AWS Basics for Non-Developer IT
Enough AWS to survive real interviews
Open interactive version (quiz + challenge)Real-world analogy
AWS is another office park next door to Azure. Different signage, same kind of suites, security guards, and rules. If you know one, you can read the other — but don’t pretend they’re identical.
What is it?
AWS for juniors is a cloud-literacy layer: IAM, EC2, VPC, S3, RDS, monitoring, and cost hygiene. You don’t need deep architecting; you need confident reading and safe daily admin of these primitives.
Real-world relevance
A small team needs a test web app. You create one VPC with public/private subnets, launch a t3.micro EC2 in the public subnet with a security group allowing HTTPS, put the app behind a load balancer, and store images in an S3 bucket with block-public-access. CloudTrail logs everything.
Key points
- Accounts, regions, AZs — Every AWS account is a billing and security boundary. Pick a region near users; critical workloads span multiple AZs. Organizations + AWS Control Tower manage many accounts at scale.
- IAM — users, groups, roles, policies — IAM users are long-lived identities (avoid for humans; prefer SSO). Groups hold policies. Roles are temporary identities assumed by services or users. Policies are JSON allow/deny statements.
- EC2 — virtual machines — Launch an instance: image (AMI), instance type, VPC/subnet, security group, key pair, IAM role. Tag everything. Stop (keeps disk, stops compute charge) vs terminate (deletes).
- VPC, subnets, security groups, NACLs — VPC is your private network. Public subnets have routes to an internet gateway; private subnets don’t. Security groups are stateful (per ENI); NACLs are stateless (per subnet). Use SGs primarily.
- S3 storage — Buckets and objects. Versioning, lifecycle, encryption (SSE-S3/KMS), block-public-access. ‘Unintentionally public bucket’ has caused many breaches — make block-public-access a default.
- RDS for managed databases — Managed SQL Server / MySQL / PostgreSQL / MariaDB / Oracle. Automated backups, snapshots, read replicas. Operations loves it; patching and backups become much simpler.
- CloudWatch & CloudTrail — CloudWatch: metrics, logs, alarms. CloudTrail: audit log of API calls. Every mature AWS account should enable CloudTrail across all regions + send logs to secure, immutable storage.
- Cost and hygiene — Cost Explorer, budgets, tags. Clean up unused EBS volumes, snapshots, and idle EC2. Turn on AWS Config for compliance visibility. Don’t leave credentials in git.
Code example
// AWS starter snippets (CLI)
aws configure sso # prefer SSO over long-lived keys
# IAM: list users and groups
aws iam list-users
aws iam list-groups
aws iam list-attached-user-policies --user-name alice
# EC2
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"
aws ec2 stop-instances --instance-ids i-0123456789abcdef0
# S3
aws s3 mb s3://contoso-lab-bucket --region ap-south-1
aws s3api put-public-access-block \
--bucket contoso-lab-bucket \
--public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
# Tag resources
aws ec2 create-tags --resources i-0123456789abcdef0 \
--tags Key=env,Value=lab Key=owner,Value=it-support Key=costcenter,Value=IT-001
# CloudTrail quick check
aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name <trail-name>Line-by-line walkthrough
- 1. AWS starter CLI snippets
- 2. Prefer SSO for credentials
- 3. Blank separator
- 4. IAM listing commands
- 5. Users, groups, attached policies
- 6. Blank separator
- 7. EC2 commands
- 8. Describe running instances
- 9. Stop instance
- 10. Blank separator
- 11. S3 commands
- 12. Create bucket
- 13. Enable block-public-access
- 14. Blank separator
- 15. Tagging commands
- 16. Apply tags for cost tracking
- 17. Blank separator
- 18. CloudTrail checks
- 19. Describe trails
- 20. Get trail status
Spot the bug
Plan: 'Use a single IAM user named root-user for everything, save the access key in our git repo, and share it with the team.'Need a hint?
How many foundational controls does this violate?
Show answer
(1) Using root-level credentials for daily work, (2) long-lived access keys (prefer SSO + short-term roles), (3) secrets in git (easily leaked), (4) shared credentials (no auditability), (5) no MFA on powerful accounts. Replace with: SSO/IAM Identity Center, per-user identities, MFA everywhere, roles for services, secrets in AWS Secrets Manager or Parameter Store — never in git.
Explain like I'm 5
AWS is another huge office park. Put your stuff in a private room (private subnet), let the receptionist (load balancer) route visitors, and never accidentally leave your storage locker (S3) unlocked in the lobby.
Fun fact
The #1 cause of AWS data exposure incidents over the past decade has been publicly accessible S3 buckets. ‘Block Public Access’ is now on by default — but misconfigurations still happen every week.
Hands-on challenge
Open the AWS Free Tier. Create a VPC with 1 public and 1 private subnet, launch a t3.micro EC2 in the private subnet accessed via SSM/Session Manager (no public IP). Add a properly locked-down S3 bucket. Terminate everything when done.
More resources
- AWS Well-Architected Framework (AWS)
- AWS CLI reference (AWS)
- AWS Free Tier (AWS)