AWS Services Guide 2026: EC2, S3, RDS, Lambda, ECS/EKS, CloudFront, IAM, VPC & Cost Optimization
Complete guide to core AWS services: compute (EC2, Lambda, ECS/EKS), storage (S3), databases (RDS, DynamoDB), networking (VPC, Route 53, CloudFront), security (IAM), messaging (SQS/SNS), monitoring (CloudWatch), and proven cost optimization strategies.
- EC2 provides elastic compute; Spot Instances save up to 90% cost
- S3 delivers 99.999999999% (11 nines) durability for data at any scale
- RDS for relational data, DynamoDB for single-ms latency key-value/document workloads
- Lambda charges per invocation; ECS/EKS for containerized microservices
- VPC + Security Groups + IAM build defense-in-depth security
- CloudFront + Route 53 deliver global sub-100ms response times
- SQS/SNS decouple microservices; CloudWatch provides full-stack observability
- Reserved Instances + Savings Plans + Auto Scaling cut 40-60% off your bill
- Choosing the right instance type and pricing model is the biggest cost lever
- Design everything for multi-AZ high availability from day one
- IAM least privilege is the security foundation — use roles, not access keys
- Serverless (Lambda + DynamoDB + API Gateway) reduces ops overhead to near zero
- Infrastructure as Code (CloudFormation / CDK / Terraform) is a production requirement
- AWS Well-Architected Framework five pillars guide every architecture decision
1. AWS Services Landscape
Amazon Web Services (AWS) is the world's largest cloud platform, offering over 200 services spanning compute, storage, databases, networking, security, analytics, machine learning, and more. Understanding core services and how they compose together is the foundation for building reliable, scalable cloud architectures.
| Category | Core Services | Typical Use Case |
|---|---|---|
| Compute | EC2, Lambda, ECS, EKS | Web servers, APIs, batch jobs, microservices |
| Storage | S3, EBS, EFS, Glacier | Object storage, block storage, file systems, archival |
| Database | RDS, DynamoDB, ElastiCache, Aurora | Relational, NoSQL, caching, high-perf OLTP |
| Networking | VPC, Route 53, CloudFront, ELB | Virtual networks, DNS, CDN, load balancing |
| Security | IAM, KMS, WAF, Shield | Identity, encryption, web firewall, DDoS protection |
| Messaging | SQS, SNS, EventBridge, Step Functions | Message queues, pub/sub, event-driven, workflows |
| Monitoring | CloudWatch, X-Ray, CloudTrail | Metrics, logs, tracing, audit trails |
2. EC2: The Foundation of Elastic Compute
Amazon EC2 (Elastic Compute Cloud) provides on-demand, resizable compute capacity. From a single development server to thousands of HPC nodes, EC2 scales to meet any demand. Understanding instance types, pricing models, and auto-scaling is the key to controlling costs and guaranteeing performance.
