| name | aws-cloud-services |
| description | Comprehensive AWS cloud services skill covering S3, Lambda, DynamoDB, EC2, RDS, IAM, CloudFormation, and enterprise cloud architecture patterns with AWS SDK |
AWS Cloud Services
A comprehensive skill for building, deploying, and managing cloud infrastructure on Amazon Web Services (AWS). Master S3 object storage, Lambda serverless functions, DynamoDB NoSQL databases, EC2 compute instances, RDS relational databases, IAM security, CloudFormation infrastructure as code, and enterprise-grade cloud architecture patterns.
When to Use This Skill
Use this skill when:
- Building scalable cloud applications on AWS infrastructure
- Implementing serverless architectures with Lambda and API Gateway
- Managing object storage and file uploads with S3
- Designing NoSQL database solutions with DynamoDB
- Deploying EC2 instances and managing compute resources
- Setting up RDS databases for relational data storage
- Implementing IAM security policies and access control
- Automating infrastructure deployment with CloudFormation
- Architecting multi-region, highly available systems
- Optimizing cloud costs and performance
- Migrating on-premises applications to AWS
- Implementing event-driven architectures
- Building data pipelines and analytics solutions
- Managing secrets and credentials securely
- Setting up CI/CD pipelines with AWS services
Core Concepts
AWS Fundamentals
AWS is Amazon's comprehensive cloud computing platform offering 200+ services across compute, storage, databases, networking, security, and more.
Key Concepts
Regions and Availability Zones
- Regions: Geographic areas with multiple data centers (e.g., us-east-1, eu-west-1)
- Availability Zones (AZs): Isolated data centers within a region
- Edge Locations: CDN endpoints for CloudFront content delivery
- Local Zones: Extensions of regions for ultra-low latency
AWS Account Structure
- Root Account: Primary account with full access (use sparingly)
- IAM Users: Individual user accounts with specific permissions
- IAM Roles: Temporary credentials for services and applications
- Organizations: Multi-account management for enterprises
Service Categories
- Compute: EC2, Lambda, ECS, EKS, Fargate
- Storage: S3, EBS, EFS, Glacier
- Database: RDS, DynamoDB, Aurora, ElastiCache, Redshift
- Networking: VPC, Route 53, CloudFront, API Gateway, ELB
- Security: IAM, Cognito, Secrets Manager, KMS, WAF
- Infrastructure: CloudFormation, CDK, Systems Manager
- Monitoring: CloudWatch, X-Ray, CloudTrail
AWS SDK for JavaScript v3
The AWS SDK v3 is modular, tree-shakable, and optimized for modern JavaScript/TypeScript applications.
Key Improvements
Modular Architecture
// v2 (monolithic)
const AWS = require('aws-sdk');
const s3 = new AWS.S3();
// v3 (modular)
import { S3Client, PutObjectCommand } from '@aws-sdk/client-s3';
const client = new S3Client({ region: 'us-east-1' });
Command Pattern
- Each operation is a command class
- Clear separation between client and commands
- Better TypeScript support and type inference
Middleware Stack
- Customizable request/response pipeline
- Built-in retry and exponential backoff
- Request signing and authentication
Identity and Access Management (IAM)
IAM controls authentication and authorization across all AWS services.
Core IAM Components
Users
- Individual identities with long-term credentials
- Access keys for programmatic access
- Passwords for console access
- MFA (Multi-Factor Authentication) support
Groups
- Collections of users
- Attach policies to manage permissions collectively
- Users can belong to multiple groups
Roles
- Temporary credentials assumed by users, services, or applications
- Cross-account access
- Service-to-service communication
- Federation with external identity providers
Policies
- JSON documents defining permissions
- Identity-based policies (attached to users/groups/roles)
- Resource-based policies (attached to resources like S3 buckets)
- Service control policies (SCPs) for Organizations
Policy Structure
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}
Policy Elements
- Effect: Allow or Deny
- Action: Services and operations (e.g., s3:GetObject)
- Resource: ARN of resources affected
- Condition: Optional constraints (IP, time, MFA, etc.)
