
AWS: From Basics to Production Operations

From your first IAM policy to ECS Fargate · Terraform · cost governance — AWS in one practical book

In progress · 33 chapters · Last updated: May 24, 2026

What this book covers #

  1. From the console to IaC — the early chapters build the mental model with the console and CLI; from Part 4 onward you switch to Terraform, and every piece of infrastructure in the latter half is accompanied by the Terraform code that creates it.
  2. A practical, not a certification, lens — the focus is on “putting production up and operating it reliably,” not on organizing exam scope. The certification exam is bridged only in Appendix A.
  3. Container-first — Lambda is covered too, but the book’s destination is operating a fullstack app on ECS Fargate. The EKS · Kubernetes route belongs to the Kubernetes book.
  4. It doesn’t avoid operations — security governance (Organizations · SCP · GuardDuty), disaster recovery & backup, cost governance, and observability (CloudWatch + X-Ray) are all covered in the final stretch of this introductory book.
  5. It finishes as one fullstack system — in the Part 6 capstone, the Next.js app from React and the FastAPI app from Modern Python are deployed together in one AWS account with ECS Fargate + RDS + S3 + CloudFront + Terraform. You can see directly how the services from Chapters 1 ~ 31 interlock inside a real system.

What this book does not cover #

  • Organizing AWS certification exam scope (CLF / SAA / SAP / DevOps, etc.) belongs to a separate AWS certification book. This book only bridges to it in Appendix A.
  • The depth of EKS · Kubernetes on AWS belongs to the Kubernetes book. This book handles container operations with ECS Fargate.
  • The depth of data / ML services (Redshift · SageMaker · Glue · Athena) is covered in a separate book.
  • It does not cover all AWS services. Of the 200-plus services, this book focuses on the ~30 essentials.

Who this book is for #

  • Developers new to the cloud — backend / fullstack developers who have only built on-premises / local services and feel lost when adopting the cloud. Parts 1 ~ 2 build the mental model of IAM · VPC · EC2 · RDS first.
  • Those who have only used the console — folks who have built infrastructure by clicking but are missing IaC · multi-account · governance. Parts 4 ~ 5 are the value-dense stretch.
  • Infra operators / DevOps · SRE entry track — Part 5 (operations · security · cost) + Part 6 (fullstack deployment) become the operating manual.
  • Those reading alongside the Kubernetes book — Part 6 deploys the same app on ECS Fargate, so comparing it with the EKS deployment in the Kubernetes book makes the operational difference between “managed containers vs k8s” clear.

How this book is structured #

The full length is 33 chapters: Chapters 1 ~ 32 in the main body plus one Appendix A.

  • Part 1: Getting Started with AWS (7 chapters) — AWS intro · IAM · cost management · CLI/SDK · CloudShell/SSO · security basics · CloudWatch intro. Builds the map and daily setup before you enter the console.
  • Part 2: Core Infrastructure (7 chapters) — EC2/VPC · S3 · RDS · Route 53 · ALB/ACM · CloudFront. The core resources for running a web service.
  • Part 3: Containers · Serverless (7 chapters) — ECS/Fargate · ECR · Lambda · API Gateway · EventBridge/SQS/SNS · Secrets Manager · Step Functions. The building blocks of modern architecture.
  • Part 4: IaC + CI/CD in Practice (6 chapters) — ECS Fargate deployment skeleton · RDS integration · CI/CD · Terraform intro · monitoring/X-Ray · cost optimization. One full cycle from console to code.
  • Part 5: Operations · Security · Cost (4 chapters) — VPC in depth · security governance · disaster recovery & backup · Lambda in depth. Four new chapters expanding into the operator’s view.
  • Part 6: Capstone (1 chapter) — deploy the modern-python (FastAPI) and modern-react (Next.js) apps together on one account with ECS Fargate + RDS + Terraform.
  • Appendix A (1 chapter) — a mapping table between this book’s 27 chapters and the CLF-C02 certification exam scope. For certification learners, a bridge to the certification track.

The series this book is built from #

This book is built from the 27 parts of the series below, plus 6 new chapters (4 in Part 5, 1 in Part 6, Appendix A) and a full revision pass. The series below are still up on the site for free.

  • AWS Basics (7 parts) — the Part 1 compile source, the series that first organized accounts · IAM · cost · CLI · security · CloudWatch.
  • AWS Intermediate (7 parts) — the Part 2 compile source, covering EC2/VPC · S3 · RDS · Route 53 · ALB · CloudFront.
  • AWS Advanced (7 parts) — the Part 3 compile source, covering ECS/Fargate · ECR · Lambda · API Gateway · messaging · Step Functions.
  • AWS in Practice (6 parts) — the Part 4 compile source, covering everything from ECS Fargate deployment to Terraform · monitoring · cost optimization.