Instance Type Selection
| Family | Optimized For | Example | Use Case |
|---|---|---|---|
| T3 / T4g | Burstable | t3.medium | Dev/test, light web servers |
| M6i / M7g | General Purpose | m6i.xlarge | App servers, mid-size databases |
| C6i / C7g | Compute Optimized | c6i.2xlarge | Batch processing, modeling, encoding |
| R6i / R7g | Memory Optimized | r6i.4xlarge | In-memory DB, real-time big data |
| P4d / G5 | Accelerated (GPU) | p4d.24xlarge | ML training, graphics, HPC |
EC2 Pricing Models Compared
| Model | Discount | Commitment | Best For |
|---|---|---|---|
| On-Demand | 0% | None | Unpredictable, short-term workloads |
| Reserved (RI) | Up to 72% | 1 or 3 year | Steady-state baseline workloads |
| Spot | Up to 90% | None (interruptible) | Fault-tolerant batch, CI/CD, big data |
| Savings Plans | Up to 72% | 1 or 3 year $/hr commitment | Flexible across instance types/regions |
Auto Scaling Configuration Example
# EC2 Auto Scaling Group — CloudFormation snippet
AutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
LaunchTemplate:
LaunchTemplateId: !Ref MyLaunchTemplate
Version: !GetAtt MyLaunchTemplate.LatestVersionNumber
MinSize: 2
MaxSize: 10
DesiredCapacity: 2
VPCZoneIdentifier:
- !Ref PrivateSubnet1
- !Ref PrivateSubnet2
TargetGroupARNs:
- !Ref MyTargetGroup
HealthCheckType: ELB
HealthCheckGracePeriod: 300
ScalingPolicy:
Type: AWS::AutoScaling::ScalingPolicy
Properties:
AutoScalingGroupName: !Ref AutoScalingGroup
PolicyType: TargetTrackingScaling
TargetTrackingConfiguration:
PredefinedMetricSpecification:
PredefinedMetricType: ASGAverageCPUUtilization
TargetValue: 60.03. S3: Infinitely Scalable Object Storage
Amazon S3 (Simple Storage Service) delivers industry-leading durability (99.999999999%), availability, and security. S3 buckets store any number of objects from bytes to 5TB, widely used for static website hosting, data lakes, backups, and media distribution.
S3 Storage Classes & Cost
| Storage Class | Latency | Min Duration | Use Case |
|---|---|---|---|
| S3 Standard | Milliseconds | None | Frequently accessed data |
| S3 Intelligent-Tiering | Milliseconds | None | Unknown/changing access patterns |
| S3 Standard-IA | Milliseconds | 30 days | Infrequent but rapid access needed |
| S3 Glacier Instant | Milliseconds | 90 days | Quarterly access archives |
| S3 Glacier Deep Archive | 12-48h | 180 days | Compliance long-term archival |
S3 Lifecycle Policy Example
# AWS CLI — S3 lifecycle configuration
aws s3api put-bucket-lifecycle-configuration \
--bucket my-data-lake \
--lifecycle-configuration '{
"Rules": [
{
"ID": "ArchiveOldLogs",
"Status": "Enabled",
"Filter": { "Prefix": "logs/" },
"Transitions": [
{ "Days": 30, "StorageClass": "STANDARD_IA" },
{ "Days": 90, "StorageClass": "GLACIER" },
{ "Days": 365, "StorageClass": "DEEP_ARCHIVE" }
],
"Expiration": { "Days": 2555 }
}
]
}'4. RDS vs DynamoDB: Relational vs NoSQL
Database selection is one of the most critical architecture decisions. AWS offers fully managed relational databases (RDS/Aurora) and NoSQL databases (DynamoDB), each with distinct strengths.
RDS / Aurora Overview
Amazon RDS supports MySQL, PostgreSQL, MariaDB, Oracle, and SQL Server. Aurora is AWS's custom MySQL/PostgreSQL-compatible engine delivering 5x MySQL and 3x PostgreSQL performance, with storage auto-scaling to 128TB.
# Create a Multi-AZ PostgreSQL RDS instance
aws rds create-db-instance \
--db-instance-identifier myapp-db \
--db-instance-class db.r6g.xlarge \
--engine postgres \
--engine-version 15.4 \
--master-username admin \
--master-user-password "\${SECURE_PASSWORD}" \
--allocated-storage 100 \
--storage-type gp3 \
--multi-az \
--vpc-security-group-ids sg-0abc1234 \
--db-subnet-group-name myapp-db-subnets \
--backup-retention-period 7 \
--storage-encryptedDynamoDB Key Concepts
DynamoDB is a fully serverless key-value and document database delivering single-digit millisecond responses. Core concepts include Partition Key, Sort Key, Global Secondary Indexes (GSI), and Local Secondary Indexes (LSI). Capacity modes are On-Demand and Provisioned.
