AWS Core Concepts

TL;DR

AWS is organized by Regions (geographic areas) containing Availability Zones (isolated data centers). Access is controlled by IAM (users, roles, policies). Resources live inside VPCs (virtual networks). You pay per-second/per-GB with no upfront cost.

Concept Map

Here's how the core AWS building blocks relate to each other — every service you use sits on top of these foundations.

[Figure: AWS core concepts map showing relationships between Regions, AZs, IAM, VPC, EC2, S3, and billing]

Explain Like I'm 12

AWS is like a giant city with different neighborhoods (Regions). Each neighborhood has several buildings (Availability Zones) connected by hallways. To enter any building, you need a badge (IAM). Your apartment has its own private network with locked doors (VPC). The computers in your apartment (EC2) and your storage lockers (S3) all charge rent based on how much space and time you use.

Cheat Sheet

Concept           | What It Does                          | Key Details
Region            | Geographic area with AWS data centers | 30+ regions globally (us-east-1, eu-west-1, etc.)
Availability Zone | Isolated data center within a Region  | 2-6 AZs per Region, connected by low-latency links
IAM               | Identity & Access Management          | Users, Groups, Roles, Policies — never use root account
VPC               | Virtual Private Cloud (your network)  | Subnets, route tables, internet/NAT gateways
EC2               | Virtual servers (compute)             | Instance types, AMIs, key pairs, security groups
S3                | Object storage (unlimited)            | Buckets, objects, storage classes, versioning
AWS CLI           | Command-line tool for AWS             | aws configure, aws s3 ls, aws ec2 describe-instances
CloudFormation    | Infrastructure as Code                | YAML/JSON templates → automated resource creation

The Building Blocks

1. Regions & Availability Zones

AWS divides the world into Regions — independent geographic areas like us-east-1 (N. Virginia), eu-west-1 (Ireland), or ap-southeast-1 (Singapore). Each Region contains 2-6 Availability Zones (AZs), which are physically separate data centers connected by high-speed fiber.

Tip: Deploy your app in at least 2 AZs for high availability. If one data center goes down, the other keeps running. Choose a Region close to your users for lower latency.

# List all available regions
aws ec2 describe-regions --output table

# List AZs in your current region
aws ec2 describe-availability-zones --output table

2. IAM — Identity & Access Management

IAM controls who can access what in your AWS account. It's the first thing you set up and the most important security layer.

  • Users — Individual people or service accounts
  • Groups — Collections of users sharing the same permissions
  • Roles — Temporary permissions assumed by users or services (e.g., an EC2 instance that needs to read S3)
  • Policies — JSON documents defining allow/deny rules

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}

Warning: Never use the root account for daily tasks. Create an IAM user with admin permissions and enable MFA (Multi-Factor Authentication) on the root account immediately.
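As an added example (not part of this page), a small Python linter that applies the least-privilege checks implied above to a policy document before you attach it. PAGE_POLICY is the statement shown in this section; the risk heuristics and the BROAD_POLICY counter-example are constructed for illustration, not an AWS-published rule set.

```python
import json

# Read-only action name prefixes that are usually acceptable on Resource "*" (constructed heuristic)
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):
    """Action/Resource may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_read_only(action):
    # "s3:GetObject" -> "GetObject"; "*" and "s3:*" are never read-only
    _, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)

def lint_policy(policy):
    """Return human-readable findings for an IAM policy (dict or JSON text)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version: use 2012-10-17, the current policy language version")
    for i, stmt in enumerate(_as_list(policy.get("Statement")), start=1):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"Statement {i}: NotAction/NotResource allows everything except the listed items")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"Statement {i}: wildcard action {a!r} covers every call in that scope")
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append(f"Statement {i}: Resource '*' with a non-read action; scope it to an ARN")
        if any(a.startswith("iam:") for a in actions) and "Condition" not in stmt:
            findings.append(f"Statement {i}: IAM actions allowed without a Condition (privilege escalation risk)")
    return findings

# The policy from the IAM section above: read objects in one bucket only
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}],
}

# Constructed counter-example: a "temporary" broad grant of the kind that never gets removed
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}],
}
```

Run `lint_policy(PAGE_POLICY)` to confirm the page's policy passes clean, and `lint_policy(BROAD_POLICY)` to see the three findings a wildcard grant produces.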

3. VPC — Virtual Private Cloud

A VPC is your own private network inside AWS. Every resource you launch (EC2 instances, RDS databases, Lambda functions) lives inside a VPC. You control:

  • Subnets — Subdivisions of your VPC (public vs. private)
  • Route tables — Rules for where network traffic goes
  • Internet Gateway — Connects public subnets to the internet
  • NAT Gateway — Lets private subnets reach the internet (outbound only)

# Create a VPC with a /16 CIDR block (65,536 IPs)
aws ec2 create-vpc --cidr-block 10.0.0.0/16

# Create a public subnet in AZ us-east-1a
aws ec2 create-subnet --vpc-id vpc-abc123 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a

Info: AWS creates a default VPC in every Region when you create your account. For production, always create custom VPCs with planned CIDR ranges.
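Planning the CIDR ranges up front, as an added example (not the page's or AWS's own tooling): this Python script carves a /16 VPC into one public and one private /24 per AZ, checks that nothing overlaps, and prints the same `aws ec2 create-subnet` commands shown above. The AZ list, tier names and the vpc-abc123 id are assumed values.

```python
import ipaddress

def plan_subnets(vpc_cidr, azs, tiers=("public", "private"), new_prefix=24):
    """Carve one subnet per (AZ, tier) out of the VPC block -> {(az, tier): network}.

    Allocation order is fixed, so re-running gives the same plan and the rest
    of the VPC stays free for later growth.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)   # rejects 10.0.1.0/16 style typos
    candidates = vpc.subnets(new_prefix=new_prefix)
    plan = {}
    for tier in tiers:          # tier-major order keeps each tier's ranges contiguous
        for az in azs:
            try:
                plan[(az, tier)] = next(candidates)
            except StopIteration:
                raise ValueError(f"{vpc_cidr} cannot hold {len(azs) * len(tiers)} /{new_prefix} subnets")
    return plan

def check_plan(plan, vpc_cidr):
    """True if every subnet lies inside the VPC and no two overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = list(plan.values())
    inside = all(n.subnet_of(vpc) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint

def render_cli(plan, vpc_id):
    """Emit one aws ec2 create-subnet command per subnet (flags as in the section above)."""
    return [
        f"aws ec2 create-subnet --vpc-id {vpc_id} --cidr-block {net} "
        f"--availability-zone {az}  # {tier}"
        for (az, tier), net in plan.items()
    ]

if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"])
    assert check_plan(plan, "10.0.0.0/16")
    print("\n".join(render_cli(plan, "vpc-abc123")))  # vpc-abc123: placeholder id from the section
```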

4. Billing & the Free Tier

AWS charges for compute time, storage, and data transfer out. Data transfer in is free. Key billing concepts:

  • On-Demand — Pay per second/hour, no commitment
  • Reserved Instances — 1-3 year commitment, up to 72% discount
  • Spot Instances — Bid on unused capacity, up to 90% discount (can be interrupted)
  • Free Tier — 12 months of limited free usage (750 hrs EC2 t2.micro, 5 GB S3, etc.)
Tip: Set up AWS Budgets and billing alerts on day one. It's easy to accidentally leave resources running. Use aws ce get-cost-and-usage to check your bill from the CLI.

5. The AWS CLI

The AWS Command Line Interface lets you manage AWS services from your terminal. Install it, configure credentials, and you can script anything.

# Install AWS CLI v2 (Linux x86_64; macOS uses the separate .pkg installer)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install

# Configure with your access key
aws configure
# AWS Access Key ID: AKIA...
# AWS Secret Access Key: wJal...
# Default region name: us-east-1
# Default output format: json

# Test it
aws sts get-caller-identity

Info: The CLI uses the same IAM permissions as the user whose access key you configure. For EC2 instances, use IAM Roles instead of access keys — they rotate credentials automatically.
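An added example (not from this page) of turning the `aws sts get-caller-identity` check above into a preflight: it parses the returned ARN to tell root, IAM user and assumed role apart, and uses the access key ID prefix (AKIA for long-term user keys, ASIA for temporary STS credentials) to flag long-lived keys where a role would do. The ROOT and ROLE samples are constructed; the account id and role name are assumed values.

```python
import json

# Access key ID prefixes AWS uses: AKIA = long-term IAM user key, ASIA = temporary
# STS credentials (what an IAM role hands to an EC2 instance or Lambda function).
KEY_PREFIXES = {"AKIA": "long-term", "ASIA": "temporary"}

def credential_kind(access_key_id):
    """Classify an access key ID by prefix; 'unknown' for anything else."""
    return KEY_PREFIXES.get(access_key_id[:4], "unknown")

def classify_caller(identity):
    """Parse `aws sts get-caller-identity` output (dict or JSON text) into
    (principal_type, account_id, name), principal_type being 'root', 'user',
    'assumed-role' or 'other'."""
    if isinstance(identity, str):
        identity = json.loads(identity)
    arn = identity["Arn"]        # e.g. arn:aws:sts::123456789012:assumed-role/Name/session
    parts = arn.split(":", 5)    # arn, partition, service, region, account, resource
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn}")
    account, resource = parts[4], parts[5]
    if resource == "root":
        return ("root", account, "root")
    kind, _, rest = resource.partition("/")
    if kind == "user":
        return ("user", account, rest)
    if kind == "assumed-role":
        return ("assumed-role", account, rest.split("/")[0])  # role name, session dropped
    return ("other", account, rest)

def preflight(identity, access_key_id=""):
    """Warnings a setup script should print before it touches real resources."""
    ptype, _, name = classify_caller(identity)
    warnings = []
    if ptype == "root":
        warnings.append("running as the root account; switch to an IAM user or role")
    if ptype == "user" and credential_kind(access_key_id) == "long-term":
        warnings.append(f"user {name} is on a long-term key; prefer a role on EC2/Lambda")
    return warnings

# Constructed samples in the shape `aws sts get-caller-identity --output json` prints
ROOT = '{"UserId": "123456789012", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:root"}'
ROLE = ('{"UserId": "AROAEXAMPLE:i-0abc", "Account": "123456789012", '
        '"Arn": "arn:aws:sts::123456789012:assumed-role/WebServer/i-0abc"}')

if __name__ == "__main__":
    for sample in (ROOT, ROLE):
        print(classify_caller(sample), preflight(sample, "AKIAEXAMPLE"))
```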

Test Yourself

What happens if an entire Availability Zone goes offline? How should you architect for this?

Services running in that AZ become unavailable, but other AZs in the same Region keep running. You should deploy across multiple AZs using load balancers (ALB/NLB) and auto-scaling groups. S3 and DynamoDB are automatically multi-AZ.

What's the difference between an IAM User and an IAM Role?

A User has permanent long-term credentials (access key + password) and represents a person or service. A Role has no permanent credentials — it provides temporary security credentials that are assumed on demand. Use Roles for EC2 instances, Lambda functions, and cross-account access.

Why would you put a database in a private subnet instead of a public subnet?

A private subnet has no direct internet access, so attackers can't reach your database from the internet. Only resources in your VPC (like EC2 instances in public subnets) can connect to it. This follows the principle of least privilege — databases should never be directly internet-facing.

You left an m5.xlarge EC2 instance running for a month by accident. How could you have prevented a surprise bill?

Set up AWS Budgets with a monthly threshold and billing alerts via SNS email. Use AWS Cost Explorer to review spending. Tag all resources with a project name so you can track costs. For dev/test, use auto-stop scripts or AWS Instance Scheduler to shut down instances outside business hours.

When should you use an IAM Policy vs. a Security Group to control access?

IAM Policies control who can call which AWS API actions (e.g., "can this user create EC2 instances?"). Security Groups control network traffic to/from resources (e.g., "allow TCP port 443 from 0.0.0.0/0"). They operate at different layers: IAM = API authorization, Security Groups = network firewall.