
☁️ AWS Cloud Services Guide

Amazon Web Services (AWS) is Maxi's Computers' primary cloud provider. This guide covers the core services used across our infrastructure, from compute and storage to managed databases, serverless, and observability.

IAM & Security

Identity and Access Management (IAM) is the foundation of AWS security. Always follow the principle of least privilege: grant only the permissions required for the specific task, scoped to the specific resources that task touches and narrowed further with conditions where they apply, as the policy below does for read-only access to one bucket from one region.

🚫 Never use the root account: The AWS root account must never be used for day-to-day operations. Enable MFA on it immediately, lock away its credentials, and use IAM roles (ideally short-lived credentials via IAM Identity Center) for all human and workload access; avoid long-lived IAM user access keys wherever a role can do the job.

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ReadOnlyForApp",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mc-assets-prod",
        "arn:aws:s3:::mc-assets-prod/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
bash
# AWS CLI - common IAM commands
aws sts get-caller-identity                         # Who am I? (an STS call, not IAM)
aws iam list-users --output table                   # List all IAM users
aws iam list-attached-role-policies --role-name app-role  # View role policies

# Test permissions without making the real call (evaluates the role's attached policies)
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::123456789:role/app-role \
  --action-names s3:GetObject \
  --resource-arns "arn:aws:s3:::mc-assets-prod/*"
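The CLI commands above tell you what a principal can do; a policy review asks the opposite question, whether a grant is broader than least privilege allows. The linter below is an added example written for this guide (not MC tooling or an AWS API): it walks the Allow statements of a policy document and flags wildcard actions, wildcard resources, NotAction/NotResource grants, and privilege-granting actions that are not resource-scoped. The two policies embedded at the bottom are constructed for the example; PAGE_POLICY mirrors the S3ReadOnlyForApp policy above, SLOPPY_POLICY is a deliberately broad counter-example, and the list of sensitive actions is a starting point, not an exhaustive one.

```python
"""Least-privilege linter for IAM policy documents (added example, not MC tooling)."""
import fnmatch
import json

# Actions that grant or escalate privilege; an Allow on these with Resource "*" is a finding.
# Constructed starting list for the example, not an authoritative catalogue.
SENSITIVE_ACTIONS = (
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "sts:AssumeRole", "s3:PutBucketPolicy", "lambda:UpdateFunctionCode",
)


def _as_list(value):
    """Action/Resource may be a string or a list in IAM JSON; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_sensitive(action):
    """True if a policy action (possibly a wildcard such as iam:*) matches a sensitive action."""
    return any(fnmatch.fnmatchcase(sens, action) for sens in SENSITIVE_ACTIONS)


def lint_policy(policy):
    """Return (Sid, finding) tuples for every Allow statement broader than least privilege needs."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource in an Allow grants everything except the listed items"))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API call"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard action {action}"))
        if "*" in resources:
            findings.append((sid, "Resource '*' applies the grant to every resource in the account"))
            for action in actions:
                if action != "*" and _covers_sensitive(action):
                    findings.append((sid, f"privilege-granting action {action} is not resource-scoped"))
    return findings


def lint_policy_json(text):
    """Wrapper for a document fetched with `aws iam get-policy-version --query PolicyVersion.Document`."""
    return lint_policy(json.loads(text))


# Constructed inline for the example: the page's own policy (clean) and a sloppy one.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3ReadOnlyForApp",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::mc-assets-prod", "arn:aws:s3:::mc-assets-prod/*"],
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}
SLOPPY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevConvenience", "Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "DenyBucketDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("PAGE_POLICY", PAGE_POLICY), ("SLOPPY_POLICY", SLOPPY_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

SLOPPY_POLICY produces four findings on the DevConvenience statement (the `s3:*` wildcard, the `*` resource, and both actions being unscoped while the resource is `*`); the Deny statement is ignored because it can only remove access. Run it against every customer-managed policy in an account by feeding in the output of `aws iam get-policy-version`.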

Compute (EC2)

bash
# EC2 instance management
aws ec2 describe-instances \
  --filters "Name=tag:Environment,Values=production" \
  --query "Reservations[*].Instances[*].[InstanceId,InstanceType,State.Name,PublicIpAddress]" \
  --output table

# Launch an instance with user data
aws ec2 run-instances \
  --image-id ami-0c55b159cbfafe1f0 \
  --instance-type m6i.xlarge \
  --key-name mc-prod-key \
  --security-group-ids sg-0123456789abcdef0 \
  --subnet-id subnet-0123456789abcdef0 \
  --iam-instance-profile Name=app-instance-profile \
  --user-data file://user-data.sh \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Environment,Value=production},{Key=ManagedBy,Value=terraform}]'

# Systems Manager Session Manager (no SSH keys needed)
aws ssm start-session --target i-0123456789abcdef0

Storage (S3)

bash
# S3 operations
aws s3 ls s3://mc-assets-prod/ --recursive --human-readable
aws s3 cp dist/ s3://mc-assets-prod/ --recursive --cache-control "max-age=31536000"
# --delete removes anything under the destination prefix that is not in dist/; try --dryrun first
aws s3 sync dist/ s3://mc-assets-prod/ --delete --exclude ".git/*"

# Presigned URL (temporary access - 1 hour). Anyone holding the URL can fetch the object
# until it expires, and the URL stops working early if the signing credentials (for
# example an assumed-role session) expire before --expires-in does.
aws s3 presign s3://mc-assets-prod/private/report.pdf --expires-in 3600

# Enable versioning on bucket
aws s3api put-bucket-versioning \
  --bucket mc-assets-prod \
  --versioning-configuration Status=Enabled

# Lifecycle rule - transition to Glacier after 90 days
aws s3api put-bucket-lifecycle-configuration \
  --bucket mc-logs-prod \
  --lifecycle-configuration file://lifecycle.json
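`aws s3 presign` hides what the URL actually is: a GET request whose query string carries the caller's access key ID, the issue time, the lifetime, and a SigV4 signature over all of it. The code below is an added example written for this guide, not AWS or MC code; it builds a presigned URL the same way the CLI does (SigV4 query-string signing, UNSIGNED-PAYLOAD, only the `host` header signed) and verifies one the way S3 does, so two security properties become visible: the URL is a bearer credential, and the expiry is covered by the signature, so it cannot be extended after the fact. The access key and secret are constructed placeholders, the bucket and key are the page's, and the host uses the virtual-hosted regional endpoint; `now` is an injectable epoch timestamp so results are reproducible.

```python
"""SigV4 query-string presigning for an S3 GET, with a verifier (added example, not AWS code)."""
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlencode, urlparse

MAX_EXPIRES = 7 * 24 * 3600  # AWS caps SigV4 presigned URLs at seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    """Derive the per-day, per-region, per-service key from the long-term secret."""
    key = _hmac(("AWS4" + secret).encode(), date)
    key = _hmac(key, region)
    key = _hmac(key, "s3")
    return _hmac(key, "aws4_request")


def _signature(secret: str, host: str, path: str, params: dict, region: str) -> str:
    """SigV4 signature over the canonical GET request (params must not include X-Amz-Signature)."""
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", quote(path, safe="/-_.~"), query,
        f"host:{host}\n",      # canonical headers, each line terminated by \n
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # presigned URLs never commit to a body hash
    ])
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, *, region="us-east-1", expires=3600, now=None):
    """Build a presigned GET URL; `now` is epoch seconds (UTC) and defaults to the current time."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    now = int(time.time()) if now is None else now
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    host = f"{bucket}.s3.{region}.amazonaws.com"   # virtual-hosted-style regional endpoint
    path = "/" + key
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(secret, host, path, params, region)
    return f"https://{host}{path}?{urlencode(params)}"


def verify_presigned(url, secret, *, now=None):
    """Check a URL the way S3 would: expiry first, then a constant-time signature compare."""
    parsed = urlparse(url)
    params = dict(parse_qsl(parsed.query))
    presented = params.pop("X-Amz-Signature", "")
    issued = calendar.timegm(time.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ"))
    now = int(time.time()) if now is None else now
    if now > issued + int(params["X-Amz-Expires"]):
        return False, "expired"
    region = params["X-Amz-Credential"].split("/")[2]
    expected = _signature(secret, parsed.hostname, parsed.path, params, region)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"  # any edited parameter, e.g. a longer X-Amz-Expires, lands here
    return True, "ok"


if __name__ == "__main__":
    # Constructed placeholder credentials; the bucket and key are the ones used in this guide.
    url = presign_get("mc-assets-prod", "private/report.pdf", "AKIAEXAMPLE0000000", "constructed-secret")
    print(url)
    print(verify_presigned(url, "constructed-secret"))
```

Two things to carry back to the CLI: the seven-day cap is enforced by S3, not the client, so a larger `--expires-in` is simply rejected; and because the signing key is derived from the caller's secret, a URL signed with temporary credentials is only as durable as that session, which is why presigning from an assumed role for "24 hours" often yields a URL that dies within the hour.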

Networking & VPC

A production VPC at Maxi's Computers follows a multi-AZ architecture with public, private, and data subnets, a NAT Gateway per AZ, and a Transit Gateway for multi-account connectivity.

  • Public subnets - ALBs, NAT Gateways, bastion hosts. Has a route to the Internet Gateway.
  • Private subnets - Application servers, EKS worker nodes. Egress via NAT Gateway only.
  • Data subnets - RDS instances, ElastiCache. No internet route whatsoever.
  • Security Groups - Stateful firewalls at the instance (ENI) level. Inbound is deny-by-default, but the default outbound rule allows all traffic, so restrict egress explicitly. Never open admin ports (22, 3389) to 0.0.0.0/0; prefer Session Manager over bastion SSH.
  • NACLs - Stateless subnet-level controls; every rule needs a matching return-traffic rule. Use as an additional defense layer, not as the primary control.
  • VPC Flow Logs - Enable on all VPCs and ship to CloudWatch or S3 for security auditing (rejected connection attempts, unexpected egress, lateral movement between subnets).
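What "security auditing" of flow logs looks like in practice, as an added example written for this guide rather than MC tooling: the script parses the default (version 2) flow-log record format and answers the two questions a review asks first, which external sources are probing admin ports and being rejected, and whether any admin-port connection from a public address was actually ACCEPTED, which means a security group allows it. The log lines are constructed sample records; the account ID and ENI are placeholders, and the internal-address list is RFC 1918 plus loopback and link-local.

```python
"""Triage VPC Flow Logs for admin-port exposure (added example, not MC tooling)."""
import ipaddress
from collections import Counter

# Default flow-log format, version 2, fields in record order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
ADMIN_PORTS = {22, 3389}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records (placeholder account and ENI); TEST-NET addresses stand in for the internet.
SAMPLE_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51234 22 6 3 180 1716213600 1716213660 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51235 22 6 3 180 1716213661 1716213720 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 44000 3389 6 2 120 1716213600 1716213660 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 44001 22 6 12 2400 1716213700 1716213760 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.15 10.0.1.20 55000 22 6 20 4000 1716213700 1716213760 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.2.30 60000 5432 6 40 12000 1716213700 1716213760 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1716213700 1716213760 - NODATA
""".splitlines()


def parse_flow_log(lines):
    """Turn raw records into dicts with numeric fields; NODATA/SKIPDATA rows carry no traffic and are dropped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom-format or truncated line; not the default record layout
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def is_public(addr):
    """Anything outside RFC 1918, loopback and link-local is treated as internet-facing."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(records, scan_threshold=2):
    """Summarise admin-port activity from public sources: rejects per source, likely scanners, accepted exposures."""
    rejected = Counter()
    accepted = []
    for rec in records:
        if rec["dstport"] not in ADMIN_PORTS or not is_public(rec["srcaddr"]):
            continue
        if rec["action"] == "REJECT":
            rejected[rec["srcaddr"]] += 1
        elif rec["action"] == "ACCEPT":
            accepted.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return {
        "rejected_admin_by_src": rejected,
        "probable_scanners": sorted(src for src, n in rejected.items() if n >= scan_threshold),
        "accepted_admin_from_internet": accepted,  # each entry is a security group rule to go and find
    }


if __name__ == "__main__":
    report = analyze(parse_flow_log(SAMPLE_LINES))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the two REJECT rows from 203.0.113.5 make it a probable scanner, while the single ACCEPT from 198.51.100.7 to port 22 is the finding that matters: the rejects prove the security group is doing its job, the accept proves somewhere it is not. Feed real data in by piping the `message` field of `aws logs filter-log-events` output, or the S3-delivered log files, line by line into `parse_flow_log`.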

Databases (RDS)

bash
# RDS snapshot and restore
aws rds create-db-snapshot \
  --db-instance-identifier mc-prod-postgres \
  --db-snapshot-identifier mc-prod-postgres-$(date +%Y%m%d)

# List snapshots
aws rds describe-db-snapshots \
  --db-instance-identifier mc-prod-postgres \
  --query "DBSnapshots[*].[DBSnapshotIdentifier,SnapshotCreateTime,Status]" \
  --output table

# Restore to point-in-time
aws rds restore-db-instance-to-point-in-time \
  --source-db-instance-identifier mc-prod-postgres \
  --target-db-instance-identifier mc-prod-postgres-restore \
  --restore-time 2025-05-20T14:00:00Z

Serverless (Lambda)

bash
# Deploy Lambda from container image (pin an immutable @sha256 digest rather than a
# mutable tag where the pipeline can supply one)
aws lambda update-function-code \
  --function-name mc-image-processor \
  --image-uri 123456789.dkr.ecr.us-east-1.amazonaws.com/lambda-functions:2.1.0

# Invoke and capture response. CLI v2 treats --payload as base64 unless told otherwise,
# and LogResult must come back as raw text (not a JSON-quoted string) for base64 to decode it.
aws lambda invoke \
  --function-name mc-image-processor \
  --cli-binary-format raw-in-base64-out \
  --payload '{"bucket":"mc-uploads","key":"image.jpg"}' \
  --log-type Tail \
  --query "LogResult" \
  --output text \
  response.json | base64 -d

# Configure reserved concurrency
aws lambda put-function-concurrency \
  --function-name mc-image-processor \
  --reserved-concurrent-executions 50

Containers (EKS / ECS)

bash
# EKS - update kubeconfig
aws eks update-kubeconfig \
  --region us-east-1 \
  --name mc-prod-eks \
  --alias mc-prod

# ECR - authenticate and push image (the login token is valid for 12 hours)
aws ecr get-login-password --region us-east-1 \
  | docker login --username AWS \
    --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

docker build -t mc-api:2.1.0 .
docker tag mc-api:2.1.0 123456789.dkr.ecr.us-east-1.amazonaws.com/mc-api:2.1.0
docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/mc-api:2.1.0

# Scan ECR image for vulnerabilities (basic scanning; read the findings afterwards with
# `aws ecr describe-image-scan-findings --repository-name mc-api --image-id imageTag=2.1.0`)
aws ecr start-image-scan \
  --repository-name mc-api \
  --image-id imageTag=2.1.0

Monitoring & Observability

bash
# CloudWatch - query logs with Insights. start-query returns a queryId; collect the rows
# with `aws logs get-query-results --query-id <queryId>` once the status is Complete.
aws logs start-query \
  --log-group-name /aws/eks/mc-prod/application \
  --start-time $(date -d '1 hour ago' +%s) \
  --end-time $(date +%s) \
  --query-string 'fields @timestamp, @message
    | filter level = "ERROR"
    | stats count(*) as errors by bin(5m)
    | sort errors desc'

# CloudWatch metrics alarm on target 5xx responses behind the ALB. "5XXError" is an API
# Gateway metric; the ALB equivalent is HTTPCode_Target_5XX_Count, and ELB metrics are
# emitted per load balancer, so the LoadBalancer dimension is required for the alarm to
# see any data (replace <name>/<id> with the ALB's own values).
aws cloudwatch put-metric-alarm \
  --alarm-name "mc-api-error-rate-high" \
  --metric-name "HTTPCode_Target_5XX_Count" \
  --namespace "AWS/ApplicationELB" \
  --dimensions Name=LoadBalancer,Value=app/<name>/<id> \
  --threshold 10 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2 \
  --period 60 \
  --statistic Sum \
  --alarm-actions arn:aws:sns:us-east-1:123456789:mc-alerts

Cost Optimization

  • Reserved Instances / Savings Plans - Commit to 1- or 3-year terms for stable workloads. Save up to 72% vs. On-Demand.
  • Spot Instances - Use for fault-tolerant batch jobs and CI workers. Up to 90% discount, but capacity can be reclaimed with two minutes' notice.
  • Auto Scaling - Scale in during off-hours. Schedule scale-down for dev/staging environments overnight.
  • S3 Intelligent-Tiering - Automatically moves infrequently accessed objects to cheaper storage classes.
  • AWS Cost Anomaly Detection - Receive alerts when unexpected spend occurs; a sudden spend spike is also an early signal of compromised credentials.
  • AWS Compute Optimizer - Review right-sizing recommendations monthly for EC2, RDS, and Lambda.
  • Delete unattached EBS volumes - Orphaned volumes are a common source of wasted spend.