# DynamoDB table with GSI — CloudFormation
OrdersTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: Orders
BillingMode: PAY_PER_REQUEST # On-Demand
AttributeDefinitions:
- AttributeName: PK
AttributeType: S
- AttributeName: SK
AttributeType: S
- AttributeName: GSI1PK
AttributeType: S
KeySchema:
- AttributeName: PK
KeyType: HASH
- AttributeName: SK
KeyType: RANGE
GlobalSecondaryIndexes:
- IndexName: GSI1
KeySchema:
- AttributeName: GSI1PK
KeyType: HASH
- AttributeName: SK
KeyType: RANGE
Projection:
ProjectionType: ALL
PointInTimeRecoverySpecification:
PointInTimeRecoveryEnabled: trueRDS vs DynamoDB Decision Matrix
| Dimension | RDS / Aurora | DynamoDB |
|---|---|---|
| Data Model | Relational / SQL | Key-Value / Document |
| Latency | Low ms (query dependent) | Single-digit ms (consistent) |
| Scaling | Vertical (read replicas for reads) | Automatic horizontal scaling |
| Transactions | Full ACID | Limited (25 items / 4MB) |
| Operations | Instance sizing, maintenance windows | Fully serverless |
5. Lambda: Event-Driven Serverless Compute
AWS Lambda runs your code without provisioning or managing servers. Upload your code, and Lambda handles compute allocation, execution, and scaling. You pay only for actual compute time (billed per millisecond) with zero cost when idle.
Lambda Function Best Practices
# Python Lambda with best practices
import json
import boto3
import os
from aws_lambda_powertools import Logger, Tracer, Metrics
from aws_lambda_powertools.utilities.typing import LambdaContext
# Initialize outside handler (reused across invocations)
logger = Logger()
tracer = Tracer()
metrics = Metrics()
dynamodb = boto3.resource("dynamodb")
table = dynamodb.Table(os.environ["TABLE_NAME"])
@logger.inject_lambda_context
@tracer.capture_lambda_handler
@metrics.log_metrics(capture_cold_start_metric=True)
def handler(event, context: LambdaContext):
"""Process API Gateway request."""
try:
body = json.loads(event["body"])
order_id = body["order_id"]
# Single-table design query
response = table.get_item(
Key={"PK": f"ORDER#{order_id}", "SK": "METADATA"}
)
if "Item" not in response:
return {"statusCode": 404, "body": "Not found"}
metrics.add_metric(name="OrderLookup", unit="Count", value=1)
return {
"statusCode": 200,
"headers": {"Content-Type": "application/json"},
"body": json.dumps(response["Item"], default=str)
}
except Exception as e:
logger.exception("Failed to process request")
return {"statusCode": 500, "body": "Internal error"}Lambda key limits: 15-minute max execution, 250MB deployment package (unzipped), 128MB-10GB memory, 1000 default concurrency (increase on request). Cold start latency depends on runtime and package size — use Provisioned Concurrency or SnapStart (Java) to eliminate cold starts.
6. ECS & EKS: Container Orchestration
When workloads outgrow Lambda limits (long-running, large memory, custom runtimes), containers are the next step. AWS offers two orchestrators: ECS (AWS-native) and EKS (managed Kubernetes). Both support Fargate serverless launch type.
