AWS Cheatsheet

Amazon Web Services (AWS) is a comprehensive cloud computing platform that offers scalable, secure, and cost-effective solutions since its launch in 2006. It provides various cloud models and service types, including IaaS, PaaS, and SaaS, along with a global infrastructure consisting of regions and availability zones. The document also covers AWS Free Tier offerings, key services like EC2, S3, and Lambda, and storage options such as EBS, EFS, and FSx.

Uploaded by

pandeyalok46808

📘 1. Introduction to AWS
✅ What is AWS?
● Amazon Web Services (AWS) is a secure, scalable, and cost-effective cloud computing platform offered by Amazon.
● Launched in 2006, it provides on-demand computing resources like storage, compute power, databases, analytics, AI, and more on a pay-as-you-go basis.

✅ Why AWS?
| Feature | Description |
|---|---|
| Scalability | Scale resources automatically using services like Auto Scaling & Load Balancers |
| Security | End-to-end encryption, Identity and Access Management (IAM), compliance certifications |
| Cost-Effective | Pay only for what you use; flexible pricing models |
| Flexibility | Support for different programming languages, operating systems, architectures |
| Global Infrastructure | Deploy applications globally using AWS Regions and Availability Zones |

✅ Types of Cloud Models

| Model | Description |
|---|---|
| Public Cloud | Owned and operated by third-party providers (like AWS) |
| Private Cloud | Dedicated infrastructure for one organization |
| Hybrid Cloud | Combines public + private cloud with data portability |

✅ Cloud Service Models (IaaS, PaaS, SaaS)
| Model | AWS Examples | Description |
|---|---|---|
| IaaS | EC2, VPC, S3 | Infrastructure as a Service: rent servers, storage, networks |
| PaaS | Elastic Beanstalk, RDS | Platform as a Service: develop & deploy apps without managing infra |
| SaaS | Amazon Chime, AWS WorkMail | Software as a Service: fully managed software tools on cloud |

✅ Common Use Cases of AWS


●​ Web hosting
●​ Data lakes and analytics
●​ Machine Learning
●​ DevOps CI/CD
●​ Serverless apps
●​ Disaster recovery and backups

🌍 2. AWS Global Infrastructure


✅ Key Concepts
| Term | Description |
|---|---|
| Region | A geographical area that contains multiple isolated locations (Availability Zones) |
| Availability Zone (AZ) | A data center or cluster of data centers within a region |
| Edge Location | CDN endpoints for low-latency delivery (used by Amazon CloudFront) |
| Local Zone | Brings AWS services closer to users in large metropolitan areas |
| Wavelength Zone | For ultra-low latency applications over 5G networks |

✅ AWS Regions
●​ Each region is completely isolated for fault tolerance.
●​ Regions have at least two AZs, and some regions have up to six.
●​ Regions are identified by codes (e.g., us-east-1 for N. Virginia).

| Region Name | Code |
|---|---|
| US East (N. Virginia) | us-east-1 |
| US West (Oregon) | us-west-2 |
| Asia Pacific (Mumbai) | ap-south-1 |
| Europe (Frankfurt) | eu-central-1 |

✅ Availability Zones
●​ AZs are physically separated by distance to reduce failure correlation.
●​ Connected by low-latency, high-throughput, redundant network links.
●​ You can deploy across multiple AZs for high availability (HA) and fault tolerance.

✅ Edge Locations (CDN)


● Over 450 Edge Locations globally
●​ Used by Amazon CloudFront to serve content with low latency
●​ Edge locations cache copies of content closer to the user

✅ Benefits of Global Infra


●​ Low latency & fast content delivery
●​ High availability & fault isolation
●​ Geo-redundancy and disaster recovery
●​ Compliant with local data residency regulations

🎁 3. AWS Free Tier Overview


✅ What is AWS Free Tier?
AWS offers a Free Tier to help users explore and experiment with AWS services. It includes:

| Type | Duration | Description |
|---|---|---|
| Always Free | No time limit | Free up to a specific usage level |
| 12-Month Free | 12 months after account creation | Free limits apply for 1 year |
| Trials | Limited time (short-term) | Free trial of premium services (e.g., SageMaker Studio Lab) |

✅ Key Free Tier Services (12 Months)


| Service | Limit | Details |
|---|---|---|
| EC2 | 750 hours/month | t2.micro or t3.micro instance |
| S3 | 5 GB | Standard storage |
| RDS | 750 hours/month | db.t2.micro for MySQL, PostgreSQL |
| Lambda | 1 million requests | Per month |
| CloudFront | 50 GB data transfer | Per month |
| DynamoDB | 25 GB storage + 25 WCUs + 25 RCUs | NoSQL database |
| EBS | 30 GB | SSD-backed volumes |

✅ Always Free Services


| Service | Free Tier Limits |
|---|---|
| AWS Lambda | 1M requests/month |
| DynamoDB | 25 GB storage |
| CloudWatch | 10 custom metrics |
| SNS | 1 million publishes |
| Glacier | 10 GB retrieval |
| AWS S3 Glacier | 10 GB per month |

✅ How to Monitor Free Tier Usage


●​ AWS Billing Dashboard
●​ Budgets & Alarms: Set up usage alerts
●​ Free Tier Tracker in Billing Console

🛡️ Free Tier Best Practices


●​ Delete unused resources (e.g., EC2, RDS)
●​ Use AWS Budgets to monitor billing
●​ Understand data transfer costs (in vs. out)
●​ Know your region's pricing for free-tier eligible services

📌 Tip: After 12 months, services will continue to run and start charging at standard rates unless you delete or modify them.

⚙️ 1. Amazon EC2 (Elastic Compute Cloud)
✅ What is EC2?
Amazon EC2 provides resizable virtual servers in the cloud. It allows you to launch and manage Linux or Windows instances on-demand.

✅ EC2 Key Concepts


| Term | Description |
|---|---|
| Instance | A virtual server |
| AMI | A pre-configured template to launch EC2 |
| Instance Type | Defines CPU, RAM, storage, and networking capacity |
| Key Pair | Used for secure login (SSH) |
| Security Group | Virtual firewall controlling inbound/outbound traffic |
| Elastic IP | Static IP for dynamic instances |
| EBS | Block storage volume attached to EC2 |

✅ Instance Lifecycle
1.​ Pending – Starting
2.​ Running – Operational
3.​ Stopping/Stopped – Temporarily paused
4.​ Terminated – Deleted

✅ Pricing Models
| Model | Description | Use Cases |
|---|---|---|
| On-Demand | Pay per hour/second | Short-term, unpredictable workloads |
| Reserved Instances | 1–3 year commitment | Long-term steady-state workloads |
| Spot Instances | Up to 90% cheaper | Fault-tolerant, batch jobs |
| Savings Plans | Flexible savings | Ideal for cost optimization |
| Dedicated Hosts | Physical servers | Compliance or licensing requirements |

✅ EC2 Instance Types (Families)


| Family | Use Case | Example |
|---|---|---|
| t3, t4g | Burstable | Lightweight apps |
| m5, m6g | General purpose | Web servers, Dev/Test |
| c5, c6g | Compute optimized | ML inference, gaming |
| r5, r6g | Memory optimized | Databases, analytics |
| g5, inf1 | Accelerated computing | ML training/inference |
| i3, i4i | Storage optimized | High IOPS workloads |

✅ EC2 CLI Example


aws ec2 run-instances \
--image-id ami-0abcdef1234567890 \
--instance-type t2.micro \
--key-name my-key \
--security-groups my-sg \
--count 1

📦 2. Amazon Machine Image (AMI)


✅ What is AMI?
An Amazon Machine Image (AMI) is a blueprint for your EC2 instance. It contains:

●​ OS configuration
●​ Application server
●​ Custom software & dependencies

✅ AMI Types
| Type | Description |
|---|---|
| Public AMIs | Provided by AWS or community |
| Private AMIs | Created and used by your account |
| Marketplace AMIs | Pre-built AMIs with licensed software (e.g., WordPress, Bitnami) |

✅ Creating Your Own AMI


You can create an AMI from an existing EC2 instance:

aws ec2 create-image \
--instance-id i-1234567890abcdef0 \
--name "MyCustomAMI" \
--no-reboot

🔁 3. Auto Scaling
✅ What is Auto Scaling?
Auto Scaling automatically adjusts the number of EC2 instances in your application based on demand.

✅ Key Concepts
| Term | Description |
|---|---|
| Launch Configuration | Instance setup template |
| Launch Template | Advanced version with more options |
| Auto Scaling Group (ASG) | Group of EC2 instances managed together |
| Scaling Policy | Rules for scaling in/out (e.g., CPU > 80%) |
| Scheduled Scaling | Based on time of day/week |
| Dynamic Scaling | Based on CloudWatch metrics |

✅ Auto Scaling CLI Example


aws autoscaling create-auto-scaling-group \
--auto-scaling-group-name my-asg \
--launch-template LaunchTemplateName=my-template \
--min-size 1 \
--max-size 5 \
--desired-capacity 2 \
--vpc-zone-identifier subnet-abc123,subnet-def456

⚡ 4. AWS Lambda (Serverless)


✅ What is Lambda?
AWS Lambda lets you run code without provisioning or managing servers. You simply upload your function and AWS runs it in response to events.

✅ Key Features
| Feature | Description |
|---|---|
| Event-Driven | Invoked by triggers (S3, DynamoDB, API Gateway, etc.) |
| Stateless | Each invocation is independent |
| Managed Execution | AWS handles server scaling, patching, logging |
| Granular Billing | Charged by execution time (ms) and requests |

✅ Lambda Runtime Support


●​ Node.js, Python, Java, Go, Ruby, .NET, custom runtimes (via Lambda Layers)

✅ Lambda Use Cases


●​ REST APIs with API Gateway
●​ Image processing on S3 uploads
●​ Scheduled cron jobs
●​ Data transformation pipelines

✅ Lambda CLI Example


aws lambda create-function \
--function-name myLambda \
--runtime python3.9 \
--role arn:aws:iam::123456789012:role/execution_role \
--handler lambda_function.lambda_handler \
--zip-file fileb://function.zip

🐳 5. Amazon ECS (Elastic Container Service)
✅ What is ECS?
Amazon ECS is a fully managed container orchestration service to run Docker containers.
✅ Key Concepts
| Term | Description |
|---|---|
| Task | A running instance of a container |
| Task Definition | Blueprint for running a task |
| Service | Ensures tasks stay running and manages scaling |
| Cluster | Logical grouping of resources |
| Launch Types | Fargate (serverless) or EC2 (managed infra) |

✅ ECS Launch Types


| Type | Description |
|---|---|
| EC2 Launch | You manage EC2 instances in the cluster |
| Fargate Launch | No server management; AWS provisions resources on-demand |

✅ ECS CLI Task Example


aws ecs run-task \
--cluster my-cluster \
--launch-type FARGATE \
--network-configuration awsvpcConfiguration={...} \
--task-definition my-task

☸️ 6. Amazon EKS (Elastic Kubernetes Service)
✅ What is EKS?
Amazon EKS is a managed Kubernetes service to run Kubernetes workloads without managing control plane components.

✅ Why Use EKS?


●​ Fully compatible with native Kubernetes
●​ AWS manages availability and scalability of master nodes
●​ Deep integration with IAM, VPC, CloudWatch

✅ EKS Architecture
| Component | Description |
|---|---|
| EKS Control Plane | Fully managed by AWS |
| EKS Worker Nodes | Your EC2 instances or Fargate |
| kubectl | CLI for Kubernetes |
| EKS Add-ons | Core components like CoreDNS, kube-proxy, etc. |

✅ Common Tools for EKS


●​ eksctl – Easy cluster creation CLI
●​ kubectl – Kubernetes command-line tool
●​ Helm – Package manager for Kubernetes apps

✅ EKS Deployment Example with eksctl


eksctl create cluster \
--name my-cluster \
--region us-west-2 \
--nodegroup-name standard-workers \
--node-type t3.medium \
--nodes 3
🔚 Summary Table: Compute Services Overview
| Service | Use Case | Server Mgmt | Scalable |
|---|---|---|---|
| EC2 | Custom VMs | Yes | Manual or Auto |
| AMI | OS/Application Blueprint | Yes | Used with EC2 |
| Auto Scaling | Scale EC2 | Yes | Yes |
| Lambda | Serverless apps | No | Auto |
| ECS | Containers | Optional | Auto |
| EKS | Kubernetes | No Control Plane Mgmt | Auto |

💾 3. AWS Storage Services


🪣 Amazon S3 (Simple Storage Service)
✅ What is S3?
Amazon S3 is an object storage service that stores data as objects in buckets. It offers 99.999999999% (11 9s) durability and is suitable for storing everything from backups to websites.

✅ Key Features of S3
| Feature | Description |
|---|---|
| Object Storage | Stores data as key-value pairs (objects), not as files or blocks |
| Scalable | Virtually unlimited storage |
| Durable | 11 9s durability across multiple AZs |
| Secure | IAM, bucket policies, encryption (SSE-S3, SSE-KMS) |
| Flexible Tiers | Store based on access patterns (Standard, IA, Glacier, etc.) |

✅ S3 Bucket Concepts
| Term | Description |
|---|---|
| Bucket | Container for storing objects |
| Object | File + metadata |
| Key | Unique identifier for object |
| Prefix | Folder-like structure |
| Storage Class | Tier (Standard, IA, Glacier, etc.) |
| Region | Buckets are region-specific |

✅ S3 Lifecycle Rules
Used to automate the transition of data between storage classes or deletion.

Example Rules:

● Move to S3 IA after 30 days
● Archive to Glacier after 90 days
● Delete after 365 days

{
  "Rules": [
    {
      "ID": "TransitionRule",
      "Filter": {
        "Prefix": ""
      },
      "Status": "Enabled",
      "Transitions": [
        {
          "Days": 30,
          "StorageClass": "STANDARD_IA"
        },
        {
          "Days": 90,
          "StorageClass": "GLACIER"
        }
      ],
      "Expiration": {
        "Days": 365
      }
    }
  ]
}

✅ S3 Versioning
●​ Enables multiple versions of the same object
●​ Protects against accidental overwrites and deletions
●​ Can be used with MFA Delete

aws s3api put-bucket-versioning \
--bucket my-versioned-bucket \
--versioning-configuration Status=Enabled

✅ S3 Glacier
| Feature | Description |
|---|---|
| S3 Glacier | Low-cost, archival storage (retrieval in minutes to hours) |
| S3 Glacier Deep Archive | Lowest-cost storage, suitable for 7–10 year archives |
| Use Cases | Compliance data, backups, audit logs |

✅ S3 CLI Examples
Upload a file:

aws s3 cp myfile.txt s3://my-bucket/

List bucket contents:

aws s3 ls s3://my-bucket/

📦 EBS vs EFS vs FSx (Block, File, and Specialized Storage)

🧱 1. EBS (Elastic Block Store)


| Feature | Description |
|---|---|
| Type | Block Storage |
| Use With | EC2 instances |
| Durability | Replicated within AZ |
| Performance | SSD or HDD options |
| Scalability | Up to 64 TiB per volume |
| Backup | Snapshots to S3 |

Volume Types:

● gp3 (General Purpose SSD) – Balanced performance
● io2 (Provisioned IOPS SSD) – High-performance
● sc1/st1 (HDDs) – Throughput-optimized for big data

📌 Important: EBS is tied to a specific AZ and EC2 instance. Not shareable across instances.

🗂️ 2. EFS (Elastic File System)


| Feature | Description |
|---|---|
| Type | Shared File Storage (NFS) |
| Use With | Multiple EC2 instances (Linux) |
| Durability | Multi-AZ replication |
| Elasticity | Grows/shrinks automatically |
| Performance | Standard and One Zone |

Use Cases:

● Content management systems
● Web servers
● Shared config/data

📌 EFS is POSIX-compliant, meaning it supports standard Linux file system permissions.

📁 3. FSx (Amazon File System)


Amazon FSx offers fully managed file systems optimized for enterprise applications.

🧠 Types of FSx
| FSx Type | Use Case | Description |
|---|---|---|
| FSx for Windows File Server | Microsoft workloads | SMB protocol support, Active Directory integration |
| FSx for Lustre | High-performance computing | Sub-millisecond latency, ideal for ML, data lakes |
| FSx for NetApp ONTAP | Enterprise NAS | Snapshots, NFS/SMB, data deduplication |

✅ FSx vs EFS vs EBS – Comparison Table


| Feature | EBS | EFS | FSx |
|---|---|---|---|
| Type | Block | File | File (Windows, Lustre, ONTAP) |
| Protocol | NA | NFS | SMB, NFS |
| Attachments | 1 EC2 only | Many EC2s | Multiple EC2s |
| OS | Linux & Windows | Linux | Windows/Linux |
| Backup | Snapshots | Native backups | Snapshots |
| Use Case | Databases, single-app storage | Shared web servers, CMS | Enterprise & HPC workloads |
| Cost | Medium | Higher | Higher (enterprise features) |

📌 Summary Table
| Service | Type | Best For | Access |
|---|---|---|---|
| S3 | Object Storage | Unstructured data, logs, media | Web/API |
| EBS | Block Storage | OS, DB, high-speed apps | Attached to EC2 |
| EFS | File Storage (NFS) | Shared storage for Linux apps | Mount as file system |
| FSx | Enterprise File Storage | Windows/Enterprise/HPC | SMB, NFS, AD |

🌐 4. AWS Networking Services


🏗️ 1. VPC (Virtual Private Cloud)
✅ What is VPC?
VPC allows you to provision a logically isolated network in AWS where you can launch AWS resources (EC2, RDS, etc.). You control IP addressing, subnets, route tables, gateways, and firewall settings.

✅ Key VPC Concepts


| Concept | Description |
|---|---|
| CIDR Block | Defines IP address range (e.g., 10.0.0.0/16) |
| Subnets | Divide VPC into smaller segments (private/public) |
| Route Tables | Control traffic routing between subnets |
| Internet Gateway (IGW) | Enables internet access for public subnets |
| NAT Gateway/Instance | Allows private subnets to access the internet |
| Security Group | Virtual firewall for instances |
| NACLs | Firewall at subnet level (stateless) |

✅ Default VPC vs Custom VPC


| Feature | Default VPC | Custom VPC |
|---|---|---|
| Automatically created | ✅ | ❌ |
| Public subnet | ✅ | User-defined |
| IGW attached | ✅ | Manually attach |
| Route tables | Pre-configured | User-defined |



🧩 2. Subnets
✅ What is a Subnet?
A subnet is a range of IP addresses in your VPC. You can create:

● Public subnets – routed to the internet
● Private subnets – isolated from the internet

✅ Subnet Types
| Type | Internet Access | Use Cases |
|---|---|---|
| Public Subnet | Yes (via IGW) | Web servers, bastion hosts |
| Private Subnet | No (use NAT) | Databases, application servers |
| Isolated Subnet | No NAT, no IGW | Sensitive back-end systems |

🗺️ 3. Route Tables
Route tables define how traffic is directed within your VPC.

✅ Key Route Table Components


●​ Destination CIDR – e.g., 0.0.0.0/0 (for all internet traffic)
●​ Target – IGW, NAT Gateway, local, etc.

Example:

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw-123abc |
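Route lookup and subnet classification, as an added example that is not part of the cheatsheet: it applies longest-prefix matching to a route table like the one above and labels each subnet public, private or isolated by its default route, which is a quick way to spot a subnet that is unexpectedly reachable from the internet. Route table ids, subnet ids and the nat-/igw- ids are constructed placeholders.

```python
import ipaddress

# Constructed sample (not from the page): one VPC, three subnets, three route
# tables. Targets follow the page's naming: "local", an igw-..., a nat-....
ROUTE_TABLES = {
    "rtb-public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-123abc"},
    "rtb-private": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0a1b2c3d"},
    "rtb-isolated": {"10.0.0.0/16": "local"},
}
SUBNETS = {"subnet-web": "rtb-public", "subnet-app": "rtb-private", "subnet-db": "rtb-isolated"}


def resolve_route(route_table, dst_ip):
    """Pick the target for dst_ip the way a VPC route table does: the most
    specific (longest-prefix) matching destination wins; None means no route."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if ip.version == net.version and ip in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """Map a route table to the page's subnet types by its default route:
    igw -> public, nat -> private, no default route -> isolated."""
    default = route_table.get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"  # e.g. a transit gateway or virtual private gateway


def audit_subnets(subnets, route_tables):
    """Return {subnet: type}; review anything labelled 'public' that should not be."""
    return {name: classify_subnet(route_tables[rtb]) for name, rtb in subnets.items()}
```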

🌐 4. Internet Gateway (IGW)


✅ What is IGW?
A horizontally scaled, redundant AWS-managed component that allows communication between instances in your VPC and the internet.

✅ IGW Use Cases


●​ Attaching to a public subnet
●​ Allowing outbound/inbound HTTP/HTTPS traffic

✅ CLI Example
aws ec2 attach-internet-gateway \
--vpc-id vpc-abc123 \
--internet-gateway-id igw-xyz789

🔁 5. NAT (Network Address Translation)


✅ What is NAT?
NAT enables private subnet instances to access the internet while preventing incoming
traffic from the internet.

| Type | Description | Billing |
|---|---|---|
| NAT Instance | EC2 instance configured as NAT | Manual scaling |
| NAT Gateway | Managed AWS service | Pay-per-use, scalable |

📌 NAT Gateways are recommended for production; NAT Instances for cost-sensitive dev/test environments.

🔐 6. Security Groups vs NACLs


✅ Security Groups (SG)
| Feature | Value |
|---|---|
| Acts as | Virtual firewall at instance level |
| Type | Stateful |
| Default | Deny all inbound, allow all outbound |
| Scope | Attached to EC2 instances |
| Rules | Only allow rules (no denies) |

Example Rule:

●​ Allow inbound: port 22 (SSH) from 203.0.113.0/24

✅ NACLs (Network ACLs)


| Feature | Value |
|---|---|
| Acts as | Firewall at subnet level |
| Type | Stateless (return traffic must be explicitly allowed) |
| Default | Allow all |
| Scope | Subnet-wide |
| Rules | Allow and deny rules |

Example Rule:

● Deny all inbound on port 80
● Allow all outbound

📌 Use Security Groups for most use cases; use NACLs as an extra layer of security at the subnet level.
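The stateful/stateless difference is easiest to see by simulating both filters on one SSH session, so here is an added example (not from the cheatsheet) that models the two example rules above: a security group allowing port 22 from 203.0.113.0/24 and a NACL denying inbound port 80. It also shows the classic NACL mistake: an outbound rule that omits ephemeral ports silently drops the replies of a session the security group allowed. All addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound" relative to the instance/subnet
    proto: str      # "tcp", "udp" or "all"
    port: int       # destination port of this packet
    peer: str       # remote IP address


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACLs may also "deny"; security groups are allow-only
    number: int = 0        # NACL rule number (evaluated lowest first); unused for SGs


def _matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.proto in ("all", pkt.proto)
            and rule.port_from <= pkt.port <= rule.port_to
            and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr))


def sg_allows(rules, pkt, established=False):
    """Security group: allow rules only, implicit deny, STATEFUL: a packet that
    belongs to an already-allowed connection passes without consulting the rules."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups cannot contain deny rules")
    if established:
        return True
    return any(_matches(r, pkt) for r in rules)


def nacl_allows(rules, pkt):
    """NACL: numbered rules, lowest number first, first match wins, implicit deny.
    STATELESS: every packet, including return traffic, is judged on its own."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action == "allow"
    return False


# Page's SG example: allow inbound 22 from 203.0.113.0/24 (constructed object).
SG = [Rule("inbound", "tcp", 22, 22, "203.0.113.0/24")]

# Page's NACL example (deny inbound 80, allow all outbound) plus a catch-all
# inbound allow so the subnet is reachable on other ports.
NACL = [
    Rule("inbound", "tcp", 80, 80, "0.0.0.0/0", action="deny", number=100),
    Rule("inbound", "all", 0, 65535, "0.0.0.0/0", action="allow", number=200),
    Rule("outbound", "all", 0, 65535, "0.0.0.0/0", action="allow", number=100),
]
# Constructed misconfiguration: outbound allows only 443, so replies to the
# client's ephemeral port never leave the subnet.
STRICT_NACL = [
    Rule("inbound", "all", 0, 65535, "0.0.0.0/0", action="allow", number=100),
    Rule("outbound", "tcp", 443, 443, "0.0.0.0/0", action="allow", number=100),
]


def ssh_session(sg, nacl, client_ip, client_port=50000):
    """Trace one SSH session (request in, reply out) through NACL then SG."""
    request = Packet("inbound", "tcp", 22, client_ip)
    reply = Packet("outbound", "tcp", client_port, client_ip)
    if not (nacl_allows(nacl, request) and sg_allows(sg, request)):
        return "blocked on request"
    if not nacl_allows(nacl, reply):
        return "blocked on reply (stateless NACL)"
    sg_allows(sg, reply, established=True)  # stateful: the SG lets the reply through
    return "ok"
```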

🔌 7. AWS Direct Connect


✅ What is Direct Connect?
A dedicated private network connection from your on-premises data center to AWS.

✅ Key Benefits
●​ Lower latency & jitter
●​ Higher throughput
●​ Consistent network performance
●​ Bypasses the internet

✅ Use Cases
●​ Hybrid cloud
●​ Finance/Healthcare (compliance-heavy)
●​ Large data transfers

🌍 8. AWS CloudFront (CDN)


✅ What is CloudFront?
CloudFront is AWS's Content Delivery Network (CDN) that securely delivers content with low latency and high transfer speeds.

✅ Key Concepts
| Concept | Description |
|---|---|
| Edge Locations | CDN servers that cache content closer to users |
| Origin | The original server (e.g., S3, EC2) |
| Distribution | The CDN configuration |
| Caching | Static/dynamic content acceleration |

📌 Use CloudFront with:


●​ S3 static sites
●​ EC2 web servers
●​ API Gateway
●​ Lambda@Edge (custom logic)
✅ CloudFront Benefits
●​ DDoS protection (via AWS Shield)
●​ SSL/TLS encryption
●​ Gzip compression
●​ Custom error pages

⚡ 9. AWS Global Accelerator


✅ What is Global Accelerator?
AWS Global Accelerator uses the AWS global network to route user traffic to the nearest endpoint with optimized performance.

✅ Differences from CloudFront


| Feature | CloudFront | Global Accelerator |
|---|---|---|
| Content | Static + dynamic content | Entire application traffic |
| Protocol | HTTP/HTTPS | TCP/UDP |
| Acceleration | Content delivery | Global application routing |
| Use Case | Websites, video | Multiplayer gaming, VPNs, APIs |

✅ Benefits
●​ Static IP addresses
●​ Automatic health checks & failover
●​ Improved availability and latency

🧠 Summary Table
| Component | Purpose | Scope | Stateful | Public Access |
|---|---|---|---|---|
| VPC | Virtual network | Entire AWS region | — | ❌ |
| Subnet | Subdivided network | Within VPC | — | Optional |
| Route Table | Traffic routing | Subnet level | — | ❌ |
| IGW | Internet access | Public subnet | — | ✅ |
| NAT | Outbound access for private subnet | Subnet level | — | ✅ (outbound only) |
| Security Group | Instance-level firewall | EC2 | ✅ | ❌ |
| NACL | Subnet-level firewall | Subnet | ❌ | ❌ |
| Direct Connect | Dedicated line | On-prem ↔ AWS | — | ✅ |
| CloudFront | CDN | Global | — | ✅ |
| Global Accelerator | Latency-based routing | Global | — | ✅ |

🗃️ 5. AWS Database Services


📌 Overview
AWS offers fully managed database services across relational, NoSQL, data warehouse, and in-memory databases.

| Service | Type | Use Case |
|---|---|---|
| RDS | Relational (SQL) | Web apps, transactional systems |
| Aurora | Relational (SQL, AWS-built) | High performance, MySQL/PostgreSQL compatible |
| DynamoDB | NoSQL (Key-Value) | Low-latency apps, gaming, IoT |
| Redshift | Data Warehouse | Analytics, BI |
| ElastiCache | In-memory | Caching, real-time analytics |

🛢️ 1. Amazon RDS (Relational Database Service)


✅ What is RDS?
Fully managed service for relational databases (automated patching, backups, high availability).

✅ Supported Engines
●​ MySQL
●​ PostgreSQL
●​ MariaDB
●​ Oracle
●​ SQL Server
●​ Aurora (AWS-optimized MySQL/PostgreSQL)

✅ RDS Features
| Feature | Description |
|---|---|
| Multi-AZ Deployment | High availability (automatic failover) |
| Read Replicas | Horizontal scaling for read-heavy workloads |
| Automatic Backups | Daily snapshots & transaction logs |
| Monitoring | Amazon CloudWatch, Performance Insights |
| Encryption | At rest and in transit using KMS |

✅ RDS Use Case


| Use Case | Service |
|---|---|
| E-commerce app | RDS MySQL/PostgreSQL |
| Legacy enterprise DB | RDS SQL Server |
| Compliance-heavy | RDS Oracle |
| Scalable cloud-native | Aurora |

💡 2. Amazon Aurora
✅ What is Aurora?
Amazon Aurora is a cloud-native relational DB engine with the performance and availability of high-end commercial DBs, but at 1/10th the cost.

Compatible with MySQL and PostgreSQL.

✅ Aurora Key Features


| Feature | Description |
|---|---|
| 5x Faster than MySQL | Up to 500,000 reads/sec, 100,000 writes/sec |
| 6-way Replication | Across 3 AZs for high availability |
| Auto Scaling | Up to 128 TB storage per DB |
| Aurora Serverless v2 | On-demand compute scaling |
| Global Database | Up to 5 regions for low-latency global reads |

✅ Aurora Use Cases


●​ Fintech applications
●​ SaaS multi-tenant platforms
●​ High-traffic APIs

📒 3. Amazon DynamoDB
✅ What is DynamoDB?
A fully managed NoSQL database service that provides single-digit millisecond performance at any scale.

✅ DynamoDB Characteristics
| Property | Value |
|---|---|
| Type | Key-Value and Document |
| Performance | Fast and consistent |
| Managed | No servers, no patching |
| Scaling | Auto-scaling (on-demand or provisioned) |
| High Availability | Across 3 AZs by default |

✅ DynamoDB Features
| Feature | Description |
|---|---|
| DAX | In-memory cache for 10x faster reads |
| Streams | Change data capture (CDC) for triggers |
| TTL | Auto-expiry for items |
| Global Tables | Multi-region active-active DB |
| Fine-Grained Access Control | Via IAM and condition expressions |

✅ Use Cases
●​ Gaming leaderboards
●​ Shopping carts
●​ Serverless applications (integrates with Lambda)

✅ DynamoDB Data Model


{
  "TableName": "Users",
  "Item": {
    "UserID": {"S": "123"},
    "Name": {"S": "Utkrist"},
    "Score": {"N": "95"}
  }
}

● Primary Key: Partition key (or composite with sort key)
● No Joins or Complex Queries like in RDS
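The item above is written in DynamoDB's typed attribute-value JSON, where every value is wrapped in a type key (`"S"`, `"N"`, ...). As an added example (not from the cheatsheet), here is a decoder and encoder for that format, including the nested types (`M`, `L`, `SS`, `BOOL`, `NULL`) the page does not show, plus a check that an item carries its partition key before it is encoded. The table name and item come from the page; everything else is constructed.

```python
from decimal import Decimal

# The page's PutItem-style request (constructed copy of the page's data model).
PAGE_REQUEST = {
    "TableName": "Users",
    "Item": {"UserID": {"S": "123"}, "Name": {"S": "Utkrist"}, "Score": {"N": "95"}},
}


def from_attr(value):
    """Decode one DynamoDB attribute value ({"S": ...}, {"N": ...}, ...) into Python."""
    if not isinstance(value, dict) or len(value) != 1:
        raise ValueError(f"attribute value must be a single-key dict: {value!r}")
    (kind, payload), = value.items()
    if kind == "S":
        return payload
    if kind == "N":
        return Decimal(payload)  # numbers are strings on the wire; keep precision
    if kind == "BOOL":
        return bool(payload)
    if kind == "NULL":
        return None
    if kind == "L":
        return [from_attr(v) for v in payload]
    if kind == "M":
        return {k: from_attr(v) for k, v in payload.items()}
    if kind == "SS":
        return set(payload)
    if kind == "NS":
        return {Decimal(n) for n in payload}
    raise ValueError(f"unsupported attribute type {kind!r}")


def to_attr(obj):
    """Encode a Python value into DynamoDB attribute-value JSON (inverse of from_attr)."""
    if isinstance(obj, bool):  # test bool before int: bool is an int subclass
        return {"BOOL": obj}
    if obj is None:
        return {"NULL": True}
    if isinstance(obj, str):
        return {"S": obj}
    if isinstance(obj, (int, Decimal)):
        return {"N": str(obj)}
    if isinstance(obj, list):
        return {"L": [to_attr(v) for v in obj]}
    if isinstance(obj, dict):
        return {"M": {k: to_attr(v) for k, v in obj.items()}}
    if isinstance(obj, set):
        if all(isinstance(v, str) for v in obj):
            return {"SS": sorted(obj)}
        return {"NS": sorted(str(v) for v in obj)}
    raise TypeError(f"cannot encode {type(obj).__name__}")


def decode_item(item):
    return {k: from_attr(v) for k, v in item.items()}


def encode_item(obj, partition_key):
    """Encode an item, refusing one that lacks its partition key (every item needs one)."""
    if partition_key not in obj:
        raise KeyError(f"item is missing partition key {partition_key!r}")
    return {k: to_attr(v) for k, v in obj.items()}
```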

🧱 4. Amazon Redshift
✅ What is Redshift?
A fully managed data warehouse designed for OLAP (Online Analytical Processing).

Used to analyze petabytes of structured and semi-structured data using SQL.

✅ Redshift Architecture
| Feature | Description |
|---|---|
| Columnar Storage | Optimized for analytical queries |
| Massive Parallel Processing (MPP) | Multiple nodes process queries |
| Redshift Spectrum | Query S3 directly using SQL |
| Materialized Views | Precomputed result caching |
| Integration | With BI tools like QuickSight, Tableau |

✅ Use Cases
●​ Business Intelligence
●​ Data Lakes
●​ Real-time Analytics

✅ Redshift vs RDS
| Feature | RDS | Redshift |
|---|---|---|
| Use | OLTP (transactions) | OLAP (analytics) |
| Data Size | GBs to TBs | TBs to PBs |
| Storage | Row-based | Column-based |
| Concurrency | Low | High (read-heavy) |

⚡ 5. Amazon ElastiCache
✅ What is ElastiCache?
A fully managed in-memory cache service to improve app performance.

Supports:

●​ Redis
●​ Memcached

✅ Use Cases
●​ Caching frequently accessed data
●​ Session stores
●​ Leaderboards
●​ Real-time analytics

✅ ElastiCache: Redis vs Memcached


| Feature | Redis | Memcached |
|---|---|---|
| Data Types | Strings, hashes, lists, sets | Strings only |
| Persistence | Yes (snapshots, AOF) | No |
| Replication | Yes | No |
| Pub/Sub, TTL, Lua | Yes | No |

✅ ElastiCache Benefits
●​ Sub-millisecond latency
●​ Reduces DB load
●​ Seamless scaling with clustering

🧠 Summary Table
| Service | Type | Best For | Key Feature |
|---|---|---|---|
| RDS | Relational (SQL) | Web apps, transactions | Managed backups, Multi-AZ |
| Aurora | Relational (SQL) | High performance SQL DB | Auto-scaling, global |
| DynamoDB | NoSQL (KV/Doc) | Serverless apps, IoT | 1ms latency, Streams, DAX |
| Redshift | Data Warehouse | BI/Analytics | Columnar storage, Spectrum |
| ElastiCache | In-memory | Real-time speed | Redis/Memcached support |

✅ Real-World Mapping of Use Cases


| Use Case | Service |
|---|---|
| E-commerce orders | RDS MySQL |
| Gaming scoreboards | DynamoDB |
| BI dashboard | Redshift |
| Social media feed caching | ElastiCache Redis |
| Banking back-end | Aurora PostgreSQL |

🔐 6. Identity & Access Management in AWS
This module covers essential services and practices that help you securely control access to AWS resources.

🔑 1. IAM (Identity and Access Management)


✅ What is IAM?
IAM is the core AWS security service that helps you manage access to your AWS account and resources using:

●​ Users
●​ Groups
●​ Roles
●​ Policies

🧠 IAM is global (not region-specific).

✅ IAM Users
| Feature | Description |
|---|---|
| Represents | A single person or application |
| Credentials | Username + Password (for console), Access Keys (for CLI/SDK) |
| Permissions | Controlled via attached policies |
| MFA | Can be enabled for extra security |

🛠️ Example:
{
  "UserName": "utkrist-admin",
  "Permissions": ["AmazonS3FullAccess", "EC2ReadOnlyAccess"]
}

✅ IAM Groups
| Feature | Description |
|---|---|
| What | Collection of IAM users |
| Purpose | Assign the same policies to multiple users |
| Example | DevOpsTeam, DataScientists |

📌 IAM groups cannot be nested.

✅ IAM Roles
| Feature | Description |
|---|---|
| What | AWS identity with temporary credentials |
| Used By | AWS services, federated users, applications |
| Permissions | Defined by attached policies |
| Trust Policy | Specifies who can assume the role |

🧠 Example Use Cases:


●​ EC2 Role for accessing S3
●​ Lambda Role for writing to DynamoDB
●​ Cross-account access

✅ IAM Policies
Policies define permissions.

| Type | Description |
|---|---|
| Managed Policies | AWS-predefined or customer-created |
| Inline Policies | Embedded directly in user, group, or role |
| Permissions Boundaries | Limits max permissions a role/user can have |

🧠 Policy Format:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
  }]
}

✅ IAM MFA (Multi-Factor Authentication)


Adds an extra layer of security:

● Something you know (password)
● Something you have (MFA device/app)

🛡️ Devices:
●​ Virtual MFA apps (Authy, Google Authenticator)
●​ Hardware MFA (YubiKey)

🏢 2. AWS Organizations
✅ What is AWS Organizations?
A service to centrally manage multiple AWS accounts, ideal for:

●​ Enterprises
●​ Billing consolidation
●​ Policy control across accounts
✅ Key Concepts
| Concept | Description |
|---|---|
| Management Account | Root account of the organization |
| Member Accounts | Other accounts under management |
| Organizational Units (OUs) | Group accounts hierarchically |
| Service Control Policies (SCPs) | Guardrails for account permissions |

🧠 SCPs do not grant permissions — they only restrict maximum permissions.

✅ Use Cases
●​ Separate prod/dev/test environments
●​ Isolate billing
●​ Enforce compliance rules (e.g., deny EC2 in certain regions)

🧍 3. AWS Single Sign-On (SSO)


✅ What is AWS SSO?
SSO lets you centrally manage access to multiple AWS accounts and 3rd-party apps with a single login.

| Feature | Description |
|---|---|
| Identity Source | AWS SSO, Active Directory, Okta, etc. |
| SAML Support | Yes |
| Integration | IAM Identity Center |
| MFA | Optional and configurable |

🛠️ Assign users to accounts and permission sets with fine-grained control.


✅ Use Cases
●​ Enterprise-wide identity federation
●​ Developer access across multiple accounts
●​ Role-based access for auditors, DevOps, data teams

🔁 4. AWS STS (Security Token Service)


✅ What is STS?
Provides temporary, limited-privilege credentials for:

●​ IAM users
●​ Federated users
●​ Cross-account access

✅ Key Features
| Feature | Description |
|---|---|
| Temporary credentials | Limited time + scope |
| AssumeRole API | Used to get credentials |
| Federation Support | SAML/LDAP/AD |
| Use Cases | Mobile apps, cross-account access, short-term privileges |

🛠️ Example:
aws sts assume-role \
--role-arn arn:aws:iam::111122223333:role/CrossAccountRole \
--role-session-name devSession

✅ STS Credential Lifetime


| API | Default Duration | Max |
|---|---|---|
| AssumeRole | 1 hour | 12 hours |
| GetSessionToken | 12 hours | 36 hours |
| AssumeRoleWithWebIdentity | 1 hour | 12 hours |

🧠 IAM vs SSO vs STS


| Feature | IAM | SSO | STS |
|---|---|---|---|
| Manages AWS permissions | ✅ | ✅ | ❌ |
| Central identity store | ❌ | ✅ | ❌ |
| Temporary credentials | ❌ | ✅ (via identity federation) | ✅ |
| Role-based delegation | ✅ | ✅ | ✅ |
| Federation support | ❌ | ✅ | ✅ |

✅ Best Practices
●​ Enforce MFA for all users (especially root)
●​ Use roles for EC2, Lambda, etc. (not access keys)
●​ Never use root user except for billing/account setup
●​ Use IAM policies with least privilege
●​ Rotate credentials and enable access key auditing
●​ Apply SCPs in Organizations to enforce account-wide policies

🚨 IAM Policy Simulator


Use the IAM Policy Simulator to test:
●​ What actions a policy allows or denies
●​ Effective permissions
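The policy simulator answers "does this policy allow action X on resource Y?", and the best practice above asks for least privilege. As an added example (not from the cheatsheet, and deliberately simpler than IAM's real engine: no Condition, NotAction, NotResource, SCPs or resource policies), the code below implements the core evaluation order (explicit Deny beats Allow, otherwise implicit Deny) with IAM-style wildcards, and a lint that flags Allow statements pairing a wildcard action with `Resource: "*"`, such as the page's `s3:*` policy. The scoped policy and the Deny statement are constructed.

```python
import fnmatch

# The page's policy (s3:* on every resource), plus a constructed least-privilege
# alternative and a constructed explicit Deny. Bucket names are placeholders.
PAGE_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Action": ["s3:GetObject", "s3:ListBucket"],
                                "Resource": ["arn:aws:s3:::my-bucket",
                                             "arn:aws:s3:::my-bucket/*"]}]}
DENY_DELETE = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(pattern, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    # Action names match case-insensitively; ARNs are case-sensitive.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation: explicit Deny > Allow > implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation immediately
            allowed = True
    return "Allow" if allowed else "Deny"


def overly_broad(policy):
    """Least-privilege lint: indexes of Allow statements that pair a wildcard
    action ('*' or 'service:*') with Resource '*'."""
    hits = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if stmt["Effect"] == "Allow" and wild_action and "*" in resources:
            hits.append(i)
    return hits
```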

🧠 Summary Table
| Feature | IAM | Organizations | SSO | STS |
|---|---|---|---|---|
| User Management | ✅ | ❌ | ✅ | ❌ |
| Permissions | ✅ | SCPs (limits) | ✅ | Temporary |
| Role Assumption | ✅ | ✅ | ✅ | ✅ |
| MFA Support | ✅ | ❌ | ✅ | ❌ |
| Cross-Account | ✅ (roles) | ✅ | ✅ | ✅ |
| Use Case | Secure single account | Multi-account control | Unified login | Temporary access |

📊 7. Monitoring & Logging in AWS


AWS provides robust tools to monitor your applications, infrastructure, and security in real time and retain logs for auditing.

📡 1. Amazon CloudWatch
✅ What is CloudWatch?
CloudWatch is a monitoring and observability service for:
● Logs
● Metrics
● Events
● Alarms
● Dashboards

🧠 It is regional and supports custom metrics as well.

🔍 A. CloudWatch Metrics
Numerical values over time, used to understand the performance of AWS services and applications.

| Type | Examples |
|---|---|
| Built-in | EC2 CPUUtilization, DiskReadOps, NetworkIn |
| Custom | Application-specific metrics (latency, queue length) |
| Namespaces | AWS/EC2, AWS/Lambda, AWS/S3 |

🛠️ Example:
aws cloudwatch get-metric-statistics \
--metric-name CPUUtilization \
--namespace AWS/EC2 \
--dimensions Name=InstanceId,Value=i-1234567890 \
--statistics Average \
--period 300 --start-time 2025-06-06T00:00:00Z \
--end-time 2025-06-06T06:00:00Z

📘 B. CloudWatch Logs
Captures real-time log streams from AWS services or custom apps.

| Source | Description |
|---|---|
| EC2 | Use CloudWatch agent to send logs |
| Lambda | Logs are pushed automatically |
| ECS | Integration via Fluent Bit |
| Custom apps | Use SDK or CLI |

🧠 Supports metric filters, log retention policies, subscriptions (e.g., send to S3, Kinesis, Lambda).

🚨 C. CloudWatch Alarms
Used to trigger actions based on metric thresholds.

| Alarm Type | Example |
|---|---|
| Static | CPUUtilization > 80% for 5 mins |
| Anomaly Detection | Auto-detect outliers |
| Composite Alarms | Combine multiple alarms using AND/OR |

🔁 Actions:
●​ Send SNS notification​

●​ Auto scale EC2​

●​ Trigger Lambda​
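The logs-to-alarm path described in sections A to C above, as an added worked example that is not part of the original cheatsheet: a metric filter counts ERROR lines per 300-second period, a static alarm applies CloudWatch's "M out of N datapoints" semantics, and a composite alarm combines named alarm states with AND/OR/NOT. The log lines and CPU datapoints are constructed, and alarm names such as cpu-high and page-oncall are assumed for illustration.

```python
from datetime import datetime, timezone

# Constructed application log (not from the page): one line per event in the
# form "timestamp level message", covering roughly 16 minutes.
SAMPLE_LOG = """\
2025-06-06T00:00:10Z INFO  request ok
2025-06-06T00:01:20Z ERROR db timeout
2025-06-06T00:02:05Z ERROR db timeout
2025-06-06T00:06:30Z ERROR db timeout
2025-06-06T00:07:45Z ERROR db timeout
2025-06-06T00:08:10Z INFO  request ok
2025-06-06T00:11:00Z ERROR db timeout
2025-06-06T00:12:00Z ERROR db timeout
2025-06-06T00:16:00Z INFO  request ok
"""

# Constructed CPUUtilization datapoints: Average over consecutive 300 s periods.
SAMPLE_CPU = [65.0, 82.0, 91.0, 88.0]


def _epoch(stamp):
    """Parse an ISO-8601 UTC timestamp such as the page's --start-time value."""
    return int(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def metric_filter(log_text, term, period=300):
    """Emulate a CloudWatch Logs metric filter that counts lines containing
    `term`, aggregated into `period`-second windows. Returns a list of
    (window_start_epoch, count). Windows with no matching line are reported
    as 0, like a metric filter with a default value of 0; without that the
    alarm would see missing data instead."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    stamps = [_epoch(ln.split()[0]) for ln in lines]
    first = min(stamps) // period * period
    last = max(stamps) // period * period
    counts = {w: 0 for w in range(first, last + period, period)}
    for stamp, line in zip(stamps, lines):
        if term in line:
            counts[stamp // period * period] += 1
    return sorted(counts.items())


def static_alarm(values, threshold, evaluation_periods, datapoints_to_alarm=None):
    """Static threshold alarm with CloudWatch's "M out of N" semantics:
    ALARM when at least `datapoints_to_alarm` of the last `evaluation_periods`
    datapoints exceed `threshold` (GreaterThanThreshold), otherwise OK."""
    needed = datapoints_to_alarm or evaluation_periods
    window = values[-evaluation_periods:]
    breaching = sum(1 for v in window if v > threshold)
    return "ALARM" if breaching >= needed else "OK"


def composite_alarm(rule, states):
    """Evaluate a composite alarm rule over named alarm states. `rule` is a
    nested tuple ("AND", a, b), ("OR", a, b), ("NOT", a) or an alarm name,
    mirroring the AND/OR/NOT operators of a CloudWatch rule expression."""
    if isinstance(rule, str):
        return states[rule] == "ALARM"
    op, *args = rule
    if op == "AND":
        return all(composite_alarm(a, states) for a in args)
    if op == "OR":
        return any(composite_alarm(a, states) for a in args)
    if op == "NOT":
        return not composite_alarm(args[0], states)
    raise ValueError(f"unknown operator {op!r}")


def run_demo():
    """Logs -> metric -> alarms -> composite; returns the resulting states."""
    error_counts = [count for _, count in metric_filter(SAMPLE_LOG, "ERROR")]
    states = {
        # "CPU > 80 for three consecutive 5-minute periods"
        "cpu-high": static_alarm(SAMPLE_CPU, 80, evaluation_periods=3),
        # "more than 1 error in each of the last 3 periods" (only 2 of 3 breach)
        "errors-high": static_alarm(error_counts, 1, evaluation_periods=3),
    }
    states["page-oncall"] = "ALARM" if composite_alarm(
        ("AND", "cpu-high", "errors-high"), states) else "OK"
    states["investigate"] = "ALARM" if composite_alarm(
        ("OR", "cpu-high", "errors-high"), states) else "OK"
    return states


if __name__ == "__main__":
    for name, state in run_demo().items():
        print(f"{name:12} {state}")
```

The interesting knob is datapoints_to_alarm: with the same error series, "2 out of 3" would fire while "3 out of 3" stays OK, which is exactly the difference between a noisy pager and a useful one.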

📊 D. CloudWatch Dashboards
Customizable dashboards to visualize metrics and logs across AWS.

| Feature | Description |
|---|---|
| Widgets | Graphs, numbers, text |
| Cross-Service | Mix EC2, Lambda, S3, etc. |
| Cross-Region | Yes (read-only) |
| Sharing | JSON export/import possible |

🕵️ 2. AWS CloudTrail
✅ What is CloudTrail?
CloudTrail records all API calls (via AWS Console, CLI, SDKs) made in your AWS account for
audit and security.

🧠 It is a regional + global service.

🧩 CloudTrail Components

| Component | Description |
|---|---|
| Event | Record of an action: who, what, when, where |
| Management Events | Control plane: create bucket, delete instance |
| Data Events | Data plane: S3 object-level, Lambda invocations |
| Insights | Anomaly detection (e.g., large volume of StopInstances) |
🪵 Example CloudTrail Log
{
  "eventTime": "2025-06-06T13:00:00Z",
  "eventName": "StartInstances",
  "userIdentity": {
    "type": "IAMUser",
    "userName": "utkrist"
  },
  "awsRegion": "us-east-1",
  "sourceIPAddress": "12.34.56.78"
}

📤 Delivery
● Stored in S3 (optionally encrypted)
● Integrates with CloudWatch Logs
● Can be analyzed using Athena

🛡️ Security
● Encrypt logs with KMS
● Apply S3 bucket policies
● Enable multi-region trails for enterprise audit logging

✅ Use Cases

| Use Case | How CloudTrail Helps |
|---|---|
| Track user actions | Who did what and when |
| Forensics | Investigate breaches |
| Compliance | PCI, HIPAA, SOC 2 requirements |
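Two of the use cases above (alerting on a new IAM user, and finding who terminated an instance) run over delivered CloudTrail records, as an added example that is not part of the original cheatsheet. The records are constructed, extending the page's sample event with the requestParameters fields a detection reads; the rule names and the WATCHED_EVENTS table are assumptions. In practice the JSON comes from the trail's S3 delivery files or a CloudWatch Logs subscription.

```python
import json

# Constructed CloudTrail records (not from the page): the page's sample
# StartInstances event plus three more, with the fields a detection reads.
# The "Records" wrapper is the layout of a trail's S3 delivery file.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-06-06T13:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "12.34.56.78",
     "userIdentity": {"type": "IAMUser", "userName": "utkrist"}},
    {"eventTime": "2025-06-06T13:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "12.34.56.78",
     "userIdentity": {"type": "IAMUser", "userName": "utkrist"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-06-06T13:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}},
    {"eventTime": "2025-06-06T13:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}},
]})

# Event names worth an alert on their own (the page's "new IAM user" case
# plus a destructive EC2 action). Assumed list; extend to taste.
WATCHED_EVENTS = {
    "CreateUser": "new IAM user created",
    "TerminateInstances": "EC2 instance terminated",
}


def actor(record):
    """Human-readable identity: the IAM user name, or the identity type for
    root and other identities that carry no userName."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")


def _detail(record):
    """Pull the most useful request parameter for the alert text."""
    params = record.get("requestParameters") or {}
    if record["eventName"] == "CreateUser":
        return params.get("userName", "?")
    if record["eventName"] == "TerminateInstances":
        items = params.get("instancesSet", {}).get("items", [])
        return ",".join(i.get("instanceId", "?") for i in items)
    return ""


def detect(trail_json):
    """Scan delivered records and return findings, each a dict with rule,
    actor, sourceIPAddress, eventTime and detail. Two rules: a watched
    event name, and any activity performed as the root user."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        base = {"actor": actor(rec), "sourceIPAddress": rec.get("sourceIPAddress"),
                "eventTime": rec["eventTime"]}
        if rec["eventName"] in WATCHED_EVENTS:
            findings.append({"rule": rec["eventName"], "detail": _detail(rec), **base})
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append({"rule": "RootActivity", "detail": rec["eventName"], **base})
    return findings


def who_terminated(trail_json, instance_id):
    """The forensic question "who terminated this instance?": returns
    (actor, sourceIPAddress, eventTime) or None if no record matches."""
    for rec in json.loads(trail_json)["Records"]:
        if rec["eventName"] != "TerminateInstances":
            continue
        items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        if any(i.get("instanceId") == instance_id for i in items):
            return actor(rec), rec.get("sourceIPAddress"), rec["eventTime"]
    return None


if __name__ == "__main__":
    for f in detect(SAMPLE_TRAIL):
        print(f"{f['eventTime']} {f['rule']:18} {f['actor']:8} "
              f"{f['sourceIPAddress']:14} {f['detail']}")
    print(who_terminated(SAMPLE_TRAIL, "i-0abc"))
```

The same matching, expressed as a CloudWatch Logs metric filter or an EventBridge rule on the CloudTrail event pattern, is what the "CloudTrail + CloudWatch Event" row in the table below refers to.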

⚙️ 3. AWS Config
✅ What is AWS Config?
AWS Config is a resource inventory and compliance tool that records changes in resource
configurations.

🧠 Think of it as “time machine + policy engine” for your AWS environment.

🧩 Key Features

| Feature | Description |
|---|---|
| Resource Recording | Tracks config changes over time |
| Timeline View | Visual history of changes |
| Rules | Evaluate compliance (e.g., EC2 must be t3.micro) |
| Conformance Packs | Bundled rules for specific standards (PCI, HIPAA) |
| Remediation | Trigger automatic fix (e.g., delete non-compliant SG) |

🛠️ AWS Config Example Rule
Managed Rule: restricted-ssh

Ensures no security groups allow ingress from 0.0.0.0/0 on port 22.

🧠 Trigger remediation via SSM documents.
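The restricted-ssh check above, written out as a standalone Python evaluation (an added example, not AWS's rule implementation). The security groups are constructed, shaped like the SecurityGroups entries EC2 DescribeSecurityGroups returns, and the COMPLIANT / NON_COMPLIANT vocabulary is the one Config reports. It goes a little beyond the rule's one-line description by also catching port ranges that include 22, IpProtocol "-1" (all traffic) and the IPv6 ::/0 source.

```python
import ipaddress

# Constructed security groups (not from the page), shaped like the
# "SecurityGroups" entries returned by the EC2 DescribeSecurityGroups API.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion-open",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion-corp",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "all-traffic-v6",
     "IpPermissions": [{"IpProtocol": "-1",          # -1 = all protocols and ports
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "wide-port-range",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eee", "GroupName": "web-only",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_unrestricted(cidr):
    """0.0.0.0/0 and ::/0 (in any spelling) are the "anywhere" sources."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def permission_exposes_port(perm, port):
    """True if one IpPermissions entry lets the whole internet reach `port`
    over TCP. Handles single ports, port ranges and IpProtocol "-1"."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):
        return False               # udp/icmp rules cannot carry SSH
    if proto == "tcp":
        low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not low <= port <= high:
            return False
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(is_unrestricted(s) for s in sources)


def evaluate_restricted_ssh(groups, port=22):
    """Per-group verdict in the vocabulary a Config rule evaluation uses:
    NON_COMPLIANT when any ingress rule exposes `port` to 0.0.0.0/0 or ::/0."""
    verdicts = {}
    for group in groups:
        exposed = any(permission_exposes_port(p, port)
                      for p in group.get("IpPermissions", []))
        verdicts[group["GroupId"]] = "NON_COMPLIANT" if exposed else "COMPLIANT"
    return verdicts


def non_compliant(groups, port=22):
    """Sorted group ids that fail the rule; the natural input for a
    remediation step that revokes the offending ingress rule."""
    return sorted(g for g, v in evaluate_restricted_ssh(groups, port).items()
                  if v == "NON_COMPLIANT")


if __name__ == "__main__":
    for group_id, verdict in evaluate_restricted_ssh(SAMPLE_GROUPS).items():
        print(f"{group_id} {verdict}")
```

Changing the port argument turns the same logic into a check for any other service you never want exposed; the "-1" group fails for every port, which is why it deserves the first look in a remediation run.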

✅ Use Cases

| Use Case | Benefit |
|---|---|
| Compliance auditing | Tracks deviations from policy |
| Security | Detects open ports or public S3 buckets |
| Inventory tracking | Historical view of your resources |
| Automated fixes | Apply remediation if out of policy |

✅ Monitoring & Logging Summary Table

| Tool | Purpose | Key Features |
|---|---|---|
| CloudWatch | Operational monitoring | Metrics, Logs, Alarms, Dashboards |
| CloudTrail | Governance and auditing | Tracks API calls |
| AWS Config | Compliance & drift detection | Monitors config changes, evaluates rules |

✅ Real-World Use Cases

| Scenario | Tool |
|---|---|
| Alert when EC2 CPU > 80% | CloudWatch Alarm |
| See who terminated an EC2 | CloudTrail |
| Check if SG allows 0.0.0.0/0 | AWS Config |
| Dashboard for Lambda errors | CloudWatch Dashboard |
| Track EC2 type change | AWS Config timeline |
| Alert on new IAM user creation | CloudTrail + CloudWatch Event |

🧑‍💻 8. Developer Tools in AWS
AWS provides fully managed DevOps tools for continuous integration, delivery, and
collaboration.

📂 A. AWS CodeCommit
✅ What is CodeCommit?
A fully managed Git-based source control service that hosts secure and scalable
repositories.

| Feature | Details |
|---|---|
| Version Control | Git |
| Encryption | Encrypted at rest and in transit |
| Access Control | IAM policies |
| Integrations | CodeBuild, CodeDeploy, CodePipeline |

🧠 No size limits on repos or files.

🔐 Security
● Supports MFA
● IAM or federated identities
● SSH keys or Git credentials

🧱 B. AWS CodeBuild
✅ What is CodeBuild?
A fully managed CI service that compiles source code, runs tests, and produces artifacts.

| Feature | Description |
|---|---|
| Language Support | Java, Python, Node.js, Go, Docker |
| Billing | Pay-as-you-go (per build minute) |
| Isolation | Each build in its own container |
| Custom Images | Use your own Docker container |

🛠️ Uses a buildspec.yml file for instructions:
version: 0.2
phases:
  install:
    commands:
      - echo Installing...
  build:
    commands:
      - echo Building...
artifacts:
  files:
    - target/*.jar

🚀 C. AWS CodeDeploy
✅ What is CodeDeploy?
A deployment automation service for EC2, Lambda, or on-prem.

| Mode | Description |
|---|---|
| EC2/On-Prem | Agent-based, supports Blue/Green |
| Lambda | Shifts traffic between versions |
| ECS | Integrated deployment for containers |

🛠️ AppSpec file example for EC2:
version: 0.0
os: linux
hooks:
  BeforeInstall:
    - location: scripts/install.sh

✅ Tracks deployment status; rollback options available.

🔁 D. AWS CodePipeline
✅ What is CodePipeline?
A fully managed CI/CD orchestration service to model your entire software release process.

| Feature | Description |
|---|---|
| Stages | Source → Build → Test → Deploy |
| Integrates With | GitHub, CodeCommit, CodeBuild, S3, Lambda, etc. |
| Triggers | Push-based or manual |
| Approval Gates | Add manual approval before prod |

🧠 Use YAML + the CodePipeline console to define stages visually.

💻 E. AWS Cloud9
✅ What is Cloud9?
A cloud-based IDE with support for:
● Code editing
● Debugging
● Running code in-browser

| Feature | Description |
|---|---|
| Language Support | Python, Node.js, JavaScript, etc. |
| Backend | EC2 (t2.micro or larger) |
| Collaboration | Share IDE with teammates |
| Terminals | Pre-authenticated AWS CLI access |

🧠 Ideal for secure, team-based development in the cloud.

🧩 Summary: Developer Tools

| Tool | Purpose |
|---|---|
| CodeCommit | Git-based code repository |
| CodeBuild | Continuous integration (build/test) |
| CodeDeploy | Deployment automation |
| CodePipeline | CI/CD pipeline orchestration |
| Cloud9 | Cloud IDE for development |

🛠️ 9. Management & Governance in AWS
Manage, automate, audit, and govern your cloud environments efficiently.

🏗️ A. AWS CloudFormation
✅ What is CloudFormation?
Infrastructure as Code (IaC) service that helps you define and provision AWS infrastructure
using templates.

| Feature | Description |
|---|---|
| Format | YAML or JSON |
| Resource Support | EC2, S3, IAM, RDS, Lambda, etc. |
| Benefits | Version control, repeatability, rollback |
| Stack | A collection of resources managed together |

🧠 Sample YAML:
Resources:
  MyBucket:
    Type: AWS::S3::Bucket

📦 Features
● Nested stacks: Modular templates
● Drift detection: See if stack differs from template
● Change sets: Preview changes before applying

🧰 B. AWS Systems Manager
✅ What is Systems Manager?
A suite of tools for managing EC2 and hybrid environments from a single dashboard.

🧩 Key Features

| Tool | Purpose |
|---|---|
| Session Manager | Shell access to EC2 without SSH |
| Run Command | Execute scripts remotely |
| Parameter Store | Store config parameters (encrypted) |
| Automation | Script routine tasks (patching, backups) |
| OpsCenter | Centralized incident dashboard |
| Inventory | Track installed software and configs |

🧠 Great for secure, auditable operations at scale.

🛡️ Security
● Access via IAM
● Session logs to CloudWatch
● Role-based execution permissions

🛡️ C. AWS Trusted Advisor
✅ What is Trusted Advisor?
A real-time recommendations engine that helps you follow AWS best practices.

📋 Trusted Advisor Checks

| Category | Examples |
|---|---|
| Cost Optimization | Unused EC2 or ELBs |
| Security | Open security groups, MFA on root |
| Fault Tolerance | Enable AZ redundancy |
| Performance | Underutilized instances |
| Service Limits | EC2 instance limits per region |

🧠 Tiers

| Plan | Access |
|---|---|
| Basic | 7 core checks |
| Business/Enterprise | Full 50+ checks, automated alerts |

🧠 Use with AWS Organizations for centralized recommendations.

✅ Summary Table

| Tool | Description | Use Case |
|---|---|---|
| CloudFormation | Define infra via code | IaC, automation |
| Systems Manager | Manage and automate EC2, hybrid | Patching, config mgmt |
| Trusted Advisor | Provides AWS best practice checks | Cost, security, limits |

🤖 10. Machine Learning on AWS
AWS provides fully managed services to build, train, deploy, and scale ML models without
managing infrastructure.

📘 A. Amazon SageMaker
✅ What is SageMaker?
A fully managed machine learning platform to build, train, and deploy ML models.

| Capability | Features |
|---|---|
| Studio | Web-based IDE for ML |
| Notebooks | Jupyter-based, with persistent storage |
| Training | Managed infrastructure for model training |
| Inference | Real-time or batch predictions |
| Debugging | Built-in profiler, debugger |
| Pipelines | CI/CD for ML |

🧠 SageMaker Workflow
1. Prepare Data
   ○ From S3, Athena, or Redshift
2. Build Model
   ○ Use built-in algorithms or bring-your-own model (BYOM)
3. Train Model
   ○ With managed GPU/CPU instances
4. Deploy
   ○ Endpoint for predictions
5. Monitor
   ○ Model drift, bias, latency

📦 SageMaker Modules

| Module | Purpose |
|---|---|
| Ground Truth | Data labeling |
| Autopilot | AutoML (train & tune automatically) |
| Experiments | Track model runs |
| Model Monitor | Detect drift in production |
| Feature Store | Centralized repository of features |

🖼️ B. Amazon Rekognition
✅ What is Rekognition?
A computer vision service that can identify objects, people, text, activities, and inappropriate
content in images and videos.

| Feature | Description |
|---|---|
| Face Detection | Identify faces, attributes (age, gender) |
| Face Comparison | Verify match between two images |
| Label Detection | Objects, scenes, activities |
| Text in Image | OCR capabilities |
| Unsafe Content | Moderation APIs |

🧠 Used in security, user verification, and content moderation.


📖 C. Amazon Comprehend
✅ What is Comprehend?
A natural language processing (NLP) service to analyze and extract insights from text.

| Capability | Description |
|---|---|
| Entity Recognition | Extract names, places, orgs |
| Sentiment Analysis | Positive, Neutral, Negative |
| Key Phrases | Important words/phrases |
| Language Detection | Auto-detect text language |
| Custom Classifier | Train your own classifier |
| Topic Modeling | Discover topics from a corpus |

🧠 Use for chatbots, customer support, reviews, etc.

🗣️ D. Amazon Lex
✅ What is Lex?
A conversational AI service to build chatbots and virtual assistants using:
● Automatic Speech Recognition (ASR)
● Natural Language Understanding (NLU)

| Feature | Description |
|---|---|
| Multichannel | Use on web, FB Messenger, Slack |
| Voice + Text | Accept both modalities |
| Integrations | Connect to Lambda for backend logic |
| State Management | Context handling and dialog management |

🧠 Powers Amazon Alexa-like interactions.

🔊 E. Amazon Polly
✅ What is Polly?
A Text-to-Speech (TTS) service that turns text into lifelike speech using neural and standard
voices.

| Feature | Description |
|---|---|
| Neural TTS | Natural sounding voices |
| SSML Support | Speech Synthesis Markup Language |
| MP3 Output | Downloadable audio |
| Real-time or Batch | Instant or stored outputs |
| Voice Cloning (limited preview) | Custom voices from recordings |

🧠 Used in IVRs, audiobooks, and accessibility tools.

✅ Machine Learning Summary

| Service | Purpose |
|---|---|
| SageMaker | End-to-end ML platform |
| Rekognition | Image & video analysis |
| Comprehend | Text analytics (NLP) |
| Lex | Conversational chatbots |
| Polly | Text-to-Speech |

🔐 11. Security Services in AWS
Securing your cloud environment is a shared responsibility: AWS secures the infrastructure, you
secure your data and configurations.

🛡️ A. AWS WAF (Web Application Firewall)
✅ What is WAF?
Protects web apps from common web exploits (SQLi, XSS, etc.).

| Feature | Description |
|---|---|
| Rule Groups | Reusable rule sets |
| Rate-based Rules | Block IPs with too many requests |
| Integration | ALB, API Gateway, CloudFront |
| Custom Rules | Regex-based, Geo-blocking |

🧠 Define rules in Web ACLs (web access control lists).
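The rate-based rule row above, as an added model (not AWS WAF's engine) of how a per-client request-rate decision works: a sliding window per source IP, where the request that pushes a client past the limit within the window is blocked. The traffic, IPs, the limit of 10 and the 300-second window are constructed demo values and the function names are assumptions; the real service evaluates rates periodically rather than per request, so treat this as the concept, not the exact timing.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone


def _epoch(stamp):
    """ISO-8601 UTC timestamp -> Unix seconds."""
    return int(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def sample_requests():
    """Constructed traffic (not from the page) as (epoch, client_ip, path):
    one client hits /login twelve times in under a minute, another browses
    normally. Returned sorted by time, as a log shipper would deliver it."""
    base = _epoch("2025-06-06T10:00:00Z")
    burst = [(base + 5 * i, "198.51.100.7", "/login") for i in range(12)]
    normal = [(base + 20 * i, "203.0.113.5", "/") for i in range(3)]
    return sorted(burst + normal)


def rate_limit(requests, limit, window=300):
    """Sliding-window model of a WAF rate-based rule: a request is blocked
    when its client_ip has already reached `limit` requests in the trailing
    `window` seconds. Blocked requests still count toward the rate, so a
    client that keeps hammering stays blocked. Returns one
    (epoch, ip, path, action) per request, action being ALLOW or BLOCK."""
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    decisions = []
    for ts, ip, path in sorted(requests):
        seen = recent[ip]
        while seen and ts - seen[0] >= window:
            seen.popleft()               # expire requests older than the window
        seen.append(ts)
        action = "BLOCK" if len(seen) > limit else "ALLOW"
        decisions.append((ts, ip, path, action))
    return decisions


def blocked_by_ip(decisions):
    """Aggregate the decisions into {ip: blocked_count} for reporting."""
    counts = defaultdict(int)
    for _, ip, _, action in decisions:
        if action == "BLOCK":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    decisions = rate_limit(sample_requests(), limit=10)
    for ts, ip, path, action in decisions:
        print(ts, ip, path, action)
    print(blocked_by_ip(decisions))
```

The limit and window are the only two knobs a rate-based rule exposes; running the model over a day of real access logs is a cheap way to see how many legitimate clients a candidate limit would catch before it goes into a Web ACL.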

🛡️ B. AWS Shield
✅ What is Shield?
DDoS protection for applications running on AWS.

| Tier | Description |
|---|---|
| Standard | Always-on DDoS protection (free) |
| Advanced | 24x7 support, real-time metrics, cost protection |

🧠 Works with CloudFront, ALB, Route 53, and more.

🔍 C. Amazon Macie
✅ What is Macie?
A data discovery and classification tool focused on sensitive data in S3.

| Feature | Description |
|---|---|
| Scan S3 buckets | Find PII (emails, SSNs, credit cards) |
| Alerts | Trigger on sensitive data violations |
| Dashboards | Data exposure and risk summaries |

🧠 Useful for compliance (GDPR, HIPAA).
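The "Scan S3 buckets" row above, as an added example (not Macie's detectors) of the classification step: regexes for emails, US SSNs and card numbers, with a Luhn checksum so a random run of digits is not reported as a card. Object contents and keys are constructed inline instead of being read from a bucket, and the type labels are assumptions.

```python
import re

# Constructed object contents (not from the page), keyed by S3 object key.
# A real scan would read these from the bucket; here they are inline.
SAMPLE_OBJECTS = {
    "exports/customers.csv": (
        "id,email,ssn\n"
        "1,jane@example.com,123-45-6789\n"
        "2,bob@example.org,987-65-4321\n"
    ),
    "logs/app.log": "2025-06-06 ok request_id=abc123 latency_ms=42\n",
    "finance/cards.txt": (
        "card 4111 1111 1111 1111 expires 12/27\n"
        "card 1234 5678 9012 3456 invalid\n"
    ),
}

# Detectors: a regex plus an optional validator that cuts false positives.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, separators allowed


def luhn_ok(number):
    """Luhn checksum: real card numbers pass it, most random digit runs
    (such as the second sample line) do not."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


DETECTORS = {
    "EMAIL": (EMAIL_RE, None),
    "SSN": (SSN_RE, None),
    "CREDIT_CARD": (CARD_RE, luhn_ok),
}


def classify(text):
    """Count validated sensitive-data matches per type in one object."""
    counts = {}
    for label, (pattern, validator) in DETECTORS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if validator is not None:
            hits = [h for h in hits if validator(h)]
        if hits:
            counts[label] = len(hits)
    return counts


def scan_bucket(objects):
    """Return {key: {type: count}} for objects that contain sensitive data,
    leaving clean objects out, like the findings a classification job emits."""
    findings = {}
    for key, text in objects.items():
        found = classify(text)
        if found:
            findings[key] = found
    return findings


if __name__ == "__main__":
    for key, found in scan_bucket(SAMPLE_OBJECTS).items():
        print(key, found)
```

Note that the report carries counts and object keys, not the matched values themselves: a findings store that copies the SSNs it found becomes one more place that needs the same protection as the bucket.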

🕵️ D. Amazon GuardDuty
✅ What is GuardDuty?
A threat detection service that uses machine learning and threat intel to identify suspicious
activity.

| Source | Description |
|---|---|
| VPC Flow Logs | Network behavior |
| CloudTrail Logs | API usage anomalies |
| DNS Logs | Malicious domain lookups |

🧠 Finds compromised credentials, unusual access, and crypto mining.

🔐 E. AWS KMS (Key Management Service)
✅ What is KMS?
A service to create, manage, and control cryptographic keys used to encrypt your data.

| Key Type | Use |
|---|---|
| CMK (Customer Master Key) | Default encryption key |
| AWS-managed | Default key for S3, RDS, etc. |
| Customer-managed | Full control + rotation |
| Asymmetric Keys | Sign/verify, encrypt/decrypt (RSA/ECC) |

🧠 Works with S3, EBS, Lambda, Secrets Manager, etc.

🧩 Security Services Summary

| Service | Function |
|---|---|
| WAF | App-layer firewall (SQLi, XSS) |
| Shield | DDoS protection |
| Macie | Sensitive data discovery |
| GuardDuty | Intelligent threat detection |
| KMS | Key encryption and management |

💸 12. Cost Management in AWS
Managing and optimizing cost is essential in AWS. AWS provides tools to track, analyze, and
control your spending.

📊 A. AWS Budgets
✅ What is AWS Budgets?
A service to set custom cost and usage budgets and get alerted when thresholds are
exceeded.

| Feature | Description |
|---|---|
| Budget Types | Cost, Usage, Reservation, Savings Plans |
| Notifications | Email or SNS when thresholds are crossed |
| Granularity | Daily, Monthly, Quarterly |
| Scope | Filter by service, linked account, region, tag, etc. |

📌 Example Use Cases:
● Set a $200 monthly EC2 budget → get alerts at 80%, 100%
● Alert if S3 usage crosses 2 TB
● Notify when Reserved Instances aren't used fully

🧠 IAM permissions are required to create/view budgets.

📈 B. AWS Cost Explorer
✅ What is Cost Explorer?
An interactive tool to visualize, filter, and analyze AWS costs and usage over time.

| Feature | Description |
|---|---|
| Graphs | Daily, monthly cost/usage |
| Filtering | By service, region, account, tags |
| Forecasting | Predicts future spending based on history |
| Reports | Save and share custom views |

🧠 Ideal for trend analysis and identifying expensive resources.

📉 C. AWS Pricing Calculator
✅ What is Pricing Calculator?
A web-based tool to estimate AWS service costs before usage.

| Feature | Description |
|---|---|
| Service-by-service selection | EC2, S3, RDS, Lambda, etc. |
| Configurable inputs | Region, usage hours, instance type, storage |
| Shareable estimates | Download as CSV or share URL |
| Cost breakdown | Per resource or per service |

🧠 Helps in capacity planning, PoC cost estimation, and TCO analysis.

✅ Summary of Cost Tools

| Tool | Purpose |
|---|---|
| Budgets | Set alerts for cost/usage |
| Cost Explorer | Visualize and analyze costs |
| Pricing Calculator | Estimate pricing pre-deployment |

🖥️ 13. AWS CLI & SDK (boto3)
Interacting with AWS programmatically is essential for automation and scripting.

💻 A. AWS CLI (Command Line Interface)
✅ What is AWS CLI?
A unified tool to manage AWS services from the terminal.

| Install | pip install awscli or system package |
| Configure | aws configure |
| Auth | Uses Access Key ID & Secret Access Key |

aws configure
# prompts for: access key, secret key, region, output format

🧠 Common AWS CLI Commands

| Task | Command |
|---|---|
| List S3 Buckets | aws s3 ls |
| Upload file to S3 | aws s3 cp file.txt s3://mybucket/ |
| Launch EC2 | aws ec2 run-instances --image-id ami-123 --instance-type t2.micro ... |
| Describe Instances | aws ec2 describe-instances |
| Start/Stop EC2 | aws ec2 start-instances --instance-ids i-0123... |
| Invoke Lambda | aws lambda invoke --function-name myFunc out.json |

🔐 Profiles in CLI
Use named profiles for multiple accounts:

aws configure --profile dev
aws s3 ls --profile dev

🐍 B. boto3 (AWS SDK for Python)
✅ What is boto3?
Python SDK to programmatically interact with AWS services.

| Install | pip install boto3 |
| Auth | Uses ~/.aws/credentials or IAM role |

🔧 Boto3 Basic Workflow
1. Import and Session
import boto3

session = boto3.Session(profile_name='default')

2. Create Resource or Client
s3 = session.resource('s3')
ec2 = session.client('ec2')

3. Perform Actions
# List all S3 buckets
for bucket in s3.buckets.all():
    print(bucket.name)

# Start an EC2 instance
ec2.start_instances(InstanceIds=['i-0123'])

🧠 Useful boto3 Examples

| Task | Code |
|---|---|
| Upload to S3 | s3.Bucket('mybucket').upload_file('local.txt', 'remote.txt') |
| Describe EC2 | ec2.describe_instances() |
| Invoke Lambda | lambda_client.invoke(FunctionName='myFunc', Payload=b'{}') |

✅ boto3 vs CLI

| Feature | CLI | boto3 |
|---|---|---|
| Language | Shell/Terminal | Python |
| Use Case | Quick ops | Scripting & automation |
| Auth | Access keys/profile | Access keys, IAM role |
| Output | JSON/table/text | Python objects/dicts |

🧠 Security Tips
● Always rotate IAM keys
● Prefer IAM roles (for EC2, Lambda)
● Use Parameter Store or environment variables for secrets
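The first tip above, as an added example that is not part of the original cheatsheet: an access-key audit that flags Active keys older than a rotation window and Inactive keys that should be deleted. The per-user key list is constructed, shaped like the AccessKeyMetadata that boto3's iam.list_access_keys(UserName=...) returns (gathered per user from iam.list_users()); the key ids and the fixed NOW are placeholders.

```python
from datetime import datetime, timezone

# Constructed data (not from the page), shaped like the AccessKeyMetadata
# list that boto3's iam.list_access_keys(UserName=...) returns, collected
# for every user from iam.list_users(). Key ids are placeholders.
SAMPLE_KEYS = {
    "utkrist": [
        {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
         "CreateDate": datetime(2025, 1, 10, tzinfo=timezone.utc)},
    ],
    "alice": [
        {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
         "CreateDate": datetime(2025, 5, 20, tzinfo=timezone.utc)},
        {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
         "CreateDate": datetime(2024, 11, 1, tzinfo=timezone.utc)},
    ],
    "ci-bot": [],   # a user with no long-lived keys (uses a role instead)
}

# Fixed reference time so the demo is deterministic; a real audit would use
# datetime.now(timezone.utc).
NOW = datetime(2025, 6, 6, tzinfo=timezone.utc)


def key_age_days(key, now=NOW):
    """Whole days since the key was created."""
    return (now - key["CreateDate"]).days


def stale_active_keys(keys_by_user, max_age_days=90, now=NOW):
    """Active keys older than `max_age_days`: the rotation candidates.
    Returns [(user, key_id, age_days)] sorted oldest first."""
    stale = []
    for user, keys in keys_by_user.items():
        for key in keys:
            age = key_age_days(key, now)
            if key["Status"] == "Active" and age > max_age_days:
                stale.append((user, key["AccessKeyId"], age))
    return sorted(stale, key=lambda item: -item[2])


def inactive_keys(keys_by_user):
    """Inactive keys are already unused; deleting them closes the window in
    which a leaked copy could be re-enabled. Returns [(user, key_id)]."""
    return [(user, key["AccessKeyId"])
            for user, keys in keys_by_user.items()
            for key in keys if key["Status"] == "Inactive"]


def rotation_report(keys_by_user, max_age_days=90, now=NOW):
    """One summary dict a scheduled job could post to SNS or a ticket."""
    return {
        "stale_active": stale_active_keys(keys_by_user, max_age_days, now),
        "inactive_to_delete": inactive_keys(keys_by_user),
        "users_without_keys": sorted(u for u, k in keys_by_user.items() if not k),
    }


if __name__ == "__main__":
    for section, rows in rotation_report(SAMPLE_KEYS).items():
        print(section, rows)
```

Running this from a Lambda on a schedule, under a role that holds only iam:ListUsers and iam:ListAccessKeys, is itself an instance of the second tip: the auditor needs no long-lived key of its own.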

✅ Summary

| Tool | Function |
|---|---|
| AWS CLI | Terminal access to AWS |
| boto3 | Python-based AWS automation |
| Budgets | Set limits and alerts |
| Cost Explorer | Visual breakdown of cost |
| Pricing Calculator | Pre-deployment cost planning |

🏛️ 14. Architecture & Best Practices in AWS
Designing cloud solutions the AWS way means focusing on security, performance,
cost-efficiency, and resilience.

🌐 A. AWS Well-Architected Framework (WAF)
✅ What is It?
A set of principles and best practices designed to help cloud architects build secure,
high-performing, resilient, and efficient infrastructure.
Originally introduced by AWS, the Well-Architected Framework is structured around 6 pillars:

📚 1. Operational Excellence
Run and monitor systems to deliver business value and continually improve
processes.

Key Concepts:
● Infrastructure as Code (IaC)
● Regular game days / failure simulations
● Automate deployments and rollback
● Enable metrics, alarms, and dashboards

🔐 2. Security
Protect data, systems, and assets using a layered approach.

Best Practices:
● Use IAM with least privilege
● Enable MFA and logging (CloudTrail, Config)
● Encrypt at rest (KMS) and in transit (SSL/TLS)
● Automate security audits

⚙️ 3. Reliability
Recover from failures and meet customer demands.

Techniques:
● Design for failure (multi-AZ, multi-region)
● Use health checks & failovers (Route 53, ELB)
● Monitor and auto-replace unhealthy components
● Backup and disaster recovery (S3, Glacier)

🚀 4. Performance Efficiency
Use IT and computing resources efficiently.

How:
● Choose the right instance type and size
● Use Auto Scaling and Lambda for elasticity
● Optimize storage tiers (S3 → Glacier)
● Use caching (CloudFront, ElastiCache)

💰 5. Cost Optimization
Avoid unnecessary costs and pay only for what you use.

Strategies:
● Use Reserved Instances/Savings Plans
● Schedule instances to shut down
● Monitor unused EBS volumes & snapshots
● Use Cost Explorer and Budgets

🌿 6. Sustainability (Added in 2021)
Minimize environmental impact.

Tactics:
● Use managed services over self-managed
● Optimize compute for load
● Consolidate workloads
● Use carbon-aware regions

🏗️ B. AWS Reference Architectures
AWS provides pre-built architecture diagrams and blueprints for common workloads.

📄 Common Reference Architectures

| Use Case | Description |
|---|---|
| Web App Hosting | ALB → EC2/Auto Scaling → RDS + S3 + CloudFront |
| Serverless Backend | API Gateway → Lambda → DynamoDB/S3 |
| Big Data | Kinesis → EMR → S3/Redshift |
| IoT Analytics | IoT Core → Lambda → Timestream/S3 |
| Machine Learning | SageMaker → S3 → Lambda for inference |
| Hybrid Cloud | On-prem → AWS via Direct Connect/VPN |
| Multi-tier App | Frontend (S3/CloudFront) → ALB → EC2 → RDS |
| Media Streaming | MediaConvert → S3 → CloudFront CDN |
| Disaster Recovery (DR) | Active-Passive setup using Route 53 & S3 backups |

📌 Architectural Patterns

| Pattern | Use |
|---|---|
| Decoupling | Use SQS/SNS to isolate services |
| Microservices | ECS/EKS with API Gateway |
| Event-Driven | Lambda, EventBridge, SNS |
| CQRS | Separate read/write services |
| Edge Optimization | CloudFront, Lambda@Edge |


📐 Sample Architecture: Serverless Image Upload App
Client → API Gateway → Lambda (Python)
                         ↳ S3 (Image Storage)
                         ↳ DynamoDB (Metadata)
                         ↳ SNS (Email Notification)

✅ Highly scalable, no server management, pay-per-use.

🔁 Multi-AZ Web App Architecture
Route 53 (DNS)
ALB (Elastic Load Balancer)
    ↓           ↓
EC2-AZ1      EC2-AZ2 (Auto Scaling)
    ↓           ↓
RDS (Multi-AZ)
S3 (Static Assets)
CloudWatch (Monitoring)

✅ Best Practices Summary

| Area | Best Practice |
|---|---|
| Design | Use Well-Architected Framework |
| Security | IAM least privilege, MFA, logging |
| Performance | Auto Scaling, caching, right-sizing |
| Resilience | Multi-AZ, backups, monitoring |
| Cost | Use free tier, budget alerts, reserved pricing |
| Tools | AWS Trusted Advisor, Config, CloudWatch |

🔧 Tools to Help

| Tool | Purpose |
|---|---|
| Well-Architected Tool | Evaluate workloads against WAF |
| Trusted Advisor | Best practice checks (cost, security, fault tolerance) |
| Architecture Center | Hundreds of reference diagrams & sample code |

🧠 Pro Tips
● Always use multiple Availability Zones for high availability.
● Favor stateless services for easier scaling.
● Use tagging across resources for cost, security, and management.
● For compliance-heavy apps, use Control Tower, Organizations, and Service Control
Policies (SCPs).

📦 Wrapping Up

| Domain | Purpose |
|---|---|
| Well-Architected Framework | Guidelines to build efficient, secure systems |
| Reference Architectures | Ready-to-use blueprints for real-world use cases |
