounts for many services
  4. Pay less as AWS grows: AWS regularly reduces prices

AWS Free Tier (2025)

For new accounts created after July 15, 2025:

  • Choose between Free Plan or Paid Plan at signup
  • Both plans start with $100 in credits, plus up to $100 more for activating foundational services
  • Credits valid for 12 months; a Free Plan account expires after 6 months unless upgraded to the Paid Plan

For accounts created before July 15, 2025:

  • Traditional 12-month free tier
  • 750 hours EC2 (t2.micro/t3.micro)
  • 5GB S3 Standard storage
  • 750 hours RDS (db.t2.micro/db.t3.micro)
  • 1 million Lambda requests per month (always free)
  • 25GB DynamoDB storage (always free)

Cost Management Tools

  1. AWS Cost Explorer: Visualize and analyze spending patterns
  2. AWS Budgets: Set custom cost and usage budgets with alerts
  3. AWS Pricing Calculator: Estimate costs before deployment (https://calculator.aws/)
  4. Cost Allocation Tags: Track costs by project, team, or environment
  5. Savings Plans: Flexible pricing model for compute resources

Cost Optimization Strategies

  1. Right-sizing: Choose appropriate instance types and sizes
  2. Reserved Instances: Commit to 1-3 years for 40-70% savings
  3. Spot Instances: Use spare capacity for 90% savings (interruptible)
  4. Auto Scaling: Scale resources based on demand
  5. S3 Lifecycle Policies: Move data to cheaper storage classes automatically
  6. Terminate unused resources: Regularly audit and clean up
  7. Use CloudFront: Reduce data transfer costs
  8. Schedule instances: Stop dev/test environments during off-hours
  9. Use Lambda for bursty workloads: Avoid idle EC2 instances

Sample Monthly Costs (2025)

Small startup web app:

  • 1 t3.small EC2 instance: $15
  • 30GB EBS gp3: $2.40
  • 50GB S3 storage: $1.15
  • RDS db.t3.micro: $15
  • Total: ~$35/month

Medium production app:

  • 2 m5.large EC2 instances: $140
  • Application Load Balancer: $20
  • 500GB EBS: $40
  • 100GB RDS (db.m5.large): $145
  • 200GB S3: $4.60
  • CloudFront + data transfer: $50
  • Total: ~$400/month

Large enterprise app:

  • 10 EC2 instances (mixed types): $1,500
  • Load balancers: $100
  • 5TB storage (EBS + S3): $450
  • RDS Multi-AZ: $600
  • Data transfer: $500
  • Total: ~$3,000+/month

Security Concepts

IAM (Identity and Access Management)

Core Concepts:

IAM is the foundation of AWS security, controlling who can access what resources.

1. Users:

  • Individual identities with long-term credentials
  • Each person should have their own user; never share one
  • Can have a username and password for console access
  • Can have access keys for programmatic access (CLI/SDK)
  • Current AWS guidance: give humans access through IAM Identity Center (federation) where possible, and reserve IAM users with access keys for cases that cannot use roles

2. Groups:

  • Collections of users
  • Apply policies to groups instead of individual users
  • Examples: Developers, Admins, Auditors
  • Users can belong to multiple groups

3. Roles:

  • Identities that can be assumed temporarily
  • No long-term credentials (AWS generates temporary security tokens)
  • Used by:
    • AWS services (e.g., EC2 instance needs S3 access)
    • Cross-account access
    • Federated users (SSO)
    • Applications running on EC2

4. Policies:

  • JSON documents defining permissions
  • Attached to users, groups, or roles
  • Effect: Allow or Deny
  • Actions: What can be done (s3:GetObject)
  • Resources: What it applies to (arn:aws:s3:::my-bucket/*)

Example Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
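
To make the Allow/Deny, Action and Resource semantics concrete, here is an added example (not AWS code) that evaluates requests against the policy above. It models three rules of the real evaluator for identity-based policies: default deny, explicit Deny overriding any Allow, and IAM-style wildcard matching of actions and ARNs. Conditions, resource policies, SCPs, permissions boundaries and session policies are not modelled; the DENY_SECRETS_PREFIX policy and the request ARNs are hypothetical.

```python
"""Simplified IAM identity-policy evaluation (added example, not AWS code)."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, casefold=False):
    """IAM wildcard match (* and ?); actions compare case-insensitively, ARNs do not."""
    if casefold:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if casefold else p)
               for p in _as_list(patterns))


def statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "Action" in stmt:
        action_hit = _matches(stmt["Action"], action, casefold=True)
    else:
        action_hit = not _matches(stmt["NotAction"], action, casefold=True)
    if "Resource" in stmt:
        resource_hit = _matches(stmt["Resource"], resource)
    else:
        resource_hit = not _matches(stmt["NotResource"], resource)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one API call."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # deny wins, whatever else allows
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# The policy from the page: read and write objects in my-bucket.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}

# Hypothetical guard rail layered on top: nothing under secrets/ is touchable.
DENY_SECRETS_PREFIX = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::my-bucket/secrets/*",
    }],
}


def demo():
    """Evaluate a few requests against the page's policy plus the guard rail."""
    policies = [PAGE_POLICY, DENY_SECRETS_PREFIX]
    return {
        "read_report": evaluate(policies, "s3:GetObject", "arn:aws:s3:::my-bucket/reports/q1.csv"),
        "delete_report": evaluate(policies, "s3:DeleteObject", "arn:aws:s3:::my-bucket/reports/q1.csv"),
        "read_other_bucket": evaluate(policies, "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        "read_secret": evaluate(policies, "s3:GetObject", "arn:aws:s3:::my-bucket/secrets/db.pem"),
        # Common gotcha: ListBucket is authorised on the bucket ARN, which the
        # object pattern my-bucket/* does not cover, so listing still fails.
        "list_bucket": evaluate(policies, "s3:ListBucket", "arn:aws:s3:::my-bucket"),
    }


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request:18} -> {verdict}")
```

The list_bucket case is worth remembering when a policy "looks right" but the CLI still returns AccessDenied on `aws s3 ls`: object-level actions need the `bucket/*` ARN, bucket-level actions need the bare bucket ARN, and one pattern does not cover both.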

IAM Best Practices:

  1. Enable MFA for all users, especially root account
  2. Use roles instead of sharing credentials
  3. Grant least privilege (minimum permissions needed)
  4. Rotate credentials regularly
  5. Use IAM roles for EC2 instances (never hardcode credentials)
  6. Enable CloudTrail for auditing
  7. Never use root account for daily tasks

Access Methods

1. AWS Management Console:

  • Username and password
  • Optional MFA
  • For human users

2. Programmatic Access:

  • Access Key ID and Secret Access Key
  • Used by CLI, SDKs, and APIs
  • Can be rotated
  • Should be stored securely (never commit to code)

3. Temporary Security Credentials:

  • Generated by AWS STS (Security Token Service) via AssumeRole, AssumeRoleWithWebIdentity, AssumeRoleWithSAML, or GetSessionToken
  • Used with IAM roles
  • Automatically expire (role sessions last 15 minutes to 12 hours, bounded by the role's maximum session duration; a session obtained by chaining one role into another is capped at 1 hour)
  • Best for short-term access

OIDC (OpenID Connect)

What it is: Authentication protocol for federated access to AWS.

Use cases:

  • SSO (Single Sign-On) from corporate identity providers
  • Mobile/web app authentication
  • CI/CD pipelines (GitHub Actions, GitLab)

How it works:

  1. User or workload authenticates with the identity provider (IdP)
  2. IdP issues a signed ID token (a JWT) whose claims include the issuer (iss), audience (aud) and subject (sub)
  3. The caller presents the token to AWS STS (AssumeRoleWithWebIdentity); STS verifies the signature against the registered IdP and checks the role's trust policy conditions against the claims
  4. STS returns temporary credentials for the role, which the caller uses to access AWS resources

Example: GitHub Actions accessing AWS:

permissions:
  id-token: write      # lets the job request an OIDC token from GitHub
  contents: read

steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
      aws-region: us-east-1

The role's trust policy, not the workflow, decides who may assume it: it must restrict the token's aud claim to sts.amazonaws.com and its sub claim to the intended repository and branch, otherwise any GitHub workflow anywhere could assume the role.

Benefits:

  • No long-term credentials to manage
  • Centralized identity management
  • Automatic credential rotation
  • Better security posture
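
The part of the GitHub Actions setup that actually enforces security is the role's trust policy on the AWS side, so here is an added example (not AWS or GitHub code) that builds one and checks which tokens it admits. The account ID is the one from the page's snippet; the repository example-org/example-app, the claim sets and the evaluation of StringEquals/StringLike are constructed and simplified (real STS also verifies the token signature and maps iss to the registered provider). The loose variant shows the usual over-grant: a wildcard on sub admits every branch, tag and pull request of the repository.

```python
"""Trust policy for the OIDC-federated GitHubActionsRole, plus a check of which
tokens it admits (added example, not AWS or GitHub code).
"""
import fnmatch
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"      # account ID used in the page's example
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC}"


def trust_policy(org, repo, sub_pattern=None):
    """Trust policy that lets org/repo assume the role.

    Default: only the main branch, matched exactly (StringEquals). Passing a
    StringLike pattern such as "repo:org/repo:*" widens it to every ref of
    the repository, which is the usual over-grant.
    """
    condition = {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}
    if sub_pattern is None:
        condition["StringEquals"][f"{GITHUB_OIDC}:sub"] = f"repo:{org}/{repo}:ref:refs/heads/main"
    else:
        condition["StringLike"] = {f"{GITHUB_OIDC}:sub": sub_pattern}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _condition_holds(condition, claims):
    """Apply the StringEquals / StringLike operators to the token's claims."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            claim = claims.get(key.split(":", 1)[1])      # "<provider>:sub" -> claim "sub"
            patterns = expected if isinstance(expected, list) else [expected]
            if claim is None:
                return False
            if operator == "StringEquals" and claim not in patterns:
                return False
            if operator == "StringLike" and not any(fnmatch.fnmatchcase(claim, p) for p in patterns):
                return False
    return True


def assume_role_allowed(policy, claims):
    """Would STS accept a (signature-verified) token with these claims for this role?"""
    issuer_arn = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{claims['iss'].split('://', 1)[1]}"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow"
                and stmt["Principal"].get("Federated") == issuer_arn
                and "sts:AssumeRoleWithWebIdentity" in actions
                and _condition_holds(stmt.get("Condition", {}), claims)):
            return True
    return False


def github_claims(sub, aud="sts.amazonaws.com"):
    """Constructed claim set in the shape of a GitHub Actions ID token."""
    return {"iss": f"https://{GITHUB_OIDC}", "aud": aud, "sub": sub}


def demo():
    """Strict versus loose trust policy against tokens from several origins (hypothetical repos)."""
    strict = trust_policy("example-org", "example-app")
    loose = trust_policy("example-org", "example-app", "repo:example-org/example-app:*")
    main = github_claims("repo:example-org/example-app:ref:refs/heads/main")
    feature = github_claims("repo:example-org/example-app:ref:refs/heads/feature-x")
    other_repo = github_claims("repo:evil-org/clone:ref:refs/heads/main")
    wrong_aud = github_claims(main["sub"], aud="https://github.com/example-org")
    return {
        "strict_main": assume_role_allowed(strict, main),
        "strict_feature": assume_role_allowed(strict, feature),
        "strict_other_repo": assume_role_allowed(strict, other_repo),
        "strict_wrong_aud": assume_role_allowed(strict, wrong_aud),
        "loose_feature": assume_role_allowed(loose, feature),
        "loose_other_repo": assume_role_allowed(loose, other_repo),
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy("example-org", "example-app"), indent=2))
    for case, ok in demo().items():
        print(f"{case:18} -> {'assume allowed' if ok else 'denied'}")
```

The aud check matters as much as the sub check: it stops a token minted for some other audience (another cloud, another tool) from being replayed against STS. If the workflow needs to deploy from tags or pull requests as well, list those subjects explicitly in the condition rather than reaching for a wildcard.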

SAML 2.0 Federation

What it is: Standard for exchanging authentication and authorization data between identity providers and service providers.

Use cases:

  • Corporate SSO (Active Directory, Okta, Azure AD / Microsoft Entra ID)
  • Enterprise authentication

How it works:

  1. User authenticates with corporate IdP
  2. IdP generates a signed SAML assertion
  3. User presents the assertion to AWS (console sign-in, or AssumeRoleWithSAML for API access)
  4. AWS STS validates the assertion against the registered IdP and provides temporary credentials for the mapped role
  5. User accesses AWS console or API

Security Best Practices

1. Network Security:

  • Use VPCs to isolate resources
  • Security Groups: Allow only necessary traffic
  • Network ACLs: Additional subnet-level filtering
  • VPN or Direct Connect for on-premises connectivity
  • Use private subnets for databases and backend services

2. Encryption:

  • In transit: Use TLS (HTTPS); the older SSL protocol versions are obsolete and should stay disabled
  • At rest:
    • S3: Server-side encryption (SSE-S3 is applied by default to all new objects since January 2023; SSE-KMS for customer-managed keys and key-usage auditing; SSE-C for customer-supplied keys)
    • EBS: Enable encryption at volume creation
    • RDS: Enable encryption for databases
    • KMS: Key Management Service for encryption keys

3. Monitoring and Logging:

  • CloudTrail: Logs API calls (who did what, when). Management events are recorded by default; data events such as S3 GetObject/PutObject and Lambda Invoke must be enabled explicitly and are billed separately
  • CloudWatch Logs: Application and system logs
  • VPC Flow Logs: Network traffic logs
  • GuardDuty: Threat detection service
  • Security Hub: Centralized security findings
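
CloudTrail is only useful if something reads it, so here is an added example (not an AWS or GuardDuty rule set) of four detections run over constructed CloudTrail records: root user activity, a console login without MFA, tampering with the trail, and AdministratorAccess being attached. The records follow the CloudTrail schema but are made up; real trails deliver gzipped {"Records": [...]} documents to S3, and the S3 GetObject record in the sample would only exist if data events were enabled.

```python
"""CloudTrail-based detections over constructed records (added example)."""
import json

# Constructed trail file: six records, four of which should raise a finding.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "1", "eventTime": "2025-11-03T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "2", "eventTime": "2025-11-03T08:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "3", "eventTime": "2025-11-03T08:07:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "4", "eventTime": "2025-11-03T08:09:55Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventID": "5", "eventTime": "2025-11-03T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventID": "6", "eventTime": "2025-11-03T09:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc"},
     "requestParameters": {"bucketName": "my-bucket", "key": "reports/q1.csv"}},
]})


def principal(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def root_activity(rec):
    """Any call by the root user is notable; it should never be used day to day."""
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root user made an API call"


def console_no_mfa(rec):
    """Successful IAM-user console login without MFA. Federated sign-ins are skipped:
    their MFA happens at the IdP and CloudTrail reports MFAUsed as No."""
    if (rec.get("eventName") == "ConsoleLogin"
            and rec.get("userIdentity", {}).get("type") == "IAMUser"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "console login succeeded without MFA"


def trail_tampering(rec):
    """An attacker's first move is often to blind the audit log."""
    if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}):
        return f"CloudTrail {rec['eventName']} on {rec.get('requestParameters', {}).get('name', '?')}"


def admin_grant(rec):
    if (rec.get("eventSource") == "iam.amazonaws.com"
            and rec.get("eventName") in {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
            and rec.get("requestParameters", {}).get("policyArn", "").endswith("/AdministratorAccess")):
        return "AdministratorAccess attached"


RULES = [root_activity, console_no_mfa, trail_tampering, admin_grant]


def detect(trail_json):
    """One finding per (record, rule) hit: (eventID, rule, principal, source IP, reason)."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        for rule in RULES:
            reason = rule(rec)
            if reason:
                findings.append((rec["eventID"], rule.__name__, principal(rec),
                                 rec.get("sourceIPAddress"), reason))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_TRAIL):
        print(" | ".join(str(x) for x in finding))
```

Read the findings together rather than one at a time: the same user, from the same address, logs in without MFA, stops the trail and grants himself AdministratorAccess within five minutes, which is the shape of a compromised credential rather than three unrelated policy violations. In production these rules would feed CloudWatch Logs metric filters or EventBridge rules; GuardDuty ships equivalents of several of them out of the box.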

4. Compliance:

  • AWS Config: Track resource configuration changes
  • AWS Artifact: Access compliance reports
  • Certifications: SOC, PCI-DSS, HIPAA, ISO, FedRAMP

5. Backup and Recovery:

  • Regular automated backups
  • Test restore procedures
  • Multi-region replication for critical data
  • Versioning for S3 objects

Resource Isolation

1. AWS Accounts:

  • Separate accounts for dev, staging, production
  • Use AWS Organizations for centralized management
  • Service Control Policies (SCPs) for account-level restrictions

2. VPCs:

  • Separate VPCs per environment or application
  • Use VPC peering or Transit Gateway to connect

3. Resource Tagging:

  • Tag resources for cost allocation, automation, and access control
  • Example tags: Environment, Owner, Project, CostCenter

Security Services

1. AWS WAF (Web Application Firewall):

  • Protect web applications from common exploits
  • Rate limiting, IP blocking, SQL injection prevention
  • Integrates with CloudFront, ALB, API Gateway

2. AWS Shield:

  • DDoS protection
  • Standard (free): Automatic protection for all AWS customers
  • Advanced (paid): Enhanced protection + 24/7 DDoS response team

3. AWS KMS (Key Management Service):

  • Create and manage encryption keys
  • Integrate with S3, EBS, RDS, and other services
  • Audit key usage with CloudTrail

4. AWS Secrets Manager:

  • Store and rotate credentials, API keys, tokens
  • Automatic rotation for RDS passwords
  • Fine-grained access control

5. AWS Certificate Manager (ACM):

  • Provision and manage SSL/TLS certificates
  • Free certificates for use with AWS services
  • Automatic renewal

Glossary

A

Availability Zone (AZ): Isolated data center within an AWS Region. Each region has multiple AZs for high availability.

AMI (Amazon Machine Image): Template for launching EC2 instances, containing OS and pre-installed software.

ARN (Amazon Resource Name): Unique identifier for AWS resources. Format: arn:aws:service:region:account-id:resource

Auto Scaling: Automatically adjust the number of EC2 instances based on demand.

AWS Organizations: Service for managing multiple AWS accounts centrally.

B

Bucket: Container for objects in S3. Bucket names must be globally unique.

Billing: AWS provides detailed billing reports. Set up billing alerts to avoid surprises.

C

CIDR Block: IP address range for VPC/subnet. Example: 10.0.0.0/16 (65,536 addresses)

CloudFormation: Infrastructure as Code service for provisioning AWS resources declaratively.

CloudTrail: Service that logs all API calls in your AWS account for auditing.

CloudWatch: Monitoring and observability service for AWS resources and applications.

Compute Savings Plans: Flexible discount pricing for EC2, Lambda, and Fargate based on usage commitment.

D

Data Transfer: Moving data between AWS services, regions, or out to the internet. Often a hidden cost.

Dead Letter Queue (DLQ): SQS queue for messages that fail processing multiple times.

Durability: Likelihood data will not be lost. S3 offers 99.999999999% (11 9’s) durability.

E

EBS Volume: Block storage device attached to EC2 instances. Persists independently of instance lifetime.

EC2 Instance: Virtual server in AWS cloud.

Edge Location: CloudFront cache location for delivering content to users with low latency.

Elastic IP: Static IPv4 address for EC2 instances. Persists even when instance is stopped.

Elasticity: Ability to scale resources up or down based on demand.

Encryption: Protecting data by converting it to unreadable format. AWS supports encryption in transit and at rest.

Endpoint: URL for accessing AWS services (e.g., s3.amazonaws.com).

F

Fargate: Serverless compute engine for containers (ECS/EKS). No need to manage EC2 instances.

FIFO: First-In-First-Out. SQS queue type that ensures exactly-once processing and ordering.

G

Gateway: Entry/exit point for network traffic. Examples: Internet Gateway (VPC to internet), NAT Gateway (private subnet to internet).

GB-second: Pricing unit for Lambda. Memory allocated (GB) × execution time (seconds).

gp3/gp2: General Purpose SSD volume types for EBS.

H

High Availability (HA): Architecture designed to minimize downtime by eliminating single points of failure.

Hosted Zone: Route 53 container for DNS records for a domain.

I

IAM Policy: JSON document defining permissions for users, groups, or roles.

IOPS: Input/Output Operations Per Second. Performance metric for storage.

Instance Profile: Container for IAM role that EC2 instance can assume.

Instance Type: EC2 instance size and configuration (e.g., t3.small, m5.large).

K

KMS Key: Encryption key managed by AWS Key Management Service.

L

Lambda Function: Code that runs on AWS Lambda in response to events.

Launch Template: Configuration for launching EC2 instances (replaces Launch Configurations).

Lifecycle Policy: S3 rule to automatically transition objects between storage classes or delete them.

Load Balancer: Distributes incoming traffic across multiple targets for high availability.

M

MFA (Multi-Factor Authentication): Additional security layer requiring second authentication factor.

Metadata: Data about data. In EC2, instance metadata is information about the running instance, served at http://169.254.169.254 by the Instance Metadata Service (IMDS), including the temporary credentials of the instance's role. Require IMDSv2 (session-token based) so that an SSRF bug in the application cannot fetch those credentials with a single GET.

Multi-AZ: Deploying resources across multiple Availability Zones for high availability.

Multi-Region: Deploying resources across multiple AWS Regions for disaster recovery or global reach.

N

NAT Gateway: Enables instances in private subnet to access the internet while remaining private.

Network ACL: Stateless firewall for subnets. Controls inbound and outbound traffic.

O

Object: File stored in S3, along with metadata and unique identifier.

On-Demand: Pay-as-you-go pricing with no long-term commitments.

OIDC (OpenID Connect): Authentication protocol for federated access to AWS.

P

Policy: Document defining permissions in IAM, S3, or other services.

Principal: Entity (user, role, service) that can make requests to AWS.

Private Subnet: Subnet without direct internet access. Requires NAT Gateway for outbound internet.

Public Subnet: Subnet with route to Internet Gateway, allowing direct internet access.

Provisioned IOPS: EBS volume type with guaranteed IOPS performance.

R

Read Replica: Copy of RDS database for read-only queries. Improves performance and availability.

Region: Geographic area containing multiple Availability Zones (e.g., us-east-1, eu-west-1).

Reserved Instance: 1-3 year commitment for EC2 instances at discounted rates (40-70% savings).

Resource: Entity in AWS you can work with (EC2 instance, S3 bucket, RDS database).

Role: IAM identity with policies that determine what it can do. Can be assumed by users, services, or applications.

Route Table: Set of rules (routes) determining where network traffic is directed within VPC.

S

SAML (Security Assertion Markup Language): Standard for exchanging authentication and authorization data.

Scaling: Adjusting capacity to meet demand. Vertical (bigger instances) or Horizontal (more instances).

Security Group: Stateful firewall for EC2 instances. Controls inbound and outbound traffic.

Snapshot: Point-in-time backup of EBS volume or RDS database.

Spot Instance: Spare EC2 capacity at up to 90% discount. Can be interrupted with 2-minute warning.

STS (Security Token Service): Provides temporary security credentials for IAM roles.

Subnet: Segment of VPC IP address range where you launch AWS resources.

T

Tag: Key-value pair attached to AWS resources for organization, cost allocation, and automation.

Target Group: Set of targets (EC2, Lambda, IP) for load balancer to route traffic to.

Throughput: Amount of data transferred per second. Important for storage and network performance.

Transit Gateway: Hub for connecting VPCs and on-premises networks.

TTL (Time To Live): DNS record cache duration. CloudFront cache expiration time.

V

VPC (Virtual Private Cloud): Isolated virtual network in AWS cloud.

VPC Peering: Private connection between two VPCs.

VPN (Virtual Private Network): Encrypted connection between on-premises network and AWS.

vCPU: Virtual CPU core for EC2 instances.

Versioning: S3 feature that preserves, retrieves, and restores every version of every object.

W

WAF (Web Application Firewall): Protects web applications from common exploits.

Other Terms

ACL (Access Control List): List of permissions attached to object or subnet.

API (Application Programming Interface): Interface for programmatically interacting with AWS services.

CORS (Cross-Origin Resource Sharing): Mechanism allowing web apps from one domain to access resources from another.

ECS Task: Single running instance of a container in ECS.

Egress: Outbound network traffic (data leaving AWS).

Ingress: Inbound network traffic (data entering AWS).

Payload: Data sent with API request or Lambda invocation.

SDK (Software Development Kit): Libraries for integrating AWS into applications.

Stateful: Remembers previous interactions (e.g., Security Groups).

Stateless: Treats each request independently (e.g., Network ACLs).


Quick Reference: Common Operations

Launching a Web Application

  1. Plan architecture: Identify services needed
  2. Set up VPC: Create VPC with public and private subnets
  3. Launch RDS: Set up database in private subnet
  4. Launch EC2: Deploy application servers in private subnet with Auto Scaling
  5. Configure Load Balancer: Create ALB in public subnet
  6. Set up S3: For static assets and backups
  7. Configure Route 53: Point domain to load balancer
  8. Set up CloudWatch: Monitor application and set alarms
  9. Enable CloudTrail: Audit API activity
  10. Test and deploy: Validate security, performance, and failover

Cost Optimization Checklist

  • Right-size EC2 instances based on actual usage
  • Purchase Reserved Instances for steady-state workloads
  • Use Spot Instances for fault-tolerant workloads
  • Implement S3 lifecycle policies to move data to cheaper storage
  • Delete unused EBS volumes and snapshots
  • Enable S3 Intelligent-Tiering for unpredictable access patterns
  • Use CloudFront to reduce data transfer costs
  • Schedule non-production instances to run only during business hours
  • Set up billing alerts and budgets
  • Regularly review Cost Explorer and Trusted Advisor recommendations
  • Tag all resources for cost allocation
  • Use Lambda for bursty, unpredictable workloads

Security Checklist

  • Enable MFA on root account and IAM users
  • Give each person their own identity, preferably through IAM Identity Center; where IAM users are unavoidable, one per person (never share credentials)
  • Apply principle of least privilege to IAM policies
  • Use IAM roles for EC2 instances
  • Enable CloudTrail in all regions
  • Encrypt data at rest (S3, EBS, RDS)
  • Use HTTPS/TLS for data in transit
  • Configure Security Groups with minimal necessary access
  • Regularly rotate access keys and passwords
  • Enable VPC Flow Logs
  • Use AWS Config to track configuration changes
  • Enable GuardDuty for threat detection
  • Implement backup strategy with automated snapshots
  • Review IAM permissions quarterly
  • Use AWS Organizations and SCPs for multi-account governance


Final Tips

  1. Start small: Use Free Tier to experiment and learn
  2. Think in terms of services, not servers: Leverage managed services when possible
  3. Design for failure: Assume everything will fail and build redundancy
  4. Automate everything: Use IaC, CI/CD, and scripts
  5. Monitor relentlessly: Set up comprehensive monitoring and alerting
  6. Optimize continuously: Regularly review costs and performance
  7. Stay updated: AWS releases new features weekly
  8. Use multiple AZs: For production workloads requiring high availability
  9. Tag religiously: Good tagging saves time and money
  10. Security first: Never compromise on security for convenience

This primer covers the essentials of AWS as of November 2025. AWS continuously evolves, so always refer to official documentation for the latest information.