ECS vs EKS Comparison
| Dimension | ECS | EKS |
|---|---|---|
| Learning Curve | Low — AWS-native concepts | High — requires K8s knowledge |
| Multi-Cloud | AWS only | Yes (standard K8s) |
| Control Plane Cost | Free | ~$73/month |
| Ecosystem | Deep AWS integration | CNCF / Helm / Istio ecosystem |
| Fargate | Fully supported | Supported (some limitations) |
ECS Fargate Task Definition
# ECS Fargate Task Definition — CloudFormation
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: myapp-api
Cpu: "512"
Memory: "1024"
NetworkMode: awsvpc
RequiresCompatibilities: [FARGATE]
ExecutionRoleArn: !GetAtt ECSExecutionRole.Arn
TaskRoleArn: !GetAtt ECSTaskRole.Arn
ContainerDefinitions:
- Name: api
Image: !Sub "\${AWS::AccountId}.dkr.ecr.\${AWS::Region}.amazonaws.com/myapp:latest"
PortMappings:
- ContainerPort: 8080
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: /ecs/myapp-api
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: ecs
Environment:
- Name: NODE_ENV
Value: production
Secrets:
- Name: DB_PASSWORD
ValueFrom: !Ref DbPasswordSecret7. CloudFront & Route 53: Global CDN & DNS
CloudFront is AWS's CDN with 400+ edge locations worldwide, caching content to reduce latency to single-digit milliseconds. Route 53 is a highly available DNS service combining domain registration, DNS routing, and health checking.
Route 53 Routing Policies
| Policy | Description | Use Case |
|---|---|---|
| Simple | Standard routing to single resource | Single endpoint |
| Weighted | Distribute traffic by weight | Blue-green / canary deploys |
| Latency-based | Route to lowest-latency region | Multi-region applications |
| Failover | Auto-failover on health check failure | Active-passive DR |
| Geolocation | Route by user geographic location | Compliance & content localization |
CloudFront Distribution Setup
# CloudFront with S3 origin — CloudFormation
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- Id: S3Origin
DomainName: !GetAtt MyBucket.RegionalDomainName
S3OriginConfig:
OriginAccessIdentity: ""
OriginAccessControlId: !Ref OAC
DefaultCacheBehavior:
TargetOriginId: S3Origin
ViewerProtocolPolicy: redirect-to-https
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized
Compress: true
ViewerCertificate:
AcmCertificateArn: !Ref Certificate
SslSupportMethod: sni-only
MinimumProtocolVersion: TLSv1.2_2021
Enabled: true
HttpVersion: http2and3
PriceClass: PriceClass_1008. IAM: Identity & Access Management
IAM is the foundation of AWS security. It controls who (identity) can perform what actions on which resources. IAM policies are JSON documents defining Effect (Allow/Deny), Action, Resource, and optional Condition. Following the principle of least privilege is the top security priority.
IAM Best Practices Checklist
1) Enable MFA on root and lock it down — never use for daily tasks. 2) Create individual IAM users or roles for every person/service. 3) Use IAM roles (not access keys) for EC2/Lambda. 4) Attach policies to groups, not individual users. 5) Use AWS Organizations + SCPs for cross-account governance. 6) Audit with IAM Access Analyzer regularly. 7) Use aws-vault or SSO for local credential management.
# Least-privilege IAM policy example
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3ReadOnly",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-app-data",
"arn:aws:s3:::my-app-data/*"
]
},
{
"Sid": "AllowDynamoDBCRUD",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:Query"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": ["\${aws:PrincipalTag/tenant_id}"]
}
}
}
]
}9. VPC: Network Isolation & Architecture
A VPC (Virtual Private Cloud) is an isolated virtual network within AWS. A production-grade VPC typically spans multiple Availability Zones with public and private subnets, Internet Gateway, NAT Gateway, Security Groups, and Network ACLs. Proper VPC design is the foundation for security and availability.
Security Groups vs Network ACLs
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance / ENI level | Subnet level |
| Statefulness | Stateful | Stateless |
| Rules | Allow rules only | Allow + Deny rules |
| Evaluation | All rules evaluated together | Rules processed in number order |
Production VPC Architecture
# Three-tier VPC architecture — Terraform
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "5.5.0"
name = "production-vpc"
cidr = "10.0.0.0/16"
azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
public_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
private_subnets = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
enable_nat_gateway = true
single_nat_gateway = false # One per AZ for HA
one_nat_gateway_per_az = true
enable_dns_hostnames = true
enable_dns_support = true
# VPC Flow Logs
enable_flow_log = true
create_flow_log_cloudwatch_log_group = true
create_flow_log_iam_role = true
tags = {
Environment = "production"
Terraform = "true"
}
}10. SQS & SNS: Async Messaging & Notifications
Loose coupling is a key principle in microservices. SQS (message queue) and SNS (publish/subscribe) are the two core AWS services for asynchronous communication. They are often used together: SNS fans out to multiple SQS queues for parallel processing.
