AWS has everything to offer for building applications in the cloud. They have so many services. So many I’m too lazy to count. The sheer number of services on their main documentation page is intimidating. I remember when I first started learning AWS. I had more questions than answers.
Where do I start?
How do I do X?
Where do I find documentation on Y?
How can I try service Z out without paying anything or much at all?
Should I use this or that service for my application?
This guide will point you in the direction to answer these questions. Let’s break down what I’ll be talking about:
introduce common AWS services you’ll most likely use
discuss best practices to build a foundation to build upon
provide links to common documentation and guides so you know where to look for things
suggest resources and tasks vital to the development and operations of your applications
This guide will not:
provide a step-by-step guide to building applications
provide in-depth coverage of AWS services
Let's get to it.
Create an Account
Services involved: IAM
Start by creating an AWS account with a very strong unique password. This will create an account and a root user. The root user, by default, is granted full administrative privileges. This means this user can do whatever they want. No worries. Later on, you'll create yourself an IAM user with fewer privileges and use that instead.
Enable MFA for the Root User
Immediately enable MFA for the root user to lock it down. After this, you'll rarely use this user to perform anything other than managing the root user, billing information, and other privileged administrative tasks.
Create a Billing Alarm
Services involved: CloudWatch and SNS
Create a billing alarm to get notified when your monthly bill exceeds an amount you configure. If you're testing out services that accrue charges and forget to stop or terminate them, they will continue to accrue charges. Some examples include a running EC2 instance and data left stored in S3 and EBS. I’ve heard horror stories of people unknowingly racking up a thousand-dollar bill overnight. Seriously, just follow the AWS or DevOps Subreddit.
How does it work? CloudWatch, the application and infrastructure monitoring service, will monitor your billing report and trigger SNS, Simple Notification Service, to notify you through email when a threshold is exceeded.
When you get that scary email you can quickly log in to the AWS Console to investigate and take action to prevent any further charges. Shoots, I have an alarm on one of my sandbox personal accounts set to a $1 threshold because I know it should never exceed that. If it does I know I overlooked something.
Remember, all services charge differently so make sure you understand how the service charges money before using it. Some services are free, others charge for what and how much you use, and others charge by how much time you use it for.
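As an added example (not part of the original post), here is a CloudFormation template that wires up the CloudWatch alarm and SNS topic just described, so the alarm is reproducible instead of clicked together in the Console. It assumes an e-mail address and a dollar threshold supplied as parameters. Two things it relies on: the EstimatedCharges metric is only published in the us-east-1 region, so the stack must be deployed there, and the account's Billing preferences must have "Receive Billing Alerts" enabled before the metric carries any data.

```yaml
# Added example, not from the original post: SNS topic + e-mail subscription +
# CloudWatch billing alarm. Deploy in us-east-1 (billing metrics live only there)
# after enabling "Receive Billing Alerts" in the Billing preferences.
AWSTemplateFormatVersion: "2010-09-09"
Description: E-mail an alert when estimated monthly AWS charges exceed a threshold

Parameters:
  AlertEmail:
    Type: String
    Description: Address that receives the alarm (SNS sends a confirmation mail first)
  ThresholdUsd:
    Type: Number
    Default: 1
    Description: Estimated monthly charge in USD above which the alarm fires

Resources:
  BillingAlertTopic:
    Type: AWS::SNS::Topic

  BillingAlertSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref BillingAlertTopic
      Protocol: email
      Endpoint: !Ref AlertEmail

  EstimatedChargesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: estimated-charges-exceeded
      AlarmDescription: !Sub "Estimated AWS charges exceeded ${ThresholdUsd} USD this month"
      Namespace: AWS/Billing
      MetricName: EstimatedCharges
      Dimensions:
        - Name: Currency
          Value: USD
      # Billing data is published only every few hours, so evaluate the
      # maximum over a 6-hour window and do not alarm on gaps between points.
      Statistic: Maximum
      Period: 21600
      EvaluationPeriods: 1
      Threshold: !Ref ThresholdUsd
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref BillingAlertTopic
```

Deploy it with the CLI, for example `aws cloudformation deploy --region us-east-1 --stack-name billing-alarm --template-file billing-alarm.yaml --parameter-overrides AlertEmail=you@example.com ThresholdUsd=1`, then click the confirmation link in the e-mail SNS sends. Until the subscription is confirmed the alarm still transitions to ALARM, but nothing is delivered, so check the subscription status in the SNS console if you never receive a test message.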
Get Familiar with IAM
Services involved: IAM
IAM is the Identity and Access Management service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
Everything you do in AWS will first be authorized by IAM. When you click a button in the AWS console, make an API request to AWS within your app, or send a CLI request, it will first go through IAM to confirm you, or the person or application making the request, are authorized.
It is easy to initially ignore IAM since it's not the most exciting service. However, don't do this. You'll quickly face errors when trying to do the simplest things with other services. Nearly all services depend on IAM so learn it well.
So go through the IAM documentation and follow the recommended best practices.
Create a Non-Root User
Now that you know the basics of IAM, create another IAM user for yourself to use. Provide this user the minimum necessary IAM permissions to perform the tasks you need to perform.
How do you know what permissions you need? Consider what you’re trying to build on AWS, research the IAM permissions that your user needs, and give your user the permissions. Repeat this until you’re satisfied. This cyclical process will be tedious but you’ll get a good grasp of how IAM works.
If for some reason this user ever gets compromised, you can always use the root user to take action.
If you’re part of an organization that uses SSO it’s strongly recommended to use that instead of creating individual IAM users. If you don’t know what SSO is don’t worry about this advice at the moment.
Take Advantage of the Free-Tier Offering
AWS offers some services for free forever, for a free trial, and for the first 12 months of signing up. As a new user make sure to take advantage of all of these offerings, especially those that expire within 12 months.
Still, read the pricing fine print. AWS documentation may say the service you’re viewing is free but ancillary services incur charges. For example, a virtual private cloud (VPC) is free but if you want to monitor the network traffic you get charged.
Utilize the Various Tools to Interact with AWS Services
Services involved: Console, CLI, and SDK
You can interact with AWS in four ways:
through the AWS Console (e.g., the web application at aws.amazon.com)
through the AWS CLI tool
through the AWS SDK in your favorite programming language
through the AWS API (very rarely will you use this approach)
The AWS Console is:
great for beginners to get a feel for how AWS looks and feels
great for visually interacting with AWS
great for testing out services through a step-by-step user interface
great for performing administrative tasks such as those you can only perform within the Console
not so great for automating tasks, since operations are performed manually, making them harder to reproduce
The AWS CLI is:
great for interacting with AWS through the command line
great for automating tasks and scripting
great for CI/CD and DevOps
The AWS SDK is:
great for interacting with AWS within application code
Other commonly used third-party tools such as Terraform, Packer, and Ansible will leverage the AWS SDKs or APIs and perform operations on your behalf.
All of these approaches will require valid IAM credentials for the tool to work.
Start Leveraging “Infrastructure-as-Code” Extensively
It is atypical that an application on AWS requires the use of only one AWS service. Creating applications requires using many of them together. For example, you might use EC2, S3, IAM, and RDS to encompass your application.
If you’re creating this application in the AWS Console it can be tedious to tie all these services together. It’s even harder to remember all the steps you took once you’ve finished. Once you feel this pain or want to skip it entirely I recommend leveraging “Infrastructure-as-Code” or IaC.
What if you could provide AWS a file that declares the details of the resources you want created and include how they should interact with each other? You could and this is how IaC works.
AWS offers CloudFormation as their IaC service. You provide it a JSON or YAML file and AWS CloudFormation handles the provisioning and configuration of all the resources declared in that file. You could write a template that declares something like this:
a load-balanced auto-scaled set of EC2 instances
an S3 bucket
IAM permissions for the EC2 instances to write pictures and videos to the S3 bucket
a PostgreSQL RDS DB
You may have heard of similar tools like AWS CDK, HashiCorp’s Terraform, and Pulumi. How do these compare? They achieve the same goals but in different ways. For Terraform you write in HashiCorp’s configuration language, HCL. For AWS CDK and Pulumi you write in your favorite programming language. In each case, you submit the file to the tool and it provisions the infrastructure on your behalf.
I use and recommend Terraform but I advise you to look into each to see which fits you best. If you like YAML and JSON consider CloudFormation. If you want to use your favorite programming language consider CDK or Pulumi.
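As an added example (not the post's own template), here is a CloudFormation template covering two of the four items listed above: the S3 bucket, and the IAM permissions that let the EC2 instances write pictures and videos into it. It also illustrates the least-privilege advice from the "Create a Non-Root User" section, applied to a machine identity instead of a person: the role trusts only the EC2 service, and its policy allows only s3:PutObject under two prefixes of this one bucket. The load balancer, auto-scaling group, and RDS database are left out to keep it short; the bucket name and prefixes are assumed values.

```yaml
# Added example, not from the original post: media bucket plus a least-privilege
# instance role for the EC2 uploaders. Bucket name and prefixes are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Media bucket and a write-only instance role for EC2 uploaders

Resources:
  MediaBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Bucket names are global; the account ID keeps this one unique.
      BucketName: !Sub "media-uploads-${AWS::AccountId}"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  UploaderRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EC2 service can assume this role, so no
      # long-lived access keys need to live on the instances.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: write-media-objects
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Write only, and only under pictures/ and videos/ in this bucket.
              # No s3:GetObject, no s3:ListBucket, no "Resource: *".
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - !Sub "${MediaBucket.Arn}/pictures/*"
                  - !Sub "${MediaBucket.Arn}/videos/*"

  UploaderInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref UploaderRole

Outputs:
  BucketName:
    Value: !Ref MediaBucket
  InstanceProfileName:
    Description: Attach this to the launch template of the auto-scaled EC2 instances
    Value: !Ref UploaderInstanceProfile
```

Deploying a template that creates IAM resources requires acknowledging it, for example `aws cloudformation deploy --stack-name media-uploads --template-file media-uploads.yaml --capabilities CAPABILITY_IAM`. When the instances later fail with an AccessDenied error, that is the "research the permissions, add them, repeat" loop from the IAM section in action: widen the policy one action or one prefix at a time rather than reaching for s3:* or a wildcard resource.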
Bookmark Essential AWS Documentation Reference
It's impossible to remember all the APIs, SDK functions, IAM policies, and CloudFormation resources and property types. Below is essential documentation I commonly visit. I suggest you bookmark each for quick reference.
AWS Services Documentation - the central hub for documentation on all AWS services
AWS CLI Reference - documentation on the AWS CLI
AWS SDK Reference - documentation on the various AWS SDKs
AWS Service ARNs and Namespaces - documentation on the Amazon Resource Names that uniquely identify AWS resources
AWS IAM Policy Reference - documentation on all IAM policies
AWS Resource and Property Types Reference - documentation for all resource and property types supported by CloudFormation
Where to Next?
Follow the documentation depending on what you're trying to build. Refer to your documentation bookmarks when you need clarification on a service. Here are some common AWS services you may be interested in investigating next:
AWS EC2 is a compute service that offers virtual servers. Look into EC2 if you want to work directly with a virtual server.
AWS S3 is an object storage service. You can use it to store nearly anything from text and binary files, pictures, videos, and more.
AWS DynamoDB is a NoSQL database service.
AWS RDS is a SQL database service.
AWS Elastic Beanstalk is a compute service that lets you deploy and manage applications without having to manage infrastructure. You simply upload your application, and the service handles the details of capacity provisioning, load balancing, scaling, and application health monitoring. This service is often compared to Heroku.
AWS ECS is a container management service that makes it easy to run, stop, and manage Docker containers on a cluster. If you're interested in distributed Docker systems ECS may be of interest to you. Look into Fargate too!
Now I’ve got a question for you. What service do you want to learn more about?