AWS Cloud Fundamentals: Complete Beginner's Guide to Amazon Web Services
Amazon Web Services (AWS) is the world's largest cloud computing platform, powering everything from Netflix and Airbnb to startups running their first web application. With over 200 services spanning compute, storage, databases, machine learning, and more, AWS can feel overwhelming at first. It does not have to be.
This guide strips away the noise and focuses on what actually matters when you are getting started. You will learn the core services that 90% of AWS workloads depend on, how to set up your account securely, deploy your first web application, host a static website on S3, use the AWS CLI, write Infrastructure as Code with CloudFormation, and follow security best practices that prevent the horror stories you read about on Hacker News.
Table of Contents
- What Is AWS and Cloud Computing
- Core AWS Services Overview
- AWS Pricing Model and Free Tier
- Setting Up Your AWS Account Securely
- Deploying a Simple Web App on EC2
- S3 Static Website Hosting
- AWS CLI Basics
- Infrastructure as Code with CloudFormation
- Security Best Practices
- Monitoring with CloudWatch
- Common Architecture Patterns
- AWS vs Azure vs GCP Comparison
- Cost Optimization Tips
- Frequently Asked Questions
1. What Is AWS and Cloud Computing
Cloud computing means renting computing resources — servers, storage, databases, networking — from a provider instead of buying and maintaining physical hardware yourself. Instead of a server rack in your office closet, your application runs on machines in data centers managed by Amazon, Microsoft, or Google.
Amazon Web Services launched in 2006 with S3 (storage) and EC2 (virtual servers). It was the first major cloud platform and remains the market leader with approximately 31% global market share in 2026. AWS operates 33 geographic regions with over 100 Availability Zones worldwide, meaning your application can run close to users on every continent.
The three fundamental cloud service models are:
- IaaS (Infrastructure as a Service) — AWS gives you virtual machines, networking, and storage. You manage everything from the operating system up. Example: EC2.
- PaaS (Platform as a Service) — AWS manages the infrastructure and runtime. You deploy your code. Example: Elastic Beanstalk, App Runner.
- SaaS (Software as a Service) — Fully managed applications. Example: Amazon WorkMail, Amazon Chime.
The key advantage is elasticity. You can scale from one server to a thousand in minutes, and scale back down when traffic drops. You pay only for what you use, which means a startup can access the same infrastructure that powers Fortune 500 companies without any upfront capital investment.
2. Core AWS Services Overview
AWS has over 200 services, but the vast majority of workloads depend on fewer than a dozen. Here are the six services you need to understand first:
EC2 (Elastic Compute Cloud)
EC2 provides virtual servers (called instances) that you can launch in minutes. You choose the operating system (Amazon Linux, Ubuntu, Windows), the instance type (CPU and RAM), storage, and networking configuration.
Common EC2 Instance Types:
- t3.micro : 2 vCPU, 1 GB RAM (Free Tier eligible, dev/test)
- t3.medium : 2 vCPU, 4 GB RAM (small web apps)
- m6i.large : 2 vCPU, 8 GB RAM (general purpose production)
- c6i.xlarge : 4 vCPU, 8 GB RAM (compute-intensive tasks)
- r6i.large : 2 vCPU, 16 GB RAM (memory-intensive databases)
S3 (Simple Storage Service)
S3 is object storage with virtually unlimited capacity. You store files (objects) in buckets. Every object gets a unique URL. S3 provides 99.999999999% (eleven nines) durability, meaning your data is essentially indestructible. It is used for file uploads, backups, static website hosting, data lakes, and serving images or videos.
RDS (Relational Database Service)
RDS is a managed database service supporting MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora. AWS handles backups, patching, replication, and failover. You get a database endpoint and connect as if it were a local database, but with automatic high availability and disaster recovery.
Lambda
Lambda runs your code without provisioning servers. You upload a function, configure a trigger (HTTP request, S3 upload, schedule), and AWS executes it. You pay only for the milliseconds your code actually runs. Lambda supports Python, Node.js, Java, Go, .NET, Ruby, and custom runtimes. It scales automatically from zero to thousands of concurrent executions.
VPC (Virtual Private Cloud)
VPC is your isolated network within AWS. Every resource you launch (EC2 instances, RDS databases, Lambda functions) runs inside a VPC. You define subnets (public and private), route tables, internet gateways, and security rules. Think of it as building your own private data center network within the AWS cloud.
IAM (Identity and Access Management)
IAM controls who can do what in your AWS account. You create users, groups, and roles, then attach policies that define exact permissions. IAM is the foundation of AWS security and the first service you should learn thoroughly.
3. AWS Pricing Model and Free Tier
AWS uses a pay-as-you-go model. There are no upfront costs, no long-term contracts (unless you want discounts), and you pay only for the resources you consume. Pricing varies by service, region, and usage volume.
The three main pricing dimensions across AWS services are:
- Compute — charged per hour or per second of instance runtime (EC2) or per request and duration (Lambda)
- Storage — charged per GB per month (S3, EBS)
- Data transfer — data into AWS is free. Data out of AWS is charged per GB. Data transfer between services in the same region is usually free or very cheap.
Free Tier Highlights (12 months)
| Service | Free Tier Allowance |
|---|---|
| EC2 | 750 hours/month of t2.micro or t3.micro |
| S3 | 5 GB storage, 20,000 GET requests |
| RDS | 750 hours/month of db.t2.micro or db.t3.micro |
| Lambda | 1 million requests/month, 400,000 GB-seconds |
| DynamoDB | 25 GB storage, 25 read/write capacity units |
| CloudFront | 1 TB data transfer out/month |
| CloudWatch | 10 custom metrics, 10 alarms |
| SNS | 1 million publishes |
| SQS | 1 million requests |
| API Gateway | 1 million REST API calls/month |
Some services are always free regardless of the 12-month window: Lambda's 1 million requests, DynamoDB's 25 GB, SNS's first million publishes, and CloudWatch basic monitoring.
4. Setting Up Your AWS Account Securely
Follow these steps to create an AWS account that is secure from day one. Skipping these steps is how people end up with $50,000 bills from crypto miners who compromised their credentials.
Step 1: Create the Account
Go to aws.amazon.com and click "Create an AWS Account." You will need an email address, a credit card (for verification and charges beyond Free Tier), and a phone number. Choose the "Personal" account type for learning.
Step 2: Secure the Root Account
1. Sign in to the AWS Console as root
2. Go to: IAM > Security credentials (top right, click your name)
3. Enable MFA (Multi-Factor Authentication)
- Choose "Virtual MFA device"
- Scan the QR code with Google Authenticator, Authy, or 1Password
- Enter two consecutive codes to confirm
4. NEVER use the root account for daily work after this step
Step 3: Create an Admin IAM User
# After securing root, create an IAM user for daily use
# Go to IAM > Users > Create user
Username: your-name-admin
Access: AWS Management Console access + Programmatic access
Permissions: Attach "AdministratorAccess" policy
MFA: Enable MFA on this user too
# Save the Access Key ID and Secret Access Key securely
# You will need these for the AWS CLI
Step 4: Set Up Billing Alerts
1. Go to: Billing > Billing preferences
2. Enable: "Receive Free Tier Usage Alerts"
3. Enable: "Receive Billing Alerts"
4. Go to: CloudWatch > Alarms > Create alarm
5. Select metric: Billing > Total Estimated Charge
6. Set threshold: $5 (or whatever your budget is)
7. Create an SNS topic to email you when the alarm triggers
This four-step setup takes about 15 minutes and prevents the most common security and billing disasters that beginners encounter.
5. Deploying a Simple Web App on EC2
Let us deploy a simple Node.js web application to an EC2 instance, step by step. This walkthrough teaches core AWS concepts: launching instances, security groups, SSH access, and serving web traffic.
Step 1: Launch an EC2 Instance
1. Open EC2 Console > Instances > Launch instance
2. Name: "my-web-app"
3. AMI: Amazon Linux 2023 (Free Tier eligible)
4. Instance type: t3.micro (Free Tier eligible)
5. Key pair: Create new > "my-key" > RSA > .pem format
- Download and save the .pem file securely
6. Network settings:
- Allow SSH (port 22) from "My IP"
- Allow HTTP (port 80) from "Anywhere"
- Allow HTTPS (port 443) from "Anywhere"
7. Storage: 8 GB gp3 (default, Free Tier eligible)
8. Click "Launch instance"
Step 2: Connect via SSH
# Set correct permissions on key file
chmod 400 my-key.pem
# Connect to your instance (replace with your public IP)
ssh -i my-key.pem ec2-user@54.123.45.67
# You are now on your EC2 instance
Step 3: Install and Run Your App
# Update the system
sudo dnf update -y
# Install Node.js
sudo dnf install -y nodejs
# Create a simple web app
mkdir ~/myapp && cd ~/myapp
cat > app.js <<'EOF'
const http = require('http');
const server = http.createServer((req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<h1>Hello from AWS EC2!</h1><p>My first cloud deployment.</p>');
});
server.listen(80, () => console.log('Server running on port 80'));
EOF
# Run the app (port 80 requires sudo)
sudo node app.js
Step 4: Make It Production-Ready
# Install PM2 to keep the app running after you disconnect
sudo npm install -g pm2
# Start with PM2
sudo pm2 start app.js --name myapp
# Ensure it restarts on reboot
sudo pm2 startup
sudo pm2 save
# View logs
sudo pm2 logs myapp
Open your browser and navigate to http://54.123.45.67 (your instance's public IP). You should see your web app running. Remember to stop or terminate the instance when you are done to avoid charges beyond the Free Tier.
6. S3 Static Website Hosting
S3 can host static websites (HTML, CSS, JavaScript) without any server. It is the cheapest and simplest way to host a frontend application, documentation site, or landing page on AWS.
Setting Up S3 Website Hosting via CLI
# Create a bucket (name must be globally unique)
aws s3 mb s3://my-awesome-site-2026
# Enable static website hosting
aws s3 website s3://my-awesome-site-2026 \
--index-document index.html \
--error-document error.html
# Set the bucket policy to allow public read access
cat > bucket-policy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-awesome-site-2026/*"
    }
  ]
}
EOF
# Disable block public access (required for public websites)
aws s3api put-public-access-block \
--bucket my-awesome-site-2026 \
--public-access-block-configuration \
"BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false"
# Apply the bucket policy
aws s3api put-bucket-policy \
--bucket my-awesome-site-2026 \
--policy file://bucket-policy.json
# Upload your site
aws s3 sync ./my-site/ s3://my-awesome-site-2026/ \
--delete \
--cache-control "max-age=86400"
# Your site is live at:
# http://my-awesome-site-2026.s3-website-us-east-1.amazonaws.com
For production sites, put CloudFront (AWS CDN) in front of S3 for HTTPS, custom domains, caching, and global edge distribution. CloudFront's Free Tier includes 1 TB of data transfer per month.
7. AWS CLI Basics
The AWS CLI is a command-line tool that lets you manage AWS services from your terminal. It is faster than the web console for most tasks and essential for automation and scripting.
Installation and Configuration
# Install on macOS
brew install awscli
# Install on Linux
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" \
-o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Install on Windows (download MSI installer from AWS docs)
# Configure with your IAM credentials
aws configure
# AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name: us-east-1
# Default output format: json
# Verify it works
aws sts get-caller-identity
Essential CLI Commands
# --- EC2 ---
aws ec2 describe-instances --output table
aws ec2 start-instances --instance-ids i-0abc123def456
aws ec2 stop-instances --instance-ids i-0abc123def456
aws ec2 describe-security-groups
# --- S3 ---
aws s3 ls # list all buckets
aws s3 ls s3://my-bucket/ # list objects in bucket
aws s3 cp file.txt s3://my-bucket/ # upload a file
aws s3 cp s3://my-bucket/file.txt . # download a file
aws s3 sync ./local/ s3://my-bucket/ --delete # sync directory
aws s3 rm s3://my-bucket/file.txt # delete a file
# --- IAM ---
aws iam list-users
aws iam list-roles
aws iam get-user --user-name myuser
# --- Lambda ---
aws lambda list-functions
aws lambda invoke --function-name myFunction output.json
# --- CloudWatch ---
aws cloudwatch list-metrics --namespace AWS/EC2
aws logs describe-log-groups
aws logs tail /aws/lambda/myFunction --follow
# --- Useful flags ---
aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name,IP:PublicIpAddress}' --output table
# The --query flag uses JMESPath syntax to filter output
# The --output flag supports json, table, text, and yaml
Using Named Profiles
# Configure multiple accounts/roles
aws configure --profile staging
aws configure --profile production
# Use a specific profile
aws s3 ls --profile staging
# Or set it for the whole session
export AWS_PROFILE=staging
8. Infrastructure as Code with CloudFormation
CloudFormation lets you define your entire AWS infrastructure in YAML or JSON templates. Instead of clicking through the console, you describe what you want and CloudFormation creates, updates, and deletes resources as a single unit called a stack.
Your First CloudFormation Template
# template.yaml - A simple web server with a security group
AWSTemplateFormatVersion: '2010-09-09'
Description: Simple EC2 web server with security group
Parameters:
  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small, t3.medium]
    Description: EC2 instance type
  KeyPairName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Name of an existing EC2 key pair
Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP and SSH
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        # SSH from anywhere is for this walkthrough only; narrow CidrIp to
        # your own address (a /32) before using the template for real work.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyPairName
      ImageId: ami-0c02fb55956c7d316 # Amazon Linux 2023 us-east-1
      SecurityGroupIds:
        - !Ref WebServerSecurityGroup
      UserData:
        Fn::Base64: |
          #!/bin/bash
          dnf update -y
          dnf install -y nginx
          systemctl start nginx
          systemctl enable nginx
Outputs:
  PublicIP:
    Description: Public IP of the web server
    Value: !GetAtt WebServer.PublicIp
  WebsiteURL:
    Description: URL of the web server
    Value: !Sub "http://${WebServer.PublicIp}"
Deploying the Stack
# Create the stack
aws cloudformation create-stack \
--stack-name my-web-server \
--template-body file://template.yaml \
--parameters ParameterKey=KeyPairName,ParameterValue=my-key
# Watch the creation progress
aws cloudformation describe-stack-events \
--stack-name my-web-server \
--query 'StackEvents[].{Status:ResourceStatus,Type:ResourceType,Reason:ResourceStatusReason}' \
--output table
# Get the outputs (like the public IP)
aws cloudformation describe-stacks \
--stack-name my-web-server \
--query 'Stacks[0].Outputs'
# Update the stack (change a parameter or template)
aws cloudformation update-stack \
--stack-name my-web-server \
--template-body file://template.yaml \
--parameters ParameterKey=InstanceType,ParameterValue=t3.small \
ParameterKey=KeyPairName,ParameterValue=my-key
# Delete everything cleanly
aws cloudformation delete-stack --stack-name my-web-server
The enormous advantage of CloudFormation is that delete-stack removes everything the template created. No orphaned resources, no forgotten security groups, no surprise charges. For more complex projects, consider Terraform (multi-cloud) or AWS CDK (define infrastructure using Python, TypeScript, or Java).
9. Security Best Practices
Security on AWS follows the shared responsibility model: AWS secures the infrastructure (physical data centers, hypervisors, networking hardware), and you secure everything you put on that infrastructure (your data, your configurations, your access controls).
IAM Best Practices
// Example: Minimal S3 read-only policy (least privilege)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-app-bucket",
        "arn:aws:s3:::my-app-bucket/*"
      ]
    }
  ]
}
- Never use root for daily tasks — the root account has unrestricted access and cannot be limited by IAM policies.
- Enable MFA everywhere — require MFA for console login, and consider MFA for sensitive API operations.
- Use IAM roles, not access keys — EC2 instances and Lambda functions should use IAM roles (automatically rotated temporary credentials) instead of hardcoded access keys.
- Principle of least privilege — grant the minimum permissions needed. Start with nothing and add permissions as needed rather than starting with full access and trying to restrict.
- Never commit credentials to Git — use environment variables, AWS Secrets Manager, or Parameter Store. Add .env and credentials files to .gitignore.
Security Groups (Firewall Rules)
Security Group Best Practices:
- Default deny: Security groups deny all inbound traffic by default
- Only open ports you need (80, 443 for web; 22 for SSH)
- Never open SSH (port 22) to 0.0.0.0/0 in production
- Use a bastion host, VPN, or AWS Systems Manager Session Manager
- Use separate security groups for web servers, app servers, and databases
- Reference security groups by ID instead of IP ranges where possible
- Example: Allow app-server-sg to talk to db-sg on port 5432
Example layout:
Internet --> [ALB: 80,443] --> [App: 8080 from ALB-sg] --> [DB: 5432 from App-sg]
Each layer only accepts traffic from the layer in front of it.
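The rules above can be checked mechanically. The following is an added example, not part of the original guide: it audits data shaped like the `SecurityGroups` list returned by `aws ec2 describe-security-groups`, flags anything open to the whole internet other than ports 80 and 443, and reports who can reach each tier. The group names, group IDs and sample rules are constructed for illustration.

```python
"""Audit security-group ingress rules (added example; sample data is constructed)."""
import ipaddress

# Constructed data in the shape of the "SecurityGroups" list returned by
# `aws ec2 describe-security-groups`. Group IDs and names are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b000000000001", "GroupName": "alb-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b000000000002", "GroupName": "app-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b000000000001"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b000000000003", "GroupName": "db-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b000000000002"}]},
    ]},
]

PUBLIC_WEB_PORTS = {80, 443}  # the only ports the guide opens to "Anywhere"


def port_range(perm):
    """Return (low, high); IpProtocol "-1" means all protocols and all ports."""
    if perm["IpProtocol"] == "-1" or "FromPort" not in perm:
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (any zero-length prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def sources(perm):
    """All CIDR and security-group sources named by one ingress rule."""
    out = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    out += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return out


def world_open_findings(groups):
    """Rules reachable from the whole internet on anything but 80/443."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if perm["IpProtocol"] not in ("tcp", "udp", "-1"):
                continue  # ICMP reuses FromPort/ToPort for type/code; skipped
            low, high = port_range(perm)
            world = [s for s in sources(perm) if "/" in s and is_world(s)]
            only_web = low == high and low in PUBLIC_WEB_PORTS
            if world and not only_web:
                findings.append((sg["GroupName"], low, high, world))
    return findings


def sources_for_port(groups, group_name, port):
    """Who may reach `port` on the named group (for checking tier layering)."""
    found = set()
    for sg in groups:
        if sg["GroupName"] != group_name:
            continue
        for perm in sg.get("IpPermissions", []):
            low, high = port_range(perm)
            if low <= port <= high:
                found.update(sources(perm))
    return sorted(found)


if __name__ == "__main__":
    for name, low, high, world in world_open_findings(SAMPLE_GROUPS):
        print(f"{name}: ports {low}-{high} open to {', '.join(world)}")
    print("db-sg:5432 reachable from",
          sources_for_port(SAMPLE_GROUPS, "db-sg", 5432))
```

To run it against a real account, load the `SecurityGroups` list from `aws ec2 describe-security-groups --output json` in place of `SAMPLE_GROUPS`.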
Enable CloudTrail
# CloudTrail logs every API call in your account
aws cloudtrail create-trail \
--name my-audit-trail \
--s3-bucket-name my-cloudtrail-logs \
--is-multi-region-trail
aws cloudtrail start-logging --name my-audit-trail
# Now every action (console clicks, CLI commands, SDK calls)
# is recorded with who did it, when, and from where
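Once the trail is delivering log files, those records can be checked against the practices in this section. The following is an added example, not part of the original guide: it triages a CloudTrail log file for root activity, IAM console logins without MFA, access-key creation, and attempts to stop or alter the trail. Every record, user name and IP address in the sample is constructed, and the rule names are this example's own.

```python
"""Triage CloudTrail records (added example; every record below is constructed)."""
import json

ROOT_ARN = "arn:aws:iam::123456789012:root"  # placeholder account ID

# Constructed log file in CloudTrail's {"Records": [...]} layout. User names,
# the account ID and the documentation-range IP addresses are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-01-10T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "your-name-admin"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-01-10T09:15:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "intern-dev"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-01-10T09:20:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-01-10T09:21:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN}},
    {"eventTime": "2026-01-10T09:30:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "intern-dev"},
     "requestParameters": {"name": "my-audit-trail"}},
    {"eventTime": "2026-01-10T09:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/s1"}},
]})

# API calls that stop, remove or reconfigure the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def actor(record):
    """Best available label for who made the call."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def classify(record):
    """Return the names of the rules a single record trips."""
    hits = []
    ident = record.get("userIdentity") or {}
    name = record.get("eventName")
    source = record.get("eventSource")
    if ident.get("type") == "Root":
        hits.append("root-activity")  # root should not be used day to day
    # Only IAM users and root are checked: federated sign-ins perform MFA at
    # the identity provider, so MFAUsed is not meaningful for them.
    if (name == "ConsoleLogin" and ident.get("type") in ("IAMUser", "Root")
            and (record.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (record.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
        hits.append("console-login-without-mfa")
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        hits.append("trail-tampering")
    if source == "iam.amazonaws.com" and name == "CreateAccessKey":
        hits.append("long-lived-key-created")
    return hits


def triage(log_text):
    """Parse one CloudTrail log file and list findings with who/when/where."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        for rule in classify(rec):
            findings.append({"rule": rule, "who": actor(rec),
                             "when": rec.get("eventTime"),
                             "from": rec.get("sourceIPAddress"),
                             "event": rec.get("eventName")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['when']}  {f['rule']:<26} {f['event']:<16} {f['who']} from {f['from']}")
```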
10. Monitoring with CloudWatch
CloudWatch is the monitoring and observability service for AWS. It collects metrics, logs, and events from your resources and lets you set alarms, create dashboards, and automate responses.
Key Metrics to Monitor
EC2 Metrics (automatic, no agent needed):
- CPUUtilization (percentage of allocated CPU used)
- NetworkIn/NetworkOut (bytes transferred)
- StatusCheckFailed (instance or system health)
- DiskReadOps/WriteOps (I/O operations)
RDS Metrics:
- DatabaseConnections (active connections)
- FreeableMemory (available RAM)
- ReadLatency/WriteLatency
- FreeStorageSpace (disk space remaining)
Lambda Metrics:
- Invocations (number of function calls)
- Duration (execution time)
- Errors (failed executions)
- Throttles (rate-limited invocations)
- ConcurrentExecutions (simultaneous runs)
Creating Alarms
# Alert when EC2 CPU exceeds 80% for 5 minutes
aws cloudwatch put-metric-alarm \
--alarm-name "HighCPU-WebServer" \
--metric-name CPUUtilization \
--namespace AWS/EC2 \
--statistic Average \
--period 300 \
--threshold 80 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 2 \
--dimensions Name=InstanceId,Value=i-0abc123def456 \
--alarm-actions arn:aws:sns:us-east-1:123456789012:my-alerts
# Alert when your estimated bill exceeds $10
aws cloudwatch put-metric-alarm \
--alarm-name "BillingAlarm-10USD" \
--metric-name EstimatedCharges \
--namespace AWS/Billing \
--statistic Maximum \
--period 21600 \
--threshold 10 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 1 \
--dimensions Name=Currency,Value=USD \
--alarm-actions arn:aws:sns:us-east-1:123456789012:billing-alerts
CloudWatch Logs
# View Lambda function logs
aws logs tail /aws/lambda/my-function --follow --since 1h
# Search for errors across all log streams
aws logs filter-log-events \
--log-group-name /aws/lambda/my-function \
--filter-pattern "ERROR" \
--start-time $(date -d '1 hour ago' +%s)000
# Set up log retention (default is forever = expensive)
aws logs put-retention-policy \
--log-group-name /aws/lambda/my-function \
--retention-in-days 30
11. Common Architecture Patterns
These are the architecture patterns you will encounter in the majority of AWS deployments:
Three-Tier Web Application
User Request
     |
     v
[CloudFront CDN] -- caches static assets at edge locations
     |
     v
[Application Load Balancer] -- distributes traffic, terminates SSL
     |
     v
[EC2 Auto Scaling Group] -- 2+ instances across availability zones
     |               |
     v               v
[ElastiCache]   [RDS Multi-AZ]
(Redis cache)   (Primary + Standby database)
     |
     v
[S3] -- static files, user uploads, backups
Serverless Application
User Request
     |
     v
[API Gateway] -- REST/HTTP API, request validation, rate limiting
     |
     v
[Lambda Functions] -- business logic, auto-scales to zero
     |          |         |
     v          v         v
[DynamoDB]    [S3]    [SES/SNS]
(NoSQL DB)  (files)  (email/notifications)
     |
     v
[CloudFront] -- serves the frontend SPA from S3
Static Website with CI/CD
Developer pushes code to GitHub
|
v
[GitHub Actions / CodePipeline] -- builds and tests
|
v
[S3 Bucket] -- static site files deployed
|
v
[CloudFront] -- HTTPS, custom domain, global CDN
|
v
[Route 53] -- DNS management, domain routing
The serverless pattern is increasingly popular because you pay nothing when there is no traffic, and it scales automatically during traffic spikes. The three-tier pattern remains the default for applications that need persistent connections, WebSocket support, or complex background processing.
12. AWS vs Azure vs GCP Comparison
All three major cloud providers offer equivalent core services. Here is how they compare:
| Category | AWS | Azure | GCP |
|---|---|---|---|
| Market Share (2026) | ~31% | ~25% | ~11% |
| Virtual Machines | EC2 | Virtual Machines | Compute Engine |
| Object Storage | S3 | Blob Storage | Cloud Storage |
| Serverless Functions | Lambda | Azure Functions | Cloud Functions |
| Managed SQL Database | RDS / Aurora | Azure SQL / Cosmos DB | Cloud SQL / Spanner |
| NoSQL Database | DynamoDB | Cosmos DB | Firestore / Bigtable |
| Container Orchestration | ECS / EKS | AKS | GKE |
| CDN | CloudFront | Azure CDN / Front Door | Cloud CDN |
| DNS | Route 53 | Azure DNS | Cloud DNS |
| IaC | CloudFormation / CDK | ARM / Bicep | Deployment Manager |
| ML/AI Platform | SageMaker | Azure ML | Vertex AI |
| Best For | Broadest service catalog, largest ecosystem | Microsoft shops, hybrid cloud, .NET | Data/ML workloads, Kubernetes, BigQuery |
The core skills transfer well between providers. If you learn AWS networking (VPCs, subnets, security groups), the concepts map directly to Azure VNets and GCP VPCs. Start with one provider, master the fundamentals, and expand to others as your career requires.
13. Cost Optimization Tips
AWS bills can grow quickly if you are not paying attention. These strategies can reduce your costs by 30-70% without any performance impact:
Right-Size Your Resources
- Check AWS Compute Optimizer — it analyzes your EC2 usage patterns and recommends smaller or different instance types if you are over-provisioned.
- Use t3/t4g instances for variable workloads — burstable instances cost less than fixed-performance instances when your average CPU usage is under 20-30%.
- Start small and scale up — it takes 2 minutes to change an instance type. Start with t3.micro and upgrade if monitoring shows you need more.
Use the Right Pricing Model
| Pricing Model | Discount | Commitment | Best For |
|---|---|---|---|
| On-Demand | 0% | None | Dev/test, unpredictable workloads |
| Spot Instances | 60-90% | None | Batch processing, fault-tolerant work |
| Reserved Instances | 30-60% | 1 or 3 year | Steady-state production workloads |
| Savings Plans | 30-60% | 1 or 3 year | Flexible commitment across services |
| Fargate Spot | 50-70% | None | Containers with interruption tolerance |
Storage Optimization
- S3 storage classes — move infrequently accessed data to S3 Infrequent Access (50% cheaper) or S3 Glacier (90% cheaper). Use S3 Lifecycle policies to automate transitions.
- Delete unused EBS volumes — when you terminate an EC2 instance, its EBS volume might persist and accrue charges. Check for unattached volumes regularly.
- Set CloudWatch log retention — logs stored forever cost real money. Set retention to 30 or 90 days unless compliance requires longer.
Eliminate Waste
# Find and delete unused resources regularly:
# List stopped EC2 instances (still paying for EBS storage)
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=stopped" \
--query 'Reservations[].Instances[].{ID:InstanceId,Name:Tags[?Key==`Name`].Value|[0],Stopped:StateTransitionReason}'
# Find unattached EBS volumes (costing money for nothing)
aws ec2 describe-volumes \
--filters "Name=status,Values=available" \
--query 'Volumes[].{ID:VolumeId,Size:Size,Created:CreateTime}'
# List unused Elastic IPs (charged when not attached to a running instance)
aws ec2 describe-addresses \
--query 'Addresses[?AssociationId==null].{IP:PublicIp,AllocID:AllocationId}'
# Check for old snapshots
aws ec2 describe-snapshots --owner-ids self \
--query 'sort_by(Snapshots, &StartTime)[].{ID:SnapshotId,Size:VolumeSize,Date:StartTime}' \
--output table
Set a monthly calendar reminder to run these checks. Five minutes of cleanup can save hundreds of dollars per year. For organizations, AWS Cost Explorer and AWS Budgets provide dashboards and automated alerts to keep spending under control.
Frequently Asked Questions
How much does AWS cost for a beginner?
AWS offers a generous Free Tier that lasts 12 months after account creation. It includes 750 hours per month of t2.micro or t3.micro EC2 instances, 5 GB of S3 storage, 750 hours of RDS db.t2.micro or db.t3.micro, 1 million Lambda requests per month, and 25 GB of DynamoDB storage. Many beginners can learn and build small projects entirely within the Free Tier without spending anything. After the Free Tier expires, costs depend entirely on usage. A small personal project typically costs between $5 and $20 per month. Always set up billing alerts to avoid surprises.
What is the difference between EC2 and Lambda?
EC2 provides virtual servers that you manage yourself. You choose the OS, instance size, and handle patching, scaling, and availability. Instances run continuously and you pay for uptime regardless of traffic. Lambda is serverless: you upload code and AWS runs it in response to events like HTTP requests, file uploads, or schedules. You pay only for actual execution time in milliseconds. Lambda auto-scales from zero to thousands of concurrent executions. Use EC2 for long-running applications or workloads needing full OS control. Use Lambda for event-driven tasks, APIs, scheduled jobs, and variable traffic patterns.
What AWS services should I learn first?
Start with IAM (Identity and Access Management) since every other service depends on permissions. Then learn S3 for storage and static hosting. Next, learn EC2 to understand virtual servers and networking. Then explore VPC to understand subnets, security groups, and route tables. Finally, learn CloudWatch for monitoring and logging. Once comfortable with these five foundational services, branch into Lambda for serverless, RDS for managed databases, or CloudFormation for infrastructure as code, depending on your project needs.
How do I keep my AWS account secure?
Follow these critical practices: Never use your root account for daily tasks — create an IAM user with admin permissions instead. Enable MFA on both the root account and all IAM users. Follow the principle of least privilege by granting only the minimum permissions needed. Never hardcode access keys in code or commit them to Git. Use IAM roles instead of access keys for EC2 instances and Lambda functions. Enable CloudTrail to log all API activity. Set up billing alerts to detect compromised credentials (unexpected charges are often the first sign of a breach). Rotate access keys regularly and delete unused ones.
Should I choose AWS, Azure, or Google Cloud?
AWS is the best starting point for most developers: it has the largest market share (~31%), the most services (200+), the largest community, and the most job opportunities. Azure is strongest when your organization already uses Microsoft products (Active Directory, Office 365, .NET). Google Cloud excels in data analytics (BigQuery), machine learning (Vertex AI), and Kubernetes (GKE). The core concepts transfer well between all three providers, so mastering one makes learning the others straightforward. Choose based on your job market and existing tooling rather than trying to learn all three at once.
What is Infrastructure as Code and why should I use it?
Infrastructure as Code (IaC) means defining cloud resources in configuration files rather than clicking through a web console. CloudFormation (AWS-native) and Terraform (multi-cloud) are the two most popular tools. Benefits include repeatability (deploy identical infrastructure in any region), version control (track changes in Git), consistency (eliminate manual configuration drift), and disaster recovery (rebuild entire environments from templates in minutes). IaC is essential for any production workload because it makes your infrastructure reproducible, auditable, and shareable across your team.
Conclusion
AWS is vast, but the path to competence is not. The six core services covered in this guide — EC2, S3, RDS, Lambda, VPC, and IAM — account for the vast majority of what developers need day to day. Master these first, then expand into specialized services as your projects require them.
The most important next steps are practical: create an account, secure it properly, launch an EC2 instance, deploy something. Reading about cloud computing is useful, but real understanding comes from seeing a security group block traffic, watching CloudWatch metrics spike during a load test, or accidentally leaving a resource running and getting a billing alert. Those hands-on lessons stick.
Start with the Free Tier, set up billing alerts, and build something small. A static site on S3, a simple API with Lambda and API Gateway, or a WordPress site on EC2 with an RDS database are all excellent first projects. Once you have a working deployment, layer on CloudFormation to make it reproducible, CloudWatch to monitor it, and proper IAM policies to secure it. That progression — deploy, codify, monitor, secure — is the path every AWS professional follows.