SQS Standard vs FIFO Queues
| Feature | Standard | FIFO |
|---|---|---|
| Throughput | Unlimited | 300 TPS (3000 w/ batching) |
| Ordering | Best-effort | Strict FIFO |
| Deduplication | At-least-once | Exactly-once |
| Use Case | High-throughput workloads | Order processing, financial transactions |
SNS + SQS Fan-Out Pattern
# SNS topic fans out to multiple SQS queues
# — CloudFormation snippet
OrderTopic:
Type: AWS::SNS::Topic
Properties:
TopicName: order-events
PaymentQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: payment-processing
VisibilityTimeout: 300
RedrivePolicy:
deadLetterTargetArn: !GetAtt PaymentDLQ.Arn
maxReceiveCount: 3
InventoryQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: inventory-update
VisibilityTimeout: 300
NotificationQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: customer-notification
# Subscribe all queues to the topic
PaymentSub:
Type: AWS::SNS::Subscription
Properties:
TopicArn: !Ref OrderTopic
Protocol: sqs
Endpoint: !GetAtt PaymentQueue.Arn
FilterPolicy:
event_type: [order_placed, order_updated]11. CloudWatch: Full-Stack Observability
CloudWatch provides metrics, logs, alarms, and dashboards as AWS's unified observability platform. Combined with X-Ray for distributed tracing and CloudTrail for API audit trails, they form the complete observability trinity.
Custom Metrics & Alarms
# Python — publish custom CloudWatch metric
import boto3
from datetime import datetime
cloudwatch = boto3.client("cloudwatch")
def publish_order_metric(order_total: float, region: str):
cloudwatch.put_metric_data(
Namespace="MyApp/Orders",
MetricData=[
{
"MetricName": "OrderValue",
"Dimensions": [
{"Name": "Region", "Value": region},
],
"Timestamp": datetime.utcnow(),
"Value": order_total,
"Unit": "None",
"StorageResolution": 60 # standard (1-min)
}
]
)CloudWatch Alarm Configuration
# CloudWatch Alarm — CloudFormation
HighCPUAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmName: high-cpu-api-cluster
AlarmDescription: "CPU > 80% for 5 minutes"
Namespace: AWS/ECS
MetricName: CPUUtilization
Dimensions:
- Name: ClusterName
Value: !Ref ECSCluster
- Name: ServiceName
Value: !GetAtt ECSService.Name
Statistic: Average
Period: 300
EvaluationPeriods: 1
Threshold: 80
ComparisonOperator: GreaterThanThreshold
AlarmActions:
- !Ref OpsNotificationTopic
OKActions:
- !Ref OpsNotificationTopicCloudWatch Logs Insights provides a SQL-like query language for rapidly searching massive log volumes. Example query:
# Find top 10 slowest API requests in the last hour
fields @timestamp, @message
| filter @message like /duration/
| parse @message "duration=* ms" as duration_ms
| sort duration_ms desc
| limit 1012. Cost Optimization: Cutting 40-60% Off Your Bill
Cost optimization is not a one-time activity — it is an ongoing operational practice. AWS provides multiple tools and strategies to help dramatically reduce spending without sacrificing performance. Here is a proven cost optimization playbook.