- Principal: Who the policy applies to (for resource-based policies)
Least Privilege Principle
Always grant minimum permissions necessary:
- Start with no permissions
- Add permissions incrementally as needed
- Use managed policies for common patterns
- Create custom policies for specific use cases
- Regularly audit and remove unused permissions
Credential Management
Credential Chain
The SDK searches for credentials in this order:
- Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
- Shared credentials file: ~/.aws/credentials
- Shared config file: ~/.aws/config
- IAM role (EC2/ECS/Lambda): Instance metadata service
- Process credentials: From a custom executable
Best Practices
- Never hardcode credentials in source code
- Use IAM roles for EC2, Lambda, ECS
- Use temporary credentials whenever possible
- Rotate access keys regularly (90 days recommended)
- Use AWS Secrets Manager for application secrets
- Enable MFA for privileged accounts
- Use AWS SSO for centralized access management
Regions and Endpoint Configuration
import { S3Client } from '@aws-sdk/client-s3';
// Specify region explicitly
const client = new S3Client({
region: 'us-west-2',
endpoint: 'https://s3.us-west-2.amazonaws.com' // Optional custom endpoint
});
// Use default region from environment/config
const defaultClient = new S3Client({}); // Uses AWS_REGION or default region
S3 (Simple Storage Service)
S3 is AWS's object storage service for storing and retrieving any amount of data from anywhere.
Core S3 Concepts
Buckets
- Globally unique names: Must be unique across all AWS accounts
- Regional resources: Created in a specific region
- Unlimited objects: No limit on number of objects
- Bucket policies: Resource-based access control
- Versioning: Keep multiple versions of objects
- Encryption: Server-side and client-side encryption
Objects
- Key-value store: Key is the object name, value is the data
- Metadata: System and user-defined metadata
- Size limit: 5TB per object
- Multipart upload: For objects > 100MB (required for > 5GB)
- Storage classes: Standard, IA, Glacier, etc.
S3 Storage Classes
S3 Standard
- Frequently accessed data
- 99.99% availability
- Millisecond latency
S3 Intelligent-Tiering
- Automatic cost optimization
- Moves data between access tiers
S3 Standard-IA (Infrequent Access)
- Lower cost for infrequently accessed data
- Retrieval fees apply
S3 One Zone-IA
- Single AZ storage for less critical data
- 20% cheaper than Standard-IA
S3 Glacier
- Long-term archival
- Minutes to hours retrieval
- Very low cost
S3 Glacier Deep Archive
- Lowest cost storage
- 12-hour retrieval
- Ideal for compliance archives
S3 Operations
Upload Objects
import { S3Client, PutObjectCommand } from '@aws-sdk/client-s3';
import { readFileSync } from 'fs';
const client = new S3Client({ region: 'us-east-1' });
// Simple upload
const uploadFile = async (bucketName, key, filePath) => {
const fileContent = readFileSync(filePath);
const command = new PutObjectCommand({
Bucket: bucketName,
Key: key,
Body: fileContent,
ContentType: 'image/jpeg', // Optional
Metadata: { // Optional custom metadata
'uploaded-by': 'user-123',
'upload-date': new Date().toISOString()
},
ServerSideEncryption: 'AES256', // Enable encryption
ACL: 'private' // Access control
});
const response = await client.send(command);
return response;
};
Download Objects
import { GetObjectCommand } from '@aws-sdk/client-s3';
import { writeFileSync } from 'fs';
const downloadFile = async (bucketName, key, destinationPath) => {
const command = new GetObjectCommand({
Bucket: bucketName,
Key: key
});
const response = await client.send(command);
// Convert stream to buffer
const chunks = [];
for await (const chunk of response.Body) {
chunks.push(chunk);
}
const buffer = Buffer.concat(chunks);
writeFileSync(destinationPath, buffer);
return response.Metadata;
};
List Objects
import { ListObjectsV2Command } from '@aws-sdk/client-s3';
const listObjects = async (bucketName, prefix = '') => {
const command = new ListObjectsV2Command({
Bucket: bucketName,
Prefix: prefix, // Filter by prefix
MaxKeys: 1000, // Max 1000 per request
Delimiter: '/' // Treat / as folder separator
});
const response = await client.send(command);
return response.Contents; // Array of objects
};
// Pagination for large buckets
const listAllObjects = async (bucketName) => {
let allObjects = [];
let continuationToken;
do {
const command = new ListObjectsV2Command({
Bucket: bucketName,
ContinuationToken: continuationToken
});
const response = await client.send(command);
allObjects = allObjects.concat(response.Contents || []);
continuationToken = response.NextContinuationToken;
} while (continuationToken);
return allObjects;
};
Delete Objects
import { DeleteObjectCommand, DeleteObjectsCommand } from '@aws-sdk/client-s3';
// Delete single object
const deleteObject = async (bucketName, key) => {
const command = new DeleteObjectCommand({
Bucket: bucketName,
Key: key
});
await client.send(command);
};
// Delete multiple objects (up to 1000 at once)
const deleteMultipleObjects = async (bucketName, keys) => {
const command = new DeleteObjectsCommand({
Bucket: bucketName,
Delete: {
Objects: keys.map(key => ({ Key: key })),
Quiet: false // Return list of deleted objects
}
});
const response = await client.send(command);
return response.Deleted;
};
Presigned URLs
Generate temporary URLs for secure file uploads/downloads without AWS credentials.