The book reorganizes the series above into a path from fundamentals to production operations, adding four operations · security · cost chapters + a fullstack ECS Fargate capstone + a CLF-C02 certification bridge appendix to bind it into one volume. Roughly 30% of the core content is new or revised, on top of the fullstack capstone.

Tools that pair well #

This book’s exercises have you writing IAM policies (JSON) and Terraform / CloudFormation code by hand. A single unbalanced brace or misplaced indent will make the aws CLI or terraform apply fail with an error that points far away from the actual mistake. Before you apply a policy document or manifest, paste it once into utilrepo’s JSON↔YAML converter and YAML validator to check the syntax — you’ll save exactly that much debugging time at the console and CLI. utilrepo is a lightweight collection of browser-based web utilities, and nothing secret leaves your machine.

How this book is funded #

This book is funded by site ads (AdSense) and reader support. There is no purchase flow, and all 33 chapters are open to read on the site.

If a chapter helps you, you can support the book on Ko-fi. Reader support is what makes time for the next minor revisions and the next book.


Frequently asked questions #

How is this different from the Kubernetes book? #

The Kubernetes book and this book are sibling products. The same fullstack app (modern-python + modern-react) is deployed in the Part 6 capstone on different platforms — this book on ECS Fargate, the Kubernetes book on EKS. Reading the two side by side makes the operational difference between “managed containers vs k8s” clear.

Can I use this to prepare for a certification (SAA / CLF)? #

This is a practical book, so it doesn’t follow the exam scope verbatim. But Appendix A provides a mapping between this book’s 27 chapters and the CLF-C02 exam scope, bridging practical learning to certification prep. Exam-domain-based organization is covered in a separate certification book.

How much do the exercises cost? #

Most exercises fit within the AWS free tier. Following the Part 4 ECS Fargate deployment + Part 6 capstone may incur a small amount for a short period (around $10/month, on a Fargate Spot + Aurora Serverless v2 minimal setup). Each chapter ends with commands to tear resources down immediately.

Where can I get the book’s code? #

Each chapter’s policy (JSON) and Terraform code is written directly in the body as code blocks, so we recommend typing it out by hand. The finished version of the Part 6 capstone will be provided separately as a GitHub repository. We’ll add the link to this book page once it’s ready.

Can I read this in languages other than English? #

Korean, Japanese, and English all keep the same 33-chapter structure. You can read each from its own book page.

How do I send support or feedback? #

Feedback is welcome through blog comments or email. Typos, improvement suggestions, and code error reports per chapter are folded quickly into the next minor revision. Support runs through the Ko-fi channel, from $1 and up.

What’s next #

This book is currently being written. The planned progression is as follows.

  1. Korean (ko) text — compile and revise the 27 existing AWS series parts into the book’s flow, and write the 6 new chapters (VPC in depth · security governance · disaster recovery · Lambda in depth · fullstack capstone · CLF-C02 bridge).
  2. Korean (ko) release — publish all 33 chapters on the site with a launch post.
  3. Japanese / English (ja / en) alignment — translate into the same 33-chapter structure as a separate milestone.
  4. Regular AWS updates — review price tables · instance types · newly GA services on a six-month cadence.

You can subscribe to new-chapter and launch notices via the RSS feed.

Contents #

Part 1: Getting Started with AWS (7 chapters) #

AWS intro · IAM · cost management · CLI/SDK · CloudShell/SSO · security basics · CloudWatch intro — the seven topics that build the mental map and daily setup before you enter the console.