Compute Cost Optimization
| Strategy | Potential Savings | Implementation Effort |
|---|---|---|
| Right-sizing instances | 10-30% | Low |
| Savings Plans | Up to 72% | Low |
| Spot Instances | Up to 90% | Medium |
| Graviton (ARM) | 20-40% | Low-Medium |
| Auto Scaling | 20-50% | Medium |
| Migrate to Lambda/Fargate | 30-70% | High |
Storage & Data Transfer Optimization
Storage optimization strategies: 1) Use S3 Intelligent-Tiering for data with unknown access patterns. 2) Enable S3 lifecycle policies to transition old data to Glacier. 3) Use gp3 instead of gp2 EBS volumes (same performance, 20% cheaper). 4) Regularly clean up unattached EBS volumes and expired snapshots. 5) Use CloudFront to reduce data transfer costs — edge transfer is much cheaper than direct S3/EC2 transfer.
AWS Cost Management Tools
# Set up a monthly budget alert with AWS CLI
aws budgets create-budget \
--account-id 123456789012 \
--budget '{
"BudgetName": "MonthlySpend",
"BudgetLimit": {
"Amount": "1000",
"Unit": "USD"
},
"BudgetType": "COST",
"TimeUnit": "MONTHLY"
}' \
--notifications-with-subscribers '[
{
"Notification": {
"NotificationType": "ACTUAL",
"ComparisonOperator": "GREATER_THAN",
"Threshold": 80,
"ThresholdType": "PERCENTAGE"
},
"Subscribers": [
{
"SubscriptionType": "EMAIL",
"Address": "ops-team@example.com"
}
]
}
]'Cost Optimization Checklist
- Use AWS Cost Explorer to analyze spending trends (by service, account, tags)
- Enable AWS Compute Optimizer for right-sizing recommendations
- Run Trusted Advisor cost optimization checks
- Tag all resources with cost allocation tags (team, environment, project)
- Set AWS Budgets alerts (80% / 100% / forecasted overspend)
- Review Savings Plans and RI coverage reports monthly
- Clean up: unused Elastic IPs, EBS volumes, old AMIs, empty load balancers
- Consider multi-region vs single-region — data transfer is a hidden cost killer
13. AWS Well-Architected Reference Architecture
The AWS Well-Architected Framework defines five pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization. Below is a typical three-tier web application architecture combining the core services covered in this guide.
# Three-tier architecture overview
#
# Internet
# |-- Route 53 (DNS, latency-based routing)
# |-- CloudFront (CDN, static assets + API caching)
# |-- WAF (rate limiting, SQL injection protection)
# |
# VPC (10.0.0.0/16)
# |
# |-- Public Subnets (3 AZs)
# | |-- ALB (Application Load Balancer)
# | |-- NAT Gateways
# |
# |-- Private Subnets (3 AZs)
# | |-- ECS Fargate / EKS (app containers)
# | |-- Lambda (async processing)
# | |-- SQS queues + SNS topics
# |
# |-- Database Subnets (3 AZs)
# |-- Aurora PostgreSQL (Multi-AZ)
# |-- ElastiCache Redis (cluster mode)
# |-- DynamoDB (session store)
#
# Observability:
# CloudWatch Metrics + Logs + Alarms
# X-Ray distributed tracing
# CloudTrail API audit logging
#
# Security:
# IAM roles (least privilege)
# KMS encryption (at rest + in transit)
# Secrets Manager (DB creds, API keys)
# GuardDuty (threat detection)Five Pillars Quick Reference
| Pillar | Key Practices | Core Services |
|---|---|---|
| Operational Excellence | IaC, CI/CD, Runbooks | CloudFormation, CodePipeline, Systems Manager |
| Security | Least privilege, encryption, audit | IAM, KMS, GuardDuty, CloudTrail |
| Reliability | Multi-AZ, auto-recovery, backups | Auto Scaling, Route 53, S3 Cross-Region |
| Performance Efficiency | Right instance type, caching, CDN | CloudFront, ElastiCache, Graviton |
| Cost Optimization | Reserved/Spot, right-size, lifecycle policies | Savings Plans, Compute Optimizer, S3 IT |
Conclusion
The AWS ecosystem is vast but follows clear patterns. From compute (EC2/Lambda/ECS) to storage (S3), databases (RDS/DynamoDB), networking (VPC/CloudFront/Route 53), security (IAM), messaging (SQS/SNS), and monitoring (CloudWatch), each service has its optimal use case. The key is choosing the right service combination for your workload characteristics, following the Well-Architected Framework's five pillars, and continuously optimizing costs. Start small, scale on demand, leverage managed services — that is the core philosophy of AWS cloud architecture.
