AWS & Terraform Essentials: Cloud Infrastructure Mastery
Comprehensive guide covering cloud computing fundamentals, AWS services (EC2, S3, RDS, IAM), infrastructure-as-code with Terraform, and practical provisioning of cloud resources. Covers identity management, networking, automation, and real-world enterprise patterns.
Cloud Computing Fundamentals
Why Cloud Computing Emerged
Before cloud, companies maintained expensive on-premises infrastructure requiring large upfront costs, dedicated teams, and poor scalability. Cloud computing solved this by allowing businesses to rent infrastructure over the internet, paying only for what they use, enabling faster deployment and reducing capital expenditure.
Cloud Service Models: IaaS, PaaS, SaaS
Infrastructure-as-a-Service (IaaS) provides servers and networking with user control over OS and runtime; Platform-as-a-Service (PaaS) adds pre-configured runtime and OS, requiring only application code; Software-as-a-Service (SaaS) delivers complete software over internet requiring no infrastructure management.
Key Cloud Computing Advantages
Cloud enables pay-as-you-go pricing, automatic scaling based on demand, fast deployment in minutes versus days, global data center presence reducing latency, and elimination of physical infrastructure maintenance burden.
AWS Overview & Global Infrastructure
AWS Market Position & History
Amazon Web Services launched in 2006 initially for internal e-commerce use, then opened to public. Currently dominates cloud market with 200+ services. AWS is the most widely adopted cloud provider globally, with strong demand for AWS-skilled engineers.
AWS Global Infrastructure: Regions & Availability Zones
AWS operates 39 geographical regions and 123 availability zones worldwide. Regions are geographic areas (e.g., Mumbai, Frankfurt); availability zones are isolated data centers within regions. This distributed infrastructure reduces latency and improves application performance for users globally.
Essential AWS Services to Master
Core services include EC2 (servers), security groups, load balancers, autoscaling, VPC (networking), RDS (databases), S3 (storage), IAM (access control), Lambda, ECS/ECR (containers), and Elastic Beanstalk (PaaS). DevOps and cloud engineers must focus on these rather than all 200+ services.
AWS Account Setup & Identity Management
Creating AWS Free Tier Account
AWS offers free tier accounts with $100 credit for 3 months. Account creation requires email, password, billing information (credit/debit card), and identity verification. AWS will not auto-deduct charges on free tier; account suspension occurs if limits exceeded without payment.
Root User vs IAM Users
Root user (account owner) has complete access to all AWS services and resources. IAM users are created with limited permissions based on role. Root credentials should be protected with MFA; in production, teams use IAM users with specific permissions rather than sharing root access.
IAM: Users, Groups, Policies, and Roles
IAM users are individual accounts with login credentials. Groups bundle multiple users for shared permissions. Policies define what actions users/groups can perform (permissions). Roles provide temporary permissions to AWS resources (e.g., EC2 instance accessing S3) without hardcoding credentials.
Enterprise AWS Access Patterns
Large enterprises use AWS Organizations to manage multiple accounts (dev, test, prod, security). Service Control Policies (SCPs) enforce guardrails at organization level. Authentication via corporate identity providers (Okta, Azure AD) through AWS Identity Center. Employees assume temporary roles with MFA, not permanent credentials. Production access heavily restricted and audited.
Multifactor Authentication (MFA) Best Practice
MFA should be enabled on root account immediately after creation. Options include hardware keys, authenticator apps (Google Authenticator), or keyboard-based security keys. MFA is mandatory in enterprise environments and prevents unauthorized access even if password is compromised.
EC2: Virtual Servers on AWS
EC2 Fundamentals: Creating Virtual Machines
EC2 (Elastic Compute Cloud) allows creation of virtual servers (instances) on AWS. Users select Amazon Machine Image (AMI) for OS, instance type for CPU/RAM, key pair for SSH access, security group for firewall rules, and storage configuration. Instances can be stopped, restarted, or terminated.
Security Groups: Network Access Control
Security groups act as virtual firewalls controlling inbound and outbound traffic. Inbound rules specify which ports/protocols are allowed (e.g., SSH port 22, HTTP port 80). Outbound rules control what traffic leaves the instance. Security groups can be created separately and reused across instances.
Key Pairs: SSH Authentication
EC2 instances use key pairs (public-private cryptographic keys) instead of passwords for SSH access. Private key is downloaded and stored securely; public key is embedded in instance. Linux file permissions (chmod 400) must be set on private key before SSH connection.
Instance Lifecycle: States and Cost Management
EC2 instances have states: running (incurs charges), stopped (no compute charges but storage charged), and terminated (deleted permanently). Best practice is to stop unused instances during practice and terminate when no longer needed to avoid unexpected bills.
Infrastructure as Code with Terraform
Terraform: Declarative Infrastructure Automation
Terraform is an Infrastructure-as-Code tool using HCL (HashiCorp Configuration Language) to define cloud resources declaratively. Instead of manual AWS console clicks, write code to provision EC2, S3, RDS, etc. Terraform tracks infrastructure state and manages create/update/delete operations idempotently.