import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
import { PutObjectCommand, GetObjectCommand } from '@aws-sdk/client-s3';
// Presigned URL for upload
const createUploadUrl = async (bucketName, key, expiresIn = 3600) => {
const command = new PutObjectCommand({
Bucket: bucketName,
Key: key,
ContentType: 'image/jpeg'
});
const url = await getSignedUrl(client, command, { expiresIn });
return url; // Client can PUT to this URL
};
// Presigned URL for download
const createDownloadUrl = async (bucketName, key, expiresIn = 3600) => {
const command = new GetObjectCommand({
Bucket: bucketName,
Key: key
});
const url = await getSignedUrl(client, command, { expiresIn });
return url; // Client can GET from this URL
};
Multipart Upload
For large files (> 100MB), use multipart upload for better performance and reliability.
import {
CreateMultipartUploadCommand,
UploadPartCommand,
CompleteMultipartUploadCommand,
AbortMultipartUploadCommand
} from '@aws-sdk/client-s3';
const multipartUpload = async (bucketName, key, fileBuffer, partSize = 5 * 1024 * 1024) => {
// 1. Initiate multipart upload
const createCommand = new CreateMultipartUploadCommand({
Bucket: bucketName,
Key: key
});
const { UploadId } = await client.send(createCommand);
try {
// 2. Upload parts
const parts = [];
const numParts = Math.ceil(fileBuffer.length / partSize);
for (let i = 0; i < numParts; i++) {
const start = i * partSize;
const end = Math.min(start + partSize, fileBuffer.length);
const partBody = fileBuffer.slice(start, end);
const uploadCommand = new UploadPartCommand({
Bucket: bucketName,
Key: key,
UploadId,
PartNumber: i + 1,
Body: partBody
});
const { ETag } = await client.send(uploadCommand);
parts.push({ PartNumber: i + 1, ETag });
}
// 3. Complete multipart upload
const completeCommand = new CompleteMultipartUploadCommand({
Bucket: bucketName,
Key: key,
UploadId,
MultipartUpload: { Parts: parts }
});
const result = await client.send(completeCommand);
return result;
} catch (error) {
// Abort on error to avoid storage charges for incomplete uploads
const abortCommand = new AbortMultipartUploadCommand({
Bucket: bucketName,
Key: key,
UploadId
});
await client.send(abortCommand);
throw error;
}
};
Lambda
AWS Lambda is a serverless compute service that runs code in response to events without provisioning servers.
Lambda Core Concepts
Execution Model
- Event-driven: Triggered by events from AWS services or HTTP requests
- Stateless: Each invocation is independent
- Concurrent execution: Automatically scales based on demand
- Timeout: 15-minute maximum execution time
- Memory: 128MB to 10GB (CPU scales with memory)
Handler Function
// Lambda handler signature
export const handler = async (event, context) => {
// event: Input data (API request, S3 event, etc.)
// context: Runtime information (request ID, remaining time, etc.)
console.log('Event:', JSON.stringify(event, null, 2));
console.log('Request ID:', context.requestId);
console.log('Remaining time:', context.getRemainingTimeInMillis());
// Process event
const result = await processEvent(event);
// Return response
return {
statusCode: 200,
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(result)
};
};
Invocation Types
Synchronous (RequestResponse)
- API Gateway, SDK invoke
- Caller waits for response
- Error returned to caller
Asynchronous (Event)
- S3, SNS, CloudWatch Events
- Lambda queues event and returns immediately
- Built-in retry (2 attempts)
- Dead letter queue for failures
Poll-based (Stream)
- DynamoDB Streams, Kinesis
- Lambda polls stream and invokes function
- Ordered processing within shard
Lambda Configuration
// Using AWS SDK to create/update Lambda function
import {
LambdaClient,
CreateFunctionCommand,
UpdateFunctionCodeCommand,
UpdateFunctionConfigurationCommand
