# AWS Essentials

EC2, S3, RDS, CloudFront, IAM, ECS, Lambda -- key patterns for web apps.

## IAM (Identity & Access Management)
- **User**: long-term credentials for humans. Use MFA.
- **Role**: short-term credentials for services (EC2, Lambda, ECS). Prefer over keys.
- **Policy**: JSON document granting permissions. Principle of least privilege.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}
```
- Never hardcode AWS credentials. Use IAM roles or `~/.aws/credentials`.
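The policy above is only least-privilege if it really grants nothing more than those two object actions on that one bucket. The following TypeScript is an added example, not code from the page or from AWS: it evaluates a policy offline the way IAM does (explicit Deny wins, then Allow, otherwise implicit deny, with `*`/`?` wildcards and case-insensitive action names) and lints it for over-broad grants before it is attached to a role. The two policies at the bottom are constructed for the example; `lintPolicy` and `evaluate` are this example's own names, not an AWS API.

```typescript
// Added example (not from the page or AWS): evaluate an IAM identity policy
// offline and lint it for over-broad grants before attaching it to a role.

type Effect = 'Allow' | 'Deny'
interface Statement {
  Sid?: string
  Effect: Effect
  Action: string | string[]
  Resource: string | string[]
}
interface Policy {
  Version?: string
  Statement: Statement[]
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v])

// IAM patterns support * (any run of characters) and ? (one character); everything else is literal.
function patternToRegex(pattern: string, flags = ''): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.')
  return new RegExp(`^${escaped}$`, flags)
}

// Action names are matched case-insensitively; resource ARNs are case-sensitive.
function statementMatches(s: Statement, action: string, resource: string): boolean {
  const actionHit = asList(s.Action).some(a => patternToRegex(a, 'i').test(action))
  const resourceHit = asList(s.Resource).some(r => patternToRegex(r).test(resource))
  return actionHit && resourceHit
}

// Core IAM rule: an explicit Deny always wins, an Allow must match, anything else is implicitly denied.
function evaluate(policy: Policy, action: string, resource: string): 'allow' | 'deny' {
  const matched = policy.Statement.filter(s => statementMatches(s, action, resource))
  if (matched.some(s => s.Effect === 'Deny')) return 'deny'
  return matched.some(s => s.Effect === 'Allow') ? 'allow' : 'deny'
}

// Least-privilege lint: each finding names a grant wider than a web app normally needs.
function lintPolicy(policy: Policy): string[] {
  const findings: string[] = []
  if (policy.Version !== '2012-10-17') {
    findings.push('missing "Version": "2012-10-17" (the older default disables policy variables)')
  }
  policy.Statement.forEach((s, i) => {
    if (s.Effect !== 'Allow') return
    const label = s.Sid ?? `Statement[${i}]`
    if (asList(s.Action).includes('*')) findings.push(`${label}: Action "*" grants every API call`)
    if (asList(s.Action).some(a => /^[a-z0-9-]+:\*$/i.test(a))) findings.push(`${label}: service-wide action wildcard`)
    if (asList(s.Resource).includes('*')) findings.push(`${label}: Resource "*" applies to every resource`)
  })
  return findings
}

// Constructed policies: the page's bucket grant plus a Deny on a secrets prefix, and an admin-style grant.
const appPolicy: Policy = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'BucketRW', Effect: 'Allow', Action: ['s3:GetObject', 's3:PutObject'], Resource: 'arn:aws:s3:::my-bucket/*' },
    { Sid: 'NoSecrets', Effect: 'Deny', Action: 's3:*', Resource: 'arn:aws:s3:::my-bucket/secrets/*' },
  ],
}
const adminPolicy: Policy = {
  Statement: [{ Effect: 'Allow', Action: '*', Resource: '*' }],
}

console.log(evaluate(appPolicy, 's3:GetObject', 'arn:aws:s3:::my-bucket/photos/cat.jpg'))  // allow
console.log(evaluate(appPolicy, 's3:GetObject', 'arn:aws:s3:::my-bucket/secrets/db.env'))  // deny
console.log(lintPolicy(adminPolicy))
```

Note that `s3:ListBucket` on `arn:aws:s3:::my-bucket` is denied by `appPolicy`: the bucket ARN has no `/` suffix, so the `my-bucket/*` resource does not cover it. That mismatch is a common source of "why does my app get AccessDenied on listing" tickets, and the evaluator surfaces it before deployment.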

## EC2
```bash
# Launch: choose AMI (Ubuntu 22.04), instance type (t3.micro free tier)
# Key pair -> download .pem
chmod 400 key.pem            # ssh refuses a private key that other users can read
ssh -i key.pem ubuntu@<public-ip>

# Allocate Elastic IP for stable public IP
# Security Groups = firewall (inbound: 22, 80, 443)
```

## S3
```bash
aws s3 mb s3://my-bucket
aws s3 cp file.txt s3://my-bucket/
aws s3 sync ./dist s3://my-bucket --delete
aws s3 presign s3://my-bucket/file.txt --expires-in 3600
```
```ts
// Node.js SDK v3 (ESM module, so top-level await is allowed). Credentials come
// from the default provider chain (IAM role, env vars, ~/.aws/credentials), never from code.
import { readFile } from 'node:fs/promises'
import { S3Client, PutObjectCommand } from '@aws-sdk/client-s3'

const s3 = new S3Client({ region: 'ap-east-1' })
const buffer = await readFile('./photo.jpg')   // Body accepts a Buffer, string or stream
await s3.send(new PutObjectCommand({
  Bucket: 'my-bucket', Key: 'path/photo.jpg',
  Body: buffer, ContentType: 'image/jpeg',
}))
```
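`aws s3 presign` hides what a presigned URL actually is: a SigV4 signature over the host, path, expiry and credential scope, so anyone holding the URL can fetch the object until `X-Amz-Expires` runs out, and no part of it can be altered without invalidating the signature. The TypeScript below is an added example written for this page, not the AWS SDK's presigner: it builds a presigned GET URL from scratch with Node's `crypto` module and reads the validity window back out of any presigned URL. Assumptions: GET only, virtual-hosted-style endpoint, long-term access keys (temporary role credentials would also need an `X-Amz-Security-Token` parameter, which this omits). The credentials and timestamp at the bottom are AWS's published SigV4 documentation example values, not real keys.

```typescript
// Added example (not from the page or the AWS SDK): S3 presigned GET URL via
// SigV4 query-string auth, plus a reader for the validity window of such a URL.
import { createHash, createHmac } from 'node:crypto'

const sha256Hex = (data: string): string => createHash('sha256').update(data, 'utf8').digest('hex')
const hmac = (key: Buffer | string, data: string): Buffer => createHmac('sha256', key).update(data, 'utf8').digest()

// SigV4 URI encoding: unreserved characters stay literal, everything else becomes %XX (uppercase).
function uriEncode(value: string, keepSlash = false): string {
  let out = ''
  for (const ch of value) {
    if (/^[A-Za-z0-9\-_.~]$/.test(ch) || (keepSlash && ch === '/')) out += ch
    else out += Array.from(Buffer.from(ch, 'utf8'), b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('')
  }
  return out
}

interface PresignOptions {
  bucket: string
  key: string
  region: string
  accessKeyId: string
  secretAccessKey: string
  expiresIn: number   // seconds; SigV4 caps a presigned URL at 604800 (7 days)
  now?: Date          // injectable so the output is reproducible
  host?: string       // defaults to the regional virtual-hosted-style endpoint
}

function presignGetObject(o: PresignOptions): string {
  if (!Number.isInteger(o.expiresIn) || o.expiresIn < 1 || o.expiresIn > 604800) {
    throw new RangeError('expiresIn must be between 1 and 604800 seconds')
  }
  const now = o.now ?? new Date()
  const amzDate = now.toISOString().replace(/[-:]/g, '').replace(/\.\d{3}/, '')  // e.g. 20130524T000000Z
  const date = amzDate.slice(0, 8)
  const scope = `${date}/${o.region}/s3/aws4_request`
  const host = o.host ?? `${o.bucket}.s3.${o.region}.amazonaws.com`
  const canonicalUri = '/' + uriEncode(o.key, true)

  // Every parameter below is covered by the signature, so none can be altered after issue.
  const params: Record<string, string> = {
    'X-Amz-Algorithm': 'AWS4-HMAC-SHA256',
    'X-Amz-Credential': `${o.accessKeyId}/${scope}`,
    'X-Amz-Date': amzDate,
    'X-Amz-Expires': String(o.expiresIn),
    'X-Amz-SignedHeaders': 'host',
  }
  const canonicalQuery = Object.keys(params).sort()
    .map(k => `${uriEncode(k)}=${uriEncode(params[k])}`).join('&')
  const canonicalRequest = ['GET', canonicalUri, canonicalQuery, `host:${host}\n`, 'host', 'UNSIGNED-PAYLOAD'].join('\n')
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n')

  // Derived signing key: the long-term secret never appears in the URL, only this HMAC chain's output does.
  const kSigning = hmac(hmac(hmac(hmac('AWS4' + o.secretAccessKey, date), o.region), 's3'), 'aws4_request')
  const signature = hmac(kSigning, stringToSign).toString('hex')
  return `https://${host}${canonicalUri}?${canonicalQuery}&X-Amz-Signature=${signature}`
}

// Defender-side check for a presigned URL seen in logs or a ticket: when was it issued and for how long?
function presignedWindow(url: string): { issuedAt: Date; expiresAt: Date; expiresIn: number } {
  const q = new URL(url).searchParams
  const d = q.get('X-Amz-Date') ?? ''
  const e = q.get('X-Amz-Expires') ?? ''
  if (!/^\d{8}T\d{6}Z$/.test(d) || !/^\d+$/.test(e)) throw new Error('not a SigV4 presigned URL')
  const issuedAt = new Date(`${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}T${d.slice(9, 11)}:${d.slice(11, 13)}:${d.slice(13, 15)}Z`)
  const expiresIn = Number(e)
  return { issuedAt, expiresAt: new Date(issuedAt.getTime() + expiresIn * 1000), expiresIn }
}

// AWS's published SigV4 documentation vector (example credentials from the AWS docs, not real ones).
const docsExample: PresignOptions = {
  bucket: 'examplebucket', key: 'test.txt', region: 'us-east-1',
  accessKeyId: 'AKIAIOSFODNN7EXAMPLE', secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  expiresIn: 86400, now: new Date('2013-05-24T00:00:00Z'), host: 'examplebucket.s3.amazonaws.com',
}
const docsVectorUrl = presignGetObject(docsExample)
console.log(docsVectorUrl)
console.log(presignedWindow(docsVectorUrl))
```

The `RangeError` guard is the practical control: issuing code should pass the shortest `expiresIn` the use case tolerates (the page's 3600 is a sensible default for downloads), and `presignedWindow` is what you run over a leaked URL to decide whether it is already dead or needs the owning key rotated.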

## CloudFront (CDN)
- Origin: S3 bucket or EC2/ALB
- Distribution -> Domain -> HTTPS with ACM certificate
- Cache behaviors by path pattern
- Invalidation: `aws cloudfront create-invalidation --distribution-id XXX --paths "/*"`
- Use for static site hosting: S3 + CloudFront = free tier + global CDN

## RDS
```bash
# Create: choose engine (PostgreSQL 16), instance (db.t3.micro)
# VPC: place in private subnet, only accessible from EC2/ECS
# Enable automated backups (7-day retention)
# Multi-AZ for production (standby replica)
```
Connection string: `postgresql://user:pass@rds-endpoint:5432/dbname`

## ECS (Elastic Container Service)
Task definition (Fargate; the execution role is what lets ECS pull the ECR image and write to CloudWatch Logs):
```json
{
  "family": "api",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "256",
  "memory": "512",
  "executionRoleArn": "arn:aws:iam::123456:role/ecsTaskExecutionRole",
  "containerDefinitions": [{
    "name": "api",
    "image": "123456.dkr.ecr.ap-east-1.amazonaws.com/api:latest",
    "essential": true,
    "portMappings": [{ "containerPort": 3000 }],
    "environment": [{ "name": "NODE_ENV", "value": "production" }],
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/api",
        "awslogs-region": "ap-east-1",
        "awslogs-stream-prefix": "ecs"
      }
    }
  }]
}
```
- Push to ECR: `aws ecr get-login-password | docker login --username AWS --password-stdin <ecr-url>`
- Fargate: serverless containers (no EC2 to manage)

## Lambda
```ts
// Types come from the @types/aws-lambda package (import is type-only, so nothing is bundled)
import type { APIGatewayProxyEvent, APIGatewayProxyResult } from 'aws-lambda'

// API Gateway proxy integration: the handler returns the HTTP response object directly
export const handler = async (event: APIGatewayProxyEvent): Promise<APIGatewayProxyResult> => ({
  statusCode: 200,
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ message: 'Hello', path: event.path }),
})
```
- Triggers: API Gateway, S3 events, SQS, EventBridge, CloudWatch cron
- Cold start: keep functions warm or use provisioned concurrency
- Layers: shared dependencies
- 15-min max timeout, 10GB RAM max

## Cost tips
- Use Cost Explorer + billing alerts.
- Stop/terminate unused EC2.
- S3 lifecycle rules: move old objects to Glacier.
- Reserved Instances / Savings Plans for predictable workloads (up to 72% discount).
