Cloud AWS

Expert guidance for Amazon Web Services infrastructure, development, and operations.

Instructions

When helping with AWS tasks:

  1. Identify the AWS service(s) involved in the request
  2. Check authentication: Ensure AWS CLI is configured (aws sts get-caller-identity)
  3. Use appropriate tools: AWS CLI or Terraform as needed
    • Avoid SAM, CloudFormation, and CDK - Always prefer Terraform for Infrastructure as Code
  4. Follow security best practices: Least privilege IAM, encryption, no hardcoded credentials
  5. Consider cost implications: Suggest cost-effective alternatives when relevant

AWS CLI Essentials

Authentication Check

aws sts get-caller-identity
aws configure list

Common Service Commands

S3:

aws s3 ls
aws s3 cp file.txt s3://bucket-name/
aws s3 sync ./local-dir s3://bucket-name/prefix/
aws s3 rm s3://bucket-name/prefix/ --recursive

EC2:

aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name,Type:InstanceType}'
aws ec2 start-instances --instance-ids i-xxxxx
aws ec2 stop-instances --instance-ids i-xxxxx

Lambda:

aws lambda list-functions --query 'Functions[].{Name:FunctionName,Runtime:Runtime}'
aws lambda invoke --function-name my-function output.json
aws lambda update-function-code --function-name my-function --zip-file fileb://function.zip
aws logs tail /aws/lambda/my-function --follow

DynamoDB:

aws dynamodb list-tables
aws dynamodb scan --table-name my-table
aws dynamodb get-item --table-name my-table --key '{"PK":{"S":"USER#123"},"SK":{"S":"PROFILE"}}'
aws dynamodb put-item --table-name my-table --item '{"PK":{"S":"USER#123"},"SK":{"S":"PROFILE"},"name":{"S":"John"}}'

API Gateway (HTTP API v2):

aws apigatewayv2 get-apis
aws apigatewayv2 get-routes --api-id API_ID
aws apigatewayv2 get-stages --api-id API_ID

CloudFront:

aws cloudfront list-distributions --query 'DistributionList.Items[].{Id:Id,Domain:DomainName,Status:Status}'
aws cloudfront create-invalidation --distribution-id DIST_ID --paths "/*"

CloudWatch:

aws logs describe-log-groups
aws logs tail /aws/lambda/my-function --follow --since 1h
aws cloudwatch get-metric-statistics --namespace AWS/Lambda --metric-name Invocations --dimensions Name=FunctionName,Value=my-function --start-time 2025-01-01T00:00:00Z --end-time 2025-01-02T00:00:00Z --period 3600 --statistics Sum

Cost Management

Get Current Costs

# Current month costs by service (End is exclusive; on the 1st of the month
# Start equals End and the call is rejected, so use yesterday's month instead)
aws ce get-cost-and-usage \
  --time-period Start=$(date -u +%Y-%m-01),End=$(date -u +%Y-%m-%d) \
  --granularity MONTHLY \
  --metrics "UnblendedCost" \
  --group-by Type=DIMENSION,Key=SERVICE

# Cost forecast for the rest of the month. End must be a real date, so use the
# first day of next month rather than a hardcoded day 31 (GNU date syntax)
aws ce get-cost-forecast \
  --time-period Start=$(date -u +%Y-%m-%d),End=$(date -u -d "$(date -u +%Y-%m-01) +1 month" +%Y-%m-%d) \
  --granularity MONTHLY \
  --metric UNBLENDED_COST

# Filter by specific service
aws ce get-cost-and-usage \
  --time-period Start=2025-01-01,End=2025-12-01 \
  --granularity MONTHLY \
  --metrics "UnblendedCost" \
  --filter '{"Dimensions":{"Key":"SERVICE","Values":["Amazon CloudFront"]}}'
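Added example (not part of the original skill): a stdlib-only Python helper that builds the --time-period values for the two Cost Explorer calls above while respecting month boundaries and the exclusive End date, including the first-of-month case where Start and End would otherwise coincide. Function names are my own.

```python
from datetime import date, timedelta


def first_of_next_month(day: date) -> date:
    """Day 1 of the month after `day`, valid for 28-, 29-, 30- and 31-day months."""
    # Day 28 plus four days always lands in the next month; snap back to day 1.
    return (day.replace(day=28) + timedelta(days=4)).replace(day=1)


def month_to_date_period(today: date) -> tuple[str, str]:
    """Start/End for get-cost-and-usage over the current month so far."""
    start = today.replace(day=1)
    end = today
    if end == start:
        # On the 1st the half-open window [start, end) would be empty and rejected,
        # so cover that single day instead.
        end = today + timedelta(days=1)
    return start.isoformat(), end.isoformat()


def forecast_period(today: date) -> tuple[str, str]:
    """Start/End for get-cost-forecast: today through the end of the month."""
    return today.isoformat(), first_of_next_month(today).isoformat()


def time_period_arg(period: tuple[str, str]) -> str:
    """Render a period the way the CLI expects it after --time-period."""
    start, end = period
    return f"Start={start},End={end}"


if __name__ == "__main__":
    today = date.today()
    print("aws ce get-cost-and-usage --time-period", time_period_arg(month_to_date_period(today)))
    print("aws ce get-cost-forecast  --time-period", time_period_arg(forecast_period(today)))
```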

Set Budget Alert

aws budgets create-budget \
  --account-id ACCOUNT_ID \
  --budget file://budget.json \
  --notifications-with-subscribers file://notifications.json

Infrastructure as Code (Terraform)

provider "aws" {
  region = "us-east-1"
}

resource "aws_lambda_function" "my_function" {
  filename         = "function.zip"
  function_name    = "my-function"
  role             = aws_iam_role.lambda_role.arn
  handler          = "index.handler"
  runtime          = "python3.12"
  source_code_hash = filebase64sha256("function.zip")
}

Deploy:

terraform init
terraform plan                  # review the proposed changes first
terraform apply -auto-approve   # -auto-approve skips the interactive confirmation prompt
terraform destroy               # removes every resource tracked in the state

Security Best Practices

IAM Policies

  • Use least privilege principle
  • Prefer managed policies for common use cases
  • Use conditions to restrict access

Example: item-level access to a single table, with dynamodb:LeadingKeys pinning the partition key to the caller's user ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
      "Resource": "arn:aws:dynamodb:*:*:table/my-table",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${aws:userid}"]
        }
      }
    }
  ]
}
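Added example (not part of the original skill): a stdlib-only Python linter that applies the bullets above to a policy document. It flags wildcard actions, an unscoped Resource, NotAction/NotResource, and DynamoDB item access that lacks the dynamodb:LeadingKeys condition shown in the policy. The policy from this page is embedded as a constructed sample next to a constructed over-broad one; ITEM_ACTIONS and the finding wording are my own choices.

```python
import json

# Constructed copy of the policy above: item actions on one table, with the
# partition key pinned to the caller's user id via dynamodb:LeadingKeys.
TENANT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:*:*:table/my-table",
    "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["${aws:userid}"]}}
  }]
}""")

# Constructed over-broad policy the linter should reject.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}

# Item-level DynamoDB actions (assumed list) that should carry a row-level condition.
ITEM_ACTIONS = {"dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem", "dynamodb:*", "*"}

def _as_list(value):
    # IAM accepts either a string or a list for Action/Resource.
    return [value] if isinstance(value, str) else list(value or [])

def _condition_keys(stmt):
    # Flatten {"Operator": {"key": value}} into the set of condition keys used.
    keys = set()
    for operator_block in (stmt.get("Condition") or {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def lint_policy(doc):
    """Return least-privilege findings for an IAM policy; an empty list is clean."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        actions = _as_list(stmt.get("Action"))
        findings += [f"statement {i}: wildcard action {a!r}" for a in actions if a.endswith("*")]
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: Resource '*' instead of a specific ARN")
        if set(actions) & ITEM_ACTIONS and "dynamodb:leadingkeys" not in _condition_keys(stmt):
            findings.append(f"statement {i}: DynamoDB item access without a dynamodb:LeadingKeys condition")
    return findings
```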

Secrets Management

# AWS Secrets Manager (--secret-string file://secret.json keeps the value out of shell history)
aws secretsmanager create-secret --name my-secret --secret-string '{"key":"value"}'
aws secretsmanager get-secret-value --secret-id my-secret --query SecretString --output text

# SSM Parameter Store (cheaper for simple values; --value file://path avoids an inline secret)
aws ssm put-parameter --name /app/db-password --value "secret" --type SecureString
aws ssm get-parameter --name /app/db-password --with-decryption --query Parameter.Value --output text

Encryption

  • Enable encryption at rest for all data stores
  • Use AWS KMS for key management
  • Enable encryption in transit (TLS/HTTPS)

Troubleshooting

Check Permissions

aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::ACCOUNT:role/my-role \
  --action-names dynamodb:PutItem \
  --resource-arns arn:aws:dynamodb:us-east-1:ACCOUNT:table/my-table

Debug Lambda

aws logs tail /aws/lambda/my-function --since 1h
aws lambda get-function-configuration --function-name my-function
aws lambda get-function --function-name my-function

Network Issues

aws ec2 describe-flow-logs
aws ec2 describe-security-groups --group-ids sg-xxxxx
aws ec2 describe-network-acls --network-acl-ids acl-xxxxx

API Gateway Issues

aws apigatewayv2 get-api --api-id API_ID
# HTTP APIs have no default log group; tail the access-log group configured on the stage
aws logs tail /aws/api-gateway/API_ID --since 1h

Cost Optimization Tips

  • Lambda: Use ARM64 (Graviton2) for ~34% cost savings
  • DynamoDB: Use on-demand for variable workloads, provisioned for steady-state
  • S3: Enable Intelligent-Tiering for variable access patterns
  • CloudFront: Use caching to reduce origin requests
  • API Gateway: Use HTTP APIs (v2) instead of REST APIs for ~70% cost savings
  • Set up billing alerts and budgets
  • Use AWS Cost Explorer to identify optimization opportunities