} from '@aws-sdk/client-lambda';
const lambdaClient = new LambdaClient({ region: 'us-east-1' });
const createFunction = async () => {
const command = new CreateFunctionCommand({
FunctionName: 'myFunction',
Runtime: 'nodejs20.x',
Role: 'arn:aws:iam::123456789012:role/lambda-execution-role',
Handler: 'index.handler',
Code: {
ZipFile: zipBuffer // Or S3Bucket/S3Key for S3-stored code
},
Environment: {
Variables: {
'BUCKET_NAME': 'my-bucket',
'TABLE_NAME': 'my-table'
}
},
MemorySize: 512, // MB
Timeout: 30, // seconds
Tags: {
'Environment': 'production',
'Team': 'backend'
}
});
const response = await lambdaClient.send(command);
return response.FunctionArn;
};
Lambda Event Sources
API Gateway Integration
// Lambda function for API Gateway
export const handler = async (event) => {
// Parse request
const { httpMethod, path, queryStringParameters, body } = event;
const requestBody = body ? JSON.parse(body) : null;
// Route based on HTTP method and path
if (httpMethod === 'GET' && path === '/users') {
const users = await getUsers();
return {
statusCode: 200,
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(users)
};
}
if (httpMethod === 'POST' && path === '/users') {
const newUser = await createUser(requestBody);
return {
statusCode: 201,
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(newUser)
};
}
// Not found
return {
statusCode: 404,
body: JSON.stringify({ message: 'Not found' })
};
};
S3 Event Integration
// Lambda function triggered by S3 events
export const handler = async (event) => {
// Process each S3 event record
for (const record of event.Records) {
const bucket = record.s3.bucket.name;
const key = decodeURIComponent(record.s3.object.key.replace(/\+/g, ' '));
const eventName = record.eventName;
console.log(`Event: ${eventName}, Bucket: ${bucket}, Key: ${key}`);
if (eventName.startsWith('ObjectCreated:')) {
await processNewFile(bucket, key);
} else if (eventName.startsWith('ObjectRemoved:')) {
await handleFileDeleted(bucket, key);
}
}
return { statusCode: 200 };
};
DynamoDB Streams Integration
// Lambda function for DynamoDB Streams
export const handler = async (event) => {
for (const record of event.Records) {
const { eventName, dynamodb } = record;
// INSERT, MODIFY, REMOVE
console.log(`Event: ${eventName}`);
if (eventName === 'INSERT') {
const newItem = AWS.DynamoDB.Converter.unmarshall(dynamodb.NewImage);
await handleNewItem(newItem);
}
if (eventName === 'MODIFY') {
const oldItem = AWS.DynamoDB.Converter.unmarshall(dynamodb.OldImage);
const newItem = AWS.DynamoDB.Converter.unmarshall(dynamodb.NewImage);
await handleItemUpdate(oldItem, newItem);
}
if (eventName === 'REMOVE') {
const oldItem = AWS.DynamoDB.Converter.unmarshall(dynamodb.OldImage);
await handleItemDeleted(oldItem);
}
}
};
Lambda Best Practices
Cold Start Optimization
- Keep deployment package small
- Minimize external dependencies
- Use provisioned concurrency for latency-sensitive functions
- Initialize SDK clients outside handler
Error Handling
export const handler = async (event) => {
try {
// Process event
const result = await processEvent(event);
return { statusCode: 200, body: JSON.stringify(result) };
} catch (error) {
console.error('Error processing event:', error);
// Log to CloudWatch
console.error('Error details:', {
message: error.message,
stack: error.stack,
event
});
// Return error response
return {
statusCode: 500,
body: JSON.stringify({
error: 'Internal server error',
requestId: context.requestId
})
};
}
};
Environment Variables
// Access environment variables
const BUCKET_NAME = process.env.BUCKET_NAME;
const TABLE_NAME = process.env.TABLE_NAME;
const API_KEY = process.env.API_KEY; // Use Secrets Manager for sensitive data
DynamoDB
DynamoDB is a fully managed NoSQL database service for single-digit millisecond performance at any scale.