  1. Getting Started with AWS — Accounts · Regions · AZs. The map you need in your head before you put anything on AWS. The rise of the cloud and AWS, accounts and the root user, Regions and Availability Zones (AZs), the difference between global and regional services, and the first setup right after sign-up.
  2. IAM — Users, Groups, Roles, Policies. Sort out IAM's four elements — users · groups · roles · policies — that decide who you work as on AWS, all in one go. Covers JSON policy syntax, the essence of AssumeRole, and permission-design patterns that hold up even in a small team.
  3. Cost Management — Billing Alerts, Cost Explorer, Free Tier. The limits of the free tier, setting up AWS Budgets and billing alerts, how to slice the invoice with Cost Explorer, and the tag strategy that's the prerequisite for cost analysis. The guardrails that prevent first-invoice shock.
  4. AWS CLI and SDK Setup. Installing aws cli v2 and aws configure, profiles and credentials files, the purpose of SDKs like boto3 / aws-sdk-js, and the order the credential chain flows in — the setup for working with AWS outside the console.
  5. CloudShell and IAM Identity Center (SSO). The in-browser terminal CloudShell, plus the IAM Identity Center (SSO) setup that has become the standard for multi-account login, and the aws cli sso login flow.
  6. Security Basics — MFA, Key Rotation, Least Privilege. Enforcing MFA on root and IAM users, automating access-key rotation, checking permissions with IAM Access Analyzer, least-privilege patterns, and common incident cases — the security guardrails that hold up in operations.
  7. CloudWatch Intro — Logs / Metrics. The structure of CloudWatch Logs / Metrics / Alarms / Dashboards, log groups and retention, Metric Filters, and the basics of Logs Insights queries — the observability tool that becomes the eye of all operations.
Part 2: Core Infrastructure (7 chapters) #

EC2/VPC · S3 · RDS · Route 53 · ALB/ACM · CloudFront — the seven core resources needed to run a web service.

  8. EC2 and VPC Basics. The cloud's oldest compute and network, EC2 and VPC. How instance types, AMIs, and EBS, plus VPC / subnets / route tables / IGW / NAT all weave into one picture — laying the first skeleton of your operational infrastructure.
  9. EC2 Operations — security group, key pair, SSM. The everyday tools of EC2 operations. Security Group rule design, the difference from NACLs, the limits of key pairs and SSM Session Manager, IMDSv2, and how to harden an instance's skeleton with an AMI.
  10. S3 — static hosting, presigned URLs. AWS's oldest object storage, S3. The shape of a bucket and the global uniqueness of its name, policies and Public Access Block, static site hosting, presigned URLs, and the patterns for lowering cost with storage classes.
  11. RDS — managed DB, backups, parameter groups. AWS's managed relational DB service, RDS. A comparison with a DB on EC2, automated backups and snapshots and PITR, Multi-AZ, parameter / option groups, and the operational flow of minor vs major upgrades.
  12. Route 53 — domains and DNS. AWS's managed DNS, Route 53. Domain registration and Hosted Zones, the difference between A / AAAA / CNAME / Alias records, and the Simple / Failover / Latency / Geolocation routing policies.
  13. ALB / NLB and ACM (HTTPS). The role differences among AWS's managed load balancers ALB / NLB / GWLB, the flow of Listener / Target Group / Health Check, and the operational flow of issuing a certificate with ACM and adding HTTPS in one go.
  14. Deploying a static site with CloudFront. AWS's global CDN, CloudFront. The flow of Origin / Behavior / Cache Policy, the S3 + CloudFront static hosting pattern, how to safely shield S3 with OAC, and the operational flow of invalidation.
Part 3: Containers · Serverless (7 chapters) #

ECS/Fargate · ECR · Lambda · API Gateway · EventBridge/SQS/SNS · Secrets Manager · Step Functions — the building blocks of modern architecture.

  15. ECS and Fargate — Deploying Containers. Putting containers on AWS, all in one place. We cover how ECS works (vs EKS), its four building blocks — Cluster · Service · Task · Task Definition — the difference between the EC2 launch type and Fargate, the split between Execution Role and Task Role, ALB · VPC wiring, and everything from your first deployment to Auto Scaling and cost.
  16. ECR — the Image Registry. Where you store the container images that ECS and Lambda will pull. We cover the private / public difference in Amazon ECR, IAM authentication, docker push / pull, image scanning, tag strategy, lifecycle policies, multi-architecture (linux/amd64 + arm64), VPC Endpoints, and cross-account access.
  17. Lambda Basics. The first button of AWS serverless. We cover Lambda's role (vs ECS / EC2), the runtime / handler / event / context model, synchronous / asynchronous / stream invocation, concurrency and cold starts, Reserved / Provisioned Concurrency, memory · time limits, logging and Layers, and cost.
  18. API Gateway + Lambda. The standard pattern for exposing Lambda over HTTP. We cover the difference between REST API and HTTP API, Lambda integration (proxy / non-proxy), routes / methods, authorization (IAM / Cognito / Lambda authorizer), CORS, stages / deployment, throttling, usage plans, caching, custom domains, and cost.
  19. EventBridge / SQS / SNS. AWS's messaging infrastructure, all in one place. We cover the difference between the three tools, SNS topic / SQS queue / EventBridge bus·rule, the fan-out pattern, FIFO vs Standard, DLQs and idempotency, Visibility Timeout, and how they tie into Lambda / ECS.
  20. Secrets Manager / Parameter Store. AWS's secret / configuration management, all in one place. We cover the difference in role between Secrets Manager and SSM Parameter Store, automatic rotation, fetching from code (boto3 / caching / Powertools), ECS and Lambda integration, IaC connection, separating secrets from configuration, and a cost comparison.
  21. Step Functions Intro. The AWS workflow engine, all in one place. We cover the role of a State machine, the four states Task / Choice / Parallel / Map, Standard vs Express, the Amazon States Language (ASL), Lambda / ECS / SDK integration, Retry / Catch error handling, and patterns like Saga and Human-in-the-loop.
Part 4: IaC + CI/CD in Practice (6 chapters) #

