AWS · Cloud Provider Deep Dive

Quick Facts

At a Glance

Launched

2006 (S3, EC2)

Parent

Amazon

Services

200+

Regions

~33 globally

Market share

~31% (largest)

Compliance

FedRAMP High, IL5/6, SOC, HIPAA, PCI…

Basic Concepts

Region = geographic area (e.g. us-east-1); AZ = isolated datacenter inside a region.
IAM is the universal access-control system — users, roles, policies in JSON.
Console / CLI / SDK / CloudFormation / CDK are the five ways to do anything.
VPC isolates your network; everything lives in one (or peered ones).
Largest service catalog means there's an "AWS way" to do almost anything — but also the most complexity.

Services

Signature Services Cheatsheet

Category	Service	Use
Compute	EC2	Virtual machines (the original).
Compute	Lambda	Serverless functions.
Compute	ECS / EKS / Fargate	Containers (own / Kubernetes / serverless).
Compute	App Runner / Elastic Beanstalk	PaaS-style.
Storage	S3	The de-facto object storage standard.
Storage	EBS / EFS	Block / file storage.
Database	RDS / Aurora	Managed Postgres / MySQL / Oracle / SQL Server.
Database	DynamoDB	Serverless key-value / document, single-digit-ms latency.
Networking	VPC, Route 53, CloudFront	Network, DNS, CDN.
Messaging	SQS / SNS / EventBridge / Kinesis / MSK	Queues, pub/sub, events, streams, Kafka.
Identity	IAM, Cognito, IAM Identity Center	Service / app / workforce identity.
Analytics	Athena, Redshift, Glue, EMR	SQL on S3, warehouse, ETL, Spark.
AI / ML	Bedrock, SageMaker	Foundation models, full ML platform.
Security	KMS, Secrets Manager, GuardDuty, WAF, Shield	Keys, secrets, threat detection, perimeter.
Observability	CloudWatch, X-Ray	Metrics, logs, tracing.

Mechanics

Working in AWS

The Mental Model

AWS is built bottom-up: small, sharp building blocks you compose. Most production setups end up combining ~10 services (EC2/ECS, ALB, RDS, S3, IAM, CloudWatch, Route 53, KMS, Secrets, SQS). Once you know IAM and VPC, the rest is mostly variations.

IAM Done Right

Roles, not users — services and humans assume roles for short-lived credentials.
Least privilege via policy conditions; iam:PassRole is the trickiest pattern.
IAM Identity Center (formerly SSO) for workforce; permission sets per account.
Multi-account by default — Organizations + AWS Control Tower.

Networking

VPC with public / private subnets; NAT for outbound.
Security Groups = stateful instance firewalls. NACLs = subnet-level (rarely tuned).
Transit Gateway connects many VPCs & on-prem.
PrivateLink exposes AWS services without internet egress.
VPC endpoints route S3 / DynamoDB traffic through the AWS backbone.

Cost Surprises

NAT Gateway charges per GB egress — proxy / VPC endpoints often cheaper.
Cross-AZ traffic for chatty microservices.
S3 list / get / put requests for high-volume workloads.
CloudWatch Logs ingestion can dwarf EC2 cost on chatty apps.
Idle EBS / unused snapshots / orphaned EIPs.

The "AWS Well-Architected" Pillars

Operational Excellence
Security
Reliability
Performance Efficiency
Cost Optimization
Sustainability

A free Well-Architected Review with AWS partners is genuinely useful before going production.

When to Pick

Where AWS Wins

Maximum Optionality

The widest catalog of any cloud — there's a service for almost anything.

Mature Ops & Compliance

Most certifications, most government use, most enterprise battle-testing.

Largest Hiring Pool

More AWS-certified engineers than any other cloud.

Hybrid Reality

Outposts & Local Zones bridge to data centers and metros.

Continue

Other Cloud Providers

Microsoft Azure Google Cloud Oracle Cloud DigitalOcean / Linode Vercel / Netlify / Cloudflare ↑ Back to Cloud