Introduction To Aws Services

Tags: #Cloud #AWS #Serverless #EC2 #S3

Navigating AWS Services: Laying the Groundwork for Scalable Cloud Architectures

Cloud infrastructure decisions get complicated fast. AWS now offers over 200 services, but a few key components drive the vast majority of production workloads. Focusing here builds operational fluency and reduces onboarding friction for new projects and teams.

Below: the essential patterns—compute, storage, networking, and monitoring—using practical, non-trivial configurations. Each section includes actual commands or config, a gotcha to watch for, and how established teams approach trade-offs.


Compute: EC2 and Lambda Are Not Interchangeable

EC2 – Persistent, Customizable VM Workloads

Bash script deployment? Legacy dependencies? EC2 provides persistent VMs with granular control at the OS and network layer.

Standard Pattern:

  • OS: Amazon Linux 2 (ami-0c02fb55956c7d316 is a us-east-1 ID; AMI IDs are region-specific and rotate, so resolve the current one from the public SSM parameter /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2, and plan the move to Amazon Linux 2023 since AL2 reaches end of life in June 2025)
  • Instance profile (IAM role) with minimum privileges, and IMDSv2 required so a web-app SSRF cannot read the role's credentials from the metadata service
  • User-data script for an immutable bootstrap (it runs once, as root, at first boot)

Create, bootstrap, test connectivity:

# Launch from the CLI (--client-token makes retries idempotent; HttpTokens=required enforces IMDSv2)
aws ec2 run-instances --image-id ami-0c02fb55956c7d316 --instance-type t3.micro \
  --key-name your-key --security-group-ids sg-xxxxxx \
  --iam-instance-profile Name=your-instance-profile \
  --metadata-options HttpTokens=required --client-token deploy-20240601 \
  --user-data file://setup.sh

# sample setup.sh content (runs once, as root, at first boot; output lands in /var/log/cloud-init-output.log):
#!/bin/bash
set -euo pipefail
yum -y update
yum -y install httpd
systemctl enable --now httpd
echo "EC2 baseline $(date)" > /var/www/html/index.html

Note: EC2 does not patch itself. Schedule OS updates through your CI/CD pipeline or SSM Patch Manager, and prefer rebuilding from a fresh AMI over patching long-lived instances in place. SSM Session Manager also removes the need for the SSH key pair and an open port 22 altogether.

Common use cases: long-lived backend services, self-hosted CI runners, customized security environments.

Lambda – Stateless, Event-Driven Compute

Lambda abstracts away the entire server lifecycle. Popular for event-driven workloads (e.g., S3 triggers, REST APIs via API Gateway). Maximum execution time per invocation is 15 minutes (latest at time of writing).

Stub example—Python 3.10 runtime:

import json


def handler(event, context):
    # Event shape depends on the trigger (S3 notification, API Gateway request, ...).
    # Anything printed goes to CloudWatch Logs, so avoid dumping events that carry user data.
    print(json.dumps(event))
    return {"statusCode": 200, "body": "Lambda baseline"}

Performance caveat: Non-trivial cold starts. For <500ms latency requirements, pre-warm or use Provisioned Concurrency (cost trade-off).
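The stub above only echoes the event. The handler below, added here as an example rather than code from the original post, parses the notification shape an S3 bucket trigger actually delivers: it keeps only ObjectCreated records, URL-decodes the key (S3 encodes spaces as "+" in notifications, a frequent cause of NoSuchKey errors when the raw key is passed to GetObject), refuses records from any bucket other than the one wired to the function, and drops keys that would escape a /tmp working directory. The sample event, bucket name and allow-list are constructed for the example.

```python
import json
import urllib.parse

# Constructed sample in the shape S3 delivers to a Lambda trigger (not captured from a real account).
# S3 URL-encodes object keys in notifications: the object "reports/q2 2024.csv" arrives as below.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventSource": "aws:s3",
            "eventName": "ObjectCreated:Put",
            "s3": {
                "bucket": {"name": "my-unique-company-bucket-202406"},
                "object": {"key": "reports/q2+2024.csv", "size": 2048},
            },
        }
    ]
}

# Assumption: the only bucket whose notifications are wired to this function.
ALLOWED_BUCKETS = {"my-unique-company-bucket-202406"}


def extract_objects(event, allowed_buckets=ALLOWED_BUCKETS):
    """Return (bucket, decoded_key) pairs for ObjectCreated records from allowed buckets.

    Records from other buckets are skipped: anyone able to point a notification at this
    function's ARN could otherwise feed it arbitrary keys. Keys are attacker-controlled
    whenever uploads are, so anything that could escape a /tmp/<key> path is skipped too.
    """
    objects = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        if bucket not in allowed_buckets:
            continue
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        if key.startswith("/") or ".." in key.split("/"):
            continue
        objects.append((bucket, key))
    return objects


def handler(event, context):
    found = extract_objects(event)
    for bucket, key in found:
        # One JSON line per object: easy to query later with CloudWatch Logs Insights
        print(json.dumps({"bucket": bucket, "key": key}))
    return {"statusCode": 200, "body": json.dumps({"processed": len(found)})}


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, None))
```

Wire the real function to exactly one bucket and prefix in the notification configuration as well; the in-code allow-list is defence in depth, not a substitute for that.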


Storage: S3 for Objects, EBS for Block Devices

S3: Durable Object Storage, Used Everywhere

S3 objects can be up to 5 TB (anything over 5 GB must go through multipart upload rather than a single PUT); if it fits, use S3. For static site hosting, enable Static website hosting in bucket properties, but note the website endpoint serves plain HTTP only, so put CloudFront in front of it for TLS. Bucket names are globally unique across all AWS accounts, so expect collisions on generic names.

CLI example:

aws s3 mb s3://my-unique-company-bucket-202406 --region us-east-1
aws s3 cp index.html s3://my-unique-company-bucket-202406/

Permissions gotcha: buckets are private by default, and since April 2023 new buckets also ship with Block Public Access enabled and ACLs disabled. Making objects public therefore takes two deliberate steps: relax Block Public Access, then add a bucket policy granting s3:GetObject. In most designs you should do neither; serve the bucket through CloudFront instead.

Advanced: S3 versioning can be a lifesaver after accidental deletes and overwrites, but incurs extra storage costs (add a lifecycle rule to expire old versions). It does not stop a principal holding s3:DeleteObjectVersion from purging history; for that, look at MFA delete or Object Lock.

EBS: High-Performance Disk Attached to EC2

Attach an EBS volume for database workloads or writes-intensive applications.

# Create an encrypted gp3 volume in the same AZ as the instance (volumes cannot cross AZs)
aws ec2 create-volume --size 20 --availability-zone us-east-1a --volume-type gp3 --encrypted

# Attach it (device name as seen by the API; Nitro instances expose it as /dev/nvme1n1, older ones as /dev/xvdh)
aws ec2 attach-volume --volume-id vol-xxxxxx --instance-id i-xxxxxx --device /dev/sdh

# On the instance: format once (mkfs destroys existing data), then mount
sudo mkfs.xfs /dev/xvdh
sudo mount /dev/xvdh /mnt/data

Known issue: detaching an EBS volume that is still mounted, without unmounting at the OS level first, can leave the filesystem inconsistent. Unmount, then detach.


Networking: VPC, Security Groups, Load Balancing

VPC: Isolated, Programmable Cloud Networks

Define CIDR ranges, create subnets for different functional zones (public, private). For first deployments, use default VPC but move to custom VPC with explicitly defined routing in production.

[VPC CIDR] -----> [Subnet A (public)] 
             \--> [Subnet B (private)]

Non-obvious tip: instances in a private subnet have no route to the internet. If your own services there need patching or dependency downloads, add a NAT Gateway, or, cheaper and with no internet path at all, VPC endpoints for S3, SSM and the other AWS services you call. RDS itself is patched by AWS during its maintenance window and needs no egress.

Security Groups: Stateful Firewalls

Principle of least privilege is essential. Open only the exact ports required, and continuously audit.

Typical inbound rule summary:

Port   Protocol   Source          Purpose
22     TCP        your IP only    SSH (dev only; SSM Session Manager avoids opening it at all)
80     TCP        0.0.0.0/0       HTTP, redirected to 443 at the load balancer
443    TCP        0.0.0.0/0       HTTPS web traffic

Gotcha: Security Group changes apply immediately to every resource the group is attached to. Automation that removes a rule and re-adds it in two steps drops traffic in between, so let your IaC tool compute the diff and apply it as one change, and keep admin ports (22, 3389) out of groups shared with public-facing rules.
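As an added example (not code from the original post), the continuous audit the previous paragraph asks for, runnable offline against a constructed security group in the shape of aws ec2 describe-security-groups output: any inbound rule reachable from 0.0.0.0/0 or ::/0 is accepted only on 80 and 443; all-traffic rules and admin ports open to the world are flagged; rules sourced from another security group or from a specific CIDR pass. The group IDs, CIDRs and the port allow-lists are assumptions for the example.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}        # SSH, RDP: never from the whole internet
PUBLIC_OK_PORTS = {80, 443}     # the only ports this audit accepts from 0.0.0.0/0 or ::/0

# Constructed sample in the shape of `aws ec2 describe-security-groups` output; IDs and CIDRs are made up.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        # dev SSH from one address: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # SSH from everywhere: the classic mistake
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        # management console left on a non-standard port: still world-reachable
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # "all traffic" rule over IPv6, easy to miss when only the IPv4 column is reviewed
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        # database port reachable only from the app tier's security group: fine
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0 (any /0 prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_group(sg):
    """Return findings (severity, group, protocol, ports, sources) for world-open inbound rules.

    Rules sourced from other security groups or from non-/0 CIDRs are not reported. For hosts
    behind a load balancer that should accept nothing directly, set PUBLIC_OK_PORTS to an empty set.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", []) if is_world_open(r["CidrIp"])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if is_world_open(r["CidrIpv6"])]
        if not sources:
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":
            severity, ports = "CRITICAL", "all"          # every protocol and port
        else:
            lo, hi = perm["FromPort"], perm["ToPort"]
            port_set = set(range(lo, hi + 1))
            if port_set & ADMIN_PORTS:
                severity = "HIGH"
            elif port_set <= PUBLIC_OK_PORTS:
                continue                                  # 80/443 to the world is the intended exposure
            else:
                severity = "MEDIUM"
            ports = str(lo) if lo == hi else f"{lo}-{hi}"
        findings.append({"severity": severity, "group": sg["GroupId"], "protocol": proto,
                         "ports": ports, "sources": sources})
    return findings


if __name__ == "__main__":
    for f in audit_security_group(SAMPLE_SG):
        print("{severity:8} {group} {protocol}/{ports} from {sources}".format(**f))
```

Feed it the JSON from aws ec2 describe-security-groups (one call per region) on a schedule; the same shape is what AWS Config rules and Security Hub evaluate, so findings here should match what those services report.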

Elastic Load Balancer (ELB): Scale and Fault Tolerance

Put multiple EC2 instances behind an ALB (Application Load Balancer, for HTTP/HTTPS) or an NLB (Network Load Balancer, when raw TCP/UDP or static IPs are required).
For TLS termination, provision certificates with ACM (AWS Certificate Manager); domain ownership is proven by DNS CNAME or email validation, and ACM renews DNS-validated certificates automatically. Redirect port 80 to 443 rather than serving plain HTTP.

Example config:

{
  "Listeners": [
    { "Port": 443, "Protocol": "HTTPS",
      "Certificates": [{ "CertificateArn": "arn:aws:acm:..." }],
      "DefaultActions": [{ "Type": "forward", "TargetGroupArn": "..." }] },
    { "Port": 80, "Protocol": "HTTP",
      "DefaultActions": [{ "Type": "redirect",
                           "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301" } }] }
  ]
}

Known issue: ALB health checks are sensitive. Tune thresholds and intervals for slow-starting services; otherwise, healthy backends can be marked “unhealthy”.


Monitoring & Access Control: CloudWatch and IAM Nuances

CloudWatch: Metrics, Logs, Alarms

Instrument EC2 with the CloudWatch agent for memory, disk usage and application logs (the built-in EC2 metrics cover CPU, network and disk I/O only). Lambda needs no agent: stdout/stderr land in CloudWatch Logs automatically. For application-level insight, publish custom metrics via PutMetricData.

Example: alert when average EC2 CPU stays above 80% for 10 minutes (two consecutive 5-minute periods), as input for aws cloudwatch put-metric-alarm --cli-input-json:

{
  "AlarmName": "ec2-cpu-high",
  "MetricName": "CPUUtilization",
  "Namespace": "AWS/EC2",
  "Dimensions": [{ "Name": "InstanceId", "Value": "i-xxxxxx" }],
  "Statistic": "Average",
  "Period": 300,
  "EvaluationPeriods": 2,
  "Threshold": 80,
  "ComparisonOperator": "GreaterThanThreshold",
  "AlarmActions": ["arn:aws:sns:us-east-1:<account-id>:ops-alerts"]
}

Recommended: Ship logs to CloudWatch Logs. Be aware of log ingestion/archival costs on high-traffic workloads.

IAM: Fine-Grained and Frustrating

IAM is complex. Everything is implicitly denied until a policy allows it, so grant only the granular actions a workload needs (s3:PutObject on one bucket ARN, not s3:* on *). AWS managed policies save time but are usually broader than necessary; review the permissions actually used (IAM's last-accessed information shows which services a role has touched) and trim.

Best practice: never use the root account for API work. Enable MFA on root, delete any root access keys, and give humans federated access (IAM Identity Center) or, at minimum, an IAM user with MFA and rotated credentials. Use roles for EC2/Lambda, never static keys baked into the instance or the deployment package.

Note: the IAM policy simulator can save hours debugging denied requests, and CloudTrail records each AccessDenied with the action and resource that failed.


Example Architecture: Minimal Scalable Web App

Requirements:

  • Frontend: React static build
  • API: Node.js REST
  • Storage: User uploads

Pattern:

  • S3 + CloudFront for frontend (index.html and assets; keep the bucket private and grant CloudFront access with Origin Access Control, the replacement for the legacy OAI)
  • Node.js backend on EC2, placed on private subnet, exposed via ALB on public subnet
  • User files in S3; access via pre-signed URLs
  • Backend EC2 instances assume role with limited S3 bucket policy
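Concretely, for the IAM advice above and the backend role in this pattern: an added example (not code from the original post) that spells out the least-privilege policy the EC2 instances would assume, places the common s3:* shortcut beside it for contrast, and lints both for the anti-patterns the IAM section warns about (wildcard actions, wildcard resources, NotAction in an Allow). The bucket name and the uploads/ prefix are assumptions.

```python
import json

# Assumptions for this example: the uploads bucket name and the key prefix the backend writes under.
UPLOADS_BUCKET = "my-unique-company-uploads-202406"
UPLOADS_PREFIX = "uploads/"

# Policy for the backend EC2 instance role: object read/write under one prefix, listing limited to that
# prefix via the s3:prefix condition, and nothing else (no s3:DeleteObject, no bucket-level writes).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UploadObjectReadWrite",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{UPLOADS_BUCKET}/{UPLOADS_PREFIX}*",
        },
        {
            "Sid": "ListUploadsPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{UPLOADS_BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": f"{UPLOADS_PREFIX}*"}},
        },
    ],
}

# The shortcut that tends to ship under deadline pressure, kept here only for contrast.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable findings for Allow statements broader than 'only the actions required'.

    Flags '*' or 'service:*' actions, '*' resources, and NotAction/NotResource in an Allow
    (which grants everything except the listed items). A few actions genuinely need Resource '*'
    (s3:ListAllMyBuckets, for example), so treat findings as review items, not hard failures.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource in an Allow inverts the allow-list")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' for actions {actions}")
    return findings


if __name__ == "__main__":
    # Save the output as policy.json, then:
    # aws iam put-role-policy --role-name <backend-role> --policy-name uploads-rw --policy-document file://policy.json
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
    for name, policy in (("least-privilege", LEAST_PRIVILEGE_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

Pre-signed URLs handed to browsers are minted with this same role's credentials, so the URL can never grant more than the role holds: with the policy above, a leaked upload URL is a time-limited PUT or GET under uploads/, not a key to the bucket.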

ASCII Diagram:

[Browser] --> (CloudFront) --> [S3 frontend bucket, private, OAC only]
[Browser] -- (API call, HTTPS) --> (ALB, public subnet) --> [EC2 backend, private subnet] <---> [S3 uploads bucket, private]
[Browser] -- (pre-signed PUT/GET) --> [S3 uploads bucket]

Side note: If latency is a concern for uploads >100MB, consider S3 multipart upload from the client, not the backend proxy.

Infra-as-Code: Prefer Terraform or CloudFormation for reproducibility—manual configuration drifts over time.
Unpopular opinion: Even for small projects, start with minimal IaC scripts; avoid “console drift”.


Field-Tested Tips

  • The AWS Free Tier is valuable, but monitor quotas and expiration—many surprise bills are due to leaving resources active after 12 months.
  • S3 has offered strong read-after-write consistency since December 2020, so the old "eventual consistency" workaround is no longer needed for new objects or overwrites. What is still asynchronous is the S3 event notification to Lambda or SQS, which normally arrives within seconds but can be delayed, so make downstream processing idempotent and fetch the object by key rather than assuming it was handled in order.
  • For auditing, enable AWS CloudTrail globally from day one. Retroactive forensics are painful without it.
  • Lint your IaC for security misconfigurations before deploying: cfn_nag for CloudFormation, tfsec (now part of Trivy) or checkov for Terraform.

Master the above and the rest of AWS (databases, analytics, ML) become approachable, not overwhelming. Most production outages stem from misunderstanding one of these basics—not from failing to use the latest managed database service.

Got questions on non-obvious scenarios (cross-account S3 access, custom VPC peering, Lambda cold start mitigation)? Seek out published runbooks—not just the official docs.


Corrections, alternative patterns, and additional real-world examples welcome below.