Frequently Asked Questions
What is the difference between EC2 On-Demand, Reserved, and Spot Instances?
On-Demand instances charge per second with no commitment, ideal for unpredictable workloads. Reserved Instances offer up to 72% discount for 1-3 year commitments, best for steady-state usage. Spot Instances provide up to 90% discount by using spare EC2 capacity, but can be interrupted with 2 minutes notice — perfect for fault-tolerant batch jobs, CI/CD, and data processing.
When should I use RDS vs DynamoDB?
Use RDS when you need relational data with complex joins, transactions, and SQL support (MySQL, PostgreSQL, Oracle, SQL Server). Use DynamoDB for key-value or document workloads requiring single-digit millisecond latency at any scale, such as gaming leaderboards, session stores, IoT data, and e-commerce carts. DynamoDB is fully managed and serverless, while RDS requires instance sizing and maintenance windows.
How do I choose between ECS and EKS for container orchestration?
Choose ECS if you want a simpler, AWS-native container orchestration service with deep integration into other AWS services and no additional management overhead. Choose EKS if you need Kubernetes compatibility, want to run the same workloads across AWS and other clouds, or already have Kubernetes expertise. Both support Fargate for serverless containers, eliminating the need to manage underlying EC2 instances.
What are the best practices for AWS IAM security?
Follow the principle of least privilege — grant only permissions needed. Enable MFA on all accounts, especially root. Use IAM roles instead of long-lived access keys. Implement Service Control Policies in AWS Organizations. Rotate credentials regularly. Use IAM Access Analyzer to identify unused permissions. Never embed credentials in code; use IAM roles for EC2/Lambda or AWS Secrets Manager.
How does Amazon VPC work and what are the key components?
A VPC is an isolated virtual network within AWS. Key components include subnets (public and private), route tables, Internet Gateway (for public internet access), NAT Gateway (for private subnet outbound access), security groups (stateful instance-level firewall), and NACLs (stateless subnet-level firewall). Best practice is to use multiple Availability Zones with public subnets for load balancers and private subnets for application servers and databases.
What is the difference between SQS and SNS?
SQS (Simple Queue Service) is a message queue for decoupling producers and consumers — messages are pulled by consumers and processed once. SNS (Simple Notification Service) is a pub/sub system that pushes messages to multiple subscribers simultaneously (Lambda, SQS, HTTP, email, SMS). Use SQS for task queues and work distribution, SNS for fan-out notifications. They are often used together: SNS publishes to multiple SQS queues for parallel processing.
How can I reduce my AWS bill by 40-60%?
Key strategies: 1) Use Reserved Instances or Savings Plans for steady workloads (up to 72% savings). 2) Leverage Spot Instances for fault-tolerant workloads (up to 90% savings). 3) Right-size instances using AWS Compute Optimizer. 4) Use S3 Intelligent-Tiering for automatic storage cost optimization. 5) Enable auto-scaling to match capacity to demand. 6) Delete unused EBS volumes, snapshots, and Elastic IPs. 7) Use AWS Cost Explorer and set billing alerts.
How do CloudFront and Route 53 work together for global applications?
Route 53 provides DNS resolution with health checks and routing policies (latency-based, geolocation, failover, weighted). CloudFront is a CDN that caches content at 400+ edge locations worldwide, reducing latency to single-digit milliseconds. Together, Route 53 routes users to the nearest CloudFront edge location, which serves cached content or fetches from the origin. This combination delivers global sub-100ms response times with automatic failover.