Cloud Fundamentals — AWS Deep Dive Notes
All 14 modules. Every concept explained simply. Cloud vs on-premise comparisons so you understand the why, not just the clicks. Free to read — no account needed.
What is Cloud Computing?
Why companies moved from their own servers to the cloud — explained simply.
What is Cloud Computing?
Cloud computing means renting computers, storage, and networking from someone else's data center over the internet — instead of buying and running your own hardware. You pay for what you use, turn it on or off any time, and access it from anywhere.
Before cloud, a company that needed a server had to buy physical hardware, rack it in a data center, hire someone to manage it, and wait weeks for delivery. With cloud, you have a server running in 60 seconds and pay by the hour.
| Topic | On-Premise (Your Own Server) | Cloud (AWS/GCP/Azure) |
|---|---|---|
| Setup time | Weeks — order, deliver, rack, configure | 60 seconds — click or run a command |
| Cost model | Big upfront cost (CapEx) | Pay per hour/GB used (OpEx) |
| Scaling | Buy more hardware — slow and expensive | Add servers in minutes, remove when done |
| Maintenance | Your team manages hardware, power, cooling | Cloud provider handles the physical layer |
| Availability | One location — if it burns, you're down | Multiple regions — failover in seconds |
| Security | Your responsibility end to end | Shared — provider secures hardware, you secure data |
| Best for | Regulated industries, fixed workloads | Startups, variable workloads, global reach |
Cloud Service Models — IaaS, PaaS, SaaS
Cloud isn't one thing — it's a spectrum of how much the provider manages for you.
- IaaS
- Infrastructure as a Service. You get raw VMs, storage, networking. You manage the OS upward. Example: EC2, VPC.
- PaaS
- Platform as a Service. Provider manages OS and runtime. You just deploy your app. Example: AWS Elastic Beanstalk, Heroku.
- SaaS
- Software as a Service. Fully managed application. You just use it. Example: Gmail, Salesforce, Zoom.
- Region
- A geographic area with AWS data centers. Example: us-east-1 (N. Virginia), ap-south-1 (Mumbai).
- Availability Zone
- An isolated data center inside a region. Multiple AZs = high availability. Failure in one AZ doesn't affect others.
- Shared Responsibility
- AWS secures the hardware and infrastructure. You secure your OS, data, and applications.
Course focus: We use AWS — the largest cloud provider with 33% market share. Skills transfer to GCP and Azure since concepts are nearly identical.
Cloud Providers Overview
AWS, GCP, Azure, DigitalOcean — what each is best at and how to get started free.
| Provider | Best For | Free Tier |
|---|---|---|
| AWS | Everything — largest service catalog, most jobs require it | 12 months — 750 hrs of EC2 t2.micro per month |
| Google Cloud (GCP) | Machine learning, Kubernetes (GKE), data analytics | $300 credit for 90 days + always-free tier |
| Azure | Microsoft shops — Active Directory, .NET, Windows VMs | $200 credit for 30 days + 12 months free |
| DigitalOcean | Simple apps, small teams, developers — less complex | $200 credit for 60 days |
| Linode / Akamai | Budget-friendly Linux VMs, developer projects | $100 credit |
Why AWS First?
AWS has the largest market share (~33%), the most job postings, the widest service catalog (200+ services), and the biggest community. If you learn AWS, picking up GCP or Azure takes days — not months — because the concepts are identical. Only the names and console layouts differ.
```text
# 1. Go to: https://aws.amazon.com/free
# 2. Click "Create a Free Account"
# 3. Enter email + password → set account name
# 4. Enter contact info (Personal account is fine)
# 5. Enter credit/debit card (required but not charged in free tier)
# 6. Verify identity via SMS
# 7. Choose Support Plan → Basic (Free)
# 8. Sign in to AWS Console

# IMPORTANT — Do these immediately after account creation:
# - Enable MFA on root account
# - Set a billing alarm (Module 14)
# - Never use the root account for daily work
# - Create an IAM user for everything (Module 03)
```
Free tier warning: AWS free tier has limits. An EC2 t2.micro runs free for 750 hours/month — that's one instance running 24/7. Two instances = you get billed. Always set a billing alarm before starting labs.
IAM & Console
Identity and Access Management — who can do what in your AWS account.
What is IAM?
IAM (Identity and Access Management) controls who can access your AWS account and what they can do. The root account (email + password you signed up with) has unlimited power — like the Linux root user. You should never use it for daily work. Instead, create IAM users with only the permissions they need.
Think of IAM like a company's access card system — the CEO has a master key, employees have cards that open only the doors they need.
| Concept | AWS IAM | Linux Equivalent |
|---|---|---|
| Superuser | Root account (email login) | root user |
| Regular user | IAM User | useradd username |
| Group | IAM Group (attach policies to group) | groupadd, usermod -aG |
| Permissions | IAM Policy (JSON document) | chmod, chown, sudoers |
| Service identity | IAM Role (for EC2, Lambda etc.) | Service account user |
| Temp access | STS assume-role | su - username |
| API key | Access Key ID + Secret Key | SSH key pair |
```text
# ── Console: Create IAM User ──
# IAM → Users → Create User
#   → Username: kamran-admin
#   → Enable: AWS Management Console access
#   → Attach policy: AdministratorAccess (for learning)
#   → Download credentials CSV

# ── Enable MFA on root (do this first!) ──
# Top right → Security credentials → MFA → Assign MFA device
# Use Google Authenticator or Authy on your phone

# ── Create Access Keys for CLI ──
# IAM → Users → Your User → Security credentials → Access keys
```

IAM Policy example (read-only S3):

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "*"
  }]
}
```
- IAM User
- A person or application with a username and password or access keys to use AWS.
- IAM Group
- A collection of users. Attach one policy to the group — all users inherit it.
- IAM Policy
- A JSON document that says what actions are allowed or denied on which resources.
- IAM Role
- Like a user but for AWS services (e.g. give EC2 permission to access S3).
- Least Privilege
- Give only the permissions needed — nothing more. The golden rule of IAM.
- MFA
- Multi-Factor Authentication. Requires phone OTP in addition to password. Always enable on root.
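To see how a policy document like the read-only S3 example above is actually decided, here is a small policy evaluator added to these notes (a teaching model, not AWS's own engine). It applies IAM's core rules (implicit deny, explicit Deny beats Allow, `*`/`?` wildcards) to that policy and to a constructed bucket-scoped policy with an explicit Deny; the bucket name `example-backups` and the second policy are made up for the example.

```python
"""Minimal IAM policy evaluator: a teaching model, not the AWS engine.

It applies the three rules that matter most for least privilege:
  1. Everything is denied unless some statement allows it (implicit deny).
  2. An explicit Deny always wins over any Allow.
  3. Action and Resource match with IAM-style wildcards (* and ?).
Conditions, resource policies, SCPs and permission boundaries are left out.
"""
import fnmatch
import json

# The read-only S3 policy shown in the notes above.
READ_ONLY_S3 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "*"
  }]
}
""")

# Constructed for this example: full access to one (made-up) bucket,
# but an explicit Deny on deleting objects, so backups cannot be wiped.
SCOPED_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-backups",
                      "arn:aws:s3:::example-backups/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-backups/*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, candidate, fold_case):
    """IAM wildcards: * is any run of characters, ? is one character.
    fnmatchcase uses the same two metacharacters. Action names are
    case-insensitive in IAM; ARNs are not."""
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy, action, resource):
    """True if `action` on `resource` is permitted by `policy`."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action, fold_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False      # explicit deny wins; stop evaluating
        allowed = True        # remember the allow, keep looking for denies
    return allowed


def least_privilege_report(policy, requests):
    """Map each (action, resource) request to allowed/denied.

    Compare what an application actually needs with what its policy
    grants: every extra True is a permission you can remove."""
    return {f"{a} {r}": is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-backups/db.sql.gz"
    print(least_privilege_report(READ_ONLY_S3, [
        ("s3:GetObject", obj), ("s3:PutObject", obj)]))
    print(least_privilege_report(SCOPED_WITH_DENY, [
        ("s3:PutObject", obj), ("s3:DeleteObject", obj),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/x")]))
```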
EC2 — Your Server in the Cloud
Launch a virtual server, connect via SSH, understand what you're paying for.
What is EC2?
EC2 (Elastic Compute Cloud) is AWS's virtual machine service. You pick the OS, CPU, RAM, and storage — AWS runs it in their data center. You connect via SSH exactly like a Linux server in your office. The difference: it's billed by the hour and you can terminate it any time.
| Feature | EC2 (AWS) | Physical / Local Server |
|---|---|---|
| Setup time | 60 seconds | Days to weeks |
| Connect | SSH with key pair | SSH or direct console |
| OS | Amazon Linux, Ubuntu, RHEL, Windows | Whatever you install |
| Resize | Stop → change instance type → start | Buy new hardware |
| Cost | Pay per hour (t2.micro = ~$0.012/hr) | Fixed cost, always running |
| Backups | AMI snapshots in minutes | Manual backup process |
| Terminate | One click — billing stops instantly | Hardware still sitting there |
```shell
# EC2 → Launch Instance
# 1. Name: my-web-server
# 2. AMI: Amazon Linux 2023 (free tier eligible)
# 3. Instance type: t2.micro (free tier)
# 4. Key pair: Create new → download .pem file
# 5. Security Group: Allow SSH (22) from your IP
# 6. Storage: 8 GB gp3 (default)
# 7. Launch!

# Connect via SSH (Linux/Mac)
chmod 400 my-key.pem
ssh -i my-key.pem ec2-user@YOUR-PUBLIC-IP

# Connect via SSH (Windows — use PuTTY or Windows Terminal)
# Convert .pem to .ppk using PuTTYgen first

# Once connected — it's just Linux!
sudo dnf update -y
sudo dnf install nginx -y
sudo systemctl enable --now nginx
```
- AMI
- Amazon Machine Image. A template with OS + software pre-installed. Used to launch EC2 instances.
- Instance Type
- CPU + RAM size. t2.micro = 1 vCPU, 1GB RAM. c5.4xlarge = 16 vCPU, 32GB RAM.
- Key Pair
- SSH key used to connect to EC2. AWS keeps the public key, you keep the private .pem file.
- Security Group
- Firewall rules for your EC2. Like Linux firewalld but managed by AWS.
- Elastic IP
- A permanent public IP. Without it, EC2's public IP changes every time you stop/start.
- User Data
- A startup script that runs when EC2 first boots. Use it to auto-install software.
VPC — Your Private Network
Build an isolated network inside AWS — subnets, routing, internet access.
What is a VPC?
VPC (Virtual Private Cloud) is your own private network inside AWS. Think of it as building walls around your servers — you control who can reach them and how. Without a VPC, your servers would be on AWS's shared network. Every AWS account gets a default VPC, but in production you always create your own.
| AWS VPC | Physical Network Equivalent |
|---|---|
| VPC | Your entire office network / building |
| Public Subnet | Reception area — accessible from outside |
| Private Subnet | Server room — internal only, no direct internet |
| Internet Gateway | The main door to the internet |
| NAT Gateway | One-way door — private servers can reach internet, internet can't reach them |
| Route Table | Network router — decides where traffic goes |
| Security Group | Firewall rules per server |
| NACL | Firewall rules per subnet (extra layer) |
```text
# Standard 3-tier VPC layout:
VPC: 10.0.0.0/16 (65,536 addresses)
├── Public Subnet A:  10.0.1.0/24 (AZ-1a) ← Load Balancer, Bastion
├── Public Subnet B:  10.0.2.0/24 (AZ-1b) ← Load Balancer (HA)
├── Private Subnet A: 10.0.3.0/24 (AZ-1a) ← EC2 App Servers
├── Private Subnet B: 10.0.4.0/24 (AZ-1b) ← EC2 App Servers (HA)
├── DB Subnet A:      10.0.5.0/24 (AZ-1a) ← RDS Database
└── DB Subnet B:      10.0.6.0/24 (AZ-1b) ← RDS Standby

# Traffic flow:
# Internet → IGW → Public Subnet → Load Balancer
#                → Private Subnet → EC2
#                → DB Subnet → RDS
# Private EC2 → NAT Gateway → Internet (updates only)
```
Golden rule: Databases always go in private subnets. They should never be directly reachable from the internet — only from your app servers inside the same VPC.
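An added example (not AWS tooling) that checks the 3-tier layout above with Python's `ipaddress` module: every subnet inside the VPC CIDR, no overlaps, two AZs per tier, and the golden rule that no DB subnet has a default route to an Internet Gateway. The route tables, subnet associations and `igw-`/`nat-`/`rtb-` IDs are constructed placeholders.

```python
"""Check the 3-tier VPC layout above with Python's ipaddress module.

Added example, not AWS tooling. A reviewer would verify three things:
  * every subnet fits inside the VPC CIDR and no two overlap,
  * each tier has a subnet in at least two Availability Zones (HA),
  * no DB subnet is "public" (AWS's definition: its route table sends
    0.0.0.0/0 to an Internet Gateway).
Route tables, associations and the igw-/nat-/rtb- IDs are constructed.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Subnets exactly as drawn in the layout: (name, cidr, az, tier)
SUBNETS = [
    ("public-a",  "10.0.1.0/24", "AZ-1a", "public"),
    ("public-b",  "10.0.2.0/24", "AZ-1b", "public"),
    ("private-a", "10.0.3.0/24", "AZ-1a", "private"),
    ("private-b", "10.0.4.0/24", "AZ-1b", "private"),
    ("db-a",      "10.0.5.0/24", "AZ-1a", "db"),
    ("db-b",      "10.0.6.0/24", "AZ-1b", "db"),
]

# Route tables (destination -> target) matching the traffic flow above:
# IGW for public, NAT Gateway for private, local only for the DB tier.
ROUTE_TABLES = {
    "rtb-public":  {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0EXAMPLE"},
    "rtb-private": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0EXAMPLE"},
    "rtb-db":      {"10.0.0.0/16": "local"},
}
SUBNET_TO_RTB = {
    "public-a": "rtb-public",   "public-b": "rtb-public",
    "private-a": "rtb-private", "private-b": "rtb-private",
    "db-a": "rtb-db",           "db-b": "rtb-db",
}


def is_public(subnet_name, subnet_to_rtb=SUBNET_TO_RTB,
              route_tables=ROUTE_TABLES):
    """A subnet is public when its route table has a default route
    (0.0.0.0/0) whose target is an Internet Gateway."""
    routes = route_tables[subnet_to_rtb[subnet_name]]
    return routes.get("0.0.0.0/0", "").startswith("igw-")


def validate_layout(vpc_cidr=VPC_CIDR, subnets=SUBNETS,
                    subnet_to_rtb=SUBNET_TO_RTB, route_tables=ROUTE_TABLES):
    """Return a list of findings; an empty list means the layout is sound."""
    findings = []
    nets = [(name, ipaddress.ip_network(cidr), az, tier)
            for name, cidr, az, tier in subnets]

    # 1. Containment in the VPC and no overlapping subnets
    for name, net, _, _ in nets:
        if not net.subnet_of(vpc_cidr):
            findings.append(f"{name} ({net}) is outside the VPC {vpc_cidr}")
    for i, (n1, net1, _, _) in enumerate(nets):
        for n2, net2, _, _ in nets[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"{n1} overlaps {n2}")

    # 2. Every tier spread over at least two AZs
    tier_azs = {}
    for _, _, az, tier in nets:
        tier_azs.setdefault(tier, set()).add(az)
    for tier, azs in tier_azs.items():
        if len(azs) < 2:
            findings.append(f"tier '{tier}' is in a single AZ: {sorted(azs)}")

    # 3. Golden rule: the database tier is never public
    for name, _, _, tier in nets:
        if tier == "db" and is_public(name, subnet_to_rtb, route_tables):
            findings.append(f"DB subnet {name} routes 0.0.0.0/0 to an IGW")
    return findings


if __name__ == "__main__":
    print(validate_layout() or "layout OK")
    # Constructed mistake: the public route table attached to db-b,
    # which silently exposes the database tier to the internet.
    broken = dict(SUBNET_TO_RTB, **{"db-b": "rtb-public"})
    print(validate_layout(subnet_to_rtb=broken))
```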
Static IPs, DNS & Route 53
Give your server a permanent address and point a domain name at it.
The Problem with Dynamic IPs
When you stop and start an EC2 instance, its public IP changes. If your domain (e.g. devriston.com.pk) pointed to the old IP, your website goes down. Elastic IP solves this — it's a fixed public IP that stays the same regardless of stops and starts. Route 53 is AWS's DNS service that connects your domain name to that IP.
```shell
# Console: EC2 → Elastic IPs → Allocate Elastic IP
#   → Associate → choose your EC2 instance → Associate

# AWS CLI equivalent:
# Allocate an Elastic IP
aws ec2 allocate-address --domain vpc

# Associate it with an instance
aws ec2 associate-address \
  --instance-id i-0abc123def456789 \
  --allocation-id eipalloc-0abc123def456789

# IMPORTANT: Elastic IP is FREE when attached to a running instance
# You get charged if it's allocated but NOT attached — release unused EIPs!
```
```shell
# Console: Route 53 → Hosted Zones → Create Hosted Zone
#   → Domain name: devriston.com.pk → Type: Public

# Create an A Record:
#   → Record name: @ (or www)
#   → Record type: A
#   → Value: YOUR-ELASTIC-IP
#   → TTL: 300

# Update your domain registrar's nameservers
# Route 53 gives you 4 NS records — paste these into your registrar

# Test DNS propagation:
dig devriston.com.pk
nslookup devriston.com.pk 8.8.8.8
```
- Elastic IP
- A static public IPv4 address for your AWS account. Stays the same when EC2 stops/starts.
- Route 53
- AWS DNS service. Translates domain names to IPs. Also does health checks and routing policies.
- A Record
- Maps a domain name directly to an IPv4 address.
- CNAME Record
- Maps a domain name to another domain name. Use for www → root domain.
- TTL
- Time To Live. How long DNS resolvers cache the record. Lower = faster propagation.
- Hosted Zone
- A container for DNS records for a domain in Route 53.
Load Balancer & Auto Scaling
Distribute traffic across servers and add/remove them automatically.
Why Load Balancers?
A load balancer sits in front of your servers and spreads incoming traffic evenly across them. If one server crashes, the load balancer stops sending traffic to it — users don't notice. Auto Scaling watches your CPU and adds servers when load is high, removes them when it drops. This is how Netflix handles millions of users without buying millions of servers.
| Scenario | Single Server | Load Balanced |
|---|---|---|
| Server crash | Site goes down | Traffic routes to healthy servers |
| Traffic spike | Server overloads, slow/down | Auto Scaling adds servers automatically |
| Deployment | Downtime during update | Rolling deploy — no downtime |
| SSL certificate | On each server | Once on the load balancer — simpler |
| Cost at low traffic | One server running 24/7 | Scale down to minimum — save money |
```text
# Step 1: Create Launch Template (what servers to launch)
# EC2 → Launch Templates → Create
#   → AMI, instance type, key pair, security group, user data

# Step 2: Create Target Group (group of servers LB sends traffic to)
# EC2 → Target Groups → Create
#   → Type: Instances | Protocol: HTTP | Port: 80
#   → Health check path: / (or /health)

# Step 3: Create Application Load Balancer
# EC2 → Load Balancers → Create → Application Load Balancer
#   → Internet-facing | Select public subnets in 2+ AZs
#   → Listener: HTTP:80 → Forward to target group

# Step 4: Create Auto Scaling Group
# EC2 → Auto Scaling Groups → Create
#   → Use your launch template
#   → Select private subnets
#   → Attach to your load balancer target group
#   → Min: 2 | Desired: 2 | Max: 6
#   → Scale out when CPU > 70%
#   → Scale in when CPU < 30%
```
S3 — Storage in the Cloud
Store files, host static websites, manage backups — the most-used AWS service.
What is S3?
S3 (Simple Storage Service) stores files as objects in containers called buckets. It's not a filesystem — you can't SSH into it or run commands on it. You upload files and they're accessible via a URL. S3 is used for everything: website assets, application logs, database backups, static website hosting, and as the backend for Terraform state files.
| Concept | S3 | Linux | Windows |
|---|---|---|---|
| Container | Bucket | Directory (/data) | Folder (C:\data) |
| File | Object (with key) | File | File |
| Access | HTTPS URL or CLI | File path | File path |
| Permissions | Bucket policy + IAM | chmod/chown | NTFS permissions |
| Max size | 5 TB per object | Disk size | Disk size |
| Redundancy | 3 AZs automatically | Manual RAID | Manual RAID |
```shell
# Create a bucket (name must be globally unique)
aws s3 mb s3://devriston-backups-2026

# Upload a file
aws s3 cp backup.tar.gz s3://devriston-backups-2026/

# Upload entire folder
aws s3 sync /var/backups/ s3://devriston-backups-2026/daily/

# Download from S3
aws s3 cp s3://devriston-backups-2026/backup.tar.gz .

# List bucket contents
aws s3 ls s3://devriston-backups-2026/

# Delete a file
aws s3 rm s3://devriston-backups-2026/old-backup.tar.gz

# Enable versioning (keeps all versions of every file)
aws s3api put-bucket-versioning \
  --bucket devriston-backups-2026 \
  --versioning-configuration Status=Enabled

# Host a static website on S3
aws s3 website s3://my-site/ \
  --index-document index.html \
  --error-document 404.html
```
RDS — Managed Databases
Run MySQL or PostgreSQL without managing a database server.
What is RDS?
RDS (Relational Database Service) runs your database on AWS-managed infrastructure. You don't install MySQL, manage backups, apply patches, or handle hardware failures — AWS does all of that. You just connect to it like a normal database. The tradeoff: less control, but much less work and built-in high availability.
| Task | RDS (Managed) | Self-Managed on EC2 |
|---|---|---|
| Install | Click and launch | dnf install mysql-server, configure |
| Backups | Automatic daily snapshots | Write your own backup scripts |
| Patches | AWS applies them | You run dnf update, test, apply |
| Failover | Multi-AZ — automatic in ~60 sec | Manual — set up replication yourself |
| Scaling | One click to resize | Migrate data to bigger server |
| Cost | Higher per hour | Lower — just EC2 cost |
| Best for | Production apps, less ops team | Full control, cost-sensitive, expertise available |
```shell
# Console: RDS → Create Database
#   → Standard Create
#   → Engine: MySQL 8.0
#   → Template: Free tier (for learning)
#   → DB instance ID: myapp-db
#   → Master username: admin
#   → Master password: (strong password)
#   → Instance: db.t3.micro (free tier)
#   → VPC: your custom VPC
#   → Subnet group: private subnets
#   → Public access: NO (always)
#   → VPC security group: allow port 3306 from app servers only

# Connect from EC2 inside the same VPC:
mysql -h myapp-db.xxxxxxxx.us-east-1.rds.amazonaws.com \
  -u admin -p

# Create a manual snapshot:
aws rds create-db-snapshot \
  --db-instance-identifier myapp-db \
  --db-snapshot-identifier myapp-db-snap-20260627
```
Never make RDS publicly accessible. Always place it in a private subnet. Only your EC2 app servers in the same VPC should reach it — never the open internet.
Backup, Snapshots & AMIs
Create server images, take disk snapshots, restore from disaster.
Why Backups Matter
Servers fail. Humans make mistakes. Databases get corrupted. Without backups, one bad command can destroy months of work. In AWS, snapshots and AMIs are your safety net — they let you roll back to any point in time or launch an identical copy of a server in minutes.
| Type | What it Backs Up | Use Case |
|---|---|---|
| EBS Snapshot | One disk (volume) | Backup a single disk, restore to any EC2 |
| AMI | Entire server (all disks + config) | Clone a server, launch identical copies |
| RDS Snapshot | Entire database | Point-in-time database restore |
| AWS Backup | Centralized — EC2, RDS, S3, EFS | One policy for all resources |
| S3 Versioning | Every version of every file | Recover accidentally deleted/modified files |
```shell
# Create an EBS Snapshot
aws ec2 create-snapshot \
  --volume-id vol-0abc123def456789 \
  --description "Web server disk backup 2026-06-27"

# Create an AMI from a running EC2
aws ec2 create-image \
  --instance-id i-0abc123def456789 \
  --name "web-server-v1-2026-06-27" \
  --description "Web server before deployment"

# Launch a new EC2 from your AMI
aws ec2 run-instances \
  --image-id ami-0your-ami-id \
  --instance-type t2.micro \
  --key-name my-key \
  --security-group-ids sg-0abc123

# List your snapshots
aws ec2 describe-snapshots --owner-ids self

# List your AMIs
aws ec2 describe-images --owners self
```
Before every deployment: Create an AMI of your server. If the deployment breaks production, you launch a new instance from the AMI and it's back in 2 minutes. This is your undo button.
CloudWatch — Monitoring
Watch your infrastructure health, set alarms, get alerted before things break.
What is CloudWatch?
CloudWatch collects metrics from all your AWS resources — CPU usage, network traffic, disk reads, memory (with the agent), application logs. You set alarms that trigger when a metric crosses a threshold. When CPU hits 90%, CloudWatch sends you an email via SNS before your server melts. It's AWS's built-in Prometheus + Grafana equivalent.
| Feature | CloudWatch | Prometheus + Grafana |
|---|---|---|
| Setup | Built-in — works automatically | Install, configure, maintain |
| Cost | Pay per metric/alarm/log | Free (self-hosted on EC2) |
| AWS integration | Native — all services report here | Needs exporters per service |
| Custom metrics | Yes — via API or agent | Yes — via exporters |
| Dashboards | Basic | Grafana — highly customizable |
| Best for | AWS-native alerts, quick setup | Custom dashboards, multi-cloud, advanced queries |
```shell
# Create a CPU alarm — email when CPU > 80% for 5 minutes

# Step 1: Create SNS topic (for email notifications)
aws sns create-topic --name DevOps-Alerts

# Step 2: Subscribe your email
aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:123456789:DevOps-Alerts \
  --protocol email \
  --notification-endpoint kamran@devriston.com.pk

# Step 3: Create the CloudWatch alarm
aws cloudwatch put-metric-alarm \
  --alarm-name "High-CPU-web-server" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --dimensions Name=InstanceId,Value=i-0abc123def456789 \
  --period 300 \
  --evaluation-periods 1 \
  --threshold 80 \
  --comparison-operator GreaterThanThreshold \
  --statistic Average \
  --alarm-actions arn:aws:sns:us-east-1:123456789:DevOps-Alerts

# Install CloudWatch Agent on EC2 (for memory/disk metrics)
sudo dnf install amazon-cloudwatch-agent -y
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
```
AWS CLI — Control AWS from Terminal
Stop clicking the console. Manage everything from your terminal.
Why CLI Over Console?
The AWS Console (web UI) is good for learning and exploring. But real engineers use the CLI — you can script it, run it in CI/CD pipelines, repeat exact commands, and automate anything. One CLI command does in 2 seconds what takes 10 clicks in the console. And you can put it in a bash script that runs every night.
| Method | Speed | Repeatable | Best For |
|---|---|---|---|
| Console (Web UI) | Slow — many clicks | No — manual each time | Learning, exploring |
| AWS CLI | Fast — one command | Yes — put in scripts | Automation, quick tasks |
| Terraform | Medium — plan then apply | Yes — version controlled | Full infrastructure as code |
| SDK (Python/boto3) | Variable | Yes — programmable | Custom tools, Lambda |
```shell
# Install on Linux
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# Install on Windows
# Download: https://awscli.amazonaws.com/AWSCLIV2.msi

# Configure with your IAM access keys
aws configure
#   AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
#   AWS Secret Access Key: wJalrXUtnFEMI/K7MDENG
#   Default region: ap-south-1
#   Default output format: json

# Verify it works
aws sts get-caller-identity

# Common CLI commands
aws ec2 describe-instances                          # list all EC2
aws ec2 start-instances --instance-ids i-0abc123    # start EC2
aws ec2 stop-instances --instance-ids i-0abc123     # stop EC2
aws s3 ls                                           # list all buckets
aws iam list-users                                  # list IAM users
aws rds describe-db-instances                       # list databases

# Use profiles for multiple accounts
aws configure --profile production
aws s3 ls --profile production
```
Lambda — Serverless Functions
Run code without servers — pay only for what actually runs.
What is Lambda?
Lambda runs your code in response to events — without you managing any server. You upload a function (Python, Node.js, bash etc.), define what triggers it, and AWS handles everything else. It starts in milliseconds, runs, and stops. You pay only for the milliseconds it ran — not for idle time. Perfect for automations, scheduled jobs, and event-driven tasks.
| Feature | Lambda | EC2 | Linux Cron |
|---|---|---|---|
| Server to manage | None | Yes — patch, monitor, maintain | Yes — runs on a server |
| Cost at zero traffic | $0.00 | Still paying per hour | Server still running |
| Max runtime | 15 minutes | Unlimited | Unlimited |
| Triggers | S3, API, schedule, SNS, SQS | Manual or script | Time-based only |
| Scale | Automatic — thousands of parallel runs | Manual or Auto Scaling | One job at a time |
| Best for | Short tasks, event-driven, automation | Long-running apps, full control | Scheduled tasks on a server |
```python
# Example Lambda: Stop EC2 instances every night at 11pm
import boto3


def lambda_handler(event, context):
    ec2 = boto3.client('ec2', region_name='ap-south-1')

    # Find all running instances tagged Environment=dev
    response = ec2.describe_instances(
        Filters=[
            {'Name': 'tag:Environment', 'Values': ['dev']},
            {'Name': 'instance-state-name', 'Values': ['running']}
        ]
    )

    instance_ids = []
    for reservation in response['Reservations']:
        for instance in reservation['Instances']:
            instance_ids.append(instance['InstanceId'])

    if instance_ids:
        ec2.stop_instances(InstanceIds=instance_ids)
        print(f"Stopped: {instance_ids}")

    return {'stopped': instance_ids}

# Deploy this function:
# Lambda → Create Function → Author from scratch
# Runtime: Python 3.12
# Execution role: IAM role with EC2 stop permissions
# Add trigger: EventBridge (cron) → cron(0 18 * * ? *) = 11pm PKT
```
Free tier: Lambda gives 1 million free requests and 400,000 GB-seconds of compute per month — forever, not just 12 months. Most learning workloads run completely free.
Cost Management & Billing Alerts
Never get a surprise AWS bill. Understand what costs what and how to control it.
Why Cost Management Matters
AWS bills you for every resource every hour. A forgotten running EC2, a NAT Gateway you didn't delete, an Elastic IP sitting unattached — these all cost real money. Many beginners get their first AWS bill and panic. The fix is simple: set billing alerts on day one, check Cost Explorer weekly, and always clean up resources after labs.
| Resource | Cost | How to Avoid |
|---|---|---|
| EC2 running 24/7 | t2.micro ~$8.50/month | Stop when not in use; use Lambda for scheduled stop |
| NAT Gateway | ~$32/month + data transfer | Delete after lab; use NAT Instance for learning |
| Elastic IP (unattached) | $0.005/hour = ~$3.60/month | Release when not attached to running instance |
| RDS (even stopped) | Charges resume after 7 days stopped | Delete RDS after lab; take final snapshot first |
| Data transfer out | $0.09/GB after first 100GB | Keep data within same region; use CloudFront |
| CloudWatch logs | $0.50/GB ingested | Set log retention — don't keep logs forever |
```shell
# Console: Billing → Budgets → Create Budget
#   → Budget type: Cost budget
#   → Amount: $10 (alert before you're surprised)
#   → Alert threshold: 80% of budget ($8)
#   → Email: your email

# CLI: Create billing alarm via CloudWatch
aws cloudwatch put-metric-alarm \
  --alarm-name "Billing-Alert-10USD" \
  --metric-name EstimatedCharges \
  --namespace AWS/Billing \
  --dimensions Name=Currency,Value=USD \
  --period 86400 \
  --evaluation-periods 1 \
  --threshold 10 \
  --comparison-operator GreaterThanThreshold \
  --statistic Maximum \
  --alarm-actions arn:aws:sns:us-east-1:123456:DevOps-Alerts \
  --region us-east-1

# Cost Explorer — check your spending
# Billing → Cost Explorer → View by service
# Filter by last 7 days to catch unexpected charges fast

# Clean up after labs (in order):
# 1. Terminate EC2 instances
# 2. Delete Load Balancers
# 3. Delete NAT Gateways
# 4. Release Elastic IPs
# 5. Delete RDS instances (take snapshot first)
# 6. Delete VPC
```
Billing alerts are in us-east-1 only. Even if your resources are in ap-south-1, the EstimatedCharges metric only exists in us-east-1. Always set the region to us-east-1 when creating billing alarms.
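Both alarms in these notes, the CloudWatch `High-CPU-web-server` alarm (Average over 300 s, threshold 80) and the `Billing-Alert-10USD` alarm above (Maximum over 86400 s, threshold 10), are decided by the same mechanics: bucket samples into periods, apply the statistic, compare against the threshold for the last N evaluation periods. This added simulation (not the CloudWatch service; datapoints are constructed and missing-data handling is simplified) walks through that decision for both.

```python
"""Simulate how a CloudWatch metric alarm reaches ALARM / OK.

Added teaching model, not the CloudWatch service. Datapoints are
constructed (timestamp_seconds, value). Model: raw samples are bucketed
into fixed periods, the statistic is applied per period, and the alarm
is ALARM when the last `evaluation_periods` periods all breach the
threshold. Missing-data treatment is reduced to INSUFFICIENT_DATA.
"""
from collections import defaultdict
import statistics

COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}
STATISTICS = {
    "Average": statistics.fmean,
    "Maximum": max,
    "Minimum": min,
    "Sum": sum,
    "SampleCount": len,
}


def aggregate(datapoints, period):
    """Bucket (ts, value) samples into `period`-second windows and return
    a sorted list of (period_start, values) for per-period statistics."""
    buckets = defaultdict(list)
    for ts, value in datapoints:
        buckets[ts - ts % period].append(value)
    return sorted(buckets.items())


def evaluate_alarm(datapoints, *, period, statistic, threshold,
                   comparison_operator, evaluation_periods=1):
    """Return 'ALARM', 'OK' or 'INSUFFICIENT_DATA' for the alarm state."""
    periods = aggregate(datapoints, period)
    if len(periods) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    stat = STATISTICS[statistic]
    compare = COMPARISONS[comparison_operator]
    recent = periods[-evaluation_periods:]
    breaching = [compare(stat(values), threshold) for _, values in recent]
    return "ALARM" if all(breaching) else "OK"


# Constructed CPUUtilization samples, one per minute for 10 minutes:
# five idle minutes, then five minutes pegged by a runaway process.
CPU_SAMPLES = [(t * 60, 12.0) for t in range(5)] + \
              [(t * 60, 95.0) for t in range(5, 10)]

# Constructed EstimatedCharges samples: the metric is cumulative for the
# month and published a few times a day, so Maximum per day is the
# statistic that catches the crossing. Day 2 crosses the $10 threshold.
BILLING_SAMPLES = [(0, 2.10), (43200, 4.75),
                   (86400, 6.90), (129600, 11.30)]

if __name__ == "__main__":
    # Mirrors the High-CPU-web-server alarm: --period 300 --statistic Average
    # --threshold 80 --comparison-operator GreaterThanThreshold
    print(evaluate_alarm(CPU_SAMPLES, period=300, statistic="Average",
                         threshold=80,
                         comparison_operator="GreaterThanThreshold"))
    # Mirrors Billing-Alert-10USD: --period 86400 --statistic Maximum
    print(evaluate_alarm(BILLING_SAMPLES, period=86400, statistic="Maximum",
                         threshold=10,
                         comparison_operator="GreaterThanThreshold"))
```

Raising `evaluation_periods` to 2 for the CPU alarm returns OK, because the earlier 5-minute window averaged 12%: that is the trade-off between alerting fast and ignoring a single noisy period.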
- Cost Explorer
- Visual tool to see AWS spending by service, region, tag, or time period.
- AWS Budgets
- Set spending thresholds and get email/SMS alerts before you exceed them.
- Free Tier
- 12 months of selected services free after account creation. Always check free tier limits.
- Reserved Instances
- Commit to 1 or 3 years — save up to 72% vs on-demand pricing for fixed workloads.
- Spot Instances
- Unused EC2 capacity at up to 90% discount — can be terminated by AWS any time.
- Resource Tags
- Key-value labels on resources. Tag everything with Project, Environment, Owner to track costs.
Ready to go beyond reading?
The live course includes hands-on labs in your real AWS account, Q&A sessions, and a final 3-tier infrastructure project using Terraform. Same instructor who wrote these notes.