DynamoDB Core Concepts
Tables and Items
Table: Collection of items (like a table in SQL) Item: Individual record (like a row), max 400KB Attribute: Key-value pair (like a column) Primary Key: Uniquely identifies each item
Primary Key Types
Partition Key (Simple Primary Key)
User Table:
- userId (Partition Key) -> "user-123"
- name -> "John Doe"
- email -> "john@example.com"
Partition Key + Sort Key (Composite Primary Key)
Order Table:
- userId (Partition Key) -> "user-123"
- orderId (Sort Key) -> "order-456"
- total -> 99.99
- status -> "shipped"
Indexes
Global Secondary Index (GSI)
- Different partition key and/or sort key
- Spans all partitions
- Eventually consistent
- Can be created/deleted anytime
Local Secondary Index (LSI)
- Same partition key, different sort key
- Scoped to partition
- Strongly or eventually consistent
- Must be created with table
DynamoDB Operations
Put Item
import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
import { DynamoDBDocumentClient, PutCommand } from '@aws-sdk/lib-dynamodb';
const client = new DynamoDBClient({ region: 'us-east-1' });
const docClient = DynamoDBDocumentClient.from(client);
const putItem = async (tableName, item) => {
const command = new PutCommand({
TableName: tableName,
Item: item,
ConditionExpression: 'attribute_not_exists(userId)', // Prevent overwrite
ReturnValues: 'ALL_OLD' // Return previous item if existed
});
try {
const response = await docClient.send(command);
return response;
} catch (error) {
if (error.name === 'ConditionalCheckFailedException') {
console.log('Item already exists');
}
throw error;
}
};
// Example usage
await putItem('Users', {
userId: 'user-123',
name: 'John Doe',
email: 'john@example.com',
createdAt: new Date().toISOString(),
preferences: {
theme: 'dark',
notifications: true
}
});
Get Item
import { GetCommand } from '@aws-sdk/lib-dynamodb';
const getItem = async (tableName, key) => {
const command = new GetCommand({
TableName: tableName,
Key: key,
ConsistentRead: true, // Strong consistency (default: false)
ProjectionExpression: 'userId, #n, email', // Return specific attributes
ExpressionAttributeNames: {
'#n': 'name' // name is reserved word, use placeholder
}
});
const response = await docClient.send(command);
return response.Item;
};
// Example usage
const user = await getItem('Users', { userId: 'user-123' });
Update Item
import { UpdateCommand } from '@aws-sdk/lib-dynamodb';
const updateItem = async (tableName, key, updates) => {
const command = new UpdateCommand({
TableName: tableName,
Key: key,
UpdateExpression: 'SET #n = :name, email = :email, updatedAt = :now',
ExpressionAttributeNames: {
'#n': 'name'
},
ExpressionAttributeValues: {
':name': updates.name,
':email': updates.email,
':now': new Date().toISOString()
},
ConditionExpression: 'attribute_exists(userId)', // Only update if exists
ReturnValues: 'ALL_NEW' // Return updated item
});
const response = await docClient.send(command);
return response.Attributes;
};
// Atomic counter increment
const incrementCounter = async (tableName, key, counterAttribute) => {
const command = new UpdateCommand({
TableName: tableName,
Key: key,
UpdateExpression: 'ADD #counter :inc',
ExpressionAttributeNames: {
'#counter': counterAttribute
},
ExpressionAttributeValues: {
':inc': 1
},
ReturnValues: 'UPDATED_NEW'
});
const response = await docClient.send(command);
return response.Attributes[counterAttribute];
};
Query
Query items with same partition key (efficient).
import { QueryCommand } from '@aws-sdk/lib-dynamodb';
const queryItems = async (tableName, partitionKeyValue) => {
const command = new QueryCommand({
TableName: tableName,
KeyConditionExpression: 'userId = :userId AND orderId BETWEEN :start AND :end',
ExpressionAttributeValues: {
':userId': partitionKeyValue,
':start': 'order-100',
':end': 'order-200'
},
FilterExpression: 'orderStatus = :status', // Filter results (applied after query)
ExpressionAttributeValues: {
':status': 'completed'
},
Limit: 100, // Max items to return
ScanIndexForward: false // Sort descending (default: ascending)
});
const response = await docClient.send(command);
return response.Items;
};
// Pagination
const queryAllItems = async (tableName, partitionKeyValue) => {
let allItems = [];
let lastEvaluatedKey;
do {
const command = new QueryCommand({
TableName: tableName,
KeyConditionExpression: 'userId = :userId',
ExpressionAttributeValues: {
':userId': partitionKeyValue
},
ExclusiveStartKey: lastEvaluatedKey
});
const response = await docClient.send(command);
allItems = allItems.concat(response.Items);
lastEvaluatedKey = response.LastEvaluatedKey;
} while (lastEvaluatedKey);
return allItems;
};
Scan
Scan entire table (inefficient, avoid in production).
