
AWS Infrastructure Guide for Developers

January 11, 2025


AWS Infrastructure Cheat Sheet

Core Concepts and Order of Operations

1. IAM (Identity and Access Management)

First, always start with IAM because it controls access to everything else.

Basic Setup:

# 1. Create an IAM User Group
aws iam create-group --group-name Developers

# 2. Create IAM User
aws iam create-user --user-name developer1

# 3. Add user to group
aws iam add-user-to-group --user-name developer1 --group-name Developers

Common IAM Patterns:

  • Always use roles for services (ECS, Lambda)
  • Use groups for users
  • Never put credentials in code
  • Use policy conditions for extra security

Basic Developer Policy Template:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-1"
                }
            }
        }
    ]
}
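As an added example (not part of the original guide), a stdlib-only Python check that applies the scoping rules above to a policy document: it flags service-wide action wildcards, a Resource of "*", a missing Condition, and resource ARNs that belong to a different service than the actions. The sample policy is constructed here: it is the developer template plus a deliberately over-broad second statement.

```python
import json

# Constructed sample: the developer policy from this guide, plus a second,
# deliberately over-broad statement so the checks have something to flag.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:List*", "s3:Get*", "s3:Put*"],
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def find_policy_findings(policy):
    """Return (statement_index, message) pairs for Allow statements that break
    the scoping patterns above: service-wide action wildcards, Resource "*",
    a missing Condition, or resource ARNs from a different service."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "action wildcard covers every API of the service"))
        if "*" in resources:
            findings.append((i, "Resource '*' is not scoped to specific ARNs"))
        if "Condition" not in stmt:
            findings.append((i, "no Condition (e.g. aws:RequestedRegion)"))
        # ARN layout: arn:partition:service:region:account:resource
        action_services = {a.split(":")[0] for a in actions if a != "*"}
        for arn in resources:
            parts = arn.split(":")
            if arn != "*" and (len(parts) < 3 or parts[2] not in action_services):
                findings.append((i, f"resource {arn} does not match action service"))
    return findings

if __name__ == "__main__":
    for idx, msg in find_policy_findings(SAMPLE_POLICY):
        print(f"Statement {idx}: {msg}")
```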

2. Networking (VPC and Subnets)

After IAM, set up your network infrastructure.

VPC Pattern:

  • One VPC per environment (dev/staging/prod)
  • Use at least two Availability Zones
  • Use CIDR blocks that don't overlap

Standard VPC Setup:

# Terraform example
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  
  name = "my-vpc"
  cidr = "10.0.0.0/16"
  
  azs             = ["us-east-1a", "us-east-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
  
  enable_nat_gateway = true
  single_nat_gateway = true  # Cost savings for non-prod
}

Subnet Patterns:

  • Public Subnets: For ALBs, Bastions
  • Private Subnets: For RDS, ECS, Lambda
  • CIDR Size Guide:
    • /16 for VPC (65k addresses)
    • /24 for subnets (256 addresses)
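As an added example (not from the original guide), a stdlib-only Python planner for the layout rules above: it verifies that every subnet sits inside the VPC, that no two subnets overlap, reports usable host addresses after AWS's five reserved addresses per subnet, and lists the /24 blocks still free for a new service. The VPC and subnet CIDRs are those from the Terraform module call above; the per-environment VPC list in the test is constructed.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5

# Constructed layout: the VPC and subnets from the Terraform module call above.
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.101.0/24", "10.0.102.0/24"]

def plan_subnets(vpc_cidr, subnet_cidrs):
    """Validate a VPC/subnet layout: every subnet must sit inside the VPC and
    no two subnets may overlap. Returns {subnet: usable host addresses} or
    raises ValueError describing the first problem found."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    for net in subnets:
        if not net.subnet_of(vpc):
            raise ValueError(f"{net} lies outside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return {str(n): n.num_addresses - AWS_RESERVED_PER_SUBNET for n in subnets}

def overlapping_vpcs(cidrs):
    """Pairs of per-environment VPC CIDRs that overlap; such VPCs cannot be
    peered or routed to each other later."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

def free_subnets(vpc_cidr, used_cidrs, prefixlen=24):
    """Blocks of the given prefix length inside the VPC that no existing
    subnet touches; the 'check subnet capacity' step for a new service."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(c) for c in used_cidrs]
    return [str(n) for n in vpc.subnets(new_prefix=prefixlen)
            if not any(n.overlaps(u) for u in used)]

if __name__ == "__main__":
    print(plan_subnets(VPC_CIDR, SUBNET_CIDRS))
    print(len(free_subnets(VPC_CIDR, SUBNET_CIDRS)), "free /24 blocks")
```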

3. Security Groups

After networking, configure security groups.

Common Patterns:

# ALB Security Group
resource "aws_security_group" "alb" {
  name        = "alb-sg"
  description = "ALB Security Group"
  vpc_id      = module.vpc.vpc_id
  
  # Only HTTPS from the internet; no plain-HTTP ingress
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Terraform removes the default allow-all egress rule from managed
  # security groups, so egress must be declared or the ALB cannot reach
  # its targets. Limit it to the VPC, where the targets live.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [module.vpc.vpc_cidr_block]
  }
}

# ECS Security Group
resource "aws_security_group" "ecs" {
  name        = "ecs-sg"
  description = "ECS Security Group"
  vpc_id      = module.vpc.vpc_id
  
  # Admit traffic only from the ALB's security group, not from a CIDR
  ingress {
    from_port       = 8000
    to_port         = 8000
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  # Tasks need outbound access (image pulls, RDS, AWS APIs); declare it
  # explicitly for the same reason as above and narrow it where you can
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
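As an added example (not from the original guide), a stdlib-only Python audit of the chaining pattern above: only designated edge groups (ALBs, bastions) may accept traffic from anywhere, and then only on the public ports, while every other group should admit traffic by referencing the upstream security group rather than a CIDR. The rule list is constructed here: it mirrors the ALB and ECS groups above plus two rules that break the pattern; the dict shape is an assumption, not an AWS API format.

```python
import ipaddress

# Constructed rules mirroring the ALB -> ECS chain above, plus two rules
# that break the pattern so the audit has something to report.
SG_RULES = [
    {"group": "alb-sg", "protocol": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
    {"group": "ecs-sg", "protocol": "tcp", "port": 8000, "source_sg": "alb-sg"},
    {"group": "ecs-sg", "protocol": "tcp", "port": 8000, "cidr": "10.0.0.0/16"},
    {"group": "legacy-sg", "protocol": "-1", "port": 0, "cidr": "0.0.0.0/0"},
]

def is_world_open(cidr):
    # 0.0.0.0/0 and ::/0 both mean "any source" (prefix length 0).
    return ipaddress.ip_network(cidr).prefixlen == 0

def audit_ingress(rules, edge_groups, public_ports=(443,)):
    """Return (group, message) findings. Only edge groups may accept traffic
    from anywhere, and only on public_ports; every other group should admit
    traffic by referencing the upstream security group, not a CIDR."""
    findings = []
    for r in rules:
        g = r["group"]
        if r["protocol"] == "-1":
            findings.append((g, "all-protocol rule; restrict to the listening port"))
        if "cidr" not in r:
            continue  # source is a security group: the chained pattern
        if is_world_open(r["cidr"]):
            if g not in edge_groups or r["port"] not in public_ports:
                findings.append((g, f"world-open ingress on {r['protocol']}/{r['port']}"))
        elif g not in edge_groups:
            findings.append((g, f"CIDR ingress {r['cidr']}; reference the upstream group instead"))
    return findings

if __name__ == "__main__":
    for group, msg in audit_ingress(SG_RULES, edge_groups={"alb-sg"}):
        print(f"{group}: {msg}")
```

The same check applied to the port-80 rule in the quick reference below flags it unless the group is an edge group and 80 is added to public_ports.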

4. Database (RDS)

After network and security, set up databases.

RDS Pattern:

resource "aws_db_instance" "main" {
  identifier        = "my-rds"
  engine            = "postgres"
  engine_version    = "13.7"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  
  db_name  = "myapp"
  username = "dbadmin"
  password = var.db_password
  
  vpc_security_group_ids = [aws_security_group.rds.id]
  db_subnet_group_name   = aws_db_subnet_group.main.name
}

5. Application Infrastructure

Finally, set up your application infrastructure.

ECS Pattern:

resource "aws_ecs_cluster" "main" {
  name = "my-cluster"
}

resource "aws_ecs_service" "main" {
  name            = "my-service"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.main.arn
  desired_count   = 2
  
  network_configuration {
    subnets         = module.vpc.private_subnets
    security_groups = [aws_security_group.ecs.id]
  }
}

Quick Reference Cheat Sheet

IAM

# Create Role
aws iam create-role --role-name MyRole --assume-role-policy-document file://trust-policy.json

# Attach Policy
aws iam attach-role-policy --role-name MyRole --policy-arn arn:aws:iam::aws:policy/AWSLambdaExecute

VPC

# List VPCs
aws ec2 describe-vpcs

# List Subnets
aws ec2 describe-subnets

# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16

Security Groups

# Create Security Group
aws ec2 create-security-group --group-name MySecurityGroup --description "My security group"

# Add Rule
aws ec2 authorize-security-group-ingress --group-id sg-123456 --protocol tcp --port 80 --cidr 0.0.0.0/0

Common Problems and Solutions

1. Cannot Connect to RDS

Check:

  • Security Group inbound rules
  • Subnet routing
  • VPC endpoint for RDS
  • Database credentials

2. ECS Tasks Not Starting

Check:

  • Task Role permissions
  • Security Group rules
  • VPC endpoint for ECR
  • CloudWatch Logs permissions

3. ALB Health Checks Failing

Check:

  • Security Group allows health check port
  • Target Group settings
  • Application responding on correct port
  • Route table configuration

Best Practices

  1. Naming Convention:

     {environment}-{service}-{resource}
     Example: prod-api-sg (Security Group for API in production)
  2. Tagging Strategy:

     {
       "Environment": "production",
       "Service": "api",
       "ManagedBy": "terraform",
       "CostCenter": "app1"
     }
  3. Security:

    • Use AWS Secrets Manager for sensitive data
    • Enable VPC Flow Logs
    • Use WAF with ALBs
    • Enable CloudTrail
    • Use GuardDuty
  4. Cost Management:

    • Use AWS Cost Explorer
    • Set up Budget Alerts
    • Right-size instances
    • Use Spot Instances where possible
    • Clean up unused resources

Adding New Services Checklist

  1. IAM Setup:

    • Create Service Role
    • Attach necessary policies
    • Set up cross-service permissions
  2. Networking:

    • Check subnet capacity
    • Update security groups
    • Add VPC endpoints if needed
  3. Security:

    • Create security group
    • Configure access policies
    • Set up encryption
  4. Monitoring:

    • Set up CloudWatch logs
    • Create alarms
    • Configure metrics
  5. Deployment:

    • Update CI/CD pipeline
    • Add Terraform configuration
    • Test in staging first