Cloud AWS core
Guides for AWS fundamentals: EC2 lifecycle, AMIs, security groups, load balancers, Auto Scaling, cost controls, RDS, CloudWatch, and backups.
- easy 22
- medium 4
Easy
- Cost and blast radius control in AWS
Limit cost overruns and blast radius with billing alerts, quotas, and organizational boundaries. Use billing alarms, service quotas, and separate accounts or OUs for prod vs non-prod. Use this when designing a multi-account setup or when preventing runaway cost or impact.
- EBS basics (volumes, types, attach to EC2)
EBS provides block storage for EC2 instances. Create a volume in an AZ, attach it to an instance in the same AZ, and mount it inside the OS. Use this when you need persistent disk for an instance or when sizing or changing the root or data volume.
- How to connect to EC2 via SSH
Connect to a Linux EC2 instance using the key pair you chose at launch. Set permissions on the private key, use the correct user name for the AMI, and fix the security group or network settings if the connection fails. Use this when you cannot SSH to a new or existing instance.
- EC2 instance types and when to use them
EC2 instance types (t3, m5, c5, r5, etc.) offer different CPU, memory, and storage profiles. Choose by workload: general purpose, compute-optimized, memory-optimized, or storage-optimized. Use this when sizing a new instance or right-sizing for cost.
- How to launch an EC2 instance
Launch an Amazon EC2 instance from the console or CLI: choose AMI, instance type, key pair, and network. Use this when you need a new Linux or Windows server in AWS and want to get it running with the right size and access (SSH or RDP key).
- How to block S3 public access
Keep S3 buckets private by enabling Block Public Access at the account and bucket level. Prevents accidental public read or write from bucket policy or ACLs. Use this when creating or auditing S3 buckets so data is not exposed to the internet.
- S3 bucket basics (create, configure, access)
Create an S3 bucket in a region; set the bucket policy and block public access; upload and download objects. Use this when you need object storage for backups, static assets, or a data lake and want to do it securely with the right permissions.
- S3 encryption (server-side and keys)
Enable server-side encryption (SSE) for S3 so objects are encrypted at rest. Use SSE-S3 (AWS-managed keys) or SSE-KMS (customer or AWS KMS key). Use this when storing sensitive data in S3 and when you need to meet encryption compliance.
- Security groups basics (EC2 and VPC)
Security groups are stateful firewalls for EC2 instances and other VPC resources. Rules allow inbound and outbound by port, protocol, and source/destination. Use this when you cannot reach an instance or when locking down access to a service.
- VPC basics (what it is and why it matters)
A VPC is your isolated network in AWS: you control IP ranges, subnets, route tables, and gateways. Use it to place instances in public or private subnets and to control inbound and outbound traffic. Use this when designing or troubleshooting EC2 networking.
- EC2 Auto Scaling basics
Use an Auto Scaling group (ASG) to maintain a desired number of instances; scale on demand or on a schedule. Attach to a load balancer target group for traffic distribution. Use this when you need high availability or when scaling instance count based on load or schedule.
- Backups in AWS (EBS snapshots and AMIs)
Back up EBS volumes with snapshots (incremental, stored in S3 by AWS). Create snapshots manually or with Data Lifecycle Manager (DLM). AMIs include root volume snapshots. Use this when implementing backup strategy for EC2 or when automating snapshot creation and retention.
- EC2 AMI basics
An AMI is a template for an EC2 instance. Use a public AMI (Amazon Linux, Ubuntu) or create your own from an instance for consistent deployments. AMI IDs are region-specific. Use this when launching instances or building a custom AMI.
- Load balancer basics (ALB and NLB)
Use an Application Load Balancer (ALB) or Network Load Balancer (NLB) to distribute traffic to EC2 or other targets. ALB is layer 7 (HTTP/HTTPS); NLB is layer 4 (TCP/UDP). Use this when exposing a multi-instance service or when you need TLS termination or path-based routing.
- Security groups vs NACLs (when to use which)
Security groups are stateful and apply to instances; NACLs are stateless and apply at the subnet level. Use security groups for most rules; add NACLs for subnet-level allow/deny or when you need rule numbers for order. Use this when designing VPC network security.
- Amazon CloudWatch basics
CloudWatch provides metrics, logs, and alarms in AWS. EC2 and many services send metrics automatically. Use for monitoring and alerting on AWS resources.
- AWS cost controls basics
Control AWS spend with budgets, alerts, and tags. Set a budget and get alerts at thresholds. Use tags for allocation and cleanup. Use when you want to avoid surprise bills or allocate cost.
- EC2 instance lifecycle basics
EC2 instances move through the states pending, running, stopping, stopped, and terminated. Use stop to save cost without losing EBS; use terminate to delete. Use this when managing instance state and cost.
- EC2 stop and start
Stop an EC2 instance to save cost; EBS is kept. When you start it again, the public IP usually changes unless you use an Elastic IP. Use when saving cost or pausing workloads.
- Elastic IP basics
An Elastic IP is a static public IP you attach to an EC2 instance. It survives stop and start. You are charged if it is allocated but not attached. Use when you need a fixed public IP.
- S3 lifecycle rules basics
Use S3 lifecycle rules to transition objects to cheaper storage classes or expire them. Reduces cost for old or temporary data. Use when you have buckets with objects that age or are temporary.
- VPC Flow Logs
Enable VPC Flow Logs to capture accepted and rejected traffic at the ENI or subnet level. Send them to CloudWatch Logs or S3. Use for security and network troubleshooting.
Medium
- How to set up public and private subnets in a VPC
Create subnets with the right route tables so some are public (route to Internet Gateway) and others private (route to NAT for outbound only). Place load balancers and bastions in public subnets; app and DB in private. Use this when building a layered network in AWS.
- EC2 placement groups
Placement groups control how instances are placed: cluster for low latency, spread for isolation, partition for large distributed apps. Use when you need low latency or fault isolation.
- IAM hardening follow-up
After basic IAM setup, reduce risk with permission boundaries, SCPs, and regular audits. Use when you want to tighten IAM beyond least privilege and MFA.
- Amazon RDS basics
RDS is a managed relational database service (PostgreSQL, MySQL, MariaDB, etc.). Create a DB instance in a VPC; connect using its endpoint. Use when you want a managed DB without handling backups and patches yourself.