import { ScanCommand } from '@aws-sdk/lib-dynamodb';
const scanTable = async (tableName, filterExpression) => {
const command = new ScanCommand({
TableName: tableName,
FilterExpression: 'age > :minAge',
ExpressionAttributeValues: {
':minAge': 18
},
Limit: 1000
});
const response = await docClient.send(command);
return response.Items;
};
// Parallel scan for performance
const parallelScan = async (tableName, totalSegments = 4) => {
const scanSegment = async (segment) => {
const command = new ScanCommand({
TableName: tableName,
Segment: segment,
TotalSegments: totalSegments
});
const response = await docClient.send(command);
return response.Items;
};
// Scan all segments in parallel
const promises = [];
for (let i = 0; i < totalSegments; i++) {
promises.push(scanSegment(i));
}
const results = await Promise.all(promises);
return results.flat();
};
Delete Item
import { DeleteCommand } from '@aws-sdk/lib-dynamodb';
const deleteItem = async (tableName, key) => {
const command = new DeleteCommand({
TableName: tableName,
Key: key,
ConditionExpression: 'attribute_exists(userId)', // Only delete if exists
ReturnValues: 'ALL_OLD' // Return deleted item
});
const response = await docClient.send(command);
return response.Attributes;
};
Batch Operations
import { BatchGetCommand, BatchWriteCommand } from '@aws-sdk/lib-dynamodb';
// Batch get (up to 100 items)
const batchGetItems = async (tableName, keys) => {
const command = new BatchGetCommand({
RequestItems: {
[tableName]: {
Keys: keys // Array of key objects
}
}
});
const response = await docClient.send(command);
return response.Responses[tableName];
};
// Batch write (up to 25 items)
const batchWriteItems = async (tableName, items) => {
const command = new BatchWriteCommand({
RequestItems: {
[tableName]: items.map(item => ({
PutRequest: { Item: item }
}))
}
});
await docClient.send(command);
};
// Batch delete
const batchDeleteItems = async (tableName, keys) => {
const command = new BatchWriteCommand({
RequestItems: {
[tableName]: keys.map(key => ({
DeleteRequest: { Key: key }
}))
}
});
await docClient.send(command);
};
DynamoDB Patterns
Single-Table Design
Use one table with overloaded keys for complex data models.
// User entity
{
PK: "USER#user-123",
SK: "METADATA",
type: "user",
name: "John Doe",
email: "john@example.com"
}
// User's order
{
PK: "USER#user-123",
SK: "ORDER#order-456",
type: "order",
total: 99.99,
status: "shipped"
}
// Access patterns:
// 1. Get user: PK = "USER#user-123", SK = "METADATA"
// 2. Get all user's orders: PK = "USER#user-123", SK begins_with "ORDER#"
// 3. Get specific order: PK = "USER#user-123", SK = "ORDER#order-456"
EC2 (Elastic Compute Cloud)
EC2 provides resizable compute capacity in the cloud with virtual machines (instances).
EC2 Core Concepts
Instance Types
General Purpose (T3, M6i)
- Balanced CPU, memory, and networking
- Web servers, development environments
Compute Optimized (C6i)
- High-performance processors
- Batch processing, gaming servers
Memory Optimized (R6i, X2idn)
- Large in-memory workloads
- Databases, caching layers
Storage Optimized (I4i, D3)
- High sequential read/write
- Data warehouses, distributed file systems
Accelerated Computing (P4, G5)
- GPU instances
- Machine learning, graphics rendering
AMI (Amazon Machine Image)
Pre-configured templates for instances containing:
- Operating system (Amazon Linux, Ubuntu, Windows, etc.)
- Application software
- Configuration settings
EC2 Operations
import {
EC2Client,
RunInstancesCommand,
DescribeInstancesCommand,
StartInstancesCommand,
StopInstancesCommand,
TerminateInstancesCommand
} from '@aws-sdk/client-ec2';
const ec2Client = new EC2Client({ region: 'us-east-1' });
// Launch instance
const launchInstance = async () => {
const command = new RunInstancesCommand({
ImageId: 'ami-0c55b159cbfafe1f0', // Amazon Linux 2 AMI
InstanceType: 't3.micro',
MinCount: 1,
MaxCount: 1,
KeyName: 'my-key-pair',
SecurityGroupIds: ['sg-0123456789abcdef0'],
SubnetId: 'subnet-0123456789abcdef0',
IamInstanceProfile: {
Name: 'ec2-instance-profile'
},
UserData: Buffer.from(`#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "Hello from EC2" > /var/www/html/index.html
`).toString('base64'),
TagSpecifications: [{
ResourceType: 'instance',
Tags: [
{ Key: 'Name', Value: 'WebServer' },
{ Key: 'Environment', Value: 'production' }
]
}]
});
const response = await ec2Client.send(command);
return response.Instances[0].InstanceId;
};
// Describe instances
const describeInstances = async (instanceIds) => {
const command = new DescribeInstancesCommand({
InstanceIds: instanceIds,
Filters: [
{ Name: 'instance-state-name', Values: ['running'] }
]
});
const response = await ec2Client.send(command);
return response.Reservations.flatMap(r => r.Instances);
};
// Stop instance
const stopInstance = async (instanceId) => {
const command = new StopInstancesCommand({
InstanceIds: [instanceId]
});
await ec2Client.send(command);
};
// Terminate instance
const terminateInstance = async (instanceId) => {
const command = new TerminateInstancesCommand({
InstanceIds: [instanceId]
});
await ec2Client.send(command);
};
RDS (Relational Database Service)
RDS provides managed relational databases (PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, Aurora).