Terraform Workflow: Init, Plan, Apply, Destroy
Terraform workflow: (1) terraform init initializes backend and downloads provider plugins; (2) terraform format formats code; (3) terraform validate checks syntax; (4) terraform plan shows what will be created; (5) terraform apply provisions resources; (6) terraform destroy removes all resources. State file tracks infrastructure state.
Terraform State File: Infrastructure Tracking
State file (terraform.tfstate) stores current infrastructure state. After first apply, state file is created. Subsequent applies compare desired state (code) with actual state (file) to determine changes. State file is critical and should be backed up; losing it requires manual resource cleanup.
Input Variables: Dynamic Configuration
Input variables allow parameterization of Terraform scripts. Instead of hardcoding values (AMI ID, instance type), define variables in separate file and reference them in main script. This enables reusability and separation of configuration from code.
Output Variables: Exposing Infrastructure Details
Output variables display infrastructure details after provisioning completes. After terraform apply, outputs print resource attributes (e.g., EC2 public IP, RDS endpoint, S3 bucket name). Useful for retrieving connection information without manual AWS console lookup.
Terraform Taint & Untaint: Force Resource Recreation
By default, terraform apply only creates/updates resources if code changes. Taint marks a resource for destruction and recreation on next apply without code changes. Untaint reverses this. Useful when infrastructure becomes corrupted or needs refresh without manual destroy/recreate.
Terraform Modules: Organizing Infrastructure Code
Modules organize Terraform code into reusable components. Root module contains provider and main configuration. Child modules (subdirectories) contain specific infrastructure (EC2, S3, RDS). Each module has its own variables.tf, main.tf, output.tf. Root module invokes child modules, passing inputs and collecting outputs.
Terraform with AWS Credentials
Terraform requires AWS access keys (Access Key ID, Secret Access Key) to provision resources. Credentials are set via environment variables (export AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) or AWS credentials file. Never hardcode credentials in Terraform files; use environment variables or IAM roles.
AWS Storage & Databases
S3: Object Storage Service
S3 (Simple Storage Service) stores objects (files) in buckets. Bucket names must be globally unique. S3 supports versioning (track file history), access control lists (ACL), and lifecycle policies. Common use cases: backups, static website hosting, data lakes. Pay per GB stored.
RDS: Managed Relational Databases
RDS (Relational Database Service) provides managed databases (MySQL, PostgreSQL, Oracle, SQL Server). AWS handles backups, patching, replication. Users specify DB instance type, storage, and backup retention. RDS endpoints provide connection strings for applications.
Networking & VPC
VPC: Virtual Private Cloud Networking
VPC is a virtual network within AWS where resources are deployed. VPC includes subnets (public/private), internet gateway (internet access), NAT gateway (outbound-only access), route tables (traffic rules), and elastic IPs (static public IPs). Proper VPC design ensures security and performance.
Monitoring & Cost Management
AWS Billing & Cost Monitoring
AWS free tier provides $100 credit for 3 months. Users should monitor costs via Billing & Cost Management dashboard. Setting up budget alerts prevents unexpected charges. Best practice: delete unused resources immediately after testing, never leave resources running indefinitely.
Real-World DevOps Practices
Infrastructure-as-Code Best Practices
Use version control (Git) for all Terraform code. Separate environments (dev, test, prod) with different AWS accounts. Use modules for reusability. Never hardcode credentials. Implement code review before applying to production. Automate testing and deployment pipelines.
Linux Skills Essential for DevOps
DevOps engineers must master Linux fundamentals (file permissions, terminal commands, package management). Linux is the OS for most cloud servers and containers. Estimated skill distribution: 60% Linux, 40% DevOps tools (Terraform, Docker, Kubernetes).
Notable quotes
Cloud computing is no more optional. It is very essential. — Instructor
In the real world, nobody is manually creating IAM users for every employee. That becomes a massive security risk. — Instructor
For a DevOps engineer, I would focus 60% on Linux and 40% on other DevOps tools. Linux is the most critical. — Instructor
Action items
- Create AWS free tier account and enable MFA on root user immediately
- Create IAM user with limited EC2 permissions; log in as IAM user instead of root
- Launch EC2 instance: select Amazon Linux AMI, t2/t3.micro, create security group allowing SSH, download key pair
- Connect to EC2 via SSH terminal using key pair and Linux commands
- Create S3 bucket with versioning enabled via AWS console
- Set up billing alert in AWS Billing & Cost Management to prevent unexpected charges
- Install Terraform and AWS CLI on local machine; configure AWS credentials via environment variables
- Write Terraform script to provision EC2 instance: define variables.tf, main.tf, output.tf
- Execute terraform init, validate, plan, apply workflow to create infrastructure
- Organize Terraform code into modules (root + child modules for EC2, S3, RDS)
- Use terraform taint to force resource recreation without code changes
- Delete all test resources after practice using terraform destroy to avoid charges
- Version control all Terraform code in Git repository
- Study Linux fundamentals (file permissions, terminal commands, package management)