ECS Fargate deployment skeleton · RDS integration · CI/CD · Terraform intro · monitoring/X-Ray · cost optimization — one full cycle from the console to code.

  22. Infra skeleton — deploying FastAPI/Django on ECS Fargate. The flow of pushing a container image to ECR, writing a Task Definition, and bringing it up as an ECS Fargate Service behind an ALB. The chapter where you put a small blog API into a production environment for the first time.
  23. RDS integration and migration operations. RDS Postgres Multi-AZ inside the VPC, Security Group design, injecting the password via Secrets Manager, the operational flow of Alembic / Django migrations, and a blue/green-compatible migration pattern, all in one place.
  24. CI/CD — GitHub Actions + ECR + ECS. Access-key-free GitHub Actions with OIDC, ECR push, automatic Task Definition updates, ECS Service rolling deployment, deployment circuit breaker and auto-rollback, all the way to CodeDeploy blue/green. A deployment flow that finishes in a single git push.
  25. IaC — Terraform Intro. Why IaC, the shape of Terraform's provider / resource / state, team collaboration with an S3 + DynamoDB backend, environment separation with modules, and the flow of codifying the previous chapters' infrastructure step by step.
  26. Monitoring — CloudWatch Alarms and X-Ray. Operational CloudWatch Logs Insights queries, the core metrics and alarm thresholds for ECS / RDS / ALB, SNS → Slack notifications, and capturing a slow request with X-Ray distributed tracing. Turning on the eyes of operations.
  27. Cost Optimization and Dashboards. Cost Explorer analysis, Savings Plans / Spot / Graviton, Right Sizing, tag enforcement and cost classification, and the FinOps area. Patterns that actually cut a production system's cost, wrapping up Part 4, 'From the console to code.'
Part 5: Operations · Security · Cost (4 chapters) #

VPC in depth · security governance (Organizations/SCP) · disaster recovery & backup · Lambda in depth — four new chapters that expand into the operator's point of view.

  28. VPC in Depth — Subnet Design · Peering · Transit Gateway · PrivateLink. Takes the VPC basics from Chapter 8 up to production scale. Covers 3-tier / 4-tier subnet design and CIDR planning, internet ingress/egress with NAT · Egress-only IGW · VPC Endpoints (complete with Terraform code and cost math), how to stitch VPCs together with VPC Peering and Transit Gateway, and rounds out with PrivateLink, IPv6 dual-stack, and a multi-VPC mental model.
  29. Security Governance — Organizations · SCP · Account Monitoring. When and how to move from a single account to multi-account. This chapter lays out the structure of grouping accounts into OUs with AWS Organizations, how to set organization-wide guardrails with SCP (Terraform example), the Control Tower landing zone, how to turn GuardDuty · Security Hub · Config · Inspector on for the whole organization from a delegated administrator, connecting IAM Identity Center SSO, and the one-account → N-account migration pattern.
  30. Disaster Recovery & Backup — Backups · Cross-region DR · RTO/RPO. Designing how to bring data and services back when one AZ or one region goes down. Set RTO/RPO first, then put backups in place with Terraform via RDS PITR · S3 versioning and Cross-Region Replication · AWS Backup, and round out with the cross-region DR patterns Pilot Light · Warm Standby · Multi-Site, using Route 53 failover.
  31. Lambda in Depth — Cold Starts · SnapStart · Packaging · Observability. Adds a production-operations lens on top of Chapter 17's Lambda basics. Covers cold starts and SnapStart · Provisioned Concurrency, packaging with Layers and container images (one full FastAPI cycle), Lambda Powertools-based observability, combining with Step Functions, and the Lambda vs Fargate cost trade-off.