RDS Operations
import {
RDSClient,
CreateDBInstanceCommand,
DescribeDBInstancesCommand,
ModifyDBInstanceCommand,
DeleteDBInstanceCommand
} from '@aws-sdk/client-rds';
const rdsClient = new RDSClient({ region: 'us-east-1' });
// Create database instance
const createDatabase = async () => {
const command = new CreateDBInstanceCommand({
DBInstanceIdentifier: 'mydb',
DBInstanceClass: 'db.t3.micro',
Engine: 'postgres',
EngineVersion: '15.3',
MasterUsername: 'admin',
MasterUserPassword: 'SecurePassword123!',
AllocatedStorage: 20, // GB
StorageType: 'gp3',
BackupRetentionPeriod: 7, // days
MultiAZ: true, // High availability
PubliclyAccessible: false,
VpcSecurityGroupIds: ['sg-0123456789abcdef0'],
DBSubnetGroupName: 'my-db-subnet-group',
StorageEncrypted: true,
Tags: [
{ Key: 'Environment', Value: 'production' },
{ Key: 'Application', Value: 'api' }
]
});
const response = await rdsClient.send(command);
return response.DBInstance;
};
// Describe database
const describeDatabase = async (dbInstanceId) => {
const command = new DescribeDBInstancesCommand({
DBInstanceIdentifier: dbInstanceId
});
const response = await rdsClient.send(command);
return response.DBInstances[0];
};
CloudFormation
Infrastructure as Code (IaC) service for defining and provisioning AWS resources.
CloudFormation Template
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Full-stack web application infrastructure'
Parameters:
Environment:
Type: String
Default: production
AllowedValues:
- development
- staging
- production
Resources:
# S3 Bucket for static assets
AssetsBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub '${AWS::StackName}-assets-${Environment}'
VersioningConfiguration:
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
# DynamoDB Table
UsersTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: !Sub '${AWS::StackName}-users-${Environment}'
BillingMode: PAY_PER_REQUEST
AttributeDefinitions:
- AttributeName: userId
AttributeType: S
- AttributeName: email
AttributeType: S
KeySchema:
- AttributeName: userId
KeyType: HASH
GlobalSecondaryIndexes:
- IndexName: EmailIndex
KeySchema:
- AttributeName: email
KeyType: HASH
Projection:
ProjectionType: ALL
StreamSpecification:
StreamViewType: NEW_AND_OLD_IMAGES
# Lambda Execution Role
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: DynamoDBAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:Query
Resource: !GetAtt UsersTable.Arn
# Lambda Function
ApiFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: !Sub '${AWS::StackName}-api-${Environment}'
Runtime: nodejs20.x
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Code:
ZipFile: |
exports.handler = async (event) => {
return {
statusCode: 200,
body: JSON.stringify({ message: 'Hello from Lambda!' })
};
};
Environment:
Variables:
TABLE_NAME: !Ref UsersTable
BUCKET_NAME: !Ref AssetsBucket
ENVIRONMENT: !Ref Environment
Timeout: 30
MemorySize: 512
# API Gateway
RestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Sub '${AWS::StackName}-api-${Environment}'
Description: REST API for application
ApiResource:
Type: AWS::ApiGateway::Resource
Properties:
RestApiId: !Ref RestApi
ParentId: !GetAtt RestApi.RootResourceId
PathPart: users
ApiMethod:
Type: AWS::ApiGateway::Method
Properties:
RestApiId: !Ref RestApi
ResourceId: !Ref ApiResource
HttpMethod: GET
AuthorizationType: NONE
Integration:
Type: AWS_PROXY
IntegrationHttpMethod: POST
Uri: !Sub 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${ApiFunction.Arn}/invocations'
ApiDeployment:
Type: AWS::ApiGateway::Deployment
DependsOn: ApiMethod
Properties:
RestApiId: !Ref RestApi
StageName: !Ref Environment
LambdaApiPermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !Ref ApiFunction
Action: lambda:InvokeFunction
Principal: apigateway.amazonaws.com
SourceArn: !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${RestApi}/*'
Outputs:
ApiUrl:
Description: API Gateway URL
Value: !Sub 'https://${RestApi}.execute-api.${AWS::Region}.amazonaws.com/${Environment}'
Export:
Name: !Sub '${AWS::StackName}-api-url'
BucketName:
Description: S3 Bucket Name
Value: !Ref AssetsBucket
Export:
Name: !Sub '${AWS::StackName}-bucket-name'
TableName:
Description: DynamoDB Table Name
Value: !Ref UsersTable
Export:
Name: !Sub '${AWS::StackName}-table-name'
CloudFormation Operations
import {
CloudFormationClient,
CreateStackCommand,
DescribeStacksCommand,
UpdateStackCommand,
DeleteStackCommand
