
AWS for Developers: The Definitive Pillar Guide to Cloud Infrastructure

[2026-06-16] Author: Ing. Calogero Bono

Why This Article Exists

You have an application to deploy. You hear about EC2, S3, Lambda, RDS. You open the AWS console and see over 200 services. The sales guy says "it's cheap, it's scalable." Then the first bill arrives, and your accountant gives you that look. We, at Meteora Web, have been using AWS for years. We know the cloud is a powerful tool, but only if you use it wisely. We come from accounting and engineering: every service has a cost, a margin, a return. In this pillar guide, we cover everything a developer needs to know to use AWS in production: from IAM basics to infrastructure as code, containers, and serverless. No abstract theory: real examples, actionable commands, decisions to make.

Account, IAM, and Regions: The Entry Ticket

Before launching any resource, you need to understand who you are and where you are. IAM (Identity and Access Management) is AWS's permission system. Never use the root user for daily operations. Create a user with least-privilege permissions and enable MFA. We still see companies with root access keys in plain text config files. It's like leaving the house keys under the doormat.

Regions and Availability Zones

AWS has regions worldwide (us-east-1, eu-west-1, eu-south-1…). Choose the region closest to your users to reduce latency. Each region has at least 3 independent Availability Zones (AZs). For resilience, distribute resources across multiple AZs. A single-AZ instance is a single point of failure.

First command: create an S3 bucket

With AWS CLI configured, create a bucket with:

aws s3 mb s3://my-unique-bucket --region eu-west-1

Note: the bucket name must be globally unique. If you get an error, change the name.


EC2: The Classic Yet Versatile Virtual Machine

EC2 is the most well-known compute service. Choose an AMI, an instance type (t2.micro for testing, m5.large for production), configure a security group (firewall), and a key pair for SSH. Sounds simple, but mistakes are common.

Security Group: Allow only what's needed

A common mistake is opening all ports (0.0.0.0/0) for testing and then forgetting. When a DDoS attack or brute force attempt happens, the problem is yours. Golden rule: least privilege. If you need SSH from your IP, open only your public IP. Example rule via AWS CLI:

aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 203.0.113.0/32
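The forgotten 0.0.0.0/0 rule is easy to catch automatically. The following added example (not code from the article or from Meteora Web) audits the JSON that `aws ec2 describe-security-groups` returns, flags any ingress rule open to the whole Internet (IPv4 0.0.0.0/0 or IPv6 ::/0) unless it is the single web port 80 or 443, and lists which administrative ports the rule exposes. The security group data below is constructed for the example; the group IDs and the 203.0.113.0/32 address are taken from the text.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON output.
# Group sg-12345678 has the classic "opened for testing, then forgotten" rules.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-12345678",
        "GroupName": "web-test",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-87654321",
        "GroupName": "admin",
        "IpPermissions": [
            # SSH restricted to one /32, as the article recommends.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/32"}], "Ipv6Ranges": []},
        ],
    },
]

# Ports a public web tier is expected to expose; anything else open to the world is a finding.
PUBLIC_OK_PORTS = {80, 443}
# Ports that must never be reachable from anywhere (named for the report).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
               1433: "MSSQL", 6379: "Redis", 27017: "MongoDB"}


def is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm: dict) -> tuple:
    """Port span of one permission; IpProtocol "-1" means all traffic, all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_ingress(groups: list) -> list:
    """Return one finding per (rule, CIDR) pair that is open to the whole Internet."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            lo, hi = port_range(perm)
            for cidr in cidrs:
                if not is_anywhere(cidr):
                    continue
                if lo == hi and lo in PUBLIC_OK_PORTS:
                    continue  # a single public web port is the intended use
                exposed = [f"{p}/{name}" for p, name in ADMIN_PORTS.items() if lo <= p <= hi]
                findings.append({
                    "group": group["GroupId"],
                    "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                    "cidr": cidr,
                    "exposed": exposed,
                })
    return findings


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_GROUPS):
        print(f"{f['group']}: tcp {f['ports']} open to {f['cidr']} (exposes {f['exposed']})")
```

Run it against real output by loading `aws ec2 describe-security-groups --output json` and passing the `SecurityGroups` list to `audit_ingress`; every finding is a rule to revoke and re-add scoped to a /32 like the one in the command above.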

Instance Type and Costs

We have seen projects using r5.2xlarge instances for a simple WordPress site. That's overkill, costing hundreds of euros per month. Use t3.medium for variable workloads, m5.large for standard web apps. Monitor with CloudWatch, scale vertically only when needed.

S3: Object Storage for Static Files, Backups, and Hosting

S3 is an object storage system with 99.999999999% durability (11 nines). Perfect for images, videos, backups, and static website hosting. Set a bucket policy to make content public only when necessary.

Versioning and Lifecycle

Enable versioning to protect against accidental deletions. Then configure a lifecycle policy to move old objects to S3 Glacier (low-cost archive). Example policy to transition after 30 days:


{
  "Rules": [{
    "Status": "Enabled",
    "Prefix": "",
    "Transitions": [{
      "Days": 30,
      "StorageClass": "GLACIER"
    }]
  }]
}
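On a versioned bucket the rule above only moves the current version of each object; every overwrite and every delete leaves a noncurrent version behind that keeps costing money. The following added example (not code from the article) builds the same Glacier transition extended with a noncurrent-version expiration and an abort for stale multipart uploads, and validates a lifecycle configuration against the S3 constraints that most often reject one: a recognised storage class, a 30-day minimum before STANDARD_IA/ONEZONE_IA, and strictly increasing `Days` across transitions. The default day counts are assumptions; pick your own.

```python
import json

# Storage classes S3 accepts as lifecycle transition targets.
TRANSITION_CLASSES = {"STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING",
                      "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"}
# Classes S3 refuses to transition into before the object is 30 days old.
MIN_30_DAYS = {"STANDARD_IA", "ONEZONE_IA"}


def build_lifecycle_config(days_to_glacier: int = 30, noncurrent_expire_days: int = 90,
                           prefix: str = "") -> dict:
    """The article's rule (current versions to GLACIER after N days) plus the two
    pieces a versioned bucket needs: expire old versions and abort stale uploads."""
    return {
        "Rules": [{
            "ID": f"archive-{prefix or 'all'}",
            "Status": "Enabled",
            "Filter": {"Prefix": prefix},
            "Transitions": [{"Days": days_to_glacier, "StorageClass": "GLACIER"}],
            "NoncurrentVersionExpiration": {"NoncurrentDays": noncurrent_expire_days},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
        }]
    }


def validate_lifecycle(config: dict) -> list:
    """Return a list of problems; an empty list means S3 should accept the configuration."""
    problems = []
    for i, rule in enumerate(config.get("Rules", [])):
        where = f"rule {i}"
        if rule.get("Status") not in ("Enabled", "Disabled"):
            problems.append(f"{where}: Status must be Enabled or Disabled")
        if "Filter" not in rule and "Prefix" not in rule:
            problems.append(f"{where}: needs a Filter (or the older top-level Prefix)")
        last_days = -1
        for t in rule.get("Transitions", []):
            days, cls = t.get("Days"), t.get("StorageClass")
            if not isinstance(days, int) or days < 0:
                problems.append(f"{where}: Days must be a non-negative integer")
                continue
            if cls not in TRANSITION_CLASSES:
                problems.append(f"{where}: unknown StorageClass {cls!r}")
                continue
            if cls in MIN_30_DAYS and days < 30:
                problems.append(f"{where}: {cls} transition needs Days >= 30 (got {days})")
            if days <= last_days:
                problems.append(f"{where}: transition Days must strictly increase")
            last_days = days
    return problems


if __name__ == "__main__":
    cfg = build_lifecycle_config()
    assert validate_lifecycle(cfg) == []
    # Save this and apply it with:
    # aws s3api put-bucket-lifecycle-configuration --bucket my-unique-bucket \
    #     --lifecycle-configuration file://lifecycle.json
    print(json.dumps(cfg, indent=2))
```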

Static website hosting

Enable "Static website hosting" on a bucket, upload HTML/JS/CSS files, and get a public URL. For a custom domain, use CloudFront and Route 53. It's cheap and lightning fast.

Lambda and Serverless: Run Code Without Managing Servers

Lambda executes functions in response to events (S3 uploads, API Gateway requests, DynamoDB changes). You pay only for execution time and number of requests. Ideal for microservices, webhooks, async processing.

First Lambda function in Python

Example function that responds to an S3 event:

import urllib.parse
import boto3  # available in the Lambda runtime; needed once you act on the object

def lambda_handler(event, context):
    for record in event['Records']:
        bucket = record['s3']['bucket']['name']
        # S3 URL-encodes the key in the event ("my photo.jpg" arrives as "my+photo.jpg"),
        # so decode it before using it in any S3 call
        key = urllib.parse.unquote_plus(record['s3']['object']['key'])
        print(f"New file: {bucket}/{key}")
        # do something, like resize an image
    return {'statusCode': 200}

Beware of Cold Starts

If a function isn't called for a while, the next request takes an extra few hundred milliseconds (cold start). For latency-sensitive workloads, use Provisioned Concurrency or move to containers on ECS/Fargate.
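The cheapest cold-start mitigation costs nothing: do expensive setup (SDK clients, config, connections) at module scope, which runs once per execution environment, and keep the handler itself lean. The following added example (not code from the article) shows the S3-triggered handler written that way and drives it with a constructed event, proving that three invocations build the client once. A stand-in client class replaces `boto3.client("s3")` so the example runs offline; the bucket name comes from the article, the event payload and the image-suffix filter are assumptions.

```python
import time
import urllib.parse


class FakeS3Client:
    """Constructed stand-in for boto3.client("s3") so this runs without AWS.
    In Lambda you would write `s3 = boto3.client("s3")` in exactly the same place."""
    init_count = 0

    def __init__(self):
        FakeS3Client.init_count += 1
        time.sleep(0.01)  # pretend client construction is expensive


# Module scope runs once per execution environment (the cold start). Every warm
# invocation reuses these objects, so this is where expensive setup belongs.
s3 = FakeS3Client()
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".webp")


def lambda_handler(event, context):
    """Process S3 object-created records; returns what was handled and what was ignored."""
    processed, skipped = [], []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            skipped.append("not an S3 record")
            continue
        bucket = record["s3"]["bucket"]["name"]
        # S3 URL-encodes object keys in the event: "my photo.jpg" arrives as "my+photo.jpg"
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        if not key.lower().endswith(IMAGE_SUFFIXES):
            skipped.append(key)
            continue
        # here you would call s3.get_object(Bucket=bucket, Key=key) and resize the image
        processed.append(f"{bucket}/{key}")
    return {"statusCode": 200, "processed": processed, "skipped": skipped}


# Constructed S3 PUT event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {"Records": [
    {"eventSource": "aws:s3",
     "s3": {"bucket": {"name": "my-unique-bucket"}, "object": {"key": "uploads/my+photo.jpg"}}},
    {"eventSource": "aws:s3",
     "s3": {"bucket": {"name": "my-unique-bucket"}, "object": {"key": "uploads/notes.txt"}}},
]}


def simulate_invocations(n: int = 3) -> tuple:
    """Invoke the handler n times as a warm Lambda would; returns (last result, client inits)."""
    result = None
    for _ in range(n):
        result = lambda_handler(SAMPLE_EVENT, context=None)
    return result, FakeS3Client.init_count


if __name__ == "__main__":
    result, inits = simulate_invocations()
    print(result, f"client built {inits} time(s)")
```

The same structure is what Provisioned Concurrency keeps warm: it pre-runs the module-scope code, so the more setup you move there, the more a provisioned environment saves you per request.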

RDS and Aurora: Managed Databases Without Headaches

RDS manages MySQL, PostgreSQL, MariaDB, Oracle, SQL Server. Aurora is a proprietary engine compatible with MySQL/PostgreSQL, offering better performance and automatic replicas. We use Aurora Serverless for variable workloads: pay only for the resources consumed.

Create an RDS instance

In console or CLI:


aws rds create-db-instance \
  --db-instance-identifier mydb \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --master-username admin \
  --master-user-password 'StrongP@ss123'

Important: do not expose the database to the Internet. Place it in a private subnet of your VPC. Connect to it from an application server (e.g., PHP on EC2) or through an RDS Proxy endpoint.

CloudFront: CDN for Global Speed and HTTPS

CloudFront distributes your content (static or dynamic) through a network of edge locations. Result: reduced load times, DDoS protection (AWS Shield Standard included), free HTTPS with AWS Certificate Manager.

Serve an S3 bucket behind CloudFront

Create a distribution with S3 origin, set the behavior for HTTPS, and attach a custom domain via Route 53. To prevent direct bucket access, use Origin Access Control (OAC) and block public bucket policies.
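Two things have to be true for the setup above to work: the bucket policy must admit only your CloudFront distribution, and no statement may still grant access to everyone. The following added example (not code from the article) generates the OAC bucket policy, which allows `s3:GetObject` to the CloudFront service principal only when the request comes from one distribution ARN, and audits a bucket policy for `Allow` statements whose principal is anyone and that carry no `Condition`. It also serves the earlier S3 advice to make content public only when necessary, since the world-readable policy it flags is the usual shortcut. The bucket name is from the article; the distribution ARN is a placeholder you replace with your own.

```python
import json


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Bucket policy that lets only the named CloudFront distribution read objects (OAC)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAC",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True for Principal "*" and for Principal {"AWS": "*"} (or a list containing it)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy: dict) -> list:
    """Sids (or positional names) of Allow statements open to anyone with no Condition.
    Statements that do carry a Condition are not flagged here and still deserve review."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if _principal_is_anyone(st.get("Principal")) and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement-{i}"))
    return hits


# Constructed example of the shortcut many tutorials paste: a world-readable bucket.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-unique-bucket/*"}],
}

# Placeholder distribution ARN (not a real distribution); substitute your own.
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID"


if __name__ == "__main__":
    print("public statements in shortcut policy:", public_statements(PUBLIC_READ_POLICY))
    policy = oac_bucket_policy("my-unique-bucket", DIST_ARN)
    print("public statements in OAC policy:", public_statements(policy))
    # Apply with: aws s3api put-bucket-policy --bucket my-unique-bucket --policy file://policy.json
    print(json.dumps(policy, indent=2))
```

Pair the OAC policy with Block Public Access enabled on the bucket: the policy is what grants CloudFront access, the block is what stops the next person from re-adding a `Principal: "*"` statement.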

VPC: Your Private Network on AWS

A VPC (Virtual Private Cloud) is an isolated virtual network where you launch your resources. Every AWS account has a default VPC, but for production, create a custom one with public and private subnets, an Internet Gateway, and a NAT Gateway for private subnets.

Public and Private Subnets

Public subnets: instances with public IP addresses, reachable from the Internet (e.g., load balancer, bastion host). Private subnets: instances without a public IP; they reach the Internet outbound through the NAT Gateway and can only be reached inbound through a VPN or a bastion. A typical web app: load balancer in public, web servers in private (more secure). We always do this.
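Laying out the subnets is the part people do by hand and get overlapping. The following added example (not code from the article) carves one public and one private subnet per Availability Zone out of a VPC CIDR with the standard `ipaddress` module, refuses a range too small for the plan, and checks the result for overlaps. The VPC range, the /24 size and the AZ names are assumptions; the region is the eu-west-1 mentioned in the article.

```python
import ipaddress


def plan_subnets(vpc_cidr: str, azs: list, new_prefix: int = 24) -> dict:
    """Carve one public and one private subnet per AZ out of vpc_cidr.
    Public subnets are allocated first, then private ones; the rest of the range stays free."""
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = iter(vpc.subnets(new_prefix=new_prefix))
    plan = {"public": {}, "private": {}}
    try:
        for az in azs:
            plan["public"][az] = str(next(pool))
        for az in azs:
            plan["private"][az] = str(next(pool))
    except StopIteration:
        raise ValueError(f"{vpc_cidr} cannot hold {2 * len(azs)} /{new_prefix} subnets") from None
    return plan


def check_no_overlap(plan: dict) -> bool:
    """True when no two subnets in the plan share any address."""
    nets = [ipaddress.ip_network(cidr) for tier in plan.values() for cidr in tier.values()]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # Assumed VPC range and the three AZs of eu-west-1.
    plan = plan_subnets("10.0.0.0/16", ["eu-west-1a", "eu-west-1b", "eu-west-1c"])
    for tier, subnets in plan.items():
        for az, cidr in subnets.items():
            print(f"{tier:8} {az}  {cidr}")
    print("no overlap:", check_no_overlap(plan))
```

What makes a subnet "public" is not its name but its route table: the public subnets get a 0.0.0.0/0 route to the Internet Gateway, the private ones a 0.0.0.0/0 route to the NAT Gateway. Create the route tables with the same per-AZ mapping the plan returns.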

Containers on AWS: ECS vs EKS

If you use Docker containers, you have two main choices: Amazon ECS (AWS-managed) or Amazon EKS (Kubernetes). ECS is simpler, with native integration. EKS is the de facto standard for complex orchestration, multi-cloud, or if you already use Kubernetes elsewhere.


When to choose ECS

If your stack is simple (e.g., a Node.js app with RDS), ECS with Fargate (serverless containers) is ideal. No nodes to manage, pay for CPU and RAM used.

EKS and Helm

If you already use Kubernetes or need flexibility (sidecars, service mesh), go with EKS. We have written a practical guide on Helm for Kubernetes to automate deployments. With EKS, you can use the same toolchain.

Infrastructure as Code with AWS CDK and SAM

Clicking through the console or running CLI commands by hand for every resource is unsustainable. AWS Cloud Development Kit (CDK) lets you define infrastructure with programming languages (TypeScript, Python, Java, C#). AWS SAM is specialized for serverless applications.

Example with CDK (Python)

from aws_cdk import (
    Stack,
    aws_s3 as s3,
    aws_lambda as lambda_,
    aws_s3_notifications as s3n
)
from constructs import Construct

class MyStack(Stack):
    # kwargs must be unpacked with ** so Stack receives them as keyword arguments
    def __init__(self, scope: Construct, id: str, **kwargs):
        super().__init__(scope, id, **kwargs)
        bucket = s3.Bucket(self, "MyBucket")
        # function code is read from the ./lambda directory; index.py must define handler()
        fn = lambda_.Function(self, "MyFunction",
            runtime=lambda_.Runtime.PYTHON_3_9,
            handler="index.handler",
            code=lambda_.Code.from_asset("./lambda"))
        # CDK wires the S3 -> Lambda trigger and the invoke permission for you
        bucket.add_event_notification(s3.EventType.OBJECT_CREATED, s3n.LambdaDestination(fn))

With CDK, deployment is a single command: cdk deploy. Rollback? cdk destroy. Full version control. We use it for all new projects.


Cost Management with AWS Cost Explorer

The part nobody loves but makes the difference. AWS Cost Explorer provides charts and forecasts. Set up budgets and alarms to receive alerts when spending exceeds a threshold. We recommend enabling cost allocation tags: tag every resource with project, environment (dev, prod), client.

5 ways to save money immediately

  • Reserved Instances or Savings Plans for predictable workloads (up to 72% discount).
  • Shut down unused resources (e.g., test instances left running for months).
  • Use storage tiers for S3 (move old data to Glacier).
  • Lambda with Provisioned Concurrency only when needed; otherwise use on-demand.
  • Monitor data transfer costs: cross-region traffic is expensive. Keep assets in the same region.

In Summary — What to Do Now

We've covered a lot. But here's the concrete action plan:

  1. Create an AWS account (if you don't have one). Enable MFA on the root user and create an IAM admin user with access keys.
  2. Set a budget of $10 per month. You'll get an alert if you exceed it. No surprise bills.
  3. Launch a t2.micro EC2 instance in the free tier. SSH into it, install a web server. Then terminate it.
  4. Try a Lambda function with S3 trigger. Upload an image, watch the log in CloudWatch.
  5. Read the official AWS documentation for IAM and EC2.

We, at Meteora Web, use AWS every day for clients across Italy. If you need a solid, measured, cost-controlled infrastructure, contact us. We talk numbers, not hype.

Ing. Calogero Bono


Computer Engineer, co-founder of Meteora Web. Expert in software architecture, cybersecurity and scalable systems development.