} from '@aws-sdk/client-cloudformation';
import { readFileSync } from 'fs';
const cfClient = new CloudFormationClient({ region: 'us-east-1' });
// Create stack
const createStack = async (stackName, templatePath, parameters = {}) => {
const templateBody = readFileSync(templatePath, 'utf8');
const command = new CreateStackCommand({
StackName: stackName,
TemplateBody: templateBody,
Parameters: Object.entries(parameters).map(([key, value]) => ({
ParameterKey: key,
ParameterValue: value
})),
Capabilities: ['CAPABILITY_IAM'],
Tags: [
{ Key: 'ManagedBy', Value: 'CloudFormation' },
{ Key: 'Application', Value: 'MyApp' }
]
});
const response = await cfClient.send(command);
return response.StackId;
};
// Get stack status
const getStackStatus = async (stackName) => {
const command = new DescribeStacksCommand({
StackName: stackName
});
const response = await cfClient.send(command);
const stack = response.Stacks[0];
return {
status: stack.StackStatus,
outputs: stack.Outputs || []
};
};
Best Practices
Security
IAM Best Practices
- Enable MFA for root and privileged accounts
- Use IAM roles instead of access keys
- Apply least privilege principle
- Rotate credentials regularly
- Use IAM Access Analyzer to identify overly permissive policies
- Enable CloudTrail for audit logging
Data Encryption
- Encrypt data at rest (S3, EBS, RDS, DynamoDB)
- Use SSL/TLS for data in transit
- Store secrets in AWS Secrets Manager or Parameter Store
- Use KMS for encryption key management
Network Security
- Use VPCs for network isolation
- Implement security groups and NACLs
- Enable VPC Flow Logs
- Use AWS WAF for web application protection
- Implement DDoS protection with AWS Shield
Cost Optimization
Compute
- Use Auto Scaling to match capacity to demand
- Choose appropriate instance types and sizes
- Use Spot Instances for fault-tolerant workloads
- Leverage Lambda for event-driven workloads
- Use Savings Plans and Reserved Instances for steady-state workloads
Storage
- Implement S3 lifecycle policies
- Use appropriate storage classes
- Enable S3 Intelligent-Tiering
- Delete unused EBS volumes and snapshots
- Use compression and deduplication
Database
- Right-size database instances
- Use read replicas to offload read traffic
- Enable DynamoDB auto-scaling
- Use Aurora Serverless for variable workloads
- Archive old data to cheaper storage
Performance
Application Design
- Implement caching (ElastiCache, CloudFront)
- Use content delivery networks (CloudFront)
- Optimize database queries and indexes
- Implement connection pooling
- Use async/parallel operations
Monitoring and Optimization
- Use CloudWatch for metrics and alarms
- Implement X-Ray for distributed tracing
- Set up performance budgets
- Conduct regular performance testing
- Use AWS Compute Optimizer recommendations
Reliability
High Availability
- Deploy across multiple Availability Zones
- Use Auto Scaling for automatic recovery
- Implement health checks and automatic failover
- Use Route 53 for DNS-based failover
- Design for graceful degradation
Disaster Recovery
- Implement automated backups
- Test recovery procedures regularly
- Use multi-region replication for critical data
- Document recovery time objectives (RTO) and recovery point objectives (RPO)
- Implement chaos engineering practices
Error Handling
- Implement retry logic with exponential backoff
- Use dead letter queues for failed messages
- Set up CloudWatch alarms for errors
- Implement circuit breakers
- Log errors comprehensively
Operational Excellence
Infrastructure as Code
- Version control all infrastructure code
- Use CloudFormation or CDK for resource provisioning
- Implement CI/CD for infrastructure changes
- Use stack sets for multi-account/region deployments
- Validate templates before deployment
Monitoring and Logging
- Centralize logs with CloudWatch Logs
- Set up custom metrics and dashboards
- Implement log aggregation and analysis
- Use CloudTrail for API auditing
- Set up alarms for critical metrics
Automation
- Automate deployments with CodePipeline
- Use Systems Manager for patch management
- Implement automated scaling policies
- Use Lambda for operational tasks
- Automate backup and recovery procedures
Skill Version: 1.0.0 Last Updated: October 2025 Skill Category: Cloud Infrastructure, Serverless, Database, DevOps Compatible With: AWS SDK v3, CloudFormation, AWS CLI, Terraform